Commit Graph

2341 Commits

Author SHA1 Message Date
David Benjamin
fb4ea28bb8 Tidy DTLS cookie callback types.
const-correctness, unsigned long -> size_t.

Change-Id: Ic0c2685a48a0f98396c5753b6077c6c0c3b92326
Reviewed-on: https://boringssl-review.googlesource.com/1540
Reviewed-by: Adam Langley <agl@google.com>
2014-08-18 17:52:21 +00:00
David Benjamin
f4501347c9 Remove default_timeout hook.
Of the remaining implementations left, ssl3_, dtls1_, and ssl23_, dtls1_ is
redundant and can be folded into ssl3_. ssl23_ actually isn't; it sets 5
minutes rather than 2 hours. Two hours seems to be what everything else uses
and seems a saner default. Most consumers seem to override it anyway
(SSL_CTX_set_timeout). But it is a behavior change.

The method is called at two points:
- SSL_get_default_timeout
- SSL_CTX_new

Incidentally, the latter call actually makes the former never called internally
and the value it returns a lie. SSL_get_default_timeout returns the default
timeout of the /current/ method, but in ssl_get_new_session, the timeout is
shadowed by session_timeout on the context. That is initialized when
SSL_CTX_new is called. So, unless you go out of your way to
SSL_CTX_set_timeout(0), it always overrides. (And it actually used to a
difference because, for SSL23, the SSL_CTX's method is SSL23, but, when session
creation happens, the SSL's method is the version-specific one.)

Change-Id: I331d3fd69b726242b36492402717b6d0b521c6ee
Reviewed-on: https://boringssl-review.googlesource.com/1521
Reviewed-by: Adam Langley <agl@google.com>
2014-08-18 17:25:20 +00:00
David Benjamin
d4178fd9d8 Remove AES-GCM cipher indices.
Those ciphers go through EVP_AEAD now.

Change-Id: Ia97af9960223724f041dc2c249def9e626fd03f8
Reviewed-on: https://boringssl-review.googlesource.com/1520
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 22:02:42 +00:00
David Benjamin
b00eee1935 Trim unused cipher indices and definitions.
Also remove SSL_eNULL ciphers. They were broken anyway in the initial import
because of a lost 'else', but just remove them altogether.

Change-Id: Ie71cf1b45f8fc6883e209801443eddf7f2d058ba
Reviewed-on: https://boringssl-review.googlesource.com/1518
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 22:01:43 +00:00
David Benjamin
335d10d201 Remove Suite B mode.
It was added in OpenSSL 1.0.2, so nothing can be depending on it yet. If we
really want a Suite B profile, it seems better to generate a configuration for
the rest of the system rather than pepper the codebase with checks.

Change-Id: I1be3ebed0e87cbfe236ade4174dcf5bbc7e10dd5
Reviewed-on: https://boringssl-review.googlesource.com/1517
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 22:00:16 +00:00
David Benjamin
76d8abe7fd Get SSL 3.0 server tests working.
The missing SSL 3.0 client support in runner.go was fairly minor.

Change-Id: Ibbd440c9b6be99be08a214dec6b93ca358d8cf0a
Reviewed-on: https://boringssl-review.googlesource.com/1516
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 21:42:36 +00:00
David Benjamin
6fd297bb62 Add initial DTLS tests.
Change-Id: I7407261bdb2d788c879f2e67e617a615d9ff8f8b
Reviewed-on: https://boringssl-review.googlesource.com/1505
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 16:55:45 +00:00
Adam Langley
82b7da271f Set SSL_SESSION.cipher when parsing.
This was done for the server when parsing a session ticket, but it
wasn't done in the parsing function itself. That caused problems when
high level code used the parsing function directly to set a session for
the client code.

See comments in internal bug 7091840.

Change-Id: Iaa048c3df62cd9fe7a003af33805819e2556960a
2014-08-14 09:42:46 -07:00
Adam Langley
0f4746e207 Add SSL_SESSION_get_version.
Android uses this and added it to their OpenSSL in
  https://android.googlesource.com/platform/external/openssl.git/+/master/patches/0003-jsse.patch

Change-Id: Ib7985d51752ad8e7b75480513c3ab582a30f398a
2014-08-14 09:42:46 -07:00
David Benjamin
1b96526c6f Merge tls1_* method hooks with the ssl3_* versions.
The protocols are pretty similar; they were all basically redundant. The free
of s->tlsext_session_ticket (more fallout from the EAP-FAST patch) was moved to
SSL_free because that object's attached to s, not s->s3. This is relevant if
SSL_set_ssl_method gets called.

Change-Id: I14a896ba8a6a2c34ab1cb5f65311b117051228da
Reviewed-on: https://boringssl-review.googlesource.com/1509
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 00:18:12 +00:00
David Benjamin
5a593af42a Move configuration into a dedicated TestConfig struct.
This removes some duplicate code in parsing command-line flags and, more
importantly, makes configuration available when constructing the SSL_CTX and
avoids a number of globals.

Change-Id: I26e2d2285b732f855a2c82752bc8e0db480c3b30
Reviewed-on: https://boringssl-review.googlesource.com/1502
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 23:44:50 +00:00
David Benjamin
83c0bc94d7 Test-only DTLS implementation in runner.go.
Run against openssl s_client and openssl s_server. This seems to work for a
start, although it may need to become cleverer to stress more of BoringSSL's
implementation for test purposes.

In particular, it assumes a reliable, in-order channel. And it requires that
the peer send handshake fragments in order. Retransmit and whatnot are not
implemented. The peer under test will be expected to handle a lossy channel,
but all loss in the channel will be controlled. MAC errors, etc., are fatal.

Change-Id: I329233cfb0994938fd012667ddf7c6a791ac7164
Reviewed-on: https://boringssl-review.googlesource.com/1390
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 23:43:38 +00:00
David Benjamin
51e3283d62 Port dtls1_get_hello_verify to CBS.
Gives bounds checks and asserts that there's nothing after the cookie.

Change-Id: I8f9753e0c72670e9960f73a5722cefd9c02696a9
Reviewed-on: https://boringssl-review.googlesource.com/1507
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 21:59:51 +00:00
David Benjamin
9174312be6 Update d1_clnt.c to use ssl_cipher_has_server_public_key.
Mirror the changes in s3_clnt.c.

Change-Id: I7af7080c6eea2a67cc994befa11e45d32eaa9615
Reviewed-on: https://boringssl-review.googlesource.com/1506
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 21:59:02 +00:00
David Benjamin
6491e8c267 Allow renewed tickets on session resumption in DTLS.
Analogous fix for DTLS as upstream's c519e89f5c359b8c0f747519773284d9b6382791.

Change-Id: I8a56070ce2a1edf4e9ceb2fd8ce08552e25a1cf3
Reviewed-on: https://boringssl-review.googlesource.com/1504
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 21:58:43 +00:00
David Benjamin
09bd58d1f1 Replace some DTLS version checks with SSL_IS_DTLS.
They weren't updated to account for DTLS 1.2.

Change-Id: I81b3bfcb84a46d7b233bb567976a7de37bc46b92
Reviewed-on: https://boringssl-review.googlesource.com/1503
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 21:58:03 +00:00
Håvard Molland
16c623b83d Fix of handling weak dh server keys.
https://crbug.com/353579

Align behavior with NSS and report SSL_R_BAD_DH_P_LENGTH error
when size of the server's dh group is less than 512 bits.

Change-Id: I09f1828482f40b2283f7c6a69425819379399815
Reviewed-on: https://boringssl-review.googlesource.com/1480
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 17:59:59 +00:00
Håvard Molland
584d28cad6 Use OPENSSL_free instead of free.
Even if OPENSSL_free() now simply is defined to free(), it is
still nice to consistently use OPENSSL_free, so that they can
easily be replaced. Many embedded platforms still have slow
allocation and free functions.

Change-Id: Ie8781591311f12c7f69206dbad6fc4a0c89d88b7
Reviewed-on: https://boringssl-review.googlesource.com/1490
Reviewed-by: Adam Langley <agl@google.com>
2014-08-13 17:02:09 +00:00
Adam Langley
f1df2b3fbf Add SSL_CIPHER_get_kx_name.
This is needed by Android because it passes this string to a handshake
callback. It's implemented in Android's OpenSSL in this patch:
  https://android.googlesource.com/platform/external/openssl.git/+/master/patches/0003-jsse.patch

(Note that it's called |SSL_authentication_method| there.)

I didn't format this function in OpenSSL style because it's crazy and
because we'll probably clang-format ssl/ soon.

Change-Id: I865540511b50859c339da5d76ce37810449aa444
2014-08-12 14:13:12 -07:00
Adam Langley
8eaaa86da3 Add mode to disallow session creation.
Android needs this and it was patched into their OpenSSL in
  https://android.googlesource.com/platform/external/openssl.git/+/master/patches/0003-jsse.patch

It appears that this is needed because javax.net.ssl.SSLEngine has it as
part of its interface and thus it's part of the Android API. No idea why
anything would ever want to disable that though.

Change-Id: I9c6279a961637f44936889edbe269b9d5c19746d
2014-08-12 14:11:35 -07:00
David Benjamin
98e882ead1 Clean up s23_srvr.c.
ssl23_get_client_hello has lots of remnants of SSLv2 support and remnants of an
even older SSL_OP_NON_EXPORT_FIRST option (see upstream's
d92f0bb6e9ed94ac0c3aa0c939f2565f2ed95935) which complicates the logic.

Split it into three states and move V2ClientHello parsing into its own
function. Port it to CBS and CBB to give bounds checks on the V2ClientHello
parse.

This fixes a minor bug where, if the SSL_accept call in ssl23_get_client_hello
failed, cb would not be NULL'd and SSL_CB_ACCEPT_LOOP would get reported an
extra time.

It also unbreaks the invariant between s->packet, s->packet_length,
s->s3->rbuf.buf, and s->s3->rbuf.offset at the point the switch, although this
was of no consequence because the first ssl3_read_n call passes extend = 0
which resets s->packet and s->packet_length.

It also makes us tolerant to major version bumps in the ClientHello. Add tests
for TLS tolerance of both minor and major version bumps as well as the HTTP
request error codes.

Change-Id: I948337f4dc483f4ebe1742d3eba53b045b260257
Reviewed-on: https://boringssl-review.googlesource.com/1455
Reviewed-by: Adam Langley <agl@google.com>
2014-08-12 21:10:56 +00:00
Adam Langley
ded93581f1 Windows build fixes.
Windows doesn't have ssize_t, sadly. There's SSIZE_T, but defining an
OPENSSL_SSIZE_T seems worse than just using an int.

Change-Id: I09bb5aa03f96da78b619e551f92ed52ce24d9f3f
Reviewed-on: https://boringssl-review.googlesource.com/1352
Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 22:10:02 +00:00
Håvard Molland
90974e7081 Fixed reporting wrong function to OPENSSL_PUT_ERROR.
ssl3_send_client_key_exchange were wrongly reported
by ssl3_send_client_certificate() and
ssl3_check_cert_and_algorithm()

Change-Id: I244d3d871b6b4f75a188fd386d52ffc4335d1f9b
Reviewed-on: https://boringssl-review.googlesource.com/1460
Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 18:46:56 +00:00
David Benjamin
1e7f8d70ec Move SendV2ClientHello to handshake coverage tests.
It's a different handshake flow with more state machine coverage. We should
make sure to test the asynchronous version.

