Commit graph

86 commits

Author SHA1 Message Date
Dr. Stephen Henson
6c36ca4628 PR: 2240
Submitted by: Jack Lloyd <lloyd@randombit.net>, "Mounir IDRASSI" <mounir.idrassi@idrix.net>, steve
Reviewed by: steve

As required by RFC4492 an absent supported points format by a server is
not an error: it should be treated as equivalent to an extension only
containing uncompressed.
2010-11-25 12:27:39 +00:00
Dr. Stephen Henson
9c61c57896 using_ecc doesn't just apply to TLSv1 2010-11-25 11:51:46 +00:00
Dr. Stephen Henson
6e21ce592e fix CVE-2010-3864 2010-11-17 17:36:29 +00:00
Dr. Stephen Henson
36778eb231 PR: 1833
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix other cases not covered by original patch. (correct patch this time!)
2010-08-27 12:12:07 +00:00
Dr. Stephen Henson
c6dd154b3e oops, revert previous patch 2010-08-27 12:10:12 +00:00
Dr. Stephen Henson
35cae95032 PR: 1833
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix other cases not covered by original patch.
2010-08-27 11:57:42 +00:00
Dr. Stephen Henson
b4b15f68c0 Backport TLS v1.1 support from HEAD, ssl/ changes 2010-06-27 14:22:11 +00:00
Dr. Stephen Henson
e97359435e Fix warnings (From HEAD, original patch by Ben). 2010-06-15 17:25:15 +00:00
Dr. Stephen Henson
989238802a Allow renegotiation if SSL_OP_LEGACY_SERVER_CONNECT is set as well as
initial connection to unpatched servers. There are no additional security
concerns in doing this as clients don't see renegotiation during an
attack anyway.
2010-02-17 18:38:10 +00:00
Dr. Stephen Henson
73ff97ad76 Simplify RI+SCSV logic:
1. Send SCSV is not renegotiating, never empty RI.
2. Send RI if renegotiating.
2010-01-07 19:05:03 +00:00
Dr. Stephen Henson
54bc369ad7 Alert to use is now defined in spec: update code 2009-12-17 15:42:43 +00:00
Dr. Stephen Henson
675564835c New option to enable/disable connection to unpatched servers 2009-12-16 20:28:30 +00:00
Dr. Stephen Henson
2456cd58c4 Allow initial connection (but no renegoriation) to servers which don't support
RI.

Reorganise RI checking code and handle some missing cases.
2009-12-14 13:55:39 +00:00
Dr. Stephen Henson
10f99d7b77 Add support for magic cipher suite value (MCSV). Make secure renegotiation
work in SSLv3: initial handshake has no extensions but includes MCSV, if
server indicates RI support then renegotiation handshakes include RI.

NB: current MCSV value is bogus for testing only, will be updated when we
have an official value.

Change mismatch alerts to handshake_failure as required by spec.

Also have some debugging fprintfs so we can clearly see what is going on
if OPENSSL_RI_DEBUG is set.
2009-12-08 13:15:12 +00:00
Dr. Stephen Henson
593222afe1 PR: 2121
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Add extension support to DTLS code mainly using existing implementation for
TLS.
2009-12-08 11:38:18 +00:00
Dr. Stephen Henson
3c44e92bcb Include a more meaningful error message when rejecting legacy renegotiation 2009-11-18 14:19:52 +00:00
Dr. Stephen Henson
73582b8117 add missing parts of reneg port, fix apps patch 2009-11-11 14:51:29 +00:00
Dr. Stephen Henson
e3738c49b8 If it is a new session don't send the old TLS ticket: send a zero length
ticket to request a new session.
2009-11-08 14:36:32 +00:00
Dr. Stephen Henson
3d0b604c14 Fix statless session resumption so it can coexist with SNI 2009-10-30 13:22:44 +00:00
Dr. Stephen Henson
2e9802b7a7 PR: 2028
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS cookie management bugs.
2009-09-04 17:42:06 +00:00
Dr. Stephen Henson
18f8258a87 PR: 1629
Submitted by: Kaspar Brand <ossl-rt@velox.ch>
Approved by: steve@openssl.org

Don't use extensions if using SSLv3: this chokes some broken servers.
2009-04-28 22:01:53 +00:00
Ben Laurie
2bd45dc94c Apparently s->ctx could be NULL. (Coverity ID 147). 2008-12-29 16:15:27 +00:00
Ben Laurie
121f9e743c Apparently s->ctx could be NULL at this point (see earlier
test). (Coverity ID 148).
2008-12-29 16:13:49 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should
test for them!
2008-12-29 16:11:58 +00:00
Ben Laurie
a9dbe71ee0 Back out pointless change. 2008-12-13 17:45:49 +00:00
Ben Laurie
ecd3370ba0 *** empty log message *** 2008-12-13 17:45:27 +00:00
Dr. Stephen Henson
12bf56c017 PR: 1574
Submitted by: Jouni Malinen <j@w1.fi>
Approved by: steve@openssl.org

