Commit graph

1749 commits

Author SHA1 Message Date
Matt Caswell
8744ba5e42 Check the message type requested is the type received in DTLS
dtls1_get_message has an |mt| variable which is the type of the message that
is being requested. If it is negative then any message type is allowed.
However the value of |mt| is not checked in one of the main code paths, so a
peer can send a message of a completely different type and it will be
processed as if it was the message type that we were expecting. This has
very little practical consequences because the current behaviour will still
fail when the format of the message isn't as expected.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c2b1d872b)
2015-06-01 00:30:56 +01:00
Emilia Kasper
b6f33dce3b Fix ssltest to use 1024-bit DHE parameters
Also add more ciphersuite test coverage, and a negative test for
512-bit DHE.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 1ee85aab75)
2015-05-26 12:42:40 +02:00
Matt Caswell
cdc47dcf19 Don't check for a negative SRP extension size
The size of the SRP extension can never be negative (the variable
|size| is unsigned). Therefore don't check if it is less than zero.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 9c89d29083)
2015-05-26 10:38:56 +01:00
Matt Caswell
11414f17d9 Don't send an alert if we've just received one
If the record received is for a version that we don't support, previously we
were sending an alert back. However if the incoming record already looks
like an alert then probably we shouldn't do that. So suppress an outgoing
alert if it looks like we've got one incoming.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-25 17:52:27 +01:00
Richard Levitte
bf42354620 Fix the update target and remove duplicate file updates
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0f539dc1a2)

Conflicts:
	Makefile.org
	apps/Makefile
	test/Makefile
2015-05-23 06:25:12 +02:00
Matt Caswell
e4731f76e2 Fix typo setting up certificate masks
The certificate masks are used to select which ciphersuite we are going to
use. The variables |emask_k| and |emask_a| relate to export grade key
exchange and authentication respecitively. The variables |mask_k| and
|mask_a| are the equivalent versions for non-export grade. This fixes an
instance where the two usages of export/non-export were mixed up. In
practice it makes little difference since it still works!

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fdfe8b06ae)
2015-05-23 00:01:48 +01:00
Matt Caswell
595487ea19 Remove export static DH ciphersuites
Remove support for the two export grade static DH ciphersuites. These two
ciphersuites were newly added (along with a number of other static DH
ciphersuites) to 1.0.2. However the two export ones have *never* worked
since they were introduced. It seems strange in any case to be adding new
export ciphersuites, and given "logjam" it also does not seem correct to
fix them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 13f8eb4730)

Conflicts:
	CHANGES
2015-05-23 00:01:45 +01:00
Lubom
254c01ed54 Lost alert in DTLS
If a client receives a bad hello request in DTLS then the alert is not
sent correctly.

RT#2801

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 4dc1aa0436)
2015-05-22 09:44:44 +01:00
Kurt Roeckx
2d8e705b2a Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ac38115c1a)
2015-05-20 22:19:34 +02:00
Emilia Kasper
f4d1fb7769 Only support >= 256-bit elliptic curves with ecdh_auto (server) or by default (client).
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else.

The result:

$ openssl s_server -named_curves "auto"

This command will negotiate an ECDHE ciphersuite with P-256:

$ openssl s_client

This command will negotiate P-384:

$ openssl s_client -curves "P-384"

This command will not negotiate ECDHE because P-224 is disabled with "auto":

$ openssl s_client -curves "P-224"

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 16:04:37 +02:00
Emilia Kasper
10a70da729 client: reject handshakes with DH parameters < 768 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 14:54:51 +02:00
Matt Caswell
464774d75f Don't allow a CCS when expecting a CertificateVerify
Currently we set change_cipher_spec_ok to 1 before calling
ssl3_get_cert_verify(). This is because this message is optional and if it
is not sent then the next thing we would expect to get is the CCS. However,
although it is optional, we do actually know whether we should be receiving
one in advance. If we have received a client cert then we should expect
a CertificateVerify message. By the time we get to this point we will
already have bombed out if we didn't get a Certificate when we should have
done, so it is safe just to check whether |peer| is NULL or not. If it is
we won't get a CertificateVerify, otherwise we will. Therefore we should
change the logic so that we only attempt to get the CertificateVerify if
we are expecting one, and not allow a CCS in this scenario.