Change-Id: I0bb79ca7e6a86bd3cac66bac1f795a885d474909
Reviewed-on: https://boringssl-review.googlesource.com/1454
Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:40:18 +00:00
David Benjamin
bed9aae757 Add RenewTicketOnResume tests.
Didn't have coverage for abbreviated handshakes with NewSessionTicket. Also add
some missing resumeSession flags so the tests match the comments.

Change-Id: Ie4d76e8764561f3f1f31e1aa9595324affce0db8
Reviewed-on: https://boringssl-review.googlesource.com/1453
Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:39:57 +00:00
David Benjamin
9821454f2b Add tests for CVE-2014-3511.
Also change MaxHandshakeRecordLength to 1 in the handshake coverage tests to
better stress the state machine.

Change-Id: I27fce2c000b3d4818fd2e9a47fb09d3f646dd1bd
Reviewed-on: https://boringssl-review.googlesource.com/1452
Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:39:47 +00:00
David Benjamin
7e2e6cf1a0 Add test coverage for TLS version negotiation.
Test all pairs of client and server version, except for the ones that require
SSLv3 client support in runner.go. That is, as yet, still missing.

Change-Id: I601ab49c5526cd2eb4f85d5d535570e32f218d5b
Reviewed-on: https://boringssl-review.googlesource.com/1450
Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:39:16 +00:00
David Benjamin
0fecacd46d Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>

(Imported from upstream's 280b1f1ad12131defcd986676a8fc9717aaa601b)

Change-Id: I39894b340d2a03751b221631f8cd0ee220cf5b67
Reviewed-on: https://boringssl-review.googlesource.com/1451
Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:08:41 +00:00
David Benjamin
a8e3e0e936 Remove SSL_OP_TLS_ROLLBACK_BUG.
It's not part of SSL_OP_ALL and is unused, so remove it. Add a test that
asserts the version check works.

Change-Id: I917516594ec5a4998a8316782f035697c33d99b0
Reviewed-on: https://boringssl-review.googlesource.com/1418
Reviewed-by: Adam Langley <agl@google.com>
2014-08-08 17:04:53 +00:00
Emilia Käsper
c3d79605ab Fix DTLS anonymous EC(DH) denial of service
(This change originally applied to 1.0.1. In the switch to 1.0.2, the
DTLS specific client processing was removed and now the s3_clnt.c
functions are used. This caused most of the patch to be moot. What
remains is still useful however. For the original patch, see the change
against 1.0.1: 88ae012c8092852f03c50f6461175271104b4c8a)

CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

(Imported from upstream's 1d7d0ed9c21403d79d602b6c7d76fdecf5e737da)

Change-Id: I666f9c48d603f2366cab821ae446a57360c3026b
Reviewed-on: https://boringssl-review.googlesource.com/1439
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:13:45 +00:00
Adam Langley
5ba06a7532 Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509

(Imported from upstream's 92aa73bcbfad44f9dd7997ae51537ac5d7dc201e)

Change-Id: Ibc681897251081ae5ebfea0ff6ca9defd73fe0f5
Reviewed-on: https://boringssl-review.googlesource.com/1441
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:11:23 +00:00
Adam Langley
abae631fb9 Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(Imported from upstream's d345a24569edf0a966b3d6eaae525f0ca4c5e570)

Change-Id: I038f9f01a1d9379f1ee058b231d80e8b9ce6c2d7
Reviewed-on: https://boringssl-review.googlesource.com/1438
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:09:32 +00:00
Matt Caswell
e24f686e31 Same fix as in dtls1_process_out_of_seq_message.
Applying same fix as in dtls1_process_out_of_seq_message. A truncated
DTLS fragment would cause *ok to be clear, but the return value would
still be the number of bytes read.

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

(Imported from upstream's 3d5dceac430d7b9b273331931d4d2303f5a2256f)

Change-Id: Ibe30716266e2ee1489c98b922cf53edda096c23c
Reviewed-on: https://boringssl-review.googlesource.com/1437
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:09:21 +00:00
Adam Langley
8506609ca3 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(Imported from upstream's aad61c0a57a3b6371496034db61675abcdb81811.)

Change-Id: I2fb0ea93b6e812e19723ada3351f842cc7b2fa91
Reviewed-on: https://boringssl-review.googlesource.com/1436
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:09:12 +00:00
Adam Langley
e951ff4fc3 Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(Imported from upstream's 8ca4c4b25e050b881f3aad7017052842b888722d.)

Change-Id: I387e3f6467a0041f6367965ed3c1ad4377b9ac08
Reviewed-on: https://boringssl-review.googlesource.com/1435
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:09:00 +00:00
Matt Caswell
2306fe5ff5 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

(Imported from upstream's 0598468fc04fb0cf2438c4ee635b587aac1bcce6)

Change-Id: I4849498eabb45ec973fcb988d639b23145891e25
Reviewed-on: https://boringssl-review.googlesource.com/1434
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:08:49 +00:00
Matt Caswell
3873f6f33d Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(Imported from upstream's ea7cb5397457c59554155935b677a1dab23bd864)

Change-Id: Idd5ed233028c42d2b921deb424381aad88a0aa84
Reviewed-on: https://boringssl-review.googlesource.com/1433
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 18:20:41 +00:00
Adam Langley
d06afe40ab Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(Imported from upstream's 49850075555893c9c60d5b981deb697f3b9515ea)

Change-Id: Ie40007184f6194ba032b4213c18d36254e80aaa6
Reviewed-on: https://boringssl-review.googlesource.com/1432
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 18:12:41 +00:00
David Benjamin
67454b6f76 Don't X509_up_ref X509_STOREs.
Change-Id: Ic78bec93aedcc06c1496fe374e1c1c77ef70ea4b
Reviewed-on: https://boringssl-review.googlesource.com/1416
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 02:44:31 +00:00
Kenny Root
7fdeaf1101 Retry sending record split fragment when SSL write fails.
When the write size was exactly SSL3_RT_MAX_PLAIN_LENGTH+1 and record
splitting is needed, an extra byte would be added to the max size of the
message to be written. This would cause the requested size to not exceed
the max. If the SSL_WANT_WRITE error were returned, the next packet
would not get the extra byte added to the max packet size since
record_split_done is set. Since a different set of arguments
(SSL3_RT_MAX_PLAIN_LENGTH+1 vs SSL3_RT_MAX_PLAIN_LENGTH) would be passed
to do_ssl3_write, it would return an "SSL3_WRITE_PENDING:bad write
retry" error.

To avoid a failure in the opposite direction, the max variable increment
is removed as well. This can happen when SSL_MODE_ENABLE_PARTIAL_WRITE
is not enabled and the call to ssl3_write_bytes contains, e.g., a buffer
of 2*SSL3_RT_MAX_PLAIN_LENGTH, where the first call into do_ssl3_write
succeeds writing the first SSL3_RT_MAX_PLAIN_LENGTH bytes, but writing
the second SSL3_RT_MAX_PLAIN_LENGTH bytes fails. This means the first
time the the second section of SSL3_RT_MAX_PLAIN_LENGTH bytes has called
do_ssl3_write with "max" bytes, but next call to ssl3_write_bytes in
turn calls into do_ssl3_write with "max+1" bytes.

Change-Id: Icf8453195c1145a54d31b8e8146801118207df03
Reviewed-on: https://boringssl-review.googlesource.com/1420
Reviewed-by: Kenny Root <kroot@google.com>
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 00:08:44 +00:00
David Benjamin
150c617cfc Add X509_up_ref and use it internally.
Avoid needing to manually increment the reference count and using the right
lock, both here and in Chromium.

Change-Id: If116ebc224cfb1c4711f7e2c06f1fd2c97af21dd
Reviewed-on: https://boringssl-review.googlesource.com/1415
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 00:06:34 +00:00
David Benjamin
e6e15fc3a1 Use EVP_PKEY_dup instead of manually incrementing the refcount.
Reference counting should be internal to the type, otherwise callers need to
know which lock to use.

Change-Id: If4d805876a321ef6dece115c805e605584ff311e
Reviewed-on: https://boringssl-review.googlesource.com/1414
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 00:03:56 +00:00
David Benjamin
43ec06f705 Test state machine asynchronous behavior.
Add a framework for testing the asynchronous codepath. Move some handshake
state machine coverage tests to cover a range of record-layer and
handshake-layer asynchronicity.

This adds tests for the previous two async bugs fixed.

Change-Id: I422ef33ba3eeb0ad04766871ed8bc59b677b169e
Reviewed-on: https://boringssl-review.googlesource.com/1410
Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 20:41:58 +00:00
David Benjamin
734fca0890 Fix memory leak in ssl3_get_cert_verify.
Any ssl3_get_* function that takes ownership of something before the
ssl_get_message call can't early-return without cleanup work.

This fixes valgrind on ClientAuth-Server-Async.

Change-Id: Ie7f0b37cac4d4bb7e06c00bae091fee0386c22da
Reviewed-on: https://boringssl-review.googlesource.com/1413
Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 18:07:32 +00:00
David Benjamin
95fcaa4f4b Fix server-side ClientHello state machine.
- DTLS server code didn't account for the new ClientHello state. This looks
  like it only matters if a DTLS server uses select_certificate_cb and returns
  asynchronously.

- State A transitions immediately to B and is redundant. No code distinguishes
  A and B.

- The ssl_get_message call transitions to the second state (originally C). This
  makes the explicit transition to C a no-op. More of a problem,
  ssl_get_message may return asynchronously and remain in its second state if the
  handshake body had not completed yet. Fix this by splitting state C in two.
  Combined with the above change, this results in only the top few states getting
  reshuffled.

This fixes the server async tests.

Change-Id: I46703bcd205988b118217b6424ba4f88e731be5a
Reviewed-on: https://boringssl-review.googlesource.com/1412
Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 18:07:13 +00:00
Alex Chernyakhovsky
6ccf29012c Remove use of freelist_{extract,insert}
With the removal of the freelist itself, these macros are
superfluous. Remove them in favore of OPENSSL_malloc and OPENSSL_free.

Change-Id: I4bfeff8ea087b9e16c7c32d7c1bdb7a07e7dd03e
Reviewed-on: https://boringssl-review.googlesource.com/1389
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:14:51 +00:00
Alex Chernyakhovsky
983f6bdb58 Set OPENSSL_NO_BUF_FREELISTS
The memory freelist maintained by OpenSSL claims to be a performance
optimization for platforms that have a slow malloc/free
implementation. This should not be the case on modern
linux/glibc. Remove the freelist as it poses a potential security
hazard of buffer-reuse that is of "initialized" memory that will not
be caught be tools such as valgrind.

Change-Id: I3cfa6a05f9bdfbbba7820060bae5a673dee43014
Reviewed-on: https://boringssl-review.googlesource.com/1385
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:14:33 +00:00
Alex Chernyakhovsky
75d1589f60 Remove PKCS1_CHECK
The code guarded by PKCS1_CHECK appears to be unhelpful, and the guard
is explicitly undefined in ssl_locl.h Remove both.

