1. 17 May, 2016 1 commit
  2. 16 May, 2016 3 commits
  3. 09 May, 2016 1 commit
  4. 06 May, 2016 1 commit
    • Handle no async jobs in libssl · fc7f190c
      Matt Caswell committed
      If the application has limited the size of the async pool using
      ASYNC_init_thread() then we could run out of jobs while trying to start a
      libssl io operation. However libssl was failing to handle this and treating
      it like a fatal error. It should not be fatal...we just need to retry when
      there are jobs available again.
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  5. 29 April, 2016 2 commits
  6. 28 April, 2016 1 commit
  7. 27 April, 2016 1 commit
  8. 22 April, 2016 1 commit
    • Enabled DANE only when at least one TLSA RR was added · 9f6b22b8
      Viktor Dukhovni committed
      It is up to the caller of SSL_dane_tlsa_add() to take appropriate
      action when no records are added successfully or adding some records
      triggers an internal error (negative return value).
      
      With this change the caller can continue with PKIX if desired when
      none of the TLSA records are usable, or take some appropriate action
      if DANE is required.
      
      Also fixed the internal ssl_dane_dup() function to properly initialize
      the TLSA RR stack in the target SSL handle.  Errors in ssl_dane_dup()
      are no longer ignored.
      Reviewed-by: Rich Salz <rsalz@openssl.org>
  9. 11 April, 2016 1 commit
  10. 08 April, 2016 3 commits
    • Add SSL_DANE typedef for consistency. · b9aec69a
      Rich Salz committed
      Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
    • Clean-up *_DEBUG options. · 463a7b8c
      Andy Polyakov committed
      Since NDEBUG is defined unconditionally on command line for release
      builds, we can omit *_DEBUG options in favour of effective "all-on"
      in debug builds exercised through CI.
      Reviewed-by: Richard Levitte <levitte@openssl.org>
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Suppress CT callback as appropriate · 43341433
      Viktor Dukhovni committed
      Suppress CT callbacks with aNULL or PSK ciphersuites that involve
      no certificates.  Ditto when the certificate chain is validated via
      DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
      when the chain fails verification.
      
      Move and consolidate CT callbacks from libcrypto to libssl.  We
      also simplify the interface to SSL_{,CTX_}_enable_ct() which can
      specify either a permissive mode that just collects information or
      a strict mode that requires at least one valid SCT or else asks to
      abort the connection.
      
      Simplified SCT processing and options in s_client(1) which now has
      just a simple pair of "-noct" vs. "-ct" options, the latter enables
      the permissive callback so that we can complete the handshake and
      report all relevant information.  When printing SCTs, print the
      validation status if set and not valid.
      Signed-off-by: Rob Percival <robpercival@google.com>
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
  11. 06 April, 2016 1 commit
  12. 05 April, 2016 2 commits
  13. 30 March, 2016 1 commit
  14. 21 March, 2016 1 commit
  15. 18 March, 2016 1 commit
  16. 11 March, 2016 1 commit
  17. 10 March, 2016 5 commits
  18. 09 March, 2016 2 commits
  19. 08 March, 2016 9 commits
    • GH787: Fix ALPN · 817cd0d5
      Todd Short committed
      * Perform ALPN after the SNI callback; the SSL_CTX may change due to
        that processing
      * Add flags to indicate that we actually sent ALPN, to properly error
        out if unexpectedly received.
      * clean up ssl3_free() no need to explicitly clear when doing memset
      * document ALPN functions
      Signed-off-by: Rich Salz <rsalz@openssl.org>
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix erroneous fall through in switch statement · 07077415
      Matt Caswell committed
      Fix an erroneous fall through when setting the max_pipelines value.
      Reviewed-by: Tim Hudson <tjh@openssl.org>
    • Add an SSL_has_pending() function · 49580f25
      Matt Caswell committed
      This is similar to SSL_pending() but just returns a 1 if there is data
      pending in the internal OpenSSL buffers or 0 otherwise (as opposed to
      SSL_pending() which returns the number of bytes available). Unlike
      SSL_pending() this will work even if "read_ahead" is set (which is the
      case if you are using read pipelining, or if you are doing DTLS). A 1
      return value means that we have unprocessed data. It does *not* necessarily
      indicate that there will be application data returned from a call to
      SSL_read(). The unprocessed data may not be application data or there
      could be errors when we attempt to parse the records.
      Reviewed-by: Tim Hudson <tjh@openssl.org>
    • Add an ability to set the SSL read buffer size · dad78fb1
      Matt Caswell committed
      This capability is required for read pipelining. We will only read in as
      many records as will fit in the read buffer (and the network can provide
      in one go). The bigger the buffer the more records we can process in
      parallel.
      Reviewed-by: Tim Hudson <tjh@openssl.org>
    • Implement read pipeline support in libssl · 94777c9c
      Matt Caswell committed
      Read pipelining is controlled in a slightly different way than with write
      pipelining. While reading we are constrained by the number of records that
      the peer (and the network) can provide to us in one go. The more records
      we can get in one go the more opportunity we have to parallelise the
      processing.
      
