Commit graph

474 commits

Author SHA1 Message Date
Rich Salz
7c96dbcdab GH715: ENGINE_finish can take NULL
Simplifies calling code.  Also fixed up any !ptr tests that were
nearby, turning them into NULL tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-25 15:19:42 -05:00
Rich Salz
72e9be3d08 GH235: Set error status on malloc failure
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-25 08:37:36 -05:00
Dr. Stephen Henson
2cf28d6127 Remove unused parameter in ssl_set_masks().
The ssl_set_masks() function no longer depends on the cipher. This
also means there is no need to set the masks for each cipher in
ssl3_choose_cipher.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-24 02:41:54 +00:00
Rich Salz
d63a5e5e7d Remove outdated DEBUG flags.
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
  RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-18 17:14:50 -05:00
Zhao Junwang
c4c32155f5 GH706: Use NULL for pointer compare.
As handshake_func is a function pointer, it should compare to NULL

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-18 09:56:02 -05:00
Dr. Stephen Henson
c7c4625693 remove redundant code
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-17 16:16:13 +00:00
Dr. Stephen Henson
ce0c1f2bb2 Remove static ECDH support.
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-11 20:54:01 +00:00
Rich Salz
f3f1cf8444 Move to REF_DEBUG, for consistency.
Add utility macros REF_ASSERT_NOT and REF_PRINT_COUNT
This is also RT 4181

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:40:32 -05:00
Matt Caswell
0fc32b0718 The new init functions can now fail so shouldn't be void
The new init functions can fail if the library has already been stopped. We
should be able to indicate failure with a 0 return value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 17:40:59 +00:00
Rich Salz
f672aee494 Rename INIT funtions, deprecate old ones.
Man, there were a lot of renamings :)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-10 09:37:03 -05:00
Matt Caswell
7fa792d14d Auto init/de-init libssl
Building on the pervious commit to auto initialise and de-initialise libssl

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Viktor Dukhovni
c0a445a9f2 Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails.  However, this only happened when verification
failed during chain construction.  Errors in verification of the
constructed chain did not have the intended effect on these functions.

This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails.  Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail.  They must of course first check
and save the real error, and restore the original error as quickly
as possible.  Hiding by default seems to be the safer interface.

Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records.  Previously reported via X509_V_ERR_CERT_UNTRUSTED.

This also changes the "-brief" output from s_client to include
verification results and TLSA match information.

Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).

Added a few more test-cases to danetest, that exercise the new
code.

Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().

Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error.  [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 14:46:09 -05:00
Dr. Stephen Henson
b577fd0b81 Deprecate undocumented SSL_cache_hit().
Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a
real function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 16:57:07 +00:00
Matt Caswell
64f9f40696 Handle SSL_shutdown while in init more appropriately #2
Previous commit 7bb196a71 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit 7bb196a71 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:29:29 +00:00
Dr. Stephen Henson
696178edff Add SSL_get0_verified_chain() to return verified chain of peer
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-06 18:18:28 +00:00
Dmitry-Me
a89c9a0d85 GH614: Use memcpy()/strdup() when possible
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 15:45:56 -05:00
Emilia Kasper
dc5744cb78 RT3234: disable compression
CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-03 18:08:16 +01:00
Matt Caswell
ec4479249d Implement Async SSL_shutdown
This extends the existing async functionality to SSL_shutdown(), i.e.
SSL_shutdown() can now casuse an SSL_ERROR_WANT_ASYNC error to be returned
from SSL_get_error() if async mode has been enabled.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-29 11:36:44 +00:00
Matt Caswell
a18a31e49d Add SSL_up_ref() and SSL_CTX_up_ref()
The SSL and SSL_CTX structures are reference counted. However since libssl
was made opaque there is no way for users of the library to manipulate the
reference counts. This adds functions to enable that.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-26 13:19:10 +00:00
Alessandro Ghedini
b7557ccf36 Fix build failure with CIPHER_DEBUG
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-22 12:00:46 -05:00
Matt Caswell
7bb196a71a Handle SSL_shutdown while in init more appropriately
Calling SSL_shutdown while in init previously gave a "1" response, meaning
everything was successfully closed down (even though it wasn't). Better is
to send our close_notify, but fail when trying to receive one.

