Commit graph

72 commits

Author SHA1 Message Date
Andy Polyakov
dd7e60bd70 ssl/*: revert "remove SSL_RECORD->orig_len" and merge "fix IV".
Revert is appropriate because binary compatibility is not an issue
in 1.1.
2013-02-08 10:20:48 +01:00
Andy Polyakov
2aec073a52 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 8bfd4c659f)
2013-02-06 14:19:10 +00:00
Ben Laurie
e33ac0e71d Update DTLS code to match CBC decoding in TLS.
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
(cherry picked from commit 9f27de170d)
2013-02-06 14:19:07 +00:00
Ben Laurie
93cab6b319 Don't crash when processing a zero-length, TLS >= 1.1 record.
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b7681)
2013-02-06 14:19:07 +00:00
Ben Laurie
2acc020b77 Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)
2013-02-06 14:19:07 +00:00
Dr. Stephen Henson
81f57e5a69 oops, typo 2012-08-28 23:19:25 +00:00
Dr. Stephen Henson
1cf218bcaa New compile time option OPENSSL_SSL_TRACE_CRYPTO, when set this passes
all derived keys to the message callback.

Add code to SSL_trace to include support for printing out keys.
2012-08-28 23:17:28 +00:00
Dr. Stephen Henson
27dfffd5b7 Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) 2012-01-04 23:16:15 +00:00
Dr. Stephen Henson
8f119a0357 set FIPS permitted flag before initalising digest 2011-05-31 16:24:19 +00:00
Dr. Stephen Henson
f37f20ffd3 PR: 2295
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2011-05-20 14:56:29 +00:00
Dr. Stephen Henson
086e32a6c7 Implement FIPS_mode and FIPS_mode_set 2011-05-19 18:09:02 +00:00
Dr. Stephen Henson
7409d7ad51 Initial incomplete TLS v1.2 support. New ciphersuites added, new version
checking added, SHA256 PRF support added.

At present only RSA key exchange ciphersuites work with TLS v1.2 as the
new signature format is not yet implemented.
2011-04-29 22:56:51 +00:00
Ben Laurie
c8bbd98a2b Fix warnings. 2010-06-12 14:13:23 +00:00
Dr. Stephen Henson
8711efb498 Updates from 1.0.0-stable branch. 2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
220bd84911 Updates from 1.0.0-stable 2009-04-06 15:22:01 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should
test for them!
2008-12-29 16:11:58 +00:00
Ben Laurie
85e878f224 Die earlier if hash is NULL. (Coverity IDs 137 & 138). 2008-12-29 11:54:56 +00:00
Ben Laurie
0e941da6fa Die earlier if we have no hash function. 2008-12-29 11:46:44 +00:00
Ben Laurie
6ba71a7173 Handle the unlikely event that BIO_get_mem_data() returns -ve. 2008-12-27 02:00:38 +00:00
Dr. Stephen Henson
8164032a2e Fix warnings: computed value not use, incompatible pointer initialization
and cast from pointer to int of different size (linux-x86_64 and align).
2007-09-07 13:03:25 +00:00
Dr. Stephen Henson
81025661a9 Update ssl code to support digests other than MD5+SHA1 in handshake.
Submitted by: Victor B. Wagner <vitus@cryptocom.ru>
2007-08-31 12:42:53 +00:00
Dr. Stephen Henson
b948e2c59e Update ssl library to support EVP_PKEY MAC API. Include generic MAC support. 2007-06-04 17:04:40 +00:00
Bodo Möller
52b8dad8ec Reorganize the data used for SSL ciphersuite pattern matching.
This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).

