Matt Caswell 
							
						 
					 
					
						
						
							
						
						02f0c26cea 
					 
					
						
						
							
							Re-align some comments after running the reformat script.  
						
						... 
						
						
						
						This should be a one off operation (subsequent invokation of the
script should not move them)
This commit is for the 0.9.8 changes
Reviewed-by: Tim Hudson <tjh@openssl.org > 
						
						
					 
					
						2015-01-22 09:53:07 +00:00 
						 
				 
			
				
					
						
							
							
								Matt Caswell 
							
						 
					 
					
						
						
							
						
						40720ce3ca 
					 
					
						
						
							
							Run util/openssl-format-source -v -c .  
						
						... 
						
						
						
						Reviewed-by: Tim Hudson <tjh@openssl.org > 
						
						
					 
					
						2015-01-22 09:52:55 +00:00 
						 
				 
			
				
					
						
							
							
								Tim Hudson 
							
						 
					 
					
						
						
							
						
						b558c8d597 
					 
					
						
						
							
							mark all block comments that need format preserving so that  
						
						... 
						
						
						
						indent will not alter them when reformatting comments
(cherry picked from commit 1d97c84351tjh@openssl.org > 
						
						
					 
					
						2015-01-22 09:48:44 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						2ed80d14d7 
					 
					
						
						
							
							Fix for session tickets memory leak.  
						
						... 
						
						
						
						CVE-2014-3567
Reviewed-by: Rich Salz <rsalz@openssl.org >
Reviewed-by: Matt Caswell <matt@openssl.org >
(cherry picked from commit 90e53055939db40cf0fac1ad0c59630280aeee86) 
						
						
					 
					
						2014-10-15 08:46:57 -04:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						9e6857a358 
					 
					
						
						
							
							Fix memory leak.  
						
						... 
						
						
						
						PR#2531.
(cherry picked from commit 59899c4d1b 
						
						
					 
					
						2014-06-29 13:54:21 +01:00 
						 
				 
			
				
					
						
							
							
								Rob Stradling 
							
						 
					 
					
						
						
							
						
						a4bfeff254 
					 
					
						
						
							
							Tidy up comments.  
						
						
						
						
					 
					
						2013-10-04 14:55:01 +01:00 
						 
				 
			
				
					
						
							
							
								Rob Stradling 
							
						 
					 
					
						
						
							
						
						43433b3852 
					 
					
						
						
							
							Use TLS version supplied by client when fingerprinting Safari.  
						
						
						
						
					 
					
						2013-10-04 14:55:01 +01:00 
						 
				 
			
				
					
						
							
							
								Rob Stradling 
							
						 
					 
					
						
						
							
						
						cadbbd51c8 
					 
					
						
						
							
							Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.  
						
						... 
						
						
						
						OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers. 
						
						
					 
					
						2013-10-04 14:55:01 +01:00 
						 
				 
			
				
					
						
							
							
								Ben Laurie 
							
						 
					 
					
						
						
							
						
						2708813166 
					 
					
						
						
							
							Add and use a constant-time memcmp.  
						
						... 
						
						
						
						This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a 
						
						
					 
					
						2013-02-05 16:50:32 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						71a2440ee5 
					 
					
						
						
							
							backport OCSP fix enhancement  
						
						
						
						
					 
					
						2012-10-05 13:02:31 +00:00 
						 
				 
			
				
					
						
							
							
								Ben Laurie 
							
						 
					 
					
						
						
							
						
						48bcdad0d5 
					 
					
						
						
							
							Backport OCSP fix.  
						
						
						
						
					 
					
						2012-10-05 12:50:24 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						0c214e0153 
					 
					
						
						
							
							Submitted by: Adam Langley <agl@chromium.org>  
						
						... 
						
						
						
						Reviewed by: steve
Fix memory leaks. 
						
						
					 
					
						2012-01-04 14:25:10 +00:00 
						 
				 
			
				
					
						
							
							
								Bodo Möller 
							
						 
					 
					
						
						
							
						
						957ebe98fb 
					 
					
						
						
							
							OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)  
						
						... 
						
						
						
						Submitted by: Neel Mehta, Adam Langley, Bodo Moeller 
						
						
					 
					
						2011-02-08 17:10:47 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						2ae47ddbc2 
					 
					
						
						
							
							fix CVE-2010-3864  
						
						
						
						
					 
					
						2010-11-16 14:26:18 +00:00 
						 
				 
			
				
					
						
							
							
								Ben Laurie 
							
						 
					 
					
						
						
							
						
						d886975835 
					 
					
						
						
							
							Fix gcc 4.6 warnings. Check TLS server hello extension length.  
						
						
						
						
					 
					
						2010-06-12 13:18:58 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						442ac8d259 
					 
					
						
						
							
							Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as  
						
						... 
						
						
						
						initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway. 
						
