Commit message | Author | Age | Files | Lines
* capi_get_provname: Check return values | Kurt Roeckx | 2014-12-04 | 1 | -6/+12
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* ssl_create_cipher_list: check whether push onto cipherstack succeeds | Jonas Maebe | 2014-12-04 | 1 | -1/+6
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* ssl_cert_dup: Fix memory leak | Jonas Maebe | 2014-12-04 | 1 | -22/+2
  Always use goto err on failure and call ssl_cert_free() on the error path so all fields and "ret" itself are freed
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* dtls1_new: free s on error path | Kurt Roeckx | 2014-12-04 | 1 | -4/+9
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* dtls1_heartbeat: check for NULL after allocating s->cert->ctypes | Jonas Maebe | 2014-12-04 | 1 | -0/+5
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* dtls1_process_heartbeat: check for NULL after allocating buffer | Jonas Maebe | 2014-12-04 | 1 | -0/+2
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* capi_get_key: check for NULL after allocating key | Jonas Maebe | 2014-12-04 | 1 | -0/+2
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* capi_cert_get_fname: check for NULL after allocating wfname | Jonas Maebe | 2014-12-04 | 1 | -0/+2
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* capi_get_provname: free name on error if it was malloc'ed | Jonas Maebe | 2014-12-04 | 1 | -0/+2
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* pkey_gost_mac_keygen: check for NULL after allocating keydata | Jonas Maebe | 2014-12-04 | 1 | -0/+2
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* pkey_gost_ctrl: check for NULL after allocating pctx->shared_ukm | Jonas Maebe | 2014-12-04 | 1 | -0/+5
  Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Update changes to indicate that SSLv2 support has been removed | Kurt Roeckx | 2014-12-04 | 1 | -0/+4
  Reviewed-by: Matt Caswell <matt@openssl.org>
* Remove incorrect code inadvertently introduced through commit 59669b6ab. | Matt Caswell | 2014-12-04 | 1 | -4/+0
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Remove SSLv2 support | Kurt Roeckx | 2014-12-04 | 69 | -5569/+229
  The only support for SSLv2 left is receiving a SSLv2 compatible client hello.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* New location on website for binaries. | Rich Salz | 2014-12-03 | 1 | -1/+1
  Reviewed-by: Bodo Moeller <bodo@openssl.org>
* Remove "#if 0" code | Matt Caswell | 2014-12-03 | 1 | -22/+0
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Only use the fallback mtu after 2 unsuccessful retransmissions if it is less | Matt Caswell | 2014-12-03 | 1 | -1/+5
  than the mtu we are already using
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Updates to s_client and s_server to remove the constant 28 (for IPv4 header | Matt Caswell | 2014-12-03 | 2 | -4/+30
  and UDP header) when setting an mtu. This constant is not always correct (e.g. if using IPv6). Use the new DTLS_CTRL functions instead.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* If we really get a situation where the underlying mtu is less than the minimum | Matt Caswell | 2014-12-03 | 1 | -1/+4
  we will support then dtls1_do_write can go into an infinite loop. This commit fixes that.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix dtls_query_mtu so that it will always either complete with an mtu that is | Matt Caswell | 2014-12-03 | 1 | -37/+24
  at least the minimum or it will fail.
  There were some instances in dtls1_query_mtu where the final mtu can end up being less than the minimum, i.e. where the user has set an mtu manually. This shouldn't be allowed. Also remove dtls1_guess_mtu that, despite having logic for guessing an mtu, was actually only ever used to work out the minimum mtu to use.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP) | Matt Caswell | 2014-12-03 | 6 | -30/+74
  and instead use the value provided by the underlying BIO. Also provide some new DTLS_CTRLs so that the library user can set the mtu without needing to know this constant. These new DTLS_CTRLs provide the capability to set the link level mtu to be used (i.e. including this IP/UDP overhead). The previous DTLS_CTRLs required the library user to subtract this overhead first.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* There are a number of instances throughout the code where the constant 28 is | Matt Caswell | 2014-12-03 | 2 | -4/+46
  used with no explanation. Some of this was introduced as part of RT#1929. The value 28 is the length of the IP header (20 bytes) plus the UDP header (8 bytes). However use of this constant is incorrect because there may be instances where a different value is needed, e.g. an IPv4 header is 20 bytes but an IPv6 header is 40. Similarly you may not be using UDP (e.g. SCTP).
  This commit introduces a new BIO_CTRL that provides the value to be used for this mtu "overhead". It will be used by subsequent commits.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* The first call to query the mtu in dtls1_do_write correctly checks that the | Matt Caswell | 2014-12-03 | 1 | -9/+13
  mtu that we have received is not less than the minimum. If it's less it uses the minimum instead. The second call to query the mtu does not do that, but instead uses whatever comes back. We have seen an instance in RT#3592 where we have got an unreasonably small mtu come back. This commit makes both query checks consistent.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being | Matt Caswell | 2014-12-03 | 2 | -3/+11
  automatically updated, and we should use the one provided instead. Unfortunately there are a couple of locations where this is not respected.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Verify that we have a sensible message len and fail if not | Matt Caswell | 2014-12-03 | 1 | -2/+8
  RT#3592 provides an instance where the OPENSSL_assert that this commit replaces can be hit. I was able to recreate this issue by forcing the underlying BIO to misbehave and come back with very small mtu values. This happens the second time around the while loop after we have detected that the MTU has been exceeded following the call to dtls1_write_bytes.
