Commit graph

132 commits

Author SHA1 Message Date
Viktor Dukhovni
4fa52141b0 Protocol version selection and negotiation rewrite
The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-02 10:49:06 -05:00
Kurt Roeckx
7946ab33ce Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-02 10:47:52 -05:00
Dr. Stephen Henson
6938c954b0 Remove unused cert_verify_mac code
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-25 18:22:12 +00:00
Matt Caswell
a71edf3ba2 Standardise our style for checking malloc failures
if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise
the approach in libssl.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-09 22:48:41 +00:00
Matt Caswell
267b7789f8 Remove a trivially true OPENSSL_assert
This OPENSSL_assert in (d)tls1_hearbeat is trivially always going to be
true because it is testing the sum of values that have been set as
constants just a few lines above and nothing has changed them. Therefore
remove this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 14:29:37 +00:00
Matt Caswell
3616bb6358 Make dtls1_link_min_mtu static
The function dtls1_link_min_mtu() was only used within d1_lib.c so make
it static.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
024f543c15 Move in_handshake into STATEM
The SSL variable |in_handshake| seems misplaced. It would be better to have
it in the STATEM structure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
31fd10e60d Fix DTLSv1_listen following state machine changes
Adding the new state machine broke the DTLSv1_listen code because
calling SSL_in_before() was erroneously returning true after DTLSv1_listen
had successfully completed. This change ensures that SSL_in_before returns
false.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
fe3a329117 Change statem prefix to ossl_statem
Change various state machine functions to use the prefix ossl_statem
instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
8ba708e516 Reorganise state machine files
Pull out the state machine into a separate sub directory. Also moved some
functions which were nothing to do with the state machine but were in state
machine files. Pulled all the SSL_METHOD definitions into one place...most
of those files had very little left in them any more.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
5e41ba031e Convert DTLSv1_listen to use new state machine code
The DTLSv1_listen code set the state value explicitly to move into init.
Change to use state_set_in_init() instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Emilia Kasper
3101154481 DTLS: remove unused cookie field
Note that this commit constifies a user callback parameter and therefore
will break compilation for applications using this callback. But unless
they are abusing write access to the buffer, the fix is trivial.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-09 15:32:35 +02:00
Matt Caswell
373dc6e196 Sanity check cookie_len
Add a sanity check that the cookie_len returned by app_gen_cookie_cb is
valid.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:27 +01:00
Matt Caswell
e3d0dae7cf DTLSv1_listen rewrite
The existing implementation of DTLSv1_listen() is fundamentally flawed. This
function is used in DTLS solutions to listen for new incoming connections
from DTLS clients. A client will send an initial ClientHello. The server
will respond with a HelloVerifyRequest containing a unique cookie. The
client the responds with a second ClientHello - which this time contains the
cookie.

Once the cookie has been verified then DTLSv1_listen() returns to user code,
which is typically expected to continue the handshake with a call to (for
example) SSL_accept().

Whilst listening for incoming ClientHellos, the underlying BIO is usually in
an unconnected state. Therefore ClientHellos can come in from *any* peer.
The arrival of the first ClientHello without the cookie, and the second one
with it, could be interspersed with other intervening messages from
different clients.

The whole purpose of this mechanism is as a defence against DoS attacks. The
idea is to avoid allocating state on the server until the client has
verified that it is capable of receiving messages at the address it claims
to come from. However the existing DTLSv1_listen() implementation completely
fails to do this. It attempts to super-impose itself on the standard state
machine and reuses all of this code. However the standard state machine
expects to operate in a stateful manner with a single client, and this can
cause various problems.

A second more minor issue is that the return codes from this function are
quite confused, with no distinction made between fatal and non-fatal errors.
Most user code treats all errors as non-fatal, and simply retries the call
to DTLSv1_listen().

