[openssl] master update
Matt Caswell
matt at openssl.org
Thu Feb 4 12:29:43 UTC 2021
The branch master has been updated
via af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3 (commit)
via 08cea586c9d0fd2fcf99ec1eacb7736a34139d8b (commit)
from a7246ea645b5d4c5ca7bde3dad4fcd6e63e11896 (commit)
- Log -----------------------------------------------------------------
commit af4d6c26af0bfaa837589b4fe39ec4942dd4c5b3
Author: Matt Caswell <matt at openssl.org>
Date: Mon Feb 1 17:31:05 2021 +0000
Remove a DSA related TODO
There are no instances of the macros that this comment is referring to
being used anywhere within current master. All of the macros were
deprecated by commit f41ac0e. Therefore this TODO should just be removed.
Fixes #13020
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14038)
commit 08cea586c9d0fd2fcf99ec1eacb7736a34139d8b
Author: Matt Caswell <matt at openssl.org>
Date: Mon Feb 1 15:45:44 2021 +0000
Remove some TODO(OpenSSL1.2) references
We had a couple of stray references to OpenSSL1.2 in libssl. We just
reword the comments to remove those references without changing any
behaviour.
The first one in t1_lib.c is a technical non-compliance in the TLSv1.3
spec where, under some circumstances, we offer DSA sigalgs even in a
ClientHello that eventually negotiates TLSv1.3. We explicitly chose to
accept this behaviour in 1.1.1 and we're not planning to change it for
3.0.
The second one in s3_lib.c is regarnding the behaviour of
SSL_set_tlsext_host_name(). Technically you shouldn't be able to call
this from a server - but we allow it and just ignore it rather than
raising an error. The TODO suggest we consider raising an error instead.
However, with 3.0 we are trying to minimise breaking changes so I suggest
not making this change now.
Fixes #13161
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14037)
-----------------------------------------------------------------------
Summary of changes:
include/openssl/dsa.h | 4 ----
ssl/s3_lib.c | 1 -
ssl/t1_lib.c | 5 ++++-
3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h
index 681058597b..eacc6caa28 100644
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@@ -98,10 +98,6 @@ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
/* typedef struct dsa_st DSA; */
/* typedef struct dsa_method DSA_METHOD; */
-/*
- * TODO(3.0): consider removing the ASN.1 encoding and decoding when
- * deserialization is completed elsewhere.
- */
# define d2i_DSAparams_fp(fp, x) \
(DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \
(char *(*)())d2i_DSAparams, (fp), \
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ae27add6df..a6c87ad75d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3491,7 +3491,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#endif
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
/*
- * TODO(OpenSSL1.2)
* This API is only used for a client to set what SNI it will request
* from the server, but we currently allow it to be used on servers
* as well, which is a programming error. Currently we just clear
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c777a86eb7..7328c8e2b1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2036,7 +2036,10 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
/* DSA is not allowed in TLS 1.3 */
if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
return 0;
- /* TODO(OpenSSL1.2) fully axe DSA/etc. in ClientHello per TLS 1.3 spec */
+ /*
+ * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3
+ * spec
+ */
if (!s->server && !SSL_IS_DTLS(s) && s->s3.tmp.min_ver >= TLS1_3_VERSION
&& (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
|| lu->hash_idx == SSL_MD_MD5_IDX
More information about the openssl-commits
mailing list