- 27 5月, 2021 2 次提交
- 17 3月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NPaul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/11344)
-
- 14 3月, 2020 2 次提交
-
-
由 Benjamin Kaduk 提交于
The server-side ChangeCipherState processing stores the new cipher in the SSL_SESSION object, so that the new state can be used if this session gets resumed. However, writing to the session is only thread-safe for initial handshakes, as at other times the session object may be in a shared cache and in use by another thread at the same time. Reflect this invariant in the code by only writing to s->session->cipher when it is currently NULL (we do not cache sessions with no cipher). The code prior to this change would never actually change the (non-NULL) cipher value in a session object, since our server enforces that (pre-TLS-1.3) resumptions use the exact same cipher as the initial connection, and non-abbreviated renegotiations have produced a new session object before we get to this point. Regardless, include logic to detect such a condition and abort the handshake if it occurs, to avoid any risk of inadvertently using the wrong cipher on a connection. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10943) (cherry picked from commit 2e3ec2e1578977fca830a47fd7f521e290540e6d)
-
由 Benjamin Kaduk 提交于
TLS 1.3 maintains a separate keys chedule in the SSL object, but was writing to the 'master_key_length' field in the SSL_SESSION when generating the per-SSL master_secret. (The generate_master_secret SSL3_ENC_METHOD function needs an output variable for the master secret length, but the TLS 1.3 implementation just uses the output size of the handshake hash function to get the lengths, so the only natural-looking thing to use as the output length was the field in the session. This would potentially involve writing to a SSL_SESSION object that was in the cache (i.e., resumed) and shared with other threads, though. The thread-safety impact should be minimal, since TLS 1.3 requires the hash from the original handshake to be associated with the resumption PSK and used for the subsequent connection. This means that (in the resumption case) the value being written would be the same value that was previously there, so the only risk would be on architectures that can produce torn writes/reads for aligned size_t values. Since the value is essentially ignored anyway, just provide the address of a local dummy variable to generate_master_secret() instead. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10943) (cherry picked from commit d74014c4b8740f28a54b562f799ad1e754b517b9)
-
- 27 2月, 2020 1 次提交
-
-
由 h00416433 提交于
Description:openssl 1.1.1d used bu libhapverify Team:OTHERS Feature or Bugfix:Feature Binary Source:Yes, it is PrivateCode(Yes/No):No Change-Id: I8968f9c0f146b587da17a3e603bd04fb7b4c505b Reviewed-on: http://mgit-tm.rnd.huawei.com/7842784Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com> Reviewed-by: Nhouyuezhou 00386575 <hou@huawei.com> Reviewed-by: Nlinyibin 00246405 <linyibin@huawei.com> Reviewed-by: Nweiping 00548480 <ping.wei@huawei.com>
-
- 31 1月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
If the servername cb decides to send back a warning alert then the handshake continues, but we should not signal to the client that the servername has been accepted. Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/10018) (cherry picked from commit cd624ccd41ac3ac779c1c7a7a1e63427ce9588dd)
-
由 Matt Caswell 提交于
The SNI behaviour for TLSv1.3 and the behaviour of SSL_get_servername() was not quite right, and not entirely consistent with the RFC. The TLSv1.3 RFC explicitly says that SNI is negotiated on each handshake and the server is not required to associate it with the session. This was not quite reflected in the code so we fix that. Additionally there were some additional checks around early_data checking that the SNI between the original session and this session were consistent. In fact the RFC does not require any such checks, so they are removed. Finally the behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. We clarify the behaviour in various scenarios and also attempt to make it match historical behaviour as closely as possible. Fixes #8822 Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/10018) (cherry picked from commit 7955c1f16e72dc944677fd1dbf4b1300e75f1c84)
-
- 15 12月, 2019 1 次提交
-
-
由 Dmitry Belyavskiy 提交于
Large GOST ClientKeyExchange messages are sent by VipNet CSP, one of Russian certified products implementing GOST TLS, when a server certificate contains 512-bit keys. This behaviour was present in 1.0.2 branch and needs to be restored. Backport of #10376 Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10376)
