| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
| |
|
|
|
|
|
|
| |
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Also consolidate it into the one place, since there is no reason to write
the epoch and sequence out later.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
comments to their correct places.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
invalid change cipher spec. Found due to dead assignment warnings
by the Clang static analyzer.
ok inoguchi (previous version), jsing
|
| |
|
|
|
|
|
|
|
|
| |
In January 2017, we changed large amounts of libssl's data structures to
be non-visible/internal, however intentionally left things that the
software ecosystem was needing to use. The four or so applications that
reached into libssl for record layer related state now implement
alternative code. As such, make these data structures internal.
ok tb@
|
| |
|
|
|
|
| |
This code has been rotting since 2006.
ok bcook@ tb@
|
| |
|
|
|
|
|
| |
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
| |
|
|
|
|
|
| |
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
| |
|
|
|
|
| |
and defines since they are the same everywhere.
ok beck@
|
| |
|
|
|
|
|
| |
the awkward API provided by ssl3_read_n(). Call these when we need to
read or extend a packet.
ok beck@
|
| |
|
|
| |
set and cleared via existing functions.
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
|
| |
so these should not be diddled with directly
ok jsing@
|
| |
|
|
| |
other perversions touches them sickly and unnaturally.
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
internal.
ok beck@
|
| |
|
|
|
|
| |
known to be used by ports.
ok beck@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
three functions that were removed a while ago
ok jsing@
|
| |
|
|
|
|
| |
ssl3_ prefix.
ok beck@
|
| |
|
|
|
|
|
| |
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.
ok bcook@ miod@
|
| |
|
|
|
|
| |
The p initialization was hiding this bug but Coverity 126279 saw it.
ok miod@ bcook@ beck@
|
| |
|
|
|
|
|
| |
Changed return value from void to int. It should never return an error
given that the input length is not checked yet.
ok miod@
|
| |
|
|
| |
ok miod@, input + ok jsing@
|
| |
|
|
|
|
|
|
| |
The "if" is a bit ugly, but this does remove a lot of repetitive code.
This will be converted to CBS later as well.
ok miod@
jsing@ roughly ok with it after seeing the CBS version
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
|
|
|
|
|
| |
jsg@ noticed that some of the lines in libssl and libcrypto are not
indented properly. At a quick glance, it looks like it has a different
control flow than it really does. I checked the history in our tree and
in OpenSSL to make sure these were simple mistakes.
ok miod@ jsing@
|
| |
|
|
|
|
|
|
| |
OpenBSD does not have SCTP support and it sees little use in the wild.
OPENSSL_NO_SCTP is already specified via opensslfeatures.h, hence this
is a code removal only and symbols should remain unchanged.
ok beck@ miod@ tedu@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were four bugs fixed by this patch:
* dtls1_buffer_record() now frees rdata->rbuf.buf on error. Since
s->s3->rbuf was memset, rdata->rbuf is the only pointer left which
points to the old rbuf. On error, rdata is freed so there will not
be any way of freeing this memory unless we do it here.
* Changed the return code of dtls1_buffer_record() to differentiate
between queue full (0) and error (-1). See below as this differs
from upstream.
* Handle errors if calls to dtls1_buffer_record() fail with -1.
Previously, it did not check the return value.
* Changed the way receipts are recorded. Previously, it was recorded
when processed successfully (whether buffered or not) in
dtls1_process_record(). Now, it records when it is handled in
dtls1_get_record(): either when it is entered into the queue to buffer
for the next epoch or when it is processed directly. Processing
buffered records does not add a receipt because it needed one in
order to get into the queue.
The above bugs combined contributed to an eventual DoS through memory
exhaustion. The memory leak came from dtls1_buffer_record()'s error
handling. The error handling can be triggered by a duplicate record
or malloc failure. It was possible to add duplicate records because
they were not being dropped. The faulty receipts logic did not detect
replays when dealing with records for the next epoch. Additionally,
dtls1_buffer_record()'s return value was not checked so an attacker
could send repeated replay records for the next epoch.
Reported to OpenSSL by Chris Mueller.
Patch based on OpenSSL commit 103b171d8fc282ef435f8de9afbf7782e312961f
and BoringSSL commit 44e2709cd65fbd2172b9516c79e56f1875f60300.
Our patch matches BoringSSL's commit. OpenSSL returns 0 when the queue
is full or when malloc() or pitem_new() fails. They return -1 on error
including !ssl3_setup_buffers() which is another failure to allocate
memory.
BoringSSL and LibreSSL changed the return code for dtls1_buffer_record()
to be 1 on success, 0 when the queue is full and -1 on error.
input + ok bcook@, jsing@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
SSL3_RT_HANDSHAKE replays.
Reported by Markus Stenberg <markus.stenberg at iki.fi> - thanks!
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
| |
|
|
| |
to only apply to s23_srvr.c.
|
| |
|
|
|
|
|
|
|
|
|
| |
saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
| | |
|
| |
|
|
|
| |
more friendly to systems where the underscore flavours may be defined as empty.
Found the hard way be bcook@; joint brainstrom with bcook beck and guenther
|
| |
|
|
|
|
| |
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
|
| |
|
|
|
|
|
| |
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.
ok beck@ miod@
|
| | |
|
| |
|
|
|
|
|
|
| |
Just kidding!
unifdef OPENSSL_NO_TLS since we will never want to actually do that.
ok deraadt@
|
| |
|
|
| |
a not quite appropriate data structure. ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DTLS code had a chunk that checked to see if the SSL version was *not*
DTLS. Turns out that this is inside a big #if 0 block with a comment
explaining why DTLS will never need this code...
The DTLS code was clearly written by wholesale copying the SSLv3 code.
Any code not applicable to DTLS was seemingly #if 0'd or commented out
and left for others to find.
d1_pkt.c is copied from s3_pkt.c and it has a do_dtls1_write() function
that has the same function signature as do_ssl3_write(), except that the
create_empty_fragement (yes, that is the spelling in ssl_locl.h) argument
is unused for DTLS (although there is code that pretends to use it) since
it uses explicit IV (as the comment notes).
Instead of leaving this turd lying around, nuke the #if 0'd code (along
with the check for *not* DTLS) and remove the pointless
create_empty_fragment argument given the only two do_dtls1_write() calls
specify zero.
This kind of thing also makes you wonder how much actual peer review
occurred before the code was initially committed...
ok beck@
|
| |
|
|
|
|
|
|
| |
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.
ok miod@
|
