Commit graph

2153 commits

Author SHA1 Message Date
Matt Caswell
1aeaa7ec06 Remove ssl_get_message from ssl_method_st
ssl_get_message is no longer used so it should be removed from
ssl_method_st

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
73999b62a2 Move PACKET creation into the state machine
Previously each message specific process function would create its own
PACKET structure. Rather than duplicate all of this code lots of times we
should create it in the state machine itself.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
0131df49ee Remove the SSL state variable
The SSL structure contained a "state" variable that kept track of the state
machine in the old code. The new state machine does not use this so it can
be removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
23a635c0ec Remove the type variable
The SSL structure contained a "type" variable that was set to either
SSL_ST_ACCEPT or SSL_ST_CONNECT depending on whether we are the server or
the client. This duplicates the capability of the "server" variable and was
actually rarely used.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
5e41ba031e Convert DTLSv1_listen to use new state machine code
The DTLSv1_listen code set the state value explicitly to move into init.
Change to use state_set_in_init() instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
c64359db8a Redefine old state values
ssl.h and ssl3.h have a number of defines for the various states in the old
state machine code. Since this is public API it is not desirable to just
remove them. Instead redefine them to the closest equivalent state in the
new state machine code. If an application calls SSL_state then the return
value can still be compared against these old values if necessary. However
not all values have an equivalent state in the new code, so these are just
redefined to a dummy value.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
49ae742398 Remove redundant code
Clean up and remove lots of code that is now no longer needed due to the
move to the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
c130dd8ea4 Move server side DTLS to new state machine
Implement all of the necessary changes to make DTLS on the server work
with the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
94836de2ae Move server side TLS to new state machine
Implement all of the necessary changes for moving TLS server side
processing into the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
e27f234a41 Split TLS server functions
Split the TLS server ssl3_get_* and ssl3_send_* functions into two ready
for the migration to the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
4e3458a565 Delete unused functions
Remove all the functions and dead code that is now no longer required as
a result of the DTLS client move into the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
473483d42d Implement DTLS client move to new state machine
Move all DTLS client side processing into the new state machine code. A
subsequent commit will clean up the old dead code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
76af303761 dtls_get_message changes for state machine move
Create a dtls_get_message function similar to the old dtls1_get_message but
in the format required for the new state machine code. The old function will
eventually be deleted in later commits.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
f6a2f2da58 Client TLS state machine rewrite cleanup
Remove redundant code following moving client side TLS handling to the new
state machine implementation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
8723588e1b Implement Client TLS state machine
This swaps the implementation of the client TLS state machine to use the
new state machine code instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
b9908bf9b8 Split client message reading and writing functions
The new state machine code will split up the reading and writing of
hanshake messages into discrete phases. In order to facilitate that the
existing "get" type functions will be split into two halves: one to get
the message and one to process it. The "send" type functions will also have
all work relating to constructing the message split out into a separate
function just for that. For some functions there will also be separate
pre and post "work" phases to prepare or update state.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
f8e0a55738 Add initial state machine rewrite code
This is the first drop of the new state machine code.

The rewrite has the following objectives:
- Remove duplication of state code between client and server
- Remove duplication of state code between TLS and DTLS
- Simplify transitions and bring the logic together in a single location
  so that it is easier to validate
- Remove duplication of code between each of the message handling functions
- Receive a message first and then work out whether that is a valid
  transition - not the other way around (the other way causes lots of issues
  where we are expecting one type of message next but actually get something
  else)
- Separate message flow state from handshake state (in order to better
  understand each)
  - message flow state = when to flush buffers; handling restarts in the
    event of NBIO events; handling the common flow of steps for reading a
    message and the common flow of steps for writing a message etc
  - handshake state = what handshake message are we working on now
- Control complexity: only the state machine can change state: keep all
  the state changes local to a file

This builds on previous state machine related work:
- Surface CCS processing in the state machine
- Version negotiation rewrite

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Matt Caswell
9ab930b27d Split ssl3_get_message
The function ssl3_get_message gets a whole message from the underlying bio
and returns it to the state machine code. The new state machine code will
split this into two discrete steps: get the message header and get the
message body. This commit splits the existing function into these two
sub steps to facilitate the state machine implementation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Alessandro Ghedini
070c23325a Remove useless code
RT#4081

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Alessandro Ghedini
3f6c769187 Fix memory leaks and other mistakes on errors
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Matt Caswell
3fde6c9276 Avoid undefined behaviour in PACKET_buf_init
Change the sanity check in PACKET_buf_init to check for excessive length
buffers, which should catch the interesting cases where len has been cast
from a negative value whilst avoiding any undefined behaviour.

