Commit graph

1599 commits

Author SHA1 Message Date
Matt Caswell
6579603874 Only use the fallback mtu after 2 unsuccessful retransmissions if it is less
than the mtu we are already using

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 047f21593e)
2014-12-03 09:35:25 +00:00
Matt Caswell
3242e5938b If we really get a situation where the underlying mtu is less than the minimum
we will support then dtls1_do_write can go into an infinite loop. This commit
fixes that.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d3d9eef316)
2014-12-03 09:35:24 +00:00
Matt Caswell
35384e8e5b Fix dtls_query_mtu so that it will always either complete with an mtu that is
at least the minimum or it will fail.
There were some instances in dtls1_query_mtu where the final mtu can end up
being less than the minimum, i.e. where the user has set an mtu manually. This
shouldn't be allowed. Also remove dtls1_guess_mtu that, despite having
logic for guessing an mtu, was actually only ever used to work out the minimum
mtu to use.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1620a2e49c)
2014-12-03 09:35:24 +00:00
Matt Caswell
4c21e004a3 Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP)
and instead use the value provided by the underlying BIO. Also provide some
new DTLS_CTRLs so that the library user can set the mtu without needing to
know this constant. These new DTLS_CTRLs provide the capability to set the
link level mtu to be used (i.e. including this IP/UDP overhead). The previous
DTLS_CTRLs required the library user to subtract this overhead first.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 59669b6abf)

Conflicts:
	ssl/d1_both.c
	ssl/ssl_lib.c
2014-12-03 09:35:23 +00:00
Matt Caswell
43e569921e The first call to query the mtu in dtls1_do_write correctly checks that the
mtu that we have received is not less than the minimum. If its less it uses the
minimum instead. The second call to query the mtu does not do that, but
instead uses whatever comes back. We have seen an instance in RT#3592 where we
have got an unreasonably small mtu come back. This commit makes both query
checks consistent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6abb0d1f8e)
2014-12-03 09:32:48 +00:00
Matt Caswell
8aaeec9f9a The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 001235778a)
2014-12-03 09:32:48 +00:00
Matt Caswell
8454d3f924 Verify that we have a sensible message len and fail if not
RT#3592 provides an instance where the OPENSSL_assert that this commit
replaces can be hit. I was able to recreate this issue by forcing the
underlying BIO to misbehave and come back with very small mtu values. This
happens the second time around the while loop after we have detected that the
MTU has been exceeded following the call to dtls1_write_bytes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit cf75017bfd)
2014-12-03 09:32:48 +00:00
Richard Levitte
14e9a78d47 [PR3597] Advance to the next state variant when reusing messages.
Previously, state variant was not advanced, which resulted in state
being stuck in the st1 variant (usually "_A").

This broke certificate callback retry logic when accepting connections
that were using SSLv2 ClientHello (hence reusing the message), because
their state never advanced to SSL3_ST_SR_CLNT_HELLO_C variant required
for the retry code path.

Reported by Yichun Zhang (agentzh).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-28 23:31:45 +01:00
Matt Caswell
2db95e094d Fixed warning in ssl2_enc
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:53:44 +00:00
Matt Caswell
5fc8bb6ab7 Check EVP_Cipher return values for SSL2
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:53:27 +00:00
Matt Caswell
244d0955ad Add checks to the return value of EVP_Cipher to prevent silent encryption failure.
PR#1767

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:53:02 +00:00
Matt Caswell
061e68c554 Remove redundant checks in ssl_cert_dup. This was causing spurious error messages when using GOST
PR#3613

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fc3968a25c)
2014-11-27 20:53:58 +00:00
Matt Caswell
2184a14b62 Add include of ssl.h which is required by srtp.h
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit f67203836c)
2014-11-27 13:19:23 +00:00
Matt Caswell
2e84084fbc Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask
PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8a35dbb6d8)
2014-11-26 10:14:13 +00:00
Matt Caswell
26f9cfbdca Corrected comments in ssl.h about SSLv23_method and friends
PR#3574

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 3a0765882c)
2014-11-25 22:25:18 +00:00
David Benjamin
7fc5f4f117 Do not resume a session if the negotiated protocol version does not match
the session's version (server).

