| #
eb818d23 |
| 29-Jul-2020 |
John Baldwin |
Refactor the KTLS tests to minimize code duplication.
Use the low 4 bits of the test number directly as flags for which of
the connection sides should use KTLS or not for each test inste
Refactor the KTLS tests to minimize code duplication.
Use the low 4 bits of the test number directly as flags for which of
the connection sides should use KTLS or not for each test instead of
having 16 nearly identical functions to do the same thing.
This makes it easier to skip tests that aren't supported (e.g. KTLS RX
on TLS 1.3).
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)
show more ...
|
| #
5f2b7db0 |
| 18-Aug-2020 |
Richard Levitte |
TEST: Use PEM_read_bio_PUBKEY_ex() and PEM_read_bio_PrivateKey_ex()
test/evp_test.c and test/sslapitest.c are affected. This allows them
to decode keys found in stanza files via provide
TEST: Use PEM_read_bio_PUBKEY_ex() and PEM_read_bio_PrivateKey_ex()
test/evp_test.c and test/sslapitest.c are affected. This allows them
to decode keys found in stanza files via provider decoder implementations
when a library context other than the default should be used.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12673)
show more ...
|
| #
ea9f6890 |
| 06-Aug-2020 |
Tomas Mraz |
sslapitest: Add test for premature call of SSL_export_keying_material
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594)
|
| #
6725682d |
| 24-Jul-2020 |
Shane Lontis |
Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
show more ...
|
| #
865adf97 |
| 18-Jun-2020 |
Matt Caswell |
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the pr
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.
This reverts commit d9c2fd51e2e278bc3f7793a104ff7b4879f6d63a.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
show more ...
|
| #
8c2bfd25 |
| 11-Apr-2019 |
Todd Short |
Add SSL_get[01]_peer_certificate()
Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.
Reviewed-by: Paul Dale <p
Add SSL_get[01]_peer_certificate()
Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8730)
show more ...
|
| #
146aebc6 |
| 26-Jun-2020 |
Matt Caswell |
Add a test to check having a provider loaded without a groups still works
As long as we have at least one provider loaded which offers some
groups, it doesn't matter if we have others lo
Add a test to check having a provider loaded without a groups still works
As long as we have at least one provider loaded which offers some
groups, it doesn't matter if we have others loaded that don't.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12292)
show more ...
|
| #
163b8016 |
| 23-Jun-2020 |
Martin Elshuber |
Add support to zeroize plaintext in S3 record layer
Some applications want even all plaintext copies beeing
zeroized. However, currently plaintext residuals are kept in rbuf
within t
Add support to zeroize plaintext in S3 record layer
Some applications want even all plaintext copies beeing
zeroized. However, currently plaintext residuals are kept in rbuf
within the s3 record layer.
This patch add the option SSL_OP_CLEANSE_PLAINTEXT to its friends to
optionally enable cleansing of decrypted plaintext data.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12251)
show more ...
|
| #
aba03ae5 |
| 02-Jan-2020 |
Kurt Roeckx |
Reduce the security bits for MD5 and SHA1 based signatures in TLS
This has as effect that SHA1 and MD5+SHA1 are no longer supported at
security level 1, and that TLS < 1.2 is no longer s
Reduce the security bits for MD5 and SHA1 based signatures in TLS
This has as effect that SHA1 and MD5+SHA1 are no longer supported at
security level 1, and that TLS < 1.2 is no longer supported at the
default security level of 1, and that you need to set the security
level to 0 to use TLS < 1.2.
Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #10787
show more ...
|
| #
23c48d94 |
| 20-Jun-2020 |
Dr. Matthias St. Pierre |
Rename <openssl/core_numbers.h> -> <openssl/core_dispatch.h>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)
|
| #
49a36a52 |
| 16-Jun-2020 |
Matt Caswell |
Add an SSL_dup test
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12180)
|
| #
0c13cdf8 |
| 21-May-2020 |
Matt Caswell |
Write a test provider to test the TLS-GROUPS capability
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)
|
| #
9d2d857f |
| 18-May-2020 |
Matt Caswell |
Modify libssl to discover supported groups based on available providers
Now that we have added the TLS-GROUP capability to the default provider
we can use that to discover the supported
Modify libssl to discover supported groups based on available providers
Now that we have added the TLS-GROUP capability to the default provider
we can use that to discover the supported group list based on the loaded
providers.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)
show more ...
|
| #
d9c2fd51 |
| 08-Jun-2020 |
Pauli |
The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*
functions are now EVP_MAC functions, usually with ctx in their names.