RT#4094

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-21 16:13:53 +01:00
Emilia Kasper
f4f78ff7da PACKET: fix __owur
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-15 16:20:22 +02:00
Emilia Kasper
bbafa47b55 Appease gcc's Wmaybe-uninitialized
False positive: gcc (4.8) can't figure out the SSL_IS_DTLS logic.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-15 16:19:00 +02:00
Dr. Stephen Henson
9076bd25bf Make no-psk compile without warnings.
PR#4035

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-11 13:38:01 +01:00
Emilia Kasper
3101154481 DTLS: remove unused cookie field
Note that this commit constifies a user callback parameter and therefore
will break compilation for applications using this callback. But unless
they are abusing write access to the buffer, the fix is trivial.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-09 15:32:35 +02:00
Emilia Kasper
329428708d PACKET: simplify ServerKeyExchange parsing
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-08 16:44:39 +02:00
Matt Caswell
68a1662851 Don't advance PACKET in ssl_check_for_safari
The function ssl_check_for_safari fingerprints the incoming extensions
to see whether it is one of the broken versions of safari. However it was
failing to reset the PACKET back to the same position it started in, hence
causing some extensions to be skipped incorrectly.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-10-07 16:17:52 +01:00
Emilia Kasper
20218b58b5 SSLv2 compat ciphers: clarify comment
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-06 18:03:51 +02:00
Andy Polyakov
f4bd5de544 Address more Windows warnings illuminated by mingw.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-10-06 09:44:27 +02:00
Alessandro Ghedini
52a48f9eed Validate ClientHello extension field length
RT#4069

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:43:00 +01:00
Emilia Kasper
67202973cf Add PACKET_copy_all
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Emilia Kasper
bf0fc41266 ssl_sess.c: grab a copy of the session ID
The user callback takes a non-const pointer, so don't pass PACKET data
to it directly; rather, grab a local copy.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Emilia Kasper
38a3cbfbf7 PACKETize and clean up ssl_bytes_to_cipher_list.
Fix alerts.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Emilia Kasper
b3e2272c59 ssl3_get_client_hello: rearrange logic
Move all packet parsing to the beginning of the method. This limits the
SSLv2 compatibility soup to the parsing, and makes the rest of the
processing uniform.

This is also needed for simpler EMS support: EMS servers need to do an
early scan for EMS to make resumption decisions. This'll be easier when
the entire ClientHello is parsed in the beginning.

As a side effect,
1) PACKETize ssl_get_prev_session and tls1_process_ticket; and
2) Delete dead code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Richard Levitte
2ff00bdbc4 make depend
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-10-05 11:08:18 +02:00
Rich Salz
9982cbbbf6 Remove BIO_s_file_internal macro.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-02 14:22:05 -04:00
Matt Caswell
c84f7f4a74 Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2
This patch updates the "DEFAULT" cipherstring to be
"ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
internally by a flag on each ciphersuite indicating whether it should be
excluded from DEFAULT or not. This gives us control at an individual
ciphersuite level as to exactly what is in DEFAULT and what is not.

Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
and hence removed from DEFAULT.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-30 19:15:06 +01:00
David Woodhouse
984d6c6052 Fix no-stdio build
Much related/similar work also done by
Ivan Nestlerode <ivan.nestlerode@sonos.com>

   +Replace FILE BIO's with dummy ops that fail.
   +Include <stdio.h> for sscanf() even with no-stdio (since the declaration
    is there). We rely on sscanf() to parse the OPENSSL_ia32cap environment
    variable, since it can be larger than a 'long'. And we don't rely on the
    availability of strtoull().
   +Remove OPENSSL_stderr(); not used.
   +Make OPENSSL_showfatal() do nothing (currently without stdio there's
    nothing we can do).
   +Remove file-based functionality from ssl/. The function
    prototypes were already gone, but not the functions themselves.
   +Remove unviable conf functionality via SYS_UEFI
   +Add fallback definition of BUFSIZ.
   +Remove functions taking FILE * from header files.
   +Add missing DECLARE_PEM_write_fp_const
   +Disable X509_LOOKUP_hash_dir(). X509_LOOKUP_file() was already compiled out,
    so remove its prototype.
   +Use OPENSSL_showfatal() in CRYPTO_destroy_dynlockid().
   +Eliminate SRP_VBASE_init() and supporting functions. Users will need to
    build the verifier manually instead.
   +Eliminate compiler warning for unused do_pk8pkey_fp().
   +Disable TEST_ENG_OPENSSL_PKEY.
   +Disable GOST engine as is uses [f]printf all over the place.
   +Eliminate compiler warning for unused send_fp_chars().

