Commit graph

2405 commits

Author SHA1 Message Date
Ben Laurie
94d6151236 Make no-dh work, plus other no-dh problems found by Richard.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-11 18:38:38 +00:00
Matt Caswell
67f60be8c9 Ensure |rwstate| is set correctly on BIO_flush
A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-10 12:44:07 +00:00
Matt Caswell
2ad226e88b Fix DTLS handshake fragment retries
If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-10 12:44:07 +00:00
Matt Caswell
330dcb09b2 Add a return value check
If the call to OBJ_find_sigid_by_algs fails to find the relevant NID then
we should set the NID to NID_undef.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-10 11:50:20 +00:00
Andy Polyakov
48f1484555 Configure: make no-chacha and no-poly1305 work.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-10 12:05:50 +01:00
Andy Polyakov
a76ba82ccb Wire ChaCha20-Poly1305 to TLS.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-10 12:05:30 +01:00
Richard Levitte
60f43e9e4d Fix warnings about unused variables when EC is disabled.
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-12-09 23:59:04 +01:00
Dr. Stephen Henson
3c4e064e78 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-09 22:09:19 +00:00
Dr. Stephen Henson
4160936143 update errors
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-08 16:32:39 +00:00
Dr. Stephen Henson
e7f0d9210c Extended master secret fixes and checks.
Add new flag TLS1_FLAGS_RECEIVED_EXTMS which is set when the peer sends
the extended master secret extension.

Server now sends extms if and only if the client sent extms.

Check consistency of extms extension when resuming sessions following (where
practical) RFC7627.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-08 16:32:39 +00:00
Richard Levitte
39d5193201 Fix clang complaints about uninitialised variables.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 20:37:08 +01:00
Richard Levitte
bfb0641f93 Cleanup: fix all sources that used EVP_MD_CTX_(create|init|destroy)
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:40:20 +01:00
Richard Levitte
eda34e4bef Adapt the rest of the source to the removal of (EVP_MD_CTX|HMAC_CTX)_cleanup
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:39:23 +01:00
Richard Levitte
bf7c68177b Adapt the rest of the source to the opaque HMAC_CTX
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:39:23 +01:00
Richard Levitte
6e59a892db Adjust all accesses to EVP_MD_CTX to use accessor functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:39:23 +01:00
Richard Levitte
fa0c23de83 Adapt HMAC to the EVP_MD_CTX changes
This change required some special treatment, as HMAC is intertwined
with EVP_MD.  For now, all local HMAC_CTX variables MUST be
initialised with HMAC_CTX_EMPTY, or whatever happens to be on the
stack will be mistaken for actual pointers to EVP_MD_CTX.  This will
change as soon as HMAC_CTX becomes opaque.

Also, since HMAC_CTX_init() can fail now, its return type changes from
void to int, and it will return 0 on failure, 1 on success.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:36:57 +01:00
Viktor Dukhovni
1c735804a2 Really disable 56-bit (single-DES) ciphers
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-06 12:32:19 -05:00
Kurt Roeckx
361a119127 Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
2015-12-05 17:45:59 +01:00
Kurt Roeckx
fe6ef2472d Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:30:36 +01:00
Kurt Roeckx
6977e8ee4a Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves()
SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it.  On
the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:25:11 +01:00
Kurt Roeckx
6f78b9e824 Remove support for SSL_{CTX_}set_tmp_ecdh_callback().
This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in handshake failures that can
be avoided by selecting a different cipher.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:22:31 +01:00
Matt Caswell
ad3819c29e Fix EAP FAST in the new state machine
The new state machine code missed an allowed transition when resuming a
session via EAP FAST. This commits adds the missing check for the
transition.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-12-04 20:26:54 +00:00
Viktor Dukhovni
1c86d8fd41 Revert unnecessary SSL_CIPHER_get_bits API change
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-04 13:58:22 -05:00
Dr. Stephen Henson
7f572e958b Remove legacy sign/verify from EVP_MD.
Remove sign/verify and required_pkey_type fields of EVP_MD: these are a
legacy from when digests were linked to public key types. All signing is
now handled by the corresponding EVP_PKEY_METHOD.

Only allow supported digest types in RSA EVP_PKEY_METHOD: other algorithms
already block unsupported types.

Remove now obsolete EVP_dss1() and EVP_ecdsa().

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-02 17:52:01 +00:00
Rich Salz
e6390acac9 ex_data part 2: doc fixes and CRYPTO_free_ex_index.
Add CRYPTO_free_ex_index (for shared libraries)
Unify and complete the documentation for all "ex_data" API's and objects.
Replace xxx_get_ex_new_index functions with a macro.
Added an exdata test.
Renamed the ex_data internal datatypes.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-01 11:48:37 -05:00
Dr. Stephen Henson
30c7fea496 Remove GOST special case: handled automatically now.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-30 03:49:35 +00:00
Dr. Stephen Henson
7afd231275 Use digest indices for signature algorithms.
Don't hard code EVP_sha* etc for signature algorithms: use table
indices instead. Add SHA224 and SHA512 to tables.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-30 03:49:35 +00:00
Dr. Stephen Henson
aa430c7467 For TLS < 1.2 use default digest for client certificate
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-30 01:13:51 +00:00
Dr. Stephen Henson
152fbc28e8 Use digest tables for defaults.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-30 00:32:57 +00:00
Dr. Stephen Henson
600fdc716f fix function code discrepancy
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-27 21:28:23 +00:00
Dr. Stephen Henson
28ba2541f9 PRF and handshake hash revision.
Change handshake hash array into a single digest context simplifying the
handhake hash code. Use EVP_md5_sha1() if needed for handshake hashes in
TLS 1.1 and earlier.

