Commit Graph

617 Commits

Author SHA1 Message Date
Matt Caswell
70af3d8ed7 Avoid repeatedly scanning the list of extensions
Because extensions were keyed by type which is sparse, we were continually
scanning the list to find the one we wanted. The way we stored them also
had the side effect that we were running initialisers/finalisers in a
different oder to the parsers. In this commit we change things so that we
instead key on an index value for each extension.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:56 +00:00
Matt Caswell
24b8e4b2c8 Simplify ClientHello extension parsing
Remove some functions that are no longer needed now that we have the new
extension framework.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:51 +00:00
Matt Caswell
ab83e31414 Move client construction of ClientHello extensions into new framework
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:30 +00:00
Matt Caswell
6dd083fd68 Move client parsing of ServerHello extensions into new framework
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:25 +00:00
Matt Caswell
7da160b0f4 Move ServerHello extension construction into the new extensions framework
This lays the foundation for a later move to have the extensions built and
placed into the correct message for TLSv1.3 (e.g. ServerHello or
EncryptedExtensions).

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:12 +00:00
Matt Caswell
6b473acabd Refactor ClientHello extension parsing
This builds on the work started in 1ab3836b3 and extends is so that
each extension has its own identified parsing functions, as well as an
allowed context identifying which messages and protocols it is relevant for.
Subsequent commits will do a similar job for the ServerHello extensions.
This will enable us to have common functions for processing extension blocks
no matter which of the multiple messages they are received from. In TLSv1.3
a number of different messages have extension blocks, and some extensions
have moved from one message to another when compared to TLSv1.2.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:17:45 +00:00
Matt Caswell
bebc0c7d85 Use the TLSv1.3 nonce construction
This updates the record layer to use the TLSv1.3 style nonce construciton.
It also updates TLSProxy and ossltest to be able to recognise the new
layout.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-29 23:31:10 +00:00
Matt Caswell
7acb8b64c3 Use ClientHello.legacy_version for the RSA pre-master no matter what
Don't use what is in supported_versions for the RSA pre-master

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-11-23 17:01:33 +00:00
Matt Caswell
c805f6189e Fix SSL_IS_TLS13(s)
The SSL_IS_TLS13() macro wasn't quite right. It would come back with true
in the case where we haven't yet negotiated TLSv1.3, but it could be
negotiated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:22 +00:00
Matt Caswell
6484776f17 Create the Finished message payload
The previous commit had a dummy payload for the Finished data. This commit
fills it in with a real value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
92760c21e6 Update state machine to be closer to TLS1.3
This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and bit more like TLSv1.3.

After this commit we have:

ClientHello
+ key_share          ---->
                           ServerHello
                           +key_share
                           {CertificateRequest*}
                           {Certificate*}
                           {CertificateStatus*}
                     <---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished}           ---->
[ApplicationData]    <---> [Application Data]

Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
0d9824c171 Implement tls13_change_cipher_state()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Kurt Roeckx
2f545ae45d Add support for reference counting using C11 atomics
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1500
2016-11-17 22:02:25 +01:00
Matt Caswell
0f1e51ea11 Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Matt Caswell
bcec335856 Add key_share info to the ServerHello
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Richard Levitte
e72040c1dc Remove heartbeat support
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-13 16:24:02 -05:00
Matt Caswell
de4d764e32 Rename the Elliptic Curves extension to supported_groups
This is a skin deep change, which simply renames most places where we talk
about curves in a TLS context to groups. This is because TLS1.3 has renamed
the extension, and it can now include DH groups too. We still only support
curves, but this rename should pave the way for a future extension for DH
groups.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 15:05:36 +00:00
Matt Caswell
f2342b7ac3 Address some supported_versions review comments
Added some TODOs, refactored a couple of things and added a SSL_IS_TLS13()
macro.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:09 +00:00
Matt Caswell
cd99883755 Add server side support for supported_versions extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:08 +00:00
Matt Caswell
34574f193b Add support for TLS1.3 secret generation
Nothing is using this yet, it just adds the underlying functions necesary
for generating the TLS1.3 secrets.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 14:08:14 +00:00
Matt Caswell
902aca09f3 Make some CLIENTHELLO_MSG function arguments const
There were a few places where they could be declared const so this commit
does that.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
df7ce507fc Rename clienthello.version to clienthello.legacy_version
For consistency with the TLSv1.3 spec.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:30 +00:00
Matt Caswell
6f8db4e669 Use an explicit name for the struct for definition of RAW_EXTENSION
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:29 +00:00
Matt Caswell
1ab3836b3b Refactor ClientHello processing so that extensions get parsed earlier
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 09:10:29 +00:00
Matt Caswell
54105ddd23 Rename all "read" variables with "readbytes"
Travis is reporting one file at a time shadowed variable warnings where
"read" has been used. This attempts to go through all of libssl and replace
"read" with "readbytes" to fix all the problems in one go.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
8b0e934afb Fix some missed size_t updates
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
d736bc1a7d Update misc function params in libssl for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
6db6bc5a8f Convert some libssl local functions to size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
cb150cbcac Update cookie_len for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
12472b4561 Update numerous misc libssl fields to be size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
ec60ccc1c1 Convert session_id_length and sid_ctx_len to size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
8c1a534305 Convert master_secret_size code to size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
b43d1cbb9a Convert various mac_secret_size usage to size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
d0e7c31db0 Convert ssl3_cbc_digest_record for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
72716e79bf Convert some misc record layer functions for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
7ee8627f6e Convert libssl writing for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
eda757514e Further libssl size_t-ify of reading
Writing still to be done

