- 14 11月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
This disables some ciphersuites which aren't supported in SSL v3: specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC. Thanks to the Open Crypto Audit Project for identifying this issue. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 10 11月, 2015 2 次提交
-
-
由 Matt Caswell 提交于
The function tls1_get_curvelist() has an explicit check to see if s->cert is NULL or not. However the check appears *after* calling the tls1_suiteb macro which derefs s->cert. In reality s->cert can never be NULL because it is created in SSL_new(). If the malloc fails then the SSL_new call fails and no SSL object is created. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x| for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise the approach in libssl. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 08 11月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 02 11月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
This OPENSSL_assert in (d)tls1_hearbeat is trivially always going to be true because it is testing the sum of values that have been set as constants just a few lines above and nothing has changed them. Therefore remove this. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 30 10月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The SSL variable |in_handshake| seems misplaced. It would be better to have it in the STATEM structure. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 24 10月, 2015 1 次提交
-
-
由 Alessandro Ghedini 提交于
RT#4081 Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 07 10月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The function ssl_check_for_safari fingerprints the incoming extensions to see whether it is one of the broken versions of safari. However it was failing to reset the PACKET back to the same position it started in, hence causing some extensions to be skipped incorrectly. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 06 10月, 2015 2 次提交
-
-
由 Alessandro Ghedini 提交于
RT#4069 Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Emilia Kasper 提交于
Move all packet parsing to the beginning of the method. This limits the SSLv2 compatibility soup to the parsing, and makes the rest of the processing uniform. This is also needed for simpler EMS support: EMS servers need to do an early scan for EMS to make resumption decisions. This'll be easier when the entire ClientHello is parsed in the beginning. As a side effect, 1) PACKETize ssl_get_prev_session and tls1_process_ticket; and 2) Delete dead code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 18 9月, 2015 1 次提交
-
-
由 Emilia Kasper 提交于
The bookmark API results in a lot of boilerplate error checking that can be much more easily achieved with a simple struct copy. It also lays the path for removing the third PACKET field. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 07 9月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Process ServerHello messages using the PACKET API Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 15 8月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Commit 9ceb2426 (PACKETise ClientHello) broke session tickets by failing to detect the session ticket extension in an incoming ClientHello. This commit fixes the bug. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 14 8月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Enhance the PACKET code readability, and fix a stale comment. Thanks to Ben Kaduk (bkaduk@akamai.com) for pointing this out. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 11 8月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Especially since after the #ifdef cleanups this is not useful. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 03 8月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Uses the new PACKET code to process the incoming ClientHello including all extensions etc. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 30 7月, 2015 3 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 28 7月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 18 7月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 12 6月, 2015 1 次提交
-
-
由 Adam Langley 提交于
It is valid for an extension block to be present in a ClientHello, but to be of zero length. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 10 6月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
This adds additional checks to the processing of extensions in a ClientHello to ensure that either no extensions are present, or if they are then they take up the exact amount of space expected. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: NStephen Henson <steve@openssl.org>
-
- 05 6月, 2015 1 次提交
-
-
由 Kurt Roeckx 提交于
At least in the case of SSLv3 we can't send an extention. Reviewed-by: NMatt Caswell <matt@openssl.org> MR #811
-
- 26 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The size of the SRP extension can never be negative (the variable |size| is unsigned). Therefore don't check if it is less than zero. RT#3862 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 23 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Given the pervasive nature of TLS extensions it is inadvisable to run OpenSSL without support for them. It also means that maintaining the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably not well tested). Therefore it is being removed. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 20 5月, 2015 1 次提交
-
-
由 Emilia Kasper 提交于
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else. The result: $ openssl s_server -named_curves "auto" This command will negotiate an ECDHE ciphersuite with P-256: $ openssl s_client This command will negotiate P-384: $ openssl s_client -curves "P-384" This command will not negotiate ECDHE because P-224 is disabled with "auto": $ openssl s_client -curves "P-224" Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 19 5月, 2015 4 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Dr. Stephen Henson 提交于
Move per-connection state out of the CERT structure: which should just be for shared configuration data (e.g. certificates to use). In particular move temporary premaster secret, raw ciphers, peer signature algorithms and shared signature algorithms. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Following the version negotiation rewrite all of the previous code that was dedicated to version negotiation can now be deleted - all six source files of it!! Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 13 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Remove RFC2712 Kerberos support from libssl. This code and the associated standard is no longer considered fit-for-purpose. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 07 5月, 2015 1 次提交
-
-
由 Rich Salz 提交于
For the various string-compare routines (strcmp, strcasecmp, str.*cmp) use "strcmp()==0" instead of "!strcmp()" Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 06 5月, 2015 1 次提交
-
-
由 Gunnar Kudrjavets 提交于
Compiling OpenSSL code with MSVC and /W4 results in a number of warnings. One category of warnings is particularly interesting - C4701 (potentially uninitialized local variable 'name' used). This warning pretty much means that there's a code path which results in uninitialized variables being used or returned. Depending on compiler, its options, OS, values in registers and/or stack, the results can be nondeterministic. Cases like this are very hard to debug so it's rational to fix these issues. This patch contains a set of trivial fixes for all the C4701 warnings (just initializing variables to 0 or NULL or appropriate error code) to make sure that deterministic values will be returned from all the execution paths. RT#3835 Signed-off-by: NMatt Caswell <matt@openssl.org> Matt's note: All of these appear to be bogus warnings, i.e. there isn't actually a code path where an unitialised variable could be used - its just that the compiler hasn't been able to figure that out from the logic. So this commit is just about silencing spurious warnings. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 03 5月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Add OSSL_NELEM macro to e_os.h to determine the number of elements in an array. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 01 5月, 2015 2 次提交
-
-
由 Rich Salz 提交于
Don't check for NULL before calling OPENSSL_free Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Don't check for NULL before calling a free routine. This gets X509_.*free: x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free X509_STORE_free X509_STORE_CTX_free X509_PKEY_free X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 17 4月, 2015 1 次提交
-
-
由 Viktor Dukhovni 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 26 3月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-