summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* fourth batch of perlpod(1) to mdoc(7) conversionschwarze2015-02-2337-1276/+2521
|
* While slick, this isn't accessing multiple directories concurrently, soguenther2015-02-221-29/+35
| | | | | | | | using *at functions is equivalent to chdir()ing, which eases portability. Tested with mixes of absolute and relative paths. Eliminate a FILE leak too. prodded by jsing@
* Bump libcrypto and libssl majors, due to various recent churn.jsing2015-02-224-4/+4
| | | | Discussed with/requested by deraadt@ at the conclusion of s2k15.
* Reluctantly add server-side support for TLS_FALLBACK_SCSV.jsing2015-02-2215-25/+159
| | | | | | | | | | | | | | | | | | | | | | | | | | This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol. TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends. Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols. Diff is loosely based on OpenSSL with some inspiration from BoringSSL. Discussed with beck@ and miod@. ok bcook@
* There is not much point constructing an SSL_CIPHER, then callingjsing2015-02-222-14/+6
| | | | | ssl3_cipher_get_value() to get the cipher suite value that we just put in the struct - use the cipher suite value directly.
* Remove IMPLEMENT_STACK_OF noops.jsing2015-02-224-8/+4
|
* Update for recent verify related naming changes.jsing2015-02-222-28/+28
|
* Bump libtls major due to symbol removal.jsing2015-02-221-3/+2
|
* Rename tls_config_insecure_noverifyhost() tojsing2015-02-224-21/+20
| | | | | | | tls_config_insecure_noverifyname(), so that it is more accurate and keeps inline with the distinction between DNS hostname and server name. Requested by tedu@ during s2k15.
* Check return values when setting dheparams and ecdhecurve for the defaultjsing2015-02-221-11/+14
| | | | configuration.
* In the interests of being secure by default, make the default TLS ciphersjsing2015-02-222-2/+17
| | | | | | | be those that are TLSv1.2 with AEAD and PFS. Provide a "compat" mode that allows the previous default ciphers to be selected. Discussed with tedu@ during s2k15.
* explain how tls_accept_socket works.tedu2015-02-211-2/+9
|
* tls_config_set_protocols is really void. Greg Martin.tedu2015-02-211-3/+3
|
* fill out docs a bit more, notably the read/write again behaviors.tedu2015-02-211-3/+27
| | | | ok jsing
* If BN_rand() or BN_pseudo_rand() are called with a NULL rnd argument,jsing2015-02-192-6/+16
| | | | | | | | | BN_bin2bn() will helpfully allocate a BN which is then leaked. Avoid this by explicitly checking for NULL at the start of the bnrand() function. Fixes Coverity ID 78831. ok miod@
* BN_free() has its own NULL check.jsing2015-02-191-14/+7
|
* KNF.jsing2015-02-191-766/+834
|
* fix coverity 105350 and 10345beck2015-02-181-1/+2
| | | | ok miod@, doug@
* Memory leak in error path. Coverity CID 78822.miod2015-02-172-16/+18
| | | | ok doug@
* Amend documentation for AI_ADDRCONFIGjca2015-02-161-2/+4
| | | | ok jmc@
* third batch of perlpod(1) to mdoc(7) conversionschwarze2015-02-1625-1367/+2121
|
* Add more error checking and free resources in bytestringtest.doug2015-02-161-26/+47
|
* Avoid calling BN_CTX_end() on a context that wasn't started.doug2015-02-152-8/+8
| | | | | | | | | | | In dsa_builtin_paramgen(), if BN_MONT_CTX_new() fails, the BN_CTX_new() call above it will have allocated a ctx without calling BN_CTX_start() on it. The error handling calls BN_CTX_end() when ctx is allocated. Move the BN_MONT_CTX_new() call up so it will fail first without splitting up the BN_CTX_new() and BN_CTX_start(). tweak + ok miod@, ok bcook@
* Use "In" to mark up include files, instead of wrongly wrapping with Aq.bentley2015-02-151-3/+3
| | | | | | | Aq is not the same as <> in non-ASCII situations, so this caused incorrect output in some places. And it provided no semantics besides. ok schwarze@
* Regenmiod2015-02-156-528/+564
|
* s/tls_load_keys/tls_load_file/jsing2015-02-151-2/+2
|
* Document tls_config_parse_protocols() and update documentation forjsing2015-02-152-5/+27
| | | | tls_config_set_protocols().
* Fix various memory leaks by not exiting so abruptly from failed tests.miod2015-02-151-579/+507
|
* Remove ancient gcc workaround on mips.miod2015-02-151-3/+2
|
* Memory leak. Coverity CID 78865miod2015-02-151-2/+3
|
* Wrong logic; Coverity CID 78894miod2015-02-151-1/+1
|
* If we decide to discard the provided seed buffer because its size is notmiod2015-02-152-16/+12
| | | | | | | | large enough, do it correctly so that the local seed buffer on the stack gets properly initialized in the first iteration of the loop. While there, remove an outdated and bogus comment. Coverity CID 21785 ok doug@ jsing@
* Check ASN1_OCTET_STRING_new() for failure. Coverity CID 78904miod2015-02-152-12/+16
| | | | ok doug@
* In ec_wNAF_mul(), move the declaration of tmp_wNAF higher in scope, so thatmiod2015-02-152-12/+10
| | | | | all the function's exit paths can make sure it gets freed. Coverity CID 78861 tweaks & ok doug@ jsing@
* lsearch and lfind return void *tedu2015-02-151-4/+4
|
* Support for nc -T on IPv6 addresses.jca2015-02-141-7/+16
| | | | ok sthen@
* Remove asn1_ex_i2c() prototype, now that this function has been made static;miod2015-02-142-4/+2
| | | | reminded by bcook@
* Words read better when they are separated by spaces.miod2015-02-142-2/+2
|
* 1.18 would introduce a possible out-of-bounds access in the error path;miod2015-02-142-14/+10
| | | | | Coverity CID 105346 ok doug@
* Remove DEBUG_PKCS5V2 code.miod2015-02-142-50/+2
|
* Unchecked allocations in x509_name_canon().miod2015-02-142-2/+10
| | | | ok doug@ jsing@
* Memory leak upon error in X509_add1_{trust,reject}_object.miod2015-02-142-14/+46
| | | | ok doug@
* Manually expand IMPLEMENT_EXTERN_ASN1 macro (the only occurence in crypto).jsing2015-02-142-6/+20
| | | | Only change to generated assembly is due to line numbers.
* Remove IMPLEMENT_COMPAT_ASN1() and related support code. Nothing uses it inmiod2015-02-1410-282/+14
| | | | | | libcrypto/libssl, and nothing seems to use it in the wild, apart from embedded copies of OpenSSL. ok jsing@
* Make asn1_ex_i2c() static. ok jsing@miod2015-02-142-4/+8
|
* Memory leak in `should not happen' condition; Coverity CID 78889.miod2015-02-142-8/+8
| | | | ok doug@ jsing@
* Memory leak upon error; Coverity CID 78857miod2015-02-142-2/+8
| | | | | ok doug@ jsing@ CVy: Committing in .
* Check i2d_name_canon() for failure (negative return). Coverity CID 78888.miod2015-02-142-12/+16
| | | | ok doug@ jsing@
* Possible NULL pointer dereferences. Coverity CID 21719, 21732.miod2015-02-144-6/+14
| | | | ok doug@ jsing@
* Potential NULL dereference in the error path; Coverity CID 21720miod2015-02-142-4/+4
| | | | ok doug@ jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-25 00:38:41 +0000