path: root/ssl/t1_enc.c
Commit log (newest first). Each entry gives: commit message, author, date, files changed, lines removed/added.

* Fix a double free in tls1_setup_key_block
  Author: Matt Caswell | Date: 2016-05-19 | Files: 1 | Lines: -1/+0
  If p2 == NULL then p1 can get freed twice and a crash could occur. Issue reported by Shi Lei (Qihoo 360 Inc)
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

* Fix more URLs mangled by reformat
  Author: Matt Caswell | Date: 2015-12-19 | Files: 1 | Lines: -1/+1
  Fix some more URLs mangled by indent in the reformat. These ones don't exist in master so we have a separate commit.
  Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca>
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Ensure all EVP calls have their returns checked where appropriate
  Author: Matt Caswell | Date: 2015-11-20 | Files: 1 | Lines: -15/+33
  There are lots of calls to EVP functions from within libssl. There were various places where we should probably check the return value but don't. This adds these checks.
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Sanity check EVP_CTRL_AEAD_TLS_AAD
  Author: Matt Caswell | Date: 2015-04-30 | Files: 1 | Lines: -2/+5
  The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at least 13 bytes long. Add sanity checks to ensure that the length is at least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to represent this length.
  Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue.
  Reviewed-by: Andy Polyakov <appro@openssl.org>
  (cherry picked from commit c8269881093324b881b81472be037055571f73f3)
  Conflicts:
    ssl/record/ssl3_record.c

* Code style: space after 'if'
  Author: Viktor Dukhovni | Date: 2015-04-16 | Files: 1 | Lines: -1/+1
  Reviewed-by: Matt Caswell <gitlab@openssl.org>

* Ensure last_write_sequence is saved in DTLS1.2
  Author: Matt Caswell | Date: 2015-03-25 | Files: 1 | Lines: -4/+4
  In DTLS, immediately prior to epoch change, the write_sequence is supposed to be stored in s->d1->last_write_sequence. The write_sequence is then reset back to 00000000. In the event of retransmits of records from the previous epoch, the last_write_sequence is restored. This commit fixes a bug in DTLS1.2 where the write_sequence was being reset before last_write_sequence was saved, and therefore retransmits are sent with incorrect sequence numbers.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (cherry picked from commit d5d0a1cb1347d4a8547e78aec56c50c528186e50)

* Add sanity check to PRF
  Author: Matt Caswell | Date: 2015-03-17 | Files: 1 | Lines: -0/+5
  The function tls1_PRF counts the number of digests in use and partitions security evenly between them. There always needs to be at least one digest in use, otherwise this is an internal error. Add a sanity check for this.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (cherry picked from commit 668f6f08c62177ab5893fc26ebb67053aafdffc8)

* Cleanse buffers
  Author: Matt Caswell | Date: 2015-03-11 | Files: 1 | Lines: -0/+5
  Cleanse various intermediate buffers used by the PRF (backported version from master).
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Fixed missing return value checks.
  Author: Matt Caswell | Date: 2015-02-27 | Files: 1 | Lines: -9/+17
  Added various missing return value checks in tls1_change_cipher_state.
  Reviewed-by: Richard Levitte <levitte@openssl.org>

* Missing OPENSSL_free on error path.
  Author: Eric Dequin | Date: 2015-02-12 | Files: 1 | Lines: -0/+1
  Reviewed-by: Andy Polyakov <appro@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (cherry picked from commit 1d2932de4cefcc200f175863a42c311916269981)

* Run util/openssl-format-source -v -c .
  Author: Matt Caswell | Date: 2015-01-22 | Files: 1 | Lines: -1056/+1097
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Move more comments that confuse indent
  Author: Matt Caswell | Date: 2015-01-22 | Files: 1 | Lines: -1/+2
  Conflicts:
    crypto/dsa/dsa.h
    demos/engines/ibmca/hw_ibmca.c
    ssl/ssl_locl.h
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Fix strange formatting by indent
  Author: Matt Caswell | Date: 2015-01-22 | Files: 1 | Lines: -1/+2
  Conflicts:
    crypto/hmac/hmac.h
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Fix source where indent will not be able to cope
  Author: Matt Caswell | Date: 2015-01-22 | Files: 1 | Lines: -1/+2
  Conflicts:
    apps/ciphers.c
    ssl/s3_pkt.c
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Further comment amendments to preserve formatting prior to source reformat
  Author: Matt Caswell | Date: 2015-01-22 | Files: 1 | Lines: -1/+2
  (cherry picked from commit 4a7fa26ffd65bf36beb8d1cb8f29fc0ae203f5c5)
  Conflicts:
    crypto/x509v3/pcy_tree.c
  Reviewed-by: Tim Hudson <tjh@openssl.org>