This commit completely rewrites the implementation of DTLSv1_listen() and
provides a stand alone implementation that does not rely on the existing
state machine. It also provides more consistent return codes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Rich Salz
b51bce9420 Add and use OPENSSL_zalloc
There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-02 22:05:37 -04:00
Rich Salz
fbfcb22439 RT3999: Remove sub-component version strings
Especially since after the #ifdef cleanups this is not useful.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-10 12:13:32 -04:00
Rich Salz
16f8d4ebf0 memset, memcpy, sizeof consistency fixes
Just as with the OPENSSL_malloc calls, consistently use sizeof(*ptr)
for memset and memcpy.  Remove needless casts for those functions.
For memset, replace alternative forms of zero with 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-05 22:18:59 -04:00
Rich Salz
b4faea50c3 Use safer sizeof variant in malloc
For a local variable:
        TYPE *p;
Allocations like this are "risky":
        p = OPENSSL_malloc(sizeof(TYPE));
if the type of p changes, and the malloc call isn't updated, you
could get memory corruption.  Instead do this:
        p = OPENSSL_malloc(sizeof(*p));
Also fixed a few memset() calls that I noticed while doing this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-04 15:00:13 -04:00
Rich Salz
25aaa98aa2 free NULL cleanup -- coda
After the finale, the "real" final part. :)  Do a recursive grep with
"-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are
an "if NULL" check that can be removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-01 14:37:16 -04:00
Matt Caswell
fb45690275 Remove redundant includes from dtls1.h
There were a set of includes in dtls1.h which are now redundant due to the
libssl opaque work. This commit removes those includes, which also has the
effect of resolving one issue preventing building on windows (i.e. the
include of winsock.h)

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-30 11:34:51 +01:00
Viktor Dukhovni
61986d32f3 Code style: space after 'if'
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-16 13:44:59 -04:00
Matt Caswell
24a1e2f2ec Move buffered_app_data from s->d1 to s->rlayer.d
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-26 15:02:00 +00:00
Matt Caswell
5fb6f80cdf Fix seg fault in dtls1_new
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-26 15:02:00 +00:00
Matt Caswell
cb2ce7abfd Moved processed_rcds and unprocessed_rcds from s->d1 to s->rlayer.d
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-26 15:02:00 +00:00
Matt Caswell
78a39fe735 Move r_epoch and w_epoch from s->d1 to s->rlayer.d
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-26 15:02:00 +00:00
Matt Caswell
40f37188a6 Introduce a DTLS_RECORD_LAYER type for DTLS record layer state
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-26 15:02:00 +00:00
Matt Caswell
c7f5b5d7bc Fix SSL_clear unused return
Fix missing return value check in dtls1_listen when calling SSL_clear().

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-23 16:02:21 +00:00
Matt Caswell
77d514c5a0 ssl3_set_handshake_header returns
Change ssl_set_handshake_header from return void to returning int, and
handle error return code appropriately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-23 15:23:24 +00:00
Matt Caswell
69f6823748 Fix missing return value checks
Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-23 15:23:11 +00:00
Matt Caswell
e83ee04bb7 Fix Seg fault in DTLSv1_listen
The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.

CVE-2015-0207

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 11:11:02 +00:00
David Woodhouse
f7683aaf36 Wrong SSL version in DTLS1_BAD_VER ClientHello
Since commit 741c9959 ("DTLS revision."), we put the wrong protocol
version into our ClientHello for DTLS1_BAD_VER. The old DTLS
code which used ssl->version was replaced by the more generic SSL3 code
which uses ssl->client_version. The Cisco ASA no longer likes our
ClientHello.

