path: root/src/lib/libssl/d1_pkt.c

Commit log (each entry: commit message, then author, date, files changed, lines -/+):
* Release read and write buffers using freezero(). (jsing, 2020-09-24, 1 file, -3/+3)
  Provide a ssl3_release_buffer() function that correctly frees a buffer and call it from the appropriate locations. While here also change ssl3_release_{read,write}_buffer() to void since they cannot fail and no callers check the return value currently.
  ok beck@ inoguchi@ tb@
* Start replacing the existing TLSv1.2 record layer. (jsing, 2020-08-30, 1 file, -85/+5)
  This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
  ok inoguchi@ tb@
* Increment the epoch in the same place for both read and write. (jsing, 2020-08-11, 1 file, -3/+3)
  ok inoguchi@ tb@
* Use 0 instead of 0x00 for memset() calls. (jsing, 2020-08-11, 1 file, -4/+4)
  ok inoguchi@ tb@
* Use CBB more correctly when writing SSL3/DTLS records. (jsing, 2020-08-09, 1 file, -25/+43)
  Previously we used CBB to build the record headers, but not the entire record. Use CBB_init_fixed() upfront, then build the record header and add space for the record content. However, in order to do this we need to determine the length of the record upfront. This simplifies the code, removes a number of manual bounds checks and makes way for further improvements.
  ok inoguchi@ tb@
* Make the explicit IV length handling in DTLS the same as SSL3/TLS. (jsing, 2020-08-09, 1 file, -8/+13)
  ok inoguchi@ tb@
* Check the return value of tls1_enc() in the write path. (jsing, 2020-08-02, 1 file, -3/+3)
  The write path can return a failure in the AEAD path and there is no reason not to check a return value. Spotted by tb@ during another review.
  ok tb@
* Clean up/simplify more of the dtls1/ssl3 record writing code: (jsing, 2020-08-01, 1 file, -48/+25)
  - Make the DTLS code much more consistent with the ssl3 code.
  - Avoid assigning wr->input and wr->length just so they can be used as arguments to memcpy().
  - Remove the arc4random_buf() call for the explicit IV, since tls1_enc() already does this for us.
  ok tb@
* Clean up and simplify some of the SSL3/DTLS1 record writing code. (jsing, 2020-07-30, 1 file, -19/+14)
  This will allow for further changes to be made with less complexity and easier review. In particular, decide if we need an empty fragment early on and only do the alignment calculation once (rather than in two separate parts of the function).
  ok tb@ inoguchi@
* Remove dtls1_enc(). (jsing, 2020-03-13, 1 file, -4/+4)
  Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code. The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
  ok tb@
* Stop overloading the record type for padding length. (jsing, 2020-03-12, 1 file, -3/+2)
  Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
  ok inoguchi@ tb@
* Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA. (jsing, 2020-03-12, 1 file, -20/+19)
  SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
  ok inoguchi@ tb@
* Remove the enc function pointers. (jsing, 2020-03-10, 1 file, -6/+4)
  The enc function pointers do not serve any purpose these days - remove a layer of indirection and call dtls1_enc()/tls1_enc() directly.
  ok inoguchi@ tb@
* Convert the DTLS header creation code to CBB. (jsing, 2020-02-21, 1 file, -20/+27)
  Also consolidate it into the one place, since there is no reason to write the epoch and sequence out later.
  ok inoguchi@ tb@
* Remove some commented code, remove some pointless comments and move some comments to their correct places. (jsing, 2020-02-21, 1 file, -17/+6)
  ok inoguchi@ tb@
* Remove prefix_len, since it is always zero. (jsing, 2020-02-21, 1 file, -4/+3)
  ok inoguchi@ tb@
* Send SSL_AD_DECODE alerts in the case of a bad hello request or an invalid change cipher spec. (tb, 2018-12-03, 1 file, -7/+7)
  Found due to dead assignment warnings by the Clang static analyzer.
  ok inoguchi (previous version), jsing
* Make more of libssl's record layer state internal. (jsing, 2018-10-24, 1 file, -18/+18)
  In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
  ok tb@
* unifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE. (jsing, 2018-08-24, 1 file, -21/+2)
  This code has been rotting since 2006.
  ok bcook@ tb@
* Move state from ssl->internal to the handshake structure. (beck, 2017-05-07, 1 file, -10/+10)
  While we are at it, convert SSLerror to use a function internally, so that we may later allocate the handshake structure and check for it.
  ok jsing@
* Change SSLerror() back to taking two args, with the first one being an SSL *. (beck, 2017-02-07, 1 file, -21/+21)
  Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *.
  ok jsing@ after us both being prodded by bluhm@ to make it not terrible
* Send the error function codes to rot in the depths of hell where they belong. (beck, 2017-01-26, 1 file, -21/+21)
  We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code.
  ok jsing@
* Remove most of SSL3_ENC_METHOD - we can just inline the function calls and defines since they are the same everywhere. (jsing, 2017-01-26, 1 file, -3/+3)
  ok beck@
* Provide ssl3_packet_read() and ssl3_packet_extend() functions that improve the awkward API provided by ssl3_read_n(). (jsing, 2017-01-25, 1 file, -19/+12)
  Call these when we need to read or extend a packet.
  ok beck@
* Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions. (jsing, 2017-01-23, 1 file, -4/+4)
* Split most of SSL_METHOD out into an internal variant, which is opaque. (jsing, 2017-01-23, 1 file, -5/+5)
  Discussed with beck@
* Send state and rstate from ssl_st into internal. There are accessors so these should not be diddled with directly. (beck, 2017-01-23, 1 file, -18/+18)
  ok jsing@
* Move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally. (beck, 2017-01-23, 1 file, -8/+8)
* Move a large part of ssl_st into internal, so we can see what squeals. (beck, 2017-01-23, 1 file, -50/+50)
  ok jsing@
* Move the callbacks from ssl_st to internal. (beck, 2017-01-23, 1 file, -26/+26)
  ok jsing@
* Move callback function pointers and argument pointers from SSL_CTX to internal. (jsing, 2017-01-23, 1 file, -5/+5)
  ok beck@
* Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports. (jsing, 2017-01-22, 1 file, -46/+46)
  ok beck@
* Move most of DTLS1_STATE to internal. (beck, 2017-01-22, 1 file, -60/+60)
  ok jsing@
* Make do_dtls1_write() static to d1_pkt.c and delete declarations for three functions that were removed a while ago. (guenther, 2016-11-04, 1 file, -1/+5)
  ok jsing@
* Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix. (jsing, 2015-09-11, 1 file, -2/+2)
  ok beck@
* Remove support for DTLS_BAD_VER. (jsing, 2015-09-10, 1 file, -8/+1)
  We do not support non-standard and incomplete implementations just so that we can interoperate with products from vendors who have not bothered to fix things in the last ~10 years.
  ok bcook@ miod@
* Assign p to CBS_data since it is used later. (doug, 2015-07-19, 1 file, -2/+3)
  The p initialization was hiding this bug but Coverity 126279 saw it.
  ok miod@ bcook@ beck@
* Convert dtls1_get_message_header to CBS and change to int. (doug, 2015-07-18, 1 file, -2/+3)
  Changed return value from void to int. It should never return an error given that the input length is not checked yet.
  ok miod@
* Convert dtls1_get_record to CBS. (doug, 2015-07-18, 1 file, -21/+28)
  ok miod@, input + ok jsing@
* Remove repeated code in dtls1_get_record. (doug, 2015-07-18, 1 file, -40/+16)
  The "if" is a bit ugly, but this does remove a lot of repetitive code. This will be converted to CBS later as well.
  ok miod@ jsing@ roughly ok with it after seeing the CBS version
* KNF whitespace. (doug, 2015-06-17, 1 file, -15/+16)
  ok miod@ jsing@
* Fix bad indenting in LibreSSL. (doug, 2015-06-13, 1 file, -2/+2)
  jsg@ noticed that some of the lines in libssl and libcrypto are not indented properly. At a quick glance, it looks like it has a different control flow than it really does. I checked the history in our tree and in OpenSSL to make sure these were simple mistakes.
  ok miod@ jsing@
* Jettison DTLS over SCTP. (jsing, 2015-02-09, 1 file, -88/+1)
  OpenBSD does not have SCTP support and it sees little use in the wild. OPENSSL_NO_SCTP is already specified via opensslfeatures.h, hence this is a code removal only and symbols should remain unchanged.
  ok beck@ miod@ tedu@
* Fix DTLS memory leak (CVE-2015-0206). (tag libressl-v2.1.3; doug, 2015-01-21, 1 file, -9/+23)
  There were four bugs fixed by this patch:
  - dtls1_buffer_record() now frees rdata->rbuf.buf on error. Since s->s3->rbuf was memset, rdata->rbuf is the only pointer left which points to the old rbuf. On error, rdata is freed so there will not be any way of freeing this memory unless we do it here.
  - Changed the return code of dtls1_buffer_record() to differentiate between queue full (0) and error (-1). See below as this differs from upstream.
  - Handle errors if calls to dtls1_buffer_record() fail with -1. Previously, it did not check the return value.
  - Changed the way receipts are recorded. Previously, it was recorded when processed successfully (whether buffered or not) in dtls1_process_record(). Now, it records when it is handled in dtls1_get_record(): either when it is entered into the queue to buffer for the next epoch or when it is processed directly. Processing buffered records does not add a receipt because it needed one in order to get into the queue.