See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 9e189b9dc1)
2014-11-20 16:31:42 +01:00
Emilia Kasper
249a3e362f Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede)

Conflicts:
	CHANGES
	ssl/s3_srvr.c
2014-11-20 15:32:08 +01:00
Emilia Kasper
15d717f574 Always require an advertised NewSessionTicket message.
The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit de2c7504eb)

Conflicts:
	CHANGES
2014-11-20 15:29:17 +01:00
Emilia Kasper
b8712b2b9a Remove ssl3_check_finished.
The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.

An equivalent change was independently made in BoringSSL, see commit
407886f589cf2dbaed82db0a44173036c3bc3317.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 980bc1ec61)

Conflicts:
	ssl/d1_clnt.c
	ssl/s3_clnt.c
2014-11-20 15:26:26 +01:00
Emilia Kasper
1eaccbef57 Set s->hit when resuming from external pre-shared secret.
The same change was independently made in BoringSSL, see commit
9eaeef81fa2d4fd6246dc02b6203fa936a5eaf67

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b3ba508af)
2014-11-20 15:20:17 +01:00
Emilia Kasper
e2f69f5ce7 Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit a06cd5d056)
2014-11-20 15:20:16 +01:00
Dr. Stephen Henson
821bee4333 New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 3881d8106d)

Conflicts:
	util/mkdef.pl
2014-11-19 22:57:51 +00:00
Matt Caswell
8b6205c484 Added OPENSSL_NO_EC2M guards around the preferred EC curve list
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:15:28 +00:00
Emilia Kasper
9bdedec0cf Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df2399)

Conflicts:
	CHANGES
2014-10-28 17:41:49 +01:00
Emilia Kasper
f63fa8b10a Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit fd28a41ec8)

Conflicts:
	ssl/ssltest.c
2014-10-27 16:36:19 +01:00
Bodo Moeller
d47aebbb47 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:40:41 +02:00
Bodo Moeller
08931f1cd6 When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-21 22:32:30 +02:00
Kurt Roeckx
6ce9687b5a Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a952)
2014-10-21 21:08:14 +02:00
Geoff Thorpe
26a59d9b46 Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:51:50 -04:00
Dr. Stephen Henson
7fd4ce6a99 Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5dc6070a03779cd524f0e67f76c945cb0ac38320)
2014-10-15 08:51:50 -04:00
Matt Caswell
d9d09a8d0f Fix SRTP compile issues for windows
Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:51:50 -04:00
Matt Caswell
2b0532f398 Fix for SRTP Memory Leak
CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an origi
issue and patch developed by the LibreSSL project. Further analysis of the i
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:51:49 -04:00
Richard Levitte
f79bb32926 Spaces were added in some strings for better readability. However, those spaces do not belong in file names, so when picking out the individual parts, remove the spaces
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:24 +02:00
Richard Levitte
7a3809fd97 Adjust VMS build to Unix build. Most of all, make it so the disabled
algorithms MD2 and RC5 don't get built.
Also, disable building the test apps in crypto/des and crypto/pkcs7, as
they have no support at all.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:08 +02:00
Richard Levitte
fc586d2955 Update the VMS build according to the latest unixly build. Partly provided by Zoltan Arpadffy <arpadffy@polarhome.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:48:32 +02:00
Richard Levitte
17d45dec4d Make sure that disabling the MAYLOSEDATA3 warning is only done when the compiler supports it. Otherwise, there are warnings about it lacking everywhere, which is quite tedious to read through while trying to check for other warnings.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:47:12 +02:00
Bodo Moeller
6bfe55380a Support TLS_FALLBACK_SCSV.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 04:05:42 +02:00
Dr. Stephen Henson
4e05aedbca Preserve digests for SNI.
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

PR: 3560
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-10 23:21:14 +01:00
Emilia Kasper
8d507aee7c RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)
2014-09-24 15:52:41 +02:00
Adam Langley
133145686e This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.

