- Jan 08, 2014
-
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
PR#3220
-
- Jan 06, 2014
-
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
-
- Jan 04, 2014
-
-
Dr. Stephen Henson authored
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL 0.9.7h but deleting it will break source compatibility with any software that references it. Restore it but #define to zero. (cherry picked from commit b17d6b8d)
-
- Jan 02, 2014
-
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
When sending an invalid version number alert don't change the version number to the client version if a session is already established. Thanks to Marek Majkowski for additional analysis of this issue. PR#3191
-
- Dec 22, 2013
-
-
Dr. Stephen Henson authored
(cherry picked from commit 8f686789)
-
- Dec 20, 2013
-
-
Dr. Stephen Henson authored
For DTLS we might need to retransmit messages from the previous session so keep a copy of write context in DTLS retransmission buffers instead of replacing it after sending CCS. CVE-2013-6450.
-
Dr. Stephen Henson authored
-
- Dec 19, 2013
-
-
Dr. Stephen Henson authored
When deciding whether to use TLS 1.2 PRF and record hash algorithms use the version number in the corresponding SSL_METHOD structure instead of the SSL structure. The SSL structure version is sometimes inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. (CVE-2013-6449)
-
- Dec 18, 2013
-
-
Andy Polyakov authored
SHA512_Transform was initially added rather as tribute to tradition than for practucal reasons. But use was recently found in ssl/s3_cbc.c and it turned to be problematic on platforms that don't tolerate misasligned references to memory and lack assembly subroutine. (cherry picked from commit cdd1acd7)
-
Dr. Stephen Henson authored
Partial mitigation of PR#3200
-
- Dec 10, 2013
-
-
Dr. Stephen Henson authored
We need to lock when *not* in FIPS mode. (cherry picked from commit 57c4e42d)
-
Dr. Stephen Henson authored
-
- Dec 09, 2013
-
-
Dr. Stephen Henson authored
-
- Dec 08, 2013
-
-
Dr. Stephen Henson authored
-
Dr. Stephen Henson authored
PR: 3176. In FIPS mode ssleay_rand_bytes is only used for PRNG seeding and is performed in either a single threaded context (when the PRNG is first initialised) or under a lock (reseeding). To avoid multiple locks disable use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes. (cherry picked from commit 53142f72c9b9c9bad2f39ca6200a4f04f5c8001c)
-
- Dec 03, 2013
-
-
Andy Polyakov authored
PR: 3189 Submitted by: Oscar Ciurana (cherry picked from commit c5d5f5bd)
-
- Nov 27, 2013
-
-
Dr. Stephen Henson authored
-
- Nov 12, 2013
-
-
Andy Polyakov authored
PR: 3165 Submitted by: Daniel Richard G. (cherry picked from commit 2df9ec01) (cherry picked from commit 0de70011)
-
Andy Polyakov authored
PR: 3165 (cherry picked from commit 220d1e53)
-
Andy Polyakov authored
PR: 3165 (cherry picked from commit d1cf23ac)
-
- Nov 11, 2013
-
-
Dr. Stephen Henson authored
(cherry picked from commit 16bc45ba)
-
Dr. Stephen Henson authored
(cherry picked from commit 5c50462e)
-
- Nov 10, 2013
-
-
Andy Polyakov authored
(cherry picked from commit 60adefa6)
-
- Nov 09, 2013
-
-
Dr. Stephen Henson authored
(cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)
-
Dr. Stephen Henson authored
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)
-
- Nov 08, 2013
-
-
Andy Polyakov authored
Original definition depended on __LONG_MAX__ that is not guaranteed to be present. As we don't support platforms with int narrower that 32 bits it's appropriate to make defition inconditional. PR: 3165 (cherry picked from commit 96180cac)
-
Andy Polyakov authored
PR: 3165 (cherry picked from commit d24d1d7d)
-
- Nov 06, 2013
-
-
Dr. Stephen Henson authored
Enable PSK ciphersuites with AES or DES3 in FIPS mode. (cherry picked from commit e0ffd129)
-
Dr. Stephen Henson authored
(cherry picked from commit a4947e4e)
-
- Nov 03, 2013
-
-
Ben Laurie authored
<christian@python.org>.
-
- Nov 01, 2013
-
-
Robin Seggelmann authored
PR: 2808 With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and FORWARD-TSN chunks. The key for this extension is derived from the master secret and changed with the next ChangeCipherSpec, whenever a new key has been negotiated. The following Finished then already uses the new key. Unfortunately, the ChangeCipherSpec and Finished are part of the same flight as the ClientKeyExchange, which is necessary for the computation of the new secret. Hence, these messages are sent immediately following each other, leaving the server very little time to compute the new secret and pass it to SCTP before the finished arrives. So the Finished is likely to be discarded by SCTP and a retransmission becomes necessary. To prevent this issue, the Finished of the client is still sent with the old key. (cherry picked from commit 9fb523ad) (cherry picked from commit b9ef52b0)
-
Robin Seggelmann authored
PR: 2809 DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with SCTP-AUTH. It is checked if this has been activated successfully for the local and remote peer. Due to a bug, however, the gauth_number_of_chunks field of the authchunks struct is missing on FreeBSD, and was therefore not considered in the OpenSSL implementation. This patch sets the corresponding pointer for the check correctly whether or not this bug is present. (cherry picked from commit f596e3c4) (cherry picked from commit b8140811)
-
- Oct 20, 2013
-
-
Nick Mathewson authored
-
Dr. Stephen Henson authored
Since the TLS 1.2 supported signature algorithms extension is less sophisticaed in OpenSSL 1.0.1 this has to be done in two stages. RSA+MD5 is removed from supported signature algorithms extension: any compliant implementation should never use RSA+MD5 as a result. To cover the case of a broken implementation using RSA+MD5 anyway disable lookup of MD5 algorithm in TLS 1.2.
-