summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Change the actual default for returned asn1 strings to be utf8 in the code,beck2014-05-312-2/+2
| | | | | | | rather than only in the config file, to trip people up later. Found, and fix pleaded for by <spider@skuggor.se> who apparently spent hours chasing it down. ok miod@
* BUF_MEM_grow_clean() takes a size_t as the size argument. Remove false commentsmiod2014-05-314-18/+6
| | | | | | | mentioning it's an int, bogus (int) casts and bounds checks against INT_MAX (BUF_MEM_grow_clean has its own integer bounds checks). ok deraadt@
* Add a comment documenting where libssl depends upon the current (objectionable)miod2014-05-312-0/+2
| | | | behaviour of this code, to prevent people from blindly changing it.
* copy a comment placed in other files; req from miodderaadt2014-05-312-2/+6
|
* Some KNF and fix the vairable spelling.jsing2014-05-312-46/+32
|
* Move the cts128 and gcm128 tests to regress.jsing2014-05-319-924/+530
|
* More KNF.jsing2014-05-312-206/+244
|
* More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.jsing2014-05-318-28/+20
|
* unifdef -UDOXYGEN and manually remove the few doxygen comments that are notjsing2014-05-312-62/+0
| | | | | | wrapped in #ifdef DOXYGEN... Requested by miod@
* ECDH and ECDSA will not work overly well if there is no EC, so unifdefjsing2014-05-3116-100/+0
| | | | | | OPENSSL_NO_EC. ok tedu@
* TLS would not be entirely functional without extensions, so unifdefjsing2014-05-3130-360/+0
| | | | | | OPENSSL_NO_TLSEXT. ok tedu@
* Delete the extraneous "return" statement at the end of a void function.jca2014-05-311-2/+1
| | | | From Fritjof Bornebusch.
* KNF and other cleanup.jsing2014-05-312-266/+295
|
* Don't add potentially nasty stderr uses to dead CRYPTO_dbg_mem functions.deraadt2014-05-302-6/+6
| | | | | | | | But do use the abort(), which we are hoping all future vendors will move towards the more modern "do not flush streams"; hint hint, if you didn't do that already, there are grave risks because much software brings risk without that behaviour. We didn't cause the change.. POSIX did... ok beck
* Move sha256 and sha512 tests to regress and wire them up.jsing2014-05-307-332/+17
|
* Move the AES wrap test code into regress.jsing2014-05-304-264/+182
|
* More KNF.jsing2014-05-302-112/+146
|
* remove some #if 0 code. we don't need any more reminders that we're usingtedu2014-05-3038-802/+2
| | | | a not quite appropriate data structure. ok jsing
* Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS andjsing2014-05-3018-128/+100
| | | | | | SSL_USE_TLS1_2_CIPHERS. Largely based on OpenSSL head.
* Fix some more nasty stringyness in here by using asprintf instead of cruft.beck2014-05-302-20/+14
| | | | gets rid of the second last use of the awful DECIMAL_SIZE.
