- 30 10月, 2015 3 次提交
-
-
由 Matt Caswell 提交于
The new state machine code will split up the reading and writing of hanshake messages into discrete phases. In order to facilitate that the existing "get" type functions will be split into two halves: one to get the message and one to process it. The "send" type functions will also have all work relating to constructing the message split out into a separate function just for that. For some functions there will also be separate pre and post "work" phases to prepare or update state. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
This is the first drop of the new state machine code. The rewrite has the following objectives: - Remove duplication of state code between client and server - Remove duplication of state code between TLS and DTLS - Simplify transitions and bring the logic together in a single location so that it is easier to validate - Remove duplication of code between each of the message handling functions - Receive a message first and then work out whether that is a valid transition - not the other way around (the other way causes lots of issues where we are expecting one type of message next but actually get something else) - Separate message flow state from handshake state (in order to better understand each) - message flow state = when to flush buffers; handling restarts in the event of NBIO events; handling the common flow of steps for reading a message and the common flow of steps for writing a message etc - handshake state = what handshake message are we working on now - Control complexity: only the state machine can change state: keep all the state changes local to a file This builds on previous state machine related work: - Surface CCS processing in the state machine - Version negotiation rewrite Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
The function ssl3_get_message gets a whole message from the underlying bio and returns it to the state machine code. The new state machine code will split this into two discrete steps: get the message header and get the message body. This commit splits the existing function into these two sub steps to facilitate the state machine implementation. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 08 10月, 2015 1 次提交
-
-
由 Emilia Kasper 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 23 9月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The existing implementation of DTLSv1_listen() is fundamentally flawed. This function is used in DTLS solutions to listen for new incoming connections from DTLS clients. A client will send an initial ClientHello. The server will respond with a HelloVerifyRequest containing a unique cookie. The client the responds with a second ClientHello - which this time contains the cookie. Once the cookie has been verified then DTLSv1_listen() returns to user code, which is typically expected to continue the handshake with a call to (for example) SSL_accept(). Whilst listening for incoming ClientHellos, the underlying BIO is usually in an unconnected state. Therefore ClientHellos can come in from *any* peer. The arrival of the first ClientHello without the cookie, and the second one with it, could be interspersed with other intervening messages from different clients. The whole purpose of this mechanism is as a defence against DoS attacks. The idea is to avoid allocating state on the server until the client has verified that it is capable of receiving messages at the address it claims to come from. However the existing DTLSv1_listen() implementation completely fails to do this. It attempts to super-impose itself on the standard state machine and reuses all of this code. However the standard state machine expects to operate in a stateful manner with a single client, and this can cause various problems. A second more minor issue is that the return codes from this function are quite confused, with no distinction made between fatal and non-fatal errors. Most user code treats all errors as non-fatal, and simply retries the call to DTLSv1_listen(). This commit completely rewrites the implementation of DTLSv1_listen() and provides a stand alone implementation that does not rely on the existing state machine. It also provides more consistent return codes. Reviewed-by: NAndy Polyakov <appro@openssl.org>
-
- 12 8月, 2015 2 次提交
-
-
由 Guy Leaver (guleaver) 提交于
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the value of p set to 0 then a seg fault can occur. This commits adds a test to reject p, g and pub key parameters that have a 0 value (in accordance with RFC 5246) The security vulnerability only affects master and 1.0.2, but the fix is additionally applied to 1.0.1 for additional confidence. CVE-2015-1794 Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Matt Caswell 提交于
