Commit graph

1338 commits

Author SHA1 Message Date
Andy Polyakov
4d8da30fc1 ssl/s3_[clnt|srvr].c: fix warnings. 2013-02-09 19:50:34 +01:00
Andy Polyakov
579f3a631e s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal.
(cherry picked from commit f93a41877d)
2013-02-08 21:37:07 +01:00
Andy Polyakov
47061af106 s3_cbc.c: get rid of expensive divisions [from master].
(cherry picked from commit e9baceab5a)
2013-02-08 17:00:46 +01:00
Ben Laurie
496681cd51 Remove extraneous brackets (clang doesn't like them). 2013-02-07 16:17:43 -08:00
Andy Polyakov
8545f73b89 ssl/[d1|s3]_pkt.c: harmomize orig_len handling. 2013-02-07 22:47:05 +01:00
Dr. Stephen Henson
32cc2479b4 Fix IV check and padding removal.
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)

For AEAD remove the correct number of padding bytes (by Andy)
2013-02-07 21:06:37 +00:00
Adam Langley
f306b87d76 Fix for EXP-RC2-CBC-MD5
MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
2013-02-06 16:05:40 +00:00
Dr. Stephen Henson
0d589ac150 make update 2013-02-04 21:29:41 +00:00
Dr. Stephen Henson
35d732fc2e Fix error codes. 2013-02-04 21:13:18 +00:00
Andy Polyakov
125093b59f e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
2013-02-02 19:35:09 +01:00
Andy Polyakov
ec07246a08 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. 2013-02-01 15:34:09 +01:00
Dr. Stephen Henson
04e45b52ee Don't access EVP_MD_CTX internals directly. 2013-02-01 14:12:27 +00:00
Andy Polyakov
d5371324d9 s3/s3_cbc.c: allow for compilations with NO_SHA256|512. 2013-02-01 10:31:59 +01:00
Andy Polyakov
36260233e7 ssl/s3_cbc.c: md_state alignment portability fix.
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
2013-02-01 10:31:52 +01:00
Andy Polyakov
cab13fc847 ssl/s3_cbc.c: uint64_t portability fix.
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
2013-02-01 10:31:23 +01:00
Dr. Stephen Henson
34ab3c8c71 typo. 2013-01-31 23:04:39 +00:00
Dr. Stephen Henson
b908e88ec1 Timing fix mitigation for FIPS mode.
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
2013-01-31 12:34:10 +00:00
Ben Laurie
014265eb02 Oops. Add missing file. 2013-01-28 18:24:55 +00:00
Ben Laurie
9f27de170d Update DTLS code to match CBC decoding in TLS.
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
2013-01-28 17:34:33 +00:00
Ben Laurie
6cb19b7681 Don't crash when processing a zero-length, TLS >= 1.1 record.
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
2013-01-28 17:33:18 +00:00
Ben Laurie
e130841bcc Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
2013-01-28 17:31:49 +00:00
Ben Laurie
2ee798880a Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
2013-01-28 17:30:38 +00:00
Dr. Stephen Henson
7c3562947a reject zero length point format list or supported curves extensions 2012-11-22 14:15:25 +00:00
Dr. Stephen Henson
07eaaab2f6 add "missing" TLSv1.2 cipher alias 2012-11-15 19:15:20 +00:00
Dr. Stephen Henson
353e845120 Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.

Note for 1.0.1 and earlier also includes backport of the function
ssl_get_server_send_pkey.
2012-09-21 14:01:59 +00:00
Richard Levitte
d1451f18d9 * ssl/t1_enc.c (tls1_change_cipher_state): Stupid bug. Fortunately in
debugging code that's seldom used.
2012-09-21 13:08:28 +00:00
Ben Laurie
70d91d60bc Call OCSP Stapling callback after ciphersuite has been chosen, so the
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent.

