Commit graph

1578 commits

Author SHA1 Message Date
Matt Caswell
604f67f521 Ensure we don't call the OCSP callback if resuming a session
It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 0ac6239955)
2015-12-27 22:05:36 +00:00
Matt Caswell
a7316aace3 Fix error when server does not send CertificateStatus message
If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 905943af3b)
2015-12-27 22:05:36 +00:00
Matt Caswell
583f4bf7e8 Fix more URLs mangled by reformat
Fix some more URLs mangled by indent in the reformat. These ones don't exist
in master so we have a separate commit. Based on a patch supplied by Arnaud
Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:40:39 +00:00
Richard Levitte
e961c7a201 Remove the "eay" c-file-style indicators
Since we don't use the eay style any more, there's no point trying to
tell emacs to use it.

Reviewed-by: Ben Laurie <ben@openssl.org>
2015-12-18 13:13:31 +01:00
Matt Caswell
f612bdb342 Ensure |rwstate| is set correctly on BIO_flush
A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 67f60be8c9)
2015-12-10 12:50:56 +00:00
Matt Caswell
4a53424318 Fix DTLS handshake fragment retries
If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2ad226e88b)
2015-12-10 12:50:55 +00:00
Dr. Stephen Henson
d585cc32a5 typo
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-12-02 21:49:37 +00:00
Richard Levitte
fb35ea28f4 _BSD_SOURCE is deprecated, use _DEFAULT_SOURCE instead
The feature_test_macros(7) manual tells us that _BSD_SOURCE is
deprecated since glibc 2.20 and that the compiler will warn about it
being used, unless _DEFAULT_SOURCE is defined as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f9fd35248c)
2015-12-02 18:49:57 +01:00
Matt Caswell
41d049e1cd Return errors even if the cookie validation has succeeded
In the DTLS ClientHello processing the return value is stored in |ret| which
by default is -1. We wish to return 1 on success or 2 on success *and* we
have validated the DTLS cookie. Previously on successful validation of the
cookie we were setting |ret| to 2. Unfortunately if we later encounter an
error then we can end up returning a successful (positive) return code from
the function because we already set |ret| to a positive value.

This does not appear to have a security consequence because the handshake
just fails at a later point.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-30 10:51:43 +00:00
Pascal Cuoq
784934498f ssl3_free(): Return if it wasn't created
If somewhere in SSL_new() there is a memory allocation failure, ssl3_free() can
get called with s->s3 still being NULL.

Patch also provided by Willy Tarreau <wtarreau@haproxy.com>

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit 3e7bd2ce0b16f8611298175d6dc7cb35ee06ea6d)
2015-11-24 21:56:39 +01:00
Kurt Roeckx
0b5f9ce37b Set reference count earlier
Backport of 0e04674e96

Reviewed-by: Steve Henson <steve@openssl.org>

RT #4047, #4110, MR #1356
2015-11-24 21:53:40 +01:00
Matt Caswell
a5184a6c89 Ensure all EVP calls have their returns checked where appropriate
There are lots of calls to EVP functions from within libssl. There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 56d9134675)

Conflicts:
	ssl/s3_enc.c
	ssl/s3_srvr.c
2015-11-20 15:56:42 +00:00
Matt Caswell
78b9d13474 Stop DTLS servers asking for unsafe legacy renegotiation
If a DTLS client that does not support secure renegotiation connects to an
OpenSSL DTLS server then, by default, renegotiation is disabled. If a
server application attempts to initiate a renegotiation then OpenSSL is
supposed to prevent this. However due to a discrepancy between the TLS and
DTLS code, the server sends a HelloRequest anyway in DTLS.

This is not a security concern because the handshake will still fail later
in the process when the client responds with a ClientHello.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d40ec4ab8e)
2015-11-10 19:27:25 +00:00
Matt Caswell
e83009840a Only call ssl3_init_finished_mac once for DTLS
In DTLS if an IO retry occurs during writing of a fragmented ClientHello
then we can end up resetting the finish mac variables on the retry, which
causes a handshake failure. We should only reset on the first attempt not
on retries.

Thanks to BoringSSL for reporting this issue.

RT#4119

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 15a7164eb7)
2015-11-10 18:47:57 +00:00
Matt Caswell
84d0c40f3f Fix missing malloc return value checks
During work on a larger change in master a number of locations were
identified where return value checks were missing. This backports the
relevant fixes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 903738ac63)

Conflicts:
	crypto/cms/cms_sd.c
2015-11-09 23:00:37 +00:00
Alessandro Ghedini
200c8ed4f5 Remove useless code
RT#4081

