openssl - openssl

	Commit message (Collapse)	Author	Age	Files	Lines
*	Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().	Shane Lontis	2021-04-12	1	-1/+1
\| \| \| \| \|	Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14785)
*	Add internal X509_add_certs_new(), which simplifies matters	Dr. David von Oheimb	2021-02-18	1	-1/+0
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14039)
*	Update copyright year	Matt Caswell	2021-02-18	3	-3/+3
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
*	Deprecate the libssl level SRP APIs	Matt Caswell	2021-02-12	3	-57/+92
\| \| \| \| \| \| \| \|	The low level SRP implementation has been deprecated with no replacement. Therefore the libssl level APIs need to be similarly deprecated. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14132)
*	Simplify the EVP_PKEY_XXX_fromdata_XX methods.	Shane Lontis	2021-02-08	1	-2/+3
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The existing names such as EVP_PKEY_param_fromdata_settable were a bit confusing since the 'param' referred to key params not OSSL_PARAM. To simplify the interface a 'selection' parameter will be passed instead. The changes are: (1) EVP_PKEY_fromdata_init() replaces both EVP_PKEY_key_fromdata_init() and EVP_PKEY_param_fromdata_init(). (2) EVP_PKEY_fromdata() has an additional selection parameter. (3) EVP_PKEY_fromdata_settable() replaces EVP_PKEY_key_fromdata_settable() and EVP_PKEY_param_fromdata_settable(). EVP_PKEY_fromdata_settable() also uses a selection parameter. Fixes #12989 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14076)
*	Stop disabling TLSv1.3 if ec and dh are disabled	Matt Caswell	2021-02-05	1	-17/+32
\| \| \| \| \| \| \| \| \| \|	Even if EC and DH are disabled then we may still be able to use TLSv1.3 if we have groups that have been plugged in by an external provider. Fixes #13767 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
*	Update copyright year	Richard Levitte	2021-01-28	6	-6/+6
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)
*	TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY	Dr. David von Oheimb	2021-01-26	3	-1/+22
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906)
*	Avoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy	Tomas Mraz	2021-01-26	1	-4/+1
\| \| \| \| \|	Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
*	Deprecate EC_KEY + Update ec apps to use EVP_PKEY	Shane Lontis	2021-01-26	1	-6/+10
\| \| \| \| \| \| \| \| \|	Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
*	TEST: move cert, key, and CSR loading aux functions to new testutil/load.c	Dr. David von Oheimb	2021-01-13	3	-55/+6
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13762)
*	test cleanup: move helper .c and .h files to test/helpers/	Dr. David von Oheimb	2020-12-01	12	-0/+5273
	Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13568)