Whilst this is good practice for TLS it is even more important for DTLS.
In DTLS messages can be lost. Therefore we may be in a situation where a
CertificateVerify message does not arrive even though one was sent. In that
case the next message the server will receive will be the CCS. This could
also happen if messages get re-ordered in-flight. In DTLS if
|change_cipher_spec_ok| is not set and a CCS is received it is ignored.
However if |change_cipher_spec_ok| *is* set then a CCS arrival will
immediately move the server into the next epoch. Any messages arriving for
the previous epoch will be ignored. This means that, in this scenario, the
handshake can never complete. The client will attempt to retransmit
missing messages, but the server will ignore them because they are the wrong
epoch. The server meanwhile will still be waiting for the CertificateVerify
which is never going to arrive.

RT#2958

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit a0bd649336)
2015-05-13 11:21:01 +01:00
Matt Caswell
edc2a76ade Check sk_SSL_CIPHER_new_null return value
If sk_SSL_CIPHER_new_null() returns NULL then ssl_bytes_to_cipher_list()
should also return NULL.

Based on an original patch by mrpre <mrpre@163.com>.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 14def5f537)
2015-05-11 11:53:50 +01:00
Matt Caswell
feb96e914a Add more error state transitions (DTLS)
Ensure all fatal errors transition into the new error state for DTLS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cefc93910c)

Conflicts:
	ssl/d1_srvr.c
2015-05-05 20:05:21 +01:00
Matt Caswell
67fb63e9b7 Add more error state transitions (client)
Ensure all fatal errors transition into the new error state on the client
side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cc273a9361)

Conflicts:
	ssl/s3_clnt.c
2015-05-05 20:05:21 +01:00
Matt Caswell
eecc697b65 Add more error state transitions
Ensure all fatal errors transition into the new error state on the server
side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cf9b0b6fb2)

Conflicts:
	ssl/s3_srvr.c
2015-05-05 19:52:26 +01:00
Matt Caswell
e4f77bf183 Add Error state
Reusing an SSL object when it has encountered a fatal error can
have bad consequences. This is a bug in application code not libssl
but libssl should be more forgiving and not crash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a89db885e0)

Conflicts:
	ssl/s3_srvr.c
	ssl/ssl_stat.c
2015-05-05 19:50:12 +01:00
Matt Caswell
9c5efc9c65 Add sanity check to ssl_get_prev_session
Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cb0f400b0c)
2015-04-30 23:21:53 +01:00
Matt Caswell
75862f7741 Sanity check the return from final_finish_mac
The return value is checked for 0. This is currently safe but we should
really check for <= 0 since -1 is frequently used for error conditions.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c427570e50)

Conflicts:
	ssl/ssl_locl.h
2015-04-30 23:21:53 +01:00
Matt Caswell
99ceb2d40c Add sanity check in ssl3_cbc_digest_record
For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst
this is true for all SSLv3 ciphersuites, this fact is far from obvious by
looking at the code. If this were not the case then an integer overflow
would occur, leading to a subsequent buffer overflow. Therefore I have
added an explicit sanity check to ensure header_length is always valid.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 29b0a15a48)
2015-04-30 23:21:53 +01:00
Matt Caswell
1a3701f4fe Sanity check EVP_CTRL_AEAD_TLS_AAD
The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c826988109)

Conflicts:
	ssl/record/ssl3_record.c
2015-04-30 23:21:50 +01:00
Matt Caswell
c5f8cd7bc6 Add length sanity check in SSLv2 n_do_ssl_write()
Fortify flagged up a problem in n_do_ssl_write() in SSLv2. Analysing the
code I do not believe there is a real problem here. However the logic flows
are complicated enough that a sanity check of |len| is probably worthwhile.

Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-29 17:23:45 +01:00
Emilia Kasper
8f0f9ffda3 Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec61
and
7b3ba508af
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6e3d015363)
2015-04-21 19:31:09 +02:00
Emilia Kasper
496c79f60c make update
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-21 17:50:36 +02:00
Emilia Kasper
e697a4c3d7 Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3ae91cfb32)
2015-04-17 18:44:35 +02:00
Viktor Dukhovni
3b38646d13 Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
2015-04-16 13:50:01 -04:00
Matt Caswell
5101c35c91 Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1c9)
2015-04-14 14:59:40 +01:00
Matt Caswell
35bac91676 Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
2015-04-14 14:48:24 +01:00
Emilia Kasper
ae50d82700 Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-08 16:28:42 +02:00
Matt Caswell
8f8e4e4f52 Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:41:28 +00:00
Matt Caswell
a20718fa2c Add ticket length before buffering DTLS message
In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4f9fab6bd0)

