- Feb 23, 2017
-
-
Benjamin Kaduk authored
Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2279)
-
Benjamin Kaduk authored
Split off the portions that mutate the SSL object into a separate function that the state machine calls, so that the public API can be a pure function. (It still needs the SSL parameter in order to determine what SSL_METHOD's get_cipher_by_char() routine to use, though.) Instead of returning the stack of ciphers (functionality that was not used internally), require using the output parameter, and add a separate output parameter for the SCSVs contained in the supplied octets, if desired. This lets us move to the standard return value convention. Also make both output stacks optional parameters. Reviewed-by:
-
Benjamin Kaduk authored
Move ssl_bytes_to_cipher_list() to ssl_lib.c and create a public wrapper around it. This lets application early callbacks easily get SSL_CIPHER objects from the raw ciphers bytes without having to reimplement the parsing code. In particular, they do not need to know the details of the sslv2 format ClientHello's ciphersuite specifications. Document the new public function, including the arguably buggy behavior of modifying the supplied SSL object. On the face of it, such a function should be able to be pure, just a direct translation of wire octets to internal data structures. Reviewed-by:
-
Benjamin Kaduk authored
Now that we have made SCSVs into more of a first-class object, provide a way for the bytes-to-SSL_CIPHER conversion to actually return them. Add a flag 'all' to ssl_get_cipher_by_char to indicate that we want all the known ciphers, not just the ones valid for encryption. This will, in practice, let the caller retrieve the SCSVs. Reviewed-by:
-
Benjamin Kaduk authored
Just as we have a table of ssl3_ciphers, add a table of ssl3_scsvs, to contain SSL_CIPHER objects for these non-valid ciphers. This will allow for unified handling of such indicators, especially as we are preparing to pass them around between functions. Since the 'valid' field is not set for the SCSVs, they should not be used for anything requiring a cryptographic cipher (as opposed to something being stuck in a cipher-shaped hole in the TLS wire protocol). Reviewed-by:
-
Benjamin Kaduk authored
We'll be adding a field of this type to struct ssl_st in a subsequent commit, and need the type definition to be in scope already. Also move up the RAW_EXTENSION definition that it depends on. Reviewed-by:
-
Benjamin Kaduk authored
Keep track of the length of the pre_proc_exts array. Reviewed-by:
-
Benjamin Kaduk authored
Modify the API of tls_collect_extensions() to be able to output the number of extensions that are known (i.e., the length of its 'res' output). This number can never be zero on a successful return due to the builtin extensions list, but use a separate output variable so as to not overload the return value semantics. Having this value easily available will give consumers a way to avoid repeating the calculation. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2727)
-
Richard Levitte authored
The library files are built with symbol names as is, while the application is built with the default uppercase-all-symbols mode. That's fine for public APIs, because we have __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H automatically telling the compiler how to treat the public header files. However, we don't have the same setup for internal library APIs, since they are usually only used by the libraries. Because apps/rehash.c uses a library internal header file, we have to surround that inclusion with the same kind of pragmas found in __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, or we get unresolved symbols when building no-shared. Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2725)
-
Pauli authored
Reviewed-by:
-
Richard Levitte authored
The generation number is ';nnn' at the end of the file name fetched with readdir(). Because rehash checks for specific extensions and doesn't expect an additional generation number, the easiest is to massage the received file name early by simply removing the generation number. Reviewed-by:
-
- Feb 22, 2017
-
-
Richard Levitte authored
Also, don't exit with an error code Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Bernd Edlinger authored
There has never been any gcc option of that kind. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Rich Salz authored
Prevent that memory beyond the last element is accessed if every element of group->poly[] is non-zero Reviewed-by:
-
Richard Levitte authored
A spelling error prevented it from building correctly. Furthermore, we need to be more careful when to add a / at the end of the dirname and when not. Reviewed-by:
-
Richard Levitte authored
opendir(), readdir() and closedir() have been available on VMS since version 7.0. Reviewed-by:
-
Rob Percival authored
Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Rob Percival authored
Reviewed-by:
-
Rob Percival authored
Reviewed-by:
-
Rob Percival authored
TODO(robpercival): Should actually test that the output certificate contains the poison extension. Reviewed-by:
-
Rob Percival authored
This makes it a little easier to create a pre-certificate. Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Richard Levitte authored
The condition wasn't quite right Reviewed-by:
-
- Feb 21, 2017
-
-
Bernd Edlinger authored
Reviewed-by:
-
Andy Polyakov authored
One of the reasons for why masm/ml64 is not [fully] supported is that it's problematic to support multiple versions. But latest one usually works and/or it's lesser problem to make it work. So idea here is to have a "whistle" when it breaks, so that problems can be evaluated as they emerge. It's kind of "best effort" thing, as opposite to "full support". Reviewed-by: -
Dmitry Belyavskiy authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Dmitry Belyavskiy authored
commands. Reviewed-by:
-
Rich Salz authored
Change size comparison from > (GT) to >= (GTE) to ensure an additional byte of output buffer, to prevent OOB reads/writes later in the function Reject input strings larger than 2GB Detect invalid output buffer size and return early Reviewed-by:
-
Kurt Roeckx authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Set default validity flags if signature algorithms extension is not present. Preserve flags when checking chains. Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Hikar authored
CLA: trivial. Reviewed-by:
-
Pauli authored
The sh_add_to_list function will overwrite subsequent slots in the free list for small allocations. This causes a segmentation fault if the writes goes off the end of the secure memory. I've not investigated if this problem can overwrite memory without the segmentation fault, but it seems likely. This fix limits the minsize to the sizeof of the SH_LIST structure (which also has a side effect of properly aligning the pointers). The alternative would be to return an error if minsize is too small. Reviewed-by:
-