Simplify PRF code to also use a single digest and treat EVP_md5_sha1()
as a special case.

Modify algorithm2 field of ciphers to use a single index value for handshake
hash and PRF instead of a bitmap.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-27 19:04:14 +00:00
Matt Caswell
2a9b96548a Updates to GOST2012
Various updates following feedback from the recent commit of the new
GOST2012 code.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-27 17:23:14 +00:00
Dr. Stephen Henson
6938c954b0 Remove unused cert_verify_mac code
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-25 18:22:12 +00:00
Pascal Cuoq
a60c151a7d ssl3_free(): Return if it wasn't created
If somewhere in SSL_new() there is a memory allocation failure, ssl3_free() can
get called with s->s3 still being NULL.

Patch also provided by Willy Tarreau <wtarreau@haproxy.com>

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2015-11-24 22:01:35 +01:00
Dr. Stephen Henson
28f4580c1e Use EVP_md5_sha1() to process client verify
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-24 19:18:44 +00:00
Dr. Stephen Henson
a0f63828e3 Use EVP_md5_sha1() to generate client verify
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-24 19:18:44 +00:00
Dr. Stephen Henson
e3e11e99ce Remove RSA exception when generating server key exchange.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-24 19:18:44 +00:00
Dr. Stephen Henson
192e4bbbf9 Remove RSA exception when processing server key exchange.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-24 19:18:44 +00:00
Dr. Stephen Henson
d18d31a16f Use MD5+SHA1 for default digest if appropriate.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-24 19:18:44 +00:00
Rich Salz
cc99bfa76b Fix a few missed "if (!ptr)" cleanups
And a scalar !x --> x==0 test
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-23 13:51:23 -05:00
Dmitry Belyavsky
e44380a990 Patch containing TLS implementation for GOST 2012
This patch contains the necessary changes to provide GOST 2012
ciphersuites in TLS. It requires the use of an external GOST 2012 engine.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-23 16:09:42 +00:00
Viktor Dukhovni
5c649375dd Good hygiene with size_t output argument.
Though the callers check the function return value and ignore the
size_t output argument on failure, it is still often not ideal to
store (-1) in size_t on error.  That might signal an unduly large
buffer.  Instead set the size_t to 0, to indicate no space.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-21 05:27:35 -05:00
Matt Caswell
7fecbf6f21 Rename start_async_job to ssl_start_async_job
Make it clear that this function is ssl specific.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:35:19 +00:00
Matt Caswell
add2f5ca6d Clean up libssl async calls
Tidy up the libssl async calls and make sure all IO functions are covered.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:35:19 +00:00
Matt Caswell
9920a58eb2 Fix the error code for SSL_get_async_wait_fd()
0 is a valid file descriptor so SSL_get_async_wait_fd should instead return
-1 on error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:35 +00:00
Matt Caswell
44a27ac282 Remove ASYNC_in_job()
The ASYNC_in_job() function is redundant. The same effect can be achieved by
using ASYNC_get_current_job().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:34 +00:00
Matt Caswell
f4da39d200 Initial Async notify code changes
Initial API implemented for notifying applications that an ASYNC_JOB
has completed. Currently only s_server is using this. The Dummy Async
engine "cheats" in that it notifies that it has completed *before* it
pauses the job. A normal async engine would not do that.

Only the posix version of this has been implemented so far, so it will
probably fail to compile on Windows at the moment.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
826760945d Async clean ups
Removed the function ASYNC_job_is_waiting() as it was redundant. The only
time user code has a handle on a job is when one is waiting, so all they
need to do is check whether the job is NULL. Also did some cleanups to
make sure the job really is NULL after it has been freed!

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:32:18 +00:00
Matt Caswell
07bbc92ccb Make libssl async aware
The following entry points have been made async aware:
SSL_accept
SSL_read
SSL_write

Also added is a new mode - SSL_MODE_ASYNC. Calling the above functions with
the async mode enabled will initiate a new async job. If an async pause is
encountered whilst executing the job (such as for example if using SHA1/RSA
with the Dummy Async engine), then the above functions return with
SSL_WANT_ASYNC. Calling the functions again (with exactly the same args
as per non-blocking IO), will resume the job where it left off.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:31:42 +00:00
Matt Caswell
ba4f1331e3 Fix uninitialised variable
The al variable could be uninitialised in an error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:15:53 +00:00
Matt Caswell
5f3d93e4a3 Ensure all EVP calls have their returns checked where appropriate
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-20 15:47:02 +00:00
Dr. Stephen Henson
fa49924659 Make GOST ciphersuites require TLSv1
PR#4141

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-19 14:35:39 +00:00
Matt Caswell
ae4d0c8d22 Add comment explaining why we don't check a return value
A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-17 11:21:17 +00:00
Matt Caswell
d73ca3efa7 Remove an NULL ptr deref in an error path
The |passwd| variable in the code can be NULL if it goes to the err label.
Therefore we cannot call strlen on it without first checking that it is non
NULL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-17 11:17:37 +00:00
Dr. Stephen Henson
60a25abdab Add "TLSv1.0" cipher alias.
This adds a TLSv1.0 cipher alias for ciphersuites requiring
at least TLSv1.0: currently only PSK ciphersuites using SHA256
or SHA384 MAC (SSLv3 only supports SHA1 and MD5 MAC).

