summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Use V_ASN1_UNDEF instead of -1.miod2015-07-201-7/+7
| | | | | | | Make sure ASN1_primitive_new() will return NULL in *pval in all error situations. ok bcook@ doug@
* Check the return value of asn1_enc_save(). ok bcook@ doug@miod2015-07-201-2/+4
|
* When freeing an X509_CRL, if freeing the user-maintained meth_data fails,miod2015-07-201-3/+4
| | | | | do not forgot to nevertheless keep freeing the other fields. ok doug@ guenther@
* In X509_PKEY_new(), make sure all allocation failures push an error to themiod2015-07-201-7/+15
| | | | | error stack, not only the first one. ok guenther@ doug@
* Remove OpenSSL engine RSAX.doug2015-07-196-703/+5
| | | | | | | | | OpenSSL stopped building it last year and removed it this year. Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1. Also cranked major version in libcrypto, libssl and libtls. "fine with me" bcook@ miod@
* Allow *_free() functions in libssl to handle NULL input.doug2015-07-199-9/+34
| | | | | | This mimics free()'s behavior which makes error handling simpler. ok bcook@ miod@
* Drop stupid (int) casts for the arguments of malloc() and friends. This ismiod2015-07-199-24/+24
| | | | | not 16-bit MS-DOS anymore. ok bcook@ tedu@
* unifdef -UCBC_HANDLES_TRUNCATED_IOmiod2015-07-191-19/+1
| | | | ok bcook@ doug@
* Verify ASN1 objects types before attempting to access them as a particularmiod2015-07-192-2/+6
| | | | | type. ok guenther@ doug@
* Convert ssl3_get_certificate_request to CBS.doug2015-07-192-62/+66
| | | | ok miod@
* Fix symbol collision with libtls.doug2015-07-197-36/+36
| | | | | | Pointed out by guenther. ok guenther@
* Add TLS_method, TLS_client_method and TLS_server_method.doug2015-07-199-9/+321
| | | | | | | | | | | | | | | | Use these instead of SSLv23_*method when you want to make sure TLS is used. By default, we disable SSLv3 but it's still possible for the user to re-enable it. TLS_*method does not allow SSLv3. Both BoringSSL and (next version of) OpenSSL have these methods. However, they have changed the implementation significantly. We will as well, but not right now. Riding the libssl major bump. ok miod@ bcook@
* Crank major and remove legacy variables.doug2015-07-196-30/+6
| | | | | | Libtls is riding this crank. ok miod@ bcook@
* Now that it is safe to invoke X509_STORE_CTX_cleanup() if X509_STORE_CTX_init()miod2015-07-192-8/+16
| | | | | fails, check its return value and correctly mop up after ourselves. ok beck@ doug@
* Put explicit braces around assignment used in a conditional.miod2015-07-191-2/+2
| | | | ok bcook@ doug@
* Remove the logic responsible for outputting most AES-NI instructions asmiod2015-07-193-107/+0
| | | | | | | | | raw byte sequences. The toolchains have had some time to update and assemble the instructions correctly (except for p{ins,ext}rd which are not supported yet by as(1) under OpenBSD, but will be fixed shortly). Inspired by a discussion between tedu@ and John-Mark Gurney. Verified to still work on Mac OS X and average Linux distros by bcook@
* Replace `.byte 0x48,0x83,0xEC,0x08' with `sub \$8,%rsp' which is exactly themiod2015-07-191-2/+2
| | | | same four bytes, unobfuscated.
* Simplify X509_STORE_CTX_init and make it safe with stack variables.doug2015-07-191-58/+55
| | | | | | | The current version is not safe with stack variables because it may return prematurely with a partially constructed object on error. ok miod@ a while back
* Remove case that can never happen.doug2015-07-191-5/+1
| | | | | | | It's a little convoluted due to gotos, but at that point, pci is always NULL. Spotted by Coverity 21702. ok miod@ beck@ bcook@
* Fix Coverity 72742 - ret is overwritten immediately after this.beck2015-07-191-2/+1
| | | | ok doug@
* Assign p to CBS_data since it is used later.doug2015-07-192-4/+6
| | | | | | The p initialization was hiding this bug but Coverity 126279 saw it. ok miod@ bcook@ beck@
* abort when ENGINE_remove fails, fix Coverity 21656bcook2015-07-191-5/+2
| | | | ok doug@, beck@
* Convert dtls1_get_message_header to CBS and change to int.doug2015-07-186-32/+74
| | | | | | | Changed return value from void to int. It should never return an error given that the input length is not checked yet. ok miod@
* rand_err doesn't exist anymore, coverity 78808beck2015-07-181-3/+3
| | | | ok doug@
* Coverity 21651beck2015-07-181-3/+7
| | | | ok doug@
* Convert dtls1_get_record to CBS.doug2015-07-182-42/+56
| | | | ok miod@, input + ok jsing@
* Remove repeated code in dtls1_get_record.doug2015-07-182-80/+32
