Commit graph

1768 commits

Author SHA1 Message Date
Matt Caswell
5e60396fe7 Added 1.0.1i CHANGES and NEWS updates
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-09-25 21:29:25 +01:00
Emilia Kasper
e9128d9401 Note i2d_re_X509_tbs and related changes in CHANGES
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-23 18:26:42 +02:00
Andy Polyakov
d2a1226b81 CHANGES: mention ECP_NISTZ256.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 507efe7372)
2014-09-23 14:56:46 +02:00
Dr. Stephen Henson
2102c53caa Add CHANGES entry for SCT viewer code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b2774f6e17)
2014-09-05 13:45:45 +01:00
Bodo Moeller
be804523cf Clean up CHANGES files: If a change is already present in 1.0.1f or 1.0.1h,
don't list it again under changes between 1.0.1h and 1.0.2.
2014-08-01 18:38:56 +02:00
Bodo Moeller
d5213519c0 Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org
2014-08-01 17:27:59 +02:00
Andy Polyakov
0ae6ba18ab CHANGES: mention new platforms.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-07-22 20:18:06 +02:00
Dr. Stephen Henson
22db480daf Remove all RFC5878 code.
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs.
2014-07-04 13:42:05 +01:00
Richard Levitte
68a1e0bc35 Bring in the 1.0.1g to 1.0.1h changes into CHANGES. 2014-06-12 12:22:24 +02:00
Richard Levitte
ed6c278f60 Small cleanup, double entry in CHANGES. 2014-06-12 12:18:13 +02:00
mancha
e6a01b47e4 Fix version documentation.
Specify -f is for compilation flags. Add -d to synopsis section.

(cherry picked from commit 006397ea62bbcae22c8664d53c2222b808c4bdd1)

Closes #78.
2014-04-26 11:20:00 +01:00
mancha
3f1b3d9675 Fix eckey_priv_encode()
Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey.
2014-04-24 19:31:49 +00:00
Ben Laurie
3b21abfd6c Fix double frees.
Conflicts:
	CHANGES
2014-04-22 17:00:52 +01:00
Dr. Stephen Henson
13738d5fa1 update CHANGES 2014-04-07 21:56:34 +01:00
Dr. Stephen Henson
7e840163c0 Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
(cherry picked from commit 96db9023b8)
2014-04-07 19:25:34 +01:00
Dr. Stephen Henson
6411b83e52 Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
(cherry picked from commit cd6bd5ffda)

Conflicts:

	CHANGES
2014-04-05 20:49:09 +01:00
Dr. Stephen Henson
e9b4b8afbd Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
(cherry picked from commit 66e8211c0b)
2014-04-01 16:39:35 +01:00
Dr. Stephen Henson
0a9f7780e5 Fix for CVE-2014-0076
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be3483)

Conflicts:

	CHANGES
2014-03-12 14:23:21 +00:00
Scott Deboy
038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
2014-02-08 16:12:15 -08:00
Dr. Stephen Henson
802db0fab2 Sync CHANGES 2014-01-07 15:41:11 +00:00
Dr. Stephen Henson
b9fa413a08 Use algorithm specific chains for certificates.
Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm
specific chains instead of the shared chain.

Update docs.
(cherry picked from commit a4339ea3ba)

Conflicts:

	CHANGES
2014-01-03 22:45:20 +00:00
Dr. Stephen Henson
8c6d8c2a49 Backport TLS padding extension from master. 2013-12-13 15:29:26 +00:00
Dr. Stephen Henson
25f93585a7 Exetended OAEP support.
Extend OAEP support. Generalise the OAEP padding functions to support
arbitrary digests. Extend EVP_PKEY RSA method to handle the new OAEP
padding functions and add ctrls to set the additional parameters.
(cherry picked from commit 271fef0ef3)

Conflicts:

	CHANGES
2013-10-01 14:01:17 +01:00
Dr. Stephen Henson
c6f3386577 EVP support for wrapping algorithms.
Add support for key wrap algorithms via EVP interface.

Generalise AES wrap algorithm and add to modes, making existing
AES wrap algorithm a special case.