Change-Id: I3cd45a744a8f35b02181b1e48fd1ef11af5e6f4a
Reviewed-on: https://boringssl-review.googlesource.com/1383
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:14:21 +00:00
Alex Chernyakhovsky
499b440135 Remove OPENSSL_NO_SHA512
Changes were made by running

find . -type f -name *.c | xargs unifdef -m -U OPENSSL_NO_SHA512
find . -type f -name *.h | xargs unifdef -m -U OPENSSL_NO_SHA512

Change-Id: I5c8a89384c865423aa7b549470068ef18161bce4
Reviewed-on: https://boringssl-review.googlesource.com/1379
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:13:54 +00:00
Alex Chernyakhovsky
69877b6119 Remove OPENSSL_NO_SHA256
Changes were made by running

find . -type f -name *.c | xargs unifdef -m -U OPENSSL_NO_SHA256
find . -type f -name *.h | xargs unifdef -m -U OPENSSL_NO_SHA256

Change-Id: Ia2fda4b1a3a4aad286ced86cf936358fc7a30b15
Reviewed-on: https://boringssl-review.googlesource.com/1378
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:13:46 +00:00
David Benjamin
f4e5c4e106 runner: Implement DHE-RSA.
Use it to test DHE-RSA in BoringSSL.

Change-Id: I88f7bfa76507a6f60234d61d494c9f94b7df4e0a
Reviewed-on: https://boringssl-review.googlesource.com/1377
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:12:58 +00:00
David Benjamin
884fdf1616 runner: Take the build directory as flag.
Don't hardcode the directory.

Change-Id: I5c778a4ff16e00abbac2959ca9c9b4f4c40576f7
Reviewed-on: https://boringssl-review.googlesource.com/1376
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:11:07 +00:00
David Benjamin
2bc8e6fc9a runner: Take the number of workers as a flag.
Default to the number of CPUs. Avoids the tests launching 64 valgrinds in
parallel on machines without gobs of memory.

Change-Id: I9eeb365b48aa7407e303d161f90ce69a591a884c
Reviewed-on: https://boringssl-review.googlesource.com/1375
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:10:58 +00:00
David Benjamin
bef270a9cf Add server-side FallbackSCSV tests.
Assert that inappropriate fallbacks are detected, but if the client_version
matches the server's highest version, do not abort the handshake.

Change-Id: I9d72570bce45e1eb23fc2b74a3c5fca10562e573
Reviewed-on: https://boringssl-review.googlesource.com/1373
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:10:43 +00:00
David Benjamin
d86c7671a8 Add a test to assert parsing V2ClientHellos works.
Should have test coverage there as long as we care about supporting it.

Change-Id: Ic67539228b550f2ebd0b543d5a58640913b0474b
Reviewed-on: https://boringssl-review.googlesource.com/1371
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:10:29 +00:00
Alex Chernyakhovsky
a324603651 Remove OPENSSL_NO_TLS{,1}
A modern TLS library without full support for TLS does not make sense.

Change-Id: I032537d1412f6e4effc9a2dd47123baf0084b4c6
Reviewed-on: https://boringssl-review.googlesource.com/1382
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 19:20:19 +00:00
Alex Chernyakhovsky
c1e293c060 Remove remnants of OPENSSL_NO_CAMELLIA
OPENSSL_NO_CAMELLIA has already been effectively defined, including in
opensslfeatures.h. This commit removes the last ifdef-protected code
guarded by OPENSSL_NO_CAMELLIA.

Change-Id: I58dc79dbe7a77843a641d9216f40f1d7d63fcc40
Reviewed-on: https://boringssl-review.googlesource.com/1380
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 19:19:35 +00:00
David Benjamin
8f0ceb6f27 Remove OPENSSL_MAX_TLS1_2_CIPHER_LENGTH.
It's not built. The problem is worked around by the padding extension now.

Change-Id: If577efdae57d1bca4e0a626486fc0502c3567ebb
Reviewed-on: https://boringssl-review.googlesource.com/1374
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 19:00:30 +00:00
Adam Langley
eb7d2ed1fe Add visibility rules.
This change marks public symbols as dynamically exported. This means
that it becomes viable to build a shared library of libcrypto and libssl
with -fvisibility=hidden.

On Windows, one not only needs to mark functions for export in a
component, but also for import when using them from a different
component. Because of this we have to build with
|BORINGSSL_IMPLEMENTATION| defined when building the code. Other
components, when including our headers, won't have that defined and then
the |OPENSSL_EXPORT| tag becomes an import tag instead. See the #defines
in base.h

In the asm code, symbols are now hidden by default and those that need
to be exported are wrapped by a C function.

In order to support Chromium, a couple of libssl functions were moved to
ssl.h from ssl_locl.h: ssl_get_new_session and ssl_update_cache.

Change-Id: Ib4b76e2f1983ee066e7806c24721e8626d08a261
Reviewed-on: https://boringssl-review.googlesource.com/1350
Reviewed-by: Adam Langley <agl@google.com>
2014-07-31 22:03:11 +00:00
David Benjamin
44dbcc0804 Remove SSL_get_client_certificate_types.
Chromium is no longer using it.

Change-Id: If56340627d2024ff3fb8561405dd0cfc6f4787cb
Reviewed-on: https://boringssl-review.googlesource.com/1346
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:44:16 +00:00
David Benjamin
7bbeead507 A bunch of dead assignments.
Caught by clang scan-build.

Change-Id: I4f10c879dc137d4a14a7a395764d28e5caa033ff
Reviewed-on: https://boringssl-review.googlesource.com/1342
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:44:03 +00:00
David Benjamin
072c953f40 Convert some malloc + memcpys into BUF_memdup.
Slightly tidier.

Change-Id: Ib3cb4dc262c88087bd56b446a6f7a05d1e57ade6
Reviewed-on: https://boringssl-review.googlesource.com/1345
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:42:40 +00:00
David Benjamin
9a37359008 Don't malloc(0) on empty extensions list.
Caught by clang scan-build.

Change-Id: I29092d659f1ac21c6a74b925f6abc0283e7652fc
Reviewed-on: https://boringssl-review.googlesource.com/1344
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:35:38 +00:00
David Benjamin
61b66ffcc2 Fix error-handling bugs.
Caught by clang scan-build.

Change-Id: I133d0338fe38172d687c02099d909366a59ee95b
Reviewed-on: https://boringssl-review.googlesource.com/1343
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:34:55 +00:00
David Benjamin
59b3a728dc Fix some DTLS alerts.
Caught by clang scan-build.

Change-Id: Ib17368557d3e8b2edac91e0441e64c21a5eb1318
Reviewed-on: https://boringssl-review.googlesource.com/1341
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:34:23 +00:00
Adam Langley
482b4f189f Fix DTLS certificate requesting code.
Use same logic when determining when to expect a client certificate for
both TLS and DTLS.

PR#3452

(Imported from upstream's 666a597ffb9bcf3ba2d49e711fcca28df91eff9d)

Change-Id: Ia267255a32c0b3b9a7da1c53f13ef6f620ff5ec1
2014-07-28 17:05:14 -07:00
Adam Langley
887b1c3d49 Don't limit message sizes in ssl3_get_cert_verify.
PR#319 (reoponed version).

(Imported from upstream's 8358302d47c8b6e0680d91ffee11302331f17a69)

Change-Id: I222c454620ab445d4906ee2c2b6a9ad80e56018e
2014-07-28 17:05:13 -07:00
Adam Langley
e3142a788c Make disabling last cipher work.
(Imported from upstream's 8f243ab6c173096943ca079648d240eba1e46dd3)

Change-Id: I929e481842c489aa28f28cf066b4556160a23efe
2014-07-28 17:05:13 -07:00
Adam Langley
3e14885558 Fix memory leak.
PR#2531

(Imported from upstream's 15de0f609c859883347357aaf6cc685c797358bd)

Change-Id: I4ee3a5ce22ee047a8eaa2c74f26971109a23680c
2014-07-28 17:05:13 -07:00
Adam Langley
46cfb0e4ee Remove redundant check.
PR#3174

(Imported from upstream's ec77f276e14f4b835cdd42fa175d74dcda532663)

Change-Id: I7e33d67c201bdd088520d060cc8e4e9713223e69
2014-07-28 17:05:13 -07:00
David Benjamin
7e3305eebd Fix False Start without session tickets.
One of the state transitions wasn't rewritten to CR_CHANGE. Add a test to
exercise this codepath. Also SSL_cutthrough_complete references the state.

Change-Id: Ib2f7ac5ac3f0348864efa93cf13cfd87454572f0
Reviewed-on: https://boringssl-review.googlesource.com/1337
Reviewed-by: Adam Langley <agl@google.com>
2014-07-28 20:31:56 +00:00
Piotr Sikora
108300573f Hook ssl_stat.c into build.
Change-Id: I049b2ed1b83e38375ddb658abf588a8e3355acb8
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-on: https://boringssl-review.googlesource.com/1190
Reviewed-by: Adam Langley <agl@google.com>
2014-07-28 18:50:46 +00:00
David Benjamin
0eb5a2df4a Fix tls1_get_curvelist default curves list size.
The length is the number of elements now, not the size in bytes. Caught by
ASan.

Change-Id: I4c5ccee61711e8d2e272b9bacd292dbff04b5133
Reviewed-on: https://boringssl-review.googlesource.com/1336
Reviewed-by: Adam Langley <agl@google.com>
2014-07-26 02:56:37 +00:00
David Benjamin
0aa0767340 Improve constant-time padding check in RSA key exchange.
Although the PKCS#1 padding check is internally constant-time, it is not
constant time at the crypto/ ssl/ API boundary. Expose a constant-time
RSA_message_index_PKCS1_type_2 function and integrate it into the
timing-sensitive portion of the RSA key exchange logic.

Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3
Reviewed-on: https://boringssl-review.googlesource.com/1301
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:25:15 +00:00
David Benjamin
86271ee9f8 Change CCS_OK to EXPECT_CCS.
Now that the flag is set accurately, use it to enforce that the handshake and
CCS synchronization. If EXPECT_CCS is set, enforce that:

(a) No handshake records may be received before ChangeCipherSpec.

(b) There is no pending handshake data at the point EXPECT_CCS is set.

Change-Id: I04b228fe6a7a771cf6600b7d38aa762b2d553f08
Reviewed-on: https://boringssl-review.googlesource.com/1299
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 17:58:58 +00:00
David Benjamin
cb5abad717 Consolidate CCS_OK paths in s3_clnt.c.
Introduce a CR_CHANGE state just before entering CR_FINISHED_A. This replaces
the CCS_OK in the CR_FINISHED_A/CR_FINISHED_B case which otherwise would get
applied after partial reads of Finished. The other CCS_OK settings are
redundant with this one.

The copy in tls_secret_session_cb codepath is made unnecessary with
9eaeef81fa.

The copy in the normal session resumption case is unnecessary with
6444287806. Before that commit, OpenSSL would
potentially read Finished a state early. Now that we are strict (and get the
book-keeping correct) for expecting the NewSessionTicket message it too is
redundant.

Of particular note is the one after ssl3_send_finished. That was added in
response to upstream's PR#3400. I've reproduced the bug and concluded it was
actually a bug around expecting a NewSessionTicket message. That has been fixed
properly in 6444287806 by resetting
tlsext_expect_ticket on renegotiations.

Change-Id: I6a928386994fcd5efff26a5f0efb12b65bf7f299
Reviewed-on: https://boringssl-review.googlesource.com/1298
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 17:49:12 +00:00
David Benjamin
84ec49e914 Consolidate CCS_OK codepaths in s3_srvr.c.
Rename SSL3_ST_SR_POST_CLIENT_CERT to SSL3_ST_SR_CHANGE and have this be the
point at which CCS_OK is set. The copy before ssl3_get_finished is redundant as
we never transition to SR_FINISHED directly.

