Thijs Alkemade
7cb472bd0d
Make disabling last cipher work.
2014-07-02 03:32:19 +01:00
Ben Laurie
22a10c89d7
Fix possible buffer overrun.
(cherry picked from commit 2db3ea2929)
Conflicts:
ssl/t1_lib.c
2014-07-02 00:11:10 +01:00
Rich Salz
e67ddd19af
RT 1528; misleading debug print, "pre-master" should be "master key"
2014-07-01 13:22:38 -04:00
Rich Salz
04f545a0d5
RT 1530; fix incorrect comment
2014-07-01 13:06:18 -04:00
Rich Salz
df8ef5f31a
RT 1229; typo in comment "dont't"->"don't"
2014-07-01 13:02:57 -04:00
Dr. Stephen Henson
2580ab4ed7
Fix warning.
(cherry picked from commit c97ec5631b)
2014-07-01 13:37:04 +01:00
Ben Laurie
e3ba6a5f83
Make depend.
2014-06-30 16:03:29 +01:00
Ben Laurie
161e0a617d
More constification.
2014-06-29 22:13:45 +01:00
Ben Laurie
8892ce7714
Constification - mostly originally from Chromium.
2014-06-29 21:05:23 +01:00
Dr. Stephen Henson
44724beead
Fix memory leak.
PR#2531
2014-06-29 13:51:30 +01:00
Dr. Stephen Henson
0518a3e19e
Don't disable state strings with no-ssl2
Some state strings were erroneously not compiled when no-ssl2
was set.
PR#3295
2014-06-28 00:54:32 +01:00
yogesh nagarkar
d183545d45
Fix compilation with -DSSL_DEBUG -DTLS_DEBUG -DKSSL_DEBUG
PR#3141
2014-06-28 00:40:26 +01:00
Ken Ballou
0b33bed969
Remove redundant check.
PR#3174
2014-06-27 23:19:39 +01:00
PK
e633248921
Add SHA256 Camellia ciphersuites from RFC5932
PR#2800
2014-06-27 18:24:05 +01:00
Tomas Mraz
0436369fcc
Don't advertise ECC ciphersuites in SSLv2 compatible client hello.
PR#3374
2014-06-27 16:51:26 +01:00
Miod Vallat
2841d6ca9f
Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.
Bug discovered and fixed by Miod Vallat from the OpenBSD team.
PR#3375
2014-06-22 23:14:19 +01:00
Matt Caswell
cf1b08cdd7
Revert "Fix off-by-one errors in ssl_cipher_get_evp()"
This reverts commit abfb989fe0.
Incorrect attribution
2014-06-22 22:35:56 +01:00
Matt Caswell
339da43d6c
Fixed Windows compilation failure
2014-06-22 20:16:47 +02:00
Felix Laurie von Massenbach
50cc4f7b3d
Fix signed/unsigned comparisons.
2014-06-17 17:41:46 +01:00
Dr. Stephen Henson
3b77f01702
Accept CCS after sending finished.
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.
PR#3400
2014-06-14 22:31:28 +01:00
Matt Caswell
687721a7dc
Fixed incorrect return code handling in ssl3_final_finish_mac.
Based on an original patch by Joel Sing (OpenBSD) who also originally identified the issue.
2014-06-13 15:36:20 +01:00
Matt Caswell
043fd64689
Revert "Fixed incorrect return code handling in ssl3_final_finish_mac"
This reverts commit 2f1dffa88e.
Missing attribution.
2014-06-13 15:35:20 +01:00
Kurt Cancemi
abfb989fe0
Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.
PR#3375
2014-06-12 21:11:00 +01:00
Matt Caswell
d84ba7ea23
Added OPENSSL_assert check as per PR#3377 reported by Rainer Jung <rainer.jung@kippdata.de>
2014-06-12 20:40:54 +01:00
Andy Polyakov
77a27a5066
Enable multi-block support by default.
2014-06-11 20:40:51 +02:00
Matt Caswell
2f1dffa88e
Fixed incorrect return code handling in ssl3_final_finish_mac
2014-06-10 23:31:50 +01:00
Mike Bland
3ead9f3798
Create test/testutil.h for unit test helper macros
Defines SETUP_TEST_FIXTURE and EXECUTE_TEST, and updates ssl/heartbeat_test.c
using these macros. SETUP_TEST_FIXTURE makes use of the new TEST_CASE_NAME
macro, defined to use __func__ or __FUNCTION__ on platforms that support those
symbols, or to use the file name and line number otherwise. This should fix
several reported build problems related to lack of C99 support.
2014-06-10 19:20:25 +01:00
Dr. Stephen Henson
7a9d59c148
Fix null pointer errors.
PR#3394
2014-06-10 14:47:29 +01:00
Dr. Stephen Henson
447280ca7b
SRP ciphersuite correction.
SRP ciphersuites do not have no authentication. They have authentication
based on SRP. Add new SRP authentication flag and cipher string.
2014-06-09 12:09:52 +01:00
Dr. Stephen Henson
1bea384fd5
Update strength_bits for 3DES.
Fix strength_bits to 112 for 3DES.
2014-06-09 12:09:52 +01:00
Dr. Stephen Henson
fb8d9ddb9d
Make tls_session_secret_cb work with CVE-2014-0224 fix.
If application uses tls_session_secret_cb for session resumption
set the CCS_OK flag.
2014-06-07 15:27:23 +01:00
Dr. Stephen Henson
c43a55407d
Add official extension value.
Encrypt then MAC now has an official extension value, see:
http://www.ietf.org/id/draft-ietf-tls-encrypt-then-mac-02.txt
2014-06-07 15:27:23 +01:00
Dr. Stephen Henson
5111672b8e
Update value to use a free bit.
2014-06-05 13:27:11 +01:00
Dr. Stephen Henson
410e444b71
Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Fixed by adding consistency check for DTLS fragments.
Thanks to Jüri Aedla for reporting this issue.
(cherry picked from commit 1632ef7448)
2014-06-05 13:23:05 +01:00
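The "consistency check for DTLS fragments" that the CVE-2014-0195 commit above describes, as an added example in C that is not OpenSSL's code: a reassembler that parses the 12-byte DTLS handshake header (RFC 6347, section 4.2.2), rejects fragments that do not fit inside the message, and refuses any later fragment that disagrees with the message type, sequence number or total length fixed by the first one, so a re-declared larger length can never write past the buffer sized for the first fragment. The names (`dtls_frag_accept`, `struct dtls_reassembly`), the 16 KiB message cap and the sample fragments in `dtls_scenario` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* DTLS handshake header, RFC 6347 4.2.2: type(1) length(3) message_seq(2)
 * fragment_offset(3) fragment_length(3) = 12 bytes. */
#define DTLS_HM_HEADER_LENGTH 12
#define DTLS_MAX_HANDSHAKE_LEN (16u * 1024u)   /* cap chosen for this example */

struct dtls_reassembly {          /* state for one in-flight handshake message */
    int in_use;
    uint8_t msg_type;  uint16_t msg_seq;
    uint32_t msg_len;             /* declared by the FIRST fragment; later ones must agree */
    uint8_t *buf;                 /* msg_len bytes of body */
    uint8_t *filled;              /* msg_len flags, 1 where buf already holds data */
};

static uint32_t get_u24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static void put_u24(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }

void dtls_reassembly_free(struct dtls_reassembly *r)
{
    free(r->buf); free(r->filled); memset(r, 0, sizeof *r);
}

/* Validate one fragment record and copy its body into place.
 * Returns 0 if accepted, -1 if the caller must drop the fragment. */
int dtls_frag_accept(struct dtls_reassembly *r, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < DTLS_HM_HEADER_LENGTH) return -1;
    uint8_t msg_type  = rec[0];
    uint32_t msg_len  = get_u24(rec + 1);
    uint16_t msg_seq  = (uint16_t)((rec[4] << 8) | rec[5]);
    uint32_t frag_off = get_u24(rec + 6);
    uint32_t frag_len = get_u24(rec + 9);

    /* The body must really be present, and the fragment must lie inside the
     * message; the subtraction form avoids overflow in frag_off + frag_len. */
    if (rec_len - DTLS_HM_HEADER_LENGTH != frag_len) return -1;
    if (msg_len > DTLS_MAX_HANDSHAKE_LEN || frag_off > msg_len || frag_len > msg_len - frag_off) return -1;

    if (!r->in_use) {
        /* The first fragment fixes the geometry of the whole message. */
        r->buf = malloc(msg_len ? msg_len : 1);
        r->filled = calloc(msg_len ? msg_len : 1, 1);
        if (r->buf == NULL || r->filled == NULL) { dtls_reassembly_free(r); return -1; }
        r->in_use = 1; r->msg_type = msg_type; r->msg_seq = msg_seq; r->msg_len = msg_len;
    } else if (msg_type != r->msg_type || msg_seq != r->msg_seq || msg_len != r->msg_len) {
        /* Consistency check: a later fragment that re-declares a larger message
         * length would otherwise be copied past the buffer sized for the first
         * one. That is the CVE-2014-0195 class of bug. */
        return -1;
    }
    memcpy(r->buf + frag_off, rec + DTLS_HM_HEADER_LENGTH, frag_len);
    memset(r->filled + frag_off, 1, frag_len);
    return 0;
}

/* 1 once every byte of the message has arrived, else 0. */
int dtls_msg_complete(const struct dtls_reassembly *r)
{
    uint32_t i;
    if (!r->in_use) return 0;
    for (i = 0; i < r->msg_len; i++) if (!r->filled[i]) return 0;
    return 1;
}

/* Test helper: serialise one fragment record into out; returns its length. */
size_t dtls_frag_build(uint8_t *out, uint8_t type, uint32_t msg_len, uint16_t seq,
                       uint32_t off, const uint8_t *body, uint32_t len)
{
    out[0] = type; put_u24(out + 1, msg_len);
    out[4] = (uint8_t)(seq >> 8); out[5] = (uint8_t)seq;
    put_u24(out + 6, off); put_u24(out + 9, len);
    memcpy(out + DTLS_HM_HEADER_LENGTH, body, len);
    return DTLS_HM_HEADER_LENGTH + len;
}

/* Constructed scenario: a 20-byte ClientHello (type 1) arrives in two fragments,
 * with a hostile fragment in between that re-declares the message as 40 bytes.
 * Returns 1 if the hostile fragment is dropped and the genuine ones reassemble. */
int dtls_scenario(void)
{
    uint8_t body[40], rec[64];
    struct dtls_reassembly r = {0};
    size_t n;
    int ok = 1;

    memset(body, 0xAB, sizeof body);                       /* constructed payload */
    n = dtls_frag_build(rec, 1, 20, 0, 0, body, 10);       /* bytes 0..9 */
    ok &= dtls_frag_accept(&r, rec, n) == 0;
    n = dtls_frag_build(rec, 1, 40, 0, 10, body, 30);      /* hostile: msg_len grew to 40 */
    ok &= dtls_frag_accept(&r, rec, n) == -1;
    ok &= dtls_msg_complete(&r) == 0;
    n = dtls_frag_build(rec, 1, 20, 0, 10, body, 10);      /* bytes 10..19 */
    ok &= dtls_frag_accept(&r, rec, n) == 0;
    ok &= dtls_msg_complete(&r) == 1;
    dtls_reassembly_free(&r);
    return ok;
}
```

The hostile fragment passes every per-fragment bound (offset 10 and length 30 fit inside its own claimed 40-byte message); only the comparison against the length recorded from the first fragment stops it, which is why a per-fragment range check alone is not enough.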
Dr. Stephen Henson
a91be10833
Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
(cherry picked from commit bc8923b1ec)
2014-06-05 13:22:42 +01:00
Dr. Stephen Henson
a7c682fb6f
Additional CVE-2014-0224 protection.
Return a fatal error if an attempt is made to use a zero length
master secret.
(cherry picked from commit 006cd7083f)
2014-06-05 13:22:24 +01:00
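The two CVE-2014-0224 commits above (a91be10833 and a7c682fb6f), together with 3b77f01702 further up the log, describe one state-machine rule: honour a ChangeCipherSpec only when the handshake expects it and a non-empty master secret exists, never "at any time". As an added example in C that is not OpenSSL's code, here is a reduced client-side model of that rule. The event names, `struct tls_client`, the `ccs_ok` flag (standing in for the CCS_OK flag the log mentions) and the scripted flows are assumptions made for this example; session resumption and the client's own outgoing CCS are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_MASTER_SECRET_LEN 48

/* Client-side events of a full handshake, reduced to what matters for CCS
 * handling; the client's own outgoing CCS and session resumption are left out. */
enum hs_event {
    EV_SEND_CLIENT_HELLO, EV_RECV_SERVER_HELLO, EV_RECV_SERVER_HELLO_DONE,
    EV_SEND_CLIENT_KEY_EXCHANGE, EV_SEND_FINISHED,
    EV_RECV_CHANGE_CIPHER_SPEC, EV_RECV_FINISHED
};

struct tls_client {
    int step;                      /* last accepted event, -1 before ClientHello */
    int ccs_ok;                    /* a CCS from the peer is acceptable right now */
    int fatal;                     /* set once a fatal alert would have been sent */
    size_t master_secret_len;      /* 0 until the master secret is derived */
    uint8_t master_secret[TLS_MASTER_SECRET_LEN];
};

void tls_client_init(struct tls_client *c) { memset(c, 0, sizeof *c); c->step = -1; }

/* Install the master secret. A zero-length secret is refused outright, the
 * defence-in-depth of commit a7c682fb6f: keys must never be derived from nothing. */
int tls_client_set_master_secret(struct tls_client *c, const uint8_t *ms, size_t len)
{
    if (ms == NULL || len == 0 || len > TLS_MASTER_SECRET_LEN) { c->fatal = 1; return -1; }
    memcpy(c->master_secret, ms, len);
    c->master_secret_len = len;
    return 0;
}

/* Feed one event. Returns 0 if accepted, -1 if the connection is now fatal.
 * ms/ms_len carry the freshly derived master secret for ClientKeyExchange. */
int tls_client_event(struct tls_client *c, enum hs_event ev, const uint8_t *ms, size_t ms_len)
{
    if (c->fatal) return -1;
    switch (ev) {
    case EV_SEND_CLIENT_HELLO:      if (c->step != -1) goto bad; break;
    case EV_RECV_SERVER_HELLO:      if (c->step != EV_SEND_CLIENT_HELLO) goto bad; break;
    case EV_RECV_SERVER_HELLO_DONE: if (c->step != EV_RECV_SERVER_HELLO) goto bad; break;
    case EV_SEND_CLIENT_KEY_EXCHANGE:
        if (c->step != EV_RECV_SERVER_HELLO_DONE) goto bad;
        if (tls_client_set_master_secret(c, ms, ms_len) < 0) return -1;
        break;
    case EV_SEND_FINISHED:
        if (c->step != EV_SEND_CLIENT_KEY_EXCHANGE) goto bad;
        /* With our Finished sent the keys are set up on both sides, so the
         * peer's CCS may now arrive (the point of commit 3b77f01702). */
        c->ccs_ok = 1;
        break;
    case EV_RECV_CHANGE_CIPHER_SPEC:
        /* The CVE-2014-0224 gate: a CCS is honoured only when the state machine
         * expects it and a real master secret exists, never "at any time". */
        if (!c->ccs_ok || c->master_secret_len == 0) goto bad;
        c->ccs_ok = 0;             /* exactly one CCS per handshake direction */
        break;
    case EV_RECV_FINISHED:          if (c->step != EV_RECV_CHANGE_CIPHER_SPEC) goto bad; break;
    }
    c->step = ev;
    return 0;
bad:
    c->fatal = 1;
    return -1;
}

struct flow_step { enum hs_event ev; int expect; };   /* scripted event and required result */

/* Drive a fresh client through a flow; 1 if every event returned as expected. */
int tls_run_flow(const struct flow_step *steps, size_t n)
{
    static const uint8_t ms[TLS_MASTER_SECRET_LEN] = { 0x5a, 0x5a, 0x5a };  /* constructed */
    struct tls_client c;
    size_t i;
    tls_client_init(&c);
    for (i = 0; i < n; i++)
        if (tls_client_event(&c, steps[i].ev, ms, sizeof ms) != steps[i].expect)
            return 0;
    return 1;
}

/* Constructed flows: the injection from the CVE description, then an honest handshake. */
static const struct flow_step flow_mitm[] = {
    { EV_SEND_CLIENT_HELLO, 0 }, { EV_RECV_SERVER_HELLO, 0 },
    { EV_RECV_CHANGE_CIPHER_SPEC, -1 }               /* CCS before any key material */
};
static const struct flow_step flow_full[] = {
    { EV_SEND_CLIENT_HELLO, 0 }, { EV_RECV_SERVER_HELLO, 0 }, { EV_RECV_SERVER_HELLO_DONE, 0 },
    { EV_SEND_CLIENT_KEY_EXCHANGE, 0 }, { EV_SEND_FINISHED, 0 },
    { EV_RECV_CHANGE_CIPHER_SPEC, 0 }, { EV_RECV_FINISHED, 0 },
    { EV_RECV_CHANGE_CIPHER_SPEC, -1 }               /* a second CCS is never legal */
};

/* 1 if a zero-length master secret is fatal and both scripted flows behave. */
int tls_ccs_scenario(void)
{
    struct tls_client c;
    tls_client_init(&c);
    return tls_client_set_master_secret(&c, NULL, 0) == -1 && c.fatal
        && tls_run_flow(flow_mitm, 3) && tls_run_flow(flow_full, 8);
}
```

The gate is a flag set by the handshake logic rather than a check on record order alone: an injected CCS right after ServerHello is structurally a valid record, and the only thing that distinguishes it from the legitimate one is whether the state machine has reached a point where keys can be derived.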
Dr. Stephen Henson
b4322e1de8
Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(cherry picked from commit d3152655d5)
2014-06-05 13:22:03 +01:00
Dr. Stephen Henson
a5362db460
Fix CVE-2014-3470
Check session_cert is not NULL before dereferencing it.
(cherry picked from commit 8011cd56e3)
2014-06-05 13:21:50 +01:00
David Benjamin
c7f267397e
Check there is enough room for extension.
2014-06-02 23:55:56 +01:00
zhu qun-ying
470990fee0
Free up s->d1->buffered_app_data.q properly.
PR#3286
2014-06-02 23:55:55 +01:00
Sami Farin
13b7896022
Typo: set i to -1 before goto.
PR#3302
2014-06-02 14:22:07 +01:00
Matt Caswell
a5510df337
Added SSLErr call for internal error in dtls1_buffer_record
2014-06-01 21:36:25 +01:00
David Ramos
d1e1aeef8f
Delays the queue insertion until after the ssl3_setup_buffers() call due to a use-after-free bug. PR#3362
2014-06-01 21:36:25 +01:00
Dr. Stephen Henson
01f2f18f3c
Option to disable padding extension.
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.
This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.
PR#3336
2014-06-01 18:15:21 +01:00
David Ramos
92d81ba622
Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.
PR#3361
2014-06-01 14:27:22 +01:00
Dr. Stephen Henson
4fdf91742e
Use correct digest when exporting keying material.
PR#3319
2014-05-31 13:43:02 +01:00
Dr. Stephen Henson
7ce79a5bfd
Don't compile heartbeat test code on Windows (for now).
2014-05-31 13:43:02 +01:00
Juli Mallett
487dac87e3
Fix cast of boolean where cast of LHS intended.
Closes #74.
2014-05-26 13:16:12 +01:00
Matt Caswell
955376fde3
Fix for non compilation with TLS_DEBUG defined
2014-05-24 23:55:27 +01:00
Martin Kaiser
189ae368d9
Add an NSS output format to sess_id to export the session id and the master key in NSS keylog format. PR#3352
2014-05-24 00:02:24 +01:00