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-14 00:06:33 +00:00
Dr. Stephen Henson
2b573382f8 Don't alow TLS v1.0 ciphersuites for SSLv3
This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.

Thanks to the Open Crypto Audit Project for identifying this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-14 00:06:32 +00:00
Dr. Stephen Henson
5e3d21fef1 Use SSL_TLSV1 only if at least TLS v1.0 is needed.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-14 00:06:32 +00:00
Dr. Stephen Henson
558ceae7e8 absent identity hint should be NULL
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-13 16:00:29 +00:00
Matt Caswell
a974e64aaa Fix SSL_use_certificate_chain_file
The new function SSL_use_certificate_chain_file was always crashing in
the internal function use_certificate_chain_file because it would pass a
NULL value for SSL_CTX *, but use_certificate_chain_file would
unconditionally try to dereference it.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-11-10 23:02:44 +00:00
Matt Caswell
6329b6092b Remove redundant check from tls1_get_curvelist
The function tls1_get_curvelist() has an explicit check to see if s->cert
is NULL or not. However the check appears *after* calling the tls1_suiteb
macro which derefs s->cert. In reality s->cert can never be NULL because
it is created in SSL_new(). If the malloc fails then the SSL_new call fails
and no SSL object is created.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-09 23:07:57 +00:00
Matt Caswell
a71edf3ba2 Standardise our style for checking malloc failures
if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise
the approach in libssl.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-09 22:48:41 +00:00
Matt Caswell
3457e7a087 Remove redundant check from SSL_shutdown
The SSL object was being deref'd and then there was a later redundant check
to see if it is NULL. We assume all SSL_foo functions pass a non NULL SSL
object and do not check it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-09 15:36:19 +00:00
Dr. Stephen Henson
36e79832d3 Replace L suffix with U
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-08 14:03:50 +00:00
Dr. Stephen Henson
90d9e49a4b Use uint32_t and int32_t for SSL_CIPHER structure.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-08 14:03:50 +00:00
Matt Caswell
d99b0691d3 Fix compilation problems with SCTP
The SCTP code is not compiled by default. This fixes some compilation
problems in that code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-06 15:40:31 +00:00
Matt Caswell
8d16c58fa4 Remove some redundant assignments
We were setting |s->renegotiate| and |s->new_session| to 0 twice in
tls_finish_handshake. This is redundant so now we just do it once!

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-06 15:32:44 +00:00
Matt Caswell
e657515620 Don't finish the handshake twice
We finish the handshake when we move into the TLS_ST_OK state. At various
points we were also unnecessarily finishing it when we were reading/writing
the Finished message. It's much simpler just to do it in TLS_ST_OK, so
remove the other calls.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-06 15:32:44 +00:00
Dr. Stephen Henson
b8fb59897b Rebuild error source files.
Rebuild error source files: the new mkerr.pl functionality will now
pick up and translate static function names properly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-05 15:48:37 +00:00
Matt Caswell
cf0113eb47 Ensure the dtls1_get_*_methods work with DTLS_ANY_VERSION
The various dtls1_get*_methods did not handle the DTLS_ANY_VERSION case,
so this needed to be added.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-05 15:05:58 +00:00
Matt Caswell
1c2e5d560d Remove a reachable assert from ssl3_write_bytes
A buggy application that call SSL_write with a different length after a
NBIO event could cause an OPENSSL_assert to be reached. The assert is not
actually necessary because there was an explicit check a little further
down that would catch this scenario. Therefore remove the assert an move
the check a little higher up.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 14:29:37 +00:00
Matt Caswell
6929b4477b Remove an OPENSSL_assert which could fail
An OPENSSL_assert was being used which could fail (e.g. on a malloc
failure).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 14:29:37 +00:00
Matt Caswell
267b7789f8 Remove a trivially true OPENSSL_assert
This OPENSSL_assert in (d)tls1_hearbeat is trivially always going to be
true because it is testing the sum of values that have been set as
constants just a few lines above and nothing has changed them. Therefore
remove this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 14:29:37 +00:00
Matt Caswell
87d9cafa33 Remove some SSLv2 references
There were a few remaining references to SSLv2 support which are no longer
relevant now that it has been removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 09:17:22 +00:00
Matt Caswell
b7fa1f989d Add SRP and PSK to disallowed CertificateRequest ciphersuites
There was a discrepancy between what ciphersuites we allowed to send a
CertificateRequest, and what ciphersuites we allowed to receive one. So
add PSK and SRP to the disallowed ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
bb3e20cf8c Remove the inline keyword
Some functions were marked as inline in statem_srvr.c where they probably
didn't need to be, so remove it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
956de7b287 Remove superfluous check
|tls_process_finished| was checking that |peer_finish_md_len| was
non-negative. However neither |tls1_final_finish_mac| or
|ssl3_final_finish_mac| can ever return a negative value, so the check is
superfluous.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
fed1767436 Change SSL_state_string return strings to start with a T
Due the rest of the state machine changes it makes sense to change the
SSL_state_string return strings from 3* to T*. They are not SSL3 specific

