Commit graph

1982 commits

Author SHA1 Message Date
Richard Levitte
c168a027cf VMS adjustments:
Add new symbols that are longer than 31 chars to symhacks.
VMS doesn't have <sys/un.h>, reflect that in e_os.h.
MS_CALLBACK has been removed, ssl_task.c needs adjustment.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-30 14:43:40 +01:00
Richard Levitte
c6ef15c494 clang on Linux x86_64 complains about unreachable code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-29 01:54:09 +01:00
Rich Salz
68fd6dce73 Remove support for opaque-prf
An expired IETF Internet-Draft (seven years old) that nobody
implements, and probably just as good as NSA DRBG work.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-28 15:37:16 -05:00
Rich Salz
646e8c1d6b Dead code removal: Fortezza identifiers
Not interested in helping the NSA in the slightest.
And anyway, it was never implemented, #if'd out.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 21:00:03 -05:00
Rich Salz
1a5adcfb5e "#if 0" removal: header files
Remove all "#if 0" blocks from header files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-27 17:44:12 -05:00
Rich Salz
63c574f6a6 OPENSSL_NO_XXX cleanup: OPENSSL_NO_BUF_FREELISTS
Remove OPENSSL_NO_BUF_FREELISTS. This was turned on by default,
so the work here is removing the 'maintain our own freelist' code.
Also removed a minor old Windows-multibyte/widechar conversion flag.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-27 16:43:53 -05:00
Rich Salz
daa48704cc OPENSSL_NO_XXX cleanup: NO_TLS, NO_TLS1
TLS and TLS1 are no longer optional.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 15:14:12 -05:00
Rich Salz
474e469bbd OPENSSL_NO_xxx cleanup: SHA
Remove support for SHA0 and DSS0 (they were broken), and remove
the ability to attempt to build without SHA (it didn't work).
For simplicity, remove the option of not building various SHA algorithms;
you could argue that SHA_224/256/384/512 should be kept, since they're
like crypto algorithms, but I decided to go the other way.
So these options are gone:
	GENUINE_DSA         OPENSSL_NO_SHA0
	OPENSSL_NO_SHA      OPENSSL_NO_SHA1
	OPENSSL_NO_SHA224   OPENSSL_NO_SHA256
	OPENSSL_NO_SHA384   OPENSSL_NO_SHA512

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 12:34:45 -05:00
Rich Salz
a00ae6c46e OPENSSL_NO_xxx cleanup: many removals
The following compile options (#ifdef's) are removed:
    OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
    OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
    OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
    OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY

This diff is big because of updating the indents on preprocessor lines.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 10:06:22 -05:00
Matt Caswell
8dd4ad0ff5 Make DTLS always act as if read_ahead is set. The actual value of read_ahead
is ignored for DTLS.

RT#3657

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-27 14:28:41 +00:00
Kurt Roeckx
2747d73c14 Fix segfault with empty fields as last in the config.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-24 14:46:50 +01:00
Rich Salz
68b00c2372 ifdef cleanup part 3: OPENSSL_SYSNAME
Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
Remove MS_STATIC; it's a relic from platforms <32 bits.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-23 11:58:26 -05:00
Matt Caswell
d2a0d72f33 Fix post-reformat errors preventing windows compilation
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 14:09:37 +00:00
Matt Caswell
35a1cc90bc More comment realignment
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:10 +00:00
Matt Caswell
50e735f9e5 Re-align some comments after running the reformat script.
This should be a one off operation (subsequent invokation of the
script should not move them)

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:10 +00:00
Matt Caswell
739a5eee61 Rerun util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:10 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
22b52164aa More tweaks for comments due indent issues
Conflicts:
	ssl/ssl_ciph.c
	ssl/ssl_locl.h

Conflicts:
	ssl/s2_srvr.c
	ssl/ssl.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
df6741c9a0 Tweaks for comments due to indent's inability to handle them
Conflicts:
	demos/tunala/tunala.h
	engines/e_padlock.c
	ssl/s2_clnt.c
	ssl/s2_lib.c
	ssl/s2_srvr.c
	ssl/s3_srvr.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
68d39f3ce6 Move more comments that confuse indent
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
7a2cb6f034 Fix indent comment corruption issue
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Matt Caswell
b853717fc4 Fix strange formatting by indent
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Matt Caswell
dbd87ffc21 indent has problems with comments that are on the right hand side of a line.
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Matt Caswell
a7b1eed566 More indent fixes for STACK_OF
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:07 +00:00
Matt Caswell
e636e2acd7 Fix source where indent will not be able to cope
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:06 +00:00
Matt Caswell
28470b6095 Yet more comments
Conflicts:
	crypto/dsa/dsa_asn1.c
	crypto/pem/pem_all.c
	fips/dh/dh_gen.c
	fips/dh/fips_dh_check.c
	fips/dh/fips_dh_gen.c
	ssl/ssl_ciph.c

Conflicts:
	ssl/d1_clnt.c

Conflicts:
	ssl/s2_pkt.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:06 +00:00
Matt Caswell
23a22b4cf7 More comments
Conflicts:
	crypto/dsa/dsa_vrf.c
	crypto/ec/ec2_smpl.c
	crypto/ec/ecp_smpl.c