(cherry picked from commit adb46dbc6d)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-24 15:46:26 +02:00
Emilia Kasper
0f04b004ac RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:17:41 +02:00
Tim Hudson
81e3a6055c Fixed error introduced in commit f2be92b94d
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff9)
2014-09-22 06:34:25 +10:00
Erik Auerswald
b537ea9ce4 RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e)
2014-09-08 11:23:10 -04:00
Adam Langley
13ce52be1b psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732)
2014-09-05 12:22:50 +02:00
Emilia Kasper
e7169a5835 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 9a9b0c0401)

Conflicts:
	test/Makefile
2014-08-28 17:07:07 +02:00
Adam Langley
391f3b5708 RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82f)
2014-08-22 15:53:14 +02:00
Matt Caswell
0ed8e95c4b Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Conflicts:
	ssl/s3_clnt.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:29:28 +01:00
Dr. Stephen Henson
03ebf85f77 Fix SRP ciphersuites.
Add patch missed from backport of SRP ciphersuite fix.
PR#3490
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-12 20:42:27 +01:00
Dr. Stephen Henson
30fbe92c78 Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)

Conflicts:

	ssl/s3_clnt.c
	ssl/s3_lib.c
2014-08-09 00:13:27 +01:00
Dr. Stephen Henson
d15d17bb64 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
83764a989d Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Gabor Tyukasz
86788e1ee6 Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Käsper
88ae012c80 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
David Benjamin
fc4f4cdb8b Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
4e0fbdc4ec Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
0c37aed3f3 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
099ccdb808 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
9871417fb7 Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
fc7804ec39 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
e7b9d9be48 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
2172d4f63c Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
c34091d47e make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01 21:23:49 +01:00
Dr. Stephen Henson
36e8c39899 Add conditional unit testing interface.
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit e0fc7961c4)

Conflicts:

	ssl/Makefile
	util/mkdef.pl
2014-07-24 19:43:25 +01:00
Dr. Stephen Henson
67bde7d465 Fix DTLS certificate requesting code.
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc5f)
2014-07-15 18:23:44 +01:00
Dr. Stephen Henson
2054eb771e Add ECC extensions with DTLS.
PR#3449
2014-07-15 12:20:30 +01:00
Dr. Stephen Henson
ee5a8d3e31 Use more common name for GOST key exchange.
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)
2014-07-14 18:31:54 +01:00
Peter Mosmans
704422ce1e Add names of GOST algorithms.
PR#3440
(cherry picked from commit 924e5eda2c)
2014-07-13 18:31:36 +01:00
Dr. Stephen Henson
c923132e9d Don't limit message sizes in ssl3_get_cert_verify.
PR#319 (reoponed version).
(cherry picked from commit 7f6e957864)
2014-07-05 13:30:55 +01:00
Thijs Alkemade
b2cb6dc1ef Make disabling last cipher work.
(cherry picked from commit 7cb472bd0d)
2014-07-02 03:32:50 +01:00
Ben Laurie
2db3ea2929 Fix possible buffer overrun. 2014-07-01 23:39:17 +01:00
Dr. Stephen Henson
295befec25 Fix memory leak.
PR#2531
(cherry picked from commit 44724beead)
2014-06-29 13:52:03 +01:00
Dr. Stephen Henson
d8b11e75cb Don't disable state strings with no-ssl2
Some state strings were erronously not compiled when no-ssl2
was set.

PR#3295
(cherry picked from commit 0518a3e19e)
2014-06-28 00:56:42 +01:00
yogesh nagarkar
0df7959d43 Fix compilation with -DSSL_DEBUG -DTLS_DEBUG -DKSSL_DEBUG
PR#3141
(cherry picked from commit d183545d45)
2014-06-28 00:41:49 +01:00
Ken Ballou
6daba1dc6a Remove redundant check.
PR#3174
(cherry picked from commit fd331c0bb9b557903dd2ce88398570a3327b5ef0)
2014-06-27 23:18:21 +01:00
Tomas Mraz
cf0156622a Don't advertise ECC ciphersuits in SSLv2 compatible client hello.
PR#3374
(cherry picked from commit 0436369fcc)
2014-06-27 16:52:05 +01:00
Miod Vallat
ad212c1ed1 Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

Bug discovered and fixed by Miod Vallat from the OpenBSD team.

