#
2a538551 |
| 13-Nov-2019 |
Benjamin Kaduk |
Fix a race condition in SNI handling As was done for ciphers, supported groups, and EC point formats in https://github.com/openssl/openssl/pull/9162, only write the negotiated SNI ho
Fix a race condition in SNI handling As was done for ciphers, supported groups, and EC point formats in https://github.com/openssl/openssl/pull/9162, only write the negotiated SNI hostname value to the session object when not resuming, even for TLS 1.3 resumptions. Otherwise, when using a stateful session cache (as is done by default when 0-RTT data is enabled), we can have multiple SSLs active using the same in-memory session object, which leads to double-frees and similar race conditions in the SNI handler prior to this commit. Fortunately, since draft-ietf-tls-tls13-22, there is no requirement that the SNI hostname be preserved across TLS 1.3 resumption, and thus not a need to continually update the session object with the "current" value (to be used when producing session tickets, so that the subsequent resumption can be checked against the current value). So we can just relax the logic and only write to the session object for initial handshakes. This still leaves us in a somewhat inconsistent state, since if the SNI value does change across handshakes, the session object will continue to record the initial handshake's value, even if that bears no relation to the current handshake. The current SSL_get_servername() implementation prefers the value from the session if s->hit, but a more complete fix for that and related issues is underway in https://github.com/openssl/openssl/pull/10018; there is no need to wait for the complete fix for SNI name handling in order to close the race condition and avoid runtime crashes. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10441)
show more ...
|
#
6ed12cec |
| 09-Nov-2019 |
Ido Ben-Natan |
Fix misspelled resumption_label for CHARSET_EBCDIC The resumption_label variable when CHARSET_EBCDIC was enabled, was misspelled. Instead of evaluating to 'res binder' as expected, it ev
Fix misspelled resumption_label for CHARSET_EBCDIC The resumption_label variable when CHARSET_EBCDIC was enabled, was misspelled. Instead of evaluating to 'res binder' as expected, it evaluated to 'red binder'. CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10396)
show more ...
|
#
706457b7 |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source direc
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|
#
48102247 |
| 08-Aug-2019 |
opensslonzos-github |
Add missing EBCDIC strings Fix a few places where calling ossl_isdigit does the wrong thing on EBCDIC based systems. Replaced with ascii_isdigit. Reviewed-by: Tomas Mraz <tm
Add missing EBCDIC strings Fix a few places where calling ossl_isdigit does the wrong thing on EBCDIC based systems. Replaced with ascii_isdigit. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9556)
show more ...
|
#
59b2cb26 |
| 28-Jul-2019 |
raja-ashok |
Use allow_early_data_cb from SSL instead of SSL_CTX Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl
Use allow_early_data_cb from SSL instead of SSL_CTX Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9471)
show more ...
|
#
dd6b2706 |
| 16-Jul-2019 |
Pauli |
Remove tab characters from C source files. Some have been creeping into the source code. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/open
Remove tab characters from C source files. Some have been creeping into the source code. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/9397)
show more ...
|
#
cd0fb43c |
| 18-Jun-2019 |
Matt Caswell |
Following the previous 2 commits also move ecpointformats out of session The previous 2 commits moved supported groups and ciphers out of the session object to avoid race conditions. We
Following the previous 2 commits also move ecpointformats out of session The previous 2 commits moved supported groups and ciphers out of the session object to avoid race conditions. We now also move ecpointformats for consistency. There does not seem to be a race condition with access to this data since it is only ever set in a non-resumption handshake. However, there is no reason for it to be in the session. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9162)
show more ...
|
#
65dc5c3c |
| 13-Jun-2019 |
Matt Caswell |
Fix no-ec with no-dh Make sure that the combination of no-ec with no-dh builds successfully. If neither ec or dh are available then TLSv1.3 is not possible. Reviewed-by: Richard
Fix no-ec with no-dh Make sure that the combination of no-ec with no-dh builds successfully. If neither ec or dh are available then TLSv1.3 is not possible. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9156)
show more ...
|
#
dbc6268f |
| 13-Jun-2019 |
Matt Caswell |
Allow TLSv1.3 in a no-ec build Now that we have TLSv1.3 FFDHE support there is no reason why we should not allow TLSv1.3 to be used in a no-ec build. This commit enables that to happ
Allow TLSv1.3 in a no-ec build Now that we have TLSv1.3 FFDHE support there is no reason why we should not allow TLSv1.3 to be used in a no-ec build. This commit enables that to happen. It also fixes no-ec which was previously broken. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9156)
show more ...