Conflicts:
	demos/bio/saccept.c
	ssl/d1_clnt.c

Conflicts:
	bugs/dggccbug.c
	demos/tunala/cb.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:06 +00:00
Matt Caswell
c80fd6b215 Further comment changes for reformat (master)
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:19:59 +00:00
Rich Salz
4b618848f9 Cleanup OPENSSL_NO_xxx, part 1
OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
Two typo's on #endif comments fixed:
	OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB
	OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-14 15:57:28 -05:00
Rich Salz
6d23cf9744 RT3548: Remove unsupported platforms
This last one for this ticket.  Removes WIN16.
So long, MS_CALLBACK and MS_FAR.  We won't miss you.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 17:30:54 -05:00
Rich Salz
9405a9a2e1 RT478: Add uninstall make target
Add INSTALLDIRS variable, list of directories where things get
installed. Change install_html_docs to use perl mkdir-p script.

Add uninstall, uninstall_sw, uninstall_docs, uninstall_html_docs
to Makefile.org.  The actions of these targets were figured out
by "inverting" the install target.

Recurse into subdirs to do uninstall as needed.  Added uninstall
targets whose actions were similarly figured out by "inverting"
the install target.

Also remove some 'space before tab' complaints in Makefile.org

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-12 10:28:05 -05:00
Matt Caswell
103b171d8f A memory leak can occur in dtls1_buffer_record if either of the calls to
ssl3_setup_buffers or pqueue_insert fail. The former will fail if there is a
malloc failure, whilst the latter will fail if attempting to add a duplicate
record to the queue. This should never happen because duplicate records should
be detected and dropped before any attempt to add them to the queue.
Unfortunately records that arrive that are for the next epoch are not being
recorded correctly, and therefore replays are not being detected.
Additionally, these "should not happen" failures that can occur in
dtls1_buffer_record are not being treated as fatal and therefore an attacker
could exploit this by sending repeated replay records for the next epoch,
eventually causing a DoS through memory exhaustion.

Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.

CVE-2015-0206

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-08 15:49:45 +00:00
Dr. Stephen Henson
1421e0c584 Unauthenticated DH client certificate fix.
Fix to prevent use of DH client certificates without sending
certificate verify message.

If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.

We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.

Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 15:49:45 +00:00
Matt Caswell
248385c606 Follow on from CVE-2014-3571. This fixes the code that was the original source
of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-08 15:49:27 +00:00
Dr. Stephen Henson
feba02f391 Fix crash in dtls1_get_record whilst in the listen state where you get two
separate reads performed - one for the header and one for the body of the
handshake record.

CVE-2014-3571

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 11:18:16 +00:00
Dr. Stephen Henson
4a4d415857 fix error discrepancy
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-07 18:10:03 +00:00
Emilia Kasper
ac8e9cbe14 Only inherit the session ID context in SSL_set_SSL_CTX if the existing
context was also inherited (matches that of the existing SSL_CTX).

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 23:09:25 +01:00
Matt Caswell
3a83462dfe Further comment amendments to preserve formatting prior to source reformat
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 15:45:25 +00:00
Dr. Stephen Henson
fb76ad8d43 fix compilation error
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 02:17:07 +00:00
Dr. Stephen Henson
ce325c60c7 Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 02:06:39 +00:00
Dr. Stephen Henson
b15f876964 ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-05 22:59:32 +00:00
Adam Langley
61aa44ca99 Ensure that the session ID context of an SSL* is updated
when its SSL_CTX is updated.

From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-05 17:31:56 +01:00
Matt Caswell
32b07f5a80 Additional fix required for no-srtp to work
RT3638

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05 14:17:51 +00:00
Piotr Sikora
e783bae26a Fix building with no-srtp
RT3638

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05 14:17:22 +00:00
Dr. Stephen Henson
9527559939 Remove SGC restart flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-02 22:56:54 +00:00
Dr. Stephen Henson
63eab8a620 Remove MS SGC
MS Server gated cryptography is obsolete and dates from the time of export
restrictions on strong encryption and is only used by ancient versions of
MSIE.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-02 22:56:54 +00:00
Dr. Stephen Henson
4f605ccb77 Clear existing extension state.
When parsing ClientHello clear any existing extension state from
SRP login and SRTP profile.

Thanks to Karthikeyan Bhargavan for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-02 22:25:52 +00:00
Martin Nowak
b17dcb0d63 remove duplicate defines
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-12-31 11:13:48 +01:00
Cristian Rodríguez
d97ed21986 constify tls 1.2 lookup tables.
None of this should live in writable memory

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-12-31 11:13:48 +01:00
Tim Hudson
1d97c84351 mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-30 22:10:26 +00:00
Rich Salz
e03b29871b RT3548: Remove outdated platforms
This commit removes all mention of NeXT and NextStep.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-19 21:11:09 -05:00
Matt Caswell
53e95716f5 Change all instances of OPENSSL_NO_DEPRECATED to OPENSSL_USE_DEPRECATED
Introduce use of DECLARE_DEPRECATED

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-18 19:57:14 +00:00
Adam Langley
4aecfd4d9f Premaster secret handling fixes
From BoringSSL
- Send an alert when the client key exchange isn't correctly formatted.
- Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-12-17 14:01:19 +01:00
Richard Levitte
6dec5e1ca9 Clear warnings/errors within TLS_DEBUG code sections
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-17 10:15:09 +01:00
Richard Levitte
3ddb2914b5 Clear warnings/errors within KSSL_DEBUG code sections
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-17 10:15:09 +01:00
Richard Levitte
a501f647aa Clear warnings/errors within CIPHER_DEBUG code sections
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-17 10:15:09 +01:00
Richard Levitte
72b5d03b5b Clear warnings/errors within CIPHER_DEBUG code sections
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-17 10:15:09 +01:00
Matt Caswell
789da2c73d The dtls1_output_cert_chain function no longer exists so remove it from
ssl_locl.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-16 15:02:03 +00:00
Adam Langley
ec1af3c419 Don't set client_version to the ServerHello version.
The client_version needs to be preserved for the RSA key exchange.

