- Feb 26, 2017
-
-
Andy Polyakov authored
Reviewed-by:Rich Salz <rsalz@openssl.org>
-
Andy Polyakov authored
Reviewed-by: -
Andy Polyakov authored
Reviewed-by: -
Andy Polyakov authored
Reviewed-by: -
Andy Polyakov authored
Reviewed-by: -
Andy Polyakov authored
Reviewed-by: -
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Richard Levitte authored
There are cases when, if you pass a NULL UI_METHOD, the called function will use an internal default. This is well and good, but there may be cases when this is undesirable and one would rather send in a UI that does absolutely nothing (sort of a /dev/null). UI_null() is the UI_METHOD for this purpose. Reviewed-by:
-
- Feb 25, 2017
-
-
Andy Polyakov authored
This is initial and minimal single-block implementation. Reviewed-by: -
Andy Polyakov authored
Effectively it's minor size optimization, 5-6% per affected subroutine. Reviewed-by: -
Andy Polyakov authored
On pre-Skylake best optimization strategy was balancing port-specific instructions, while on Skylake minimizing the sheer amount appears more sensible. Reviewed-by: -
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
- Feb 24, 2017
-
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Emilia Kasper authored
- Reject fractional seconds - Reject offsets - Check that the date/time digits are in valid range. - Add documentation for X509_cmp_time GH issue 2620 Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
-
Andy Polyakov authored
Since CI is engaged on per merge request basis, it can be wasteful to run each request through all the tests, especially those resource consuming. Idea is to mark most of tests as "extended" and provide a way to opt-in by marking last commit with [extended tests] tag. It's still not as optimal as one could wish, as decision to skip a test still requires machine time, and it's taken in configured environment, i.e. with updates and additional packages installed... Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Bernd Edlinger authored
Avoid a -Wundef warning in refcount.h Avoid a -Wundef warning in o_str.c Avoid a -Wundef warning in testutil.h Include internal/cryptlib.h before openssl/stack.h to avoid use of undefined symbol OPENSSL_API_COMPAT. Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
-
Dr. Stephen Henson authored
The certificate types used to be held in a fixed length array or (if it was too long) a malloced buffer. This was done to retain binary compatibility. The code can be simplified now SSL is opaque by always using a malloced buffer. Reviewed-by:
-
- Feb 23, 2017
-
-
Pauli authored
Reviewed-by:
-
Todd Short authored
If ret is allocated, it may be leaked on error. Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Kurt Roeckx authored
Reviewed-by:Matt Caswell <matt@openssl.org> GH: #2732
-
Kurt Roeckx authored
Reviewed-by:
-
Benjamin Kaduk authored
Make sure that we can stop handshake processing and resume it later. Also check that the cipher list and compression methods are sane. Unfortunately, we don't have the client-side APIs needed to force a specific (known) session ID to be sent in the ClientHello, so that accessor cannot be tested here. Reviewed-by:
-
Benjamin Kaduk authored
Certain callback APIs allow the callback to request async processing by trickling a particular error value up the stack to the application as an error return from the handshake function. In those cases, SSL_want() returns a code specific to the type of async processing needed. The create_ssl_connection() helper function for the tests is very helpful for several things, including creating API tests. However, it does not currently let us test the async processing functionality of these callback interfaces, because the special SSL error codes are treated as generic errors and the helper continues to loop until it reaches its maximum iteration count. Add a new parameter, 'want', that indicates an expected/desired special SSL error code, so that the helper will terminate when either side reports that error, giving control back to the calling function and allowing the test to proceed. Reviewed-by:
-
Benjamin Kaduk authored
create_ssl_connection() prints out the results if SSL_accept() and/or SSL_connect() fail, but was reusing the client return value when printing about SSL_accept() failures. Reviewed-by:
-
Benjamin Kaduk authored
Reviewed-by:
-
Benjamin Kaduk authored
Plumb things through in the same place as the SNI callback, since we recommend that the early callback replace (and supplement) the SNI callback, and add a few test cases. Reviewed-by:
-
Benjamin Kaduk authored
Provide a callback interface that gives the application the ability to adjust the nascent SSL object at the earliest stage of ClientHello processing, immediately after extensions have been collected but before they have been processed. This is akin to BoringSSL's "select_certificate_cb" (though it is not API compatible), and as the name indicates, one major use is to examine the supplied server name indication and select what certificate to present to the client. However, it can also be used to make more sweeping configuration changes to the SSL object according to the selected server identity and configuration. That may include adjusting the permitted TLS versions, swapping out the SSL_CTX object (as is traditionally done in a tlsext_servername_callback), changing the server's cipher list, and more. We also wish to allow an early callback to indicate that it needs to perform additional work asynchronously and resume processing later. To that effect, refactor the second half of tls_process_client_hello() into a subroutine to be called at the post-processing stage (including the early callback itself), to allow the callback to result in remaining in the same work stage for a later call to succeed. This requires allocating for and storing the CLIENTHELLO_MSG in the SSL object to be preserved across such calls, but the storage is reclaimed after ClientHello processing finishes. Information about the CliehtHello is available to the callback by means of accessor functions that can only be used from the early callback. This allows extensions to make use of the existing internal parsing machinery without exposing structure internals (e.g., of PACKET), so that applications do not have to write fragile parsing code. Applications are encouraged to utilize an early callback and not use a servername_callback, in order to avoid unexpected behavior that occurs due to the relative order of processing between things like session resumption and the historical servername callback. Also tidy up nearby style by removing unnecessary braces around one-line conditional bodies. Reviewed-by:
-
