Commit Graph

2382 Commits

Author SHA1 Message Date
Adam Langley
dacb502cf4 Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml

(Imported from upstream's 6411b83e52fdfd0d3563d50a4dc00838b142fb2c)
2014-06-20 13:17:39 -07:00
Adam Langley
e2c2f60c44 Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.

(Imported from upstream's e9b4b8afbd129adc18d3fe71ca2ab34fe61d8640)
2014-06-20 13:17:39 -07:00
Adam Langley
db4f9521b5 Fix memory leak with client auth.
(Imported from upstream's bc5ec653ba65fedb1619c8182088497de8a97a70)
2014-06-20 13:17:39 -07:00
Adam Langley
64c2223310 Update chain building function.
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can
issue warnings.

(Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
2014-06-20 13:17:39 -07:00
Adam Langley
dff7b9e11b Allow duplicate certs in ssl_build_cert_chain
(Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
2014-06-20 13:17:39 -07:00
Adam Langley
33685b82ec dh/check.c: check BN_CTX_get's return value.
(Imported from upstream's fe69e6be6e551c04d9d6a186c7fee1e635313ca6)
2014-06-20 13:17:39 -07:00
Adam Langley
e0ddf2706a For self signed root only indicate one error.
(Imported from upstream's bdfc0e284c89dd5781259cc19aa264aded538492.)
2014-06-20 13:17:39 -07:00
Adam Langley
8f5b6b9b0f perlasm/x86asm.pl: recognize elf-1 denoting old ELF platforms.
(Imported from upstream's ca88a1d439f72f124d0f23e2d130e56bbcbb93a9)
2014-06-20 13:17:39 -07:00
Adam Langley
9612b766ae perlasm/x86gas.pl: limit special OPENSSL_ia32cap_P treatment to ELF.
(Imported from upstream's 5615196f7bd467f1e56e275bf740a62caa04d107.)
2014-06-20 13:17:39 -07:00
Adam Langley
9a7cb38882 rc4/asm/rc4-586.pl: allow for 386-only build.
(Imported from upstream's 1f59eb5f111149eb0cf5cdc2b378cfa0fbdfa9c3)
2014-06-20 13:17:39 -07:00
Adam Langley
43134282d0 sha/asm/sha256-586.pl: don't try to compile SIMD with no-sse2.
(Imported from upstream's d00ae7cf7019847c5d35728b01b22461a01bb336)
2014-06-20 13:17:39 -07:00
Adam Langley
bd97c20c77 sha/asm/sha512-x86_64.pl: fix compilation error on Solaris.
(Imported from upstream's f92926e33175b0ef874244ba7d66dd987a862750)
2014-06-20 13:17:39 -07:00
Adam Langley
9f61d7f4a1 ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201

(Imported from upstream's 8d08627c940900998d02a0dff0566db736efb94f)
2014-06-20 13:17:38 -07:00
Adam Langley
c83b1ceae2 x509/by_dir.c: fix run-away pointer.
fix run-away pointer (and potential SEGV) when adding duplicates in
add_cert_dir.

PR: 3261
Reported by: Marian Done

(Imported from upstream's 83fe7b9c8321d5ffb6bfe67df85ed66ceb97102f)
2014-06-20 13:17:38 -07:00
Adam Langley
f669c2d91a New chain building flags.
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

(Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
2014-06-20 13:17:38 -07:00
Adam Langley
5685363771 aes/asm/aesni-x86[_64].pl: minor Atom-specific performance tweak.
(Imported from upstream's 2d4d9623da229162ad4377174526af3c01b1707a)
2014-06-20 13:17:38 -07:00
Adam Langley
114a711f8b aes/asm/aesni-x86_64.pl: further optimization for Atom Silvermont.
Improve CBC decrypt and CTR by ~13/16%, which adds up to ~25/33%
improvement over "pre-Silvermont" version. [Add performance table to
aesni-x86.pl].

(Imported from upstream's b347341c75656cf8bc039bd0ea5e3571c9299687)
2014-06-20 13:17:38 -07:00
Adam Langley
a993a70d6d Include self-signed flag in certificates.
Include self-signed flag in certificates by checking SKID/AKID as well as
issuer and subject names. Although this is an incompatible change it should
have little impact in pratice because self-issued certificates that are not
self-signed are rarely encountered.

(Imported from upstream's c00f8d697aed17edbd002e2f6c989d8fbd7c4ecf)
2014-06-20 13:17:38 -07:00
Adam Langley
ec72cf5a1c Include TA in checks/callback with partial chains.
When a chain is complete and ends in a trusted root checks are also performed
on the TA and the callback notified with ok==1. For consistency do the same for
chains where the TA is not self signed.

