Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
10 个月 前同步成功

通知 8
Star 18
Fork 1
T
Third Party Openssl

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

切换分支/标签
  1. 24 5月, 2016 1 次提交
  3. 20 5月, 2016 1 次提交
    • M
      Simplify SSL BIO buffering logic · 46417569
      Matt Caswell 提交于 
      The write BIO for handshake messages is bufferred so that we only write
out to the network when we have a complete flight. There was some
complexity in the buffering logic so that we switched buffering on and
off at various points through out the handshake. The only real reason to
do this was historically it complicated the state machine when you wanted
to flush because you had to traverse through the "flush" state (in order
to cope with NBIO). Where we knew up front that there was only going to
be one message in the flight we switched off buffering to avoid that.

In the new state machine there is no longer a need for a flush state so
it is simpler just to have buffering on for the whole handshake. This
also gives us the added benefit that we can simply call flush after every
flight even if it only has one message in it. This means that BIO authors
can implement their own buffering strategies and not have to be aware of
the state of the SSL object (previously they would have to switch off
their own buffering during the handshake because they could not rely on
a flush being received when they really needed to write data out). This
last point addresses GitHub Issue #322.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
      46417569
  5. 18 5月, 2016 1 次提交
  7. 17 5月, 2016 2 次提交
  9. 16 5月, 2016 1 次提交
  11. 10 5月, 2016 2 次提交
  13. 13 4月, 2016 3 次提交
  15. 11 4月, 2016 1 次提交
  17. 08 4月, 2016 2 次提交
    • R
      Add SSL_DANE typedef for consistency. · b9aec69a
      Rich Salz 提交于 
      Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
      b9aec69a
    • V
      Suppress CT callback as appropriate · 43341433
      Viktor Dukhovni 提交于 
      Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates.  Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
when the chain is fails verification.

Move and consolidate CT callbacks from libcrypto to libssl.  We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.

Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information.  When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: NRob Percival <robpercival@google.com>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      43341433
  19. 28 3月, 2016 1 次提交
  21. 23 3月, 2016 1 次提交
  23. 21 3月, 2016 1 次提交
  25. 17 3月, 2016 1 次提交
  27. 10 3月, 2016 6 次提交
  29. 09 3月, 2016 1 次提交
  31. 08 3月, 2016 4 次提交
    • T
      GH787: Fix ALPN · 817cd0d5
      Todd Short 提交于 
      * Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions
Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      817cd0d5
    • M
      Add an ability to set the SSL read buffer size · dad78fb1
      Matt Caswell 提交于 
      This capability is required for read pipelining. We will only read in as
many records as will fit in the read buffer (and the network can provide
in one go). The bigger the buffer the more records we can process in
parallel.
Reviewed-by: NTim Hudson <tjh@openssl.org>
      dad78fb1
    • M
      Implement write pipeline support in libssl · d102d9df
      Matt Caswell 提交于 
      Use the new pipeline cipher capability to encrypt multiple records being
written out all in one go. Two new SSL/SSL_CTX parameters can be used to
control how this works: max_pipelines and split_send_fragment.

max_pipelines defines the maximum number of pipelines that can ever be used
in one go for a single connection. It must always be less than or equal to
SSL_MAX_PIPELINES (currently defined to be 32). By default only one
pipeline will be used (i.e. normal non-parallel operation).

split_send_fragment defines how data is split up into pipelines. The number
of pipelines used will be determined by the amount of data provided to the
SSL_write call divided by split_send_fragment. For example if
split_send_fragment is set to 2000 and max_pipelines is 4 then:
SSL_write called with 0-2000 bytes == 1 pipeline used
SSL_write called with 2001-4000 bytes == 2 pipelines used
SSL_write called with 4001-6000 bytes == 3 pipelines used
SSL_write_called with 6001+ bytes == 4 pipelines used

split_send_fragment must always be less than or equal to max_send_fragment.
By default it is set to be equal to max_send_fragment. This will mean that
the same number of records will always be created as would have been
created in the non-parallel case, although the data will be apportioned
differently. In the parallel case data will be spread equally between the
pipelines.
Reviewed-by: NTim Hudson <tjh@openssl.org>
      d102d9df
    • R
      Lowercase name of SSL_validate_ct as it is an internal function · 4d482ee2
      Rob Percival 提交于 
      Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
      4d482ee2
  33. 07 3月, 2016 1 次提交
    • E
      Rework the default cipherlist. · a556f342
      Emilia Kasper 提交于 
       - Always prefer forward-secure handshakes.
 - Consistently order ECDSA above RSA.
 - Next, always prefer AEADs to non-AEADs, irrespective of strength.
 - Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
 - Prefer TLS v1.2 ciphers to legacy ciphers.
 - Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
   list to reduce ClientHello bloat.
Reviewed-by: NRich Salz <rsalz@openssl.org>
      a556f342
  35. 04 3月, 2016 1 次提交
  37. 29 2月, 2016 1 次提交
    • M
      Refactor the async wait fd logic · ff75a257
      Matt Caswell 提交于 
      Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.

Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.

This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      ff75a257
  39. 24 2月, 2016 1 次提交
  41. 23 2月, 2016 1 次提交
  43. 19 2月, 2016 1 次提交
    • R
      Remove outdated DEBUG flags. · d63a5e5e
      Rich Salz 提交于 
      Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
  RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      d63a5e5e
  45. 18 2月, 2016 1 次提交
  47. 14 2月, 2016 2 次提交
  49. 12 2月, 2016 2 次提交