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
141eb8c679 Change snprintf to memcpy
There was a few uses of snprintf in the DTLS SCTP code which made more
sense to be a memcpy.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
8481f583d3 Add ossl_statem prefix to various functions
Add the ossl_statem prefix to various funtions to avoid name clashes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
be3583fa40 Convert enums to typedefs
Various enums were introduced as part of the state machine rewrite. As a
matter of style it is preferred for these to be typedefs.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
3616bb6358 Make dtls1_link_min_mtu static
The function dtls1_link_min_mtu() was only used within d1_lib.c so make
it static.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
006207d1bc Fix a bogus clang warning
Clang with --strict-warnings was complaining about an uninitalised
variable. In reality it will never be used uninitialised but clang can't
figure out the logic, so just init it anyway to silence the warning.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
c9de4a20fa Fix empty NewSessionTicket processing
Rebasing the state machine code introduced a problem with empty
NewSessionTicket processing. The return value from the
tls_process_new_session_ticket() is supposed to be an enum, but a bare
integer was being used. Unfortunately this is valid C so the compiler
doesn't pick it up.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
d13dd4beb4 Fix uninitialised variable
Fix another instance of |al| being unitialised in certain error scenarios.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
f0659bdb00 Fix various error codes
A number of error codes were wrong due to a rebase of the state machine
code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
024f543c15 Move in_handshake into STATEM
The SSL variable |in_handshake| seems misplaced. It would be better to have
it in the STATEM structure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
20dbe58577 Fix unitialised variable problem
tls_process_client_hello() failed to initialise the |al| variable in some
(error) scenarios. This could cause issues with creating the alert.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
31fd10e60d Fix DTLSv1_listen following state machine changes
Adding the new state machine broke the DTLSv1_listen code because
calling SSL_in_before() was erroneously returning true after DTLSv1_listen
had successfully completed. This change ensures that SSL_in_before returns
false.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
91eac8d567 Add a function to get the info_callback
Remove repeated blocks of checking SSL and then SSL_CTX for the
info_callback.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
d78052cf4f Change SUB_STATE_RETURN into a typedef
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
d6f1a6e931 Rename STATEM to OSSL_STATEM
Add an OSSL_ prefix onto STATEM

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
5998e29035 Remove SSL_state and SSL_set_state
SSL_state has been replaced by SSL_get_state and SSL_set_state is no longer
supported.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
a71a4966a3 Move |no_cert_verify| into state machine
The |no_cert_verify| should be in the state machine structure not in SSL

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
c874def60a Remove extraneous parens
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
fe3a329117 Change statem prefix to ossl_statem
Change various state machine functions to use the prefix ossl_statem
instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
35bf6e0537 Change HANDSHAKE_STATE to OSSL_HANDSHAKE_STATE
Rename the enum HANDSHAKE_STATE to OSSL_HANDSHAKE_STATE to ensure there are
no namespace clashes, and convert it into a typedef.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
a455d0f6ff Fix some client side transition logic
Fixed some issues in the logic for determining whether an SKE should be
expected or not. In particular only allow an SKE for RSA if its export and
the key size is not allowed. Also fix the ephemeral ciphersuite checks and
add in a missing call to ssl3_check_cert_and_algorithm().

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
e0a51488c3 Fix a comment
Fix an out of date reference to old state machine code in a comment

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
9d671ad1cf Remove some unused variables
The next_state variable is no longer needed in the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
f0de395950 Add a state machine README
Add some documentation on the thinking behind the state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
61ae935a98 More state machine reorg
Move some function definitions around within the state machine to make sure
they are in the correct files. Also create a statem_locl.h header for stuff
entirely local to the state machine code and move various definitions into
it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
8ba708e516 Reorganise state machine files
Pull out the state machine into a separate sub directory. Also moved some
functions which were nothing to do with the state machine but were in state
machine files. Pulled all the SSL_METHOD definitions into one place...most
of those files had very little left in them any more.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
1aeaa7ec06 Remove ssl_get_message from ssl_method_st
ssl_get_message is no longer used so it should be removed from
ssl_method_st

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
73999b62a2 Move PACKET creation into the state machine
Previously each message specific process function would create its own
PACKET structure. Rather than duplicate all of this code lots of times we
should create it in the state machine itself.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
0131df49ee Remove the SSL state variable
The SSL structure contained a "state" variable that kept track of the state
machine in the old code. The new state machine does not use this so it can
be removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
23a635c0ec Remove the type variable
The SSL structure contained a "type" variable that was set to either
SSL_ST_ACCEPT or SSL_ST_CONNECT depending on whether we are the server or
the client. This duplicates the capability of the "server" variable and was
actually rarely used.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
5e41ba031e Convert DTLSv1_listen to use new state machine code
The DTLSv1_listen code set the state value explicitly to move into init.
Change to use state_set_in_init() instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
c64359db8a Redefine old state values
ssl.h and ssl3.h have a number of defines for the various states in the old
state machine code. Since this is public API it is not desirable to just
remove them. Instead redefine them to the closest equivalent state in the
new state machine code. If an application calls SSL_state then the return
value can still be compared against these old values if necessary. However
not all values have an equivalent state in the new code, so these are just
redefined to a dummy value.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
49ae742398 Remove redundant code
Clean up and remove lots of code that is now no longer needed due to the
move to the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
c130dd8ea4 Move server side DTLS to new state machine
Implement all of the necessary changes to make DTLS on the server work
with the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
94836de2ae Move server side TLS to new state machine
Implement all of the necessary changes for moving TLS server side
processing into the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
e27f234a41 Split TLS server functions
Split the TLS server ssl3_get_* and ssl3_send_* functions into two ready
for the migration to the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
4e3458a565 Delete unused functions
Remove all the functions and dead code that is now no longer required as
a result of the DTLS client move into the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
473483d42d Implement DTLS client move to new state machine
Move all DTLS client side processing into the new state machine code. A
subsequent commit will clean up the old dead code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
76af303761 dtls_get_message changes for state machine move
Create a dtls_get_message function similar to the old dtls1_get_message but
in the format required for the new state machine code. The old function will
eventually be deleted in later commits.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
f6a2f2da58 Client TLS state machine rewrite cleanup
Remove redundant code following moving client side TLS handling to the new
state machine implementation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
8723588e1b Implement Client TLS state machine
This swaps the implementation of the client TLS state machine to use the
new state machine code instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
b9908bf9b8 Split client message reading and writing functions
The new state machine code will split up the reading and writing of
hanshake messages into discrete phases. In order to facilitate that the
existing "get" type functions will be split into two halves: one to get
the message and one to process it. The "send" type functions will also have
all work relating to constructing the message split out into a separate
function just for that. For some functions there will also be separate
pre and post "work" phases to prepare or update state.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
f8e0a55738 Add initial state machine rewrite code
This is the first drop of the new state machine code.