This change also means that renegotiation will, like TLS, repeat the old
client_version rather than advertise only the final version. (Either way,
version change on renego is not allowed.) This is necessary in TLS to work
around an SChannel bug, but it's not strictly necessary in DTLS.

(From BoringSSL)

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-16 14:44:17 +00:00
Matt Caswell
db812f2d70 Add more meaningful OPENSSL_NO_ECDH error message for suite b mode
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-16 14:14:09 +00:00
Matt Caswell
af6e2d51bf Add OPENSSL_NO_ECDH guards
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-16 14:13:45 +00:00
Matt Caswell
55e530265a Remove extraneous white space, and add some braces
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-16 00:00:25 +00:00
Matt Caswell
1904d21123 DTLS fixes for signed/unsigned issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-15 23:59:50 +00:00
Kurt Roeckx
995207bedc Allow using -SSLv2 again when setting Protocol in the config.
RT#3625

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-15 18:09:53 +01:00
Matt Caswell
24097938ad Fixed memory leak if BUF_MEM_grow fails
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-12-13 00:02:20 +00:00
Matt Caswell
fd0ba77717 make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-11 23:52:47 +00:00
Jonas Maebe
288b4e4f8f tls1_heartbeat: check for NULL after allocating buf
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:18 +01:00
Jonas Maebe
c27dc3981c tls1_process_heartbeat: check for NULL after allocating buffer
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:18 +01:00
Jonas Maebe
fed5b55252 SSL_set_session: check for NULL after allocating s->kssl_ctx->client_princ
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:18 +01:00
Jonas Maebe
e9e688effb serverinfo_process_buffer: check result of realloc(ctx->cert->key->serverinfo) and don't leak memory if it fails
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:17 +01:00
Jonas Maebe
bf8e7047aa ssl3_digest_cached_records: check for NULL after allocating s->s3->handshake_dgst
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:17 +01:00
Jonas Maebe
9052ffda91 ssl3_get_certificate_request: check for NULL after allocating s->cert->ctypes
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:17 +01:00
Jonas Maebe
d00b1d62d6 SSL_COMP_add_compression_method: exit if allocating the new compression method struct fails
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:17 +01:00
Geoff Thorpe
e52a3c3d14 Include <openssl/foo.h> instead of "foo.h"
Exported headers shouldn't be included as "foo.h" by code from the same
module, it should only do so for module-internal headers. This is
because the symlinking of exported headers (from include/openssl/foo.h
to crypto/foo/foo.h) is being removed, and the exported headers are
being moved to the include/openssl/ directory instead.

Change-Id: I4c1d80849544713308ddc6999a549848afc25f94
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-08 14:21:35 -05:00
Matt Caswell
41bf250130 Fixed memory leak in the event of a failure of BUF_MEM_grow
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-08 16:43:25 +00:00
Matt Caswell
76e6509085 Fix memory leak in SSL_new if errors occur.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-08 16:42:59 +00:00
Dr. Stephen Henson
00b4ee7664 Remove some unnecessary OPENSSL_FIPS references
FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS
capable.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:18:43 +00:00
Emilia Kasper
376e2ca3e3 Clarify the return values for SSL_get_shared_curve.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 18:31:21 +01:00
Emilia Kasper
740580c2b2 Add extra checks for odd-length EC curve lists.
Odd-length lists should be rejected everywhere upon parsing. Nevertheless,
be extra careful and add guards against off-by-one reads.

Also, drive-by replace inexplicable double-negation with an explicit comparison.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 16:57:58 +01:00
Emilia Kasper
33d5ba8629 Reject elliptic curve lists of odd lengths.
The Supported Elliptic Curves extension contains a vector of NamedCurves
of 2 bytes each, so the total length must be even. Accepting odd-length
lists was observed to lead to a non-exploitable one-byte out-of-bounds
read in the latest development branches (1.0.2 and master). Released
versions of OpenSSL are not affected.

