#
8fdc3734 |
| 25-Mar-2015 |
Rich Salz |
free NULL cleanup. This gets EC_GROUP_clear_free EC_GROUP_free, EC_KEY_free, EC_POINT_clear_free, EC_POINT_free Reviewed-by: Kurt Roeckx <kurt@openssl.org>
|
#
ca3a82c3 |
| 25-Mar-2015 |
Rich Salz |
free NULL cleanup This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free BIO_free BIO_free_all BIO_vfree Reviewed-by: Matt Caswell <matt@openssl.org>
|
#
d6407083 |
| 24-Mar-2015 |
Rich Salz |
free NULL cleanup Start ensuring all OpenSSL "free" routines allow NULL, and remove any if check before calling them. This gets DH_free, DSA_free, RSA_free Reviewed-by: Matt Caswell <matt@openssl.org>
|
Revision tags: OpenSSL_0_9_8zf, OpenSSL_1_0_0r, OpenSSL_1_0_1m, OpenSSL_1_0_2a |
|
#
2c382349 |
| 14-Mar-2015 |
Kurt Roeckx |
Remove ssl_cert_inst() It created the cert structure in SSL_CTX or SSL if it was NULL, but they can never be NULL as the comments already said. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
#
10bf4fc2 |
| 10-Mar-2015 |
Rich Salz |
Merge OPENSSL_NO_EC{DH,DSA} into OPENSSL_NO_EC Suggested by John Foley <foleyj@cisco.com>. Reviewed-by: Matt Caswell <matt@openssl.org>
|
#
9e9858d1 |
| 06-Feb-2015 |
Rich Salz |
dead code cleanup: #if 0 in ssl I left many "#if 0" lines, usually because I thought we would probably want to revisit them later, or because they provided some useful internal documentation tips. Reviewed-by: Andy Polyakov <appro@openssl.org>
|
#
8dd94afb |
| 05-Feb-2015 |
Rich Salz |
Live code cleanup; #if 1 removal A few minor cleanups to remove pre-processor "#if 1" stuff. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
c660ec63 |
| 23-Jan-2015 |
Dr. Stephen Henson |
Rewrite ssl3_send_client_key_exchange to support extms. Rewrite ssl3_send_client_key_exchange to retain the premaster secret instead of using it immediately. This is needed because the premaster secret is used after the client key exchange message has been sent to compute the extended master secret. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
|
#
a00ae6c4 |
| 27-Jan-2015 |
Rich Salz |
OPENSSL_NO_xxx cleanup: many removals The following compile options (#ifdef's) are removed: OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY This diff is big because of updating the indents on preprocessor lines. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
Revision tags: OpenSSL_1_0_2, master-post-auto-reformat |
|
#
0f113f3e |
| 22-Jan-2015 |
Matt Caswell |
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>
|
Revision tags: OpenSSL_1_0_2-post-auto-reformat, OpenSSL_0_9_8-post-auto-reformat, OpenSSL_0_9_8-pre-auto-reformat, OpenSSL_1_0_0-post-auto-reformat, OpenSSL_1_0_0-pre-auto-reformat, OpenSSL_1_0_1-post-auto-reformat, OpenSSL_1_0_1-pre-auto-reformat, master-post-reformat, OpenSSL_0_9_8-pre-reformat, OpenSSL_0_9_8ze, OpenSSL_1_0_0-pre-reformat, OpenSSL_1_0_0q, OpenSSL_1_0_1-pre-reformat, OpenSSL_1_0_1l, master-pre-reformat, OpenSSL_1_0_2-pre-reformat, OpenSSL_0_9_8zd, OpenSSL_1_0_0p, OpenSSL_1_0_1k, OpenSSL_0_9_8-post-reformat, OpenSSL-fips-2_0_9, OpenSSL_1_0_1j, OpenSSL_1_0_0o, OpenSSL_0_9_8zc, OpenSSL_1_0_2-beta3, OpenSSL_0_9_8zb, OpenSSL_1_0_0n, OpenSSL_1_0_1i, OpenSSL_1_0_2-beta2, OpenSSL-fips-2_0_8, OpenSSL_1_0_1h, OpenSSL_1_0_0m, OpenSSL_0_9_8za, OpenSSL-fips-2_0_7, OpenSSL_1_0_1g, OpenSSL_1_0_2-beta1, OpenSSL_1_0_0l, OpenSSL_1_0_1f, OpenSSL-fips-2_0_6, OpenSSL-fips-2_0_5, OpenSSL-fips-2_0_4 |
|
#
b3b966fb |
| 02-Dec-2013 |
Jonas Maebe |
ssl_cert_dup: Fix memory leak Always use goto err on failure and call ssl_cert_free() on the error path so all fields and "ret" itself are freed Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
45f55f6a |
| 30-Nov-2014 |
Kurt Roeckx |
