| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok miod@ jsing@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The issetugid() API is supposed to make a strong promise where "0
means it is safe to look at the environment". Way back in the past
someone on the OpenSSL team responded to the environment access danger
by creating a wrapper called OPENSSL_issetugid, and went to use it a
number of places. However, by default on systems lacking true
issetugid(), OPENSSL_issetugid returns 0. 0 indicating safely. False
safety. Which means OPENSSL_issetugid() fails to make any sort of
promise about safety, in fact it is just the opposite.
Can you believe the OpenSSL team?
This nastiness was noticed over the years, however noone could gain traction
and get it fixed in OpenSSL. Also see a paragraph about this in
http://www.tedunangst.com/flak/post/worst-common-denominator-programming
ok jsing
|
| |
|
|
| |
Discussed with/requested by deraadt@ at the conclusion of s2k15.
|
| |
|
|
| |
Requested by deraadt@
|
| |
|
|
|
|
|
|
|
|
|
| |
instead of disk. OpenSSL didn't provide a built-in API from loading
certificates in a chroot'ed process that doesn't have direct access to
the files. X509_STORE_load_mem() provides a new backend that will be
used by libssl and libtls to implement such privsep-friendly
functionality.
Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There used to be a strong reluctance to provide this cipher in LibreSSL in the
past, because the licence terms under which Cammelia was released by NTT were
free-but-not-in-the-corners, by restricting the right to modify the source
code, as well retaining the right to enforce their patents against anyone
in the future.
However, as stated in http://www.ntt.co.jp/news/news06e/0604/060413a.html ,
NTT changed its mind and made this code truly free. We only wish there had
been more visibility of this, for we could have had enabled Cammelia
earlier (-:
Licence change noticed by deraadt@. General agreement from the usual LibreSSL
suspects.
Crank libcrypto.so minor version due to the added symbols.
|
| |
|
|
|
|
|
|
|
| |
This functionality was already available (and optional), and used in the
bowels of the ASN.1 code. This exposes it as a public interface, which will
be used by the upcoming GOST code.
Crank libcrypto minor version.
From Dmitry Eremin-Solenikov.
|
| |
|
|
|
| |
cases and breaks TLS 1.2; crank libcrypto.so minor version out of safety and
to be able to tell broken versions apart easily.
|
| |
|
|
| |
is
|
| |
|
|
| |
ChaCha context. Other changes will also ride this crank.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
of 64-bit data, and only used by DTLS, to libssl where it belongs.
Remove pqueue_print() which is a debugging interface and serves no useful
purpose, except for the regress test, which grows its own pqueue_print()
routine.
Bump libcrypto major and libssl minor.
WARNING: do not update your tree right now, more changes are coming, which
will ride the libcrypto major bump.
|
| | |
|
| |
|
|
|
|
|
| |
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.
ok tedu@
|
| | |
|
| |
|
|
|
| |
next few moments, don't rush your update.
Requested by deraadt@
|
| | |
|
| |
|
|
| |
and libssl major (ssl_check_clienthello_tlsext split into two functions)
|
|
|
as configuration files; split manpages and .pc files between libcrypto and
libssl.
No functional change, only there to make engineering easier, and libcrypto
sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
