#
4a532de9 |
| 26-Jul-2022 |
Matt Caswell |
Add a CHANGES.md entry for the record layer changes Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl
Add a CHANGES.md entry for the record layer changes Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
show more ...
|
#
ce602bb0 |
| 16-Jun-2022 |
Matt Caswell |
Add some documentation for the BIO_s_mem() datagram capability Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.
Add some documentation for the BIO_s_mem() datagram capability Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18596)
show more ...
|
#
cbb1cda6 |
| 20-Jul-2022 |
Dr. David von Oheimb |
CHANGES.md: Add entries for contributions to 3.1 by DDvO Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@open
CHANGES.md: Add entries for contributions to 3.1 by DDvO Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18833)
show more ...
|
#
ddb13b28 |
| 06-Jun-2022 |
Tomas Mraz |
Use as small dh key size as possible to support the security Longer private key sizes unnecessarily raise the cycles needed to compute the shared secret without any increase of the real
Use as small dh key size as possible to support the security Longer private key sizes unnecessarily raise the cycles needed to compute the shared secret without any increase of the real security. We use minimum key sizes as defined in RFC7919. For arbitrary parameters we cannot know whether they are safe primes (we could test but that would be too inefficient) we have to keep generating large keys. However we now set a small dh->length when we are generating safe prime parameters because we know it is safe to use small keys with them. That means users need to regenerate the parameters if they want to take the performance advantage of small private key. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
show more ...
|
#
e393064e |
| 14-Jun-2022 |
Kan |
Update the default macsaltlen and Add the configure for macsaltlen Fixed #18489 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by
Update the default macsaltlen and Add the configure for macsaltlen Fixed #18489 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18550)
show more ...
|
#
5317b6ee |
| 22-Mar-2022 |
Hugo Landau |
Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/op
Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17937)
show more ...
|
#
de85a9de |
| 20-Jun-2022 |
Matt Caswell |
Update CHANGES.md and NEWS.md for new release Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Release: yes
|
#
8a66b2f9 |
| 24-May-2022 |
Pauli |
changes: add note saying the locale based strcasecmp has been replaced Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from ht
changes: add note saying the locale based strcasecmp has been replaced Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/18389)
show more ...
|
#
a425c0fe |
| 04-Apr-2022 |
Kijin Kim |
Add more SRTP protection profiles Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18030)
|
#
8b97bfcc |
| 12-May-2022 |
Dmitry Belyavskiy |
Missing changes entry about OPENSSL_str[n]casecmp Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/opens
Missing changes entry about OPENSSL_str[n]casecmp Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18302)
show more ...
|
#
cac25075 |
| 03-May-2022 |
Tomas Mraz |
CHANGES.md: Attribute the OPENSSL_LH_flush() fix properly Reviewed-by: Matt Caswell <matt@openssl.org> Release: yes
|
#
73e044bd |
| 26-Apr-2022 |
Matt Caswell |
Update CHANGES and NEWS for new release Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
7c78932b |
| 10-Oct-2021 |
Daiki Ueno |
KTLS: Enable KTLS for receiving as well in TLS 1.3 This removes a guard condition that prevents KTLS being enabled for receiving in TLS 1.3. Use the correct sequence number and BIO for
KTLS: Enable KTLS for receiving as well in TLS 1.3 This removes a guard condition that prevents KTLS being enabled for receiving in TLS 1.3. Use the correct sequence number and BIO for receive vs transmit offload. Co-authored-by: John Baldwin <jhb@FreeBSD.org> Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17942)
show more ...
|
#
77d7b6ee |
| 22-Mar-2022 |
Hugo Landau |
Remove statistics tracking from LHASH Fixes #17928. Supercedes #17931. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Toma
Remove statistics tracking from LHASH Fixes #17928. Supercedes #17931. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17935)
show more ...
|
#
a40398a1 |
| 14-Mar-2022 |
Matt Caswell |
Update CHANGES/NEWS for new release Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
|
#
dfb39f73 |
| 07-Mar-2022 |
Tomas Mraz |
Replace handling of negative verification result with SSL_set_retry_verify() Provide a different mechanism to indicate that the application wants to retry the verification. The negative
Replace handling of negative verification result with SSL_set_retry_verify() Provide a different mechanism to indicate that the application wants to retry the verification. The negative result of the callback function now indicates an error again. Instead the SSL_set_retry_verify() can be called from the callback to indicate that the handshake should be suspended. Fixes #17568 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17825)
show more ...
|
#
a3e53d56 |
| 08-Sep-2021 |
Todd Short |
Add TFO support to socket BIO and s_client/s_server Supports Linux, MacOS and FreeBSD Disabled by default, enabled via `enabled-tfo` Some tests Reviewed-by: Matt Caswell <ma
Add TFO support to socket BIO and s_client/s_server Supports Linux, MacOS and FreeBSD Disabled by default, enabled via `enabled-tfo` Some tests Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8692)
show more ...
|
#
b139a956 |
| 22-Feb-2022 |
Nicola Tuveri |
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@opens
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)
show more ...