The problem with doing a shutdown while in the middle of a handshake is
that once our close_notify is sent we shouldn't really do anything else
(including process handshake/CCS messages) until we've received a
close_notify back from the peer. However the peer might send a CCS before
acting on our close_notify - so we won't be able to read it because we're
not acting on CCS messages!

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-20 13:58:12 +00:00
Viktor Dukhovni
8d887efa2e Better invalid SNI name error handling
Also report an SSL_dane_enable error when the basedomain is an
invalid SNI name.  Avoid side-effects when such a name is valid
with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by
setting the SNI name first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:15:42 -05:00
Rich Salz
47153c7253 Make SSL_set_debug deprecated in 1.1
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-14 12:30:32 -05:00
Rich Salz
3a4e9367d8 RT4232: Extra space in help message.
It turns out that -pause calls the undocumented function SSL_set_debug.
That just sets flag inside the SSL structure.  That flag, despite
the command is never used.  So remove the flag, the field, and the
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:32:18 -05:00
Richard Levitte
846ec07d90 Adapt all EVP_CIPHER_CTX users for it becoming opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 13:52:22 +01:00
Dr. Stephen Henson
62d0577e0d Add lh_new() inlining
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:27 +00:00
Viktor Dukhovni
8106cb8b6d Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-11 10:51:02 -05:00
Dr. Stephen Henson
4a640fb6c3 Fix declarations and constification for inline stack.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Viktor Dukhovni
919ba00942 DANE support structures, constructructors and accessors
Also tweak some of the code in demos/bio, to enable interactive
testing of BIO_s_accept's use of SSL_dup.  Changed the sconnect
client to authenticate the server, which now exercises the new
SSL_set1_host() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-05 19:31:49 -05:00
Viktor Dukhovni
4fa52141b0 Protocol version selection and negotiation rewrite
The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-02 10:49:06 -05:00
Kurt Roeckx
7946ab33ce Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-02 10:47:52 -05:00
Dr. Stephen Henson
bc71f91064 Remove fixed DH ciphersuites.
Remove all fixed DH ciphersuites and associated logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-19 16:14:51 +00:00
Rich Salz
7644a9aef8 Rename some BUF_xxx to OPENSSL_xxx
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 16:14:49 -05:00
Richard Levitte
60f43e9e4d Fix warnings about unused variables when EC is disabled.
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-12-09 23:59:04 +01:00
Richard Levitte
bfb0641f93 Cleanup: fix all sources that used EVP_MD_CTX_(create|init|destroy)
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:40:20 +01:00
Richard Levitte
6e59a892db Adjust all accesses to EVP_MD_CTX to use accessor functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:39:23 +01:00
Kurt Roeckx
361a119127 Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
2015-12-05 17:45:59 +01:00
Kurt Roeckx
fe6ef2472d Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:30:36 +01:00
Kurt Roeckx
6977e8ee4a Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves()
SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it.  On
the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:25:11 +01:00
Kurt Roeckx
6f78b9e824 Remove support for SSL_{CTX_}set_tmp_ecdh_callback().
This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in handshake failures that can
be avoided by selecting a different cipher.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:22:31 +01:00
Rich Salz
e6390acac9 ex_data part 2: doc fixes and CRYPTO_free_ex_index.
Add CRYPTO_free_ex_index (for shared libraries)
Unify and complete the documentation for all "ex_data" API's and objects.
Replace xxx_get_ex_new_index functions with a macro.
Added an exdata test.
Renamed the ex_data internal datatypes.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-01 11:48:37 -05:00
Dr. Stephen Henson
28ba2541f9 PRF and handshake hash revision.
Change handshake hash array into a single digest context simplifying the
handhake hash code. Use EVP_md5_sha1() if needed for handshake hashes in
TLS 1.1 and earlier.

Simplify PRF code to also use a single digest and treat EVP_md5_sha1()
as a special case.