      There are two parameters that affect this:
      * The number of pipelines that we are willing to process in one go. This is
      controlled by max_pipelines (as for write pipelining)
      * The size of our read buffer. A subsequent commit will provide an API for
      adjusting the size of the buffer.
      
      Another requirement for this to work is that "read_ahead" must be set. The
      read_ahead parameter will attempt to read as much data into our read buffer
      as the network can provide. Without this set, data is read into the read
      buffer on demand. Setting the max_pipelines parameter to a value greater
      than 1 will automatically also turn read_ahead on.
      
      Finally, the read pipelining as currently implemented will only parallelise
      the processing of application data records. This would only make a
      difference for renegotiation so is unlikely to have a significant impact.
      Reviewed-by: Tim Hudson <tjh@openssl.org>
    • Implement write pipeline support in libssl · d102d9df
      Matt Caswell committed
      Use the new pipeline cipher capability to encrypt multiple records being
      written out all in one go. Two new SSL/SSL_CTX parameters can be used to
      control how this works: max_pipelines and split_send_fragment.
      
      max_pipelines defines the maximum number of pipelines that can ever be used
      in one go for a single connection. It must always be less than or equal to
      SSL_MAX_PIPELINES (currently defined to be 32). By default only one
      pipeline will be used (i.e. normal non-parallel operation).
      
      split_send_fragment defines how data is split up into pipelines. The number
      of pipelines used will be determined by the amount of data provided to the
      SSL_write call divided by split_send_fragment. For example if
      split_send_fragment is set to 2000 and max_pipelines is 4 then:
      SSL_write called with 0-2000 bytes == 1 pipeline used
      SSL_write called with 2001-4000 bytes == 2 pipelines used
      SSL_write called with 4001-6000 bytes == 3 pipelines used
      SSL_write called with 6001+ bytes == 4 pipelines used
      
      split_send_fragment must always be less than or equal to max_send_fragment.
      By default it is set to be equal to max_send_fragment. This will mean that
      the same number of records will always be created as would have been
      created in the non-parallel case, although the data will be apportioned
      differently. In the parallel case data will be spread equally between the
      pipelines.
      Reviewed-by: Tim Hudson <tjh@openssl.org>
    • Use s->session->peer instead of calling SSL_get_peer_certificate(s) · 3f3c7d26
      Rob Percival committed
      Avoids modifying certificate reference count, and thereby avoids locking.
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
      Reviewed-by: Rich Salz <rsalz@openssl.org>
    • CT code now calls X509_free() after calling SSL_get_peer_certificate() · 1cb437be
      Rob Percival committed
      Without this, the peer certificate would never be deleted, resulting in
      a memory leak.
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
      Reviewed-by: Rich Salz <rsalz@openssl.org>
  20. 04 March, 2016 1 commit
  21. 03 March, 2016 1 commit