d781d247 | 21-Feb-2017 | Matt Caswell
Provide an SSL_read_early() function for reading early data

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

49e7fe12 | 21-Feb-2017 | Matt Caswell
Provide functions to write early data

We provide SSL_write_early() which *must* be called first on a connection (prior to any other IO function including SSL_connect()/SSL_do_handshake()). Also SSL_write_early_finish() which signals the end of early data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

3fc8d856 | 17-Feb-2017 | Matt Caswell
Construct the ticket_early_data_info extension

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)

6b1bb98f | 23-Jan-2017 | Benjamin Kaduk
Add SSL_CTX early callback

Provide a callback interface that gives the application the ability to adjust the nascent SSL object at the earliest stage of ClientHello processing, immediately after extensions have been collected but before they have been processed. This is akin to BoringSSL's "select_certificate_cb" (though it is not API compatible), and as the name indicates, one major use is to examine the supplied server name indication and select what certificate to present to the client. However, it can also be used to make more sweeping configuration changes to the SSL object according to the selected server identity and configuration. That may include adjusting the permitted TLS versions, swapping out the SSL_CTX object (as is traditionally done in a tlsext_servername_callback), changing the server's cipher list, and more.

We also wish to allow an early callback to indicate that it needs to perform additional work asynchronously and resume processing later. To that effect, refactor the second half of tls_process_client_hello() into a subroutine to be called at the post-processing stage (including the early callback itself), to allow the callback to result in remaining in the same work stage for a later call to succeed. This requires allocating for and storing the CLIENTHELLO_MSG in the SSL object to be preserved across such calls, but the storage is reclaimed after ClientHello processing finishes.

Information about the ClientHello is available to the callback by means of accessor functions that can only be used from the early callback. This allows extensions to make use of the existing internal parsing machinery without exposing structure internals (e.g., of PACKET), so that applications do not have to write fragile parsing code.

Applications are encouraged to utilize an early callback and not use a servername_callback, in order to avoid unexpected behavior that occurs due to the relative order of processing between things like session resumption and the historical servername callback.

Also tidy up nearby style by removing unnecessary braces around one-line conditional bodies.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

ccb8e6e0 | 30-Jan-2017 | Benjamin Kaduk
Export SSL_bytes_to_cipher_list()

Move ssl_bytes_to_cipher_list() to ssl_lib.c and create a public wrapper around it. This lets application early callbacks easily get SSL_CIPHER objects from the raw cipher bytes without having to reimplement the parsing code. In particular, they do not need to know the details of the sslv2 format ClientHello's ciphersuite specifications.

Document the new public function, including the arguably buggy behavior of modifying the supplied SSL object. On the face of it, such a function should be able to be pure, just a direct translation of wire octets to internal data structures.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)

53d1d07d | 09-Feb-2017 | Matt Caswell
Add a SSL_get_key_update_type() function

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)

44c04a2e | 08-Feb-2017 | Matt Caswell
Provide a function to send a KeyUpdate message

This implements the server side KeyUpdate sending capability as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)

377c5e98 | 27-Jan-2017 | Dr. Stephen Henson
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

2faa1b48 | 20-Jan-2017 | Cory Benfield
Add support for key logging callbacks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1646)

e304d3e2 | 15-Nov-2016 | Matt Caswell
Remove a hack from ssl_test_old

ssl_test_old was reaching inside the SSL structure and changing the internal BIO values. This is completely unnecessary, and was causing an abort in the test when enabling TLSv1.3.

I also removed the need for ssl_test_old to include ssl_locl.h. This required the addition of some missing accessors for SSL_COMP name and id fields.

Reviewed-by: Rich Salz <rsalz@openssl.org>

7ee8627f | 07-Sep-2016 | Matt Caswell
Convert libssl writing for size_t

Reviewed-by: Rich Salz <rsalz@openssl.org>

eda75751 | 06-Sep-2016 | Matt Caswell
Further libssl size_t-ify of reading

Writing still to be done

Reviewed-by: Rich Salz <rsalz@openssl.org>

045bd047 | 05-Oct-2016 | David Woodhouse
Add DTLS_get_data_mtu() function

We add ssl_cipher_get_overhead() as an internal function, to avoid having too much ciphersuite-specific knowledge in DTLS_get_data_mtu() itself.