See http://rt.openssl.org/Ticket/Display.html?id=2836.
2012-09-17 14:39:38 +00:00
Dr. Stephen Henson
c64c0e03d3 don't use pseudo digests for default values of keys 2012-06-27 14:11:40 +00:00
Ben Laurie
af454b5bb0 Reduce version skew. 2012-06-08 09:18:47 +00:00
Andy Polyakov
5b2bbf37fa s2_clnt.c: compensate for compiler bug [from HEAD]. 2012-05-16 18:22:27 +00:00
Dr. Stephen Henson
6e164e5c3d PR: 2811
Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.
2012-05-11 13:32:26 +00:00
Dr. Stephen Henson
1b452133ae PR: 2806
Submitted by: PK <runningdoglackey@yahoo.com>

Correct ciphersuite signature algorithm definitions.
2012-05-10 18:24:32 +00:00
Dr. Stephen Henson
d414a5a0f0 Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and
DTLS to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
2012-05-10 15:10:15 +00:00
Richard Levitte
9eb4460e68 Don't forget to install srtp.h as well 2012-05-10 15:01:22 +00:00
Dr. Stephen Henson
6984d16671 oops, revert unrelated change 2012-05-10 13:38:18 +00:00
Dr. Stephen Henson
5b9d0995a1 Reported by: Solar Designer of Openwall
Make sure tkeylen is initialised properly when encrypting CMS messages.
2012-05-10 13:34:22 +00:00
Dr. Stephen Henson
c76b7a1a82 Don't try to use unvalidated composite ciphers in FIPS mode 2012-04-26 18:49:45 +00:00
Dr. Stephen Henson
502dfeb8de Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
2012-04-25 23:08:44 +00:00
Andy Polyakov
5bbed29518 s23_clnt.c: ensure interoperability by maitaining client "version capability"
vector contiguous [from HEAD].
PR: 2802
2012-04-25 22:07:23 +00:00
Dr. Stephen Henson
dedfe959dd correct error code 2012-04-18 14:53:48 +00:00
Bodo Möller
4d936ace08 Disable SHA-2 ciphersuites in < TLS 1.2 connections.
(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)

Submitted by: Adam Langley
2012-04-17 15:20:17 +00:00
Dr. Stephen Henson
89bd25eb26 Additional workaround for PR#2771
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.

Document workarounds in CHANGES.
2012-04-17 14:41:23 +00:00
Dr. Stephen Henson
4a1cf50187 Partial workaround for PR#2771.
Some servers hang when presented with a client hello record length exceeding
255 bytes but will work with longer client hellos if the TLS record version
in client hello does not exceed TLS v1.0. Unfortunately this doesn't fix all
cases...
2012-04-17 13:20:19 +00:00
Andy Polyakov
32e12316e5 OPENSSL_NO_SOCK fixes [from HEAD].
PR: 2791
Submitted by: Ben Noordhuis
2012-04-16 17:43:15 +00:00
Andy Polyakov
c2770c0e0e s3_srvr.c: fix typo [from HEAD].
PR: 2538
2012-04-15 17:23:41 +00:00
Andy Polyakov
371056f2b9 e_aes_cbc_hmac_sha1.c: handle zero-length payload and engage empty frag
countermeasure [from HEAD].

PR: 2778
2012-04-15 14:23:03 +00:00
Andy Polyakov
3f98d7c0b5 ssl/ssl_ciph.c: interim solution for assertion in d1_pkt.c(444) [from HEAD].
PR: 2778
2012-04-04 20:51:27 +00:00
Dr. Stephen Henson
63e8f16737 PR: 2778(part)
Submitted by: John Fitzgibbon <john_fitzgibbon@yahoo.com>

