aboutsummaryrefslogtreecommitdiff
path: root/openssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/ssl')
-rw-r--r--openssl/ssl/d1_both.c23
-rw-r--r--openssl/ssl/d1_lib.c9
-rw-r--r--openssl/ssl/d1_pkt.c41
-rw-r--r--openssl/ssl/d1_srvr.c2
-rw-r--r--openssl/ssl/s3_clnt.c6
-rw-r--r--openssl/ssl/s3_enc.c3
-rw-r--r--openssl/ssl/s3_lib.c3
-rw-r--r--openssl/ssl/s3_srvr.c11
-rw-r--r--openssl/ssl/ssl.h2
-rw-r--r--openssl/ssl/ssl3.h11
-rw-r--r--openssl/ssl/ssl_ciph.c1
-rw-r--r--openssl/ssl/ssl_err.c4
-rw-r--r--openssl/ssl/ssl_lib.c6
-rw-r--r--openssl/ssl/ssl_locl.h1
-rw-r--r--openssl/ssl/t1_lib.c6
15 files changed, 96 insertions, 33 deletions
diff --git a/openssl/ssl/d1_both.c b/openssl/ssl/d1_both.c
index 2180c6d4d..9f898d699 100644
--- a/openssl/ssl/d1_both.c
+++ b/openssl/ssl/d1_both.c
@@ -158,7 +158,6 @@ static unsigned char bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1
/* XDTLS: figure out the right values */
static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
-static unsigned int dtls1_min_mtu(void);
static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
unsigned long frag_len);
@@ -264,11 +263,10 @@ int dtls1_do_write(SSL *s, int type)
return ret;
mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
}
-
- OPENSSL_assert(mtu > 0); /* should have something reasonable now */
-
#endif
+ OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */
+
if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
OPENSSL_assert(s->init_num ==
(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
@@ -795,7 +793,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
*ok = 0;
return i;
}
- OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
+ /* Handshake fails if message header is incomplete */
+ if (i != DTLS1_HM_HEADER_LENGTH)
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
/* parse the message fragment header */
dtls1_get_message_header(wire, &msg_hdr);
@@ -867,7 +871,12 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
/* XDTLS: an incorrectly formatted fragment should cause the
* handshake to fail */
- OPENSSL_assert(i == (int)frag_len);
+ if (i != (int)frag_len)
+ {
+ al=SSL3_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
+ goto f_err;
+ }
*ok = 1;
@@ -1367,7 +1376,7 @@ dtls1_write_message_header(SSL *s, unsigned char *p)
return p;
}
-static unsigned int
+unsigned int
dtls1_min_mtu(void)
{
return (g_probable_mtu[(sizeof(g_probable_mtu) /
diff --git a/openssl/ssl/d1_lib.c b/openssl/ssl/d1_lib.c
index 48e8b6ffb..c3b77c889 100644
--- a/openssl/ssl/d1_lib.c
+++ b/openssl/ssl/d1_lib.c
@@ -204,7 +204,8 @@ void dtls1_clear(SSL *s)
pqueue buffered_messages;
pqueue sent_messages;
pqueue buffered_app_data;
-
+ unsigned int mtu;
+
if (s->d1)
{
unprocessed_rcds = s->d1->unprocessed_rcds.q;
@@ -212,6 +213,7 @@ void dtls1_clear(SSL *s)
buffered_messages = s->d1->buffered_messages;
sent_messages = s->d1->sent_messages;
buffered_app_data = s->d1->buffered_app_data.q;
+ mtu = s->d1->mtu;
dtls1_clear_queues(s);
@@ -222,6 +224,11 @@ void dtls1_clear(SSL *s)
s->d1->cookie_len = sizeof(s->d1->cookie);
}
+ if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
+ {
+ s->d1->mtu = mtu;
+ }
+
s->d1->unprocessed_rcds.q = unprocessed_rcds;
s->d1->processed_rcds.q = processed_rcds;
s->d1->buffered_messages = buffered_messages;
diff --git a/openssl/ssl/d1_pkt.c b/openssl/ssl/d1_pkt.c
index 39aac73e1..de30a505a 100644
--- a/openssl/ssl/d1_pkt.c
+++ b/openssl/ssl/d1_pkt.c
@@ -375,6 +375,8 @@ dtls1_process_record(SSL *s)
SSL3_RECORD *rr;
unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
+ int decryption_failed_or_bad_record_mac = 0;
+ unsigned char *mac = NULL;
rr= &(s->s3->rrec);
@@ -409,13 +411,10 @@ dtls1_process_record(SSL *s)
enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0)
{
- /* decryption failed, silently discard message */
- if (enc_err < 0)
- {
- rr->length = 0;
- s->packet_length = 0;
- }
- goto err;
+ /* To minimize information leaked via timing, we will always
+ * perform all computations before discarding the message.