Thanks to Felix Groebert of the Google Security Team for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 16:32:39 +01:00
Jonas Maebe
f5905ba341 ssl_create_cipher_list: check whether push onto cipherstack succeeds
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
b3b966fb87 ssl_cert_dup: Fix memory leak
Always use goto err on failure and call ssl_cert_free() on the error path so all
fields and "ret" itself are freed

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Kurt Roeckx
6c42b39c95 dtls1_new: free s on error path
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
241e2dc936 dtls1_heartbeat: check for NULL after allocating s->cert->ctypes
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Jonas Maebe
d15f5df70d dtls1_process_heartbeat: check for NULL after allocating buffer
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Matt Caswell
71c16698fa Remove incorrect code inadvertently introduced through commit 59669b6ab.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-04 14:17:50 +00:00
Kurt Roeckx
45f55f6a5b Remove SSLv2 support
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 11:55:03 +01:00
Matt Caswell
4bb8eb9ce4 Remove "#if 0" code
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:25:00 +00:00
Matt Caswell
047f21593e Only use the fallback mtu after 2 unsuccessful retransmissions if it is less
than the mtu we are already using

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:53 +00:00
Matt Caswell
d3d9eef316 If we really get a situation where the underlying mtu is less than the minimum
we will support then dtls1_do_write can go into an infinite loop. This commit
fixes that.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:28 +00:00
Matt Caswell
1620a2e49c Fix dtls_query_mtu so that it will always either complete with an mtu that is
at least the minimum or it will fail.
There were some instances in dtls1_query_mtu where the final mtu can end up
being less than the minimum, i.e. where the user has set an mtu manually. This
shouldn't be allowed. Also remove dtls1_guess_mtu that, despite having
logic for guessing an mtu, was actually only ever used to work out the minimum
mtu to use.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:20 +00:00
Matt Caswell
59669b6abf Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP)
and instead use the value provided by the underlying BIO. Also provide some
new DTLS_CTRLs so that the library user can set the mtu without needing to
know this constant. These new DTLS_CTRLs provide the capability to set the
link level mtu to be used (i.e. including this IP/UDP overhead). The previous
DTLS_CTRLs required the library user to subtract this overhead first.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:12 +00:00
Matt Caswell
6abb0d1f8e The first call to query the mtu in dtls1_do_write correctly checks that the
mtu that we have received is not less than the minimum. If its less it uses the
minimum instead. The second call to query the mtu does not do that, but
instead uses whatever comes back. We have seen an instance in RT#3592 where we
have got an unreasonably small mtu come back. This commit makes both query
checks consistent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:23:56 +00:00
Matt Caswell
001235778a The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:23:46 +00:00
Matt Caswell
cf75017bfd Verify that we have a sensible message len and fail if not
RT#3592 provides an instance where the OPENSSL_assert that this commit
replaces can be hit. I was able to recreate this issue by forcing the
underlying BIO to misbehave and come back with very small mtu values. This
happens the second time around the while loop after we have detected that the
MTU has been exceeded following the call to dtls1_write_bytes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:23:09 +00:00
Rich Salz
8cfe08b4ec Remove all .cvsignore files
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-11-28 18:32:43 -05:00
Richard Levitte
7a04b854d6 [PR3597] Advance to the next state variant when reusing messages.
Previously, state variant was not advanced, which resulted in state
being stuck in the st1 variant (usually "_A").

This broke certificate callback retry logic when accepting connections
that were using SSLv2 ClientHello (hence reusing the message), because
their state never advanced to SSL3_ST_SR_CLNT_HELLO_C variant required
for the retry code path.

Reported by Yichun Zhang (agentzh).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-28 20:47:41 +01:00
Matt Caswell
f9ea4deba0 Fix warning in ssl2_enc
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:41:17 +00:00
Matt Caswell
eceef8fb86 Remove more references to dtls1_enc
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:40:59 +00:00
Matt Caswell
81ec01b217 Check EVP_Cipher return values for SSL2
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:40:39 +00:00
Matt Caswell
4b87706d20 Delete unused file
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:40:16 +00:00
Matt Caswell
fe78f08d15 Add checks to the return value of EVP_Cipher to prevent silent encryption failure.
PR#1767

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:39:47 +00:00
Matt Caswell
fc3968a25c Remove redundant checks in ssl_cert_dup. This was causing spurious error messages when using GOST
PR#3613

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 20:50:44 +00:00
Matt Caswell
f67203836c Add include of ssl.h which is required by srtp.h
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-27 13:16:36 +00:00
Matt Caswell
8a35dbb6d8 Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask
PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-11-26 10:10:21 +00:00
Matt Caswell
3a0765882c Corrected comments in ssl.h about SSLv23_method and friends
PR#3574

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-25 22:23:24 +00:00
Dr. Stephen Henson
7255ca99df Fix SuiteB chain checking logic.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-20 22:13:05 +00:00
David Benjamin
9e189b9dc1 Do not resume a session if the negotiated protocol version does not match
the session's version (server).

See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-20 16:29:04 +01:00
Emilia Kasper
e94a6c0ede Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-20 14:57:15 +01:00
Emilia Kasper
de2c7504eb Always require an advertised NewSessionTicket message.
The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-20 14:57:15 +01:00
Emilia Kasper
980bc1ec61 Remove ssl3_check_finished.
The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.

