  1. Jun 26, 2019
    • Move 'shared_sigalgs' from cert_st to ssl_st · 915430a0
      Benjamin Kaduk authored
      
      
      It was only ever in cert_st because ssl_st was a public structure
      and could not be modified without breaking the API.  However, both
      structures are now opaque, and thus we can freely change their layout
      without breaking applications.  In this case, keeping the shared
      sigalgs in the SSL object prevents complications wherein they would
      inadvertently get cleared during SSL_set_SSL_CTX() (e.g., as run
      during a cert_cb).
      
      Fixes #9099
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/9157)
      
      (cherry picked from commit 29948ac80c1388cfeb0bd64539ac1fa6e0bb8990)
    • Revert "Delay setting the sig algs until after the cert_cb has been called" · 572492aa
      Benjamin Kaduk authored
      
      
      This reverts commit 524006dd1b80c1a86a20119ad988666a80d8d8f5.
      
      While this change did prevent the sigalgs from getting inadvertently
      clobbered by SSL_set_SSL_CTX(), it also caused the sigalgs to not be
      set when the cert_cb runs.  This, in turn, caused significant breakage,
      such as SSL_check_chain() failing to find any valid chain.  An alternate
      approach to fixing the issue from #7244 will follow.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/9157)
      
      (cherry picked from commit 6f34d7bc7d0c7fcd86c6f2772f26e42c925d8505)
    • Add regression test for #9099 · 9863b419
      Benjamin Kaduk authored
      
      
      Augment the cert_cb sslapitest to include a run that uses
      SSL_check_chain() to inspect the certificate prior to installing
      it on the SSL object.  If the check shows the certificate as not
      valid in that context, we do not install a certificate at all, so
      the handshake will fail later on in processing (tls_choose_sigalg()),
      exposing the indicated regression.
      
      Currently it fails, since we have not yet set the shared sigalgs
      by the time the cert_cb runs.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/9157)
      
      (cherry picked from commit 7cb8fb07e8b71dc1fdcb0de10af7fed4347f6ea4)