PR#3375
2014-06-22 23:20:39 +01:00
Matt Caswell
e1bce59fd3 Revert "Fix off-by-one errors in ssl_cipher_get_evp()"
This reverts commit 29411a0c7a.

Incorrect attribution.
2014-06-22 23:20:19 +01:00
Dr. Stephen Henson
9beb75d3c4 Accept CCS after sending finished.
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.

PR#3400
(cherry picked from commit 99cd6a91fcb0931feaebbb4832681d40a66fad41)
2014-06-14 22:26:10 +01:00
Matt Caswell
042ef467ee Fixed incorrect return code handling in ssl3_final_finish_mac.
Based on an original patch by Joel Sing (OpenBSD) who also originally identified the issue.
2014-06-13 15:53:29 +01:00
Matt Caswell
01736e6c41 Revert "Fixed incorrect return code handling in ssl3_final_finish_mac"
This reverts commit 9ab788aa23.

Missing attribution
2014-06-13 15:53:08 +01:00
Kurt Cancemi
29411a0c7a Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

PR#3375
2014-06-12 21:15:54 +01:00
Matt Caswell
9ab788aa23 Fixed incorrect return code handling in ssl3_final_finish_mac 2014-06-10 23:28:10 +01:00
Mike Bland
5a0d057e49 Create test/testutil.h for unit test helper macros
Defines SETUP_TEST_FIXTURE and EXECUTE_TEST, and updates ssl/heartbeat_test.c
using these macros. SETUP_TEST_FIXTURE makes use of the new TEST_CASE_NAME
macro, defined to use __func__ or __FUNCTION__ on platforms that support those
symbols, or to use the file name and line number otherwise. This should fix
several reported build problems related to lack of C99 support.
2014-06-10 19:27:45 +01:00
Dr. Stephen Henson
aa59369b4c Fix null pointer errors.
PR#3394
(cherry picked from commit 7a9d59c148)
2014-06-10 14:48:07 +01:00
Dr. Stephen Henson
18c7f2fce8 SRP ciphersuite correction.
SRP ciphersuites do not have no authentication. They have authentication
based on SRP. Add new SRP authentication flag and cipher string.
(cherry picked from commit a86b88acc373ac1fb0ca709a5fb8a8fa74683f67)
2014-06-09 12:09:49 +01:00
Dr. Stephen Henson
6a8d6f039a Update strength_bits for 3DES.
Fix strength_bits to 112 for 3DES.
(cherry picked from commit 837c203719205ab19b5609b2df7151be8df05687)
2014-06-09 12:09:49 +01:00
Dr. Stephen Henson
0d4d2e02eb Make tls_session_secret_cb work with CVE-2014-0224 fix.
If application uses tls_session_secret_cb for session resumption
set the CCS_OK flag.
(cherry picked from commit 953c592572e8811b7956cc09fbd8e98037068b58)
2014-06-07 15:27:21 +01:00
Dr. Stephen Henson
8011cd56e3 Fix CVE-2014-3470
Check session_cert is not NULL before dereferencing it.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
d3152655d5 Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
006cd7083f Additional CVE-2014-0224 protection.
Return a fatal error if an attempt is made to use a zero length
master secret.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
bc8923b1ec Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
1632ef7448 Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.
2014-06-05 09:04:27 +01:00
David Benjamin
ebda73f867 Check there is enough room for extension.
(cherry picked from commit 7d89b3bf42e4b4067371ab33ef7631434e41d1e4)
2014-06-02 19:00:02 +01:00
zhu qun-ying
bcc311668e Free up s->d1->buffered_app_data.q properly.
PR#3286
(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)
2014-06-02 14:40:18 +01:00
Sami Farin
1dd26414df Typo: set i to -1 before goto.
PR#3302
(cherry picked from commit 9717f01951f976f76dd40a38d9fc7307057fa4c4)
2014-06-02 14:22:06 +01:00
Matt Caswell
056389eb1c Added SSLErr call for internal error in dtls1_buffer_record 2014-06-01 21:38:01 +01:00
David Ramos
a07856a08d Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362 2014-06-01 21:37:47 +01:00
Dr. Stephen Henson
aaed77c55e Option to disable padding extension.
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.

