The V2ClientHello code creates an empty compression list, but the
compression list must explicitly contain the null compression (and later
code enforces this).
RT#4387
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
The tls_client_key_exchange_post_work() frees the pms on error. It also
calls ssl_generate_master_secret() which also free the pms. If an error
occurs after ssl_generate_master_secret() has been called then a double
free can occur.
Reviewed-by: Andy Polyakov <appro@openssl.org>
If we fail halfway through constructing the peer_tmp EVP_PKEY but we have
already stored it in s->s3->peer_tmp then if anything tries to use it then
it will likely fail. This was causing s_client to core dump in the
sslskewith0p test. s_client was trying to print out the connection
parameters that it had negotiated so far. Arguably s_client should not do
that if the connection has failed...but given it is existing functionality
it's easier to fix libssl.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Move the dh_st structure into an internal header file and provide
relevant accessors for the internal fields.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates. Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing
when the chain is fails verification.
Move and consolidate CT callbacks from libcrypto to libssl. We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.
Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information. When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
The original check for != SSL_VERIFY_NONE can give surprising results
when flags SSL_VERIFY_PEER is not set, but other flags are. Note
that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense
of all other flag bits.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.
The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.
This was found by libFuzzer.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Session resumption involves a version check, so version negotiation must
happen first. Currently, the DTLS implementation cannot do session
resumption in DTLS 1.0 because the ssl_version check always checks
against 1.2.
Switching the order also removes the need to fixup ssl_version in DTLS
version negotiation.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
RT: #4392, MR: #2452
We now send the highest supported version by the client, even if the session
uses an older version.
This fixes 2 problems:
- When you try to reuse a session but the other side doesn't reuse it and
uses a different protocol version the connection will fail.
- When you're trying to reuse a session with an old version you might be
stuck trying to reuse the old version while both sides support a newer
version
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #852, MR: #2452
Don't have #error statements in header files, but instead wrap
the contents of that file in #ifndef OPENSSL_NO_xxx
This means it is now always safe to include the header file.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Adjust ssl_set_client_hello_version to get both the minimum and maximum and then
make ssl_set_client_hello_version use the maximum version.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
Disabled by default, but can be enabled by setting the
ct_validation_callback on a SSL or SSL_CTX.
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This was done by the following
find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
print unless $. == 1 && m@/\* .*\.[ch] \*/@;
close ARGV if eof; # Close file to reset $.
And then some hand-editing of other files.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This is an internal facility, never documented, not for
public consumption. Move it into ssl (where it's only used
for DTLS).
I also made the typedef's for pqueue and pitem follow our style: they
name structures, not pointers.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven. Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure. The same protocol version constraints
are now applied in all code paths. It is now much easier to add
new protocol versions without reworking the protocol selection
logic.
In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...). Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.
RT#4198
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Move all calls of the OCSP callback into one place, rather than repeating it
in two different places.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.
Thanks to BoringSSL for reporting this issue.
RT#4120
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
When EC is disabled, and an error occurs in ssl_generate_master_secret()
or RAND_bytes(), the error path does not free rsa_decrypt.
RT#4197
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
After the recent change to use ossl_inline, builds were failing on some
platforms due to a missing usage of "inline".
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
Reviewed-by: Tim Hudson <tjh@openssl.org>
GCM and CCM are modes of operation for block ciphers only. ChaCha20-Poly1305
operates in neither of them but it is AEAD. This change also enables future
AEAD ciphers to be available for use with DTLS.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
This reverts commit 777f482d99.
Author credit missing. Reverting this and re-committing with
an Author line.
Reviewed-by: Matt Caswell <matt@openssl.org>
GCM and CCM are modes of operation for block ciphers only. ChaCha20-Poly1305
operates in neither of them but it is AEAD. This change also enables future
AEAD ciphers to be available for use with DTLS.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.
Reviewed-by: Richard Levitte <levitte@openssl.org>
If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This change required some special treatment, as HMAC is intertwined
with EVP_MD. For now, all local HMAC_CTX variables MUST be
initialised with HMAC_CTX_EMPTY, or whatever happens to be on the
stack will be mistaken for actual pointers to EVP_MD_CTX. This will
change as soon as HMAC_CTX becomes opaque.
