Commit Graph

2635 Commits

Author SHA1 Message Date
Adam Langley
d031f11596 Remove |num_rounds| argument from chacha_core.
The function was hard-coded to 20 rounds already so the argument was
already useless. Thanks to Huzaifa Sidhpurwala for noticing.

Change-Id: I5f9d6ca6d46c6ab769b19820f8f918349544846d
2014-06-23 13:14:13 -07:00
Adam Langley
3213bed728 Remove GOST support code from ssl/
Also remove related quirk, SSL_OP_CRYPTOPRO_TLSEXT_BUG. Glue code is
left in for now.

Change-Id: Ic09593dabf7da6ba3904fffe59f322a7c7cb74f4
2014-06-23 12:26:07 -07:00
Adam Langley
ac61fa379f Implement TLS_FALLBACK_SCSV support for the client.
With this change, calling SSL_enable_fallback_scsv on a client SSL* will
cause the fallback SCSV to be sent.

This is intended to be set when the client is performing TLS fallback
after a failed connection. (This only happens if the application itself
implements this behaviour: OpenSSL does not do fallback automatically.)

The fallback SCSV indicates to the server that it should reject the
connection if the version indicated by the client is less than the
version supported by the server.

See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02.

Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
2014-06-23 12:03:11 -07:00
Adam Langley
bbb42ffaf4 Silence spurious GCC warning.
Change-Id: Iae1d12a25184261fef175b39e5dbc84afb1c006c
2014-06-23 11:25:49 -07:00
Adam Langley
f3a95c4d67 Reduce elliptic curves and formats in ClientHello.
Advertise support of only the NIST curves P-521, P-384, and P-256, as
well as only uncompressed points.

(Imported from Chromium:
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/openssl/patches.chromium/0005-reduce_client_hello_size.patch?revision=231571)

Change-Id: I0b509b182b224bdf7aa9a4ffed24c00495c2cf75
2014-06-20 15:50:41 -07:00
Adam Langley
4ac0b38cfc Try both old and new X.509 hashes.
Ensure the library can find the right files under /etc/ssl/certs when
running on older systems.

There are many symbolic links under /etc/ssl/certs created by using
hash of the PEM certificates in order for OpenSSL to find those
certificates. Openssl has a tool to help you create hash symbolic
links (tools/c_rehash). However newer versions of the library changed
the hash algorithm, which makes it unable to run properly on systems
that use the old /etc/ssl/certs layout (e.g. Ubuntu Lucid).

This patch gives a way to find a certificate according to its hash by
using both the old and new algorithms. http://crbug.com/111045 is used
to track this issue.

(Imported from Chromium:
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/openssl/patches.chromium/0003-x509_hash_name_algorithm_change.patch?revision=231571)

Change-Id: Idbc27aba7685c991f8b94cfea38cf4f3f4b38adc
2014-06-20 15:31:01 -07:00
Adam Langley
3ffd70ec36 crypto/sha/asm/sha[1,512]-x86_64.pl: Windows build
This change stops the Intel, SHA instruction code from breaking the
Windows build.
2014-06-20 13:17:43 -07:00
Adam Langley
b0d5fb6c74 Add OPENSSL_str[n]casecmp
Windows has different names for these functions and also doesn't have
the strings.h header in which they appear.

This change adds tiny wrapper functions for Windows.
2014-06-20 13:17:43 -07:00
Adam Langley
94d86b1f67 Remove unused DANE macros. This should be the last DANE stuff...
(Imported from upstream's 23351c607b1cdcbef15b4052f2e9ebc4d2ecbd67)
2014-06-20 13:17:43 -07:00
Adam Langley
464f3a147c Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only
(Imported from upstream's cfbc10fb327cf8535d6e9b402d1d03140d23d753)
2014-06-20 13:17:43 -07:00
Adam Langley
a433cbdc4f Accept CCS after sending finished.
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.

PR#3400

(Imported from upstream's 90d94ce39ecc2fad7fb2b8eb6bde0c669a65ee81)
2014-06-20 13:17:43 -07:00
Adam Langley
956665b32b sha1-x86_64.pl: add missing rex prefix in shaext.
PR: 3405

(Imported from upstream's 1f6d2076256761b44e7336b496ab0887f90cea69)
2014-06-20 13:17:42 -07:00
Adam Langley
8241005bfa Client-side namecheck wildcards.
A client reference identity of ".example.com" matches a server certificate
presented identity that is any sub-domain of "example.com" (e.g.
"www.sub.example.com).

With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches only direct
child sub-domains (e.g. "www.sub.example.com"). (cherry picked from commit
e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357)

(Imported from upstream's 3cc8a3f2343cda796de90c127b9e907ca3ec2da5)
2014-06-20 13:17:42 -07:00
Adam Langley
4c65f3a2f1 Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index
validation before accessing arrays.

