Commit graph

68 commits

Author SHA1 Message Date
Matt Caswell
80d09058af The first call to query the mtu in dtls1_do_write correctly checks that the
mtu that we have received is not less than the minimum. If its less it uses the
minimum instead. The second call to query the mtu does not do that, but
instead uses whatever comes back. We have seen an instance in RT#3592 where we
have got an unreasonably small mtu come back. This commit makes both query
checks consistent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6abb0d1f8e)
2014-12-03 09:30:21 +00:00
Matt Caswell
3cc0c0d21c The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 001235778a)
2014-12-03 09:30:21 +00:00
Matt Caswell
5e47008b61 Verify that we have a sensible message len and fail if not
RT#3592 provides an instance where the OPENSSL_assert that this commit
replaces can be hit. I was able to recreate this issue by forcing the
underlying BIO to misbehave and come back with very small mtu values. This
happens the second time around the while loop after we have detected that the
MTU has been exceeded following the call to dtls1_write_bytes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit cf75017bfd)
2014-12-03 09:30:21 +00:00
Matt Caswell
60de554e4f Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask
PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8a35dbb6d8)
2014-11-26 10:11:25 +00:00
Erik Auerswald
ff89be854e RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e)
2014-09-08 11:23:02 -04:00
Adam Langley
d345a24569 Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:24 +01:00
Matt Caswell
3d5dceac43 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
aad61c0a57 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
8ca4c4b25e Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Matt Caswell
0598468fc0 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Matt Caswell
ea7cb53974 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
4985007555 Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Dr. Stephen Henson
cea5a1d5f2 Fix null pointer errors.
PR#3394
(cherry picked from commit 7a9d59c148)
2014-06-10 14:48:02 +01:00
Dr. Stephen Henson
eb6508d50c Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.
(cherry picked from commit 1632ef7448)
2014-06-05 13:24:50 +01:00
Dr. Stephen Henson
8942b92c7c Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(cherry picked from commit d3152655d5)
2014-06-05 13:24:36 +01:00
Sami Farin
6468866823 Typo: set i to -1 before goto.
PR#3302
(cherry picked from commit 9717f01951f976f76dd40a38d9fc7307057fa4c4)
2014-06-02 13:53:54 +01:00
Dr. Stephen Henson
7e840163c0 Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
(cherry picked from commit 96db9023b8)
2014-04-07 19:25:34 +01:00
Dr. Stephen Henson
80b6d97585 Fix DTLS retransmission from previous session.
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
(cherry picked from commit 34628967f1)
2013-12-20 23:25:41 +00:00
Dr. Stephen Henson
b60b9e7afe Enable TLS 1.2 ciphers in DTLS 1.2.
Port TLS 1.2 GCM code to DTLS. Enable use of TLS 1.2 only ciphers when in
DTLS 1.2 mode too.
(cherry picked from commit 4221c0dd30)
2013-09-18 13:46:02 +01:00
Dr. Stephen Henson
68039af3e7 Remove versions test from dtls1_buffer_message
Since this is always called from DTLS code it is safe to assume the header
length should be the DTLS value. This avoids the need to check the version
number and should work with any version of DTLS (not just 1.0).
(cherry picked from commit 9cf0f18754)
2013-09-18 13:46:02 +01:00
Dr. Stephen Henson
741c9959f6 DTLS revision.
Revise DTLS code. There was a *lot* of code duplication in the
DTLS code that generates records. This makes it harder to maintain and
sometimes a TLS update is omitted by accident from the DTLS code.

Specifically almost all of the record generation functions have code like
this:

some_pointer = buffer + HANDSHAKE_HEADER_LENGTH;
... Record creation stuff ...
set_handshake_header(ssl, SSL_MT_SOMETHING, message_len);

...

write_handshake_message(ssl);

Where the "Record creation stuff" is identical between SSL/TLS and DTLS or
in some cases has very minor differences.

By adding a few fields to SSL3_ENC to include the header length, some flags
and function pointers for handshake header setting and handshake writing the
code can cope with both cases.