Move test code to evptests.txt
(cherry picked from commit 97cf1f6c28)

Conflicts:

	CHANGES
2013-10-01 14:01:17 +01:00
Dr. Stephen Henson
7c23127fde Add functions to set ECDSA_METHOD structure.
Add various functions to allocate and set the fields of an ECDSA_METHOD
structure.
(cherry picked from commit 94c2f77a62)
2013-09-18 01:23:40 +01:00
Bodo Moeller
8b9722a3c0 Merge branch 'OpenSSL_1_0_2-stable' of openssl.net:openssl into OpenSSL_1_0_2-stable 2013-09-17 09:59:14 +02:00
Bodo Moeller
8c149cfd83 Sync with version from master. 2013-09-17 09:55:27 +02:00
Rob Stradling
86a66deb7e Update CHANGES. 2013-09-16 14:03:22 +01:00
Bodo Moeller
1b9a59c36a Sync CHANGES and NEWS files. 2013-09-16 14:54:34 +02:00
Dr. Stephen Henson
904348a492 Time difference functions.
Backport of ASN1_TIME_diff and OPENSSL_gmtime_diff functions from master
branch.
2013-08-19 21:55:07 +01:00
Dr. Stephen Henson
171c4da568 Add -rev test option to s_server to just reverse order of characters received
by client and send back to server. Also prints an abbreviated summary of
the connection parameters.
(cherry picked from commit 4f3df8bea2)
2013-08-19 14:13:38 +01:00
Dr. Stephen Henson
04611fb0f1 Add -brief option to s_client and s_server to summarise connection details.
New option -verify_quiet to shut up the verify callback unless there is
an error.

(manually applied from commit 2a7cbe77b3)
2013-08-19 14:13:24 +01:00
Trevor
e27711cfdd Trying cherrypick:
Add support for arbitrary TLS extensions.

Contributed by Trevor Perrin.

Conflicts:

	CHANGES
	ssl/ssl.h
	ssl/ssltest.c
	test/testssl

Fix compilation due to #endif.

Cherrypicking more stuff.

Cleanup of custom extension stuff.

serverinfo rejects non-empty extensions.

Omit extension if no relevant serverinfo data.

Improve error-handling in serverinfo callback.

Cosmetic cleanups.

s_client documentation.

s_server documentation.

SSL_CTX_serverinfo documentation.

Cleaup -1 and NULL callback handling for custom extensions, add tests.

Cleanup ssl_rsa.c serverinfo code.

Whitespace cleanup.

Improve comments in ssl.h for serverinfo.

Whitespace.

Cosmetic cleanup.

Reject non-zero-len serverinfo extensions.

Whitespace.

Make it build.

Conflicts:

	test/testssl
2013-07-03 11:53:30 +01:00
Dr. Stephen Henson
57912ed329 Add code to download CRLs based on CRLDP extension.
Just a sample, real world applications would have to be cleverer.
2013-01-18 15:38:13 +00:00
Dr. Stephen Henson
e318431e54 New option to add CRLs for s_client and s_server. 2013-01-18 14:37:14 +00:00
Dr. Stephen Henson
6a10f38daa initial support for delta CRL generations by diffing two full CRLs 2013-01-17 18:51:50 +00:00
Dr. Stephen Henson
75f535315a New functions to set lookup_crls callback and to retrieve internal X509_STORE
from X509_STORE_CTX.
2013-01-17 16:32:33 +00:00
Dr. Stephen Henson
2aa3ef78b6 print out issuer and subject unique identifier fields in certificates 2013-01-16 15:08:34 +00:00
Dr. Stephen Henson
5c8d41be85 Generalise OCSP I/O functions to support dowloading of other ASN1
structures using HTTP. Add wrapper function to handle CRL download.
2013-01-15 18:01:31 +00:00
Dr. Stephen Henson
15387e4ce0 Delegate command line handling for many common options in s_client/s_server to
the SSL_CONF APIs.

This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.

(backport from HEAD)
2012-12-29 14:16:41 +00:00
Dr. Stephen Henson
49ef33fa34 add SSL_CONF functions and documentation (backport from HEAD) 2012-12-29 13:30:56 +00:00
Dr. Stephen Henson
bc200e691c SSL/TLS record tracing code (backport from HEAD). 2012-12-26 22:40:46 +00:00
Dr. Stephen Henson
78b5d89ddf Add support for printing out and retrieving EC point formats extension.
(backport from HEAD)
2012-12-26 18:13:49 +00:00
Dr. Stephen Henson
1520e6c084 Add ctrl and utility functions to retrieve raw cipher list sent by client in
client hello message. Previously this could only be retrieved on an initial
connection and it was impossible to determine the cipher IDs of any uknown
ciphersuites.
(backport from HEAD)
2012-12-26 16:25:06 +00:00
Dr. Stephen Henson
ccf6a19e2d Add three Suite B modes to TLS code, supporting RFC6460.
(backport from HEAD)
2012-12-26 16:17:40 +00:00
Dr. Stephen Henson
ba8bdea771 add suite B chain validation flags and associated verify errors
(backport from HEAD)
2012-12-26 16:01:31 +00:00
Dr. Stephen Henson
6660baee66 Make tls1_check_chain return a set of flags indicating checks passed
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.

