290 Commits

Author	SHA1	Message	Date
Bob Beck	2fab90bb5e	4.0-POST-CLANG-FORMAT-WEBKIT ... Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> (Merged from https://github.com/openssl/openssl/pull/29242)	2025-12-09 00:28:19 -07:00
Richard Levitte	96459b12aa	Rename SSL_CERT_LOOKUP.nid to pkey_nid ... Hopefully, this will help further clarify the intent of this SSL_CERT_LOOKUP field to future developer. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/29027)	2025-10-30 19:03:25 +01:00
Eugene Syromiatnikov	351caebeac	ssl: use array memory (re)allocation routines ... Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/28059)	2025-08-08 12:22:10 -04:00
martin	b1b4b154fd	Add support for TLS 1.3 OCSP multi-stapling for server certs ... Co-authored-by: Michael Krueger Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20945)	2025-07-25 17:24:37 +02:00
Matt Caswell	4b148ebb66	Ensure we pass the user SSL object for the SSL_set_verify callback ... When calling the verify callback we need to ensure we supply the user SSL object, and not any internal SSL object. Fixes #27830 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/27838)	2025-06-17 16:12:39 -04:00
openssl-machine	0c679f5566	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Release: yes	2025-03-12 13:35:59 +00:00
Tomas Mraz	be5965acad	add_uris_recursive(): Avoid OSSL_STORE_INFO leak on error ... Fixes #26480 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26511)	2025-02-25 15:50:45 +01:00
Frederik Wedel-Heinen	00fbc96988	Adds missing checks of return from XXX_up_ref(). ... Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26294)	2025-02-18 16:32:59 +01:00
Hugo Landau	bf55326752	libssl: Move SSL object unwrapping macros to separate header ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23334)	2025-02-17 11:27:32 -05:00
Viktor Dukhovni	3252fe646b	Avoid calling ssl_load_sigalgs in tls1_set_sigalgs_list ... - The signature algorithms are already loaded in SSL_CTX_new() - Calling ssl_load_sigalgs() again is non-productive, and does not look thread safe. - And of course avoiding the call is cheaper. - Also fix broken loop test in ssl_cert_lookup_by_pkey() Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26671)	2025-02-12 03:13:07 +11:00
Neil Horman	dc10ffc283	Fix potential use-after-free in REF_PRINT_COUNT ... We use REF_PRINT_COUNT to dump out the value of various reference counters in our code However, we commonly use this macro after an increment or decrement. On increment its fine, but on decrement its not, because the macro dereferences the object holding the counter value, which may be freed by another thread, as we've given up our ref count to it prior to using the macro. The rule is that we can't reference memory for an object once we've released our reference, so lets fix this by altering REF_PRINT_COUNT to accept the value returned by CRYPTO_[UP|DOWN]_REF instead. The eliminates the need to dereference the memory the object points to an allows us to use the call after we release our reference count Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25664)	2024-12-10 14:58:08 +01:00
Matt Caswell	dc84829cc5	Make sure we use the correct SSL object when making a callback ... When processing a callback within libssl that applies to TLS the original SSL object may have been created for TLS directly, or for QUIC. When making the callback we must make sure that we use the correct SSL object. In the case of QUIC we must not use the internal only SSL object. Fixes #25788 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25874)	2024-11-07 12:05:34 +01:00
Зишан Мирза	3ef1b7426b	Check file name for not being NULL before opening it ... Fixes #24416 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25458)	2024-09-26 20:35:26 +02:00
FdaSilvaYY	2bb83824bb	ssl: rework "e_os.h" inclusions ... - Remove e_os.h include from "ssl_local.h" - Added e_os.h into the files that need it now. - Move e_os.h to be the very first include Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14344)	2024-09-05 17:02:51 +02:00
Tomas Mraz	7ed6de997f	Copyright year updates ... Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes	2024-09-05 09:35:49 +02:00
