|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| ... |  | 
| | 
| 
| 
| 
| 
| 
| | in libtls.  This gives tls_write() a similar short write semantics
as write(2).  So implementing daemons with libevent buffers will
be easier and workarounds in syslogd and httpd can be removed.
OK tedu@ beck@ reyk@ | 
| | 
| 
| 
| | ok bcook@ doug@ | 
| | 
| 
| 
| 
| | Fixes Coverity 117506, 117507, 117508
ok doug@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | lease worst alternative and do nothing rather than dereference NULL, but having
a function with fundamentally broken API to simply make a list of strings, sort them,
and call a function with each string as an argument is really quite silly....
and of course it was exposed API that the ecosystem uses that we can't delete.. yet.
ok miod@ doug@ | 
| | 
| 
| 
| 
| 
| | This was a hack to work around problems on IE 6 with SSLv3.
ok miod@ bcook@ | 
| | |  | 
| | 
| 
| 
| 
| | The tests will fail all the same.
Fixes Coverity 78811 21659 21658 21657. Discussed with beck@ | 
| | 
| 
| 
| | ok doug@, miod@, guenther@ | 
| | 
| 
| 
| 
| | memory. Coverity CID 24810, 24846.
ok bcook@ doug@ | 
| | 
| 
| 
| 
| 
| 
| 
| | This is a 17 year old workaround from SSLeay 0.9.0b.  It was for
clients that send RSA client key exchange in TLS using SSLv3 format
(no length prefix).
ok jsing@ | 
| | 
| 
| 
| | OK tedu@ | 
| | |  | 
| | 
| 
| 
| | ok deraadt jeremy | 
| | 
| 
| 
| 
| 
| | light that the child counting was broken in the original code.
this is still fugly, but this preserves all the existing goo.
ok doug@ | 
| | 
| 
| 
| | patch from Theo Buehler <theo at math dot ethz dot ch> | 
| | |  | 
| | 
| 
| 
| | ok miod@ jsing@ | 
| | 
| 
| 
| | ok miod@ jsing@ | 
| | 
| 
| 
| | ok miod@ bcook@ beck@ | 
| | 
| 
| 
| | ok miod@ bcook@ beck@ | 
| | 
| 
| 
| | ok miod@ bcook@ beck@ | 
| | 
| 
| 
| | ok miod@ bcook@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | For a few old releases, ECDHE-ECDSA was broken on OS X.  This option
cannot differentiate between working and broken OS X so it disabled
ECDHE-ECDSA support on all OS X >= 10.6.  10.8-10.8.3 were the faulty
releases but these are no longer relevant.  Tested on OS X 10.10 by jsing.
ok jsing@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | OpenSSL doesn't remember which clients were impacted and the
functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@ | 
| | 
| 
| 
| 
| 
| 
| | Moving forward, software should expect that LIBRESSL_VERSION_TEXT and
LIBRESSL_VERSION_NUMBER will increment for each LibreSSL-portable release.
ok deraadt@, beck@ | 
| | 
| 
| 
| 
| | from OpenSSL (RT #3683)
ok doug@ jsing@ | 
| | 
| 
| 
| | ok miod@, bcook@ | 
| | 
| 
| 
| | ok miod@ | 
| | 
| 
| 
| 
| 
| 
| | its original state instead of blindly turning echo on.
problem reported on the openssl-dev list by William Freeman
ok miod@ beck@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | this would promote it to int for the shift, and then cast to unsigned long,
sign-extending it if sizeof(long) > sizeof(int).
This was not a problem because the computed value was explicitely range
checked afterwards, with an upper bound way smaller than 1U<<31, but it's
better practice to cast correctly.
ok beck@ | 
| | 
| 
| 
| | Coverity CID 78796; ok beck@ | 
| | 
| 
| 
| 
| | applied to all code paths.
ok beck@ bcook@ doug@ guenther@ | 
| | 
| 
| 
| | ok bcook@ miod@ | 
| | 
| 
| 
| | reluctant ok miod@ | 
| | 
| 
| 
| 
| | coverity ID's 21691 21698
ok miod@, "Fry it" jsing@ | 
| | 
| 
| 
| | we did not notice my fingers slipping. Noticed by bcook@ | 
| | 
| 
| 
| | ok beck@ | 
| | 
| 
| 
| 
| 
| 
| 
| | have seriously corrupted your memory; Coverity CID 21708 and 21721.
While there, plug a memory leak upon error in x509_name_canon().
ok bcook@ beck@ | 
| | 
| 
| 
| | ok miod@ | 
| | 
| 
| 
| | ok beck@ | 
| | 
| 
| 
| 
| | Coverity CID 21739 and more.
ok bcook@ | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | int_TS_RESP_verify_token(). Coverity CID 21710.
Looking further, int_TS_RESP_verify_token() will only initialize signer to
something non-NULL if TS_VFY_SIGNATURE is set in ctx->flags. But guess what?
TS_REQ_to_TS_VERIFY_CTX() in ts/ts_verify_ctx.c, which is the TS_VERIFY_CTX
constructor, explicitely clears this bit, with:
        ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE);
followed by more conditional flag clears.
Of course, nothing prevents the user to fiddle with ctx->flags afterwards. This
is exactly what ts.c in usr.bin/openssl does. This is gross, mistakes will
happen.
ok beck@ | 
| | 
| 
| 
| 
| 
| | seed_in == NULL case. Since this situation is an error anyway, bail out
early.
with and ok beck@ | 
| | 
| 
| 
| | ok doug@ | 
| | 
| 
| 
| 
| 
| | Previously, it returned '1' regardless of whether is succeeded or failed. This is now fixed in the OpenSSL master branch as well. Thanks to Kinichiro Inoguchi for pointing it out.
ok @deraadt | 
| | 
| 
| 
| 
| 
| 
| 
| | Unlike the other conversions, this only partially converts the function
for now.  This is the second to last function which still uses the n2l3
macro.  That macro is deprecated since we're using CBS.
ok miod@ jsing@ | 
| | 
| 
| 
| | ok miod@ jsing@ | 
| | 
| 
| 
| | ok miod@ jsing@ | 
| | 
| 
| 
| | ok miod@ jsing@ |