Change-Id: I3eefeb821e7ae53d52dacc587fdc59de9ea9a667
Reviewed-on: https://boringssl-review.googlesource.com/1297
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 17:44:40 +00:00
David Benjamin
77a942b7fe Don't use the RSA key exchange with a signing-only key.
This removes the last case where the server generates an RSA key for the
ServerKeyExchange. Remove the code for this. Client support to accept them
still remains.

Leave the APIs for now, but they don't do anything anymore.

Change-Id: I84439e034cc575719f5bc9b3e501165e12b62107
Reviewed-on: https://boringssl-review.googlesource.com/1286
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:35:40 +00:00
David Benjamin
cd9969434c Pass parameters to tls1_process_sigalgs as a CBS.
Slightly cleaner; it means we can use CBS_stow.

Change-Id: I074aa2d73a79648013dea025ee531beeea2af4a2
Reviewed-on: https://boringssl-review.googlesource.com/1287
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:18:38 +00:00
David Benjamin
060d9d2c56 Remove support code for export cipher suites.
Now the only case where temporary RSA keys are used on the server end is
non-signing keys.

Change-Id: I55f6c206e798dd28548c386fdffd555ccc395477
Reviewed-on: https://boringssl-review.googlesource.com/1285
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:14:08 +00:00
David Benjamin
5ffeb7c22f Remove two more quirks.
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG and
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Neither of them have code that's even
enabled.

Change-Id: I866aabe1aa37e8ee145aaeaecaff6704c3ad21bc
Reviewed-on: https://boringssl-review.googlesource.com/1284
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:12:04 +00:00
David Benjamin
b9cc33a4d6 Remove SSL_OP_EPHEMERAL_RSA quirk.
Also fix a place where fixes for the condition for sending ServerKeyExchange in
s3_srvr.c were never propogated to d1_srvr.c. Tidy up that logic to use
ssl_cipher_requires_server_key_exchange and simplify the PSK check.

Change-Id: Ie36d378f733e59a8df405bc869f2346af59bd574
Reviewed-on: https://boringssl-review.googlesource.com/1283
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:11:50 +00:00
David Benjamin
ff175b4a46 unifdef OPENSSL_NO_PSK.
Get those out of the way.

Change-Id: I4cc8c34cf637379ad734c43623f76ae72f22014e
Reviewed-on: https://boringssl-review.googlesource.com/1282
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:11:05 +00:00
David Benjamin
019c3cc64a Remove last remnants of GOST support.
This removes support code for a "stream_mac" mode only used by GOST. Also get
rid of this

   /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */

comment next to it. It's not actually related to GOST (dates to OpenSSL initial
commit), but isn't especially helpful at this point.

Change-Id: Ib13c6e27e16e0d1fb59ed0142ddf913b9abc20b7
Reviewed-on: https://boringssl-review.googlesource.com/1281
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:10:53 +00:00
David Benjamin
0e498f14d2 Remove some remnants of SSLv2 support.
Some ssl23 functions that can be folded into ssl3, declarations and macros that
don't exist anymore.

Change-Id: I8057fb0bab8b6fe7e4da7b90a4945f7f22e29cd9
Reviewed-on: https://boringssl-review.googlesource.com/1280
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:10:41 +00:00
David Benjamin
39482a13ac Remove get_cipher_by_char and put_cipher_by_char.
Without SSLv2, all cipher suite values are 2 bytes. Represent them as a
uint16_t and make all functions pass those around rather than pointers.

This removes SSL_CIPHER_find as it's unused.

Change-Id: Iea0b75abee4352a8333a4b8e39a161430ae55ea6
Reviewed-on: https://boringssl-review.googlesource.com/1259
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:10:29 +00:00
David Benjamin
0eb17906ab Remove support for sending V2ClientHello.
Accepting them as a server is still necessary, but this code is unreachable.
Without SSLv2 support, none of the cipher suites are SSLv2, so
ssl23_no_ssl2_ciphers always returns true and we send a V3ClientHello.

Change-Id: I09030f2c6e375660453c74e4f094d95e9908c3e1
Reviewed-on: https://boringssl-review.googlesource.com/1258
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:10:18 +00:00
David Benjamin
d23f412a8a Improve test coverage around NewSessionTicket message.
Test both when the peer doesn't support session tickets and when the server
promises a NewSessionTicket message but doesn't deliver.

Change-Id: I48f338094002beac2e6b80e41851c72822b3b9d5
Reviewed-on: https://boringssl-review.googlesource.com/1300
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:09:55 +00:00
David Benjamin
072334d943 Consistently use uint16_t for curve IDs.
Don't retain curve IDs in serialized form; serialization only happens when
writing and reading from the wire. The internal representation is a uint16_t
which matches the range of the value and avoids all the checks for the first
byte being 0.

This also fixes a bug in tls1_check_ec_tmp_key's suite B logic; the || should
have been &&, though now it's gone.

This doesn't relieve some of the other assumptions about curve IDs:
tls1_set_curves still assumes that all curve IDs are under 32, and
tls1_ec_curve_id2nid still assumes 0 is not a valid curve ID. Add a
compile-time assert and a comment to document this. We're up to 28 now, so this
may well need to be revised sooner or later.

Remove SSL_get_shared_curve as it's new and unused API, using it in a loop is
O(N^3), and lets us simplify a function.

Change-Id: I82778cb82648d82f7b5de8c5341e0e1febdf5611
Reviewed-on: https://boringssl-review.googlesource.com/1256
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:08:34 +00:00
David Benjamin
f3ec83dee0 Add EarlyChangeCipherSpec tests.
Adapted from patch in https://www.imperialviolet.org/2014/06/05/earlyccs.html.

Change-Id: I14bf314d105780e23e6bd09217870deff5744979
Reviewed-on: https://boringssl-review.googlesource.com/1292
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:05:13 +00:00
David Benjamin
1d5c83e063 Add test coverage for session resumption with tickets.
The shim is now passed two file descriptors. In a session resumption test, the
second is used in an abbreviated handshake immediately after the first.

Change-Id: I1f348c05f1a8ff2881fb46fc9e869696f74071c6
Reviewed-on: https://boringssl-review.googlesource.com/1291
Reviewed-by: Adam Langley <agl@google.com>
2014-07-24 21:04:52 +00:00
David Benjamin
6444287806 Do not allow a Finished message when NewSessionTicket is expected.
Per spec, the server sends it iff it sends the extension in ServerHello. There
is no need to probe for whether Finished is or isn't sent. NSS is strict about
this (wait_new_session_ticket never transitions to wait_change_cipher without a
NewSessionTicket message), so this is safe.

Reset tlsext_ticket_expected in ssl_scan_serverhello_tlsext to ensure state
from the initial handshake doesn't confuse renegotiation.  This is another one
of those per-handshake states that should be systematically reset on each
handshake. For now, reset it properly at least.

Change-Id: I7d16439ce632b9abf42f62d5d8e1303cb6f0be1f
Reviewed-on: https://boringssl-review.googlesource.com/1296
Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 15:53:29 +00:00
David Benjamin
407886f589 Remove ssl3_check_finished.
ssl3_get_new_session_ticket is sensible and fills in a session_id for stateless
sessions, so the resumption will already be detected at this point. Remove the
codepath in ssl3_client_hello which allows for resuming sessions with empty
session_ids. The rest of the code doesn't allow it either.

This removes another codepath where we potentially probe a Finished message
early.

Change-Id: I2749b5c65c7ce98c6f30566d8716360ff1bba24c
Reviewed-on: https://boringssl-review.googlesource.com/1295
Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 15:52:38 +00:00
David Benjamin
9eaeef81fa Set s->hit when using tls_session_secret_cb.
tls_session_secret_cb is used for EAP-FAST which computes the master secret
externally and enters the abbreviated handshake. It appears to only have been
working because ssl3_check_finished would drive it into the appropriate state
afterwards. That, in turn, only has been working because EAP-FAST misuses the
session ticket extension for some other field, so ssl3_check_finished isn't a
no-op.

Instead, set s->hit so it follows the abbreviated state machine directly.

If we ever build wpa_supplicant with BoringSSL, this will require some testing.
(And, if not, this API should be removed.)

Change-Id: Ie2992a9bba049f7120522b996f739906e38a070e
Reviewed-on: https://boringssl-review.googlesource.com/1294
Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 15:50:29 +00:00
David Benjamin
6553b379e2 Don't accidentally read Finished in ssl3_get_cert_verify.
This removes one place where we set CCS_OK. ssl3_get_cert_verify already knows
whether or not to expect a CertificateVerify message, so there is no need to
look ahead and potentially read ChangeCipherSpec early.

Change-Id: I80f4ec218b073c1007b01dbe1e3bd529fb848d37
Reviewed-on: https://boringssl-review.googlesource.com/1293
Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 15:45:55 +00:00
David Benjamin
b61b4de6df Fix runner.go session ticket support.
Some test code to insert a bogus session ticket was retained. Also,
decryptTicket mutated its input, in turn, mutating the ClientHello,
breaking the Finished hash.

The latter fix should probably be merged upstream.

Change-Id: I6949f842c67e19df8742561fb0b849af9f5f099d
Reviewed-on: https://boringssl-review.googlesource.com/1290
Reviewed-by: Adam Langley <agl@google.com>
2014-07-23 15:31:24 +00:00
David Benjamin
42be6456ca Add SkipChangeCipherSpec-Server-NPN test.
Finished isn't always the first post-CCS message.

Change-Id: I4f70eeed57cf732693d07212b096efb2594c5b3c
Reviewed-on: https://boringssl-review.googlesource.com/1288
Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 19:24:32 +00:00
David Benjamin
de620d9c87 runner: Require the CertificateVerify signature and hash to match.
This change can probably be ported over to upstream crypto/tls. The current Go
TLS implementation ignores the signature and hash algorithm lists in
CertificateVerify and CertificateRequest. Take these into account so that our
tests assert OpenSSL fills them out correctly.

Also fix a bug in the original code where 'err' within the switch block get
shadowed.

Change-Id: I5d9c0b31ebb4662ecc767ed885a20707f0e86216
Reviewed-on: https://boringssl-review.googlesource.com/1253
Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 15:59:48 +00:00
David Benjamin
a0e5223bb8 Add SkipChangeCipherSpec tests.
They pass, but this is an error case that is probably worth a test.

Change-Id: I37b2eec34a1781fa8342eea57ee4f9da81ce17ed
Reviewed-on: https://boringssl-review.googlesource.com/1257
Reviewed-by: Adam Langley <agl@google.com>
2014-07-21 02:14:13 +00:00
David Benjamin
ecc0ce7e67 Introduce EVP_PKEY_is_opaque to replace RSA_METHOD_FLAG_NO_CHECK.
Custom RSA and ECDSA keys may not expose the key material. Plumb and "opaque"
bit out of the *_METHOD up to EVP_PKEY. Query that in ssl_rsa.c to skip the
sanity checks for certificate and key matching.