* Clear warnings/errors within TLS_DEBUG code sections
  Author: Richard Levitte | Date: 2014-12-17 | Files: 1 | Lines: -9/+5
  Reviewed-by: Andy Polyakov <appro@openssl.org>

* Clear warnings/errors within KSSL_DEBUG code sections
  Author: Richard Levitte | Date: 2014-12-17 | Files: 1 | Lines: -30/+30
  Reviewed-by: Andy Polyakov <appro@openssl.org>

* Support TLS_FALLBACK_SCSV.
  Author: Bodo Moeller | Date: 2014-10-15 | Files: 1 | Lines: -0/+1
  Reviewed-by: Rich Salz <rsalz@openssl.org>

* Fix compilation with -DSSL_DEBUG -DTLS_DEBUG -DKSSL_DEBUG
  Author: yogesh nagarkar | Date: 2014-06-28 | Files: 1 | Lines: -1/+1
  PR#3141
  (cherry picked from commit d183545d4589f1e7a40190400b8b99ea3d1f7f97)

* Use correct digest when exporting keying material.
  Author: Dr. Stephen Henson | Date: 2014-05-30 | Files: 1 | Lines: -1/+1
  PR#3319
  (cherry picked from commit 84691390eae86befd33c83721dacedb539ae34e6)

* ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
  Author: Andy Polyakov | Date: 2014-02-25 | Files: 1 | Lines: -1/+2
  PR: 3201
  (cherry picked from commit 03da57fe14f2de5bde9d4496a2ae9a4ae8879f88)

* ssl/t1_enc.c: optimize PRF (suggested by Intel).
  Author: Andy Polyakov | Date: 2014-01-03 | Files: 1 | Lines: -9/+8
  (cherry picked from commit e8b0dd57c0e9c53fd0708f0f458a7a2fd7a95c91)

* Fix DTLS retransmission from previous session.
  Author: Dr. Stephen Henson | Date: 2013-12-20 | Files: 1 | Lines: -6/+11
  For DTLS we might need to retransmit messages from the previous session so keep a copy of write context in DTLS retransmission buffers instead of replacing it after sending CCS. CVE-2013-6450.
  (cherry picked from commit 34628967f1e65dc8f34e000f0f5518e21afbfc7b)

* Check EVP errors for handshake digests.
  Author: Dr. Stephen Henson | Date: 2013-12-18 | Files: 1 | Lines: -5/+6
  Partial mitigation of PR#3200
  (cherry picked from commit 0294b2be5f4c11e60620c0018674ff0e17b14238)

* Enable TLS 1.2 ciphers in DTLS 1.2.
  Author: Dr. Stephen Henson | Date: 2013-09-18 | Files: 1 | Lines: -1/+1
  Port TLS 1.2 GCM code to DTLS. Enable use of TLS 1.2 only ciphers when in DTLS 1.2 mode too.
  (cherry picked from commit 4221c0dd3004117c63b182af5e8ab345b7265902)

* Use enc_flags when deciding protocol variations.
  Author: Dr. Stephen Henson | Date: 2013-09-18 | Files: 1 | Lines: -3/+3
  Use the enc_flags field to determine whether we should use explicit IV, signature algorithms or SHA256 default PRF instead of hard coding which versions support each requirement.
  (cherry picked from commit cbd64894ec687c6f37d8e43c16dff78e63f6be87)
  Conflicts:
    ssl/ssl_locl.h

* ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
  Author: Andy Polyakov | Date: 2013-02-06 | Files: 1 | Lines: -3/+7
  Kludge alert. This is arranged by passing padding length in unused bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
  (cherry picked from commit 8bfd4c659f180a6ce34f21c0e62956b362067fba)

* Timing fix mitigation for FIPS mode.
  Author: Dr. Stephen Henson | Date: 2013-02-06 | Files: 1 | Lines: -0/+7
  We have to use EVP in FIPS mode so we can only partially mitigate timing differences. Make an extra call to EVP_DigestSignUpdate to hash additional blocks to cover any timing differences caused by removal of padding.
  (cherry picked from commit b908e88ec15aa0a74805e3f2236fc4f83f2789c2)

* Update DTLS code to match CBC decoding in TLS.
  Author: Ben Laurie | Date: 2013-02-06 | Files: 1 | Lines: -4/+0
  This change updates the DTLS code to match the constant-time CBC behaviour in the TLS.
  (cherry picked from commit 9f27de170d1b7bef3d46d41382dc4dafde8b3900)

