Commit graph

10620 commits

Author SHA1 Message Date
Robin Seggelmann
f596e3c491 DTLS/SCTP struct authchunks Bug
PR: 2809

DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with
SCTP-AUTH.  It is checked if this has been activated successfully for
the local and remote peer. Due to a bug, however, the
gauth_number_of_chunks field of the authchunks struct is missing on
FreeBSD, and was therefore not considered in the OpenSSL implementation.
This patch sets the corresponding pointer for the check correctly
whether or not this bug is present.
2013-10-30 14:37:22 +00:00
Robin Seggelmann
9fb523adce DTLS/SCTP Finished Auth Bug
PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
2013-10-30 14:37:22 +00:00
Ben Laurie
cecf4d98d0 Remove unused variable. 2013-10-21 03:34:00 +01:00
Nick Mathewson
070e40e2f5 Fix another gmt_unix_time case in server_random 2013-10-20 15:08:58 -07:00
Nick Mathewson
d757097bbc Do not include a timestamp in the Client/ServerHello Random field.
Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
is set.

This is a forward-port of commits:
  4af793036f
  f4c93b46ed
  3da721dac9
  2583270191

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.

    * If the PRNG output is prone to repeat itself, ephemeral
      handshakes (and who knows what else besides) are broken.
2013-10-20 15:03:24 -07:00
Steve Marquess
7b112c2766 Remove gratuitous patent references 2013-10-20 22:19:47 +01:00
Dr. Stephen Henson
03ee8c2ed7 Fix no-ssl-trace 2013-10-20 22:07:33 +01:00
Dr. Stephen Henson
3495842bb0 Prevent use of RSA+MD5 in TLS 1.2 by default.
Removing RSA+MD5 from the default signature algorithm list
prevents its use by default.

