[openssl] master update

Matt Caswell matt at openssl.org
Thu Feb 4 12:29:43 UTC 2021

The branch master has been updated
       via  af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3 (commit)
       via  08cea586c9d0fd2fcf99ec1eacb7736a34139d8b (commit)
      from  a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896 (commit)

- Log -----------------------------------------------------------------
commit af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Feb 1 17:31:05 2021 +0000

    Remove a DSA related TODO
    There are no instances of the macros that this comment is referring to
    being used anywhere within current master. All of the macros were
    deprecated by commit f41ac0e. Therefore this TODO should just be removed.
    Fixes #13020
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14038)

commit 08cea586c9d0fd2fcf99ec1eacb7736a34139d8b
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Feb 1 15:45:44 2021 +0000

    Remove some TODO(OpenSSL1.2) references
    We had a couple of stray references to OpenSSL1.2 in libssl. We just
    reword the comments to remove those references without changing any
    The first one in t1_lib.c is a technical non-compliance in the TLSv1.3
    spec where, under some circumstances, we offer DSA sigalgs even in a
    ClientHello that eventually negotiates TLSv1.3. We explicitly chose to
    accept this behaviour in 1.1.1 and we're not planning to change it for
    The second one in s3_lib.c is regarnding the behaviour of
    SSL_set_tlsext_host_name(). Technically you shouldn't be able to call
    this from a server - but we allow it and just ignore it rather than
    raising an error. The TODO suggest we consider raising an error instead.
    However, with 3.0 we are trying to minimise breaking changes so I suggest
    not making this change now.
    Fixes #13161
    Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
    (Merged from https://github.com/openssl/openssl/pull/14037)


Summary of changes:
 include/openssl/dsa.h | 4 ----
 ssl/s3_lib.c          | 1 -
 ssl/t1_lib.c          | 5 ++++-
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h
index 681058597b..eacc6caa28 100644
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@@ -98,10 +98,6 @@ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 /* typedef struct dsa_st DSA; */
 /* typedef struct dsa_method DSA_METHOD; */
- * TODO(3.0): consider removing the ASN.1 encoding and decoding when
- * deserialization is completed elsewhere.
- */
 #   define d2i_DSAparams_fp(fp, x) \
         (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \
                            (char *(*)())d2i_DSAparams, (fp), \
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ae27add6df..a6c87ad75d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3491,7 +3491,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
-         * TODO(OpenSSL1.2)
          * This API is only used for a client to set what SNI it will request
          * from the server, but we currently allow it to be used on servers
          * as well, which is a programming error.  Currently we just clear
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c777a86eb7..7328c8e2b1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2036,7 +2036,10 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
     /* DSA is not allowed in TLS 1.3 */
     if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
         return 0;
-    /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
+    /*
+     * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
+     * spec
+     */
     if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION
         && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
             || lu->hash_idx == SSL_MD_MD5_IDX

More information about the openssl-commits mailing list