- 22 4月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
The ocsp.h file did not have appropriate guards causing link failures on Windows. GH Issue 900 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 20 4月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
The Unix build was the last to retain the classic build scheme. The new unified scheme has matured enough, even though some details may need polishing. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 18 4月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Make OBJ_name_cmp internal Rename idea_xxx to IDEA_xxx Rename get_rfc_xxx to BN_get_rfc_xxx Rename v3_addr and v3_asid functions to X509v3_... Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 16 4月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD opaque. Remove unused X509_CERT_FILE_CTX Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
- 14 4月, 2016 3 次提交
-
-
由 Lyon Chen 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
no-sha is no longer an option so remove OPENSSL_NO_SHA guards. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
no-aes is no longer a Configure option and therefore the OPENSSL_NO_AES guards can be removed. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 13 4月, 2016 4 次提交
-
-
由 Matt Caswell 提交于
There is a preference for suffixes to indicate that a function is internal rather than prefixes. Note: the suffix is only required to disambiguate internal functions and public symbols with the same name (but different case) Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
There was a lot of naming inconsistency, so we try and standardise on one form. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
SSL_COMP_free_compression_methods() should not be called expicitly - we should leave auto-deinit to clean this up instead. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
ERR_free_strings() should not be called expicitly - we should leave auto-deinit to clean this up instead. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 11 4月, 2016 3 次提交
-
-
由 Kazuki Yamaguchi 提交于
Add an accessor for SSL_CTX. Since libssl was made opaque, there is no way for users to access the cipher_list, while users can set the cipher_list by SSL_CTX_set_cipher_list(). Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
The function pqueue_print is not exported and is never called. Therefore we should delete it. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Misc fixes to get no-nextprotoneg config option working again. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 09 4月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Move the dh_st structure into an internal header file and provide relevant accessors for the internal fields. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 08 4月, 2016 6 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Andy Polyakov 提交于
Since NDEBUG is defined unconditionally on command line for release builds, we can omit *_DEBUG options in favour of effective "all-on" in debug builds exercised though CI. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Viktor Dukhovni 提交于
Signed-off-by: NRob Percival <robpercival@google.com> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Viktor Dukhovni 提交于
Suppress CT callbacks with aNULL or PSK ciphersuites that involve no certificates. Ditto when the certificate chain is validated via DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing when the chain is fails verification. Move and consolidate CT callbacks from libcrypto to libssl. We also simplify the interface to SSL_{,CTX_}_enable_ct() which can specify either a permissive mode that just collects information or a strict mode that requires at least one valid SCT or else asks to abort the connection. Simplified SCT processing and options in s_client(1) which now has just a simple pair of "-noct" vs. "-ct" options, the latter enables the permissive callback so that we can complete the handshake and report all relevant information. When printing SCTs, print the validation status if set and not valid. Signed-off-by: NRob Percival <robpercival@google.com> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 Viktor Dukhovni 提交于
The original check for != SSL_VERIFY_NONE can give surprising results when flags SSL_VERIFY_PEER is not set, but other flags are. Note that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense of all other flag bits. Signed-off-by: NRob Percival <robpercival@google.com> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
由 David Benjamin 提交于
Free up parsed X509_NAME structure if the CertificateRequest message contains excess data. The security impact is considered insignificant. This is a client side only leak and a large number of connections to malicious servers would be needed to have a significant impact. This was found by libFuzzer. Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NStephen Henson <steve@openssl.org>
-
- 06 4月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Misc fixes for no-ocsp Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 05 4月, 2016 5 次提交
-
-
由 Emilia Kasper 提交于
Currently, SSL tests are configured via command-line switches to ssltest.c. This results in a lot of duplication between ssltest.c and apps, and a complex setup. ssltest.c is also simply old and needs maintenance. Instead, we already have a way to configure SSL servers and clients, so we leverage that. SSL tests can now be configured from a configuration file. Test servers and clients are configured using the standard ssl_conf module. Additional test settings are configured via a test configuration. Moreover, since the CONF language involves unnecessary boilerplate, the test conf itself is generated from a shorter Perl syntax. The generated testcase files are checked in to the repo to make it easier to verify that the intended test cases are in fact run; and to simplify debugging failures. To demonstrate the approach, min/max protocol tests are converted to the new format. This change also fixes MinProtocol and MaxProtocol handling. It was previously requested that an SSL_CTX have both the server and client flags set for these commands; this clearly can never work. Guide to this PR: - test/ssl_test.c - test framework - test/ssl_test_ctx.* - test configuration structure - test/handshake_helper.* - new SSL test handshaking code - test/ssl-tests/ - test configurations - test/generate_ssl_tests.pl - script for generating CONF-style test configurations from perl inputs Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
This reverts commit 620d540b. It wasn't reviewed. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
This reverts commit 2b0bcfaf. It wasn't reviewed. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 FdaSilvaYY 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 FdaSilvaYY 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 03 4月, 2016 1 次提交
-
-
由 Viktor Dukhovni 提交于
A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
- 01 4月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 31 3月, 2016 1 次提交
-
-
由 Pauli 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 30 3月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Move the the BIO_METHOD and BIO structures into internal header files, provide appropriate accessor methods and update all internal code to use the new accessors where appropriate. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 28 3月, 2016 2 次提交
-
-
由 David Benjamin 提交于
Session resumption involves a version check, so version negotiation must happen first. Currently, the DTLS implementation cannot do session resumption in DTLS 1.0 because the ssl_version check always checks against 1.2. Switching the order also removes the need to fixup ssl_version in DTLS version negotiation. Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NViktor Dukhovni <viktor@openssl.org> RT: #4392, MR: #2452
-
由 Fedor Indutny 提交于
We now send the highest supported version by the client, even if the session uses an older version. This fixes 2 problems: - When you try to reuse a session but the other side doesn't reuse it and uses a different protocol version the connection will fail. - When you're trying to reuse a session with an old version you might be stuck trying to reuse the old version while both sides support a newer version Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NViktor Dukhovni <viktor@openssl.org> GH: #852, MR: #2452
-
- 23 3月, 2016 1 次提交
-
-
由 Kurt Roeckx 提交于
algo_strength contains 2 parts that need to be checked by their own. Reviewed-by: NViktor Dukhovni <viktor@openssl.org> MR: #2082
-
- 22 3月, 2016 3 次提交
-
-
由 Ben Laurie 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 David Benjamin 提交于
BIO_new, etc., don't need a non-const BIO_METHOD. This allows all the built-in method tables to live in .rodata. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Misc fixes for no-sock Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 21 3月, 2016 3 次提交
-
-
由 Richard Levitte 提交于
This removes all scripts that deal with MINFO as well, since that's only used by mk1mf. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Todd Short 提交于
* Clear proposed, along with selected, before looking at ClientHello * Add test case for above * Clear NPN seen after selecting ALPN on server * Minor documentation updates Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Don't have #error statements in header files, but instead wrap the contents of that file in #ifndef OPENSSL_NO_xxx This means it is now always safe to include the header file. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-