Change-Id: I362a2d5116bfd1803560dfca1d69a91153e895fc
Reviewed-on: https://boringssl-review.googlesource.com/1255
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 23:35:04 +00:00
Adam Langley
37a623cf29 Have BIO_get_mem_data return a size_t and uint8_t*
Change-Id: I883f9c3527b572a2140ae4899cf4409cdc25c6dc
Reviewed-on: https://boringssl-review.googlesource.com/1261
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 17:22:05 +00:00
Adam Langley
6defe177fe Fix typo in DTLS-SRTP extension parsing.
Change-Id: I1fd4c22b20a6272cd65448f5f62b9790d7597aa7
Reviewed-on: https://boringssl-review.googlesource.com/1260
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 00:52:51 +00:00
Adam Langley
045cc5590a Don't delay CKX and Finished for False Start.
Android never did this - they patched out the point in the code that set
the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag when doing False Start.
Also, from the unittests it appears that NSS doesn't do this either.
Thus this change brings BoringSSL into line with existing behaviour.

SSL3_FLAGS_DELAY_CLIENT_FINISHED wasn't introduced with False Start,
it's an option in vanilla OpenSSL. But I can't find anything that uses
it and, since it's going to be untested, I've removed it completely in
this change.

Change-Id: I910537bfa35e74ab88778b83612cf5607d485969
Reviewed-on: https://boringssl-review.googlesource.com/1221
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 18:59:38 +00:00
David Benjamin
2e52121acd Fix magic SSL reason codes.
SSL reason codes corresponding to alerts have special values. Teach
make_errors.go that values above 1000 are reserved (otherwise it will assign
new values in that namespace). Also fix all the existing reason codes which
corresponded to alerts.

Change-Id: Ieabdf8fd59f4802938616934e1d84e659227cf84
Reviewed-on: https://boringssl-review.googlesource.com/1212
Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 18:54:06 +00:00
David Benjamin
8f3234b2c8 Fix another flipped condition.
This one in code that's not compiled though.

Change-Id: I8fb6c2df4669a70223889d31b233b577cf3e6b22
Reviewed-on: https://boringssl-review.googlesource.com/1211
Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 17:11:47 +00:00
David Benjamin
407a10cf43 Fix parsing of CertificateRequests.
Got one of the conditions flipped.

Change-Id: I327a9c13e42865459e8d69a431b0d3a2bc6b54a5
Reviewed-on: https://boringssl-review.googlesource.com/1210
Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 17:07:15 +00:00
David Benjamin
22f9bccde5 Port ssl3_get_client_hello to CBS.
Also fix some DTLS cookie bugs. rcvd_cookie is never referenced after being
saved (and the length isn't saved, so it couldn't be used anyway), and the
cookie verification failed to check the length.

For convenience, add a CBS_mem_equal helper function. Saves a bit of
repetition.

Change-Id: I187137733b069f0ac8d8b1bf151eeb80d388b971
Reviewed-on: https://boringssl-review.googlesource.com/1174
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 18:30:09 +00:00
David Benjamin
14c83e7d00 Refactor PSK logic in ssl3_get_client_key_exchange.
This avoids duplicating the code to build the final premaster in PSK and
ECDHE_PSK. It also ports it to CBB for an initial trial of the API. Computing
the premaster secret now proceeds in four steps:

1. If a PSK key exchange (alg_a), look up the pre-shared key.
2. Compute the premaster secret based on alg_k. If PSK, it's all zeros.
3. If a PSK key exchange (alg_a), wrap the premaster in a struct with the
   pre-shared key.
4. Use the possibly modified premaster to compute the master secret.

Change-Id: Ib511dd2724cbed42c82b82a676f641114cec5470
Reviewed-on: https://boringssl-review.googlesource.com/1173
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 00:02:14 +00:00
David Benjamin
820c74af65 Tidy up some PSK cipher checks.
The only PSK cipher suite that computes the shared secret early is PSK. Also
there were two (unreachable because of earlier checks) codepaths where we're
exit this function without a master secret.

Change-Id: I3b64fc007b83c4bc46ddb6e14382fb285d8095f9
Reviewed-on: https://boringssl-review.googlesource.com/1172
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:56:29 +00:00
David Benjamin
35c023014b Port ssl3_get_client_key_exchange to CBS.
Change-Id: I065554d058395322a4ac675155bfe66c874b47ad
Reviewed-on: https://boringssl-review.googlesource.com/1171
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:56:05 +00:00
David Benjamin
8f8040dd4f Rename ssl3_get_key_exchange to ssl3_get_server_key_exchange.
More consistent with ssl3_send_server_key_exchange and the message name.

Change-Id: If0f435a89bdf117297d349099708fff0bd5a6e98
Reviewed-on: https://boringssl-review.googlesource.com/1170
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:55:35 +00:00
David Benjamin
05da6e1641 Port tls12_check_peer_sigalg to CBS.
This avoids having to do the CBS_skip dance and is better about returning the
right alert.

Change-Id: Id84eba307d7c67269ccbc07a38d9044b6f4f7c6c
Reviewed-on: https://boringssl-review.googlesource.com/1169
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:55:01 +00:00
David Benjamin
a03d95d156 Port ssl3_get_server_hello to CBS.
Change-Id: I8ec531cf327653b4779ff6a29cac62e240502269
Reviewed-on: https://boringssl-review.googlesource.com/1167
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:52:52 +00:00
David Benjamin
46062681ab Port ssl3_get_cert_status to CBS.
Change-Id: I18b68f32fceb0f9273f2d86ec201ebf9350103df
Reviewed-on: https://boringssl-review.googlesource.com/1166
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:42:28 +00:00
David Benjamin
e044c3d8a2 Port ssl3_get_new_session_ticket to CBS.
Change-Id: Iabca923c9be48d001abd3b12b8c6898e604aa85a
Reviewed-on: https://boringssl-review.googlesource.com/1165
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:38:16 +00:00
David Benjamin
ed43958853 Port ssl3_get_key_exchange to CBS.
Also tidy up some variable names and update RSA_verify call for it no longer
returning -1. Add CBS helper functions for dealing with C strings.

Change-Id: Ibc398d27714744f5d99d4f94ae38210cbc89471a
Reviewed-on: https://boringssl-review.googlesource.com/1164
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:37:29 +00:00
David Benjamin
1f5f62b204 Add a server NPN test.
Change-Id: Ib34a24e86bb5de117ecf5609918e130c1ff9532e
Reviewed-on: https://boringssl-review.googlesource.com/1161
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:08:01 +00:00
Adam Langley
4c921e1bbc Move public headers to include/openssl/
Previously, public headers lived next to the respective code and there
were symlinks from include/openssl to them.

This doesn't work on Windows.

This change moves the headers to live in include/openssl. In cases where
some symlinks pointed to the same header, I've added a file that just
includes the intended target. These cases are all for backwards-compat.

Change-Id: I6e285b74caf621c644b5168a4877db226b07fd92
Reviewed-on: https://boringssl-review.googlesource.com/1180
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 22:42:18 +00:00
David Benjamin
6897dbece1 Port ssl3_get_cert_verify to CBS.
Also tidy up a little now that {RSA,ECDSA}_verify don't have two separate error
codes.

Change-Id: Id0e9248f63766771032a131fd96d86d2596ade32
Reviewed-on: https://boringssl-review.googlesource.com/1168
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 21:47:17 +00:00
David Benjamin
67666e7823 Add tests for the server accepting client certificates.
Change-Id: I9acc4363c6b9804d5fe464053393cf16ffb7785c
Reviewed-on: https://boringssl-review.googlesource.com/1159
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 21:45:57 +00:00
David Benjamin
51b1f7427b Make init_msg a uint8_t*.
It's current a void* and gets explicitly cast everywhere. Make it a uint8_t and
only add the casts when converting it come init_buf, which internally stores a
char*.

Change-Id: I28bed129e46ed37ee1ce378d5c3bd0738fc1177f
Reviewed-on: https://boringssl-review.googlesource.com/1163
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 21:43:20 +00:00
David Benjamin
9c651c9ef6 Be strict about requiring ServerKeyExchange.
Missing ServerKeyExchange is handled, but only because it hits an
ERR_R_INTERNAL_ERROR in ssl3_send_client_key_exchange in trying to find the
server ECDH parameters. Be strict about requiring it for ECDHE.

Change-Id: Ifce5b73c8bd14746b8a2185f479d550e9e3f84df
Reviewed-on: https://boringssl-review.googlesource.com/1157
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 21:42:30 +00:00
David Benjamin
ced551f967 Port ssl3_get_next_proto to CBS.
NPNServerTest in runner.go provides test coverage.

Change-Id: I5503ccbc4270e7f9f42ebc30c21e8077a430cf9f
Reviewed-on: https://boringssl-review.googlesource.com/1162
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 21:28:47 +00:00
David Benjamin
d5b1f84d6e Port ssl3_get_client_certificate to CBS.
Server client certificate tests provide test coverage.

Change-Id: I272b8099675f2a747f3ca878327c5f0b6936a988
Reviewed-on: https://boringssl-review.googlesource.com/1160
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 21:27:42 +00:00
David Benjamin
9a6232f34d Port ssl3_get_channel_id to CBS.
Change-Id: I3c36c62b6f073304e89dec5b3dfe3694b6339f6e
Reviewed-on: https://boringssl-review.googlesource.com/1158
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 20:51:28 +00:00
David Benjamin
e8f3d666cc Be strict about expecting a server Certificate message.
Introduce a ssl_cipher_has_server_public_key to save the repeated
NULL/PSK/RSA_PSK[*] check. Don't allow skipping to ServerKeyExchange when
expecting Certificate; the messages expected are determined by the cipher
suite. The ssl3_get_server_public_key call is already guarded.

As the previous test demonstrates, this is safe because of the
ssl3_check_cert_and_algorithm call, but avoid the looseness in the parsing
there.

[*] NB: we don't implement RSA_PSK, and OpenSSL has never implemented it.

Change-Id: I0571e6bcbeb8eb883f77878bdc98d1aa3a287cf3
Reviewed-on: https://boringssl-review.googlesource.com/1156
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 20:50:30 +00:00
David Benjamin
1c375dda8a Add UnauthenticatedECDH bug test.
This works, but there's enough shared codepaths that it's worth a test to
ensure it stays that way.

Change-Id: I5d5a729811e35832170322957258304213204e3b
Reviewed-on: https://boringssl-review.googlesource.com/1155
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 20:50:09 +00:00
David Benjamin
d26aea6c96 Remove remnants of KRB5 support.
This drops the bits of logic that allowed Certificate messages to be optional
for a KRB5 cipher suite.

Change-Id: I2a71b7c13d7e76f4f5542d4074169f80f3617240
Reviewed-on: https://boringssl-review.googlesource.com/1154
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 20:49:57 +00:00
David Benjamin
0c49ec97f4 Fix potential memory leak.
This can't happen because we don't implement RSA_PSK, but we probably should
check here.

Probably |sess_cert| shouldn't be attached to SSL_SESSION anyway; it's only
relevant when initializing the session and if it's accessed afterwards, it'll
be shared and cause problems.

Change-Id: Id868e523195f33c22e057f9b89dc02fe68e9b554
Reviewed-on: https://boringssl-review.googlesource.com/1153
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 20:49:39 +00:00
David Benjamin
5235f74bc2 Fix algorithm_auth and SSL_k* mismatch.
Fixes bug introduced in c26c802a89. Only one of
the two halves got flipped.

Change-Id: I0b3905ab22b0f83f093e1720af85594b1a970a7f
Reviewed-on: https://boringssl-review.googlesource.com/1152
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 20:49:26 +00:00
David Benjamin
7bf334a9ff Perform bounds checks in hmac_signctx.
Match the other EVP_DigestSignFinal implementations. Fix the instances in
ssl/t1_enc.c which were not following the EVP_DigestSignFinal contract; on
entry, *out_len should contain the size of the buffer.

