- 29 1月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
A new return value for DH_check_pub_key was recently added: DH_CHECK_PUBKEY_INVALID. As this is a flag which can be ORed with other return values it should have been set to the value 4 not 3. RT#4278 Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 28 1月, 2016 5 次提交
-
-
由 Matt Caswell 提交于
Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same DH exponent. A simple mitigation is to ensure that y^q (mod p) == 1 CVE-2016-0701 Issue reported by Antonio Sanso. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Rich Salz 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Rich Salz 提交于
Also turn B<foo> into foo() in the pod page. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Rich Salz 提交于
Many options for supporting optimizations for legacy crypto on legacy platforms have been removed. This simplifies the source code and does not really penalize anyone. DES_PTR (always on) DES_RISC1, DES_RISC2 (always off) DES_INT (always 'unsigned int') DES_UNROLL (always on) BF_PTR (always on) BF_PTR2 (removed) MD2_CHAR, MD2_LONG (always 'unsigned char') IDEA_SHORT, IDEA_LONG (always 'unsigned int') RC2_SHORT, RC2_LONG (always 'unsigned int') RC4_LONG (only int and char (for assembler) are supported) RC4_CHUNK (always long), RC_CHUNK_LL (removed) RC4_INDEX (always on) And also make D_ENCRYPT macro more clear (@appro) This is done in consultation with Andy. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Richard Levitte 提交于
Some files that are automatically generated still had those comments added by the generating scripts. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 27 1月, 2016 1 次提交
-
-
由 Rich Salz 提交于
This was done by the following find . -name '*.[ch]' | /tmp/pl where /tmp/pl is the following three-line script: print unless $. == 1 && m@/\* .*\.[ch] \*/@; close ARGV if eof; # Close file to reset $. And then some hand-editing of other files. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 26 1月, 2016 2 次提交
-
-
由 Matt Caswell 提交于
The SSL and SSL_CTX structures are reference counted. However since libssl was made opaque there is no way for users of the library to manipulate the reference counts. This adds functions to enable that. Reviewed-by: NStephen Henson <steve@openssl.org>
-
由 Richard Levitte 提交于
Now that we're using templates, we should warn people not to edit the resulting file. We do it through util/dofile.pl, which is enhanced with an option to tell what file it was called from. We also change the calls so the template files are on the command line instead of being redirected through standard input. That way, we can display something like this (example taken from include/openssl/opensslconf.h): /* WARNING: do not edit! */ /* Generated by Configure from include/openssl/opensslconf.h.in */ Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 25 1月, 2016 2 次提交
-
-
由 Rich Salz 提交于
Move opensslconf.h.in to include/openssl. Split off DES,BN,RC4 stuff into separate header file templates in crypto/include/internal/*_conf.h.in Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
This is an internal facility, never documented, not for public consumption. Move it into ssl (where it's only used for DTLS). I also made the typedef's for pqueue and pitem follow our style: they name structures, not pointers. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 23 1月, 2016 1 次提交
-
-
由 Michał Trojnara 提交于
Change to reflect changes in dynamic_fns Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 20 1月, 2016 4 次提交
-
-
由 Matt Caswell 提交于
Calling SSL_shutdown while in init previously gave a "1" response, meaning everything was successfully closed down (even though it wasn't). Better is to send our close_notify, but fail when trying to receive one. The problem with doing a shutdown while in the middle of a handshake is that once our close_notify is sent we shouldn't really do anything else (including process handshake/CCS messages) until we've received a close_notify back from the peer. However the peer might send a CCS before acting on our close_notify - so we won't be able to read it because we're not acting on CCS messages! Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
The GOST engine is now out of date and is removed by this commit. An up to date GOST engine is now being maintained in an external repository. See: https://wiki.openssl.org/index.php/BinariesReviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Viktor Dukhovni 提交于
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
- 19 1月, 2016 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Add EVP_PKEY algorithm for TLS1 PRF. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 18 1月, 2016 2 次提交
-
-
由 Corinna Vinschen 提交于
Signed-off-by: NCorinna Vinschen <vinschen@redhat.com> Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
- 17 1月, 2016 2 次提交
-
-
由 Rich Salz 提交于
Author: Remi Gacogne <rgacogne-github@coredump.fr> GH334: Add an OCSP_SINGLERESP_get0_id() accessor to the OCSP_CERTID of a OCSP_SINGLERESP. It is possible to do it the other way around using OCSP_resp_find(), but this is more efficient when you have a tree indexed by OCSP_CERTID, like haproxy does. (This is also RT4251) Author: Marek Klein <kleinmrk@gmail.com> GH556: OCSP_resp_get_produced_at() accessor to the producedAt of a OCSP_BASICRESP GH555: TS_STATUS_INFO_get_status(), TS_STATUS_INFO_get_text() and TS_STATUS_INFO_get_failure_info() accessors for a TS_STATUS_INFO Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 15 1月, 2016 3 次提交
-
-
由 Benjamin Kaduk 提交于
The entropy-gathering daemon is used only on a small number of machines. Provide a configure knob so that EGD support can be disabled by default but re-enabled on those systems that do need it. Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
由 Rich Salz 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Rich Salz 提交于
It turns out that -pause calls the undocumented function SSL_set_debug. That just sets flag inside the SSL structure. That flag, despite the command is never used. So remove the flag, the field, and the function. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 14 1月, 2016 8 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Viktor Dukhovni 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Add CRYPTO_EX_DATA add EndC_KEY_[gs]et_method, From Roumen Petrov. Had to add various exdata calls to init/copy/free the exdata. Had to remove const from some EC functions because exdata isn't const-correct. :( Also remove EC_EXTRA_DATA and use a union to hold the possible pre-computed values and an enum to tell which value is in the union. (Rich Salz) Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
由 Viktor Dukhovni 提交于
For some strange reason opensslconf.h was only defining DES_LONG when included via des.h, but that's exceedingly fragile (as a result of include guards the include via des.h might not actually process the content again). Ripped out the nesting constraint, now always define OSSL_DES_LONG if not already defined. Note, this could just be DES_LONG, but trying to avoid exposing DES_LONG in places where it has never been seen before, so it is up to des.h to actually define DES_LONG as OSSL_DES_LONG. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Viktor Dukhovni 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 13 1月, 2016 4 次提交
-
-
由 Mathias Berchtold 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NStephen Henson <steve@openssl.org>
-
由 Viktor Dukhovni 提交于
Well, I'm not actually changing time_t, just changing how time_t valued opt values are converted from string to time_t. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Viktor Dukhovni 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 12 1月, 2016 3 次提交
-
-
由 Richard Levitte 提交于
The M_EVP_* macros related to EVP_CIPHER / EVP_CIPHER_CTX are not public, and are unused. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-