Commit Graph

573 Commits

Author SHA1 Message Date
Lutz Jänicke
8ec16ce711 Really fix SSLv2 session ID handling
PR: 377
2003-01-15 09:51:22 +00:00
Lutz Jänicke
21cde7a41c Fix wrong handling of session ID in SSLv2 client code.
PR: 377
2002-12-29 20:59:35 +00:00
Richard Levitte
5e42f9ab46 make update 2002-12-29 01:38:15 +00:00
Lutz Jänicke
ea8e0cc7c2 Some more adjustments
Submitted by: Jeffrey Altman <jaltman@columbia.edu>, "Kenneth R. Robinette" <support@securenetterm.com>
2002-12-24 21:55:57 +00:00
Richard Levitte
8d6ad9e39d Stop a possible memory leak.
(I wonder why s2_connect() handles the initial buffer allocation slightly
differently...)
PR: 416
2002-12-21 23:49:21 +00:00
Lutz Jänicke
1004c99c29 Fix Kerberos5/SSL interaction
Submitted by: "Kenneth R. Robinette" <support@securenetterm.com>
Reviewed by:
PR:
2002-12-20 12:48:00 +00:00
Richard Levitte
9cd16b1dea We stupidly had a separate LIBKRB5 variable for KRB5 library dependencies,
and then didn't support it very well.  And that when there already is a
useful variable for exactly this kind of thing; EX_LIBS...
2002-12-19 22:10:12 +00:00
Richard Levitte
09867a47a4 If _XOPEN_SOURCE_EXTENDED or _XOPEN_SOURCE are defined, _POSIX_C_SOURCE gets
defined in DECC$TYPES.H.  If _POSIX_C_SOURCE is defined, certain types do
not get defined (u_char, u_int, ...).  DECC.H gets included by assert.h
and others.  Now, in6.h uses the types u_char, u_int and so on, and gets
included as part of other header inclusions, and will of course fail because
of the missing types.

On the other hand, _XOPEN_SOURCE_EXTENDED is needed to get gethostname()
properly declared...

Solution: define _XOPEN_SOURCE_EXTENDED much later, so DECC$TYPES.H has
a chance to be included *first*, so the otherwise missing types get defined
properly.

Personal: *mumble* *mumble*
2002-12-19 19:39:30 +00:00
Richard Levitte
f70ddce761 Protect loading routines with a lock.
PR: 373
2002-12-16 06:06:03 +00:00
Geoff Thorpe
e9224c7177 This is a first-cut at improving the callback mechanisms used in
key-generation and prime-checking functions. Rather than explicitly passing
callback functions and caller-defined context data for the callbacks, a new
structure BN_GENCB is defined that encapsulates this; a pointer to the
structure is passed to all such functions instead.

This wrapper structure allows the encapsulation of "old" and "new" style
callbacks - "new" callbacks return a boolean result on the understanding
that returning FALSE should terminate keygen/primality processing.  The
BN_GENCB abstraction will allow future callback modifications without
needing to break binary compatibility nor change the API function
prototypes. The new API functions have been given names ending in "_ex" and
the old functions are implemented as wrappers to the new ones.  The
OPENSSL_NO_DEPRECATED symbol has been introduced so that, if defined,
declaration of the older functions will be skipped. NB: Some
openssl-internal code will stick with the older callbacks for now, so
appropriate "#undef" logic will be put in place - this is in case the user
is *building* openssl (rather than *including* its headers) with this
symbol defined.

There is another change in the new _ex functions; the key-generation
functions do not return key structures but operate on structures passed by
the caller, the return value is a boolean. This will allow for a smoother
transition to having key-generation as "virtual function" in the various
***_METHOD tables.
2002-12-08 05:24:31 +00:00
Geoff Thorpe
e90e719739 Fix a warning, and do some constification as a lucky side-effect :-) 2002-12-08 05:19:43 +00:00
Richard Levitte
7ba666fa0e Since it's defined in draft-ietf-tls-compression-04.txt, let's make
ZLIB a known compression method, with the identity 1.
2002-12-08 02:41:11 +00:00
Richard Levitte
4fbe40c54f gethostname() is more a BSD feature than an XOPEN one.
PR: 379
2002-12-04 22:48:01 +00:00
Richard Levitte
e7a285694e define USE_SOCKETS so sys/param.h gets included (and thusly, MAXHOSTNAMELEN
gets defined).
PR: 371
2002-12-02 22:49:02 +00:00
Richard Levitte
43d601641f A few more memset()s converted to OPENSSL_cleanse().
I *think* I got them all covered by now, bu please, if you find any more,
tell me and I'll correct it.
PR: 343
2002-11-29 11:30:45 +00:00
Richard Levitte
55f78baf32 Have all tests use EXIT() to exit rather than exit(), since the latter doesn't
always give the expected result on some platforms.
2002-11-28 18:54:30 +00:00
Richard Levitte
4579924b7e Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
Richard Levitte
31be2daa06 Small bugfixes to the KSSL implementation.
PR: 349
2002-11-26 10:09:36 +00:00
Richard Levitte
d020e701bb Typo. OPENSSL_NO_ECDH, not NO_OPENSSL_ECDH 2002-11-22 08:40:34 +00:00
Lutz Jänicke
6a8afe2201 Fix bug introduced by the attempt to fix client side external session
caching (#288): now internal caching failed (#351):
Make sure, that cipher_id is set before comparing.
Submitted by:
Reviewed by:
PR: 288 (and 351)
2002-11-20 10:48:58 +00:00
Bodo Möller
1e3a9b650f allocate bio_err before memory debugging is enabled to avoid memory leaks
(we can't release it before the CRYPTO_mem_leaks() call!)

