1. 23 9月, 2017 1 次提交
  2. 31 8月, 2017 2 次提交
  3. 11 8月, 2017 1 次提交
  4. 10 8月, 2017 1 次提交
    • B
      Don't modify resumed session objects · e3743355
      Benjamin Kaduk 提交于
      If s->hit is set, s->session corresponds to a session created on
      a previous connection, and is a data structure that is potentially
      shared across other SSL objects.  As such, there are thread-safety
      issues with modifying the structure without taking its lock (and
      of course all corresponding read accesses would also need to take
      the lock as well), which have been observed to cause double-frees.
      
      Regardless of thread-safety, the resumed session object is intended
      to reflect parameters of the connection that created the session,
      and modifying it to reflect the parameters from the current connection
      is confusing.  So, modifications to the session object during
      ClientHello processing should only be performed on new connections,
      i.e., those where s->hit is not set.
      
      The code mostly got this right, providing such checks when processing
      SNI and EC point formats, but the supported groups (formerly
      supported curves) extension was missing it, which is fixed by this commit.
      
      However, TLS 1.3 makes the suppported_groups extension mandatory
      (when using (EC)DHE, which is the normal case), checking for the group
      list in the key_share extension processing.  But, TLS 1.3 only [0] supports
      session tickets for session resumption, so the session object in question
      is the output of d2i_SSL_SESSION(), and will not be shared across SSL
      objects.  Thus, it is safe to modify s->session for TLS 1.3 connections.
      
      [0] A psk_find_session callback can also be used, but the restriction that
      each callback execution must produce a distinct SSL_SESSION structure
      can be documented when the psk_find_session callback documentation is
      completed.
      Reviewed-by: NAndy Polyakov <appro@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4123)
      e3743355
  5. 18 7月, 2017 1 次提交
  6. 07 7月, 2017 1 次提交
  7. 21 6月, 2017 2 次提交
  8. 16 6月, 2017 1 次提交
  9. 07 6月, 2017 1 次提交
  10. 19 5月, 2017 1 次提交
    • M
      Try to be more consistent about the alerts we send · fb34a0f4
      Matt Caswell 提交于
      We are quite inconsistent about which alerts get sent. Specifically, these
      alerts should be used (normally) in the following circumstances:
      
      SSL_AD_DECODE_ERROR = The peer sent a syntactically incorrect message
      SSL_AD_ILLEGAL_PARAMETER = The peer sent a message which was syntactically
      correct, but a parameter given is invalid for the context
      SSL_AD_HANDSHAKE_FAILURE = The peer's messages were syntactically and
      semantically correct, but the parameters provided were unacceptable to us
      (e.g. because we do not support the requested parameters)
      SSL_AD_INTERNAL_ERROR = We messed up (e.g. malloc failure)
      
      The standards themselves aren't always consistent but I think the above
      represents the best interpretation.
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/3480)
      fb34a0f4
  11. 17 5月, 2017 1 次提交
  12. 11 5月, 2017 2 次提交
  13. 10 5月, 2017 1 次提交
  14. 08 5月, 2017 2 次提交
  15. 20 4月, 2017 1 次提交
  16. 07 4月, 2017 1 次提交
  17. 16 3月, 2017 1 次提交
  18. 05 3月, 2017 1 次提交
  19. 03 3月, 2017 6 次提交
  20. 16 2月, 2017 1 次提交
    • M
      Don't change the state of the ETM flags until CCS processing · 28a31a0a
      Matt Caswell 提交于
      In 1.1.0 changing the ciphersuite during a renegotiation can result in
      a crash leading to a DoS attack. In master this does not occur with TLS
      (instead you get an internal error, which is still wrong but not a security
      issue) - but the problem still exists in the DTLS code.
      
      The problem is caused by changing the flag indicating whether to use ETM
      or not immediately on negotiation of ETM, rather than at CCS. Therefore,
      during a renegotiation, if the ETM state is changing (usually due to a
      change of ciphersuite), then an error/crash will occur.
      
      Due to the fact that there are separate CCS messages for read and write
      we actually now need two flags to determine whether to use ETM or not.
      
      CVE-2017-3733
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      28a31a0a
  21. 14 2月, 2017 3 次提交
  22. 30 1月, 2017 8 次提交