- 17 5月, 2017 1 次提交
-
-
由 Matt Caswell 提交于
An alert message is 2 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such alerts across multiple records (some of which could be empty). In practice it make no sense to send an empty alert record, or to fragment one. TLSv1.3 prohibts this altogether and other libraries (BoringSSL, NSS) do not support this at all. Supporting it adds significant complexity to the record layer, and its removal is unlikely to cause inter-operability issues. The DTLS code for this never worked anyway and it is not supported at a protocol level for DTLS. Similarly fragmented DTLS handshake records only work at a protocol level where at least the handshake message header exists within the record. DTLS code existed for trying to handle fragmented handshake records smaller than this size. This code didn't work either so has also been removed. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3476)
-
- 12 5月, 2017 1 次提交
-
-
由 Bernd Edlinger 提交于
- Mostly missing fall thru comments - And uninitialized value used in sslapitest.c Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3440)
-
- 11 5月, 2017 13 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Only applies if we're not doing psk. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
We abort if we read a message like this. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
We should be validating that. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Previously we sent a decode_error alert. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Make sure we are using the correct alert codes as per the spec. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
-
由 Dr. Stephen Henson 提交于
Add "single part" digest sign and verify functions. These sign and verify a message in one function. This simplifies some operations and it will later be used as the API for algorithms which do not support the update/final mechanism (e.g. PureEdDSA). Reviewed-by: NAndy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3409)
-
- 10 5月, 2017 6 次提交
-
-
由 Matt Caswell 提交于
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for a connection as part of an SNI callback. One result of this is that the s->cert structure is replaced. However this structure contains information about any custom extensions that have been loaded. In particular flags are set indicating whether a particular extension has been received in the ClientHello. By replacing the s->cert structure we lose the custom extension flag values, and it appears as if a client has not sent those extensions. SSL_set_SSL_CTX() should copy any flags for custom extensions that appear in both the old and the new cert structure. Fixes #2180 Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3425)
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3430)
-
由 Matt Caswell 提交于
It is invalid if we receive an HRR but no change will result in ClientHello2. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3414)
-
由 Matt Caswell 提交于
If an HRR gets sent without a key_share (e.g. cookie only) then the code fails when it should not. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3414)
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3414)
-
由 Matt Caswell 提交于
It is illegal in a TLSv1.3 ClientHello to send anything other than the NULL compression method. We should send an alert if we find anything else there. Previously we were ignoring this error. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3410)
-
- 08 5月, 2017 4 次提交
-
-
由 Matt Caswell 提交于
When using the -trace option with TLSv1.3 all records appear as "application data". This adds the ability to see the inner content type too. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3408)
-
由 Matt Caswell 提交于
This trace option does not appear in Configure as a separate option and is undocumented. It can be switched on using "-DOPENSSL_SSL_TRACE_CRYPTO", however this does not compile in master or in any 1.1.0 released version. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3408)
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3395)
-
由 Matt Caswell 提交于
The TLSv1.3 spec says that a server SHOULD send supported_groups in the EE message if there is a group that it prefers to the one used in the key_share. Clients MAY act on that. At the moment we don't do anything with it on the client side, but that may change in the future. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3395)
-
- 04 5月, 2017 6 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
-
由 Matt Caswell 提交于
SSL_CTX_use_serverinfo_ex() et al were always processing data as if it was V2 format, even if it was V1. This bug was masked because, although we had a test which loaded V1 serverinfo data from a file, the function SSL_CTX_use_serverinfo_file() transparently converts V1 data to V2 before calling SSL_CTX_use_serverinfo_ex(). Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
-
由 Matt Caswell 提交于
This reverts commit 1608d658. This is the wrong fix for this issue. The next commit provides a better fix. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
-
由 Todd Short 提交于
|version| "could" be used uninitialized here, not really, but the compiler doesn't understand the flow Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3373)
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3371)
-
由 Todd Short 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3374)
-
- 03 5月, 2017 5 次提交
-
-
由 Matt Caswell 提交于
Ensure that serverinfo only gets added for the first Certificate in a list. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
-
由 Matt Caswell 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
-
由 Matt Caswell 提交于
We already did this for ServerHello and EncryptedExtensions. We should be doing it for Certificate and HelloRetryRequest as well. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
-
由 Matt Caswell 提交于
This enables us to know what messages the extensions are relevant for in TLSv1.3. The new file format is not compatible with the previous one so we call it SERVERINFOV2. Reviewed-by: NRich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
-
由 Matt Caswell 提交于
Fixes #2442 Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3367)
-
- 02 5月, 2017 1 次提交
-
-
由 Todd Short 提交于
Add padding callback for application control Standard block_size callback Documentation and tests included Configuration file/s_client/s_srver option Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3130)
-
- 27 4月, 2017 1 次提交
-
-
由 Graham Edgecombe 提交于
This fixes a segfault if a NULL parse_cb is passed to SSL_CTX_add_{client,server}_custom_ext, which was supported in the pre-1.1.1 implementation. This behaviour is consistent with the other custom_ext_*_old_cb_wrap functions, and with the new SSL_CTX_add_custom_ext function. CLA: trivial Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3310)
-
- 26 4月, 2017 2 次提交
-
-
由 Tatsuhiro Tsujikawa 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3244)
-
由 Tatsuhiro Tsujikawa 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3244)
-