- 08 Jun, 2016 1 commit
-
-
Richard Levitte authored
Reviewed-by:Matt Caswell <matt@openssl.org>
-
- 07 Jun, 2016 18 commits
-
-
Matt Caswell authored
The previous commit changed how we handle out-of-context empty records. This commit adds some tests for the various scenarios. There are three tests: 1: Check that if we inject an out-of-context empty record then we fail 2: Check that if we inject an in-context empty record then we succeed 3: Check that if we inject too many in-context empty records then we fail. Reviewed-by:Andy Polyakov <appro@openssl.org>
-
Matt Caswell authored
Previously if we received an empty record we just threw it away and ignored it. Really though if we get an empty record of a different content type to what we are expecting then that should be an error, i.e. we should reject out of context empty records. This commit makes the necessary changes to achieve that. RT#4395 Reviewed-by: -
Matt Caswell authored
The number of read pipelines should be reset in the event of reuse of an SSL object. Reviewed-by: -
Matt Caswell authored
The previous commit fixed a bug with BN_mod_word() which would have been caught if we had a test for it. This commit adds one. Reviewed-by: -
Matt Caswell authored
On systems where we do not have BN_ULLONG (e.g. typically 64 bit systems) then BN_mod_word() can return incorrect results if the supplied modulus is too big. RT#4501 Reviewed-by: -
Rich Salz authored
Make d2i_X509 a generic d2i/i2d manpage. Pull common stuff out of other d2i/i2d docs. Update find-doc-nits to know about "generic" manpages. Cleanup some overlap. Fix up a bunch of other references. Reviewed-by: -
Rich Salz authored
The asdf.pod filename must have asdf in its NAME section. also check for names existing as a different filename (via Levitte) Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
Viktor Dukhovni <viktor@openssl.org>
-
Rob Percival authored
Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1186)
-
Matt Caswell authored
We just do the getters/setter for tlsext_status_type. This could be extended for others in the future. Reviewed-by: -
Matt Caswell authored
And also for SSL_CTX_get_tlsext_status_type() Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Alessandro Ghedini authored
The tlsext_status_type field in SSL is used by e.g. OpenResty to determine if the client requested the certificate status, but SSL is now opaque. Reviewed-by:
-
Rich Salz authored
GH1180: Local variable sometimes unused GH1181: Missing close paren. Thanks to <wipedout@yandex.ru> for reporting these. Reviewed-by: -
Cesar Pereida authored
Reviewed-by:
-
Cesar Pereida authored
Reviewed-by:
-
Rich Salz authored
Also tweaks to find-doc-nits, including name/synopsis checking. Ironically, it also reports on duplicated doc names :) Reviewed-by: -
Matt Caswell authored
If using threads and OpenSSL is loaded via dlopen(), and subsequently closed again via dlclose() *before* the threads are destroyed, then OpenSSL will not free up the per thread resources. We need to document this restriction, and provide some guidance on what to do about it. I did some testing and discovered/verified a few of things (at least this is the behaviour on Linux): - Using OpenSSL via dlopen in a mutli-threaded app does leak memory if threads are destroyed after dlcose() is called. - In a single threaded environment, or if threads are destroyed prior to dlclose() being called, then no memory is leaked - Using the RTLD_NODELETE flag to dlopen solves the above problem - Interestingly the OpenSSL atexit() handler gets called when dlclose() is called rather than at application exit (I was worred that it might crash if there was an atexit() handler for a function that has been unloaded) - RTLD_NODELETE is a non-standard flag - but it does seem to be fairly widely supported. As far as I could determine (via google), at least Linux, Solaris, OpenBSD, FreeBSD, HP-UX all seem to support it. I also tested on Windows (using LoadLibrary instead of dlopen and FreeLibrary instead of dlclose) and experienced similar behaviour, except that (AFAIK) there is no equivalent of RTLD_NODELETE on Windows. GitHub Issue #653 Reviewed-by:
-
- 06 Jun, 2016 9 commits
-
-
Rich Salz authored
Update script to look for period or POD markup in NAME section, and fix them. Reviewed-by: -
Viktor Szakats authored
Reviewed-by:
-
Richard Levitte authored
If we're going to redirect STDERR and STDOUT, it's better to do it by the book. This fix is a straight copy of examples in the perlfunc manual. Reviewed-by: -
Richard Levitte authored
The directories for the final products were never registered, it was plain luck that intermediary files were in the same place and registered the directory anyway. Also, scripts are generated directly from source (binaries go through intermadiary object files), so we need to explicitely make sure to avoid registering the source directory unless it's an in source build. Reviewed-by:
-
Matt Caswell authored
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch off the constant time implementation for RSA, DSA and DH have been made no-ops and deprecated. Reviewed-by: -
Matt Caswell authored
The dsa_ossl.c file defined a couple of multi-line macros, but then only used each one once. The macros just serve to complicate the code and make it more difficult to understand what is really going on. Hence they are removed. Reviewed-by: -
Cesar Pereida authored
Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key. CVE-2016-2178 Reviewed-by:
-
Andy Polyakov authored
Some of the instructions used in latest additions are extension ones. There is no real reason to limit ourselves to specific processors, so [re-]adhere to base instruction set. RT#4548 Reviewed-by: -
Richard Levitte authored
In rare cases, the shell we run test programs in may have complaints. Shut those up unless testing verbosely. Reviewed-by:
-
- 05 Jun, 2016 9 commits
-
-
Rich Salz authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Viktor Dukhovni authored
Reviewed-by: -
FdaSilvaYY authored
Reviewed-by:
Kurt Roeckx <kurt@openssl.org> Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
FdaSilvaYY authored
Return directly NULL after ASN1_STRING_set, as it already has set an error code. Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
- 04 Jun, 2016 3 commits
-
-
Richard Levitte authored
Reviewed-by: -
Rich Salz authored
Reviewed-by: -
Rich Salz authored
Reviewed-by:
-
