- Jan 30, 2017
-
-
Matt Caswell authored
Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2259)
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
This mops up various edge cases with key_shares and makes sure we still generate the handshake secret if we haven't been provided with one but we have a PSK. Reviewed-by:
-
Matt Caswell authored
Requires a refactor of the ServerHello parsing, so that we parse first and then subsequently process. This is because the resumption information is held in the extensions block which is parsed last - but we need to know that information earlier. Reviewed-by:
-
Matt Caswell authored
Update SSL_SESSION to store the age_add and use it where needed. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
For the psk extension we need to fill in all the lengths of the message so far, even though we haven't closed the WPACKET yet. This provides a function to do that. Reviewed-by:
-
Matt Caswell authored
Previously "-sess_out" wrote out the session as soon as the handshake finished. In TLSv1.3 this won't work because the NewSessionTicket message arrives post-handshake. Instead we use the session callback mechanism to do this. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
These functions are problematic in TLSv1.3 because the server sends the NewSessionTicket message after the handshake has finished. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
This is required for the later addition of resumption support. Reviewed-by:
-
Matt Caswell authored
We still ignore it for now, but at least its in the right place. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
The record layer was making decisions that should really be left to the state machine around unexpected handshake messages that are received after the initial handshake (i.e. renegotiation related messages). This commit removes that code from the record layer and updates the state machine accordingly. This simplifies the state machine and paves the way for handling other messages post-handshake such as the NewSessionTicket in TLSv1.3. Reviewed-by:
-
Matt Caswell authored
This flag is never set by anything so remove it. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
- Jan 29, 2017
-
-
Ben Laurie authored
Reviewed-by:
-
Richard Levitte authored
On error, i2o_SCT_signature() and i2o_SCT() free a pointer that may have wandered off from the start of the allocated block (not currently true for i2o_SCT_signature(), but has that potential as the code may change. To avoid this, save away the start of the allocated block and free that instead. Thanks to Guido Vranken for reporting this issue. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- Jan 28, 2017
-
-
Kurt Roeckx authored
Reviewed-by: -
Rich Salz authored
Reviewed-by:
Kurt Roeckx <kurt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2317)
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
X509_CRL_digest() didn't check if the precomputed sha1 hash was actually present. This also makes sure there's an appropriate flag to check. Reviewed-by:
-
Richard Levitte authored
The pointer that was freed in the SSLv2 section of ssl_bytes_to_cipher_list may have stepped up from its allocated position. Use a pointer that is guaranteed to point at the start of the allocated block instead. Reviewed-by:
-
- Jan 26, 2017
-
-
Rich Salz authored
Reviewed-by:
Stephen Henson <steve@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2299)
-
Dr. Stephen Henson authored
Add a client authentication signature algorithm to simple ssl test and a server signature algorithm. Since we don't do client auth this should have no effect. However if we use client auth signature algorithms by mistake this will abort the handshake with a no shared signature algorithms error. Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:Richard Levitte <levitte@openssl.org>
-
Andy Polyakov authored
CVE-2017-3732 Reviewed-by: -
Andy Polyakov authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by:Viktor Dukhovni <viktor@openssl.org>
-
Richard Levitte authored
When the client reads DH parameters from the TLS stream, we only checked that they all are non-zero. This change updates the check to use DH_check_params() DH_check_params() is a new function for light weight checking of the p and g parameters: check that p is odd check that 1 < g < p - 1 Reviewed-by: -
Andy Polyakov authored
Originally a crash in 32-bit build was reported CHACHA20-POLY1305 cipher. The crash is triggered by truncated packet and is result of excessive hashing to the edge of accessible memory. Since hash operation is read-only it is not considered to be exploitable beyond a DoS condition. Other ciphers were hardened. Thanks to Robert Święcki for report. CVE-2017-3731 Reviewed-by: -
Andy Polyakov authored
Originally a crash in 32-bit build was reported CHACHA20-POLY1305 cipher. The crash is triggered by truncated packet and is result of excessive hashing to the edge of accessible memory (or bogus MAC value is produced if x86 MD5 assembly module is involved). Since hash operation is read-only it is not considered to be exploitable beyond a DoS condition. Thanks to Robert Święcki for report. CVE-2017-3731 Reviewed-by:
-
- Jan 25, 2017
-
-
Cory Benfield authored
Reviewed-by:
-
Richard Levitte authored
In test/ssl_test, parsing ExpectedClientSignHash ended up in the expected_server_sign_hash field. Reviewed-by:
-
