#
462f4f4b |
| 15-Jan-2021 |
Matt Caswell |
Remove OPENSSL_NO_EC guards from libssl Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
|
#
54e3efff |
| 20-Jan-2021 |
Matt Caswell |
Make sure we don't use sigalgs that are not available We may have compiled in sigalg values that we can't support at runtime. Make sure we only use sigalgs that are actually enabled.
Make sure we don't use sigalgs that are not available We may have compiled in sigalg values that we can't support at runtime. Make sure we only use sigalgs that are actually enabled. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
#
306b8e7e |
| 20-Jan-2021 |
Matt Caswell |
Add the nist group names as aliases for the normal TLS group names By recognising the nist group names directly we can avoid having to call EC_curve_nist2nid in libssl, which is not avai
Add the nist group names as aliases for the normal TLS group names By recognising the nist group names directly we can avoid having to call EC_curve_nist2nid in libssl, which is not available in a no-ec build. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
#
8b1db5d3 |
| 13-Jan-2021 |
Matt Caswell |
Make supported_groups code independent of EC and DH The supported groups code was checking the OPENSSL_NO_EC and OPENSSL_NO_DH guards in order to work, and the list of default groups was
Make supported_groups code independent of EC and DH The supported groups code was checking the OPENSSL_NO_EC and OPENSSL_NO_DH guards in order to work, and the list of default groups was based on those guards. However we now need it to work even in a no-ec and no-dh build, because new groups might be added from providers. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
#
ddf8f1ce |
| 13-Jan-2021 |
Matt Caswell |
Ensure default supported groups works even with no-ec and no-dh The default supported groups code was disabled in the event of a build with no-ec and no-dh. However now that providers ca
Ensure default supported groups works even with no-ec and no-dh The default supported groups code was disabled in the event of a build with no-ec and no-dh. However now that providers can add there own groups (which might not fit into either of these categories), this is no longer appropriate. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
#
5b64ce89 |
| 13-Jan-2021 |
Matt Caswell |
Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged
Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged in via providers it is no longer needed to disable DH at compile time in libssl. Instead it should detect at runtime whether DH is available from the loaded providers. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
#
08cea586 |
| 01-Feb-2021 |
Matt Caswell |
Remove some TODO(OpenSSL1.2) references We had a couple of stray references to OpenSSL1.2 in libssl. We just reword the comments to remove those references without changing any behav
Remove some TODO(OpenSSL1.2) references We had a couple of stray references to OpenSSL1.2 in libssl. We just reword the comments to remove those references without changing any behaviour. The first one in t1_lib.c is a technical non-compliance in the TLSv1.3 spec where, under some circumstances, we offer DSA sigalgs even in a ClientHello that eventually negotiates TLSv1.3. We explicitly chose to accept this behaviour in 1.1.1 and we're not planning to change it for 3.0. The second one in s3_lib.c is regarnding the behaviour of SSL_set_tlsext_host_name(). Technically you shouldn't be able to call this from a server - but we allow it and just ignore it rather than raising an error. The TODO suggest we consider raising an error instead. However, with 3.0 we are trying to minimise breaking changes so I suggest not making this change now. Fixes #13161 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/14037)
show more ...
|
#
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
|
#
3d34bedf |
| 18-Jan-2021 |
Matt Caswell |
Add EVP_PKEY functions to get EC conv form and field type libssl at the moment downgrades an EVP_PKEY to an EC_KEY object in order to get the conv form and field type. Instead we provide
Add EVP_PKEY functions to get EC conv form and field type libssl at the moment downgrades an EVP_PKEY to an EC_KEY object in order to get the conv form and field type. Instead we provide EVP_PKEY level functions to do this. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
show more ...
|
#
5b5eea4b |
| 15-Oct-2020 |
Shane Lontis |
Deprecate EC_KEY + Update ec apps to use EVP_PKEY Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@open
Deprecate EC_KEY + Update ec apps to use EVP_PKEY Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
show more ...
|
#
becbacd7 |
| 07-Jan-2021 |
Michael Baentsch |
Adding TLS group name retrieval Function SSL_group_to_name() added, together with documentation and tests. This now permits displaying names of internal and external provider-impleme
Adding TLS group name retrieval Function SSL_group_to_name() added, together with documentation and tests. This now permits displaying names of internal and external provider-implemented groups. Partial fix of #13767 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13785)
show more ...
|
#
d8975dec |
| 18-Nov-2020 |
Richard Levitte |
TLS: Use EVP_PKEY_get_group_name() to get the group name For the moment, we translate the result to a NID, because that's still used in several locations in libssl. Future development s
TLS: Use EVP_PKEY_get_group_name() to get the group name For the moment, we translate the result to a NID, because that's still used in several locations in libssl. Future development should change all the internals to be name based instead. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13436)
show more ...
|
#
a73a1892 |
| 04-Dec-2020 |
Richard Levitte |
EVP: constify the EVP_PKEY_get_*_param() argument |pkey| Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.co
EVP: constify the EVP_PKEY_get_*_param() argument |pkey| Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13436)
show more ...