The rewrite has the following objectives:
- Remove duplication of state code between client and server
- Remove duplication of state code between TLS and DTLS
- Simplify transitions and bring the logic together in a single location
  so that it is easier to validate
- Remove duplication of code between each of the message handling functions
- Receive a message first and then work out whether that is a valid
  transition - not the other way around (the other way causes lots of issues
  where we are expecting one type of message next but actually get something
  else)
- Separate message flow state from handshake state (in order to better
  understand each)
  - message flow state = when to flush buffers; handling restarts in the
    event of NBIO events; handling the common flow of steps for reading a
    message and the common flow of steps for writing a message etc
  - handshake state = what handshake message are we working on now
- Control complexity: only the state machine can change state: keep all
  the state changes local to a file

This builds on previous state machine related work:
- Surface CCS processing in the state machine
- Version negotiation rewrite

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Matt Caswell
9ab930b27d Split ssl3_get_message
The function ssl3_get_message gets a whole message from the underlying bio
and returns it to the state machine code. The new state machine code will
split this into two discrete steps: get the message header and get the
message body. This commit splits the existing function into these two
sub steps to facilitate the state machine implementation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Alessandro Ghedini
070c23325a Remove useless code
RT#4081

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Alessandro Ghedini
3f6c769187 Fix memory leaks and other mistakes on errors
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Matt Caswell
3fde6c9276 Avoid undefined behaviour in PACKET_buf_init
Change the sanity check in PACKET_buf_init to check for excessive length
buffers, which should catch the interesting cases where len has been cast
from a negative value whilst avoiding any undefined behaviour.

RT#4094

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-21 16:13:53 +01:00
Emilia Kasper
f4f78ff7da PACKET: fix __owur
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-15 16:20:22 +02:00
Emilia Kasper
bbafa47b55 Appease gcc's Wmaybe-uninitialized
False positive: gcc (4.8) can't figure out the SSL_IS_DTLS logic.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-15 16:19:00 +02:00
Dr. Stephen Henson
9076bd25bf Make no-psk compile without warnings.
PR#4035

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-11 13:38:01 +01:00
Emilia Kasper
3101154481 DTLS: remove unused cookie field
Note that this commit constifies a user callback parameter and therefore
will break compilation for applications using this callback. But unless
they are abusing write access to the buffer, the fix is trivial.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-09 15:32:35 +02:00
Emilia Kasper
329428708d PACKET: simplify ServerKeyExchange parsing
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-08 16:44:39 +02:00
Matt Caswell
68a1662851 Don't advance PACKET in ssl_check_for_safari
The function ssl_check_for_safari fingerprints the incoming extensions
to see whether it is one of the broken versions of safari. However it was
failing to reset the PACKET back to the same position it started in, hence
causing some extensions to be skipped incorrectly.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-10-07 16:17:52 +01:00
Emilia Kasper
20218b58b5 SSLv2 compat ciphers: clarify comment
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-06 18:03:51 +02:00
Andy Polyakov
f4bd5de544 Address more Windows warnings illuminated by mingw.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-10-06 09:44:27 +02:00
Alessandro Ghedini
52a48f9eed Validate ClientHello extension field length
RT#4069

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:43:00 +01:00
Emilia Kasper
67202973cf Add PACKET_copy_all
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Emilia Kasper
bf0fc41266 ssl_sess.c: grab a copy of the session ID
The user callback takes a non-const pointer, so don't pass PACKET data
to it directly; rather, grab a local copy.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Emilia Kasper
38a3cbfbf7 PACKETize and clean up ssl_bytes_to_cipher_list.
Fix alerts.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Emilia Kasper
b3e2272c59 ssl3_get_client_hello: rearrange logic
Move all packet parsing to the beginning of the method. This limits the
SSLv2 compatibility soup to the parsing, and makes the rest of the
processing uniform.

This is also needed for simpler EMS support: EMS servers need to do an
early scan for EMS to make resumption decisions. This'll be easier when
the entire ClientHello is parsed in the beginning.

As a side effect,
1) PACKETize ssl_get_prev_session and tls1_process_ticket; and
2) Delete dead code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Richard Levitte
2ff00bdbc4 make depend
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-10-05 11:08:18 +02:00
Rich Salz
9982cbbbf6 Remove BIO_s_file_internal macro.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-02 14:22:05 -04:00
Matt Caswell
c84f7f4a74 Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2
This patch updates the "DEFAULT" cipherstring to be
"ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
internally by a flag on each ciphersuite indicating whether it should be
excluded from DEFAULT or not. This gives us control at an individual
ciphersuite level as to exactly what is in DEFAULT and what is not.

Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
and hence removed from DEFAULT.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-30 19:15:06 +01:00
David Woodhouse
984d6c6052 Fix no-stdio build
Much related/similar work also done by
Ivan Nestlerode <ivan.nestlerode@sonos.com>

   +Replace FILE BIO's with dummy ops that fail.
   +Include <stdio.h> for sscanf() even with no-stdio (since the declaration
    is there). We rely on sscanf() to parse the OPENSSL_ia32cap environment
    variable, since it can be larger than a 'long'. And we don't rely on the
    availability of strtoull().
   +Remove OPENSSL_stderr(); not used.
   +Make OPENSSL_showfatal() do nothing (currently without stdio there's
    nothing we can do).
   +Remove file-based functionality from ssl/. The function
    prototypes were already gone, but not the functions themselves.
   +Remove unviable conf functionality via SYS_UEFI
   +Add fallback definition of BUFSIZ.
   +Remove functions taking FILE * from header files.
   +Add missing DECLARE_PEM_write_fp_const
   +Disable X509_LOOKUP_hash_dir(). X509_LOOKUP_file() was already compiled out,
    so remove its prototype.
   +Use OPENSSL_showfatal() in CRYPTO_destroy_dynlockid().
   +Eliminate SRP_VBASE_init() and supporting functions. Users will need to
    build the verifier manually instead.
   +Eliminate compiler warning for unused do_pk8pkey_fp().
   +Disable TEST_ENG_OPENSSL_PKEY.
   +Disable GOST engine as is uses [f]printf all over the place.
   +Eliminate compiler warning for unused send_fp_chars().

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-29 21:59:19 -04:00
Emilia Kasper
fc5ce51d17 PACKET: simplify ServerHello parsing
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-28 16:22:21 +02:00
Emilia Kasper
e711da714b RT2772: accept empty SessionTicket
RFC 5077 section 3.3 says:
If the server determines that it does not want to include a
ticket after it has included the SessionTicket extension in the
ServerHello, then it sends a zero-length ticket in the
NewSessionTicket handshake message.

Previously the client would fail upon attempting to allocate a
zero-length buffer. Now, we have the client ignore the empty ticket and
keep the existing session.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 16:00:25 +02:00
Matt Caswell
d84a7b20e3 Add ability to set default CA path and file locations individually
Previously you could only set both the default path and file locations
together. This adds the ability to set one without the other.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:49:59 +01:00
Matt Caswell
373dc6e196 Sanity check cookie_len
Add a sanity check that the cookie_len returned by app_gen_cookie_cb is
valid.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:27 +01:00
Matt Caswell
912c89c529 Remove remaining old listen code
The old implementation of DTLSv1_listen which has now been replaced still
had a few vestiges scattered throughout the code. This commit removes them.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Matt Caswell
e3d0dae7cf DTLSv1_listen rewrite
The existing implementation of DTLSv1_listen() is fundamentally flawed. This
function is used in DTLS solutions to listen for new incoming connections
from DTLS clients. A client will send an initial ClientHello. The server
will respond with a HelloVerifyRequest containing a unique cookie. The
client the responds with a second ClientHello - which this time contains the
cookie.

Once the cookie has been verified then DTLSv1_listen() returns to user code,
which is typically expected to continue the handshake with a call to (for
example) SSL_accept().

Whilst listening for incoming ClientHellos, the underlying BIO is usually in
an unconnected state. Therefore ClientHellos can come in from *any* peer.
The arrival of the first ClientHello without the cookie, and the second one
with it, could be interspersed with other intervening messages from
different clients.

The whole purpose of this mechanism is as a defence against DoS attacks. The
idea is to avoid allocating state on the server until the client has
verified that it is capable of receiving messages at the address it claims
to come from. However the existing DTLSv1_listen() implementation completely
fails to do this. It attempts to super-impose itself on the standard state
machine and reuses all of this code. However the standard state machine
expects to operate in a stateful manner with a single client, and this can
cause various problems.

A second more minor issue is that the return codes from this function are
quite confused, with no distinction made between fatal and non-fatal errors.
Most user code treats all errors as non-fatal, and simply retries the call
to DTLSv1_listen().

This commit completely rewrites the implementation of DTLSv1_listen() and
provides a stand alone implementation that does not rely on the existing
state machine. It also provides more consistent return codes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Emilia Kasper
6a12a5740b PACKET: simplify
Get rid of the third field that is no longer needed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 20:42:18 +02:00
Emilia Kasper
e9fa092efc Remove ssl_put_cipher_by_char
Since SSLv3, a CipherSuite is always 2 bytes. The only place where we
need 3-byte ciphers is SSLv2-compatible ClientHello processing.

So, remove the ssl_put_cipher_by_char indirection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 20:34:25 +02:00
Dr. Stephen Henson
f1c412c9e6 Handle SSL_ERROR_WANT_X509_LOOKUP
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-20 14:19:49 +01:00
Emilia Kasper
88f84eb257 Remove PACKET_back
It's unused, and the same functionality can be achieved with saving a
copy of the struct.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-18 13:04:07 +02:00
Emilia Kasper
4bd16463b8 Remove PACKET_(get|goto)_bookmark
The bookmark API results in a lot of boilerplate error checking that can
be much more easily achieved with a simple struct copy. It also lays the
path for removing the third PACKET field.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-17 18:47:33 +02:00
Filipe DA SILVA
0e04674e96 RT4047: Set reference count earlier
Make sure it's valid very early.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-17 11:58:24 -04:00
Emilia Kasper
20ca916d7d Disentangle RSA premaster secret parsing
Simplify encrypted premaster secret reading by using new methods in the
PACKET API.