(Imported from upstream's b07e4f2f46fc286c306353d5e362cbc22c8547fb)
2014-06-20 13:17:38 -07:00
Adam Langley
35163dc925 Add cert_self_signed function to simplify verify.
(Imported from upstream's ced6dc5cefca57b08e077951a9710c33b709e99e)
2014-06-20 13:17:38 -07:00
Adam Langley
a216d03d0e Simplify X509_STORE_CTX_get1_chain.
(Imported from upstream's bf2d129194d5a8f2ccf5ff5261ab755e4fc9f98e)
2014-06-20 13:17:38 -07:00
Adam Langley
d81f801f6d ghash-x86[_64].pl: ~15% improvement on Atom Silvermont
(other processors unaffected).

(Imported from upstream's 7078d93307d795cec577ec4a792b72fffed551ab)
2014-06-20 13:17:38 -07:00
Adam Langley
b6333d600e Return per-certificate chain if extra chain is NULL.
If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only

(Imported from upstream's e0d4272a583c760ce008b661b79baf8b3ff24561 and
3bff195dca617c4ec1630945fef93b792b418cc8)
2014-06-20 13:17:38 -07:00
Adam Langley
6d43d0c4d6 Add extension free function.
(Imported from upstream's 984a30423d70126ed1df30e4b52962398cdaa9b6.)
2014-06-20 13:17:38 -07:00
Adam Langley
29db55944b Remove redundant accessor.
You can do the same thing, and more, with X509_ALGOR_[gs]et0().

(Imported from upstream's 40b0d0765ec8d34654be099456dc1dfb6e1bd3ff)
2014-06-20 13:17:37 -07:00
Adam Langley
7b29449086 AES-NI asm update from master.
(Imported from upstream's 5572bc4e2fb485c0d85bd5b4ec430ae0af65f7ea)
2014-06-20 13:17:37 -07:00
Adam Langley
5c6ca976c8 Update SHA asm from master.
(Imported from upstream's 729d334106e6ef3a2b2f4f9cb2520669a07ae79d)
2014-06-20 13:17:37 -07:00
Adam Langley
bdf8acc2d2 Add more accessors.
(Imported from upstream's cacdfcb2479984d9bfcc79b623118d8af6fea169)
2014-06-20 13:17:37 -07:00
Adam Langley
b152b3d4ed Add accessor for x509.cert_info.
(Imported from upstream's 519ad9b3845c475d29db8b84b59bde7edecb4e70.)
2014-06-20 13:17:37 -07:00
Adam Langley
6887edb917 Improvements in constant-time OAEP decoding.
This change adds a new function, BN_bn2bin_padded, that attempts, as
much as possible, to serialise a BIGNUM in constant time.

This is used to avoid some timing leaks in RSA decryption.
2014-06-20 13:17:37 -07:00
Adam Langley
aacec17a63 Add client functionality to helper tool. 2014-06-20 13:17:37 -07:00
Adam Langley
c5c0c7e853 Split the speed tests into their own file. 2014-06-20 13:17:37 -07:00
Adam Langley
80842bdb44 Fix test of first of 255 CBC padding bytes.
Thanks to Peter Gijsels for pointing out that if a CBC record has 255
bytes of padding, the first was not being checked.
2014-06-20 13:17:37 -07:00
Adam Langley
cd8128d618 This change merges upstream's updated ppc-xlate.pl. 2014-06-20 13:17:37 -07:00
Adam Langley
01797e309f psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.
2014-06-20 13:17:37 -07:00
Adam Langley
aed2306b9d Refactor ssl3_send_client_verify.
The original logic was a confusing spaghetti and mixed up initialization
for all the different cases together.
2014-06-20 13:17:37 -07:00
Adam Langley
28acbbc2d6 Add SSL_get_client_certificate_types.
Exposes the certificate_types parameter in a CertificateRequest.

Transplanted from https://codereview.chromium.org/254723002/
2014-06-20 13:17:36 -07:00
Adam Langley
64bda23cad Base64 padding fix.
https://rt.openssl.org/Ticket/Display.html?id=2608

Previously, this input to the base64 code:

================================================================================-

Would cause the output length of EVP_DecodeUpdate to be negative. When
that happened in the base64 BIO, it would crash. In PEM decoding, the
ASN.1 code actually maintains signed lengths and manages to simply error
out!
2014-06-20 13:17:36 -07:00
Adam Langley
c3174b7b2d Move ECC extensions to end.
Move ECC SSL extensions to the end.