* Don't crash when processing a zero-length, TLS >= 1.1 record.
  Author: Ben Laurie | Date: 2013-02-06 | Files: 1 | Lines: -4/+9
  The previous CBC patch was bugged in that there was a path through enc() in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left at the previous value which could suggest that the packet was a sufficient length when it wasn't.
  (cherry picked from commit 6cb19b7681f600b2f165e4adc57547b097b475fd)

* Make CBC decoding constant time.
  Author: Ben Laurie | Date: 2013-02-06 | Files: 1 | Lines: -76/+55
  This patch makes the decoding of SSLv3 and TLS CBC records constant time. Without this, a timing side-channel can be used to build a padding oracle and mount Vaudenay's attack.
  This patch also disables the stitched AESNI+SHA mode pending a similar fix to that code.
  In order to be easy to backport, this change is implemented in ssl/, rather than as a generic AEAD mode. In the future this should be changed around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
  (cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)

* SSL/TLS record tracing code (backport from HEAD).
  Author: Dr. Stephen Henson | Date: 2012-12-26 | Files: 1 | Lines: -0/+42

* * ssl/t1_enc.c (tls1_change_cipher_state): Stupid bug. Fortunately in
  Author: Richard Levitte | Date: 2012-09-21 | Files: 1 | Lines: -1/+1
  debugging code that's seldom used.

* Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and
  Author: Dr. Stephen Henson | Date: 2012-05-10 | Files: 1 | Lines: -0/+2
  DTLS to fix DoS attack.
  Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform.
  (CVE-2012-2333)

* ssl/t1_enc.c: pay attention to EVP_CIPH_FLAG_CUSTOM_CIPHER [from HEAD].
  Author: Andy Polyakov | Date: 2012-03-13 | Files: 1 | Lines: -1/+4

* Remove redundant TLS exporter.
  Author: Ben Laurie | Date: 2011-12-13 | Files: 1 | Lines: -33/+0

* SSL export fixes (from Adam Langley).
  Author: Ben Laurie | Date: 2011-12-13 | Files: 1 | Lines: -29/+29

* Fix exporter.
  Author: Ben Laurie | Date: 2011-12-02 | Files: 1 | Lines: -4/+13

* Fix warnings.
  Author: Ben Laurie | Date: 2011-12-02 | Files: 1 | Lines: -1/+1

* PR: 1794
  Author: Dr. Stephen Henson | Date: 2011-11-25 | Files: 1 | Lines: -3/+0
  Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
  Reviewed by: steve
  Make SRP conformant to rfc 5054. Changes are:
  - removal of the addition state after client hello
  - removal of all pre-rfc srp alert ids
  - sending a fatal alert when there is no srp extension but when the server wants SRP
  - removal of unnecessary code in the client.

* bcmp doesn't exist on all platforms, replace with memcmp
  Author: Dr. Stephen Henson | Date: 2011-11-21 | Files: 1 | Lines: -4/+4

* Add TLS exporter.
  Author: Ben Laurie | Date: 2011-11-15 | Files: 1 | Lines: -0/+89

* Backport GCM support from HEAD.
  Author: Dr. Stephen Henson | Date: 2011-08-04 | Files: 1 | Lines: -3/+19

* Back-port TLS AEAD framework [from HEAD].
  Author: Andy Polyakov | Date: 2011-07-21 | Files: 1 | Lines: -16/+65

* Don't round up partitioned premaster secret length if there is only one
  Author: Dr. Stephen Henson | Date: 2011-05-31 | Files: 1 | Lines: -0/+2
  digest in use: this caused the PRF to fail for an odd premaster secret length.

* add FIPS support to ssl: doesn't do anything on this branch yet as there is
  Author: Dr. Stephen Henson | Date: 2011-05-19 | Files: 1 | Lines: -0/+2
  no FIPS compilation support

* Backport TLS v1.2 support from HEAD.
  Author: Dr. Stephen Henson | Date: 2011-05-11 | Files: 1 | Lines: -7/+18
  This includes TLS v1.2 server and client support but at present client certificate support is not implemented.

* Add SRP.
  Author: Ben Laurie | Date: 2011-03-16 | Files: 1 | Lines: -0/+3

* Don't use decryption_failed alert for TLS v1.1 or later.
  Author: Dr. Stephen Henson | Date: 2011-01-04 | Files: 1 | Lines: -0/+2

* use generalised mac API for SSL key generation
  Author: Dr. Stephen Henson | Date: 2010-11-24 | Files: 1 | Lines: -28/+34