Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
b1fe6ca1
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
10
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
b1fe6ca1
编写于
25年前
作者:
B
Bodo Möller
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Store verify_result with sessions to avoid potential security hole.
上级
91895a59
变更
9
隐藏空白更改
内联
并排
Showing
9 changed file
with
54 addition
and
6 deletion
+54
-6
CHANGES
CHANGES
+11
-0
crypto/x509/x509_vfy.h
crypto/x509/x509_vfy.h
+1
-0
ssl/s2_clnt.c
ssl/s2_clnt.c
+1
-1
ssl/s2_srvr.c
ssl/s2_srvr.c
+1
-0
ssl/s3_srvr.c
ssl/s3_srvr.c
+1
-0
ssl/ssl.h
ssl/ssl.h
+5
-1
ssl/ssl_asn1.c
ssl/ssl_asn1.c
+26
-4
ssl/ssl_sess.c
ssl/ssl_sess.c
+3
-0
ssl/ssltest.c
ssl/ssltest.c
+5
-0
未找到文件。
CHANGES
浏览文件 @
b1fe6ca1
...
...
@@ -4,6 +4,17 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
*) For servers, store verify_result in SSL_SESSION data structure
(and add it to external session representation).
This is needed when client certificate verifications fails,
but an application-provided verification callback (set by
SSL_CTX_set_cert_verify_callback) allows accepting the session
anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
but returns 1): When the session is reused, we have to set
ssl->verify_result to the appropriate error code to avoid
security holes.
[Bodo Moeller, problem pointed out by Lutz Jaenicke]
*) Fix a bug in the new PKCS#7 code: it didn't consider the
case in PKCS7_dataInit() where the signed PKCS7 structure
didn't contain any existing data because it was being created.
...
...
This diff is collapsed.
Click to expand it.
crypto/x509/x509_vfy.h
浏览文件 @
b1fe6ca1
...
...
@@ -234,6 +234,7 @@ struct x509_store_state_st /* X509_STORE_CTX */
X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
#define X509_V_OK 0
/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
#define X509_V_ERR_UNABLE_TO_GET_CRL 3
...
...
This diff is collapsed.
Click to expand it.
ssl/s2_clnt.c
浏览文件 @
b1fe6ca1
...
...
@@ -445,7 +445,7 @@ static int get_server_hello(SSL *s)
CRYPTO_w_unlock(CRYPTO_LOCK_X509);
#else
s
->
session
->
peer
=
s
->
session
->
sess_cert
->
peer_key
->
x509
;
/* peer_key->x509 has been set by ssl2_set_certificate. */
/* peer_key->x509 has been set by ssl2_set_certificate. */
CRYPTO_add
(
&
s
->
session
->
peer
->
references
,
1
,
CRYPTO_LOCK_X509
);
#endif
...
...
This diff is collapsed.
Click to expand it.
ssl/s2_srvr.c
浏览文件 @
b1fe6ca1
...
...
@@ -921,6 +921,7 @@ static int request_certificate(SSL *s)
X509_free
(
s
->
session
->
peer
);
s
->
session
->
peer
=
x509
;
CRYPTO_add
(
&
x509
->
references
,
1
,
CRYPTO_LOCK_X509
);
s
->
session
->
verify_result
=
s
->
verify_result
;
ret
=
1
;
goto
end
;
}
...
...
This diff is collapsed.
Click to expand it.
ssl/s3_srvr.c
浏览文件 @
b1fe6ca1
...
...
@@ -1627,6 +1627,7 @@ static int ssl3_get_client_certificate(SSL *s)
if
(
s
->
session
->
peer
!=
NULL
)
/* This should not be needed */
X509_free
(
s
->
session
->
peer
);
s
->
session
->
peer
=
sk_X509_shift
(
sk
);
s
->
session
->
verify_result
=
s
->
verify_result
;
/* With the current implementation, sess_cert will always be NULL
* when we arrive here. */
...
...
This diff is collapsed.
Click to expand it.
ssl/ssl.h
浏览文件 @
b1fe6ca1
...
...
@@ -215,7 +215,8 @@ typedef struct ssl_method_st
* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
* Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
* Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context
* Compression [5] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
* Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer'
* Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
* }
* Look in ssl/ssl_asn1.c for more details
* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
...
...
@@ -249,6 +250,9 @@ typedef struct ssl_session_st
* (the latter is not enough as sess_cert is not retained
* in the external representation of sessions, see ssl_asn1.c). */
X509
*
peer
;
/* when app_verify_callback accepts a session where the peer's certificate
* is not ok, we must remember the error for session reuse: */
long
verify_result
;
/* only for servers */
int
references
;
long
timeout
;
...
...
This diff is collapsed.
Click to expand it.
ssl/ssl_asn1.c
浏览文件 @
b1fe6ca1
...
...
@@ -60,6 +60,7 @@
#include <stdlib.h>
#include <openssl/asn1_mac.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include "ssl_locl.h"
typedef
struct
ssl_session_asn1_st
...
...