WebSphere Application Server 7.0 appears to be intolerant of an empty
extension at the end. To that end, also ensure we never send an empty
padding extension.
2014-06-20 13:17:36 -07:00
Adam Langley
c6c8ae8fae Fix use-after-free after a deferred alert.
The KLEE folks (who do symbolic execution of code) found a crash:
http://marc.info/?l=openssl-dev&m=139809493725682&w=2
2014-06-20 13:17:36 -07:00
Adam Langley
0289c73051 Fix TLS-PSK identity hint implementation issues.
PSK identity hint can be stored in SSL_CTX and in SSL/SSL_SESSION,
similar to other TLS parameters, with the value in SSL/SSL_SESSION
taking precedence over the one in SSL_CTX. The value in SSL_CTX is
shared (used as the default) between all SSL instances associated
with that SSL_CTX, whereas the value in SSL/SSL_SESSION is confined
to that particular TLS/SSL connection/session.

The existing implementation of TLS-PSK does not correctly distinguish
between PSK identity hint in SSL_CTX and in SSL/SSL_SESSION. This
change fixes these issues:
1. SSL_use_psk_identity_hint does nothing and returns "success" when
   the SSL object does not have an associated SSL_SESSION.
2. On the client, the hint in SSL_CTX (which is shared between
   multiple SSL instances) is overwritten with the hint received from
   server or reset to NULL if no hint was received.
3. On the client, psk_client_callback is invoked with the hint from
   SSL_CTX rather than from current SSL/SSL_SESSION (i.e., the one
   received from the server). Issue #2 above masks this issue.
4. On the server, the hint in SSL/SSL_SESSION is ignored and the hint
   from SSL_CTX is sent to the client.
5. On the server, the hint in SSL/SSL_SESSION is reset to the one in
   SSL_CTX after the ClientKeyExchange message step.

This change fixes the issues by:
* Adding storage for the hint in the SSL object. The idea being that
  the hint in the associated SSL_SESSION takes precedence.
* Reading the hint during the handshake only from the associated
  SSL_SESSION object.
* Initializing the hint in SSL object with the one from the SSL_CTX
  object.
* Initializing the hint in SSL_SESSION object with the one from the
  SSL object.
* Making SSL_use_psk_identity_hint and SSL_get_psk_identity_hint
  set/get the hint to/from SSL_SESSION associated with the provided
  SSL object, or, if no SSL_SESSION is available, set/get the hint
  to/from the provided SSL object.
* Removing code which resets the hint during handshake.
2014-06-20 13:17:36 -07:00
Adam Langley
aeb088ac09 EC infinity fix.
Fix handling of points at infinity in ec_GFp_simple_points_make_affine.
When inverting an array of Z coordinates, the algorithm is supposed to
treat any 0 essentially like a 1 to remain in the multiplicative group;
however, for one of the cases, we incorrectly multiplied by 0 and thus
ended up with garbage.
2014-06-20 13:17:36 -07:00
Adam Langley
a5dc545bbc Set SID from SSL_CTX
This change ensures that the session ID context of an SSL* is updated
when its SSL_CTX is updated.
2014-06-20 13:17:36 -07:00
Adam Langley
dc9b141127 Early callback support. 2014-06-20 13:17:36 -07:00
Adam Langley
b0c235ed36 TLS extension limit check fixes.
Fix limit checks in ssl_add_clienthello_tlsext and
ssl_add_serverhello_tlsext.

Some of the limit checks reference p rather than ret. p is the original
buffer position, not the current one. Fix those and rename p to orig so
it's clearer.
2014-06-20 13:17:36 -07:00
Adam Langley
2970779684 Fallback SCSV.
This patch adds server-side support for TLS_FALLBACK_SCSV (see
http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01).
2014-06-20 13:17:36 -07:00
Adam Langley
735107652b Const correctness.
This change fixes a number of build warnings.
2014-06-20 13:17:36 -07:00
Adam Langley
858a88daf2 Equal preference cipher groups.
This change implements equal-preference groups of cipher suites. This
allows, for example, a server to prefer one of AES-GCM or ChaCha20
ciphers, but to allow the client to pick which one. When coupled with
clients that will boost AES-GCM in their preferences when AES-NI is
present, this allows us to use AES-GCM when the hardware exists and
ChaCha20 otherwise.
2014-06-20 13:17:35 -07:00
Adam Langley
c26c802a89 Implement ECDHE-PSK-WITH-AES-128-GCM-SHA256. 2014-06-20 13:17:35 -07:00
Adam Langley
d493d5289d CBC record splitting.
This patch removes support for empty records (which is almost
universally disabled via SSL_OP_ALL) and adds optional support for 1/n-1
record splitting.

The latter is not enabled by default, since it's not typically used on
servers, but it should be enabled in web browsers since there are known
attacks in that case (see BEAST).
2014-06-20 13:17:35 -07:00