						
					 
					
						2010-02-17 18:37:47 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						3798a4d059 
					 
					
						
						
							
							Simplify RI+SCSV logic:  
						
						... 
						
						
						
						1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating. 
						
						
					 
					
						2010-01-07 19:09:32 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						98809a1458 
					 
					
						
						
							
							Alert to use is now defined in spec: update code  
						
						
						
						
					 
					
						2009-12-17 15:42:25 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						ccc3df8c33 
					 
					
						
						
							
							New option to enable/disable connection to unpatched servers  
						
						
						
						
					 
					
						2009-12-16 20:34:20 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						593a6dbe19 
					 
					
						
						
							
							add another missed case  
						
						
						
						
					 
					
						2009-12-14 01:32:47 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						efbe446f1a 
					 
					
						
						
							
							simplify RI error code and catch extra error case ignored before  
						
						
						
						
					 
					
						2009-12-14 01:28:51 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						725745d105 
					 
					
						
						
							
							Allow initial connection (but no renegoriation) to servers which don't support  
						
						... 
						
						
						
						RI. 
						
						
					 
					
						2009-12-14 01:09:01 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						7a014dceb6 
					 
					
						
						
							
							Add support for magic cipher suite value (MCSV). Make secure renegotiation  
						
						... 
						
						
						
						work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.
NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.
Change mismatch alerts to handshake_failure as required by spec.
Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set. 
						
						
					 
					
						2009-12-08 13:15:38 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						b14713c231 
					 
					
						
						
							
							Include a more meaningful error message when rejecting legacy renegotiation  
						
						
						
						
					 
					
						2009-11-18 14:24:00 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						af13c50d51 
					 
					
						
						
							
							Fix wrong function codes and duplicate codes  
						
						
						
						
					 
					
						2009-11-09 18:21:57 +00:00 
						 
				 
			
				
					
						
							
							
								Ben Laurie 
							
						 
					 
					
						
						
							
						
						c2b78c31d6 
					 
					
						
						
							
							First cut of renegotiation extension.  
						
						
						
						
					 
					
						2009-11-08 14:51:54 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						a1dc0336dd 
					 
					
						
						
							
							Re-revert (re-insert?) temporary change that made renegotiation work again  
						
						... 
						
						
						
						and add a proper fix: specifically if it is a new session don't send the old
TLS ticket, send a zero length ticket to request a new session. 
						
						
					 
					
						2009-11-08 14:30:22 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						2a8834cf89 
					 
					
						
						
							
							Fix stateless session resumption so it can coexist with SNI  
						
						
						
						
					 
					
						2009-10-30 13:28:07 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						197ab47bdd 
					 
					
						
						
							
							PR: 2028  
						
						... 
						
						
						
						Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de >
Approved by: steve@openssl.org 
Fix DTLS cookie management bugs. 
						
						
					 
					
						2009-09-04 17:53:30 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						5d577d7eb0 
					 
					
						
						
							
							Update from 1.0.0-stable.  
						
						
						
						
					 
					
						2009-04-28 22:02:16 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						8f59c61d1d 
					 
					
						
						
							
							If tickets disabled behave as if no ticket received to support  
						
						... 
						
						
						
						stateful resume. 
						
						
					 
					
						2008-09-03 22:13:04 +00:00 
						 
				 
			
				
					
						
							
							
								Mark J. Cox 
							
						 
					 
					
						
						
							
						
						d3b3a6d389 
					 
					
						
						
							
							Fix double-free in TLS server name extensions which could lead to a remote  
						
						... 
						
						
						
						crash found by Codenomicon TLS test suite (CVE-2008-0891)
Reviewed by: openssl-security@openssl.org 
Obtained from: jorton@redhat.com  
						
						
					 
					
						2008-05-28 07:26:33 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						db533c96e3 
					 
					
						
						
							
							TLS ticket key setting callback: this allows and application to set  
						
						... 
						
						
						
						its own TLS ticket keys. 
						
						
					 
					
						2008-04-30 16:11:33 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						5f95651316 
					 
					
						
						
							
							Ensure the ticket expected flag is reset when a stateless resumption is  
						
						... 
						
						
						
						successful. 
						
						
					 
					
						2007-10-18 11:39:11 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						a523276786 
					 
					
						
						
							
							Backport certificate status request TLS extension support to 0.9.8.  
						
						
						
						
					 
					
						2007-10-12 00:00:36 +00:00 
						 
				 
			
				
					
						
							
							
								Bodo Möller 
							
						 
					 
					
						
						
							
						
						4ab0088bfe 
					 
					
						
						
							
							More changes from HEAD:  
						
						... 
						
						
						
						- no need to disable SSL 2.0 for SSL_CTRL_SET_TLSEXT_HOSTNAME
  now that ssl23_client_hello takes care of that
- fix buffer overrun checks in ssl_add_serverhello_tlsext() 
						
						
					 
					
						2007-09-21 14:05:08 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						3bd1690bfb 
					 
					
						
						
							
							Fixes from HEAD.  
						