This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.

PR#3336
2014-06-01 16:50:37 +01:00
David Ramos
673c42b238 Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361
2014-06-01 14:30:10 +01:00
Dr. Stephen Henson
28e117f49f Use correct digest when exporting keying material.
PR#3319
(cherry picked from commit 84691390eae86befd33c83721dacedb539ae34e6)
2014-05-31 13:43:01 +01:00
Dr. Stephen Henson
46bfc05480 Don't compile heartbeat test code on Windows (for now).
(cherry picked from commit 2c575907d2c8601a18716f718ce309ed4e1f1783)
2014-05-31 13:43:01 +01:00
Matt Caswell
8ca7d12430 Fixed Windows compilation failure 2014-05-27 00:26:55 +01:00
Matt Caswell
a6f5b991eb Fix for non compilation with TLS_DEBUG defined 2014-05-24 23:56:58 +01:00
Mike Bland
756587dcb9 Fix heartbeat_test for -DOPENSSL_NO_HEARTBEATS
Replaces the entire test with a trivial implementation when
OPENSSL_NO_HEARTBEATS is defined.
2014-05-22 22:05:26 +01:00
Dr. Stephen Henson
4519e7b839 For portability use BUF_strndup instead of strndup.
(cherry picked from commit dcca7b13e9)
2014-05-20 11:23:23 +01:00
Mike Bland
ab0d964259 Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(based on commit 35cb55988b75573105eefd00d27d0138eebe40b1)
2014-05-19 18:23:24 +01:00
Ben Laurie
dac3654e2d Allow the maximum value. 2014-05-19 18:21:39 +01:00
Ben Laurie
989d87cb1a Fix signed/unsigned warning. 2014-05-19 18:20:54 +01:00
Kurt Roeckx
69526a354d Check sk_SSL_CIPHER_num() after assigning sk. 2014-05-12 23:01:06 +01:00
Serguei E. Leontiev
2223317bef Replace manual ASN1 decoder with ASN1_get_object
Replace manual ASN.1 decoder with ASN1_get object. This
will decode the tag and length properly and check against
it does not exceed the supplied buffer length.

PR#3335
(cherry picked from commit b0308dddd1cc6a8e1de803ef29ba6da25ee072c2)
2014-05-12 18:41:50 +01:00
Matt Caswell
b107586c0c Fixed NULL pointer dereference. See PR#3321 2014-05-12 00:43:33 +01:00
Günther Noack
15c1ac03c8 Avoid out-of-bounds write in SSL_get_shared_ciphers
PR: 3317
2014-05-11 23:57:14 +01:00
Tim Hudson
4d8cca8a7e safety check to ensure we dont send out beyond the users buffer 2014-05-11 13:29:59 +01:00
Tim Hudson
6a60b41431 fix coverity issue 966597 - error line is not always initialised 2014-05-08 00:00:08 +01:00
Matt Caswell
90600a5e3b Fixed spelling error in error message. Fix supplied by Marcos Marado 2014-05-01 00:23:57 +01:00
Ben Laurie
725c5f1ad3 Fix use after free. 2014-04-23 07:33:17 +01:00
Ben Laurie
9c8dc84ac1 Fix double frees. 2014-04-22 17:02:37 +01:00
Steven M. Schweda
a74bee5fc7 VMS build fix #2. 2014-04-08 17:23:03 +01:00
Steven M. Schweda
55c9e24875 VMS build fix for older compilers. 2014-04-07 23:14:11 +01:00
Dr. Stephen Henson
96db9023b8 Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
2014-04-07 17:53:31 +01:00
Dr. Stephen Henson
51624dbdae Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
(cherry picked from commit cd6bd5ffda)

Conflicts:

	CHANGES
	ssl/tls1.h
2014-04-05 20:52:59 +01:00
Dr. Stephen Henson
e0660c6257 typo
(cherry picked from commit a029788b0e)
2014-03-10 15:48:43 +00:00
Dr. Stephen Henson
32171e4e07 Fix for WIN32 builds with KRB5
(cherry picked from commit 3eddd1706a30cdf3dc9278692d8ee9038eac8a0d)
2014-02-26 15:33:09 +00:00
Andy Polyakov
48e6edabed ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201
(cherry picked from commit 03da57fe14)
2014-02-25 22:24:24 +01:00
Dr. Stephen Henson
4a55631e4d Backport TLS padding extension from master.
(cherry picked from commit 8c6d8c2a49)

Conflicts:

	CHANGES
	ssl/t1_lib.c
2014-02-05 15:42:04 +00:00
Dr. Stephen Henson
9614d2c676 Check i before r[i].
PR#3244
2014-01-28 15:10:27 +00:00
Kaspar Brand
eb85ee9a88 Omit initial status request callback check.
PR#3178
2014-01-16 13:49:38 +00:00
Zoltan Arpadffy
fa2026dc88 VMS fixes 2014-01-11 22:42:37 +00:00
Dr. Stephen Henson
c0dd71c97c Fix warning
PR#3220
2014-01-08 13:36:27 +00:00
Dr. Stephen Henson
197e0ea817 Fix for TLS record tampering bug CVE-2013-4353 2014-01-06 14:35:04 +00:00
Dr. Stephen Henson
c776a3f398 make update 2014-01-06 13:33:27 +00:00
Dr. Stephen Henson
25c9fa6026 Restore SSL_OP_MSIE_SSLV2_RSA_PADDING
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d)
2014-01-04 14:00:44 +00:00
Dr. Stephen Henson
f3dcc8411e Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
2014-01-02 15:12:48 +00:00
Dr. Stephen Henson
34628967f1 Fix DTLS retransmission from previous session.
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
2013-12-20 23:12:18 +00:00
Dr. Stephen Henson
ca989269a2 Use version in SSL_METHOD not SSL structure.
When deciding whether to use TLS 1.2 PRF and record hash algorithms
use the version number in the corresponding SSL_METHOD structure
instead of the SSL structure. The SSL structure version is sometimes
inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449)
2013-12-19 21:04:28 +00:00
Dr. Stephen Henson
0294b2be5f Check EVP errors for handshake digests.
Partial mitigation of PR#3200
2013-12-18 13:26:10 +00:00
Dr. Stephen Henson
60df657b3a make update 2013-12-08 13:23:14 +00:00
Dr. Stephen Henson
ddfe486e4c Enable PSK in FIPS mode.
Enable PSK ciphersuites with AES or DES3 in FIPS mode.
(cherry picked from commit e0ffd129c1)
2013-11-06 14:40:01 +00:00
Robin Seggelmann
025f7dbdd1 DTLS/SCTP Finished Auth Bug
PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523adce)
(cherry picked from commit b9ef52b078)
2013-11-01 22:44:20 +00:00
Nick Mathewson
453ca706cc Fix another gmt_unix_time case in server_random 2013-10-20 15:14:40 -07:00
Dr. Stephen Henson
5e1ff664f9 Don't use RSA+MD5 with TLS 1.2
Since the TLS 1.2 supported signature algorithms extension is less
sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.

RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.

To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.
2013-10-20 12:23:27 +01:00
Ben Laurie
833a896681 More cleanup. 2013-10-19 12:37:15 +01:00
Ben Laurie
34e43b909f Cleanup. 2013-10-19 12:34:15 +01:00
Ben Laurie
62036c6fc3 Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1_0_1-stable 2013-10-19 11:46:32 +01:00
Nick Mathewson
2583270191 Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
(I'd rather use an option, but it appears that the options field is
full.)

Now, we send the time in the gmt_unix_time field if the appropriate
one of these mode options is set, but randomize the field if the flag
is not set.
2013-10-09 10:37:53 -04:00
Nick Mathewson
3da721dac9 Refactor {client,server}_random to call an intermediate function
I'll be using this to make an option for randomizing the time.
2013-10-09 10:28:42 -04:00
Nick Mathewson
f4c93b46ed Do not include a timestamp in the ServerHello Random field.
Instead, send random bytes.
2013-09-16 13:44:10 -04:00
Nick Mathewson
4af793036f Do not include a timestamp in the ClientHello Random field.
Instead, send random bytes.

