A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Fixed by adding consistency check for DTLS fragments.
Thanks to Jüri Aedla for reporting this issue.
(cherry picked from commit 1632ef7448)
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
(cherry picked from commit bc8923b1ec)
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(cherry picked from commit d3152655d5)
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.
This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.
PR#3336
The previous calls to memset() were added to tear_down() when I noticed the
test spuriously failing in opt mode, with different results each time. This
appeared to be because the allocator zeros out memory in debug mode, but not
in opt mode. Since the heartbeat functions silently drop the request on error
without modifying the contents of the write buffer, whatever random contents
were in memory before being reallocated to the write buffer used in the test
would cause nondeterministic test failures in the Heartbleed regression cases.
Adding these calls allowed the test to pass in both debug and opt modes.
Ben Laurie notified me offline that the test was aborting in
debug-ben-debug-64-clang mode, configured with GitConfigure and built with
GitMake. Looking into this, I realized the first memset() call was zeroing out
a reference count used by SSL_free() that was checked in
debug-ben-debug-64-clang mode but not in the normal debug mode.
Removing the memset() calls from tear_down() and adding a memset() for the
write buffer in set_up() addresses the issue and allows the test to
successfully execute in debug, opt, and debug-ben-debug-64-clang modes.
Replace manual ASN.1 decoder with ASN1_get object. This
will decode the tag and length properly and check against
it does not exceed the supplied buffer length.
PR#3335
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
(cherry picked from commit 96db9023b8)
Security callback: selects which parameters are permitted including
sensible defaults based on bits of security.
The "parameters" which can be selected include: ciphersuites,
curves, key sizes, certificate signature algorithms, supported
signature algorithms, DH parameters, SSL/TLS version, session tickets
and compression.
In some cases prohibiting the use of a parameters will mean they are
not advertised to the peer: for example cipher suites and ECC curves.
In other cases it will abort the handshake: e.g DH parameters or the
peer key size.
Documentation to follow...
New function ssl_cipher_disabled.
Check for disabled client ciphers using ssl_cipher_disabled.
New function to return only supported ciphers.
New option to ciphers utility to print only supported ciphers.
Add auto DH parameter support. This is roughly equivalent to the
ECDH auto curve selection but for DH. An application can just call
SSL_CTX_set_auto_dh(ctx, 1);
and appropriate DH parameters will be used based on the size of the
server key.
Unlike ECDH there is no way a peer can indicate the range of DH parameters
it supports. Some peers cannot handle DH keys larger that 1024 bits for
example. In this case if you call:
SSL_CTX_set_auto_dh(ctx, 2);
Only 1024 bit DH parameters will be used.
If the server key is 7680 bits or more in size then 8192 bit DH parameters
will be used: these will be *very* slow.
The old export ciphersuites aren't supported but those are very
insecure anyway.
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.
If errors occur during verification and SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
is set return 2 so applications can issue warnings.
(cherry picked from commit 2dd6976f6d)
Although the memory allocated by compression methods is fixed and
cannot grow over time it can cause warnings in some leak checking
tools. The function SSL_COMP_free_compression_methods() will free
and zero the list of supported compression methods. This should
*only* be called in a single threaded context when an application
is shutting down to avoid interfering with existing contexts
attempting to look up compression methods.
(cherry picked from commit 976c58302b)
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.
Add verify error code when building chain.
Update docs.
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d)
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.
Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.
This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only
This allows to process multiple fragmets of maximum fragment size,
as opposite to chopping maximum-sized fragments to multiple smaller
ones. This approach relies on dynamic allocation of larger buffers,
which we trade for performance improvement, for several *times* in
some situations.
New ctrl sets current certificate based on certain criteria. Currently
two options: set the first valid certificate as current and set the
next valid certificate as current. Using these an application can
iterate over all certificates in an SSL_CTX or SSL structure.
Replace the full ciphersuites with "EDH-" in their labels with "DHE-"
so that all DHE ciphersuites are referred to in the same way.
Leave backward-compatible aliases for the ciphersuites in question so
that configurations which specify these explicitly will continue
working.
This change normalizes the SSL_CK_DHE_ #defines to use the common term
"DHE", while permitting older code that uses the more uncommon "EDH"
constants to compile properly.
DHE is the standard term used by the RFCs and by other TLS
implementations. It's useful to have the internal variables use the
standard terminology.
This patch leaves a synonym SSL_kEDH in place, though, so that older
code can still be built against it, since that has been the
traditional API. SSL_kEDH should probably be deprecated at some
point, though.
other parts of packet tracing emit the standard "DHE" label instead of
"edh". This change brings the output of ssl_print_client_keyex() and
ssl_print_server_keyex() into accordance with the standard term.
The standard terminology in https://tools.ietf.org/html/rfc5426 is
"DHE". "openssl ciphers" outputs "DHE" (for the most part). But
users of the library currently cannot specify "DHE", they must
currently specify "EDH".
This change allows users to specify the common term in cipher suite
strings without breaking backward compatibility.
ECDHE is the standard term used by the RFCs and by other TLS
implementations. It's useful to have the internal variables use the
standard terminology.
This patch leaves a synonym SSL_kEECDH in place, though, so that older
code can still be built against it, since that has been the
traditional API. SSL_kEECDH should probably be deprecated at some
point, though.
other parts of packet tracing emit the standard "ECDHE" label instead
of "EECDH". This change brings the output of ssl_print_client_keyex()
and ssl_print_server_keyex() into accordance with the standard term.
The standard terminology in https://tools.ietf.org/html/rfc4492 is
ECDHE. "openssl ciphers" outputs ECDHE. But users of the library
currently cannot specify ECDHE, they must specify EECDH.
This change allows users to specify the common term in cipher suite
strings without breaking backward compatibility.