Change-Id: Icd44d97a4c98704dea975798c0101d5a37274d17
Reviewed-on: https://boringssl-review.googlesource.com/1130
Reviewed-by: Adam Langley <agl@google.com>
2014-07-10 20:59:10 +00:00
David Benjamin
0e2908a806 Unify signing codepath of ssl3_send_client_verify.
Instead of, in the pre-TLS-1.2 case, reaching into the EVP and manually
signing, compute the digest separately from signing. Then use EVP_PKEY_sign.
This will make it easier to implement https://crbug.com/347404 by having only
one signing codepath as well as make that logic simpler.

Also add a bounds check while we're here, although the buffer is too large to
actually matter.

runner.go client auth tests should cover code changes.

Change-Id: I7d87181bbcc5a761660412452e508d24c4725327
Reviewed-on: https://boringssl-review.googlesource.com/1122
Reviewed-by: Adam Langley <agl@google.com>
2014-07-10 00:05:14 +00:00
David Benjamin
636293bf25 Add client auth tests.
Change-Id: If3ecae4c97f67085b9880ffa49dd616f1436ce97
Reviewed-on: https://boringssl-review.googlesource.com/1112
Reviewed-by: Adam Langley <agl@google.com>
2014-07-09 21:04:06 +00:00
David Benjamin
7b03051103 Add a test for certificate types parsing.
Change-Id: Icddd39ae183f981f78a65427a4dda34449ca389a
Reviewed-on: https://boringssl-review.googlesource.com/1111
Reviewed-by: Adam Langley <agl@google.com>
2014-07-09 21:03:54 +00:00
David Benjamin
676d1e780e Separate client and server certificate_types.
This is the first of reorganizing state between connection state and handshake
state. The existing set are retained in cert_st for the server; they are server
configuration. The client gets a copy in s->s3->tmp alongside other handshake
state.

With other handshake state moved there, hopefully we can reset that state in
one go and possibly not even maintain it when there is no handshake in
progress.  Rather than currently where we sometimes confused connection state
and handshake state and have to reset as appropriate on renegotiate.

While I'm here, document the fields and name them something more useful than
'ctypes'.

Change-Id: Ib927579f0004fc5c6854fce2127625df669b2b6d
Reviewed-on: https://boringssl-review.googlesource.com/1113
Reviewed-by: Adam Langley <agl@google.com>
2014-07-09 19:51:08 +00:00
David Benjamin
8f2c20eb70 Port early callback support to CBS.
Resolve one of the TODOs since it's quick. Adjust the
-expect-server-name test to assert it both in the normal codepath and
in the early callback, to provide test coverage for
SSL_early_callback_ctx_extension_get.

Change-Id: I4d71158b9fd2f4fbb54d3e51184bd25d117bdc91
Reviewed-on: https://boringssl-review.googlesource.com/1120
Reviewed-by: Adam Langley <agl@google.com>
2014-07-09 16:48:31 +00:00
David Benjamin
35a7a4492d Check duplicate extensions before processing.
ClientHello and ServerHello are not allowed to include duplicate extensions.
Add a new helper function to check this and call as appropriate. Remove ad-hoc
per-extension duplicate checks which are no unnecessary.

Add runner.go tests to verify such message correctly rejected.

Change-Id: I7babd5b642dfec941459512869e2dd6de26a831c
Reviewed-on: https://boringssl-review.googlesource.com/1100
Reviewed-by: Adam Langley <agl@google.com>
2014-07-08 22:17:59 +00:00
David Benjamin
398ba895fb Remove SSL_copy_session_id.
This is the only codepath that allowed a cert_st to be shared between two
ssl_st's. Given that the cert_st currently contains some per-connection and
even per-handshake state, this probably doesn't work.

Remove the function altogether and don't ref-count cert_st.

Change-Id: I66d5346117cb59b6063e7b9b893d1c4b40cb6867
Reviewed-on: https://boringssl-review.googlesource.com/1110
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 22:43:56 +00:00
David Benjamin
9d28c75774 Fix some OPENSSL_PUT_ERROR calls.
The function names are wrong.

Change-Id: Icbaeb541a2dcc504f69af81a7505e5cfbeed91f0
Reviewed-on: https://boringssl-review.googlesource.com/1101
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:32:38 +00:00
David Benjamin
b9621b9c1a Remove is_probably_safari logic.
We handle it externally now.

Change-Id: Ib561f64078809645195fd1a859b3256499038847
Reviewed-on: https://boringssl-review.googlesource.com/1098
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:32:29 +00:00
David Benjamin
5468b23797 Remove rest of DANE code.
We pulled in some of upstream's removal, but not the rest of it.

Change-Id: I8ea6681848f3c59955b7d2ce935c077d024245be
Reviewed-on: https://boringssl-review.googlesource.com/1099
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:32:04 +00:00
David Benjamin
64f4c91b89 Remove OPENSSL_FIPS blocks.
Done with unifdef with some manual edits to remove empty lines.

Change-Id: I40d163539cab8ef0e01e45b7dc6a1a0a37733c3e
Reviewed-on: https://boringssl-review.googlesource.com/1097
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:31:50 +00:00
David Benjamin
6dbd73db5d Remove OPENSSL_NO_TLSEXT compilation option.
Mostly done with unifdef.

Change-Id: I876f79f9e96d77628d696b09694363d07aee6b74
Reviewed-on: https://boringssl-review.googlesource.com/1096
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:31:37 +00:00
Alex Chernyakhovsky
31955f91dc Port Certificate Request parsing to crypto/bytestring
Along the way, clean up the certificate types code to not have the
hard-coded fixed-size array.

Change-Id: If3e5978f7c5099478a3dfa37a0a7059072f5454a
Reviewed-on: https://boringssl-review.googlesource.com/1103
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:27:04 +00:00
Alex Chernyakhovsky
9c890d4b70 Remove SSL_OP_NETSCAPE_CA_DN_BUG
SSL_OP_NETSCAPE_CA_DN_BUG is not included in SSL_OP_ALL.

Change-Id: I1635ad2721ed2742b1dff189d68bfc67a1c840a6
Reviewed-on: https://boringssl-review.googlesource.com/1102
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:21:59 +00:00
Alex Chernyakhovsky
3c5034e97c Remove OPENSSL_NO_RSA
Building without RSA support is unreasonable. Changes were made by
running

find . -type f -name *.c | xargs unifdef -m -U OPENSSL_NO_RSA
find . -type f -name *.h | xargs unifdef -m -U OPENSSL_NO_RSA

using unifdef 2.10 and some newlines were removed manually.

Change-Id: Iea559e2d4b3d1053f28a4a9cc2f7a3d1f6cabd61
Reviewed-on: https://boringssl-review.googlesource.com/1095
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:20:53 +00:00
Alex Chernyakhovsky
c6318e349a Port Server Certificate parsing to crypto/bytestring
Change-Id: I79e5475be4d8d1fe6fcce6ae7ab5b43e0dc98efa
Reviewed-on: https://boringssl-review.googlesource.com/1094
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:20:19 +00:00
David Benjamin
dc72ff75bd Port ClientHello extensions parsing to crypto/bytestring.
Change-Id: I673c929b78bcf6952db8dfb295dd79d455bcb2a0
Reviewed-on: https://boringssl-review.googlesource.com/1070
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 19:48:22 +00:00
Alex Chernyakhovsky
2897ed3634 Remove CHARSET_EBCDIC
Since crypto/ebcdic.{c,h} are not present in BoringSSL, remove the #ifdefs
Changes were made by running

find . -type f -name *.c | xargs unifdef -m -U CHARSET_EBCDIC
find . -type f -name *.h | xargs unifdef -m -U CHARSET_EBCDIC

using unifdef 2.10.

An additional two ifdefs (CHARSET_EBCDIC_not) were removed manually.

Change-Id: Ie174bb00782cc44c63b0f9fab69619b3a9f66d42
Reviewed-on: https://boringssl-review.googlesource.com/1093
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 19:30:35 +00:00
David Benjamin
8af6639565 Fix leak in ssl_parse_clienthello_use_srtp_ext.
If parsing the MKI value fails, clnt is never freed.

Change-Id: Ic85edf0d6efc54ca0828f333bc389c0dbf58f491
Reviewed-on: https://boringssl-review.googlesource.com/1072
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 22:55:24 +00:00
David Benjamin
197b3abaa8 Add a test that server_name extensions are parsed correctly.
Change-Id: Id4025835df49eb498df9a48fc81061541778569b
Reviewed-on: https://boringssl-review.googlesource.com/1092
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 22:52:59 +00:00
David Benjamin
025b3d3459 Add some basic server tests to runner.go.
client_shim.cc and runner.go are generalized to handle both ends. Plumb a bit
through the test case to control which and add server versions of all the
cipher suite tests.

Change-Id: Iab2640b390f7ed7160c9a9bf6bb34b8bec761b2e
Reviewed-on: https://boringssl-review.googlesource.com/1091
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 22:52:02 +00:00
David Benjamin
4c852c5363 Add missing break statement in ssl3_get_client_hello.
dc9b141127 added a default case when importing
the patch but accidentally falls through all the time.

Change-Id: Ieb9beeb9e3ffcf77f2842841eda7d28a62fe8072
Reviewed-on: https://boringssl-review.googlesource.com/1073
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 19:46:50 +00:00
David Benjamin
325b5c3667 Fix FallbackSCSV test.
It wasn't actually testing SSL_enable_fallback_scsv, just that not calling it
didn't send an SCSV. Plumb the 'flag' parameter to testCase through and add a
test that asserts it does get sent when expected. (Make it a []string since Go
doesn't distinguish nil string from "" and for flexibility.)

Change-Id: I124c01e045aebbed5c1d87b7196de7c2026f26f3
Reviewed-on: https://boringssl-review.googlesource.com/1071
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:30:29 +00:00
David Benjamin
2b0aeecabf Remove authz extension (RFC5878)
Found no users of the functions which control the feature. (Also I don't
particularly want to port all of that to CBS...)

Change-Id: I55da42c44d57252bd47bdcb30431be5e6e90dc56
Reviewed-on: https://boringssl-review.googlesource.com/1061
Reviewed-by: Adam Langley <agl@google.com>
2014-07-01 20:48:38 +00:00
David Benjamin
0442ac5ce4 Update comment for TLSEXT_TYPE_renegotiate.
Change-Id: I2b831cf04e15116b849dae714d77602da4cbad91
Reviewed-on: https://boringssl-review.googlesource.com/1064
Reviewed-by: Adam Langley <agl@google.com>
2014-07-01 18:55:50 +00:00
David Benjamin
2e5d686e5a Make ssl_parse_serverhello_use_srtp_ext return 0 on failure.
Match most other functions. 03973096f4 changed
the call site, but not the function itself.

Change-Id: Iac018cbed8a454f50fb0da5e2419f503d8cb652d
Reviewed-on: https://boringssl-review.googlesource.com/1060
Reviewed-by: Adam Langley <agl@google.com>
2014-07-01 18:55:32 +00:00
David Benjamin
fd76191821 Remove opaque_prf_input extension.
This code doesn't even get built unless you go out of your way to pass an
extension value at build time.