An equivalent change was independently made in BoringSSL, see commit
407886f589cf2dbaed82db0a44173036c3bc3317.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-20 14:57:15 +01:00
Emilia Kasper
7b3ba508af Set s->hit when resuming from external pre-shared secret.
The same change was independently made in BoringSSL, see commit
9eaeef81fa2d4fd6246dc02b6203fa936a5eaf67

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-20 14:57:15 +01:00
Emilia Kasper
a06cd5d056 Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-20 14:57:15 +01:00
Dr. Stephen Henson
3881d8106d New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-11-19 18:11:37 +00:00
Dr. Stephen Henson
5a3d8eebb7 Only handle RI extension for SSLv3
Don't send or parse any extensions other than RI (which is needed
to handle secure renegotation) for SSLv3.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-19 15:12:08 +00:00
Dr. Stephen Henson
e469af8d05 Process signature algorithms before deciding on certificate.
The supported signature algorithms extension needs to be processed before
the certificate to use is decided and before a cipher is selected (as the
set of shared signature algorithms supported may impact the choice).
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 56e8dc542b)

Conflicts:
	ssl/ssl.h
	ssl/ssl_err.c
2014-11-19 14:49:12 +00:00
Matt Caswell
bcb245a74a Added references to RFC 7027
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:01:45 +00:00
Dr. Stephen Henson
1a14b47ed9 Prevent use of binary curves when OPENSSL_NO_EC2M is defined
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-18 13:01:45 +00:00
Matt Caswell
cffeacd91e Updated comment references to draft-ietf-tls-ecc-12 to refer to RFC4492 instead
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:01:45 +00:00
Dr. Stephen Henson
f756f1fc83 Additional output for ssltest.
Print out more details of the conection in ssltest specifically:
server certificate curve name for EC, server temporary key (if any)
and peer signing digest.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-13 13:44:23 +00:00
Dr. Stephen Henson
de94222dba Add SSL_CONF support to ssltest.
Add command line support for SSL_CONF: server side arguments are
prefixed by -s_ (e.g. -s_no_ssl3) and client side with -c_.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-13 13:44:22 +00:00
Emilia Kasper
d663df2399 Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-10-28 17:35:59 +01:00
Emilia Kasper
fd28a41ec8 Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-10-27 16:25:17 +01:00
Dr. Stephen Henson
14e14bf696 Copy negotiated parameters in SSL_set_SSL_CTX.
SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-24 13:46:37 +01:00
Dr. Stephen Henson
c800c27a8c Process signature algorithms in ClientHello late.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-24 13:46:37 +01:00
Bodo Moeller
98f1ac7df5 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:43:08 +02:00
Bodo Moeller
8cb30232ed When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-21 22:24:42 +02:00
Kurt Roeckx
392fa7a952 Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-21 20:45:15 +02:00
Geoff Thorpe
62f45cc27d Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:56:16 -04:00
Dr. Stephen Henson
7482705548 Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-10-15 08:56:16 -04:00
Matt Caswell
3dd814ac4d Fix SRTP compile issues for windows
Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	util/mkdef.pl
	util/ssleay.num
2014-10-15 08:56:16 -04:00
Matt Caswell
e659eff2c0 Fix for SRTP Memory Leak
CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:56:16 -04:00
Bodo Moeller
cf6da05304 Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:03:28 +02:00
Dr. Stephen Henson
f3014206a2 Disable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-10 13:23:29 +01:00
Dr. Stephen Henson
4b6dee2b14 Parse custom extensions after internal extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-30 20:10:50 +01:00
Rich Salz
92c7846372 RT3544: Remove MWERKS support
The following #ifdef tests were all removed:
	__MWERKS__
	MAC_OS_pre_X
	MAC_OS_GUSI_SOURCE
	MAC_OS_pre_X
	OPENSSL_SYS_MACINTOSH_CLASSIC
	OPENSSL_SYS_MACOSX_RHAPSODY

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-24 18:07:29 -04:00
Emilia Kasper
455b65dfab RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-09-24 15:35:02 +02:00
Emilia Kasper
294d1e36c2 RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-09-24 12:45:42 +02:00
Tim Hudson
b5ff559ff9 Fixed error introduced in commit f2be92b94d
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-09-21 21:54:31 +10:00
Kurt Cancemi
4eadd11cd9 RT3506: typo's in ssltest
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-09-09 13:57:58 -04:00
Erik Auerswald
af4c6e348e RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-08 11:22:35 -04:00
Martin Olsson
683cd7c948 RT2843: Remove another spurious close-comment token
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-09-08 10:52:00 -04:00
Martin Olsson
6b0dc6eff1 RT2842: Remove spurious close-comment marker.
Also, I (rsalz) changed "#ifdef undef" to "#if 0"

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-09-08 10:50:08 -04:00
Adam Langley
be0d851732 psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-05 12:21:44 +02:00
Dr. Stephen Henson
f47e203975 Fix comments, add new test.
Fix comments in ssltest.c: return value of 0 now means extension is
omitted and add_cb is not called for servers if the corresponding
extension is absent in ClientHello.

Test add_cb is not called if extension is not received.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
0cfefe4b6d Rename some callbacks, fix alignment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
8cafe9e8bf Use consistent function naming.
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
c846a5f567 New function SSL_extension_supported().
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
33f653adf3 New extension callback features.
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.

Modify parse_cb handling so <= 0 is an error.

Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.

NOTE: these changes WILL break existing code.

Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
de2a9e38f3 Callback revision.
Use "parse" and "add" for function and callback names instead of
"first" and "second".

Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
707b026d78 Remove serverinfo checks.
Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
28ea0a0c6a Add custom extension sanity checks.
Reject attempts to use extensions handled internally.

Add flags to each extension structure to indicate if an extension
has been sent or received. Enforce RFC5246 compliance by rejecting
duplicate extensions and unsolicited extensions and only send a
server extension if we have sent the corresponding client extension.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:52 +01:00
Dr. Stephen Henson
ecf4d66090 Custom extension revision.
Use the same structure for client and server custom extensions.

