generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
8,781 Commits 16 Branches 258 Tags
Commit Graph

1093 Commits

Author SHA1 Message Date
Andy Polyakov
33ccde59a1 ssl/s3_cbc.c: uint64_t portability fix. 
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
(cherry picked from commit cab13fc8473856a43556d41d8dac5605f4ba1f91)
 2013-02-05 16:50:35 +00:00
Dr. Stephen Henson
1909df070f Don't access EVP_MD internals directly. 2013-02-05 16:50:35 +00:00
Dr. Stephen Henson
924b117422 Timing fix mitigation for FIPS mode. 
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to HMAC_Update to hash additonal blocks
to cover any timing differences caused by removal of padding.
 2013-02-05 16:50:34 +00:00
Dr. Stephen Henson
99f5093347 The cbc functions shouldn't be inside #ifdef OPENSSL_NO_TLSEXT 2013-02-05 16:50:34 +00:00
Ben Laurie
be88529753 Update DTLS code to match CBC decoding in TLS. 
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
(cherry picked from commit 9f27de170d1b7bef3d46d41382dc4dafde8b3900)
(cherry picked from commit 5e4ca556e970edb8a7f364fcb6ee6818a965a60b)

Conflicts:
	ssl/d1_enc.c
	ssl/d1_pkt.c
	ssl/s3_pkt.c
 2013-02-05 16:50:33 +00:00
Ben Laurie
b3a959a337 Don't crash when processing a zero-length, TLS >= 1.1 record. 
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b7681f600b2f165e4adc57547b097b475fd)
(cherry picked from commit 2c948c1bb218f4ae126e14fd3453d42c62b93235)

Conflicts:
	ssl/s3_enc.c
 2013-02-05 16:50:33 +00:00
Ben Laurie
2928cb4c82 Fixups. 2013-02-05 16:50:33 +00:00
Ben Laurie
a33e6702a0 Oops. Add missing file. 
(cherry picked from commit 014265eb02e26f35c8db58e2ccbf100b0b2f0072)
(cherry picked from commit 7721c53e5e9fe4c90be420d7613559935a96a4fb)
 2013-02-05 16:50:33 +00:00
Ben Laurie
35a65e814b Make CBC decoding constant time. 
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)

Conflicts:
	crypto/evp/c_allc.c
	ssl/ssl_algs.c
	ssl/ssl_locl.h
	ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)

Conflicts:
	ssl/d1_enc.c
	ssl/s3_enc.c
	ssl/s3_pkt.c
	ssl/ssl3.h
	ssl/ssl_algs.c
	ssl/t1_enc.c
 2013-02-05 16:50:32 +00:00
Ben Laurie
2708813166 Add and use a constant-time memcmp. 
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a246d648ecddadc5b91367bee4a5d98)

Conflicts:
	crypto/crypto.h
	ssl/t1_lib.c
(cherry picked from commit dc406b59f3169fe191e58906df08dce97edb727c)

Conflicts:
	crypto/crypto.h
	ssl/d1_pkt.c
	ssl/s3_pkt.c
 2013-02-05 16:50:32 +00:00
Dr. Stephen Henson
42aa3ec4f2 PR: 2888 
Reported by: Daniel Black <daniel.black@openquery.com>

Support renewing session tickets (backport from HEAD).
 2012-12-10 16:45:39 +00:00
Dr. Stephen Henson
71a2440ee5 backport OCSP fix enhancement 2012-10-05 13:02:31 +00:00
Ben Laurie
48bcdad0d5 Backport OCSP fix. 2012-10-05 12:50:24 +00:00
Richard Levitte
c06271bc35 * ssl/t1_enc.c (tls1_change_cipher_state): Stupid bug. Fortunately in 
debugging code that's seldom used.
 2012-09-21 13:08:32 +00:00
Dr. Stephen Henson
36dd4cba3d Sanity check record length before skipping explicit IV in DTLS 
to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
 2012-05-10 14:33:11 +00:00
Dr. Stephen Henson
0b1cf4a139 PR: 2778(part) 
Submitted by: John Fitzgibbon <john_fitzgibbon@yahoo.com>