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 070c23325a)
2015-10-23 20:47:53 +02:00
Alessandro Ghedini
edd0f5c201 Fix references to various RFCs
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 3240e7cf5f)
2015-10-23 20:43:09 +02:00
Alessandro Ghedini
71d5679cd3 Fix memory leaks and other mistakes on errors
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 3f6c769187)
2015-10-23 20:38:52 +02:00
Matt Caswell
f141376ae2 Change functions to pass in a limit rather than calculate it
Some extension handling functions were passing in a pointer to the start
of the data, plus the length in order to calculate the end, rather than
just passing in the end to start with. This change makes things a little
more readable.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	ssl/s3_srvr.c
	ssl/ssl_locl.h
	ssl/t1_lib.c
2015-10-05 19:52:38 +01:00
Alessandro Ghedini
e4840c88c5 Validate ClientHello extension field length
RT#4069

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:48:28 +01:00
Emilia Kasper
64ec479559 RT2772: accept empty SessionTicket
RFC 5077 section 3.3 says: If the server determines that it does not
want to include a ticket after it has included the SessionTicket
extension in the ServerHello, then it sends a zero-length ticket in the
NewSessionTicket handshake message.

Previously the client would fail upon attempting to allocate a
zero-length buffer. Now, we have the client ignore the empty ticket and
keep the existing session.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 21b538d616)
2015-09-28 16:13:45 +02:00
Dr. Stephen Henson
2bc914eb29 Handle SSL_ERROR_WANT_X509_LOOKUP
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f1c412c9e6)
2015-09-20 14:22:52 +01:00
Ivo Raisr
f95d1af064 Make no-psk compile without warnings.
PR#4035

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 929f6d6f55)
2015-09-16 18:12:04 +01:00
Rich Salz
12650153ec RT4044: Remove .cvsignore files.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3be39dc1e3)
2015-09-15 12:00:18 -04:00
Matt Caswell
dd642deea8 Fix session resumption
Commit f0348c842e introduced a problem with session resumption. The
version for the session is fixed when the session is created. By moving
the creation of the session earlier in the process the version is fixed
*before* version negotiation has completed when processing the ServerHello
on the client side. This fix updates the session version after version neg
has completed.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit dc0c888811)
2015-09-02 00:31:33 +01:00
Matt Caswell
927f7a8703 Fix building with OPENSSL_NO_TLSEXT.
Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the
issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code
consistency. However this commit will not fix no-tlsext in those branches
which have always been broken for other reasons. The commit is not applied
to master at all, because no-tlsext has been completely removed from that
branch.

Based on a patch by Marc Branchaud <marcnarc@xiplink.com>

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9a931208d7)
2015-09-02 00:07:24 +01:00
Matt Caswell
be8b8603d6 Fix DTLS session ticket renewal
A DTLS client will abort a handshake if the server attempts to renew the
session ticket. This is caused by a state machine discrepancy between DTLS
and TLS discovered during the state machine rewrite work.

The bug can be demonstrated as follows:

Start a DTLS s_server instance:
openssl s_server -dtls

Start a client and obtain a session but no ticket:
openssl s_client -dtls -sess_out session.pem -no_ticket

Now start a client reusing the session, but allow a ticket:
openssl s_client -dtls -sess_in session.pem

The client will abort the handshake.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ee4ffd6fcc)

Conflicts:
	ssl/d1_clnt.c
2015-08-26 10:27:35 +01:00
Matt Caswell
396e300449 Fix "make test" seg fault with SCTP enabled
When config'd with "sctp" running "make test" causes a seg fault. This is
actually due to the way ssltest works - it dives under the covers and frees
up BIOs manually and so some BIOs are NULL when the SCTP code does not
expect it. The simplest fix is just to add some sanity checks to make sure
the BIOs aren't NULL before we use them.

This problem occurs in master and 1.0.2. The fix has also been applied to
1.0.1 to keep the code in sync.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f75d5171be)
2015-08-11 22:27:05 +01:00
Matt Caswell
402634f8aa Fix missing return value checks in SCTP
There are some missing return value checks in the SCTP code. In master this
was causing a compilation failure when config'd with
"--strict-warnings sctp".

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d8e8590ed9)
2015-08-11 22:27:05 +01:00
Guy Leaver (guleaver)
f15c99f4d4 Fix seg fault with 0 p val in SKE
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
value of p set to 0 then a seg fault can occur. This commit adds a test to
reject p, g and pub key parameters that have a 0 value (in accordance with
RFC 5246).

The security vulnerability only affects master and 1.0.2, but the fix is
additionally applied to 1.0.1 for additional confidence.

CVE-2015-1794

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 20:23:00 +01:00
Matt Caswell
728432aed0 Fix SSL_set_session_ticket_ext when used with SSLv23_method
The function SSL_set_session_ticket_ext can be used to set custom session
ticket data passed in the initial ClientHello. This can be particularly
useful for EAP-FAST. However, when using SSLv23_method, the session does
not get created until the ServerHello has been received. The extension code
will only add the SessionTicket data to the ClientHello if a session already
exists. Therefore SSL_set_session_ticket_ext has no impact when used in
conjunction with SSLv23_method. The solution is to simply create the session
during creation of the ClientHello instead of waiting for the ServerHello.