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.
    * If the PRNG output is prone to repeat itself, ephemeral
    * handshakes (and who knows what else besides) are broken.
2013-09-16 13:44:10 -04:00
Rob Stradling
c9a6ddafc5 Tidy up comments. 2013-09-16 15:07:52 +01:00
Rob Stradling
f4a51970d2 Use TLS version supplied by client when fingerprinting Safari. 2013-09-16 15:07:52 +01:00
Rob Stradling
937f125efc Fix compilation with no-ec and/or no-tlsext. 2013-09-16 15:07:52 +01:00
Rob Stradling
4b61f6d2a6 Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-09-16 15:07:51 +01:00
Michael Tuexen
83a3af9f4e DTLS message_sequence number wrong in rehandshake ServerHello
This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.
(cherry picked from commit b62f4daac0)
2013-08-13 18:55:41 +01:00
Michael Tuexen
76bf0cf27c DTLS handshake fix.
Reported by: Prashant Jaikumar <rmstar@gmail.com>

Fix handling of application data received before a handshake.
(cherry picked from commit 0c75eeacd3)
2013-08-08 13:32:11 +01:00
Dr. Stephen Henson
0e9dd387ea Set s->d1 to NULL after freeing it.
(cherry picked from commit 04638f2fc3)
2013-04-08 18:40:28 +01:00
Dr. Stephen Henson
9c95ff968a Disable compression for DTLS.
The only standard compression method is stateful and is incompatible with
DTLS.
(cherry picked from commit e14b8410ca)
2013-03-19 13:47:29 +00:00
Michael Tuexen
3972dbe462 Avoid unnecessary fragmentation.
(cherry picked from commit 80ccc66d7e)
2013-03-18 14:33:09 +00:00
David Woodhouse
9fe4603b82 Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb22e)
2013-02-12 15:16:05 +00:00
Dr. Stephen Henson
147dbb2fe3 Fix for SSL_get_certificate
Now we set the current certificate to the one used by a server
there is no need to call ssl_get_server_send_cert which will
fail if we haven't sent a certificate yet.
2013-02-11 18:24:03 +00:00
Dr. Stephen Henson
cbf9b4aed3 Fix in ssltest is no-ssl2 configured 2013-02-11 18:17:50 +00:00
Andy Polyakov
0898147090 ssl/*: fix linking errors with no-srtp. 2013-02-09 19:52:07 +01:00
Andy Polyakov
4d8da30fc1 ssl/s3_[clnt|srvr].c: fix warnings. 2013-02-09 19:50:34 +01:00
Andy Polyakov
579f3a631e s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal.
(cherry picked from commit f93a41877d)
2013-02-08 21:37:07 +01:00
Andy Polyakov
47061af106 s3_cbc.c: get rid of expensive divisions [from master].
(cherry picked from commit e9baceab5a)
2013-02-08 17:00:46 +01:00
Ben Laurie
496681cd51 Remove extraneous brackets (clang doesn't like them). 2013-02-07 16:17:43 -08:00
Andy Polyakov
8545f73b89 ssl/[d1|s3]_pkt.c: harmomize orig_len handling. 2013-02-07 22:47:05 +01:00
Dr. Stephen Henson
32cc2479b4 Fix IV check and padding removal.
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)

