1. 18 Jul 2016, 3 commits
    • Try and make the transition tests for CKE message clearer · 0f512756
      Matt Caswell committed
      The logic testing whether a CKE message is allowed or not was a little
      difficult to follow. This tries to clean it up.
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Make sure we call ssl3_digest_cached_records() when necessary · 149c2ef5
      Matt Caswell committed
      Having received a ClientKeyExchange message instead of a Certificate we
      know that we are not going to receive a CertificateVerify message. This
      means we can free up the handshake_buffer. However we better call
      ssl3_digest_cached_records() instead of just freeing it up, otherwise we
      later try and use it anyway and a core dump results. This could happen,
      for example, in SSLv3 where we send a CertificateRequest but the client
      sends no Certificate message at all. This is valid in SSLv3 (in TLS
      clients are required to send an empty Certificate message).
      
      Found using the BoringSSL test suite.
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
    • Fix SSLv3 alert if no Client Certificate sent after a request for one · 672f3337
      Matt Caswell committed
      In TLS if the server sends a CertificateRequest and the client does not
      provide one, if the server cannot continue it should send a
      HandshakeFailure alert. In SSLv3 the same should happen, but instead we
      were sending an UnexpectedMessage alert. This is incorrect - the message
      isn't unexpected - it is valid for the client not to send one - it's just
      that we cannot continue without one.
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
  2. 02 Jul 2016, 1 commit
    • Avoid an overflow in constructing the ServerKeyExchange message · 1e16987f
      Matt Caswell committed
      We calculate the size required for the ServerKeyExchange message and then
      call BUF_MEM_grow_clean() on the buffer. However we fail to take account of
      2 bytes required for the signature algorithm and 2 bytes for the signature
      length, i.e. we could overflow by 4 bytes. In reality this won't happen
      because the buffer is pre-allocated to a large size that means it should be
      big enough anyway.
      
      Addresses an OCAP Audit issue.
      Reviewed-by: Rich Salz <rsalz@openssl.org>
  3. 22 Jun 2016, 1 commit
    • Make RSA key exchange code actually constant-time. · 5b8fa431
      David Benjamin committed
      Using RSA_PKCS1_PADDING with RSA_private_decrypt is inherently unsafe.
      The API requires writing output on success and touching the error queue
      on error. Thus, although the padding check itself is constant-time as of
      294d1e36, and the logic after the
      decryption in the SSL code is constant-time as of
      adb46dbc, the API boundary in the middle
      still leaks whether the padding check succeeded, giving us our
      much-loved Bleichenbacher padding oracle.
      
      Instead, PKCS#1 padding must be handled by the caller which uses
      RSA_NO_PADDING, in timing-sensitive code integrated with the
      Bleichenbacher mitigation. Removing PKCS#1 padding in constant time is
      actually much simpler when the expected length is a constant (and if
      it's not a constant, avoiding a padding oracle seems unlikely), so just
      do it inline.
      Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      
      GH: #1222
  4. 16 Jun 2016, 1 commit
  5. 10 Jun 2016, 1 commit
    • Fix session ticket and SNI · 5c753de6
      Todd Short committed
      When session tickets are used, it's possible that SNI might switch the
      SSL_CTX on an SSL. Normally, this is not a problem, because the
      initial_ctx/session_ctx are used for all session ticket/id processes.
      
      However, when the SNI callback occurs, it's possible that the callback
      may update the options in the SSL from the SSL_CTX, and this could
      cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
      can happen:
      
      1. The session ticket TLSEXT may not be written when the ticket expected
      flag is set. The state machine transitions to writing the ticket, and
      the client responds with an error as it's not expecting a ticket.
      2. When creating the session ticket, if the ticket key cb returns 0
      the crypto/hmac contexts are not initialized, and the code crashes when
      trying to encrypt the session ticket.
      
      To fix 1, if the ticket TLSEXT is not written out, clear the expected
      ticket flag.
      To fix 2, consider a return of 0 from the ticket key cb a recoverable
      error, and write a 0 length ticket and continue. The client-side code
      can explicitly handle this case.
      
      Fix these two cases, and add unit test code to validate ticket behavior.
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/1098)
  6. 04 Jun 2016, 1 commit
  7. 18 May 2016, 1 commit
  8. 17 May 2016, 4 commits
  9. 14 May 2016, 1 commit
  10. 11 May 2016, 2 commits
  11. 29 Apr 2016, 1 commit
  12. 27 Apr 2016, 1 commit
  13. 09 Apr 2016, 1 commit
  14. 05 Apr 2016, 2 commits
  15. 28 Mar 2016, 1 commit
  16. 22 Mar 2016, 1 commit
  17. 21 Mar 2016, 1 commit
  18. 25 Feb 2016, 1 commit
  19. 23 Feb 2016, 1 commit
  20. 19 Feb 2016, 1 commit
    • Remove outdated DEBUG flags. · d63a5e5e
      Rich Salz committed
      Add -DBIO_DEBUG to --strict-warnings.
      Remove comments about outdated debugging ifdef guards.
      Remove md_rand ifdef guarding an assert; it doesn't seem used.
      Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
      For pkcs12 stuff put OPENSSL_ in front of the macro name.
      Merge TLS_DEBUG into SSL_DEBUG.
      Various things just turned on/off asserts, mainly for checking non-NULL
      arguments, which is now removed: camellia, bn_ctx, crypto/modes.
      Remove some old debug code, that basically just printed things to stderr:
        DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
        RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
      Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
      Reviewed-by: Richard Levitte <levitte@openssl.org>
  21. 13 Feb 2016, 1 commit
  22. 12 Feb 2016, 1 commit
  23. 01 Feb 2016, 1 commit
  24. 27 Jan 2016, 1 commit
    • Remove /* foo.c */ comments · 34980760
      Rich Salz committed
      This was done by the following
              find . -name '*.[ch]' | /tmp/pl
      where /tmp/pl is the following three-line script:
              print unless $. == 1 && m@/\* .*\.[ch] \*/@;
              close ARGV if eof; # Close file to reset $.
      
      And then some hand-editing of other files.
      Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  25. 20 Jan 2016, 1 commit
  26. 19 Jan 2016, 1 commit
  27. 12 Jan 2016, 1 commit
  28. 08 Jan 2016, 1 commit
  29. 02 Jan 2016, 2 commits
    • Protocol version selection and negotiation rewrite · 4fa52141
      Viktor Dukhovni committed
      The protocol selection code is now consolidated in a few consecutive
      short functions in a single file and is table driven.  Protocol-specific
      constraints that influence negotiation are moved into the flags
      field of the method structure.  The same protocol version constraints
      are now applied in all code paths.  It is now much easier to add
      new protocol versions without reworking the protocol selection
      logic.
      
      In the presence of "holes" in the list of enabled client protocols
      we no longer select client protocols below the hole based on a
      subset of the constraints and then fail shortly after when it is
      found that these don't meet the remaining constraints (suiteb, FIPS,
      security level, ...).  Ideally, with the new min/max controls users
      will be less likely to create "holes" in the first place.
      Reviewed-by: Kurt Roeckx <kurt@openssl.org>
    • 7946ab33
  30. 01 Jan 2016, 1 commit
  31. 24 Dec 2015, 2 commits