Commit Graph

1651 Commits

Author SHA1 Message Date
Adam Langley
ce1cfe169a Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361

(Imported from upstream's 856a4585d6f7a856b90c93792cf1c1ed968d4a4b)
2014-06-20 13:17:40 -07:00
Adam Langley
caddf1c4de Use correct digest when exporting keying material.
PR#3319

(Imported from upstream's 87a0cbdf2ee539ea922f9cf7a4b7c2c03119891d)
2014-06-20 13:17:40 -07:00
Adam Langley
467c87e318 remove duplicate 0x for default RSASSA-PSS salt len
(Imported from upstream's 42d73874edb4eb6681b769d9850afebe97adf329)
2014-06-20 13:17:40 -07:00
Adam Langley
dc160f84f5 Fixes to host checking.
Fixes to host checking wild card support and add support for setting
host checking flags when verifying a certificate chain.

(Imported from upstream's a2219f6be36d12f02b6420dd95f819cf364baf1d)
2014-06-20 13:17:40 -07:00
Adam Langley
3e449b1b05 Don't allocate more than is needed in BUF_strndup()
(Imported from upstream's 4ceb430a468e8226175aa3f169c0e746877c17e1,
4f7236edc7d5c384bdb148faf7b23f887cf18f69 and
ed693e43329383c0d68455d83778cdc9748a074d)
2014-06-20 13:17:40 -07:00
Adam Langley
b4b9914f74 Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(Imported from upstream's 2312a84ca17c5ac133581552df7024957cf15bc8)
2014-06-20 13:17:40 -07:00
Adam Langley
45fb1eca0d Sync with upstream's fix for PR#3321.
(Imported from upstream's f710c3f198c9980a1056bac9b4b9617554254671)
2014-06-20 13:17:40 -07:00
Adam Langley
041240485d Avoid out-of-bounds write in SSL_get_shared_ciphers
PR: 3317

(Imported from upstream's 8571902e238ba2ef1517185c2a662c03f51dc1bf and
1f5bce2dcebbb5059c2a5ecf4037432e8041cc07)
2014-06-20 13:17:40 -07:00
Adam Langley
9611cfcb9f safety check to ensure we dont send out beyond the users buffer
(Imported from upstream's 011ee91105f00cb2465110ce6431b11b51556d08 and
f2ebe2a60eacf3e348898175be82971b57d72327)
2014-06-20 13:17:40 -07:00
Adam Langley
f77452c572 fix coverity issue 966597 - error line is not always initialised
(Imported from upstream's afe343c3a7077caeaad43a9f2ee7e5d7f70076e5)
2014-06-20 13:17:40 -07:00
Adam Langley
c8e91d5798 bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as noted by
Daniel Sands and co at Sandia. This was to handle the case that 2 or more
threads race to lazy-init the same context, but stunted all scalability in the
case where 2 or more threads are doing unrelated things! We favour the latter
case by punishing the former. The init work gets done by each thread that finds
the context to be uninitialised, and we then lock the "set" logic after that
work is done - the winning thread's work gets used, the losing threads throw
away what they've done.

(Imported from upstream's bf43446835bfd3f9abf1898a99ae20f2285320f3)
2014-06-20 13:17:40 -07:00
Adam Langley
cdf96e5886 Double free in i2o_ECPublicKey
PR: 3338

(Imported from upstream's e34af3ec2b1230a8a523d383f7de505f7cbd381d)
2014-06-20 13:17:40 -07:00
Adam Langley
eceb33d3af bignum: fix boundary condition in montgomery logic
It's not clear whether this inconsistency could lead to an actual
computation error, but it involved a BIGNUM being passed around the
montgomery logic in an inconsistent state. This was found using flags
-DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion
in 'ectest';

ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) ||
(_bnum2->d[_bnum2->top - 1] != 0)' failed

(Imported from upstream's 3cc546a3bbcbf26cd14fc45fb133d36820ed0a75)
2014-06-20 13:17:40 -07:00
Adam Langley
6a57f92195 bn/asm/armv4-gf2m.pl, modes/asm/ghash-armv4.pl: faster multiplication algorithm suggested in following paper:
Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
Polynomial Multiplication on ARM Processors using the NEON Engine.

