| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
need to have additional checks here.
|
| |
|
|
| |
with a failure if the NPN verification fails.
|
| |
|
|
|
|
| |
only that it returns -1 on failure.
pointed out by guenther@
|
| |
|
|
|
|
|
|
| |
use C99 array initialization syntax for strict C compilers.
from kinichiro, found building with HP/UX compiler
ok deraadt@, guenther@
|
| |
|
|
|
|
|
|
|
| |
Prefer this because it is the POSIX standard and has consistent behavior
across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
| |
|
|
| |
function was found broken in 1993, and later on in 1997?
|
| |
|
|
| |
in order to catch all negative sizes.
|
| |
|
|
|
|
| |
libcrypto has not been started yet.
ok schwarze@ miod@
|
| |
|
|
| |
not all versions of <linux/random.h> include <linux/types.h> by default
|
| |
|
|
|
|
|
|
|
|
|
| |
i looked a bit closer and found instances before Reno, so correct HISTORY.
References:
http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/usr/src/ucb/dbx/defs.h
http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/inetd.c
http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/lib/libc/string/strdup.c
ok deraadt@
|
| |
|
|
|
|
|
| |
Avoid potential integer overflow in the size argument of malloc() and
realloc() by using reallocarray() to avoid unchecked multiplication.
ok deraadt@
|
| |
|
|
|
|
|
| |
Avoid potential integer overflow in the size argument of malloc() and
realloc() by using reallocarray() to avoid unchecked multiplication.
ok deraadt@
|
| |
|
|
|
| |
looks good deraadt@
tweaks and ok millert@
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
(I also forgot to credit doug for much of the initial markup in the
previous commit.)
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
in case something wants to create massive amounts of environment, like
a bit more than 1/4 of a 32-bit address space. unrealistic -- but why
audit one code path, and not treat others the same? then you have to
re-engage everytime you see the code. read the news, that isn't what
developers do. At least if the code paths look the same, there is hope,
because they are easier to verify for correctness. developers need
to give other developers a chance to want to care.
|
| | |
|
| | |
|
| |
|
|
| |
ok doug@ jsing@
|
| |
|
|
|
| |
need to do it in ec_copy_parameters() prior to invoking EC_KEY_set_group().
ok doug@ jsing@
|
| |
|
|
|
|
| |
certificate, do not perform wildcard matching.
Suggested by Richard Moore (rich@kde)
ok tedu@
|
| |
|
|
|
|
| |
at least a domain label before the tld, as in *.example.org.
Suggested by Richard Moore (rich@kde)
ok tedu@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
X509_PURPOSE object (obtained with X509_PURPOSE_get0() instead of being
allocated in the function) to be freed if modifying that object would fail
due to a low memory condition, while this object would still be referenced
elsewhere.
Fix this by only cleaning the object if we did not allocate it here.
While there, fail early if either `name' or `sname' are NULL, rather than
allocating an object and realizing we have nothing to strdup() into it.
ok guenther@
|
| |
|
|
|
|
| |
if it fails, free the object we were about to push.
Factor error handling to avoid having four copies of about the same code.
ok guenther@
|
| |
|
|
|
|
| |
on a stack; if the latter fails, we need to free the object before returning
failure.
ok guenther@
|
| |
|
|
| |
ok guenther@
|
| |
|
|
| |
Tweaks and ok guenther@
|
| |
|
|
| |
ok deraadt@ guenther@
|
| |
|
|
| |
ok deraadt@ guenther@
|
| |
|
|
| |
ok miod
|
| |
|
|
|
|
|
| |
ssl_add_clienthello_tlsext() and ssl_add_serverhello_tlsext(), rather than
the current generic naming.
ok miod@
|
| |
|
|
|
|
| |
hand rolling the same code.
ok miod@
|
| |
|
|
|
|
|
|
| |
return the client format list if the client_formats flag is specified.
Use tls1_get_formatlist()/tls1_get_curvelist() in tls1_check_ec_key(),
simplifying the code.
ok miod@
|
| | |
|
| | |
|
| |
|
|
|
| |
While there are no additional symbols, there is an additional command that
clients will potentially depend on.
|
| |
|
|
|
|
| |
if you're careful, cert only verification can be useful.
always enable both though, to avoid accidentally leaving one off.
ok jsing
|
| |
|
|
|
|
| |
default. This enables automatic handling of ephemeral EC keys.
Discussed with reyk@ and tedu@
|
| |
|
|
|
|
|
|
|
|
| |
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
| |
|
|
| |
ok tedu@, miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- don't define default_bits, allowing the compiled-in default (now 2048
bits) to take priority.
- add commented-out default_md line in case somebody needs an easy way
to change this.
- remove some sample sections which aren't really useful in the default
file (/etc/examples is the place for a more descriptive config, this
file should be barebones).
Help/OK jsing@. OKs on earlier diff (openssl.cnf only) from phessler@ aja@.
|
| |
|
|
|
|
|
|
|
|
| |
keys by default (instead of SHA1/3DES) and update documentation to match.
Another way to do this is s/NID_sha1/NID_sha256/ in src/crypto/rsa/rsa_ameth.c
("case ASN1_PKEY_CTRL_DEFAULT_MD_NID") but going with the more targetted method
above that only affects "openssl req" for now.
Help/OK jsing@. OKs on earlier diffs changing openssl.cnf from phessler@ aja@
|
| |
|
|
|
|
|
|
|
|
|
| |
The existing code reaches around into various internals of EC, which it
should not know anything about. Replace this with a set of functions that
that can correctly extract the necessary details and handle the
comparisions.
Based on a commit to OpenSSL, with some inspiration from boringssl.
ok miod@
|
