Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
大约 1 年 前同步成功

通知 9
Star 18
Fork 1
T
Third Party Openssl

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
  1. 18 7月, 2016 5 次提交
    • M
      Try and make the transition tests for CKE message clearer · 0f512756
      Matt Caswell 提交于 
      The logic testing whether a CKE message is allowed or not was a little
difficult to follow. This tries to clean it up.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      0f512756
    • M
      Simplify key_exchange_expected() logic · 7d2c13a7
      Matt Caswell 提交于 
      The static function key_exchange_expected() used to return -1 on error.
Commit 361a1191 changed that so that it can never fail. This means that
some tidy up can be done to simplify error handling in callers of that
function.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      7d2c13a7
    • M
      Make sure we call ssl3_digest_cached_records() when necessary · 149c2ef5
      Matt Caswell 提交于 
      Having received a ClientKeyExchange message instead of a Certificate we
know that we are not going to receive a CertificateVerify message. This
means we can free up the handshake_buffer. However we better call
ssl3_digest_cached_records() instead of just freeing it up, otherwise we
later try and use it anyway and a core dump results. This could happen,
for example, in SSLv3 where we send a CertificateRequest but the client
sends no Certificate message at all. This is valid in SSLv3 (in TLS
clients are required to send an empty Certificate message).

Found using the BoringSSL test suite.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      149c2ef5
    • M
      Fix SSLv3 alert if no Client Ceritifcate sent after a request for one · 672f3337
      Matt Caswell 提交于 
      In TLS if the server sends a CertificateRequest and the client does not
provide one, if the server cannot continue it should send a
HandshakeFailure alert. In SSLv3 the same should happen, but instead we
were sending an UnexpectedMessage alert. This is incorrect - the message
isn't unexpected - it is valid for the client not to send one - its just
that we cannot continue without one.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      672f3337
    • M
      Prepare the client certificate earlier · 05c4f1d5
      Matt Caswell 提交于 
      Move the preparation of the client certificate to be post processing work
after reading the CertificateRequest message rather than pre processing
work prior to writing the Certificate message. As part of preparing the
client certificate we may discover that we do not have one available. If
we are also talking SSLv3 then we won't send the Certificate message at
all. However, if we don't discover this until we are about to send the
Certificate message it is too late and we send an empty one anyway. This
is wrong for SSLv3.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      05c4f1d5
  3. 15 7月, 2016 1 次提交
  5. 13 7月, 2016 1 次提交
  7. 02 7月, 2016 1 次提交
    • M
      Avoid an overflow in constructing the ServerKeyExchange message · 1e16987f
      Matt Caswell 提交于 
      We calculate the size required for the ServerKeyExchange message and then
call BUF_MEM_grow_clean() on the buffer. However we fail to take account of
2 bytes required for the signature algorithm and 2 bytes for the signature
length, i.e. we could overflow by 4 bytes. In reality this won't happen
because the buffer is pre-allocated to a large size that means it should be
big enough anyway.

Addresses an OCAP Audit issue.
Reviewed-by: NRich Salz <rsalz@openssl.org>
      1e16987f
  9. 29 6月, 2016 1 次提交
  11. 22 6月, 2016 1 次提交
    • D
      Make RSA key exchange code actually constant-time. · 5b8fa431
      David Benjamin 提交于 
      Using RSA_PKCS1_PADDING with RSA_private_decrypt is inherently unsafe.
The API requires writing output on success and touching the error queue
on error. Thus, although the padding check itself is constant-time as of
294d1e36, and the logic after the
decryption in the SSL code is constant-time as of
adb46dbc, the API boundary in the middle
still leaks whether the padding check succeeded, giving us our
much-loved Bleichenbacher padding oracle.

Instead, PKCS#1 padding must be handled by the caller which uses
RSA_NO_PADDING, in timing-sensitive code integrated with the
Bleichenbacher mitigation. Removing PKCS#1 padding in constant time is
actually much simpler when the expected length is a constant (and if
it's not a constant, avoiding a padding oracle seems unlikely), so just
do it inline.
Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@openssl.org>

GH: #1222
      5b8fa431
  13. 19 6月, 2016 1 次提交
  15. 16 6月, 2016 1 次提交
  17. 10 6月, 2016 2 次提交
    • L
      RT3720 Increment session miss counter properly · 4f6eaa59
      Laszlo Kovacs 提交于 
      Reviewed-by: NKurt Roeckx <kurt@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
      4f6eaa59
    • T
      Fix session ticket and SNI · 5c753de6
      Todd Short 提交于 
      When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
      5c753de6
  19. 04 6月, 2016 2 次提交
  21. 20 5月, 2016 3 次提交
    • M
      Ensure async IO works with new state machine · 1689e7e6
      Matt Caswell 提交于 
      In the new state machine if using nbio and we get the header of a
handshake message is one record with the body in the next, with an nbio
event in the middle, then the connection was failing. This is because
s->init_num was getting reset. We should only reset it after we have
read the whole message.

