| Commit message (Collapse) | Author | Files | Lines |
|---|
|
ok schwarze@
|
|
|
|
|
|
and reference gethostby*(3) and /etc/hosts instead.
Say that setnetent(3), getnetent(3), and endnetent(3) now do nothing.
With feedback from guenther and significant help from deraadt@.
|
|
While here, stop implying plans to support additional address
families in the future, and do not call gethostbyname2(3) "advanced".
OK deraadt@ guenther@
|
|
getnetent(3), and endnetent(3) do nothing, just like sethostent(3),
gethostent(3), and endhostent(3) years ago.
OK deraadt@ guenther@
|
|
of OpenSSL commit c0caa945f6ef30363e0d01d75155f20248403df4 to our
version of this function.
ok beck, jsing
Original commit message:
commit c0caa945f6ef30363e0d01d75155f20248403df4
Author: Pauli <paul.dale@oracle.com>
Date: Wed Nov 1 06:58:13 2017 +1000
Address a timing side channel whereby it is possible to determine some
information about the length of the scalar used in DSA operations from
a large number (2^32) of signatures.
This doesn't rate as a CVE because:
* For the non-constant time code, there are easier ways to extract
more information.
* For the constant time code, it requires a significant number of signatures
to leak a small amount of information.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)]
|
|
this is OpennSSL commit 4a089bbdf11f9e231cc68f42bba934c954d81a49.
ok beck, jsing
Original commit message:
commit 4a089bbdf11f9e231cc68f42bba934c954d81a49
Author: Pauli <paul.dale@oracle.com>
Date: Wed Nov 1 06:58:39 2017 +1000
Address a timing side channel whereby it is possible to determine some
information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.
This doesn't rate as a CVE because:
* For the non-constant time code, there are easier ways to extract
more information.
* For the constant time code, it requires a significant number of signatures
to leak a small amount of information.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)]
|
|
in preparation for pledgepath
ok deraadt@
|
|
|
|
to some parameters of some functions. Update the documentation.
Add a few additional missing const qualifiers while here.
|
|
show the public data type name "LHASH_OF(SSL_SESSION)" instead.
|
|
and avoid the internal, undocumented names "struct ssl_st *"
and "struct ssl_ctx_st *".
|
|
to some parameters and return values of some functions.
Update the documentation.
|
|
|
|
BIO_f_asn1() will be taken care of later.
Tested in a bulk by sthen
ok bcook jca jsing
|
|
previous commit.
|
|
ok jsing (as part of a larger diff)
|
|
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.
this went through a i386 bulk by sthen
ok jsing
|
|
grepability.
Req. by jsing
|
|
|
|
|
|
ok bcook
|
|
Annotate them.
|
|
|
|
While here, include a patch from tb@
adding the missing return type to ENGINE_ctrl() in the SYNOPSIS.
|
|
|
|
|
|
|
|
|
|
* Correct documentation of DH_new(3), DH_free(3), DSA_new(3), DSA_free(3),
RSA_new(3), and RSA_free(3) with respect to reference counting.
* Stop referencing engine(3).
|
|
and more concise.
* Correct the description of the return values of DH_set_method(3)
and DSA_set_method(3).
* Stop referencing engine(3).
|
|
* Add three missing const qualifiers to function prototypes.
* Correct the argument type of RSA_new_method(3).
* Remove duplicate decsription of RSA_flags(3) and RSA_new_method(3).
* Make the description of method selection simpler, more precise,
and more concise.
* Correct description of the return value of RSA_set_method(3).
* Stop referencing engine(3).
|
|
|
|
covering the remaining functions that were documented in engine(3),
except for seven functions that are completely pointless and that
were merely listed but not really documented.
|
|
covering 60% of the documented functions). The old, abominable
engine(3) manual page shall die soon.
|
|
to accept a NULL argument. Document that.
While here, make the related sentences more precise and less verbose.
Tweaks and OK tb@.
|
|
simplifies the caller side.
tested by & ok inoguchi; discussed with schwarze
|
|
OpenSSL commit 7c96dbcdab9 by Rich Salz.
This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.
ok jsing, tested by & ok inoguchi
|
|
SSL_OP_TLS_ROLLBACK_BUG to no longer have any effect.
Update the manual page.
|
|
around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also
helps to clean up the RSA key exchange code.
ok "kill it with fire" beck@ tb@
|
|
because it was (1) woefully incomplete, (2) partially outdated
and wrong, (3) in parts imprecisely worded and hard to understand,
(4) excessively technical for a section 1 manual, (5) of excessive
size for this particular page, (6) and didn't belong here in the
first place because it essentially tried to document a C API -
SSL_CTX_set_cipher_list(3), which is now documented, so point to it.
|
|
collecting the information by inspecting the source code.
|
|
|
|
this to be "overridden" by the user supplied callback.
ok jsing@
|
|
triggered by OpenSSL commit a73d990e Feb 27 19:02:24 2018 +0100,
but with different content
|
|
|
|
suppresses any future config file loading.
ok schwarze@ with a nit from jsing@
|
|
Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.
ok beck@ inoguchi@
|
|
These flags enabled experimental behaviour in the write path, which nothing
uses. Removing this code greatly simplifies ssl3_write().
ok beck@ inoguchi@ sthen@ tb@
|
