| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
ok doug@ jsing@
|
|
need to do it in ec_copy_parameters() prior to invoking EC_KEY_set_group().
ok doug@ jsing@
|
|
certificate, do not perform wildcard matching.
Suggested by Richard Moore (rich@kde)
ok tedu@
|
|
at least a domain label before the tld, as in *.example.org.
Suggested by Richard Moore (rich@kde)
ok tedu@
|
|
X509_PURPOSE object (obtained with X509_PURPOSE_get0() instead of being
allocated in the function) to be freed if modifying that object would fail
due to a low memory condition, while this object would still be referenced
elsewhere.
Fix this by only cleaning the object if we did not allocate it here.
While there, fail early if either `name' or `sname' are NULL, rather than
allocating an object and realizing we have nothing to strdup() into it.
ok guenther@
|
|
if it fails, free the object we were about to push.
Factor error handling to avoid having four copies of about the same code.
ok guenther@
|
|
on a stack; if the latter fails, we need to free the object before returning
failure.
ok guenther@
|
|
ok guenther@
|
|
Tweaks and ok guenther@
|
|
ok deraadt@ guenther@
|
|
ok deraadt@ guenther@
|
|
ok miod
|
|
ssl_add_clienthello_tlsext() and ssl_add_serverhello_tlsext(), rather than
the current generic naming.
ok miod@
|
|
hand rolling the same code.
ok miod@
|
|
return the client format list if the client_formats flag is specified.
Use tls1_get_formatlist()/tls1_get_curvelist() in tls1_check_ec_key(),
simplifying the code.
ok miod@
|
|
|
|
|
|
While there are no additional symbols, there is an additional command that
clients will potentially depend on.
|
|
if you're careful, cert only verification can be useful.
always enable both though, to avoid accidentally leaving one off.
ok jsing
|
|
default. This enables automatic handling of ephemeral EC keys.
Discussed with reyk@ and tedu@
|
|
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
|
ok tedu@, miod@
|
|
- don't define default_bits, allowing the compiled-in default (now 2048
bits) to take priority.
- add commented-out default_md line in case somebody needs an easy way
to change this.
- remove some sample sections which aren't really useful in the default
file (/etc/examples is the place for a more descriptive config, this
file should be barebones).
Help/OK jsing@. OKs on earlier diff (openssl.cnf only) from phessler@ aja@.
|
|
keys by default (instead of SHA1/3DES) and update documentation to match.
Another way to do this is s/NID_sha1/NID_sha256/ in src/crypto/rsa/rsa_ameth.c
("case ASN1_PKEY_CTRL_DEFAULT_MD_NID") but going with the more targetted method
above that only affects "openssl req" for now.
Help/OK jsing@. OKs on earlier diffs changing openssl.cnf from phessler@ aja@
|
|
The existing code reaches around into various internals of EC, which it
should not know anything about. Replace this with a set of functions that
that can correctly extract the necessary details and handle the
comparisions.
Based on a commit to OpenSSL, with some inspiration from boringssl.
ok miod@
|
|
if a NULL stack was passed as argument. Fix this by returning NULL early in
that case.
|
|
so that applies to both the ressl client and server.
|
|
configured.
Discussed with several.
ok bcook@
|
|
than rerolling our own key clearing code.
ok tedu@
|
|
X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon
failure, for we did not allocate it and it might not come from the heap,
such as in check_crl_path() in this very same file where X509_STORE_CTX_init()
gets invoked with a stack address.
ok bcook@
|
|
memcpy().
ok bcook@
|
|
parameter, correctly set param->name to NULL after having freed it.
ok bcook@
|
|
|
|
ok jsing@ miod@
|
|
Now that ressl config takes copies of the keys passed to it, the keys need
to be explicitly cleared. While this can be done by calling the appropriate
functions with a NULL pointer, it is simpler and more obvious to call one
function that does this for you.
ok tedu@
|
|
read the PEM-encoded certificate chain from memory instead of a file.
This idea is derived from an older implementation in relayd that was
needed to use the function with a privep'ed process in a chroot. Now
it is time to get it into LibreSSL to make the API more privsep-
friendly and to make it available for other programs and the ressl
library.
ok jsing@ miod@
|
|
ok bcook@
|
|
for it may be NULL. Do not leak memory upon error.
ok bcook@
|
|
manual field fiddling to create an ASN1_INTEGER object, instead of using
M_ASN1_INTEGER_new() which will allocate sizeof(long) bytes.
That person had probably never looked into malloc(3) and never heard of
allocation size rounding.
Thus, replace the obfuscated code with M_ASN1_INTEGER_new() followed by
ASN1_INTEGER_set(), to achieve a similar result, without the need for
/* version == 0 */ comments.
ok bcook@
|
|
caller worrying about leaks or lifetimes.
after feedback from jsing
|
|
fixed.
|
|
the 64-bit code has to be disabled under OpenBSD/hppa.
|
|
cases and breaks TLS 1.2; crank libcrypto.so minor version out of safety and
to be able to tell broken versions apart easily.
|
|
ok miod@
|
|
Based on OpenSSL.
ok miod@
|
|
ok tedu@
|
|
X509_STORE_get1_certs(), X509_STORE_get1_crls(): check the result of
allocations.
ok tedu@
|
|
the first EVP block.
ok tedu@
|
|
ok tedu@
|
