Commit graph

10492 commits

Author SHA1 Message Date
Dr. Stephen Henson
25c9fa6026 Restore SSL_OP_MSIE_SSLV2_RSA_PADDING
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d)
2014-01-04 14:00:44 +00:00
Dr. Stephen Henson
d2dc33d57c update NEWS 2014-01-02 19:02:28 +00:00
Dr. Stephen Henson
f3dcc8411e Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
2014-01-02 15:12:48 +00:00
Dr. Stephen Henson
1c2c5e402a Don't use rdrand engine as default unless explicitly requested.
(cherry picked from commit 8f68678989)
2013-12-22 16:08:01 +00:00
Dr. Stephen Henson
34628967f1 Fix DTLS retransmission from previous session.
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
2013-12-20 23:12:18 +00:00
Dr. Stephen Henson
a6c62f0c25 Ignore NULL parameter in EVP_MD_CTX_destroy. 2013-12-20 22:52:41 +00:00
Dr. Stephen Henson
ca989269a2 Use version in SSL_METHOD not SSL structure.
When deciding whether to use TLS 1.2 PRF and record hash algorithms
use the version number in the corresponding SSL_METHOD structure
instead of the SSL structure. The SSL structure version is sometimes
inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449)
2013-12-19 21:04:28 +00:00
Andy Polyakov
2ec4181ba9 sha512.c: fullfull implicit API contract in SHA512_Transform.
SHA512_Transform was initially added rather as tribute to tradition
than for practucal reasons. But use was recently found in ssl/s3_cbc.c
and it turned to be problematic on platforms that don't tolerate
misasligned references to memory and lack assembly subroutine.
(cherry picked from commit cdd1acd788)
2013-12-18 23:03:03 +01:00
Dr. Stephen Henson
0294b2be5f Check EVP errors for handshake digests.
Partial mitigation of PR#3200
2013-12-18 13:26:10 +00:00
Dr. Stephen Henson
f1068a1ab7 Get FIPS checking logic right.
We need to lock when *not* in FIPS mode.
(cherry picked from commit 57c4e42d75)
2013-12-10 12:54:55 +00:00
Dr. Stephen Henson
cadde467a8 remove obsolete STATUS file 2013-12-10 00:10:53 +00:00
Dr. Stephen Henson
c2bdcba347 Add release dates to NEWS 2013-12-09 23:55:12 +00:00
Dr. Stephen Henson
60df657b3a make update 2013-12-08 13:23:14 +00:00
Dr. Stephen Henson
17a2d0801f Avoid multiple locks in FIPS mode.
PR: 3176.

In FIPS mode ssleay_rand_bytes is only used for PRNG seeding and is
performed in either a single threaded context (when the PRNG is first
initialised) or under a lock (reseeding). To avoid multiple locks disable
use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes.
(cherry picked from commit 53142f72c9b9c9bad2f39ca6200a4f04f5c8001c)
2013-12-08 13:23:14 +00:00
Andy Polyakov
accb3007ac bn/asm/x86_64-mont5.pl: comply with Win64 ABI.
PR: 3189
Submitted by: Oscar Ciurana
(cherry picked from commit c5d5f5bd0f)
2013-12-04 00:03:46 +01:00
Dr. Stephen Henson
b13dff6141 Simplify and update openssl.spec 2013-11-27 15:38:04 +00:00
Andy Polyakov
4ade6a8ca4 srp/srp_grps.h: make it Compaq C-friendly.
PR: 3165
Submitted by: Daniel Richard G.
(cherry picked from commit 2df9ec01d5)
(cherry picked from commit 0de70011ad)
2013-11-12 22:20:45 +01:00
Andy Polyakov
00fadef414 modes/asm/ghash-alpha.pl: update from HEAD.
PR: 3165
(cherry picked from commit 220d1e5353)
2013-11-12 22:01:31 +01:00
Andy Polyakov
7ed244a0b3 Make Makefiles OSF-make-friendly.
PR: 3165
(cherry picked from commit d1cf23ac86)
2013-11-12 22:01:20 +01:00
Dr. Stephen Henson
e94a23876c Fix memory leak.
(cherry picked from commit 16bc45ba95)
2013-11-11 23:55:40 +00:00
Dr. Stephen Henson
041f681943 Typo.
(cherry picked from commit 5c50462e1e)
2013-11-11 22:24:40 +00:00
Andy Polyakov
afec9f57da Makefile.org: make FIPS build work with BSD make.
(cherry picked from commit 60adefa610)
2013-11-10 23:08:25 +01:00
Dr. Stephen Henson
0ec1a77891 Check for missing components in RSA_check.
(cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)
2013-11-09 15:09:21 +00:00
Dr. Stephen Henson
62c2b6d944 Document RSAPublicKey_{in,out} options.
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)
2013-11-09 15:09:21 +00:00
Andy Polyakov
5b98979712 engines/ccgost/gost89.h: make word32 defintion unconditional.
Original definition depended on __LONG_MAX__ that is not guaranteed to
be present. As we don't support platforms with int narrower that 32 bits
it's appropriate to make defition inconditional.