Ticket override support for EAP-FAST.
2008-11-15 17:18:12 +00:00
Dr. Stephen Henson
e8da6a1d0f Fix from stable branch. 2008-09-03 22:17:11 +00:00
Bodo Möller
40a706286f From HEAD:
Fix double-free in TLS server name extensions which could lead to a remote
crash found by Codenomicon TLS test suite (CVE-2008-0891)

Reviewed by: openssl-security@openssl.org

Obtained from: jorton@redhat.com
2008-05-28 22:15:48 +00:00
Dr. Stephen Henson
8a2062fefe Update from stable branch. 2008-04-30 16:14:02 +00:00
Dr. Stephen Henson
c78bba2343 Oops! 2008-04-29 16:46:46 +00:00
Dr. Stephen Henson
d26c905c67 Update from stable branch. 2008-04-29 16:44:51 +00:00
Dr. Stephen Henson
8e3b2dbb31 Disable debugging fprintf. 2008-04-25 11:33:32 +00:00
Geoff Thorpe
1e26a8baed Fix a variety of warnings generated by some elevated compiler-fascism,
OPENSSL_NO_DEPRECATED, etc. Steve, please double-check the CMS stuff...
2008-03-16 21:05:46 +00:00
Dr. Stephen Henson
0e1dba934f 1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure

2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).

3. Changes to EVP
	- adding of function EVP_PKEY_CTX_get0_peerkey
	- Make function EVP_PKEY_derive_set_peerkey work for context with
	  ENCRYPT operation, because we use peerkey field in the context to
	  pass non-ephemeral secret key to GOST encrypt operation.
	- added EVP_PKEY_CTRL_SET_IV control command. It is really
	  GOST-specific, but it is used in SSL code, so it has to go
	  in some header file, available during libssl compilation

4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data

5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
  make debugging output which depends on constants defined there, work
  and other KSSL_DEBUG output fixes

6. Declaration of real GOST ciphersuites, two authentication methods
   SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST

7. Implementation  of these methods.

8. Support for sending unsolicited serverhello extension if GOST
  ciphersuite is selected. It is require for interoperability with
  CryptoPro CSP 3.0 and 3.6 and controlled by
  SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
  This constant is added to SSL_OP_ALL, because it does nothing, if
  non-GOST ciphersuite is selected, and all implementation of GOST
  include compatibility with CryptoPro.

9. Support for CertificateVerify message without length field. It is
   another CryptoPro bug, but support is made unconditional, because it
   does no harm for draft-conforming implementation.

10. In tls1_mac extra copy of stream mac context is no more done.
  When I've written currently commited code I haven't read
  EVP_DigestSignFinal manual carefully enough and haven't noticed that
  it does an internal digest ctx copying.

This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
Dr. Stephen Henson
76c3ef7446 Fix from stable branch. 2007-10-18 11:42:47 +00:00
Dr. Stephen Henson
04e2ab2c02 Move no status notification to ssl_check_serverhello_tlsext() to ensure
no status is notified even if no server extensions are present.
2007-09-28 17:45:11 +00:00
Dr. Stephen Henson
67c8e7f414 Support for certificate status TLS extension. 2007-09-26 21:56:59 +00:00
Bodo Möller
02c27b113c properly handle length-zero opaque PRF input values
(which are pointless, but still might occur)
2007-09-23 11:30:53 +00:00
Bodo Möller
761772d7e1 Implement the Opaque PRF Input TLS extension
(draft-rescorla-tls-opaque-prf-input-00.txt), and do some cleanups and
bugfixes on the way.  In particular, this fixes the buffer bounds
checks in ssl_add_clienthello_tlsext() and in ssl_add_serverhello_tlsext().

Note that the opaque PRF Input TLS extension is not compiled by default;
see CHANGES.
2007-09-21 06:54:24 +00:00
Dr. Stephen Henson
956006b741 Use SHA256 for ticket HMAC if possible. 2007-08-20 12:35:20 +00:00
Dr. Stephen Henson
525de5d335 OPENSSL_NO_TLS1 WIN32 build support. Fix so normal build works again. 2007-08-12 23:59:05 +00:00
Dr. Stephen Henson
367eb1f125 Fix warning and make no-tlsext work. 2007-08-12 18:56:14 +00:00
Dr. Stephen Henson
ddd3a617ca Remove debugging fprintfs, fix typo. 2007-08-12 17:06:28 +00:00
Dr. Stephen Henson
6434abbfc6 RFC4507 (including RFC4507bis) TLS stateless session resumption support
for OpenSSL.
2007-08-11 23:18:29 +00:00
Bodo Möller
a291745eeb fix function codes for error 2007-04-24 01:06:19 +00:00
Bodo Möller
52b8dad8ec Reorganize the data used for SSL ciphersuite pattern matching.
This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).

In some cases the ciphersuite list generated from a given string is
affected by this change.  I hope this is just in those cases where the
previous behaviour did not make sense.
2007-02-17 06:45:38 +00:00
Dr. Stephen Henson
42182852f5 Constify version strings is ssl lib. 2007-01-21 16:06:05 +00:00
Bodo Möller
89bbe14c50 Ciphersuite string bugfixes, and ECC-related (re-)definitions. 2006-06-14 17:40:31 +00:00
Bodo Möller
a4974de937 clarification 2006-04-03 14:11:23 +00:00