Before 3.0 is released, the names are mu
The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*
functions are now EVP_MAC functions, usually with ctx in their names.
Before 3.0 is released, the names are mutable and this prevents more
inconsistencies being introduced.
There are no functional or code changes.
Just the renaming and a little reformatting.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11997)
show more ...
|
| #
da4db160 |
| 25-Jan-2020 |
Vadim Fedorenko |
test: TLS1.3 and new ciphers for kTLS
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/
test: TLS1.3 and new ciphers for kTLS
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)
show more ...
|
| #
b3842539 |
| 08-May-2020 |
Matt Caswell |
Implement a test for sigalgs not being present
If sigalgs are not present we should not offer or accept them. We should
test that we handle this correctly.
Reviewed-by: Shane Lo
Implement a test for sigalgs not being present
If sigalgs are not present we should not offer or accept them. We should
test that we handle this correctly.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11834)
show more ...
|
| #
e638112e |
| 15-May-2020 |
Dmitry Belyavskiy |
Test for the SSL_OP_IGNORE_UNEXPECTED_EOF option
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.o
Test for the SSL_OP_IGNORE_UNEXPECTED_EOF option
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11735)
show more ...
|
| #
0b2b0be9 |
| 10-May-2020 |
raja-ashok |
Test TLSv1.3 out-of-band PSK with all 5 ciphersuites
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.
Test TLSv1.3 out-of-band PSK with all 5 ciphersuites
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11785)
show more ...
|
| #
90fc2c26 |
| 02-May-2020 |
Nikolay Morozov |
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11709)
show more ...
|
| #
a96e6c34 |
| 01-May-2020 |
Matt Caswell |
Extend test_ssl_get_shared_ciphers
Ensure we test scenarios where a FIPS peer is communication with a
non-FIPS peer. Check that a FIPS client doesn't offer ciphersuites it
doesn't ha
Extend test_ssl_get_shared_ciphers
Ensure we test scenarios where a FIPS peer is communication with a
non-FIPS peer. Check that a FIPS client doesn't offer ciphersuites it
doesn't have, and that a FIPS server only chooses ciphersuites it can
support.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11700)
show more ...
|
| #
f0049b86 |
| 17-Mar-2020 |
Benjamin Kaduk |
Add test for SSL_new_session_ticket()
Run a normal handshake and then request some extra tickets,
checking that the new_session_cb is called the expected number of
times. Since the
Add test for SSL_new_session_ticket()
Run a normal handshake and then request some extra tickets,
checking that the new_session_cb is called the expected number of
times. Since the tickets are generated in the same way as other
tickets, there should not be a need to verify that these specific ones
can be used to resume.
Run the test with both zero and a non-zero number of tickets issued in the
initial handshake.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11416)
show more ...
|
| #
fb121631 |
| 01-Apr-2020 |
Benjamin Kaduk |
sslapitest: only compile test when it will be used
The test_ccs_change_cipher() test routine is used only when TLS 1.2
is enabled; to fix the strict-warnings build we should not try to
sslapitest: only compile test when it will be used
The test_ccs_change_cipher() test routine is used only when TLS 1.2
is enabled; to fix the strict-warnings build we should not try to
compile it when TLS 1.2 is disabled, either.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11458)
show more ...
|
| #
852c2ed2 |
| 19-Dec-2019 |
Rich Salz |
In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.
Deprecate stack-of-block
Better documentation
Move some ASN1 struct typedefs to types.h
Update ParseC to handle this. Most of all, ParseC needed to be more
consistent. The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns. There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)
show more ...
|
| #
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
|
| #
4f6c7044 |
| 21-Mar-2020 |
Matt Caswell |
Re-enable FIPS testing in sslapitest.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)
|