Also, since HMAC_CTX_init() can fail now, its return type changes from
void to int, and it will return 0 on failure, 1 on success.
Reviewed-by: Rich Salz <rsalz@openssl.org>
SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it. On
the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in handshake failures that can
be avoided by selecting a different cipher.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
The new state machine code missed an allowed transition when resuming a
session via EAP FAST. This commits adds the missing check for the
transition.
Reviewed-by: Andy Polyakov <appro@openssl.org>
This patch contains the necessary changes to provide GOST 2012
ciphersuites in TLS. It requires the use of an external GOST 2012 engine.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.
Thanks to the Open Crypto Audit Project for identifying this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise
the approach in libssl.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
We were setting |s->renegotiate| and |s->new_session| to 0 twice in
tls_finish_handshake. This is redundant so now we just do it once!
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
We finish the handshake when we move into the TLS_ST_OK state. At various
points we were also unnecessarily finishing it when we were reading/writing
the Finished message. It's much simpler just to do it in TLS_ST_OK, so
remove the other calls.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
There was a discrepancy between what ciphersuites we allowed to send a
CertificateRequest, and what ciphersuites we allowed to receive one. So
add PSK and SRP to the disallowed ones.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Some functions were marked as inline in statem_srvr.c where they probably
didn't need to be, so remove it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
|tls_process_finished| was checking that |peer_finish_md_len| was
non-negative. However neither |tls1_final_finish_mac| or
|ssl3_final_finish_mac| can ever return a negative value, so the check is
superfluous.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
There was a few uses of snprintf in the DTLS SCTP code which made more
sense to be a memcpy.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add the ossl_statem prefix to various funtions to avoid name clashes.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Various enums were introduced as part of the state machine rewrite. As a
matter of style it is preferred for these to be typedefs.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Clang with --strict-warnings was complaining about an uninitalised
variable. In reality it will never be used uninitialised but clang can't
figure out the logic, so just init it anyway to silence the warning.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rebasing the state machine code introduced a problem with empty
NewSessionTicket processing. The return value from the
tls_process_new_session_ticket() is supposed to be an enum, but a bare
integer was being used. Unfortunately this is valid C so the compiler
doesn't pick it up.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Fix another instance of |al| being unitialised in certain error scenarios.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
A number of error codes were wrong due to a rebase of the state machine
code.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
The SSL variable |in_handshake| seems misplaced. It would be better to have
it in the STATEM structure.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
tls_process_client_hello() failed to initialise the |al| variable in some
(error) scenarios. This could cause issues with creating the alert.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Adding the new state machine broke the DTLSv1_listen code because
calling SSL_in_before() was erroneously returning true after DTLSv1_listen
had successfully completed. This change ensures that SSL_in_before returns
false.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Remove repeated blocks of checking SSL and then SSL_CTX for the
info_callback.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
SSL_state has been replaced by SSL_get_state and SSL_set_state is no longer
supported.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
The |no_cert_verify| should be in the state machine structure not in SSL
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Change various state machine functions to use the prefix ossl_statem
instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rename the enum HANDSHAKE_STATE to OSSL_HANDSHAKE_STATE to ensure there are
no namespace clashes, and convert it into a typedef.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Fixed some issues in the logic for determining whether an SKE should be
expected or not. In particular only allow an SKE for RSA if its export and
the key size is not allowed. Also fix the ephemeral ciphersuite checks and
add in a missing call to ssl3_check_cert_and_algorithm().
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Fix an out of date reference to old state machine code in a comment
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add some documentation on the thinking behind the state machine.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Move some function definitions around within the state machine to make sure
they are in the correct files. Also create a statem_locl.h header for stuff
entirely local to the state machine code and move various definitions into
it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Pull out the state machine into a separate sub directory. Also moved some
functions which were nothing to do with the state machine but were in state
machine files. Pulled all the SSL_METHOD definitions into one place...most
of those files had very little left in them any more.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
