Commit graph

107 commits

Author SHA1 Message Date
Dr. Stephen Henson
cbd64894ec Use enc_flags when deciding protocol variations.
Use the enc_flags field to determine whether we should use explicit IV,
signature algorithms or SHA256 default PRF instead of hard coding which
versions support each requirement.
2013-03-18 15:03:58 +00:00
Dr. Stephen Henson
388aff08dc Fix error codes. 2013-02-26 16:46:58 +00:00
Andy Polyakov
dd7e60bd70 ssl/*: revert "remove SSL_RECORD->orig_len" and merge "fix IV".
Revert is appropriate because binary compatibility is not an issue
in 1.1.
2013-02-08 10:20:48 +01:00
Andy Polyakov
2aec073a52 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 8bfd4c659f)
2013-02-06 14:19:10 +00:00
Ben Laurie
e33ac0e71d Update DTLS code to match CBC decoding in TLS.
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
(cherry picked from commit 9f27de170d)
2013-02-06 14:19:07 +00:00
Ben Laurie
93cab6b319 Don't crash when processing a zero-length, TLS >= 1.1 record.
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b7681)
2013-02-06 14:19:07 +00:00
Ben Laurie
2acc020b77 Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)
2013-02-06 14:19:07 +00:00
Ben Laurie
7c770d572a Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a)
2013-02-06 14:16:55 +00:00
Dr. Stephen Henson
36b5bb6f2f send out the raw SSL/TLS headers to the msg_callback and display them in SSL_trace 2012-12-07 23:42:33 +00:00
Dr. Stephen Henson
c3b1303387 PR: 2811
Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.
2012-05-11 13:34:29 +00:00
Dr. Stephen Henson
293706e72c Partial workaround for PR#2771.
Some servers hang when presented with a client hello record length exceeding
255 bytes but will work with longer client hellos if the TLS record version
in client hello does not exceed TLS v1.0. Unfortunately this doesn't fix all
cases...
2012-04-17 13:21:19 +00:00
Andy Polyakov
fc90e42c86 e_aes_cbc_hmac_sha1.c: handle zero-length payload and engage empty frag
countermeasure.

PR: 2778
2012-04-15 14:14:22 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
d18a0df0a6 make sure eivlen is initialised 2011-09-24 23:06:20 +00:00
Dr. Stephen Henson
28dd49faec Expand range of ctrls for AES GCM to support retrieval and setting of
invocation field.

Add complete support for AES GCM ciphersuites including all those in
RFC5288 and RFC5289.
2011-08-03 15:37:22 +00:00
Dr. Stephen Henson
3d52f1d52b PR: 2533
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Setting SSL_MODE_RELEASE_BUFFERS should be ignored for DTLS, but instead causes
the program to crash. This is due to missing version checks and is fixed with
this patch.
2011-05-25 15:20:49 +00:00
Dr. Stephen Henson
bbcf3a9b30 Some nextproto patches broke DTLS: fix 2011-05-25 14:31:47 +00:00
Dr. Stephen Henson
7409d7ad51 Initial incomplete TLS v1.2 support. New ciphersuites added, new version
checking added, SHA256 PRF support added.

At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
2011-04-29 22:56:51 +00:00
Ben Laurie
edc032b5e3 Add SRP support. 2011-03-12 17:01:19 +00:00
Dr. Stephen Henson
e15320f652 Only use explicit IV if cipher is in CBC mode. 2010-11-14 17:47:45 +00:00
Ben Laurie
bf48836c7c Fixes to NPN from Adam Langley. 2010-09-05 17:14:01 +00:00
Dr. Stephen Henson
44959ee456 PR: 1833
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Support for abbreviated handshakes when renegotiating.
2010-08-26 14:23:52 +00:00
Ben Laurie
ee2ffc2794 Add Next Protocol Negotiation. 2010-07-28 10:06:55 +00:00
Bodo Möller
3e8b6485b3 Fix for "Record of death" vulnerability CVE-2010-0740.
Also, add missing CHANGES entry for CVE-2009-3245 (code changes submitted to this branch on 23 Feb 2010),
and further harmonize this version of CHANGES with the versions in the current branches.
2010-03-25 11:25:30 +00:00
Dr. Stephen Henson
00b525781b oops revert test code accidentally committed 2010-01-28 16:48:39 +00:00
Dr. Stephen Henson
d5e7f2f2c3 PR: 1949
Submitted by: steve@openssl.org