Time is always encoded as 4 bytes, not sizeof(Time).
2012-03-31 18:02:43 +00:00
Dr. Stephen Henson
418044cbab Experimental workaround to large client hello issue (see PR#2771).
If OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
only.
2012-03-29 19:08:54 +00:00
Dr. Stephen Henson
78c5d2a9bb use client version when deciding whether to send supported signature algorithms extension 2012-03-21 21:32:57 +00:00
Andy Polyakov
9cc42cb091 ssl/t1_enc.c: pay attention to EVP_CIPH_FLAG_CUSTOM_CIPHER [from HEAD]. 2012-03-13 19:21:15 +00:00
Dr. Stephen Henson
267c950c5f Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Add more extension names in s_cb.c extension printing code.
2012-03-09 18:37:41 +00:00
Dr. Stephen Henson
ce1605b508 PR: 2756
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix DTLS timeout handling.
2012-03-09 15:52:20 +00:00
Dr. Stephen Henson
25bfdca16a PR: 2755
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions.
2012-03-06 13:47:27 +00:00
Dr. Stephen Henson
9c284f9651 PR: 2748
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix possible DTLS timer deadlock.
2012-03-06 13:24:16 +00:00
Dr. Stephen Henson
a54ce007e6 PR: 2739
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix padding bugs in Heartbeat support.
2012-02-27 16:38:10 +00:00
Dr. Stephen Henson
f1fa05b407 ABI compliance fixes.
Move new structure fields to end of structures.

Import library codes from 1.0.0 and recreate new ones.
2012-02-22 14:01:44 +00:00
Dr. Stephen Henson
b935714237 typo 2012-02-17 17:31:32 +00:00
Dr. Stephen Henson
a8314df902 Fix bug in CVE-2011-4619: check we have really received a client hello
before rejecting multiple SGC restarts.
2012-02-16 15:25:39 +00:00
Dr. Stephen Henson
d40abf1689 Submitted by: Eric Rescorla <ekr@rtfm.com>
Further fixes for use_srtp extension.
2012-02-11 22:53:48 +00:00
Dr. Stephen Henson
c489ea7d01 PR: 2704
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>

Fix srp extension.
2012-02-10 20:08:49 +00:00
Dr. Stephen Henson
943cc09d8a Submitted by: Eric Rescorla <ekr@rtfm.com>
Fix encoding of use_srtp extension to be compliant with RFC5764
2012-02-10 00:03:37 +00:00
Dr. Stephen Henson
fc6800d19f Modify client hello version when renegotiating to enhance interop with
some servers.
2012-02-09 15:41:44 +00:00
Dr. Stephen Henson
adcea5a043 return error if md is NULL 2012-01-22 13:12:50 +00:00
Dr. Stephen Henson
2dc4b0dbe8 Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
2012-01-18 18:14:56 +00:00
Andy Polyakov
c8e0b5d7b6 1.0.1-specific OPNESSL vs. OPENSSL typo.
PR: 2613
Submitted by: Leena Heino
2012-01-15 13:42:50 +00:00
Dr. Stephen Henson
285d9189c7 PR: 2652
Submitted by: Arpadffy Zoltan <Zoltan.Arpadffy@scientificgames.se>

OpenVMS fixes.
2012-01-05 14:30:08 +00:00
Bodo Möller
409d2a1b71 Fix for builds without DTLS support.
Submitted by: Brian Carlstrom
2012-01-05 10:22:39 +00:00
Dr. Stephen Henson
e0b9678d7f PR: 2671
Submitted by: steve

Update maximum message size for certifiate verify messages to support
4096 bit RSA keys again as TLS v1.2 messages is two bytes longer.
2012-01-05 00:28:29 +00:00
Dr. Stephen Henson
166dea6ac8 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Send fatal alert if heartbeat extension has an illegal value.
2012-01-05 00:23:31 +00:00
Dr. Stephen Henson
0044739ae5 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>
Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
2012-01-04 23:52:05 +00:00
Dr. Stephen Henson
4e44bd3650 Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) 2012-01-04 23:13:29 +00:00
Dr. Stephen Henson
aaa3850ccd Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 23:07:54 +00:00
Dr. Stephen Henson
1cb4d65b87 Submitted by: Adam Langley <agl@chromium.org>
Reviewed by: steve

Fix memory leaks.
2012-01-04 14:25:28 +00:00
Dr. Stephen Henson
7b2dd292bc only send heartbeat extension from server if client sent one 2012-01-03 22:03:07 +00:00
Dr. Stephen Henson
d9834ff24b make update 2012-01-02 16:41:11 +00:00
Dr. Stephen Henson
bd6941cfaa PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 23:00:36 +00:00
Dr. Stephen Henson
5c05f69450 make update 2011-12-27 14:38:27 +00:00
Dr. Stephen Henson
b300fb7734 PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

- remove some unncessary SSL_err and permit
an srp user callback to allow a worker to obtain
a user verifier.

- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup
2011-12-27 14:23:22 +00:00
Dr. Stephen Henson
f89af47438 PR: 2326
Submitted by: Tianjie Mao <tjmao@tjmao.net>
Reviewed by: steve

Fix incorrect comma expressions and goto f_err as alert has been set.
2011-12-26 19:38:09 +00:00
Dr. Stephen Henson
e065e6cda2 PR: 2535
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Add SCTP support for DTLS (RFC 6083).
2011-12-25 14:45:40 +00:00
Dr. Stephen Henson
60553cc209 typo 2011-12-23 15:03:16 +00:00
Dr. Stephen Henson
2d4c9ab518 delete unimplemented function from header file, update ordinals 2011-12-23 14:10:35 +00:00
Dr. Stephen Henson
242f8d644c remove prototype for deleted SRP function 2011-12-22 16:01:23 +00:00
Dr. Stephen Henson
f5575cd167 New ctrl values to clear or retrieve extra chain certs from an SSL_CTX.
New function to retrieve compression method from SSL_SESSION structure.

Delete SSL_SESSION_get_id_len and SSL_SESSION_get0_id functions
as they duplicate functionality of SSL_SESSION_get_id. Note: these functions
have never appeared in any release version of OpenSSL.
2011-12-22 15:01:16 +00:00
Ben Laurie
dd0ddc3e78 Fix DTLS. 2011-12-20 15:05:03 +00:00
Dr. Stephen Henson
b8a22c40e0 PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Remove unnecessary code for srp and to add some comments to
s_client.

- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable

- comments to indicate in s_client the (non-)usefulness of
th primalaty tests for non known group parameters.
2011-12-14 22:18:03 +00:00
Ben Laurie
96fe35e7d4 Remove redundant TLS exporter. 2011-12-13 14:35:12 +00:00
Ben Laurie
e87afb1518 SSL export fixes (from Adam Langley). 2011-12-13 14:25:11 +00:00
Dr. Stephen Henson
7454cba4fa fix error discrepancy 2011-12-07 12:28:50 +00:00
Ben Laurie
a0cf79e841 Fix exporter. 2011-12-02 16:49:32 +00:00
Ben Laurie
825e1a7c56 Fix warnings. 2011-12-02 14:39:41 +00:00
Bodo Möller
9f2b453338 Resolve a stack set-up race condition (if the list of compression
methods isn't presorted, it will be sorted on first read).

Submitted by: Adam Langley
2011-12-02 12:51:41 +00:00
Dr. Stephen Henson
2c7d978c2d PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Make SRP conformant to rfc 5054.

Changes are:

- removal of the addition state after client hello
- removal of all pre-rfc srp alert ids
- sending a fatal alert when there is no srp extension but when the
server wants SRP
- removal of unnecessary code in the client.
2011-11-25 00:18:10 +00:00
Ben Laurie
8cd897a42c Don't send NPN during renegotiation. 2011-11-24 18:22:06 +00:00
Ben Laurie
1dc44d3130 Indent. 2011-11-24 16:51:15 +00:00
Dr. Stephen Henson
d7125d8d85 move internal functions to ssl_locl.h 2011-11-21 22:52:01 +00:00
Dr. Stephen Henson
43716567f5 bcmp doesn't exist on all platforms, replace with memcmp 2011-11-21 22:29:16 +00:00
Ben Laurie
b1d7429186 Add TLS exporter. 2011-11-15 23:51:22 +00:00
Ben Laurie
060a38a2c0 Add DTLS-SRTP. 2011-11-15 23:02:16 +00:00