- Jun 11, 2016
-
-
Kurt Roeckx authored
Reviewed-by:Rich Salz <rsalz@openssl.org> GH: #1172
-
Kurt Roeckx authored
Found by tis-interpreter Reviewed-by: -
Kurt Roeckx authored
Found by tis-interpreter Reviewed-by:
-
- Jun 10, 2016
-
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
The TS_RESP_verify_response() function is used for verifying the response from a TSA. You can set the provided TS_VERIFY_CTX with different flags depending on what aspects of the response you wish to verify. A seg fault will occur if you supply the TS_VFY_SIGNER or TS_VFY_TSA_NAME flags without also specifying TS_VFY_SIGNATURE. Reviewed-by: -
Matt Caswell authored
Most of the no-dtls* builds were failing due to one test which had an incorrect "skip" condition. Reviewed-by:Andy Polyakov <appro@openssl.org>
-
Matt Caswell authored
Add some information about the location of the default directory and the default file. RT#1051 Reviewed-by: -
Rich Salz authored
If a user specifies -unix, -6, etc., then the program tries to use the last one specified. This is confusing code and leads to scripting errors. Instead, allow only one type. Reviewed-by: -
Ben Laurie authored
Reviewed-by:Richard Levitte <levitte@openssl.org>
-
Ben Laurie authored
Reviewed-by: -
Ben Laurie authored
Reviewed-by:
-
- Jun 09, 2016
-
-
Laszlo Kovacs authored
Reviewed-by:
Kurt Roeckx <kurt@openssl.org> Reviewed-by:
Matt Caswell <matt@openssl.org>
-
Emilia Kasper authored
We already test in EC_POINT_oct2point that points are on the curve. To be on the safe side, move this check to EC_POINT_set_affine_coordinates_* so as to also check point coordinates received through some other method. We do not check projective coordinates, though, as - it's unlikely that applications would be receiving this primarily internal representation from untrusted sources, and - it's possible that the projective setters are used in a setting where performance matters. Reviewed-by: -
Rich Salz authored
Reviewed-by: -
Rich Salz authored
Also fix typo noted on GitHub. Suppport typedef and #define to find-doc-nits Reviewed-by: -
Rich Salz authored
Files like dh.pod, etc., mostly duplicated the API-specific pod files. Removed the duplicated content; that often mean the whole file could be removed. Some of the content about internals got moved into README files in the source tree. Some content (e.g., err.pod) got moved into other pod pages. Annotate generic pages, remove dup NAME Reviewed-by: -
Rich Salz authored
Partially document the ASN1 template stuff, and its use for i2d/d2i and PEM I/O. Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Andy Polyakov authored
Reviewed-by: -
Todd Short authored
When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by:
Emilia Käsper <emilia@openssl.org> Reviewed-by:
-
- Jun 08, 2016
-
-
Jeffrey Walton authored
Various fixes to get the following to compile: ./config no-asm -ansi -D_DEFAULT_SOURCE RT4479 RT4480 Reviewed-by:
-
Rich Salz authored
GH1098: Add X509_get_pathlen() (and a test) GH1097: Add SSL_is_dtls() function. Documented. Reviewed-by: -
Kurt Cancemi authored
This change also avoids calling strlen twice when srclen is 0 Reviewed-by:
-
Todd Short authored
Sessions are stored on the session_ctx, which doesn't change after SSL_set_SSL_CTX(). Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- Jun 07, 2016
-
-
Matt Caswell authored
The previous commit changed how we handle out-of-context empty records. This commit adds some tests for the various scenarios. There are three tests: 1: Check that if we inject an out-of-context empty record then we fail 2: Check that if we inject an in-context empty record then we succeed 3: Check that if we inject too many in-context empty records then we fail. Reviewed-by: -
Matt Caswell authored
Previously if we received an empty record we just threw it away and ignored it. Really though if we get an empty record of a different content type to what we are expecting then that should be an error, i.e. we should reject out of context empty records. This commit makes the necessary changes to achieve that. RT#4395 Reviewed-by: -
Matt Caswell authored
The number of read pipelines should be reset in the event of reuse of an SSL object. Reviewed-by: -
Matt Caswell authored
The previous commit fixed a bug with BN_mod_word() which would have been caught if we had a test for it. This commit adds one. Reviewed-by: -
Matt Caswell authored
On systems where we do not have BN_ULLONG (e.g. typically 64 bit systems) then BN_mod_word() can return incorrect results if the supplied modulus is too big. RT#4501 Reviewed-by: -
Rich Salz authored
Make d2i_X509 a generic d2i/i2d manpage. Pull common stuff out of other d2i/i2d docs. Update find-doc-nits to know about "generic" manpages. Cleanup some overlap. Fix up a bunch of other references. Reviewed-by: -
Rich Salz authored
The asdf.pod filename must have asdf in its NAME section. also check for names existing as a different filename (via Levitte) Reviewed-by:
Viktor Dukhovni <viktor@openssl.org>
-
Rob Percival authored
Reviewed-by:
-
Matt Caswell authored
We just do the getters/setter for tlsext_status_type. This could be extended for others in the future. Reviewed-by: -
Matt Caswell authored
And also for SSL_CTX_get_tlsext_status_type() Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Alessandro Ghedini authored
The tlsext_status_type field in SSL is used by e.g. OpenResty to determine if the client requested the certificate status, but SSL is now opaque. Reviewed-by:
-
