Commit Graph

2662 Commits

Author SHA1 Message Date
Dr. Stephen Henson
2e5ead831b Constify ssl_cert_type()
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 15:49:44 +01:00
Dr. Stephen Henson
8900f3e398 Convert X509* functions to use const getters
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 13:59:04 +01:00
Remi Gacogne
fddfc0afc8 Add missing session id and tlsext_status accessors
* SSL_SESSION_set1_id()
 * SSL_SESSION_get0_id_context()
 * SSL_CTX_get_tlsext_status_cb()
 * SSL_CTX_get_tlsext_status_arg()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 10:38:20 +01:00
Matt Caswell
48593cb12a Convert SSL_SESSION* functions to use const getters
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-16 23:36:28 +01:00
Matt Caswell
f9cf774cbd Ensure we unpad in constant time for read pipelining
The read pipelining code broke constant time unpadding. See GitHub
issue #1438

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-16 16:53:17 +01:00
David Woodhouse
31c34a3e2f Fix satsub64be() to unconditionally use 64-bit integers
Now we support (u)int64_t this can be very much simpler.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-16 10:24:57 +01:00
Matt Caswell
78fcddbb8d Address feedback on SSLv2 ClientHello processing
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Matt Caswell
a01c86a251 Send an alert if we get a non-initial record with the wrong version
If we receive a non-initial record but the version number isn't right then
we should send an alert.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Matt Caswell
44efb88a21 Address feedback on SSLv2 ClientHello processing
Feedback on the previous SSLv2 ClientHello processing fix was that it
breaks layering by reading init_num in the record layer. It also does not
detect if there was a previous non-fatal warning.

This is an alternative approach that directly tracks in the record layer
whether this is the first record.

GitHub Issue #1298

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Rob Percival
a1bb7708ce Improves CTLOG_STORE setters
Changes them to have clearer ownership semantics, as suggested in
https://github.com/openssl/openssl/pull/1372#discussion_r73232196.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1408)
2016-08-15 12:56:47 -04:00
Dr. Stephen Henson
0a699a0723 Fix no-ec
Fix no-ec builds by having separate functions to create keys based on
an existing EVP_PKEY and a curve id.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-15 14:07:33 +01:00
Dr. Stephen Henson
ec24630ae2 Modify TLS support for new X25519 API.
When handling ECDH check to see if the curve is "custom" (X25519 is
currently the only curve of this type) and instead of setting a curve
NID just allocate a key of appropriate type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-13 14:11:05 +01:00
Rich Salz
e928132343 GH1446: Add SSL_SESSION_get0_cipher
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1451)
2016-08-12 15:23:48 -04:00
Adam Langley
eea8723cd0 Fix test of first of 255 CBC padding bytes.
Thanks to Peter Gijsels for pointing out that if a CBC record has 255
bytes of padding, the first was not being checked.

(This is an import of change 80842bdb from BoringSSL.)

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1431)
2016-08-08 13:36:55 -07:00
JimC
a4a18b2f89 Fix CIPHER_DEBUG
Commit 3eb2aff renamed a field of ssl_cipher_st from algorithm_ssl -> min_tls but neglected to update the fprintf reference which is included by -DCIPHER_DEBUG

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1417)
2016-08-06 10:03:25 -04:00
klemens
6025001707 spelling fixes, just comments and readme.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413)
2016-08-05 19:07:30 -04:00
Richard Levitte
e38da82047 Remove OPENSSL_NO_STDIO guards around certain SSL cert/key functions
These functions are:

    SSL_use_certificate_file
    SSL_use_RSAPrivateKey_file
    SSL_use_PrivateKey_file
    SSL_CTX_use_certificate_file
    SSL_CTX_use_RSAPrivateKey_file
    SSL_CTX_use_PrivateKey_file
    SSL_use_certificate_chain_file

Internally, they use BIO_s_file(), which is defined and implemented at
all times, even when OpenSSL is configured no-stdio.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-05 21:18:15 +02:00
David Woodhouse
2e94723c1b Fix ubsan 'left shift of negative value -1' error in satsub64be()
Baroque, almost uncommented code triggers behaviour which is undefined
by the C standard. You might quite reasonably not care that the code was
broken on ones-complement machines, but if we support a ubsan build then
we need to at least pretend to care.

It looks like the special-case code for 64-bit big-endian is going to
behave differently (and wrongly) on wrap-around, because it treats the
values as signed. That seems wrong, and allows replay and other attacks.
Surely you need to renegotiate and start a new epoch rather than
wrapping around to sequence number zero again?

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:24 +01:00
David Woodhouse
032924c4b4 Make DTLS1_BAD_VER work with DTLS_client_method()
DTLSv1_client_method() is deprecated, but it was the only way to obtain
DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with
DTLS_client_method(), and it's relatively non-trivial to make it work without
expanding the hack into lots of places.

