Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
9 个月 前同步成功

通知 8
Star 18
Fork 1
T
Third Party Openssl

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

切换分支/标签
  1. 14 3月, 2020 1 次提交
    • B
      Add test that changes ciphers on CCS · 2f0dab7e
      Benjamin Kaduk 提交于 
      The TLS (pre-1.3) ChangeCipherState message is usually used to indicate
the switch from the unencrypted to encrypted part of the handshake.
However, it can also be used in cases where there is an existing
session (such as during resumption handshakes) or when changing from
one cipher to a different one (such as during renegotiation when the
cipher list offered by the client has changed).  This test serves
to exercise such situations, allowing us to detect whether session
objects are being modified in cases when they must remain immutable
for thread-safety purposes.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit 3cd14e5e65011660ad8e3603cf871c8366b565fd)
      2f0dab7e
  3. 12 2月, 2020 1 次提交
  5. 31 1月, 2020 1 次提交
  7. 28 9月, 2019 1 次提交
  9. 04 9月, 2019 1 次提交
  11. 14 8月, 2019 1 次提交
  13. 27 6月, 2019 1 次提交
    • B
      Add regression test for #9099 · 9863b419
      Benjamin Kaduk 提交于 
      Augment the cert_cb sslapitest to include a run that uses
SSL_check_chain() to inspect the certificate prior to installing
it on the SSL object.  If the check shows the certificate as not
valid in that context, we do not install a certificate at all, so
the handshake will fail later on in processing (tls_choose_sigalg()),
exposing the indicated regression.

Currently it fails, since we have not yet set the shared sigalgs
by the time the cert_cb runs.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)

(cherry picked from commit 7cb8fb07e8b71dc1fdcb0de10af7fed4347f6ea4)
      9863b419
  15. 03 6月, 2019 1 次提交
  17. 26 2月, 2019 1 次提交
  19. 23 2月, 2019 1 次提交
  21. 15 2月, 2019 1 次提交
    • M
      Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages · 37857e9b
      Matt Caswell 提交于 
      The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.

This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.

This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.

Fixes #8069
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)

(cherry picked from commit 4af5836b55442f31795eff6c8c81ea7a1b8cf94b)
      37857e9b
  23. 24 1月, 2019 1 次提交
    • M
      Make sure we trigger retransmits in DTLS testing · f9ad0abb
      Matt Caswell 提交于 
      During a DTLS handshake we may need to periodically handle timeouts in the
DTLS timer to ensure retransmits due to lost packets are performed. However,
one peer will always complete a handshake before the other. The DTLS timer
stops once the handshake has finished so any handshake messages lost after
that point will not automatically get retransmitted simply by calling
DTLSv1_handle_timeout(). However attempting an SSL_read implies a
DTLSv1_handle_timeout() and additionally will process records received from
the peer. If those records are themselves retransmits then we know that the
peer has not completed its handshake yet and a retransmit of our final
flight automatically occurs.
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8047)

(cherry picked from commit 80c455d5ae405e855391e298a2bf8a24629dd95d)
      f9ad0abb
  25. 05 12月, 2018 1 次提交
  27. 12 11月, 2018 1 次提交
  29. 30 10月, 2018 1 次提交
  31. 15 10月, 2018 1 次提交
  33. 22 9月, 2018 1 次提交
  35. 07 9月, 2018 2 次提交
  37. 04 9月, 2018 1 次提交
  39. 20 8月, 2018 2 次提交
  41. 19 7月, 2018 1 次提交
  43. 17 7月, 2018 3 次提交
  45. 06 7月, 2018 1 次提交
  47. 04 7月, 2018 1 次提交
  49. 03 7月, 2018 1 次提交
  51. 02 7月, 2018 2 次提交
  53. 27 6月, 2018 4 次提交
  55. 23 5月, 2018 2 次提交
  57. 22 5月, 2018 1 次提交
  59. 21 5月, 2018 1 次提交
    • M
      Don't cache stateless tickets in TLSv1.3 · ee94ec2e
      Matt Caswell 提交于 
      In TLSv1.2 and below we always cache new sessions by default on the server
side in the internal cache (even when we're using session tickets). This is
in order to support resumption from a session id.

In TLSv1.3 there is no session id. It is only possible to resume using the
ticket. Therefore, in the default case,  there is no point in caching the
session in the internal store.

There is still a reason to call the external cache new session callback
because applications may be using the callbacks just to know about when
sessions are created (and not necessarily implementing a full cache). If
the application also implements the remove session callback then we are
forced to also store it in the internal cache so that we can create
timeout events. Otherwise the external cache could just fill up
indefinitely.

This mostly addresses the issue described in #5628. That issue also proposes
having an option to not create full stateless tickets when using the
internal cache. That aspect hasn't been addressed yet.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6293)
      ee94ec2e
  61. 17 5月, 2018 1 次提交