- 08 3月, 2016 5 次提交
-
-
由 Matt Caswell 提交于
Document the new split_send_frag, max_pipelines and read_buf options. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
Previously s_client and s_server relied on using SSL_pending() which does not take into account read_ahead. For read pipelining to work, read_ahead gets set automatically. Therefore s_client and s_server have been converted to use SSL_has_pending() instead. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
This capability is required for read pipelining. We will only read in as many records as will fit in the read buffer (and the network can provide in one go). The bigger the buffer the more records we can process in parallel. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
Add the options min_send_frag and max_pipelines to s_server and s_client in order to control pipelining capabilities. This will only have an effect if a pipeline capable cipher is used (such as the one provided by the dasync engine). Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Rich Salz 提交于
This replaces SHUTDOWN/SHUTDOWN2 with BIO_closesocket. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 01 3月, 2016 1 次提交
-
-
由 J Mohan Rao Arisankala 提交于
in s_server cmd: specifying -trace option, falls through and turn-on security_debug Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 28 2月, 2016 3 次提交
-
-
由 J Mohan Rao Arisankala 提交于
Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 J Mohan Rao Arisankala 提交于
- srtp_profiles variable is defined when building with SRTP, keeping the variable usage also under ifndef OPENSSL_NO_SRTP - alpn help option was kept under ifndef OPENSSL_NO_SRTP Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Now that BIO_sock_nbio is available, use it in the apps. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 25 2月, 2016 2 次提交
-
-
由 Emilia Kasper 提交于
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. Specifically, SRP servers that configure a secret seed to hide valid login information are vulnerable to a memory leak: an attacker connecting with an invalid username can cause a memory leak of around 300 bytes per connection. Servers that do not configure SRP, or configure SRP but do not configure a seed are not vulnerable. In Apache, the seed directive is known as SSLSRPUnknownUserSeed. To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong guarantees about the indistinguishability of valid and invalid logins. In particular, computations are currently not carried out in constant time. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Flavio Medeiros 提交于
This is also RT 4137 Signed-off-by: NRich Salz <rsalz@akamai.com> Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 23 2月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 17 2月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 15 2月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
On some platforms, the implementation is such that a signed char triggers a warning when used with is*() functions. On others, the behavior is outright buggy when presented with a char that happens to get promoted to a negative integer. The safest thing is to cast the char that's used to an unsigned char. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 09 2月, 2016 3 次提交
-
-
由 A J Mohan Rao 提交于
* added missing help option messages * ecdh_single option is removed as it is a no-op and not an option supported in earlier versions * ssl_ctx_security_debug() was invoked before ctx check for NULL * trusted_first option can be removed, as it is always enabled in 1.1. But not removed the option, require confirmation. Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Matt Caswell 提交于
This builds on the previous commit to auto initialise/deinitialise libcrypto. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Dr. Stephen Henson 提交于
Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a real function. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 06 2月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
The DTLSv1_listen function exposed details of the underlying BIO abstraction and did not properly allow for IPv6. This commit changes the "peer" argument to be a BIO_ADDR and makes it a first class function (rather than a ctrl) to ensure proper type checking. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 04 2月, 2016 2 次提交
-
-
由 Richard Levitte 提交于
s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default |host| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the |family| parameter. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
由 Richard Levitte 提交于
The control commands that previously took a struct sockaddr * have been changed to take a BIO_ADDR * instead. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 01 2月, 2016 1 次提交
-
-
由 Emilia Kasper 提交于
PACKET contents should be read-only. To achieve this, also - constify two user callbacks - constify BUF_reverse. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 21 1月, 2016 1 次提交
-
-
由 Viktor Dukhovni 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 19 1月, 2016 1 次提交
-
-
由 Viktor Dukhovni 提交于
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just TLS 1.2. In the future they might want to disable TLS 1.2 and enable just TLS 1.3, ... This commit makes it possible to disable any or all of the TLS or DTLS protocols. It also considerably simplifies the SSL/TLS tests, by auto-generating the min/max version tests based on the set of supported protocols (425 explicitly written out tests got replaced by two loops that generate all 425 tests if all protocols are enabled, fewer otherwise). Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 15 1月, 2016 1 次提交
-
-
由 Rich Salz 提交于
It turns out that -pause calls the undocumented function SSL_set_debug. That just sets flag inside the SSL structure. That flag, despite the command is never used. So remove the flag, the field, and the function. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 22 12月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 17 12月, 2015 2 次提交
-
-
由 Ben Laurie 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Rich Salz 提交于
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} Add #define's for the old names. Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 15 12月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
s_server was trying to set the ECDH curve when no-ec was defined. This also highlighted the fact that the -no_ecdhe option to s_server is broken, and doesn't make any sense any more (ECDHE is on by default and the only way it can be disabled is through the cipherstring). Therefore this commit removes the option. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 12 12月, 2015 1 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 06 12月, 2015 1 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> MR: #364
-
- 21 11月, 2015 9 次提交
-
-
由 Matt Caswell 提交于
In theory the pthreads approach for Thread Local Storage should be more portable. This also changes some APIs in order to accommodate this change. In particular ASYNC_init_pool is renamed ASYNC_init_thread and ASYNC_free_pool is renamed ASYNC_cleanup_thread. Also introduced ASYNC_init and ASYNC_cleanup. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
s_server already had the ability to wait on an async file descriptor. This adds it to s_client too. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
0 is a valid file descriptor so SSL_get_async_wait_fd should instead return -1 on error. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
If an async event occurs during a renegotiation in SSL_read then s_server was looping around, detecting we were in init and calling init_ssl_connection instead of re-calling SSL_read. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Implement the ASYNC_JOB as a local thread pool. Remove the API support for global pools. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Initial API implemented for notifying applications that an ASYNC_JOB has completed. Currently only s_server is using this. The Dummy Async engine "cheats" in that it notifies that it has completed *before* it pauses the job. A normal async engine would not do that. Only the posix version of this has been implemented so far, so it will probably fail to compile on Windows at the moment. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
It is expensive to create the ASYNC_JOB objects due to the "makecontext" call. This change adds support for pools of ASYNC_JOB objects so that we don't have to create a new ASYNC_JOB every time we want to use one. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
The s_server option -WWW was not async aware, and therefore was not handling SSL_ERROR_WANT_ASYNC conditions. This commit fixes that. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
A new -async option is added which activates SSL_MODE_ASYNC. Also SSL_WANT_ASYNC errors are handled appropriately. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 10 11月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
continue on from previous commits but in the apps directory Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-