Clemens Lang	5cec58bdff	Speed up SSL_add_{file,dir}_cert_subjects_to_stack ... The X509_NAME comparison function converts its arguments to DER using i2d_X509_NAME before comparing the results using memcmp(). For every invocation of the comparison function (of which there are many when loading many certificates), it allocates two buffers of the appropriate size for the DER encoding. Switching to static buffers (possibly of X509_NAME_MAX size as defined in crypto/x509/x_name.c) would not work with multithreaded use, e.g., when two threads sort two separate STACK_OF(X509_NAME)s at the same time. A suitable re-usable buffer could have been added to the STACK_OF(X509_NAME) if sk_X509_NAME_compfunc did have a void* argument, or a pointer to the STACK_OF(X509_NAME) – but it does not. Instead, copy the solution chosen in SSL_load_client_CA_file() by filling an LHASH_OF(X509_NAME) with all existing names in the stack and using that to deduplicate, rather than relying on sk_X509_NAME_find(), which ends up being very slow. Adjust SSL_add_dir_cert_subjects_to_stack() to keep a local LHASH_OF(X509_NAME)s over the complete directory it is processing. In a small benchmark that calls SSL_add_dir_cert_subjects_to_stack() twice, once on a directory with one entry, and once with a directory with 1000 certificates, and repeats this in a loop 10 times, this change yields a speed-up of 5.32: | Benchmark 1: ./bench 10 dir-1 dir-1000 | Time (mean ± σ): 6.685 s ± 0.017 s [User: 6.402 s, System: 0.231 s] | Range (min … max): 6.658 s … 6.711 s 10 runs | | Benchmark 2: LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 | Time (mean ± σ): 1.256 s ± 0.013 s [User: 1.034 s, System: 0.212 s] | Range (min … max): 1.244 s … 1.286 s 10 runs | | Summary | LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 ran | 5.32 ± 0.06 times faster than ./bench 10 dir-1 dir-1000 In the worst case scenario where many entries are added to a stack that is then repeatedly used to add more certificates, and with a larger test size, the speedup is still very significant. With 15000 certificates, a single pass to load them, followed by attempting to load a subset of 1000 of these 15000 certificates, followed by a single certificate, the new approach is ~85 times faster: | Benchmark 1: ./bench 1 dir-15000 dir-1000 dir-1 | Time (mean ± σ): 176.295 s ± 4.147 s [User: 174.593 s, System: 0.448 s] | Range (min … max): 173.774 s … 185.594 s 10 runs | | Benchmark 2: LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 | Time (mean ± σ): 2.087 s ± 0.034 s [User: 1.679 s, System: 0.393 s] | Range (min … max): 2.057 s … 2.167 s 10 runs | | Summary | LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 ran | 84.48 ± 2.42 times faster than ./bench 1 dir-15000 dir-1000 dir-1 Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25056)	2024-08-01 17:28:18 +02:00
Dimitri Papadopoulos	1cf2f8231e	Remove trailing whitespace ... Found by running the checkpatch.pl Linux script to enforce coding style. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22097)	2024-07-22 06:55:35 -04:00
Hugo Landau	5fb4433606	Make ssl_cert_info read-only ... Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/22828)	2023-11-27 07:51:33 +00:00
Pauli	43a07d6dd4	tls: update to structure based atomics ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21260)	2023-07-01 21:18:25 +10:00
Tomas Mraz	3155b5a90e	Fix regression of no-posix-io builds ... Instead of using stat() to check if a file is a directory we just skip . and .. as a workaround. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/20786)	2023-04-25 11:32:20 +02:00
Todd Short	3c95ef22df	RFC7250 (RPK) support ... Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)	2023-03-28 13:49:54 -04:00
Pauli	b36e677f8f	Coverity 1521490: resource leak ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20504)	2023-03-15 19:58:07 +11:00
Michael Baentsch	ee58915cfd	first cut at sigalg loading ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19312)	2023-02-24 11:02:48 +11:00
olszomal	1dc35d44f3	Skip subdirectories in SSL_add_dir_cert_subjects_to_stack() ... Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20312)	2023-02-23 20:10:58 +11:00
Todd Short	b67cb09f8d	Add support for compressed certificates (RFC8879) ... * Compressed Certificate extension (server/client) * Server certificates (send/receive) * Client certificate (send/receive) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18186)	2022-10-18 09:30:22 -04:00
Richard Levitte	e077455e9e	Stop raising ERR_R_MALLOC_FAILURE in most places ... Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)	2022-10-05 14:02:03 +02:00
Tomas Mraz	38b051a1fe	SSL object refactoring using SSL_CONNECTION object ... Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented a QUIC stream. It requires adding if after every SSL_CONNECTION_FROM_SSL() call which itself has to be added to almost every public SSL_ API call. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18612)	2022-07-28 10:04:28 +01:00
Pauli	7bf2e4d7f0	tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above ... This is in line with the NEWS entry (erroneously) announcing such for 3.0. Fixes #18194 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18236)	2022-05-08 16:58:00 +10:00
Matt Caswell	fecb3aae22	Update copyright year ... Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes	2022-05-03 13:34:51 +01:00