  The above bugs combined contributed to an eventual DoS through memory exhaustion. The memory leak came from dtls1_buffer_record()'s error handling. The error handling can be triggered by a duplicate record or malloc failure. It was possible to add duplicate records because they were not being dropped. The faulty receipts logic did not detect replays when dealing with records for the next epoch. Additionally, dtls1_buffer_record()'s return value was not checked so an attacker could send repeated replay records for the next epoch.

  Reported to OpenSSL by Chris Mueller. Patch based on OpenSSL commit 103b171d8fc282ef435f8de9afbf7782e312961f and BoringSSL commit 44e2709cd65fbd2172b9516c79e56f1875f60300. Our patch matches BoringSSL's commit. OpenSSL returns 0 when the queue is full or when malloc() or pitem_new() fails. They return -1 on error including !ssl3_setup_buffers() which is another failure to allocate memory.

  BoringSSL and LibreSSL changed the return code for dtls1_buffer_record() to be 1 on success, 0 when the queue is full and -1 on error.
  input + ok bcook@, jsing@
* Remove trailing whitespace. (jsing, 2014-12-14, 1 file, -15/+15)
* Sort and group includes. (jsing, 2014-11-16, 1 file, -4/+7)
* Avoid a NULL pointer dereference that can be triggered by SSL3_RT_HANDSHAKE replays. (jsing, 2014-10-22, 1 file, -2/+2)
  Reported by Markus Stenberg <markus.stenberg at iki.fi> - thanks!
  ok deraadt@
* Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes(). (jsing, 2014-10-18, 1 file, -3/+2)
  arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code. It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
  ok beck@ deraadt@ miod@
* Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c. (miod, 2014-08-07, 1 file, -4/+2)
* When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library). Instead, compare for the exact value it ought to return upon success. (miod, 2014-08-07, 1 file, -2/+4)
  ok deraadt@