- 13 8月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Use the PACKET API to process an incoming server Certificate message. Reviewed-by: NEmilia Käsper <emilia@openssl.org>
-
- 12 8月, 2015 2 次提交
-
-
由 Rich Salz 提交于
This was obsolete in 2001. This is not the same as Gost94 digest. Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Guy Leaver (guleaver) 提交于
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the value of p set to 0 then a seg fault can occur. This commits adds a test to reject p, g and pub key parameters that have a 0 value (in accordance with RFC 5246) The security vulnerability only affects master and 1.0.2, but the fix is additionally applied to 1.0.1 for additional confidence. CVE-2015-1794 Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 03 8月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
The handling of incoming CCS records is a little strange. Since CCS is not a handshake message it is handled differently to normal handshake messages. Unfortunately whilst technically it is not a handhshake message the reality is that it must be processed in accordance with the state of the handshake. Currently CCS records are processed entirely within the record layer. In order to ensure that it is handled in accordance with the handshake state a flag is used to indicate that it is an acceptable time to receive a CCS. Previously this flag did not exist (see CVE-2014-0224), but the flag should only really be considered a workaround for the problem that CCS is not visible to the state machine. Outgoing CCS messages are already handled within the state machine. This patch makes CCS visible to the TLS state machine. A separate commit will handle DTLS. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 30 7月, 2015 2 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Add support for RSAPSK, DHEPSK and ECDHEPSK client side. Update various checks to ensure certificate and server key exchange messages are only expected when required. Update message handling. PSK server key exchange parsing now expects an identity hint prefix for all PSK server key exchange messages. PSK client key exchange message requests PSK identity and key for all PSK key exchange ciphersuites and includes identity in message. Update flags for RSA, DH and ECDH so they are also used in PSK. Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 27 7月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
This flag was not set anywhere within the codebase (only read). It could only be set by an app reaching directly into s->s3->flags and setting it directly. However that method became impossible when libssl was opaquified. Even in 1.0.2/1.0.1 if an app set the flag directly it is only relevant to ssl3_connect(), which calls SSL_clear() during initialisation that clears any flag settings. Therefore it could take effect if the app set the flag after the handshake has started but before it completed. It seems quite unlikely that any apps really do this (especially as it is completely undocumented). The purpose of the flag is suppress flushing of the write bio on the client side at the end of the handshake after the client has written the Finished message whilst resuming a session. This enables the client to send application data as part of the same flight as the Finished message. This flag also controls the setting of a second flag SSL3_FLAGS_POP_BUFFER. There is an interesting comment in the code about this second flag in the implementation of ssl3_write: /* This is an experimental flag that sends the * last handshake message in the same packet as the first * use data - used to see if it helps the TCP protocol during * session-id reuse */ It seems the experiment did not work because as far as I can tell nothing is using this code. The above comment has been in the code since SSLeay. This commit removes support for SSL3_FLAGS_DELAY_CLIENT_FINISHED, as well as the associated SSL3_FLAGS_POP_BUFFER. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 29 6月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 24 6月, 2015 2 次提交
-
-
由 Dr. Stephen Henson 提交于
The PSK identity hint should be stored in the SSL_SESSION structure and not in the parent context (which will overwrite values used by other SSL structures with the same SSL_CTX). Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Dr. Stephen Henson 提交于
Rewrite ssl3_digest_cached_records handling. Only digest cached records if digest array is NULL: this means it is safe to call ssl3_digest_cached_records multiple times (subsequent calls are no op). Remove flag TLS1_FLAGS_KEEP_HANDSHAKE instead only update handshake buffer if digest array is NULL. Add additional "keep" parameter to ssl3_digest_cached_records to indicate if the handshake buffer should be retained after digesting cached records (needed for TLS 1.2 client authentication). Reviewed-by: NMatt Caswell <matt@openssl.org>
-
- 22 6月, 2015 5 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Dr. Stephen Henson 提交于
If RSA or DSA is disabled we will never use a ciphersuite with RSA/DSA authentication as it is already filtered out by the cipher list logic. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Dr. Stephen Henson 提交于
As numerous comments indicate the certificate and key array is not an appopriate structure to store the peers certificate: so remove it and just the s->session->peer instead. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 09 6月, 2015 2 次提交
