Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
大约 1 年 前同步成功

通知 9
Star 18
Fork 1
T
Third Party Openssl

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
  1. 24 8月, 2016 4 次提交
  3. 23 8月, 2016 19 次提交
  5. 22 8月, 2016 17 次提交
    • M
      Fix no-des · 1c55e372
      Matt Caswell 提交于 
      The PKCS12 command line utility is not available if no-des is used.
Reviewed-by: NRich Salz <rsalz@openssl.org>
      1c55e372
    • R
      RT2676: Reject RSA eponent if even or 1 · 464d59a5
      Rich Salz 提交于 
      Also, re-organize RSA check to use goto err.
Add a test case.
Try all checks, not just stopping at first (via Richard Levitte)
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
      464d59a5
    • R
      Configure: Properly cache the configured compiler command · a66234bc
      Richard Levitte 提交于 
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      a66234bc
    • K
      Fix a memory leak in EC_GROUP_get_ecparameters() · 0110a470
      Kazuki Yamaguchi 提交于 
      The variable 'buffer', allocated by EC_POINT_point2buf(), isn't
free'd on the success path.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
      0110a470
    • K
      Expose alloc functions for EC{PK,}PARAMETERS · 9ba6f347
      Kazuki Yamaguchi 提交于 
      Declare EC{PK,}PARAMETERS_{new,free} functions in public headers. The
free functions are necessary because EC_GROUP_get_ec{pk,}parameters()
was made public by commit 60b350a3 ("RT3676: Expose ECgroup i2d
functions").
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
      9ba6f347
    • F
      Fix loopargs_t object duplication into ASYNC context · fb2141c7
      FdaSilvaYY 提交于 
      Code was relying on an implicit data-sharing through duplication of
loopargs_t pointer-members made by ASYNC_start_job().

Now share structure address instead of structure content.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
      fb2141c7
    • R
      Avoid more compiler warnings for use of uninitialised variables · 0038ad48
      Richard Levitte 提交于 
      Reviewed-by: NAndy Polyakov <appro@openssl.org>
      0038ad48
    • R
      Make 'openssl req -x509' more equivalent to 'openssl req -new' · 599e5904
      Richard Levitte 提交于 
      The following would fail, or rather, freeze:

    openssl genrsa -out rsa2048.pem 2048
    openssl req -x509 -key rsa2048.pem -keyform PEM -out cert.pem

In that case, the second command wants to read a certificate request
from stdin, because -x509 wasn't fully flagged as being for creating
something new.  This changes makes it fully flagged.

RT#4655
Reviewed-by: NAndy Polyakov <appro@openssl.org>
      599e5904
    • A
      bn/asm/x86[_64]-mont*.pl: implement slightly alternative page-walking. · 3ba1ef82
      Andy Polyakov 提交于 
      Original strategy for page-walking was adjust stack pointer and then
touch pages in order. This kind of asks for double-fault, because
if touch fails, then signal will be delivered to frame above adjusted
stack pointer. But touching pages prior adjusting stack pointer would
upset valgrind. As compromise let's adjust stack pointer in pages,
touching top of the stack. This still asks for double-fault, but at
least prevents corruption of neighbour stack if allocation is to
overstep the guard page.

Also omit predict-non-taken hints as they reportedly trigger illegal
instructions in some VM setups.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      3ba1ef82
    • M
      Choose a ciphersuite for testing that won't be affected by "no-*" options · fe34735c
      Matt Caswell 提交于 
      The previous ciphersuite broke in no-ec builds.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      fe34735c
    • K
      Fix overflow check in BN_bn2dec() · 099e2968
      Kazuki Yamaguchi 提交于 
      Fix an off by one error in the overflow check added by 07bed46f
("Check for errors in BN_bn2dec()").
Reviewed-by: NStephen Henson <steve@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
      099e2968
    • R
      ssltestlib: Tell compiler we don't care about the value when we don't · 1c288878
      Richard Levitte 提交于 
      In mempacket_test_read(), we've already fetched the top value of the
stack, so when we shift the stack, we don't care for the value.  The
compiler needs to be told, or it will complain harshly when we tell it
to be picky.
Reviewed-by: NMatt Caswell <matt@openssl.org>
      1c288878
    • A
      crypto/pkcs12: facilitate accessing data with non-interoperable password. · 1194ea8d
      Andy Polyakov 提交于 
      Originally PKCS#12 subroutines treated password strings as ASCII.
It worked as long as they were pure ASCII, but if there were some
none-ASCII characters result was non-interoperable. But fixing it
poses problem accessing data protected with broken password. In
order to make asscess to old data possible add retry with old-style
password.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      1194ea8d
    • A
      crypto/pkcs12: default to UTF-8. · b799aef8
      Andy Polyakov 提交于 
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      b799aef8
    • A
      Add PKCS#12 UTF-8 interoperability test. · 70bf33d1
      Andy Polyakov 提交于 
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      70bf33d1
    • A
      crypto/pkcs12: add UTF8 support. · 9e6b2f54
      Andy Polyakov 提交于 
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      9e6b2f54
    • M
      Prevent DTLS Finished message injection · 5cb4d646
      Matt Caswell 提交于 
      Follow on from CVE-2016-2179