RT#4394
Reviewed-by: NAndy Polyakov <appro@openssl.org>
      1689e7e6
    • D
      Tighten up logic around ChangeCipherSpec. · 1257adec
      David Benjamin 提交于 
      ChangeCipherSpec messages have a defined value. They also may not occur
in the middle of a handshake message. The current logic will accept a
ChangeCipherSpec with value 2. It also would accept up to three bytes of
handshake data before the ChangeCipherSpec which it would discard
(because s->init_num gets reset).

Instead, require that s->init_num is 0 when a ChangeCipherSpec comes in.

RT#4391
Reviewed-by: NAndy Polyakov <appro@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
      1257adec
    • M
      Simplify SSL BIO buffering logic · 46417569
      Matt Caswell 提交于 
      The write BIO for handshake messages is bufferred so that we only write
out to the network when we have a complete flight. There was some
complexity in the buffering logic so that we switched buffering on and
off at various points through out the handshake. The only real reason to
do this was historically it complicated the state machine when you wanted
to flush because you had to traverse through the "flush" state (in order
to cope with NBIO). Where we knew up front that there was only going to
be one message in the flight we switched off buffering to avoid that.

In the new state machine there is no longer a need for a flush state so
it is simpler just to have buffering on for the whole handshake. This
also gives us the added benefit that we can simply call flush after every
flight even if it only has one message in it. This means that BIO authors
can implement their own buffering strategies and not have to be aware of
the state of the SSL object (previously they would have to switch off
their own buffering during the handshake because they could not rely on
a flush being received when they really needed to write data out). This
last point addresses GitHub Issue #322.
Reviewed-by: NAndy Polyakov <appro@openssl.org>
      46417569
  23. 19 5月, 2016 1 次提交
  25. 18 5月, 2016 1 次提交
  27. 17 5月, 2016 4 次提交
  29. 14 5月, 2016 1 次提交
  31. 13 5月, 2016 1 次提交
  33. 11 5月, 2016 2 次提交
  35. 06 5月, 2016 1 次提交
  37. 29 4月, 2016 3 次提交
  39. 27 4月, 2016 1 次提交
  41. 22 4月, 2016 1 次提交
    • M
      Don't set peer_tmp until we have finished constructing it · ee85fc1d
      Matt Caswell 提交于 
      If we fail halfway through constructing the peer_tmp EVP_PKEY but we have
already stored it in s->s3->peer_tmp then if anything tries to use it then
it will likely fail. This was causing s_client to core dump in the
sslskewith0p test. s_client was trying to print out the connection
parameters that it had negotiated so far. Arguably s_client should not do
that if the connection has failed...but given it is existing functionality
it's easier to fix libssl.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>
      ee85fc1d
  43. 09 4月, 2016 1 次提交
  45. 08 4月, 2016 3 次提交
    • V
      Suppress CT callback as appropriate · 43341433
      Viktor Dukhovni 提交于 
      Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates.  Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
when the chain is fails verification.

Move and consolidate CT callbacks from libcrypto to libssl.  We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.

Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information.  When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: NRob Percival <robpercival@google.com>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      43341433
    • V
      Fix client verify mode to check SSL_VERIFY_PEER · c636c1c4
      Viktor Dukhovni 提交于 
      The original check for != SSL_VERIFY_NONE can give surprising results
when flags SSL_VERIFY_PEER is not set, but other flags are.  Note
that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense
of all other flag bits.
Signed-off-by: NRob Percival <robpercival@google.com>
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
      c636c1c4
    • D
      Fix memory leak on invalid CertificateRequest. · 6afef8b1
      David Benjamin 提交于 
      Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NStephen Henson <steve@openssl.org>
      6afef8b1
  47. 05 4月, 2016 1 次提交