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
David Woodhouse
045bd04706 Add DTLS_get_data_mtu() function
We add ssl_cipher_get_overhead() as an internal function, to avoid
having too much ciphersuite-specific knowledge in DTLS_get_data_mtu()
itself. It's going to need adjustment for TLSv1.3... but then again, so
is fairly much *all* of the SSL_CIPHER handling. This bit is in the noise.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-11-02 14:00:10 +00:00
Matt Caswell
582a17d662 Add the SSL_METHOD for TLSv1.3 and all other base changes required
Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-02 13:08:21 +00:00
Matt Caswell
4a01c59f36 Harmonise setting the header and closing construction
Ensure all message types work the same way including CCS so that the state
machine doesn't need to know about special cases. Put all the special logic
into ssl_set_handshake_header() and ssl_close_construct_packet().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-03 16:25:48 +01:00
Matt Caswell
7cea05dcc7 Move init of the WPACKET into write_state_machine()
Instead of initialising, finishing and cleaning up the WPACKET in every
message construction function, we should do it once in
write_state_machine().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-03 16:25:48 +01:00
Matt Caswell
a29fa98ceb Rename ssl_set_handshake_header2()
ssl_set_handshake_header2() was only ever a temporary name while we had
to have ssl_set_handshake_header() for code that hadn't been converted to
WPACKET yet. No code remains that needed that so we can rename it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
e2726ce64d Remove ssl_set_handshake_header()
Remove the old ssl_set_handshake_header() implementations. Later we will
rename ssl_set_handshake_header2() to ssl_set_handshake_header().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
42cde22f48 Remove the tls12_get_sigandhash_old() function
This is no longer needed now that all messages use WPACKET

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-02 20:25:57 +01:00
Matt Caswell
ac8cc3efb2 Remove tls12_copy_sigalgs_old()
This was a temporary function needed during the conversion to WPACKET. All
callers have now been converted to the new way of doing this so this
function is no longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 14:52:55 +01:00
Matt Caswell
28ff8ef3f7 Convert CertificateRequest construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 14:52:55 +01:00
Matt Caswell
150e298551 Delete some unneeded code
Some functions were being called from both code that used WPACKETs and code
that did not. Now that more code has been converted to use WPACKETs some of
that duplication can be removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 10:06:46 +01:00
Matt Caswell
8157d44b62 Convert ServerHello construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 10:06:46 +01:00
Matt Caswell
c536b6be1a Convert HelloVerifyRequest construction to WPACKET
We actually construct a HelloVerifyRequest in two places with common code
pulled into a single function. This one commit handles both places.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-22 23:12:38 +01:00
Matt Caswell
c49e191230 Convert Certificate message construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-20 10:16:56 +01:00
Matt Caswell
6400f33818 Convert ClientVerify Construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-20 10:16:56 +01:00
Matt Caswell
0217dd19c0 Move from explicit sub-packets to implicit ones
No need to declare an explicit sub-packet. Just start one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
ae2f7b37da Rename PACKETW to WPACKET
To avoid confusion with the read PACKET structure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
2c7b4dbc1a Convert tls_construct_client_hello() to use PACKETW
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 09:41:21 +01:00
Matt Caswell
f5c7f5dfba Fix DTLS buffered message DoS attack
DTLS can handle out of order record delivery. Additionally since
handshake messages can be bigger than will fit into a single packet, the
messages can be fragmented across multiple records (as with normal TLS).
That means that the messages can arrive mixed up, and we have to
reassemble them. We keep a queue of buffered messages that are "from the
future", i.e. messages we're not ready to deal with yet but have arrived
early. The messages held there may not be full yet - they could be one
or more fragments that are still in the process of being reassembled.

The code assumes that we will eventually complete the reassembly and
when that occurs the complete message is removed from the queue at the
point that we need to use it.

However, DTLS is also tolerant of packet loss. To get around that DTLS
messages can be retransmitted. If we receive a full (non-fragmented)
message from the peer after previously having received a fragment of
that message, then we ignore the message in the queue and just use the
non-fragmented version. At that point the queued message will never get
removed.

Additionally the peer could send "future" messages that we never get to
in order to complete the handshake. Each message has a sequence number
(starting from 0). We will accept a message fragment for the current
message sequence number, or for any sequence up to 10 into the future.
However if the Finished message has a sequence number of 2, anything
greater than that in the queue is just left there.

So, in those two ways we can end up with "orphaned" data in the queue
that will never get removed - except when the connection is closed. At
that point all the queues are flushed.

An attacker could seek to exploit this by filling up the queues with
lots of large messages that are never going to be used in order to
attempt a DoS by memory exhaustion.

I will assume that we are only concerned with servers here. It does not
seem reasonable to be concerned about a memory exhaustion attack on a
client. They are unlikely to process enough connections for this to be
an issue.

A "long" handshake with many messages might be 5 messages long (in the
incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
CertificateVerify, Finished. So this would be message sequence numbers 0
to 4. Additionally we can buffer up to 10 messages in the future.
Therefore the maximum number of messages that an attacker could send
that could get orphaned would typically be 15.

The maximum size that a DTLS message is allowed to be is defined by
max_cert_list, which by default is 100k. Therefore the maximum amount of
"orphaned" memory per connection is 1500k.

Message sequence numbers get reset after the Finished message, so
renegotiation will not extend the maximum number of messages that can be
orphaned per connection.

As noted above, the queues do get cleared when the connection is closed.
Therefore in order to mount an effective attack, an attacker would have
to open many simultaneous connections.

Issue reported by Quan Luo.