Hugo Landau	948cf52179	Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions ... Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18038)	2022-04-06 18:21:11 +02:00
Nicola Tuveri	b139a95665	[ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3 ... Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)	2022-03-01 10:51:03 +02:00
Nicola Tuveri	66914fc024	[ssl] Prefer SSL_k(EC)?DHE to the SSL_kE(EC)?DH alias ... `SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)	2022-03-01 10:51:03 +02:00
Dr. David von Oheimb	79b2a2f2ee	add OSSL_STACK_OF_X509_free() for commonly used pattern ... Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17307)	2021-12-21 12:11:49 +01:00
Matt Caswell	c1c1bb7c5e	Fix invalid handling of verify errors in libssl ... In the event that X509_verify() returned an internal error result then libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY. That return code is supposed to only ever be returned if an application is using an app verify callback to complete replace the use of X509_verify(). Applications may not be written to expect that return code and could therefore crash (or misbehave in some other way) as a result. CVE-2021-4044 Reviewed-by: Tomas Mraz <tomas@openssl.org>	2021-12-14 13:48:34 +00:00
Peiwei Hu	e3f0362407	BIO_read_filename: fix return check ... Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17033)	2021-11-16 17:34:11 +01:00
slontis	c3b5fa4ab7	Change TLS RC4 cipher strength check to be data driven. ... This is a same pattern as used in PR #16652 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16656)	2021-09-23 14:17:33 +02:00
Hubert Kario	657489e812	cross-reference the DH and RSA SECLEVEL to level of security mappings ... Since the DH check is used only in DHE-PSK ciphersuites, it's easy to miss it when updating the RSA mapping. Add cross-references so that they remain consistent. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15853)	2021-06-23 09:26:15 +10:00
Pauli	d7b5c648d6	ssl: do not choose auto DH groups that are weaker than the security level ... Fixes #15808 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15818)	2021-06-19 15:49:46 +10:00
Shane Lontis	4e4ae84056	Fix NULL access in ssl_build_cert_chain() when ctx is NULL. ... Fixes #14294 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14295)	2021-03-03 16:16:19 +10:00
Matt Caswell	5b64ce89b0	Remove OPENSSL_NO_DH guards from libssl ... This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that libssl is entirely using the EVP APIs and implementations can be plugged in via providers it is no longer needed to disable DH at compile time in libssl. Instead it should detect at runtime whether DH is available from the loaded providers. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)	2021-02-05 15:20:36 +00:00
Richard Levitte	4333b89f50	Update copyright year ... Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999)	2021-01-28 13:54:57 +01:00
Dr. David von Oheimb	bf973d0697	Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1 ... Deprecate X509_NAME_hash() Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13762)	2021-01-13 09:09:36 +01:00
Matt Caswell	13c453728c	Only disabled what we need to in a no-dh build ... no-dh disables the low level API for DH. However, since we're now using the high level EVP API in most places we don't need to disable quite so much. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)	2020-11-18 14:14:52 +00:00
Richard Levitte	c48ffbcca1	SSL: refactor all SSLfatal() calls ... Since SSLfatal() doesn't take a function code any more, we drop that argument everywhere. Also, we convert all combinations of SSLfatal() and ERR_add_data() to an SSLfatal_data() call. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)	2020-11-11 12:12:23 +01:00
Richard Levitte	6849b73ccc	Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call ... This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13316)	2020-11-11 12:12:11 +01:00
Dr. Matthias St. Pierre	b425001010	Rename OPENSSL_CTX prefix to OSSL_LIB_CTX ... Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12621)	2020-10-15 11:59:53 +01:00
Matt Caswell	d8652be06e	Run the withlibctx.pl script ... Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)	2020-10-01 09:25:20 +01:00
Matt Caswell	e6623cfbff	Fix safestack issues in x509.h ... Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)	2020-09-13 11:09:45 +01:00
Shane Lontis	6725682d77	Add X509 related libctx changes. ... - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)	2020-07-24 22:53:27 +10:00
Richard Levitte	92dc275f95	SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys ... Fixes #11720 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11828)	2020-05-15 16:43:31 +02:00