So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make
it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:24 +01:00
David Woodhouse
387cf21345 Fix cipher support for DTLS1_BAD_VER
Commit 3eb2aff40 ("Add support for minimum and maximum protocol version
supported by a cipher") disabled all ciphers for DTLS1_BAD_VER.

That wasn't helpful. Give them back.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:23 +01:00
David Woodhouse
ff4952896e Fix DTLS_VERSION_xx() comparison macros for DTLS1_BAD_VER
DTLS version numbers are strange and backwards, except DTLS1_BAD_VER so
we have to make a special case for it.

This does leave us with a set of macros which will evaluate their arguments
more than once, but it's not a public-facing API and it's not like this is
the kind of thing where people will be using DTLS_VERSION_LE(x++, y) anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:23 +01:00
David Woodhouse
e6027420b7 Fix ossl_statem_client_max_message_size() for DTLS1_BAD_VER
The Change Cipher Spec message in this ancient pre-standard version of DTLS
that Cisco are unfortunately still using in their products, is 3 bytes.

Allow it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:23 +01:00
David Woodhouse
c8a18468ca Fix SSL_export_keying_material() for DTLS1_BAD_VER
Commit d8e8590e ("Fix missing return value checks in SCTP") made the
DTLS handshake fail, even for non-SCTP connections, if
SSL_export_keying_material() fails. Which it does, for DTLS1_BAD_VER.

Apply the trivial fix to make it succeed, since there's no real reason
why it shouldn't even though we never need it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:23 +01:00
Ben Laurie
3260adf190 peer_tmp doesn't exist if no-ec no-dh.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 11:30:33 +01:00
Matt Caswell
58c27c207d Fix crash as a result of MULTIBLOCK
The MULTIBLOCK code uses a "jumbo" sized write buffer which it allocates
and then frees later. Pipelining however introduced multiple pipelines. It
keeps track of how many pipelines are initialised using numwpipes.
Unfortunately the MULTIBLOCK code was not updating this when in deallocated
its buffers, leading to a buffer being marked as initialised but set to
NULL.

RT#4618

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-30 11:46:20 +01:00
Matt Caswell
65e2d67254 Simplify and rename SSL_set_rbio() and SSL_set_wbio()
SSL_set_rbio() and SSL_set_wbio() are new functions in 1.1.0 and really
should be called SSL_set0_rbio() and SSL_set0_wbio(). The old
implementation was not consistent with what "set0" means though as there
were special cases around what happens if the rbio and wbio are the same.
We were only ever taking one reference on the BIO, and checking everywhere
whether the rbio and wbio are the same so as not to double free.

A better approach is to rename the functions to SSL_set0_rbio() and
SSL_set0_wbio(). If an existing BIO is present it is *always* freed
regardless of whether the rbio and wbio are the same or not. It is
therefore the callers responsibility to ensure that a reference is taken
for *each* usage, i.e. one for the rbio and one for the wbio.

The legacy function SSL_set_bio() takes both the rbio and wbio in one go
and sets them both. We can wrap up the old behaviour in the implementation
of that function, i.e. previously if the rbio and wbio are the same in the
call to this function then the caller only needed to ensure one reference
was passed. This behaviour is retained by internally upping the ref count.

This commit was inspired by BoringSSL commit f715c423224.

RT#4572

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-29 14:09:57 +01:00
Matt Caswell
b46fe860fe Fix BIO_pop for SSL BIOs
The BIO_pop implementation assumes that the rbio still equals the next BIO
in the chain. While this would normally be the case, it is possible that it
could have been changed directly by the application. It also does not
properly cater for the scenario where the buffering BIO is still in place
for the write BIO.

Most of the existing BIO_pop code for SSL BIOs can be replaced by a single
call to SSL_set_bio(). This is equivalent to the existing code but
additionally handles the scenario where the rbio has been changed or the
buffering BIO is still in place.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-29 14:09:57 +01:00
Matt Caswell
eddef30589 Fix BIO_push ref counting for SSL BIO
When pushing a BIO onto an SSL BIO we set the rbio and wbio for the SSL
object to be the BIO that has been pushed. Therefore we need to up the ref
count for that BIO. The existing code was uping the ref count on the wrong
BIO.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-29 14:09:57 +01:00
Matt Caswell
8e3854ac88 Don't double free the write bio
When setting the read bio we free up any old existing one. However this can
lead to a double free if the existing one is the same as the write bio.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-29 14:09:57 +01:00
Matt Caswell
0647719d80 Make the checks for an SSLv2 style record stricter
SSLv2 is no longer supported in 1.1.0, however we *do* still accept an SSLv2
style ClientHello, as long as we then subsequently negotiate a protocol
version >= SSLv3. The record format for SSLv2 style ClientHellos is quite
different to SSLv3+. We only accept this format in the first record of an
initial ClientHello. Previously we checked this by confirming
s->first_packet is set and s->server is true. However, this really only
tells us that we are dealing with an initial ClientHello, not that it is
the first record (s->first_packet is badly named...it really means this is
the first message). To check this is the first record of the initial
ClientHello we should also check that we've not received any data yet
(s->init_num == 0), and that we've not had any empty records.

