Richard Levitte [Fri, 28 Nov 2014 19:40:10 +0000 (20:40 +0100)]
[PR3597] Advance to the next state variant when reusing messages.
Previously, state variant was not advanced, which resulted in state
being stuck in the st1 variant (usually "_A").
This broke certificate callback retry logic when accepting connections
that were using SSLv2 ClientHello (hence reusing the message), because
their state never advanced to SSL3_ST_SR_CLNT_HELLO_C variant required
for the retry code path.
Reported by Yichun Zhang (agentzh).
Signed-off-by: Piotr Sikora <piotr@cloudflare.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
Alok Menghrajani [Fri, 14 Nov 2014 18:39:41 +0000 (10:39 -0800)]
Improves the proxy certificates howto doc.
The current documentation contains a bunch of spelling and grammar mistakes. I also
found it hard to understand some paragraphs, so here is my attempt to improve its
readability.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 03b637a730e4a298c360cc143de7564060c06324)
Guenter [Thu, 27 Nov 2014 13:33:47 +0000 (13:33 +0000)]
NetWare compilation fix.
Workaround for NetWare CodeWarrior compiler which doesn't properly lookup
includes when in same directory as the C file which includes it.
PR#3569 Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 333fad9f2de1dea99552fcb424b312ca1a390f85)
When using the -xcert option to test certificate validity print out
if we pass Suite B compliance. We print out "not tested" if we aren't
in Suite B mode. Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7d4cdededc371854eb36e773ed18204593e994e1)
Emilia Kasper [Wed, 19 Nov 2014 16:01:36 +0000 (17:01 +0100)]
Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.
(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)
Thanks to Joeri de Ruiter for reporting this issue.
Emilia Kasper [Wed, 19 Nov 2014 15:28:11 +0000 (16:28 +0100)]
Remove ssl3_check_finished.
The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.
Emilia Kasper [Wed, 19 Nov 2014 14:42:43 +0000 (15:42 +0100)]
Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.
New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.
When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.
We should document this somewhere, e.g. wiki, FAQ or manual page. Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 3881d8106df732fc433d30446625dfa2396da42d)
Process signature algorithms before deciding on certificate.
The supported signature algorithms extension needs to be processed before
the certificate to use is decided and before a cipher is selected (as the
set of shared signature algorithms supported may impact the choice). Reviewed-by: Matt Caswell <matt@openssl.org>
Jan Hykel [Sun, 16 Nov 2014 16:51:17 +0000 (16:51 +0000)]
Don't use msg on error.
Don't attempt to access msg structure if recvmsg returns an error.
PR#3483 Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 012aa9ec76b158179b4de44bb5de8b8472045eac)
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table. Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 55f7fb8848b6e4bec291724a479e1580d6f407d6)
Russell Coker [Thu, 25 Jun 2009 05:59:32 +0000 (15:59 +1000)]
Fix datarace reported by valgrind/helgrind
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.
PR3584, https://bugs.debian.org/534534
Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org>
Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH
see RT #3203
Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants. This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org>
Emilia Kasper [Tue, 28 Oct 2014 16:35:59 +0000 (17:35 +0100)]
Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist. Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 14e14bf6964965d02ce89805d9de867f000095aa)
Since SNI will typically switch the SSL_CTX structure to the one
corresponding to the appopriate server we need to parse custom
extensions using the switched SSL_CTX not the original one. This
is done by parsing custom extensions *after* SNI. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Kurt Roeckx [Tue, 21 Oct 2014 18:45:15 +0000 (20:45 +0200)]
Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL. We didn't used to do that, and it breaks things. This is a
regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c. Keep the old
method since the code is not able to deal with a NULL method at this time.
Matt Caswell [Wed, 15 Oct 2014 00:03:32 +0000 (01:03 +0100)]
Fix for SRTP Memory Leak
CVE-2014-3513
This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 95b1752cc7531e4b609aea166f2db1c155ab5bdd)
projects / openssl / log