Commit graph

1747 commits

Author SHA1 Message Date
Emilia Kasper
10a70da729 client: reject handshakes with DH parameters < 768 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 14:54:51 +02:00
Matt Caswell
0d6d10d97d Prepare for 1.0.2b-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:34:56 +00:00
Matt Caswell
3df69d3aef Prepare for 1.0.2a release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:31:16 +00:00
Matt Caswell
da947c9758 Update CHANGES for release
Update CHANGES file with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
a8b1e52ff4 Fix CHANGES discrepancies
There were some discrepancies in the CHANGES file between the 1.0.1 version
and 1.0.2. This corrects it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
d6e903d188 Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Kurt Roeckx
f417997a32 Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-07 23:02:19 +01:00
Matt Caswell
06aab26874 Prepare for 1.0.2a-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-22 16:16:24 +00:00
Matt Caswell
4ac0329582 Prepare for 1.0.2 release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-22 16:12:26 +00:00
Matt Caswell
ba7e998d5b Updates to CHANGES for 1.0.2
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-22 15:14:15 +00:00
Dr. Stephen Henson
a936ba1148 use correct credit in CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4138e38825)
2015-01-06 22:41:27 +00:00
Dr. Stephen Henson
4b4c1fcc88 Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 12:45:10 +00:00
Andy Polyakov
1cfd7cf3cc CHANGES: mention "universal" ARM support.
This is re-commit without unrelated modification.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0548505f4c)
2015-01-06 12:15:40 +01:00
Andy Polyakov
2996157127 Revert "CHANGES: mention "universal" ARM support."
This reverts commit caeed719fe.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 12:12:15 +01:00
Andy Polyakov
caeed719fe CHANGES: mention "universal" ARM support.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4fec915069)
2015-01-06 11:21:12 +01:00
Dr. Stephen Henson
4aaf1e493c ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f876964)
2015-01-05 23:34:57 +00:00
Adam Langley
d9b277e085 Ensure that the session ID context of an SSL* is updated
when its SSL_CTX is updated.

From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 61aa44ca99)
2015-01-05 17:33:02 +01:00
Dr. Stephen Henson
85cfc188c0 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 684400ce19)
2015-01-05 14:36:06 +00:00
David Benjamin
03d14f5887 Do not resume a session if the negotiated protocol version does not match
the session's version (server).

See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 9e189b9dc1)
2014-11-20 16:31:35 +01:00
Emilia Kasper
0b9e82763f Clean up CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 31832e8ff1)

Conflicts:
	CHANGES
2014-11-20 15:19:42 +01:00
Emilia Kasper
e5f261df73 Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede)
2014-11-20 15:17:36 +01:00
Emilia Kasper
9baee0216f Always require an advertised NewSessionTicket message.
The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit de2c7504eb)
2014-11-20 15:17:36 +01:00
Emilia Kasper
4c75f4e5ca Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df2399)
2014-10-28 17:38:23 +01:00
Emilia Kasper
1380317483 Sync CHANGES
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-27 17:52:15 +01:00
Andy Polyakov
0ce2dbfb5b Add missing credit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9f4bd9d5f9)
2014-10-22 09:38:40 +02:00
Matt Caswell
84d4f99d31 Updates to CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-10-15 08:54:26 -04:00
Bodo Moeller
a46c705214 Support TLS_FALLBACK_SCSV.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 04:04:55 +02:00
Bodo Moeller
c578fe37d9 DTLS 1.2 support has been added to 1.0.2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-02 17:58:10 +02:00
Dr. Stephen Henson
5df07a7210 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:24:04 +01:00
Matt Caswell
5e60396fe7 Added 1.0.1i CHANGES and NEWS updates
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-09-25 21:29:25 +01:00
Emilia Kasper
e9128d9401 Note i2d_re_X509_tbs and related changes in CHANGES
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-23 18:26:42 +02:00
Andy Polyakov
d2a1226b81 CHANGES: mention ECP_NISTZ256.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 507efe7372)
2014-09-23 14:56:46 +02:00
Dr. Stephen Henson
2102c53caa Add CHANGES entry for SCT viewer code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b2774f6e17)
2014-09-05 13:45:45 +01:00
Bodo Moeller
be804523cf Clean up CHANGES files: If a change is already present in 1.0.1f or 1.0.1h,
don't list it again under changes between 1.0.1h and 1.0.2.
2014-08-01 18:38:56 +02:00
Bodo Moeller
d5213519c0 Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org
2014-08-01 17:27:59 +02:00
Andy Polyakov
0ae6ba18ab CHANGES: mention new platforms.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-07-22 20:18:06 +02:00
Dr. Stephen Henson
22db480daf Remove all RFC5878 code.
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs.
2014-07-04 13:42:05 +01:00
Richard Levitte
68a1e0bc35 Bring in the 1.0.1g to 1.0.1h changes into CHANGES. 2014-06-12 12:22:24 +02:00
Richard Levitte
ed6c278f60 Small cleanup, double entry in CHANGES. 2014-06-12 12:18:13 +02:00
mancha
e6a01b47e4 Fix version documentation.
Specify -f is for compilation flags. Add -d to synopsis section.

(cherry picked from commit 006397ea62bbcae22c8664d53c2222b808c4bdd1)

Closes #78.
2014-04-26 11:20:00 +01:00
mancha
3f1b3d9675 Fix eckey_priv_encode()
Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey.
2014-04-24 19:31:49 +00:00
Ben Laurie
3b21abfd6c Fix double frees.
Conflicts:
	CHANGES
2014-04-22 17:00:52 +01:00
Dr. Stephen Henson
13738d5fa1 update CHANGES 2014-04-07 21:56:34 +01:00
Dr. Stephen Henson
7e840163c0 Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
(cherry picked from commit 96db9023b8)
2014-04-07 19:25:34 +01:00
Dr. Stephen Henson
6411b83e52 Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
(cherry picked from commit cd6bd5ffda)

Conflicts:

	CHANGES
2014-04-05 20:49:09 +01:00
Dr. Stephen Henson
e9b4b8afbd Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
(cherry picked from commit 66e8211c0b)
2014-04-01 16:39:35 +01:00
Dr. Stephen Henson
0a9f7780e5 Fix for CVE-2014-0076
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be3483)

Conflicts:

	CHANGES
2014-03-12 14:23:21 +00:00
Scott Deboy
038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
2014-02-08 16:12:15 -08:00
Dr. Stephen Henson
802db0fab2 Sync CHANGES 2014-01-07 15:41:11 +00:00
Dr. Stephen Henson
b9fa413a08 Use algorithm specific chains for certificates.
Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.

Update docs.
(cherry picked from commit a4339ea3ba)

Conflicts:

	CHANGES
2014-01-03 22:45:20 +00:00