1. 08 Apr, 2016 3 commits
    • Suppress CT callback as appropriate · 43341433
      Viktor Dukhovni committed
      Suppress CT callbacks with aNULL or PSK ciphersuites that involve
      no certificates.  Ditto when the certificate chain is validated via
      DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
      when the chain fails verification.
      
      Move and consolidate CT callbacks from libcrypto to libssl.  We
      also simplify the interface to SSL_{,CTX_}_enable_ct() which can
      specify either a permissive mode that just collects information or
      a strict mode that requires at least one valid SCT or else asks to
      abort the connection.
      
      Simplified SCT processing and options in s_client(1) which now has
      just a simple pair of "-noct" vs. "-ct" options, the latter enables
      the permissive callback so that we can complete the handshake and
      report all relevant information.  When printing SCTs, print the
      validation status if set and not valid.
      Signed-off-by: Rob Percival <robpercival@google.com>
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix client verify mode to check SSL_VERIFY_PEER · c636c1c4
      Viktor Dukhovni committed
      The original check for != SSL_VERIFY_NONE can give surprising results
      when the SSL_VERIFY_PEER flag is not set, but other flags are.  Note
      that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absence
      of all other flag bits.
      Signed-off-by: Rob Percival <robpercival@google.com>
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix memory leak on invalid CertificateRequest. · 6afef8b1
      David Benjamin committed
      Free up parsed X509_NAME structure if the CertificateRequest message
      contains excess data.
      
      The security impact is considered insignificant. This is a client side
      only leak and a large number of connections to malicious servers would
      be needed to have a significant impact.
      
      This was found by libFuzzer.
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
      Reviewed-by: Stephen Henson <steve@openssl.org>
  2. 07 Apr, 2016 6 commits
  3. 06 Apr, 2016 15 commits
  4. 05 Apr, 2016 16 commits