CVE-2016-2179

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 10:53:55 +01:00
Emilia Kasper
a230b26e09 Indent ssl/
Run util/openssl-format-source on ssl/

Some comments and hand-formatted tables were fixed up
manually by disabling auto-formatting.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 14:02:29 +02:00
Dr. Stephen Henson
2e5ead831b Constify ssl_cert_type()
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 15:49:44 +01:00
Dr. Stephen Henson
8900f3e398 Convert X509* functions to use const getters
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 13:59:04 +01:00
David Woodhouse
31c34a3e2f Fix satsub64be() to unconditionally use 64-bit integers
Now we support (u)int64_t this can be very much simpler.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-16 10:24:57 +01:00
Dr. Stephen Henson
0a699a0723 Fix no-ec
Fix no-ec builds by having separate functions to create keys based on
an existing EVP_PKEY and a curve id.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-15 14:07:33 +01:00
Dr. Stephen Henson
ec24630ae2 Modify TLS support for new X25519 API.
When handling ECDH check to see if the curve is "custom" (X25519 is
currently the only curve of this type) and instead of setting a curve
NID just allocate a key of appropriate type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-13 14:11:05 +01:00
klemens
6025001707 spelling fixes, just comments and readme.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413)
2016-08-05 19:07:30 -04:00
David Woodhouse
032924c4b4 Make DTLS1_BAD_VER work with DTLS_client_method()
DTLSv1_client_method() is deprecated, but it was the only way to obtain
DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with
DTLS_client_method(), and it's relatively non-trivial to make it work without
expanding the hack into lots of places.

So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make
it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:24 +01:00
David Woodhouse
ff4952896e Fix DTLS_VERSION_xx() comparison macros for DTLS1_BAD_VER
DTLS version numbers are strange and backwards, except DTLS1_BAD_VER so
we have to make a special case for it.

This does leave us with a set of macros which will evaluate their arguments
more than once, but it's not a public-facing API and it's not like this is
the kind of thing where people will be using DTLS_VERSION_LE(x++, y) anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:23 +01:00
Emilia Kasper
70c22888c1 Fix two bugs in clienthello processing
- Always process ALPN (previously there was an early return in the
  certificate status handling)
- Don't send a duplicate alert. Previously, both
  ssl_check_clienthello_tlsext_late and its caller would send an
  alert. Consolidate alert sending code in the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-19 14:18:03 +02:00
Matt Caswell
d4450e4bb9 Fix bug with s2n et al macros
The parameters should have parens around them when used.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-18 23:05:14 +01:00
Dr. Stephen Henson
d166ed8c11 check return values for EVP_Digest*() APIs
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-15 14:09:05 +01:00
Matt Caswell
2c4a056f59 Handle a memory allocation failure in ssl3_init_finished_mac()
The ssl3_init_finished_mac() function can fail, in which case we need to
propagate the error up through the stack.

RT#3198

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 20:29:04 +01:00
Dr. Stephen Henson
77ab2b0193 remove encrypt then mac ifdefs
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-23 19:15:20 +01:00
Matt Caswell
464175692f Simplify SSL BIO buffering logic
The write BIO for handshake messages is bufferred so that we only write
out to the network when we have a complete flight. There was some
complexity in the buffering logic so that we switched buffering on and
off at various points through out the handshake. The only real reason to
do this was historically it complicated the state machine when you wanted
to flush because you had to traverse through the "flush" state (in order
to cope with NBIO). Where we knew up front that there was only going to
be one message in the flight we switched off buffering to avoid that.

In the new state machine there is no longer a need for a flush state so
it is simpler just to have buffering on for the whole handshake. This
also gives us the added benefit that we can simply call flush after every
flight even if it only has one message in it. This means that BIO authors
can implement their own buffering strategies and not have to be aware of
the state of the SSL object (previously they would have to switch off
their own buffering during the handshake because they could not rely on
a flush being received when they really needed to write data out). This
last point addresses GitHub Issue #322.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-20 14:11:11 +01:00
Rich Salz
846e33c729 Copyright consolidation 01/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 14:19:19 -04:00
Kurt Roeckx
d139723b0e session tickets: use more sizeof
Reviewed-by: Matt Caswell <matt@openssl.org>

MR: #2153
2016-05-16 20:43:20 +02:00
TJ Saunders
05df5c2036 Use AES256 for the default encryption algoritm for TLS session tickets
This involves providing more session ticket key data, for both the cipher and
the digest

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>

GH: #515, MR: #2153
2016-05-16 20:43:06 +02:00
jfigus
ba261f718b Propagate tlsext_status_type from SSL_CTX to SSL
To allow OCSP stapling to work with libcurl.

Github PR #200

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-16 14:42:30 +01:00
Andy Polyakov
c21c7830ac IRIX fixes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 08:44:51 +02:00
David Benjamin
f7aa318552 Don't send signature algorithms when client_version is below TLS 1.2.
Per RFC 5246,

    Note: this extension is not meaningful for TLS versions prior to 1.2.
    Clients MUST NOT offer it if they are offering prior versions.
    However, even if clients do offer it, the rules specified in [TLSEXT]
    require servers to ignore extensions they do not understand.

Although second sentence would suggest that there would be no interop
problems in always offering the extension, WebRTC has reported issues
with Bouncy Castle on < TLS 1.2 ClientHellos that still include
signature_algorithms. See also
https://bugs.chromium.org/p/webrtc/issues/detail?id=4223

RT#4390

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-09 17:46:23 +01:00
Matt Caswell
b3599dbb6a Rename int_*() functions to *_int()
There is a preference for suffixes to indicate that a function is internal
rather than prefixes. Note: the suffix is only required to disambiguate
internal functions and public symbols with the same name (but different
case)

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 08:59:03 +01:00
Matt Caswell
342c21cd8b Rename lots of *_intern or *_internal function to int_*
There was a lot of naming inconsistency, so we try and standardise on
one form.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 08:52:34 +01:00
Matt Caswell
03b0e73555 Deprecate SSL_COMP_free_compression_methods() and make it a no-op
SSL_COMP_free_compression_methods() should not be called expicitly - we
should leave auto-deinit to clean this up instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 08:52:33 +01:00
Matt Caswell
f8c3f2b4ed Remove an unused function
The function pqueue_print is not exported and is never called. Therefore
we should delete it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-11 14:31:26 +01:00
Rich Salz
b9aec69ace Add SSL_DANE typedef for consistency.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-04-08 09:30:23 -04:00
Viktor Dukhovni
43341433a8 Suppress CT callback as appropriate
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates.  Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
when the chain is fails verification.