-
-
由 Kurt Roeckx 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> MR #588
-
由 Kurt Roeckx 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> MR #588
-
- 04 6月, 2015 2 次提交
-
-
由 Matt Caswell 提交于
Remove a comment that suggested further clean up was required. DH_free() performs the necessary cleanup. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Matt Caswell 提交于
The session object on the client side is initially created during construction of the ClientHello. If the client is DTLS1.2 capable then it will store 1.2 as the version for the session. However if the server is only DTLS1.0 capable then when the ServerHello comes back the client switches to using DTLS1.0 from then on. However the session version does not get updated. Therefore when the client attempts to resume that session the server throws an alert because of an incorrect protocol version. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 02 6月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 25 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Version negotiation was broken (one of the late changes in the review process broke it). The problem is that TLS clients do not set first_packet, whereas TLS/DTLS servers and DTLS clients do. The simple fix is to set first_packet for TLS clients too. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 23 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Given the pervasive nature of TLS extensions it is inadvisable to run OpenSSL without support for them. It also means that maintaining the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably not well tested). Therefore it is being removed. Reviewed-by: NRich Salz <rsalz@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
- 21 5月, 2015 1 次提交
-
-
由 Kurt Roeckx 提交于
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 19 5月, 2015 4 次提交
-
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Dr. Stephen Henson 提交于
Reviewed-by: NRich Salz <rsalz@openssl.org>
-
由 Dr. Stephen Henson 提交于
Move per-connection state out of the CERT structure: which should just be for shared configuration data (e.g. certificates to use). In particular move temporary premaster secret, raw ciphers, peer signature algorithms and shared signature algorithms. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 16 5月, 2015 3 次提交
-
-
由 Matt Caswell 提交于
Move these functions into t1_clnt.c, t1_srvr.c and t1_meth.c and take advantage of the existing tls1_get*_method() functions that all the other methods are using. Since these now have to support SSLv3 anyway we might as well use the same set of get functions for both TLS and SSLv3. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
由 Matt Caswell 提交于
Miscellaneous updates following review comments on the version negotiation rewrite patches. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
由 Matt Caswell 提交于
Continuing from the previous commit this changes the way we do client side version negotiation. Similarly all of the s23* "up front" state machine code has been avoided and again things now work much the same way as they already did for DTLS, i.e. we just do most of the work in the ssl3_get_server_hello() function. Reviewed-by: NKurt Roeckx <kurt@openssl.org>
-
- 13 5月, 2015 1 次提交
-
-
由 Matt Caswell 提交于
Remove RFC2712 Kerberos support from libssl. This code and the associated standard is no longer considered fit-for-purpose. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 11 5月, 2015 1 次提交
-
-
由 Rich Salz 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 07 5月, 2015 1 次提交
-
-
由 Dr. Stephen Henson 提交于
If server requests a certificate, but the client doesn't send one, cache digested records. This is an optimisation and ensures the correct finished mac is used when extended master secret is used with client authentication. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 06 5月, 2015 2 次提交
-
-
由 Rich Salz 提交于
Just as with the OPENSSL_malloc calls, consistently use sizeof(*ptr) for memset and memcpy. Remove needless casts for those functions. For memset, replace alternative forms of zero with 0. Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Ensure all fatal errors transition into the new error state on the client side. Reviewed-by: NRich Salz <rsalz@openssl.org>
-
- 02 5月, 2015 2 次提交
-
-
由 Rich Salz 提交于
After the finale, the "real" final part. :) Do a recursive grep with "-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are an "if NULL" check that can be removed. Reviewed-by: NTim Hudson <tjh@openssl.org>
-
由 Rich Salz 提交于
There were a dozen-plus instances of this construct: if (0) { label: ..... } Reviewed-by: NTim Hudson <tjh@openssl.org>
-
- 01 5月, 2015 3 次提交
-
-
由 Rich Salz 提交于
Don't check for NULL before calling OPENSSL_free Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Add OPENSSL_clear_free which merges cleanse and free. (Names was picked to be similar to BN_clear_free, etc.) Removed OPENSSL_freeFunc macro. Fixed the small simple ones that are left: CRYPTO_free CRYPTO_free_locked OPENSSL_free_locked Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Rich Salz 提交于
Don't check for NULL before calling a free routine. This gets X509_.*free: x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free X509_STORE_free X509_STORE_CTX_free X509_PKEY_free X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free Reviewed-by: NRichard Levitte <levitte@openssl.org>
-