Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
接近 2 年 前同步成功

通知 12
Star 18
Fork 1
T
Third Party Openssl
切换分支/标签
  1. 08 6月, 2018 1 次提交
  3. 29 5月, 2018 1 次提交
  5. 11 5月, 2018 1 次提交
  7. 25 4月, 2018 1 次提交
  9. 14 3月, 2018 1 次提交
  11. 07 3月, 2018 1 次提交
  13. 20 2月, 2018 1 次提交
  15. 13 2月, 2018 1 次提交
  17. 02 2月, 2018 1 次提交
    • T
      Add TLSv1.3 post-handshake authentication (PHA) · 9d75dce3
      Todd Short 提交于 
      Add SSL_verify_client_post_handshake() for servers to initiate PHA

Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.

Update SSL_CTX_set_verify()/SSL_set_verify() mode:

* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.

* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.

Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options

Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha

Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code

Update documentation

Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests

DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error

Update handshake context to deal with PHA.

The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.

After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.

This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
      9d75dce3
  19. 19 10月, 2017 1 次提交
  21. 17 10月, 2017 1 次提交
  23. 14 8月, 2017 1 次提交
  25. 17 7月, 2017 1 次提交
    • R
      Standardize apps use of -rand, etc. · 3ee1eac2
      Rich Salz 提交于 
      Standardized the -rand flag and added a new one:
    -rand file...
            Always reads the specified files
    -writerand file
            Always writes to the file on exit

For apps that use a config file, the RANDFILE config parameter reads
the file at startup (to seed the RNG) and write to it on exit if
the -writerand flag isn't used.

Ensured that every app that took -rand also took -writerand, and
made sure all of that agreed with all the documentation.

Fix error reporting in write_file and -rand
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3862)
      3ee1eac2
  27. 07 7月, 2017 1 次提交
  29. 19 6月, 2017 1 次提交
    • C
      s_client accepts host/port as positional argument. · 729ef856
      Cory Benfield 提交于 
      This allows the user to provide the target host and optional port to
openssl s_client as an optional positional argument, rather than as the
argument to the -connect flag. This rationalises the user experience of
s_client: given that the only logical purpose of s_client is to connect
to a host, it is difficult to understand why there is an (effectively
mandatory) command option to pass to make that happen.

This patch forbids providing *both* -connect and the positional
argument, because it would likely be too difficult to reconcile.
Otherwise, using the positional argument behaves exactly the same as
using -connect does.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1171)
      729ef856
  31. 17 6月, 2017 1 次提交
  33. 13 6月, 2017 1 次提交
  35. 06 6月, 2017 1 次提交
  37. 02 6月, 2017 1 次提交
  39. 28 4月, 2017 1 次提交
  41. 27 4月, 2017 1 次提交
  43. 25 4月, 2017 1 次提交
  45. 04 4月, 2017 1 次提交
  47. 30 3月, 2017 1 次提交
  49. 29 3月, 2017 1 次提交
  51. 03 3月, 2017 1 次提交
  53. 02 3月, 2017 1 次提交
  55. 22 2月, 2017 1 次提交
  57. 15 2月, 2017 1 次提交
  59. 08 2月, 2017 1 次提交
  61. 03 2月, 2017 1 次提交
  63. 18 11月, 2016 1 次提交
  65. 13 11月, 2016 1 次提交
  67. 02 11月, 2016 1 次提交
  69. 27 10月, 2016 1 次提交
  71. 18 10月, 2016 1 次提交
  73. 21 9月, 2016 1 次提交
  75. 15 9月, 2016 1 次提交
  77. 20 8月, 2016 1 次提交
  79. 06 8月, 2016 1 次提交