Commit graph

208 commits

Author SHA1 Message Date
Dr. Stephen Henson
4054d95eb9 Don't limit message sizes in ssl3_get_cert_verify.
PR#319 (reoponed version).
(cherry picked from commit 7f6e957864)

Conflicts:

	ssl/s3_srvr.c
2014-07-05 13:31:53 +01:00
Dr. Stephen Henson
c97e457d53 Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
2014-06-03 16:30:37 +01:00
David Ramos
268ae49453 Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361
(cherry picked from commit 673c42b238)
2014-06-01 14:31:30 +01:00
Serguei E. Leontiev
f7c4fe519b Replace manual ASN1 decoder with ASN1_get_object
Replace manual ASN.1 decoder with ASN1_get object. This
will decode the tag and length properly and check against
it does not exceed the supplied buffer length.

PR#3335
(cherry picked from commit b0308dddd1cc6a8e1de803ef29ba6da25ee072c2)
2014-05-12 18:41:49 +01:00
Andy Polyakov
71a1ac9398 ssl/s3_[clnt|srvr].c: fix warnings and linking error. 2013-02-09 19:48:34 +01:00
Ben Laurie
bb65e3f22b Backport OCSP Stapling fix. 2012-10-04 15:16:12 +00:00
Andy Polyakov
0041925844 s3_srvr.c: fix typo [from HEAD].
PR: 2538
2012-04-15 17:23:23 +00:00
Dr. Stephen Henson
25128a11fb Fix bug in CVE-2011-4619: check we have really received a client hello
before rejecting multiple SGC restarts.
2012-02-16 15:21:46 +00:00
Dr. Stephen Henson
9004c53107 Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 15:27:54 +00:00
Dr. Stephen Henson
22d89c501e Submitted by: Adam Langley <agl@chromium.org>
Reviewed by: steve

Fix memory leaks.
2012-01-04 14:24:48 +00:00
Bodo Möller
e935440ad7 (EC)DH memory handling fixes.
Submitted by: Adam Langley
2011-09-05 10:25:21 +00:00
Dr. Stephen Henson
38c42c6eea set encodedPoint to NULL after freeing it 2011-05-19 16:18:25 +00:00
Dr. Stephen Henson
6d65d44b95 fix for CVE-2010-4180 2010-12-02 18:24:55 +00:00
Dr. Stephen Henson
b3c17a4805 Get correct GOST private key instead of just assuming the last one is
correct: this isn't always true if we have more than one certificate.
2010-11-14 13:50:29 +00:00
Dr. Stephen Henson
fbe2c6b33e Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and
1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
2010-02-27 23:04:10 +00:00
Dr. Stephen Henson
57749b1b9f PR: 1949
Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
2010-01-26 19:46:30 +00:00
Dr. Stephen Henson
f4f2b52995 oops 2010-01-26 13:56:15 +00:00
Dr. Stephen Henson
c7d5edbf5e export OPENSSL_isservice and make update 2010-01-26 13:55:33 +00:00
Dr. Stephen Henson
ef1b6b2cf2 The fix for PR#1949 unfortunately broke cases where the BIO_CTRL_WPENDING
ctrl is incorrectly implemented (e.g. some versions of Apache). As a workaround
call both BIO_CTRL_INFO and BIO_CTRL_WPENDING if it returns zero. This should
both address the original bug and retain compatibility with the old behaviour.
2010-01-24 13:54:07 +00:00
Dr. Stephen Henson
ad8ee3d7d1 If legacy renegotiation is not permitted then send a fatal alert if a patched
server attempts to renegotiate with an unpatched client.
2010-01-22 18:49:19 +00:00
Dr. Stephen Henson
4cba294d79 Client side compression algorithm sanity checks: ensure old compression
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).
2010-01-01 14:39:51 +00:00
Dr. Stephen Henson
e642fd7a1c Compression handling on session resume was badly broken: it always
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
2010-01-01 00:44:36 +00:00
Dr. Stephen Henson
10f99d7b77 Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:15:12 +00:00
Dr. Stephen Henson
593222afe1 PR: 2121
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Add extension support to DTLS code mainly using existing implementation for
TLS.
2009-12-08 11:38:18 +00:00
Dr. Stephen Henson
d5b8c46499 PR: 2115
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
2009-12-01 17:41:42 +00:00
Dr. Stephen Henson
3d0b604c14 Fix statless session resumption so it can coexist with SNI 2009-10-30 13:22:44 +00:00
Dr. Stephen Henson
9769137a43 Typo presumably... 2009-09-06 17:55:40 +00:00
Dr. Stephen Henson
2e9802b7a7 PR: 2028
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS cookie management bugs.
2009-09-04 17:42:06 +00:00
Dr. Stephen Henson
887c250852 Update from 0.9.8-stable. 2009-06-26 15:04:22 +00:00
Dr. Stephen Henson
72d668c332 Update from HEAD. 2009-06-24 13:30:07 +00:00
Dr. Stephen Henson
bfd502f027 Updates from HEAD. 2009-06-16 16:39:20 +00:00
Dr. Stephen Henson
55708796af Update from HEAD. 2009-06-13 20:47:09 +00:00
Dr. Stephen Henson
b61a84c8e6 Fix WIN32 warnings. 2009-04-22 15:40:54 +00:00
Dr. Stephen Henson
21fb688d26 Some fixes for kerberos builds. 2009-04-21 22:20:12 +00:00
Dr. Stephen Henson
b452f43322 PR: 1751
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Compatibility patches for Cisco VPN client DTLS.
2009-04-19 18:03:13 +00:00
Dr. Stephen Henson
bab534057b Updatde from stable branch. 2009-01-07 23:44:27 +00:00
Ben Laurie
4a94003a51 srvr_ecdh cannot be NULL at this point (Coverity ID 232). 2009-01-02 12:49:07 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should
test for them!
2008-12-29 16:11:58 +00:00
Ben Laurie
6ba71a7173 Handle the unlikely event that BIO_get_mem_data() returns -ve. 2008-12-27 02:00:38 +00:00
Dr. Stephen Henson
12bf56c017 PR: 1574
Submitted by: Jouni Malinen <j@w1.fi>
Approved by: steve@openssl.org

