2478d3b7 | 14-Jun-2024 | Frederik Wedel-Heinen | Cleanup of unused functions and macros in ssl_local.h Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24648)
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13 |
2bb83824 | 20-Feb-2021 | FdaSilvaYY | ssl: rework "e_os.h" inclusions - Remove e_os.h include from "ssl_local.h" - Added e_os.h into the files that need it now. - Move e_os.h to be the very first include Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14344)
f21ededc | 01-Aug-2024 | FdaSilvaYY | ssl: factorize and improve hex conversion code Add inline qualifier to avoid exporting a function for one unique use Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24968)
668fdb59 | 18-Jul-2024 | FdaSilvaYY | ssl: remove stdio.h and sprintf use from libssl. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24968)
ed7a8bfd | 30-Jul-2024 | Tomas Mraz | ssl_evp_cipher_fetch(): Avoid using 3DES from the FIPS provider Avoid using a fetched cipher that is decrypt-only which is the case for 3DES from the fips provider. Add a decrypt-only parameter to the EVP_CIPHER and test it in libssl when fetching. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25028)
962431d5 | 13-Sep-2023 | Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> | that open brace { should be on the previous line Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22097)
21dfb975 | 04-Jul-2024 | Stephen Farrell | Extend TLSv1.3 record layer padding API calls Added SSL_set_block_padding_ex() and SSL_CTX_set_block_padding_ex() to allow separate padding block size values for handshake messages and application data messages. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24796)
2ebbe2d7 | 31-May-2024 | Matt Caswell | Fix SSL_select_next_proto Ensure that the provided client list is non-NULL and starts with a valid entry. When called from the ALPN callback the client list should already have been validated by OpenSSL so this should not cause a problem. When called from the NPN callback the client list is locally configured and will not have already been validated. Therefore SSL_select_next_proto should not assume that it is correctly formatted. We implement stricter checking of the client protocol list. We also do the same for the server list while we are about it. CVE-2024-5535 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24716)
8f250985 | 20-Jun-2024 | Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> | Fix typos found by codespell Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/24691)
00a6d074 | 30-Apr-2024 | Alexander Kanavin | ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time Adjust the manpages at the same time so that only the new functions are being presented. Fixes: #23648 Signed-off-by: Alexander Kanavin <alex@linutronix.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24307)
86c9bb13 | 17-May-2024 | Alexander Kanavin | ssl_sess.c: deprecate SSL_CTX_flush_sessions in favour of _ex() replacement The original function is using long for time and is therefore not Y2038-safe. Signed-off-by: Alexander Kanavin <alex@linutronix.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24307)
21819f78 | 26-Apr-2024 | Tomas Mraz | Make conf_diagnostics apply also to the SSL conf errors Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24275)
3dcd8513 | 01-Mar-2024 | Neil Horman | Make a failure in ktls_sendfile a syscall error A failure in ktls_sendfile results in an error in ERR_LIB_SSL, but it's really a syscall error, since ktls_sendfile just maps to a call to the sendfile syscall. Encode it as such Fixes #23722 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23723)
b6461792 | 20-Mar-2024 | Richard Levitte | Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034)
7984fa68 | 05-Mar-2024 | Matt Caswell | Fix unconstrained session cache growth in TLSv1.3 In TLSv1.3 we create a new session object for each ticket that we send. We do this by duplicating the original session. If SSL_OP_NO_TICKET is in use then the new session will be added to the session cache. However, if early data is not in use (and therefore anti-replay protection is being used), then multiple threads could be resuming from the same session simultaneously. If this happens and a problem occurs on one of the threads, then the original session object could be marked as not_resumable. When we duplicate the session object this not_resumable status gets copied into the new session object. The new session object is then added to the session cache even though it is not_resumable. Subsequently, another bug means that the session_id_length is set to 0 for sessions that are marked as not_resumable - even though that session is still in the cache. Once this happens the session can never be removed from the cache. When that object gets to be the session cache tail object the cache never shrinks again and grows indefinitely. CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042)
e53a7ccd | 22-Mar-2024 | Jiasheng Jiang | Alter the check Alter the check since 0 md size is an error. Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23940)
165797c7 | 22-Mar-2024 | Jiasheng Jiang | ssl/ssl_lib.c: Add the check before cast from int to unsigned Add the check before cast from int to unsigned to avoid integer overflow since EVP_MD_get_size() may return negative numbers. Fixes: 919ba00942 ("DANE support structures, constructructors and accessors") Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23940)
4169d58c | 20-Nov-2023 | Alex Bozarth | Allow provider sigalgs in SignatureAlgorithms conf Though support for provider-based signature algorithms was added in ee58915 this functionality did not work with the SignatureAlgorithms configuration command. If SignatureAlgorithms is set then the provider sigalgs are not used and instead it used the default value. This PR adds a check against the provider-based sigalg list when parsing the SignatureAlgorithms value. Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com> Fixes #22761 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/22779)
715a74a6 | 13-Feb-2024 | Frederik Wedel-Heinen | Removes record_queue struct which is no longer useful. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23571)
5c16e9d3 | 14-Feb-2024 | Hugo Landau | QUIC: Fix SSL_ctrl operation for QSSOs Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23581)
12c0d72c | 13-Feb-2024 | Hugo Landau | Fix SSL_export_keying_material for QUIC Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23567) (cherry picked from commit 498d4e4c4f4a1e220cfa64cfcc76174e2f656fd0)
99a5cfc1 | 07-Feb-2024 | Hugo Landau | QUIC APL: Move NULL pointer check to quic_impl.c Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23360)
e203d1b5 | 22-Jan-2024 | Hugo Landau | QUIC: Add new error codes for tuning API Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23360)
fb1a0bb9 | 08-Sep-2023 | Hugo Landau | QLOG: Wire title-setting code to QUIC_CHANNEL and SSL_CTX Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22037)
89dd87e1 | 01-Feb-2024 | Hugo Landau | libssl: Make some global mutable structures constant x Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23450)