Commit graph

1606 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
0ec6898c67 Allow ECDHE and DHE as forward-compatible aliases for EECDH and EDH
see RT #3203

Future versions of OpenSSL use the canonical terms "ECDHE" and "DHE"
as configuration strings and compilation constants.  This patch
introduces aliases so that the stable 1.0.2 branch can be
forward-compatible with code and configuration scripts that use the
normalized terms, while avoiding changing any library output for
stable users.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-10 10:58:49 +01:00
Emilia Kasper
4c75f4e5ca Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df2399)
2014-10-28 17:38:23 +01:00
Emilia Kasper
a35f7adf5c Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit fd28a41ec8)

Conflicts:
	ssl/ssltest.c
2014-10-27 16:33:28 +01:00
Dr. Stephen Henson
1ce95f1960 Copy negotiated parameters in SSL_set_SSL_CTX.
SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 14e14bf696)
2014-10-24 14:01:01 +01:00
Dr. Stephen Henson
51695b98f1 Process signature algorithms in ClientHello late.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c800c27a8c)

Conflicts:

	ssl/ssl.h
	ssl/ssl_err.c
	ssl/ssl_locl.h
2014-10-24 13:57:23 +01:00
Dr. Stephen Henson
82182413a4 Parse custom extensions after SNI.
Since SNI will typically switch the SSL_CTX structure to the one
corresponding to the appopriate server we need to parse custom
extensions using the switched SSL_CTX not the original one. This
is done by parsing custom extensions *after* SNI.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-23 14:45:30 +01:00
Bodo Moeller
981545e1e7 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:39:26 +02:00
Bodo Moeller
d60de314f4 When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-21 22:32:09 +02:00
Kurt Roeckx
b6ece4c1fc Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a952)
2014-10-21 21:04:09 +02:00
Geoff Thorpe
82180dcc0a Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:54:26 -04:00
Dr. Stephen Henson
c2b90b398d Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5dc6070a03779cd524f0e67f76c945cb0ac38320)
2014-10-15 08:54:26 -04:00
Matt Caswell
c2a2ff3f0a Fix SRTP compile issues for windows
Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	util/mkdef.pl
	util/ssleay.num

Conflicts:
	util/mkdef.pl
2014-10-15 08:54:26 -04:00
Matt Caswell
d64b6c980c Fix for SRTP Memory Leak
CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:54:26 -04:00
Bodo Moeller
a46c705214 Support TLS_FALLBACK_SCSV.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 04:04:55 +02:00
Dr. Stephen Henson
3b4a761853 Don't allow non-FIPS curves in FIPS mode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-25 00:20:56 +01:00
Emilia Kasper
e1080ea3c7 RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)
2014-09-24 15:54:51 +02:00
Adam Langley
941af48fec This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.

(cherry picked from commit adb46dbc6d)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-24 15:42:43 +02:00
Emilia Kasper
9bed73adaa RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
	crypto/rsa/rsa_pk1.c
	ssl/s3_cbc.c
2014-09-24 12:47:19 +02:00
Tim Hudson
320d949781 Fixed error introduced in commit f2be92b94d
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff9)
2014-09-22 06:35:57 +10:00
Kurt Cancemi
283a8fd1aa RT3506: typo's in ssltest
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 4eadd11cd9)
2014-09-09 13:58:33 -04:00
Erik Auerswald
ff89be854e RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e)
2014-09-08 11:23:02 -04:00
Martin Olsson
610ac0525d RT2843: Remove another spurious close-comment token
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 683cd7c948)
2014-09-08 10:52:19 -04:00
Martin Olsson
9c096d0bbf RT2842: Remove spurious close-comment marker.
Also, I (rsalz) changed "#ifdef undef" to "#if 0"

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 6b0dc6eff1)
2014-09-08 10:50:33 -04:00
Adam Langley
e12e875759 psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732)
2014-09-05 12:22:33 +02:00
Richard Levitte
770b98d02e Add t1_ext and ssl_utst to the VMS build as well.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-08-31 18:22:02 +02:00
Dr. Stephen Henson
f9784baf0e Fix comments, add new test.
Fix comments in ssltest.c: return value of 0 now means extension is
omitted and add_cb is not called for servers if the corresponding
extension is absent in ClientHello.

