#
65c76cd2 |
| 24-Sep-2019 |
Daniil Zotkin |
Do not print extensions in Certificate message for TLS1.2 and lower According to RFC8446 CertificateEntry in Certificate message contains extensions that were not present in the Certific
Do not print extensions in Certificate message for TLS1.2 and lower According to RFC8446 CertificateEntry in Certificate message contains extensions that were not present in the Certificate message in RFC5246. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9994)
show more ...
|
#
706457b7 |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source direc
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|
#
555cbb32 |
| 12-Dec-2018 |
Todd Short |
Collapse ssl3_state_st (s3) into ssl_st With the removal of SSLv2, the s3 structure is always allocated, so there is little point in having it be an allocated pointer. Collapse the s
Collapse ssl3_state_st (s3) into ssl_st With the removal of SSLv2, the s3 structure is always allocated, so there is little point in having it be an allocated pointer. Collapse the ssl3_state_st structure into ssl_st and fixup any references. This should be faster than going through an indirection and due to fewer allocations, but I'm not seeing any significant performance improvement; it seems to be within the margin of error in timing. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7888)
show more ...
|
Revision tags: OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i, OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1, OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g, OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16, OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d, OpenSSL-fips-2_0_15 |
|
#
558ea847 |
| 15-Nov-2016 |
Richard Levitte |
Remove heartbeats completely Fixes #4856 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1928)
|
#
2c18d164 |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in ssl/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7768)
|
#
d6c46adf |
| 19-Aug-2018 |
Erik Forsberg |
Fix ssl/t1_trce.c to parse certificate chains Fixes #6994 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Yang <yang
Fix ssl/t1_trce.c to parse certificate chains Fixes #6994 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/7009)
show more ...
|
#
35e742ec |
| 18-Jul-2018 |
Matt Caswell |
Update code for the final RFC version of TLSv1.3 (RFC8446) Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/op
Update code for the final RFC version of TLSv1.3 (RFC8446) Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
show more ...
|
#
73cc84a1 |
| 14-May-2018 |
Matt Caswell |
Suport TLSv1.3 draft 28 Also retains support for drafts 27 and 26 Fixes #6257 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl
Suport TLSv1.3 draft 28 Also retains support for drafts 27 and 26 Fixes #6257 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6258)
show more ...
|
#
32c69853 |
| 26-Apr-2018 |
Dr. Matthias St. Pierre |
Fix mixed indentation (and other whitespace issues) Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6094)
|
#
d8fa9324 |
| 04-Apr-2018 |
cedral |
Visual Studio 2017 debug build warning error on 32 bit build Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://g
Visual Studio 2017 debug build warning error on 32 bit build Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5799)
show more ...
|
#
83cf3423 |
| 30-Mar-2018 |
Matt Caswell |
Update trace code to know about GOST ciphersuites Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openss
Update trace code to know about GOST ciphersuites Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5808)
show more ...
|
#
161ff6c5 |
| 23-Mar-2018 |
Philippe Antoine |
Adds multiple checks to avoid buffer over reads Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@
Adds multiple checks to avoid buffer over reads Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5675)
show more ...
|
#
63ff89ab |
| 21-Mar-2018 |
Philippe Antoine |
Fixes integer underflow with SSL_trace support Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/ope
Fixes integer underflow with SSL_trace support Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5706)
show more ...
|
#
dd07e68b |
| 16-Feb-2018 |
Dr. Matthias St. Pierre |
Fix miscellaneous typos in docs and source - d2i_PKC8PrivateKey -> d2i_PKCS8PrivateKey - bechmark -> benchmark - ciperhsuite -> ciphersuite - EncyptedPreMasterSecret -> Encrypted
Fix miscellaneous typos in docs and source - d2i_PKC8PrivateKey -> d2i_PKCS8PrivateKey - bechmark -> benchmark - ciperhsuite -> ciphersuite - EncyptedPreMasterSecret -> EncryptedPreMasterSecret Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5570)
show more ...
|
#
61cd0c94 |
| 12-Mar-2018 |
Matt Caswell |
Fix enable-ssl-trace Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5600)
|
#
d420729b |
| 08-Mar-2018 |
FdaSilvaYY |
Duplicate entries ssl_handshake_tbl trace entries... ... and add some missing known values. Sort ssl/tls extension array list Reviewed-by: Matt Caswell <matt@openssl.org> Re
Duplicate entries ssl_handshake_tbl trace entries... ... and add some missing known values. Sort ssl/tls extension array list Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5304)
show more ...
