Commit Graph

1512 Commits

Author SHA1 Message Date
Adam Langley
0fbf33a691 Fixed incorrect return code handling in ssl3_final_finish_mac.
Based on an original patch by Joel Sing (OpenBSD) who also originally
identified the issue.

(Imported from upstream's 728bd41a159ea16a60111e7c1120ec2a005507b3)
2014-06-20 13:17:42 -07:00
Adam Langley
e044fe4bc7 Fix null pointer errors.
PR#3394

(Imported from upstream's cea5a1d5f255a6a186cd7944c4a312612da965f3)
2014-06-20 13:17:42 -07:00
Adam Langley
8314351bcc Update strength_bits for 3DES.
Fix strength_bits to 112 for 3DES.

(Imported from upstream's 05b2210476d3b2b0f24159112ccaea65e55831e5)
2014-06-20 13:17:42 -07:00
Adam Langley
6acf476eb6 Make tls_session_secret_cb work with CVE-2014-0224 fix.
If application uses tls_session_secret_cb for session resumption set the
CCS_OK flag.

(Imported from upstream's a21f350a76b34b66dcaf9c1676baec945f32e980)
2014-06-20 13:17:41 -07:00
Adam Langley
bed2214b3e Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.

(Imported from upstream's eb6508d50c9a314b88ac155bd378cbd79a117c92)
2014-06-20 13:17:41 -07:00
Adam Langley
ce7f9caa98 Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.

(Imported from upstream's 77719aefb8f549ccc7f04222174889615d62057b)
2014-06-20 13:17:41 -07:00
Adam Langley
ec48ffc1fe Additional CVE-2014-0224 protection.
Return a fatal error if an attempt is made to use a zero length
master secret.

(Imported from upstream's 9d2c9dd1e1a452939a733b638d180bb308ce72a9)
2014-06-20 13:17:41 -07:00
Adam Langley
895780572b Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without
recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.

(Imported from upstream's 8942b92c7cb5fa144bd79b7607b459d0b777164c)
2014-06-20 13:17:41 -07:00
Adam Langley
d06eddd15c Fix CVE-2014-3470
Check session_cert is not NULL before dereferencing it.

(Imported from upstream's e5f706590c7b1f19ca34415593aebdb6cbef355b)
2014-06-20 13:17:41 -07:00
Adam Langley
b7bf53c808 Check there is enough room for extension.
(Imported from upstream's 56b94a38b9a2197210a110c4a01a39ac75b34ce8)
2014-06-20 13:17:41 -07:00
Adam Langley
fb5cd20236 Free up s->d1->buffered_app_data.q properly.
PR#3286

(Imported from upstream's d52eb82781eff1f8245ae9c16c84db765f037cbe)
2014-06-20 13:17:41 -07:00
Adam Langley
f10a63b050 Typo: set i to -1 before goto.
PR#3302

(Imported from upstream's 646886682373e76dee233f7b918dec0c83e180fc)
2014-06-20 13:17:41 -07:00
Adam Langley
d74d7d030c Added SSLErr call for internal error in dtls1_buffer_record
(Imported from upstream's de8a5b523f38377c8e0d9098ebff880749156db6)
2014-06-20 13:17:41 -07:00
Adam Langley
3a54f9e015 Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug.
PR#3362

(Imported from upstream's 8de85b00484e7e4ca6f0b6e174fb1dc97db91281)
2014-06-20 13:17:41 -07:00
Adam Langley
ce1cfe169a Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361

(Imported from upstream's 856a4585d6f7a856b90c93792cf1c1ed968d4a4b)
2014-06-20 13:17:40 -07:00
Adam Langley
caddf1c4de Use correct digest when exporting keying material.
PR#3319

(Imported from upstream's 87a0cbdf2ee539ea922f9cf7a4b7c2c03119891d)
2014-06-20 13:17:40 -07:00
Adam Langley
b4b9914f74 Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(Imported from upstream's 2312a84ca17c5ac133581552df7024957cf15bc8)
2014-06-20 13:17:40 -07:00
Adam Langley
45fb1eca0d Sync with upstream's fix for PR#3321.
(Imported from upstream's f710c3f198c9980a1056bac9b4b9617554254671)
2014-06-20 13:17:40 -07:00
Adam Langley
041240485d Avoid out-of-bounds write in SSL_get_shared_ciphers
PR: 3317

(Imported from upstream's 8571902e238ba2ef1517185c2a662c03f51dc1bf and
1f5bce2dcebbb5059c2a5ecf4037432e8041cc07)
2014-06-20 13:17:40 -07:00
Adam Langley
9611cfcb9f safety check to ensure we dont send out beyond the users buffer
(Imported from upstream's 011ee91105f00cb2465110ce6431b11b51556d08 and
f2ebe2a60eacf3e348898175be82971b57d72327)
2014-06-20 13:17:40 -07:00
Adam Langley
f77452c572 fix coverity issue 966597 - error line is not always initialised
(Imported from upstream's afe343c3a7077caeaad43a9f2ee7e5d7f70076e5)
2014-06-20 13:17:40 -07:00
Adam Langley
4a35a93a12 Fix use after free.
(Imported from upstream's a0fe2e72c48166c9c4bb423397723de1fb6227b0)
2014-06-20 13:17:40 -07:00
Adam Langley
56475207be Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)