It's going to need adjustment for TLSv1.3... but then again, so is fairly much *all* of the SSL_CIPHER handling. This bit is in the noise.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Revision tags: OpenSSL_1_1_0-pre1, OpenSSL_0_9_8zh, OpenSSL_1_0_0t, OpenSSL_1_0_1q, OpenSSL_1_0_2e, OpenSSL_1_0_1p, OpenSSL_1_0_2d, OpenSSL-fips-2_0_11, OpenSSL_1_0_1o, OpenSSL_1_0_2c, OpenSSL_0_9_8zg, OpenSSL_1_0_0s, OpenSSL_1_0_1n, OpenSSL_1_0_2b, OpenSSL-fips-2_0_10

b50052db | 31-Mar-2015 | Todd Short
Add SSL_CTX_set1_cert_store()

For convenience, combine getting a new ref for the new SSL_CTX with assigning the store and freeing the old one.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1755)

fddfc0af | 06-Aug-2016 | Remi Gacogne
Add missing session id and tlsext_status accessors

* SSL_SESSION_set1_id()
* SSL_SESSION_get0_id_context()
* SSL_CTX_get_tlsext_status_cb()
* SSL_CTX_get_tlsext_status_arg()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

e9281323 | 12-Aug-2016 | Rich Salz
GH1446: Add SSL_SESSION_get0_cipher

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1451)

72c76581 | 05-Aug-2016 | Richard Levitte
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>

65e2d672 | 21-Jul-2016 | Matt Caswell
Simplify and rename SSL_set_rbio() and SSL_set_wbio()

SSL_set_rbio() and SSL_set_wbio() are new functions in 1.1.0 and really should be called SSL_set0_rbio() and SSL_set0_wbio(). The old implementation was not consistent with what "set0" means though as there were special cases around what happens if the rbio and wbio are the same. We were only ever taking one reference on the BIO, and checking everywhere whether the rbio and wbio are the same so as not to double free.

A better approach is to rename the functions to SSL_set0_rbio() and SSL_set0_wbio(). If an existing BIO is present it is *always* freed regardless of whether the rbio and wbio are the same or not. It is therefore the caller's responsibility to ensure that a reference is taken for *each* usage, i.e. one for the rbio and one for the wbio.

The legacy function SSL_set_bio() takes both the rbio and wbio in one go and sets them both. We can wrap up the old behaviour in the implementation of that function, i.e. previously if the rbio and wbio are the same in the call to this function then the caller only needed to ensure one reference was passed. This behaviour is retained by internally upping the ref count.

This commit was inspired by BoringSSL commit f715c423224.

RT#4572

Reviewed-by: Rich Salz <rsalz@openssl.org>

3307000d | 12-Jul-2016 | Viktor Dukhovni
Make update

Reviewed-by: Rich Salz <rsalz@openssl.org>

e417070c | 08-Jun-2016 | Rich Salz
Add some accessor API's

GH1098: Add X509_get_pathlen() (and a test)
GH1097: Add SSL_is_dtls() function. Documented.

Reviewed-by: Matt Caswell <matt@openssl.org>

ade82832 | 01-Jun-2016 | Rich Salz
Remove NOEXIST entries

checkpoint before release.

Reviewed-by: Richard Levitte <levitte@openssl.org>

befe31cd | 31-May-2016 | Matt Caswell
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>

6546e9b2 | 09-May-2016 | Alessandro Ghedini
Add SSL_client_version() getter function

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

4b6b8487 | 11-Apr-2016 | Lyon Chen
Add SSL_SESSION_get0_hostname()

Reviewed-by: Rich Salz <rsalz@openssl.org>

72d3bcd1 | 13-Apr-2016 | Richard Levitte
Cleanup libcrypto.num and make update

Reviewed-by: Matt Caswell <matt@openssl.org>