-
- 22 11月, 2019 1 次提交
-
-
由 Benjamin Kaduk 提交于
As was done for ciphers, supported groups, and EC point formats in https://github.com/openssl/openssl/pull/9162, only write the negotiated SNI hostname value to the session object when not resuming, even for TLS 1.3 resumptions. Otherwise, when using a stateful session cache (as is done by default when 0-RTT data is enabled), we can have multiple SSLs active using the same in-memory session object, which leads to double-frees and similar race conditions in the SNI handler prior to this commit. Fortunately, since draft-ietf-tls-tls13-22, there is no requirement that the SNI hostname be preserved across TLS 1.3 resumption, and thus not a need to continually update the session object with the "current" value (to be used when producing session tickets, so that the subsequent resumption can be checked against the current value). So we can just relax the logic and only write to the session object for initial handshakes. This still leaves us in a somewhat inconsistent state, since if the SNI value does change across handshakes, the session object will continue to record the initial handshake's value, even if that bears no relation to the current handshake. The current SSL_get_servername() implementation prefers the value from the session if s->hit, but a more complete fix for that and related issues is underway in https://github.com/openssl/openssl/pull/10018; there is no need to wait for the complete fix for SNI name handling in order to close the race condition and avoid runtime crashes. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10441) (cherry picked from commit 2a5385511051d33be8d2b20d7669d8b1862fe510)
-
- 12 11月, 2019 1 次提交
-
-
由 Ido Ben-Natan 提交于
The resumption_label variable when CHARSET_EBCDIC was enabled, was misspelled. Instead of evaluating to 'res binder' as expected, it evaluated to 'red binder'. CLA: trivial Reviewed-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10396) (cherry picked from commit 6ed12cec7216c3e81b58f5cafa41775e456feaee)
-
- 08 11月, 2019 1 次提交
-
-
由 z00416851 提交于
Description:openssl开源社区安全补丁 Team:EMUI Feature or Bugfix:Feature Binary Source:NA PrivateCode(Yes/No):No Change-Id: Ia942e70461a3a5337de001ab0f40604776fe8f91 Reviewed-on: http://mgit-tm.rnd.huawei.com/6664137Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com> Reviewed-by: Nyanglijun 00294367 <yanglijun@huawei.com> Reviewed-by: Nluomeiling 00216346 <luomeiling@huawei.com> Reviewed-by: Nshenchunlong 00356424 <shenchunlong@huawei.com>
-
- 10 10月, 2019 1 次提交
-
-
由 Artiom Vaskov 提交于
ssl/statem/statem_lib.c: make servercontext/clientcontext arrays of chars instead of char pointers to fix EBCDIC builds. Fixes #9869 CLA:trivial Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9878)
-
- 03 10月, 2019 1 次提交
-
-
由 NaveenShivanna86 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/9653) (cherry picked from commit e7c27a6c3716843f8412fd96311b70ac84b785f9)
-
- 28 9月, 2019 1 次提交
-
-
由 Dr. Matthias St. Pierre 提交于
Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9681)
-
- 06 9月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
If a TLSv1.3 server configured to respond to the status_request extension also attempted to send a CertificateRequest then it was incorrectly inserting a non zero length status_request extension into that message. The TLSv1.3 RFC does allow that extension in that message but it must always be zero length. In fact we should not be sending the extension at all in that message because we don't support it. Fixes #9767 Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9780) (cherry picked from commit debb64a0ca43969eb3f043aa8895a4faa7f12b6e)
-
- 14 8月, 2019 1 次提交
-
-
由 opensslonzos-github 提交于
Fix a few places where calling ossl_isdigit does the wrong thing on EBCDIC based systems. Replaced with ascii_isdigit. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9556) (cherry picked from commit 48102247ff513d4c57b40b19c1d432f37b9e4b02)
-
- 01 8月, 2019 1 次提交
-
-
由 raja-ashok 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9471) (cherry picked from commit 59b2cb2638dda3e07385ad36a41f0e141b36987b)
-
- 26 7月, 2019 1 次提交
-
-
由 David Benjamin 提交于
tls_parse_stoc_key_share was generating a new EVP_PKEY public/private keypair and then overrides it with the server public key, so the generation was a waste anyway. Instead, it should create a parameters-only EVP_PKEY. (This is a consequence of OpenSSL using the same type for empty key, empty key with key type, empty key with key type + parameters, public key, and private key. As a result, it's easy to mistakenly mix such things up, as happened here.) Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9445) (cherry picked from commit 166c0b98fd6e8b1bb341397642527a9396468f6c)