Time is always encoded as 4 bytes, not sizeof(Time).
 2012-03-31 18:02:23 +00:00
Dr. Stephen Henson
48819f4d54 fix error code 2012-03-12 14:50:55 +00:00
Dr. Stephen Henson
b0cbdd3eba manually patch missing part of PR#2756 2012-03-12 12:46:52 +00:00
Dr. Stephen Henson
5016107550 PR: 2756 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix DTLS timeout handling.
 2012-03-09 15:51:56 +00:00
Dr. Stephen Henson
725713f74a PR: 2755 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions. [0.9.8 version of patch]
 2012-03-07 15:14:16 +00:00
Dr. Stephen Henson
6720779c7e revert PR#2755: it breaks compilation 2012-03-06 18:25:33 +00:00
Dr. Stephen Henson
b2a2c6af2a PR: 2755 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions.
 2012-03-06 13:45:47 +00:00
Dr. Stephen Henson
4e7f6d380d PR: 2748 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix possible DTLS timer deadlock.
 2012-03-06 13:20:20 +00:00
Dr. Stephen Henson
843fc7b681 Fix bug in CVE-2011-4619: check we have really received a client hello 
before rejecting multiple SGC restarts.
 2012-02-16 15:21:17 +00:00
Dr. Stephen Henson
096327a99a Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. 
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
 2012-01-18 13:12:08 +00:00
Bodo Möller
dd016b0570 Fix for builds without DTLS support. 
Submitted by: Brian Carlstrom
 2012-01-05 10:21:49 +00:00
Dr. Stephen Henson
eebefe35e7 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de> 
Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
 2012-01-04 19:10:16 +00:00
Dr. Stephen Henson
e643112dd8 Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) 2012-01-04 18:54:17 +00:00
Dr. Stephen Henson
21c4b25959 Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 18:52:18 +00:00
Dr. Stephen Henson
0c214e0153 Submitted by: Adam Langley <agl@chromium.org> 
Reviewed by: steve

Fix memory leaks.
 2012-01-04 14:25:10 +00:00
Dr. Stephen Henson
6c61cfbe03 PR: 2326 
Submitted by: Tianjie Mao <tjmao@tjmao.net>
Reviewed by: steve

Fix incorrect comma expressions and goto f_err as alert has been set.
 2011-12-26 19:38:28 +00:00
Bodo Möller
740da44f20 Resolve a stack set-up race condition (if the list of compression 
methods isn't presorted, it will be sorted on first read).

Submitted by: Adam Langley
 2011-12-02 12:50:44 +00:00
Dr. Stephen Henson
8794569a08 PR: 2628 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Send alert instead of assertion failure for incorrectly formatted DTLS
fragments.
 2011-10-27 13:06:26 +00:00
Bodo Möller
dacd94b9c8 Oops: this change (http://cvs.openssl.org/chngview?cn=21503) 
wasn't right for 0.9.8-stable (it's actually a fix for
http://cvs.openssl.org/chngview?cn=14494, which introduced
SSL_CTRL_SET_MAX_SEND_FRAGMENT).
 2011-10-19 13:53:41 +00:00
Bodo Möller
f7d514f449 In ssl3_clear, preserve s3->init_extra along with s3->rbuf. 
Submitted by: Bob Buckholz <bbuckholz@google.com>
 2011-10-13 13:04:40 +00:00
Dr. Stephen Henson
3cf0a38b3e fix signed/unsigned warning 2011-09-26 17:05:00 +00:00
Dr. Stephen Henson
fc4015329f PR: 2602 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS bug which prevents manual MTU setting
 2011-09-23 13:35:32 +00:00
Bodo Möller
db45308477 (EC)DH memory handling fixes. 
Submitted by: Adam Langley
 2011-09-05 10:25:15 +00:00
Dr. Stephen Henson
6a662a45f3 PR: 2573 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS buffering and decryption bug.
 2011-09-01 14:01:36 +00:00
Dr. Stephen Henson
ac02a4b68a PR: 2555 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS sequence number bug
 2011-07-20 15:17:20 +00:00
Dr. Stephen Henson
4ba063d3c5 PR: 2550 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS HelloVerifyRequest Timer bug
 2011-07-20 15:12:58 +00:00
Dr. Stephen Henson
cc0931e36b PR: 2543 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Correctly handle errors in DTLSv1_handle_timeout()
 2011-06-22 15:29:36 +00:00
Dr. Stephen Henson
c4b2eb24b3 PR: 2529 
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Call ssl_new() to reallocate SSL BIO internals if we want to replace
the existing internal SSL structure.
 2011-05-25 15:15:43 +00:00
Dr. Stephen Henson
2c77c5c8db Oops use up to date patch for PR#2506 2011-05-25 14:29:39 +00:00
Dr. Stephen Henson
1eb38c563f PR: 2506 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fully implement SSL_clear for DTLS.
 2011-05-25 12:28:42 +00:00
Dr. Stephen Henson
fa657871ed PR: 2505 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS session resumption timer bug.
 2011-05-25 12:24:03 +00:00
Dr. Stephen Henson
be70b3adce set encodedPoint to NULL after freeing it 2011-05-19 16:18:39 +00:00
Dr. Stephen Henson
7116a41129 PR: 2462 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS Retransmission Buffer Bug
 2011-04-03 17:15:23 +00:00
Dr. Stephen Henson
7143acab25 PR: 2458 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Don't change state when answering DTLS ClientHello.
 2011-04-03 16:26:33 +00:00
Dr. Stephen Henson
11d4086d8e PR: 2457 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS fragment reassembly bug.
 2011-04-03 15:49:26 +00:00