| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
suite uses ephemeral keys. This avoids an issue where an ECHDE cipher suite can
effectively be downgraded to ECDH, if the server omits the ServerKeyExchange
message and has provided a certificate with an ECC public key.
Issue reported to OpenSSL by Karthikeyan Bhargavan.
Based on OpenSSL.
Fixes CVE-2014-3572.
ok beck@
|
| |
|
|
|
|
|
|
|
|
| |
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.
Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were four bugs fixed by this patch:
* dtls1_buffer_record() now frees rdata->rbuf.buf on error. Since
s->s3->rbuf was memset, rdata->rbuf is the only pointer left which
points to the old rbuf. On error, rdata is freed so there will not
be any way of freeing this memory unless we do it here.
* Changed the return code of dtls1_buffer_record() to differentiate
between queue full (0) and error (-1). See below as this differs
from upstream.
* Handle errors if calls to dtls1_buffer_record() fail with -1.
Previously, it did not check the return value.
* Changed the way receipts are recorded. Previously, it was recorded
when processed successfully (whether buffered or not) in
dtls1_process_record(). Now, it records when it is handled in
dtls1_get_record(): either when it is entered into the queue to buffer
for the next epoch or when it is processed directly. Processing
buffered records does not add a receipt because it needed one in
order to get into the queue.
The above bugs combined contributed to an eventual DoS through memory
exhaustion. The memory leak came from dtls1_buffer_record()'s error
handling. The error handling can be triggered by a duplicate record
or malloc failure. It was possible to add duplicate records because
they were not being dropped. The faulty receipts logic did not detect
replays when dealing with records for the next epoch. Additionally,
dtls1_buffer_record()'s return value was not checked so an attacker
could send repeated replay records for the next epoch.
Reported to OpenSSL by Chris Mueller.
Patch based on OpenSSL commit 103b171d8fc282ef435f8de9afbf7782e312961f
and BoringSSL commit 44e2709cd65fbd2172b9516c79e56f1875f60300.
Our patch matches BoringSSL's commit. OpenSSL returns 0 when the queue
is full or when malloc() or pitem_new() fails. They return -1 on error
including !ssl3_setup_buffers() which is another failure to allocate
memory.
BoringSSL and LibreSSL changed the return code for dtls1_buffer_record()
to be 1 on success, 0 when the queue is full and -1 on error.
input + ok bcook@, jsing@
|
| |
|
|
|
|
|
| |
afterwards. openssl has a more complicated fix, but it's less intrusive
for now to simply hoist the expensive part (fake key generation) up without
sweating a branch or two.
ok bcook jsing
|
| |
|
|
| |
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
| |
|
|
|
|
|
|
| |
Remove support for conditional payload alignment, since we would never
want to turn it off. Also, consistently use size_t for calculating the
alignment.
ok miod@
|
| |
|
|
|
|
| |
the new handshake functions.
ok miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
messages. This will allow for removal of repeated/duplicated code.
Additionally, DTLS was written by wholesale copying of the SSL/TLS code,
with some DTLS specifics being added to the duplicated code. Since these
SSL handshake message functions know how to handle both SSL/TLS and DTLS,
upon conversion the duplicate versions will become identical (or close to),
at which point the DTLS versions can be removed and the SSL/TLS versions
used for both protocols.
Partially based on similar changes in OpenSSL.
ok miod@
|
| | |
|
| |
|
|
|
|
|
| |
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.
ok miod@
|
| |
|
|
|
|
|
| |
enabled and I would hope that no one is using client certificates with DTLS
and Netscape, assuming it even supported it...
ok bcook@ miod@
|
| |
|
|
|
|
|
|
| |
calls malloc(). Instead of silently continuing on failure, check the return
value of BIO_new() and propagate failure back to the caller for appropriate
handling.
ok bcook@
|
| |
|
|
|
|
|
| |
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.
Discussed with Dmitry Eremin-Solenikov.
|
| |
|
|
|
|
| |
Based on OpenSSL and BoringSSL.
ok bcook@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
only sometimes being available... and when it was available it was via
the crypto engine. GOST is now part of libcrypto proper.
Instead of trying to do EVP PKEY lookups via string literals and the
ASN1 interfaces, lookup the methods directly using the appropriate NID.
ok bcook@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
the associated peer_rsa_tmp goop.
This was only needed for export cipher handling and intentional RFC
violations. The export cipher suites have already been removed and
previous cleanup means that we will never send ServerKeyExchange messages
from the server side for RSA.
|
| |
|
|
|
|
|
|
| |
storing and processing in wire encoded form.