Don't overwrite the packet buffer. RSA decrypt accepts truncated
ciphertext with leading zeroes omitted, so it's even possible that by
crafting a valid ciphertext with several leading zeroes, this could
cause a few bytes out-of-bounds write. The write is harmless because of
the size of the underlying message buffer, but nevertheless we shouldn't
write into the packet.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-17 17:26:19 +02:00
Kurt Roeckx
fae11ec714 Fix return values when adding serverinfo fails.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #1128
2015-09-16 20:54:51 +02:00
Matt Caswell
8011f64efb make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-16 12:40:55 +01:00
Dr. Stephen Henson
df6da24bda Fix PSK identity hint handling.
For server use a PSK identity hint value in the CERT structure which
is inherited when SSL_new is called and which allows applications to
set hints on a per-SSL basis. The previous version of
SSL_use_psk_identity_hint tried (wrongly) to use the SSL_SESSION structure.

PR#4039

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-14 19:52:27 +01:00
Ben Laurie
df2ee0e27d Enable -Wmissing-variable-declarations and
-Wincompatible-pointer-types-discards-qualifiers (the latter did not require
any code changes).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-11 04:51:55 +01:00
Emilia Kasper
cdde7b49a4 Restore SSLerr on PACKET_strndup failure.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-09-10 16:40:26 +02:00
Emilia Kasper
6d41fc80e6 PACKET: add PACKET_memdup and PACKET_strndup
Use each once in s3_srvr.c to show how they work.

Also fix a bug introduced in c3fc7eeab8
and made apparent by this change:
ssl3_get_next_proto wasn't updating next_proto_negotiated_len

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-09 12:47:05 +02:00
Matt Caswell
8098fc5663 PACKETise ServerKeyExchange
Process the ServerKeyExchange message using the PACKET API

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-07 10:51:41 +01:00
Matt Caswell
50932c4af2 PACKETise ServerHello processing
Process ServerHello messages using the PACKET API

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-07 10:45:38 +01:00
Dr. Stephen Henson
a8d8e06b0a Avoid direct X509 structure access
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 00:17:37 +01:00
Dr. Stephen Henson
13e228d684 Match SUITEB strings at start of cipher list.
PR#4009.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-04 21:17:59 +01:00
Rich Salz
64b25758ed remove 0 assignments.
After openssl_zalloc, cleanup more "set to 0/NULL" assignments.
Many are from github feedback.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-03 16:26:34 -04:00
Rich Salz
b51bce9420 Add and use OPENSSL_zalloc
There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-02 22:05:37 -04:00
Dr. Stephen Henson
04dc8b36ef Fix CCM support in DTLS
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-02 21:23:12 +01:00
Hiroyuki YAMAMORI
246b52f39a Fix DTLS1.2 buffers
Fix the setup of DTLS1.2 buffers to take account of the Header

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-02 00:34:14 +01:00
Dr. Stephen Henson
05f0fb9f6a Add X509_up_ref function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 23:18:55 +01:00
Matt Caswell
95cdad6344 Clean up reset of read/write sequences
Use sizeof instead of an explicit size, and use the functions for the
purpose.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-26 16:22:45 +01:00
Emilia Kasper
ec30e8566e PACKET: add methods for reading length-prefixed TLS vectors.
Rewrite ssl3_get_client_hello to use the new methods.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-26 13:25:48 +02:00
Emilia Kasper
9cc3e8f1f2 Fix SSLv2-compatible ClientHello processing.
If the client challenge is less than 32 bytes, it is padded with leading - not trailing - zero bytes.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-26 13:23:24 +02:00
Emilia Kasper
2aa815c343 PACKET: constify where possible
The PACKET should hold a 'const unsigned char*' underneath as well
but the legacy code passes the record buffer around as 'unsigned char*'
(to callbacks, too) so that's a bigger refactor.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-26 13:19:12 +02:00
Matt Caswell
ee4ffd6fcc Fix DTLS session ticket renewal
A DTLS client will abort a handshake if the server attempts to renew the
session ticket. This is caused by a state machine discrepancy between DTLS
and TLS discovered during the state machine rewrite work.

The bug can be demonstrated as follows:

Start a DTLS s_server instance:
openssl s_server -dtls

Start a client and obtain a session but no ticket:
openssl s_client -dtls -sess_out session.pem -no_ticket

Now start a client reusing the session, but allow a ticket:
openssl s_client -dtls -sess_in session.pem

The client will abort the handshake.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-26 10:17:49 +01:00
Matt Caswell
ac11233201 PACKETise CertificateRequest
Process CertificateRequest messages using the PACKET API

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-14 17:29:21 +01:00
Matt Caswell
efcdbcbeda PACKETise ClientKeyExchange processing
Use the new PACKET code to process the CKE message

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-08-14 17:19:57 +01:00
Matt Caswell
561e12bbb0 PACKETise NewSessionTicket
Process NewSessionTicket messages using the new PACKET API

