- 30 1月, 2017 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2259)
-
- 25 1月, 2017 1 次提交
-
-
由 Todd Short 提交于
Remove duplicate defines from EVP source files. Most of them were in evp.h, which is always included. Add new ones evp_int.h EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is now always defined in evp.h, so remove conditionals on it Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2201)
-
- 11 1月, 2017 2 次提交
-
-
由 Matt Caswell 提交于
TLSv1.3 freezes the record layer version and ensures that it is always set to TLSv1.0. Some implementations check this. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2157)
-
由 Matt Caswell 提交于
We can't handle these messages yet, so ignore them for now. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2157)
-
- 10 1月, 2017 1 次提交
-
-
由 Matt Caswell 提交于
Otherwise the client will try to process it again. The second time around it will try and move the record data into handshake fragment storage and realise that there is no data left. At that point it marks it as read anyway. However, it is a bug that we go around the loop a second time, so we prevent that. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2200)
-
- 12 12月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
SSL_clear() was resetting numwpipes to 0, but not freeing any allocated memory for existing write buffers. Fixes #2026 Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 06 12月, 2016 5 次提交
-
-
由 Matt Caswell 提交于
Improves the readability of the code, and reduces the liklihood of errors. Also made a few minor style changes. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 22 11月, 2016 1 次提交
-
-
由 Kurt Roeckx 提交于
This reverts commit 4880672a. Fixes: #1903 Reviewed-by: NMatt Caswell <matt@openssl.org> GH: #1931
-
- 04 11月, 2016 9 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Travis is reporting one file at a time shadowed variable warnings where "read" has been used. This attempts to go through all of libssl and replace "read" with "readbytes" to fix all the problems in one go. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Travis was failing in some builds due to a bogus complaint about uninit variables. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Previously they return -1 for failure or the size of the mac. But the size was never used anywhere. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Writing still to be done Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 03 11月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but TLS 1.2 says you MUST send an unexpected message alert. We swap to the TLS 1.2 behaviour for all protocol versions to prevent issues where no progress is being made and the peer continually sends unrecognised record types, using up resources processing them. Issue reported by 郭志攀 Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
The function ssl3_read_n() takes a parameter |clearold| which, if set, causes any old data in the read buffer to be forgotten, and any unread data to be moved to the start of the buffer. This is supposed to happen when we first read the record header. However, the data move was only taking place if there was not already sufficient data in the buffer to satisfy the request. If read_ahead is set then the record header could be in the buffer already from when we read the preceding record. So with read_ahead we can get into a situation where even though |clearold| is set, the data does not get moved to the start of the read buffer when we read the record header. This means there is insufficient room in the read buffer to consume the rest of the record body, resulting in an internal error. This commit moves the |clearold| processing to earlier in ssl3_read_n() to ensure that it always takes place. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 28 10月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
A zero return from BIO_read()/BIO_write() could mean that an IO operation is retryable. A zero return from SSL_read()/SSL_write() means that the connection has been closed down (either cleanly or not). Therefore we should not propagate a zero return value from BIO_read()/BIO_write() back up the stack to SSL_read()/SSL_write(). This could result in a retryable failure being treated as fatal. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 22 9月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
If while calling SSL_peek() we read an empty record then we go into an infinite loop, continually trying to read data from the empty record and never making any progress. This could be exploited by a malicious peer in a Denial Of Service attack. CVE-2016-6305 GitHub Issue #1563 Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
Certain warning alerts are ignored if they are received. This can mean that no progress will be made if one peer continually sends those warning alerts. Implement a count so that we abort the connection if we receive too many. Issue reported by Shi Lei. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 9月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
This reverts commit 77a6be4d. There were some unexpected side effects to this commit, e.g. in SSLv3 a warning alert gets sent "no_certificate" if a client does not send a Certificate during Client Auth. With the above commit this causes the connection to abort, which is incorrect. There may be some other edge cases like this so we need to have a rethink on this. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 13 9月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
A peer continually sending unrecognised warning alerts could mean that we make no progress on a connection. We should abort rather than continuing if we receive an unrecognised warning alert. Thanks to Shi Lei for reporting this issue. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 24 8月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
It is never valid to call ssl3_read_bytes with type == SSL3_RT_CHANGE_CIPHER_SPEC, and in fact we check for valid values for type near the beginning of the function. Therefore this check will never be true and can be removed. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 18 8月, 2016 1 次提交
-
-
由 Emilia Kasper 提交于
Run util/openssl-format-source on ssl/ Some comments and hand-formatted tables were fixed up manually by disabling auto-formatting. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 8月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Matt Caswell 提交于
Feedback on the previous SSLv2 ClientHello processing fix was that it breaks layering by reading init_num in the record layer. It also does not detect if there was a previous non-fatal warning. This is an alternative approach that directly tracks in the record layer whether this is the first record. GitHub Issue #1298 Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 30 7月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
The MULTIBLOCK code uses a "jumbo" sized write buffer which it allocates and then frees later. Pipelining however introduced multiple pipelines. It keeps track of how many pipelines are initialised using numwpipes. Unfortunately the MULTIBLOCK code was not updating this when in deallocated its buffers, leading to a buffer being marked as initialised but set to NULL. RT#4618 Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 20 7月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
Fix some indentation at the same time Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1292)
-
- 29 6月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
Reviewed-by: NAndy Polyakov <appro@openssl.org> Reviewed-by: NKurt Roeckx <kurt@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1264)
-
- 27 6月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
In some situations (such as when we receive a fragment of an alert) we try to get the next packet but did not mark the current one as read, meaning that we got the same record back again - leading to an infinite loop. Found using the BoringSSL test suite. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 08 6月, 2016 3 次提交
-
-
由 Todd Short 提交于
Sessions are stored on the session_ctx, which doesn't change after SSL_set_SSL_CTX(). Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Matt Caswell 提交于
Previously if we received an empty record we just threw it away and ignored it. Really though if we get an empty record of a different content type to what we are expecting then that should be an error, i.e. we should reject out of context empty records. This commit makes the necessary changes to achieve that. RT#4395 Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Matt Caswell 提交于
The number of read pipelines should be reset in the event of reuse of an SSL object. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 27 5月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Windows was complaining about a unary minus operator being applied to an unsigned type. It did seem to go on and do the right thing anyway, but the code does look a little suspect. This fixes it. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-