PR#3375

(Imported from upstream's 3d86077427f93dc46b18fee706b567ec32ac232a)
2014-06-20 13:17:42 -07:00
Adam Langley
006779a02c Add benchmarks for hash functions to bssl speed. 2014-06-20 13:17:42 -07:00
Adam Langley
cb5dd63e5e Add support for Intel SHA extension.
(Imported from upstream's 70fddbe32a7b3400a6ad0a9265f2c0ed72988d27)
2014-06-20 13:17:42 -07:00
Adam Langley
87750b433a Added OPENSSL_assert check as per PR#3377 reported by Rainer Jung <rainer.jung@kippdata.de>
(Imported from upstream's 955bfbc2686153b50aebb045a42d96e5b026e29c)
2014-06-20 13:17:42 -07:00
Adam Langley
0823800db3 Remove unimplemented functions.
(Imported from upstream's 5af09776cecd193a2f2c9a078abd90618fbea55c)
2014-06-20 13:17:42 -07:00
Adam Langley
20c57547d0 ghash-x86_64.pl: optimize for upcoming Atom.
(Imported from upstream's 66aeaec067680e4a4ab956dcf30a295aaba07e2c)
2014-06-20 13:17:42 -07:00
Adam Langley
0fbf33a691 Fixed incorrect return code handling in ssl3_final_finish_mac.
Based on an original patch by Joel Sing (OpenBSD) who also originally
identified the issue.

(Imported from upstream's 728bd41a159ea16a60111e7c1120ec2a005507b3)
2014-06-20 13:17:42 -07:00
Adam Langley
e044fe4bc7 Fix null pointer errors.
PR#3394

(Imported from upstream's cea5a1d5f255a6a186cd7944c4a312612da965f3)
2014-06-20 13:17:42 -07:00
Adam Langley
8314351bcc Update strength_bits for 3DES.
Fix strength_bits to 112 for 3DES.

(Imported from upstream's 05b2210476d3b2b0f24159112ccaea65e55831e5)
2014-06-20 13:17:42 -07:00
Adam Langley
6acf476eb6 Make tls_session_secret_cb work with CVE-2014-0224 fix.
If application uses tls_session_secret_cb for session resumption set the
CCS_OK flag.

(Imported from upstream's a21f350a76b34b66dcaf9c1676baec945f32e980)
2014-06-20 13:17:41 -07:00
Adam Langley
bed2214b3e Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.

(Imported from upstream's eb6508d50c9a314b88ac155bd378cbd79a117c92)
2014-06-20 13:17:41 -07:00
Adam Langley
ce7f9caa98 Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.

(Imported from upstream's 77719aefb8f549ccc7f04222174889615d62057b)
2014-06-20 13:17:41 -07:00
Adam Langley
ec48ffc1fe Additional CVE-2014-0224 protection.
Return a fatal error if an attempt is made to use a zero length
master secret.

(Imported from upstream's 9d2c9dd1e1a452939a733b638d180bb308ce72a9)
2014-06-20 13:17:41 -07:00
Adam Langley
895780572b Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without
recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.

(Imported from upstream's 8942b92c7cb5fa144bd79b7607b459d0b777164c)
2014-06-20 13:17:41 -07:00
Adam Langley
d06eddd15c Fix CVE-2014-3470
Check session_cert is not NULL before dereferencing it.

(Imported from upstream's e5f706590c7b1f19ca34415593aebdb6cbef355b)
2014-06-20 13:17:41 -07:00
Adam Langley
b7bf53c808 Check there is enough room for extension.
(Imported from upstream's 56b94a38b9a2197210a110c4a01a39ac75b34ce8)
2014-06-20 13:17:41 -07:00
Adam Langley
fb5cd20236 Free up s->d1->buffered_app_data.q properly.
PR#3286

(Imported from upstream's d52eb82781eff1f8245ae9c16c84db765f037cbe)
2014-06-20 13:17:41 -07:00
Adam Langley
f10a63b050 Typo: set i to -1 before goto.
PR#3302

(Imported from upstream's 646886682373e76dee233f7b918dec0c83e180fc)
2014-06-20 13:17:41 -07:00
Adam Langley
d74d7d030c Added SSLErr call for internal error in dtls1_buffer_record
(Imported from upstream's de8a5b523f38377c8e0d9098ebff880749156db6)
2014-06-20 13:17:41 -07:00
Adam Langley
3a54f9e015 Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug.
PR#3362

(Imported from upstream's 8de85b00484e7e4ca6f0b6e174fb1dc97db91281)
2014-06-20 13:17:41 -07:00
Adam Langley
a09d2127ea Set default global mask to UTF8 only.
(Imported from upstream's 08b172b975bcd5854f9201b9f89d05dc330adb79)
2014-06-20 13:17:41 -07:00
Adam Langley
ce1cfe169a Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361