Move and consolidate CT callbacks from libcrypto to libssl.  We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.

Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information.  When printing SCTs, print the
validation status if set and not valid.

Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-07 14:41:34 -04:00
Fedor Indutny
ccae4a1582 Allow different protocol version when trying to reuse a session
We now send the highest supported version by the client, even if the session
uses an older version.

This fixes 2 problems:
- When you try to reuse a session but the other side doesn't reuse it and
  uses a different protocol version the connection will fail.
- When you're trying to reuse a session with an old version you might be
  stuck trying to reuse the old version while both sides support a newer
  version

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

GH: #852, MR: #2452
2016-03-27 23:58:50 +02:00
Kurt Roeckx
88a9614ba3 Check algo_strength using SSL_STRONG_MASK
algo_strength contains 2 parts that need to be checked by their own.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2082
2016-03-22 22:00:12 +01:00
Rich Salz
3c27208fab Remove #error from include files.
Don't have #error statements in header files, but instead wrap
the contents of that file in #ifndef OPENSSL_NO_xxx
This means it is now always safe to include the header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-20 19:48:36 -04:00
Rich Salz
748f254657 Sort cipher-list at runtime.
Reduces #ifdef complexity.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-16 22:21:25 -04:00
Kurt Roeckx
2b8fa1d56c Deprecate the use of version-specific methods
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
2016-03-09 19:45:05 +01:00
Kurt Roeckx
ca3895f0b5 Move disabling of RC4 for DTLS to the cipher list.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
3eb2aff401 Add support for minimum and maximum protocol version supported by a cipher
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
068c358ac3 Add ssl_get_client_min_max_version() function
Adjust ssl_set_client_hello_version to get both the minimum and maximum and then
make ssl_set_client_hello_version use the maximum version.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
7d65007238 Make function to convert version to string
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
e4646a8963 Constify security callbacks
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Alessandro Ghedini
16203f7b71 Convert CRYPTO_LOCK_SSL_* to new multi-threading API
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 18:48:38 -05:00
Todd Short
817cd0d52f GH787: Fix ALPN
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-08 09:03:05 -05:00
Matt Caswell
dad78fb13d Add an ability to set the SSL read buffer size
This capability is required for read pipelining. We will only read in as
many records as will fit in the read buffer (and the network can provide
in one go). The bigger the buffer the more records we can process in
parallel.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Matt Caswell
d102d9df86 Implement write pipeline support in libssl
Use the new pipeline cipher capability to encrypt multiple records being
written out all in one go. Two new SSL/SSL_CTX parameters can be used to
control how this works: max_pipelines and split_send_fragment.

max_pipelines defines the maximum number of pipelines that can ever be used
in one go for a single connection. It must always be less than or equal to
SSL_MAX_PIPELINES (currently defined to be 32). By default only one
pipeline will be used (i.e. normal non-parallel operation).

split_send_fragment defines how data is split up into pipelines. The number
of pipelines used will be determined by the amount of data provided to the
SSL_write call divided by split_send_fragment. For example if
split_send_fragment is set to 2000 and max_pipelines is 4 then:
SSL_write called with 0-2000 bytes == 1 pipeline used
SSL_write called with 2001-4000 bytes == 2 pipelines used
SSL_write called with 4001-6000 bytes == 3 pipelines used
SSL_write_called with 6001+ bytes == 4 pipelines used

split_send_fragment must always be less than or equal to max_send_fragment.
By default it is set to be equal to max_send_fragment. This will mean that
the same number of records will always be created as would have been
created in the non-parallel case, although the data will be apportioned
differently. In the parallel case data will be spread equally between the
pipelines.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Rob Percival
4d482ee24f Lowercase name of SSL_validate_ct as it is an internal function
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-07 14:44:04 -05:00
Emilia Kasper
a556f34220 Rework the default cipherlist.
- Always prefer forward-secure handshakes.
 - Consistently order ECDSA above RSA.
 - Next, always prefer AEADs to non-AEADs, irrespective of strength.
 - Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
 - Prefer TLS v1.2 ciphers to legacy ciphers.
 - Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
   list to reduce ClientHello bloat.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-07 16:53:42 +01:00
Rob Percival
ed29e82ade Adds CT validation to SSL connections
Disabled by default, but can be enabled by setting the
ct_validation_callback on a SSL or SSL_CTX.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:50:10 -05:00
Matt Caswell
ff75a25749 Refactor the async wait fd logic
Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.

Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.

