- 04 11月, 2021 1 次提交
-
-
由 Bernd Edlinger 提交于
Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16956)
-
- 02 6月, 2021 1 次提交
-
-
由 Pauli 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15539)
-
- 01 6月, 2021 1 次提交
-
-
由 Tomas Mraz 提交于
For functions that exist in 1.1.1 provide a simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed. Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15405)
-
- 16 5月, 2021 1 次提交
-
-
由 Benjamin Kaduk 提交于
It can be useful to know what group was used for the handshake's key exchange process even on non-TLS 1.3 connections. Allow this API, new in OpenSSL 3.0.0, to be used on other TLS versions as well. Since pre-TLS-1.3 key exchange occurs only on full handshakes, this necessitates adding a field to the SSL_SESSION object to carry the group information across resumptions. The key exchange group in the SSL_SESSION can also be relevant in TLS 1.3 when the resumption handshake uses the "psk_ke" key-exchange mode, so also track whether a fresh key exchange was done for TLS 1.3. Since the new field is optional in the ASN.1 sense, there is no need to increment SSL_SESSION_ASN1_VERSION (which incurs strong incompatibility churn). Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
-
- 25 3月, 2021 1 次提交
-
-
由 Matt Caswell 提交于
Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org>
-
- 08 3月, 2021 1 次提交
-
-
由 Matt Caswell 提交于
If we have TLSv1.3 enabled then we must have at least one TLSv1.3 capable group available. This check was not always working Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/14430)
-
- 18 2月, 2021 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
-
- 05 2月, 2021 3 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
-
由 Matt Caswell 提交于
The supported groups code was checking the OPENSSL_NO_EC and OPENSSL_NO_DH guards in order to work, and the list of default groups was based on those guards. However we now need it to work even in a no-ec and no-dh build, because new groups might be added from providers. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
-
由 Matt Caswell 提交于
The default supported groups code was disabled in the event of a build with no-ec and no-dh. However now that providers can add there own groups (which might not fit into either of these categories), this is no longer appropriate. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
-
- 03 12月, 2020 1 次提交
-
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13577)
-
- 11 11月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_add_data() to an SSLfatal_data() call. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)
-
- 20 10月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
We do the same thing for the "get1" version. In reality this has broader use than just TLS (it can also be used in CMS), and "encodedpoint" only makes sense when you are talking about EC based algorithms. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13105)
-
- 14 10月, 2020 1 次提交
-
-
由 Nicola Tuveri 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13018)
-
- 13 9月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
-
由 Matt Caswell 提交于
We fix 3 problems with safestack: - Including an openssl header file without linking against libcrypto can cause compilation failures (even if the app does not otherwise need to link against libcrypto). See issue #8102 - Recent changes means that applications in no-deprecated builds will need to include additional macro calls in the source code for all stacks that they need to use - which is an API break. This changes avoids that necessity. - It is not possible to write code using stacks that works in both a no-deprecated and a normal build of OpenSSL. See issue #12707. Fixes #12707 Contains a partial fix for #8102. A similar PR will be needed for hash to fully fix. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
-
- 19 6月, 2020 3 次提交
-
-
由 Matt Caswell 提交于
The supported_groups extension only supported EC groups in DTLS. Therefore we shouldn't send it in a no-ec build. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
-
由 Matt Caswell 提交于
If EVP_PKEY_copy_parameters() failed in libssl we did not provide a very helpful error message. We provide a better one. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
-
由 Matt Caswell 提交于
Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported group list based on the loaded providers. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
-
- 05 6月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
We were downgrading to legacy keys at various points in libssl in order to get or set an encoded point. Now that the encoded point functions work with provided keys this is no longer necessary. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11898)
-
- 24 4月, 2020 1 次提交
-
-
由 Rich Salz 提交于
... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds and not non-deprecated builds. Deprecate stack-of-block Better documentation Move some ASN1 struct typedefs to types.h Update ParseC to handle this. Most of all, ParseC needed to be more consistent. The handlers are "recursive", in so far that they are called again and again until they terminate, which depends entirely on what the "massager" returns. There's a comment at the beginning of ParseC that explains how that works. {Richard Levtte} Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10669)
-