If a broken implementation attempts to use RSA+MD5 anyway the sanity
checking of signature algorithms will cause a fatal alert.
(cherry picked from commit 77a0f740d00ecf8f6b01c0685a2f858c3f65a3dd)
2013-10-20 22:07:33 +01:00
Ben Laurie
face65dab8 Add clang debug target. 2013-10-20 13:23:14 +01:00
Andy Polyakov
e41a49c625 PPC assembly pack: make new .size directives profiler-friendly.
Suggested by: Anton Blanchard
(cherry picked from commit 76c15d790e)
2013-10-15 23:42:18 +02:00
Dr. Stephen Henson
3a55a42bff Add brainpool curves to NID table too.
(cherry picked from commit 6699cb8491)
2013-10-15 12:09:54 +01:00
Dr. Stephen Henson
72550c52ed Fix warning.
(cherry picked from commit f6983769c1bcd6c3c6b6bbfbbc41848f6dccf127)
2013-10-15 11:33:58 +01:00
Dr. Stephen Henson
a9d0c56de1 Add test vectors from RFC7027
(cherry picked from commit 8ba2d4ed7f128e400693562efd35985068c45e4d)
2013-10-15 11:33:58 +01:00
Dr. Stephen Henson
469bcb0c24 RFC7027 (Brainpool for TLS) support.
(cherry picked from commit 695e8c36528f9c3275f5f56e9633ac6a0c11f2e3)
2013-10-15 11:33:58 +01:00
Andy Polyakov
43ce9cdde9 PPC assembly pack: update from master branch.
Includes multiple updates: AES module to comply with more ABI
flavors, SHA512 for PPC32, .size directives.
2013-10-15 00:31:45 +02:00
Andy Polyakov
011f89893c Add support for Cygwin-x86_64.
PR: 3110
Submitted by Corinna Vinschen.
(cherry picked from commit b3ef742cbb)
2013-10-14 16:59:05 +02:00
Andy Polyakov
958608ca1c Initial aarch64 bits.
(cherry picked from commit 039081b809)
2013-10-13 19:24:22 +02:00
Andy Polyakov
1aecb23f5b MIPS assembly pack: get rid of deprecated instructions.
Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
(cherry picked from commit 0c2adb0a9b)
2013-10-13 13:18:21 +02:00
Andy Polyakov
9ed6fba2b4 aes/asm/bsaes-x86_64.pl: update from master.
Performance improvement and Windows-specific bugfix (PR#3139).
2013-10-12 21:47:54 +02:00
Andy Polyakov
df5c435c0b bn/asm/rsax-avx2.pl: minor optimization [for Decoded ICache].
(cherry picked from commit fa104be35e)
2013-10-10 23:09:54 +02:00
Ben Laurie
1ebaf97c44 Constification. 2013-10-07 12:44:40 +01:00
Ben Laurie
c8c6914aac Merge branch 'OpenSSL_1_0_2-stable' into pre-aead 2013-10-05 21:20:24 +01:00
Andy Polyakov
c99028f252 evp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms.
Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0da)
2013-10-05 21:09:50 +01:00
Andy Polyakov
90d8c5862b perlasm/sparcv9_modes.pl: make it work even with seasoned perl.
PR: 3130
(cherry picked from commit 6b2cae0c16)
2013-10-05 21:09:39 +01:00
Ben Laurie
2d5dd00f9e Merge branch 'OpenSSL_1_0_2-stable' into agl-1.0.2aead 2013-10-04 12:59:03 +01:00
Ben Laurie
cb52183836 Tidy. 2013-10-04 12:58:08 +01:00
Ben Laurie
ab3b624b0c Merge branch 'OpenSSL_1_0_2-stable' into agl-1.0.2aead 2013-10-04 12:48:24 +01:00
Ben Laurie
7c81de9a91 Make it build and test. 2013-10-03 19:02:58 +01:00
Andy Polyakov
4dfac659ff evp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms.
Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0da)
2013-10-03 10:57:45 +02:00
Andy Polyakov
66e0f9db08 perlasm/sparcv9_modes.pl: make it work even with seasoned perl.
PR: 3130
(cherry picked from commit 6b2cae0c16)
2013-10-03 10:45:36 +02:00
Adam Langley
a2eef41993 AEAD Tests.
Add tests for AEAD functions: AES-128-GCM, AES-256-GCM and
ChaCha20+Poly1305.
2013-10-01 15:34:44 -04:00
Adam Langley
9a8646510b chacha20poly1305
Add support for Chacha20 + Poly1305.
2013-10-01 14:59:22 -04:00
Adam Langley
fa03d0117a Use AEAD for AES-GCM.
Switches AES-GCM ciphersuites to use AEAD interfaces.
2013-10-01 13:09:12 -04:00
Adam Langley
03614034e9 AEAD support in ssl/
This change allows AEADs to be used in ssl/ to implement SSL/TLS
ciphersuites.
2013-10-01 12:49:50 -04:00
Adam Langley
444b1d416b AEAD support.
This change adds an AEAD interface to EVP and an AES-GCM implementation
suitable for use in TLS.
2013-10-01 12:30:52 -04:00
Adam Langley
4055ca1f9e Rework tls1_change_cipher_state.
The previous version of the function made adding AEAD changes very
difficult. This change should be a semantic no-op - it should be purely
a cleanup.
2013-10-01 11:31:30 -04:00
Ben Laurie
7a216dfee5 Constification. 2013-10-01 14:51:04 +01:00
Dr. Stephen Henson
a78b21fc67 Update cms docs.
(cherry picked from commit dfcb42c68e)
2013-10-01 14:01:19 +01:00
Ben Laurie
a808002bc3 Correctly test for no-ec.
(cherry picked from commit d5605699a1)
2013-10-01 14:01:19 +01:00
Dr. Stephen Henson
2fc368c111 Don't run ECDH CMS tests if EC disabled.
(cherry picked from commit b85f8afe37)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
6ed3af7d50 Add X9.42 DH test.
(cherry picked from commit bbc098ffb3)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
d037e0d30c New CMS tests.
Add some ECDH CMS tests.
(cherry picked from commit 5cdc25a754)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
51cb950904 Add X9.42 DH certificate to S/MIME test
(cherry picked from commit 75787fd833)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
4bfa88bb4c Scripts to recreate S/MIME test certificates.
Add a script to generate keys and certificates for the S/MIME and CMS
tests.

Update certificates and add EC examples.
(cherry picked from commit a0957d5505)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
9d1e475db6 Custom key wrap option for cms utility.
(cherry picked from commit 5711885a2b)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
3e792793f6 add cofactor ECDH support from fips branch
(cherry picked from commit a3a2e3a43d)
2013-10-01 14:01:18 +01:00
Ben Laurie
ac5cb33356 Fix compile errors.
(cherry picked from commit a0aaa5660a)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
aaf74259ec CMS RFC2631 X9.42 DH enveloped data support.
(cherry picked from commit bd59f2b91d)

Conflicts:

	crypto/dh/dh.h
	crypto/dh/dh_err.c

Sync error codes with 1.0.1.
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
ecf9ceb90d Minor optimisation to KDF algorithm.
Don't need to use temporary buffer if remaining length equals digest length.
(cherry picked from commit 3f6b6f0b8c)
2013-10-01 14:01:18 +01:00
Dr. Stephen Henson
5c4ff8ad37 Add KDF for DH.
Add X9.42 DH KDF. Move sharedinfo generation code to CMS library as the
same structure is used by DH and ECDH.

Move ASN1_OBJECT typedef to ossl_typ.h so it can be picked up by dh headers
without the need to use ASN1.
(cherry picked from commit dc1ce3bc64)
2013-10-01 14:01:18 +01:00