Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
1 年多 前同步成功

通知 10
Star 18
Fork 1
T
Third Party Openssl
提交 1c9ed1d8 编写于 作者: K Kurt Roeckx
浏览文件
操作

Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and SSL_OP_TLS_D5_BUG support. 

Suggested by David Benjamin
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NViktor Dukhovni <openssl-users@dukhovni.org>

MR: #1520
上级 933d1085
隐藏空白更改
内联 并排
Showing with 10 addition and 40 deletion
include/openssl/ssl.h
浏览文件 @ 1c9ed1d8
...@@ -362,11 +362,11 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, ...@@ -362,11 +362,11 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
/* Dead forever, see CVE-2010-4180. */ /* Dead forever, see CVE-2010-4180. */
# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0U # define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x0U
# define SSL_OP_TLSEXT_PADDING 0x00000010U # define SSL_OP_TLSEXT_PADDING 0x00000010U
# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020U # define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x0U
# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U
/* Ancient SSLeay version, retained for compatibility */ /* Ancient SSLeay version, retained for compatibility */
# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0 # define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x0
# define SSL_OP_TLS_D5_BUG 0x00000100U # define SSL_OP_TLS_D5_BUG 0x0U
/* Removed from OpenSSL 1.1.0 */ /* Removed from OpenSSL 1.1.0 */
# define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0U # define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0U
......
ssl/record/ssl3_buffer.c
浏览文件 @ 1c9ed1d8
...@@ -159,10 +159,6 @@ int ssl3_setup_read_buffer(SSL *s) ...@@ -159,10 +159,6 @@ int ssl3_setup_read_buffer(SSL *s)
if (b->buf == NULL) { if (b->buf == NULL) {
len = SSL3_RT_MAX_PLAIN_LENGTH len = SSL3_RT_MAX_PLAIN_LENGTH
+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) {
s->s3->init_extra = 1;
len += SSL3_RT_MAX_EXTRA;
}
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
if (ssl_allow_compression(s)) if (ssl_allow_compression(s))
len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
......
ssl/record/ssl3_record.c
浏览文件 @ 1c9ed1d8
...@@ -193,25 +193,11 @@ int ssl3_get_record(SSL *s) ...@@ -193,25 +193,11 @@ int ssl3_get_record(SSL *s)
unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE];
short version; short version;
unsigned mac_size; unsigned mac_size;
size_t extra;
unsigned empty_record_count = 0; unsigned empty_record_count = 0;
rr = RECORD_LAYER_get_rrec(&s->rlayer); rr = RECORD_LAYER_get_rrec(&s->rlayer);
sess = s->session; sess = s->session;
if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
extra = SSL3_RT_MAX_EXTRA;
else
extra = 0;
if (extra && !s->s3->init_extra) {
/*
* An application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
* ssl3_setup_buffers() was done
*/
SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
return -1;
}
again: again:
/* check if we have the header */ /* check if we have the header */
if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) || if ((RECORD_LAYER_get_rstate(&s->rlayer) != SSL_ST_READ_BODY) ||
...@@ -349,7 +335,7 @@ int ssl3_get_record(SSL *s) ...@@ -349,7 +335,7 @@ int ssl3_get_record(SSL *s)
*/ */
/* check is not needed I believe */ /* check is not needed I believe */
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) { if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
al = SSL_AD_RECORD_OVERFLOW; al = SSL_AD_RECORD_OVERFLOW;
SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
goto f_err; goto f_err;
...@@ -453,7 +439,7 @@ int ssl3_get_record(SSL *s) ...@@ -453,7 +439,7 @@ int ssl3_get_record(SSL *s)
if (i < 0 || mac == NULL if (i < 0 || mac == NULL
|| CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
enc_err = -1; enc_err = -1;
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra + mac_size) if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size)
enc_err = -1; enc_err = -1;
} }
...@@ -473,7 +459,7 @@ int ssl3_get_record(SSL *s) ...@@ -473,7 +459,7 @@ int ssl3_get_record(SSL *s)
/* r->length is now just compressed */ /* r->length is now just compressed */
if (s->expand != NULL) { if (s->expand != NULL) {
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + extra) { if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) {
al = SSL_AD_RECORD_OVERFLOW; al = SSL_AD_RECORD_OVERFLOW;
SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG); SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_COMPRESSED_LENGTH_TOO_LONG);
goto f_err; goto f_err;
...@@ -485,7 +471,7 @@ int ssl3_get_record(SSL *s) ...@@ -485,7 +471,7 @@ int ssl3_get_record(SSL *s)
} }
} }
if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH + extra) { if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
al = SSL_AD_RECORD_OVERFLOW; al = SSL_AD_RECORD_OVERFLOW;
SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
goto f_err; goto f_err;
......
ssl/s3_lib.c
浏览文件 @ 1c9ed1d8
...@@ -3402,8 +3402,6 @@ void ssl3_free(SSL *s) ...@@ -3402,8 +3402,6 @@ void ssl3_free(SSL *s)
void ssl3_clear(SSL *s) void ssl3_clear(SSL *s)
{ {
int init_extra;
ssl3_cleanup_key_block(s); ssl3_cleanup_key_block(s);
sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
OPENSSL_free(s->s3->tmp.ciphers_raw); OPENSSL_free(s->s3->tmp.ciphers_raw);
...@@ -3427,7 +3425,6 @@ void ssl3_clear(SSL *s) ...@@ -3427,7 +3425,6 @@ void ssl3_clear(SSL *s)
s->s3->is_probably_safari = 0; s->s3->is_probably_safari = 0;
#endif /* !OPENSSL_NO_EC */ #endif /* !OPENSSL_NO_EC */
init_extra = s->s3->init_extra;
ssl3_free_digest_list(s); ssl3_free_digest_list(s);
if (s->s3->alpn_selected) { if (s->s3->alpn_selected) {
...@@ -3436,7 +3433,6 @@ void ssl3_clear(SSL *s) ...@@ -3436,7 +3433,6 @@ void ssl3_clear(SSL *s)
} }
memset(s->s3, 0, sizeof(*s->s3)); memset(s->s3, 0, sizeof(*s->s3));
s->s3->init_extra = init_extra;
ssl_free_wbio_buffer(s); ssl_free_wbio_buffer(s);
......
ssl/ssl_locl.h
浏览文件 @ 1c9ed1d8
...@@ -1188,8 +1188,6 @@ typedef struct ssl3_state_st { ...@@ -1188,8 +1188,6 @@ typedef struct ssl3_state_st {
/* flags for countermeasure against known-IV weakness */ /* flags for countermeasure against known-IV weakness */
int need_empty_fragments; int need_empty_fragments;
int empty_fragment_done; int empty_fragment_done;
/* The value of 'extra' when the buffers were initialized */
int init_extra;
/* used during startup, digest all incoming/outgoing packets */ /* used during startup, digest all incoming/outgoing packets */
BIO *handshake_buffer; BIO *handshake_buffer;
/* /*
......
ssl/statem/statem_srvr.c
浏览文件 @ 1c9ed1d8
...@@ -2227,18 +2227,12 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) ...@@ -2227,18 +2227,12 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) { if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
enc_premaster = *pkt; enc_premaster = *pkt;
} else { } else {
PACKET orig = *pkt;
if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster) if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
|| PACKET_remaining(pkt) != 0) { || PACKET_remaining(pkt) != 0) {
/* Try SSLv3 behaviour for TLS. */ al = SSL_AD_DECODE_ERROR;
if (s->options & SSL_OP_TLS_D5_BUG) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
enc_premaster = orig; SSL_R_LENGTH_MISMATCH);
} else { goto f_err;
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_LENGTH_MISMATCH);
goto f_err;
}
} }
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册