#
38b051a1 |
| 20-Jun-2022 |
Tomas Mraz |
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented a QUIC stream. It requires adding if after every SSL_CONNECTION_FROM_SSL() call which itself has to be added to almost every public SSL_ API call. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18612)
show more ...
|
#
7bf2e4d7 |
| 04-May-2022 |
Pauli |
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above This is in line with the NEWS entry (erroneously) announcing such for 3.0. Fixes #18194 Reviewed-by:
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above This is in line with the NEWS entry (erroneously) announcing such for 3.0. Fixes #18194 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18236)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
948cf521 |
| 04-Apr-2022 |
Hugo Landau |
Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@op
Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18038)
show more ...
|
#
b139a956 |
| 22-Feb-2022 |
Nicola Tuveri |
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@opens
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)
show more ...
|
#
66914fc0 |
| 22-Feb-2022 |
Nicola Tuveri |
[ssl] Prefer SSL_k(EC)?DHE to the SSL_kE(EC)?DH alias `SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This co
[ssl] Prefer SSL_k(EC)?DHE to the SSL_kE(EC)?DH alias `SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)
show more ...
|
#
79b2a2f2 |
| 18-Dec-2021 |
Dr. David von Oheimb |
add OSSL_STACK_OF_X509_free() for commonly used pattern Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17307)
|
#
c1c1bb7c |
| 03-Dec-2021 |
Matt Caswell |
Fix invalid handling of verify errors in libssl In the event that X509_verify() returned an internal error result then libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. Th
Fix invalid handling of verify errors in libssl In the event that X509_verify() returned an internal error result then libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY. That return code is supposed to only ever be returned if an application is using an app verify callback to complete replace the use of X509_verify(). Applications may not be written to expect that return code and could therefore crash (or misbehave in some other way) as a result. CVE-2021-4044 Reviewed-by: Tomas Mraz <tomas@openssl.org>
show more ...
|
#
e3f03624 |
| 14-Nov-2021 |
Peiwei Hu |
BIO_read_filename: fix return check Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged fr
BIO_read_filename: fix return check Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17033)
show more ...
|
#
c3b5fa4a |
| 22-Sep-2021 |
slontis |
Change TLS RC4 cipher strength check to be data driven. This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@ope
Change TLS RC4 cipher strength check to be data driven. This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16656)
show more ...
|
#
657489e8 |
| 21-Jun-2021 |
Hubert Kario |
cross-reference the DH and RSA SECLEVEL to level of security mappings Since the DH check is used only in DHE-PSK ciphersuites, it's easy to miss it when updating the RSA mapping. Add cro
cross-reference the DH and RSA SECLEVEL to level of security mappings Since the DH check is used only in DHE-PSK ciphersuites, it's easy to miss it when updating the RSA mapping. Add cross-references so that they remain consistent. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15853)
show more ...
|
#
d7b5c648 |
| 18-Jun-2021 |
Pauli |
ssl: do not choose auto DH groups that are weaker than the security level Fixes #15808 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
ssl: do not choose auto DH groups that are weaker than the security level Fixes #15808 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15818)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13 |
|
#
4e4ae840 |
| 24-Feb-2021 |
Shane Lontis |
Fix NULL access in ssl_build_cert_chain() when ctx is NULL. Fixes #14294 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from
Fix NULL access in ssl_build_cert_chain() when ctx is NULL. Fixes #14294 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14295)
show more ...
|
Revision tags: openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
5b64ce89 |
| 13-Jan-2021 |
Matt Caswell |
Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged
Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged in via providers it is no longer needed to disable DH at compile time in libssl. Instead it should detect at runtime whether DH is available from the loaded providers. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
#
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
|
Revision tags: openssl-3.0.0-alpha10 |
|
#
bf973d06 |
| 28-Dec-2020 |
Dr. David von Oheimb |
Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_has
Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13762)
show more ...
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8 |
|
#
13c45372 |
| 16-Oct-2020 |
Matt Caswell |
Only disabled what we need to in a no-dh build no-dh disables the low level API for DH. However, since we're now using the high level EVP API in most places we don't need to disable quit
Only disabled what we need to in a no-dh build no-dh disables the low level API for DH. However, since we're now using the high level EVP API in most places we don't need to disable quite so much. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
show more ...
|
#
c48ffbcc |
| 04-Nov-2020 |
Richard Levitte |
SSL: refactor all SSLfatal() calls Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_
SSL: refactor all SSLfatal() calls Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_add_data() to an SSLfatal_data() call. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)
show more ...
|
#
6849b73c |
| 04-Nov-2020 |
Richard Levitte |
Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://
Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)
show more ...
|
Revision tags: openssl-3.0.0-alpha7 |
|
#
b4250010 |
| 15-Oct-2020 |
Dr. Matthias St. Pierre |
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12621)
show more ...
|
#
d8652be0 |
| 24-Sep-2020 |
Matt Caswell |
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged fro
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)
show more ...
|
Revision tags: OpenSSL_1_1_1h |
|
#
e6623cfb |
| 03-Sep-2020 |
Matt Caswell |
Fix safestack issues in x509.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/1
Fix safestack issues in x509.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|
Revision tags: openssl-3.0.0-alpha6 |
|
#
6725682d |
| 24-Jul-2020 |
Shane Lontis |
Add X509 related libctx changes. - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
Add X509 related libctx changes. - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)
show more ...
|
Revision tags: openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2 |
|
#
92dc275f |
| 14-May-2020 |
Richard Levitte |
SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys Fixes #11720 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl
SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys Fixes #11720 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11828)
show more ...
|
#
64e54bf5 |
| 26-Apr-2020 |
Pauli |
coverity 1462581 Dereference after null check Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11651)
|