| | | | | | | | The "if" is a bit ugly, but this does remove a lot of repetitive code. This will be converted to CBS later as well. ok miod@ jsing@ roughly ok with it after seeing the CBS version
* Dead code, Coverity 78798beck2015-07-181-3/+1
| | | | ok bcook@ doug@
* Coverity ID 78910 - Yet another stupid API designed to not show failures. do thebeck2015-07-181-6/+8
| | | | | | | | | | lease worst alternative and do nothing rather than dereference NULL, but having a function with fundamentally broken API to simply make a list of strings, sort them, and call a function with each string as an argument is really quite silly.... and of course it was exposed API that the ecosystem uses that we can't delete.. yet. ok miod@ doug@
* Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER workaround.doug2015-07-1810-58/+26
| | | | | | This was a hack to work around problems on IE 6 with SSLv3. ok miod@ bcook@
* Check the return value of ASN1_STRING_set(), for it may fail to allocatemiod2015-07-182-6/+14
| | | | | memory. Coverity CID 24810, 24846. ok bcook@ doug@
* Remove support for the SSL_OP_TLS_D5_BUG compat hack from SSLeay.doug2015-07-186-28/+22
| | | | | | | | This is a 17 year old workaround from SSLeay 0.9.0b. It was for clients that send RSA client key exchange in TLS using SSLv3 format (no length prefix). ok jsing@
* Fix leak found by coverity, issue 78897 - which also brough tobeck2015-07-183-25/+33
| | | | | | light that the child counting was broken in the original code. this is still fugly, but this preserves all the existing goo. ok doug@
* delete doubled words;schwarze2015-07-174-4/+4
| | | | patch from Theo Buehler <theo at math dot ethz dot ch>
* extenstion -> extensionmiod2015-07-171-1/+1
|
* Convert ssl_parse_serverhello_use_srtp_ext to CBS.doug2015-07-174-24/+34
| | | | ok miod@ jsing@
* Remove compat hack that disabled ECDHE-ECDSA on OS X.doug2015-07-1710-208/+26
| | | | | | | | | For a few old releases, ECDHE-ECDSA was broken on OS X. This option cannot differentiate between working and broken OS X so it disabled ECDHE-ECDSA support on all OS X >= 10.6. 10.8-10.8.3 were the faulty releases but these are no longer relevant. Tested on OS X 10.10 by jsing. ok jsing@
* Remove workaround for TLS padding bug from SSLeay days.doug2015-07-1712-74/+24
| | | | | | | | | OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years. Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5. ok jsing@
* Bump LIBRESSL_VERSION defines.bcook2015-07-161-3/+7
| | | | | | | Moving forward, software should expect that LIBRESSL_VERSION_TEXT and LIBRESSL_VERSION_NUMBER will increment for each LibreSSL-portable release. ok deraadt@, beck@
* Enforce V_ASN1_OCTET_STRING type before accessing the object as octet string;miod2015-07-161-2/+4
| | | | | from OpenSSL (RT #3683) ok doug@ jsing@
* After reading a password with terminal echo off, restore the terminal toguenther2015-07-161-6/+5
| | | | | | | its original state instead of blindly turning echo on. problem reported on the openssl-dev list by William Freeman ok miod@ beck@
* Explicitely cast a char into unsigned long before shifting it left by 24, formiod2015-07-161-2/+2
| | | | | | | | | | | this would promote it to int for the shift, and then cast to unsigned long, sign-extending it if sizeof(long) > sizeof(int). This was not a problem because the computed value was explicitely range checked afterwards, with an upper bound way smaller than 1U<<31, but it's better practice to cast correctly. ok beck@
* Check return value of all used functions in OCSP_REQUEST_print(); coversmiod2015-07-161-5/+9
| | | | Coverity CID 78796; ok beck@
* Make sure the `reject negative sizes' logic introduced in 1.34 is actuallymiod2015-07-161-3/+4
| | | | | applied to all code paths. ok beck@ bcook@ doug@ guenther@
* check n before cbs_init, coverity - ID 125063beck2015-07-152-6/+18
| | | | ok bcook@ miod@
* test for n<0 before use in CBS_init - mostly to shut up coverity.beck2015-07-156-22/+66
| | | | reluctant ok miod@
* Flense out dead code, we don't do ecdhe_clnt_cert.beck2015-07-154-374/+150
| | | | | coverity ID's 21691 21698 ok miod@, "Fry it" jsing@
* Fix inverted test in previous. Commit message told what we intended, butmiod2015-07-151-2/+2
| | | | we did not notice my fingers slipping. Noticed by bcook@
* Remove dead code. Coverity CID 21688miod2015-07-151-4/+1
| | | | ok beck@
* Fix two theoretical NULL pointer dereferences which can only happen if youmiod2015-07-151-4/+9
| | | | | | | | have seriously corrupted your memory; Coverity CID 21708 and 21721. While there, plug a memory leak upon error in x509_name_canon(). ok bcook@ beck@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-23 02:47:07 +0000