Commit graph

334 commits

Author SHA1 Message Date
Matt Caswell
92760c21e6 Update state machine to be closer to TLS1.3
This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and bit more like TLSv1.3.

After this commit we have:

ClientHello
+ key_share          ---->
                           ServerHello
                           +key_share
                           {CertificateRequest*}
                           {Certificate*}
                           {CertificateStatus*}
                     <---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished}           ---->
[ApplicationData]    <---> [Application Data]

Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
0d9824c171 Implement tls13_change_cipher_state()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
94ed2c6739 Fixed various style issues in the key_share code
Numerous style issues as well as references to TLS1_3_VERSION instead of
SSL_IS_TLS13(s)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
0f1e51ea11 Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
d7c42d71ba Add processing of the key_share received in the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
b1834ad781 Add the key_share processing to the server side
At the moment the server doesn't yet do anything with this information.
We still need to send the server's key_share info back to the client. That
will happen in subsequent commits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Richard Levitte
b612799a80 Revert "Remove heartbeats completely"
Done too soon, this is for future OpenSSL 1.2.0

This reverts commit 6c62f9e163.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-15 14:53:33 +01:00
Richard Levitte
6c62f9e163 Remove heartbeats completely
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-15 10:45:21 +01:00
Matt Caswell
801cb720ad Fix make update following extensions refactor
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
1ab3836b3b Refactor ClientHello processing so that extensions get parsed earlier
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:29 +00:00
Matt Caswell
7ee8627f6e Convert libssl writing for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
eda757514e Further libssl size_t-ify of reading
Writing still to be done

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
5923ad4bbe Don't set the handshake header in every message
Move setting the handshake header up a level into the state machine code
in order to reduce boilerplate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-03 16:25:48 +01:00
Matt Caswell
cc59ad1073 Convert CertStatus message construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 17:07:45 +01:00
Matt Caswell
83ae466131 Fix missing NULL checks in NewSessionTicket construction
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 16:15:16 +01:00
Matt Caswell
af58be768e Don't allow too many consecutive warning alerts
Certain warning alerts are ignored if they are received. This can mean that
no progress will be made if one peer continually sends those warning alerts.
Implement a count so that we abort the connection if we receive too many.

Issue reported by Shi Lei.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-21 20:17:04 +01:00
Matt Caswell
3c10632529 make update and fix some associated mis-matched error codes
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-09-21 14:31:30 +01:00
Matt Caswell
15e6be6c5c Convert NextProto message construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-20 10:16:56 +01:00
Matt Caswell
2c7b4dbc1a Convert tls_construct_client_hello() to use PACKETW
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
1fb9fdc302 Fix DTLS replay protection
The DTLS implementation provides some protection against replay attacks
in accordance with RFC6347 section 4.1.2.6.

A sliding "window" of valid record sequence numbers is maintained with
the "right" hand edge of the window set to the highest sequence number we
have received so far. Records that arrive that are off the "left" hand
edge of the window are rejected. Records within the window are checked
against a list of records received so far. If we already received it then
we also reject the new record.

If we have not already received the record, or the sequence number is off
the right hand edge of the window then we verify the MAC of the record.
If MAC verification fails then we discard the record. Otherwise we mark
the record as received. If the sequence number was off the right hand edge
of the window, then we slide the window along so that the right hand edge
is in line with the newly received sequence number.

Records may arrive for future epochs, i.e. a record from after a CCS being
sent, can arrive before the CCS does if the packets get re-ordered. As we
have not yet received the CCS we are not yet in a position to decrypt or
validate the MAC of those records. OpenSSL places those records on an
unprocessed records queue. It additionally updates the window immediately,
even though we have not yet verified the MAC. This will only occur if
currently in a handshake/renegotiation.

This could be exploited by an attacker by sending a record for the next
epoch (which does not have to decrypt or have a valid MAC), with a very
large sequence number. This means the right hand edge of the window is
moved very far to the right, and all subsequent legitimate packets are
dropped causing a denial of service.

