| Age | Commit message (Collapse) | Author |
|---|
|
assembly due to switches between .quad and .zero for structs.
|
|
|
|
for libraries in OpenBSD is to deliberately let NULL pointers cause a SIGSEGV.
ok doug@ jsing@
|
|
|
|
noops around 15 years ago. Remove multiple occurances of both that still
exist in the code today.
|
|
LIBRESSL_INTERNAL - we do not need them any more.
|
|
macros so that the code is visible and functions can be readily located.
Change has been scripted and there is no change to the generated assembly.
Discussed with beck@ miod@ tedu@
|
|
|
|
and functions can be readily located.
Change has been scripted and the generated assembly only differs by changes
to line numbers.
Discussed with beck@ miod@ tedu@
|
|
the IMPLEMENT_ASN1_DUP_FUNCTION macro.
|
|
the code is visible and functions can be readily located.
Change has been scripted and there is no change to the generated assembly.
Discussed with beck@ miod@ tedu@
|
|
and functions can be readily located.
Change has been scripted and the generated assembly only differs by changes
to line numbers.
Discussed with beck@ miod@ tedu@
|
|
code is visible and functions can be readily located.
Change has been scripted and the generated assembly only differs by changes
to line numbers.
Discussed with beck@ miod@ tedu@
|
|
functions can be readily located.
Change has been scripted and there is no change to the generated assembly.
Discussed with beck@ miod@ tedu@
|
|
functions can be readily located.
Change has been scripted and the generated assembly only differs by changes
to line numbers.
Discussed with beck@ miod@ tedu@
|
|
There are currently cases where the return from each call is checked,
the return from only the last call is checked and cases where it is not
checked at all (including code in bn, ec and engine).
Checking the last return value is valid as once the function fails it will
continue to return NULL. However, in order to be consistent check each
call with the same idiom. This makes it easy to verify.
Note there are still a handful of cases that do not follow the idiom -
these will be handled separately.
ok beck@ doug@
|
|
functions can be readily located.
Change has been scripted and the generated assembly only differs by changes
to line numbers.
Discussed with beck@ miod@ tedu@
|
|
OpenBSD does not have SCTP support and it sees little use in the wild.
OPENSSL_NO_SCTP is already specified via opensslfeatures.h, hence this
is a code removal only and symbols should remain unchanged.
ok beck@ miod@ tedu@
|
|
OpenBSD does not have SCTP support and it sees little use in the wild.
OPENSSL_NO_SCTP is already specified via opensslfeatures.h, hence this
is a code removal only and symbols should remain unchanged.
ok beck@ miod@ tedu@
|
|
OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.
However, we should return NULL rather than an empty string when there
are no shared ciphers.
Also, KNF a particularly bad section above here that miod noticed.
Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b
ok miod@
|
|
|
|
clang warns that it is unused and we have -Werror enabled. This test isn't
hooked up to anything yet. We can add it back with a future GOST update.
clang 3.5 can now build libssl and libcrypto as long as you use
CFLAGS=-Wno-pointer-sign.
"seems reasonable" bcook@, miod@
|
|
EC_POINT_is_at_infinity() and EC_POINT_is_on_curve(), for they may return -1
should an error arise.
ok doug@ jsing@
|
|
and get rid of a silly FIXME comment.
ok doug@ jsing@
|
|
ok doug@ jsing@
|
|
Also fix a memory leak in one of the error paths of SMIME_read_ASN1(), spotted
by doug@
tweaks&ok doug@ jsing@
|
|
SHA256 in ssl_get_algorithm2().
From OpenSSL HEAD; ok jsing@
|
|
|
|
|
|
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
|
Apparently "very old" Netscape versions illegally included empty content
and a detached signature. OpenSSL removed the #if 0 that protected
these users and added a new button OPENSSL_DONT_SUPPORT_OLD_NETSCAPE.
It appears to be off by default to keep the hopes and dreams of very old
Netscape users alive. We decided to be rebels and disable support.
If you installed your browser from floppy disks, it's time to upgrade!
Based on OpenSSL commit: 02a938c953b3e1ced71d9a832de1618f907eb96d
ok tedu@, miod@, jsing@
|
|
There are a few instances where #if 1 is removed but the code remains.
