f5680cd0 | 14-May-2021 |
Matt Caswell |
Add a CHANGES entry for fully pluggable groups Fixes #12283 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15282)
|
f2ceefc3 | 13-May-2021 |
Shane Lontis |
Add doc for ERR_clear_last_mark(). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15258) |
00b8706c | 13-May-2021 |
Shane Lontis |
Fix OSSL_DECODER_new_for_pkey() selection parameter documentation Fixes #14518 EVP_PKEY_fromdata() already defines this value so we link to this documentation, 0 is also added as a possible input value. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15260)
|
a1f63873 | 13-May-2021 |
Shane Lontis |
Fix compiler error when using config option 'enable-acvp-tests' Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15264) |
b422ba3d | 14-May-2021 |
Richard Levitte |
Adapt 80-test_cmp_http.t and its data for random accept ports Fixes #14694 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15281)
|
a12da5da | 14-May-2021 |
Richard Levitte |
APPS: Make the cmp Mock server output the accept address and port Fixes #14694 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15281)
|
e2daf6f1 | 16-May-2021 |
Pauli |
ci: remove the checksum CI script This script introduces a security vulnerability where the OpenSSL github repository can be modified which opens a window for an attacker. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reported-by: Nikita Stupin
|
6dc56df2 | 17-Mar-2021 |
Benjamin Kaduk |
Add extensive test coverage for SSL_get_negotiated_group() This is nearly comprehensive, but we cannot exercise the functionality for PSK-only TLS 1.3 resumption, since openssl talking to openssl will always negotiate psk_dhe_ke. Exercise both the TLS 1.3 and 1.2 cases, for initial handshakes and resumptions, and for ECDHE and FFDHE. Since RFC 7919 named groups (for FFDHE) are only supported for TLS 1.3, the TLS 1.2 versions of those scenarios expect to get NID_undef since the key exchange was not performed using a named group. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
|
f89d3d69 | 17-Mar-2021 |
Benjamin Kaduk |
move group lists out of test_key_exchange() in preparation for reuse Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750) |
75d48520 | 16-Mar-2021 |
Benjamin Kaduk |
Extend SSL_get_negotiated_group() tests for TLS 1.2 We don't implement RFC 7919 named groups for TLS 1.2, so we can only test the ECDHE case for non-TLS-1.3. Interestingly, though the test_key_exchange() routine claimed to be exercising ffdhe2048 with TLS 1.2, the configured ciphers were incompatible with DHE key exchange, so we ended up just using RSA key transport and not doing an ephemeral key exchange at all. Reconfigure the tests to actually exercise ephemeral key exchange for both the EC and FF cases (even though we don't use the named group information for the finite-field case). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
|
c22ad9b6 | 16-Mar-2021 |
Benjamin Kaduk |
Regenerate testsid.pem Convert this file to the new format, that includes the kex_group integer value. This is needed in order for the round-trip conversion test to return the same value as the initial input. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
|
aa6bd216 | 16-Mar-2021 |
Benjamin Kaduk |
Promote SSL_get_negotiated_group() for non-TLSv1.3 It can be useful to know what group was used for the handshake's key exchange process even on non-TLS 1.3 connections. Allow this API, new in OpenSSL 3.0.0, to be used on other TLS versions as well. Since pre-TLS-1.3 key exchange occurs only on full handshakes, this necessitates adding a field to the SSL_SESSION object to carry the group information across resumptions. The key exchange group in the SSL_SESSION can also be relevant in TLS 1.3 when the resumption handshake uses the "psk_ke" key-exchange mode, so also track whether a fresh key exchange was done for TLS 1.3. Since the new field is optional in the ASN.1 sense, there is no need to increment SSL_SESSION_ASN1_VERSION (which incurs strong incompatibility churn). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14750)
|
a8457b4c | 14-May-2021 |
Richard Levitte |
ASN1: Fix i2d_provided() return value i2d_provided() - which is the internal provider data function for i2d_KeyParams(), i2d_PrivateKey(), i2d_PublicKey() - didn't treat the returned length from OSSL_ENCODER_to_data() quite as well as it should have. A simple added flag that records the state of |*pp| before calling OSSL_ENCODER_to_data() fixes the problem. Fixes #14655 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/15277)
|
52282716 | 13-May-2021 |
Matt Caswell |
Load the default provider into the p_test provider later Loading it earlier causes some of the later testing to pass when it should fail and masked a bug. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15270)
|
36a89c04 | 13-May-2021 |
Matt Caswell |
Init the child providers immediately on creation of the child libctx We were deferring the initial creation of the child providers until the first fetch. This is a carry over from an earlier iteration of the child lib ctx development and is no longer necessary. In fact we need to init the child providers immediately otherwise not all providers quite init correctly. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15270)
|
773f1c33 | 13-May-2021 |
Tomas Mraz |
Add make update-fips-checksums to release.sh script Fixes #15223 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15271)
|
af352165 | 13-May-2021 |
Pauli |
doc: document all functions in provider-base(7) Fixes #13358 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15259) |
a113826e | 13-May-2021 |
Matt Caswell |
Fix a memleak on an error path in the pkcs12 test helpers Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15269)
|
647a5dbf | 11-May-2021 |
Dr. David von Oheimb |
Add OSSL_ prefix to HTTP_DEFAULT_MAX_{LINE_LENGTH,RESP_LEN} Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053) |
e2c38c1a | 04-May-2021 |
Dr. David von Oheimb |
http_client.c: Rename internal fields and functions for consistency Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053) |
be799eb7 | 04-May-2021 |
Dr. David von Oheimb |
HTTP client: Allow streaming of response data (with possibly indefinite length) Also clean up max_resp_len and add OSSL_HTTP_REQ_CTX_get_resp_len(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
|
8b5ca511 | 04-May-2021 |
Dr. David von Oheimb |
HTTP client: Allow streaming of request data (for POST method) Also clean up OSSL_HTTP_REQ_CTX_nbio() states and make it more efficient. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
|
82990287 | 03-May-2021 |
Dr. David von Oheimb |
HTTP client API: Generalize to arbitrary request and response contents Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053) |
22fe2b12 | 01-May-2021 |
Dr. David von Oheimb |
OSSL_HTTP_transfer(): Fix error reporting in case rctx->server is NULL Also improve doc of OSSL_parse_url() and OSSL_HTTP_parse_url(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053)
|
8801240b | 01-May-2021 |
Dr. David von Oheimb |
OSSL_HTTP_get(): Do not close connection if redirect to same server Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15053) |