A similar effect can be achieved during the initial handshake. In this
case there is no MAC key negotiated yet. Therefore an attacker can send a
message for the current epoch with a very large sequence number. The code
will process the record as normal. If the hanshake message sequence number
(as opposed to the record sequence number that we have been talking about
so far) is in the future then the injected message is bufferred to be
handled later, but the window is still updated. Therefore all subsequent
legitimate handshake records are dropped. This aspect is not considered a
security issue because there are many ways for an attacker to disrupt the
initial handshake and prevent it from completing successfully (e.g.
injection of a handshake message will cause the Finished MAC to fail and
the handshake to be aborted). This issue comes about as a result of trying
to do replay protection, but having no integrity mechanism in place yet.
Does it even make sense to have replay protection in epoch 0? That
issue isn't addressed here though.

This addressed an OCAP Audit issue.

CVE-2016-2181

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Remi Gacogne
fddfc0afc8 Add missing session id and tlsext_status accessors
* SSL_SESSION_set1_id()
 * SSL_SESSION_get0_id_context()
 * SSL_CTX_get_tlsext_status_cb()
 * SSL_CTX_get_tlsext_status_arg()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 10:38:20 +01:00
Kurt Roeckx
69588edbaa Check for errors allocating the error strings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330
2016-07-20 19:20:53 +02:00
Matt Caswell
4fa88861ee Update error codes following tls_process_key_exchange() refactor
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00
Richard Levitte
bbba0a7dff make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-19 11:50:42 +02:00
Matt Caswell
05ec6a25f8 Fix up error codes after splitting up tls_construct_key_exchange()
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-18 23:05:15 +01:00
Matt Caswell
c76a4aead2 Errors fix up following break up of CKE processing
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-18 22:55:07 +01:00
Rich Salz
54478ac92a GH1278: Removed error code for alerts
Commit aea145e removed some error codes that are generated
algorithmically: mapping alerts to error texts.  Found by
Andreas Karlsson.  This restores them, and adds two missing ones.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 13:28:33 -04:00
FdaSilvaYY
f430ba31ac Spelling... and more spelling
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1245)
2016-06-22 00:26:10 +02:00
Rich Salz
255cf605d6 RT3895: Remove fprintf's from SSL library.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-04 07:08:29 -04:00
Matt Caswell
2c4a056f59 Handle a memory allocation failure in ssl3_init_finished_mac()
The ssl3_init_finished_mac() function can fail, in which case we need to
propagate the error up through the stack.

RT#3198

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 20:29:04 +01:00
Rich Salz
0cd0a820ab Remove unused error/function codes.
Add script to find unused err/reason codes
Remove unused reason codes.
Remove entries for unused functions

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-23 15:04:23 -04:00
FdaSilvaYY
8fdc99cb5d Fix an error code spelling.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/952)
2016-04-28 14:22:26 -04:00
FdaSilvaYY
8483a003bf various spelling fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/952)
2016-04-28 14:22:26 -04:00
Viktor Dukhovni
e2ab7fb343 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-22 10:41:57 -04:00
Viktor Dukhovni
a4ccf06808 make update
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-07 14:41:34 -04:00
Rich Salz
e771eea6d8 Revert "various spelling fixes"
This reverts commit 620d540bd4.
It wasn't reviewed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 16:11:43 -04:00
Rich Salz
9f2a142b13 Revert "Fix an error code spelling."
This reverts commit 2b0bcfaf83.
It wasn't reviewed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 16:11:04 -04:00
FdaSilvaYY
2b0bcfaf83 Fix an error code spelling.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 15:06:32 -04:00
FdaSilvaYY
620d540bd4 various spelling fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 15:06:32 -04:00
Fedor Indutny
ccae4a1582 Allow different protocol version when trying to reuse a session
We now send the highest supported version by the client, even if the session
uses an older version.

