#
94941cad |
| 30-Jun-2020 |
Miłosz Kaniewski |
Free pre_proc_exts in SSL_free() Usually it will be freed in tls_early_post_process_client_hello(). However if a ClientHello callback will be used and will return SSL_CLIENT_HELLO_RE
Free pre_proc_exts in SSL_free() Usually it will be freed in tls_early_post_process_client_hello(). However if a ClientHello callback will be used and will return SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello() may never come to the point where pre_proc_exts is freed. Fixes #12194 CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/12330)
show more ...
|
#
7cccecc0 |
| 16-Jun-2020 |
Matt Caswell |
Don't attempt to duplicate the BIO state in SSL_dup SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs configured for it. This did not work. Firstly the SSL
Don't attempt to duplicate the BIO state in SSL_dup SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs configured for it. This did not work. Firstly the SSL_dup code was passing a BIO ** as the destination argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that parameter. Any attempt to use this will either (1) fail silently, (2) crash or fail in some other strange way. Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make this work. Thirdly, if rbio == wbio in the original SSL object, then an attempt is made to up-ref the BIO in the new SSL object - even though it hasn't been set yet and is NULL. This results in a crash. This appears to have been broken for a very long time with at least some of the problems described above coming from SSLeay. The simplest approach is to just remove this capability from the function. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12180)
show more ...
|
#
f12dd991 |
| 12-Jun-2020 |
Matt Caswell |
Ensure that SSL_dup copies the min/max protocol version With thanks to Rebekah Johnson for reporting this issue. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from h
Ensure that SSL_dup copies the min/max protocol version With thanks to Rebekah Johnson for reporting this issue. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12180)
show more ...
|
#
260009d8 |
| 21-May-2020 |
Matt Caswell |
Update the various SSL group getting and setting functions A number of these functions returned a NID or an array of NIDs for the groups. Now that groups can come from the providers we d
Update the various SSL group getting and setting functions A number of these functions returned a NID or an array of NIDs for the groups. Now that groups can come from the providers we do not necessarily know the NID. Therefore we need to handle this in a clean way. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
show more ...
|
#
9d2d857f |
| 18-May-2020 |
Matt Caswell |
Modify libssl to discover supported groups based on available providers Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported
Modify libssl to discover supported groups based on available providers Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported group list based on the loaded providers. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
show more ...
|
#
a6d36303 |
| 04-May-2020 |
Vadim Fedorenko |
TLSv1.3: additional checks in SSL_set_record_padding_callback Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.c
TLSv1.3: additional checks in SSL_set_record_padding_callback Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11589)
show more ...
|
#
263ff2c9 |
| 01-May-2020 |
Matt Caswell |
Check that Signature Algorithms are available before using them We should confirm that Signature Algorithms are actually available through the loaded providers before we offer or select
Check that Signature Algorithms are available before using them We should confirm that Signature Algorithms are actually available through the loaded providers before we offer or select them. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11834)
show more ...
|
#
c7f837cf |
| 01-Jun-2020 |
Tim Hudson |
undeprecate SSL_CTX_load_verify_locations and X509_STORE_load_locations The underlying functions remain and these are widely used. This undoes the deprecation part of PR8442 Rev
undeprecate SSL_CTX_load_verify_locations and X509_STORE_load_locations The underlying functions remain and these are widely used. This undoes the deprecation part of PR8442 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12001)
show more ...
|
#
5a5530a2 |
| 30-Mar-2020 |
Dmitry Belyavskiy |
New Russian TLS 1.2 implementation Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11442)
|
#
35774d55 |
| 04-May-2020 |
Benjamin Kaduk |
Fix up whitespace nits introduced by PR #11416 Expand a couple literal tabs, and de-indent the body of a function. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged fr
Fix up whitespace nits introduced by PR #11416 Expand a couple literal tabs, and de-indent the body of a function. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11728)
show more ...
|
#
3bfacb5f |
| 16-Mar-2020 |
Benjamin Kaduk |
Add SSL_new_session_ticket() API This API requests that the TLS stack generate a (TLS 1.3) NewSessionTicket message the next time it is safe to do so (i.e., we do not have other data
Add SSL_new_session_ticket() API This API requests that the TLS stack generate a (TLS 1.3) NewSessionTicket message the next time it is safe to do so (i.e., we do not have other data pending write, which could be mid-record). For efficiency, defer actually generating/writing the ticket until there is other data to write, to avoid producing server-to-client traffic when not needed. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11416)
show more ...
|
#
852c2ed2 |
| 19-Dec-2019 |
Rich Salz |
In OpenSSL builds, declare STACK for datatypes ... ... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds
In OpenSSL builds, declare STACK for datatypes ... ... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds and not non-deprecated builds. Deprecate stack-of-block Better documentation Move some ASN1 struct typedefs to types.h Update ParseC to handle this. Most of all, ParseC needed to be more consistent. The handlers are "recursive", in so far that they are called again and again until they terminate, which depends entirely on what the "massager" returns. There's a comment at the beginning of ParseC that explains how that works. {Richard Levtte} Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10669)
show more ...