In some cases the ciphersuite list generated from a given string is
affected by this change.  I hope this is just in those cases where the
previous behaviour did not make sense.
2007-02-17 06:45:38 +00:00
Nils Larsch
cc684e330b ensure that the EVP_CIPHER_CTX object is initialized
PR: 1490
2007-02-16 20:34:15 +00:00
Nils Larsch
ddac197404 add initial support for RFC 4279 PSK SSL ciphersuites
PR: 1191
Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
Reviewed by: Nils Larsch
2006-03-10 23:06:27 +00:00
Bodo Möller
d32f888db1 prepare for additional RFC3546 alerts 2006-01-07 20:33:16 +00:00
Bodo Möller
f7914dbf9a make sure that the unrecognized_name alert actually gets sent
Submitted by: Peter Sylvester
2006-01-07 20:29:50 +00:00
Dr. Stephen Henson
d08b6b44ba Fix compilation without OPENSSL_NO_COMP :-) 2005-10-01 00:40:34 +00:00
Dr. Stephen Henson
09b6c2ef15 Make OPENSSL_NO_COMP compile again. 2005-09-30 23:35:33 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00
Geoff Thorpe
d8ec0dcf45 Avoid some shadowed variable names.
Submitted by: Nils Larsch
2003-11-04 00:51:32 +00:00
Geoff Thorpe
2754597013 A general spring-cleaning (in autumn) to fix up signed/unsigned warnings.
I have tried to convert 'len' type variable declarations to unsigned as a
means to address these warnings when appropriate, but when in doubt I have
used casts in the comparisons instead. The better solution (that would get
us all lynched by API users) would be to go through and convert all the
function prototypes and structure definitions to use unsigned variables
except when signed is necessary. The proliferation of (signed) "int" for
strictly non-negative uses is unfortunate.
2003-10-29 20:24:15 +00:00
Bodo Möller
ea513641d0 comments 2003-02-12 14:17:41 +00:00
Richard Levitte
4579924b7e Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Lutz Jänicke
7b63c0fa8c Reorder inclusion of header files:
des_old.h redefines crypt:
#define crypt(b,s)\
        DES_crypt((b),(s))

This scheme leads to failure, if header files with the OS's true definition
of crypt() are processed _after_ des_old.h was processed. This is e.g. the
case on HP-UX with unistd.h.
As evp.h now again includes des.h (which includes des_old.h), this problem
only came up after this modification.
Solution: move header files (indirectly) including e_os.h before the header
files (indirectly) including evp.h.
Submitted by:
Reviewed by:
PR:
2002-07-10 07:01:54 +00:00
Bodo Möller
d1d0be3cd2 emtpy fragments are not necessary for SSL_eNULL
(but noone uses it anyway)

fix t1_enc.c: use OPENSSL_NO_RC4, not NO_RC4
2002-07-09 08:49:09 +00:00
Bodo Möller
c21506ba02 New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling CBC
vulnerability workaround (included in SSL_OP_ALL).

PR: #90
2002-06-14 12:21:11 +00:00
Bodo Möller
82b0bf0b87 Implement known-IV countermeasure.
Fix length checks in ssl3_get_client_hello().

Use s->s3->in_read_app_data differently to fix ssl3_read_internal().
2002-04-13 22:47:20 +00:00
Bodo Möller
287973746e Fix memory leak. 2001-10-22 13:59:36 +00:00
Dr. Stephen Henson
581f1c8494 Modify EVP cipher behaviour in a similar way
to digests to retain compatibility.
2001-10-17 00:37:12 +00:00
Dr. Stephen Henson
20d2186c87 Retain compatibility of EVP_DigestInit() and EVP_DigestFinal()
with existing code.

Modify library to use digest *_ex() functions.
2001-10-16 01:24:29 +00:00
Bodo Möller
965b6dad44 comment 2001-09-24 07:56:45 +00:00
Bodo Möller
ee60d9fb28 Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
reveal whether illegal block cipher padding was found or a MAC
verification error occured.

In ssl/s2_pkt.c, verify that the purported number of padding bytes is in
the legal range.
2001-09-20 18:35:52 +00:00
Ben Laurie
dbad169019 Really add the EVP and all of the DES changes. 2001-07-30 23:57:25 +00:00
Dr. Stephen Henson
323f289c48 Change all calls to low level digest routines in the library and
applications to use EVP. Add missing calls to HMAC_cleanup() and
don't assume HMAC_CTX can be copied using memcpy().

Note: this is almost identical to the patch submitted to openssl-dev
by Verdon Walker <VWalker@novell.com> except some redundant
EVP_add_digest_()/EVP_cleanup() calls were removed and some changes
made to avoid compiler warnings.
2001-06-19 22:30:40 +00:00
Bodo Möller
285b42756a pay attention to blocksize before attempting decryption 2001-06-15 18:05:09 +00:00
Richard Levitte
44e48abc44 Use memmove() instead of memcpy() on areas that may overlap.
Spotted by Nalin Dahyabhai <nalin@redhat.com>
2001-06-07 04:42:34 +00:00
Bodo Möller
027e257b1d Avoid assert() in the library. 2001-04-08 13:47:51 +00:00
Richard Levitte
42748c084e Resize a local buffer to accomodate the size requirements of AES.
Protect against future mistakes with an assert().
2001-04-08 05:41:42 +00:00