Commit graph

69 commits

Author SHA1 Message Date
Dr. Stephen Henson
bc8923b1ec Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
2014-06-05 09:04:27 +01:00
Rob Stradling
c9a6ddafc5 Tidy up comments. 2013-09-16 15:07:52 +01:00
Rob Stradling
4b61f6d2a6 Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-09-16 15:07:51 +01:00
Andy Polyakov
ec07246a08 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. 2013-02-01 15:34:09 +01:00
Ben Laurie
e130841bcc Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
2013-01-28 17:31:49 +00:00
Ben Laurie
af454b5bb0 Reduce version skew. 2012-06-08 09:18:47 +00:00
Dr. Stephen Henson
f1fa05b407 ABI compliance fixes.
Move new structure fields to end of structures.

Import library codes from 1.0.0 and recreate new ones.
2012-02-22 14:01:44 +00:00
Dr. Stephen Henson
aaa3850ccd Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 23:07:54 +00:00
Dr. Stephen Henson
bd6941cfaa PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 23:00:36 +00:00
Dr. Stephen Henson
e065e6cda2 PR: 2535
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Add SCTP support for DTLS (RFC 6083).
2011-12-25 14:45:40 +00:00
Dr. Stephen Henson
2c7d978c2d PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Make SRP conformant to rfc 5054.

Changes are:

- removal of the addition state after client hello
- removal of all pre-rfc srp alert ids
- sending a fatal alert when there is no srp extension but when the
server wants SRP
- removal of unnecessary code in the client.
2011-11-25 00:18:10 +00:00
Ben Laurie
68b33cc5c7 Add Next Protocol Negotiation. 2011-11-13 21:55:42 +00:00
Dr. Stephen Henson
b81fde02aa Add server client certificate support for TLS v1.2 . This is more complex
than client side as we need to keep the handshake record cache frozen when
it contains all the records need to process the certificate verify message.
(backport from HEAD).
2011-05-20 14:58:45 +00:00
Dr. Stephen Henson
9472baae0d Backport TLS v1.2 support from HEAD.
This includes TLS v1.2 server and client support but at present
client certificate support is not implemented.
2011-05-11 13:37:52 +00:00
Dr. Stephen Henson
74096890ba Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN
all ssl related structures are opaque and internals cannot be directly
accessed. Many applications will need some modification to support this and
most likely some additional functions added to OpenSSL.

The advantage of this option is that any application supporting it will still
be binary compatible if SSL structures change.

(backport from HEAD).
2011-05-11 12:56:38 +00:00
Ben Laurie
a149b2466e Add SRP. 2011-03-16 11:26:40 +00:00
Dr. Stephen Henson
eb17330837 Updates to conform with draft-ietf-tls-renegotiation-03.txt:
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
2010-01-06 17:37:38 +00:00
Dr. Stephen Henson
f88e0acb0e Update RI to match latest spec.
MCSV is now called SCSV.

Don't send SCSV if renegotiating.

Also note if RI is empty in debug messages.
2009-12-27 22:59:09 +00:00
Dr. Stephen Henson
675564835c New option to enable/disable connection to unpatched servers 2009-12-16 20:28:30 +00:00
Dr. Stephen Henson
10f99d7b77 Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:15:12 +00:00
Dr. Stephen Henson
bc9058d041 First cut of renegotiation extension. (port to 1.0.0-stable) 2009-11-09 18:45:42 +00:00
Dr. Stephen Henson
bfd502f027 Updates from HEAD. 2009-06-16 16:39:20 +00:00
Dr. Stephen Henson
cc1cb996f1 Submitted by: Artem Chuprina <ran@cryptocom.ru>
Reviewed by: steve@openssl.org

Fix to match latest GOST in TLS draft.
2009-05-28 18:10:47 +00:00
Ben Laurie
babb379849 Type-checked (and modern C compliant) OBJ_bsearch. 2008-10-12 14:32:47 +00:00
Dr. Stephen Henson
67c8e7f414 Support for certificate status TLS extension. 2007-09-26 21:56:59 +00:00
Dr. Stephen Henson
870d6541f2 Use accept flag for new session ticket write. 2007-09-23 15:55:15 +00:00
Bodo Möller
761772d7e1 Implement the Opaque PRF Input TLS extension
(draft-rescorla-tls-opaque-prf-input-00.txt), and do some cleanups and
bugfixes on the way.  In particular, this fixes the buffer bounds
checks in ssl_add_clienthello_tlsext() and in ssl_add_serverhello_tlsext().