Ticket override support for EAP-FAST.
2008-11-15 17:18:12 +00:00
Bodo Möller
837f2fc7a4 Make sure that SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG can't
enable disabled ciphersuites.
2008-09-22 21:22:47 +00:00
Bodo Möller
fcbdde0dfe oops 2008-09-14 18:16:07 +00:00
Bodo Möller
e65bcbcef0 Fix SSL state transitions.
Submitted by: Nagendra Modadugu
2008-09-14 14:02:07 +00:00
Dr. Stephen Henson
305514000c Do not discard cached handshake records during resumed sessions:
they are used for mac computation.
2008-09-03 12:36:16 +00:00
Dr. Stephen Henson
8a2062fefe Update from stable branch. 2008-04-30 16:14:02 +00:00
Dr. Stephen Henson
d26c905c67 Update from stable branch. 2008-04-29 16:44:51 +00:00
Dr. Stephen Henson
dc634aff25 Don't send zero length session ID if stateless session resupmtion is
successful. Check be seeing if there is a cache hit.
2008-04-25 16:27:04 +00:00
Dr. Stephen Henson
0e1dba934f 1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure

2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).

3. Changes to EVP
	- adding of function EVP_PKEY_CTX_get0_peerkey
	- Make function EVP_PKEY_derive_set_peerkey work for context with
	  ENCRYPT operation, because we use peerkey field in the context to
	  pass non-ephemeral secret key to GOST encrypt operation.
	- added EVP_PKEY_CTRL_SET_IV control command. It is really
	  GOST-specific, but it is used in SSL code, so it has to go
	  in some header file, available during libssl compilation

4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data

5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
  make debugging output which depends on constants defined there, work
  and other KSSL_DEBUG output fixes

6. Declaration of real GOST ciphersuites, two authentication methods
   SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST

7. Implementation  of these methods.

8. Support for sending unsolicited serverhello extension if GOST
  ciphersuite is selected. It is require for interoperability with
  CryptoPro CSP 3.0 and 3.6 and controlled by
  SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
  This constant is added to SSL_OP_ALL, because it does nothing, if
  non-GOST ciphersuite is selected, and all implementation of GOST
  include compatibility with CryptoPro.

9. Support for CertificateVerify message without length field. It is
   another CryptoPro bug, but support is made unconditional, because it
   does no harm for draft-conforming implementation.

10. In tls1_mac extra copy of stream mac context is no more done.
  When I've written currently commited code I haven't read
  EVP_DigestSignFinal manual carefully enough and haven't noticed that
  it does an internal digest ctx copying.

This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
Andy Polyakov
3ce54f35b3 Make ssl compile [from 098-stable, bug is masked by default]. 2007-10-14 14:09:13 +00:00
Andy Polyakov
7432d073af Switch to RFC-compliant version encoding in DTLS. 2007-09-30 18:53:54 +00:00