#
a6a2dd9f |
| 17-Jun-2022 |
Jiasheng Jiang |
apps/s_server.c: Add check for OPENSSL_strdup As the potential failure of the OPENSSL_strdup(), it should be better to check the return value and return error if fails. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18595)
|
#
a6d52f17 |
| 28-Apr-2022 |
Daniel Fiala |
s_serve: Report an error if init-connection fails without an attempt to read. Fixes: openssl#18047. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18154)
|
#
e257d3e7 |
| 02-May-2022 |
JHH20 |
Remove duplicated #include headers CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18220)
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
fba140c7 |
| 12-Apr-2022 |
Dmitry Belyavskiy |
str[n]casecmp => OPENSSL_strncasecmp Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18069)
|
#
a3e53d56 |
| 08-Sep-2021 |
Todd Short |
Add TFO support to socket BIO and s_client/s_server Supports Linux, MacOS and FreeBSD Disabled by default, enabled via `enabled-tfo` Some tests Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8692)
|
#
625b0990 |
| 07-Mar-2022 |
xkernel |
check the return value of BIO_new_file() Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17820)
|
#
fa17f5c9 |
| 05-Jan-2022 |
xkernel |
apps: several return value checks for BIO_new() Also check return value of functions that call BIO_new() internally such as dup_bio_out(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17421)
|
#
aea68b0d |
| 01-Mar-2022 |
Hugo Landau |
s_server: Do not use SSL_sendfile when KTLS is not being used Fix a bug in `openssl s_server -WWW` where it would attempt to invoke `SSL_sendfile` if `-ktls -sendfile` was passed on the command line, even if KTLS has not actually been enabled, for example because it is not supported by the host. Since `SSL_sendfile` is only supported when KTLS is actually being used, this resulted in a failure to serve requests. Fixes #17503. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17788)
|
#
ba0b60c6 |
| 16-Feb-2022 |
Jiasheng Jiang |
apps/s_server: Add missing check for BIO_new As the potential failure of the BIO_new(), it should be better to check the return value and return error if fails in order to avoid the dereference of NULL pointer. And because 'bio_s_msg' is checked before being used every time, which has no need to add the check. But 'bio_s_out' is not. And since the check 'if (bio_s_out == NULL)' is redundant, it can be removed to make the code more succinct. Also the 'sbio' and so forth should be checked like the other places in the same file. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17710)
|
#
0c590558 |
| 09-Feb-2022 |
Jiasheng Jiang |
s_server: Add check for OPENSSL_strdup Since the OPENSSL_strdup() may return NULL if allocation fails, the 'port' could be NULL. And then it will be used in do_server(), which can accept NULL as a valid parameter. That means that the system could run with a wrong parameter. Therefore it should be better to check it, like the other memory allocation. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17673)
|
#
148b592d |
| 17-Jan-2022 |
Hubert Kario |
s_server: correctly handle 2^14 byte long records as the code uses BIO_gets, and it always null terminates the strings it reads, when it reads a record 2^14 byte long, it actually returns 2^14-1 bytes to the calling application, in general it returns size-1 bytes to the caller This makes the code sub-optimal (as every 2^14 record will need two BIO_gets() calls) and makes it impossible to use -rev option to test all plaintext lengths (like in openssl#15706) Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17538)
|
#
79b2a2f2 |
| 18-Dec-2021 |
Dr. David von Oheimb |
add OSSL_STACK_OF_X509_free() for commonly used pattern Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17307)
|
#
2e3b8292 |
| 08-Dec-2021 |
Tianjia Zhang |
apps/s_server: Correct s_server to return the correct file path When s_server responds to a file data with the -WWW parameter, it always gets a path named "GET". In this case, we need to skip the "GET /" character to get the correct file path. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17231)
|
#
d9f07357 |
| 27-Aug-2021 |
Dr. David von Oheimb |
APPS: Improve diagnostics on missing/extra args and unknown cipher/digest Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16450)
|
#
40649e36 |
| 14-Nov-2021 |
Peiwei Hu |
SSL_export_keying_material: fix return check Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17028)
|
#
2ff286c2 |
| 21-Jun-2021 |
Dr. David von Oheimb |
Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15847)
|
#
af5e63e1 |
| 28-Oct-2021 |
Felipe Gasper |
Revise s_client and s_server verbiage re secure renegotiation. Since TLS v1.3 eschews renegotiation entirely it’s misleading to have these apps say it’s “not supported” when in fact the TLS version is new enough not to need renegotiation at all. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16937)
|
#
8b09a9c7 |
| 14-Oct-2021 |
Matt Caswell |
Fix the s_server psk_server_cb for use in DTLS Commit 0007ff257c added a protocol version check to psk_server_cb but failed to take account of DTLS causing DTLS based psk connections to fail. Fixes #16707 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/16838)
|
#
e2ef7f12 |
| 15-Sep-2021 |
Tianjia Zhang |
apps/s_server: Add ktls option From openssl-3.0.0-alpha15, KTLS is turned off by default, even if KTLS feature in compilation, which makes it difficult to use KTLS through s_server/s_client, so a parameter option 'ktls' is added to enable KTLS through cmdline. At the same time, SSL_sendfile() depends on KTLS feature to work properly, make parameters sendfile depend on parameters ktls. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16609)
|
#
0007ff25 |
| 06-Jul-2021 |
Matt Caswell |
Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16008)
|
#
1f3f8a3d |
| 25-Jun-2021 |
Pauli |
apps: address potential memory leaks Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15910)
|
#
04fb4ec8 |
| 14-Jun-2021 |
Hubert Kario |
s_server: make -rev option easier to find (mention echo) Since the service is echo-like (see TCP port 7 from RFC 862 or gnutls-serv --echo), make it easier to find by mentioning "echo" in the description of it in the help message and man page Also fixes the man page inconsistency ("sends it back to the server") Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/15739)
|
#
5bbe2134 |
| 13-Jun-2021 |
Rich Salz |
Remove "-immedate_renegotiation" option Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15415)
|
#
ef044913 |
| 09-Jun-2021 |
Shane Lontis |
Fix s_server app to not report an error when using a non DH certificate. Fixes #15071 It always tries loading the cert as DH which previously did not produce an error. The errors are not suppressed for these operations. The output now matches previous versions of OpenSSL. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15670)
|