Test add_cb is not called if extension is not received.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f47e203975)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
cf8d6c1000 Rename some callbacks, fix alignment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 0cfefe4b6d)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
4164d631bb Use consistent function naming.
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 8cafe9e8bf)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
46a1b9ef4f New function SSL_extension_supported().
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit c846a5f567)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
6db2239c60 New extension callback features.
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.

Modify parse_cb handling so <= 0 is an error.

Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.

NOTE: these changes WILL break existing code.

Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 33f653adf3)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
423ceb8319 Callback revision.
Use "parse" and "add" for function and callback names instead of
"first" and "second".

Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit de2a9e38f3)
2014-08-28 18:10:21 +01:00
Dr. Stephen Henson
cd2e17020e Remove serverinfo checks.
Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 707b026d78)

Conflicts:

	ssl/ssl3.h
	ssl/t1_lib.c
2014-08-28 18:09:59 +01:00
Dr. Stephen Henson
9346c75cb8 Add custom extension sanity checks.
Reject attempts to use extensions handled internally.

Add flags to each extension structure to indicate if an extension
has been sent or received. Enforce RFC5246 compliance by rejecting
duplicate extensions and unsolicited extensions and only send a
server extension if we have sent the corresponding client extension.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 28ea0a0c6a)
2014-08-28 18:09:39 +01:00
Dr. Stephen Henson
0a4fe37fc6 Custom extension revision.
Use the same structure for client and server custom extensions.

Add utility functions in new file t1_ext.c.
Use new utility functions to handle custom server and client extensions
and remove a lot of code duplication.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit ecf4d66090)

Conflicts:

	ssl/ssl_lib.c
	ssl/ssl_locl.h
	ssl/t1_lib.c
2014-08-28 18:09:05 +01:00
Dr. Stephen Henson
da67a0ae34 Revision of custom extension code.
Move custom extension structures from SSL_CTX to CERT structure.

This change means the form can be revised in future without binary
compatibility issues. Also since CERT is part of SSL structures
so per-SSL custom extensions could be supported in future as well as
per SSL_CTX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b83294fe30)

Conflicts:

	ssl/ssl.h
	ssl/ssl_cert.c
	ssl/ssl_locl.h
2014-08-28 17:06:50 +01:00
Emilia Kasper
9a9b0c0401 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 5a3d21c058)

Conflicts:
	ssl/s3_cbc.c
	test/Makefile
2014-08-28 16:26:01 +02:00
John Fitzgibbon
383f0e349f RT2724: Remove extra declaration
Extra SSL_get_selected_srtp_profile() declaration in ssl/srtp.h
causes -Werror builds to fail.

Cherry-picked from 3609b02305

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-26 16:55:54 -04:00
Adam Langley
3aac17a82f RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-08-22 15:36:06 +02:00
Matt Caswell
43312c624d Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:28:52 +01:00
Dr. Stephen Henson
5ed0b6ac0c Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)
2014-08-09 00:09:14 +01:00
Dr. Stephen Henson
bb4c9ffd02 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:41:53 +01:00
Dr. Stephen Henson
f338c2e0c2 Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:41:24 +01:00
Gabor Tyukasz
92aa73bcbf Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:41:24 +01:00
Emilia Käsper
1d7d0ed9c2 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:41:24 +01:00
David Benjamin
40a2200d89 Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:41:24 +01:00
Adam Langley
d345a24569 Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:24 +01:00
Matt Caswell
3d5dceac43 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
aad61c0a57 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
8ca4c4b25e Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Matt Caswell
0598468fc0 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00