For AEAD remove the correct number of padding bytes (by Andy)
2013-02-07 21:06:37 +00:00
Adam Langley
f306b87d76 Fix for EXP-RC2-CBC-MD5
MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
2013-02-06 16:05:40 +00:00
Dr. Stephen Henson
0d589ac150 make update 2013-02-04 21:29:41 +00:00
Dr. Stephen Henson
35d732fc2e Fix error codes. 2013-02-04 21:13:18 +00:00
Andy Polyakov
125093b59f e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
2013-02-02 19:35:09 +01:00
Andy Polyakov
ec07246a08 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. 2013-02-01 15:34:09 +01:00
Dr. Stephen Henson
04e45b52ee Don't access EVP_MD_CTX internals directly. 2013-02-01 14:12:27 +00:00
Andy Polyakov
d5371324d9 s3/s3_cbc.c: allow for compilations with NO_SHA256|512. 2013-02-01 10:31:59 +01:00
Andy Polyakov
36260233e7 ssl/s3_cbc.c: md_state alignment portability fix.
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
2013-02-01 10:31:52 +01:00
Andy Polyakov
cab13fc847 ssl/s3_cbc.c: uint64_t portability fix.
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
2013-02-01 10:31:23 +01:00
Dr. Stephen Henson
34ab3c8c71 typo. 2013-01-31 23:04:39 +00:00
Dr. Stephen Henson
b908e88ec1 Timing fix mitigation for FIPS mode.
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
2013-01-31 12:34:10 +00:00
Ben Laurie
014265eb02 Oops. Add missing file. 2013-01-28 18:24:55 +00:00
Ben Laurie
9f27de170d Update DTLS code to match CBC decoding in TLS.
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
2013-01-28 17:34:33 +00:00
Ben Laurie
6cb19b7681 Don't crash when processing a zero-length, TLS >= 1.1 record.
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
2013-01-28 17:33:18 +00:00
Ben Laurie
e130841bcc Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
2013-01-28 17:31:49 +00:00
Ben Laurie
2ee798880a Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
2013-01-28 17:30:38 +00:00
Dr. Stephen Henson
7c3562947a reject zero length point format list or supported curves extensions 2012-11-22 14:15:25 +00:00
Dr. Stephen Henson
07eaaab2f6 add "missing" TLSv1.2 cipher alias 2012-11-15 19:15:20 +00:00
Dr. Stephen Henson
353e845120 Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.

Note for 1.0.1 and earlier also includes backport of the function
ssl_get_server_send_pkey.
2012-09-21 14:01:59 +00:00
Richard Levitte
d1451f18d9 * ssl/t1_enc.c (tls1_change_cipher_state): Stupid bug. Fortunately in
debugging code that's seldom used.
2012-09-21 13:08:28 +00:00
Ben Laurie
70d91d60bc Call OCSP Stapling callback after ciphersuite has been chosen, so the
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent.

See http://rt.openssl.org/Ticket/Display.html?id=2836.
2012-09-17 14:39:38 +00:00
Dr. Stephen Henson
c64c0e03d3 don't use pseudo digests for default values of keys 2012-06-27 14:11:40 +00:00
Ben Laurie
af454b5bb0 Reduce version skew. 2012-06-08 09:18:47 +00:00
Andy Polyakov
5b2bbf37fa s2_clnt.c: compensate for compiler bug [from HEAD]. 2012-05-16 18:22:27 +00:00
Dr. Stephen Henson
6e164e5c3d PR: 2811
Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.
2012-05-11 13:32:26 +00:00
Dr. Stephen Henson
1b452133ae PR: 2806
Submitted by: PK <runningdoglackey@yahoo.com>

Correct ciphersuite signature algorithm definitions.
2012-05-10 18:24:32 +00:00
Dr. Stephen Henson
d414a5a0f0 Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and
DTLS to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
2012-05-10 15:10:15 +00:00
Richard Levitte
9eb4460e68 Don't forget to install srtp.h as well 2012-05-10 15:01:22 +00:00
Dr. Stephen Henson
6984d16671 oops, revert unrelated change 2012-05-10 13:38:18 +00:00
Dr. Stephen Henson
5b9d0995a1 Reported by: Solar Designer of Openwall
Make sure tkeylen is initialised properly when encrypting CMS messages.
2012-05-10 13:34:22 +00:00
Dr. Stephen Henson
c76b7a1a82 Don't try to use unvalidated composite ciphers in FIPS mode 2012-04-26 18:49:45 +00:00
Dr. Stephen Henson
502dfeb8de Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
2012-04-25 23:08:44 +00:00
Andy Polyakov
5bbed29518 s23_clnt.c: ensure interoperability by maitaining client "version capability"
vector contiguous [from HEAD].
PR: 2802
2012-04-25 22:07:23 +00:00