#
00a6d074 |
| 30-Apr-2024 |
Alexander Kanavin |
ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time Adjust the manpages at the same time so that only the new functions are being presented. Fixes: #23648 S
ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time Adjust the manpages at the same time so that only the new functions are being presented. Fixes: #23648 Signed-off-by: Alexander Kanavin <alex@linutronix.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24307)
show more ...
|
#
86c9bb13 |
| 17-May-2024 |
Alexander Kanavin |
ssl_sess.c: deprecate SSL_CTX_flush_sessions in favour of _ex() replacement The original function is using long for time and is therefore not Y2038-safe. Signed-off-by: Alexande
ssl_sess.c: deprecate SSL_CTX_flush_sessions in favour of _ex() replacement The original function is using long for time and is therefore not Y2038-safe. Signed-off-by: Alexander Kanavin <alex@linutronix.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24307)
show more ...
|
#
05752478 |
| 26-Apr-2024 |
Matt Caswell |
Move the ability to load the dasync engine into ssltestlib.c The sslapitest has a helper function to load the dasync engine which is useful for testing pipelining. We would like to have
Move the ability to load the dasync engine into ssltestlib.c The sslapitest has a helper function to load the dasync engine which is useful for testing pipelining. We would like to have the same facility from sslbuffertest, so we move the function to the common location ssltestlib.c Follow on from CVE-2024-4741 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24395)
show more ...
|
#
f6e46980 |
| 09-May-2024 |
Tomas Mraz |
sslapitest.c: With fips skip tests depending on X25519 and X448 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github
sslapitest.c: With fips skip tests depending on X25519 and X448 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24347)
show more ...
|
#
b6a5e801 |
| 01-Dec-2023 |
Rajeev Ranjan |
Add support for integrity-only cipher suites for TLS v1.3 - add test vectors for tls1_3 integrity-only ciphers - recmethod_local.h: add new member for MAC - tls13_meth.c: add MAC onl
Add support for integrity-only cipher suites for TLS v1.3 - add test vectors for tls1_3 integrity-only ciphers - recmethod_local.h: add new member for MAC - tls13_meth.c: add MAC only to tls 1.3 - tls13_enc.c: extend function to add MAC only - ssl_local.h: add ssl_cipher_get_evp_md_mac() - s3_lib.c: add the new ciphers and add #ifndef OPENSSL_NO_INTEGRITY_ONLY_CIPHERS - ssl_ciph.c : add ssl_cipher_get_evp_md_mac() and use it - tls13secretstest.c: add dummy test function - Configure: add integrity-only-ciphers option - document the new ciphers Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22903)
show more ...
|
#
c8dddc61 |
| 29-Apr-2024 |
Matt Caswell |
Add a test for the session_secret_cb Ensure that if a session_secret_cb is being used that a connection can be successfully made Reviewed-by: Neil Horman <nhorman@openssl.org>
Add a test for the session_secret_cb Ensure that if a session_secret_cb is being used that a connection can be successfully made Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24309)
show more ...
|
#
1848c561 |
| 25-Mar-2024 |
Matt Caswell |
Fix intermittent sslapitest early data related failures Early data is time sensitive. We have an approx 8 second allowance between writing the early data and reading it. If we exceed tha
Fix intermittent sslapitest early data related failures Early data is time sensitive. We have an approx 8 second allowance between writing the early data and reading it. If we exceed that time tests will fail. This can sometimes (rarely) occur in normal CI operation. We can try and detect this and just ignore the result of such test failures if the test has taken too long. We assume anything over 7 seconds is too long. This is a partial fix for #22605 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23966)
show more ...
|
#
afb6ce0d |
| 25-Mar-2024 |
Matt Caswell |
Use OSSL_TIME instead of using arithmetic directly on time_t We have functions for adding/subtracting time. We should use them. Reviewed-by: Tomas Mraz <tomas@openssl.org> Revie
Use OSSL_TIME instead of using arithmetic directly on time_t We have functions for adding/subtracting time. We should use them. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23966)
show more ...
|
#
972ee925 |
| 16-Apr-2024 |
Tim Perry |
Use empty renegotiate extension instead of SCSV for TLS > 1.0 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com
Use empty renegotiate extension instead of SCSV for TLS > 1.0 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24161)
show more ...
|
#
b6461792 |
| 20-Mar-2024 |
Richard Levitte |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0) Reviewed-by: Hugo Lan
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034)
show more ...
|
#
4a3e8f08 |
| 15-Jul-2022 |
Matt Caswell |
Add a test for session cache overflow Test sessions behave as we expect even in the case that an overflow occurs when adding a new session into the session cache. Related to CVE
Add a test for session cache overflow Test sessions behave as we expect even in the case that an overflow occurs when adding a new session into the session cache. Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042)
show more ...