This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-29 12:58:44 +00:00
Dr. Stephen Henson
2cf28d6127 Remove unused parameter in ssl_set_masks().
The ssl_set_masks() function no longer depends on the cipher. This
also means there is no need to set the masks for each cipher in
ssl3_choose_cipher.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-24 02:41:54 +00:00
Rich Salz
a773b52a61 Remove unused parameters from internal functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-22 13:39:44 -05:00
Rich Salz
d63a5e5e7d Remove outdated DEBUG flags.
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
  RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-18 17:14:50 -05:00
Rich Salz
e4ef2e25f1 Remove "experimental" in code and comments, too.
Thanks to Viktor for additional review.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-17 21:12:30 -05:00
Ben Laurie
08934f1ab2 Don't test heartbeats when there aren't any.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-14 10:55:38 +00:00
Viktor Szakats
f0ff328e36 GH675: make ssl3_ciphers static
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-13 13:29:58 -05:00
Dr. Stephen Henson
ce0c1f2bb2 Remove static ECDH support.
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-11 20:54:01 +00:00
Viktor Dukhovni
ce023e77d7 Fix MacOS/X build warnings
Commit 7823d792d0 added DEFINE_LHASH_OF
to a C source file.  DEFINE_LHASH_OF() and DEFINE_STACK_OF() must
be used only in header files to avoid clang warnings for unused
static-inline functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-11 13:53:39 -05:00
Rich Salz
22e3dcb780 Remove TLS heartbeat, disable DTLS heartbeat
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:57:26 -05:00
Todd Short
1c37fd96d8 Add CHACHA20 alias for ciphers.
Update ciphers documentation as well (based on -04 rev of ID).

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

RT: #4206, GH: #642
2016-02-10 20:13:26 +01:00
Dr. Stephen Henson
696178edff Add SSL_get0_verified_chain() to return verified chain of peer
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-06 18:18:28 +00:00
Emilia Kasper
b698174493 constify PACKET
PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-01 16:21:57 +01:00
Rich Salz
94af0cd7f3 Move more BN internals to bn_lcl.h
There was an unused macro in ssl_locl.h that used an internal
type, so I removed it.
Move bio_st from bio.h to ossl_type.h

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-01-30 16:54:35 -05:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Rich Salz
cf2cede4a7 Move pqueue into ssl
This is an internal facility, never documented, not for
public consumption.  Move it into ssl (where it's only used
for DTLS).

I also made the typedef's for pqueue and pitem follow our style: they
name structures, not pointers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-24 18:25:04 -05:00
Rich Salz
3a4e9367d8 RT4232: Extra space in help message.
It turns out that -pause calls the undocumented function SSL_set_debug.
That just sets flag inside the SSL structure.  That flag, despite
the command is never used.  So remove the flag, the field, and the
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:32:18 -05:00
Viktor Dukhovni
4b1fa408b2 STACK_OF(SSL_COMP) is a public type
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 14:16:04 -05:00
Dr. Stephen Henson
89d6aa10a2 Use ossl_inline and DEFINE_LHASH_OF
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:42 +00:00
Dr. Stephen Henson
8588571572 Rename DECLARE*STACK_OF to DEFINE*STACK_OF
Applications wishing to include their own stacks now just need to include

DEFINE_STACK_OF(foo)

in a header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Dr. Stephen Henson
4a640fb6c3 Fix declarations and constification for inline stack.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Viktor Dukhovni
919ba00942 DANE support structures, constructructors and accessors
Also tweak some of the code in demos/bio, to enable interactive
testing of BIO_s_accept's use of SSL_dup.  Changed the sconnect
client to authenticate the server, which now exercises the new
SSL_set1_host() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-05 19:31:49 -05:00
Viktor Dukhovni
4fa52141b0 Protocol version selection and negotiation rewrite
The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-02 10:49:06 -05:00
Kurt Roeckx
7946ab33ce Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-02 10:47:52 -05:00
Dr. Stephen Henson
b22d71131a fix no-ec
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-24 00:23:29 +00:00
Dr. Stephen Henson
e2b420fdd7 Server side EVP_PKEY DH support
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
6c4e6670d7 utility function
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
fb79abe378 EVP_PKEY DH client support.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Kurt Roeckx
1c9ed1d8a7 Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and SSL_OP_TLS_D5_BUG support.
Suggested by David Benjamin

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>

MR: #1520
2015-12-23 20:40:54 +01:00
Dr. Stephen Henson
bc71f91064 Remove fixed DH ciphersuites.
Remove all fixed DH ciphersuites and associated logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-19 16:14:51 +00:00
Dr. Stephen Henson
61dd9f7a22 Use EVP_PKEY for client side EC.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
880d9d8609 Use EVP_PKEY for server EC.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
3f3504bdaf Add ECDH/DH utility functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Andy Polyakov
a76ba82ccb Wire ChaCha20-Poly1305 to TLS.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-10 12:05:30 +01:00
Dr. Stephen Henson
e7f0d9210c Extended master secret fixes and checks.
Add new flag TLS1_FLAGS_RECEIVED_EXTMS which is set when the peer sends
the extended master secret extension.

Server now sends extms if and only if the client sent extms.

Check consistency of extms extension when resuming sessions following (where
practical) RFC7627.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-08 16:32:39 +00:00
Kurt Roeckx
361a119127 Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
2015-12-05 17:45:59 +01:00
Kurt Roeckx
fe6ef2472d Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:30:36 +01:00
Kurt Roeckx
6977e8ee4a Make SSL_{CTX}_set_tmp_ecdh() call SSL_{CTX_}set1_curves()
SSL_{CTX}_set_tmp_ecdh() allows to set 1 EC curve and then tries to use it.  On
the other hand SSL_{CTX_}set1_curves() allows you to set a list of curves, but
only when SSL_{CTX_}set_ecdh_auto() was called to turn it on.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:25:11 +01:00
Kurt Roeckx
6f78b9e824 Remove support for SSL_{CTX_}set_tmp_ecdh_callback().
This only gets used to set a specific curve without actually checking that the
peer supports it or not and can therefor result in handshake failures that can
be avoided by selecting a different cipher.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:22:31 +01:00
Dr. Stephen Henson
7afd231275 Use digest indices for signature algorithms.
Don't hard code EVP_sha* etc for signature algorithms: use table
indices instead. Add SHA224 and SHA512 to tables.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-30 03:49:35 +00:00
Dr. Stephen Henson
152fbc28e8 Use digest tables for defaults.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-11-30 00:32:57 +00:00
Dr. Stephen Henson
28ba2541f9 PRF and handshake hash revision.
Change handshake hash array into a single digest context simplifying the
handhake hash code. Use EVP_md5_sha1() if needed for handshake hashes in
TLS 1.1 and earlier.