http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf

(Imported from upstream's 0fb3d5b4fdc76b8d4a4700d03480cda135c6c117)
2014-06-20 13:17:40 -07:00
Adam Langley
89b73fbafa aes/asm/bsaes-x86_64.pl: Atom-specific optimization.
(Imported from upstream's ffdff9f12f028e4075b473a2a21e51c5bcc2bbd9)
2014-06-20 13:17:40 -07:00
Adam Langley
4a35a93a12 Fix use after free.
(Imported from upstream's a0fe2e72c48166c9c4bb423397723de1fb6227b0)
2014-06-20 13:17:40 -07:00
Adam Langley
548523fd5e Extension checking fixes.
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309

(Imported from upstream's 5cd5e0219d2e9a8c1f2fec3d867f38179c3a86af)
2014-06-20 13:17:40 -07:00
Adam Langley
56475207be Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)

(Imported from upstream's 7e840163c06c7692b796a93e3fa85a93136adbb2)
2014-06-20 13:17:39 -07:00
Adam Langley
45ba42a94c vpaes-[x86_64|ppc].pl: fix typo, which for some reason triggers rkhunter.
(Imported from upstream's dacb698ada2579bccfc3d88662f8cca75fb1b9aa)
2014-06-20 13:17:39 -07:00
Adam Langley
dacb502cf4 Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml

(Imported from upstream's 6411b83e52fdfd0d3563d50a4dc00838b142fb2c)
2014-06-20 13:17:39 -07:00
Adam Langley
e2c2f60c44 Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.

(Imported from upstream's e9b4b8afbd129adc18d3fe71ca2ab34fe61d8640)
2014-06-20 13:17:39 -07:00
Adam Langley
db4f9521b5 Fix memory leak with client auth.
(Imported from upstream's bc5ec653ba65fedb1619c8182088497de8a97a70)
2014-06-20 13:17:39 -07:00
Adam Langley
64c2223310 Update chain building function.
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can
issue warnings.

(Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
2014-06-20 13:17:39 -07:00
Adam Langley
dff7b9e11b Allow duplicate certs in ssl_build_cert_chain
(Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
2014-06-20 13:17:39 -07:00
Adam Langley
33685b82ec dh/check.c: check BN_CTX_get's return value.
(Imported from upstream's fe69e6be6e551c04d9d6a186c7fee1e635313ca6)
2014-06-20 13:17:39 -07:00
Adam Langley
e0ddf2706a For self signed root only indicate one error.
(Imported from upstream's bdfc0e284c89dd5781259cc19aa264aded538492.)
2014-06-20 13:17:39 -07:00
Adam Langley
8f5b6b9b0f perlasm/x86asm.pl: recognize elf-1 denoting old ELF platforms.
(Imported from upstream's ca88a1d439f72f124d0f23e2d130e56bbcbb93a9)
2014-06-20 13:17:39 -07:00
Adam Langley
9612b766ae perlasm/x86gas.pl: limit special OPENSSL_ia32cap_P treatment to ELF.
(Imported from upstream's 5615196f7bd467f1e56e275bf740a62caa04d107.)
2014-06-20 13:17:39 -07:00
Adam Langley
9a7cb38882 rc4/asm/rc4-586.pl: allow for 386-only build.
(Imported from upstream's 1f59eb5f111149eb0cf5cdc2b378cfa0fbdfa9c3)
2014-06-20 13:17:39 -07:00
Adam Langley
43134282d0 sha/asm/sha256-586.pl: don't try to compile SIMD with no-sse2.
(Imported from upstream's d00ae7cf7019847c5d35728b01b22461a01bb336)
2014-06-20 13:17:39 -07:00
Adam Langley
bd97c20c77 sha/asm/sha512-x86_64.pl: fix compilation error on Solaris.
(Imported from upstream's f92926e33175b0ef874244ba7d66dd987a862750)
2014-06-20 13:17:39 -07:00
Adam Langley
9f61d7f4a1 ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201

(Imported from upstream's 8d08627c940900998d02a0dff0566db736efb94f)
2014-06-20 13:17:38 -07:00
Adam Langley
c83b1ceae2 x509/by_dir.c: fix run-away pointer.
fix run-away pointer (and potential SEGV) when adding duplicates in
add_cert_dir.

