- Jan 23, 2017
-
-
Matt Caswell authored
The flag SSL_VERIFY_CLIENT_ONCE is documented as follows: B<Server mode:> only request a client certificate on the initial TLS/SSL handshake. Do not ask for a client certificate again in case of a renegotiation. This flag must be used together with SSL_VERIFY_PEER. B<Client mode:> ignored But the implementation actually did nothing. After the server sends its ServerKeyExchange message, the code was checking s->session->peer to see if it is NULL. If it was set then it did not ask for another client certificate. However s->session->peer will only be set in the event of a resumption, but a ServerKeyExchange message is only sent in the event of a full handshake (i.e. no resumption). The documentation suggests that the original intention was for this to have an effect on renegotiation, and resumption doesn't come into it. The fix is to properly check for renegotiation, not whether there is already a client certificate in the session. As far as I can tell this has been broken for a *long* time. Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1982)
-
Bernd Edlinger authored
Reviewed-by:
Kurt Roeckx <kurt@openssl.org> Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
-
- Jan 21, 2017
-
-
Andy Polyakov authored
Reviewed-by: -
Andy Polyakov authored
Up to 4% depending on benchmark. Reviewed-by:Rich Salz <rsalz@openssl.org>
-
Gaétan Njinang authored
The difference between the AIX MD5 password algorithm and the standard MD5 password algorithm is that in AIX there is no magic string while in the standard MD5 password algorithm the magic string is "$1$" Documentation of '-aixmd5' option of 'openssl passwd' command is added. 1 test is added in test/recipes/20-test-passwd.t Reviewed-by:
-
- Jan 20, 2017
-
-
Richard Levitte authored
When setting the digest parameter for DSA parameter generation, the signature MD was set instead of the parameter generation one. Fortunately, that's also the one that was used for parameter generation, but it ultimately meant the parameter generator MD and the signature MD would always be the same. Fixes github issue #2016 Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
- Jan 19, 2017
-
-
Markus Triska authored
CLA: trivial Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
- Jan 18, 2017
-
-
Rich Salz authored
Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1597)
-
Rich Salz authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
FdaSilvaYY authored
... mostly related to some old discarded modules . Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
Markus Triska authored
Reviewed-by:
-
- Jan 17, 2017
-
-
EasySec authored
Reviewed-by:
-
- Jan 16, 2017
-
-
xemdetia authored
CLA: trivial Reviewed-by:
-
Kurt Roeckx authored
Reviewed-by:
-
- Jan 15, 2017
-
-
Kurt Roeckx authored
Found by oss-fuzz Reviewed-by:Andy Polyakov <appro@openssl.org> GH: #2231
-
Kurt Roeckx authored
Reviewed-by: -
Kurt Roeckx authored
Found by afl Reviewed-by: -
Dr. Stephen Henson authored
Reviewed-by:
Emilia Käsper <emilia@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2224)
-
Dr. Stephen Henson authored
Add certifcate selection tests: the certificate type is selected by cipher string and signature algorithm. Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
- Jan 13, 2017
-
-
Rich Salz authored
Reviewed-by:
-
Richard Levitte authored
RUN_ONCE really just returns 0 on failure or whatever the init function returned. By convention, however, the init function must return 0 on failure and 1 on success. This needed to be clarified. Reviewed-by:
-
Richard Levitte authored
The use of EXFLAG_SET requires the inclusion of openssl/x509v3.h. openssl/ocsp.h does that, except when OCSP is disabled. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- Jan 12, 2017
-
-
Rich Salz authored
Also, if want SHA1 then use the pre-computed value if there. Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Still needs to be documented, somehow/somewhere. The env var OPENSSL_MALLOC_FAILURES controls how often malloc/realloc should fail. It's a set of fields separated by semicolons. Each field is a count and optional percentage (separated by @) which defaults to 100. If count is zero then it lasts "forever." For example: 100;@25 means the first 100 allocations pass, then the rest have a 25% chance of failing until the program exits or crashes. If env var OPENSSL_MALLOC_FD parses as a positive integer, a record of all malloc "shouldfail" tests is written to that file descriptor. If a malloc will fail, and OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE is not set (platform specific), then a backtrace will be written to the descriptor when a malloc fails. This can be useful because a malloc may fail but not be checked, and problems will only occur later. Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