This fixes 2 problems:
- When you try to reuse a session but the other side doesn't reuse it and
  uses a different protocol version the connection will fail.
- When you're trying to reuse a session with an old version you might be
  stuck trying to reuse the old version while both sides support a newer
  version

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

GH: #852, MR: #2452
2016-03-27 23:58:50 +02:00
Matt Caswell
d102d9df86 Implement write pipeline support in libssl
Use the new pipeline cipher capability to encrypt multiple records being
written out all in one go. Two new SSL/SSL_CTX parameters can be used to
control how this works: max_pipelines and split_send_fragment.

max_pipelines defines the maximum number of pipelines that can ever be used
in one go for a single connection. It must always be less than or equal to
SSL_MAX_PIPELINES (currently defined to be 32). By default only one
pipeline will be used (i.e. normal non-parallel operation).

split_send_fragment defines how data is split up into pipelines. The number
of pipelines used will be determined by the amount of data provided to the
SSL_write call divided by split_send_fragment. For example if
split_send_fragment is set to 2000 and max_pipelines is 4 then:
SSL_write called with 0-2000 bytes == 1 pipeline used
SSL_write called with 2001-4000 bytes == 2 pipelines used
SSL_write called with 4001-6000 bytes == 3 pipelines used
SSL_write_called with 6001+ bytes == 4 pipelines used

split_send_fragment must always be less than or equal to max_send_fragment.
By default it is set to be equal to max_send_fragment. This will mean that
the same number of records will always be created as would have been
created in the non-parallel case, although the data will be apportioned
differently. In the parallel case data will be spread equally between the
pipelines.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Rob Percival
ed29e82ade Adds CT validation to SSL connections
Disabled by default, but can be enabled by setting the
ct_validation_callback on a SSL or SSL_CTX.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:50:10 -05:00
Rich Salz
72e9be3d08 GH235: Set error status on malloc failure
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-25 08:37:36 -05:00
Emilia Kasper
aa474d1fb1 TLS: reject duplicate extensions
Adapted from BoringSSL. Added a test.

The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-19 17:24:44 +01:00
Rich Salz
22e3dcb780 Remove TLS heartbeat, disable DTLS heartbeat
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:57:26 -05:00
Rich Salz
a4625290c3 After renaming init, update errors.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-10 15:52:32 -05:00
Matt Caswell
302f75887e Attempt to log an error if init failed
If init failed we'd like to set an error code to indicate that. But if
init failed then when the error system tries to load its strings its going
to fail again. We could get into an infinite loop. Therefore we just set
a single error the first time around. After that no error is set.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 17:40:59 +00:00
Matt Caswell
64f9f40696 Handle SSL_shutdown while in init more appropriately #2
Previous commit 7bb196a71 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit 7bb196a71 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:29:29 +00:00
Matt Caswell
3edeb622ba Make DTLSv1_listen a first class function and change its type
The DTLSv1_listen function exposed details of the underlying BIO
abstraction and did not properly allow for IPv6. This commit changes the
"peer" argument to be a BIO_ADDR and makes it a first class function
(rather than a ctrl) to ensure proper type checking.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-05 19:12:18 +00:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Matt Caswell
7bb196a71a Handle SSL_shutdown while in init more appropriately
Calling SSL_shutdown while in init previously gave a "1" response, meaning
everything was successfully closed down (even though it wasn't). Better is
to send our close_notify, but fail when trying to receive one.

The problem with doing a shutdown while in the middle of a handshake is
that once our close_notify is sent we shouldn't really do anything else
(including process handshake/CCS messages) until we've received a
close_notify back from the peer. However the peer might send a CCS before
acting on our close_notify - so we won't be able to read it because we're
not acting on CCS messages!