(Imported from upstream's 7e840163c06c7692b796a93e3fa85a93136adbb2)
2014-06-20 13:17:39 -07:00
Adam Langley
dacb502cf4 Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml

(Imported from upstream's 6411b83e52fdfd0d3563d50a4dc00838b142fb2c)
2014-06-20 13:17:39 -07:00
Adam Langley
db4f9521b5 Fix memory leak with client auth.
(Imported from upstream's bc5ec653ba65fedb1619c8182088497de8a97a70)
2014-06-20 13:17:39 -07:00
Adam Langley
64c2223310 Update chain building function.
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can
issue warnings.

(Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
2014-06-20 13:17:39 -07:00
Adam Langley
dff7b9e11b Allow duplicate certs in ssl_build_cert_chain
(Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
2014-06-20 13:17:39 -07:00
Adam Langley
9f61d7f4a1 ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201

(Imported from upstream's 8d08627c940900998d02a0dff0566db736efb94f)
2014-06-20 13:17:38 -07:00
Adam Langley
f669c2d91a New chain building flags.
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

(Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
2014-06-20 13:17:38 -07:00
Adam Langley
b6333d600e Return per-certificate chain if extra chain is NULL.
If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only

(Imported from upstream's e0d4272a583c760ce008b661b79baf8b3ff24561 and
3bff195dca617c4ec1630945fef93b792b418cc8)
2014-06-20 13:17:38 -07:00
Adam Langley
80842bdb44 Fix test of first of 255 CBC padding bytes.
Thanks to Peter Gijsels for pointing out that if a CBC record has 255
bytes of padding, the first was not being checked.
2014-06-20 13:17:37 -07:00
Adam Langley
01797e309f psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.
2014-06-20 13:17:37 -07:00
Adam Langley
aed2306b9d Refactor ssl3_send_client_verify.
The original logic was a confusing spaghetti and mixed up initialization
for all the different cases together.
2014-06-20 13:17:37 -07:00
Adam Langley
28acbbc2d6 Add SSL_get_client_certificate_types.
Exposes the certificate_types parameter in a CertificateRequest.

Transplanted from https://codereview.chromium.org/254723002/
2014-06-20 13:17:36 -07:00
Adam Langley
c3174b7b2d Move ECC extensions to end.
Move ECC SSL extensions to the end.

WebSphere Application Server 7.0 appears to be intolerant of an empty
extension at the end. To that end, also ensure we never send an empty
padding extension.
2014-06-20 13:17:36 -07:00
Adam Langley
c6c8ae8fae Fix use-after-free after a deferred alert.
The KLEE folks (who do symbolic execution of code) found a crash:
http://marc.info/?l=openssl-dev&m=139809493725682&w=2
2014-06-20 13:17:36 -07:00
Adam Langley
0289c73051 Fix TLS-PSK identity hint implementation issues.
PSK identity hint can be stored in SSL_CTX and in SSL/SSL_SESSION,
similar to other TLS parameters, with the value in SSL/SSL_SESSION
taking precedence over the one in SSL_CTX. The value in SSL_CTX is
shared (used as the default) between all SSL instances associated
with that SSL_CTX, whereas the value in SSL/SSL_SESSION is confined
to that particular TLS/SSL connection/session.

The existing implementation of TLS-PSK does not correctly distinguish
between PSK identity hint in SSL_CTX and in SSL/SSL_SESSION. This
change fixes these issues:
1. SSL_use_psk_identity_hint does nothing and returns "success" when
   the SSL object does not have an associated SSL_SESSION.
2. On the client, the hint in SSL_CTX (which is shared between
   multiple SSL instances) is overwritten with the hint received from
   server or reset to NULL if no hint was received.
3. On the client, psk_client_callback is invoked with the hint from
   SSL_CTX rather than from current SSL/SSL_SESSION (i.e., the one
   received from the server). Issue #2 above masks this issue.
4. On the server, the hint in SSL/SSL_SESSION is ignored and the hint
   from SSL_CTX is sent to the client.
5. On the server, the hint in SSL/SSL_SESSION is reset to the one in
   SSL_CTX after the ClientKeyExchange message step.

This change fixes the issues by:
* Adding storage for the hint in the SSL object. The idea being that
  the hint in the associated SSL_SESSION takes precedence.
* Reading the hint during the handshake only from the associated
  SSL_SESSION object.
* Initializing the hint in SSL object with the one from the SSL_CTX
  object.
* Initializing the hint in SSL_SESSION object with the one from the
  SSL object.
* Making SSL_use_psk_identity_hint and SSL_get_psk_identity_hint
  set/get the hint to/from SSL_SESSION associated with the provided
  SSL object, or, if no SSL_SESSION is available, set/get the hint
  to/from the provided SSL object.
* Removing code which resets the hint during handshake.
2014-06-20 13:17:36 -07:00
Adam Langley
a5dc545bbc Set SID from SSL_CTX
This change ensures that the session ID context of an SSL* is updated
when its SSL_CTX is updated.
2014-06-20 13:17:36 -07:00
Adam Langley
dc9b141127 Early callback support. 2014-06-20 13:17:36 -07:00
Adam Langley
b0c235ed36 TLS extension limit check fixes.
Fix limit checks in ssl_add_clienthello_tlsext and
ssl_add_serverhello_tlsext.

