--strict-warnings started showing warnings for this today...
Surely an error should be raised if these reads fail?
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Some of the PACKET functions were returning incorrect data. An unfortunate
choice of test data in the unit test was masking the failure.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The move of CCS into the state machine introduced a bug in ssl3_read_bytes.
The value of |recvd_type| was not being set if we are satisfying the request
from handshake fragment storage. This can occur, for example, with
renegotiation and causes the handshake to fail.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Continuing on from the previous commit this moves the processing of DTLS
CCS messages out of the record layer and into the state machine.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The handling of incoming CCS records is a little strange. Since CCS is not
a handshake message it is handled differently to normal handshake messages.
Unfortunately whilst technically it is not a handhshake message the reality
is that it must be processed in accordance with the state of the handshake.
Currently CCS records are processed entirely within the record layer. In
order to ensure that it is handled in accordance with the handshake state
a flag is used to indicate that it is an acceptable time to receive a CCS.
Previously this flag did not exist (see CVE-2014-0224), but the flag should
only really be considered a workaround for the problem that CCS is not
visible to the state machine.
Outgoing CCS messages are already handled within the state machine.
This patch makes CCS visible to the TLS state machine. A separate commit
will handle DTLS.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Provide more robust (inline) functions to replace n2s, n2l, etc. These
functions do the same thing as the previous macros, but also keep track
of the amount of data remaining and return an error if we try to read more
data than we've got.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Commit e481f9b90b removed OPENSSL_NO_TLSEXT from the code.
Previously if OPENSSL_NO_TLSEXT *was not* defined then the server random was
filled during getting of the ClientHello. If it *was* defined then the
server random would be filled in ssl3_send_server_hello(). Unfortunately in
commit e481f9b90b the OPENSSL_NO_TLSEXT guards were removed but *both*
server random fillings were left in. This could cause problems for session
ticket callbacks.
Reviewed-by: Stephen Henson <steve@openssl.org>
Move PSK premaster secret algorithm to ssl_generate_master secret so
existing key exchange code can be used and modified slightly to add
the PSK wrapping structure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Add support for RSAPSK, DHEPSK and ECDHEPSK server side.
Update various checks to ensure certificate and server key exchange messages
are only sent when required.
Update message handling. PSK server key exchange parsing now include an
identity hint prefix for all PSK server key exchange messages. PSK
client key exchange message expects PSK identity and requests key for
all PSK key exchange ciphersuites.
Update flags for RSA, DH and ECDH so they are also used in PSK.
Reviewed-by: Matt Caswell <matt@openssl.org>
Add support for RSAPSK, DHEPSK and ECDHEPSK client side.
Update various checks to ensure certificate and server key exchange messages
are only expected when required.
Update message handling. PSK server key exchange parsing now expects an
identity hint prefix for all PSK server key exchange messages. PSK
client key exchange message requests PSK identity and key for all PSK
key exchange ciphersuites and includes identity in message.
Update flags for RSA, DH and ECDH so they are also used in PSK.
Reviewed-by: Matt Caswell <matt@openssl.org>
The DTLS code is supposed to drop packets if we try to write them out but
the underlying BIO write buffers are full. ssl3_write_pending() contains
an incorrect test for DTLS that controls this. The test only checks for
DTLS1 so DTLS1.2 does not correctly clear the internal OpenSSL buffer which
can later cause an assert to be hit. This commit changes the test to cover
all DTLS versions.
RT#3967
Reviewed-by: Tim Hudson <tjh@openssl.org>
This flag was not set anywhere within the codebase (only read). It could
only be set by an app reaching directly into s->s3->flags and setting it
directly. However that method became impossible when libssl was opaquified.
Even in 1.0.2/1.0.1 if an app set the flag directly it is only relevant to
ssl3_connect(), which calls SSL_clear() during initialisation that clears
any flag settings. Therefore it could take effect if the app set the flag
after the handshake has started but before it completed. It seems quite
unlikely that any apps really do this (especially as it is completely
undocumented).