@@ -73,14 +74,15 @@ typedef struct ssl_session_asn1_st
ASN1_OCTET_STRING
key_arg
;
ASN1_INTEGER
time
;
ASN1_INTEGER
timeout
;
ASN1_INTEGER
verify_result
;
}
SSL_SESSION_ASN1
;
int
i2d_SSL_SESSION
(
SSL_SESSION
*
in
,
unsigned
char
**
pp
)
{
#define LSIZE2 (sizeof(long)*2)
int
v1
=
0
,
v2
=
0
,
v3
=
0
,
v4
=
0
;
int
v1
=
0
,
v2
=
0
,
v3
=
0
,
v4
=
0
,
v5
=
0
;
unsigned
char
buf
[
4
],
ibuf1
[
LSIZE2
],
ibuf2
[
LSIZE2
];
unsigned
char
ibuf3
[
LSIZE2
],
ibuf4
[
LSIZE2
];
unsigned
char
ibuf3
[
LSIZE2
],
ibuf4
[
LSIZE2
]
,
ibuf5
[
LSIZE2
]
;
long
l
;
SSL_SESSION_ASN1
a
;
M_ASN1_I2D_vars
(
in
);
...
...
@@ -156,6 +158,14 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
ASN1_INTEGER_set
(
&
(
a
.
timeout
),
in
->
timeout
);
}
if
(
in
->
verify_result
!=
X509_V_OK
)
{
a
.
verify_result
.
length
=
LSIZE2
;
a
.
verify_result
.
type
=
V_ASN1_INTEGER
;
a
.
verify_result
.
data
=
ibuf5
;
ASN1_INTEGER_set
(
&
a
.
verify_result
,
in
->
verify_result
);
}
M_ASN1_I2D_len
(
&
(
a
.
version
),
i2d_ASN1_INTEGER
);
M_ASN1_I2D_len
(
&
(
a
.
ssl_version
),
i2d_ASN1_INTEGER
);
M_ASN1_I2D_len
(
&
(
a
.
cipher
),
i2d_ASN1_OCTET_STRING
);
...
...
@@ -170,6 +180,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
if
(
in
->
peer
!=
NULL
)
M_ASN1_I2D_len_EXP_opt
(
in
->
peer
,
i2d_X509
,
3
,
v3
);
M_ASN1_I2D_len_EXP_opt
(
&
a
.
session_id_context
,
i2d_ASN1_OCTET_STRING
,
4
,
v4
);
if
(
in
->
verify_result
!=
X509_V_OK
)
M_ASN1_I2D_len_EXP_opt
(
&
(
a
.
verify_result
),
i2d_ASN1_INTEGER
,
5
,
v5
);
M_ASN1_I2D_seq_total
();
...
...
@@ -188,7 +200,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
M_ASN1_I2D_put_EXP_opt
(
in
->
peer
,
i2d_X509
,
3
,
v3
);
M_ASN1_I2D_put_EXP_opt
(
&
a
.
session_id_context
,
i2d_ASN1_OCTET_STRING
,
4
,
v4
);
if
(
in
->
verify_result
!=
X509_V_OK
)
M_ASN1_I2D_put_EXP_opt
(
&
a
.
verify_result
,
i2d_ASN1_INTEGER
,
5
,
v5
);
M_ASN1_I2D_finish
();
}
...
...
@@ -322,6 +335,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
else
ret
->
sid_ctx_length
=
0
;
ai
.
length
=
0
;
M_ASN1_D2I_get_EXP_opt
(
aip
,
d2i_ASN1_INTEGER
,
5
);
if
(
ai
.
data
!=
NULL
)
{
ret
->
verify_result
=
ASN1_INTEGER_get
(
aip
);
Free
(
ai
.
data
);
ai
.
data
=
NULL
;
ai
.
length
=
0
;
}
else
ret
->
verify_result
=
X509_V_OK
;
M_ASN1_D2I_Finish
(
a
,
SSL_SESSION_free
,
SSL_F_D2I_SSL_SESSION
);
}
This diff is collapsed.
Click to expand it.
ssl/ssl_sess.c
浏览文件 @
b1fe6ca1
...
...
@@ -112,6 +112,7 @@ SSL_SESSION *SSL_SESSION_new(void)
}
memset
(
ss
,
0
,
sizeof
(
SSL_SESSION
));
ss
->
verify_result
=
1
;
/* avoid 0 (= X509_V_OK) just in case */
ss
->
references
=
1
;
ss
->
timeout
=
60
*
5
+
4
;
/* 5 minute timeout by default */
ss
->
time
=
time
(
NULL
);
...
...
@@ -190,6 +191,7 @@ int ssl_get_new_session(SSL *s, int session)
ss
->
sid_ctx_length
=
s
->
sid_ctx_length
;
s
->
session
=
ss
;
ss
->
ssl_version
=
s
->
version
;
ss
->
verify_result
=
X509_V_OK
;
return
(
1
);
}
...
...
@@ -320,6 +322,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
if
(
s
->
session
!=
NULL
)
SSL_SESSION_free
(
s
->
session
);
s
->
session
=
ret
;
s
->
verify_result
=
s
->
session
->
verify_result
;
return
(
1
);
err:
...
...
This diff is collapsed.
Click to expand it.
ssl/ssltest.c
浏览文件 @
b1fe6ca1
...
...
@@ -398,6 +398,11 @@ bad:
SSL_CTX_set_verify
(
c_ctx
,
SSL_VERIFY_PEER
,
verify_callback
);
}
{
int
session_id_context
=
0
;
SSL_CTX_set_session_id_context
(
s_ctx
,
(
void
*
)
&
session_id_context
,
sizeof
session_id_context
);
}
c_ssl
=
SSL_new
(
c_ctx
);
s_ssl
=
SSL_new
(
s_ctx
);
...
...
This diff is collapsed.
Click to expand it.
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录
新手
引导
客服
返回
顶部