Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
1 年多 前同步成功

通知 10
Star 18
Fork 1
T
Third Party Openssl
切换分支/标签
  1. 19 5月, 2016 3 次提交
  3. 17 5月, 2016 1 次提交
  5. 16 5月, 2016 2 次提交
  7. 14 5月, 2016 1 次提交
  9. 09 5月, 2016 1 次提交
  11. 06 5月, 2016 1 次提交
    • M
      Handle no async jobs in libssl · fc7f190c
      Matt Caswell 提交于 
      If the application has limited the size of the async pool using
ASYNC_init_thread() then we could run out of jobs while trying to start a
libssl io operation. However libssl was failing to handle this and treating
it like a fatal error. It should not be fatal...we just need to retry when
there are jobs available again.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      fc7f190c
  13. 05 5月, 2016 1 次提交
  15. 03 5月, 2016 1 次提交
    • T
      Issue #719: · 5f18bc58
      TJ Saunders 提交于 
      If no serverinfo extension is found in some cases, do not abort the handshake,
but simply omit/skip that extension.

Check for already-registered serverinfo callbacks during serverinfo
registration.

Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the
same serverinfo per certificate, for servers with multiple server certificates.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
      5f18bc58
  17. 02 5月, 2016 1 次提交
  19. 22 4月, 2016 1 次提交
    • V
      Enabled DANE only when at least one TLSA RR was added · 9f6b22b8
      Viktor Dukhovni 提交于 
      It is up to the caller of SSL_dane_tlsa_add() to take appropriate
action when no records are added successfully or adding some records
triggers an internal error (negative return value).

With this change the caller can continue with PKIX if desired when
none of the TLSA records are usable, or take some appropriate action
if DANE is required.

Also fixed the internal ssl_dane_dup() function to properly initialize
the TLSA RR stack in the target SSL handle.  Errors in ssl_dane_dup()
are no longer ignored.
Reviewed-by: NRich Salz <rsalz@openssl.org>
      9f6b22b8
  21. 14 4月, 2016 1 次提交
  23. 13 4月, 2016 2 次提交
  25. 11 4月, 2016 1 次提交
  27. 08 4月, 2016 2 次提交
    • V
      Suppress CT callback as appropriate · 43341433
      Viktor Dukhovni 提交于 
      Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates.  Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
when the chain is fails verification.

Move and consolidate CT callbacks from libcrypto to libssl.  We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.

Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information.  When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: NRob Percival <robpercival@google.com>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      43341433
    • V
      Fix client verify mode to check SSL_VERIFY_PEER · c636c1c4
      Viktor Dukhovni 提交于 
      The original check for != SSL_VERIFY_NONE can give surprising results
when flags SSL_VERIFY_PEER is not set, but other flags are.  Note
that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense
of all other flag bits.
Signed-off-by: NRob Percival <robpercival@google.com>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      c636c1c4
  29. 28 3月, 2016 1 次提交
  31. 23 3月, 2016 1 次提交
  33. 21 3月, 2016 1 次提交
  35. 19 3月, 2016 1 次提交
  37. 13 3月, 2016 1 次提交
  39. 10 3月, 2016 5 次提交
  41. 08 3月, 2016 5 次提交
  43. 04 3月, 2016 1 次提交
  45. 03 3月, 2016 1 次提交
  47. 29 2月, 2016 1 次提交
    • M
      Refactor the async wait fd logic · ff75a257
      Matt Caswell 提交于 
      Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.

Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.

This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      ff75a257
  49. 28 2月, 2016 1 次提交
    • J
      RT4354: Add some cross-refs · e0b5108c
      Jeffrey Walton 提交于 
      Stack Overflow has a number of questions related to mutual authentication,
the client and its certificate. Those visiting the man pages for functions
like SSL_CTX_use_certificate and SSL_CTX_load_verify_locations don't
receive the benefit of a cross reference to SSL_CTX_set_client_CA_list.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      e0b5108c
  51. 27 2月, 2016 1 次提交
  53. 24 2月, 2016 1 次提交