path: root/ssl/ssl3.h

Commit log for ssl/ssl3.h. Each entry: commit message, then author, date, files changed, lines removed/added.

* Remove SGC restart flag.
  Dr. Stephen Henson, 2015-01-02, 1 file, -10/+0
  Reviewed-by: Matt Caswell <matt@openssl.org>

* Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset once the ChangeCipherSpec message is received.
  Emilia Kasper, 2014-11-20, 1 file, -3/+10
  Previously, the server would set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED. This would allow a second CCS to arrive and would corrupt the server state. (Because the first CCS would latch the correct keys and subsequent CCS messages would have to be encrypted, a MitM attacker cannot exploit this, though.)
  Thanks to Joeri de Ruiter for reporting this issue.
  Reviewed-by: Matt Caswell <matt@openssl.org>

* Support TLS_FALLBACK_SCSV.
  Bodo Moeller, 2014-10-15, 1 file, -1/+6
  Reviewed-by: Stephen Henson <steve@openssl.org>

* Remove serverinfo checks.
  Dr. Stephen Henson, 2014-08-28, 1 file, -6/+0
  Since sanity checks are performed for all custom extensions the serverinfo checks are no longer needed.
  Reviewed-by: Emilia Käsper <emilia@openssl.org>

* Remove all RFC5878 code.
  Dr. Stephen Henson, 2014-07-04, 1 file, -19/+0
  Remove RFC5878 code. It is no longer needed for CT and has numerous bugs.

* Update value to use a free bit.
  Dr. Stephen Henson, 2014-06-05, 1 file, -1/+1

* Fix for CVE-2014-0224
  Dr. Stephen Henson, 2014-06-05, 1 file, -0/+1
  Only accept change cipher spec when it is expected instead of at any time. This prevents premature setting of session keys before the master secret is determined which an attacker could use as a MITM attack.
  Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue and providing the initial fix this patch is based on.
  (cherry picked from commit bc8923b1ec9c467755cd86f7848c50ee8812e441)

* Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.
  Scott Deboy, 2014-02-05, 1 file, -6/+4
  If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.
  Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.

* Support retries in certificate callback
  Dr. Stephen Henson, 2014-01-26, 1 file, -0/+1

* Replace EDH-RSA-DES-CBC-SHA, etc. with DHE-RSA-DES-CBC-SHA
  Daniel Kahn Gillmor, 2014-01-09, 1 file, -0/+11
  Replace the full ciphersuites with "EDH-" in their labels with "DHE-" so that all DHE ciphersuites are referred to in the same way. Leave backward-compatible aliases for the ciphersuites in question so that configurations which specify these explicitly will continue working.

* change SSL3_CK_EDH_* to SSL_CK_DHE_* (with backward-compatibility)
  Daniel Kahn Gillmor, 2014-01-09, 1 file, -6/+12
  This change normalizes the SSL_CK_DHE_ #defines to use the common term "DHE", while permitting older code that uses the more uncommon "EDH" constants to compile properly.

* Fix compilation with no-nextprotoneg.
  Piotr Sikora, 2013-11-14, 1 file, -1/+1
  PR#3106

* Tidy up comments.
  Rob Stradling, 2013-09-13, 1 file, -2/+2

* Experimental encrypt-then-mac support.
  Dr. Stephen Henson, 2013-09-08, 1 file, -0/+2
  Experimental support for encrypt then mac from draft-gutmann-tls-encrypt-then-mac-02.txt
  To enable it set the appropriate extension number (0x10 for the test server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10
  For non-compliant peers (i.e. just about everything) this should have no effect.

* Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
  Scott Deboy, 2013-09-06, 1 file, -18/+18
  Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
  Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
  Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

* Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
  Rob Stradling, 2013-09-05, 1 file, -0/+8
  OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.

* Support ALPN.
  Adam Langley, 2013-07-22, 1 file, -1/+11
  This change adds support for ALPN[1] in OpenSSL. ALPN is the IETF blessed version of NPN and we'll be supporting both ALPN and NPN for some time yet.
  [1] https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-00
  Conflicts:
    ssl/ssl3.h
    ssl/t1_lib.c

* Add support for arbitrary TLS extensions.
  Trevor, 2013-06-12, 1 file, -0/+9
  Contributed by Trevor Perrin.

* DTLS revision.
  Dr. Stephen Henson, 2013-03-18, 1 file, -0/+2
  Revise DTLS code. There was a *lot* of code duplication in the DTLS code that generates records. This makes it harder to maintain and sometimes a TLS update is omitted by accident from the DTLS code.
  Specifically almost all of the record generation functions have code like this:

    some_pointer = buffer + HANDSHAKE_HEADER_LENGTH;
    ... Record creation stuff ...
    set_handshake_header(ssl, SSL_MT_SOMETHING, message_len);
    ...
    write_handshake_message(ssl);

  Where the "Record creation stuff" is identical between SSL/TLS and DTLS or in some cases has very minor differences.
  By adding a few fields to SSL3_ENC to include the header length, some flags and function pointers for handshake header setting and handshake writing the code can cope with both cases.
  Note: although this passes "make test" and some simple DTLS tests there may be some minor differences in the DTLS code that have to be accounted for.

* ssl/*: revert "remove SSL_RECORD->orig_len" and merge "fix IV".
  Andy Polyakov, 2013-02-08, 1 file, -0/+4
  Revert is appropriate because binary compatibility is not an issue in 1.1.

* ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
  Andy Polyakov, 2013-02-06, 1 file, -4/+0
  Kludge alert. This is arranged by passing padding length in unused bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
  (cherry picked from commit 8bfd4c659f180a6ce34f21c0e62956b362067fba)

* Make CBC decoding constant time.
  Ben Laurie, 2013-02-06, 1 file, -0/+4
  This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack.
  This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code.
  In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
  (cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)

* send out the raw SSL/TLS headers to the msg_callback and display them in SSL_trace
  Dr. Stephen Henson, 2012-12-07, 1 file, -0/+3

* New compile time option OPENSSL_SSL_TRACE_CRYPTO, when set this passes all derived keys to the message callback.
  Dr. Stephen Henson, 2012-08-28, 1 file, -0/+14
  Add code to SSL_trace to include support for printing out keys.

* Version skew reduction: trivia (I hope).
  Ben Laurie, 2012-06-03, 1 file, -2/+1

* RFC 5878 support.
  Ben Laurie, 2012-05-30, 1 file, -1/+21

* ABI compliance fixes.
  Dr. Stephen Henson, 2012-02-22, 1 file, -6/+6
  Move new structure fields to end of structures.

* oops, revert unrelated changes
  Dr. Stephen Henson, 2012-02-09, 1 file, -2/+1

* Modify client hello version when renegotiating to enhance interop with some servers.
  Dr. Stephen Henson, 2012-02-09, 1 file, -1/+2

* Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
  Dr. Stephen Henson, 2012-01-04, 1 file, -0/+11

* oops, revert wrong patch
  Dr. Stephen Henson, 2012-01-03, 1 file, -11/+0

* only send heartbeat extension from server if client sent one
  Dr. Stephen Henson, 2012-01-03, 1 file, -0/+11

* PR: 2658
  Dr. Stephen Henson, 2011-12-31, 1 file, -0/+4
  Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
  Reviewed by: steve
  Support for TLS/DTLS heartbeats.

* PR: 2535
  Dr. Stephen Henson, 2011-12-25, 1 file, -0/+8
  Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
  Reviewed by: steve
  Add SCTP support for DTLS (RFC 6083).

* PR: 1794
  Dr. Stephen Henson, 2011-11-25, 1 file, -2/+0
  Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
  Reviewed by: steve
  Make SRP conformant to rfc 5054. Changes are:
  - removal of the addition state after client hello
  - removal of all pre-rfc srp alert ids
  - sending a fatal alert when there is no srp extension but when the server wants SRP
  - removal of unnecessary code in the client.

* PR: 2295
  Dr. Stephen Henson, 2011-05-20, 1 file, -0/+1
  Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
  Reviewed by: steve
  OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code elimination.

* Initial incomplete TLS v1.2 support. New ciphersuites added, new version checking added, SHA256 PRF support added.
  Dr. Stephen Henson, 2011-04-29, 1 file, -1/+1
  At present only RSA key exchange ciphersuites work with TLS v1.2 as the new signature format is not yet implemented.

* Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN all ssl related structures are opaque and internals cannot be directly accessed.
  Dr. Stephen Henson, 2011-04-29, 1 file, -0/+7
  Many applications will need some modification to support this and most likely some additional functions added to OpenSSL.
  The advantage of this option is that any application supporting it will still be binary compatible if SSL structures change.

* Add SRP support.
  Ben Laurie, 2011-03-12, 1 file, -0/+2

* Fixes to NPN from Adam Langley.
  Ben Laurie, 2010-09-05, 1 file, -4/+4

* Add Next Protocol Negotiation.
  Ben Laurie, 2010-07-28, 1 file, -0/+17

* oops
  Dr. Stephen Henson, 2010-01-20, 1 file, -13/+0

* update NEWS file
  Dr. Stephen Henson, 2010-01-20, 1 file, -0/+13

* Updates to conform with draft-ietf-tls-renegotiation-03.txt:
  Dr. Stephen Henson, 2010-01-06, 1 file, -4/+2
  1. Add provisional SCSV value.
  2. Don't send SCSV and RI at same time.
  3. Fatal error if SCSV received when renegotiating.

* Update RI to match latest spec.
  Dr. Stephen Henson, 2009-12-27, 1 file, -2/+2
  MCSV is now called SCSV.
  Don't send SCSV if renegotiating.
  Also note if RI is empty in debug messages.

* New option to enable/disable connection to unpatched servers
  Dr. Stephen Henson, 2009-12-16, 1 file, -0/+2

* Add support for magic cipher suite value (MCSV). Make secure renegotiation work in SSLv3: initial handshake has no extensions but includes MCSV, if server indicates RI support then renegotiation handshakes include RI.
  Dr. Stephen Henson, 2009-12-08, 1 file, -0/+3
  NB: current MCSV value is bogus for testing only, will be updated when we have an official value.
  Change mismatch alerts to handshake_failure as required by spec.
  Also have some debugging fprintfs so we can clearly see what is going on if OPENSSL_RI_DEBUG is set.

* First cut of renegotiation extension. (port to HEAD)
  Dr. Stephen Henson, 2009-11-09, 1 file, -0/+6

* Submitted by: Artem Chuprina <ran@cryptocom.ru>
  Dr. Stephen Henson, 2009-06-16, 1 file, -0/+1
  Reviewed by: steve@openssl.org
  Various GOST ciphersuite and ENGINE fixes. Including...
  Allow EVP_PKEY_set_derive_peerkey() in encryption operations.
  New flag when certificate verify should be omitted in client key exchange.

* Update from 1.0.0-stable.
  Dr. Stephen Henson, 2009-05-28, 1 file, -1/+1