1. 02 Feb, 2021 19 commits
  2. 01 Feb, 2021 2 commits
  3. 29 Jan, 2021 1 commit
  4. 28 Jan, 2021 12 commits
  5. 27 Jan, 2021 4 commits
    • M
      Fix running mingw dhparam test under wine · b1eae34b
      Matt Caswell committed
      The dhparam test was failing to properly handle line endings when
      running a mingw configured build under wine.
      
      Fixes #13557
      Reviewed-by: Tomas Mraz <tomas@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/13923)
      b1eae34b
    • D
      fa2a7490
    • R
      Fix OSSL_PARAM_allocate_from_text() for EBCDIC · eeb09f1b
      Richard Levitte committed
      OSSL_PARAM_allocate_from_text() converted text values to UTF-8
      OSSL_PARAMs with a simple strncpy().  However, if the text is EBCDIC,
      that won't become UTF-8.  Therefore, it's made to convert from EBCDIC
      to ASCII on platforms where the native character encoding is the
      former.
      
      One might argue that the conversion should be the responsibility of
      the application.  However, this is a helper function, and the calling
      application can't easily know what sort of OSSL_PARAM the input values
      are going to be used for.
      Reviewed-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Paul Dale <pauli@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/13961)
      eeb09f1b
    • D
      TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY · 0c3eb279
      Dr. David von Oheimb committed
      The client-side cert verification callback function may not only return
      as usual for success or 0 for failure, but also -1,
      typically on failure verifying the server certificate.
      This makes the handshake suspend and return control to the calling application
      with SSL_ERROR_WANT_RETRY_VERIFY.
      The app can for instance fetch further certificates or cert status information
      needed for the verification.
      Calling SSL_connect() again resumes the connection attempt
      by retrying the server certificate verification step.
      This process may even be repeated if need be.
      
      The core implementation of the feature is in ssl/statem/statem_clnt.c,
      splitting tls_process_server_certificate() into a preparation step
      that just copies the certificates received from the server to s->session->peer_chain
      (rather than having them in a local variable at first) and returns to the state machine,
      and a post-processing step in tls_post_process_server_certificate() that can be repeated:
      Try verifying the current contents of s->session->peer_chain basically as before,
      but give the verification callback function the chance to pause connecting and
      make the TLS state machine later call tls_post_process_server_certificate() again.
      Otherwise processing continues as usual.
      
      The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod
      and SSL_want.pod.
      
      This adds two tests:
      * A generic test in test/helpers/handshake.c
        on the usability of the new server cert verification retry feature.
        It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto-
        generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored).
      * A test in test/sslapitest.c that demonstrates the effectiveness of the approach
        for augmenting the cert chain provided by the server in between SSL_connect() calls.
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/13906)
      0c3eb279
  6. 26 Jan, 2021 2 commits