#
3ef1b742 |
| 13-Sep-2024 |
Зишан Мирза |
Check file name for not being NULL before opening it Fixes #24416 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from h
Check file name for not being NULL before opening it Fixes #24416 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25458)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13 |
|
#
2bb83824 |
| 20-Feb-2021 |
FdaSilvaYY |
ssl: rework "e_os.h" inclusions - Remove e_os.h include from "ssl_local.h" - Added e_os.h into the files that need it now. - Move e_os.h to be the very first include Review
ssl: rework "e_os.h" inclusions - Remove e_os.h include from "ssl_local.h" - Added e_os.h into the files that need it now. - Move e_os.h to be the very first include Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14344)
show more ...
|
#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
5cec58bd |
| 31-Jul-2024 |
Clemens Lang |
Speed up SSL_add_{file,dir}_cert_subjects_to_stack The X509_NAME comparison function converts its arguments to DER using i2d_X509_NAME before comparing the results using memcmp(). For ev
Speed up SSL_add_{file,dir}_cert_subjects_to_stack The X509_NAME comparison function converts its arguments to DER using i2d_X509_NAME before comparing the results using memcmp(). For every invocation of the comparison function (of which there are many when loading many certificates), it allocates two buffers of the appropriate size for the DER encoding. Switching to static buffers (possibly of X509_NAME_MAX size as defined in crypto/x509/x_name.c) would not work with multithreaded use, e.g., when two threads sort two separate STACK_OF(X509_NAME)s at the same time. A suitable re-usable buffer could have been added to the STACK_OF(X509_NAME) if sk_X509_NAME_compfunc did have a void* argument, or a pointer to the STACK_OF(X509_NAME) – but it does not. Instead, copy the solution chosen in SSL_load_client_CA_file() by filling an LHASH_OF(X509_NAME) with all existing names in the stack and using that to deduplicate, rather than relying on sk_X509_NAME_find(), which ends up being very slow. Adjust SSL_add_dir_cert_subjects_to_stack() to keep a local LHASH_OF(X509_NAME)s over the complete directory it is processing. In a small benchmark that calls SSL_add_dir_cert_subjects_to_stack() twice, once on a directory with one entry, and once with a directory with 1000 certificates, and repeats this in a loop 10 times, this change yields a speed-up of 5.32: | Benchmark 1: ./bench 10 dir-1 dir-1000 | Time (mean ± σ): 6.685 s ± 0.017 s [User: 6.402 s, System: 0.231 s] | Range (min … max): 6.658 s … 6.711 s 10 runs | | Benchmark 2: LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 | Time (mean ± σ): 1.256 s ± 0.013 s [User: 1.034 s, System: 0.212 s] | Range (min … max): 1.244 s … 1.286 s 10 runs | | Summary | LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 ran | 5.32 ± 0.06 times faster than ./bench 10 dir-1 dir-1000 In the worst case scenario where many entries are added to a stack that is then repeatedly used to add more certificates, and with a larger test size, the speedup is still very significant. With 15000 certificates, a single pass to load them, followed by attempting to load a subset of 1000 of these 15000 certificates, followed by a single certificate, the new approach is ~85 times faster: | Benchmark 1: ./bench 1 dir-15000 dir-1000 dir-1 | Time (mean ± σ): 176.295 s ± 4.147 s [User: 174.593 s, System: 0.448 s] | Range (min … max): 173.774 s … 185.594 s 10 runs | | Benchmark 2: LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 | Time (mean ± σ): 2.087 s ± 0.034 s [User: 1.679 s, System: 0.393 s] | Range (min … max): 2.057 s … 2.167 s 10 runs | | Summary | LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 ran | 84.48 ± 2.42 times faster than ./bench 1 dir-15000 dir-1000 dir-1 Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25056)
show more ...
|
#
1cf2f823 |
| 13-Sep-2023 |
Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> |
Remove trailing whitespace Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb
Remove trailing whitespace Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22097)
show more ...
|
#
5fb44336 |
| 27-Nov-2023 |
Hugo Landau |
Make ssl_cert_info read-only Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (M
Make ssl_cert_info read-only Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/22828)
show more ...
|
#
43a07d6d |
| 21-Jun-2023 |
Pauli |
tls: update to structure based atomics Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2
tls: update to structure based atomics Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21260)
show more ...