Based on the following OpenSSL commits. Some of the commits weren't
strictly deletions so they are going to be split up into separate commits.
6f91b017bbb7140f816721141ac156d1b828a6b3
3d47c1d331fdc7574d2275cda1a630ccdb624b08
dfb56425b68314b2b57e17c82c1df42e7a015132
c8fa2356a00cbaada8963f739e5570298311a060
f16a64d11f55c01f56baa62ebf1dec7f8fe718cb
9ccc00ef6ea65567622e40c49aca43f2c6d79cdb
02a938c953b3e1ced71d9a832de1618f907eb96d
75d0ebef2aef7a2c77b27575b8da898e22f3ccd5
d6fbb194095312f4722c81c9362dbd0de66cb656
6f1a93ad111c7dfe36a09a976c4c009079b19ea1
1a5adcfb5edfe23908b350f8757df405b0f5f71f
8de24b792743d11e1d5a0dcd336a49368750c577
a2b18e657ea1a932d125154f4e13ab2258796d90
8e964419603d2478dfb391c66e7ccb2dcc9776b4
32dfde107636ac9bc62a5b3233fe2a54dbc27008
input + ok jsing@, miod@, tedu@
|
|
message handling routines.
ok miod@
|
|
Requested by deraadt@
|
|
Tag 31 is invalid for a short form identifier octet (single byte).
KNF a little more.
Based on BoringSSL commit 5ba305643f55d37a3e45e8388a36d50c1b2d4ff5
ok miod@
|
|
ok beck@ deraadt@ miod@
|
|
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.
ok doug@
|
|
CBB_init_fixed() should not call free because it can lead to use after
free or double free bugs. The caller should be responsible for
creating and destroying the buffer.
From BoringSSL commit a84f06fc1eee6ea25ce040675fbad72c532afece
miod agrees with the reasoning
ok jsing@, beck@
|
|
retrieved via its cipher suite value. A corresponding SSL_CIPHER_by_value()
function returns the cipher suite value for a given SSL_CIPHER. These
functions should mean that software does not need to resort to
put_cipher_by_char()/get_cipher_by_char() in order to locate a cipher.
Begrudgingly also provide a SSL_CIPHER_get_by_id() function that locates a
cipher via the internal cipher identifier. Unfortunately these have already
been leaked outside the library via SSL_CIPHER_by_id() and the various
SSL3_CK_* and TLS1_CK_* defines in the ssl3.h/tls1.h headers.
ok beck@ miod@
|
|
this split across files, especially when two of them have less code than
license text.
ok bcook@ beck@ doug@ miod@
|
|
CBS_get_asn1() and CBS_get_any_asn1_element() only support the single
byte ASN.1 identifier octets (aka short form tags). Tag number 31 is
the start of the multi-byte long form per X.690 section 8.1.2.4.
From BoringSSL commit 2683af70e73f116e14db2bca6290fa4a010a2ee4
ok miod@
|
|
I checked that this doesn't change anything. Compiled with clang using
-Wno-pointer-sign -g0 to reduce the differences. Only difference in the
asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c.
miod is ok with the general process.
|
|
This was to test a patch for upstream.
|
|
If you're still using a buggy version of Netscape from 2000, for HTTPS with
client certificates, it is probably a good time to find a new browser.
"kill it softly... with napalm and kisses" miod@
|
|
ephemeral keys exist for SSL_kDHE and SSL_kECDHE.
This would have prevented CVE-2014-3572.
ok doug@
|
|
This is imported with as few changes as possible for the initial commit.
I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc()
and changed a few header includes.
BoringSSL has this as part of their public API. We're leaving it internal
to libssl for now.
Based on BoringSSL's CBB/CBS API as of commit
c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54.
input + ok jsing@, miod@
|
|
This API was intended to be an internal only, however like many things in
OpenSSL, it is exposed externally and parts of the software ecosystem are
now using it since there is no real alternative within the public API.
ok doug@, tedu@ and reluctantly miod@
|
|
As discussed with beck@ jsing@ and others
OK beck@
|
|
shouldn't be used directly. They aren't part of the API; each module
(file, dir, mem) provides an actual function to export the now-static
object.
OK miod@
|
|
from OpenSSL with a hint of boring and some things done here. Addresses
CVE-2014-8275 for OpenSSL fully
ok miod@ doug@
|
