#
e0c4e43e |
| 01-Aug-2022 |
Hugo Landau |
BIO_sendmmsg/BIO_recvmmsg (API only) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/189
BIO_sendmmsg/BIO_recvmmsg (API only) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18923)
show more ...
|
#
948cf521 |
| 04-Apr-2022 |
Hugo Landau |
Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@op
Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18038)
show more ...
|
#
dfb39f73 |
| 07-Mar-2022 |
Tomas Mraz |
Replace handling of negative verification result with SSL_set_retry_verify() Provide a different mechanism to indicate that the application wants to retry the verification. The negative
Replace handling of negative verification result with SSL_set_retry_verify() Provide a different mechanism to indicate that the application wants to retry the verification. The negative result of the callback function now indicates an error again. Instead the SSL_set_retry_verify() can be called from the callback to indicate that the handshake should be suspended. Fixes #17568 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17825)
show more ...
|
#
a3e53d56 |
| 08-Sep-2021 |
Todd Short |
Add TFO support to socket BIO and s_client/s_server Supports Linux, MacOS and FreeBSD Disabled by default, enabled via `enabled-tfo` Some tests Reviewed-by: Matt Caswell <ma
Add TFO support to socket BIO and s_client/s_server Supports Linux, MacOS and FreeBSD Disabled by default, enabled via `enabled-tfo` Some tests Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8692)
show more ...
|
#
f6f56f47 |
| 24-Feb-2022 |
Arran Cudbard-Bell |
async_posix: Allow custom stack allocation functions to be specified for POSIX contexts Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merg
async_posix: Allow custom stack allocation functions to be specified for POSIX contexts Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17762)
show more ...
|
#
42659159 |
| 22-Feb-2022 |
Matt Caswell |
Undeprecate OPENSSL_VERSION_NUMBER and OpenSSL_version_num() This macro and function were deprecated in the documentation but not in the source. Following an OTC vote the deprec
Undeprecate OPENSSL_VERSION_NUMBER and OpenSSL_version_num() This macro and function were deprecated in the documentation but not in the source. Following an OTC vote the deprecation has been removed from the documentation. See https://github.com/openssl/technical-policies/issues/26 Fixes #17517 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17750)
show more ...
|
#
13a53fbf |
| 25-Oct-2021 |
Phus Lu |
add SSL_get0_iana_groups() & SSL_client_hello_get_extension_order() The function/macro allow user get groups/extensions without memory allcations. So we could calculate the ssl fignerpri
add SSL_get0_iana_groups() & SSL_client_hello_get_extension_order() The function/macro allow user get groups/extensions without memory allcations. So we could calculate the ssl fignerprint(ja3) in low cost. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16910)
show more ...
|
#
6be83cc6 |
| 15-Dec-2021 |
Dr. David von Oheimb |
OSSL_CMP_CTX: rename get/set function for trustedStore This makes the naming more consistent, in a backward-compatible way Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged fr
OSSL_CMP_CTX: rename get/set function for trustedStore This makes the naming more consistent, in a backward-compatible way Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17277)
show more ...
|
#
839ffdd1 |
| 01-Oct-2021 |
Richard Levitte |
EVP: Allow a fallback for operations that work with an EVP_PKEY Functions like EVP_PKEY_sign_init() do an implicit fetch of the operation implementation (EVP_SIGNATURE in this case), the
EVP: Allow a fallback for operations that work with an EVP_PKEY Functions like EVP_PKEY_sign_init() do an implicit fetch of the operation implementation (EVP_SIGNATURE in this case), then get the KEYMGMT from the same provider, and tries to export the key there if necessary. If an export of the key isn't possible (because the provider that holds the key is an HSM and therefore can't export), we would simply fail without looking any further. This change modifies the behaviour a bit by trying a second fetch of the operation implementation, but specifically from the provider of the EVP_PKEY that's being used. This is done with the same properties that were used with the initial operation implementation fetch, and should therefore be safe, allowing only what those properties allow. Fixes #16614 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16725)
show more ...
|
#
561e5cda |
| 06-Jul-2021 |
Pauli |
err: remove ERR_GET_FUNC() This is problematic in 3.0 because the function codes are all defined as zero. This leads to either every error matching or no error ever matching. Both a
err: remove ERR_GET_FUNC() This is problematic in 3.0 because the function codes are all defined as zero. This leads to either every error matching or no error ever matching. Both are problematic for users. The OTC vote resolved to remove this function completely. Fixes #15946 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16004)
show more ...
|
#
b6298a7f |
| 09-Jun-2021 |
Pauli |
util: convert SHA* one shots back to being functions Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from http
util: convert SHA* one shots back to being functions Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15668)
show more ...
|
#
3d9d1ce5 |
| 01-Jun-2021 |
Matt Caswell |
Add documentation for newly added ASN1 functions Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openss
Add documentation for newly added ASN1 functions Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15591)
show more ...
|
#
31b7f23d |
| 28-May-2021 |
Tomas Mraz |
Add documentation of the old names kept as alias macros Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15405)
|
#
ed576acd |
| 21-May-2021 |
Tomas Mraz |
Rename all getters to use get/get0 in name For functions that exist in 1.1.1 provide a simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_,
Rename all getters to use get/get0 in name For functions that exist in 1.1.1 provide a simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15405)
show more ...