+ */
+ decryption_failed_or_bad_record_mac = 1;
}
#ifdef TLS_DEBUG
@@ -445,28 +444,32 @@ printf("\n");
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
- if (rr->length < mac_size)
+ if (rr->length >= mac_size)
{
-#if 0 /* OK only for stream ciphers */
- al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
-#else
- goto err;
-#endif
+ rr->length -= mac_size;
+ mac = &rr->data[rr->length];
}
- rr->length-=mac_size;
+ else
+ rr->length = 0;
i=s->method->ssl3_enc->mac(s,md,0);
- if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+ if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
{
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
}
}
+ if (decryption_failed_or_bad_record_mac)
+ {
+ /* decryption failed, silently discard message */
+ rr->length = 0;
+ s->packet_length = 0;
+ goto err;
+ }
+
/* r->length is now just compressed */
if (s->expand != NULL)
{
diff --git a/openssl/ssl/d1_srvr.c b/openssl/ssl/d1_srvr.c
index a6a4c87ea..149983be3 100644
--- a/openssl/ssl/d1_srvr.c
+++ b/openssl/ssl/d1_srvr.c
@@ -1271,7 +1271,7 @@ int dtls1_send_server_key_exchange(SSL *s)
EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
- EVP_SignUpdate(&md_ctx,&(d[4]),n);
+ EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
if (!EVP_SignFinal(&md_ctx,&(p[2]),
(unsigned int *)&i,pkey))
{
diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c
index 50bd415b5..53223bd38 100644
--- a/openssl/ssl/s3_clnt.c
+++ b/openssl/ssl/s3_clnt.c
@@ -953,7 +953,7 @@ int ssl3_get_server_hello(SSL *s)
/* wrong packet length */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
- goto err;
+ goto f_err;
}
return(1);
@@ -1837,7 +1837,7 @@ int ssl3_get_new_session_ticket(SSL *s)
if (n < 6)
{
/* need at least ticket_lifetime_hint + ticket length */
- al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
goto f_err;
}
@@ -1848,7 +1848,7 @@ int ssl3_get_new_session_ticket(SSL *s)
/* ticket_lifetime_hint + ticket_length + ticket */
if (ticklen + 6 != n)
{
- al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
goto f_err;
}
diff --git a/openssl/ssl/s3_enc.c b/openssl/ssl/s3_enc.c
index 58386e1ba..b14597076 100644
--- a/openssl/ssl/s3_enc.c
+++ b/openssl/ssl/s3_enc.c
@@ -511,6 +511,9 @@ int ssl3_enc(SSL *s, int send)
/* we need to add 'i-1' padding bytes */
l+=i;
+ /* the last of these zero bytes will be overwritten
+ * with the padding length. */
+ memset(&rec->input[rec->length], 0, i);
rec->length+=i;
rec->input[l-1]=(i-1);
}
diff --git a/openssl/ssl/s3_lib.c b/openssl/ssl/s3_lib.c
index 62c791cb7..1130244ae 100644
--- a/openssl/ssl/s3_lib.c
+++ b/openssl/ssl/s3_lib.c
@@ -2177,6 +2177,7 @@ void ssl3_clear(SSL *s)
{
unsigned char *rp,*wp;
size_t rlen, wlen;
+ int init_extra;
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->s3->client_opaque_prf_input != NULL)
@@ -2215,6 +2216,7 @@ void ssl3_clear(SSL *s)
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
wlen = s->s3->wbuf.len;
+ init_extra = s->s3->init_extra;
if (s->s3->handshake_buffer) {
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
@@ -2227,6 +2229,7 @@ void ssl3_clear(SSL *s)
s->s3->wbuf.buf = wp;
s->s3->rbuf.len = rlen;
s->s3->wbuf.len = wlen;
+ s->s3->init_extra = init_extra;
ssl_free_wbio_buffer(s);
diff --git a/openssl/ssl/s3_srvr.c b/openssl/ssl/s3_srvr.c
index c3b5ff33f..d734c359f 100644
--- a/openssl/ssl/s3_srvr.c
+++ b/openssl/ssl/s3_srvr.c
@@ -258,6 +258,7 @@ int ssl3_accept(SSL *s)
}
s->init_num=0;
+ s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
if (s->state != SSL_ST_RENEGOTIATE)
{
@@ -755,6 +756,14 @@ int ssl3_check_client_hello(SSL *s)
int ok;
long n;
+ /* We only allow the client to restart the handshake once per
+ * negotiation. */
+ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+ return -1;