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-29 21:59:19 -04:00
Emilia Kasper
fc5ce51d17 PACKET: simplify ServerHello parsing
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-28 16:22:21 +02:00
Emilia Kasper
e711da714b RT2772: accept empty SessionTicket
RFC 5077 section 3.3 says:
If the server determines that it does not want to include a
ticket after it has included the SessionTicket extension in the
ServerHello, then it sends a zero-length ticket in the
NewSessionTicket handshake message.

Previously the client would fail upon attempting to allocate a
zero-length buffer. Now, we have the client ignore the empty ticket and
keep the existing session.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 16:00:25 +02:00
Matt Caswell
d84a7b20e3 Add ability to set default CA path and file locations individually
Previously you could only set both the default path and file locations
together. This adds the ability to set one without the other.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:49:59 +01:00
Matt Caswell
373dc6e196 Sanity check cookie_len
Add a sanity check that the cookie_len returned by app_gen_cookie_cb is
valid.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:27 +01:00
Matt Caswell
912c89c529 Remove remaining old listen code
The old implementation of DTLSv1_listen which has now been replaced still
had a few vestiges scattered throughout the code. This commit removes them.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Matt Caswell
e3d0dae7cf DTLSv1_listen rewrite
The existing implementation of DTLSv1_listen() is fundamentally flawed. This
function is used in DTLS solutions to listen for new incoming connections
from DTLS clients. A client will send an initial ClientHello. The server
will respond with a HelloVerifyRequest containing a unique cookie. The
client the responds with a second ClientHello - which this time contains the
cookie.

Once the cookie has been verified then DTLSv1_listen() returns to user code,
which is typically expected to continue the handshake with a call to (for
example) SSL_accept().

Whilst listening for incoming ClientHellos, the underlying BIO is usually in
an unconnected state. Therefore ClientHellos can come in from *any* peer.
The arrival of the first ClientHello without the cookie, and the second one
with it, could be interspersed with other intervening messages from
different clients.

The whole purpose of this mechanism is as a defence against DoS attacks. The
idea is to avoid allocating state on the server until the client has
verified that it is capable of receiving messages at the address it claims
to come from. However the existing DTLSv1_listen() implementation completely
fails to do this. It attempts to super-impose itself on the standard state
machine and reuses all of this code. However the standard state machine
expects to operate in a stateful manner with a single client, and this can
cause various problems.

A second more minor issue is that the return codes from this function are
quite confused, with no distinction made between fatal and non-fatal errors.
Most user code treats all errors as non-fatal, and simply retries the call
to DTLSv1_listen().

This commit completely rewrites the implementation of DTLSv1_listen() and
provides a stand alone implementation that does not rely on the existing
state machine. It also provides more consistent return codes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Emilia Kasper
6a12a5740b PACKET: simplify
Get rid of the third field that is no longer needed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 20:42:18 +02:00
Emilia Kasper
e9fa092efc Remove ssl_put_cipher_by_char
Since SSLv3, a CipherSuite is always 2 bytes. The only place where we
need 3-byte ciphers is SSLv2-compatible ClientHello processing.

So, remove the ssl_put_cipher_by_char indirection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 20:34:25 +02:00
Dr. Stephen Henson
f1c412c9e6 Handle SSL_ERROR_WANT_X509_LOOKUP
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-20 14:19:49 +01:00
Emilia Kasper
88f84eb257 Remove PACKET_back
It's unused, and the same functionality can be achieved with saving a
copy of the struct.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-18 13:04:07 +02:00
Emilia Kasper
4bd16463b8 Remove PACKET_(get|goto)_bookmark
The bookmark API results in a lot of boilerplate error checking that can
be much more easily achieved with a simple struct copy. It also lays the
path for removing the third PACKET field.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-17 18:47:33 +02:00
Filipe DA SILVA
0e04674e96 RT4047: Set reference count earlier
Make sure it's valid very early.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-17 11:58:24 -04:00