- 10 6月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The return type of BIO_number_read() and BIO_number_written() as well as the corresponding num_read and num_write members in the BIO structure has been changed from unsigned long to uint64_t. On platforms where an unsigned long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is transferred. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 05 6月, 2015 1 次提交
-
-
由 Github User 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 23 5月, 2015 2 次提交
-
-
由 Matt Caswell 提交于
Remove support for the two export grade static DH ciphersuites. These two ciphersuites were newly added (along with a number of other static DH ciphersuites) to 1.0.2. However the two export ones have *never* worked since they were introduced. It seems strange in any case to be adding new export ciphersuites, and given "logjam" it also does not seem correct to fix them. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 20 5月, 2015 1 次提交
-
-
由 Emilia Kasper 提交于
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else. The result: $ openssl s_server -named_curves "auto" This command will negotiate an ECDHE ciphersuite with P-256: $ openssl s_client This command will negotiate P-384: $ openssl s_client -curves "P-384" This command will not negotiate ECDHE because P-224 is disabled with "auto": $ openssl s_client -curves "P-224" Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Update various documentation references to the new TLS_*_method names. Also add a CHANGES entry. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 13 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 03 5月, 2015 1 次提交
-
-
由 Rich Salz 提交于
https://github.com/openssl/openssl/pull/176 (CHANGES) https://rt.openssl.org/Ticket/Display.html?id=3545 (objects.txt) https://rt.openssl.org/Ticket/Display.html?id=3796 (verify.pod) Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 30 4月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 09 4月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Remove CA.sh script and use CA.pl for testing, etc. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 25 3月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The justification for RAND_pseudo_bytes is somewhat dubious, and the reality is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in the default implementation both end up calling ssleay_rand_bytes. Both may return -1 in an error condition. If there is insufficient entropy then both will return 0, but RAND_bytes will additionally add an error to the error queue. They both return 1 on success. Therefore the fundamental difference between the two is that one will add an error to the error queue with insufficient entory whilst the other will not. Frequently there are constructions of this form: if(RAND_pseudo_bytes(...) <= 1) goto err; In the above form insufficient entropy is treated as an error anyway, so RAND_bytes is probably the better form to use. This form is also seen: if(!RAND_pseudo_bytes(...)) goto err; This is technically not correct at all since a -1 return value is incorrectly handled - but this form will also treat insufficient entropy as an error. Within libssl it is required that you have correctly seeded your entropy pool and so there seems little benefit in using RAND_pseudo_bytes. Similarly in libcrypto many operations also require a correctly seeded entropy pool and so in most interesting cases you would be better off using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes being incorrectly used in scenarios where security can be compromised by insufficient entropy. If you are not using the default implementation, then most engines use the same function to implement RAND_bytes and RAND_pseudo_bytes in any case. Given its misuse, limited benefit, and potential to compromise security, RAND_pseudo_bytes has been deprecated. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 24 3月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Start ensuring all OpenSSL "free" routines allow NULL, and remove any if check before calling them. This gets ASN1_OBJECT_free and ASN1_STRING_free. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 19 3月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Resync CHANGES with the latest version from 1.0.2. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 11 3月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Suggested by John Foley <foleyj@cisco.com>. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 03 2月, 2015 2 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Rich Salz 提交于
Includes VMS fixes from Richard. Includes Kurt's destest fixes (RT 1290). Closes tickets 1290 and 1291 Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 01 2月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 24 1月, 2015 3 次提交
-
-
由 Rich Salz 提交于
This removes all code surrounded by '#ifdef undef' One case is left: memmove() replaced by open-coded for loop, in crypto/stack/stack.c That needs further review. Also removed a couple of instances of /* dead code */ if I saw them while doing the main removal. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Andy Polyakov 提交于
If you examine changes, you are likely to wonder "but what about ILP64, elusive as they are, don't they fall victim to 16-bit rationalization?" No, the case was modeled and verified to work. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx Remove MS_STATIC; it's a relic from platforms <32 bits. Reviewed-by: NAndy Polyakov <appro@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 23 1月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Use setbuf(fp, NULL) instead of setvbuf(). This removes some ifdef complexity because all of our platforms support setbuf. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 15 1月, 2015 1 次提交
-
-
由 Rich Salz 提交于
OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO Two typo's on #endif comments fixed: OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 13 1月, 2015 1 次提交
-
-
由 Rich Salz 提交于
This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 12 1月, 2015 1 次提交
-
-
由 Rich Salz 提交于
This commit removes NCR, Tandem, Cray. Regenerates TABLE. Removes another missing BEOS fluff. The last platform remaining on this ticket is WIN16. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 07 1月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 06 1月, 2015 6 次提交
-
-
由 Andy Polyakov 提交于
This is re-commit without unrelated modification. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Andy Polyakov 提交于
This reverts commit 4fec9150. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Andy Polyakov 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
OpenSSL clients would tolerate temporary RSA keys in non-export ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which enabled this server side. Remove both options as they are a protocol violation. Thanks to Karthikeyan Bhargavan for reporting this issue. (CVE-2015-0204) Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Fix bug where an OpenSSL client would accept a handshake using an ephemeral ECDH ciphersuites with the server key exchange message omitted. Thanks to Karthikeyan Bhargavan for reporting this issue. CVE-2014-3572 Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Adam Langley 提交于
when its SSL_CTX is updated. From BoringSSL commit https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3aReviewed-by: NRich Salz <rsalz@openssl.org>
-
- 05 1月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists. 1. Reject signatures with non zero unused bits. If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits. 2. Check certificate algorithm consistency. Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates. 3. Check DSA/ECDSA signatures use DER. Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes). CVE-2014-8275 Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 28 12月, 2014 1 次提交
-
-
由 Rich Salz 提交于
This commit removes DG-UX. It also flushes out some left-behinds in config. And regenerates TABLE from Configure (hadn't been done in awhile). Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 26 12月, 2014 1 次提交
-
-
由 Rich Salz 提交于
This commit removes Sinix/ReliantUNIX RM400 (And a missed piece of BEOS fluff) Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 23 12月, 2014 1 次提交
-
-
由 Rich Salz 提交于
This commit removes MPE/iX Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 22 12月, 2014 1 次提交
-
-
由 Rich Salz 提交于
This commit removes SunOS (a sentimental favorite of mine). Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 20 12月, 2014 1 次提交
-
-
由 Rich Salz 提交于
This commit removes all mention of NeXT and NextStep. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 19 12月, 2014 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
This commit removes Sony NEWS4 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 18 12月, 2014 1 次提交
-
-
由 Rich Salz 提交于
This commit removes BEOS. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-