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
#
1a37ee94 |
| 03-Apr-2020 |
Matt Caswell |
Ensure libssl uses the new library context aware CT code Ensure that when we create a CTLOG_STORE we use the new library context aware function. Also ensure that when we create
Ensure libssl uses the new library context aware CT code Ensure that when we create a CTLOG_STORE we use the new library context aware function. Also ensure that when we create a CT_POLICY_EVAL_CTX we associate it with the library context. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11483)
show more ...
|
#
5fcb97c6 |
| 20-Mar-2020 |
Matt Caswell |
Ignore some fetch failures Some fetch failurs are ok and should be ignored. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
Ignore some fetch failures Some fetch failurs are ok and should be ignored. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11405)
show more ...
|
#
075b1f2f |
| 10-Feb-2020 |
Shane Lontis |
Fix coverity issues CID : 1458169 RESOURCE LEAK ffc_params_generate.c - False positive, but addressed another Leak in adjacent code CID : 1458171 UNCHECKED RET apps/pkeyutl.c CID : 1
Fix coverity issues CID : 1458169 RESOURCE LEAK ffc_params_generate.c - False positive, but addressed another Leak in adjacent code CID : 1458171 UNCHECKED RET apps/pkeyutl.c CID : 1458173 DEAD CODE ffc_params_generate.c CID : 1458174 RESOURCE LEAK ssl_lib.c Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11048)
show more ...
|
#
0618b62c |
| 12-Feb-2020 |
Matt Caswell |
Fix a mem leak in libssl Make sure we free up any ENGINE references after we have finished using them. Fixes #11064 Reviewed-by: Richard Levitte <levitte@openssl.org>
Fix a mem leak in libssl Make sure we free up any ENGINE references after we have finished using them. Fixes #11064 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11070)
show more ...
|
#
709b5e8a |
| 06-Feb-2020 |
Matt Caswell |
Fix no-engine We don't need to check if an engine has a cipher/digest in a no-engine build. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://gith
Fix no-engine We don't need to check if an engine has a cipher/digest in a no-engine build. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11031)
show more ...
|
#
c8f6c28a |
| 16-Jan-2020 |
Matt Caswell |
Explicitly fetch ciphers and digests in libssl We modify libssl to use explicitly fetched ciphers, digests and other algorithms as required based on the configured library context and
Explicitly fetch ciphers and digests in libssl We modify libssl to use explicitly fetched ciphers, digests and other algorithms as required based on the configured library context and property query string for the SSL_CTX that is being used. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
show more ...
|
#
7955c1f1 |
| 25-Sep-2019 |
Matt Caswell |
Fix SSL_get_servername() and SNI behaviour The SNI behaviour for TLSv1.3 and the behaviour of SSL_get_servername() was not quite right, and not entirely consistent with the RFC.
Fix SSL_get_servername() and SNI behaviour The SNI behaviour for TLSv1.3 and the behaviour of SSL_get_servername() was not quite right, and not entirely consistent with the RFC. The TLSv1.3 RFC explicitly says that SNI is negotiated on each handshake and the server is not required to associate it with the session. This was not quite reflected in the code so we fix that. Additionally there were some additional checks around early_data checking that the SNI between the original session and this session were consistent. In fact the RFC does not require any such checks, so they are removed. Finally the behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. We clarify the behaviour in various scenarios and also attempt to make it match historical behaviour as closely as possible. Fixes #8822 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/10018)
show more ...
|
#
8f21260b |
| 15-Jan-2020 |
Matt Caswell |
Make sure we use RAND_bytes_ex and RAND_priv_bytes_ex in libssl Now that libssl knows about libctx we should use it wherever we generate a random number. Reviewed-by: Shane Lont
Make sure we use RAND_bytes_ex and RAND_priv_bytes_ex in libssl Now that libssl knows about libctx we should use it wherever we generate a random number. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10927)
show more ...
|
#
ba18627e |
| 16-Jan-2020 |
Matt Caswell |
Introduce SSL_CTX_new_with_libex() We add the ability to specify an OPENSSL_CTX (which may be NULL for the default context) and a property query string for use during algorithm fetch
Introduce SSL_CTX_new_with_libex() We add the ability to specify an OPENSSL_CTX (which may be NULL for the default context) and a property query string for use during algorithm fetch operations. For example, in this way one SSL_CTX could be used the default provider, and another one could be used with the FIPS provider. At this stage we don't use these values. That will come later. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10866)
show more ...
|
#
00db8c60 |
| 05-Nov-2019 |
Richard Levitte |
Update source files for pre-3.0 deprecation Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10364)
|
#
6dcb100f |
| 06-Mar-2019 |
Richard Levitte |
X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI This is a wrapper around OSSL_STORE. This also adds necessary support functions: - X509_STORE_load_fi
X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI This is a wrapper around OSSL_STORE. This also adds necessary support functions: - X509_STORE_load_file - X509_STORE_load_path - X509_STORE_load_store - SSL_add_store_cert_subjects_to_stack - SSL_CTX_set_default_verify_store - SSL_CTX_load_verify_file - SSL_CTX_load_verify_dir - SSL_CTX_load_verify_store and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations, as they aren't extensible. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8442)
show more ...
|
#
712c0942 |
| 23-Aug-2019 |
John Baldwin |
Simplify NO_KTLS path in SSL_sendfile. Avoid tripping over errno values from previous system calls in the thread and just hardcode the specific error. BIO_get_ktls_send() should nev
Simplify NO_KTLS path in SSL_sendfile. Avoid tripping over errno values from previous system calls in the thread and just hardcode the specific error. BIO_get_ktls_send() should never be true in the NO_KTLS path, so the #ifdef could be moved even higher up to assume that error path in the NO_KTLS case instead. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10045)
show more ...
|