- 29 1月, 2016 6 次提交
-
-
由 Emilia Kasper 提交于
The use of the uninitialized buffer in the RNG has no real security benefits and is only a nuisance when using memory sanitizers. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Matt Caswell 提交于
During precomputation if the group given is well known then we memcpy a well known precomputation. However we go the wrong label in the code and don't store the data properly. Consequently if we call have_precompute_mult the data isn't there and we return 0. RT#3600 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
The function DH_check_pub_key() was missing some return value checks in some calls to BN functions. RT#4278 Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Viktor Dukhovni 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Dr. Stephen Henson 提交于
PR#4277 Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Rich Salz 提交于
These tests are not built, and only usable as hand-tests so not worth moving into our test framework. This closes https://github.com/openssl/openssl/pull/561 and RT 4252 Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 28 1月, 2016 7 次提交
-
-
由 Matt Caswell 提交于
Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same DH exponent. A simple mitigation is to ensure that y^q (mod p) == 1 CVE-2016-0701 Issue reported by Antonio Sanso. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Viktor Dukhovni 提交于
This fixes clang compilation problem with size_t NUMPRIMES and int loop counters. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Also turn B<foo> into foo() in the pod page. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Viktor Dukhovni 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Rich Salz 提交于
Also cleaned up bn_prime.pl to current coding style. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Rich Salz 提交于
Many options for supporting optimizations for legacy crypto on legacy platforms have been removed. This simplifies the source code and does not really penalize anyone. DES_PTR (always on) DES_RISC1, DES_RISC2 (always off) DES_INT (always 'unsigned int') DES_UNROLL (always on) BF_PTR (always on) BF_PTR2 (removed) MD2_CHAR, MD2_LONG (always 'unsigned char') IDEA_SHORT, IDEA_LONG (always 'unsigned int') RC2_SHORT, RC2_LONG (always 'unsigned int') RC4_LONG (only int and char (for assembler) are supported) RC4_CHUNK (always long), RC_CHUNK_LL (removed) RC4_INDEX (always on) And also make D_ENCRYPT macro more clear (@appro) This is done in consultation with Andy. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
由 Richard Levitte 提交于
Some files that are automatically generated still had those comments added by the generating scripts. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 27 1月, 2016 1 次提交
-
-
由 Rich Salz 提交于
This was done by the following find . -name '*.[ch]' | /tmp/pl where /tmp/pl is the following three-line script: print unless $. == 1 && m@/\* .*\.[ch] \*/@; close ARGV if eof; # Close file to reset $. And then some hand-editing of other files. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
- 26 1月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
Now that we're using templates, we should warn people not to edit the resulting file. We do it through util/dofile.pl, which is enhanced with an option to tell what file it was called from. We also change the calls so the template files are on the command line instead of being redirected through standard input. That way, we can display something like this (example taken from include/openssl/opensslconf.h): /* WARNING: do not edit! */ /* Generated by Configure from include/openssl/opensslconf.h.in */ Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 25 1月, 2016 2 次提交
-
-
由 Rich Salz 提交于
Move opensslconf.h.in to include/openssl. Split off DES,BN,RC4 stuff into separate header file templates in crypto/include/internal/*_conf.h.in Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
This is an internal facility, never documented, not for public consumption. Move it into ssl (where it's only used for DTLS). I also made the typedef's for pqueue and pitem follow our style: they name structures, not pointers. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 24 1月, 2016 4 次提交
-
-
由 FdaSilvaYY 提交于
Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NRich Salz <rsalz@openssl.org> GH: #580
-
由 FdaSilvaYY 提交于
Simplify BUF_MEM init. code Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NRich Salz <rsalz@openssl.org> GH: #580
-
由 Todd Short 提交于
When experimental-store is enabled, it does not compile due to the change to opaque data structures. Change CRYPTO_add() to EVP_PKEY_up_ref() as needed. Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NRich Salz <rsalz@openssl.org> RT: #4263, GH: #579
-
由 mrpre 提交于
Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 23 1月, 2016 1 次提交
-
-
由 Richard Levitte 提交于
The turn has come to have crypto/opensslconf.h.in get run through util/dofile.pl. The consequence is that a large number of variables get moved to the %config table. Also, the string variables $openssl_*, which were populated with cpp lines, all being of the form "#define SOMETHING", were converted into ARRAY refs in %config values, containing just the list of macros to be defined. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 21 1月, 2016 5 次提交
-
-
由 Billy Brumley 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Viktor Dukhovni 提交于
Returning untrusted is enough for for full chains that end in self-signed roots, because when explicit trust is specified it suppresses the default blanket trust of self-signed objects. But for partial chains, this is not enough, because absent a similar trust-self-signed policy, non matching EKUs are indistinguishable from lack of EKU constraints. Therefore, failure to match any trusted purpose must trigger an explicit reject. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Viktor Dukhovni 提交于
When DANE-EE(3) matches or either of DANE-EE/PKIX-EE fails, we don't build a chain at all, but rather succeed or fail with just the leaf certificate. In either case also check for Suite-B violations. As unlikely as it may seem that anyone would enable both DANE and Suite-B, we should do what the application asks. Took the opportunity to eliminate the "cb" variables in x509_vfy.c, just call ctx->verify_cb(ok, ctx) Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NBen Laurie <ben@openssl.org>
-
由 Richard Levitte 提交于
Reviewed-by: NBen Laurie <ben@openssl.org>
-
- 20 1月, 2016 4 次提交
-
-
由 Rich Salz 提交于
Also remove depend/local_depend. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Rename 'update' to 'generate'. Rather than recurse, just explicitly call the three generate targets directly. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
The GOST engine is now out of date and is removed by this commit. An up to date GOST engine is now being maintained in an external repository. See: https://wiki.openssl.org/index.php/BinariesReviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 19 1月, 2016 3 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Dr. Stephen Henson 提交于
Add EVP_PKEY algorithm for TLS1 PRF. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Viktor Dukhovni 提交于
It seems risky in the context of cross-signed certificates when the same certificate might have multiple potential issuers. Also rarely used, since chains in OpenSSL typically only employ self-signed trust-anchors, whose self-signatures are not checked, while untrusted certificates are generally ephemeral. Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
- 18 1月, 2016 3 次提交
-
-
由 Corinna Vinschen 提交于
Signed-off-by: NCorinna Vinschen <vinschen@redhat.com> Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
由 Rich Salz 提交于
Remove lint, tags, dclean, tests. This is prep for a new makedepend scheme. This is temporary pending unified makefile, and might help it. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 17 1月, 2016 3 次提交
-
-
由 Rich Salz 提交于
Author: Remi Gacogne <rgacogne-github@coredump.fr> GH334: Add an OCSP_SINGLERESP_get0_id() accessor to the OCSP_CERTID of a OCSP_SINGLERESP. It is possible to do it the other way around using OCSP_resp_find(), but this is more efficient when you have a tree indexed by OCSP_CERTID, like haproxy does. (This is also RT4251) Author: Marek Klein <kleinmrk@gmail.com> GH556: OCSP_resp_get_produced_at() accessor to the producedAt of a OCSP_BASICRESP GH555: TS_STATUS_INFO_get_status(), TS_STATUS_INFO_get_text() and TS_STATUS_INFO_get_failure_info() accessors for a TS_STATUS_INFO Signed-off-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Rich Salz 提交于
Missed the camellia EVP update. Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
-
由 Viktor Dukhovni 提交于
While empty inputs to SSL_set1_host() clear the reference identifier list. Reviewed-by: NRich Salz <rsalz@openssl.org>
-