						
						
						
					 
					
						2007-09-21 13:40:51 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						afdbadc704 
					 
					
						
						
							
							Update from HEAD.  
						
						
						
						
					 
					
						2007-08-20 12:44:22 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						865a90eb4f 
					 
					
						
						
							
							Backport of TLS extension code to OpenSSL 0.9.8.  
						
						... 
						
						
						
						Include server name and RFC4507bis support.
This is not compiled in by default and must be explicitly enabled with
the Configure option enable-tlsext 
						
						
					 
					
						2007-08-12 18:59:03 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						4479ce9c1c 
					 
					
						
						
							
							Update from HEAD.  
						
						
						
						
					 
					
						2007-01-21 16:07:25 +00:00 
						 
				 
			
				
					
						
							
							
								Dr. Stephen Henson 
							
						 
					 
					
						
						
							
						
						222f224664 
					 
					
						
						
							
							Initialize SSL_METHOD structures at compile time. This removes the need  
						
						... 
						
						
						
						for locking code. The CRYPTO_LOCK_SSL_METHOD lock is now no longer used. 
						
						
					 
					
						2005-08-05 23:52:08 +00:00 
						 
				 
			
				
					
						
							
							
								Ben Laurie 
							
						 
					 
					
						
						
							
						
						36d16f8ee0 
					 
					
						
						
							
							Add DTLS support.  
						
						
						
						
					 
					
						2005-04-26 16:02:40 +00:00 
						 
				 
			
				
					
						
							
							
								Ben Laurie 
							
						 
					 
					
						
						
							
						
						41a15c4f0f 
					 
					
						
						
							
							Give everything prototypes (well, everything that's actually used).  
						
						
						
						
					 
					
						2005-03-31 09:26:39 +00:00 
						 
				 
			
				
					
						
							
							
								Richard Levitte 
							
						 
					 
					
						
						
							
						
						d3442bc780 
					 
					
						
						
							
							Move the registration of callback functions to special functions  
						
						... 
						
						
						
						designed for that.  This removes the potential error to mix data and
function pointers.
Please note that I'm a little unsure how incorrect calls to the old
ctrl functions should be handled, in som cases.  I currently return 0
and that's it, but it may be more correct to generate a genuine error
in those cases. 
						
						
					 
					
						2000-02-20 23:43:02 +00:00 
						 
				 
			
				
					
						
							
							
								Ulf Möller 
							
						 
					 
					
						
						
							
						
						9d1a01be8f 
					 
					
						
						
							
							Source code cleanups: Use void * rather than char * in lhash,  
						
						... 
						
						
						
						eliminate some of the -Wcast-qual warnings (debug-ben-strict target) 
						
						
					 
					
						2000-01-30 22:20:28 +00:00 
						 
				 
			
				
					
						
							
							
								Ulf Möller 
							
						 
					 
					
						
						
							
						
						de808df47b 
					 
					
						
						
							
							Cosmetic changes.  
						
						
						
						
					 
					
						1999-09-29 22:14:47 +00:00 
						 
				 
			
				
					
						
							
							
								Bodo Möller 
							
						 
					 
					
						
						
							
						
						ec577822f9 
					 
					
						
						
							
							Change #include filenames from <foo.h> to <openssl.h>.  
						
						... 
						
						
						
						Submitted by:
Reviewed by:
PR: 
						
						
					 
					
						1999-04-23 22:13:45 +00:00 
						 
				 
			
				
					
						
							
							
								Ulf Möller 
							
						 
					 
					
						
						
							
						
						6b691a5c85 
					 
					
						
						
							
							Change functions to ANSI C.  
						
						
						
						
					 
					
						1999-04-19 21:31:43 +00:00 
						 
				 
			
				
					
						
							
							
								Ben Laurie 
							
						 
					 
					
						
						
							
						
						b4cadc6e13 
					 
					
						
						
							
							Fix security hole.  
						
						
						
						
					 
					
						1999-03-22 12:22:14 +00:00 
						 
				 
			
				
					
						
							
							
								Ralf S. Engelschall 
							
						 
					 
					
						
						
							
						
						9cb0969f65 
					 
					
						
						
							
							Fix version stuff:  
						
						... 
						
						
						
						1. The already released version was 0.9.1c and not 0.9.1b
2. The next release should be 0.9.2 and not 0.9.1d, because
   first the changes are already too large, second we should avoid any more
   0.9.1x confusions and third, the Apache version semantics of
   VERSION.REVISION.PATCHLEVEL for the version string is reasonable (and here
   .2 is already just a patchlevel and not major change).
tVS: ---------------------------------------------------------------------- 
						
						
					 
					
						1998-12-31 09:36:40 +00:00