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-14 17:05:46 +01:00
Matt Caswell
c83eda8c22 Fix session tickets
Commit 9ceb2426b0 (PACKETise ClientHello) broke session tickets by failing
to detect the session ticket extension in an incoming ClientHello. This
commit fixes the bug.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-14 17:00:11 +01:00
Dr. Stephen Henson
176f85a28e Add CCM ciphersuites from RFC6655 and RFC7251
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-14 06:57:32 +01:00
Dr. Stephen Henson
3d3701ea20 ccm8 support
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-14 06:56:11 +01:00
Dr. Stephen Henson
e75c5a794e CCM support.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-14 06:56:11 +01:00
Matt Caswell
ac63710a3d PACKETise Certificate Status message
Process the Certificate Status message using the PACKET API

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-13 20:41:06 +01:00
Matt Caswell
bc6616a434 Enhance PACKET readability
Enhance the PACKET code readability, and fix a stale comment. Thanks
to Ben Kaduk (bkaduk@akamai.com) for pointing this out.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-13 20:34:51 +01:00
Matt Caswell
f9f6053442 Add missing return check for PACKET_buf_init
The new ClientHello PACKET code is missing a return value check.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-13 20:34:51 +01:00
Matt Caswell
df758a8569 PACKETise Server Certificate processing
Use the PACKET API to process an incoming server Certificate message.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-13 09:29:17 +01:00
Rich Salz
ade44dcb16 Remove Gost94 signature algorithm.
This was obsolete in 2001.  This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 18:23:29 -04:00
Matt Caswell
f75d5171be Fix "make test" seg fault with SCTP enabled
When config'd with "sctp" running "make test" causes a seg fault. This is
actually due to the way ssltest works - it dives under the covers and frees
up BIOs manually and so some BIOs are NULL when the SCTP code does not
expect it. The simplest fix is just to add some sanity checks to make sure
the BIOs aren't NULL before we use them.

This problem occurs in master and 1.0.2. The fix has also been applied to
1.0.1 to keep the code in sync.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-11 22:16:38 +01:00
Matt Caswell
d8e8590ed9 Fix missing return value checks in SCTP
There are some missing return value checks in the SCTP code. In master this
was causing a compilation failure when config'd with
"--strict-warnings sctp".

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-11 22:16:38 +01:00
Guy Leaver (guleaver)
61e72d761c Fix seg fault with 0 p val in SKE
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
value of p set to 0 then a seg fault can occur. This commits adds a test to
reject p, g and pub key parameters that have a 0 value (in accordance with
RFC 5246)

The security vulnerability only affects master and 1.0.2, but the fix is
additionally applied to 1.0.1 for additional confidence.

CVE-2015-1794

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 19:57:01 +01:00
Matt Caswell
870063c83d Normalise make errors output
make errors wants things in a different order to the way things are
currently defined in the header files. The easiest fix is to just let it
reorder it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 19:57:01 +01:00
Rich Salz
fbfcb22439 RT3999: Remove sub-component version strings
Especially since after the #ifdef cleanups this is not useful.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-10 12:13:32 -04:00
Adam Eijdenberg
6f136aa6fc Change error reason to match previous behaviour.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-04 15:15:38 -07:00
Adam Eijdenberg
6c3cca5793 Fix unhandled error condition in sslv2 client hello parsing.
--strict-warnings started showing warnings for this today...

Surely an error should be raised if these reads fail?

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-04 15:05:01 -07:00
Matt Caswell
c3fc7eeab8 PACKETise NextProto
Change NextProto message processing to use the PACKET API.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-08-04 14:05:10 +01:00
Matt Caswell
f532a35d2a PACKETise CertificateVerify processing
Modify CertificateVerify processing to use the new PACKET API.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-08-04 13:56:50 +01:00
Matt Caswell
0bc09ecd26 PACKETise ClientCertificate processing
Use the PACKET API for processing ClientCertificate messages

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-04 13:15:29 +01:00
Matt Caswell
44128847e8 Fix a bug in the new PACKET implementation
Some of the PACKET functions were returning incorrect data. An unfortunate
choice of test data in the unit test was masking the failure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-04 13:06:58 +01:00
Matt Caswell
496dbe1855 Fix make errors for the CCS changes
The move of CCS into the state machine was causing make errors to fail. This
fixes it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:18:06 +01:00
Matt Caswell
e9f6b9a1a5 Fix ssl3_read_bytes handshake fragment bug
The move of CCS into the state machine introduced a bug in ssl3_read_bytes.
The value of |recvd_type| was not being set if we are satisfying the request
from handshake fragment storage. This can occur, for example, with
renegotiation and causes the handshake to fail.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:18:06 +01:00
Matt Caswell
c69f2adf71 Move DTLS CCS processing into the state machine
Continuing on from the previous commit this moves the processing of DTLS
CCS messages out of the record layer and into the state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:18:05 +01:00
Matt Caswell
657da85eea Move TLS CCS processing into the state machine
The handling of incoming CCS records is a little strange. Since CCS is not
a handshake message it is handled differently to normal handshake messages.
Unfortunately whilst technically it is not a handhshake message the reality
is that it must be processed in accordance with the state of the handshake.
Currently CCS records are processed entirely within the record layer. In
order to ensure that it is handled in accordance with the handshake state
a flag is used to indicate that it is an acceptable time to receive a CCS.

Previously this flag did not exist (see CVE-2014-0224), but the flag should
only really be considered a workaround for the problem that CCS is not
visible to the state machine.

Outgoing CCS messages are already handled within the state machine.

This patch makes CCS visible to the TLS state machine. A separate commit
will handle DTLS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:18:05 +01:00