The purpose of the flag is suppress flushing of the write bio on the client
side at the end of the handshake after the client has written the Finished
message whilst resuming a session. This enables the client to send
application data as part of the same flight as the Finished message.
This flag also controls the setting of a second flag SSL3_FLAGS_POP_BUFFER.
There is an interesting comment in the code about this second flag in the
implementation of ssl3_write:
/* This is an experimental flag that sends the
* last handshake message in the same packet as the first
* use data - used to see if it helps the TCP protocol during
* session-id reuse */
It seems the experiment did not work because as far as I can tell nothing
is using this code. The above comment has been in the code since SSLeay.
This commit removes support for SSL3_FLAGS_DELAY_CLIENT_FINISHED, as well
as the associated SSL3_FLAGS_POP_BUFFER.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Add support for loading verify and chain stores in SSL_CONF.
Commands to set verify mode and client CA names.
Add documentation.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).
Reviewed-by: Matt Caswell <matt@openssl.org>
We always free the handshake buffer when digests are freed so move
it into ssl_free_digest_list()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Rewrite ssl3_digest_cached_records handling. Only digest cached records
if digest array is NULL: this means it is safe to call
ssl3_digest_cached_records multiple times (subsequent calls are no op).
Remove flag TLS1_FLAGS_KEEP_HANDSHAKE instead only update handshake buffer
if digest array is NULL.
Add additional "keep" parameter to ssl3_digest_cached_records to indicate
if the handshake buffer should be retained after digesting cached records
(needed for TLS 1.2 client authentication).
Reviewed-by: Matt Caswell <matt@openssl.org>
If RSA or DSA is disabled we will never use a ciphersuite with
RSA/DSA authentication as it is already filtered out by the cipher
list logic.
Reviewed-by: Richard Levitte <levitte@openssl.org>
As numerous comments indicate the certificate and key array is not an
appopriate structure to store the peers certificate: so remove it and
just the s->session->peer instead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This reverts commit d480e182fe.
Commit broke TLS handshakes due to fragility of digest caching: that will be
fixed separately.
Reviewed-by: Rich Salz <rsalz@openssl.org>
While closing RT3588 (Remove obsolete comment) Kurt and I saw that a
few lines to completely clear the SSL cipher state could be moved into
a common function.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
It is valid for an extension block to be present in a ClientHello, but to
be of zero length.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.
Thanks to LibreSSL project for reporting these issues.
Reviewed-by: Tim Hudson <tjh@openssl.org>
This is a workaround so old that nobody remembers what buggy clients
it was for. It's also been broken in stable branches for two years and
nobody noticed (see
https://boringssl-review.googlesource.com/#/c/1694/).
Reviewed-by: Tim Hudson <tjh@openssl.org>
It should not be possible for DTLS message fragments to span multiple
packets. However previously if the message header fitted exactly into one
packet, and the fragment body was in the next packet then this would work.
Obviously this would fail if packets get re-ordered mid-flight.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The underlying field returned by RECORD_LAYER_get_rrec_length() is an
unsigned int. The return type of the function should match that.
Reviewed-by: Tim Hudson <tjh@openssl.org>
This adds additional checks to the processing of extensions in a ClientHello
to ensure that either no extensions are present, or if they are then they
take up the exact amount of space expected.
With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: Stephen Henson <steve@openssl.org>
Remove a comment that suggested further clean up was required.
DH_free() performs the necessary cleanup.
With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST.
With thanks to the Open Crypto Audit Project for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The session object on the client side is initially created during
construction of the ClientHello. If the client is DTLS1.2 capable then it
will store 1.2 as the version for the session. However if the server is only
DTLS1.0 capable then when the ServerHello comes back the client switches to
using DTLS1.0 from then on. However the session version does not get
updated. Therefore when the client attempts to resume that session the
server throws an alert because of an incorrect protocol version.
Reviewed-by: Tim Hudson <tjh@openssl.org>
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.
CVE-2015-1791
This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.
Parts of this patch were inspired by this Akamai change:
c0bf69a791
Reviewed-by: Rich Salz <rsalz@openssl.org>
dtls1_get_message has an |mt| variable which is the type of the message that
is being requested. If it is negative then any message type is allowed.
