mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-02-17 14:32:04 +08:00
Code Issues Packages Projects Releases Wiki Activity
d9a7510747
openssl/crypto/err
History
Matt Caswell d9a7510747 Teach the RSA implementation about TLS RSA Key Transport 
In TLSv1.2 a pre-master secret value is passed from the client to the
server encrypted using RSA PKCS1 type 2 padding in a ClientKeyExchange
message. As well as the normal formatting rules for RSA PKCA1 type 2
padding TLS imposes some additional rules about what constitutes a well
formed key. Specifically it must be exactly the right length and
encode the TLS version originally requested by the client (as opposed to
the actual negotiated version) in its first two bytes.

All of these checks need to be done in constant time and, if they fail,
then the TLS implementation is supposed to continue anyway with a random
key (and therefore the connection will fail later on). This avoids
padding oracle type attacks.

This commit implements this within the RSA padding code so that we keep
all the constant time padding logic in one place. A later commit will
remove it from libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)
2019-12-05 16:12:18 +00:00
..
build.info ERR: Add new building blocks for reporting errors 2019-07-31 06:42:45 +02:00
err_all.c Cleanup: move remaining providers/common/include/internal/*.h 2019-10-10 14:12:15 +02:00
err_blocks.c Reorganize local header files 2019-09-28 20:26:35 +02:00
err_local.h Reorganize local header files 2019-09-28 20:26:35 +02:00
err_prn.c Check the return from OPENSSL_buf2hexstr() 2019-11-29 14:21:55 +00:00
err.c SERIALIZER: add support for serializing EVP_PKEYs 2019-11-29 20:55:16 +01:00
openssl.ec SERIALIZER: New API for serialization of objects through providers 2019-11-29 20:54:48 +01:00
openssl.txt Teach the RSA implementation about TLS RSA Key Transport 2019-12-05 16:12:18 +00:00
README

README 

Adding new libraries
--------------------

When adding a new sub-library to OpenSSL, assign it a library number
ERR_LIB_XXX, define a macro XXXerr() (both in err.h), add its
name to ERR_str_libraries[] (in crypto/err/err.c), and add
ERR_load_XXX_strings() to the ERR_load_crypto_strings() function
(in crypto/err/err_all.c). Finally, add an entry:

    L      XXX     xxx.h   xxx_err.c

to crypto/err/openssl.ec, and add xxx_err.c to the Makefile.
Running make errors will then generate a file xxx_err.c, and
add all error codes used in the library to xxx.h.

Additionally the library include file must have a certain form.
Typically it will initially look like this:

    #ifndef HEADER_XXX_H
    #define HEADER_XXX_H

    #ifdef __cplusplus
    extern "C" {
    #endif

    /* Include files */

    #include <openssl/bio.h>
    #include <openssl/x509.h>

    /* Macros, structures and function prototypes */


    /* BEGIN ERROR CODES */

The BEGIN ERROR CODES sequence is used by the error code
generation script as the point to place new error codes, any text
after this point will be overwritten when make errors is run.
The closing #endif etc will be automatically added by the script.

The generated C error code file xxx_err.c will load the header
files stdio.h, openssl/err.h and openssl/xxx.h so the
header file must load any additional header files containing any
definitions it uses.