OpenSSL Valhalla Rampage

Tearing apart OpenSSL, one arcane VMS hack at a time.

Like what OpenBSD is doing to OpenSSL? Donate here.
  • ask me anything
  • submit a post
  • rss
  • archive
  • faq
  • Donate to OpenBSD
  • Follow us on Twitter
  • LibreSSL 2.1.1 released

    LibreSSL now turns off SSL 3 by default as a fix for POODLE. Thanks to the awesome people that have made this possible. Remember to donate!

    • 10 years ago
    • 9 notes
    • #openbsd
    • #libressl
    • #release
    9 Comments
  • LibreSSL 2.1.0 released

    Many thanks to all of the awesome hackers that have made this release possible. Again, if you like the work that OpenBSD is doing, please donate here

    • 10 years ago
    • 3 notes
    • #openbsd
    • #libressl
    • #release
    3 Comments
  • Add ressl_config_clear_keys()

    Provide a ressl config function that explicitly clears keys. Now that ressl config takes copies of the keys passed to it, the keys need to be explicitly cleared. While this can be done by calling the appropriate functions with a NULL pointer, it is simpler and more obvious to call one function that does this for you.

    — jsing

    • 10 years ago
    • 1 notes
    • #openbsd
    • #libressl
    • #ressl
    • #cleanup
    1 Comments
  • Add SSL_CTX_use_certificate_chain()

    Add a new API function SSL_CTX_use_certificate_chain() that allows to read the PEM-encoded certificate chain from memory instead of a file. This idea is derived from an older implementation in relayd that was needed to use the function with a privep'ed process in a chroot. Now it is time to get it into LibreSSL to make the API more privsep- friendly and to make it available for other programs and the ressl library.

    — reyk

    • 10 years ago
    • 2 notes
    • #openbsd
    • #openssl
    • #libressl
    • #ressl
    2 Comments
  • Don't overzealously free(3) what you did not allocate

    X509v3_add_ext(): do not free stuff we did not allocate in the error path.

    — miod

    • 10 years ago
    • #openbsd
    • #openssl
    • #libressl
    0 Comments
  • Don't dereference when NULL, also don't leak memory

    X509_TRUST_add(): check X509_TRUST_get0() return value before dereferencing it, for it may be NULL. Do not leak memory upon error.

    — miod

    • 10 years ago
    • 1 notes
    • #openbsd
    • #openssl
    • #libressl
    • #memory leaks
    • #null dereference
    1 Comments
  • Don't avoid your own API for the sake of misguided cleverness

    Someone ™ thought it was smart to save memory by using malloc(1) and manual field fiddling to create an ASN1_INTEGER object, instead of using M_ASN1_INTEGER_new() which will allocate sizeof(long) bytes. That person had probably never looked into malloc(3) and never heard of allocation size rounding.

    Thus, replace the obfuscated code with M_ASN1_INTEGER_new() followed by ASN1_INTEGER_set(), to achieve a similar result, without the need for /* version == 0 */ comments.

    — miod

    • 10 years ago
    • 5 notes
    • #openbsd
    • #openssl
    • #libressl
    5 Comments
  • Config interface should own its own memory

    revamp the config interface to own memory. easier to use correctly without caller worrying about leaks or lifetimes.

    — tedu

    • 10 years ago
    • 2 notes
    • #openbsd
    • #libressl
    • #ressl
    2 Comments
  • Re-enable ghash assembly on hppa

    Revert r1.5 and reenable assembler version of ghash now that it has been fixed.

    — miod

    • 10 years ago
    • #openbsd
    • #openssl
    • #libressl
    0 Comments
  • Disable more ghash hppa assembler

    Doh, rev 1.4 had left out one routine with both 32-bit and 64-bit code, where the 64-bit code has to be disabled under OpenBSD/hppa.

    — miod

    • 10 years ago
    • #openbsd
    • #openssl
    • #libressl
    0 Comments
© 2014–2025 William Orr
Next page
    • Page 1 / 49