(Imported from upstream's 856a4585d6f7a856b90c93792cf1c1ed968d4a4b)
2014-06-20 13:17:40 -07:00
Adam Langley
caddf1c4de Use correct digest when exporting keying material.
PR#3319

(Imported from upstream's 87a0cbdf2ee539ea922f9cf7a4b7c2c03119891d)
2014-06-20 13:17:40 -07:00
Adam Langley
467c87e318 remove duplicate 0x for default RSASSA-PSS salt len
(Imported from upstream's 42d73874edb4eb6681b769d9850afebe97adf329)
2014-06-20 13:17:40 -07:00
Adam Langley
dc160f84f5 Fixes to host checking.
Fixes to host checking wild card support and add support for setting
host checking flags when verifying a certificate chain.

(Imported from upstream's a2219f6be36d12f02b6420dd95f819cf364baf1d)
2014-06-20 13:17:40 -07:00
Adam Langley
3e449b1b05 Don't allocate more than is needed in BUF_strndup()
(Imported from upstream's 4ceb430a468e8226175aa3f169c0e746877c17e1,
4f7236edc7d5c384bdb148faf7b23f887cf18f69 and
ed693e43329383c0d68455d83778cdc9748a074d)
2014-06-20 13:17:40 -07:00
Adam Langley
b4b9914f74 Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(Imported from upstream's 2312a84ca17c5ac133581552df7024957cf15bc8)
2014-06-20 13:17:40 -07:00
Adam Langley
45fb1eca0d Sync with upstream's fix for PR#3321.
(Imported from upstream's f710c3f198c9980a1056bac9b4b9617554254671)
2014-06-20 13:17:40 -07:00
Adam Langley
041240485d Avoid out-of-bounds write in SSL_get_shared_ciphers
PR: 3317

(Imported from upstream's 8571902e238ba2ef1517185c2a662c03f51dc1bf and
1f5bce2dcebbb5059c2a5ecf4037432e8041cc07)
2014-06-20 13:17:40 -07:00
Adam Langley
9611cfcb9f safety check to ensure we dont send out beyond the users buffer
(Imported from upstream's 011ee91105f00cb2465110ce6431b11b51556d08 and
f2ebe2a60eacf3e348898175be82971b57d72327)
2014-06-20 13:17:40 -07:00
Adam Langley
f77452c572 fix coverity issue 966597 - error line is not always initialised
(Imported from upstream's afe343c3a7077caeaad43a9f2ee7e5d7f70076e5)
2014-06-20 13:17:40 -07:00
Adam Langley
c8e91d5798 bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as noted by
Daniel Sands and co at Sandia. This was to handle the case that 2 or more
threads race to lazy-init the same context, but stunted all scalability in the
case where 2 or more threads are doing unrelated things! We favour the latter
case by punishing the former. The init work gets done by each thread that finds
the context to be uninitialised, and we then lock the "set" logic after that
work is done - the winning thread's work gets used, the losing threads throw
away what they've done.

(Imported from upstream's bf43446835bfd3f9abf1898a99ae20f2285320f3)
2014-06-20 13:17:40 -07:00
Adam Langley
cdf96e5886 Double free in i2o_ECPublicKey
PR: 3338

(Imported from upstream's e34af3ec2b1230a8a523d383f7de505f7cbd381d)
2014-06-20 13:17:40 -07:00
Adam Langley
eceb33d3af bignum: fix boundary condition in montgomery logic
It's not clear whether this inconsistency could lead to an actual
computation error, but it involved a BIGNUM being passed around the
montgomery logic in an inconsistent state. This was found using flags
-DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion
in 'ectest';

ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) ||
(_bnum2->d[_bnum2->top - 1] != 0)' failed

(Imported from upstream's 3cc546a3bbcbf26cd14fc45fb133d36820ed0a75)
2014-06-20 13:17:40 -07:00
Adam Langley
6a57f92195 bn/asm/armv4-gf2m.pl, modes/asm/ghash-armv4.pl: faster multiplication algorithm suggested in following paper:
Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
Polynomial Multiplication on ARM Processors using the NEON Engine.

http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf

(Imported from upstream's 0fb3d5b4fdc76b8d4a4700d03480cda135c6c117)
2014-06-20 13:17:40 -07:00
Adam Langley
89b73fbafa aes/asm/bsaes-x86_64.pl: Atom-specific optimization.
(Imported from upstream's ffdff9f12f028e4075b473a2a21e51c5bcc2bbd9)
2014-06-20 13:17:40 -07:00
Adam Langley
4a35a93a12 Fix use after free.
(Imported from upstream's a0fe2e72c48166c9c4bb423397723de1fb6227b0)
2014-06-20 13:17:40 -07:00