1. 04 7月, 2014 1 次提交
  2. 02 7月, 2014 1 次提交
  3. 05 6月, 2014 1 次提交
    • D
      Fix for CVE-2014-0224 · a91be108
      Dr. Stephen Henson 提交于
      Only accept change cipher spec when it is expected instead of at any
      time. This prevents premature setting of session keys before the master
      secret is determined which an attacker could use as a MITM attack.
      
      Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
      and providing the initial fix this patch is based on.
      (cherry picked from commit bc8923b1ec9c467755cd86f7848c50ee8812e441)
      a91be108
  4. 01 6月, 2014 1 次提交
  5. 13 5月, 2014 1 次提交
  6. 28 3月, 2014 3 次提交
    • D
      Security framework. · b362ccab
      Dr. Stephen Henson 提交于
      Security callback: selects which parameters are permitted including
      sensible defaults based on bits of security.
      
      The "parameters" which can be selected include: ciphersuites,
      curves, key sizes, certificate signature algorithms, supported
      signature algorithms, DH parameters, SSL/TLS version, session tickets
      and compression.
      
      In some cases prohibiting the use of a parameters will mean they are
      not advertised to the peer: for example cipher suites and ECC curves.
      In other cases it will abort the handshake: e.g DH parameters or the
      peer key size.
      
      Documentation to follow...
      b362ccab
    • D
      Check return value of ssl3_output_cert_chain · 66f96fe2
      Dr. Stephen Henson 提交于
      66f96fe2
    • D
      Auto DH support. · 09599b52
      Dr. Stephen Henson 提交于
      Add auto DH parameter support. This is roughly equivalent to the
      ECDH auto curve selection but for DH. An application can just call
      
      SSL_CTX_set_auto_dh(ctx, 1);
      
      and appropriate DH parameters will be used based on the size of the
      server key.
      
      Unlike ECDH there is no way a peer can indicate the range of DH parameters
      it supports. Some peers cannot handle DH keys larger that 1024 bits for
      example. In this case if you call:
      
      SSL_CTX_set_auto_dh(ctx, 2);
      
      Only 1024 bit DH parameters will be used.
      
      If the server key is 7680 bits or more in size then 8192 bit DH parameters
      will be used: these will be *very* slow.
      
      The old export ciphersuites aren't supported but those are very
      insecure anyway.
      09599b52
  7. 19 3月, 2014 1 次提交
  8. 21 2月, 2014 1 次提交
  9. 06 2月, 2014 3 次提交
  10. 28 1月, 2014 1 次提交
  11. 26 1月, 2014 1 次提交
  12. 09 1月, 2014 2 次提交
    • D
      use SSL_kDHE throughout instead of SSL_kEDH · 5a21cadb
      Daniel Kahn Gillmor 提交于
      DHE is the standard term used by the RFCs and by other TLS
      implementations.  It's useful to have the internal variables use the
      standard terminology.
      
      This patch leaves a synonym SSL_kEDH in place, though, so that older
      code can still be built against it, since that has been the
      traditional API.  SSL_kEDH should probably be deprecated at some
      point, though.
      5a21cadb
    • D
      use SSL_kECDHE throughout instead of SSL_kEECDH · 4082fea8
      Daniel Kahn Gillmor 提交于
      ECDHE is the standard term used by the RFCs and by other TLS
      implementations.  It's useful to have the internal variables use the
      standard terminology.
      
      This patch leaves a synonym SSL_kEECDH in place, though, so that older
      code can still be built against it, since that has been the
      traditional API.  SSL_kEECDH should probably be deprecated at some
      point, though.
      4082fea8
  13. 02 1月, 2014 1 次提交
  14. 18 11月, 2013 1 次提交
  15. 21 10月, 2013 2 次提交
    • N
      Fix another gmt_unix_time case in server_random · 2927791d
      Nick Mathewson 提交于
      2927791d
    • N
      Do not include a timestamp in the Client/ServerHello Random field. · 2016265d
      Nick Mathewson 提交于
      Instead, send random bytes, unless SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
      is set.
      