GitHub Issue #1298

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-07-29 12:42:40 +01:00
russor
78a01b3f69 zero pad DHE public key in ServerKeyExchange message for interop
Some versions of the Microsoft TLS stack have problems when the DHE public key
is encoded with fewer bytes than the DHE prime.

There's some public acknowledgement of the bug at these links:

https://connect.microsoft.com/IE/feedback/details/1253526/tls-serverkeyexchange-with-1024-dhe-may-encode-dh-y-as-127-bytes-breaking-internet-explorer-11
https://connect.microsoft.com/IE/feedback/details/1104905/wininet-calculation-of-mac-in-tls-handshake-intermittently-fails-for-dhe-rsa-key-exchange

This encoding issue also causes the same errors with 2048-bit DHE, if the
public key is encoded in fewer than 256 bytes and includes the TLS stack on
Windows Phone 8.x.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1320)
2016-07-25 13:41:33 -04:00
FdaSilvaYY
d3d5dc607a Enforce and explicit some const casting
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
2016-07-25 08:20:00 -04:00
Richard Levitte
8b9546c708 Correct misspelt OPENSSL_NO_SRP
RT#4619

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 10:47:52 +02:00
Dr. Stephen Henson
31a7d80d0d Send alert for bad DH CKE
RT#4511

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-22 15:55:38 +01:00
Richard Levitte
912c258fc9 Have load_buildtin_compression in ssl/ssl_ciph.c return RUN_ONCE result
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 11:56:45 +02:00
Kurt Roeckx
69588edbaa Check for errors allocating the error strings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330
2016-07-20 19:20:53 +02:00
Matt Caswell
2e7dc7cd68 Never expose ssl->bbio in the public API.
This is adapted from BoringSSL commit 2f87112b963.

This fixes a number of bugs where the existence of bbio was leaked in the
public API and broke things.

- SSL_get_wbio returned the bbio during the handshake. It must always return
  the BIO the consumer configured. In doing so, some internal accesses of
  SSL_get_wbio should be switched to ssl->wbio since those want to see bbio.

- The logic in SSL_set_rfd, etc. (which I doubt is quite right since
  SSL_set_bio's lifetime is unclear) would get confused once wbio got
  wrapped. Those want to compare to SSL_get_wbio.

- If SSL_set_bio was called mid-handshake, bbio would get disconnected and
  lose state. It forgets to reattach the bbio afterwards. Unfortunately,
  Conscrypt does this a lot. It just never ended up calling it at a point
  where the bbio would cause problems.

- Make more explicit the invariant that any bbio's which exist are always
  attached. Simplify a few things as part of that.

RT#4572

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-20 13:08:08 +01:00
FdaSilvaYY
e8aa8b6c8f Fix a few if(, for(, while( inside code.
Fix some indentation at the same time

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292)
2016-07-20 07:21:53 -04:00
Dr. Stephen Henson
52eede5a97 Sanity check in ssl_get_algorithm2().
RT#4600

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-20 00:09:46 +01:00
Dr. Stephen Henson
fb9339827b Send alert on CKE error.
RT#4610

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-20 00:03:43 +01:00
Richard Levitte
c2e4e5d248 Change all our uses of CRYPTO_THREAD_run_once to use RUN_ONCE instead
That way, we have a way to check if the init function was successful
or not.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-07-19 23:49:54 +02:00
Emilia Kasper
70c22888c1 Fix two bugs in clienthello processing
- Always process ALPN (previously there was an early return in the
  certificate status handling)
- Don't send a duplicate alert. Previously, both
  ssl_check_clienthello_tlsext_late and its caller would send an
  alert. Consolidate alert sending code in the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-19 14:18:03 +02:00
Emilia Kasper
ce2cdac278 SSL test framework: port NPN and ALPN tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-19 14:17:48 +02:00
Matt Caswell
4fa88861ee Update error codes following tls_process_key_exchange() refactor
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00
Matt Caswell
e1e588acae Tidy up tls_process_key_exchange()
After the refactor of tls_process_key_exchange(), this commit tidies up
some loose ends.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00
Matt Caswell
ff74aeb1fa Split out ECDHE from tls_process_key_exchange()
Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the ECDHE aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00
Matt Caswell
e01a610db8 Split out DHE from tls_process_key_exchange()
Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the DHE aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00
Matt Caswell
25c6c10cd7 Split out SRP from tls_process_key_exchange()
Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the SRP aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00
Matt Caswell
7dc1c64774 Split out the PSK preamble from tls_process_key_exchange()
The tls_process_key_exchange() function is too long. This commit starts
the process of splitting it up by moving the PSK preamble code to a
separate function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00
Matt Caswell
02a74590bb Move the PSK preamble for tls_process_key_exchange()
The function tls_process_key_exchange() is too long. This commit moves
the PSK preamble processing out to a separate function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 12:18:46 +01:00