Skip to content
  1. Nov 13, 2015
  2. Nov 11, 2015
  3. Nov 10, 2015
    • Matt Caswell's avatar
      Stop DTLS servers asking for unsafe legacy renegotiation · d40ec4ab
      Matt Caswell authored
      
      
      If a DTLS client that does not support secure renegotiation connects to an
      OpenSSL DTLS server then, by default, renegotiation is disabled. If a
      server application attempts to initiate a renegotiation then OpenSSL is
      supposed to prevent this. However due to a discrepancy between the TLS and
      DTLS code, the server sends a HelloRequest anyway in DTLS.
      
      This is not a security concern because the handshake will still fail later
      in the process when the client responds with a ClientHello.
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      d40ec4ab
    • Matt Caswell's avatar
      Only call ssl3_init_finished_mac once for DTLS · 15a7164e
      Matt Caswell authored
      
      
      In DTLS if an IO retry occurs during writing of a fragmented ClientHello
      then we can end up reseting the finish mac variables on the retry, which
      causes a handshake failure. We should only reset on the first attempt not
      on retries.
      
      Thanks to BoringSSL for reporting this issue.
      
      RT#4119
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      15a7164e
  4. Nov 09, 2015
  5. Nov 08, 2015
  6. Nov 04, 2015
  7. Nov 02, 2015
  8. Nov 01, 2015
  9. Oct 29, 2015
  10. Oct 23, 2015
  11. Oct 22, 2015
  12. Oct 15, 2015
  13. Oct 14, 2015
  14. Oct 13, 2015
  15. Oct 10, 2015
  16. Oct 08, 2015
    • Matt Caswell's avatar
      Don't treat a bare OCTETSTRING as DigestInfo in int_rsa_verify · 985abd1f
      Matt Caswell authored
      
      
      The function int_rsa_verify is an internal function used for verifying an
      RSA signature. It takes an argument |dtype| which indicates the digest type
      that was used. Dependant on that digest type the processing of the
      signature data will vary. In particular if |dtype == NID_mdc2| and the
      signature data is a bare OCTETSTRING then it is treated differently to the
      default case where the signature data is treated as a DigestInfo (X509_SIG).
      
      Due to a missing "else" keyword the logic actually correctly processes the
      OCTETSTRING format signature first, and then attempts to continue and
      process it as DigestInfo. This will invariably fail because we already know
      that it is a bare OCTETSTRING.
      
      This failure doesn't actualy make a real difference because it ends up at
      the |err| label regardless and still returns a "success" result. This patch
      just cleans things up to make it look a bit more sane.
      
      RT#4076
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit dffe5109)
      985abd1f
    • Richard Levitte's avatar
      When ENGINE_add finds that id or name is missing, actually return · b0042479
      Richard Levitte authored
      
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (cherry picked from commit 5850cc75)
      b0042479
  17. Oct 07, 2015
  18. Oct 06, 2015
  19. Oct 05, 2015
  20. Oct 03, 2015
  21. Sep 29, 2015
  22. Sep 28, 2015
    • Emilia Kasper's avatar
      RT2772: accept empty SessionTicket · 21b538d6
      Emilia Kasper authored
      
      
      RFC 5077 section 3.3 says: If the server determines that it does not
      want to include a ticket after it has included the SessionTicket
      extension in the ServerHello, then it sends a zero-length ticket in the
      NewSessionTicket handshake message.
      
      Previously the client would fail upon attempting to allocate a
      zero-length buffer. Now, we have the client ignore the empty ticket and
      keep the existing session.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      21b538d6