aboutsummaryrefslogtreecommitdiffstats
path: root/ssl
Commit message (Collapse)AuthorAgeFilesLines
* Check validity, not just signing for all certificatesDr. Stephen Henson2017-02-211-2/+2
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2679)
* Set default validity flags.Dr. Stephen Henson2017-02-211-10/+30
| | | | | | | Set default validity flags if signature algorithms extension is not present. Preserve flags when checking chains. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2679)
* remove md array: it is not used any more.Dr. Stephen Henson2017-02-213-107/+27
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2679)
* fix spelling of Camellia in commentPauli2017-02-211-2/+2
| | | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2337)
* Implementation of the ARIA cipher as described in RFC 5794.Pauli2017-02-211-4/+1
| | | | | | | | | | | | | | This implementation is written in endian agnostic C code. No attempt at providing machine specific assembly code has been made. This implementation expands the evptests by including the test cases from RFC 5794 and ARIA official site rather than providing an individual test case. Support for ARIA has been integrated into the command line applications, but not TLS. Implemented modes are CBC, CFB1, CFB8, CFB128, CTR, ECB and OFB128. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2337)
* Explicitly disallow DSA for TLS 1.3Dr. Stephen Henson2017-02-171-5/+12
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2667)
* Updates following review feedbackMatt Caswell2017-02-173-3/+1
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Don't use an enum in the return type for a public API functionMatt Caswell2017-02-172-3/+3
| | | | | | We use an int instead. That means SSL_key_update() also should use an int. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Fix a shadowed global variable warningMatt Caswell2017-02-172-8/+8
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Updates following review feedbackMatt Caswell2017-02-174-7/+9
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Limit the number of KeyUpdate messages we can processMatt Caswell2017-02-173-0/+13
| | | | | | | | | | Too many KeyUpdate message could be inicative of a problem (e.g. an infinite KeyUpdate loop if the peer always responds to a KeyUpdate message with an "update_requested" KeyUpdate response), or (conceivably) an attack. Either way we limit the number of KeyUpdate messages we are prepared to handle. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Actually update the keys when a KeyUpdate message is sent or receivedMatt Caswell2017-02-176-51/+141
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* If we receive an "update_requested" KeyUpdate then respond with a KeyUpdateMatt Caswell2017-02-173-0/+20
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Add the ability for a server to receive a KeyUpdate messageMatt Caswell2017-02-171-1/+17
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Add a SSL_get_key_update_type() functionMatt Caswell2017-02-171-0/+5
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Add the ability for a client to send a KeyUpdate messageMatt Caswell2017-02-172-6/+19
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Add the ability for a client to receive a KeyUpdate messageMatt Caswell2017-02-174-0/+33
| | | | | | This just receives the message. It doesn't actually update any keys yet. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Add SSL_trace() support for KeyUpdate messagesMatt Caswell2017-02-171-1/+17
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Provide a function to send a KeyUpdate messageMatt Caswell2017-02-176-14/+67
| | | | | | This implements the server side KeyUpdate sending capability as well. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2609)
* Use tls_choose_sigalg for client auth.Dr. Stephen Henson2017-02-164-66/+19
| | | | | | | | | | For client auth call tls_choose_sigalg to select the certificate and signature algorithm. Use the selected algorithm in tls_construct_cert_verify. Remove obsolete tls12_get_sigandhash. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2643)
* Add client side support to tls_choose_sigalg.Dr. Stephen Henson2017-02-161-24/+54
| | | | | | | | | | | | | | | | Select appropriate signature algorithm and certificate for client authentication using tls_choose_sigalg. A lot of selection logic is very similar except not finding a certificate is not a fatal error: we just do not present a certificate. For TLS 1.2 and earlier we only check the current certificate is suitable (for compatibility with previous logic) for TLS 1.3 (where there are no compatibility issues) we support multiple client certificates for different algorithms. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2643)
* Remove an OPENSSL_assert() and replace with a soft assert and checkMatt Caswell2017-02-161-2/+3
| | | | | | | | Following on from CVE-2017-3733, this removes the OPENSSL_assert() check that failed and replaces it with a soft assert, and an explicit check of value with an error return if it fails. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Don't change the state of the ETM flags until CCS processingMatt Caswell2017-02-169-23/+36
| | | | | | | | | | | | | | | | | | | In 1.1.0 changing the ciphersuite during a renegotiation can result in a crash leading to a DoS attack. In master this does not occur with TLS (instead you get an internal error, which is still wrong but not a security issue) - but the problem still exists in the DTLS code. The problem is caused by changing the flag indicating whether to use ETM or not immediately on negotiation of ETM, rather than at CCS. Therefore, during a renegotiation, if the ETM state is changing (usually due to a change of ciphersuite), then an error/crash will occur. Due to the fact that there are separate CCS messages for read and write we actually now need two flags to determine whether to use ETM or not. CVE-2017-3733 Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix warningDr. Stephen Henson2017-02-161-1/+6
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2644)