* more: no need to null check before free; ok guentherderaadt2014-05-308-8/+8
|
* more: no need for null check before freederaadt2014-05-3088-424/+206
| | | | ok tedu guenther
* While working on another diff I ended up looking to see why on earth thejsing2014-05-304-80/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | DTLS code had a chunk that checked to see if the SSL version was *not* DTLS. Turns out that this is inside a big #if 0 block with a comment explaining why DTLS will never need this code... The DTLS code was clearly written by wholesale copying the SSLv3 code. Any code not applicable to DTLS was seemingly #if 0'd or commented out and left for others to find. d1_pkt.c is copied from s3_pkt.c and it has a do_dtls1_write() function that has the same function signature as do_ssl3_write(), except that the create_empty_fragement (yes, that is the spelling in ssl_locl.h) argument is unused for DTLS (although there is code that pretends to use it) since it uses explicit IV (as the comment notes). Instead of leaving this turd lying around, nuke the #if 0'd code (along with the check for *not* DTLS) and remove the pointless create_empty_fragment argument given the only two do_dtls1_write() calls specify zero. This kind of thing also makes you wonder how much actual peer review occurred before the code was initially committed... ok beck@
* Rework parse_name() so that variable declaration is separate from functionjsing2014-05-301-37/+50
| | | | | | | based initialisation, use more readable variable names and use a goto rather than duplicating the frees for the error and non-error paths... ok beck@
* remove CONST_STRICT. ok beck deraadttedu2014-05-306-28/+2
|
* no need for null check before free. from Brendan MacDonelltedu2014-05-3039-112/+57
|
* Don't write out more than we have allocated in obj_txt, as the glorybeck2014-05-302-2/+4
| | | | | that is OBJ_obj2txt() can return a larger value.. ok tedu@
* remove some of the bigger lies, as applicable to libressl.tedu2014-05-302-18/+6
|
* I do not have time to describe how bad the realloc() uses in here, nowderaadt2014-05-292-8/+4
| | | | | | | being relaced by reallocarray(). you will have to look at the diff. there can be no explanations for the extra casts. as beck says, "Don't go towards the light theo!" ok beck tedu
* trivial realloc -> reallocarrayderaadt2014-05-291-2/+1
|
* the comment says RAND_pseudo_bytes should be RAND_bytes. make it so.tedu2014-05-292-12/+2
| | | | ok deraadt
* we no longer care that these aren't used for ssl2tedu2014-05-292-4/+4
|
* ok, next pass after review: when possible, put the reallocarray argumentsderaadt2014-05-2917-27/+27
| | | | in the "size_t nmemb, size_t size"
* convert 53 malloc(a*b) to reallocarray(NULL, a, b). that is 53deraadt2014-05-2951-93/+109
| | | | | | | | | potential integer overflows easily changed into an allocation return of NULL, with errno nicely set if need be. checks for an allocations returning NULL are commonplace, or if the object is dereferenced (quite normal) will result in a nice fault which can be detected & repaired properly. ok tedu
* Everything sane has stdio, and FILE *. we don't need ifdefs for this.beck2014-05-2982-338/+0
| | | | ok to firebomb from tedu@
* remove back compat that was already disabled back in 1998.tedu2014-05-292-16/+0
| | | | from Alexander Schrijver
* Make make includes work again without kssl.hbeck2014-05-291-2/+2
|
* Any sane platform has stdio. Stop pretending we will ever use a platformbeck2014-05-2918-64/+0
| | | | | that does not. "fire bomb" tedu@
* kssl is dead.tedu2014-05-291-68/+0
|
* no space before labeltedu2014-05-294-54/+54
|
* line up else bettertedu2014-05-292-10/+4
|
* define -DLIBRESSL_INTERNAL in here so we don't use nastiesbeck2014-05-291-2/+2
| | | | ok deraadt@
* consistent bracestedu2014-05-292-26/+26
|
* unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.tedu2014-05-2926-434/+0
| | | | ok deraadt jsing
* repair KNF indentderaadt2014-05-292-2/+2
|
* use calloc, from Benjamin Baiertedu2014-05-292-10/+2
|
* Make it substantially easier to identify protocol version requirementsjsing2014-05-2916-18/+164
| | | | | | | | | | | | | | by adding an enc_flags field to the ssl3_enc_method, specifying four flags that are used with this field and providing macros for evaluating these conditions. Currently the version requirements are identified by continually checking the version number and other criteria. This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2, since they have different enc_flags from TLS v1. Based on changes in OpenSSL head. No objection from miod@
* When you have functions that perform specific functions, use them.jsing2014-05-292-36/+18
| | | | | | | | EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup() and frees the memory. COMP_CTX_free() also had its own NULL check, so there is no point in duplicating that here. ok beck@
* Fix another two cases where the return value of ssl_replace_hash() isjsing2014-05-292-16/+36
| | | | | | | | | | | | | | | unchecked. In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case. Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed. ok miod@
* Add missing NULL checks for calls to ssl_replace_hash(). This functionjsing2014-05-291-2/+6
| | | | | | | calls EVP_MD_CTX_create(), which will return NULL if it fails to allocate memory. ok miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-26 03:46:16 +0000