summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Provide ssl_version_string() function, which uses one of those modern Cjsing2014-07-128-56/+62
| | | | | | | | constructs (a switch statement) and returns the appropriate string defined by SSL_TXT_* for the given version, including support for DTLSv1 and DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print(). ok beck@
* In openssl_startup(), call SSL_library_init() and SSL_load_error_strings().jsing2014-07-128-28/+10
| | | | | | | | This allows us to remove the ERR_load_crypto_strings() call, along with the various SSL_load_error_strings() and OpenSSL_add_ssl_algorithms() calls scattered around the place. ok beck@
* Make the BLOCK_CIPHER_{generic,custom} macros expand to more readable structmiod2014-07-121-67/+102
| | | | definitions using C99 field initializers. No functional change.
* Remove extra parenthesis.jsing2014-07-122-4/+4
|
* need_cert is now always true, so remove the variable and associatedjsing2014-07-122-66/+42
| | | | | | conditionals. ok miod@
* openssl(1) is only built as a single monolithic binary, so just calljsing2014-07-1239-154/+47
| | | | | | load_config() once when we start. ok miod@
* jsing and I are investigating removal of all? most? 'getenv from library'deraadt2014-07-121-1/+3
| | | | | | | instances. This one for OPENSSL_ALLOW_PROXY_CERTS gets turned off first, especially since it had this special comment: /* A hack to keep people who don't want to modify their software happy */ ok beck jsing
* A few fixes/improvements:miod2014-07-121-20/+19
| | | | | | | | | | | | | | | | - first, BN_free == BN_clear_free in our libcrypto, so we do not need to treat CBIGNUM (crypto BN) separately from BIGNUM (regular BN). - then, in bn_i2c(), since BN_bn2bin returns BN_num_bytes(input), take advantage of this to avoid calling BN_num_bytes() a second time. BN_num_bytes() is cheap, but this not a reason to perform redundant work. - finally, in bn_c2i, if bn_new() fails, return early. Otherwise BN_bin2bn will try to create a BN too, and although this will probably fail since we were already out of memory, if we are on a threaded process and suddenly the allocation succeeds, we will leak it since it will never be stored in *pval. ok jsing@
* Make sure the return value of X509_NAME_oneline(, NULL,) is checked againstmiod2014-07-122-5/+13
| | | | | NULL. ok deraadt@ guenther@ jsing@
* if (x) FOO_free(x) -> FOO_free(x).miod2014-07-1266-563/+327
| | | | | | | Improves readability, keeps the code smaller so that it is warmer in your cache. review & ok deraadt@
* Principle of least surprise: make CMAC_CTX_free(), OCSP_REQ_CTX_free() andmiod2014-07-123-3/+12
| | | | | X509_STORE_CTX_free() accept NULL pointers as input without dereferencing them, like all the other well-behaved *_CTX_free() functions do.
* Remove remnants from PSK, KRB5 and SRP.jsing2014-07-1216-318/+86
| | | | ok beck@ miod@
* typosmiod2014-07-123-5/+5
|
* Place comments in a block above the if statement, rather than attemptingjsing2014-07-124-94/+126
| | | | | to interleave them within the conditions. Also fix wrapping and indentation.
* Make disabling last cipher work.guenther2014-07-122-18/+18
| | | | | From Thijs Alkemade via OpenSSL trunk ok miod@
* -DOPENSSL_NO_KRB5 is no longer neededderaadt2014-07-121-2/+2
| | | | ok guenther
* enough churn, a crank is advised by guenther..deraadt2014-07-122-2/+2
|
* As reported by David Ramos, most consumer of ssl_get_message() perform latemiod2014-07-116-106/+296
| | | | | | | | | | | | | | | | | | bounds check, after reading the 2-, 3- or 4-byte size of the next chunk to process. But the size fields themselves are not checked for being entirely contained in the buffer. Since reading past your bounds is bad practice, and may not possible if you are using a secure memory allocator, we need to add the necessary bounds check, at the expense of some readability. As a bonus, a wrong size GOST session key will now trigger an error instead of a printf to stderr and it being handled as if it had the correct size. Creating this diff made my eyes bleed (in the real sense); reviewing it made guenther@'s and beck@'s eyes bleed too (in the literal sense). ok guenther@ beck@
* Provide LIBRESSL_VERSION_NUMBER for people who use such things tobeck2014-07-111-1/+2
| | | | | detect versions distinct from OPENSSL_BLAH_WOOF.. ok jsing@ tedu@ deraadt@
* missing \deraadt2014-07-111-2/+2
|
* formattingbeck2014-07-111-4/+6
| | | | ok bcook@
* Modify formatting to make portable's life a lot easier.beck2014-07-111-7/+6
| | | | ok miod@ bcook@
* adapt addapt spelling to adapt; request from miodderaadt2014-07-111-3/+3
|
* Huge documentation update for libcrypto and libssl, mostly from Matt Caswell,miod2014-07-1169-192/+1405
| | | | | | Jeff Trawick, Jean-Paul Calderone, Michal Bozon, Jeffrey Walton and Rich Salz, via OpenSSL trunk (with some parts not applying to us, such as SSLv2 support, at least partially removed).
