Revision tags: OpenSSL_1_0_2r, OpenSSL_1_1_1b |
|
#
555cbb32 |
| 12-Dec-2018 |
Todd Short |
Collapse ssl3_state_st (s3) into ssl_st With the removal of SSLv2, the s3 structure is always allocated, so there is little point in having it be an allocated pointer. Collapse the ssl3_state_st structure into ssl_st and fixup any references. This should be faster than going through an indirection and due to fewer allocations, but I'm not seeing any significant performance improvement; it seems to be within the margin of error in timing. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7888)
|
#
2c18d164 |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in ssl/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7768)
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a |
|
#
98732979 |
| 26-Oct-2018 |
Matt Caswell |
Separate ca_names handling for client and server SSL(_CTX)?_set_client_CA_list() was a server side only function in 1.1.0. If it was called on the client side then it was ignored. In 1.1.1 it now makes sense to have a CA list defined for both client and server (the client now sends it in the TLSv1.3 certificate_authorities extension). Unfortunately some applications were using the same SSL_CTX for both clients and servers and this resulted in some client ClientHellos being excessively large due to the number of certificate authorities being sent. This commit separates out the CA list updated by SSL(_CTX)?_set_client_CA_list() and the more generic SSL(_CTX)?_set0_CA_list(). This means that SSL(_CTX)?_set_client_CA_list() still has no effect on the client side. If both CA lists are set then SSL(_CTX)?_set_client_CA_list() takes priority. Fixes #7411 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7503)
|
#
75b68c9e |
| 12-Oct-2018 |
Tomas Mraz |
Unbreak SECLEVEL 3 regression causing it to not accept any ciphers. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #7391
|
Revision tags: OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i |
|
#
64a48fc7 |
| 13-Aug-2018 |
Richard Levitte |
Rename SSL[_CTX]_add1_CA_list -> SSL[_CTX]_add1_to_CA_list They add a single item, so the names give a false impression of what they do, making them hard to remember. Better to give them a somewhat better name. Fixes #6930 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6931)
|
#
c6ea0883 |
| 14-Aug-2018 |
Tomas Mraz |
Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even though they are not explicitly marked as using DH/ECDH. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6959)
|
#
11d2641f |
| 17-Jul-2018 |
Matt Caswell |
Check that the public key OID matches the sig alg Using the rsa_pss_rsae_sha256 sig alg should imply that the key OID is rsaEncryption. Similarly rsa_pss_pss_sha256 implies the key OID is rsassaPss. However we did not check this and incorrectly tolerated a key OID that did not match the sig alg sent by the peer. Fixes #6611 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6732)
|
Revision tags: OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4 |
|
#
e6e9170d |
| 27-Mar-2018 |
Rich Salz |
Allow NULL for some _free routines. Based on the description in https://github.com/openssl/openssl/pull/5757, this re-implements the "allow NULL to be passed" behavior of a number of xxx_free routines. I also fixed up some egregious formatting errors that were nearby. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5761)
|
Revision tags: OpenSSL_1_0_2o, OpenSSL_1_1_0h |
|
#
320a8127 |
| 26-Mar-2018 |
Matt Caswell |
Remove some code for a contributor that we cannot find This removes some code because we cannot trace the original contributor to get their agreement for the licence change (original commit e03ddfae). After this change there will be numerous failures in the test cases until someone rewrites the missing code. All *_free functions should accept a NULL parameter. After this change the following *_free functions will fail if a NULL parameter is passed: BIO_ACCEPT_free() BIO_CONNECT_free() BN_BLINDING_free() BN_CTX_free() BN_MONT_CTX_free() BN_RECP_CTX_free() BUF_MEM_free() COMP_CTX_free() ERR_STATE_free() TXT_DB_free() X509_STORE_free() ssl3_free() ssl_cert_free() SSL_SESSION_free() SSL_free() [skip ci] Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5757)
|
Revision tags: OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1 |
|
#
3c7d0945 |
| 09-Jan-2018 |
Richard Levitte |
Update copyright years on all files merged since Jan 1st 2018 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5038)
|
#
3e41defe |
| 11-Dec-2017 |
Tomas Mraz |
Avoid only exact duplicates when creating the accepted CA names list This avoids situations where a third party client is unable to recognize that the client certificate was issued by the same CA with name differing only by case or insignificant characters. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4731)
|
#
cbe29648 |
| 07-Dec-2017 |
Rich Salz |
Consistent formatting for sizeof(foo) Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4872)
|
Revision tags: OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g |
|
#
7a908204 |
| 26-Oct-2017 |
Paul Yang |
Simplify the stack reservation Use the newly introduced sk_TYPE_new_reserve API to simplify the reservation of stack as creating it. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4592)
|
#
b2555168 |
| 21-Oct-2017 |
KaoruToda |
Various clean-ups Add a check for NULL return in t1_lib.c. Since return type of ssl_cert_lookup_by_idx is pointer and unify coding style, I changed from zero to NULL in ssl_cert.c. Remove unnecessary space for ++. Fix incorrect condition Expression is always false because 'else if' condition matches previous condition. Since the next line of 'else if' condition has substituted TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2, the 'else if' condition should compare with NID_X9_62_characteristic_two_field. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4562)
|
#
26a7d938 |
| 17-Oct-2017 |
KaoruToda |
Remove parentheses of return. Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4541)
|
#
32f3b98d |
| 08-Oct-2017 |
Andy Polyakov |
crypto/x509v3/v3_utl.c, ssl/ssl_cert.c: fix Coverity problems. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4492)
|
#
f32b0abe |
| 28-Sep-2017 |
Pauli |
Remove unnecessary #include <openssl/lhash.h> directives. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4431)
|
#
e431363f |
| 18-Sep-2017 |
Pauli |
Add stack space reservations. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4386)
|
#
07016a8a |
| 23-Aug-2017 |
Pauli |
Move e_os.h to be the very first include. cryptilib.h is the second. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)
|
#
cd420b0b |
| 21-Aug-2017 |
Pauli |
Move the REF_PRINT support from e_os.h to internal/refcount.h. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)
|
#
677963e5 |
| 18-Aug-2017 |
Pauli |
e_os.h removal from other headers and source files. Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and ssl/ssl_locl.h). Added e_os.h into the files that need it now. Directly reference internal/nelem.h when required. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4188)
|
#
b379fe6c |
| 25-Aug-2017 |
Richard Levitte |
NO_SYS_TYPES_H isn't defined anywhere, stop using it as a guard This is a vestige from pre-1.1.0 OpenSSL Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4256)
|
#
cd933ebd |
| 08-Jul-2017 |
Dr. Stephen Henson |
Move certificate table to header file so it can be tested. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3858)
|
#
c04cd728 |
| 28-Jun-2017 |
Dr. Stephen Henson |
Add certificate properties table. Add certificate table giving properties of each certificate index: specifically the NID associated with the index and the auth mask value for any cipher the certificate can be used with. This will be used to generalise certificate handling instead of hard coding algorithm specific cases. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3858)
|
#
aa8f3d76 |
| 15-Jun-2017 |
Rich Salz |
Modify Sun copyright to follow OpenSSL style Approved by Oracle. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/3585)
|