|
#
555cbb32 |
| 12-Dec-2018 |
Todd Short |
Collapse ssl3_state_st (s3) into ssl_st With the removal of SSLv2, the s3 structure is always allocated, so there is little point in having it be an allocated pointer. Collapse the s
Collapse ssl3_state_st (s3) into ssl_st With the removal of SSLv2, the s3 structure is always allocated, so there is little point in having it be an allocated pointer. Collapse the ssl3_state_st structure into ssl_st and fixup any references. This should be faster than going through an indirection and due to fewer allocations, but I'm not seeing any significant performance improvement; it seems to be within the margin of error in timing. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7888)
show more ...
|
#
c96ce52c |
| 01-Mar-2019 |
Matt Caswell |
Don't write the tick_identity to the session Sessions must be immutable once they can be shared with multiple threads. We were breaking that rule by writing the ticket index into it duri
Don't write the tick_identity to the session Sessions must be immutable once they can be shared with multiple threads. We were breaking that rule by writing the ticket index into it during the handshake. This can lead to incorrect behaviour, including failed connections in multi-threaded environments. Reported by David Benjamin. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8383)
show more ...
|
Revision tags: OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i, OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1, OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g |
|
#
088dfa13 |
| 10-Jul-2017 |
Todd Short |
Add option to disable Extended Master Secret Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is se
Add option to disable Extended Master Secret Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is set, do not indicate that the EMS TLS extension was received in either the ssl3 object or the SSL_SESSION. Retain most of the sanity checks between the previous and current session during session resumption, but weaken the check when the current SSL object is configured to not use EMS. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3910)
show more ...
|
#
23fed8ba |
| 04-Jan-2019 |
Matt Caswell |
Don't complain if we receive the cryptopro extension in the ClientHello The cryptopro extension is supposed to be unsolicited and appears in the ServerHello only. Additionally it is unof
Don't complain if we receive the cryptopro extension in the ClientHello The cryptopro extension is supposed to be unsolicited and appears in the ServerHello only. Additionally it is unofficial and unregistered - therefore we should really treat it like any other unknown extension if we see it in the ClientHello. Fixes #7747 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7984)
show more ...
|
#
673e0bbb |
| 04-Jan-2019 |
Dmitry Belyavskiy |
Restore compatibility with GOST2001 implementations. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/op
Restore compatibility with GOST2001 implementations. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7985)
show more ...
|
#
2c18d164 |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in ssl/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7768)
|
#
0fb2815b |
| 04-Dec-2018 |
Matt Caswell |
Fix some SSL_export_keying_material() issues Fix some issues in tls13_hkdf_expand() which impact the above function for TLSv1.3. In particular test that we can use the maximum label leng
Fix some SSL_export_keying_material() issues Fix some issues in tls13_hkdf_expand() which impact the above function for TLSv1.3. In particular test that we can use the maximum label length in TLSv1.3. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7755)
show more ...
|
#
98732979 |
| 26-Oct-2018 |
Matt Caswell |
Separate ca_names handling for client and server SSL(_CTX)?_set_client_CA_list() was a server side only function in 1.1.0. If it was called on the client side then it was ignored. In 1.1
Separate ca_names handling for client and server SSL(_CTX)?_set_client_CA_list() was a server side only function in 1.1.0. If it was called on the client side then it was ignored. In 1.1.1 it now makes sense to have a CA list defined for both client and server (the client now sends it the the TLSv1.3 certificate_authorities extension). Unfortunately some applications were using the same SSL_CTX for both clients and servers and this resulted in some client ClientHellos being excessively large due to the number of certificate authorities being sent. This commit seperates out the CA list updated by SSL(_CTX)?_set_client_CA_list() and the more generic SSL(_CTX)?_set0_CA_list(). This means that SSL(_CTX)?_set_client_CA_list() still has no effect on the client side. If both CA lists are set then SSL(_CTX)?_set_client_CA_list() takes priority. Fixes #7411 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7503)
show more ...
|
#
2aaa0b14 |
| 22-Oct-2018 |
Benjamin Kaduk |
Restore sensible "sess_accept" counter tracking Commit 9ef9088c1585e13b9727796f15f77da64dbbe623 switched the SSL/SSL_CTX statistics counters to using Thread-Sanitizer-friendly primitives
Restore sensible "sess_accept" counter tracking Commit 9ef9088c1585e13b9727796f15f77da64dbbe623 switched the SSL/SSL_CTX statistics counters to using Thread-Sanitizer-friendly primitives. However, it erroneously converted an addition of -1 (for s->session_ctx->stats.sess_accept) to an addition of +1, since that is the only counter API provided by the internal tsan_assist.h header until the previous commit. This means that for each accepted (initial) connection, the session_ctx's counter would get doubly incremented, and the (switched) ctx's counter would also get incremented. Restore the counter decrement so that each accepted connection increments exactly one counter exactly once (in net effect). Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7464)
show more ...