PR: 3165
(cherry picked from commit 96180cac04)
2013-11-08 23:09:26 +01:00
Andy Polyakov
9abbf5cce7 modes/asm/ghash-alpha.pl: make it work with older assembler.
PR: 3165
(cherry picked from commit d24d1d7daf)
2013-11-08 23:09:13 +01:00
Dr. Stephen Henson
ddfe486e4c Enable PSK in FIPS mode.
Enable PSK ciphersuites with AES or DES3 in FIPS mode.
(cherry picked from commit e0ffd129c1)
2013-11-06 14:40:01 +00:00
Dr. Stephen Henson
834d30bc63 Initialise context before using it.
(cherry picked from commit a4947e4e06)
2013-11-06 13:19:23 +00:00
Ben Laurie
e26faa9e0c PBKDF2 should be efficient. Contributed by Christian Heimes
<christian@python.org>.
2013-11-03 17:33:54 +00:00
Robin Seggelmann
025f7dbdd1 DTLS/SCTP Finished Auth Bug
PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523adce)
(cherry picked from commit b9ef52b078)
2013-11-01 22:44:20 +00:00
Robin Seggelmann
44f4934bde DTLS/SCTP struct authchunks Bug
PR: 2809

DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with
SCTP-AUTH.  It is checked if this has been activated successfully for
the local and remote peer. Due to a bug, however, the
gauth_number_of_chunks field of the authchunks struct is missing on
FreeBSD, and was therefore not considered in the OpenSSL implementation.
This patch sets the corresponding pointer for the check correctly
whether or not this bug is present.
(cherry picked from commit f596e3c491)
(cherry picked from commit b814081136)
2013-11-01 22:44:06 +00:00
Nick Mathewson
453ca706cc Fix another gmt_unix_time case in server_random 2013-10-20 15:14:40 -07:00
Dr. Stephen Henson
5e1ff664f9 Don't use RSA+MD5 with TLS 1.2
Since the TLS 1.2 supported signature algorithms extension is less
sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.

RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.

To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.
2013-10-20 12:23:27 +01:00
Ben Laurie
833a896681 More cleanup. 2013-10-19 12:37:15 +01:00
Ben Laurie
34e43b909f Cleanup. 2013-10-19 12:34:15 +01:00
Ben Laurie
62036c6fc3 Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1_0_1-stable 2013-10-19 11:46:32 +01:00
Andy Polyakov
68dd8512b7 MIPS assembly pack: get rid of deprecated instructions.
Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
(cherry picked from commit 0c2adb0a9b)
2013-10-13 13:19:12 +02:00
Andy Polyakov
bbf9f3c654 aes/asm/bsaes-x86_64.pl: update from master.
Performance improvement and Windows-specific bugfix (PR#3139).
(cherry picked from commit 9ed6fba2b4)
2013-10-12 21:50:15 +02:00
Nick Mathewson
2583270191 Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
(I'd rather use an option, but it appears that the options field is
full.)

Now, we send the time in the gmt_unix_time field if the appropriate
one of these mode options is set, but randomize the field if the flag
is not set.
2013-10-09 10:37:53 -04:00
Nick Mathewson
3da721dac9 Refactor {client,server}_random to call an intermediate function
I'll be using this to make an option for randomizing the time.
2013-10-09 10:28:42 -04:00
Andy Polyakov
eb22b7ec75 evp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms.
Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0da)

Resolved conflicts:

	crypto/evp/e_des3.c
2013-10-03 11:11:44 +02:00
Ben Laurie
b93916149d Constification. 2013-10-01 14:53:18 +01:00
Dr. Stephen Henson
82f42a1d2e Typo.
(cherry picked from commit 415ece7301)
2013-09-30 14:20:42 +01:00
Dr. Stephen Henson
a4870de5aa Disable Dual EC DRBG.
Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
2013-09-22 18:24:12 +01:00
Dr. Stephen Henson
39aabe59c8 Fix warning. 2013-09-22 18:24:12 +01:00
Nick Mathewson
f4c93b46ed Do not include a timestamp in the ServerHello Random field.
Instead, send random bytes.
2013-09-16 13:44:10 -04:00
Nick Mathewson
4af793036f Do not include a timestamp in the ClientHello Random field.
Instead, send random bytes.

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.
    * If the PRNG output is prone to repeat itself, ephemeral
    * handshakes (and who knows what else besides) are broken.
2013-09-16 13:44:10 -04:00
Rob Stradling
13bca90ac5 Update CHANGES. 2013-09-16 15:17:37 +01:00
Rob Stradling
c9a6ddafc5 Tidy up comments. 2013-09-16 15:07:52 +01:00
Rob Stradling
f4a51970d2 Use TLS version supplied by client when fingerprinting Safari. 2013-09-16 15:07:52 +01:00