#
7f2f0ac7 |
| 20-May-2022 |
Matt Caswell |
Make the record layer directly aware of EtM We no longer have to go through the SSL object to discover whether EtM has been negotiated. Reviewed-by: Hugo Landau <hlandau@openssl
Make the record layer directly aware of EtM We no longer have to go through the SSL object to discover whether EtM has been negotiated. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
show more ...
|
#
cc110a0a |
| 10-May-2022 |
Matt Caswell |
Implement KTLS in the new read record layer code Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/op
Implement KTLS in the new read record layer code Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
show more ...
|
#
4030869d |
| 12-Apr-2022 |
Matt Caswell |
Convert ssl3_get_record to tls_read_record We move the old ssl3_get_record function to conform with the new record layer design. Reviewed-by: Hugo Landau <hlandau@openssl.org>
Convert ssl3_get_record to tls_read_record We move the old ssl3_get_record function to conform with the new record layer design. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
show more ...
|
#
e2d5742b |
| 07-Apr-2022 |
Matt Caswell |
Transfer the functionality from ssl3_read_n to the new record layer This transfers the low level function ssl3_read_n to the new record layer. We temporarily make the read_n function a t
Transfer the functionality from ssl3_read_n to the new record layer This transfers the low level function ssl3_read_n to the new record layer. We temporarily make the read_n function a top level record layer function. Eventually, in later commits in this refactor, we will remove it as a top level function and it will just be called from read_record. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18132)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14 |
|
#
f84ab284 |
| 30-Mar-2021 |
Benjamin Kaduk |
make update Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14749)
|
#
08a337fa |
| 04-May-2021 |
Rich Salz |
Remove all trace of FIPS_mode functions Removed error codes, and the mention of the functions. This removal is already documented in the CHANGES doc. Reviewed-by: Shane Lontis <
Remove all trace of FIPS_mode functions Removed error codes, and the mention of the functions. This removal is already documented in the CHANGES doc. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15140)
show more ...
|
#
c0f4400c |
| 30-Apr-2021 |
Dmitry Belyavskiy |
Use OCSP-specific error code for clarity Fixes #12735 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://gi
Use OCSP-specific error code for clarity Fixes #12735 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/xxxxx)
show more ...
|
Revision tags: OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
462f4f4b |
| 15-Jan-2021 |
Matt Caswell |
Remove OPENSSL_NO_EC guards from libssl Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
|
#
8b1db5d3 |
| 13-Jan-2021 |
Matt Caswell |
Make supported_groups code independent of EC and DH The supported groups code was checking the OPENSSL_NO_EC and OPENSSL_NO_DH guards in order to work, and the list of default groups was
Make supported_groups code independent of EC and DH The supported groups code was checking the OPENSSL_NO_EC and OPENSSL_NO_DH guards in order to work, and the list of default groups was based on those guards. However we now need it to work even in a no-ec and no-dh build, because new groups might be added from providers. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
Revision tags: openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9 |
|
#
e337b824 |
| 12-Nov-2020 |
Richard Levitte |
ERR: Rebuild all generated error headers and source files This is the result of 'make errors ERROR_REBUILD=-rebuild' Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from htt
ERR: Rebuild all generated error headers and source files This is the result of 'make errors ERROR_REBUILD=-rebuild' Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13392)
show more ...
|
#
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
|
#
5a2d0ef3 |
| 20-Nov-2020 |
Richard Levitte |
Clean away extraneous library specific FETCH_FAILED reason codes Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13467)
|
#
14a6c6a4 |
| 12-Nov-2020 |
Richard Levitte |
ERR: Rebuild all generated error headers and source files This is the result of 'make errors ERROR_REBUILD=-rebuild' Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from ht
ERR: Rebuild all generated error headers and source files This is the result of 'make errors ERROR_REBUILD=-rebuild' Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13390)
show more ...
|
Revision tags: openssl-3.0.0-alpha8, openssl-3.0.0-alpha7 |
|
#
8b17fbaf |
| 28-Sep-2020 |
Nicola Tuveri |
[ssl] Support ssl_encapsulate on server side Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13018)
|
#
a011b586 |
| 28-Sep-2020 |
Nicola Tuveri |
[ssl] Support ssl_decapsulate on client side Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13018)
|
Revision tags: OpenSSL_1_1_1h |
|
#
7cd1420b |
| 27-Aug-2020 |
Matt Caswell |
Improve some error messages if a digest is not available If a digest is not available we just get an "internal error" error message - which isn't very helpful for diagnosing problems. In
Improve some error messages if a digest is not available If a digest is not available we just get an "internal error" error message - which isn't very helpful for diagnosing problems. Instead we explicitly state that we couldn't find a suitable digest. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12733)
show more ...
|
Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3 |
|
#
db9592c1 |
| 22-May-2020 |
Matt Caswell |
Provider a better error message if we fail to copy parameters If EVP_PKEY_copy_parameters() failed in libssl we did not provide a very helpful error message. We provide a better one.