|
#
60690b5b |
| 12-Sep-2018 |
Richard Levitte |
ssl/statem: Don't compare size_t with less than zero Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7194)
|
#
f01344cb |
| 07-Sep-2018 |
Matt Caswell |
Do not reset SNI data in SSL_do_handshake() PR #3783 introduce coded to reset the server side SNI state in SSL_do_handshake() to ensure any erroneous config time SNI changes are clea
Do not reset SNI data in SSL_do_handshake() PR #3783 introduce coded to reset the server side SNI state in SSL_do_handshake() to ensure any erroneous config time SNI changes are cleared. Unfortunately SSL_do_handshake() can be called mid-handshake multiple times so this is the wrong place to do this and can mean that any SNI data is cleared later on in the handshake too. Therefore move the code to a more appropriate place. Fixes #7014 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/7149)
show more ...
|
#
2c0267fd |
| 04-Sep-2018 |
Ben Kaduk |
Restore historical SSL_get_servername() behavior Commit 1c4aa31d79821dee9be98e915159d52cc30d8403 modified the state machine to clean up stale ext.hostname values from SSL objects in the
Restore historical SSL_get_servername() behavior Commit 1c4aa31d79821dee9be98e915159d52cc30d8403 modified the state machine to clean up stale ext.hostname values from SSL objects in the case when SNI was not negotiated for the current handshake. This is natural from the TLS perspective, since this information is an extension that the client offered but we ignored, and since we ignored it we do not need to keep it around for anything else. However, as documented in https://github.com/openssl/openssl/issues/7014 , there appear to be some deployed code that relies on retrieving such an ignored SNI value from the client, after the handshake has completed. Because the 1.1.1 release is on a stable branch and should preserve the published ABI, restore the historical behavior by retaining the ext.hostname value sent by the client, in the SSL structure, for subsequent retrieval. [extended tests] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7115)
show more ...
|
#
b5b993b2 |
| 20-Aug-2018 |
Matt Caswell |
Use the same min-max version range on the client consistently We need to ensure that the min-max version range we use when constructing the ClientHello is the same range we use when we v
Use the same min-max version range on the client consistently We need to ensure that the min-max version range we use when constructing the ClientHello is the same range we use when we validate the version selected by the ServerHello. Otherwise this may appear as a fallback or downgrade. Fixes #6964 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013)
show more ...
|
#
9ef9088c |
| 29-Jul-2018 |
Andy Polyakov |
ssl/*: switch to switch to Thread-Sanitizer-friendly primitives. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.
ssl/*: switch to switch to Thread-Sanitizer-friendly primitives. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
show more ...
|
#
1c4aa31d |
| 30-May-2018 |
Benjamin Kaduk |
Normalize SNI hostname handling for SSL and SSL_SESSION In particular, adhere to the rule that we must not modify any property of an SSL_SESSION object once it is (or might be) in a
Normalize SNI hostname handling for SSL and SSL_SESSION In particular, adhere to the rule that we must not modify any property of an SSL_SESSION object once it is (or might be) in a session cache. Such modifications are thread-unsafe and have been observed to cause crashes at runtime. To effect this change, standardize on the property that SSL_SESSION->ext.hostname is set only when that SNI value has been negotiated by both parties for use with that session. For session resumption this is trivially the case, so only new handshakes are affected. On the client, the new semantics are that the SSL->ext.hostname is for storing the value configured by the caller, and this value is used when constructing the ClientHello. On the server, SSL->ext.hostname is used to hold the value received from the client. Only if the SNI negotiation is successful will the hostname be stored into the session object; the server can do this after it sends the ServerHello, and the client after it has received and processed the ServerHello. This obviates the need to remove the hostname from the session object in case of failed negotiation (a change that was introduced in commit 9fb6cb810b769abbd60f11ef6e936a4e4456b19d in order to allow TLS 1.3 early data when SNI was present in the ClientHello but not the session being resumed), which was modifying cached sessions in certain cases. (In TLS 1.3 we always produce a new SSL_SESSION object for new connections, even in the case of resumption, so no TLS 1.3 handshakes were affected.) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6378)
show more ...
|
#
c9598459 |
| 07-Jun-2018 |
Matt Caswell |
Add setters to set the early_data callback Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openss
Add setters to set the early_data callback Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6469)
show more ...
|