Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
3c95ef22 |
| 27-Jan-2021 |
Todd Short |
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit t
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
show more ...
|
#
c6d14bfd |
| 10-Mar-2023 |
VeronikaNguyen |
Added `CERTIFICATE_VERIFY_MAX_LENGTH` constant - Set `CERTIFICATE_VERIFY_MAX_LENGTH` to 65539 (2 bytes for the algorithm identifier + 2 bytes of signature length + 65535 bytes o
Added `CERTIFICATE_VERIFY_MAX_LENGTH` constant - Set `CERTIFICATE_VERIFY_MAX_LENGTH` to 65539 (2 bytes for the algorithm identifier + 2 bytes of signature length + 65535 bytes of signature) - Changed `SSL3_RT_MAX_PLAIN_LENGTH` to `CERTIFICATE_VERIFY_MAX_LENGTH` in `statem_srvr.c` and `statem_clnt.c` Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20486)
show more ...
|
#
b67cb09f |
| 09-Aug-2021 |
Todd Short |
Add support for compressed certificates (RFC8879) * Compressed Certificate extension (server/client) * Server certificates (send/receive) * Client certificate (send/receive)
Add support for compressed certificates (RFC8879) * Compressed Certificate extension (server/client) * Server certificates (send/receive) * Client certificate (send/receive) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18186)
show more ...
|
#
ac44deaf |
| 23-Sep-2022 |
Todd Short |
Test TLS extension ordering Adding extensions is fragile, with the TLSEXT_TYPE entry needing to be located at TLSEXT_IDX in the array. This adds a test to ensure extensions are
Test TLS extension ordering Adding extensions is fragile, with the TLSEXT_TYPE entry needing to be located at TLSEXT_IDX in the array. This adds a test to ensure extensions are in the correct order. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19269)
show more ...
|
#
67ec6d2b |
| 12-Aug-2022 |
Matt Caswell |
Use an enum for the return value from a construction function Construction return values are no longer boolean but can return 3 different values, so we use an enum to represent them.
Use an enum for the return value from a construction function Construction return values are no longer boolean but can return 3 different values, so we use an enum to represent them. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18990)
show more ...
|
#
38b051a1 |
| 20-Jun-2022 |
Tomas Mraz |
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented a QUIC stream. It requires adding if after every SSL_CONNECTION_FROM_SSL() call which itself has to be added to almost every public SSL_ API call. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18612)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
e1c12271 |
| 31-Dec-2021 |
yangyangtiantianlonglong |
Delete unused param about get_construct_message_f Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/open
Delete unused param about get_construct_message_f Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17385)
show more ...
|
#
e54f0c9b |
| 23-Jun-2021 |
Matt Caswell |
Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the the
Avoid "excessive message size" for session tickets We received a report of an "excessive message size" for a received session ticket. Our maximum size was significantly less than the theoretical maximum. The server may put any data it likes in the session ticket including (for example) the full certificate chain so we should be able to handle longer tickets. Update the value to the maximum allowed by the spec. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15877)
show more ...
|
#
f42e68dc |
| 19-Apr-2021 |
Matt Caswell |
Defer Finished MAC handling until after state transition In TLS we process received messages like this: 1) Read Message Header 2) Validate and transition state based on received
Defer Finished MAC handling until after state transition In TLS we process received messages like this: 1) Read Message Header 2) Validate and transition state based on received message type 3) Read Message Body 4) Process Message In DTLS we read messages like this: 1) Read Message Header and Body 2) Validate and transition state based on received message type 3) Process Message The difference is because of the stream vs datagram semantics of the underlying transport. In both TLS and DTLS we were doing finished MAC processing as part of reading the message body. This means that in DTLS this was occurring *before* the state transition has been validated. A crash was occurring in DTLS if a Finished message was sent in an invalid state due to assumptions in the code that certain variables would have been setup by the time a Finished message arrives. To avoid this problem we shift the finished MAC processing to be after the state transition in DTLS. Thanks to github user @bathooman for reporting this issue. Fixes #14906 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14930)
show more ...
|
#
6dd4b77a |
| 09-Mar-2021 |
Shane Lontis |
Add ossl_gost symbols Partial fix for #12964 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14473)
|
#
462f4f4b |
| 15-Jan-2021 |
Matt Caswell |
Remove OPENSSL_NO_EC guards from libssl Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
|
#
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
|
#
0c3eb279 |
| 16-Jan-2021 |
Dr. David von Oheimb |
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for fai
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906)
show more ...
|
#
3aff5b4b |
| 15-Jan-2021 |
Michael Baentsch |
Update SERVER_HELLO_MAX_LENGTH Update constant to maximum permitted by RFC 8446 Fixes #13868 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt
Update SERVER_HELLO_MAX_LENGTH Update constant to maximum permitted by RFC 8446 Fixes #13868 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13874)
show more ...
|
Revision tags: openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3 |
|
#
00c405b3 |
| 04-Jun-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12043)
|
Revision tags: openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f |
|
#
5a5530a2 |
| 30-Mar-2020 |
Dmitry Belyavskiy |
New Russian TLS 1.2 implementation Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11442)
|
Revision tags: OpenSSL_1_1_1e, OpenSSL_1_0_2u |
|
#
706457b7 |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source direc
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|