Commit graph

10924 commits

Author SHA1 Message Date
Emilia Kasper
249a3e362f Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede)

Conflicts:
	CHANGES
	ssl/s3_srvr.c
2014-11-20 15:32:08 +01:00
Emilia Kasper
15d717f574 Always require an advertised NewSessionTicket message.
The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit de2c7504eb)

Conflicts:
	CHANGES
2014-11-20 15:29:17 +01:00
Emilia Kasper
b8712b2b9a Remove ssl3_check_finished.
The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.

An equivalent change was independently made in BoringSSL, see commit
407886f589cf2dbaed82db0a44173036c3bc3317.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 980bc1ec61)

Conflicts:
	ssl/d1_clnt.c
	ssl/s3_clnt.c
2014-11-20 15:26:26 +01:00
Emilia Kasper
1eaccbef57 Set s->hit when resuming from external pre-shared secret.
The same change was independently made in BoringSSL, see commit
9eaeef81fa2d4fd6246dc02b6203fa936a5eaf67

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b3ba508af)
2014-11-20 15:20:17 +01:00
Emilia Kasper
e2f69f5ce7 Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit a06cd5d056)
2014-11-20 15:20:16 +01:00
Dr. Stephen Henson
821bee4333 New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 3881d8106d)

Conflicts:
	util/mkdef.pl
2014-11-19 22:57:51 +00:00
Matt Caswell
8b6205c484 Added OPENSSL_NO_EC2M guards around the preferred EC curve list
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:15:28 +00:00
Jan Hykel
e5cf62b04d Don't use msg on error.
Don't attempt to access msg structure if recvmsg returns an error.

PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 012aa9ec76)
2014-11-17 12:42:15 +00:00
Dr. Stephen Henson
b1edca2a4c Fix cross reference table generator.
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 55f7fb8848)
2014-11-13 13:35:58 +00:00
Alok Menghrajani
e7768ebbd2 Fixes a minor typo in the EVP docs.
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5211e094de)
2014-11-12 21:05:24 +00:00
Michal Bozon
329a76c085 Correct timestamp output when clock_precision_digits > 0
PR#3535

Reviewed-by: Stephen Henson <steve@openssl.org>
2014-11-12 20:54:10 +00:00
Matt Caswell
bbb76be9b5 Fix free of garbage pointer. PR#3595
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit e04d426bf9)
2014-11-12 20:31:27 +00:00
Kurt Roeckx
b726b8a60c Fix warning about negative unsigned intergers
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-11 15:48:34 +01:00
Russell Coker
e298409c34 Fix datarace reported by valgrind/helgrind
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.

PR3584, https://bugs.debian.org/534534

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-11-10 18:36:09 +01:00
Andy Polyakov
25012d5e79 md32_common.h: address compiler warning in HOST_c2l.
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc7c)
2014-10-29 10:55:48 +01:00
Samuel Neves
09b7de77b3 Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-28 20:50:44 +01:00
Emilia Kasper
9bdedec0cf Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df2399)

Conflicts:
	CHANGES
2014-10-28 17:41:49 +01:00
Emilia Kasper
f63fa8b10a Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit fd28a41ec8)

Conflicts:
	ssl/ssltest.c
2014-10-27 16:36:19 +01:00
Bodo Moeller
d47aebbb47 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:40:41 +02:00
Bodo Moeller
08931f1cd6 When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-21 22:32:30 +02:00
Kurt Roeckx
6ce9687b5a Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a952)
2014-10-21 21:08:14 +02:00
Tim Hudson
20e610580e no-ssl2 with no-ssl3 does not mean drop the ssl lib
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit c882abd522)
2014-10-20 15:25:55 +10:00
Andy Polyakov
4fa17211bb e_os.h: refine inline override logic (to address warnings in debug build).
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 55c7a4cf11)
2014-10-17 11:53:02 +02:00
Andy Polyakov
d8d40fc676 e_os.h: allow inline functions to be compiled by legacy compilers.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 40155f4089)
2014-10-17 11:52:47 +02:00
Kurt Cancemi
3c7fcdfdd4 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955)
2014-10-17 11:48:42 +02:00
Matt Caswell
e356ac5c06 Prepare for 1.0.1k-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:55:20 +01:00
Matt Caswell
872e681c00 Prepare for 1.0.1j release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:54:46 +01:00
Matt Caswell
38b71ba8ff Updates to NEWS
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-10-15 08:51:50 -04:00
Matt Caswell
f8cf36c298 Add updates to CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-10-15 08:51:50 -04:00
Geoff Thorpe
26a59d9b46 Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:51:50 -04:00
Dr. Stephen Henson
7fd4ce6a99 Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5dc6070a03779cd524f0e67f76c945cb0ac38320)
2014-10-15 08:51:50 -04:00
Matt Caswell
d9d09a8d0f Fix SRTP compile issues for windows
Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:51:50 -04:00
Matt Caswell
2b0532f398 Fix for SRTP Memory Leak
CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an origi
issue and patch developed by the LibreSSL project. Further analysis of the i
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:51:49 -04:00
Bodo Moeller
7d07c75c5b Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:47:39 +02:00
Andy Polyakov
f34297db80 aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.
RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 69d5747f90)
2014-10-15 11:13:14 +02:00
Tim Hudson
e2e5326e5b Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-10-15 10:49:51 +02:00
Richard Levitte
592c6e1191 Add the constant time test to the VMS build and tests
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	test/maketests.com
	test/tests.com
2014-10-15 10:49:44 +02:00
Richard Levitte
8202802fad Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:35 +02:00
Richard Levitte
f79bb32926 Spaces were added in some strings for better readability. However, those spaces do not belong in file names, so when picking out the individual parts, remove the spaces
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:24 +02:00
Richard Levitte
7a3809fd97 Adjust VMS build to Unix build. Most of all, make it so the disabled
algorithms MD2 and RC5 don't get built.
Also, disable building the test apps in crypto/des and crypto/pkcs7, as
they have no support at all.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:08 +02:00
Richard Levitte
f13a149088 Make sure test/tests.com exit gracefully, even when openssl.exe wasn't properly built.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:48:55 +02:00
Richard Levitte
fc586d2955 Update the VMS build according to the latest unixly build. Partly provided by Zoltan Arpadffy <arpadffy@polarhome.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:48:32 +02:00
Richard Levitte
17d45dec4d Make sure that disabling the MAYLOSEDATA3 warning is only done when the compiler supports it. Otherwise, there are warnings about it lacking everywhere, which is quite tedious to read through while trying to check for other warnings.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:47:12 +02:00
Bodo Moeller
6bfe55380a Support TLS_FALLBACK_SCSV.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 04:05:42 +02:00
Dr. Stephen Henson
4e05aedbca Preserve digests for SNI.
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

PR: 3560
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-10 23:21:14 +01:00
Matt Caswell
bf3e200eb4 Removed duplicate definition of PKCS7_type_is_encrypted
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e0fdea3e49)
2014-10-06 23:46:25 +01:00
Dr. Stephen Henson
55614f89f0 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:22:32 +01:00
Emilia Kasper
b1620443f3 Add missing tests
Accidentally omitted from commit 455b65dfab

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e)
2014-09-25 13:47:16 +02:00
Dr. Stephen Henson
4ed98b6e25 Use correct function name: CMS_add1_signer()
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5886354dcc)
2014-09-25 00:06:59 +01:00
Andy Polyakov
3a33923515 crypto/bn/bn_nist.c: work around MSC ARM compiler bug.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 8b07c005fe)
2014-09-25 00:47:18 +02:00