Commit graph

12466 commits

Author SHA1 Message Date
Samuel Neves
d2fa182988 Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-28 20:40:45 +01:00
Emilia Kasper
d663df2399 Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-10-28 17:35:59 +01:00
Emilia Kasper
49b0dfc502 Add missing CHANGES interval [1.0.1h, 1.0.1i]
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-27 19:53:21 +01:00
Emilia Kasper
18a2d293f1 Sync CHANGES
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-27 17:51:34 +01:00
Emilia Kasper
fd28a41ec8 Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-10-27 16:25:17 +01:00
Dr. Stephen Henson
14e14bf696 Copy negotiated parameters in SSL_set_SSL_CTX.
SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-24 13:46:37 +01:00
Dr. Stephen Henson
c800c27a8c Process signature algorithms in ClientHello late.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-24 13:46:37 +01:00
Andy Polyakov
3ff08e1dde ecp_nistz256 update.
Facilitate switch to custom scatter-gather routines. This modification
does not change algorithms, only makes it possible to implement
alternative. This is achieved by a) moving precompute table to assembly
(perlasm parses ecp_nistz256_table.c and is free to rearrange data to
match gathering algorithm); b) adhering to explicit scatter subroutine
(which for now is simply a memcpy). First implementations that will use
this option are 32-bit assembly implementations, ARMv4 and x86, where
equivalent of current read-whole-table-select-single-value algorithm
is too time-consuming. [On side note, switching to scatter-gather on
x86_64 would allow to improve server-side ECDSA performance by ~5%].

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-10-23 16:08:44 +02:00
Andy Polyakov
b06f7d9ac0 Configure: add ios64 target.
Reviewed-by: Steve Marquess <marquess@openssl.org>
2014-10-23 16:04:01 +02:00
Andy Polyakov
9f4bd9d5f9 Add missing credit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-22 09:35:51 +02:00
Bodo Moeller
98f1ac7df5 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:43:08 +02:00
Bodo Moeller
8cb30232ed When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-21 22:24:42 +02:00
Kurt Roeckx
392fa7a952 Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-21 20:45:15 +02:00
Tim Hudson
c882abd522 no-ssl2 with no-ssl3 does not mean drop the ssl lib
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-10-20 15:12:17 +10:00
Kurt Cancemi
87d388c955 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
2014-10-17 11:41:39 +02:00
Tim Hudson
c6e9b39ce8 Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	crypto/Makefile
2014-10-15 17:00:06 +02:00
Richard Levitte
7f09a8773b Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	crypto/evp/evp_enc.c
	crypto/rsa/rsa_oaep.c
	crypto/rsa/rsa_pk1.c
2014-10-15 17:00:06 +02:00
Matt Caswell
ed13270d2e Updates to NEWS file
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-10-15 08:56:16 -04:00
Matt Caswell
53afbe12ba Updates CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-10-15 08:56:16 -04:00
Geoff Thorpe
62f45cc27d Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:56:16 -04:00
Dr. Stephen Henson
7482705548 Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-10-15 08:56:16 -04:00
Matt Caswell
3dd814ac4d Fix SRTP compile issues for windows
Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	util/mkdef.pl
	util/ssleay.num
2014-10-15 08:56:16 -04:00
Matt Caswell
e659eff2c0 Fix for SRTP Memory Leak
CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:56:16 -04:00
Bodo Moeller
0b382a8e8d Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:48:14 +02:00
Andy Polyakov
69d5747f90 aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.
RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-15 11:10:08 +02:00
Bodo Moeller
fb0e87fb67 Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 10:43:50 +02:00
Bodo Moeller
cf6da05304 Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:03:28 +02:00
Dr. Stephen Henson
ffa08b3242 Remove reference to deleted md4.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-10-11 13:37:44 +01:00
Dr. Stephen Henson
f3014206a2 Disable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-10 13:23:29 +01:00
Matt Caswell
e0fdea3e49 Removed duplicate definition of PKCS7_type_is_encrypted
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-06 23:42:13 +01:00
Ben Laurie
71614df485 Fix single makefile.
Reviewed-by: Geoffrey Thorpe <geoff@geoffthorpe.net>
2014-10-06 18:07:55 +01:00
Rich Salz
5aed169305 RT3462: Document actions when data==NULL
If data is NULL, return the size needed to hold the
derived key.  No other API to do this, so document
the behavior.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-10-03 10:39:00 -04:00
Bodo Moeller
429a25b97d DTLS 1.2 support has been added to 1.0.2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-02 17:56:40 +02:00
Andy Polyakov
ae4af7a067 crypto/cast/asm/cast-586.pl: +5% on PIII and remove obsolete readme.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-01 23:59:14 +02:00
Rich Salz
df8c39d522 RT3549: Remove obsolete files in crypto
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-10-01 16:05:47 -04:00
Rich Salz
d5f34443ad RT2910: Remove des.c and its Makefile target
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-30 16:44:10 -04:00
Rich Salz
9208640a36 RT2309: Fix podpage MMNNFFPPS->MNNFFPPS
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-09-30 16:31:11 -04:00
Dr. Stephen Henson
4b6dee2b14 Parse custom extensions after internal extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-30 20:10:50 +01:00
Andy Polyakov
55c7a4cf11 e_os.h: refine inline override logic (to address warnings in debug build).
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-09-30 21:05:33 +02:00
Andy Polyakov
323154be33 crypto/bn/bn_nist.c: bring original failing code back for reference.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-09-30 21:00:44 +02:00
Dr. Stephen Henson
7c4776251e Add additional explanation to CHANGES entry.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:25:10 +01:00
Dr. Stephen Henson
1cfd255c91 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:01:05 +01:00
Rich Salz
3d81ec5b92 Remove #ifdef's for IRIX_CC_BUG
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-25 14:43:24 -04:00
Rich Salz
008bef521c RT3544: Must update TABLE after Configure change
Also add comment to Configure reminding people to do that.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-25 13:18:22 -04:00
Emilia Kasper
fdc35a9d3e Add missing tests
Accidentally omitted from commit 455b65dfab

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-09-25 13:46:08 +02:00
Dr. Stephen Henson
5886354dcc Use correct function name: CMS_add1_signer()
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-09-25 00:03:27 +01:00
Andy Polyakov
8b07c005fe crypto/bn/bn_nist.c: work around MSC ARM compiler bug.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-09-25 00:42:26 +02:00
Andy Polyakov
40155f4089 e_os.h: allow inline functions to be compiled by legacy compilers.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-09-25 00:32:56 +02:00
Rich Salz
92c7846372 RT3544: Remove MWERKS support
The following #ifdef tests were all removed:
	__MWERKS__
	MAC_OS_pre_X
	MAC_OS_GUSI_SOURCE
	MAC_OS_pre_X
	OPENSSL_SYS_MACINTOSH_CLASSIC
	OPENSSL_SYS_MACOSX_RHAPSODY

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-24 18:07:29 -04:00
Emilia Kasper
4aac102f75 RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-24 16:19:18 +02:00