Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
大约 1 年 前同步成功

通知 9
Star 18
Fork 1
T
Third Party Openssl

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
  1. 09 1月, 2018 3 次提交
  3. 04 12月, 2017 1 次提交
  5. 13 11月, 2017 1 次提交
  7. 06 11月, 2017 1 次提交
  9. 21 10月, 2017 1 次提交
    • K
      Various clean-ups · b2555168
      KaoruToda 提交于 
      Add a check for NULL return in t1_lib.c.
    Since return type of ssl_cert_lookup_by_idx is pointer and unify coding
    style, I changed from zero to NULL in ssl_cert.c.

Remove unnecessary space for ++.

Fix incorrect condition
    Expression is always false because 'else if' condition matches previous
    condition.  SInce the next line of 'else if' condition has substituted
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2, the 'else if'
    condition should compare with NID_X9_62_characteristic_two_field.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4562)
      b2555168
  11. 07 10月, 2017 1 次提交
  13. 06 10月, 2017 2 次提交
  15. 26 9月, 2017 8 次提交
  17. 23 9月, 2017 2 次提交
  19. 22 9月, 2017 1 次提交
  21. 20 9月, 2017 2 次提交
  23. 30 8月, 2017 1 次提交
  25. 13 7月, 2017 4 次提交
  27. 29 6月, 2017 1 次提交
  29. 25 6月, 2017 1 次提交
    • B
      Disallow DSA/SHA1/etc. for pure TLS 1.3 ClientHellos · 6ffeb269
      Benjamin Kaduk 提交于 
      In draft-ietf-tls-tls13-20 Appendix B we find that:

   This section describes protocol types and constants.  Values listed
   as _RESERVED were used in previous versions of TLS and are listed
   here for completeness.  TLS 1.3 implementations MUST NOT send them
   but might receive them from older TLS implementations.

Similarly, in section 4.2.3 we see:

   Legacy algorithms  Indicates algorithms which are being deprecated
      because they use algorithms with known weaknesses, specifically
      SHA-1 which is used in this context with either with RSA using
      RSASSA-PKCS1-v1_5 or ECDSA.  These values refer solely to
      signatures which appear in certificates (see Section 4.4.2.2) and
      are not defined for use in signed TLS handshake messages.
      Endpoints SHOULD NOT negotiate these algorithms but are permitted
      to do so solely for backward compatibility.  Clients offering
      these values MUST list them as the lowest priority (listed after
      all other algorithms in SignatureSchemeList).  TLS 1.3 servers
      MUST NOT offer a SHA-1 signed certificate unless no valid
      certificate chain can be produced without it (see
      Section 4.4.2.2).

However, we are currently sending the SHA2-based DSA signature schemes
and many SHA1-based schemes, which is in contradiction with the specification.

Because TLS 1.3 support will appear in OpenSSL 1.1, we are bound by
stability requirements to continue to offer the DSA signature schemes
and the deprecated hash algorithms.  at least until OpenSSL 1.2.
However, for pure TLS 1.3 clients that do not offer lower TLS versions,
we can be compliant.  Do so, and leave a note to revisit the issue when
we are permitted to break with sacred historical tradition.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3326)
      6ffeb269
  31. 21 6月, 2017 7 次提交
  33. 16 6月, 2017 1 次提交
  35. 09 6月, 2017 1 次提交
  37. 22 5月, 2017 1 次提交