Submitted by: Nils Larsch
2002-11-19 11:56:05 +00:00
Richard Levitte
0bf23d9b20 WinCE patches 2002-11-15 22:37:18 +00:00
Lutz Jänicke
c566205319 The pointer to the cipher object is not yet set, when session was reloaded
from external cache (using d2i_SSL_SESSION). Perform comparison based on
the cipher's id instead.
Submitted by: Steve Haslam <araqnid@innocent.com>
Reviewed by:
PR: 288
2002-11-15 10:53:33 +00:00
Richard Levitte
0a5942093e We need to read one more byte of the REQUEST-CERTIFICATE message.
PR: 300
2002-11-15 09:15:55 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Bodo Möller
896e4fef30 avoid Purify warnings
Submitted by: Nils Larsch
2002-11-05 13:54:41 +00:00
Bodo Möller
5e3247d8bc fix typo 2002-11-05 10:54:40 +00:00
Richard Levitte
b6d0defb98 Remove all referenses to RSAref, since that's been gone for more than
a year.
2002-10-31 16:46:52 +00:00
Bodo Möller
259cdf2af9 Sun has agreed to removing the covenant language from most files.
Submitted by: Sheueling Chang <Sheueling.Chang@Sun.COM>
2002-10-29 10:59:32 +00:00
Geoff Thorpe
e0db2eed8d Correct and enhance the behaviour of "internal" session caching as it
relates to SSL_CTX flags and the use of "external" session caching. The
existing flag, "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP" remains but is
supplemented with a complimentary flag, "SSL_SESS_CACHE_NO_INTERNAL_STORE".
The bitwise OR of the two flags is also defined as
"SSL_SESS_CACHE_NO_INTERNAL" and is the flag that should be used by most
applications wanting to implement session caching *entirely* by its own
provided callbacks. As the documented behaviour contradicted actual
behaviour up until recently, and since that point behaviour has itself been
inconsistent anyway, this change should not introduce any compatibility
problems. I've adjusted the relevant documentation to elaborate about how
this works.

Kudos to "Nadav Har'El" <nyh@math.technion.ac.il> for diagnosing these
anomalies and testing this patch for correctness.

PR: 311
2002-10-29 00:33:04 +00:00
Bodo Möller
00a357ab20 increase permissible message length so that we can handle
CertificateVerify for 4096 bit RSA signatures
2002-10-28 15:45:51 +00:00
Richard Levitte
28c8a911bd Typos.
PR: 189
2002-10-15 20:30:56 +00:00
Richard Levitte
437d1ed49f Typos.
PR: 189
2002-10-15 20:29:09 +00:00
Richard Levitte
677532629d makedepend complains when a header file is included more than once in
the same source file.
2002-10-14 10:02:36 +00:00
Richard Levitte
ef0baf60aa Typo 2002-10-10 08:32:39 +00:00
Richard Levitte
7ba3a4c3d2 RFC 2712 redefines the codes for use of Kerberos 5 in SSL/TLS.
PR: 189
2002-10-10 07:59:03 +00:00
Richard Levitte
001ab3abad Use double dashes so makedepend doesn't misunderstand the flags we
give it.
For 0.9.7 and up, that means util/domd needs to remove those double
dashes from the argument list when gcc is used to find the
dependencies.
2002-10-09 13:25:12 +00:00
Bodo Möller
929f116733 fix more race conditions
Submitted by: "Patrick McCormick" <patrick@tellme.com>
PR: 262
2002-09-26 15:52:34 +00:00
Lutz Jänicke
ba5ba5490d Add missing brackets.
Submitted by: "Chris Brook" <cbrook@v-one.com>
2002-09-25 20:19:04 +00:00
Bodo Möller
b8565a9af9 really fix race conditions
Submitted by: "Patrick McCormick" <patrick@tellme.com>

PR: 262
PR: 291
2002-09-25 15:38:57 +00:00
Bodo Möller
e78f137899 really fix race condition
PR: 262
2002-09-23 14:25:07 +00:00
Bodo Möller
a4f53a1c73 there is no minimum length for session IDs
PR: 274
2002-09-19 11:44:07 +00:00
Bodo Möller
a90ae02454 fix race condition
PR: 262
2002-09-19 11:26:45 +00:00
Lutz Jänicke
82a20fb0f0 Reorder cleanup sequence in SSL_CTX_free() to leave ex_data for remove_cb().
Submitted by:
Reviewed by:
PR: 212
2002-08-16 17:04:04 +00:00
Bodo Möller
52c29b7b99 use correct function code in error message 2002-08-15 16:17:20 +00:00
Richard Levitte
265e892fed Sometimes, the value of the variable containing the compiler call can
become rather large.  This becomes a problem when the default 1024
character large buffer that WRITE uses isn't enough.  WRITE/SYMBOL
uses a 2048 byte large buffer instead.
2002-08-15 08:28:38 +00:00
Richard Levitte
90f5a2b6fe Instead of returning errors when certain flags are unusable, just ignore them.
That will make the test go through even if DH (or in some cases ECDH) aren't
built into OpenSSL.
PR: 216, part 2
2002-08-14 12:16:27 +00:00
Bodo Möller
aa1e56b0b9 remove comment
Submitted by: Douglas Stebila
2002-08-12 08:54:40 +00:00
Bodo Möller
7ef524ea1c remove debug messages
Submitted by: Douglas Stebila
2002-08-12 08:52:23 +00:00
Bodo Möller
0c7141a343 fix comment
Submitted by: Douglas Stebila
2002-08-12 08:51:30 +00:00