#
eb818d23 |
| 29-Jul-2020 |
John Baldwin |
Refactor the KTLS tests to minimize code duplication. Use the low 4 bits of the test number directly as flags for which of the connection sides should use KTLS or not for each test inste
Refactor the KTLS tests to minimize code duplication. Use the low 4 bits of the test number directly as flags for which of the connection sides should use KTLS or not for each test instead of having 16 nearly identical functions to do the same thing. This makes it easier to skip tests that aren't supported (e.g. KTLS RX on TLS 1.3). Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12111)
show more ...
|
#
5f2b7db0 |
| 18-Aug-2020 |
Richard Levitte |
TEST: Use PEM_read_bio_PUBKEY_ex() and PEM_read_bio_PrivateKey_ex() test/evp_test.c and test/sslapitest.c are affected. This allows them to decode keys found in stanza files via provide
TEST: Use PEM_read_bio_PUBKEY_ex() and PEM_read_bio_PrivateKey_ex() test/evp_test.c and test/sslapitest.c are affected. This allows them to decode keys found in stanza files via provider decoder implementations when a library context other than the default should be used. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12673)
show more ...
|
#
ea9f6890 |
| 06-Aug-2020 |
Tomas Mraz |
sslapitest: Add test for premature call of SSL_export_keying_material Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12594)
|
#
6725682d |
| 24-Jul-2020 |
Shane Lontis |
Add X509 related libctx changes. - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
Add X509 related libctx changes. - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)
show more ...
|
#
865adf97 |
| 18-Jun-2020 |
Matt Caswell |
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*" The commit claimed to make things more consistent. In fact it makes it less so. Revert back to the pr
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*" The commit claimed to make things more consistent. In fact it makes it less so. Revert back to the previous namig convention. This reverts commit d9c2fd51e2e278bc3f7793a104ff7b4879f6d63a. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12186)
show more ...
|
#
8c2bfd25 |
| 11-Apr-2019 |
Todd Short |
Add SSL_get[01]_peer_certificate() Deprecate SSL_get_peer_certificte() and replace with SSL_get1_peer_certificate(). Add SSL_get0_peer_certificate. Reviewed-by: Paul Dale <p
Add SSL_get[01]_peer_certificate() Deprecate SSL_get_peer_certificte() and replace with SSL_get1_peer_certificate(). Add SSL_get0_peer_certificate. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/8730)
show more ...
|
#
146aebc6 |
| 26-Jun-2020 |
Matt Caswell |
Add a test to check having a provider loaded without a groups still works As long as we have at least one provider loaded which offers some groups, it doesn't matter if we have others lo
Add a test to check having a provider loaded without a groups still works As long as we have at least one provider loaded which offers some groups, it doesn't matter if we have others loaded that don't. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12292)
show more ...
|
#
163b8016 |
| 23-Jun-2020 |
Martin Elshuber |
Add support to zeroize plaintext in S3 record layer Some applications want even all plaintext copies beeing zeroized. However, currently plaintext residuals are kept in rbuf within t
Add support to zeroize plaintext in S3 record layer Some applications want even all plaintext copies beeing zeroized. However, currently plaintext residuals are kept in rbuf within the s3 record layer. This patch add the option SSL_OP_CLEANSE_PLAINTEXT to its friends to optionally enable cleansing of decrypted plaintext data. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12251)
show more ...
|
#
aba03ae5 |
| 02-Jan-2020 |
Kurt Roeckx |
Reduce the security bits for MD5 and SHA1 based signatures in TLS This has as effect that SHA1 and MD5+SHA1 are no longer supported at security level 1, and that TLS < 1.2 is no longer s
Reduce the security bits for MD5 and SHA1 based signatures in TLS This has as effect that SHA1 and MD5+SHA1 are no longer supported at security level 1, and that TLS < 1.2 is no longer supported at the default security level of 1, and that you need to set the security level to 0 to use TLS < 1.2. Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #10787
show more ...
|
#
23c48d94 |
| 20-Jun-2020 |
Dr. Matthias St. Pierre |
Rename <openssl/core_numbers.h> -> <openssl/core_dispatch.h> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12222)
|
#
49a36a52 |
| 16-Jun-2020 |
Matt Caswell |
Add an SSL_dup test Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12180)
|
#
0c13cdf8 |
| 21-May-2020 |
Matt Caswell |
Write a test provider to test the TLS-GROUPS capability Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
|
#
9d2d857f |
| 18-May-2020 |
Matt Caswell |
Modify libssl to discover supported groups based on available providers Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported
Modify libssl to discover supported groups based on available providers Now that we have added the TLS-GROUP capability to the default provider we can use that to discover the supported group list based on the loaded providers. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
show more ...