Simplify PRF code to also use a single digest and treat EVP_md5_sha1()
as a special case.

Modify algorithm2 field of ciphers to use a single index value for handshake
hash and PRF instead of a bitmap.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-27 19:04:14 +00:00
Dr. Stephen Henson
6938c954b0 Remove unused cert_verify_mac code
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-25 18:22:12 +00:00
Dr. Stephen Henson
a0f63828e3 Use EVP_md5_sha1() to generate client verify
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-24 19:18:44 +00:00
Dmitry Belyavsky
e44380a990 Patch containing TLS implementation for GOST 2012
This patch contains the necessary changes to provide GOST 2012
ciphersuites in TLS. It requires the use of an external GOST 2012 engine.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-23 16:09:42 +00:00
Matt Caswell
07bbc92ccb Make libssl async aware
The following entry points have been made async aware:
SSL_accept
SSL_read
SSL_write

Also added is a new mode - SSL_MODE_ASYNC. Calling the above functions with
the async mode enabled will initiate a new async job. If an async pause is
encountered whilst executing the job (such as for example if using SHA1/RSA
with the Dummy Async engine), then the above functions return with
SSL_WANT_ASYNC. Calling the functions again (with exactly the same args
as per non-blocking IO), will resume the job where it left off.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:31:42 +00:00
Matt Caswell
5f3d93e4a3 Ensure all EVP calls have their returns checked where appropriate
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-20 15:47:02 +00:00
Dr. Stephen Henson
2b573382f8 Don't alow TLS v1.0 ciphersuites for SSLv3
This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.

Thanks to the Open Crypto Audit Project for identifying this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-14 00:06:32 +00:00
Matt Caswell
a974e64aaa Fix SSL_use_certificate_chain_file
The new function SSL_use_certificate_chain_file was always crashing in
the internal function use_certificate_chain_file because it would pass a
NULL value for SSL_CTX *, but use_certificate_chain_file would
unconditionally try to dereference it.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-11-10 23:02:44 +00:00
Dr. Stephen Henson
36e79832d3 Replace L suffix with U
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-08 14:03:50 +00:00
Dr. Stephen Henson
90d9e49a4b Use uint32_t and int32_t for SSL_CIPHER structure.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-08 14:03:50 +00:00
Matt Caswell
87d9cafa33 Remove some SSLv2 references
There were a few remaining references to SSLv2 support which are no longer
relevant now that it has been removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 09:17:22 +00:00
Matt Caswell
3616bb6358 Make dtls1_link_min_mtu static
The function dtls1_link_min_mtu() was only used within d1_lib.c so make
it static.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
024f543c15 Move in_handshake into STATEM
The SSL variable |in_handshake| seems misplaced. It would be better to have
it in the STATEM structure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
d6f1a6e931 Rename STATEM to OSSL_STATEM
Add an OSSL_ prefix onto STATEM

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
a71a4966a3 Move |no_cert_verify| into state machine
The |no_cert_verify| should be in the state machine structure not in SSL

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
9d671ad1cf Remove some unused variables
The next_state variable is no longer needed in the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
61ae935a98 More state machine reorg
Move some function definitions around within the state machine to make sure
they are in the correct files. Also create a statem_locl.h header for stuff
entirely local to the state machine code and move various definitions into
it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
8ba708e516 Reorganise state machine files
Pull out the state machine into a separate sub directory. Also moved some
functions which were nothing to do with the state machine but were in state
machine files. Pulled all the SSL_METHOD definitions into one place...most
of those files had very little left in them any more.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
1aeaa7ec06 Remove ssl_get_message from ssl_method_st
ssl_get_message is no longer used so it should be removed from
ssl_method_st

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
73999b62a2 Move PACKET creation into the state machine
Previously each message specific process function would create its own
PACKET structure. Rather than duplicate all of this code lots of times we
should create it in the state machine itself.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
0131df49ee Remove the SSL state variable
The SSL structure contained a "state" variable that kept track of the state
machine in the old code. The new state machine does not use this so it can
be removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
23a635c0ec Remove the type variable
The SSL structure contained a "type" variable that was set to either
SSL_ST_ACCEPT or SSL_ST_CONNECT depending on whether we are the server or
the client. This duplicates the capability of the "server" variable and was
actually rarely used.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
49ae742398 Remove redundant code
Clean up and remove lots of code that is now no longer needed due to the
move to the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
c130dd8ea4 Move server side DTLS to new state machine
Implement all of the necessary changes to make DTLS on the server work
with the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
e27f234a41 Split TLS server functions
Split the TLS server ssl3_get_* and ssl3_send_* functions into two ready
for the migration to the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
4e3458a565 Delete unused functions
Remove all the functions and dead code that is now no longer required as
a result of the DTLS client move into the new state machine code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
473483d42d Implement DTLS client move to new state machine
Move all DTLS client side processing into the new state machine code. A
subsequent commit will clean up the old dead code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
76af303761 dtls_get_message changes for state machine move
Create a dtls_get_message function similar to the old dtls1_get_message but
in the format required for the new state machine code. The old function will
eventually be deleted in later commits.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
8723588e1b Implement Client TLS state machine
This swaps the implementation of the client TLS state machine to use the
new state machine code instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
b9908bf9b8 Split client message reading and writing functions
The new state machine code will split up the reading and writing of
hanshake messages into discrete phases. In order to facilitate that the
existing "get" type functions will be split into two halves: one to get
the message and one to process it. The "send" type functions will also have
all work relating to constructing the message split out into a separate
function just for that. For some functions there will also be separate
pre and post "work" phases to prepare or update state.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:32:44 +00:00
Matt Caswell
f8e0a55738 Add initial state machine rewrite code
This is the first drop of the new state machine code.