RT#3711

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-09 11:04:39 +00:00
Matt Caswell
d2a0d72f33 Fix post-reformat errors preventing windows compilation
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 14:09:37 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Kurt Roeckx
6c42b39c95 dtls1_new: free s on error path
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 23:48:44 +01:00
Matt Caswell
71c16698fa Remove incorrect code inadvertently introduced through commit 59669b6ab.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-04 14:17:50 +00:00
Matt Caswell
047f21593e Only use the fallback mtu after 2 unsuccessful retransmissions if it is less
than the mtu we are already using

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:53 +00:00
Matt Caswell
59669b6abf Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP)
and instead use the value provided by the underlying BIO. Also provide some
new DTLS_CTRLs so that the library user can set the mtu without needing to
know this constant. These new DTLS_CTRLs provide the capability to set the
link level mtu to be used (i.e. including this IP/UDP overhead). The previous
DTLS_CTRLs required the library user to subtract this overhead first.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:12 +00:00
Matt Caswell
001235778a The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:23:46 +00:00
Matt Caswell
8a35dbb6d8 Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask
PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-11-26 10:10:21 +00:00
Bodo Moeller
cf6da05304 Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:03:28 +02:00
Ben Laurie
8892ce7714 Constification - mostly originally from Chromium. 2014-06-29 21:05:23 +01:00
zhu qun-ying
470990fee0 Free up s->d1->buffered_app_data.q properly.
PR#3286
2014-06-02 23:55:55 +01:00
Andy Polyakov
972b0dc350 bss_dgram.c,d1_lib.c: make it compile with mingw.
Submitted by: Roumen Petrov
2014-03-06 14:04:56 +01:00
Dr. Stephen Henson
c6913eeb76 Dual DTLS version methods.
Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.

As with SSL/TLS options can change this behaviour specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
2013-04-09 14:02:48 +01:00
Dr. Stephen Henson
04638f2fc3 Set s->d1 to NULL after freeing it. 2013-04-08 18:24:42 +01:00
Dr. Stephen Henson
4221c0dd30 Enable TLS 1.2 ciphers in DTLS 1.2.
Port TLS 1.2 GCM code to DTLS. Enable use of TLS 1.2 only ciphers when in
DTLS 1.2 mode too.
2013-03-28 14:14:27 +00:00
Dr. Stephen Henson
c3b344e36a Provisional DTLS 1.2 support.
Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.

Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.
2013-03-26 15:16:41 +00:00
Dr. Stephen Henson
173e72e64c DTLS revision.
Revise DTLS code. There was a *lot* of code duplication in the
DTLS code that generates records. This makes it harder to maintain and
sometimes a TLS update is omitted by accident from the DTLS code.

Specifically almost all of the record generation functions have code like
this:

some_pointer = buffer + HANDSHAKE_HEADER_LENGTH;
... Record creation stuff ...
set_handshake_header(ssl, SSL_MT_SOMETHING, message_len);

...

write_handshake_message(ssl);

Where the "Record creation stuff" is identical between SSL/TLS and DTLS or
in some cases has very minor differences.

By adding a few fields to SSL3_ENC to include the header length, some flags
and function pointers for handshake header setting and handshake writing the
code can cope with both cases.