|
#
522a32ef |
| 16-Feb-2022 |
Oleg Pekar |
Add changes logs caption for the next release 1.1.1n Co-authored-by: Matthias St. Pierre <matthias.st.pierre@ncp-e.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Revie
Add changes logs caption for the next release 1.1.1n Co-authored-by: Matthias St. Pierre <matthias.st.pierre@ncp-e.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/17714)
show more ...
|
#
e0d00d79 |
| 16-Feb-2022 |
Oleg Pekar |
Fixed the date of changes of 1.1.1m Fixed the date in the heading of "Changes between 1.1.1l and 1.1.1m" to 14 Dec 2021 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Revie
Fixed the date of changes of 1.1.1m Fixed the date in the heading of "Changes between 1.1.1l and 1.1.1m" to 14 Dec 2021 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/17714)
show more ...
|
#
63b996e7 |
| 09-Jun-2021 |
Andrey Matyukov |
AES-GCM enabled with AVX512 vAES and vPCLMULQDQ. Vectorized 'stitched' encrypt + ghash implementation of AES-GCM enabled with AVX512 vAES and vPCLMULQDQ instructions (available starting
AES-GCM enabled with AVX512 vAES and vPCLMULQDQ. Vectorized 'stitched' encrypt + ghash implementation of AES-GCM enabled with AVX512 vAES and vPCLMULQDQ instructions (available starting Intel's IceLake micro-architecture). The performance details for representative IceLake Server and Client platforms are shown below Performance data: OpenSSL Speed KBs/Sec Intel(R) Xeon(R) Platinum 8380 CPU @ 2.30GHz (1Core/1Thread) Payload in Bytes 16 64 256 1024 8192 16384 AES-128-GCM Baseline 478708.27 1118296.96 2428092.52 3518199.4 4172355.99 4235762.07 Patched 534613.95 2009345.55 3775588.15 5059517.64 8476794.88 8941541.79 Speedup 1.12 1.80 1.55 1.44 2.03 2.11 AES-256-GCM Baseline 399237.27 961699.9 2136377.65 2979889.15 3554823.37 3617757.5 Patched 475948.13 1720128.51 3462407.12 4696832.2 7532013.16 7924953.91 Speedup 1.19 1.79 1.62 1.58 2.12 2.19 Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz (1Core/1Thread) Payload in Bytes 16 64 256 1024 8192 16384 AES-128-GCM Baseline 259128.54 570756.43 1362554.16 1990654.57 2359128.88 2401671.58 Patched 292139.47 1079320.95 2001974.63 2829007.46 4510318.59 4705314.41 Speedup 1.13 1.89 1.47 1.42 1.91 1.96 AES-256-GCM Baseline 236000.34 550506.76 1234638.08 1716734.57 2011255.6 2028099.99 Patched 247256.32 919731.34 1773270.43 2553239.55 3953115.14 4111227.29 Speedup 1.05 1.67 1.44 1.49 1.97 2.03 Reviewed-by: TJ O'Dwyer, Marcel Cornu, Pablo de Lara Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17239)
show more ...
|
#
13a53fbf |
| 25-Oct-2021 |
Phus Lu |
add SSL_get0_iana_groups() & SSL_client_hello_get_extension_order() The function/macro allow user get groups/extensions without memory allcations. So we could calculate the ssl fignerpri
add SSL_get0_iana_groups() & SSL_client_hello_get_extension_order() The function/macro allow user get groups/extensions without memory allcations. So we could calculate the ssl fignerprint(ja3) in low cost. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16910)
show more ...
|
#
e180bf64 |
| 27-Jan-2022 |
Pauli |
aes: make the no-asm constant time code path not the default After OMC and OTC discussions, the 95% performance loss resulting from the constant time code was deemed excessive for someth
aes: make the no-asm constant time code path not the default After OMC and OTC discussions, the 95% performance loss resulting from the constant time code was deemed excessive for something outside of our security policy. The option to use the constant time code exists as it was in OpenSSL 1.1.1. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17600)
show more ...
|
#
1d28ada1 |
| 22-Jan-2022 |
Darshan Sen |
Allow empty passphrase in PEM_write_bio_PKCS8PrivateKey_nid() Signed-off-by: Darshan Sen <raisinten@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-b
Allow empty passphrase in PEM_write_bio_PKCS8PrivateKey_nid() Signed-off-by: Darshan Sen <raisinten@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17507)
show more ...
|
#
59ccb72c |
| 14-Jan-2022 |
Darshan Sen |
Fix invalid malloc failures in PEM_write_bio_PKCS8PrivateKey() When `PEM_write_bio_PKCS8PrivateKey()` was passed an empty passphrase string, `OPENSSL_memdup()` was incorrectly getting us
Fix invalid malloc failures in PEM_write_bio_PKCS8PrivateKey() When `PEM_write_bio_PKCS8PrivateKey()` was passed an empty passphrase string, `OPENSSL_memdup()` was incorrectly getting used for 0 bytes size allocation, which resulted in malloc failures. Fixes: https://github.com/openssl/openssl/issues/17506 Signed-off-by: Darshan Sen <raisinten@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17507)
show more ...
|