|
#
0e1d6ecf |
| 27-Feb-2018 |
Matt Caswell |
Add X448/Ed448 support to libssl Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5470)
|
#
9d75dce3 |
| 18-Dec-2017 |
Todd Short |
Add TLSv1.3 post-handshake authentication (PHA) Add SSL_verify_client_post_handshake() for servers to initiate PHA Add SSL_force_post_handshake_auth() for clients that don't have ce
Add TLSv1.3 post-handshake authentication (PHA) Add SSL_verify_client_post_handshake() for servers to initiate PHA Add SSL_force_post_handshake_auth() for clients that don't have certificates initially configured, but use a certificate callback. Update SSL_CTX_set_verify()/SSL_set_verify() mode: * Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after the initial handshake. * Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless of when the certificate authentication takes place; either initial handshake, re-negotiation, or post-handshake authentication. Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options Add support to s_client: * Enabled automatically when cert is configured * Can be forced enabled via -force_pha Add support to s_server: * Use 'c' to invoke PHA in s_server * Remove some dead code Update documentation Update unit tests: * Illegal use of PHA extension * TLSv1.3 certificate tests DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is implemented, it's PHA support state machine may need to be different. Add a TODO and a #error Update handshake context to deal with PHA. The handshake context for TLSv1.3 post-handshake auth is up through the ClientFinish message, plus the CertificateRequest message. Subsequent Certificate, CertificateVerify, and Finish messages are based on this handshake context (not the Certificate message per se, but it's included after the hash). KeyUpdate, NewSessionTicket, and prior Certificate Request messages are not included in post-handshake authentication. After the ClientFinished message is processed, save off the digest state for future post-handshake authentication. When post-handshake auth occurs, copy over the saved handshake context into the "main" handshake digest. This effectively discards the any KeyUpdate or NewSessionTicket messages and any prior post-handshake authentication. This, of course, assumes that the ID-22 did not mean to include any previous post-handshake authentication into the new handshake transcript. This is implied by section 4.4.1 that lists messages only up to the first ClientFinished. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
show more ...
|
#
36c91d13 |
| 26-Jan-2018 |
Benjamin Kaduk |
Fix ssl-trace with TLS 1.3 draft-23 PSS sigalgs The latest TLS 1.3 draft split the RSA-PSS signature schemes into two versions that indicate the OID of the RSA key being used. This f
Fix ssl-trace with TLS 1.3 draft-23 PSS sigalgs The latest TLS 1.3 draft split the RSA-PSS signature schemes into two versions that indicate the OID of the RSA key being used. This forced us to rename the preprocessor defines for the sigalg values, and the ssl-trace code was not adopted to match, since it was not enabled int the default build. Belatedly update the ssl_sigalg_tbl in the trace code to match. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5174)
show more ...
|
#
3c7d0945 |
| 09-Jan-2018 |
Richard Levitte |
Update copyright years on all files merged since Jan 1st 2018 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5038)
|
#
818b625d |
| 02-Jan-2018 |
Matt Caswell |
Fix trace of TLSv1.3 Certificate Request message A TLSv1.3 Certificate Request message was issuing a "Message length parse error" using the -trace option to s_server/s_client. R
Fix trace of TLSv1.3 Certificate Request message A TLSv1.3 Certificate Request message was issuing a "Message length parse error" using the -trace option to s_server/s_client. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5008)
show more ...
|
#
597c51bc |
| 05-Dec-2017 |
Matt Caswell |
Merge HRR into ServerHello Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4701)
|
#
88050dd1 |
| 03-Nov-2017 |
Matt Caswell |
Update ServerHello to new draft-22 format The new ServerHello format is essentially now the same as the old TLSv1.2 one, but it must additionally include supported_versions. The version
Update ServerHello to new draft-22 format The new ServerHello format is essentially now the same as the old TLSv1.2 one, but it must additionally include supported_versions. The version field is fixed at TLSv1.2, and the version negotiation happens solely via supported_versions. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4701)
show more ...
|
#
06312c47 |
| 11-Sep-2017 |
FdaSilvaYY |
SSL Trace improvements A fix formatting fixes. SSL Trace: internal constification - static trace tables - trace methods arguments SSL Trace: enhance error message
SSL Trace improvements A fix formatting fixes. SSL Trace: internal constification - static trace tables - trace methods arguments SSL Trace: enhance error message when tracing an invalid extension packet ... instead of just "Message length parse error!". SSL trace: add Maximum-Fragment-Length TLS extension log support Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4353)
show more ...
|
#
ee1ed1d3 |
| 31-Jul-2017 |
David Benjamin |
Fix the names of older ciphers. The names of these ciphers have an "SSL_" prefix, but the RFC names use "TLS_": https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#t
Fix the names of older ciphers. The names of these ciphers have an "SSL_" prefix, but the RFC names use "TLS_": https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 This dates back to these ciphers being originally defined in SSLv3. As SSLv3 is on its way out anyway and this is a new set of APIs, consistently use the TLS names. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4007)
show more ...
|