| Age | Commit message (Collapse) | Author |
|---|
|
|
|
lines when printing to console or stderr.
OK deraadt@
|
|
|
|
While there are no additional symbols, there is an additional command that
clients will potentially depend on.
|
|
if you're careful, cert only verification can be useful.
always enable both though, to avoid accidentally leaving one off.
ok jsing
|
|
default. This enables automatic handling of ephemeral EC keys.
Discussed with reyk@ and tedu@
|
|
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
|
ok tedu@, miod@
|
|
jmates at ee dot washington dot edu reported this bug and provided a patch.
This is a slightly modified version of the patch that only contains the
bug fix.
ok millert@, otto@
|
|
- don't define default_bits, allowing the compiled-in default (now 2048
bits) to take priority.
- add commented-out default_md line in case somebody needs an easy way
to change this.
- remove some sample sections which aren't really useful in the default
file (/etc/examples is the place for a more descriptive config, this
file should be barebones).
Help/OK jsing@. OKs on earlier diff (openssl.cnf only) from phessler@ aja@.
|
|
The existing code reaches around into various internals of EC, which it
should not know anything about. Replace this with a set of functions that
that can correctly extract the necessary details and handle the
comparisions.
Based on a commit to OpenSSL, with some inspiration from boringssl.
ok miod@
|
|
|
|
|
|
http://sqlite.org/releaselog/3_8_6.html.
Tested in a bulk and ok landry@
|
|
if a NULL stack was passed as argument. Fix this by returning NULL early in
that case.
|
|
so that applies to both the ressl client and server.
|
|
configured.
Discussed with several.
ok bcook@
|
|
than rerolling our own key clearing code.
ok tedu@
|
|
X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon
failure, for we did not allocate it and it might not come from the heap,
such as in check_crl_path() in this very same file where X509_STORE_CTX_init()
gets invoked with a stack address.
ok bcook@
|
|
memcpy().
ok bcook@
|
|
parameter, correctly set param->name to NULL after having freed it.
ok bcook@
|
|
|
|
ok jsing@ miod@
|
|
Now that ressl config takes copies of the keys passed to it, the keys need
to be explicitly cleared. While this can be done by calling the appropriate
functions with a NULL pointer, it is simpler and more obvious to call one
function that does this for you.
ok tedu@
|
|
read the PEM-encoded certificate chain from memory instead of a file.
This idea is derived from an older implementation in relayd that was
needed to use the function with a privep'ed process in a chroot. Now
it is time to get it into LibreSSL to make the API more privsep-
friendly and to make it available for other programs and the ressl
library.
ok jsing@ miod@
|
|
ok bcook@
|
|
for it may be NULL. Do not leak memory upon error.
ok bcook@
|
|
manual field fiddling to create an ASN1_INTEGER object, instead of using
M_ASN1_INTEGER_new() which will allocate sizeof(long) bytes.
That person had probably never looked into malloc(3) and never heard of
allocation size rounding.
Thus, replace the obfuscated code with M_ASN1_INTEGER_new() followed by
ASN1_INTEGER_set(), to achieve a similar result, without the need for
/* version == 0 */ comments.
ok bcook@
|
|
caller worrying about leaks or lifetimes.
after feedback from jsing
|
|
fixed.
|
|
the 64-bit code has to be disabled under OpenBSD/hppa.
|
|
cases and breaks TLS 1.2; crank libcrypto.so minor version out of safety and
to be able to tell broken versions apart easily.
|
|
ok miod@
|
|
Based on OpenSSL.
ok miod@
|
|
This explanation is based off of Ted's site. Also, fix a comment from
the SHA-1 version.
ok tedu@
|
|
X509_STORE_get1_certs(), X509_STORE_get1_crls(): check the result of
allocations.
ok tedu@
|
|
the first EVP block.
ok tedu@
|
|
ok tedu@
|
|
for the server hello.
From OpenSSL.
ok miod@
|
|
strdup() to allocated directory list components.
ok jsing@
|
|
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.
From OpenSSL (part of a larger commit).
ok miod@
|
|
ssl3_send_finished(). While this previously checked against a zero return
value (which could occur on failure), we may as well test against the
expected length, since we already know what that is.
|
|
end up with a value of zero, primarily since ssl3_take_mac() fails to check
the return value from the final_finish_mac() call. This would then mean that
an SSL finished message with a zero-byte payload would successfully match
against the calculated finish MAC.
Avoid this by checking the length of peer_finish_md_len and the SSL
finished message payload, against the known length already stored in
the SSL3_ENC_METHOD finish_mac_length field (making use of a previously
unused field).
ok miod@ (a little while back)
|
|
From OpenSSL.
|
|
is off by default (instead of being enabled unconditionally).
The TLS padding extension was added as a workaround for a bug in F5 SSL
terminators, however appears to trigger bugs in IronPort SMTP appliances.
Now the SSL client gets to choose which of these devices it wants to
trigger bugs in...
Ported from OpenSSL.
Discussed with many.
ok miod@
|
|
some changes an a_int.c did not get applied to a_enum.c; despite style
changes, make sure BN_to_ASN1_ENUMERATED() correctly handles a zero value
the same way BN_to_ASN1_INTEGER() does.
ok bcook@ beck@ jsing@
|
|
Replace an if() posse with a switch() statement in traverse_string().
Remove unnecessary casts in cpy_*(),
with tweaks from guenther@; ok bcook@ jsing@ guenther@
|
|
From Ming <gzchenym at 126.com>
|
|
|
|
"Since the function is a simple wrapper around b64_ntop(),
there is no restriction on the possible lengths of the raw data in
`src'."
ok millert
|