|
#
cfeaf33a |
| 05-Mar-2024 |
Matt Caswell |
Extend the multi_resume test for simultaneous resumptions Test what happens if the same session gets resumed multiple times at the same time - and one of them gets marked as not_resumabl
Extend the multi_resume test for simultaneous resumptions Test what happens if the same session gets resumed multiple times at the same time - and one of them gets marked as not_resumable. Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042)
show more ...
|
#
0447cd69 |
| 04-Mar-2024 |
Matt Caswell |
Add a test for session cache handling Repeatedly create sessions to be added to the cache and ensure we never exceed the expected size. Related to CVE-2024-2511 Reviewe
Add a test for session cache handling Repeatedly create sessions to be added to the cache and ensure we never exceed the expected size. Related to CVE-2024-2511 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24042)
show more ...
|
#
2b4cea1e |
| 14-Dec-2023 |
Tomas Mraz |
Add test for ignoring unknown sigalgs and groups marked with ? Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://
Add test for ignoring unknown sigalgs and groups marked with ? Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/23050)
show more ...
|
#
f4ed6eed |
| 19-Feb-2024 |
Michael Baentsch <57787676+baentsch@users.noreply.github.com> |
SSL_set1_groups_list(): Fix memory corruption with 40 groups and more Fixes #23624 The calculation of the size for gid_arr reallocation was wrong. A multiplication by gid_arr ar
SSL_set1_groups_list(): Fix memory corruption with 40 groups and more Fixes #23624 The calculation of the size for gid_arr reallocation was wrong. A multiplication by gid_arr array item size was missing. Testcase is added. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23625)
show more ...
|
#
ffc853bc |
| 09-Jun-2023 |
Ijtaba Hussain |
Extended SSL_SESSION functions using time_t Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/opens
Extended SSL_SESSION functions using time_t Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21206)
show more ...
|
#
5de8c49d |
| 16-Jan-2024 |
Matt Caswell |
Extend the testing of resetting/clearing an SSL connection SSL_clear() explicitly clears an SSL object to enable it to be reused. You can have a similar effect by calling SSL_set_accept_
Extend the testing of resetting/clearing an SSL connection SSL_clear() explicitly clears an SSL object to enable it to be reused. You can have a similar effect by calling SSL_set_accept_state() or SSL_set_connect_state(). We extend the testing of SSL_clear() to use these other methods. We also ensure we test the case where we have unread bufferred data that needs to be cleared. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23256)
show more ...
|
#
563f4be8 |
| 02-Jan-2024 |
Matt Caswell |
Add a KTLS test where we write long app data records Check that we can write and read back long app data records when using KTLS. Reviewed-by: Tomas Mraz <tomas@openssl.org>
Add a KTLS test where we write long app data records Check that we can write and read back long app data records when using KTLS. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23182)
show more ...
|
#
164a541b |
| 22-Dec-2023 |
Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> |
Fix new typos found by codespell Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23133)
|
#
5df160f1 |
| 11-Dec-2023 |
Tomas Mraz |
test_export_key_mat(): Long context support works with new fips provider only Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merg
test_export_key_mat(): Long context support works with new fips provider only Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23007)
show more ...
|
#
7765d25f |
| 29-Nov-2023 |
Matt Caswell |
Add a test for late loading of an ENGINE in TLS Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX). Reviewed-b
Add a test for late loading of an ENGINE in TLS Confirm that using an ENGINE works as expected with TLS even if it is loaded late (after construction of the SSL_CTX). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/22864)
show more ...
|
#
71583393 |
| 30-Nov-2023 |
Markus Minichmayr |
Test various combinations of `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX` Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged
Test various combinations of `SSL_OP_ALLOW_NO_DHE_KEX` and `SSL_OP_PREFER_NO_DHE_KEX` Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22883)
show more ...
|
#
ef9d8f2f |
| 23-Oct-2023 |
Daiki Ueno |
Accept longer context for TLS 1.2 exporters While RFC 5705 implies that the maximum length of context for exporters to be 65535 bytes as the length is embedded in uint16, the current
Accept longer context for TLS 1.2 exporters While RFC 5705 implies that the maximum length of context for exporters to be 65535 bytes as the length is embedded in uint16, the current implementation enforces much smaller limit, which is less than 1024 bytes. This removes the restriction by dynamically allocating memory. Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22465)
show more ...
|
#
3860ef2a |
| 05-Oct-2023 |
Tomas Mraz |
QUIC: Test connection with large client and server cert chains Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github
QUIC: Test connection with large client and server cert chains Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22476)
show more ...
|
#
74efc547 |
| 25-Oct-2023 |
Pauli |
sslapitest: add cast to avoid compiler error Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.or
sslapitest: add cast to avoid compiler error Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22500)
show more ...
|