      This is a forward-port of commits:
        4af793036f6ef4f0a1078e5d7155426a98d50e37
        f4c93b46edb51da71f09eda99e83eaf193a33c08
        3da721dac9382c48812c8eba455528fd59af2eef
        2583270191a8b27eed303c03ece1da97b9b69fd3
      
      While the gmt_unix_time record was added in an ostensible attempt to
      mitigate the dangers of a bad RNG, its presence leaks the host's view
      of the current time in the clear.  This minor leak can help
      fingerprint TLS instances across networks and protocols... and what's
      worse, it's doubtful thet the gmt_unix_time record does any good at
      all for its intended purpose, since:
      
          * It's quite possible to open two TLS connections in one second.
      
          * If the PRNG output is prone to repeat itself, ephemeral
            handshakes (and who knows what else besides) are broken.
      2016265d
  16. 06 9月, 2013 3 次提交
    • B
      More cleanup. · 5eda213e
      Ben Laurie 提交于
      5eda213e
    • B
      Make it build. · a6a48e87
      Ben Laurie 提交于
      a6a48e87
    • S
      Add callbacks supporting generation and retrieval of supplemental data... · 36086186
      Scott Deboy 提交于
      Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
      Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
      Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
      Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
      36086186
  17. 13 6月, 2013 1 次提交
  18. 09 4月, 2013 3 次提交
    • D
      Suite B support for DTLS 1.2 · 4544f0a6
      Dr. Stephen Henson 提交于
      Check for Suite B support using method flags instead of version numbers:
      anything supporting TLS 1.2 cipher suites will also support Suite B.
      
      Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
      4544f0a6
    • D
      Always return errors in ssl3_get_client_hello · c56f5b8e
      Dr. Stephen Henson 提交于
      If we successfully match a cookie don't set return value to 2 as this
      results in other error conditions returning 2 as well.
      
      Instead set return value to -2 which can be checked later if everything
      else is OK.
      c56f5b8e
    • D
      Dual DTLS version methods. · c6913eeb
      Dr. Stephen Henson 提交于
      Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
      pick the highest version the peer supports during negotiation.
      
      As with SSL/TLS options can change this behaviour specifically
      SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
      c6913eeb
  19. 18 3月, 2013 2 次提交
    • D
      Use enc_flags when deciding protocol variations. · cbd64894
      Dr. Stephen Henson 提交于
      Use the enc_flags field to determine whether we should use explicit IV,
      signature algorithms or SHA256 default PRF instead of hard coding which
      versions support each requirement.
      cbd64894
    • D
      DTLS revision. · 173e72e6
      Dr. Stephen Henson 提交于
      Revise DTLS code. There was a *lot* of code duplication in the
      DTLS code that generates records. This makes it harder to maintain and
      sometimes a TLS update is omitted by accident from the DTLS code.
      
      Specifically almost all of the record generation functions have code like
      this:
      
      some_pointer = buffer + HANDSHAKE_HEADER_LENGTH;
      ... Record creation stuff ...
      set_handshake_header(ssl, SSL_MT_SOMETHING, message_len);
      
      ...
      
      write_handshake_message(ssl);
      
      Where the "Record creation stuff" is identical between SSL/TLS and DTLS or
      in some cases has very minor differences.
      
      By adding a few fields to SSL3_ENC to include the header length, some flags
      and function pointers for handshake header setting and handshake writing the
      code can cope with both cases.
      
      Note: although this passes "make test" and some simple DTLS tests there may
      be some minor differences in the DTLS code that have to be accounted for.
      173e72e6
  20. 30 12月, 2012 1 次提交
  21. 26 11月, 2012 1 次提交
  22. 11 9月, 2012 1 次提交
  23. 15 8月, 2012 1 次提交
  24. 25 7月, 2012 1 次提交
  25. 20 7月, 2012 1 次提交
  26. 18 7月, 2012 1 次提交
  27. 29 6月, 2012 1 次提交
    • D
      Add certificate callback. If set this is called whenever a certificate · 18d71588
      Dr. Stephen Henson 提交于
      is required by client or server. An application can decide which
      certificate chain to present based on arbitrary criteria: for example
      supported signature algorithms. Add very simple example to s_server.
      This fixes many of the problems and restrictions of the existing client
      certificate callback: for example you can now clear existing certificates
      and specify the whole chain.
      18d71588
  28. 22 6月, 2012 1 次提交
  29. 06 6月, 2012 1 次提交