- 20 May, 2016 9 commits
-
-
Rich Salz authored
Rename sk_xxx to OPENSSL_sk_xxx and _STACK to OPENSSL_STACK Rename lh_xxx API to OPENSSL_LH_xxx and LHASH_NODE to OPENSSL_LH_NODE Make lhash stuff opaque. Use typedefs for function pointers; makes the code simpler. Remove CHECKED_xxx macros. Add documentation; remove old X509-oriented doc. Add API-compat names for entire old API Reviewed-by:Dr. Stephen Henson <steve@openssl.org>
-
Richard Levitte authored
Reviewed-by:Andy Polyakov <appro@openssl.org>
-
Richard Levitte authored
Giving setbuf() a 64-bit pointer isn't faulty, as the argument is passed by a 64-bit register anyway, so you only get a warning (MAYLOSEDATA2) pointing out that only the least significant 32 bits will be used. However, we know that a FILE* returned by fopen() and such really is a 32-bit pointer (a study of the system header files make that clear), so we temporarly turn off that warning when calling setbuf(). Reviewed-by: -
Matt Caswell authored
This adds an async IO test. There are two test runs. The first one does a normal handshake with lots of async IO events. The second one does the same but this time breaks up all the written records into multiple records of one byte in length. We do this all the way up until the CCS. Reviewed-by: -
Matt Caswell authored
In the new state machine if using nbio and we get the header of a handshake message is one record with the body in the next, with an nbio event in the middle, then the connection was failing. This is because s->init_num was getting reset. We should only reset it after we have read the whole message. RT#4394 Reviewed-by: -
David Benjamin authored
ChangeCipherSpec messages have a defined value. They also may not occur in the middle of a handshake message. The current logic will accept a ChangeCipherSpec with value 2. It also would accept up to three bytes of handshake data before the ChangeCipherSpec which it would discard (because s->init_num gets reset). Instead, require that s->init_num is 0 when a ChangeCipherSpec comes in. RT#4391 Reviewed-by:
Matt Caswell <matt@openssl.org>
-
Matt Caswell authored
The write BIO for handshake messages is bufferred so that we only write out to the network when we have a complete flight. There was some complexity in the buffering logic so that we switched buffering on and off at various points through out the handshake. The only real reason to do this was historically it complicated the state machine when you wanted to flush because you had to traverse through the "flush" state (in order to cope with NBIO). Where we knew up front that there was only going to be one message in the flight we switched off buffering to avoid that. In the new state machine there is no longer a need for a flush state so it is simpler just to have buffering on for the whole handshake. This also gives us the added benefit that we can simply call flush after every flight even if it only has one message in it. This means that BIO authors can implement their own buffering strategies and not have to be aware of the state of the SSL object (previously they would have to switch off their own buffering during the handshake because they could not rely on a flush being received when they really needed to write data out). This last point addresses GitHub Issue #322. Reviewed-by: -
Richard Levitte authored
RT#4543 Reviewed-by:
Rich Salz <rsalz@openssl.org> Reviewed-by:
-
Rich Salz authored
Add doc-nit-check to help find future issues. Make podchecker be almost clean. Remove trailing whitespace. Tab expansion Reviewed-by:Richard Levitte <levitte@openssl.org>
-
- 19 May, 2016 15 commits
-
-
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Dr. Stephen Henson authored
RT#1817 Reviewed-by: -
Andy Polyakov authored
the fact that it's community-supported target. Reviewed-by: -
Andy Polyakov authored
GH: #102 Reviewed-by: -
Andy Polyakov authored
Defintions of macros similar to _XOPEN_SOURCE belong in command line or in worst case prior first #include directive in source. As for macros is was allegedly controlling. One can argue that we are probably better off demanding S_IS* macros but there are systems that just don't comply, hence this compromise solution... Reviewed-by: -
Matt Caswell authored
In the X509 app check that the obtained public key is valid before we attempt to use it. Issue reported by Yuan Jochen Kang. Reviewed-by:Viktor Dukhovni <viktor@openssl.org>
-
Rich Salz authored
Reviewed-by: -
Rich Salz authored
Reviewed-by: -
Rich Salz authored
Reviewed-by: -
Rich Salz authored
Reviewed-by: -
Ben Laurie authored
Reviewed-by:
-
Viktor Dukhovni authored
Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the chain was not sufficiently verified and would have been rejected with SSL_VERIFY_PEER. To that end when a CT callback returs failure we set the verify result to X509_V_ERR_NO_VALID_SCTS. Note: We only run the CT callback in the first place if the verify result is still X509_V_OK prior to start of the callback. RT #4502 Reviewed-by:Tim Hudson <tjh@openssl.org>
-
Viktor Dukhovni authored
Reviewed-by: -
Viktor Dukhovni authored
PEM_read(), PEM_read_bio(), PEM_get_EVP_CIPHER_INFO() and PEM_do_header(). Reviewed-by:
-
- 18 May, 2016 16 commits
-
-
Mat authored
adds missing check for defined(__GNUC__) Reviewed-by:
-
Cynh authored
Signed-off-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
STORE doesn't exist for now HMAC doesn't have any error codes Reviewed-by: -
Richard Levitte authored
- Adjust mkerr.pl to produce the line length we used for source reformating. - Have mkerr.pl keep track of preprocessor directive indentation Among others, do not spuriously throw away a #endif at the end of header files. - Make sure mkerr.pl specifies any header inclusion correctly Reviewed-by: -
Viktor Dukhovni authored
Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot continue due to malloc failure. Also, when X509_verify_cert() returns <= 0 make sure that the verification status does not remain X509_V_OK, as a last resort set it it to X509_V_ERR_UNSPECIFIED, just in case some code path returns an error without setting an appropriate value of ctx->error. Reviewed-by: -
Viktor Dukhovni authored
Reviewed-by: -
hesiod authored
Reviewed-by:
-
Richard Levitte authored
RT#1466 Reviewed-by: -
Richard Levitte authored
RT#1466 Reviewed-by: -
Richard Levitte authored
Also adds 'esc_2254' to the possible command line name options RT#1466 Reviewed-by: -
Dr. Stephen Henson authored
Tidy up and simplify OBJ_dup() and OBJ_create(). Sanity check added OIDs: don't allow duplicates. Reviewed-by: -
Rich Salz authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
A number of the METHOD functions weren't properly handling malloc failures. Reviewed-by: -
Matt Caswell authored
There were some unchecked calls to OPENSSL_strdup(). Reviewed-by:
-
