Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
0f32c841
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
大约 1 年 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
0f32c841
编写于
3月 21, 2007
作者:
B
Bodo Möller
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
stricter session ID context matching
上级
41a8d516
变更
2
显示空白变更内容
内联
并排
Showing
2 changed file
with
51 addition
and
23 deletion
+51
-23
CHANGES
CHANGES
+28
-2
ssl/ssl_sess.c
ssl/ssl_sess.c
+23
-21
未找到文件。
CHANGES
浏览文件 @
0f32c841
...
@@ -2,7 +2,7 @@
...
@@ -2,7 +2,7 @@
OpenSSL CHANGES
OpenSSL CHANGES
_______________
_______________
Changes between 0.9.8
e
and 0.9.9 [xx XXX xxxx]
Changes between 0.9.8
f
and 0.9.9 [xx XXX xxxx]
*) Change ssl_cipher_apply_rule(), the internal function that does
*) Change ssl_cipher_apply_rule(), the internal function that does
the work each time a ciphersuite string requests enabling
the work each time a ciphersuite string requests enabling
...
@@ -481,13 +481,26 @@
...
@@ -481,13 +481,26 @@
*) Change 'Configure' script to enable Camellia by default.
*) Change 'Configure' script to enable Camellia by default.
[NTT]
[NTT]
Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
Changes between 0.9.8e and 0.9.8f [xx XXX xxxx]
*) In the SSL/TLS server implementation, be strict about session ID
context matching (which matters if an application uses a single
external cache for different purposes). Previously,
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
set. This did ensure strict client verification, but meant that,
with applications using a single external cache for quite
different requirements, clients could circumvent ciphersuite
restrictions for a given session ID context by starting a session
in a different context.
[Bodo Moeller]
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
a ciphersuite string such as "DEFAULT:RSA" cannot enable
a ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
authentication-only ciphersuites.
[Bodo Moeller]
[Bodo Moeller]
Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
*) Since AES128 and AES256 (and similarly Camellia128 and
*) Since AES128 and AES256 (and similarly Camellia128 and
Camellia256) share a single mask bit in the logic of
Camellia256) share a single mask bit in the logic of
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
...
@@ -1526,6 +1539,19 @@
...
@@ -1526,6 +1539,19 @@
differing sizes.
differing sizes.
[Richard Levitte]
[Richard Levitte]
Changes between 0.9.7m and 0.9.7n [xx XXX xxxx]
*) In the SSL/TLS server implementation, be strict about session ID
context matching (which matters if an application uses a single
external cache for different purposes). Previously,
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
set. This did ensure strict client verification, but meant that,
with applications using a single external cache for quite
different requirements, clients could circumvent ciphersuite
restrictions for a given session ID context by starting a session
in a different context.
[Bodo Moeller]
Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
*) Cleanse PEM buffers before freeing them since they may contain
*) Cleanse PEM buffers before freeing them since they may contain
...
...
ssl/ssl_sess.c
浏览文件 @
0f32c841
...
@@ -462,26 +462,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
...
@@ -462,26 +462,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
/* Now ret is non-NULL, and we own one of its reference counts. */
/* Now ret is non-NULL, and we own one of its reference counts. */
if
((
s
->
verify_mode
&
SSL_VERIFY_PEER
)
if
(
ret
->
sid_ctx_length
!=
s
->
sid_ctx_length
&&
(
!
s
->
sid_ctx_length
||
ret
->
sid_ctx_length
!=
s
->
sid_ctx_length
||
memcmp
(
ret
->
sid_ctx
,
s
->
sid_ctx
,
ret
->
sid_ctx_length
))
||
memcmp
(
ret
->
sid_ctx
,
s
->
sid_ctx
,
ret
->
sid_ctx_length
)))
{
{
/* We've found the session named by the client, but we don't
/* We've found the session named by the client, but we don't
* want to use it in this context. */
* want to use it in this context. */
if
(
s
->
sid_ctx_length
==
0
)
{
/* application should have used SSL[_CTX]_set_session_id_context
* -- we could tolerate this and just pretend we never heard
* of this session, but then applications could effectively
* disable the session cache by accident without anyone noticing */
SSLerr
(
SSL_F_SSL_GET_PREV_SESSION
,
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED
);
fatal
=
1
;
goto
err
;
}
else
{
#if 0 /* The client cannot always know when a session is not appropriate,
#if 0 /* The client cannot always know when a session is not appropriate,
* so we shouldn't generate an error message. */
* so we shouldn't generate an error message. */
...
@@ -489,6 +475,22 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
...
@@ -489,6 +475,22 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
#endif
#endif
goto
err
;
/* treat like cache miss */
goto
err
;
/* treat like cache miss */
}
}
if
((
s
->
verify_mode
&
SSL_VERIFY_PEER
)
&&
s
->
sid_ctx_length
==
0
)
{
/* We can't be sure if this session is being used out of
* context, which is especially important for SSL_VERIFY_PEER.
* The application should have used SSL[_CTX]_set_session_id_context.
*
* For this error case, we generate an error instead of treating
* the event like a cache miss (otherwise it would be easy for
* applications to effectively disable the session cache by
* accident without anyone noticing).
*/
SSLerr
(
SSL_F_SSL_GET_PREV_SESSION
,
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED
);
fatal
=
1
;
goto
err
;
}
}
if
(
ret
->
cipher
==
NULL
)
if
(
ret
->
cipher
==
NULL
)
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录