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-20 13:58:12 +00:00
Viktor Dukhovni
aea145e399 Regenerate SSL record/statem error strings
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-10 20:18:05 -05:00
Rich Salz
bbd86bf542 mem functions cleanup
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
        (Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 15:14:18 -05:00
Viktor Dukhovni
919ba00942 DANE support structures, constructructors and accessors
Also tweak some of the code in demos/bio, to enable interactive
testing of BIO_s_accept's use of SSL_dup.  Changed the sconnect
client to authenticate the server, which now exercises the new
SSL_set1_host() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-05 19:31:49 -05:00
Viktor Dukhovni
4fa52141b0 Protocol version selection and negotiation rewrite
The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-02 10:49:06 -05:00
Dr. Stephen Henson
e091c83e72 remove unused error code
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 16:16:35 +00:00
Dr. Stephen Henson
a2074b9287 make errors
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
4160936143 update errors
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-08 16:32:39 +00:00
Kurt Roeckx
361a119127 Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
2015-12-05 17:45:59 +01:00
Dr. Stephen Henson
600fdc716f fix function code discrepancy
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-27 21:28:23 +00:00
Matt Caswell
7fecbf6f21 Rename start_async_job to ssl_start_async_job
Make it clear that this function is ssl specific.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:35:19 +00:00
Matt Caswell
add2f5ca6d Clean up libssl async calls
Tidy up the libssl async calls and make sure all IO functions are covered.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:35:19 +00:00
Matt Caswell
07bbc92ccb Make libssl async aware
The following entry points have been made async aware:
SSL_accept
SSL_read
SSL_write

Also added is a new mode - SSL_MODE_ASYNC. Calling the above functions with
the async mode enabled will initiate a new async job. If an async pause is
encountered whilst executing the job (such as for example if using SHA1/RSA
with the Dummy Async engine), then the above functions return with
SSL_WANT_ASYNC. Calling the functions again (with exactly the same args
as per non-blocking IO), will resume the job where it left off.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:31:42 +00:00
Matt Caswell
5f3d93e4a3 Ensure all EVP calls have their returns checked where appropriate
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-20 15:47:02 +00:00
Dr. Stephen Henson
b8fb59897b Rebuild error source files.
Rebuild error source files: the new mkerr.pl functionality will now
pick up and translate static function names properly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-05 15:48:37 +00:00
Matt Caswell
73999b62a2 Move PACKET creation into the state machine
Previously each message specific process function would create its own
PACKET structure. Rather than duplicate all of this code lots of times we
should create it in the state machine itself.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
c130dd8ea4 Move server side DTLS to new state machine
Implement all of the necessary changes to make DTLS on the server work
with the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
94836de2ae Move server side TLS to new state machine
Implement all of the necessary changes for moving TLS server side
processing into the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
e27f234a41 Split TLS server functions
Split the TLS server ssl3_get_* and ssl3_send_* functions into two ready
for the migration to the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
473483d42d Implement DTLS client move to new state machine
Move all DTLS client side processing into the new state machine code. A
subsequent commit will clean up the old dead code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
76af303761 dtls_get_message changes for state machine move
Create a dtls_get_message function similar to the old dtls1_get_message but
in the format required for the new state machine code. The old function will
eventually be deleted in later commits.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
b9908bf9b8 Split client message reading and writing functions
The new state machine code will split up the reading and writing of
hanshake messages into discrete phases. In order to facilitate that the
existing "get" type functions will be split into two halves: one to get
the message and one to process it. The "send" type functions will also have
all work relating to constructing the message split out into a separate
function just for that. For some functions there will also be separate
pre and post "work" phases to prepare or update state.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
f8e0a55738 Add initial state machine rewrite code
This is the first drop of the new state machine code.

