This project is mirrored from https://github.com/openssl/openssl.git.
Pull mirroring failed .
Last successful update .
Last successful update .
- 28 Jan, 2021 4 commits
-
-
Richard Levitte authored
Reviewed-by:Tomas Mraz <tomas@openssl.org>
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13996)
-
Richard Levitte authored
An '#include <string.h>' was mistakenly removed from apps/ec.c and apps/ecparam.c Fixes #13986 Reviewed-by:
Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/13989)
-
- 27 Jan, 2021 3 commits
-
-
Matt Caswell authored
The dhparam test was failing to properly handle line endings when running a mingw configured build under wine. Fixes #13557 Reviewed-by:
-
Daniel Bevenius authored
Reviewed-by:
-
Richard Levitte authored
OSSL_PARAM_allocate_from_text() converted text values to UTF-8 OSSL_PARAMs with a simple strncpy(). However, if the text is EBCDIC, that won't become UTF-8. Therefore, it's made to convert from EBCDIC to ASCII on platforms where the native character encoding is the former. One might argue that the conversion should be the responsibility of the application. However, this is a helper function, and the calling application can't easily know what sort of OSSL_PARAM the input values are going to be used for. Reviewed-by:
Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13961)
-
- 26 Jan, 2021 16 commits
-
-
Dr. David von Oheimb authored
The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by:
-
Daiki Ueno authored
Since the pointer can be later be modified, the caller should have the responsibility to supply the address of that. Signed-off-by:
Daiki Ueno <dueno@redhat.com> Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13951)
-
Richard Levitte authored
Partially fixes #13949 Reviewed-by:
-
Richard Levitte authored
This cleans away old misunderstandings of what can be done with OSSL_PARAM. Reviewed-by:
-
Tomas Mraz authored
Just comparison of the original parameter file with the -out output. Some test files have non-canonical encoding, so they are moved to a different directory. Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Matt Caswell authored
libssl at the moment downgrades an EVP_PKEY to an EC_KEY object in order to get the conv form and field type. Instead we provide EVP_PKEY level functions to do this. Reviewed-by:
-
Shane Lontis authored
Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by:
-
Shane Lontis authored
Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
- 25 Jan, 2021 4 commits
-
-
Richard Levitte authored
At this point, we have transitioned completely from Travis to GitHub Actions Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Fixes #13933 Reviewed-by:
-
Tomas Mraz authored
This key generation method is obsolete. Fixes #10111 Reviewed-by:
-
- 23 Jan, 2021 6 commits
-
-
Dr. David von Oheimb authored
Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d(). Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new(). Minor further fixes in OSSL_HTTP_REQ_CTX.pod Fixes #13873 Reviewed-by:
-
Dr. David von Oheimb authored
Reviewed-by:
-
Dr. David von Oheimb authored
Reviewed-by:
-
Dr. David von Oheimb authored
Reviewed-by:
-
Dr. David von Oheimb authored
Reviewed-by:
-
Dr. David von Oheimb authored
Reviewed-by:
-
- 22 Jan, 2021 3 commits
-
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Whenever we set a private key in libssl, we first found the certificate that matched the key algorithm. Then we copied the key parameters from the private key into the public key for the certficate before finally checking that the private key matched the public key in the certificate. This makes no sense! Part of checking the private key is to make sure that the parameters match. It seems that this code has been present since SSLeay. Perhaps at some point it made sense to do this - but it doesn't any more. We remove that piece of code altogether. The previous code also had the undocumented side effect of removing the certificate if the key didn't match. This makes sense if you've just overwritten the parameters in the certificate with bad values - but doesn't seem to otherwise. I've also removed that error logic. Due to issue #13893, the public key associated with the certificate is always a legacy key. EVP_PKEY_copy_parameters will downgrade the "from" key to legacy if the target is legacy, so this means that in libssl all private keys were always downgraded to legacy when they are first set in the SSL/SSL_CTX. Removing the EVP_PKEY_copy_parameters code has the added benefit of removing that downgrade. Reviewed-by:
-
Matt Caswell authored
The legacy_asn1_ctrl_to_param implementation of ASN1_PKEY_CTRL_DEFAULT_MD_NID calls EVP_PKEY_get_default_digest_name() which returns an mdname. Previously we were using OBJ_sn2nid/OBJ_ln2nid to lookup that name in the OBJ database. However we might get an md name back that only exists in the namemap, not in the OBJ database. In that case we need to check the various aliases for the name, to see if one of those matches the name we are looking for. Reviewed-by:
-
- 21 Jan, 2021 4 commits
-
-
Richard Levitte authored
For Unix like environments, we may have so called "simple" shared library names (libfoo.so as opposed to libfoo.so.1.2), or we may have "import" library names associated with a DLL (libfoo.dll.a for libfoo.dll on Mingw and derivatives). So far, "import" library names were treated the same as "simple" shared library names, as some kind of normalization for the Unix way of doing things. We now shift to treat them separately, to make it clearer what is what. Fixes #13414, incidently Reviewed-by:
-
zsugabubus authored
Checking is performed after the read-only test so it catches such errors earlier. CLA: trivial Reviewed-by:
-
Tomas Mraz authored
Reviewed-by:
-
Tomas Mraz authored
It must be decoded from the ASN.1 integer before setting to the EVP_PKEY. Reviewed-by:
-