* If the application uses tls_session_secret_cb for session resumption, setmiod2014-07-112-4/+6
| | | | the CCS_OK flag. From OpenSSL trunk.
* Avoid invoking EVP_CIPHER_CTX_cleanup() on uninitialized memory; frommiod2014-07-111-2/+2
| | | | Coverity via OpenSSL trunk
* Fix a memory leak in BIO_free() which no current BIO can trigger; OpenSSLmiod2014-07-111-4/+3
| | | | PR #3439 via OpenSSL trunk
* Prevent infinite loop during configuration file parsing; OpenSSL PR #2985miod2014-07-111-2/+2
| | | | via OpenSSL trunk.
* Missing bounds check in do_PVK_body(); OpenSSL RT #2277, from OpenSSL trunk,miod2014-07-111-4/+10
| | | | but without a memory leak.
* OPENSSL_ALGORITHM_DEFINES has been removed from conf.h, no need for it nowtedu2014-07-111-8/+2
|
* In RSA_eay_private_encrypt(), correctly return the smaller BN; OpenSSLmiod2014-07-111-2/+2
| | | | PR #3418 via OpenSSL trunk
* In ssl3_get_cert_verify(), allow for larger messages to accomodate keysmiod2014-07-112-6/+4
| | | | | larger than 4096-bit RSA which the most paranoid of us are using; OpenSSL PR #319 via OpenSSL trunk.
* it has been 4888 days since the transient feature to define short macrostedu2014-07-111-58/+1
| | | | | for apps that haven't had time to make the appropriate changes was added. time's up.
* Apparently better fix for OpenSSL PR #3397 (Joyent bug #7704), from OpenSSLmiod2014-07-111-2/+2
| | | | trunk
* Also make these files parsable by pod2man..beck2014-07-111-6/+6
| | | | ok bcook@
* Make this file parsable by pod2man without errors.beck2014-07-111-6/+6
| | | | ok bcook@
* In ASN1_get_object(), reject primitive encodings using the indefinite lengthmiod2014-07-111-1/+4
| | | | constructed form. OpenSSL PR #2438 via OpenSSL trunk
* Fix copy for CCM, GCM and XTS.miod2014-07-111-12/+70
| | | | | | | | Internal pointers in CCM, GCM and XTS contexts should either be NULL or set to point to the appropriate key schedule. This needs to be adjusted when copying contexts. OpenSSL PR #3272 with further fixes, from OpenSSL trunk
* In asn1_get_length(), tolerate leading zeroes in BER encoding.miod2014-07-111-5/+8
| | | | OpenSSL PR #2746 via OpenSSL trunk
* In EVP_PBE_alg_add don't use the underlying NID for the ciphermiod2014-07-111-2/+2
| | | | as it may have a non-standard key size; OpenSSL PR #3206 via OpenSSL trunk.
* additional features: no buffer freelists and no heartbleedtedu2014-07-111-0/+3
|
* no compression is also a feature of libressltedu2014-07-111-0/+4
|
* move all the feature settings to a common header.tedu2014-07-111-0/+72
| | | | probably ok beck jsing miod
* Tolerate critical AKID in CRLs; OpenSSL PR #3014 via OpenSSL trunk, andmiod2014-07-111-7/+8
| | | | also update the comments to reflect what the code now does.
* Fix OID encoding for single components. OpenSSL PR #2556 via OpenSSL trunk.miod2014-07-111-1/+1
| | | | (be sure to make cleandir and make includes before building)
* More memory leaks and unchecked allocations; OpenSSL PR #3403 via OpenSSLmiod2014-07-114-7/+19
| | | | trunk. (note we had already fixed some of the issues in that PR independently)
* Make sure BN_sqr never returns negative numbers.miod2014-07-111-1/+2
| | | | OpenSSL PR #3400 via OpenSSL trunk.
* Accept CCS again after `finished' has been sent by the client; at this pointmiod2014-07-112-10/+12
| | | | | | | keys have been correctly set up so it is ok to accept CCS from the server. Without renegotiation can sometimes fail. OpenSSL PR #3400 via OpenSSL trunk.
* In dtls1_clear_queues(), free buffered_add_data.q correctly, it's made ofmiod2014-07-112-8/+8
| | | | | | DTLS1_RECORD_DATA, not hm_fragment. OpenSSL PR #3286 via OpenSSL trunk.
* Fix version number processing in cms_sd_set_version(); OpenSSL PR #3249 viamiod2014-07-111-3/+3
| | | | OpenSSL trunk.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-21 18:49:45 +0000