The rewrite has the following objectives:
- Remove duplication of state code between client and server
- Remove duplication of state code between TLS and DTLS
- Simplify transitions and bring the logic together in a single location
  so that it is easier to validate
- Remove duplication of code between each of the message handling functions
- Receive a message first and then work out whether that is a valid
  transition - not the other way around (the other way causes lots of issues
  where we are expecting one type of message next but actually get something
  else)
- Separate message flow state from handshake state (in order to better
  understand each)
  - message flow state = when to flush buffers; handling restarts in the
    event of NBIO events; handling the common flow of steps for reading a
    message and the common flow of steps for writing a message etc
  - handshake state = what handshake message are we working on now
- Control complexity: only the state machine can change state: keep all
  the state changes local to a file

This builds on previous state machine related work:
- Surface CCS processing in the state machine
- Version negotiation rewrite

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Matt Caswell
9ab930b27d Split ssl3_get_message
The function ssl3_get_message gets a whole message from the underlying bio
and returns it to the state machine code. The new state machine code will
split this into two discrete steps: get the message header and get the
message body. This commit splits the existing function into these two
sub steps to facilitate the state machine implementation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:27:59 +00:00
Emilia Kasper
3101154481 DTLS: remove unused cookie field
Note that this commit constifies a user callback parameter and therefore
will break compilation for applications using this callback. But unless
they are abusing write access to the buffer, the fix is trivial.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-09 15:32:35 +02:00
Emilia Kasper
b3e2272c59 ssl3_get_client_hello: rearrange logic
Move all packet parsing to the beginning of the method. This limits the
SSLv2 compatibility soup to the parsing, and makes the rest of the
processing uniform.

This is also needed for simpler EMS support: EMS servers need to do an
early scan for EMS to make resumption decisions. This'll be easier when
the entire ClientHello is parsed in the beginning.

As a side effect,
1) PACKETize ssl_get_prev_session and tls1_process_ticket; and
2) Delete dead code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:03:52 +02:00
Matt Caswell
c84f7f4a74 Change the DEFAULT ciphersuites to exclude DES, RC4 and RC2
This patch updates the "DEFAULT" cipherstring to be
"ALL:!COMPLEMENTOFDEFAULT:!eNULL". COMPLEMENTOFDEFAULT is now defined
internally by a flag on each ciphersuite indicating whether it should be
excluded from DEFAULT or not. This gives us control at an individual
ciphersuite level as to exactly what is in DEFAULT and what is not.

Finally all DES, RC4 and RC2 ciphersuites are added to COMPLEMENTOFDEFAULT
and hence removed from DEFAULT.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-30 19:15:06 +01:00
Matt Caswell
912c89c529 Remove remaining old listen code
The old implementation of DTLSv1_listen which has now been replaced still
had a few vestiges scattered throughout the code. This commit removes them.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Matt Caswell
e3d0dae7cf DTLSv1_listen rewrite
The existing implementation of DTLSv1_listen() is fundamentally flawed. This
function is used in DTLS solutions to listen for new incoming connections
from DTLS clients. A client will send an initial ClientHello. The server
will respond with a HelloVerifyRequest containing a unique cookie. The
client the responds with a second ClientHello - which this time contains the
cookie.

Once the cookie has been verified then DTLSv1_listen() returns to user code,
which is typically expected to continue the handshake with a call to (for
example) SSL_accept().

Whilst listening for incoming ClientHellos, the underlying BIO is usually in
an unconnected state. Therefore ClientHellos can come in from *any* peer.
The arrival of the first ClientHello without the cookie, and the second one
with it, could be interspersed with other intervening messages from
different clients.

The whole purpose of this mechanism is as a defence against DoS attacks. The
idea is to avoid allocating state on the server until the client has
verified that it is capable of receiving messages at the address it claims
to come from. However the existing DTLSv1_listen() implementation completely
fails to do this. It attempts to super-impose itself on the standard state
machine and reuses all of this code. However the standard state machine
expects to operate in a stateful manner with a single client, and this can
cause various problems.

A second more minor issue is that the return codes from this function are
quite confused, with no distinction made between fatal and non-fatal errors.
Most user code treats all errors as non-fatal, and simply retries the call
to DTLSv1_listen().

This commit completely rewrites the implementation of DTLSv1_listen() and
provides a stand alone implementation that does not rely on the existing
state machine. It also provides more consistent return codes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:26 +01:00
Emilia Kasper
e9fa092efc Remove ssl_put_cipher_by_char
Since SSLv3, a CipherSuite is always 2 bytes. The only place where we
need 3-byte ciphers is SSLv2-compatible ClientHello processing.

So, remove the ssl_put_cipher_by_char indirection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 20:34:25 +02:00
Dr. Stephen Henson
df6da24bda Fix PSK identity hint handling.
For server use a PSK identity hint value in the CERT structure which
is inherited when SSL_new is called and which allows applications to
set hints on a per-SSL basis. The previous version of
SSL_use_psk_identity_hint tried (wrongly) to use the SSL_SESSION structure.