However the value of |mt| is not checked in one of the main code paths, so a
peer can send a message of a completely different type and it will be
processed as if it was the message type that we were expecting. This has
very little practical consequences because the current behaviour will still
fail when the format of the message isn't as expected.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Where we called openssl_cleanse, make sure we do it on all error
paths. Be consistent in use of sizeof(foo) when possible.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The new accessors SSL_get_client_random, SSL_get_server_random and
SSL_SESSION_get_master_key should return a size_t to match the type of the
|outlen| parameter.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Change the new SSL_get_client_random(), SSL_get_server_random() and
SSL_SESSION_get_master_key() functions to use size_t for |outlen| instead of
int.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Tor uses these values to implement a low-rent clone of RFC 5705 (which,
in our defense, we came up with before RFC 5705 existed). But now that
ssl_st is opaque, we need another way to get at them.
Includes documentation, with suitable warnings about not actually
using these functions.
Signed-off-by: Nick Mathewson <nickm@torproject.org>
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
On the server side, if you want to know which ciphers the client
offered, you had to use session->ciphers. But that field is no
longer visible, so we need a method to get at it.
Signed-off-by: Nick Mathewson <nickm@torproject.org>
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
The size of the SRP extension can never be negative (the variable
|size| is unsigned). Therefore don't check if it is less than zero.
RT#3862
Reviewed-by: Richard Levitte <levitte@openssl.org>
If the record received is for a version that we don't support, previously we
were sending an alert back. However if the incoming record already looks
like an alert then probably we shouldn't do that. So suppress an outgoing
alert if it looks like we've got one incoming.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Version negotiation was broken (one of the late changes in the review
process broke it). The problem is that TLS clients do not set first_packet,
whereas TLS/DTLS servers and DTLS clients do. The simple fix is to set
first_packet for TLS clients too.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
The certificate masks are used to select which ciphersuite we are going to
use. The variables |emask_k| and |emask_a| relate to export grade key
exchange and authentication respecitively. The variables |mask_k| and
|mask_a| are the equivalent versions for non-export grade. This fixes an
instance where the two usages of export/non-export were mixed up. In
practice it makes little difference since it still works!
Reviewed-by: Richard Levitte <levitte@openssl.org>
Remove support for the two export grade static DH ciphersuites. These two
ciphersuites were newly added (along with a number of other static DH
ciphersuites) to 1.0.2. However the two export ones have *never* worked
since they were introduced. It seems strange in any case to be adding new
export ciphersuites, and given "logjam" it also does not seem correct to
fix them.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in. This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.
This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.
Reviewed-by: Rich Salz <rsalz@openssl.org>
If a client receives a bad hello request in DTLS then the alert is not
sent correctly.
RT#2801
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
The function RECORD_LAYER_clear() is supposed to clear the contents of the
RECORD_LAYER structure, but retain certain data such as buffers that are
allocated. Unfortunately one buffer (for compression) got missed and was
inadvertently being wiped, thus causing a memory leak.
In part this is due to the fact that RECORD_LAYER_clear() was reaching
inside SSL3_BUFFERs and SSL3_RECORDs, which it really shouldn't. So, I've
rewritten it to only clear the data it knows about, and to defer clearing
of SSL3_RECORD and SSL3_BUFFER structures to SSL_RECORD_clear() and the
new function SSL3_BUFFER_clear().
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else.
The result:
$ openssl s_server -named_curves "auto"
This command will negotiate an ECDHE ciphersuite with P-256:
$ openssl s_client
This command will negotiate P-384:
$ openssl s_client -curves "P-384"
This command will not negotiate ECDHE because P-224 is disabled with "auto":
$ openssl s_client -curves "P-224"
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Move per-connection state out of the CERT structure: which should just be
for shared configuration data (e.g. certificates to use).
In particular move temporary premaster secret, raw ciphers, peer signature
algorithms and shared signature algorithms.
Reviewed-by: Rich Salz <rsalz@openssl.org>