Modify algorithm2 field of ciphers to use a single index value for handshake
hash and PRF instead of a bitmap.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-27 19:04:14 +00:00
Matt Caswell
2a9b96548a Updates to GOST2012
Various updates following feedback from the recent commit of the new
GOST2012 code.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-27 17:23:14 +00:00
Dr. Stephen Henson
6938c954b0 Remove unused cert_verify_mac code
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-25 18:22:12 +00:00
Dmitry Belyavsky
e44380a990 Patch containing TLS implementation for GOST 2012
This patch contains the necessary changes to provide GOST 2012
ciphersuites in TLS. It requires the use of an external GOST 2012 engine.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-23 16:09:42 +00:00
Matt Caswell
7fecbf6f21 Rename start_async_job to ssl_start_async_job
Make it clear that this function is ssl specific.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:35:19 +00:00
Matt Caswell
add2f5ca6d Clean up libssl async calls
Tidy up the libssl async calls and make sure all IO functions are covered.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:35:19 +00:00
Matt Caswell
9920a58eb2 Fix the error code for SSL_get_async_wait_fd()
0 is a valid file descriptor so SSL_get_async_wait_fd should instead return
-1 on error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:35 +00:00
Matt Caswell
44a27ac282 Remove ASYNC_in_job()
The ASYNC_in_job() function is redundant. The same effect can be achieved by
using ASYNC_get_current_job().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:34 +00:00
Matt Caswell
f4da39d200 Initial Async notify code changes
Initial API implemented for notifying applications that an ASYNC_JOB
has completed. Currently only s_server is using this. The Dummy Async
engine "cheats" in that it notifies that it has completed *before* it
pauses the job. A normal async engine would not do that.

Only the posix version of this has been implemented so far, so it will
probably fail to compile on Windows at the moment.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
826760945d Async clean ups
Removed the function ASYNC_job_is_waiting() as it was redundant. The only
time user code has a handle on a job is when one is waiting, so all they
need to do is check whether the job is NULL. Also did some cleanups to
make sure the job really is NULL after it has been freed!

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:32:18 +00:00
Matt Caswell
07bbc92ccb Make libssl async aware
The following entry points have been made async aware:
SSL_accept
SSL_read
SSL_write

Also added is a new mode - SSL_MODE_ASYNC. Calling the above functions with
the async mode enabled will initiate a new async job. If an async pause is
encountered whilst executing the job (such as for example if using SHA1/RSA
with the Dummy Async engine), then the above functions return with
SSL_WANT_ASYNC. Calling the functions again (with exactly the same args
as per non-blocking IO), will resume the job where it left off.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:31:42 +00:00
Matt Caswell
5f3d93e4a3 Ensure all EVP calls have their returns checked where appropriate
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-20 15:47:02 +00:00
Matt Caswell
a974e64aaa Fix SSL_use_certificate_chain_file
The new function SSL_use_certificate_chain_file was always crashing in
the internal function use_certificate_chain_file because it would pass a
NULL value for SSL_CTX *, but use_certificate_chain_file would
unconditionally try to dereference it.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-11-10 23:02:44 +00:00
Matt Caswell
a71edf3ba2 Standardise our style for checking malloc failures
if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise
the approach in libssl.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-09 22:48:41 +00:00
Matt Caswell
3457e7a087 Remove redundant check from SSL_shutdown
The SSL object was being deref'd and then there was a later redundant check
to see if it is NULL. We assume all SSL_foo functions pass a non NULL SSL
object and do not check it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-09 15:36:19 +00:00
Dr. Stephen Henson
90d9e49a4b Use uint32_t and int32_t for SSL_CIPHER structure.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-08 14:03:50 +00:00
Matt Caswell
87d9cafa33 Remove some SSLv2 references
There were a few remaining references to SSLv2 support which are no longer
relevant now that it has been removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 09:17:22 +00:00
Matt Caswell
024f543c15 Move in_handshake into STATEM
The SSL variable |in_handshake| seems misplaced. It would be better to have
it in the STATEM structure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
a71a4966a3 Move |no_cert_verify| into state machine
The |no_cert_verify| should be in the state machine structure not in SSL