The rewrite has the following objectives:
- Remove duplication of state code between client and server
- Remove duplication of state code between TLS and DTLS
- Simplify transitions and bring the logic together in a single location
  so that it is easier to validate
- Remove duplication of code between each of the message handling functions
- Receive a message first and then work out whether that is a valid
  transition - not the other way around (the other way causes lots of issues
  where we are expecting one type of message next but actually get something
  else)
- Separate message flow state from handshake state (in order to better
  understand each)
  - message flow state = when to flush buffers; handling restarts in the
    event of NBIO events; handling the common flow of steps for reading a
    message and the common flow of steps for writing a message etc
  - handshake state = what handshake message are we working on now
- Control complexity: only the state machine can change state: keep all
  the state changes local to a file

This builds on previous state machine related work:
- Surface CCS processing in the state machine
- Version negotiation rewrite

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Matt Caswell
9ab930b27d Split ssl3_get_message
The function ssl3_get_message gets a whole message from the underlying bio
and returns it to the state machine code. The new state machine code will
split this into two discrete steps: get the message header and get the
message body. This commit splits the existing function into these two
sub steps to facilitate the state machine implementation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Emilia Kasper
329428708d PACKET: simplify ServerKeyExchange parsing
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-08 16:44:39 +02:00
Matt Caswell
e3d0dae7cf DTLSv1_listen rewrite
The existing implementation of DTLSv1_listen() is fundamentally flawed. This
function is used in DTLS solutions to listen for new incoming connections
from DTLS clients. A client will send an initial ClientHello. The server
will respond with a HelloVerifyRequest containing a unique cookie. The
client the responds with a second ClientHello - which this time contains the
cookie.

Once the cookie has been verified then DTLSv1_listen() returns to user code,
which is typically expected to continue the handshake with a call to (for
example) SSL_accept().

Whilst listening for incoming ClientHellos, the underlying BIO is usually in
an unconnected state. Therefore ClientHellos can come in from *any* peer.
The arrival of the first ClientHello without the cookie, and the second one
with it, could be interspersed with other intervening messages from
different clients.

The whole purpose of this mechanism is as a defence against DoS attacks. The
idea is to avoid allocating state on the server until the client has
verified that it is capable of receiving messages at the address it claims
to come from. However the existing DTLSv1_listen() implementation completely
fails to do this. It attempts to super-impose itself on the standard state
machine and reuses all of this code. However the standard state machine
expects to operate in a stateful manner with a single client, and this can
cause various problems.

A second more minor issue is that the return codes from this function are
quite confused, with no distinction made between fatal and non-fatal errors.
Most user code treats all errors as non-fatal, and simply retries the call
to DTLSv1_listen().

This commit completely rewrites the implementation of DTLSv1_listen() and
provides a stand alone implementation that does not rely on the existing
state machine. It also provides more consistent return codes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Guy Leaver (guleaver)
61e72d761c Fix seg fault with 0 p val in SKE
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
value of p set to 0 then a seg fault can occur. This commits adds a test to
reject p, g and pub key parameters that have a 0 value (in accordance with
RFC 5246)

The security vulnerability only affects master and 1.0.2, but the fix is
additionally applied to 1.0.1 for additional confidence.

CVE-2015-1794

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 19:57:01 +01:00
Matt Caswell
870063c83d Normalise make errors output
make errors wants things in a different order to the way things are
currently defined in the header files. The easiest fix is to just let it
reorder it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 19:57:01 +01:00
Matt Caswell
657da85eea Move TLS CCS processing into the state machine
The handling of incoming CCS records is a little strange. Since CCS is not
a handshake message it is handled differently to normal handshake messages.
Unfortunately whilst technically it is not a handhshake message the reality
is that it must be processed in accordance with the state of the handshake.
Currently CCS records are processed entirely within the record layer. In
order to ensure that it is handled in accordance with the handshake state
a flag is used to indicate that it is an acceptable time to receive a CCS.

Previously this flag did not exist (see CVE-2014-0224), but the flag should
only really be considered a workaround for the problem that CCS is not
visible to the state machine.

Outgoing CCS messages are already handled within the state machine.

This patch makes CCS visible to the TLS state machine. A separate commit
will handle DTLS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:18:05 +01:00
Matt Caswell
98ece4eebf Fix race condition in NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

CVE-2015-1791

This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.

