| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The previous code meant that a caller could set the locking callback, after
which CRYPTO_get_locking_callback() would return non-NULL. Some existing
code depends on this behaviour, specifically to identify if lock handling
has been configured. As such, always returning NULL from
CRYPTO_get_locking_callback() can result in unexpected application
behaviour.
ok bcook@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If DTLS sees a HelloVerifyRequest the transcript is reset - the previous
tls1_init_finished_mac() function could be called multiple times and would
discard any existing state. The replacement tls1_transcript_init() is more
strict and fails if a transcript already exists.
Provide an explicit tls1_transcript_reset() function and call it from the
appropriate places. This also lets us make DTLS less of a special snowflake
and call tls1_transcript_init() in the same place as used for TLS.
ok beck@ tb@
|
| |
|
|
|
|
| |
now that there is essentially no malloc.conf;
text tweaked by deraadt; ok otto deraadt
|
| |
|
|
|
|
|
|
|
|
|
| |
libs have it, it is a function that is considered harmful, so:
Delete malloc_usable_size(). It is a function that blurs the line
between malloc managed memory and application managed memory and
exposes some of the internal workings of malloc. If an application
relies on that, it is likely to break using another implementation
of malloc. If you want usable size x, just allocate x bytes. ok
deraadt@ and other devs
|
| |
|
|
|
|
|
|
| |
here could creates non-uniformity since very short fetches of 0 would
be excluded. blocks of 0 are just as random as any other data, including
blocks of 4 4 4.. This is a misguided attempt to identify errors from the
entropy churn/gather code doesn't make sense, errors don't happen.
ok bcook
|
| |
|
|
| |
PROTO_NORMAL(). Problem noted by deraadt@
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
|
|
|
| |
In TLSv1.2, if the client does not send a signature algorithms extension
then for RSA key exchange a signature algorithm of {sha1,rsa} is implied.
The MD5+SHA1 hash only applies to older versions of TLS, which do not
support sigalgs.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
joel's line of thinking about it
|
| |
|
|
|
| |
sigalg for MD5_SHA1 and using it as the non sigalgs default
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
for a timing vullnerability in ECDSA signature generation (CVE-2018-0735).
Note that the blinding that we introduced back in June for ECDSA and DSA
should mitigate this and related issues. This simply adds an additional
layer of protection.
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
| |
instead of 'uint16_t'
Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.
OK tb@ and jsing@
|
| |
|
|
| |
From Edgar Pettijohn III
|
| |
|
|
| |
Makes connections to outlook.office365.com work
|
| | |
|
| | |
|
| |
|
|
| |
Spotted by maestre@, ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok bcook
|
| |
|
|
|
|
| |
hex_encode() function and use byte arrays instead of strings to store
the expected values. Snatch and tweak hexdump() from beck's key_schedule
test to pretty-print data in case of failure.
|
| |
|
|
|
| |
Include check for appropriate RSA key size when used with PSS.
ok tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
| |
the server child could be delayed. In this case wait a second and
check again.
|
| | |
|
| | |
|
| |
|
|
| |
ok beck inoguchi
|
| |
|
|
| |
ok beck inoguchi
|
| | |
|
| |
|
|
|
|
|
| |
Used by unbound's DNS over TLS implementation to do server name
verification.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
tweaks from jsing and myself. The SM2/SM3/SM4 algorithms are mandatory
for legal use of cryptography within China and [are] widely applied in
the country, covering identification/financial cards, contactless,
TPM 2.0 and PKI.
ok beck inoguchi jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This implements automatic thread support initialization in libcrypto.
This does not remove any functions from the ABI, but does turn them into
no-ops. Stub implementations of pthread_mutex_(init|lock|unlock) are
provided for ramdisks.
This does not implement the new OpenSSL 1.1 thread API internally,
keeping the original CRYTPO_lock / CRYPTO_add_lock functions for library
locking. For -portable, crypto_lock.c can be reimplemented with
OS-specific primitives as needed.
ok beck@, tb@, looks sane guenther@
|
| |
|
|
|
| |
Regression found by Perl module p5-IO-Socket-SSL tests.
with beck@ tb@
|
| | |
|
| |
|
|
|
|
| |
lightly tested, but will need sanity checks and regress test changes
before being added to any sigalgs list for real
ok jsing@ tb@
|
| |
|
|
|
|
| |
to allow for adding PSS, Nuke the now unneejded guard around the PSS
algorithms in the sigalgs table
ok jsing@ tb@
|
| |
|
|
|
| |
directory. Keep all log files for easier debugging. Name regress
target names consistently.
|
| |
|
|
| |
ok jsing@
|
| | |
|
| |
|
|
|
| |
all combinations of LibreSSL, OpenSSL 1.0.2, and OpenSSL 1.1. It
is currently disabled for TLS 1.3 as this needs more setup.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Provide a tls13_handshake_active_action() function to reduce code
duplication and replace tls13_handshake_get_sender().
- Add an INVALID message_type, so we can explicitly detect invalid
conditions.
- Implement skeletons for the tls13_handshake_send_action() and
tls13_handshake_recv_action() functions.
- OR in the NEGOTIATED value at the end of recving or sending a server
hello so that we switch to the next chain in the state table.
ok tb@
|
| | |
|