Some of the limit checks reference p rather than ret. p is the original
buffer position, not the current one. Fix those and rename p to orig so
it's clearer.
2014-06-20 13:17:36 -07:00
Adam Langley
2970779684 Fallback SCSV.
This patch adds server-side support for TLS_FALLBACK_SCSV (see
http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01).
2014-06-20 13:17:36 -07:00
Adam Langley
735107652b Const correctness.
This change fixes a number of build warnings.
2014-06-20 13:17:36 -07:00
Adam Langley
858a88daf2 Equal preference cipher groups.
This change implements equal-preference groups of cipher suites. This
allows, for example, a server to prefer one of AES-GCM or ChaCha20
ciphers, but to allow the client to pick which one. When coupled with
clients that will boost AES-GCM in their preferences when AES-NI is
present, this allows us to use AES-GCM when the hardware exists and
ChaCha20 otherwise.
2014-06-20 13:17:35 -07:00
Adam Langley
c26c802a89 Implement ECDHE-PSK-WITH-AES-128-GCM-SHA256. 2014-06-20 13:17:35 -07:00
Adam Langley
d493d5289d CBC record splitting.
This patch removes support for empty records (which is almost
universally disabled via SSL_OP_ALL) and adds optional support for 1/n-1
record splitting.

The latter is not enabled by default, since it's not typically used on
servers, but it should be enabled in web browsers since there are known
attacks in that case (see BEAST).
2014-06-20 13:17:35 -07:00
Adam Langley
509e5ed201 Optionally no cert request if ChannelID.
This change allows a server be to configured to skip a
CertificateRequest if the client presented a ChannelID.
2014-06-20 13:17:35 -07:00
Adam Langley
5c270c590d Use AEAD for AES256-GCM. 2014-06-20 13:17:35 -07:00
Adam Langley
de0b202684 ChaCha20-Poly1305 support. 2014-06-20 13:17:35 -07:00
Adam Langley
d8983ce0f2 Use AEAD for AES-GCM in TLS. 2014-06-20 13:17:35 -07:00
Adam Langley
c9fb37504f SSL AEAD support.
This change allows AEADs to be used in ssl/ to implement SSL/TLS
ciphersuites.
2014-06-20 13:17:34 -07:00
Adam Langley
a5fa5b7bb6 tls1_change_cipher_state rewrite
The previous version of the function made adding AEAD changes very
difficult. This change should be a semantic no-op - it should be purely
a cleanup.
2014-06-20 13:17:34 -07:00
Adam Langley
1b9d47735c Optionally don't store client's cipher list.
This change causes the client's list of ciphers to be freed as soon as
we have sent a server-hello. This saves small, but useful, amount of
memory.
2014-06-20 13:17:34 -07:00
Adam Langley
0b5c1ac8ad TLS 1.1 ciphers.
This patch adds support for a different cipher list when the connection
is using TLS 1.1. This is intended to support the case where we want to
use AES with >= TLS 1.1 clients but RC4 otherwise because of the BEAST
attack.
2014-06-20 13:17:34 -07:00
Adam Langley
acff73f227 Constant-time, RSA PMS processing.
This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.
2014-06-20 13:17:34 -07:00
Adam Langley
4d4bff89bb Cipher family functions.
This change adds functions to check membership of various cipher
families. Clients and servers need this in order to optimise the size of
records because different families have different amounts of prefix and
postfix overhead.
2014-06-20 13:17:33 -07:00
Adam Langley
48105fa215 Empty record limit.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.
2014-06-20 13:17:33 -07:00
Adam Langley
1258b6a756 ChannelID support.
Implement ChannelID as both a client and server.
2014-06-20 13:17:33 -07:00
Adam Langley
75872534c2 Optionally, retain only SHA-256 of client cert.
Adds an option to retain only the SHA256 of a client certificate in
memory and in the serialized session state.
2014-06-20 13:17:33 -07:00
Adam Langley
95f22882a7 Add function to test headers agree.
Add a function to test that structure sizes match inside and outside of
OpenSSL.
2014-06-20 13:17:33 -07:00
Adam Langley
b2ce05839b Add support for asynchronous session lookup. 2014-06-20 13:17:32 -07:00
Adam Langley
adb739e1e5 False Start support.
(Called "cut through" for historical reasons in this patch.)

Enables SSL3+ clients to send application data immediately following the
Finished message even when negotiating full-handshakes.  With this
patch, clients can negotiate SSL connections in 1-RTT even when
performing full-handshakes.
2014-06-20 13:17:32 -07:00
Adam Langley
95c29f3cd1 Inital import.
Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta).

(This change contains substantial changes from the original and
effectively starts a new history.)
2014-06-20 13:17:32 -07:00