Inspired by boringssl.
ok miod@
|
| |
|
|
|
|
|
|
| |
The EC curve handling code assumes this to be the case and will read one
byte off the end of the curve list during processing, in the case where it
is not.
ok miod@
|
| |
|
|
|
|
|
| |
the buffer. The later size check would catch this, however reading first
and checking later is less than ideal.
ok miod@
|
| |
|
|
| |
from OpenSSL HEAD via Thomas Jakobi.
|
| |
|
|
|
|
|
| |
ssl3_send_client_key_exchange(), rather than checking it in the key
exchange algorithm specific code.
ok beck@ miod@
|
| |
|
|
|
|
| |
Reported by Felix Groebert of the Google Security Team.
ok beck@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
crafted server response used in conjunction with an anonymous DH or
anonymous ECDH ciphersuite.
Fixes CVE-2014-3510, which is effectively a repeat of CVE-2014-3470 in
copied code.
Reported by Felix Groebert of the Google Security Team.
ok beck@ miod@
|
| |
|
|
|
|
| |
Based on boringssl commit: 1df112448b41c3568477f3fcd3b8fc820ce80066
ok miod@ jsing@
|
| |
|
|
|
| |
This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.
|
| | |
|
| | |
|
| |
|
|
| |
DTLS (whatever that is) instead of for TLS too. ok jsing.
|
| |
|
|
|
|
|
| |
that use these algorithms (and SEED was removed from libcrypto some time
ago).
ok doug@
|
| |
|
|
| |
there are backwards compatible names/aliases for EDH.
|
| |
|
|
|
| |
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.
|
| | |
|
| |
|
|
|
|
|
| |
This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.
Partly based on OpenSSL.
|
| |
|
|
|
|
|
|
|
| |
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).
ok bcook@ miod@
|
| |
|
|
|
|
|
|
| |
SSL3_RT_HANDSHAKE replays.
Reported by Markus Stenberg <markus.stenberg at iki.fi> - thanks!
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modified version of patch from Dmitry Eremin-Solenikov.
==28360== 98 bytes in 2 blocks are definitely lost in loss record 7 of 7
==28360== at 0x402AC54: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28360== by 0x40E2D2C: ASN1_STRING_set (asn1_lib.c:393)
==28360== by 0x40EC22C: asn1_ex_c2i (tasn_dec.c:959)
==28360== by 0x40EC632: asn1_d2i_ex_primitive (tasn_dec.c:824)
==28360== by 0x40ED2E6: ASN1_item_ex_d2i (tasn_dec.c:230)
==28360== by 0x40ED421: ASN1_item_d2i (tasn_dec.c:133)
==28360== by 0x40F0335: d2i_ASN1_OCTET_STRING (tasn_typ.c:75)
==28360== by 0x405FD6D: d2i_SSL_SESSION (ssl_asn1.c:367)
==28360== by 0x405DD6E: ssl3_send_newsession_ticket (s3_srvr.c:2743)
==28360== by 0x405EA48: ssl3_accept (s3_srvr.c:665)
==28360== by 0x4067C34: SSL_accept (ssl_lib.c:922)
==28360== by 0x404E97B: ssl23_get_client_hello (s23_srvr.c:573)
ok miod@ beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
|
| |
intrinsic functions everywhere, and wrap these functions in an
#ifndef LIBRESSL_INTERNAL to make sure we don't bring their use back.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol was deprecated almost 15 years ago.
If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.
General agreement from many.
ok miod@
|
| |
|
|
|
|
|
| |
a compression identifier. In the case of a server using ephemeral EC keys,
the supplied key is unlikely to have a public key where
SSL_CTX_set_tmp_ecdh() is called after SSL_OP_SINGLE_ECDH_USE has been
set. This makes ECDHE ciphers work again for this use case.
|
| |
|
|
|
| |
correct name for EECDH). The EDH and EECDH aliases remain for backwards
compatibility.
|
| |
|
|
|
|
|
| |
ssl_add_clienthello_tlsext() and ssl_add_serverhello_tlsext(), rather than
the current generic naming.
ok miod@
|
| |
|
|
|
|
| |
hand rolling the same code.
ok miod@
|
| |
|
|
|
|
|
|
| |
return the client format list if the client_formats flag is specified.
Use tls1_get_formatlist()/tls1_get_curvelist() in tls1_check_ec_key(),
simplifying the code.
ok miod@
|
| |
|
|
|
|
|
|
|
|
| |
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
jsing
reyk
doug
tedu
miod
bcook
beck