Note: although this passes "make test" and some simple DTLS tests there may
be some minor differences in the DTLS code that have to be accounted for.
2013-03-18 14:36:43 +00:00
Andy Polyakov
a006fef78e Improve WINCE support.
Submitted by: Pierre Delaage
2013-01-19 21:23:13 +01:00
Andy Polyakov
f469880c61 d1_lib.c,bss_dgram.c: eliminate dependency on _ftime. 2012-12-16 19:02:59 +00:00
Dr. Stephen Henson
aa09c2c631 correct error codes 2012-04-18 15:36:12 +00:00
Dr. Stephen Henson
ea6e386008 PR: 2756
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix DTLS timeout handling.
2012-03-09 15:52:33 +00:00
Dr. Stephen Henson
62b6948a27 PR: 2755
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions.
2012-03-06 13:47:43 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
7e159e0133 PR: 2535
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Add SCTP support for DTLS (RFC 6083).
2011-12-25 14:45:15 +00:00
Ben Laurie
e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00
Dr. Stephen Henson
1d7392f219 PR: 2602
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS bug which prevents manual MTU setting
2011-09-23 13:34:48 +00:00
Dr. Stephen Henson
861a7e5c9f PR: 2543
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Correctly handle errors in DTLSv1_handle_timeout()
2011-06-22 15:30:14 +00:00
Dr. Stephen Henson
006b54a8eb Oops use up to date patch for PR#2506 2011-05-25 14:30:20 +00:00
Dr. Stephen Henson
7832d6ab1c PR: 2506
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fully implement SSL_clear for DTLS.
2011-05-25 12:28:06 +00:00
Dr. Stephen Henson
4058861f69 PR: 2462
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS Retransmission Buffer Bug
2011-04-03 17:14:35 +00:00
Richard Levitte
ec44f0ebfa Taken from OpenSSL_1_0_0-stable:
Include proper header files for time functions.
Submitted by Arpadffy Zoltan <Zoltan.Arpadffy@scientificgames.se>
2010-11-22 18:25:04 +00:00
Dr. Stephen Henson
87a37cbadd PR: 2223
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fixes for DTLS timeout bug
2010-04-06 12:29:31 +00:00
Dr. Stephen Henson
8025e25113 PR: 2121
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Add extension support to DTLS code mainly using existing implementation for
TLS.
2009-12-08 11:37:40 +00:00
Dr. Stephen Henson
499684404c PR: 2115
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
2009-12-01 17:42:15 +00:00
Dr. Stephen Henson
1fc3ac806d PR: 2033
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS listen support.
2009-09-09 17:05:18 +00:00
Dr. Stephen Henson
3ed3603b60 Update default dependency flags.
Make error name discrepancies a fatal error.
Fix error codes.
make update
2009-08-12 17:30:37 +00:00
Dr. Stephen Henson
b972fbaa8f PR: 1997
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timeout handling fix.
2009-08-12 13:19:54 +00:00
Dr. Stephen Henson
6cf41fec72 Update from 1.0.0-stable. 2009-05-31 17:13:09 +00:00
Dr. Stephen Henson
48fd490c6d Update from 1.0.0-stable. 2009-05-16 11:16:43 +00:00
Dr. Stephen Henson
9289f21b7d Update from 1.0.0 stable branch. 2009-05-16 11:15:42 +00:00
Dr. Stephen Henson
eb38b26dbc Update from 1.0.0-stable. 2009-05-15 22:58:40 +00:00
Dr. Stephen Henson
8711efb498 Updates from 1.0.0-stable branch. 2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
e5fa864f62 Updates from 1.0.0-stable. 2009-04-15 15:27:03 +00:00
Ben Laurie
babb379849 Type-checked (and modern C compliant) OBJ_bsearch. 2008-10-12 14:32:47 +00:00
Andy Polyakov
5d58f1bbfe Prohibit RC4 in DTLS. 2007-10-05 21:04:56 +00:00
Dr. Stephen Henson
42182852f5 Constify version strings is ssl lib. 2007-01-21 16:06:05 +00:00
Nils Larsch
01a9792f05 remove unused internal foo_base_method functions 2005-08-08 19:04:37 +00:00
Dr. Stephen Henson
f3b656b246 Initialize SSL_METHOD structures at compile time. This removes the need
for locking code. The CRYPTO_LOCK_SSL_METHOD lock is now no longer used.
2005-08-05 23:56:11 +00:00
Andy Polyakov
dffdb56b7f "Liberate" dtls from BN dependency. Fix bug in replay/update. 2005-06-07 22:21:14 +00:00
Richard Levitte
188b05792f pqueue and dtls uses 64-bit values. Unfortunately, OpenSSL doesn't
have a uniform representation for those over all architectures, so a
little bit of hackery is needed.

Contributed by nagendra modadugu <nagendra@cs.stanford.edu>
2005-05-30 22:34:37 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00