PR: 3261
Reported by: Marian Done

(Imported from upstream's 83fe7b9c8321d5ffb6bfe67df85ed66ceb97102f)
2014-06-20 13:17:38 -07:00
Adam Langley
f669c2d91a New chain building flags.
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

(Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
2014-06-20 13:17:38 -07:00
Adam Langley
5685363771 aes/asm/aesni-x86[_64].pl: minor Atom-specific performance tweak.
(Imported from upstream's 2d4d9623da229162ad4377174526af3c01b1707a)
2014-06-20 13:17:38 -07:00
Adam Langley
114a711f8b aes/asm/aesni-x86_64.pl: further optimization for Atom Silvermont.
Improve CBC decrypt and CTR by ~13/16%, which adds up to ~25/33%
improvement over "pre-Silvermont" version. [Add performance table to
aesni-x86.pl].

(Imported from upstream's b347341c75656cf8bc039bd0ea5e3571c9299687)
2014-06-20 13:17:38 -07:00
Adam Langley
a993a70d6d Include self-signed flag in certificates.
Include self-signed flag in certificates by checking SKID/AKID as well as
issuer and subject names. Although this is an incompatible change it should
have little impact in pratice because self-issued certificates that are not
self-signed are rarely encountered.

(Imported from upstream's c00f8d697aed17edbd002e2f6c989d8fbd7c4ecf)
2014-06-20 13:17:38 -07:00
Adam Langley
ec72cf5a1c Include TA in checks/callback with partial chains.
When a chain is complete and ends in a trusted root checks are also performed
on the TA and the callback notified with ok==1. For consistency do the same for
chains where the TA is not self signed.

(Imported from upstream's b07e4f2f46fc286c306353d5e362cbc22c8547fb)
2014-06-20 13:17:38 -07:00
Adam Langley
35163dc925 Add cert_self_signed function to simplify verify.
(Imported from upstream's ced6dc5cefca57b08e077951a9710c33b709e99e)
2014-06-20 13:17:38 -07:00
Adam Langley
a216d03d0e Simplify X509_STORE_CTX_get1_chain.
(Imported from upstream's bf2d129194d5a8f2ccf5ff5261ab755e4fc9f98e)
2014-06-20 13:17:38 -07:00
Adam Langley
d81f801f6d ghash-x86[_64].pl: ~15% improvement on Atom Silvermont
(other processors unaffected).

(Imported from upstream's 7078d93307d795cec577ec4a792b72fffed551ab)
2014-06-20 13:17:38 -07:00
Adam Langley
b6333d600e Return per-certificate chain if extra chain is NULL.
If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only

(Imported from upstream's e0d4272a583c760ce008b661b79baf8b3ff24561 and
3bff195dca617c4ec1630945fef93b792b418cc8)
2014-06-20 13:17:38 -07:00
Adam Langley
6d43d0c4d6 Add extension free function.
(Imported from upstream's 984a30423d70126ed1df30e4b52962398cdaa9b6.)
2014-06-20 13:17:38 -07:00
Adam Langley
29db55944b Remove redundant accessor.
You can do the same thing, and more, with X509_ALGOR_[gs]et0().

(Imported from upstream's 40b0d0765ec8d34654be099456dc1dfb6e1bd3ff)
2014-06-20 13:17:37 -07:00
Adam Langley
7b29449086 AES-NI asm update from master.
(Imported from upstream's 5572bc4e2fb485c0d85bd5b4ec430ae0af65f7ea)
2014-06-20 13:17:37 -07:00
Adam Langley
5c6ca976c8 Update SHA asm from master.
(Imported from upstream's 729d334106e6ef3a2b2f4f9cb2520669a07ae79d)
2014-06-20 13:17:37 -07:00
Adam Langley
bdf8acc2d2 Add more accessors.
(Imported from upstream's cacdfcb2479984d9bfcc79b623118d8af6fea169)
2014-06-20 13:17:37 -07:00
Adam Langley
b152b3d4ed Add accessor for x509.cert_info.
(Imported from upstream's 519ad9b3845c475d29db8b84b59bde7edecb4e70.)
2014-06-20 13:17:37 -07:00
Adam Langley
6887edb917 Improvements in constant-time OAEP decoding.
This change adds a new function, BN_bn2bin_padded, that attempts, as
much as possible, to serialise a BIGNUM in constant time.

This is used to avoid some timing leaks in RSA decryption.
2014-06-20 13:17:37 -07:00
Adam Langley
aacec17a63 Add client functionality to helper tool. 2014-06-20 13:17:37 -07:00