Change-Id: I92ffcdfb18505c96e5ef390c8954a54cee19967f
Reviewed-on: https://boringssl-review.googlesource.com/1063
Reviewed-by: Adam Langley <agl@google.com>
2014-07-01 18:55:19 +00:00
David Benjamin
3c1345e9db Remove tlsext_custom_types field.
Remnant of custom extensions support.

Change-Id: I4b91a0962709dccaf7fdf6b118d47d6e0dbadb91
Reviewed-on: https://boringssl-review.googlesource.com/1062
Reviewed-by: Adam Langley <agl@google.com>
2014-07-01 18:54:59 +00:00
Adam Langley
9447dff5a2 Use RC4-MD5 AEAD in ssl/
This change adds the infrastructure to use stateful AEADs in ssl/ and
specifically wires in the stitched, RC4-MD5 AEAD. Over time, all
cipher suites will be supported via the AEAD interface and the old
EVP_CIPHER code will die off.

Change-Id: I44ed3ca2672e1342c6b632be08fee9272d113f8e
Reviewed-on: https://boringssl-review.googlesource.com/1044
Reviewed-by: Adam Langley <agl@google.com>
2014-06-30 23:39:17 +00:00
Loganaden Velvindron
389110ae89 DTLS: fix memory leak when allocation fails.
Change-Id: Ib789362bc0a8aa5460cfce61fef141cb22747b33
2014-06-26 17:46:27 -07:00
David Benjamin
d7e23c17a9 Remove serverinfo and custom extensions support.
If we need an extension, we can implement it in-library.

Change-Id: I0eac5affcd8e7252b998b6c86ed2068234134b08
Reviewed-on: https://boringssl-review.googlesource.com/1051
Reviewed-by: Adam Langley <agl@google.com>
2014-06-26 20:51:50 +00:00
David Benjamin
13ab3e3ce1 Remove heartbeat extension.
Change-Id: I0273a31e49c5367b89b9899553e3ebe13ec50687
Reviewed-on: https://boringssl-review.googlesource.com/1050
Reviewed-by: Adam Langley <agl@google.com>
2014-06-26 20:48:19 +00:00
David Benjamin
03973096f4 Port ServerHello extension parsing to CBS.
This gives us systematic bounds-checking on all the parses. Also adds a
convenience function, CBS_memdup, for saving the current contents of a CBS.

Change-Id: I17dad74575f03121aee3f771037b8806ff99d0c3
Reviewed-on: https://boringssl-review.googlesource.com/1031
Reviewed-by: Adam Langley <agl@google.com>
2014-06-26 20:42:27 +00:00
Adam Langley
8adf4f1d89 Merge "Remove references to AEAD in non-AEAD interface codepath" 2014-06-26 00:59:49 +00:00
Adam Langley
659de419c1 Add ISC header to a handful of files.
A handful of new files were missing the ISC license header.

Change-Id: I44507dd1361b0348d8e0e1bf12d38072030af53d
2014-06-26 10:26:42 -07:00
Victor Vasiliev
508c29fec9 Remove references to AEAD in non-AEAD interface codepath
Since all AEAD ciphers now go through EVP_AEAD interface, the code which
uses EVP_Cipher interface no longer needs any of AEAD handling logic.

This also removes EVP_CTRL_AEAD_TLS1_AAD from GCM interface, which was
duplicating non-TLS-specific GCM logic and is not used anymore.

Change-Id: I5ddae880e7bc921337f9149a0acfdd00c9a478c3
2014-06-25 15:56:05 -04:00
David Benjamin
3f6fa3db62 Remove more remnants of compression.
Change-Id: I721914594fc92a66d95c7ec2088f13b68e964103
2014-06-24 18:43:57 -04:00
David Benjamin
95463b311d Remove crypto/comp and SSL_COMP support code.
Now that the consuming code in ssl/ is removed, there is no need for this.
Leave SSL_COMP and STACK_OF(SSL_COMP) for now so as not to break any code which
manipulates the output of SSL_COMP_get_compression_methods to disable
compression.

Change-Id: Idf0a5debd96589ef6e7e56acf5d9259412b7d7a1
2014-06-24 17:22:06 +00:00
Adam Langley
ac874a968f Merge "Deprecate SSL_get_client_certificate_types." 2014-06-23 21:45:37 +00:00
David Benjamin
5c57c60beb Deprecate SSL_get_client_certificate_types.
OpenSSL added SSL_get0_certificate_types and fixed the truncation (and
subsequent parse error) by adding an alternate copy of the data.
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=9f27b1eec3175305e62eed87faa80e231f319ca0

Make SSL_get_client_certificate_types call SSL_get0_certificate_types to query
the new list. Remove when Chromium is switched over.

Also remove a now unnecessary cast because SSL_get_client_certificate_types
fixed the type of tmp.ctypes. Further fix it to use a size_t and match the
cert_st copy OpenSSL added.

BUG=388000

Change-Id: Ic6653e10e5a3c3ac6b3fe2a2322f388d6ffb0a06
2014-06-23 18:37:12 -04:00
Adam Langley
3213bed728 Remove GOST support code from ssl/
Also remove related quirk, SSL_OP_CRYPTOPRO_TLSEXT_BUG. Glue code is
left in for now.

Change-Id: Ic09593dabf7da6ba3904fffe59f322a7c7cb74f4
2014-06-23 12:26:07 -07:00
Adam Langley
ac61fa379f Implement TLS_FALLBACK_SCSV support for the client.
With this change, calling SSL_enable_fallback_scsv on a client SSL* will
cause the fallback SCSV to be sent.

This is intended to be set when the client is performing TLS fallback
after a failed connection. (This only happens if the application itself
implements this behaviour: OpenSSL does not do fallback automatically.)

The fallback SCSV indicates to the server that it should reject the
connection if the version indicated by the client is less than the
version supported by the server.

See http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02.

Change-Id: I478d6d5135016f1b7c4aaa6c306a1a64b1d215a6
2014-06-23 12:03:11 -07:00
Adam Langley
f3a95c4d67 Reduce elliptic curves and formats in ClientHello.
Advertise support of only the NIST curves P-521, P-384, and P-256, as
well as only uncompressed points.

(Imported from Chromium:
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/openssl/patches.chromium/0005-reduce_client_hello_size.patch?revision=231571)

Change-Id: I0b509b182b224bdf7aa9a4ffed24c00495c2cf75
2014-06-20 15:50:41 -07:00
Adam Langley
94d86b1f67 Remove unused DANE macros. This should be the last DANE stuff...
(Imported from upstream's 23351c607b1cdcbef15b4052f2e9ebc4d2ecbd67)
2014-06-20 13:17:43 -07:00
Adam Langley
a433cbdc4f Accept CCS after sending finished.
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.

PR#3400

(Imported from upstream's 90d94ce39ecc2fad7fb2b8eb6bde0c669a65ee81)
2014-06-20 13:17:43 -07:00
Adam Langley
4c65f3a2f1 Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index
validation before accessing arrays.

PR#3375

(Imported from upstream's 3d86077427f93dc46b18fee706b567ec32ac232a)
2014-06-20 13:17:42 -07:00
Adam Langley
87750b433a Added OPENSSL_assert check as per PR#3377 reported by Rainer Jung <rainer.jung@kippdata.de>
(Imported from upstream's 955bfbc2686153b50aebb045a42d96e5b026e29c)
2014-06-20 13:17:42 -07:00
Adam Langley
0823800db3 Remove unimplemented functions.
(Imported from upstream's 5af09776cecd193a2f2c9a078abd90618fbea55c)
2014-06-20 13:17:42 -07:00
Adam Langley
0fbf33a691 Fixed incorrect return code handling in ssl3_final_finish_mac.
Based on an original patch by Joel Sing (OpenBSD) who also originally
identified the issue.

(Imported from upstream's 728bd41a159ea16a60111e7c1120ec2a005507b3)
2014-06-20 13:17:42 -07:00
Adam Langley
e044fe4bc7 Fix null pointer errors.
PR#3394

(Imported from upstream's cea5a1d5f255a6a186cd7944c4a312612da965f3)
2014-06-20 13:17:42 -07:00
Adam Langley
8314351bcc Update strength_bits for 3DES.
Fix strength_bits to 112 for 3DES.

(Imported from upstream's 05b2210476d3b2b0f24159112ccaea65e55831e5)
2014-06-20 13:17:42 -07:00
Adam Langley
6acf476eb6 Make tls_session_secret_cb work with CVE-2014-0224 fix.
If application uses tls_session_secret_cb for session resumption set the
CCS_OK flag.

(Imported from upstream's a21f350a76b34b66dcaf9c1676baec945f32e980)
2014-06-20 13:17:41 -07:00
Adam Langley
bed2214b3e Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.

(Imported from upstream's eb6508d50c9a314b88ac155bd378cbd79a117c92)
2014-06-20 13:17:41 -07:00
Adam Langley
ce7f9caa98 Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.

(Imported from upstream's 77719aefb8f549ccc7f04222174889615d62057b)
2014-06-20 13:17:41 -07:00
Adam Langley
ec48ffc1fe Additional CVE-2014-0224 protection.
Return a fatal error if an attempt is made to use a zero length
master secret.

(Imported from upstream's 9d2c9dd1e1a452939a733b638d180bb308ce72a9)
2014-06-20 13:17:41 -07:00
Adam Langley
895780572b Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without
recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.

(Imported from upstream's 8942b92c7cb5fa144bd79b7607b459d0b777164c)
2014-06-20 13:17:41 -07:00
Adam Langley
d06eddd15c Fix CVE-2014-3470
Check session_cert is not NULL before dereferencing it.

(Imported from upstream's e5f706590c7b1f19ca34415593aebdb6cbef355b)
2014-06-20 13:17:41 -07:00
Adam Langley
b7bf53c808 Check there is enough room for extension.
(Imported from upstream's 56b94a38b9a2197210a110c4a01a39ac75b34ce8)
2014-06-20 13:17:41 -07:00
Adam Langley
fb5cd20236 Free up s->d1->buffered_app_data.q properly.
PR#3286

(Imported from upstream's d52eb82781eff1f8245ae9c16c84db765f037cbe)
2014-06-20 13:17:41 -07:00
Adam Langley
f10a63b050 Typo: set i to -1 before goto.
PR#3302

(Imported from upstream's 646886682373e76dee233f7b918dec0c83e180fc)
2014-06-20 13:17:41 -07:00
Adam Langley
d74d7d030c Added SSLErr call for internal error in dtls1_buffer_record
(Imported from upstream's de8a5b523f38377c8e0d9098ebff880749156db6)
2014-06-20 13:17:41 -07:00
Adam Langley
3a54f9e015 Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug.
PR#3362

(Imported from upstream's 8de85b00484e7e4ca6f0b6e174fb1dc97db91281)
2014-06-20 13:17:41 -07:00
Adam Langley
ce1cfe169a Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361

(Imported from upstream's 856a4585d6f7a856b90c93792cf1c1ed968d4a4b)
2014-06-20 13:17:40 -07:00
Adam Langley
caddf1c4de Use correct digest when exporting keying material.
PR#3319

(Imported from upstream's 87a0cbdf2ee539ea922f9cf7a4b7c2c03119891d)
2014-06-20 13:17:40 -07:00
Adam Langley
b4b9914f74 Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(Imported from upstream's 2312a84ca17c5ac133581552df7024957cf15bc8)
2014-06-20 13:17:40 -07:00
Adam Langley
45fb1eca0d Sync with upstream's fix for PR#3321.
(Imported from upstream's f710c3f198c9980a1056bac9b4b9617554254671)
2014-06-20 13:17:40 -07:00
Adam Langley
041240485d Avoid out-of-bounds write in SSL_get_shared_ciphers
PR: 3317

