- 08 6月, 2016 7 次提交
-
-
由 Rich Salz 提交于
GH1098: Add X509_get_pathlen() (and a test) GH1097: Add SSL_is_dtls() function. Documented. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Todd Short 提交于
Sessions are stored on the session_ctx, which doesn't change after SSL_set_SSL_CTX(). Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Matt Caswell 提交于
Previously if we received an empty record we just threw it away and ignored it. Really though if we get an empty record of a different content type to what we are expecting then that should be an error, i.e. we should reject out of context empty records. This commit makes the necessary changes to achieve that. RT#4395 Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Matt Caswell 提交于
The number of read pipelines should be reset in the event of reuse of an SSL object. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Alessandro Ghedini 提交于
The tlsext_status_type field in SSL is used by e.g. OpenResty to determine if the client requested the certificate status, but SSL is now opaque. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 04 6月, 2016 2 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
The ssl3_init_finished_mac() function can fail, in which case we need to propagate the error up through the stack. RT#3198 Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 01 6月, 2016 2 次提交
-
-
由 TJ Saunders 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1135)
-
由 TJ Saunders 提交于
accompanying documentation. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1135)
-
- 31 5月, 2016 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 28 5月, 2016 1 次提交
-
-
由 Todd Short 提交于
When setting the certificate chain, if a certificate doesn't pass security checks, then chain may point to a freed STACK_OF(X509) Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 27 5月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Windows was complaining about a unary minus operator being applied to an unsigned type. It did seem to go on and do the right thing anyway, but the code does look a little suspect. This fixes it. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 26 5月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
The ssl3_digest_cached_records() function was failing to handle errors that might be returned from EVP_DigestSignInit() and EVP_DigestSignUpdate(). RT#4180 Reviewed-by: NStephen Henson <steve@openssl.org>
-
- 24 5月, 2016 2 次提交
-
-
由 Rich Salz 提交于
Add script to find unused err/reason codes Remove unused reason codes. Remove entries for unused functions Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 23 5月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
from BoringSSL 306ece31bcaaed49e0240a2e5555f8901ebb2d45 Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 20 5月, 2016 4 次提交
-
-
由 Rich Salz 提交于
Rename sk_xxx to OPENSSL_sk_xxx and _STACK to OPENSSL_STACK Rename lh_xxx API to OPENSSL_LH_xxx and LHASH_NODE to OPENSSL_LH_NODE Make lhash stuff opaque. Use typedefs for function pointers; makes the code simpler. Remove CHECKED_xxx macros. Add documentation; remove old X509-oriented doc. Add API-compat names for entire old API Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
由 Matt Caswell 提交于
In the new state machine if using nbio and we get the header of a handshake message is one record with the body in the next, with an nbio event in the middle, then the connection was failing. This is because s->init_num was getting reset. We should only reset it after we have read the whole message. RT#4394 Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 David Benjamin 提交于
ChangeCipherSpec messages have a defined value. They also may not occur in the middle of a handshake message. The current logic will accept a ChangeCipherSpec with value 2. It also would accept up to three bytes of handshake data before the ChangeCipherSpec which it would discard (because s->init_num gets reset). Instead, require that s->init_num is 0 when a ChangeCipherSpec comes in. RT#4391 Reviewed-by: NAndy Polyakov <appro@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Matt Caswell 提交于
The write BIO for handshake messages is bufferred so that we only write out to the network when we have a complete flight. There was some complexity in the buffering logic so that we switched buffering on and off at various points through out the handshake. The only real reason to do this was historically it complicated the state machine when you wanted to flush because you had to traverse through the "flush" state (in order to cope with NBIO). Where we knew up front that there was only going to be one message in the flight we switched off buffering to avoid that. In the new state machine there is no longer a need for a flush state so it is simpler just to have buffering on for the whole handshake. This also gives us the added benefit that we can simply call flush after every flight even if it only has one message in it. This means that BIO authors can implement their own buffering strategies and not have to be aware of the state of the SSL object (previously they would have to switch off their own buffering during the handshake because they could not rely on a flush being received when they really needed to write data out). This last point addresses GitHub Issue #322. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 19 5月, 2016 2 次提交