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
fe3a329117 Change statem prefix to ossl_statem
Change various state machine functions to use the prefix ossl_statem
instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
23a635c0ec Remove the type variable
The SSL structure contained a "type" variable that was set to either
SSL_ST_ACCEPT or SSL_ST_CONNECT depending on whether we are the server or
the client. This duplicates the capability of the "server" variable and was
actually rarely used.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
49ae742398 Remove redundant code
Clean up and remove lots of code that is now no longer needed due to the
move to the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
e27f234a41 Split TLS server functions
Split the TLS server ssl3_get_* and ssl3_send_* functions into two ready
for the migration to the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
f8e0a55738 Add initial state machine rewrite code
This is the first drop of the new state machine code.

The rewrite has the following objectives:
- Remove duplication of state code between client and server
- Remove duplication of state code between TLS and DTLS
- Simplify transitions and bring the logic together in a single location
  so that it is easier to validate
- Remove duplication of code between each of the message handling functions
- Receive a message first and then work out whether that is a valid
  transition - not the other way around (the other way causes lots of issues
  where we are expecting one type of message next but actually get something
  else)
- Separate message flow state from handshake state (in order to better
  understand each)
  - message flow state = when to flush buffers; handling restarts in the
    event of NBIO events; handling the common flow of steps for reading a
    message and the common flow of steps for writing a message etc
  - handshake state = what handshake message are we working on now
- Control complexity: only the state machine can change state: keep all
  the state changes local to a file

This builds on previous state machine related work:
- Surface CCS processing in the state machine
- Version negotiation rewrite

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
David Woodhouse
984d6c6052 Fix no-stdio build
Much related/similar work also done by
Ivan Nestlerode <ivan.nestlerode@sonos.com>

   +Replace FILE BIO's with dummy ops that fail.
   +Include <stdio.h> for sscanf() even with no-stdio (since the declaration
    is there). We rely on sscanf() to parse the OPENSSL_ia32cap environment
    variable, since it can be larger than a 'long'. And we don't rely on the
    availability of strtoull().
   +Remove OPENSSL_stderr(); not used.
   +Make OPENSSL_showfatal() do nothing (currently without stdio there's
    nothing we can do).
   +Remove file-based functionality from ssl/. The function
    prototypes were already gone, but not the functions themselves.
   +Remove unviable conf functionality via SYS_UEFI
   +Add fallback definition of BUFSIZ.
   +Remove functions taking FILE * from header files.
   +Add missing DECLARE_PEM_write_fp_const
   +Disable X509_LOOKUP_hash_dir(). X509_LOOKUP_file() was already compiled out,
    so remove its prototype.
   +Use OPENSSL_showfatal() in CRYPTO_destroy_dynlockid().
   +Eliminate SRP_VBASE_init() and supporting functions. Users will need to
    build the verifier manually instead.
   +Eliminate compiler warning for unused do_pk8pkey_fp().
   +Disable TEST_ENG_OPENSSL_PKEY.
   +Disable GOST engine as is uses [f]printf all over the place.
   +Eliminate compiler warning for unused send_fp_chars().

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-29 21:59:19 -04:00
Matt Caswell
d84a7b20e3 Add ability to set default CA path and file locations individually
Previously you could only set both the default path and file locations
together. This adds the ability to set one without the other.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:49:59 +01:00
Emilia Kasper
e9fa092efc Remove ssl_put_cipher_by_char
Since SSLv3, a CipherSuite is always 2 bytes. The only place where we
need 3-byte ciphers is SSLv2-compatible ClientHello processing.

So, remove the ssl_put_cipher_by_char indirection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 20:34:25 +02:00
Filipe DA SILVA
0e04674e96 RT4047: Set reference count earlier
Make sure it's valid very early.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-17 11:58:24 -04:00
Dr. Stephen Henson
df6da24bda Fix PSK identity hint handling.
For server use a PSK identity hint value in the CERT structure which
is inherited when SSL_new is called and which allows applications to
set hints on a per-SSL basis. The previous version of
SSL_use_psk_identity_hint tried (wrongly) to use the SSL_SESSION structure.