Print out results of checks for each candidate chain tested in
s_server/s_client.
(backport from HEAD)
2012-12-26 15:27:44 +00:00
Dr. Stephen Henson
25d4c9254c Abort handshake if signature algorithm used not supported by peer.
(backport from HEAD)
2012-12-26 15:27:24 +00:00
Dr. Stephen Henson
44adfeb6c0 check EC tmp key matches preferences
(backport from HEAD)
2012-12-26 15:27:04 +00:00
Dr. Stephen Henson
b762acadeb Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
(backport from HEAD)
2012-12-26 15:21:53 +00:00
Dr. Stephen Henson
b28fbdfa7d New function ssl_set_client_disabled to set masks for any ciphersuites
that are disabled for this session (as opposed to always disabled by
configuration).
(backport from HEAD)
2012-12-26 14:55:46 +00:00
Dr. Stephen Henson
a897502cd9 Add new ctrl to retrieve client certificate types, print out
details in s_client.

Also add ctrl to set client certificate types. If not used sensible values
will be included based on supported signature algorithms: for example if
we don't include any DSA signing algorithms the DSA certificate type is
omitted.

Fix restriction in old code where certificate types would be truncated
if it exceeded TLS_CT_NUMBER.
(backport from HEAD)
2012-12-26 14:51:37 +00:00
Dr. Stephen Henson
04c32cddaa Separate client and server permitted signature algorithm support: by default
the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
(backport from HEAD)
2012-12-26 14:44:56 +00:00
Dr. Stephen Henson
623a5e24cb Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
(backport from HEAD)
2012-12-26 14:43:51 +00:00
Dr. Stephen Henson
bd9fc1d667 New functions to retrieve certificate signatures and signature OID NID.
(backport from HEAD)
2012-12-26 14:31:05 +00:00
Dr. Stephen Henson
484f876235 Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
(backport from HEAD)
2012-12-26 14:26:53 +00:00
Dr. Stephen Henson
c70a1fee71 Reorganise supported signature algorithm extension processing.
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
(backport from HEAD)
2012-12-26 14:26:16 +00:00
Dr. Stephen Henson
0b362de5f5 Add support for application defined signature algorithms for use with
TLS v1.2. These are sent as an extension for clients and during a certificate
request for servers.

TODO: add support for shared signature algorithms, respect shared algorithms
when deciding which ciphersuites and certificates to permit.
(backport from HEAD)
2012-12-26 14:25:29 +00:00
Dr. Stephen Henson
d312f7be37 Make it possible to delete all certificates from an SSL structure.
(backport from HEAD)
2012-12-26 14:18:50 +00:00
Dr. Stephen Henson
70cd3c6b95 Integrate host, email and IP address checks into X509_verify.
Add new verify options to set checks.

(backport from HEAD)
2012-12-19 15:14:10 +00:00
Dr. Stephen Henson
45da1efcdb Backport X509 hostname, IP address and email checking code from HEAD. 2012-12-19 15:01:59 +00:00
Ben Laurie
d65b8b2162 Backport OCSP fixes. 2012-12-14 12:53:53 +00:00
Ben Laurie
5f4cf08864 Make verify return errors. 2012-12-13 15:49:15 +00:00
Dr. Stephen Henson
9d2006d8ed add -trusted_first option and verify flag (backport from HEAD) 2012-09-26 13:50:42 +00:00
Andy Polyakov
988037fe18 MIPS assembly pack: jumbo update from HEAD. 2012-09-19 20:59:18 +00:00
Dr. Stephen Henson
dc14441757 Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.
2012-09-11 13:35:14 +00:00
Ben Laurie
da8512aaff Call OCSP Stapling callback after ciphersuite has been chosen, so the
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent.  See
http://rt.openssl.org/Ticket/Display.html?id=2836.
2012-09-11 12:00:25 +00:00
Andy Polyakov
0e05b51fe5 Add linux-x32 target [from HEAD]. 2012-08-29 14:12:10 +00:00
Ben Laurie
4e14996e8a Missing from previous commit. 2012-05-29 18:39:32 +00:00
Dr. Stephen Henson
1dded7f7e8 Experimental multi-implementation support for FIPS capable OpenSSL.
When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
This means that the FIPS capable OpenSSL isn't forced to use the
(often lower perfomance) FIPS implementations outside FIPS mode.
2012-05-13 18:40:12 +00:00
Dr. Stephen Henson
482f238069 PR: 2813
Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>

