Commit graph

11743 commits

Author SHA1 Message Date
Dr. Stephen Henson
f90fd2b017 Print out Suite B status.
When using the -xcert option to test certificate validity print out
if we pass Suite B compliance. We print out "not tested" if we aren't
in Suite B mode.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 7d4cdededc)
2014-11-20 22:14:45 +00:00
Dr. Stephen Henson
8d325d1d36 Fix SuiteB chain checking logic.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7255ca99df)
2014-11-20 22:14:29 +00:00
David Benjamin
03d14f5887 Do not resume a session if the negotiated protocol version does not match
the session's version (server).

See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 9e189b9dc1)
2014-11-20 16:31:35 +01:00
Matt Caswell
6f71d7da64 When using EVP_PKEY_derive with a KDF set, a negative error from
ECDH_compute_key is silently ignored and the KDF is run on duff data

Thanks to github user tomykaira for the suggested fix.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8d02bebddf)
2014-11-20 15:21:37 +00:00
Emilia Kasper
0b9e82763f Clean up CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 31832e8ff1)

Conflicts:
	CHANGES
2014-11-20 15:19:42 +01:00
Emilia Kasper
e5f261df73 Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede)
2014-11-20 15:17:36 +01:00
Emilia Kasper
9baee0216f Always require an advertised NewSessionTicket message.
The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit de2c7504eb)
2014-11-20 15:17:36 +01:00
Emilia Kasper
5d23e1303c Remove ssl3_check_finished.
The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.

An equivalent change was independently made in BoringSSL, see commit
407886f589cf2dbaed82db0a44173036c3bc3317.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 980bc1ec61)

Conflicts:
	ssl/s3_clnt.c
2014-11-20 15:17:30 +01:00
Emilia Kasper
f7c7aa69f7 Set s->hit when resuming from external pre-shared secret.
The same change was independently made in BoringSSL, see commit
9eaeef81fa2d4fd6246dc02b6203fa936a5eaf67

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b3ba508af)
2014-11-20 15:09:45 +01:00
Emilia Kasper
ce5f32cfa7 Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit a06cd5d056)
2014-11-20 15:09:45 +01:00
Matt Caswell
5891c226d8 Fix s_server -ssl2. Previously this reported "Error setting EC curve"
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 13d568661c)
2014-11-19 23:57:02 +00:00
Dr. Stephen Henson
017a15cbd2 New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 3881d8106d)
2014-11-19 22:54:30 +00:00
Dr. Stephen Henson
786370b1b0 Fix excert logic.
If no keyfile has been specified use the certificate file instead.

Fix typo: we need to check the chain is not NULL, not the chain file.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-19 22:50:00 +00:00
Dr. Stephen Henson
56e8dc542b Process signature algorithms before deciding on certificate.
The supported signature algorithms extension needs to be processed before
the certificate to use is decided and before a cipher is selected (as the
set of shared signature algorithms supported may impact the choice).
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-19 14:44:42 +00:00
Matt Caswell
9ef1d283fe Added RFC 7027 references
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:10:41 +00:00
Matt Caswell
5a4a949904 Fixed cms-test.pl for no-ec2m
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:10:23 +00:00
Matt Caswell
ffa69c1ced Added OPENSSL_NO_EC2M guards around the default EC curves
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:10:01 +00:00
Jan Hykel
305e2b4111 Don't use msg on error.
Don't attempt to access msg structure if recvmsg returns an error.

PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 012aa9ec76)
2014-11-17 12:41:47 +00:00
Dr. Stephen Henson
ba7aaa5622 Fix cross reference table generator.
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 55f7fb8848)
2014-11-13 13:35:25 +00:00
Alok Menghrajani
2ad842b86a Fixes a minor typo in the EVP docs.
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5211e094de)
2014-11-12 21:05:01 +00:00
Michal Bozon
297a8fd4ac Correct timestamp output when clock_precision_digits > 0
PR#3535

Reviewed-by: Stephen Henson <steve@openssl.org>
2014-11-12 20:52:52 +00:00
Matt Caswell
5b3a5e3e90 Fix free of garbage pointer. PR#3595
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit e04d426bf9)
2014-11-12 20:29:27 +00:00
Kurt Roeckx
40e214a23b Fix warning about negative unsigned intergers
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-11 15:47:54 +01:00
Russell Coker
39679d858a Fix datarace reported by valgrind/helgrind
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.