- 23 4月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
-
- 08 4月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
The transfer of TLS encodedpoint to backends isn't yet fully supported in provider implementations. This is a temporary measure so as not to get stuck in other development. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11358)
-
- 06 2月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
We modify libssl to use explicitly fetched ciphers, digests and other algorithms as required based on the configured library context and property query string for the SSL_CTX that is being used. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
-
- 29 9月, 2019 1 次提交
-
-
由 Dr. Matthias St. Pierre 提交于
Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
-
- 26 7月, 2019 1 次提交
-
-
由 David Benjamin 提交于
tls_parse_stoc_key_share was generating a new EVP_PKEY public/private keypair and then overrides it with the server public key, so the generation was a waste anyway. Instead, it should create a parameters-only EVP_PKEY. (This is a consequence of OpenSSL using the same type for empty key, empty key with key type, empty key with key type + parameters, public key, and private key. As a result, it's easy to mistakenly mix such things up, as happened here.) Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9445)
-
- 18 6月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
The previous 2 commits moved supported groups and ciphers out of the session object to avoid race conditions. We now also move ecpointformats for consistency. There does not seem to be a race condition with access to this data since it is only ever set in a non-resumption handshake. However, there is no reason for it to be in the session. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9162)
-
- 17 6月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
Now that we have TLSv1.3 FFDHE support there is no reason why we should not allow TLSv1.3 to be used in a no-ec build. This commit enables that to happen. It also fixes no-ec which was previously broken. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9156)
-
- 12 6月, 2019 1 次提交
-
-
由 raja-ashok 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8178)
-
- 30 4月, 2019 1 次提交
-
-
由 Todd Short 提交于
With the removal of SSLv2, the s3 structure is always allocated, so there is little point in having it be an allocated pointer. Collapse the ssl3_state_st structure into ssl_st and fixup any references. This should be faster than going through an indirection and due to fewer allocations, but I'm not seeing any significant performance improvement; it seems to be within the margin of error in timing. Reviewed-by: NPaul Yang <yang.yang@baishancloud.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7888)
-
- 05 3月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
Sessions must be immutable once they can be shared with multiple threads. We were breaking that rule by writing the ticket index into it during the handshake. This can lead to incorrect behaviour, including failed connections in multi-threaded environments. Reported by David Benjamin. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8383)
-
- 15 2月, 2019 1 次提交
-
-
由 Todd Short 提交于
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is set, do not indicate that the EMS TLS extension was received in either the ssl3 object or the SSL_SESSION. Retain most of the sanity checks between the previous and current session during session resumption, but weaken the check when the current SSL object is configured to not use EMS. Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3910)
-
- 06 12月, 2018 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7768)
-
- 08 11月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
use_ecc() was always returning 1 because there are default (TLSv1.3) ciphersuites that use ECC - even if those ciphersuites are disabled by other options. Fixes #7471 Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/7479)
-
- 22 8月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
We need to ensure that the min-max version range we use when constructing the ClientHello is the same range we use when we validate the version selected by the ServerHello. Otherwise this may appear as a fallback or downgrade. Fixes #6964 Reviewed-by: NViktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013)
-
- 20 8月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Having post handshake auth automatically switched on breaks some applications written for TLSv1.2. This changes things so that an explicit function call is required for a client to indicate support for post-handshake auth. Fixes #6933. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938)
-
- 15 8月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
-
- 15 5月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Also retains support for drafts 27 and 26 Fixes #6257 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6258)
-
- 27 3月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
The alpn_selected value in the session should be NULL before we first populate it if this is a new session. We assert to make sure it is. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5715)
-
- 21 3月, 2018 1 次提交
-
-
由 Peter Wu 提交于
Fixes regression from #5667. Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5701)
-