Commit graph

1336 commits

Author SHA1 Message Date
Tim Hudson
6a60b41431 fix coverity issue 966597 - error line is not always initialised 2014-05-08 00:00:08 +01:00
Matt Caswell
90600a5e3b Fixed spelling error in error message. Fix supplied by Marcos Marado 2014-05-01 00:23:57 +01:00
Ben Laurie
725c5f1ad3 Fix use after free. 2014-04-23 07:33:17 +01:00
Ben Laurie
9c8dc84ac1 Fix double frees. 2014-04-22 17:02:37 +01:00
Steven M. Schweda
a74bee5fc7 VMS build fix #2. 2014-04-08 17:23:03 +01:00
Steven M. Schweda
55c9e24875 VMS build fix for older compilers. 2014-04-07 23:14:11 +01:00
Dr. Stephen Henson
96db9023b8 Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
2014-04-07 17:53:31 +01:00
Dr. Stephen Henson
51624dbdae Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
(cherry picked from commit cd6bd5ffda)

Conflicts:

	CHANGES
	ssl/tls1.h
2014-04-05 20:52:59 +01:00
Dr. Stephen Henson
e0660c6257 typo
(cherry picked from commit a029788b0e)
2014-03-10 15:48:43 +00:00
Dr. Stephen Henson
32171e4e07 Fix for WIN32 builds with KRB5
(cherry picked from commit 3eddd1706a30cdf3dc9278692d8ee9038eac8a0d)
2014-02-26 15:33:09 +00:00
Andy Polyakov
48e6edabed ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201
(cherry picked from commit 03da57fe14)
2014-02-25 22:24:24 +01:00
Dr. Stephen Henson
4a55631e4d Backport TLS padding extension from master.
(cherry picked from commit 8c6d8c2a49)

Conflicts:

	CHANGES
	ssl/t1_lib.c
2014-02-05 15:42:04 +00:00
Dr. Stephen Henson
9614d2c676 Check i before r[i].
PR#3244
2014-01-28 15:10:27 +00:00
Kaspar Brand
eb85ee9a88 Omit initial status request callback check.
PR#3178
2014-01-16 13:49:38 +00:00
Zoltan Arpadffy
fa2026dc88 VMS fixes 2014-01-11 22:42:37 +00:00
Dr. Stephen Henson
c0dd71c97c Fix warning
PR#3220
2014-01-08 13:36:27 +00:00
Dr. Stephen Henson
197e0ea817 Fix for TLS record tampering bug CVE-2013-4353 2014-01-06 14:35:04 +00:00
Dr. Stephen Henson
c776a3f398 make update 2014-01-06 13:33:27 +00:00
Dr. Stephen Henson
25c9fa6026 Restore SSL_OP_MSIE_SSLV2_RSA_PADDING
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d)
2014-01-04 14:00:44 +00:00
Dr. Stephen Henson
f3dcc8411e Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
2014-01-02 15:12:48 +00:00
Dr. Stephen Henson
34628967f1 Fix DTLS retransmission from previous session.
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
2013-12-20 23:12:18 +00:00
Dr. Stephen Henson
ca989269a2 Use version in SSL_METHOD not SSL structure.
When deciding whether to use TLS 1.2 PRF and record hash algorithms
use the version number in the corresponding SSL_METHOD structure
instead of the SSL structure. The SSL structure version is sometimes
inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449)
2013-12-19 21:04:28 +00:00
Dr. Stephen Henson
0294b2be5f Check EVP errors for handshake digests.
Partial mitigation of PR#3200
2013-12-18 13:26:10 +00:00
Dr. Stephen Henson
60df657b3a make update 2013-12-08 13:23:14 +00:00
Dr. Stephen Henson
ddfe486e4c Enable PSK in FIPS mode.
Enable PSK ciphersuites with AES or DES3 in FIPS mode.
(cherry picked from commit e0ffd129c1)
2013-11-06 14:40:01 +00:00
Robin Seggelmann
025f7dbdd1 DTLS/SCTP Finished Auth Bug
PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523adce)
(cherry picked from commit b9ef52b078)
2013-11-01 22:44:20 +00:00
Nick Mathewson
453ca706cc Fix another gmt_unix_time case in server_random 2013-10-20 15:14:40 -07:00
Dr. Stephen Henson
5e1ff664f9 Don't use RSA+MD5 with TLS 1.2
Since the TLS 1.2 supported signature algorithms extension is less
sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.

RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.

To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.
2013-10-20 12:23:27 +01:00
Ben Laurie
833a896681 More cleanup. 2013-10-19 12:37:15 +01:00
Ben Laurie
34e43b909f Cleanup. 2013-10-19 12:34:15 +01:00
Ben Laurie
62036c6fc3 Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1_0_1-stable 2013-10-19 11:46:32 +01:00
Nick Mathewson
2583270191 Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
(I'd rather use an option, but it appears that the options field is
full.)

Now, we send the time in the gmt_unix_time field if the appropriate
one of these mode options is set, but randomize the field if the flag
is not set.
2013-10-09 10:37:53 -04:00
Nick Mathewson
3da721dac9 Refactor {client,server}_random to call an intermediate function
I'll be using this to make an option for randomizing the time.
2013-10-09 10:28:42 -04:00
Nick Mathewson
f4c93b46ed Do not include a timestamp in the ServerHello Random field.
Instead, send random bytes.
2013-09-16 13:44:10 -04:00
Nick Mathewson
4af793036f Do not include a timestamp in the ClientHello Random field.
Instead, send random bytes.

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.
    * If the PRNG output is prone to repeat itself, ephemeral
    * handshakes (and who knows what else besides) are broken.
2013-09-16 13:44:10 -04:00
Rob Stradling
c9a6ddafc5 Tidy up comments. 2013-09-16 15:07:52 +01:00
Rob Stradling
f4a51970d2 Use TLS version supplied by client when fingerprinting Safari. 2013-09-16 15:07:52 +01:00
Rob Stradling
937f125efc Fix compilation with no-ec and/or no-tlsext. 2013-09-16 15:07:52 +01:00
Rob Stradling
4b61f6d2a6 Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-09-16 15:07:51 +01:00
Michael Tuexen
83a3af9f4e DTLS message_sequence number wrong in rehandshake ServerHello
This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.
(cherry picked from commit b62f4daac0)
2013-08-13 18:55:41 +01:00
Michael Tuexen
76bf0cf27c DTLS handshake fix.
Reported by: Prashant Jaikumar <rmstar@gmail.com>

Fix handling of application data received before a handshake.
(cherry picked from commit 0c75eeacd3)
2013-08-08 13:32:11 +01:00
Dr. Stephen Henson
0e9dd387ea Set s->d1 to NULL after freeing it.
(cherry picked from commit 04638f2fc3)
2013-04-08 18:40:28 +01:00
Dr. Stephen Henson
9c95ff968a Disable compression for DTLS.
The only standard compression method is stateful and is incompatible with
DTLS.
(cherry picked from commit e14b8410ca)
2013-03-19 13:47:29 +00:00
Michael Tuexen
3972dbe462 Avoid unnecessary fragmentation.
(cherry picked from commit 80ccc66d7e)
2013-03-18 14:33:09 +00:00
David Woodhouse
9fe4603b82 Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb22e)
2013-02-12 15:16:05 +00:00
Dr. Stephen Henson
147dbb2fe3 Fix for SSL_get_certificate
Now we set the current certificate to the one used by a server
there is no need to call ssl_get_server_send_cert which will
fail if we haven't sent a certificate yet.
2013-02-11 18:24:03 +00:00
Dr. Stephen Henson
cbf9b4aed3 Fix in ssltest is no-ssl2 configured 2013-02-11 18:17:50 +00:00
Andy Polyakov
0898147090 ssl/*: fix linking errors with no-srtp. 2013-02-09 19:52:07 +01:00
Andy Polyakov
4d8da30fc1 ssl/s3_[clnt|srvr].c: fix warnings. 2013-02-09 19:50:34 +01:00
Andy Polyakov
579f3a631e s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal.
(cherry picked from commit f93a41877d)
2013-02-08 21:37:07 +01:00