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Use the SSLv23 method by default | Kurt Roeckx | 2014-12-02 | 2 | -15/+0
  If SSLv2 and SSLv3 are both disabled we still support SSL/TLS.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove all .cvsignore files | Rich Salz | 2014-11-28 | 95 | -502/+0
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Check for FindNextFile when defining it rather than FindFirstFile | Richard Levitte | 2014-11-28 | 1 | -1/+1
  Reviewed-by: Matt Caswell <matt@openssl.org>
* [PR3597] Advance to the next state variant when reusing messages. | Richard Levitte | 2014-11-28 | 1 | -0/+1
  Previously, state variant was not advanced, which resulted in state being stuck in the st1 variant (usually "_A").
  This broke certificate callback retry logic when accepting connections that were using SSLv2 ClientHello (hence reusing the message), because their state never advanced to SSL3_ST_SR_CLNT_HELLO_C variant required for the retry code path.
  Reported by Yichun Zhang (agentzh).
  Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
* Correct some layout issues, convert all remaining tabs to appropriate amounts of spaces. | Richard Levitte | 2014-11-28 | 1 | -9/+8
  Reviewed-by: Matt Caswell <matt@openssl.org>
* Improves the proxy certificates howto doc. | Alok Menghrajani | 2014-11-28 | 1 | -106/+91
  The current documentation contains a bunch of spelling and grammar mistakes. I also found it hard to understand some paragraphs, so here is my attempt to improve its readability.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix warning in ssl2_enc | Matt Caswell | 2014-11-27 | 1 | -1/+1
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove more references to dtls1_enc | Matt Caswell | 2014-11-27 | 2 | -2/+0
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Check EVP_Cipher return values for SSL2 | Matt Caswell | 2014-11-27 | 3 | -6/+15
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Delete unused file | Matt Caswell | 2014-11-27 | 2 | -283/+2
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Add checks to the return value of EVP_Cipher to prevent silent encryption failure. | Matt Caswell | 2014-11-27 | 3 | -4/+4
  PR#1767
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove redundant checks in ssl_cert_dup. This was causing spurious error messages when using GOST | Matt Caswell | 2014-11-27 | 1 | -29/+0
  PR#3613
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Tidy up ocsp help output | Matt Caswell | 2014-11-27 | 1 | -46/+46
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Add documentation on -timeout option in the ocsp utility | André Guerreiro | 2014-11-27 | 2 | -0/+5
  PR#3612
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* NetWare compilation fix. | Guenter | 2014-11-27 | 1 | -1/+1
  Workaround for NetWare CodeWarrior compiler which doesn't properly lookup includes when in same directory as the C file which includes it.
  PR#3569
  Reviewed-by: Stephen Henson <steve@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
* Updates to X509_NAME_get_index_by_NID.pod submitted by user Bernardh via the wiki | Matt Caswell | 2014-11-27 | 1 | -0/+4
  Minor changes made by Matt Caswell
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Updates to X509_NAME_add_entry_by_txt.pod submitted by user Bernardh via the wiki | Matt Caswell | 2014-11-27 | 1 | -6/+6
  Minor changes made by Matt Caswell.
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Updates to EVP_PKEY_encrypt.pod submitted by user Bernardh via the wiki | Matt Caswell | 2014-11-27 | 1 | -3/+9
  Minor changes made by Matt Caswell.
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Add include of ssl.h which is required by srtp.h | Matt Caswell | 2014-11-27 | 1 | -1/+3
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask | Matt Caswell | 2014-11-26 | 3 | -6/+4
  PR#3608
  Reviewed-by: Tim Hudson <tjh@openssl.org>
* Corrected comments in ssl.h about SSLv23_method and friends | Matt Caswell | 2014-11-25 | 1 | -3/+3
  PR#3574
  Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Print out Suite B status. | Dr. Stephen Henson | 2014-11-20 | 1 | -2/+7
  When using the -xcert option to test certificate validity print out if we pass Suite B compliance. We print out "not tested" if we aren't in Suite B mode.
  Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix SuiteB chain checking logic. | Dr. Stephen Henson | 2014-11-20 | 1 | -7/+4
  Reviewed-by: Matt Caswell <matt@openssl.org>
* RT2679: Fix error if keysize too short | Annie Yousar | 2014-11-20 | 2 | -2/+6
  In keygen, return KEY_SIZE_TOO_SMALL not INVALID_KEYBITS.
  ** I also increased the minimum from 256 to 512, which is now documented in CHANGES file. **
  Reviewed-by: Matt Caswell <matt@openssl.org>
* RT3488: Update doc for OPENSSL_config | Rich Salz | 2014-11-20 | 2 | -33/+23
  Fix CONF_load_modules to CONF_modules_load. Document that it calls exit. Advise against using it now. Add an error print to stderr.
  Reviewed-by: Matt Caswell <matt@openssl.org>