- Aug 04, 2016
-
-
David Woodhouse authored
Baroque, almost uncommented code triggers behaviour which is undefined by the C standard. You might quite reasonably not care that the code was broken on ones-complement machines, but if we support a ubsan build then we need to at least pretend to care. It looks like the special-case code for 64-bit big-endian is going to behave differently (and wrongly) on wrap-around, because it treats the values as signed. That seems wrong, and allows replay and other attacks. Surely you need to renegotiate and start a new epoch rather than wrapping around to sequence number zero again? Reviewed-by:
Rich Salz <rsalz@openssl.org> Reviewed-by:
Matt Caswell <matt@openssl.org>
-
David Woodhouse authored
DTLSv1_client_method() is deprecated, but it was the only way to obtain DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with DTLS_client_method(), and it's relatively non-trivial to make it work without expanding the hack into lots of places. So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead. Reviewed-by: -
David Woodhouse authored
Commit 3eb2aff4 ("Add support for minimum and maximum protocol version supported by a cipher") disabled all ciphers for DTLS1_BAD_VER. That wasn't helpful. Give them back. Reviewed-by:
-
David Woodhouse authored
DTLS version numbers are strange and backwards, except DTLS1_BAD_VER so we have to make a special case for it. This does leave us with a set of macros which will evaluate their arguments more than once, but it's not a public-facing API and it's not like this is the kind of thing where people will be using DTLS_VERSION_LE(x++, y) anyway. Reviewed-by:
-
David Woodhouse authored
The Change Cipher Spec message in this ancient pre-standard version of DTLS that Cisco are unfortunately still using in their products, is 3 bytes. Allow it. Reviewed-by:
-
David Woodhouse authored
Commit d8e8590e ("Fix missing return value checks in SCTP") made the DTLS handshake fail, even for non-SCTP connections, if SSL_export_keying_material() fails. Which it does, for DTLS1_BAD_VER. Apply the trivial fix to make it succeed, since there's no real reason why it shouldn't even though we never need it. Reviewed-by:
-
Richard Levitte authored
Reviewed-by: -
Benjamin Kaduk authored
The options RC4_CHUNK_LL, DES_PTR, and BF_PTR were removed by Rich in commit 3e9e810f but were still sticking around in a coupule configuration entries. Since they're unused, remove them. Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Rich Salz authored
Reviewed-by:Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Dr. Stephen Henson authored
Thanks to Shi Lei for reporting this issue. Reviewed-by: -
FdaSilvaYY authored
into a structure , to avoid any accident . Plus some few cleanups Reviewed-by:
-
JimC authored
- Commit a95ce7f builds *.manifest files on windows -- added them to .gitignore. - ignore pod -> html temp file Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
FdaSilvaYY authored
... get_by_fingerprint() and get_by_alias() Reviewed-by:
-
FdaSilvaYY authored
of X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_ENTRY_create_by_NID Reviewed-by:
-
FdaSilvaYY authored
- append_ia5 - old_entry_print Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
The rationale is that installation from a tarball is a common task that everyone performs. For all other builds, we do specialised tests, and might as well build them directly in the checkout, which also gives us fuzz corpora. Reviewed-by:Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
The release scripts expect to see the date "xx XXX xxxx" in CHANGES. At some point the year got changed from xxxx to 2016. This changes it back. Reviewed-by:
-
- Aug 03, 2016
-
-
Richard Levitte authored
Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: -
Richard Levitte authored
The diverse notations used in INSTALL are not as self explanatory as we might imagine, so let's attempt a consistent notation for mandatory and optional pieces of a command line, and to explain the meaning of each notation. This does away with the bash notation used in one spot, as it isn't universally understood and will only confuse the unknowing more. Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Experience shows that pod2html changes directory during its process without properly adjusting the given source directory. Reviewed-by: -
Richard Levitte authored
Reviewed-by:
-
- Aug 02, 2016
-
-
Dr. Stephen Henson authored
Reviewed-by: -
Dr. Stephen Henson authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Matt Caswell authored
Fix the 80-test_ssl_test_ctx and 80-test_ssl_new tests when used with the no-nextprotoneg option Reviewed-by: -
FdaSilvaYY authored
extra spacing and 80 cols Reviewed-by:
-
- Aug 01, 2016
-
-
Richard Levitte authored
Instead, install the new one as openssl.cnf.dist (openssl.cnf-dist on VMS), and only install it as openssl.cnf if that file doesn't already exist. Also, don't install with exec privileges on VMS. Reviewed-by:
-