Remove SSLv2 support The only support for SSLv2 left is receiving a SSLv2 compatible client hello. Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
fc3968a2 |
| 27-Nov-2014 |
Matt Caswell |
Remove redundant checks in ssl_cert_dup. This was causing spurious error messages when using GOST PR#3613 Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
ecf4d660 |
| 10-Aug-2014 |
Dr. Stephen Henson |
Custom extension revision. Use the same structure for client and server custom extensions. Add utility functions in new file t1_ext.c. Use new utility functions to handle custom server and client extensions and remove a lot of code duplication. Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
#
b83294fe |
| 05-Aug-2014 |
Dr. Stephen Henson |
Revision of custom extension code. Move custom extension structures from SSL_CTX to CERT structure. This change means the form can be revised in future without binary compatibility issues. Also, since CERT is part of SSL structures, per-SSL custom extensions could be supported in future as well as per SSL_CTX. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
#
9330a85e |
| 21-Apr-2014 |
Kaspar Brand |
Fix SSL_CTX_get{first,next}_certificate. Fix typo that stopped SSL_CTX_get_{first,next}_certificate from working.
|
#
f8dd55bb |
| 05-Apr-2014 |
Dr. Stephen Henson |
For more than 160 bits of security disable SHA1 HMAC
|
#
b362ccab |
| 15-Dec-2013 |
Dr. Stephen Henson |
Security framework. Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g. DH parameters or the peer key size. Documentation to follow...
|
#
09599b52 |
| 22-Jan-2014 |
Dr. Stephen Henson |
Auto DH support. Add auto DH parameter support. This is roughly equivalent to the ECDH auto curve selection but for DH. An application can just call SSL_CTX_set_auto_dh(ctx, 1); and appropriate DH parameters will be used based on the size of the server key. Unlike ECDH there is no way a peer can indicate the range of DH parameters it supports. Some peers cannot handle DH keys larger than 1024 bits for example. In this case if you call: SSL_CTX_set_auto_dh(ctx, 2); Only 1024 bit DH parameters will be used. If the server key is 7680 bits or more in size then 8192 bit DH parameters will be used: these will be *very* slow. The old export ciphersuites aren't supported but those are very insecure anyway.
|
#
e970f63d |
| 27-Mar-2014 |
Dr. Stephen Henson |
Update chain building function. Don't clear verification errors from the error queue unless SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set. If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can issue warnings. (cherry picked from commit 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
|
#
7c5718be |
| 24-Mar-2014 |
Emilia Kasper |
Allow duplicate certs in ssl_build_cert_chain
|
#
d628885e |
| 09-Mar-2014 |
Dr. Stephen Henson |
Simplify ssl_add_cert_chain logic.
|
#
358d352a |
| 23-Feb-2014 |
Dr. Stephen Henson |
Only set current certificate to valid values. When setting the current certificate check that it has a corresponding private key.
|
#
13dc3ce9 |
| 23-Feb-2014 |
Dr. Stephen Henson |
New chain building flags. New flags to build certificate chains. They can be used to rearrange the chain so all an application needs to do is add all certificates in arbitrary order and then build the chain to check and correct them. Add verify error code when building chain. Update docs.
|
#
0f78819c |
| 02-Feb-2014 |
Dr. Stephen Henson |
New ctrl to set current certificate. New ctrl sets current certificate based on certain criteria. Currently two options: set the first valid certificate as current and set the next valid certificate as current. Using these an application can iterate over all certificates in an SSL_CTX or SSL structure.
|