|
#
d9c2fd51 |
| 08-Jun-2020 |
Pauli |
The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_* functions are now EVP_MAC functions, usually with ctx in their names. Before 3.0 is released, the names are mu
The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_* functions are now EVP_MAC functions, usually with ctx in their names. Before 3.0 is released, the names are mutable and this prevents more inconsistencies being introduced. There are no functional or code changes. Just the renaming and a little reformatting. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11997)
show more ...
|
#
da4db160 |
| 25-Jan-2020 |
Vadim Fedorenko |
test: TLS1.3 and new ciphers for kTLS Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/
test: TLS1.3 and new ciphers for kTLS Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11589)
show more ...
|
#
b3842539 |
| 08-May-2020 |
Matt Caswell |
Implement a test for sigalgs not being present If sigalgs are not present we should not offer or accept them. We should test that we handle this correctly. Reviewed-by: Shane Lo
Implement a test for sigalgs not being present If sigalgs are not present we should not offer or accept them. We should test that we handle this correctly. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11834)
show more ...
|
#
e638112e |
| 15-May-2020 |
Dmitry Belyavskiy |
Test for the SSL_OP_IGNORE_UNEXPECTED_EOF option Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.o
Test for the SSL_OP_IGNORE_UNEXPECTED_EOF option Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11735)
show more ...
|
#
0b2b0be9 |
| 10-May-2020 |
raja-ashok |
Test TLSv1.3 out-of-band PSK with all 5 ciphersuites Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.
Test TLSv1.3 out-of-band PSK with all 5 ciphersuites Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11785)
show more ...
|
#
90fc2c26 |
| 02-May-2020 |
Nikolay Morozov |
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11709)
show more ...
|
#
a96e6c34 |
| 01-May-2020 |
Matt Caswell |
Extend test_ssl_get_shared_ciphers Ensure we test scenarios where a FIPS peer is communication with a non-FIPS peer. Check that a FIPS client doesn't offer ciphersuites it doesn't ha
Extend test_ssl_get_shared_ciphers Ensure we test scenarios where a FIPS peer is communication with a non-FIPS peer. Check that a FIPS client doesn't offer ciphersuites it doesn't have, and that a FIPS server only chooses ciphersuites it can support. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11700)
show more ...
|
#
f0049b86 |
| 17-Mar-2020 |
Benjamin Kaduk |
Add test for SSL_new_session_ticket() Run a normal handshake and then request some extra tickets, checking that the new_session_cb is called the expected number of times. Since the
Add test for SSL_new_session_ticket() Run a normal handshake and then request some extra tickets, checking that the new_session_cb is called the expected number of times. Since the tickets are generated in the same way as other tickets, there should not be a need to verify that these specific ones can be used to resume. Run the test with both zero and a non-zero number of tickets issued in the initial handshake. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11416)
show more ...
|
#
fb121631 |
| 01-Apr-2020 |
Benjamin Kaduk |
sslapitest: only compile test when it will be used The test_ccs_change_cipher() test routine is used only when TLS 1.2 is enabled; to fix the strict-warnings build we should not try to
sslapitest: only compile test when it will be used The test_ccs_change_cipher() test routine is used only when TLS 1.2 is enabled; to fix the strict-warnings build we should not try to compile it when TLS 1.2 is disabled, either. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11458)
show more ...
|
#
852c2ed2 |
| 19-Dec-2019 |
Rich Salz |
In OpenSSL builds, declare STACK for datatypes ... ... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds
In OpenSSL builds, declare STACK for datatypes ... ... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds and not non-deprecated builds. Deprecate stack-of-block Better documentation Move some ASN1 struct typedefs to types.h Update ParseC to handle this. Most of all, ParseC needed to be more consistent. The handlers are "recursive", in so far that they are called again and again until they terminate, which depends entirely on what the "massager" returns. There's a comment at the beginning of ParseC that explains how that works. {Richard Levtte} Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10669)
show more ...
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
#
4f6c7044 |
| 21-Mar-2020 |
Matt Caswell |
Re-enable FIPS testing in sslapitest.c Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
|