-
-
由 Viktor Dukhovni 提交于
Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the chain was not sufficiently verified and would have been rejected with SSL_VERIFY_PEER. To that end when a CT callback returs failure we set the verify result to X509_V_ERR_NO_VALID_SCTS. Note: We only run the CT callback in the first place if the verify result is still X509_V_OK prior to start of the callback. RT #4502 Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Viktor Dukhovni 提交于
Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot continue due to malloc failure. Also, when X509_verify_cert() returns <= 0 make sure that the verification status does not remain X509_V_OK, as a last resort set it it to X509_V_ERR_UNSPECIFIED, just in case some code path returns an error without setting an appropriate value of ctx->error. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 18 5月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 17 5月, 2016 8 次提交
-
-
由 Matt Caswell 提交于
In the SSLV2ClientHello processing code in ssl3_get_record, the value of |num_recs| will always be 0. This isn't obvious from the code so a comment is added to explain it. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Matt Caswell 提交于
The function ssl3_get_record() can obtain multiple records in one go as long as we are set up for pipelining and all the records are app data records. The logic in the while loop which reads in each record is supposed to only continue looping if the last record we read was app data and we have an app data record waiting in the buffer to be processed. It was actually checking that the first record had app data and we have an app data record waiting. This actually amounts to the same thing so wasn't wrong - but it looks a bit odd because it uses the |rr| array without an offset. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Matt Caswell 提交于
Pipelining introduced the concept of multiple records being read in one go. Therefore we work with an array of SSL3_RECORD objects. The pipelining change erroneously made a change in ssl3_get_record() to apply the current record offset to the SSL3_BUFFER we are using for reading. This is wrong - there is only ever one read buffer. This reverts that change. In practice this should make little difference because the code block in question is only ever used when we are processing a single record. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Matt Caswell 提交于
Fix various references to s3_clnt.c and s3_srvr.c which don't exist any more. GitHub Issue #765 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Kurt Roeckx 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> MR: #2153
-
由 TJ Saunders 提交于
This involves providing more session ticket key data, for both the cipher and the digest Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NMatt Caswell <matt@openssl.org> GH: #515, MR: #2153
-
由 TJ Saunders 提交于
Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NMatt Caswell <matt@openssl.org> GH: #515, MR: #2153
-
由 Viktor Dukhovni 提交于
Document thread-safe lock creation Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 16 5月, 2016 4 次提交
-
-
由 Alessandro Ghedini 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 jfigus 提交于
To allow OCSP stapling to work with libcurl. Github PR #200 Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Kazuki Yamaguchi 提交于
Since 50932c4a "PACKETise ServerHello processing", ssl_next_proto_validate() incorrectly allows empty protocol name. draft-agl-tls-nextprotoneg-04[1] says "Implementations MUST ensure that the empty string is not included and that no byte strings are truncated." This patch restores the old correct behavior. [1] https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 FdaSilvaYY 提交于
Add a status return value instead of void. Add some sanity checks on reference counter value. Update the docs. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 14 5月, 2016 1 次提交
-
-
由 Alessandro Ghedini 提交于
The current limit of 2^14 bytes is too low (e.g. RFC 5246 specifies the maximum size of just the extensions field to be 2^16-1), and may cause bogus failures. RT#4063 Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/413)
-
- 13 5月, 2016 1 次提交
-
-
由 David Benjamin 提交于
Per RFC 4507, section 3.3: This message [NewSessionTicket] MUST be sent if the server included a SessionTicket extension in the ServerHello. This message MUST NOT be sent if the server did not include a SessionTicket extension in the ServerHello. The presence of the NewSessionTicket message should be determined entirely from the ServerHello without probing. RT#4389 Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 12 5月, 2016 1 次提交
-
-
由 Dmitry Belyavsky 提交于
RT#4438 Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NStephen Henson <steve@openssl.org>
-