PR#4039

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-14 19:52:27 +01:00
Matt Caswell
50932c4af2 PACKETise ServerHello processing
Process ServerHello messages using the PACKET API

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-07 10:45:38 +01:00
Dr. Stephen Henson
3d3701ea20 ccm8 support
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-14 06:56:11 +01:00
Dr. Stephen Henson
e75c5a794e CCM support.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-14 06:56:11 +01:00
Rich Salz
ade44dcb16 Remove Gost94 signature algorithm.
This was obsolete in 2001.  This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 18:23:29 -04:00
Matt Caswell
c69f2adf71 Move DTLS CCS processing into the state machine
Continuing on from the previous commit this moves the processing of DTLS
CCS messages out of the record layer and into the state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:18:05 +01:00
Matt Caswell
657da85eea Move TLS CCS processing into the state machine
The handling of incoming CCS records is a little strange. Since CCS is not
a handshake message it is handled differently to normal handshake messages.
Unfortunately whilst technically it is not a handhshake message the reality
is that it must be processed in accordance with the state of the handshake.
Currently CCS records are processed entirely within the record layer. In
order to ensure that it is handled in accordance with the handshake state
a flag is used to indicate that it is an acceptable time to receive a CCS.

Previously this flag did not exist (see CVE-2014-0224), but the flag should
only really be considered a workaround for the problem that CCS is not
visible to the state machine.

Outgoing CCS messages are already handled within the state machine.

This patch makes CCS visible to the TLS state machine. A separate commit
will handle DTLS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:18:05 +01:00
Matt Caswell
9ceb2426b0 PACKETise ClientHello processing
Uses the new PACKET code to process the incoming ClientHello including all
extensions etc.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:01:42 +01:00
Matt Caswell
7e729bb5a3 Add initial packet parsing code
Provide more robust (inline) functions to replace n2s, n2l, etc. These
functions do the same thing as the previous macros, but also keep track
of the amount of data remaining and return an error if we try to read more
data than we've got.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-03 11:01:42 +01:00
Dr. Stephen Henson
85269210ff Extended PSK server support.
Add support for RSAPSK, DHEPSK and ECDHEPSK server side.

Update various checks to ensure certificate and server key exchange messages
are only sent when required.

Update message handling. PSK server key exchange parsing now include an
identity hint prefix for all PSK server key exchange messages. PSK
client key exchange message expects PSK identity and requests key for
all PSK key exchange ciphersuites.

Update flags for RSA, DH and ECDH so they are also used in PSK.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-30 14:43:35 +01:00
Dr. Stephen Henson
64651d3984 fields for PSK key, new constants
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-30 14:43:34 +01:00
Matt Caswell
57787ac814 Remove support for SSL3_FLAGS_DELAY_CLIENT_FINISHED
This flag was not set anywhere within the codebase (only read). It could
only be set by an app reaching directly into s->s3->flags and setting it
directly. However that method became impossible when libssl was opaquified.

Even in 1.0.2/1.0.1 if an app set the flag directly it is only relevant to
ssl3_connect(), which calls SSL_clear() during initialisation that clears
any flag settings. Therefore it could take effect if the app set the flag
after the handshake has started but before it completed. It seems quite
unlikely that any apps really do this (especially as it is completely
undocumented).

The purpose of the flag is suppress flushing of the write bio on the client
side at the end of the handshake after the client has written the Finished
message whilst resuming a session. This enables the client to send
application data as part of the same flight as the Finished message.

This flag also controls the setting of a second flag SSL3_FLAGS_POP_BUFFER.
There is an interesting comment in the code about this second flag in the
implementation of ssl3_write:

	/* This is an experimental flag that sends the
	 * last handshake message in the same packet as the first
	 * use data - used to see if it helps the TCP protocol during
	 * session-id reuse */

It seems the experiment did not work because as far as I can tell nothing
is using this code. The above comment has been in the code since SSLeay.

This commit removes support for SSL3_FLAGS_DELAY_CLIENT_FINISHED, as well
as the associated SSL3_FLAGS_POP_BUFFER.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-27 15:00:05 +01:00
Dr. Stephen Henson
f7d5348710 Use uint32_t consistently for flags.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-18 13:57:05 +01:00
Dr. Stephen Henson
57b272b01a Use single master secret generation function.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-29 11:47:59 +01:00
Dr. Stephen Henson
124037fdc0 Tidy up ssl3_digest_cached_records logic.
Rewrite ssl3_digest_cached_records handling. Only digest cached records
if digest array is NULL: this means it is safe to call
ssl3_digest_cached_records multiple times (subsequent calls are no op).

Remove flag TLS1_FLAGS_KEEP_HANDSHAKE instead only update handshake buffer
if digest array is NULL.

Add additional "keep" parameter to ssl3_digest_cached_records to indicate
if the handshake buffer should be retained after digesting cached records
(needed for TLS 1.2 client authentication).

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-23 22:24:09 +01:00
Dr. Stephen Henson
389ebcecae Remove SESS_CERT entirely.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-22 13:52:24 +01:00
Dr. Stephen Henson
c34b0f9930 Move peer chain to SSL_SESSION structure.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-22 13:52:24 +01:00
Dr. Stephen Henson
a273c6eeee Remove certificates from sess_cert
As numerous comments indicate the certificate and key array is not an
appopriate structure to store the peers certificate: so remove it and
just the s->session->peer instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-22 13:52:24 +01:00
Dr. Stephen Henson
8d92c1f8a3 Remove peer temp keys from SESS_CERT
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-22 13:52:24 +01:00
Matt Caswell
98ece4eebf Fix race condition in NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

CVE-2015-1791

This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.

Parts of this patch were inspired by this Akamai change:
c0bf69a791

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-02 09:30:12 +01:00
Matt Caswell
6218a1f57e Remove struct ccs_header_st
struct ccs_header_st is not used so it should be removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-29 16:24:42 +01:00
Matt Caswell
e481f9b90b Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 23:10:51 +01:00