- May 20, 2016
-
-
Matt Caswell authored
In the new state machine if using nbio and we get the header of a handshake message in one record with the body in the next, with an nbio event in the middle, then the connection was failing. This is because s->init_num was getting reset. We should only reset it after we have read the whole message. RT#4394 Reviewed-by: Andy Polyakov <appro@openssl.org>
-
David Benjamin authored
ChangeCipherSpec messages have a defined value. They also may not occur in the middle of a handshake message. The current logic will accept a ChangeCipherSpec with value 2. It also would accept up to three bytes of handshake data before the ChangeCipherSpec which it would discard (because s->init_num gets reset). Instead, require that s->init_num is 0 when a ChangeCipherSpec comes in. RT#4391 Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
Matt Caswell authored
The write BIO for handshake messages is buffered so that we only write out to the network when we have a complete flight. There was some complexity in the buffering logic so that we switched buffering on and off at various points throughout the handshake. The only real reason to do this was historically it complicated the state machine when you wanted to flush because you had to traverse through the "flush" state (in order to cope with NBIO). Where we knew up front that there was only going to be one message in the flight we switched off buffering to avoid that. In the new state machine there is no longer a need for a flush state so it is simpler just to have buffering on for the whole handshake. This also gives us the added benefit that we can simply call flush after every flight even if it only has one message in it. This means that BIO authors can implement their own buffering strategies and not have to be aware of the state of the SSL object (previously they would have to switch off their own buffering during the handshake because they could not rely on a flush being received when they really needed to write data out). This last point addresses GitHub Issue #322. Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Richard Levitte authored
RT#4543 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Rich Salz authored
Add doc-nit-check to help find future issues. Make podchecker be almost clean. Remove trailing whitespace. Tab expansion Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- May 19, 2016
-
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Dr. Stephen Henson authored
RT#1817 Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Andy Polyakov authored
the fact that it's community-supported target. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Andy Polyakov authored
GH: #102 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Andy Polyakov authored
Definitions of macros similar to _XOPEN_SOURCE belong in command line or in worst case prior first #include directive in source. As for macros it was allegedly controlling. One can argue that we are probably better off demanding S_IS* macros but there are systems that just don't comply, hence this compromise solution... Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
In the X509 app check that the obtained public key is valid before we attempt to use it. Issue reported by Yuan Jochen Kang. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Ben Laurie authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Viktor Dukhovni authored
Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the chain was not sufficiently verified and would have been rejected with SSL_VERIFY_PEER. To that end when a CT callback returns failure we set the verify result to X509_V_ERR_NO_VALID_SCTS. Note: We only run the CT callback in the first place if the verify result is still X509_V_OK prior to start of the callback. RT #4502 Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Viktor Dukhovni authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Viktor Dukhovni authored
PEM_read(), PEM_read_bio(), PEM_get_EVP_CIPHER_INFO() and PEM_do_header(). Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
- May 18, 2016
-
-
Mat authored
adds missing check for defined(__GNUC__) Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1094)
-
Cynh authored
Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> GH: #1017
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
STORE doesn't exist for now HMAC doesn't have any error codes Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
- Adjust mkerr.pl to produce the line length we used for source reformatting. - Have mkerr.pl keep track of preprocessor directive indentation Among others, do not spuriously throw away a #endif at the end of header files. - Make sure mkerr.pl specifies any header inclusion correctly Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Viktor Dukhovni authored
Set ctx->error = X509_V_ERR_OUT_OF_MEM when verification cannot continue due to malloc failure. Also, when X509_verify_cert() returns <= 0 make sure that the verification status does not remain X509_V_OK, as a last resort set it to X509_V_ERR_UNSPECIFIED, just in case some code path returns an error without setting an appropriate value of ctx->error. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
hesiod authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/526)
-
Richard Levitte authored
RT#1466 Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
RT#1466 Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Also adds 'esc_2254' to the possible command line name options RT#1466 Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Dr. Stephen Henson authored
Tidy up and simplify OBJ_dup() and OBJ_create(). Sanity check added OIDs: don't allow duplicates. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
A number of the METHOD functions weren't properly handling malloc failures. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
There were some unchecked calls to OPENSSL_strdup(). Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
In the CAPI engine there were some unchecked calls to OPENSSL_strdup(). GH Issue #830 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
FdaSilvaYY authored
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
FdaSilvaYY authored
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
FdaSilvaYY authored
Discard useless static engine_id Add a const qualifier Fix some spelling Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-