* Set current certificate to selected certificate.Dr. Stephen Henson2017-02-151-0/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2637)
* Rework error handling of custom_ext_meth_add towards strong exception safety.Bernd Edlinger2017-02-151-5/+1
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2636)
* Skip curve check if sigalg doesn't specify a curve.Dr. Stephen Henson2017-02-151-2/+2
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
* Use CERT_PKEY pointer instead of indexDr. Stephen Henson2017-02-155-28/+21
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
* Simplify tls_construct_server_key_exchangeDr. Stephen Henson2017-02-151-72/+58
| | | | | | | Use negotiated signature algorithm and certificate index in tls_construct_key_exchange instead of recalculating it. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
* Use cert_index and sigalgDr. Stephen Henson2017-02-157-104/+23
| | | | | | | | | Now the certificate and signature algorithm is set in one place we can use it directly insetad of recalculating it. The old functions ssl_get_server_send_pkey() and ssl_get_server_cert_index() are no longer required. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
* Add sigalg for earlier TLS versionsDr. Stephen Henson2017-02-152-20/+145
| | | | | | | | | | | | | | Update tls_choose_sigalg to choose a signature algorithm for all versions of TLS not just 1.3. For TLS 1.2 we choose the highest preference signature algorithm for the chosen ciphersuite. For TLS 1.1 and earlier the signature algorithm is determined by the ciphersuite alone. For RSA we use a special MD5+SHA1 signature algorithm. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
* Change tls_choose_sigalg so it can set errors and alerts.Dr. Stephen Henson2017-02-154-7/+6
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
* add ssl_has_certDr. Stephen Henson2017-02-152-13/+13
| | | | | | | Add inline function ssl_has_cert which checks to see if a certificate and private key for a given index are not NULL. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2623)
* Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket.Bernd Edlinger2017-02-141-2/+2
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2618)
* Fix no-ec compilationMatt Caswell2017-02-142-1/+8
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2624)
* Remove a double call to ssl3_send_alert()Matt Caswell2017-02-141-2/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Fix a bogus uninit variable warningMatt Caswell2017-02-141-1/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Add a bytestogroup macroMatt Caswell2017-02-143-3/+6
| | | | | | For converting the 2 byte group id into an unsigned int. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Various style fixes following review feedbackMatt Caswell2017-02-143-11/+11
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Add trace support for HelloRetryRequestMatt Caswell2017-02-141-10/+38
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Implement support for resumption with a HelloRetryRequestMatt Caswell2017-02-145-99/+160
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Add client side support for parsing Hello Retry RequestMatt Caswell2017-02-145-52/+199
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Add server side support for creating the Hello Retry Request messageMatt Caswell2017-02-147-23/+165
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* Make the context available to the extensions parse and construction funcsMatt Caswell2017-02-144-218/+259
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2341)
* mem leak on error path and error propagation fixYuchi2017-02-141-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2559)
* Replace SSL_PKEY_RSA_ENC, SSL_PKEY_RSA_SIGNDr. Stephen Henson2017-02-107-53/+33
| | | | | | | | | The original intent of SSL_PKEY_RSA_SIGN and SSL_PKEY_RSA_ENC was to support two different keys for RSA signing and decrypt. However this was never implemented and we only ever set one key and the other was always NULL. Replace with single SSL_PKEY_RSA type. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2587)
* Check index >= 0 as 0 is a valid index.Dr. Stephen Henson2017-02-101-1/+1
| | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2587)
* Don't read uninitialised data for short session IDs.David Benjamin2017-02-091-4/+12
| | | | | | | | | | | | | | | | | | | | | | | While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes from an |SSL_SESSION|'s |session_id| array, the hash function would do so with without considering if all those bytes had been written to. This change checks |session_id_length| before possibly reading uninitialised memory. Since the result of the hash function was already attacker controlled, and since a lookup of a short session ID will always fail, it doesn't appear that this is anything more than a clean up. In particular, |ssl_get_prev_session| uses a stack-allocated placeholder |SSL_SESSION| as a lookup key, so the |session_id| array may be uninitialised. This was originally found with libFuzzer and MSan in https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7, then by Robert Swiecki with honggfuzz and MSan here. Thanks to both. Reviewed-by: Geoff Thorpe <geoff@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2583)
* SSL_get_shared_sigalgs: handle negative idx parameterPeter Wu2017-02-091-0/+1
| | | | | | | | | | | | | | When idx is negative (as is the case with do_print_sigalgs in apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read). Even if the pointer is not dereferenced, this is undefined behavior. Change the user not to use "-1" as index since the function is documented to return 0 on out-of-range values. Tested with `openssl s_server` and `curl -k https://localhost:4433`. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2349)
* Fix crash in tls13_encMatt Caswell2017-02-081-1/+12
| | | | | | | | | If s->s3->tmp.new_cipher is NULL then a crash can occur. This can happen if an alert gets sent after version negotiation (i.e. we have selected TLSv1.3 and ended up in tls13_enc), but before a ciphersuite has been selected. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2575)
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-04 06:56:38 +0000