Add utility functions in new file t1_ext.c.
Use new utility functions to handle custom server and client extensions
and remove a lot of code duplication.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:52 +01:00
Emilia Kasper
5a3d21c058 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-08-28 15:48:45 +02:00
Emilia Kasper
be0477a8e9 RT 3060: amend patch
Use existing error code SSL_R_RECORD_TOO_SMALL for too many empty records.

For ease of backporting the patch to release branches.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-08-22 15:35:42 +02:00
Martin Olsson
96208cb182 RT2848: Remove extra NULL check
Don't need to check auth for NULL since we did when we
assigned to it.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-19 12:43:58 -04:00
John Fitzgibbon
3609b02305 RT2724: Remove extra declaration
Extra SSL_get_selected_srtp_profile() declaration in ssl/srtp.h
causes -Werror builds to fail.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-19 09:38:43 -04:00
Justin Blanchard
f756fb430e RT1815: More const'ness improvements
Add a dozen more const declarations where appropriate.
These are from Justin; while adding his patch, I noticed
ASN1_BIT_STRING_check could be fixed, too.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-18 11:49:16 -04:00
Hubert Kario
750487899a Add support for Camellia HMAC-Based cipher suites from RFC6367
While RFC6367 focuses on Camellia-GCM cipher suites, it also adds a few
cipher suites that use SHA-2 based HMAC that can be very easily
added.

Tested against gnutls 3.3.5

PR#3443

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-15 23:41:20 +01:00
Matt Caswell
f2be92b94d Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:27:34 +01:00
Hans Wennborg
01e438f288 RT3023: Redundant logical expressions
Remove some redundant logical expressions

Reviewed-by: Emilia Kasper <emilia@silkandcyanide.net>
2014-08-15 10:45:00 -04:00
Dr. Stephen Henson
b83294fe30 Revision of custom extension code.
Move custom extension structures from SSL_CTX to CERT structure.

This change means the form can be revised in future without binary
compatibility issues. Also since CERT is part of SSL structures
so per-SSL custom extensions could be supported in future as well as
per SSL_CTX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 12:20:04 +01:00
Dr. Stephen Henson
06f5d12f51 Include error messages on extension check failure.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 12:16:16 +01:00
Emilia Kasper
f0ca9ccaef make depend
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-14 15:24:58 +02:00
Dr. Stephen Henson
9e72d496d4 Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-09 13:21:30 +01:00
Viktor Szakats
693b71fa71 RT 1988: Add "const" to SSL_use_RSAPrivateKey_ASN1
The "unsigned char *d" should be const.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
2014-08-09 07:56:28 -04:00
Matthieu Crapet
6d03125ccf RT 1505: Use SSL3_AL_FATAL not "2"
Use SSL3_AL_FATAL instead of the literal constant "2"
Every bit of cleanup helps.
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-08 22:47:33 -04:00
Dr. Stephen Henson
0989790b87 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:36:41 +01:00
Dr. Stephen Henson
80bd7b41b3 Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:36:41 +01:00
Gabor Tyukasz
fb0bc2b273 Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:36:41 +01:00
Emilia Käsper
1716003376 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:36:40 +01:00
David Benjamin
280b1f1ad1 Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:36:40 +01:00
Adam Langley
4f2011d981 Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:36:40 +01:00
Matt Caswell
f6663338cb Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:36:40 +01:00
Adam Langley
b74d1d260f Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:36:40 +01:00
Adam Langley
d0a4b7d1a2 Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:36:40 +01:00
Matt Caswell
1250f12613 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:36:40 +01:00
Matt Caswell
11e7982a7c Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:36:40 +01:00
Adam Langley
bff1ce4e6a Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:36:40 +01:00
Dr. Stephen Henson
e0fc7961c4 Add conditional unit testing interface.
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-07-24 19:41:29 +01:00
Mike Bland
50bba6852d Update heartbeat_test #includes
ssl/ssl_locl.h now comes first to ensure that it will compile standalone.
test/testutil.h is considered to be in the same directory as the test file,
since the test file will be linked into test/ and built there.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-07-19 19:24:35 +01:00
Mike Bland
6017a55143 Use testutil registry in heartbeat_test
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-07-19 19:24:35 +01:00
Dr. Stephen Henson
c8d710dc5f Fix DTLS certificate requesting code.
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
2014-07-15 18:23:13 +01:00
Dr. Stephen Henson
ec5a992cde Use more common name for GOST key exchange. 2014-07-14 18:31:55 +01:00
Peter Mosmans
924e5eda2c Add names of GOST algorithms.
PR#3440
2014-07-13 18:30:07 +01:00
Andy Polyakov
021e5043e5 Please Clang's sanitizer.
PR: #3424,#3423,#3422
2014-07-08 22:24:44 +02:00
Andy Polyakov
0e7a32b55e s3_pkt.c: fix typo. 2014-07-05 23:56:54 +02:00
Ben Laurie
d2ab55eb5b Reduce casting nastiness. 2014-07-05 15:00:53 +01:00
Dr. Stephen Henson
7f6e957864 Don't limit message sizes in ssl3_get_cert_verify.
PR#319 (reoponed version).
2014-07-05 13:19:12 +01:00
Dr. Stephen Henson
b948ee27b0 Remove all RFC5878 code.
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
2014-07-04 13:26:35 +01:00
Thijs Alkemade
7cb472bd0d Make disabling last cipher work. 2014-07-02 03:32:19 +01:00
Ben Laurie
22a10c89d7 Fix possible buffer overrun.
(cherry picked from commit 2db3ea2929)