|
Revision tags: openssl-3.0.0-alpha17 |
|
#
d2f82495 |
| 18-May-2021 |
Matt Caswell |
Cleanup the missing*.txt files One macro existed that was added since 1.1.1 and was undocumented. This had been added to missingmacro.txt. This is the wrong approach and so has been
Cleanup the missing*.txt files One macro existed that was added since 1.1.1 and was undocumented. This had been added to missingmacro.txt. This is the wrong approach and so has been removed from there. There were some entries in missingcrypto.txt that don't exist as functions at all. There were also some which were in fact documented. Additionally 2 entries from missingcrypto.txt have been moved to missingmacro.txt. These entries existed in 1.1.1 and were undocumented. In master they have been deprecated and compatibility macros for them implemented. The replacement functions have been documented. An entry in missingcrypto111.txt was not in alphabetical order (and was also) duplicated, but the equivalent entry in missingcrypto.txt was in the correct place. This has been corrected to make comparisons between the files easier. Finally a function has been added to missingcrypto111.txt. This function did exist in 1.1.1 and was undocumented. Its unclear why this wasn't in missingcrypto111.txt to start with. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15333)
show more ...
|
#
f04bb0bc |
| 11-May-2021 |
Rich Salz |
Slightly reformat ssl.h.in Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https:
Slightly reformat ssl.h.in Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15230)
show more ...
|
Revision tags: openssl-3.0.0-alpha16 |
|
#
8f965908 |
| 04-May-2021 |
Dr. David von Oheimb |
HTTP client: Minimal changes that include the improved API This is a minimal version of pull request #15053 including all the proposed improvements to the HTTP client API and its documen
HTTP client: Minimal changes that include the improved API This is a minimal version of pull request #15053 including all the proposed improvements to the HTTP client API and its documentation but only those code adaptations strictly needed for it. The proposed new features include * support for persistent connections (keep-alive), * generalization to arbitrary request and response types, and * support for streaming BIOs for request and response data. The related API changes include: * Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(), OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close(). * Split the timeout functionality accordingly and improve default behavior. * Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15147)
show more ...
|
Revision tags: openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k |
|
#
f9253152 |
| 20-Mar-2021 |
Dr. David von Oheimb |
Add convenience functions and macros for asymmetric key generation Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen(). Also export auxiliary function OSSL_EC_curve_nid
Add convenience functions and macros for asymmetric key generation Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen(). Also export auxiliary function OSSL_EC_curve_nid2name() and improve deprecation info on RSA and EC key generation/management functions. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14695)
show more ...
|
#
4d49b685 |
| 29-Mar-2021 |
Dr. David von Oheimb |
Crypto: Add deprecation compatibility declarations for SHA* message digest functions Also add hints to SHA256_Init.pod and CHANGES.md how to replace SHA256() etc. Reviewed-by: Paul
Crypto: Add deprecation compatibility declarations for SHA* message digest functions Also add hints to SHA256_Init.pod and CHANGES.md how to replace SHA256() etc. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14741)
show more ...
|
#
a07b0bfb |
| 04-May-2021 |
Dr. David von Oheimb |
Deprecate X509{,_CRL}_http_nbio() and simplify their definition This is done by making use of OCSP_REQ_CTX_nbio_d2i(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from h
Deprecate X509{,_CRL}_http_nbio() and simplify their definition This is done by making use of OCSP_REQ_CTX_nbio_d2i(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15131)
show more ...
|
#
7031f582 |
| 30-Apr-2021 |
Dr. David von Oheimb |
OCSP: Minor improvements of documentation and header file Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15103)
|
Revision tags: openssl-3.0.0-alpha13, openssl-3.0.0-alpha12 |
|
#
636a9345 |
| 18-Feb-2021 |
Matt Caswell |
Note that the OSSL_CORE_MAKE_FUNC macro is reserved The OSSL_CORE_MAKE_FUNC macro has been added since 1.1.1 and is undocumented. However it is not intended for application use and so we
Note that the OSSL_CORE_MAKE_FUNC macro is reserved The OSSL_CORE_MAKE_FUNC macro has been added since 1.1.1 and is undocumented. However it is not intended for application use and so we document it as "reserved". Fixes #13192 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14232)
show more ...
|
#
18b207c7 |
| 17-Feb-2021 |
Matt Caswell |
Add documentation for the macro OPENSSL_VERSION_PREREQ This macro was added since 1.1.1 but had no associated documentation. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-
Add documentation for the macro OPENSSL_VERSION_PREREQ This macro was added since 1.1.1 but had no associated documentation. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14232)
show more ...
|
Revision tags: OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
0c3eb279 |
| 16-Jan-2021 |
Dr. David von Oheimb |
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for fai
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906)
show more ...
|
#
c9603dfa |
| 18-Jan-2021 |
Dr. David von Oheimb |
OCSP HTTP: Restore API of undocumented and recently deprecated functions Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d(). Fix a bug (wrong HTTP method s
OCSP HTTP: Restore API of undocumented and recently deprecated functions Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d(). Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new(). Minor further fixes in OSSL_HTTP_REQ_CTX.pod Fixes #13873 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898)
show more ...
|