The investigation and analysis of CVE-2016-2179 highlighted a related flaw.

This commit fixes a security "near miss" in the buffered message handling
code. Ultimately this is not currently believed to be exploitable due to
the reasons outlined below, and therefore there is no CVE for this on its
own.

The issue this commit fixes is a MITM attack where the attacker can inject
a Finished message into the handshake. In the description below it is
assumed that the attacker injects the Finished message for the server to
receive it. The attack could work equally well the other way around (i.e
where the client receives the injected Finished message).

The MITM requires the following capabilities:
- The ability to manipulate the MTU that the client selects such that it
is small enough for the client to fragment Finished messages.
- The ability to selectively drop and modify records sent from the client
- The ability to inject its own records and send them to the server

The MITM forces the client to select a small MTU such that the client
will fragment the Finished message. Ideally for the attacker the first
fragment will contain all but the last byte of the Finished message,
with the second fragment containing the final byte.

During the handshake and prior to the client sending the CCS the MITM
injects a plaintext Finished message fragment to the server containing
all but the final byte of the Finished message. The message sequence
number should be the one expected to be used for the real Finished message.

OpenSSL will recognise that the received fragment is for the future and
will buffer it for later use.

After the client sends the CCS it then sends its own Finished message in
two fragments. The MITM causes the first of these fragments to be
dropped. The OpenSSL server will then receive the second of the fragments
and reassemble the complete Finished message consisting of the MITM
fragment and the final byte from the real client.

The advantage to the attacker in injecting a Finished message is that
this provides the capability to modify other handshake messages (e.g.
the ClientHello) undetected. A difficulty for the attacker is knowing in
advance what impact any of those changes might have on the final byte of
the handshake hash that is going to be sent in the "real" Finished
message. In the worst case for the attacker this means that only 1 in
256 of such injection attempts will succeed.

It may be possible in some situations for the attacker to improve this such
that all attempts succeed. For example if the handshake includes client
authentication then the final message flight sent by the client will
include a Certificate. Certificates are ASN.1 objects where the signed
portion is DER encoded. The non-signed portion could be BER encoded and so
the attacker could re-encode the certificate such that the hash for the
whole handshake comes to a different value. The certificate re-encoding
would not be detectable because only the non-signed portion is changed. As
this is the final flight of messages sent from the client the attacker
knows what the complete hanshake hash value will be that the client will
send - and therefore knows what the final byte will be. Through a process
of trial and error the attacker can re-encode the certificate until the
modified handhshake also has a hash with the same final byte. This means
that when the Finished message is verified by the server it will be
correct in all cases.

In practice the MITM would need to be able to perform the same attack
against both the client and the server. If the attack is only performed
against the server (say) then the server will not detect the modified
handshake, but the client will and will abort the connection.
Fortunately, although OpenSSL is vulnerable to Finished message
injection, it is not vulnerable if *both* client and server are OpenSSL.
The reason is that OpenSSL has a hard "floor" for a minimum MTU size
that it will never go below. This minimum means that a Finished message
will never be sent in a fragmented form and therefore the MITM does not
have one of its pre-requisites. Therefore this could only be exploited
if using OpenSSL and some other DTLS peer that had its own and separate
Finished message injection flaw.

The fix is to ensure buffered messages are cleared on epoch change.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
      5cb4d646