(Imported from upstream's 8571902e238ba2ef1517185c2a662c03f51dc1bf and
1f5bce2dcebbb5059c2a5ecf4037432e8041cc07)
2014-06-20 13:17:40 -07:00
Adam Langley
9611cfcb9f safety check to ensure we dont send out beyond the users buffer
(Imported from upstream's 011ee91105f00cb2465110ce6431b11b51556d08 and
f2ebe2a60eacf3e348898175be82971b57d72327)
2014-06-20 13:17:40 -07:00
Adam Langley
f77452c572 fix coverity issue 966597 - error line is not always initialised
(Imported from upstream's afe343c3a7077caeaad43a9f2ee7e5d7f70076e5)
2014-06-20 13:17:40 -07:00
Adam Langley
4a35a93a12 Fix use after free.
(Imported from upstream's a0fe2e72c48166c9c4bb423397723de1fb6227b0)
2014-06-20 13:17:40 -07:00
Adam Langley
56475207be Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)

(Imported from upstream's 7e840163c06c7692b796a93e3fa85a93136adbb2)
2014-06-20 13:17:39 -07:00
Adam Langley
dacb502cf4 Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml

(Imported from upstream's 6411b83e52fdfd0d3563d50a4dc00838b142fb2c)
2014-06-20 13:17:39 -07:00
Adam Langley
db4f9521b5 Fix memory leak with client auth.
(Imported from upstream's bc5ec653ba65fedb1619c8182088497de8a97a70)
2014-06-20 13:17:39 -07:00
Adam Langley
64c2223310 Update chain building function.
Don't clear verification errors from the error queue unless
SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR is set.

If errors occur during verification and
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR is set return 2 so applications can
issue warnings.

(Imported from upstream's 2dd6976f6d02f98b30c376951ac38f780a86b3b5)
2014-06-20 13:17:39 -07:00
Adam Langley
dff7b9e11b Allow duplicate certs in ssl_build_cert_chain
(Imported from upstream's 662239183da08d687dc939211ac09d0a5c3a5b93)
2014-06-20 13:17:39 -07:00
Adam Langley
9f61d7f4a1 ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201

(Imported from upstream's 8d08627c940900998d02a0dff0566db736efb94f)
2014-06-20 13:17:38 -07:00
Adam Langley
f669c2d91a New chain building flags.
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

(Imported from upstream's c5ea65b157e17743c881b9e348524b0281b3d39f)
2014-06-20 13:17:38 -07:00
Adam Langley
b6333d600e Return per-certificate chain if extra chain is NULL.
If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only

(Imported from upstream's e0d4272a583c760ce008b661b79baf8b3ff24561 and
3bff195dca617c4ec1630945fef93b792b418cc8)
2014-06-20 13:17:38 -07:00
Adam Langley
80842bdb44 Fix test of first of 255 CBC padding bytes.
Thanks to Peter Gijsels for pointing out that if a CBC record has 255
bytes of padding, the first was not being checked.
2014-06-20 13:17:37 -07:00
Adam Langley
01797e309f psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.
2014-06-20 13:17:37 -07:00
Adam Langley
aed2306b9d Refactor ssl3_send_client_verify.
The original logic was a confusing spaghetti and mixed up initialization
for all the different cases together.
2014-06-20 13:17:37 -07:00
Adam Langley
28acbbc2d6 Add SSL_get_client_certificate_types.
Exposes the certificate_types parameter in a CertificateRequest.

Transplanted from https://codereview.chromium.org/254723002/
2014-06-20 13:17:36 -07:00
Adam Langley
c3174b7b2d Move ECC extensions to end.
Move ECC SSL extensions to the end.

WebSphere Application Server 7.0 appears to be intolerant of an empty
extension at the end. To that end, also ensure we never send an empty
padding extension.
2014-06-20 13:17:36 -07:00
Adam Langley
c6c8ae8fae Fix use-after-free after a deferred alert.
The KLEE folks (who do symbolic execution of code) found a crash:
http://marc.info/?l=openssl-dev&m=139809493725682&w=2
2014-06-20 13:17:36 -07:00
Adam Langley
0289c73051 Fix TLS-PSK identity hint implementation issues.
PSK identity hint can be stored in SSL_CTX and in SSL/SSL_SESSION,
similar to other TLS parameters, with the value in SSL/SSL_SESSION
taking precedence over the one in SSL_CTX. The value in SSL_CTX is
shared (used as the default) between all SSL instances associated
with that SSL_CTX, whereas the value in SSL/SSL_SESSION is confined
to that particular TLS/SSL connection/session.

The existing implementation of TLS-PSK does not correctly distinguish
between PSK identity hint in SSL_CTX and in SSL/SSL_SESSION. This
change fixes these issues:
1. SSL_use_psk_identity_hint does nothing and returns "success" when
   the SSL object does not have an associated SSL_SESSION.
2. On the client, the hint in SSL_CTX (which is shared between
   multiple SSL instances) is overwritten with the hint received from
   server or reset to NULL if no hint was received.
3. On the client, psk_client_callback is invoked with the hint from
   SSL_CTX rather than from current SSL/SSL_SESSION (i.e., the one
   received from the server). Issue #2 above masks this issue.
4. On the server, the hint in SSL/SSL_SESSION is ignored and the hint
   from SSL_CTX is sent to the client.
5. On the server, the hint in SSL/SSL_SESSION is reset to the one in
   SSL_CTX after the ClientKeyExchange message step.

This change fixes the issues by:
* Adding storage for the hint in the SSL object. The idea being that
  the hint in the associated SSL_SESSION takes precedence.
* Reading the hint during the handshake only from the associated
  SSL_SESSION object.
* Initializing the hint in SSL object with the one from the SSL_CTX
  object.
* Initializing the hint in SSL_SESSION object with the one from the
  SSL object.
* Making SSL_use_psk_identity_hint and SSL_get_psk_identity_hint
  set/get the hint to/from SSL_SESSION associated with the provided
  SSL object, or, if no SSL_SESSION is available, set/get the hint
  to/from the provided SSL object.
* Removing code which resets the hint during handshake.
2014-06-20 13:17:36 -07:00
Adam Langley
a5dc545bbc Set SID from SSL_CTX
This change ensures that the session ID context of an SSL* is updated
when its SSL_CTX is updated.
2014-06-20 13:17:36 -07:00
Adam Langley
dc9b141127 Early callback support. 2014-06-20 13:17:36 -07:00
Adam Langley
b0c235ed36 TLS extension limit check fixes.
Fix limit checks in ssl_add_clienthello_tlsext and
ssl_add_serverhello_tlsext.

Some of the limit checks reference p rather than ret. p is the original
buffer position, not the current one. Fix those and rename p to orig so
it's clearer.
2014-06-20 13:17:36 -07:00
Adam Langley
2970779684 Fallback SCSV.
This patch adds server-side support for TLS_FALLBACK_SCSV (see
http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01).
2014-06-20 13:17:36 -07:00
Adam Langley
735107652b Const correctness.
This change fixes a number of build warnings.
2014-06-20 13:17:36 -07:00
Adam Langley
858a88daf2 Equal preference cipher groups.
This change implements equal-preference groups of cipher suites. This
allows, for example, a server to prefer one of AES-GCM or ChaCha20
ciphers, but to allow the client to pick which one. When coupled with
clients that will boost AES-GCM in their preferences when AES-NI is
present, this allows us to use AES-GCM when the hardware exists and
ChaCha20 otherwise.
2014-06-20 13:17:35 -07:00
Adam Langley
c26c802a89 Implement ECDHE-PSK-WITH-AES-128-GCM-SHA256. 2014-06-20 13:17:35 -07:00
Adam Langley
d493d5289d CBC record splitting.
This patch removes support for empty records (which is almost
universally disabled via SSL_OP_ALL) and adds optional support for 1/n-1
record splitting.

The latter is not enabled by default, since it's not typically used on
servers, but it should be enabled in web browsers since there are known
attacks in that case (see BEAST).
2014-06-20 13:17:35 -07:00
Adam Langley
509e5ed201 Optionally no cert request if ChannelID.
This change allows a server be to configured to skip a
CertificateRequest if the client presented a ChannelID.
2014-06-20 13:17:35 -07:00
Adam Langley
5c270c590d Use AEAD for AES256-GCM. 2014-06-20 13:17:35 -07:00
Adam Langley
de0b202684 ChaCha20-Poly1305 support. 2014-06-20 13:17:35 -07:00
Adam Langley
d8983ce0f2 Use AEAD for AES-GCM in TLS. 2014-06-20 13:17:35 -07:00
Adam Langley
c9fb37504f SSL AEAD support.
This change allows AEADs to be used in ssl/ to implement SSL/TLS
ciphersuites.
2014-06-20 13:17:34 -07:00
Adam Langley
a5fa5b7bb6 tls1_change_cipher_state rewrite
The previous version of the function made adding AEAD changes very
difficult. This change should be a semantic no-op - it should be purely
a cleanup.
2014-06-20 13:17:34 -07:00
Adam Langley
1b9d47735c Optionally don't store client's cipher list.
This change causes the client's list of ciphers to be freed as soon as
we have sent a server-hello. This saves small, but useful, amount of
memory.
2014-06-20 13:17:34 -07:00
Adam Langley
0b5c1ac8ad TLS 1.1 ciphers.
This patch adds support for a different cipher list when the connection
is using TLS 1.1. This is intended to support the case where we want to
use AES with >= TLS 1.1 clients but RC4 otherwise because of the BEAST
attack.
2014-06-20 13:17:34 -07:00
Adam Langley
acff73f227 Constant-time, RSA PMS processing.
This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.
2014-06-20 13:17:34 -07:00
Adam Langley
4d4bff89bb Cipher family functions.
This change adds functions to check membership of various cipher
families. Clients and servers need this in order to optimise the size of
records because different families have different amounts of prefix and
postfix overhead.
2014-06-20 13:17:33 -07:00
Adam Langley
48105fa215 Empty record limit.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.
2014-06-20 13:17:33 -07:00
Adam Langley
1258b6a756 ChannelID support.
Implement ChannelID as both a client and server.
2014-06-20 13:17:33 -07:00
Adam Langley
75872534c2 Optionally, retain only SHA-256 of client cert.
Adds an option to retain only the SHA256 of a client certificate in
memory and in the serialized session state.
2014-06-20 13:17:33 -07:00
Adam Langley
95f22882a7 Add function to test headers agree.
Add a function to test that structure sizes match inside and outside of
OpenSSL.
2014-06-20 13:17:33 -07:00
Adam Langley
b2ce05839b Add support for asynchronous session lookup. 2014-06-20 13:17:32 -07:00
Adam Langley
adb739e1e5 False Start support.
(Called "cut through" for historical reasons in this patch.)

Enables SSL3+ clients to send application data immediately following the
Finished message even when negotiating full-handshakes.  With this
patch, clients can negotiate SSL connections in 1-RTT even when
performing full-handshakes.
2014-06-20 13:17:32 -07:00
Adam Langley
95c29f3cd1 Inital import.
Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta).

(This change contains substantial changes from the original and
effectively starts a new history.)
2014-06-20 13:17:32 -07:00