PR#4039

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-14 19:52:27 +01:00
Ben Laurie
df2ee0e27d Enable -Wmissing-variable-declarations and
-Wincompatible-pointer-types-discards-qualifiers (the latter did not require
any code changes).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-11 04:51:55 +01:00
Dr. Stephen Henson
a8d8e06b0a Avoid direct X509 structure access
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 00:17:37 +01:00
Rich Salz
64b25758ed remove 0 assignments.
After openssl_zalloc, cleanup more "set to 0/NULL" assignments.
Many are from github feedback.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-03 16:26:34 -04:00
Rich Salz
b51bce9420 Add and use OPENSSL_zalloc
There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-02 22:05:37 -04:00
Dr. Stephen Henson
05f0fb9f6a Add X509_up_ref function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 23:18:55 +01:00
Rich Salz
ade44dcb16 Remove Gost94 signature algorithm.
This was obsolete in 2001.  This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 18:23:29 -04:00
Dr. Stephen Henson
526f94ad68 Enable PSK if corresponding mask set.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-30 14:43:35 +01:00
Dr. Stephen Henson
f7d5348710 Use uint32_t consistently for flags.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-18 13:57:05 +01:00
Dr. Stephen Henson
c34b0f9930 Move peer chain to SSL_SESSION structure.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-22 13:52:24 +01:00
Rich Salz
d31fb0b5b3 Refactor into clear_ciphers; RT3588
While closing RT3588 (Remove obsolete comment) Kurt and I saw that a
few lines to completely clear the SSL cipher state could be moved into
a common function.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-06-15 10:08:19 -04:00
Matt Caswell
d9f1c639d5 Change return type of the new accessors
The new accessors SSL_get_client_random, SSL_get_server_random and
SSL_SESSION_get_master_key should return a size_t to match the type of the
|outlen| parameter.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-28 16:55:15 +01:00
Matt Caswell
6b8f5d0d43 Change the new functions to use size_t
Change the new SSL_get_client_random(), SSL_get_server_random() and
SSL_SESSION_get_master_key() functions to use size_t for |outlen| instead of
int.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-28 16:05:56 +01:00
Nick Mathewson
858618e7e0 Add new functions to extract {client,server}_random, master_key
Tor uses these values to implement a low-rent clone of RFC 5705 (which,
in our defense, we came up with before RFC 5705 existed).  But now that
ssl_st is opaque, we need another way to get at them.

Includes documentation, with suitable warnings about not actually
using these functions.

Signed-off-by: Nick Mathewson <nickm@torproject.org>
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-28 16:05:01 +01:00
Nick Mathewson
831eef2cf5 Add SSL_get_client_ciphers() to return ciphers from ClientHello
On the server side, if you want to know which ciphers the client
offered, you had to use session->ciphers.  But that field is no
longer visible, so we need a method to get at it.

Signed-off-by: Nick Mathewson <nickm@torproject.org>
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-28 16:00:23 +01:00
Matt Caswell
fdfe8b06ae Fix typo setting up certificate masks
The certificate masks are used to select which ciphersuite we are going to
use. The variables |emask_k| and |emask_a| relate to export grade key
exchange and authentication respecitively. The variables |mask_k| and
|mask_a| are the equivalent versions for non-export grade. This fixes an
instance where the two usages of export/non-export were mixed up. In
practice it makes little difference since it still works!

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 23:59:33 +01:00
Matt Caswell
e481f9b90b Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 23:10:51 +01:00
Dr. Stephen Henson
4d69f9e69d move masks out of CERT structure
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-19 14:05:29 +01:00
Dr. Stephen Henson
6383d31645 Move certificate validity flags out of CERT.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-18 18:49:13 +01:00
Dr. Stephen Henson
d376e57d68 Move signing digest out of CERT.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-18 18:49:13 +01:00
Dr. Stephen Henson
76106e60a8 CERT tidy
Move per-connection state out of the CERT structure: which should just be
for shared configuration data (e.g. certificates to use).