Parts of this patch were inspired by this Akamai change:
c0bf69a791

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-02 09:30:12 +01:00
Matt Caswell
d45ba43dab Updates following review comments
Miscellaneous updates following review comments on the version negotiation
rewrite patches.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-16 09:20:52 +01:00
Matt Caswell
55a9a16f1c Remove Kerberos support from libssl
Remove RFC2712 Kerberos support from libssl. This code and the associated
standard is no longer considered fit-for-purpose.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-13 15:07:57 +01:00
Dr. Stephen Henson
fae4772c24 Add SSL_use_certificate_chain_file function
Add SSL_use_certiicate_chain file functions: this is works the same
way as SSL_CTX_use_certificate_chain_file but for an SSL structure.

Update SSL_CONF code to use the new function.
Update docs.
Update ordinals.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-08 18:43:44 +01:00
Emilia Kasper
6e3d015363 Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec61
and
7b3ba508af
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-21 18:12:58 +02:00
Kurt Roeckx
4dcb4b91db return unexpected message when receiving kx with kDHr or kDHd
It was saying that it was an illegal parameter / unsupported cipher

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-23 21:08:20 +01:00
Matt Caswell
77d514c5a0 ssl3_set_handshake_header returns
Change ssl_set_handshake_header from return void to returning int, and
handle error return code appropriately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-23 15:23:24 +00:00
Matt Caswell
69f6823748 Fix missing return value checks
Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-23 15:23:11 +00:00
Kurt Roeckx
2c3823491d Remove ssl_cert_inst()
It created the cert structure in SSL_CTX or SSL if it was NULL, but they can
never be NULL as the comments already said.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-03-15 12:15:08 +01:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
db812f2d70 Add more meaningful OPENSSL_NO_ECDH error message for suite b mode
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-16 14:14:09 +00:00
Jonas Maebe
c27dc3981c tls1_process_heartbeat: check for NULL after allocating buffer
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-10 18:35:18 +01:00
Emilia Kasper
740580c2b2 Add extra checks for odd-length EC curve lists.
Odd-length lists should be rejected everywhere upon parsing. Nevertheless,
be extra careful and add guards against off-by-one reads.

Also, drive-by replace inexplicable double-negation with an explicit comparison.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 16:57:58 +01:00
Kurt Roeckx
45f55f6a5b Remove SSLv2 support
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 11:55:03 +01:00
Matt Caswell
eceef8fb86 Remove more references to dtls1_enc
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:40:59 +00:00
Dr. Stephen Henson
e469af8d05 Process signature algorithms before deciding on certificate.
The supported signature algorithms extension needs to be processed before
the certificate to use is decided and before a cipher is selected (as the
set of shared signature algorithms supported may impact the choice).
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 56e8dc542b)

Conflicts:
	ssl/ssl.h
	ssl/ssl_err.c
2014-11-19 14:49:12 +00:00
Dr. Stephen Henson
c800c27a8c Process signature algorithms in ClientHello late.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-24 13:46:37 +01:00
Bodo Moeller
cf6da05304 Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:03:28 +02:00
Emilia Kasper
be0477a8e9 RT 3060: amend patch
Use existing error code SSL_R_RECORD_TOO_SMALL for too many empty records.

For ease of backporting the patch to release branches.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-08-22 15:35:42 +02:00
Dr. Stephen Henson
0989790b87 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:36:41 +01:00
Ben Laurie
d2ab55eb5b Reduce casting nastiness. 2014-07-05 15:00:53 +01:00
Dr. Stephen Henson
b948ee27b0 Remove all RFC5878 code.
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
2014-07-04 13:26:35 +01:00
Matt Caswell
a141effa7b Fixed spelling error in error message. Fix supplied by Marcos Marado 2014-05-01 00:28:00 +01:00
Dr. Stephen Henson
b362ccab5c Security framework.
Security callback: selects which parameters are permitted including
sensible defaults based on bits of security.