Fix possible deadlock when decoding public keys.
2012-05-11 13:53:23 +00:00
Dr. Stephen Henson
5e145e54cc PR: 2811
Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.
2012-05-11 13:33:34 +00:00
Dr. Stephen Henson
e7c8483891 Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and
DTLS to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
2012-05-10 16:03:36 +00:00
Dr. Stephen Henson
24547c23ca Reported by: Solar Designer of Openwall
Make sure tkeylen is initialised properly when encrypting CMS messages.
2012-05-10 13:44:24 +00:00
Dr. Stephen Henson
a56f9a612b Don't try to use unvalidated composite ciphers in FIPS mode 2012-04-26 18:51:26 +00:00
Andy Polyakov
0ae89cf32e CHANGES: clarify. 2012-04-26 07:34:09 +00:00
Andy Polyakov
7e0c9630a3 CHANGES: fix typos and clarify. 2012-04-26 07:24:28 +00:00
Dr. Stephen Henson
a6df6702c6 Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
2012-04-25 23:06:31 +00:00
Andy Polyakov
f69abd5321 s23_clnt.c: ensure interoperability by maitaining client "version capability"
vector contiguous [from HEAD].
PR: 2802
2012-04-25 22:07:03 +00:00
Dr. Stephen Henson
d6ef8165bb update date 2012-04-19 16:21:49 +00:00
Dr. Stephen Henson
564a503b1b Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
2012-04-19 16:19:07 +00:00
Bodo Möller
bb3add20f3 Disable SHA-2 ciphersuites in < TLS 1.2 connections.
(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)

Submitted by: Adam Langley
2012-04-17 15:21:29 +00:00
Dr. Stephen Henson
48e0f6667b Additional workaround for PR#2771
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.

Document workarounds in CHANGES.
2012-04-17 14:47:14 +00:00
Dr. Stephen Henson
c3cb069108 transparently handle X9.42 DH parameters
(backport from HEAD)
2012-04-07 20:42:44 +00:00
Dr. Stephen Henson
491734eb21 Initial experimental support for X9.42 DH parameter format to handle
RFC5114 parameters and X9.42 DH public and private keys.
(backport from HEAD)
2012-04-07 20:22:11 +00:00
Dr. Stephen Henson
e811eff5a9 Add RFC5114 DH parameters to OpenSSL. Add test data to dhtest.
(backport from HEAD)
2012-04-07 12:19:50 +00:00
Dr. Stephen Henson
e46c807e4f Add support for automatic ECDH temporary key parameter selection. When
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
(backport from HEAD)
2012-04-06 20:15:50 +00:00
Dr. Stephen Henson
6b870763ac Initial revision of ECC extension handling.
Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
(backport from HEAD)
2012-04-06 20:12:35 +00:00
Dr. Stephen Henson
5505818199 New ctrls to retrieve supported signature algorithms and curves and
extensions to s_client and s_server to print out retrieved valued.

Extend CERT structure to cache supported signature algorithm data.
(backport from HEAD)
2012-04-06 19:29:49 +00:00
Dr. Stephen Henson
a068a1d0e3 Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
(backport from HEAD)
2012-04-06 17:35:01 +00:00
Dr. Stephen Henson
37b16c84bb Add support for distinct certificate chains per key type and per SSL
structure.

Before this the only way to add a custom chain was in the parent SSL_CTX
(which is shared by all key types and SSL structures) or rely on auto
chain building (which is performed on each handshake) from the trust store.
(backport from HEAD)
2012-04-06 17:22:48 +00:00
Dr. Stephen Henson
c523eb98d1 Backport DH client certificate support (from HEAD) 2012-04-06 11:34:42 +00:00
Dr. Stephen Henson
0ffa49970b Backport support for fixed DH ciphersuites (from HEAD) 2012-04-06 11:33:12 +00:00
Andy Polyakov
54543b954c CHANGES: harmonize with 1.0.0 and 1.0.1. 2012-03-31 18:56:07 +00:00
Dr. Stephen Henson
b911523977 set version to 1.0.2-dev 2012-03-22 15:29:21 +00:00
Dr. Stephen Henson
f3dcae15ac prepare for 1.0.1 release 2012-03-14 12:04:40 +00:00
Dr. Stephen Henson
08e4c7a967 correct CHANGES 2012-02-23 22:13:59 +00:00
Dr. Stephen Henson
a8314df902 Fix bug in CVE-2011-4619: check we have really received a client hello
before rejecting multiple SGC restarts.
2012-02-16 15:25:39 +00:00
Dr. Stephen Henson
0cd7a0325f Additional compatibility fix for MDC2 signature format.
Update RSA EVP_PKEY_METHOD to use the OCTET STRING form of MDC2 signature:
this will make all versions of MDC2 signature equivalent.
2012-02-15 14:14:01 +00:00
Dr. Stephen Henson
16b7c81d55 An incompatibility has always existed between the format used for RSA
signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.

This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.

Add detection in RSA_verify so either format works.

Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
2012-02-15 14:00:09 +00:00