1. 26 Sep 2017, 3 commits
  2. 23 Sep 2017, 1 commit
  3. 14 Sep 2017, 1 commit
  4. 09 Sep 2017, 2 commits
  5. 07 Sep 2017, 1 commit
    • Restore historical behavior for absent ServerHello extensions · 1c259bb5
      Authored by Benjamin Kaduk
      In OpenSSL 1.1.0, when there were no extensions added to the ServerHello,
      we did not write the extension data length bytes to the end of the
      ServerHello; this is needed for compatibility with old client implementations
      that do not support TLS extensions (such as the default configuration of
      OpenSSL 0.9.8).  When ServerHello extension construction was converted
      to the new extensions framework in commit
      7da160b0, this behavior was inadvertently
      limited to cases when SSLv3 was negotiated (and similarly for ClientHellos),
      presumably since extensions are not defined at all for SSLv3.  However,
      extensions for TLS prior to TLS 1.3 have been defined in separate
      RFCs (6066, 4366, and 3546) from the TLS protocol specifications, and as such
      should be considered an optional protocol feature in those cases.
      
      Accordingly, be conservative in what we send, and skip the extensions block
      when there are no extensions to be sent, regardless of the TLS/SSL version.
      (TLS 1.3 requires extensions and can safely be treated differently.)
      Reviewed-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Paul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/4296)
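To make the wire-level behaviour this commit describes concrete, here is an added C example (constructed for this page, not OpenSSL's own code) of a ServerHello extensions-block writer and reader. The writer omits the block entirely when there are no extensions and the negotiated version is below TLS 1.3, and always writes the two length bytes for TLS 1.3; the reader accepts both the absent and the present form, and rejects a block whose declared length does not match the bytes actually present. The version constants, the `ext_t` type and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wire values for the protocol versions (RFC 5246, RFC 8446). */
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* One extension ready for encoding: type, plus an opaque, already-encoded body.
   This struct is constructed for the example, not an OpenSSL type. */
typedef struct {
    uint16_t type;
    const uint8_t *body;
    size_t body_len;
} ext_t;

/*
 * Append the ServerHello extensions block to out; returns bytes written,
 * or (size_t)-1 if the block would not fit or is too large to encode.
 *
 * Before TLS 1.3, a ServerHello with nothing to send omits the block
 * completely, so a legacy client that stops parsing after
 * compression_method does not see two unexpected trailing bytes.
 * TLS 1.3 always carries extensions, so the length prefix is always written.
 */
size_t write_extensions_block(uint16_t version, const ext_t *exts, size_t n,
                              uint8_t *out, size_t out_cap)
{
    size_t total = 0, pos, i;

    for (i = 0; i < n; i++)
        total += 4 + exts[i].body_len;          /* type(2) + length(2) + body */
    if (n == 0 && version < TLS1_3_VERSION)
        return 0;                               /* conservative: send no block */
    if (total > 0xFFFF || out_cap < 2 + total)
        return (size_t)-1;

    out[0] = (uint8_t)(total >> 8);
    out[1] = (uint8_t)total;
    pos = 2;
    for (i = 0; i < n; i++) {
        out[pos++] = (uint8_t)(exts[i].type >> 8);
        out[pos++] = (uint8_t)exts[i].type;
        out[pos++] = (uint8_t)(exts[i].body_len >> 8);
        out[pos++] = (uint8_t)exts[i].body_len;
        memcpy(out + pos, exts[i].body, exts[i].body_len);
        pos += exts[i].body_len;
    }
    return pos;
}

/*
 * Parse whatever follows compression_method in a ServerHello.  Returns the
 * number of extensions found, or -1 on malformed input.  An empty tail is
 * the legacy form and is valid; a present block must account for every byte.
 */
int read_extensions_block(const uint8_t *tail, size_t tail_len)
{
    size_t declared, pos, blen;
    int count = 0;

    if (tail_len == 0)
        return 0;                               /* legacy: no block at all */
    if (tail_len < 2)
        return -1;
    declared = ((size_t)tail[0] << 8) | tail[1];
    if (declared != tail_len - 2)
        return -1;                              /* truncated or trailing garbage */

    pos = 2;
    while (pos < tail_len) {
        if (tail_len - pos < 4)
            return -1;                          /* header does not fit */
        blen = ((size_t)tail[pos + 2] << 8) | tail[pos + 3];
        pos += 4;
        if (tail_len - pos < blen)
            return -1;                          /* body overruns the block */
        pos += blen;
        count++;
    }
    return count;
}
```

The reader is deliberately strict about the declared length: a block that claims more or fewer bytes than are present is rejected rather than silently tolerated, which is the usual mirror of "be conservative in what you send".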
  6. 04 Sep 2017, 1 commit
  7. 01 Sep 2017, 3 commits
  8. 31 Aug 2017, 7 commits
  9. 30 Aug 2017, 3 commits
  10. 18 Aug 2017, 1 commit
  11. 15 Aug 2017, 1 commit
    • Move ALPN handling from finalizer to delayed call · 5626f634
      Authored by Benjamin Kaduk
      Commit 02f0274e moved ALPN processing
      into an extension finalization function, as the only documented ordering
      requirement from previous commits was that ALPN processing occur after
      SNI processing, and SNI processing is performed before the extension
      finalization step.  However, it is useful for applications'
      alpn_select callbacks to run after ciphersuite selection as well -- at
      least one application protocol specification (HTTP/2) imposes restrictions
      on which ciphersuites are usable with that protocol.  Since it is generally
      more preferable to have a successful TLS connection with a default application
      protocol than to fail the TLS connection and not be able to have the preferred
      application protocol, it is good to give the alpn_select callback information
      about the ciphersuite to be used, so that appropriate restrictions can be
      enforced in application code.
      
      Accordingly, split the ALPN handling out into a separate tls_handle_alpn()
      function akin to tls_handle_status_request(), called from
      tls_post_process_client_hello().  This is an alternative to resuscitating
      ssl_check_clienthello_tlsext_late(), something of an awkward name itself.
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4070)
  12. 11 Aug 2017, 1 commit
  13. 10 Aug 2017, 1 commit
    • Don't modify resumed session objects · e3743355
      Authored by Benjamin Kaduk
      If s->hit is set, s->session corresponds to a session created on
      a previous connection, and is a data structure that is potentially
      shared across other SSL objects.  As such, there are thread-safety
      issues with modifying the structure without taking its lock (and
      of course all corresponding read accesses would also need to take
      the lock as well), which have been observed to cause double-frees.
      
      Regardless of thread-safety, the resumed session object is intended
      to reflect parameters of the connection that created the session,
      and modifying it to reflect the parameters from the current connection
      is confusing.  So, modifications to the session object during
      ClientHello processing should only be performed on new connections,
      i.e., those where s->hit is not set.
      
      The code mostly got this right, providing such checks when processing
      SNI and EC point formats, but the supported groups (formerly
      supported curves) extension was missing it, which is fixed by this commit.
      
      However, TLS 1.3 makes the supported_groups extension mandatory
      (when using (EC)DHE, which is the normal case), checking for the group
      list in the key_share extension processing.  But, TLS 1.3 only [0] supports
      session tickets for session resumption, so the session object in question
      is the output of d2i_SSL_SESSION(), and will not be shared across SSL
      objects.  Thus, it is safe to modify s->session for TLS 1.3 connections.
      
      [0] A psk_find_session callback can also be used, but the restriction that
      each callback execution must produce a distinct SSL_SESSION structure
      can be documented when the psk_find_session callback documentation is
      completed.
      Reviewed-by: Andy Polyakov <appro@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4123)
  14. 03 Aug 2017, 3 commits
    • Add a DRBG to each SSL object · ae3947de
      Authored by Rich Salz
      Give each SSL object its own DRBG, chained to the parent global
      DRBG which is used only as a source of randomness into the per-SSL
      DRBG.  This is used for all session, ticket, and pre-master secret keys.
      It is NOT used for ECDH key generation, which uses only the global
      DRBG. (Doing that without changing the API is tricky, if not impossible.)
      Reviewed-by: Paul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/4050)
    • Switch from ossl_rand to DRBG rand · 75e2c877
      Authored by Rich Salz
      If RAND_add wraps around, XOR with existing. Add test to drbgtest that
      does the wrap-around.
      
      Re-order seeding and stop after first success.
      
      Add RAND_poll_ex()
      
      Use the DF and therefore lower RANDOMNESS_NEEDED.  Also, for child DRBG's,
      mix in the address as the personalization bits.
      
      Centralize the entropy callbacks, from drbg_lib to rand_lib.
      (Conceptually, entropy is part of the enclosing application.)
      Thanks to Dr. Matthias St Pierre for the suggestion.
      
      Various code cleanups:
          -Make state an enum; inline RANDerr calls.
          -Add RAND_POLL_RETRIES (thanks Pauli for the idea)
          -Remove most RAND_seed calls from rest of library
          -Rename DRBG_CTX to RAND_DRBG, etc.
          -Move some code from drbg_lib to drbg_rand; drbg_lib is now only the
           implementation of NIST DRBG.
          -Remove blocklength
      Reviewed-by: Paul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/4019)
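As an added illustration of the "if RAND_add wraps around, XOR with existing" point in this commit (constructed for this page; it is not OpenSSL's RAND_add or RAND_DRBG implementation), here is a small fixed-size input pool where bytes written past the end of the buffer are XORed into the bytes already there, shown beside the plain overwrite behaviour it replaces. The pool size, the struct and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Pool size is constructed for the example; real pools are far larger. */
#define POOL_SIZE 8

typedef struct {
    uint8_t buf[POOL_SIZE];
    size_t pos;      /* next write position, wraps modulo POOL_SIZE */
    size_t filled;   /* bytes written before the first wrap, capped at POOL_SIZE */
} entropy_pool;

void pool_init(entropy_pool *p)
{
    memset(p, 0, sizeof *p);
}

/*
 * Add caller-supplied bytes.  Until the pool has been filled once, bytes are
 * copied in.  Once the write position wraps, each new byte is XORed into the
 * byte already at that position, so earlier input still influences the pool
 * instead of being discarded.
 */
void pool_add(entropy_pool *p, const uint8_t *in, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++) {
        if (p->filled < POOL_SIZE) {
            p->buf[p->pos] = in[i];
            p->filled++;
        } else {
            p->buf[p->pos] ^= in[i];
        }
        p->pos = (p->pos + 1) % POOL_SIZE;
    }
}

/*
 * The behaviour being replaced: overwrite on wrap-around.  After the pool
 * wraps, everything contributed earlier at that position is lost.
 */
void pool_add_overwrite(entropy_pool *p, const uint8_t *in, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++) {
        p->buf[p->pos] = in[i];
        if (p->filled < POOL_SIZE)
            p->filled++;
        p->pos = (p->pos + 1) % POOL_SIZE;
    }
}

/* Read one pool byte; returns -1 for an out-of-range index. */
int pool_byte(const entropy_pool *p, size_t idx)
{
    return idx < POOL_SIZE ? p->buf[idx] : -1;
}
```

The contrast matters when the caller feeds in more data than the pool holds between reseeds: with overwrite, a later low-quality input can replace an earlier high-quality one outright, whereas XOR-mixing keeps both contributions in the resulting bytes.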
    • Move ossl_assert · 67dc995e
      Authored by Matt Caswell
      Move the definition of ossl_assert() out of e_os.h which is intended for OS
      specific things. Instead it is moved into internal/cryptlib.h.
      
      This also changes the definition to remove the (int) cast.
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4073)
  15. 01 Aug 2017, 2 commits
  16. 21 Jul 2017, 1 commit
  17. 18 Jul 2017, 2 commits
  18. 13 Jul 2017, 3 commits
  19. 07 Jul 2017, 3 commits