(cherry picked from commit 173e72e64c)
2013-09-18 13:46:02 +01:00
Michael Tuexen
3f84d34c37 Avoid unnecessary fragmentation.
(cherry picked from commit 80ccc66d7e)
2013-03-18 14:32:59 +00:00
Dr. Stephen Henson
7e65b21a24 Backport: Revise ssl code to use CERT_PKEY structure when outputting a certificate chain (from HEAD) 2012-04-06 12:00:24 +00:00
Dr. Stephen Henson
736d69750d Backport: tidy/enhance certificate chain output code (from HEAD) 2012-04-06 11:58:17 +00:00
Dr. Stephen Henson
25bfdca16a PR: 2755
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions.
2012-03-06 13:47:27 +00:00
Dr. Stephen Henson
a54ce007e6 PR: 2739
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix padding bugs in Heartbeat support.
2012-02-27 16:38:10 +00:00
Dr. Stephen Henson
bd6941cfaa PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 23:00:36 +00:00
Dr. Stephen Henson
e065e6cda2 PR: 2535
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Add SCTP support for DTLS (RFC 6083).
2011-12-25 14:45:40 +00:00
Dr. Stephen Henson
5372f5f989 PR: 2628
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Send alert instead of assertion failure for incorrectly formatted DTLS
fragments.
2011-10-27 13:06:43 +00:00
Dr. Stephen Henson
56f5ab43c2 PR: 2602
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS bug which prevents manual MTU setting
2011-09-23 13:35:05 +00:00
Dr. Stephen Henson
2ab42de1ec PR: 2462
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS Retransmission Buffer Bug
2011-04-03 17:14:48 +00:00
Dr. Stephen Henson
ac2024ccbf PR: 2458
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Don't change state when answering DTLS ClientHello.
2011-04-03 16:25:54 +00:00
Dr. Stephen Henson
93164a7d64 PR: 2457
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS fragment reassembly bug.
2011-04-03 15:48:32 +00:00
Dr. Stephen Henson
8c1e7de6cb PR: 2230
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix bug in bitmask macros and stop warnings.
2010-05-03 13:01:50 +00:00
Dr. Stephen Henson
9f827ded1c fix signed/unsigned comparison warnings 2010-04-14 00:41:01 +00:00
Dr. Stephen Henson
1507f3abba PR: 2230
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix various DTLS fragment reassembly bugs.
2010-04-14 00:17:29 +00:00
Dr. Stephen Henson
7b52778eff PR: 1731 and maybe 2197
Clear error queue in a few places in SSL code where errors are expected
so they don't stay in the queue.
2010-03-24 23:16:49 +00:00
Dr. Stephen Henson
d5b8c46499 PR: 2115
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Add Renegotiation extension to DTLS, fix DTLS ClientHello processing bug.
2009-12-01 17:41:42 +00:00
Dr. Stephen Henson
23b97c6bb5 PR: 2089
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS Fragment size bug fix.
2009-11-02 13:37:17 +00:00
Dr. Stephen Henson
29c2fd46d2 PR: 2054
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_ctrl error handling
2009-10-01 00:03:50 +00:00
Dr. Stephen Henson
a4bade7aac PR: 1997
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timeout handling fix.
2009-08-12 13:21:26 +00:00
Dr. Stephen Henson
5135d6b985 Fix error codes and indentation. 2009-07-15 11:32:58 +00:00
Dr. Stephen Henson
dbb834ffeb Update from 0.9.8-stable. 2009-06-28 16:24:11 +00:00
Dr. Stephen Henson
7074f1df07 Stop gcc bracket warning. 2009-06-05 14:57:10 +00:00
Dr. Stephen Henson
4e63da0669 PR: 1950
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve@openssl.org

DTLS fragment retransmission bug.
2009-06-05 14:46:49 +00:00
Dr. Stephen Henson
abda7c1147 PR: 1931
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix fragment handling memory leak.
2009-05-16 16:22:11 +00:00
Dr. Stephen Henson
d6584eba8c PR: 1922
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS Timer bug fix.
2009-05-15 22:58:13 +00:00
Dr. Stephen Henson
561cbe5678 PR: 1923
Submitted by: Daniel Mentz <daniel.m@sent.com>, Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Don't access freed data structure.
2009-05-13 11:51:30 +00:00
Dr. Stephen Henson
a543ea44bc Fix WIN32 warning. 2009-04-22 12:17:02 +00:00
Dr. Stephen Henson
b452f43322 PR: 1751
Submitted by: David Woodhouse <dwmw2@infradead.org>
Approved by: steve@openssl.org

Compatibility patches for Cisco VPN client DTLS.
2009-04-19 18:03:13 +00:00