In particular move temporary premaster secret, raw ciphers, peer signature
algorithms and shared signature algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-18 18:49:13 +01:00
Matt Caswell
d45ba43dab Updates following review comments
Miscellaneous updates following review comments on the version negotiation
rewrite patches.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-16 09:20:52 +01:00
Matt Caswell
32ec41539b Server side version negotiation rewrite
This commit changes the way that we do server side protocol version
negotiation. Previously we had a whole set of code that had an "up front"
state machine dedicated to the negotiating the protocol version. This adds
significant complexity to the state machine. Historically the justification
for doing this was the support of SSLv2 which works quite differently to
SSLv3+. However, we have now removed support for SSLv2 so there is little
reason to maintain this complexity.

The one slight difficulty is that, although we no longer support SSLv2, we
do still support an SSLv3+ ClientHello in an SSLv2 backward compatible
ClientHello format. This is generally only used by legacy clients. This
commit adds support within the SSLv3 code for these legacy format
ClientHellos.

Server side version negotiation now works in much the same was as DTLS,
i.e. we introduce the concept of TLS_ANY_VERSION. If s->version is set to
that then when a ClientHello is received it will work out the most
appropriate version to respond with. Also, SSLv23_method and
SSLv23_server_method have been replaced with TLS_method and
TLS_server_method respectively. The old SSLv23* names still exist as
macros pointing at the new name, although they are deprecated.

Subsequent commits will look at client side version negotiation, as well of
removal of the old s23* code.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-16 09:19:56 +01:00
Matt Caswell
55a9a16f1c Remove Kerberos support from libssl
Remove RFC2712 Kerberos support from libssl. This code and the associated
standard is no longer considered fit-for-purpose.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-13 15:07:57 +01:00
Rich Salz
9a555706a3 Make COMP_CTX and COMP_METHOD opaque
Since COMP_METHOD is now defined in comp_lcl.h, it is no
longer possible to create new TLS compression methods without
using the OpenSSL source.  Only ZLIB is supported by default.
Also, since the types are opaque, #ifdef guards to use "char *"
instead of the real type aren't necessary.

The changes are actually minor.  Adding missing copyright to some
files makes the diff misleadingly big.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-12 10:24:48 -04:00
Matt Caswell
14def5f537 Check sk_SSL_CIPHER_new_null return value
If sk_SSL_CIPHER_new_null() returns NULL then ssl_bytes_to_cipher_list()
should also return NULL.

Based on an original patch by mrpre <mrpre@163.com>.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-11 11:47:19 +01:00
Rich Salz
16f8d4ebf0 memset, memcpy, sizeof consistency fixes
Just as with the OPENSSL_malloc calls, consistently use sizeof(*ptr)
for memset and memcpy.  Remove needless casts for those functions.
For memset, replace alternative forms of zero with 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-05 22:18:59 -04:00
Rich Salz
b4faea50c3 Use safer sizeof variant in malloc
For a local variable:
        TYPE *p;
Allocations like this are "risky":
        p = OPENSSL_malloc(sizeof(TYPE));
if the type of p changes, and the malloc call isn't updated, you
could get memory corruption.  Instead do this:
        p = OPENSSL_malloc(sizeof(*p));
Also fixed a few memset() calls that I noticed while doing this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-04 15:00:13 -04:00
Rich Salz
25aaa98aa2 free NULL cleanup -- coda
After the finale, the "real" final part. :)  Do a recursive grep with
"-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are
an "if NULL" check that can be removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-01 14:37:16 -04:00
Rich Salz
666964780a Remove goto inside an if(0) block
There were a dozen-plus instances of this construct:
   if (0) { label: ..... }

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-01 14:29:48 -04:00
Rich Salz
efa7dd6444 free NULL cleanup 11
Don't check for NULL before calling free functions. This gets:
        ERR_STATE_free
        ENGINE_free
        DSO_free
        CMAC_CTX_free
        COMP_CTX_free
        CONF_free
        NCONF_free NCONF_free_data _CONF_free_data
        A sk_free use within OBJ_sigid_free
        TS_TST_INFO_free (rest of TS_ API was okay)
        Doc update for UI_free (all uses were fine)
        X509V3_conf_free
        X509V3_section_free
        X509V3_string_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-01 10:15:18 -04:00