#
1fbab1dc |
| 17-Mar-2016 |
Rich Salz |
Remove Netware and OS/2 Reviewed-by: Richard Levitte <levitte@openssl.org>
|
Revision tags: OpenSSL_1_0_1s, OpenSSL_1_0_2g, OpenSSL_1_1_0-pre3, OpenSSL-fips-2_0_12 |
|
#
0d5301af |
| 02-Feb-2016 |
Kurt Roeckx |
Use minimum and maximum protocol version instead of version fixed methods Reviewed-by: Viktor Dukhovni <viktor@openssl.org> MR: #1824
|
#
049f3655 |
| 07-Mar-2016 |
FdaSilvaYY |
Fix cert leaks in s_server Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
817cd0d5 |
| 05-Mar-2016 |
Todd Short |
GH787: Fix ALPN * Perform ALPN after the SNI callback; the SSL_CTX may change due to that processing * Add flags to indicate that we actually sent ALPN, to properly error out if unexpectedly received. * clean up ssl3_free() no need to explicitly clear when doing memset * document ALPN functions Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
#
e2d5183d |
| 07-Mar-2016 |
Matt Caswell |
Fix s_server/s_client handling of the split_send_frag argument Ensure that a value of 0 is correctly handled for the split_send_frag argument. Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
0df80881 |
| 16-Feb-2016 |
Matt Caswell |
Add documentation for new s_server/s_client options Document the new split_send_frag, max_pipelines and read_buf options. Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
fd068d50 |
| 12-Feb-2016 |
Matt Caswell |
Ensure s_client and s_server work when read_ahead is set Previously s_client and s_server relied on using SSL_pending() which does not take into account read_ahead. For read pipelining to work, read_ahead gets set automatically. Therefore s_client and s_server have been converted to use SSL_has_pending() instead. Reviewed-by: Tim Hudson <tjh@openssl.org>
|
Revision tags: OpenSSL_1_0_1r, OpenSSL_1_0_2f, OpenSSL_1_1_0-pre2 |
|
#
dad78fb1 |
| 13-Jan-2016 |
Matt Caswell |
Add an ability to set the SSL read buffer size This capability is required for read pipelining. We will only read in as many records as will fit in the read buffer (and the network can provide in one go). The bigger the buffer the more records we can process in parallel. Reviewed-by: Tim Hudson <tjh@openssl.org>
|
Revision tags: OpenSSL_1_1_0-pre1, OpenSSL_0_9_8zh, OpenSSL_1_0_0t, OpenSSL_1_0_1q, OpenSSL_1_0_2e |
|
#
032c6d21 |
| 22-Sep-2015 |
Matt Caswell |
Add pipeline support to s_server and s_client Add the options min_send_frag and max_pipelines to s_server and s_client in order to control pipelining capabilities. This will only have an effect if a pipeline capable cipher is used (such as the one provided by the dasync engine). Reviewed-by: Tim Hudson <tjh@openssl.org>
|
#
8731a4fc |
| 02-Mar-2016 |
Rich Salz |
ISSUE 43: Add BIO_sock_shutdown This replaces SHUTDOWN/SHUTDOWN2 with BIO_closesocket. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
1c03c81f |
| 29-Feb-2016 |
J Mohan Rao Arisankala |
GH764: s_server: trace option fall through in s_server cmd: specifying -trace option, falls through and turn-on security_debug Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
|
#
d6316025 |
| 27-Feb-2016 |
J Mohan Rao Arisankala |
using macro inside the case. Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
b07c703f |
| 27-Feb-2016 |
J Mohan Rao Arisankala |
fix build with no-srtp - srtp_profiles variable is defined when building with SRTP, keeping the variable usage also under ifndef OPENSSL_NO_SRTP - alpn help option was kept under ifndef OPENSSL_NO_SRTP Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
ba810815 |
| 27-Feb-2016 |
Rich Salz |
RT2275: use BIO_sock_nbio() Now that BIO_sock_nbio is available, use it in the apps. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
380f18ed |
| 24-Feb-2016 |
Emilia Kasper |
CVE-2016-0798: avoid memory leak in SRP The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. Specifically, SRP servers that configure a secret seed to hide valid login information are vulnerable to a memory leak: an attacker connecting with an invalid username can cause a memory leak of around 300 bytes per connection. Servers that do not configure SRP, or configure SRP but do not configure a seed are not vulnerable. In Apache, the seed directive is known as SSLSRPUnknownUserSeed. To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong guarantees about the indistinguishability of valid and invalid logins. In particular, computations are currently not carried out in constant time. Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
b5292f7b |
| 31-Jan-2016 |
Flavio Medeiros |
GH480: Don't break statements with CPP stuff. This is also RT 4137 Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Andy Polyakov <appro@openssl.org>
|
#
a773b52a |
| 14-Feb-2016 |
Rich Salz |
Remove unused parameters from internal functions Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
dba31777 |
| 14-Feb-2016 |
Rich Salz |
Remove JPAKE Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
#
18295f0c |
| 14-Feb-2016 |
Richard Levitte |
Make sure to use unsigned char for is*() functions On some platforms, the implementation is such that a signed char triggers a warning when used with is*() functions. On others, the behavior is outright buggy when presented with a char that happens to get promoted to a negative integer. The safest thing is to cast the char that's used to an unsigned char. Reviewed-by: Andy Polyakov <appro@openssl.org>
|
#
32eabe34 |
| 09-Feb-2016 |
A J Mohan Rao |
GH646: Update help for s_server command. * added missing help option messages * ecdh_single option is removed as it is a no-op and not an option supported in earlier versions * ssl_ctx_security_debug() was invoked before ctx check for NULL * trusted_first option can be removed, as it is always enabled in 1.1. But not removed the option, require confirmation. Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
|
#
7b9f8f7f |
| 08-Feb-2016 |
Matt Caswell |
Auto init/deinit libcrypto This builds on the previous commit to auto initialise/deinitialise libcrypto. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
b577fd0b |
| 08-Feb-2016 |
Dr. Stephen Henson |
Deprecate undocumented SSL_cache_hit(). Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a real function. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
3edeb622 |
| 05-Feb-2016 |
Matt Caswell |
Make DTLSv1_listen a first class function and change its type The DTLSv1_listen function exposed details of the underlying BIO abstraction and did not properly allow for IPv6. This commit changes the "peer" argument to be a BIO_ADDR and makes it a first class function (rather than a ctrl) to ensure proper type checking. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
ab69ac00 |
| 02-Feb-2016 |
Richard Levitte |
Refactoring BIO: Adapt s_client and s_server s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default |host| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the |family| parameter. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
#
d858c876 |
| 02-Feb-2016 |
Richard Levitte |
Refactoring BIO: Adapt BIO_s_datagram and all that depends on it The control commands that previously took a struct sockaddr * have been changed to take a BIO_ADDR * instead. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|