- 10 5月, 2016 1 次提交
-
-
由 David Benjamin 提交于
Per RFC 5246, Note: this extension is not meaningful for TLS versions prior to 1.2. Clients MUST NOT offer it if they are offering prior versions. However, even if clients do offer it, the rules specified in [TLSEXT] require servers to ignore extensions they do not understand. Although second sentence would suggest that there would be no interop problems in always offering the extension, WebRTC has reported issues with Bouncy Castle on < TLS 1.2 ClientHellos that still include signature_algorithms. See also https://bugs.chromium.org/p/webrtc/issues/detail?id=4223 RT#4390 Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NStephen Henson <steve@openssl.org>
-
- 29 4月, 2016 1 次提交
-
-
由 FdaSilvaYY 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/952)
-
- 22 4月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
The ocsp.h file did not have appropriate guards causing link failures on Windows. GH Issue 900 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 18 4月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Make OBJ_name_cmp internal Rename idea_xxx to IDEA_xxx Rename get_rfc_xxx to BN_get_rfc_xxx Rename v3_addr and v3_asid functions to X509v3_... Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 09 4月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Move the dh_st structure into an internal header file and provide relevant accessors for the internal fields. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 06 4月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Misc fixes for no-ocsp Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 05 4月, 2016 2 次提交
-
-
由 Rich Salz 提交于
This reverts commit 620d540b. It wasn't reviewed. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 FdaSilvaYY 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 21 3月, 2016 2 次提交
-
-
由 Todd Short 提交于
* Clear proposed, along with selected, before looking at ClientHello * Add test case for above * Clear NPN seen after selecting ALPN on server * Minor documentation updates Reviewed-by: NEmilia Käsper <emilia@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Don't have #error statements in header files, but instead wrap the contents of that file in #ifndef OPENSSL_NO_xxx This means it is now always safe to include the header file. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 18 3月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
If a call to EVP_DecryptUpdate fails then a memory leak could occur. Ensure that the memory is freed appropriately. Issue reported by Guido Vranken. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 10 3月, 2016 1 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NViktor Dukhovni <viktor@openssl.org> MR: #1595
-
- 08 3月, 2016 1 次提交
-
-
由 Todd Short 提交于
* Perform ALPN after the SNI callback; the SSL_CTX may change due to that processing * Add flags to indicate that we actually sent ALPN, to properly error out if unexpectedly received. * clean up ssl3_free() no need to explicitly clear when doing memset * document ALPN functions Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 04 3月, 2016 2 次提交
-
-
由 Rob Percival 提交于
Disabled by default, but can be enabled by setting the ct_validation_callback on a SSL or SSL_CTX. Reviewed-by: NBen Laurie <ben@openssl.org> Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Change the ECC default curve list to be this, in order: x25519, secp256r1, secp521r1, secp384r1, brainpoolP256r1, brainpoolP384r1, and brainpool512r1. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 03 3月, 2016 1 次提交
-
-
由 Emilia Kasper 提交于
1) Simplify code with better PACKET methods. 2) Make broken SNI parsing explicit. SNI was intended to be extensible to new name types but RFC 4366 defined the syntax inextensibly, and OpenSSL has never parsed SNI in a way that would allow adding a new name type. RFC 6066 fixed the definition but due to broken implementations being widespread, it appears impossible to ever extend SNI. 3) Annotate resumption behaviour. OpenSSL doesn't currently handle all extensions correctly upon resumption. Annotate for further clean-up. 4) Send an alert on ALPN protocol mismatch. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 29 2月, 2016 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Add X25519 to TLS supported curve list. Reject attempts to configure keys which cannot be used for signing. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 20 2月, 2016 1 次提交
-
-
由 Emilia Kasper 提交于
Adapted from BoringSSL. Added a test. The extension parsing code is already attempting to already handle this for some individual extensions, but it is doing so inconsistently. Duplicate efforts in individual extension parsing will be cleaned up in a follow-up. Reviewed-by: NStephen Henson <steve@openssl.org>
-
- 19 2月, 2016 1 次提交
-
-
由 Rich Salz 提交于
Add -DBIO_DEBUG to --strict-warnings. Remove comments about outdated debugging ifdef guards. Remove md_rand ifdef guarding an assert; it doesn't seem used. Remove the conf guards in conf_api since we use OPENSSL_assert, not assert. For pkcs12 stuff put OPENSSL_ in front of the macro name. Merge TLS_DEBUG into SSL_DEBUG. Various things just turned on/off asserts, mainly for checking non-NULL arguments, which is now removed: camellia, bn_ctx, crypto/modes. Remove some old debug code, that basically just printed things to stderr: DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG, RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG. Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 18 2月, 2016 1 次提交
-
-
由 Matt Caswell 提交于
Certain code paths in tls_decrypt_ticket could return early without first freeing the HMAC_CTX or the EVP_CIPHER_CTX. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 2月, 2016 3 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 12 2月, 2016 3 次提交
-
-
由 Dr. Stephen Henson 提交于
Remove support for static ECDH ciphersuites. They require ECDH keys in certificates and don't support forward secrecy. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
To enable heartbeats for DTLS, configure with enable-heartbeats. Heartbeats for TLS have been completely removed. This addresses RT 3647 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 01 2月, 2016 1 次提交
-
-
由 Emilia Kasper 提交于
PACKET contents should be read-only. To achieve this, also - constify two user callbacks - constify BUF_reverse. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 27 1月, 2016 1 次提交
-
-
由 Rich Salz 提交于
This was done by the following find . -name '*.[ch]' | /tmp/pl where /tmp/pl is the following three-line script: print unless $. == 1 && m@/\* .*\.[ch] \*/@; close ARGV if eof; # Close file to reset $. And then some hand-editing of other files. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 20 1月, 2016 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 12 1月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 08 1月, 2016 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 02 1月, 2016 1 次提交
-
-
由 Viktor Dukhovni 提交于
The protocol selection code is now consolidated in a few consecutive short functions in a single file and is table driven. Protocol-specific constraints that influence negotiation are moved into the flags field of the method structure. The same protocol version constraints are now applied in all code paths. It is now much easier to add new protocol versions without reworking the protocol selection logic. In the presence of "holes" in the list of enabled client protocols we no longer select client protocols below the hole based on a subset of the constraints and then fail shortly after when it is found that these don't meet the remaining constraints (suiteb, FIPS, security level, ...). Ideally, with the new min/max controls users will be less likely to create "holes" in the first place. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 01 1月, 2016 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 30 12月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
If DSA parameters are absent return -1 (for unknown) in DSA_security_bits. If parameters are absent when a certificate is set in an SSL/SSL_CTX structure this will reject the certificate by default. This will cause DSA certificates which omit parameters to be rejected but that is never (?) done in practice. Thanks to Brian 'geeknik' Carpenter for reporting this issue. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 28 12月, 2015 3 次提交
-
-
由 Matt Caswell 提交于
Move all calls of the OCSP callback into one place, rather than repeating it in two different places. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Matt Caswell 提交于
It makes no sense to call the OCSP status callback if we are resuming a session because no certificates will be sent. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Matt Caswell 提交于
If a server sends the status_request extension then it may choose to send the CertificateStatus message. However this is optional. We were treating it as mandatory and the connection was failing. Thanks to BoringSSL for reporting this issue. RT#4120 Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 20 12月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Remove all fixed DH ciphersuites and associated logic. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 17 12月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} Add #define's for the old names. Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 10 12月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
If the call to OBJ_find_sigid_by_algs fails to find the relevant NID then we should set the NID to NID_undef. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-