#
d7b5c648 |
| 18-Jun-2021 |
Pauli |
ssl: do not choose auto DH groups that are weaker than the security level Fixes #15808 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
ssl: do not choose auto DH groups that are weaker than the security level Fixes #15808 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15818)
show more ...
|
#
4e4ae840 |
| 24-Feb-2021 |
Shane Lontis |
Fix NULL access in ssl_build_cert_chain() when ctx is NULL. Fixes #14294 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from
Fix NULL access in ssl_build_cert_chain() when ctx is NULL. Fixes #14294 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14295)
show more ...
|
#
5b64ce89 |
| 13-Jan-2021 |
Matt Caswell |
Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged
Remove OPENSSL_NO_DH guards from libssl This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged in via providers it is no longer needed to disable DH at compile time in libssl. Instead it should detect at runtime whether DH is available from the loaded providers. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
#
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
|
Revision tags: openssl-3.0.0-alpha10 |
|
#
bf973d06 |
| 28-Dec-2020 |
Dr. David von Oheimb |
Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_has
Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13762)
show more ...
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8 |
|
#
13c45372 |
| 16-Oct-2020 |
Matt Caswell |
Only disabled what we need to in a no-dh build no-dh disables the low level API for DH. However, since we're now using the high level EVP API in most places we don't need to disable quit
Only disabled what we need to in a no-dh build no-dh disables the low level API for DH. However, since we're now using the high level EVP API in most places we don't need to disable quite so much. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
show more ...
|
#
c48ffbcc |
| 04-Nov-2020 |
Richard Levitte |
SSL: refactor all SSLfatal() calls Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_
SSL: refactor all SSLfatal() calls Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_add_data() to an SSLfatal_data() call. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)
show more ...
|
#
6849b73c |
| 04-Nov-2020 |
Richard Levitte |
Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://
Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)
show more ...
|
Revision tags: openssl-3.0.0-alpha7 |
|
#
b4250010 |
| 15-Oct-2020 |
Dr. Matthias St. Pierre |
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12621)
show more ...
|
#
d8652be0 |
| 24-Sep-2020 |
Matt Caswell |
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged fro
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)
show more ...
|
Revision tags: OpenSSL_1_1_1h |
|
#
e6623cfb |
| 03-Sep-2020 |
Matt Caswell |
Fix safestack issues in x509.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/1
Fix safestack issues in x509.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|
Revision tags: openssl-3.0.0-alpha6 |
|
#
6725682d |
| 24-Jul-2020 |
Shane Lontis |
Add X509 related libctx changes. - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
Add X509 related libctx changes. - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)
show more ...
|
Revision tags: openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2 |
|
#
92dc275f |
| 14-May-2020 |
Richard Levitte |
SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys Fixes #11720 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl
SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys Fixes #11720 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11828)
show more ...
|
#
64e54bf5 |
| 26-Apr-2020 |
Pauli |
coverity 1462581 Dereference after null check Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11651)
|
Revision tags: openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e, OpenSSL_1_0_2u |
|
#
852c2ed2 |
| 19-Dec-2019 |
Rich Salz |
In OpenSSL builds, declare STACK for datatypes ... ... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds
In OpenSSL builds, declare STACK for datatypes ... ... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds and not non-deprecated builds. Deprecate stack-of-block Better documentation Move some ASN1 struct typedefs to types.h Update ParseC to handle this. Most of all, ParseC needed to be more consistent. The handlers are "recursive", in so far that they are called again and again until they terminate, which depends entirely on what the "massager" returns. There's a comment at the beginning of ParseC that explains how that works. {Richard Levtte} Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10669)
show more ...
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
#
a959b4fa |
| 01-Apr-2020 |
Matt Caswell |
Use X509_STORE_CTX_new_with_libctx() in libssl Libssl is OPENSSL_CTX aware so we should use it when creating an X509_STORE_CTX. Reviewed-by: Richard Levitte <levitte@openssl.org
Use X509_STORE_CTX_new_with_libctx() in libssl Libssl is OPENSSL_CTX aware so we should use it when creating an X509_STORE_CTX. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11457)
show more ...
|
#
9f0f53b7 |
| 20-Mar-2020 |
Matt Caswell |
Explicitly cache X509v3 extensions in libssl Caching the X509v3 extensions requires an explicit libctx. We do that where required in libssl. Reviewed-by: Tomas Mraz <tmraz@fedor
Explicitly cache X509v3 extensions in libssl Caching the X509v3 extensions requires an explicit libctx. We do that where required in libssl. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11409)
show more ...
|
#
ee669781 |
| 10-Nov-2019 |
Richard Levitte |
SSL: Document SSL_add_{file,dir,store}_cert_subjects_to_stack() This also removes the incorrect documentation comments by those functions, and fixes a bug in SSL_add_store_cert_subjects_
SSL: Document SSL_add_{file,dir,store}_cert_subjects_to_stack() This also removes the incorrect documentation comments by those functions, and fixes a bug in SSL_add_store_cert_subjects_to_stack(), where the condition for recursive addition was 'depth == 0' when it should be 'depth > 0'. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10402)
show more ...
|
Revision tags: OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d, OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s |
|
#
6dcb100f |
| 06-Mar-2019 |
Richard Levitte |
X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI This is a wrapper around OSSL_STORE. This also adds necessary support functions: - X509_STORE_load_fi
X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI This is a wrapper around OSSL_STORE. This also adds necessary support functions: - X509_STORE_load_file - X509_STORE_load_path - X509_STORE_load_store - SSL_add_store_cert_subjects_to_stack - SSL_CTX_set_default_verify_store - SSL_CTX_load_verify_file - SSL_CTX_load_verify_dir - SSL_CTX_load_verify_store and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations, as they aren't extensible. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8442)
show more ...
|
#
706457b7 |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source direc
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|
#
ff988500 |
| 31-Jul-2019 |
Rich Salz |
Replace FUNCerr with ERR_raise_data Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/p
Replace FUNCerr with ERR_raise_data Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9496)
show more ...
|
#
46160e6f |
| 16-Jul-2019 |
Rich Salz |
Deprecate SYSerr, add new FUNCerr macro Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/o
Deprecate SYSerr, add new FUNCerr macro Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9072)
show more ...
|
#
56c3a135 |
| 11-Jun-2019 |
Rich Salz |
Add ERR_put_func_error, and use it. Change SYSerr to have the function name; remove SYS_F_xxx defines Add a test and documentation. Use get_last_socket_err, which removes some ifdef'
Add ERR_put_func_error, and use it. Change SYSerr to have the function name; remove SYS_F_xxx defines Add a test and documentation. Use get_last_socket_err, which removes some ifdef's in OpenSSL code. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9072)
show more ...
|
#
29948ac8 |
| 13-Jun-2019 |
Benjamin Kaduk |
Move 'shared_sigalgs' from cert_st to ssl_st It was only ever in cert_st because ssl_st was a public structure and could not be modified without breaking the API. However, both stru
Move 'shared_sigalgs' from cert_st to ssl_st It was only ever in cert_st because ssl_st was a public structure and could not be modified without breaking the API. However, both structures are now opaque, and thus we can freely change their layout without breaking applications. In this case, keeping the shared sigalgs in the SSL object prevents complications wherein they would inadvertently get cleared during SSL_set_SSL_CTX() (e.g., as run during a cert_cb). Fixes #9099 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9157)
show more ...
|