This commit fixes the test failure introduced by the previous commit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-27 16:47:00 +01:00
Matt Caswell
8e75dcf587 Add test for SSL_set_session_ticket_ext
The function SSL_set_session_ticket_ext sets the ticket data to be sent in
the ClientHello. This is useful for EAP-FAST. This commit adds a test to
ensure that when this function is called the expected ticket data actually
appears in the ClientHello.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-27 16:14:02 +01:00
Dr. Stephen Henson
d6be3124f2 Fix PSK handling.
The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Use BUF_strndup when copying identity as it may not be null terminated.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3c66a669df)
2015-07-02 13:04:25 +01:00
Adam Langley
6cbc78906b Allow a zero length extension block
It is valid for an extension block to be present in a ClientHello, but to
be of zero length.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-12 15:45:17 +01:00
Matt Caswell
907f04a303 More ssl_session_dup fixes
Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.

Thanks to LibreSSL project for reporting these issues.

Conflicts:
	ssl/ssl_sess.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-11 10:08:18 +01:00
Kurt Roeckx
f3b355fec3 Only allow a temporary rsa key exchange when the key is larger than 512.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838

(cherry picked from commit 57e477b9ec)
2015-06-11 00:10:24 +02:00
Kurt Roeckx
c4ce10773f Properly check certificate in case of export ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838

(cherry picked from commit 39a298a1c0)
2015-06-11 00:10:02 +02:00
Matt Caswell
d46de4ce48 DTLS handshake message fragments mustn't span packets
It should not be possible for DTLS message fragments to span multiple
packets. However previously if the message header fitted exactly into one
packet, and the fragment body was in the next packet then this would work.
Obviously this would fail if packets get re-ordered mid-flight.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-10 12:12:57 +01:00
Matt Caswell
72df35acf2 Tighten extension handling
This adds additional checks to the processing of extensions in a ClientHello
to ensure that either no extensions are present, or if they are then they
take up the exact amount of space expected.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	ssl/t1_lib.c
2015-06-10 10:32:05 +01:00
Matt Caswell
106a9a5d7e Fix Kerberos issue in ssl_session_dup
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for
Kerberos.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit dcad51bc13)
2015-06-10 10:02:16 +01:00
Emilia Kasper
ba5693686e Use CRYPTO_memcmp in s3_cbc.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 05627d57e5)
2015-06-08 15:05:08 +02:00
Matt Caswell
c22ed559bb Remove misleading comment
Remove a comment that suggested further clean up was required.
DH_free() performs the necessary cleanup.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f3d889523e)
2015-06-04 12:56:13 +01:00
Matt Caswell
4b6f33a5c2 Clean premaster_secret for GOST
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b7ee4815f2)

Conflicts:
	ssl/s3_srvr.c
2015-06-04 12:56:13 +01:00
Matt Caswell
c36d3840ff Clean Kerberos pre-master secret
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4e3dbe37ca)
2015-06-04 12:42:51 +01:00
Matt Caswell
939b496027 Fix race condition in NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

CVE-2015-1791

This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.

Parts of this patch were inspired by this Akamai change:
c0bf69a791

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27c76b9b80)

Conflicts:
	ssl/ssl.h
	ssl/ssl_err.c
2015-06-02 12:44:40 +01:00
Matt Caswell
cce3e4adb7 Clear state in DTLSv1_listen
This is a backport of commit e83ee04bb7 from
the master branch (and this has also been applied to 1.0.2). In 1.0.2 this
was CVE-2015-0207. For other branches there is no known security issue, but
this is being backported as a precautionary measure.

The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invocation to the
next.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-02 09:12:39 +01:00
Matt Caswell
f3e85f4359 Check the message type requested is the type received in DTLS
dtls1_get_message has an |mt| variable which is the type of the message that
is being requested. If it is negative then any message type is allowed.
However the value of |mt| is not checked in one of the main code paths, so a
peer can send a message of a completely different type and it will be
processed as if it was the message type that we were expecting. This has
very little practical consequences because the current behaviour will still
fail when the format of the message isn't as expected.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c2b1d872b)
2015-06-01 00:33:22 +01:00
Emilia Kasper
1ee85aab75 Fix ssltest to use 1024-bit DHE parameters
Also add more ciphersuite test coverage, and a negative test for
512-bit DHE.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-26 12:41:51 +02:00
Matt Caswell
029e8f3ac9 Don't check for a negative SRP extension size
The size of the SRP extension can never be negative (the variable
|size| is unsigned). Therefore don't check if it is less than zero.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 9c89d29083)
2015-05-26 10:42:10 +01:00
Matt Caswell
75077a2277 Don't send an alert if we've just received one
If the record received is for a version that we don't support, previously we
were sending an alert back. However if the incoming record already looks
like an alert then probably we shouldn't do that. So suppress an outgoing
alert if it looks like we've got one incoming.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-25 23:11:02 +01:00