1. 08 3月, 2016 19 次提交
  2. 07 3月, 2016 1 次提交
    • E
      Rework the default cipherlist. · a556f342
      Emilia Kasper 提交于
       - Always prefer forward-secure handshakes.
       - Consistently order ECDSA above RSA.
       - Next, always prefer AEADs to non-AEADs, irrespective of strength.
       - Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
       - Prefer TLS v1.2 ciphers to legacy ciphers.
       - Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
         list to reduce ClientHello bloat.
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      a556f342
  3. 05 3月, 2016 1 次提交
  4. 04 3月, 2016 3 次提交
  5. 03 3月, 2016 3 次提交
  6. 29 2月, 2016 2 次提交
    • M
      Refactor the async wait fd logic · ff75a257
      Matt Caswell 提交于
      Implementation experience has shown that the original plan for async wait
      fds was too simplistic. Originally the async logic created a pipe internally
      and user/engine code could then get access to it via API calls. It is more
      flexible if the engine is able to create its own fd and provide it to the
      async code.
      
      Another issue is that there can be a lot of churn in the fd value within
      the context of (say) a single SSL connection leading to continually adding
      and removing fds from (say) epoll. It is better if we can provide some
      stability of the fd value across a whole SSL connection. This is
      problematic because an engine has no concept of an SSL connection.
      
      This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
      proxy for an SSL connection down at the engine layer.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      ff75a257
    • D
      TLS support for X25519 · 1db3107a
      Dr. Stephen Henson 提交于
      Add X25519 to TLS supported curve list.
      Reject attempts to configure keys which cannot be used
      for signing.
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      1db3107a
  7. 26 2月, 2016 1 次提交
  8. 25 2月, 2016 2 次提交
  9. 24 2月, 2016 2 次提交
  10. 23 2月, 2016 1 次提交
  11. 20 2月, 2016 2 次提交
    • R
      Always build library object files with shared library cflags · 45502bfe
      Richard Levitte 提交于
      This takes us away from the idea that we know exactly how our static
      libraries are going to get used.  Instead, we make them available to
      build shareable things with, be it other shared libraries or DSOs.
      
      On the other hand, we also have greater control of when the shared
      library cflags.  They will never be used with object files meant got
      binaries, such as apps/openssl or test/test*.
      
      With unified, we take this a bit further and prepare for having to
      deal with extra cflags specifically to be used with DSOs (dynamic
      engines), libraries and binaries (applications).
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      45502bfe
    • E
      TLS: reject duplicate extensions · aa474d1f
      Emilia Kasper 提交于
      Adapted from BoringSSL. Added a test.
      
      The extension parsing code is already attempting to already handle this for
      some individual extensions, but it is doing so inconsistently. Duplicate
      efforts in individual extension parsing will be cleaned up in a follow-up.
      Reviewed-by: NStephen Henson <steve@openssl.org>
      aa474d1f
  12. 19 2月, 2016 3 次提交
    • R
      Remove all special make depend flags, as well as OPENSSL_DOING_MAKEDEPEND · ce192ebe
      Richard Levitte 提交于
      All those flags existed because we had all the dependencies versioned
      in the repository, and wanted to have it be consistent, no matter what
      the local configuration was.  Now that the dependencies are gone from
      the versioned Makefile.ins, it makes much more sense to use the exact
      same flags as when compiling the object files.
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      ce192ebe
    • R
      Fix {TLS,CIPHER}_DEBUG compiles. · d1776fde
      Rich Salz 提交于
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      d1776fde
    • R
      Remove outdated DEBUG flags. · d63a5e5e
      Rich Salz 提交于
      Add -DBIO_DEBUG to --strict-warnings.
      Remove comments about outdated debugging ifdef guards.
      Remove md_rand ifdef guarding an assert; it doesn't seem used.
      Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
      For pkcs12 stuff put OPENSSL_ in front of the macro name.
      Merge TLS_DEBUG into SSL_DEBUG.
      Various things just turned on/off asserts, mainly for checking non-NULL
      arguments, which is now removed: camellia, bn_ctx, crypto/modes.
      Remove some old debug code, that basically just printed things to stderr:
        DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
        RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
      Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      d63a5e5e