- 18 5月, 2021 10 次提交
-
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15245)
-
由 Rich Salz 提交于
Picking up late suggestions to PR #6909 by Philip Prindeville <philipp@redfish-solutions.com>. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15249)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15300)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15300)
-
由 Pauli 提交于
More theoretical than real but easy and cheap to check for. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15300)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15300)
-
由 Pauli 提交于
Theoretically, the IV length can come back negative which would explode. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15300)
-
由 Pauli 提交于
This actually fixes a more subtle problem that wasn't detected which could cause memory leaks. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15300)
-
由 Pauli 提交于
Clean up some of the null checking in the http server code. This also "fixes" the false positive from coverity CID 1484883. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15300)
-
由 Pauli 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15301)
-
- 17 5月, 2021 7 次提交
-
-
由 Matt Caswell 提交于
If the child provider context data gets cleaned up before all usage of providers has finished then a use-after-free can occur. We change the priority of this data so that it gets freed later. Fixes #15284 Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15286)
-
由 Rich Salz 提交于
Add -client_renegotiation flag support. The -client_renegotiation flag is equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app, the config code, and the documentation. Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to always enable it, but there are so many tests so this is the easiest thing to do. Add a test where client tries to renegotiate and it fails as expected. Add a test where server tries to renegotiate and it succeeds. The second test is supported by a new flag, -immediate_renegotiation, which is ignored on the client. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15184)
-
由 Petr Gotthard 提交于
Walking through the `map` modifies the pointer passed to the `unquery` operation. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15295)
-
由 Matt Caswell 提交于
Fixes #12283 Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15282)
-
由 Shane Lontis 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15258)
-
由 Shane Lontis 提交于
Fixes #14518 EVP_PKEY_fromdata() already defines this value so we link to this documentation, 0 is also added as a possible input value. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15260)
-
由 Shane Lontis 提交于
Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15264)
-
- 16 5月, 2021 9 次提交
-
-
由 Richard Levitte 提交于
Fixes #14694 Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15281)
-
由 Richard Levitte 提交于
Fixes #14694 Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15281)
-
由 Pauli 提交于
This script introduces a security vulnerability where the OpenSSL github repository can be modified which opens a window for an attacker. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reported-by: Nikita Stupin
-
由 Benjamin Kaduk 提交于
This is nearly comprehensive, but we cannot exercise the functionality for PSK-only TLS 1.3 resumption, since openssl talking to openssl will always negotiate psk_dhe_ke. Exercise both the TLS 1.3 and 1.2 cases, for initial handshakes and resumptions, and for ECDHE and FFDHE. Since RFC 7919 named groups (for FFDHE) are only supported for TLS 1.3, the TLS 1.2 versions of those scenarios expect to get NID_undef since the key exchange was not performed using a named group. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
-
由 Benjamin Kaduk 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
-
由 Benjamin Kaduk 提交于
We don't implement RFC 7919 named groups for TLS 1.2, so we can only test the ECDHE case for non-TLS-1.3. Interestingly, though the test_key_exchange() routine claimed to be exercising ffdhe2048 with TLS 1.2, the configured ciphers were incompatible with DHE key exchange, so we ended up just using RSA key transport and not doing an ephemeral key exchange at all. Reconfigure the tests to actually exercise ephemeral key exchange for both the EC and FF cases (even though we don't use the named group information for the finite-field case). Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
-
由 Benjamin Kaduk 提交于
Convert this file to the new format, that includes the kex_group integer value. This is needed in order for the round-trip conversion test to return the same value as the initial input. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
-
由 Benjamin Kaduk 提交于
It can be useful to know what group was used for the handshake's key exchange process even on non-TLS 1.3 connections. Allow this API, new in OpenSSL 3.0.0, to be used on other TLS versions as well. Since pre-TLS-1.3 key exchange occurs only on full handshakes, this necessitates adding a field to the SSL_SESSION object to carry the group information across resumptions. The key exchange group in the SSL_SESSION can also be relevant in TLS 1.3 when the resumption handshake uses the "psk_ke" key-exchange mode, so also track whether a fresh key exchange was done for TLS 1.3. Since the new field is optional in the ASN.1 sense, there is no need to increment SSL_SESSION_ASN1_VERSION (which incurs strong incompatibility churn). Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
-
由 Richard Levitte 提交于
i2d_provided() - which is the internal provider data function for i2d_KeyParams(), i2d_PrivateKey(), i2d_PublicKey() - didn't treat the returned length from OSSL_ENCODER_to_data() quite as well as it should have. A simple added flag that records the state of |*pp| before calling OSSL_ENCODER_to_data() fixes the problem. Fixes #14655 Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/15277)
-
- 15 5月, 2021 14 次提交
-
-
由 Matt Caswell 提交于
Loading it earlier causes some of the later testing to pass when it should fail and masked a bug. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15270)
-
由 Matt Caswell 提交于
We were deferring the initial creation of the child providers until the first fetch. This is a carry over from an earlier iteration of the child lib ctx development and is no longer necessary. In fact we need to init the child providers immediately otherwise not all providers quite init correctly. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15270)
-
由 Tomas Mraz 提交于
Fixes #15223 Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15271)
-
由 Pauli 提交于
Fixes #13358 Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15259)
-
由 Matt Caswell 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15269)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Also clean up max_resp_len and add OSSL_HTTP_REQ_CTX_get_resp_len(). Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Also clean up OSSL_HTTP_REQ_CTX_nbio() states and make it more efficient. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Also improve doc of OSSL_parse_url() and OSSL_HTTP_parse_url(). Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Both at API and at CLI level (for the CMP app only, so far) there is a new parameter/option: keep_alive. * 0 means HTTP connections are not kept open after receiving a response, which is the default behavior for HTTP 1.0. * 1 means that persistent connections are requested. * 2 means that persistent connections are required, i.e., in case the server does not grant them an error occurs. For the CMP app the default value is 1, which means preferring to keep the connection open. For all other internal uses of the HTTP client (fetching an OCSP response, a cert, or a CRL) it does not matter because these operations just take one round trip. If the client application requested or required a persistent connection and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX * as long as it wants to send further requests and OSSL_HTTP_is_alive() returns nonzero, else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close(). In case the client application keeps the OSSL_HTTP_REQ_CTX * but the connection then dies for any reason at the server side, it will notice this obtaining an I/O error when trying to send the next request. This requires extending the HTTP header parsing and rearranging the high-level HTTP client API. In particular: * Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(), OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close(). * Split the timeout functionality accordingly and improve default behavior. * Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected(). * Extend struct ossl_http_req_ctx_st accordingly. Use the new feature for the CMP client, which requires extending related transaction management of CMP client and test server. Update the documentation and extend the tests accordingly. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
-