Provider a better error message if we fail to copy parameters If EVP_PKEY_copy_parameters() failed in libssl we did not provide a very helpful error message. We provide a better one. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
show more ...
|
Revision tags: openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f |
|
#
092a5c71 |
| 30-Mar-2020 |
Dmitry Belyavskiy |
Constants for new GOST TLS 1.2 ciphersuites Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11442)
|
#
9bf475fc |
| 13-Apr-2020 |
Dr. Matthias St. Pierre |
mkerr: remove legacy guards from generated error headers In pull request #9333, legacy guards were added to the generated error headers, but the mkerr.pl script was not adjusted accordin
mkerr: remove legacy guards from generated error headers In pull request #9333, legacy guards were added to the generated error headers, but the mkerr.pl script was not adjusted accordingly. So the legacy guards were removed by subsequent `make update` calls. Fixing the mkerr.pl script properly was disproportionately complicated by the fact that adding legacy guards only made sense for files which already existed in version 1.1.1. To keep things simple, it was decided to drop the legacy guards from the generated headers entirely. Fixes #10569 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11541)
show more ...
|
Revision tags: OpenSSL_1_1_1e |
|
#
abd86cec |
| 13-Mar-2020 |
Matt Caswell |
Use a fetched version of SHA256 in tls_process_new_session_ticket() We use the SHA256 digest of the ticket as a "fake" session id. We should ensure that the SHA256 implementation is fetc
Use a fetched version of SHA256 in tls_process_new_session_ticket() We use the SHA256 digest of the ticket as a "fake" session id. We should ensure that the SHA256 implementation is fetched from the appropriate provider. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11356)
show more ...
|
#
2e3ec2e1 |
| 24-Jan-2020 |
Benjamin Kaduk |
Code to thread-safety in ChangeCipherState The server-side ChangeCipherState processing stores the new cipher in the SSL_SESSION object, so that the new state can be used if this ses
Code to thread-safety in ChangeCipherState The server-side ChangeCipherState processing stores the new cipher in the SSL_SESSION object, so that the new state can be used if this session gets resumed. However, writing to the session is only thread-safe for initial handshakes, as at other times the session object may be in a shared cache and in use by another thread at the same time. Reflect this invariant in the code by only writing to s->session->cipher when it is currently NULL (we do not cache sessions with no cipher). The code prior to this change would never actually change the (non-NULL) cipher value in a session object, since our server enforces that (pre-TLS-1.3) resumptions use the exact same cipher as the initial connection, and non-abbreviated renegotiations have produced a new session object before we get to this point. Regardless, include logic to detect such a condition and abort the handshake if it occurs, to avoid any risk of inadvertently using the wrong cipher on a connection. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10943)
show more ...
|
#
d924dbf4 |
| 17-Jan-2020 |
Matt Caswell |
Detect EOF while reading in libssl If we hit an EOF while reading in libssl then we will report an error back to the application (SSL_ERROR_SYSCALL) but errno will be 0. We add an er
Detect EOF while reading in libssl If we hit an EOF while reading in libssl then we will report an error back to the application (SSL_ERROR_SYSCALL) but errno will be 0. We add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. Contains a partial fix for #10880 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/10907)
show more ...
|
Revision tags: OpenSSL_1_0_2u |
|
#
936c2b9e |
| 05-Nov-2019 |
Richard Levitte |
Update source files for deprecation at 3.0 Previous macros suggested that from 3.0, we're only allowed to deprecate things at a major version. However, there's no policy stating thi
Update source files for deprecation at 3.0 Previous macros suggested that from 3.0, we're only allowed to deprecate things at a major version. However, there's no policy stating this, but there is for removal, saying that to remove something, it must have been deprecated for 5 years, and that removal can only happen at a major version. Meanwhile, the semantic versioning rule is that deprecation should trigger a MINOR version update, which is reflected in the macro names as of this change. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10364)
show more ...
|
#
d86167ec |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Add legacy include guards to public header files For every public header file, the old include guard definition needs to be added in addition to the new one include/openssl/file
Add legacy include guards to public header files For every public header file, the old include guard definition needs to be added in addition to the new one include/openssl/file.h: #ifndef OPENSSL_FILE_H # define OPENSSL_FILE_H # pragma once # include <openssl/macros.h> # if !OPENSSL_API_3 # define HEADER_FILE_H # endif ... This is going to ensure that applications which use the old include guards externally, for example like this #ifndef HEADER_FILE_H # include <openssl/file.h> #endif will not fail to compile. In addition to the legacy guard, the public header files also receive a '# pragma once' directive. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|
#
ae4186b0 |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Fix header file include guard names Make the include guards consistent by renaming them systematically according to the naming conventions below For the public header files (in
Fix header file include guard names Make the include guards consistent by renaming them systematically according to the naming conventions below For the public header files (in the 'include/openssl' directory), the guard names try to match the path specified in the include directives, with all letters converted to upper case and '/' and '.' replaced by '_'. For the private header files files, an extra 'OSSL_' is added as prefix. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|