More robust fix and workaround for PR#1949. Don't try to work out if there
is any write pending data as this can be unreliable: always flush.
2010-01-26 19:47:37 +00:00
Dr. Stephen Henson
338a61b94e Add patch to crypto/evp which didn't apply from PR#2124 2009-12-09 15:01:39 +00:00
Dr. Stephen Henson
82e610e2cf Send no_renegotiation alert as required by spec. 2009-12-08 19:06:26 +00:00
Dr. Stephen Henson
637f374ad4 Initial experimental TLSv1.1 support 2009-12-07 13:31:02 +00:00
Dr. Stephen Henson
3f7c592082 Updates from 1.0.0-stable. 2009-07-14 15:30:05 +00:00
Dr. Stephen Henson
5c168710ac Update from 1.0.0-stable. 2009-07-13 11:44:30 +00:00
Dr. Stephen Henson
8711efb498 Updates from 1.0.0-stable branch. 2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
cc7399e79c Changes from 1.0.0-stable. 2009-04-07 16:33:26 +00:00
Richard Levitte
c7ba21493a Hopefully resolve signed vs unsigned issue. 2009-01-28 07:09:23 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should
test for them!
2008-12-29 16:11:58 +00:00
Ben Laurie
8aa02e97a7 Make sure a bad parameter to RSA_verify_PKCS1_PSS() doesn't lead to a crash.
(Coverity ID 135).
2008-12-29 13:35:08 +00:00
Lutz Jänicke
b8dfde2a36 Remove the DTLS1_BAD_VER thing from 0.9.9-dev. It is present in 0.9.8
but has been omitted from HEAD (0.9.9), see commit
  http://cvs.openssl.org/chngview?cn=16627
by appro.
2008-10-13 06:45:59 +00:00
Lutz Jänicke
7e7af0bc51 When the underlying BIO_write() fails to send a datagram, we leave the
offending record queued as 'pending'. The DTLS code doesn't expect this,
and we end up hitting an OPENSSL_assert() in do_dtls1_write().

The simple fix is just _not_ to leave it queued. In DTLS, dropping
packets is perfectly acceptable -- and even preferable. If we wanted a
service with retries and guaranteed delivery, we'd be using TCP.
PR: #1703
Submitted by: David Woodhouse <dwmw2@infradead.org>
2008-10-10 10:41:35 +00:00
Bodo Möller
1cbf663a6c sanity check
PR: 1679
2008-08-13 19:45:06 +00:00
Bodo Möller
474b3b1cc8 Fix error codes for memory-saving patch.
Also, get rid of compile-time switch OPENSSL_NO_RELEASE_BUFFERS
because it was rather pointless (the new behavior has to be explicitly
requested by setting SSL_MODE_RELEASE_BUFFERS anyway).
2008-08-04 22:10:38 +00:00
Ben Laurie
8671b89860 Memory saving patch. 2008-06-03 02:48:34 +00:00
Dr. Stephen Henson
8164032a2e Fix warnings: computed value not use, incompatible pointer initialization
and cast from pointer to int of different size (linux-x86_64 and align).
2007-09-07 13:03:25 +00:00
Dr. Stephen Henson
81025661a9 Update ssl code to support digests other than MD5+SHA1 in handshake.
Submitted by: Victor B. Wagner <vitus@cryptocom.ru>
2007-08-31 12:42:53 +00:00
Dr. Stephen Henson
b948e2c59e Update ssl library to support EVP_PKEY MAC API. Include generic MAC support. 2007-06-04 17:04:40 +00:00
Bodo Möller
1e24b3a09e fix support for receiving fragmented handshake messages 2006-11-29 14:45:50 +00:00
Andy Polyakov
a4d64c7f49 Align data payload for better performance. 2006-10-20 11:26:00 +00:00
Dr. Stephen Henson
566dda07ba New option SSL_OP_NO_COMP to disable compression. New ctrls to set
maximum send fragment size. Allocate I/O buffers accordingly.
2005-10-08 00:18:53 +00:00
Dr. Stephen Henson
09b6c2ef15 Make OPENSSL_NO_COMP compile again. 2005-09-30 23:35:33 +00:00
Bodo Möller
fbeaa3c47d Update util/ck_errf.pl script, and have it run automatically
during "make errors" and thus during "make update".

Fix lots of bugs that util/ck_errf.pl can detect automatically.
Various others of these are still left to fix; that's why
"make update" will complain loudly when run now.
2005-05-09 00:27:37 +00:00
Nils Larsch
9e5790ce21 backport fix from the stable branch 2005-05-03 10:00:16 +00:00