Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
1 年多 前同步成功

通知 10
Star 18
Fork 1
T
Third Party Openssl
切换分支/标签
  1. 31 3月, 2020 2 次提交
  3. 29 3月, 2020 1 次提交
  5. 25 3月, 2020 3 次提交
  7. 23 3月, 2020 1 次提交
  9. 20 3月, 2020 1 次提交
  11. 19 3月, 2020 4 次提交
  13. 17 3月, 2020 6 次提交
  15. 14 3月, 2020 6 次提交
    • B
      Add test that changes ciphers on CCS · 2f0dab7e
      Benjamin Kaduk 提交于 
      The TLS (pre-1.3) ChangeCipherState message is usually used to indicate
the switch from the unencrypted to encrypted part of the handshake.
However, it can also be used in cases where there is an existing
session (such as during resumption handshakes) or when changing from
one cipher to a different one (such as during renegotiation when the
cipher list offered by the client has changed).  This test serves
to exercise such situations, allowing us to detect whether session
objects are being modified in cases when they must remain immutable
for thread-safety purposes.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit 3cd14e5e65011660ad8e3603cf871c8366b565fd)
      2f0dab7e
    • B
      Code to thread-safety in ChangeCipherState · 44bad9cb
      Benjamin Kaduk 提交于 
      The server-side ChangeCipherState processing stores the new cipher
in the SSL_SESSION object, so that the new state can be used if
this session gets resumed.  However, writing to the session is only
thread-safe for initial handshakes, as at other times the session
object may be in a shared cache and in use by another thread at the
same time.  Reflect this invariant in the code by only writing to
s->session->cipher when it is currently NULL (we do not cache sessions
with no cipher).  The code prior to this change would never actually
change the (non-NULL) cipher value in a session object, since our
server enforces that (pre-TLS-1.3) resumptions use the exact same
cipher as the initial connection, and non-abbreviated renegotiations
have produced a new session object before we get to this point.
Regardless, include logic to detect such a condition and abort the
handshake if it occurs, to avoid any risk of inadvertently using
the wrong cipher on a connection.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit 2e3ec2e1578977fca830a47fd7f521e290540e6d)
      44bad9cb
    • B
      Don't write to the session when computing TLS 1.3 keys · 910c8ffa
      Benjamin Kaduk 提交于 
      TLS 1.3 maintains a separate keys chedule in the SSL object, but
was writing to the 'master_key_length' field in the SSL_SESSION
when generating the per-SSL master_secret.  (The generate_master_secret
SSL3_ENC_METHOD function needs an output variable for the master secret
length, but the TLS 1.3 implementation just uses the output size of
the handshake hash function to get the lengths, so the only natural-looking
thing to use as the output length was the field in the session.
This would potentially involve writing to a SSL_SESSION object that was
in the cache (i.e., resumed) and shared with other threads, though.

The thread-safety impact should be minimal, since TLS 1.3 requires the
hash from the original handshake to be associated with the resumption
PSK and used for the subsequent connection.  This means that (in the
resumption case) the value being written would be the same value that was
previously there, so the only risk would be on architectures that can
produce torn writes/reads for aligned size_t values.

Since the value is essentially ignored anyway, just provide the
address of a local dummy variable to generate_master_secret() instead.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit d74014c4b8740f28a54b562f799ad1e754b517b9)
      910c8ffa
    • B
      Fix whitespace nit in ssl_generate_master_secret() · a666af9f
      Benjamin Kaduk 提交于 
      Use a space after a comma.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit 1866a0d380fc361d9be2ca0509de0f2281505db5)
      a666af9f
    • B
      doc: fix spelling of TYPE_get_ex_new_index · cf900cbc
      Benjamin Kaduk 提交于 
      The generated macros are TYPE_get_ex_new_index() (to match
CRYPTO_get_ex_new_index()), not TYPE_get_new_ex_index(), even though
the latter spelling seems more natural.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit fe41c06e69613b1a4814b3e3cdbf460f2678ec99)
      cf900cbc
    • B
      Additional updates to SSL_CTX_sess_set_get_cb.pod · d3133cc7
      Benjamin Kaduk 提交于 
      Generally modernize the language.

Refer to TLS instead of SSL/TLS, and try to have more consistent
usage of commas and that/which.

Reword some descriptions to avoid implying that a list of potential
reasons for behavior is an exhaustive list.

Clarify how get_session_cb() is only called on servers (i.e., in general,
and that it's given the session ID proposed by the client).

Clarify the semantics of the get_cb()'s "copy" argument.
The behavior seems to have changed in commit
8876bc05, though the behavior prior
to that commit was not to leave the reference-count unchanged if
*copy was not written to -- instead, libssl seemed to assume that the
callback already had incremented the reference count.
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)

(cherry picked from commit 06f876837a8ec76b28c42953731a156c0c3700e2)
      d3133cc7
  17. 13 3月, 2020 1 次提交
  19. 12 3月, 2020 1 次提交
  21. 11 3月, 2020 2 次提交
  23. 09 3月, 2020 3 次提交
  25. 08 3月, 2020 1 次提交
  27. 07 3月, 2020 1 次提交
  29. 06 3月, 2020 4 次提交
  31. 05 3月, 2020 1 次提交
  33. 28 2月, 2020 1 次提交
  35. 27 2月, 2020 1 次提交