+ }
+
/* this function is called when we really expect a Certificate message,
* so permit appropriate message length */
n=s->method->ssl_get_message(s,
@@ -783,6 +792,7 @@ int ssl3_check_client_hello(SSL *s)
s->s3->tmp.ecdh = NULL;
}
#endif
+ s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
return 2;
}
return 1;
@@ -2130,6 +2140,7 @@ int ssl3_get_client_key_exchange(SSL *s)
if (i <= 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+ BN_clear_free(pub);
goto err;
}
diff --git a/openssl/ssl/ssl.h b/openssl/ssl/ssl.h
index e4c3f6501..8f922eea7 100644
--- a/openssl/ssl/ssl.h
+++ b/openssl/ssl/ssl.h
@@ -1882,6 +1882,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL3_CALLBACK_CTRL 233
#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
#define SSL_F_SSL3_CLIENT_HELLO 131
#define SSL_F_SSL3_CONNECT 132
#define SSL_F_SSL3_CTRL 213
@@ -2139,6 +2140,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_MISSING_TMP_RSA_KEY 172
#define SSL_R_MISSING_TMP_RSA_PKEY 173
#define SSL_R_MISSING_VERIFY_MESSAGE 174
+#define SSL_R_MULTIPLE_SGC_RESTARTS 346
#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
#define SSL_R_NO_CERTIFICATES_RETURNED 176
#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
diff --git a/openssl/ssl/ssl3.h b/openssl/ssl/ssl3.h
index baaa89e71..9c2c41287 100644
--- a/openssl/ssl/ssl3.h
+++ b/openssl/ssl/ssl3.h
@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
#define SSL3_FLAGS_POP_BUFFER 0x0004
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
+
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
typedef struct ssl3_state_st
{
diff --git a/openssl/ssl/ssl_ciph.c b/openssl/ssl/ssl_ciph.c
index a8ce186b7..54ba7ef5b 100644
--- a/openssl/ssl/ssl_ciph.c
+++ b/openssl/ssl/ssl_ciph.c
@@ -446,6 +446,7 @@ static void load_builtin_compressions(void)
sk_SSL_COMP_push(ssl_comp_methods,comp);
}
}
+ sk_SSL_COMP_sort(ssl_comp_methods);
}
MemCheck_on();
}
diff --git a/openssl/ssl/ssl_err.c b/openssl/ssl/ssl_err.c
index 0eed46474..e9be77109 100644
--- a/openssl/ssl/ssl_err.c
+++ b/openssl/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
- * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
@@ -397,6 +398,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
+{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
diff --git a/openssl/ssl/ssl_lib.c b/openssl/ssl/ssl_lib.c
index 46732791f..6688f19a6 100644
--- a/openssl/ssl/ssl_lib.c
+++ b/openssl/ssl/ssl_lib.c
@@ -1054,6 +1054,11 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
s->max_cert_list=larg;
return(l);
case SSL_CTRL_SET_MTU:
+#ifndef OPENSSL_NO_DTLS1
+ if (larg < (long)dtls1_min_mtu())
+ return 0;
+#endif
+
if (SSL_version(s) == DTLS1_VERSION ||
SSL_version(s) == DTLS1_BAD_VER)
{
@@ -3042,4 +3047,3 @@ IMPLEMENT_STACK_OF(SSL_CIPHER)
IMPLEMENT_STACK_OF(SSL_COMP)
IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
ssl_cipher_id);
-
diff --git a/openssl/ssl/ssl_locl.h b/openssl/ssl/ssl_locl.h
index 4c78393f3..cea622a2a 100644
--- a/openssl/ssl/ssl_locl.h
+++ b/openssl/ssl/ssl_locl.h
@@ -950,6 +950,7 @@ void dtls1_stop_timer(SSL *s);
int dtls1_is_timer_expired(SSL *s);
void dtls1_double_timeout(SSL *s);
int dtls1_send_newsession_ticket(SSL *s);
+unsigned int dtls1_min_mtu(void);
/* some client-only functions */
int ssl3_client_hello(SSL *s);
diff --git a/openssl/ssl/t1_lib.c b/openssl/ssl/t1_lib.c
index 85371c87b..26cbae449 100644
--- a/openssl/ssl/t1_lib.c
+++ b/openssl/ssl/t1_lib.c
@@ -971,6 +971,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
sdata = data;
if (dsize > 0)
{
+ if (s->tlsext_ocsp_exts)
+ {
+ sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+ X509_EXTENSION_free);
+ }
+
s->tlsext_ocsp_exts =
d2i_X509_EXTENSIONS(NULL,
&sdata, dsize);