Conflicts:
	ssl/s3_srvr.c
2015-03-25 12:29:48 +00:00
Matt Caswell
4285b85163 Ensure last_write_sequence is saved in DTLS1.2
In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d5d0a1cb13)
2015-03-25 12:28:45 +00:00
Kurt Roeckx
fe82be2b33 Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619)
2015-03-24 22:42:30 +01:00
Matt Caswell
bd891f098b Don't check curves that haven't been sent
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b79d24101e)
2015-03-23 14:06:17 +00:00
Matt Caswell
b5dc90121c Fix no-ec with no-ec2m
Fix builds config'd with no-ec and no-ec2m. Technically this combination is
redundant - but the fix is straight forward. Fix from OpenWrt.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-03-22 20:32:49 +00:00
David Woodhouse
ece8574ae6 Add DTLS support to ssltest
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 98b8cdd322)

Conflicts:
	ssl/ssltest.c
2015-03-20 12:09:22 +00:00
David Woodhouse
3edf1b98e0 Add DTLS to SSL_get_version
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 504e643e09)

Conflicts:
	ssl/ssl_lib.c
2015-03-20 12:06:12 +00:00
Matt Caswell
5cc6509dae Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:36 +00:00
Emilia Kasper
86f8fb0e34 Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
b19d814321 Fix DHE Null CKE vulnerability
If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.

CVE-2015-1787

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
76343947ad Fix for CVE-2015-0291
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.

Thanks to David Ramos of Stanford University for reporting this bug.

CVE-2015-0291

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	ssl/t1_lib.c
2015-03-19 12:58:35 +00:00
Matt Caswell
819418110b Fix Seg fault in DTLSv1_listen
The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.

CVE-2015-0207

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 11:11:22 +00:00
Matt Caswell
77c77f0a1b Multiblock corrupted pointer fix
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.

CVE-2015-0290

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-03-19 11:11:22 +00:00
Dr. Stephen Henson
8b84495380 Add support for ServerInfo SSL_CONF option.
Add support for ServerInfo SSL_CONF option and update documentation. This
was wrongly omitted from the 1.0.2 release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-18 12:31:06 +00:00
Matt Caswell
fcb61b6c92 Add sanity check to PRF
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c6)
2015-03-17 13:48:04 +00:00
Matt Caswell
327de270d5 SSL_check_chain fix
If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY
or the type of the public key is unrecognised then the local variable
|cpk| in tls1_check_chain does not get initialised. Subsequently an
attempt is made to deref it (after the "end" label), and a seg fault will
result.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d813f9eb38)
2015-03-12 09:29:48 +00:00
Matt Caswell
35fafc4dbc Cleanse buffers
Cleanse various intermediate buffers used by the PRF (backported version
from master).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-11 10:45:23 +00:00
Emilia Kasper
0c14565c5b Harmonize return values in dtls1_buffer_record
Ensure all malloc failures return -1.

Reported by Adam Langley (Google).

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 06c6a2b4a3)
2015-03-10 13:52:32 -07:00
Matt Caswell
2b31fcc0b5 Prevent handshake with unseeded PRNG
Fix security issue where under certain conditions a client can complete a
handshake with an unseeded PRNG. The conditions are:
- Client is on a platform where the PRNG has not been seeded, and the
user has not seeded manually
- A protocol specific client method version has been used (i.e. not
SSL_client_methodv23)
- A ciphersuite is used that does not require additional random data
from the PRNG beyond the initial ClientHello client random
(e.g. PSK-RC4-SHA)

If the handshake succeeds then the client random that has been used will
have been generated from a PRNG with insufficient entropy and therefore
the output may be predictable.

For example using the following command with an unseeded openssl will
succeed on an unpatched platform:

openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA

CVE-2015-0285

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e1b568dd24)
2015-03-10 10:45:52 +00:00
David Woodhouse
0d691e0e27 Wrong SSL version in DTLS1_BAD_VER ClientHello
Since commit 741c9959 ("DTLS revision."), we put the wrong protocol
version into our ClientHello for DTLS1_BAD_VER. The old DTLS
code which used ssl->version was replaced by the more generic SSL3 code
which uses ssl->client_version. The Cisco ASA no longer likes our
ClientHello.

RT#3711

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f7683aaf36)
2015-03-09 11:07:47 +00:00