Commit Graph

5286 Commits

Author SHA1 Message Date
Adam Langley
735107652b Const correctness.
This change fixes a number of build warnings.
2014-06-20 13:17:36 -07:00
Adam Langley
858a88daf2 Equal preference cipher groups.
This change implements equal-preference groups of cipher suites. This
allows, for example, a server to prefer one of AES-GCM or ChaCha20
ciphers, but to allow the client to pick which one. When coupled with
clients that will boost AES-GCM in their preferences when AES-NI is
present, this allows us to use AES-GCM when the hardware exists and
ChaCha20 otherwise.
2014-06-20 13:17:35 -07:00
Adam Langley
c26c802a89 Implement ECDHE-PSK-WITH-AES-128-GCM-SHA256. 2014-06-20 13:17:35 -07:00
Adam Langley
d493d5289d CBC record splitting.
This patch removes support for empty records (which is almost
universally disabled via SSL_OP_ALL) and adds optional support for 1/n-1
record splitting.

The latter is not enabled by default, since it's not typically used on
servers, but it should be enabled in web browsers since there are known
attacks in that case (see BEAST).
2014-06-20 13:17:35 -07:00
Adam Langley
509e5ed201 Optionally no cert request if ChannelID.
This change allows a server be to configured to skip a
CertificateRequest if the client presented a ChannelID.
2014-06-20 13:17:35 -07:00
Adam Langley
5c270c590d Use AEAD for AES256-GCM. 2014-06-20 13:17:35 -07:00
Adam Langley
77b7e63311 Adjust stack pointer in AES-NI CBC decryption.
This change adjusts the stack pointer during CBC decryption. The code
was previously using the red zone across function calls and valgrind
thinks that the "unused" stack is undefined after a function call.
2014-06-20 13:17:35 -07:00
Adam Langley
409766d218 Add function to recover RSA CRT params.
Some RSA private keys are specified with only n, e and d. Although we
can use these keys directly, it's nice to have a uniform representation
that includes the precomputed CRT values. This change adds a function
that can recover the primes from a minimal private key of that form.
2014-06-20 13:17:35 -07:00
Adam Langley
88dfe26ff8 Add AEAD speed tests to the tool binary. 2014-06-20 13:17:35 -07:00
Adam Langley
de0b202684 ChaCha20-Poly1305 support. 2014-06-20 13:17:35 -07:00
Adam Langley
d8983ce0f2 Use AEAD for AES-GCM in TLS. 2014-06-20 13:17:35 -07:00
Adam Langley
dfe3053086 AEAD tests. 2014-06-20 13:17:34 -07:00
Adam Langley
c9fb37504f SSL AEAD support.
This change allows AEADs to be used in ssl/ to implement SSL/TLS
ciphersuites.
2014-06-20 13:17:34 -07:00
Adam Langley
fd772a5aeb AEAD interface.
This change adds an AEAD interface to EVP and an AES-GCM implementation
suitable for use in TLS.
2014-06-20 13:17:34 -07:00
Adam Langley
a5fa5b7bb6 tls1_change_cipher_state rewrite
The previous version of the function made adding AEAD changes very
difficult. This change should be a semantic no-op - it should be purely
a cleanup.
2014-06-20 13:17:34 -07:00
Adam Langley
1b9d47735c Optionally don't store client's cipher list.
This change causes the client's list of ciphers to be freed as soon as
we have sent a server-hello. This saves small, but useful, amount of
memory.
2014-06-20 13:17:34 -07:00
Adam Langley
0b5c1ac8ad TLS 1.1 ciphers.
This patch adds support for a different cipher list when the connection
is using TLS 1.1. This is intended to support the case where we want to
use AES with >= TLS 1.1 clients but RC4 otherwise because of the BEAST
attack.
2014-06-20 13:17:34 -07:00
Adam Langley
acff73f227 Constant-time, RSA PMS processing.
This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.
2014-06-20 13:17:34 -07:00
Adam Langley
7d0a1d680c Fix padding side-channels.
This patch tweaks the OAEP padding check to be slightly more constant
time and rewrites the PKCS#1 v1.5 padding check to the same end.
2014-06-20 13:17:34 -07:00
Adam Langley
f71a27920a Fix EC crash.
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----
2014-06-20 13:17:34 -07:00
Adam Langley
27ae9ed774 Small prime generation.
Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.

This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.
2014-06-20 13:17:34 -07:00
Adam Langley
61bb3ddfab Ensure that x**0 mod 1 = 0. 2014-06-20 13:17:34 -07:00
Adam Langley
ebebf87d6d Add needed volatile qualifications.
Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.
2014-06-20 13:17:33 -07:00
Adam Langley
4d4bff89bb Cipher family functions.
This change adds functions to check membership of various cipher
families. Clients and servers need this in order to optimise the size of
records because different families have different amounts of prefix and
postfix overhead.
2014-06-20 13:17:33 -07:00
Adam Langley
48105fa215 Empty record limit.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.
2014-06-20 13:17:33 -07:00
Adam Langley
d4b4f085d9 Safe (EC)DSA nonces.
This change causes (EC)DSA nonces be to calculated by hashing the
message and private key along with entropy.
2014-06-20 13:17:33 -07:00
Adam Langley
6aea58d0ea Check for invalid divisors in BN_div. 2014-06-20 13:17:33 -07:00
Adam Langley
1258b6a756 ChannelID support.
Implement ChannelID as both a client and server.
2014-06-20 13:17:33 -07:00
Adam Langley
75872534c2 Optionally, retain only SHA-256 of client cert.
Adds an option to retain only the SHA256 of a client certificate in
memory and in the serialized session state.
2014-06-20 13:17:33 -07:00
Adam Langley
95f22882a7 Add function to test headers agree.
Add a function to test that structure sizes match inside and outside of
OpenSSL.
2014-06-20 13:17:33 -07:00
Adam Langley
75b833cc81 OpenSSL: make final reduction in Montgomery multiplication constant-time.
(The issue was reported by Shay Gueron.)

The final reduction in Montgomery multiplication computes if (X >= m) then X =
X - m else X = X

In OpenSSL, this was done by computing T = X - m,  doing a constant-time
selection of the *addresses* of X and T, and loading from the resulting
address. But this is not cache-neutral.

This patch changes the behaviour by loading both X and T into registers, and
doing a constant-time selection of the *values*.

TODO(fork): only some of the fixes from the original patch still apply to
the 1.0.2 code.
2014-06-20 13:17:33 -07:00
Adam Langley
b36a3156b6 Add another bn modexp test.
Add a test based on multiplication optimizations from OpenSSL HEAD
(1.1.0-dev) Based on openssl-SNAP-20111003
2014-06-20 13:17:33 -07:00
Adam Langley
520ed0446c GOT-relative lookups in RC4 code. 2014-06-20 13:17:32 -07:00
Adam Langley
b2ce05839b Add support for asynchronous session lookup. 2014-06-20 13:17:32 -07:00
Adam Langley
adb739e1e5 False Start support.
(Called "cut through" for historical reasons in this patch.)

Enables SSL3+ clients to send application data immediately following the
Finished message even when negotiating full-handshakes.  With this
patch, clients can negotiate SSL connections in 1-RTT even when
performing full-handshakes.
2014-06-20 13:17:32 -07:00
Adam Langley
95c29f3cd1 Inital import.
Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta).

(This change contains substantial changes from the original and
effectively starts a new history.)
2014-06-20 13:17:32 -07:00