- Aug 05, 2016
-
-
Richard Levitte authored
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Richard Levitte authored
We mark small comments with a dash immediately following the starting /*. However, *INDENT-(ON|OFF)* comments shouldn't be treated that way, or indent will ignore them if we do. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Dániel Bakai authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Aug 04, 2016
-
-
David Woodhouse authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
Baroque, almost uncommented code triggers behaviour which is undefined by the C standard. You might quite reasonably not care that the code was broken on ones-complement machines, but if we support a ubsan build then we need to at least pretend to care. It looks like the special-case code for 64-bit big-endian is going to behave differently (and wrongly) on wrap-around, because it treats the values as signed. That seems wrong, and allows replay and other attacks. Surely you need to renegotiate and start a new epoch rather than wrapping around to sequence number zero again? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
DTLSv1_client_method() is deprecated, but it was the only way to obtain DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with DTLS_client_method(), and it's relatively non-trivial to make it work without expanding the hack into lots of places. So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
Commit 3eb2aff4 ("Add support for minimum and maximum protocol version supported by a cipher") disabled all ciphers for DTLS1_BAD_VER. That wasn't helpful. Give them back. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
DTLS version numbers are strange and backwards, except DTLS1_BAD_VER so we have to make a special case for it. This does leave us with a set of macros which will evaluate their arguments more than once, but it's not a public-facing API and it's not like this is the kind of thing where people will be using DTLS_VERSION_LE(x++, y) anyway. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
The Change Cipher Spec message in this ancient pre-standard version of DTLS that Cisco are unfortunately still using in their products, is 3 bytes. Allow it. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
Commit d8e8590e ("Fix missing return value checks in SCTP") made the DTLS handshake fail, even for non-SCTP connections, if SSL_export_keying_material() fails. Which it does, for DTLS1_BAD_VER. Apply the trivial fix to make it succeed, since there's no real reason why it shouldn't even though we never need it. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Benjamin Kaduk authored
The options RC4_CHUNK_LL, DES_PTR, and BF_PTR were removed by Rich in commit 3e9e810f but were still sticking around in a coupule configuration entries. Since they're unused, remove them. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1390)
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1389)
-
Rich Salz authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1389)
-
Dr. Stephen Henson authored
Thanks to Shi Lei for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
FdaSilvaYY authored
into a structure , to avoid any accident . Plus some few cleanups Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
JimC authored
- Commit a95ce7f builds *.manifest files on windows -- added them to .gitignore. - ignore pod -> html temp file Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
FdaSilvaYY authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
FdaSilvaYY authored
... get_by_fingerprint() and get_by_alias() Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
FdaSilvaYY authored
of X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_ENTRY_create_by_NID Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
FdaSilvaYY authored
- append_ia5 - old_entry_print Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
FdaSilvaYY authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
The rationale is that installation from a tarball is a common task that everyone performs. For all other builds, we do specialised tests, and might as well build them directly in the checkout, which also gives us fuzz corpora. Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The release scripts expect to see the date "xx XXX xxxx" in CHANGES. At some point the year got changed from xxxx to 2016. This changes it back. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Aug 03, 2016
-
-
Richard Levitte authored
Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
The diverse notations used in INSTALL are not as self explanatory as we might imagine, so let's attempt a consistent notation for mandatory and optional pieces of a command line, and to explain the meaning of each notation. This does away with the bash notation used in one spot, as it isn't universally understood and will only confuse the unknowing more. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Experience shows that pod2html changes directory during its process without properly adjusting the given source directory. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Aug 02, 2016
-
-
Dr. Stephen Henson authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-