PR3584, https://bugs.debian.org/534534

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-11-10 18:35:50 +01:00
Daniel Kahn Gillmor
0ec6898c67 Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH
see RT #3203

Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants.  This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-10 10:58:49 +01:00
Andy Polyakov
1e10aee2a7 armv4cpuid.S: fix compilation error in pre-ARMv7 build.
PR: 3474
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 6696203963)
2014-10-30 20:31:50 +01:00
Andy Polyakov
34a136d90f md32_common.h: address compiler warning in HOST_c2l.
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc7c)
2014-10-29 10:55:15 +01:00
Samuel Neves
42af669ff2 Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-28 20:42:22 +01:00
Emilia Kasper
4c75f4e5ca Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df2399)
2014-10-28 17:38:23 +01:00
Emilia Kasper
1380317483 Sync CHANGES
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-27 17:52:15 +01:00
Emilia Kasper
a35f7adf5c Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit fd28a41ec8)

Conflicts:
	ssl/ssltest.c
2014-10-27 16:33:28 +01:00
Dr. Stephen Henson
1ce95f1960 Copy negotiated parameters in SSL_set_SSL_CTX.
SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 14e14bf696)
2014-10-24 14:01:01 +01:00
Dr. Stephen Henson
51695b98f1 Process signature algorithms in ClientHello late.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c800c27a8c)

Conflicts:

	ssl/ssl.h
	ssl/ssl_err.c
	ssl/ssl_locl.h
2014-10-24 13:57:23 +01:00
Dr. Stephen Henson
82182413a4 Parse custom extensions after SNI.
Since SNI will typically switch the SSL_CTX structure to the one
corresponding to the appopriate server we need to parse custom
extensions using the switched SSL_CTX not the original one. This
is done by parsing custom extensions *after* SNI.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-23 14:45:30 +01:00
Andy Polyakov
0ce2dbfb5b Add missing credit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9f4bd9d5f9)
2014-10-22 09:38:40 +02:00
Bodo Moeller
981545e1e7 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:39:26 +02:00
Bodo Moeller
d60de314f4 When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-21 22:32:09 +02:00
Kurt Roeckx
b6ece4c1fc Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a952)
2014-10-21 21:04:09 +02:00
Tim Hudson
bb086221dd no-ssl2 with no-ssl3 does not mean drop the ssl lib
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit c882abd522)
2014-10-20 15:26:16 +10:00
Kurt Cancemi
b4b8969df8 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955)
2014-10-17 11:48:32 +02:00
Matt Caswell
010d37621d Updates to NEWS file
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-10-15 08:54:27 -04:00
Matt Caswell
84d4f99d31 Updates to CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-10-15 08:54:26 -04:00
Geoff Thorpe
82180dcc0a Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:54:26 -04:00
Dr. Stephen Henson
c2b90b398d Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5dc6070a03779cd524f0e67f76c945cb0ac38320)
2014-10-15 08:54:26 -04:00
Matt Caswell
c2a2ff3f0a Fix SRTP compile issues for windows
Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	util/mkdef.pl
	util/ssleay.num

Conflicts:
	util/mkdef.pl
2014-10-15 08:54:26 -04:00
Matt Caswell
d64b6c980c Fix for SRTP Memory Leak
CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:54:26 -04:00
Bodo Moeller
05df9b9ae5 Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:48:00 +02:00
Andy Polyakov
3e3cc471c2 aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.
RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 69d5747f90)
2014-10-15 11:12:24 +02:00
Bodo Moeller
80fb4820cb Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 10:50:53 +02:00
Bodo Moeller
2229fe5b94 Oop: revert unintentional change committed along with
TLS_FALLBACK_SCSV support, restoring a reviewed state instead.

Reviewed-by: Stephen Henson (steve@openssl.org)
2014-10-15 04:50:13 +02:00