This patch contains the necessary changes to provide GOST 2012
ciphersuites in TLS. It requires the use of an external GOST 2012 engine.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.
Thanks to the Open Crypto Audit Project for identifying this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
The function tls1_get_curvelist() has an explicit check to see if s->cert
is NULL or not. However the check appears *after* calling the tls1_suiteb
macro which derefs s->cert. In reality s->cert can never be NULL because
it is created in SSL_new(). If the malloc fails then the SSL_new call fails
and no SSL object is created.
Reviewed-by: Tim Hudson <tjh@openssl.org>
if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise
the approach in libssl.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
This OPENSSL_assert in (d)tls1_hearbeat is trivially always going to be
true because it is testing the sum of values that have been set as
constants just a few lines above and nothing has changed them. Therefore
remove this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The SSL variable |in_handshake| seems misplaced. It would be better to have
it in the STATEM structure.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
The function ssl_check_for_safari fingerprints the incoming extensions
to see whether it is one of the broken versions of safari. However it was
failing to reset the PACKET back to the same position it started in, hence
causing some extensions to be skipped incorrectly.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Move all packet parsing to the beginning of the method. This limits the
SSLv2 compatibility soup to the parsing, and makes the rest of the
processing uniform.
This is also needed for simpler EMS support: EMS servers need to do an
early scan for EMS to make resumption decisions. This'll be easier when
the entire ClientHello is parsed in the beginning.
As a side effect,
1) PACKETize ssl_get_prev_session and tls1_process_ticket; and
2) Delete dead code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG.
Reviewed-by: Matt Caswell <matt@openssl.org>
The bookmark API results in a lot of boilerplate error checking that can
be much more easily achieved with a simple struct copy. It also lays the
path for removing the third PACKET field.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Commit 9ceb2426b0 (PACKETise ClientHello) broke session tickets by failing
to detect the session ticket extension in an incoming ClientHello. This
commit fixes the bug.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Enhance the PACKET code readability, and fix a stale comment. Thanks
to Ben Kaduk (bkaduk@akamai.com) for pointing this out.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
It is valid for an extension block to be present in a ClientHello, but to
be of zero length.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
This adds additional checks to the processing of extensions in a ClientHello
to ensure that either no extensions are present, or if they are then they
take up the exact amount of space expected.
With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: Stephen Henson <steve@openssl.org>
The size of the SRP extension can never be negative (the variable
|size| is unsigned). Therefore don't check if it is less than zero.
RT#3862
Reviewed-by: Richard Levitte <levitte@openssl.org>
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else.
The result:
$ openssl s_server -named_curves "auto"
This command will negotiate an ECDHE ciphersuite with P-256:
$ openssl s_client
This command will negotiate P-384:
$ openssl s_client -curves "P-384"
This command will not negotiate ECDHE because P-224 is disabled with "auto":
$ openssl s_client -curves "P-224"
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Move per-connection state out of the CERT structure: which should just be
for shared configuration data (e.g. certificates to use).
In particular move temporary premaster secret, raw ciphers, peer signature
algorithms and shared signature algorithms.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Following the version negotiation rewrite all of the previous code that was
dedicated to version negotiation can now be deleted - all six source files
of it!!
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Remove RFC2712 Kerberos support from libssl. This code and the associated
standard is no longer considered fit-for-purpose.
Reviewed-by: Rich Salz <rsalz@openssl.org>
For the various string-compare routines (strcmp, strcasecmp, str.*cmp)
use "strcmp()==0" instead of "!strcmp()"
Reviewed-by: Tim Hudson <tjh@openssl.org>
Compiling OpenSSL code with MSVC and /W4 results in a number of warnings.
One category of warnings is particularly interesting - C4701 (potentially
uninitialized local variable 'name' used). This warning pretty much means
that there's a code path which results in uninitialized variables being used
or returned. Depending on compiler, its options, OS, values in registers
and/or stack, the results can be nondeterministic. Cases like this are very
hard to debug so it's rational to fix these issues.
This patch contains a set of trivial fixes for all the C4701 warnings (just
initializing variables to 0 or NULL or appropriate error code) to make sure
that deterministic values will be returned from all the execution paths.
RT#3835
Signed-off-by: Matt Caswell <matt@openssl.org>
Matt's note: All of these appear to be bogus warnings, i.e. there isn't
actually a code path where an unitialised variable could be used - its just
that the compiler hasn't been able to figure that out from the logic. So
this commit is just about silencing spurious warnings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Don't check for NULL before calling a free routine. This gets X509_.*free:
x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free
X509_STORE_free X509_STORE_CTX_free X509_PKEY_free
X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free
Reviewed-by: Richard Levitte <levitte@openssl.org>
The recent updates to libssl to enforce stricter return code checking, left
a small number of instances behind where return codes were being swallowed
(typically because the function they were being called from was declared as
void). This commit fixes those instances to handle the return codes more
appropriately.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).
Reviewed-by: Emilia Käsper <emilia@openssl.org>
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.
Thanks to David Ramos of Stanford University for reporting this bug.
CVE-2015-0291
Reviewed-by: Tim Hudson <tjh@openssl.org>
If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY
or the type of the public key is unrecognised then the local variable
|cpk| in tls1_check_chain does not get initialised. Subsequently an
attempt is made to deref it (after the "end" label), and a seg fault will
result.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>