Conflicts:
	ssl/t1_lib.c
2014-07-02 00:11:10 +01:00
Rich Salz
e67ddd19af RT 1528; misleading debug print, "pre-master" should be "master key" 2014-07-01 13:22:38 -04:00
Rich Salz
04f545a0d5 RT 1530; fix incorrect comment 2014-07-01 13:06:18 -04:00
Rich Salz
df8ef5f31a RT 1229; typo in comment "dont't"->"don't" 2014-07-01 13:02:57 -04:00
Dr. Stephen Henson
2580ab4ed7 Fix warning.
(cherry picked from commit c97ec5631b)
2014-07-01 13:37:04 +01:00
Ben Laurie
e3ba6a5f83 Make depend. 2014-06-30 16:03:29 +01:00
Ben Laurie
161e0a617d More constification. 2014-06-29 22:13:45 +01:00
Ben Laurie
8892ce7714 Constification - mostly originally from Chromium. 2014-06-29 21:05:23 +01:00
Dr. Stephen Henson
44724beead Fix memory leak.
PR#2531
2014-06-29 13:51:30 +01:00
Dr. Stephen Henson
0518a3e19e Don't disable state strings with no-ssl2
Some state strings were erronously not compiled when no-ssl2
was set.

PR#3295
2014-06-28 00:54:32 +01:00
yogesh nagarkar
d183545d45 Fix compilation with -DSSL_DEBUG -DTLS_DEBUG -DKSSL_DEBUG
PR#3141
2014-06-28 00:40:26 +01:00
Ken Ballou
0b33bed969 Remove redundant check.
PR#3174
2014-06-27 23:19:39 +01:00
PK
e633248921 Add SHA256 Camellia ciphersuites from RFC5932
PR#2800
2014-06-27 18:24:05 +01:00
Tomas Mraz
0436369fcc Don't advertise ECC ciphersuits in SSLv2 compatible client hello.
PR#3374
2014-06-27 16:51:26 +01:00
Miod Vallat
2841d6ca9f Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

Bug discovered and fixed by Miod Vallat from the OpenBSD team.

PR#3375
2014-06-22 23:14:19 +01:00
Matt Caswell
cf1b08cdd7 Revert "Fix off-by-one errors in ssl_cipher_get_evp()"
This reverts commit abfb989fe0.

Incorrect attribution
2014-06-22 22:35:56 +01:00
Matt Caswell
339da43d6c Fixed Windows compilation failure 2014-06-22 20:16:47 +02:00
Felix Laurie von Massenbach
50cc4f7b3d Fix signed/unsigned comparisons. 2014-06-17 17:41:46 +01:00
Dr. Stephen Henson
3b77f01702 Accept CCS after sending finished.
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.

PR#3400
2014-06-14 22:31:28 +01:00
Matt Caswell
687721a7dc Fixed incorrect return code handling in ssl3_final_finish_mac.
Based on an original patch by Joel Sing (OpenBSD) who also originally identified the issue.
2014-06-13 15:36:20 +01:00
Matt Caswell
043fd64689 Revert "Fixed incorrect return code handling in ssl3_final_finish_mac"
This reverts commit 2f1dffa88e.

Missing attribution.
2014-06-13 15:35:20 +01:00
Kurt Cancemi
abfb989fe0 Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

PR#3375
2014-06-12 21:11:00 +01:00
Matt Caswell
d84ba7ea23 Added OPENSSL_assert check as per PR#3377 reported by Rainer Jung <rainer.jung@kippdata.de> 2014-06-12 20:40:54 +01:00
Andy Polyakov
77a27a5066 Enable multi-block support by default. 2014-06-11 20:40:51 +02:00
Matt Caswell
2f1dffa88e Fixed incorrect return code handling in ssl3_final_finish_mac 2014-06-10 23:31:50 +01:00
Mike Bland
3ead9f3798 Create test/testutil.h for unit test helper macros
Defines SETUP_TEST_FIXTURE and EXECUTE_TEST, and updates ssl/heartbeat_test.c
using these macros. SETUP_TEST_FIXTURE makes use of the new TEST_CASE_NAME
macro, defined to use __func__ or __FUNCTION__ on platforms that support those
symbols, or to use the file name and line number otherwise. This should fix
several reported build problems related to lack of C99 support.
2014-06-10 19:20:25 +01:00
Dr. Stephen Henson
7a9d59c148 Fix null pointer errors.
PR#3394
2014-06-10 14:47:29 +01:00
Dr. Stephen Henson
447280ca7b SRP ciphersuite correction.
SRP ciphersuites do not have no authentication. They have authentication
based on SRP. Add new SRP authentication flag and cipher string.
2014-06-09 12:09:52 +01:00
Dr. Stephen Henson
1bea384fd5 Update strength_bits for 3DES.
Fix strength_bits to 112 for 3DES.
2014-06-09 12:09:52 +01:00
Dr. Stephen Henson
fb8d9ddb9d Make tls_session_secret_cb work with CVE-2014-0224 fix.
If application uses tls_session_secret_cb for session resumption
set the CCS_OK flag.
2014-06-07 15:27:23 +01:00
Dr. Stephen Henson
c43a55407d Add official extension value.
Encrypt then MAC now has an official extension value, see:

http://www.ietf.org/id/draft-ietf-tls-encrypt-then-mac-02.txt
2014-06-07 15:27:23 +01:00
Dr. Stephen Henson
5111672b8e Update value to use a free bit. 2014-06-05 13:27:11 +01:00
Dr. Stephen Henson
410e444b71 Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.
(cherry picked from commit 1632ef7448)
2014-06-05 13:23:05 +01:00
Dr. Stephen Henson
a91be10833 Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
(cherry picked from commit bc8923b1ec)
2014-06-05 13:22:42 +01:00
Dr. Stephen Henson
a7c682fb6f Additional CVE-2014-0224 protection.
Return a fatal error if an attempt is made to use a zero length
master secret.
(cherry picked from commit 006cd7083f)
2014-06-05 13:22:24 +01:00
Dr. Stephen Henson
b4322e1de8 Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(cherry picked from commit d3152655d5)
2014-06-05 13:22:03 +01:00
Dr. Stephen Henson
a5362db460 Fix CVE-2014-3470
Check session_cert is not NULL before dereferencing it.
(cherry picked from commit 8011cd56e3)
2014-06-05 13:21:50 +01:00
David Benjamin
c7f267397e Check there is enough room for extension. 2014-06-02 23:55:56 +01:00
zhu qun-ying
470990fee0 Free up s->d1->buffered_app_data.q properly.
PR#3286
2014-06-02 23:55:55 +01:00
Sami Farin
13b7896022 Typo: set i to -1 before goto.
PR#3302
2014-06-02 14:22:07 +01:00
Matt Caswell
a5510df337 Added SSLErr call for internal error in dtls1_buffer_record 2014-06-01 21:36:25 +01:00
David Ramos
d1e1aeef8f Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362 2014-06-01 21:36:25 +01:00
Dr. Stephen Henson
01f2f18f3c Option to disable padding extension.
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.

This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.

PR#3336
2014-06-01 18:15:21 +01:00
David Ramos
92d81ba622 Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361
2014-06-01 14:27:22 +01:00
Dr. Stephen Henson
4fdf91742e Use correct digest when exporting keying material.
PR#3319
2014-05-31 13:43:02 +01:00
Dr. Stephen Henson
7ce79a5bfd Don't compile heartbeat test code on Windows (for now). 2014-05-31 13:43:02 +01:00
Juli Mallett
487dac87e3 Fix cast of boolean where cast of LHS intended.
Closes #74.
2014-05-26 13:16:12 +01:00
Matt Caswell
955376fde3 Fix for non compilation with TLS_DEBUG defined 2014-05-24 23:55:27 +01:00
Martin Kaiser
189ae368d9 Add an NSS output format to sess_id to export to export the session id and the master key in NSS keylog format. PR#3352 2014-05-24 00:02:24 +01:00
Mike Bland
647c70f765 Fix heartbeat_test for -DOPENSSL_NO_HEARTBEATS
Replaces the entire test with a trivial implementation when
OPENSSL_NO_HEARTBEATS is defined.
2014-05-22 15:23:10 -04:00
Dr. Stephen Henson
dcca7b13e9 For portability use BUF_strndup instead of strndup. 2014-05-20 11:18:30 +01:00
Dr. Stephen Henson
6db14dbc51 Adding padding extension to trace code. 2014-05-20 11:09:04 +01:00
Dr. Stephen Henson
deffd89af3 Fix bug in signature algorithm copy. 2014-05-20 11:09:04 +01:00
Ben Laurie
2ec52dc3a1 Fixup for ancient compilers. 2014-05-19 17:39:41 +01:00
Mike Bland
39dd6f4549 Zero-initialize heartbeat test write buffer
The previous calls to memset() were added to tear_down() when I noticed the
test spuriously failing in opt mode, with different results each time. This
appeared to be because the allocator zeros out memory in debug mode, but not
in opt mode. Since the heartbeat functions silently drop the request on error
without modifying the contents of the write buffer, whatever random contents
were in memory before being reallocated to the write buffer used in the test
would cause nondeterministic test failures in the Heartbleed regression cases.
Adding these calls allowed the test to pass in both debug and opt modes.

Ben Laurie notified me offline that the test was aborting in
debug-ben-debug-64-clang mode, configured with GitConfigure and built with
GitMake. Looking into this, I realized the first memset() call was zeroing out
a reference count used by SSL_free() that was checked in
debug-ben-debug-64-clang mode but not in the normal debug mode.

Removing the memset() calls from tear_down() and adding a memset() for the
write buffer in set_up() addresses the issue and allows the test to
successfully execute in debug, opt, and debug-ben-debug-64-clang modes.
2014-05-19 17:39:41 +01:00
Mike Bland
f5ad068b01 More through error checks in set_up
Checks the return values of ssl_init_wbio_buffer() and ssl3_setup_buffers().
2014-05-19 17:39:41 +01:00
Ben Laurie
f41231d62a Make it build/run. 2014-05-19 17:39:41 +01:00
Mike Bland
6af080acaf Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html
2014-05-19 17:39:41 +01:00
Kurt Roeckx
4ee356686f Check sk_SSL_CIPHER_num() after assigning sk. 2014-05-12 22:56:13 +01:00