make errors wants things in a different order to the way things are currently defined in the header files. The easiest fix is to just let it reorder it. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 03 8月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The handling of incoming CCS records is a little strange. Since CCS is not a handshake message it is handled differently to normal handshake messages. Unfortunately whilst technically it is not a handhshake message the reality is that it must be processed in accordance with the state of the handshake. Currently CCS records are processed entirely within the record layer. In order to ensure that it is handled in accordance with the handshake state a flag is used to indicate that it is an acceptable time to receive a CCS. Previously this flag did not exist (see CVE-2014-0224), but the flag should only really be considered a workaround for the problem that CCS is not visible to the state machine. Outgoing CCS messages are already handled within the state machine. This patch makes CCS visible to the TLS state machine. A separate commit will handle DTLS. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 02 6月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Miscellaneous updates following review comments on the version negotiation rewrite patches. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 13 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Remove RFC2712 Kerberos support from libssl. This code and the associated standard is no longer considered fit-for-purpose. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 09 5月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Add SSL_use_certiicate_chain file functions: this is works the same way as SSL_CTX_use_certificate_chain_file but for an SSL structure. Update SSL_CONF code to use the new function. Update docs. Update ordinals. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 22 4月, 2015 1 次提交
-
-
由 Emilia Kasper 提交于
EAP-FAST session resumption relies on handshake message lookahead to determine server intentions. Commits 980bc1ec and 7b3ba508 removed the lookahead so broke session resumption. This change partially reverts the commits and brings the lookahead back in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not support regular session tickets, the lookahead now only checks for a Finished message. Regular handshakes are unaffected by this change. Reviewed-by: NDavid Benjamin <davidben@chromium.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 24 3月, 2015 1 次提交
-
-
由 Kurt Roeckx 提交于
It was saying that it was an illegal parameter / unsupported cipher Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 23 3月, 2015 2 次提交
-
-
由 Matt Caswell 提交于
Change ssl_set_handshake_header from return void to returning int, and handle error return code appropriately. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Ensure that all functions have their return values checked where appropriate. This covers all functions defined and called from within libssl. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 15 3月, 2015 1 次提交
-
-
由 Kurt Roeckx 提交于
It created the cert structure in SSL_CTX or SSL if it was NULL, but they can never be NULL as the comments already said. Reviewed-by: NDr. Stephen Henson <steve@openssl.org>
-
- 22 1月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 16 12月, 2014 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 11 12月, 2014 1 次提交
-
-
由 Jonas Maebe 提交于
Signed-off-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 05 12月, 2014 1 次提交
-
-
由 Emilia Kasper 提交于
Odd-length lists should be rejected everywhere upon parsing. Nevertheless, be extra careful and add guards against off-by-one reads. Also, drive-by replace inexplicable double-negation with an explicit comparison. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 04 12月, 2014 1 次提交
-
-
由 Kurt Roeckx 提交于
The only support for SSLv2 left is receiving a SSLv2 compatible client hello. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 28 11月, 2014 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 19 11月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
The supported signature algorithms extension needs to be processed before the certificate to use is decided and before a cipher is selected (as the set of shared signature algorithms supported may impact the choice). Reviewed-by: NMatt Caswell <matt@openssl.org> (cherry picked from commit 56e8dc542bd693b2dccea8828b3d8e5fc6932d0c) Conflicts: ssl/ssl.h ssl/ssl_err.c
-
- 24 10月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 15 10月, 2014 1 次提交
-
-
由 Bodo Moeller 提交于
Reviewed-by: NStephen Henson <steve@openssl.org>
-
- 22 8月, 2014 1 次提交
-
-
由 Emilia Kasper 提交于
Use existing error code SSL_R_RECORD_TOO_SMALL for too many empty records. For ease of backporting the patch to release branches. Reviewed-by: NBodo Moeller <bodo@openssl.org>
-
- 07 8月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Check SRP parameters when they are received so we can send back an appropriate alert. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 05 7月, 2014 1 次提交
-
-
由 Ben Laurie 提交于
-
- 04 7月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
-
- 01 5月, 2014 1 次提交
-
-
由 Matt Caswell 提交于
-
- 28 3月, 2014 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of a parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g DH parameters or the peer key size. Documentation to follow...
-
- 06 11月, 2013 1 次提交
-
-
由 Dr. Stephen Henson 提交于
-
- 25 9月, 2013 1 次提交
-
-
由 Ben Laurie 提交于
Conflicts: apps/s_server.c
-
- 18 9月, 2013 1 次提交
-
-
由 Dr. Stephen Henson 提交于
-
- 06 9月, 2013 1 次提交
-
-
由 Scott Deboy 提交于
Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions) Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API Tests exercising the new supplemental data registration and callback api can be found in ssltest.c. Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
-
- 14 6月, 2013 1 次提交
-
-
由 Adam Langley 提交于
in order to prevent ssl3_get_record from never returning. Reported by "oftc_must_be_destroyed" and George Kadianakis.
-
- 13 6月, 2013 1 次提交
-
-
由 Trevor 提交于
Contributed by Trevor Perrin.
-
- 14 4月, 2013 1 次提交
-
-
由 Dr. Stephen Henson 提交于
-
- 09 4月, 2013 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Check for Suite B support using method flags instead of version numbers: anything supporting TLS 1.2 cipher suites will also support Suite B. Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
-