-
- 27 6月, 2019 1 次提交
-
-
由 Benjamin Kaduk 提交于
This reverts commit 524006dd1b80c1a86a20119ad988666a80d8d8f5. While this change did prevent the sigalgs from getting inadvertently clobbered by SSL_set_SSL_CTX(), it also caused the sigalgs to not be set when the cert_cb runs. This, in turn, caused significant breakage, such as SSL_check_chain() failing to find any valid chain. An alternate approach to fixing the issue from #7244 will follow. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9157) (cherry picked from commit 6f34d7bc7d0c7fcd86c6f2772f26e42c925d8505)
-
- 18 6月, 2019 3 次提交
-
-
由 Matt Caswell 提交于
The previous 2 commits moved supported groups and ciphers out of the session object to avoid race conditions. We now also move ecpointformats for consistency. There does not seem to be a race condition with access to this data since it is only ever set in a non-resumption handshake. However, there is no reason for it to be in the session. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9176)
-
由 Matt Caswell 提交于
Similarly to the previous commit we were storing the peer offered list of ciphers in the session. In practice there is no need for this information to be avilable from one resumption to the next since this list is specific to a particular handshake. Since the session object is supposed to be immutable we should not be updating it once we have decided to resume. The solution is to remove the session list out of the session object. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9176)
-
由 Matt Caswell 提交于
In TLSv1.3 the supported groups can be negotiated each time a handshake occurs, regardless of whether we are resuming or not. We should not store the supported groups information in the session because session objects can be shared between multiple threads and we can end up with race conditions. For most users this won't be seen because, by default, we use stateless tickets in TLSv1.3 which don't get shared. However if you use SSL_OP_NO_TICKET (to get stateful tickets in TLSv1.3) then this can happen. The answer is to move the supported the supported group information into the SSL object instead. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9176)
-
- 03 6月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
If we receive a KeyUpdate message (update requested) from the peer while we are in the middle of a write, we should defer sending the responding KeyUpdate message until after the current write is complete. We do this by waiting to send the KeyUpdate until the next time we write and there is no pending write data. This does imply a subtle change in behaviour. Firstly the responding KeyUpdate message won't be sent straight away as it is now. Secondly if the peer sends multiple KeyUpdates without us doing any writing then we will only send one response, as opposed to previously where we sent a response for each KeyUpdate received. Fixes #8677 Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/8773) (cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99)
-
- 30 5月, 2019 1 次提交
-
-
由 z00415736 提交于
This reverts commit dfe61e61. Change-Id: I397f096843a3952cc6df1ef76ac6e666ac466195 Reviewed-on: http://mgit-tm.rnd.huawei.com/5015417Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com> Reviewed-by: Nwangyanbo 00291255 <wangyanbo3@huawei.com> Reviewed-by: Ntenghui 00211420 <th.tenghui@huawei.com>
-
- 28 5月, 2019 2 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9034)
-
由 z00415736 提交于
This reverts commit 487cd50bbe2cd30aedfcb35fda706061c05628e9. Change-Id: I03d4dcc6246c1037abc8afc34ddec50ba0a8451f Reviewed-on: http://mgit-tm.rnd.huawei.com/5004161Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com> Reviewed-by: Ngaokui 00368537 <gaokui1@huawei.com> Reviewed-by: Nliwei 00495960 <sirius.liwei@huawei.com>
-
- 27 5月, 2019 1 次提交
-
-
由 z00415736 提交于
Description:D-Transport: Connection Setup on Server side Team:OTHERS Feature or Bugfix:Feature Binary Source:No PrivateCode(Yes/No):No Change-Id: I1214f2f74b233555f2903a23990640852e42cca6 Reviewed-on: http://mgit-tm.rnd.huawei.com/4999713Reviewed-by: Nwangyanbo 00291255 <wangyanbo3@huawei.com> Tested-by: Npublic jenkins <public_jenkins@notesmail.huawei.com> Reviewed-by: Ngaokui 00368537 <gaokui1@huawei.com> Reviewed-by: Ntenghui 00211420 <th.tenghui@huawei.com>
-
- 28 3月, 2019 1 次提交
-
-
由 Paul Monson 提交于
CLA: trivial Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8590) (cherry picked from commit 0b885f72c2b18c57173e134a03ed013cd1ac361e)
-
- 05 3月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
