| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
Without this check, we potentially look up to 3 characters before
the start of a malloc'd segment, which could provoke a crash under
certain (weird afaik) circumstances.
Fixes 17404; bugfix on 0.2.6.3-alpha.
|
|
Now that x509_get_not{Before,After} are functions in OpenSSL 1.1
(not yet releasesd), we need to define a variant that takes a const
pointer to X509 and returns a const pointer to ASN1_time.
Part of 17237. I'm not convinced this is an openssl bug or a tor
bug. It might be just one of those things.
|
|
(which isn't correct.)
Fixes bug 17047; bugfix on 0.2.7.2-alpha, introduced by the merge in
0030765e04d8dfe3dfaf8124b01a4d578b7d8ceb, apparently.
|
|
|
|
|
|
clang complains that the address of struct member in an assert in
SSL_SESSION_get_master_key is always non-NULL.
Instead, check each pointer argument is non-NULL before using it.
Fix on f90a704f1258 from 27 May 2015, not in any released version of tor.
|
|
|
|
* Use `TLS_method()` instead of the deprecated `SSLv23_method()`
* Fix one missed conversion to `SSL_CIPHER_get_id()`
|
|
|
|
Unused variable warnings were still generated under some versions of OpenSSL.
Instead, make sure all variables are used under all versions.
Fix on 496df21c89d1, not in any released version of tor.
|
|
Conflicts:
src/common/tortls.c
|
|
Repairs build with libressl
|
|
If OpenSSL accepts my patch to introduce these functions, they'll
be a way to help Tor work with OpenSSL 1.1.
|
|
|
|
Fixed numerous conflicts, and ported code to use new base64 api.
|
|
|
|
An earlier version of these tests was broken; now they're a nicer,
more robust, more black-box set of tests. The key is to have each
test check a handshake message that is wrong in _one_ way.
|
|
If the OpenSSL team accepts my patch to add an
SSL_get_client_ciphers function, this patch will make Tor use it
when available, thereby working better with openssl 1.1.
|
|
We previously used this function instead of SSL_set_cipher_list() to
set up a stack of client SSL_CIPHERs for these reasons:
A) In order to force a particular order of the results.
B) In order to be able to include dummy entries for ciphers that
this build of openssl did not support, so we could impersonate
Firefox harder.
But we no longer do B, since we merged proposal 198 and stopped
lying about what ciphers we know.
And A was actually pointless, since I had misread the implementation
of SSL_set_cipher_list(). It _does_ do some internal sorting, but
that is pre-sorting on the master list of ciphers, not sorting on
the user's preferred order.
|
|
This reverts commit 67964cfa787461bc56380fe46439fd5c9863bb4f.
It was the cause of #16153, and was not in any released Tor. We need
a better solution for getting session->ciphers.
|
|
This reverts commit 67964cfa787461bc56380fe46439fd5c9863bb4f.
It was the cause of #16153, and was not in any released Tor. We need
a better solution for getting session->ciphers.
|
|
As OpenSSL >= 1.0.0 is now required, ECDHE is now mandatory. The group
has to be validated at runtime, because of RedHat lawyers (P224 support
is entirely missing in the OpenSSL RPM, but P256 is present and is the
default).
Resolves ticket #16140.
|
|
|
|
|
|
|
|
Conflicts:
src/test/testing_common.c
|
|
|
|
|
|
|
|
|
|
This should help openssl 1.1. On pre-1.1, we double-check that these
two methods give us the same list, since the underlying code is awfully
hairy.
|
|
The key here is to never touch ssl->cipher_list directly, but only
via SSL_get_ciphers(). But it's not so simple.
See, if there is no specialized cipher_list on the SSL object,
SSL_get_ciphers returns the cipher_list on the SSL_CTX. But we sure
don't want to modify that one! So we need to use
SSL_set_cipher_list first to make sure that we really have a cipher
list on the SSL object.
|
|
|
|
|
|
|
|
|
|
This field was only needed to work with the now-long-gone (I hope,
except for some horrible apples) openssl 0.9.8l; if your headers say
you have openssl 1.1, you won't even need it.
|
|
|
|
Also, add some sample tests to be examples.
|
|
|
|
Incidently, this fixes a bug where the maximum value was never used when
only using crypto_rand_int(). For instance this example below in
rendservice.c never gets to INTRO_POINT_LIFETIME_MAX_SECONDS.
int intro_point_lifetime_seconds =
INTRO_POINT_LIFETIME_MIN_SECONDS +
crypto_rand_int(INTRO_POINT_LIFETIME_MAX_SECONDS -
INTRO_POINT_LIFETIME_MIN_SECONDS);
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
|
|
The paths are already in the directory search path of the compiler therefore no
need to include them in the source code.
|
|
|
|
|
|
|
|
Prefer not to use a couple of deprecated functions; include more
headers in tortls.c
This is part of ticket 14188.
|
|
apparantly, "pragma GCC diagnostic push/pop" don't exist with older versions.
Fixes bug in 740e592790f570c446cbb5e6d4a77f842f75; bug not in any
released Tor.
|
