- 22 1月, 2015 2 次提交
-
-
由 Matt Caswell 提交于
Sometimes it fails to format them very well, and sometimes it corrupts them! This commit moves some particularly problematic ones. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 15 1月, 2015 1 次提交
-
-
由 Rich Salz 提交于
OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO Two typo's on #endif comments fixed: OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 06 1月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
OpenSSL clients would tolerate temporary RSA keys in non-export ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which enabled this server side. Remove both options as they are a protocol violation. Thanks to Karthikeyan Bhargavan for reporting this issue. (CVE-2015-0204) Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 31 12月, 2014 1 次提交
-
-
由 Tim Hudson 提交于
indent will not alter them when reformatting comments Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 19 12月, 2014 1 次提交
-
-
由 Matt Caswell 提交于
Introduce use of DECLARE_DEPRECATED Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 12月, 2014 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 11 12月, 2014 1 次提交
-
-
由 Jonas Maebe 提交于
Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 05 12月, 2014 1 次提交
-
-
由 Emilia Kasper 提交于
Odd-length lists should be rejected everywhere upon parsing. Nevertheless, be extra careful and add guards against off-by-one reads. Also, drive-by replace inexplicable double-negation with an explicit comparison. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 04 12月, 2014 1 次提交
-
-
由 Kurt Roeckx 提交于
The only support for SSLv2 left is receiving a SSLv2 compatible client hello. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 03 12月, 2014 1 次提交
-
-
由 Matt Caswell 提交于
and instead use the value provided by the underlying BIO. Also provide some new DTLS_CTRLs so that the library user can set the mtu without needing to know this constant. These new DTLS_CTRLs provide the capability to set the link level mtu to be used (i.e. including this IP/UDP overhead). The previous DTLS_CTRLs required the library user to subtract this overhead first. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 26 11月, 2014 1 次提交
-
-
由 Matt Caswell 提交于
PR#3574 Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
- 20 11月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3 options for s_client/s_server/ssltest. When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3 options. We should document this somewhere, e.g. wiki, FAQ or manual page. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 19 11月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
The supported signature algorithms extension needs to be processed before the certificate to use is decided and before a cipher is selected (as the set of shared signature algorithms supported may impact the choice). Reviewed-by: NMatt Caswell <matt@openssl.org> (cherry picked from commit 56e8dc542bd693b2dccea8828b3d8e5fc6932d0c) Conflicts: ssl/ssl.h ssl/ssl_err.c
-
- 24 10月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 22 10月, 2014 1 次提交
-
-
由 Bodo Moeller 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 15 10月, 2014 1 次提交
-
-
由 Bodo Moeller 提交于
Reviewed-by: NStephen Henson <steve@openssl.org>
-
- 25 9月, 2014 1 次提交
-
-
由 Rich Salz 提交于
The following #ifdef tests were all removed: __MWERKS__ MAC_OS_pre_X MAC_OS_GUSI_SOURCE MAC_OS_pre_X OPENSSL_SYS_MACINTOSH_CLASSIC OPENSSL_SYS_MACOSX_RHAPSODY Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 29 8月, 2014 7 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Dr. Stephen Henson 提交于
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Dr. Stephen Henson 提交于
Support separate parse and add callback arguments. Add new callback so an application can free extension data. Change return value for send functions so < 0 is an error 0 omits extension and > 0 includes it. This is more consistent with the behaviour of other functions in OpenSSL. Modify parse_cb handling so <= 0 is an error. Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument order consistent. NOTE: these changes WILL break existing code. Remove (now inaccurate) in line documentation. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Dr. Stephen Henson 提交于
Use "parse" and "add" for function and callback names instead of "first" and "second". Change arguments to callback so the extension type is unsigned int and the buffer length is size_t. Note: this *will* break existing code. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reject attempts to use extensions handled internally. Add flags to each extension structure to indicate if an extension has been sent or received. Enforce RFC5246 compliance by rejecting duplicate extensions and unsolicited extensions and only send a server extension if we have sent the corresponding client extension. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Dr. Stephen Henson 提交于
Use the same structure for client and server custom extensions. Add utility functions in new file t1_ext.c. Use new utility functions to handle custom server and client extensions and remove a lot of code duplication. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 22 8月, 2014 1 次提交
-
-
由 Emilia Kasper 提交于
Use existing error code SSL_R_RECORD_TOO_SMALL for too many empty records. For ease of backporting the patch to release branches. Reviewed-by: NBodo Moeller <bodo@openssl.org>
-
- 15 8月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Move custom extension structures from SSL_CTX to CERT structure. This change means the form can be revised in future without binary compatibility issues. Also since CERT is part of SSL structures so per-SSL custom extensions could be supported in future as well as per SSL_CTX. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 09 8月, 2014 1 次提交
-
-
由 Viktor Szakats 提交于
The "unsigned char *d" should be const. Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
-
- 07 8月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Check SRP parameters when they are received so we can send back an appropriate alert. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 25 7月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Don't call internal functions directly call them through SSL_test_functions(). This also makes unit testing work on Windows and platforms that don't export internal functions from shared libraries. By default unit testing is not enabled: it requires the compile time option "enable-unit-test". Reviewed-by: NGeoff Thorpe <geoff@openssl.org>
-
- 05 7月, 2014 1 次提交
-
-
由 Ben Laurie 提交于
-
- 04 7月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
-
- 30 6月, 2014 1 次提交
-
-
由 Ben Laurie 提交于
-
- 09 6月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
SRP ciphersuites do not have no authentication. They have authentication based on SRP. Add new SRP authentication flag and cipher string.
-
- 02 6月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Add TLS padding extension to SSL_OP_ALL so it is used with other "bugs" options and can be turned off. This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient option referring to SSLv2 and SSLREF. PR#3336
-
- 24 5月, 2014 1 次提交
-
-
由 Martin Kaiser 提交于
Add an NSS output format to sess_id to export to export the session id and the master key in NSS keylog format. PR#3352
-
- 28 3月, 2014 3 次提交
-
-
由 Dr. Stephen Henson 提交于
Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of a parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g DH parameters or the peer key size. Documentation to follow...
-
由 Dr. Stephen Henson 提交于
New function ssl_cipher_disabled. Check for disabled client ciphers using ssl_cipher_disabled. New function to return only supported ciphers. New option to ciphers utility to print only supported ciphers.
-
由 Dr. Stephen Henson 提交于
Add auto DH parameter support. This is roughly equivalent to the ECDH auto curve selection but for DH. An application can just call SSL_CTX_set_auto_dh(ctx, 1); and appropriate DH parameters will be used based on the size of the server key. Unlike ECDH there is no way a peer can indicate the range of DH parameters it supports. Some peers cannot handle DH keys larger that 1024 bits for example. In this case if you call: SSL_CTX_set_auto_dh(ctx, 2); Only 1024 bit DH parameters will be used. If the server key is 7680 bits or more in size then 8192 bit DH parameters will be used: these will be *very* slow. The old export ciphersuites aren't supported but those are very insecure anyway.
-
- 27 3月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Don't clear verification errors from the error queue unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set. If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can issue warnings. (cherry picked from commit 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
-