- Feb 03, 2016
-
-
Emilia Kasper authored
CRIME protection: disable compression by default, even if OpenSSL is compiled with zlib enabled. Applications can still enable compression by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using the SSL_CONF library to configure compression. SSL_CONF continues to work as before: SSL_CONF_cmd(ctx, "Options", "Compression") enables compression. SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now no-op by default). The command-line switch has changed from -no_comp to -comp. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Feb 01, 2016
-
-
Emilia Kasper authored
PACKET contents should be read-only. To achieve this, also - constify two user callbacks - constify BUF_reverse. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Jan 30, 2016
-
-
Rich Salz authored
There was an unused macro in ssl_locl.h that used an internal type, so I removed it. Move bio_st from bio.h to ossl_type.h Reviewed-by: Andy Polyakov <appro@openssl.org>
-
- Jan 29, 2016
-
-
Emilia Kasper authored
The use of the uninitialized buffer in the RNG has no real security benefits and is only a nuisance when using memory sanitizers. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
- Jan 28, 2016
-
-
Matt Caswell authored
Add details about the latest issues fixed in the forthcoming release. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Rich Salz authored
Many options for supporting optimizations for legacy crypto on legacy platforms have been removed. This simplifies the source code and does not really penalize anyone. DES_PTR (always on) DES_RISC1, DES_RISC2 (always off) DES_INT (always 'unsigned int') DES_UNROLL (always on) BF_PTR (always on) BF_PTR2 (removed) MD2_CHAR, MD2_LONG (always 'unsigned char') IDEA_SHORT, IDEA_LONG (always 'unsigned int') RC2_SHORT, RC2_LONG (always 'unsigned int') RC4_LONG (only int and char (for assembler) are supported) RC4_CHUNK (always long), RC_CHUNK_LL (removed) RC4_INDEX (always on) And also make D_ENCRYPT macro more clear (@appro) This is done in consultation with Andy. Reviewed-by: Andy Polyakov <appro@openssl.org>
-
- Jan 25, 2016
-
-
Richard Levitte authored
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
- Jan 21, 2016
-
-
Richard Levitte authored
--prefix is now exclusively used for software and manual installation. --openssldir is not exclusively used as a default location for certs, keys and the default openssl.cnf. This change is made to bring clarity, to have the two less intertwined, and to be more compatible with the usual ways of software installation. Please change your habits and scripts to use --prefix rather than --openssldir for installation location now. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
- Jan 19, 2016
-
-
Matt Caswell authored
The GOST engine is now out of date and is removed by this commit. An up to date GOST engine is now being maintained in an external repository. See: https://wiki.openssl.org/index.php/Binaries Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Jan 15, 2016
-
-
Rich Salz authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
- Jan 14, 2016
-
-
Benjamin Kaduk authored
The entropy-gathering daemon is used only on a small number of machines. Provide a configure knob so that EGD support can be disabled by default but re-enabled on those systems that do need it. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
- Jan 12, 2016
-
-
Rich Salz authored
Create Makefile's from Makefile.in Rename Makefile.org to Makefile.in Rename Makefiles to Makefile.in Address review feedback from Viktor and Richard Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Richard Levitte authored
Reviewed-by: Stephen Henson <steve@openssl.org>
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Jan 11, 2016
-
-
Rich Salz authored
Fix the docs, and refactor some common code. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
- Jan 08, 2016
-
-
Viktor Dukhovni authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
Provide backwards-compatiblity for functions, macros and include files if OPENSSL_API_COMPAT is either not defined or defined less than the version number of the release in which the feature was deprecated. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Jan 07, 2016
-
-
Rich Salz authored
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this. If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery. (Thanks to Jakob Bohm for the suggestion!) Make the "change wrapper functions" be the only paradigm. Wrote documentation! Format the 'set func' functions so their paramlists are legible. Format some multi-line comments. Remove ability to get/set the "memory debug" functions at runtme. Remove MemCheck_* and CRYPTO_malloc_debug_init macros. Add CRYPTO_mem_debug(int flag) function. Add test/memleaktest. Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Jan 02, 2016
-
-
Viktor Dukhovni authored
The protocol selection code is now consolidated in a few consecutive short functions in a single file and is table driven. Protocol-specific constraints that influence negotiation are moved into the flags field of the method structure. The same protocol version constraints are now applied in all code paths. It is now much easier to add new protocol versions without reworking the protocol selection logic. In the presence of "holes" in the list of enabled client protocols we no longer select client protocols below the hole based on a subset of the constraints and then fail shortly after when it is found that these don't meet the remaining constraints (suiteb, FIPS, security level, ...). Ideally, with the new min/max controls users will be less likely to create "holes" in the first place. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-
Kurt Roeckx authored
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
- Dec 15, 2015
-
-
Rich Salz authored
Reviewed-by: Ben Laurie <ben@openssl.org>
-
Matt Caswell authored
s_server was trying to set the ECDH curve when no-ec was defined. This also highlighted the fact that the -no_ecdhe option to s_server is broken, and doesn't make any sense any more (ECDHE is on by default and the only way it can be disabled is through the cipherstring). Therefore this commit removes the option. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-
- Dec 13, 2015
-
-
Rich Salz authored
(Documentation update was in the MR but not the commit. Oops.) Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
- Dec 11, 2015
-
-
Matt Caswell authored
The link to the OCB patent pdf changed, so the link in CHANGES needs to be updated. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Dec 10, 2015
-
-
Matt Caswell authored
Misc updates to the CHANGES and NEWS files ready for the alpha release. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Dec 09, 2015
-
-
Dr. Stephen Henson authored
Todo: update documentation. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Dec 07, 2015
-
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
- Dec 05, 2015
-
-
Kurt Roeckx authored
Reviewed-by: Rich Salz <rsalz@openssl.org> MR: #364
-
- Dec 04, 2015
-
-
Kurt Roeckx authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Kurt Roeckx authored
SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it. On the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but only when SSL_{CTX_}set_ecdh_auto() was called to turn it on. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Kurt Roeckx authored
This only gets used to set a specific curve without actually checking that the peer supports it or not and can therefor result in handshake failures that can be avoided by selecting a different cipher. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
- Dec 01, 2015
-
-
Rich Salz authored
Add CRYPTO_free_ex_index (for shared libraries) Unify and complete the documentation for all "ex_data" API's and objects. Replace xxx_get_ex_new_index functions with a macro. Added an exdata test. Renamed the ex_data internal datatypes. Reviewed-by: Matt Caswell <matt@openssl.org>
-
- Nov 20, 2015
-
-
Matt Caswell authored
Add some clarifications to the async documentation. Also changed ASYNC_pause_job() so that it returns success if you are not within the context of a job. This is so that engines can be used either asynchronously or synchronously and can treat an error from ASYNC_pause_job() as a real error. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
Add a CHANGES entry for the new async code. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Nov 17, 2015
-
-
Rich Salz authored
Final part of flushing out SSLEay API's. Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- Oct 30, 2015
-
-
Rich Salz authored
All instances of SSLeay (any combination of case) were replaced with the case-equivalent OpenSSL. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Remove all the defines for the old state machines states. Mapping old to new is probably going to cause more problems than it solves so it is probably better to just remove them. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
SSL_state has been replaced by SSL_get_state and SSL_set_state is no longer supported. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Rename the enum HANDSHAKE_STATE to OSSL_HANDSHAKE_STATE to ensure there are no namespace clashes, and convert it into a typedef. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-