Note that the opaque PRF Input TLS extension is not compiled by default;
see CHANGES.
2007-09-21 06:54:24 +00:00
Dr. Stephen Henson
81025661a9 Update ssl code to support digests other than MD5+SHA1 in handshake.
Submitted by: Victor B. Wagner <vitus@cryptocom.ru>
2007-08-31 12:42:53 +00:00
Dr. Stephen Henson
6434abbfc6 RFC4507 (including RFC4507bis) TLS stateless session resumption support
for OpenSSL.
2007-08-11 23:18:29 +00:00
Dr. Stephen Henson
b948e2c59e Update ssl library to support EVP_PKEY MAC API. Include generic MAC support. 2007-06-04 17:04:40 +00:00
Andy Polyakov
a4d64c7f49 Align data payload for better performance. 2006-10-20 11:26:00 +00:00
Bodo Möller
89bbe14c50 Ciphersuite string bugfixes, and ECC-related (re-)definitions. 2006-06-14 17:40:31 +00:00
Andy Polyakov
be7b4458f2 Keep disclaiming 16-bit platform support. For now remove WIN16 references
from .h files...
2005-12-18 19:11:37 +00:00
Dr. Stephen Henson
566dda07ba New option SSL_OP_NO_COMP to disable compression. New ctrls to set
maximum send fragment size. Allocate I/O buffers accordingly.
2005-10-08 00:18:53 +00:00
Dr. Stephen Henson
09b6c2ef15 Make OPENSSL_NO_COMP compile again. 2005-09-30 23:35:33 +00:00
Andy Polyakov
dffdb56b7f "Liberate" dtls from BN dependency. Fix bug in replay/update. 2005-06-07 22:21:14 +00:00
Richard Levitte
188b05792f pqueue and dtls uses 64-bit values. Unfortunately, OpenSSL doesn't
have a uniform representation for those over all architectures, so a
little bit of hackery is needed.

Contributed by nagendra modadugu <nagendra@cs.stanford.edu>
2005-05-30 22:34:37 +00:00
Dr. Stephen Henson
6c61726b2a Lots of Win32 fixes for DTLS.
1. "unsigned long long" isn't portable changed: to BN_ULLONG.
2. The LL prefix isn't allowed in VC++ but it isn't needed where it is used.
2. Avoid lots of compiler warnings about signed/unsigned mismatches.
3. Include new library directory pqueue in mk1mf build system.
4. Update symbols.
2005-04-27 16:27:14 +00:00
Bodo Möller
480506bd49 remove some functions from exported headers 2005-04-26 18:18:35 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00
Richard Levitte
31be2daa06 Small bugfixes to the KSSL implementation.
PR: 349
2002-11-26 10:09:36 +00:00
Richard Levitte
28c8a911bd Typos.
PR: 189
2002-10-15 20:30:56 +00:00
Richard Levitte
437d1ed49f Typos.
PR: 189
2002-10-15 20:29:09 +00:00
Richard Levitte
ef0baf60aa Typo 2002-10-10 08:32:39 +00:00
Richard Levitte
7ba3a4c3d2 RFC 2712 redefines the codes for use of Kerberos 5 in SSL/TLS.
PR: 189
2002-10-10 07:59:03 +00:00
Bodo Möller
ea26226046 ECC ciphersuite support
Submitted by: Douglas Stebila <douglas.stebila@sun.com>
(Authors: Vipul Gupta and Sumit Gupta, Sun Microsystems Laboratories)
2002-08-09 08:56:08 +00:00
Bodo Möller
82b0bf0b87 Implement known-IV countermeasure.
Fix length checks in ssl3_get_client_hello().

Use s->s3->in_read_app_data differently to fix ssl3_read_internal().
2002-04-13 22:47:20 +00:00
Richard Levitte
cf1b7d9664 Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.

I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
2001-02-19 16:06:34 +00:00
Richard Levitte
f9b3bff6f7 First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu> 2000-11-30 22:53:34 +00:00
Richard Levitte
ef33b97050 Using checks of the existence of HEADER_{foo}_H in other header files
was a really bad idea.  For example, the following:

	#include <x509.h>
	#include <bio.h>
	#include <asn1.h>

would make sure that things like ASN1_UTCTIME_print() wasn't defined
unless you moved the inclusion of bio.h to above the inclusion of
x509.h.  The reason is that x509.h includes asn1.h, and the
declaration of ASN1_UTCTIME_print() depended on the definition of
HEADER_BIO_H.  That's what I call an obscure bug.

Instead, this change makes sure that whatever header files are needed
for the correct process of one header file are included automagically,
and that the definitions of, for example, BIO-related things are
dependent on the absence of the NO_{foo} macros.  This is also
consistent with the way parts of OpenSSL can be excluded at will.
2000-06-09 10:41:35 +00:00