The "parameters" which can be selected include: ciphersuites,
curves, key sizes, certificate signature algorithms, supported
signature algorithms, DH parameters, SSL/TLS version, session tickets
and compression.

In some cases prohibiting the use of a parameters will mean they are
not advertised to the peer: for example cipher suites and ECC curves.
In other cases it will abort the handshake: e.g DH parameters or the
peer key size.

Documentation to follow...
2014-03-28 14:56:30 +00:00
Dr. Stephen Henson
26bda7ef2b Sync error codes with 1.0.2-stable 2013-11-06 14:18:41 +00:00
Ben Laurie
9725bda766 Show useful errors.
Conflicts:
	apps/s_server.c
2013-09-25 12:45:48 +01:00
Dr. Stephen Henson
9600602267 Fix error code clashes. 2013-09-18 01:22:50 +01:00
Scott Deboy
36086186a9 Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
2013-09-06 13:59:13 +01:00
Adam Langley
64a786a292 Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.
2013-06-13 17:10:52 +01:00
Trevor
a398f821fa Add support for arbitrary TLS extensions.
Contributed by Trevor Perrin.
2013-06-12 17:01:13 +01:00
Dr. Stephen Henson
412834dcf0 Typo. 2013-04-14 01:19:07 +01:00
Dr. Stephen Henson
4544f0a691 Suite B support for DTLS 1.2
Check for Suite B support using method flags instead of version numbers:
anything supporting TLS 1.2 cipher suites will also support Suite B.

Return an error if an attempt to use DTLS 1.0 is made in Suite B mode.
2013-04-09 16:49:13 +01:00
Dr. Stephen Henson
4842dde80c return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error coded 2012-12-01 18:33:21 +00:00
Dr. Stephen Henson
3db935a9e5 add SSL_CONF functions and documentation 2012-11-16 19:12:24 +00:00
Dr. Stephen Henson
d47c01a31a perform sanity checks on server certificate type as soon as it is received instead of waiting until server key exchange 2012-08-31 11:18:54 +00:00
Dr. Stephen Henson
becfdb995b give more meaningful error if presented with wrong certificate type by server 2012-08-30 12:46:22 +00:00
Dr. Stephen Henson
2ea8035460 Add three Suite B modes to TLS code, supporting RFC6460. 2012-08-15 15:15:05 +00:00
Dr. Stephen Henson
ec4a50b3c3 Abort handshake if signature algorithm used not supported by peer. 2012-07-24 18:11:27 +00:00
Dr. Stephen Henson
d18b716d25 check EC tmp key matches preferences 2012-07-24 13:47:40 +00:00
Dr. Stephen Henson
74ecfab401 Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.

Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
2012-07-23 23:34:28 +00:00
Dr. Stephen Henson
a1644902eb add ssl_locl.h to err header files, rebuild ssl error strings 2012-07-19 14:45:36 +00:00
Dr. Stephen Henson
18d7158809 Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
2012-06-29 14:24:42 +00:00
Dr. Stephen Henson
4453cd8c73 Reorganise supported signature algorithm extension processing.
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
2012-06-25 14:32:30 +00:00
Ben Laurie
7a71af86ce Rearrange and test authz extension. 2012-06-07 13:20:47 +00:00
Ben Laurie
a9e1c50bb0 RFC 5878 support. 2012-05-30 10:10:58 +00:00
Dr. Stephen Henson
09e4e4b98e Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
Improved localisation of TLS extension handling and code tidy.
2012-04-24 12:22:23 +00:00
Dr. Stephen Henson
ce33b42bc6 oops, not yet ;-) 2012-04-23 21:58:29 +00:00
Dr. Stephen Henson
579d553464 update NEWS 2012-04-23 21:56:33 +00:00
Dr. Stephen Henson
aa09c2c631 correct error codes 2012-04-18 15:36:12 +00:00
Dr. Stephen Henson
5421196eca ABI compliance fixes.
Move new structure fields to end of structures.
2012-02-22 15:39:54 +00:00
Dr. Stephen Henson
5997efca83 Submitted by: Eric Rescorla <ekr@rtfm.com>
Fix encoding of use_srtp extension to be compliant with RFC5764
2012-02-10 00:07:18 +00:00
Dr. Stephen Henson
4379d0e457 Tidy/enhance certificate chain output code.
New function ssl_add_cert_chain which adds a certificate chain to
SSL internal BUF_MEM. Use this function in ssl3_output_cert_chain
and dtls1_output_cert_chain instead of partly duplicating code.
2012-01-26 15:47:32 +00:00
Dr. Stephen Henson
d0dc991c62 Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 23:15:51 +00:00
Dr. Stephen Henson
b3720c34e5 oops, revert wrong patch 2012-01-03 22:06:21 +00:00
Dr. Stephen Henson
5733919dbc only send heartbeat extension from server if client sent one 2012-01-03 22:03:20 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 22:59:57 +00:00
Ben Laurie
e0af04056c Add TLS exporter. 2011-11-15 23:50:52 +00:00
Ben Laurie
333f926d67 Add DTLS-SRTP. 2011-11-15 22:59:20 +00:00
Dr. Stephen Henson
8f82912460 Process signature algorithms during TLS v1.2 client authentication.
Make sure message is long enough for signature algorithms.
2011-05-12 14:38:01 +00:00
Dr. Stephen Henson
a2f9200fba Initial TLS v1.2 client support. Include a default supported signature
algorithms extension (including everything we support). Swicth to new
signature format where needed and relax ECC restrictions.

Not TLS v1.2 client certifcate support yet but client will handle case
where a certificate is requested and we don't have one.
2011-05-09 15:44:01 +00:00
Dr. Stephen Henson
08557cf22c Initial "opaque SSL" framework. If an application defines
OPENSSL_NO_SSL_INTERN all ssl related structures are opaque
and internals cannot be directly accessed. Many applications
will need some modification to support this and most likely some
additional functions added to OpenSSL.

The advantage of this option is that any application supporting
it will still be binary compatible if SSL structures change.
2011-04-29 22:37:12 +00:00
Dr. Stephen Henson
23bc7961d2 Fix broken SRP error/function code assignment. 2011-03-16 16:17:46 +00:00
Ben Laurie
edc032b5e3 Add SRP support. 2011-03-12 17:01:19 +00:00
Ben Laurie
ee2ffc2794 Add Next Protocol Negotiation. 2010-07-28 10:06:55 +00:00
Dr. Stephen Henson
76998a71bc Updates to conform with draft-ietf-tls-renegotiation-03.txt:
1. Add provisional SCSV value.
2. Don't send SCSV and RI at same time.
3. Fatal error is SCSV received when renegotiating.
2010-01-06 17:37:09 +00:00
Dr. Stephen Henson
2be3d6ebc8 Client side compression algorithm sanity checks: ensure old compression
algorithm matches current and give error if compression is disabled and
server requests it (shouldn't happen unless server is broken).
2010-01-01 14:39:37 +00:00
Dr. Stephen Henson
e6f418bcb7 Compression handling on session resume was badly broken: it always
used compression algorithms in client hello (a legacy from when
the compression algorithm wasn't serialized with SSL_SESSION).
2009-12-31 14:13:30 +00:00
Dr. Stephen Henson
338a61b94e Add patch to crypto/evp which didn't apply from PR#2124 2009-12-09 15:01:39 +00:00
Dr. Stephen Henson
64abf5e657 Include a more meaningful error message when rejecting legacy renegotiation 2009-11-18 14:20:21 +00:00
Dr. Stephen Henson
e0e7997212 First cut of renegotiation extension. (port to HEAD) 2009-11-09 19:03:34 +00:00
Dr. Stephen Henson
e0d4e97c1a Make update, deleting bogus DTLS error code 2009-09-06 15:58:19 +00:00