|
#
cbb85bda |
| 27-Nov-2020 |
Matt Caswell |
Fix builds that specify both no-dh and no-ec Various sections of code assumed that at least one of dh or ec would be available. We also now also need to handle cases where a provider has
Fix builds that specify both no-dh and no-ec Various sections of code assumed that at least one of dh or ec would be available. We also now also need to handle cases where a provider has a key exchange algorithm and TLS-GROUP that we don't know about. Fixes #13536 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13549)
show more ...
|
#
a68eee67 |
| 20-Nov-2020 |
Matt Caswell |
Move some libssl global variables into SSL_CTX disabled_enc_mask et al were global. Now that cipher loading is done individually for each SSL_CTX, based on the libctx configured for that
Move some libssl global variables into SSL_CTX disabled_enc_mask et al were global. Now that cipher loading is done individually for each SSL_CTX, based on the libctx configured for that SSL_CTX this means that some things will be disabled for one SSL_CTX but not for another. The global variables set up the potential for different SSL_CTXs to trample on each other. We move these variables into the SSL_CTX structure. Fixes #12040 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13465)
show more ...
|
#
091f6074 |
| 14-Oct-2020 |
Matt Caswell |
Convert TLS auto DH parameters to use EVP_PKEY Previously a DH object was constructed and then assigned to an EVP_PKEY. Instead we now construct the EVP_PKEY directly instead. R
Convert TLS auto DH parameters to use EVP_PKEY Previously a DH object was constructed and then assigned to an EVP_PKEY. Instead we now construct the EVP_PKEY directly instead. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
show more ...
|
#
c48ffbcc |
| 04-Nov-2020 |
Richard Levitte |
SSL: refactor all SSLfatal() calls Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_
SSL: refactor all SSLfatal() calls Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_add_data() to an SSLfatal_data() call. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)
show more ...
|
#
6849b73c |
| 04-Nov-2020 |
Richard Levitte |
Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://
Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)
show more ...
|
#
90a2576b |
| 13-Oct-2020 |
Shane Lontis |
Rename EVP_MAC_size() to EVP_MAC_CTX_get_mac_size(). Fixes #11320 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13116)
|
#
301fcb28 |
| 14-Oct-2020 |
Matt Caswell |
Concentrate deprecated libssl API usage in one file We create a new file ssl/tls_depr.c to contain functions that need to call deprecated APIs in libssl. This enables us to remove OP
Concentrate deprecated libssl API usage in one file We create a new file ssl/tls_depr.c to contain functions that need to call deprecated APIs in libssl. This enables us to remove OPENSSL_SUPPRESS_DEPRECATED from a number of other libssl files. The deprecated API usage is either related to ENGINEs and is needed to continue to support applications that use such ENGINEs. Or they are needed to support some deprecated public libssl APIs. One other file remains in libssl that still uses deprecated APIs: s3_cbc.c This is needed to support the deprecated SSLv3. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13135)
show more ...
|
#
c1a74f59 |
| 27-Sep-2020 |
Nicola Tuveri |
Define OSSL_CAPABILITY_TLS_GROUP_IS_KEM Note that with this commit the optional parameter is introduced, but libssl still ignores it. Reviewed-by: Matt Caswell <matt@openssl.org
Define OSSL_CAPABILITY_TLS_GROUP_IS_KEM Note that with this commit the optional parameter is introduced, but libssl still ignores it. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13018)
show more ...
|
#
7f80980f |
| 22-Sep-2020 |
Shane Lontis |
Fix ssl_hmac_new() so that it uses the propq Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12944)
|
#
e6623cfb |
| 03-Sep-2020 |
Matt Caswell |
Fix safestack issues in x509.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/1
Fix safestack issues in x509.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|
#
6ac1cd10 |
| 02-Sep-2020 |
Matt Caswell |
Fix safestack issues in ssl.h We fix 3 problems with safestack: - Including an openssl header file without linking against libcrypto can cause compilation failures (even if the app
Fix safestack issues in ssl.h We fix 3 problems with safestack: - Including an openssl header file without linking against libcrypto can cause compilation failures (even if the app does not otherwise need to link against libcrypto). See issue #8102 - Recent changes means that applications in no-deprecated builds will need to include additional macro calls in the source code for all stacks that they need to use - which is an API break. This changes avoids that necessity. - It is not possible to write code using stacks that works in both a no-deprecated and a normal build of OpenSSL. See issue #12707. Fixes #12707 Contains a partial fix for #8102. A similar PR will be needed for hash to fully fix. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|
#
865adf97 |
| 18-Jun-2020 |
Matt Caswell |
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*" The commit claimed to make things more consistent. In fact it makes it less so. Revert back to the pr
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*" The commit claimed to make things more consistent. In fact it makes it less so. Revert back to the previous namig convention. This reverts commit d9c2fd51e2e278bc3f7793a104ff7b4879f6d63a. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12186)
show more ...
|