|
#
3155b5a9 |
| 20-Apr-2023 |
Tomas Mraz |
Fix regression of no-posix-io builds Instead of using stat() to check if a file is a directory we just skip . and .. as a workaround. Reviewed-by: Hugo Landau <hlandau@openssl.o
Fix regression of no-posix-io builds Instead of using stat() to check if a file is a directory we just skip . and .. as a workaround. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/20786)
show more ...
|
Revision tags: openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
3c95ef22 |
| 27-Jan-2021 |
Todd Short |
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit t
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
show more ...
|
#
b36e677f |
| 14-Mar-2023 |
Pauli |
Coverity 1521490: resource leak Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/2
Coverity 1521490: resource leak Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20504)
show more ...
|
#
ee58915c |
| 26-Sep-2022 |
Michael Baentsch <57787676+baentsch@users.noreply.github.com> |
first cut at sigalg loading Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19312)
|
#
1dc35d44 |
| 21-Feb-2023 |
olszomal |
Skip subdirectories in SSL_add_dir_cert_subjects_to_stack() Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.
Skip subdirectories in SSL_add_dir_cert_subjects_to_stack() Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20312)
show more ...
|
#
b67cb09f |
| 09-Aug-2021 |
Todd Short |
Add support for compressed certificates (RFC8879) * Compressed Certificate extension (server/client) * Server certificates (send/receive) * Client certificate (send/receive)
Add support for compressed certificates (RFC8879) * Compressed Certificate extension (server/client) * Server certificates (send/receive) * Client certificate (send/receive) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18186)
show more ...
|
#
e077455e |
| 29-Sep-2022 |
Richard Levitte |
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from,
Stop raising ERR_R_MALLOC_FAILURE in most places Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
show more ...
|
#
38b051a1 |
| 20-Jun-2022 |
Tomas Mraz |
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented a QUIC stream. It requires adding if after every SSL_CONNECTION_FROM_SSL() call which itself has to be added to almost every public SSL_ API call. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18612)
show more ...
|
#
7bf2e4d7 |
| 04-May-2022 |
Pauli |
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above This is in line with the NEWS entry (erroneously) announcing such for 3.0. Fixes #18194 Reviewed-by:
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above This is in line with the NEWS entry (erroneously) announcing such for 3.0. Fixes #18194 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18236)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
948cf521 |
| 04-Apr-2022 |
Hugo Landau |
Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@op
Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18038)
show more ...
|
#
b139a956 |
| 22-Feb-2022 |
Nicola Tuveri |
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@opens
[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)
show more ...
|
#
66914fc0 |
| 22-Feb-2022 |
Nicola Tuveri |
[ssl] Prefer SSL_k(EC)?DHE to the SSL_kE(EC)?DH alias `SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This co
[ssl] Prefer SSL_k(EC)?DHE to the SSL_kE(EC)?DH alias `SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)
show more ...
|
#
79b2a2f2 |
| 18-Dec-2021 |
Dr. David von Oheimb |
add OSSL_STACK_OF_X509_free() for commonly used pattern Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17307)
|
#
c1c1bb7c |
| 03-Dec-2021 |
Matt Caswell |
Fix invalid handling of verify errors in libssl In the event that X509_verify() returned an internal error result then libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. Th
Fix invalid handling of verify errors in libssl In the event that X509_verify() returned an internal error result then libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY. That return code is supposed to only ever be returned if an application is using an app verify callback to complete replace the use of X509_verify(). Applications may not be written to expect that return code and could therefore crash (or misbehave in some other way) as a result. CVE-2021-4044 Reviewed-by: Tomas Mraz <tomas@openssl.org>
show more ...
|
#
e3f03624 |
| 14-Nov-2021 |
Peiwei Hu |
BIO_read_filename: fix return check Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged fr
BIO_read_filename: fix return check Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17033)
show more ...
|
#
c3b5fa4a |
| 22-Sep-2021 |
slontis |
Change TLS RC4 cipher strength check to be data driven. This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@ope
Change TLS RC4 cipher strength check to be data driven. This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16656)
show more ...
|
#
657489e8 |
| 21-Jun-2021 |
Hubert Kario |
cross-reference the DH and RSA SECLEVEL to level of security mappings Since the DH check is used only in DHE-PSK ciphersuites, it's easy to miss it when updating the RSA mapping. Add cro
cross-reference the DH and RSA SECLEVEL to level of security mappings Since the DH check is used only in DHE-PSK ciphersuites, it's easy to miss it when updating the RSA mapping. Add cross-references so that they remain consistent. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15853)
show more ...
|