- Aug 08, 2016
-
-
Emilia Kasper authored
OPENSSL_NO_NEXTPROTONEG only disables NPN, not ALPN Reviewed-by:Richard Levitte <levitte@openssl.org>
-
Emilia Kasper authored
Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by:
-
- Aug 06, 2016
-
-
JimC authored
Commit 3eb2aff4 renamed a field of ssl_cipher_st from algorithm_ssl -> min_tls but neglected to update the fprintf reference which is included by -DCIPHER_DEBUG Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1417)
-
Richard Levitte authored
I bug in perl's File::Spec->canonpath() was uncovered. There's nothing we can do about it (except re-implementing canonpath()), except working around the problem (a directory rename) and reporting the issue to the perl module developers. Reviewed-by: -
Tomas Mraz authored
Add colon when printing Registered ID. Remove extra space when printing DirName. Reviewed-by:
Kurt Roeckx <kurt@openssl.org> Reviewed-by:
-
Rob Percival authored
In one failure case, it used to return -1. That failure case (CTLOG_new() returning NULL) was not usefully distinct from all of the other failure cases. Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
-
- Aug 05, 2016
-
-
klemens authored
Reviewed-by:
-
klemens authored
Reviewed-by:
-
Rob Percival authored
This is an entirely useless function, given that CTLOG is publicly immutable. Reviewed-by:
-
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
These functions are: SSL_use_certificate_file SSL_use_RSAPrivateKey_file SSL_use_PrivateKey_file SSL_CTX_use_certificate_file SSL_CTX_use_RSAPrivateKey_file SSL_CTX_use_PrivateKey_file SSL_use_certificate_chain_file Internally, they use BIO_s_file(), which is defined and implemented at all times, even when OpenSSL is configured no-stdio. Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
The macros that produce PEM_write_FOO() andd PEM_read_FOO() only do so unless 'no-stdio' has been configured. mkdef.pl should mimic that by marking those functions with the "STDIO" algo. Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
These were guarded by $disabled{tests}. However, 'tests' is disabled if we configure 'no-stdio', which means that we don't detect the lack of OPENSSL_NO_STDIO guards in our public header files. So we move the generation and build of test/buildtest_*.c to be unconditional. Reviewed-by: -
Dr. Stephen Henson authored
Thanks to Hanno Böck for reporting this bug. Reviewed-by: -
Emilia Kasper authored
Should result in more accurate header file coverage, see https://github.com/eddyxu/cpp-coveralls/issues/54 Reviewed-by:
-
Emilia Kasper authored
Run tests with coverage and report to coveralls.io For simplicity, this currently only adds a single target in a configuration that attempts to maximize coverage. The true CI coverage from all the various builds may be a little larger. The coverage run has the following configuration: - no-asm: since we can't track asm coverage anyway, might as well measure the non-asm code coverage. - Enable various disabled-by-default options: - rc5 - md2 - ec_nistp_64_gcc_128 - ssl3 - ssl3-method - weak-ssl-ciphers Finally, observe that no-pic implies no-shared, and therefore running both builds in the matrix is redundant. Reviewed-by:
-
Dr. Stephen Henson authored
Thank to Shi Lei for reporting this bug. Reviewed-by: -
Rich Salz authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by:Emilia Käsper <emilia@openssl.org>
-
Richard Levitte authored
We mark small comments with a dash immediately following the starting /*. However, *INDENT-(ON|OFF)* comments shouldn't be treated that way, or indent will ignore them if we do. Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Richard Levitte authored
Reviewed-by: -
Dániel Bakai authored
Reviewed-by:
-
- Aug 04, 2016
-
-
David Woodhouse authored
Reviewed-by:
-
David Woodhouse authored
Baroque, almost uncommented code triggers behaviour which is undefined by the C standard. You might quite reasonably not care that the code was broken on ones-complement machines, but if we support a ubsan build then we need to at least pretend to care. It looks like the special-case code for 64-bit big-endian is going to behave differently (and wrongly) on wrap-around, because it treats the values as signed. That seems wrong, and allows replay and other attacks. Surely you need to renegotiate and start a new epoch rather than wrapping around to sequence number zero again? Reviewed-by:
-
David Woodhouse authored
DTLSv1_client_method() is deprecated, but it was the only way to obtain DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with DTLS_client_method(), and it's relatively non-trivial to make it work without expanding the hack into lots of places. So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead. Reviewed-by: -
David Woodhouse authored
Commit 3eb2aff4 ("Add support for minimum and maximum protocol version supported by a cipher") disabled all ciphers for DTLS1_BAD_VER. That wasn't helpful. Give them back. Reviewed-by:
-
David Woodhouse authored
DTLS version numbers are strange and backwards, except DTLS1_BAD_VER so we have to make a special case for it. This does leave us with a set of macros which will evaluate their arguments more than once, but it's not a public-facing API and it's not like this is the kind of thing where people will be using DTLS_VERSION_LE(x++, y) anyway. Reviewed-by:
-
David Woodhouse authored
The Change Cipher Spec message in this ancient pre-standard version of DTLS that Cisco are unfortunately still using in their products, is 3 bytes. Allow it. Reviewed-by:
-
David Woodhouse authored
Commit d8e8590e ("Fix missing return value checks in SCTP") made the DTLS handshake fail, even for non-SCTP connections, if SSL_export_keying_material() fails. Which it does, for DTLS1_BAD_VER. Apply the trivial fix to make it succeed, since there's no real reason why it shouldn't even though we never need it. Reviewed-by:
-
Richard Levitte authored
Reviewed-by: -
Benjamin Kaduk authored
The options RC4_CHUNK_LL, DES_PTR, and BF_PTR were removed by Rich in commit 3e9e810f but were still sticking around in a coupule configuration entries. Since they're unused, remove them. Reviewed-by:
-
Rich Salz authored
Reviewed-by: -
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Dr. Stephen Henson authored
Thanks to Shi Lei for reporting this issue. Reviewed-by: -
FdaSilvaYY authored
into a structure , to avoid any accident . Plus some few cleanups Reviewed-by:
-
JimC authored
- Commit a95ce7f builds *.manifest files on windows -- added them to .gitignore. - ignore pod -> html temp file Reviewed-by:
-