Sessions must be immutable once they can be shared with multiple threads. We were breaking that rule by writing the ticket index into it during the handshake. This can lead to incorrect behaviour, including failed connections in multi-threaded environments. Reported by David Benjamin. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8383) (cherry picked from commit c96ce52ce293785b54a42d119c457aef739cc2ce)
-
- 26 2月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8347)
-
- 23 2月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
Prior to this commit we were keeping a count of how many KeyUpdates we have processed and failing if we had had too many. This simplistic approach is not sufficient for long running connections. Since many KeyUpdates would not be a particular good DoS route anyway, the simplest solution is to simply remove the key update count. Fixes #8068 Reviewed-by: NKurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/8299) (cherry picked from commit 3409a5ff8a44ddaf043d83ed22e657ae871be289)
-
- 15 2月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message exchange in TLSv1.3. Unfortunately experience has shown that this confuses some applications who mistake it for a TLSv1.2 renegotiation. This means that KeyUpdate messages are not handled properly. This commit removes the use of SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake message exchange. Individual post-handshake messages are still signalled in the normal way. This is a potentially breaking change if there are any applications already written that expect to see these TLSv1.3 events. However, without it, KeyUpdate is not currently usable for many applications. Fixes #8069 Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8096) (cherry picked from commit 4af5836b55442f31795eff6c8c81ea7a1b8cf94b)
-
- 01 2月, 2019 1 次提交
-
-
由 Michael Tuexen 提交于
When computing the end-point shared secret, don't take the terminating NULL character into account. Please note that this fix breaks interoperability with older versions of OpenSSL, which are not fixed. Fixes #7956 Reviewed-by: NKurt Roeckx <kurt@roeckx.be> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7957) (cherry picked from commit 09d62b336d9e2a11b330d45d4f0f3f37cbb0d674)
-
- 24 1月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
This commit erroneously kept the DTLS timer running after the end of the handshake. This is not correct behaviour and shold be reverted. This reverts commit f7506416. Fixes #7998 Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8047) (cherry picked from commit bcc1f3e2baa9caa83a0a94bd19fb37488ef3ee57)
-
- 09 1月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
We were setting a limit of SSL3_RT_MAX_PLAIN_LENGTH on the size of the ClientHello. AFAIK there is nothing in the standards that requires this limit. The limit goes all the way back to when support for extensions was first added for TLSv1.0. It got converted into a WPACKET max size in 1.1.1. Most likely it was originally added to avoid the complexity of having to grow the init_buf in the middle of adding extensions. With WPACKET this is irrelevant since it will grow automatically. This issue came up when an attempt was made to send a very large certificate_authorities extension in the ClientHello. We should just remove the limit. Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NViktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7424) (cherry picked from commit 7835e97b6ff5cd94a10c5aeac439f4aa145a77b2)
-
- 07 1月, 2019 1 次提交
-
-
由 Matt Caswell 提交于
The cryptopro extension is supposed to be unsolicited and appears in the ServerHello only. Additionally it is unofficial and unregistered - therefore we should really treat it like any other unknown extension if we see it in the ClientHello. Fixes #7747 Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7984) (cherry picked from commit 23fed8ba0ec895e1b2a089cae380697f15170afc)
-
- 06 1月, 2019 1 次提交
-
-
由 Dmitry Belyavskiy 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7985) (cherry picked from commit 673e0bbbe4b9cbd19a247c0b18c171bb0421915a)
-
- 05 12月, 2018 1 次提交
-
-
由 Matt Caswell 提交于
Fix some issues in tls13_hkdf_expand() which impact the above function for TLSv1.3. In particular test that we can use the maximum label length in TLSv1.3. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7755) (cherry picked from commit 0fb2815b873304d145ed00283454fc9f3bd35e6b)
-
- 27 11月, 2018 1 次提交
-
-
由 Paul Yang 提交于
If compile OpenSSL with SSL_DEBUG macro, some test cases will cause the process crashed in the debug code. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7707) (cherry picked from commit 5a4481f0e0bbf836c7f41805e84617784cb6b1db)
-