aboutsummaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2014-06-06 20:59:29 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2014-06-06 20:59:29 +0000
commit2e22f5e2e00c1f1f599b03634ca27bb5b9ac471e (patch)
treea707d3fdb02faa3d4423773ae7b606febaa5e786 /ssl
parent06369e3974fbc83d3778807c090fbe69f20a27d4 (diff)
downloadsrc-2e22f5e2e00c1f1f599b03634ca27bb5b9ac471e.tar.gz
src-2e22f5e2e00c1f1f599b03634ca27bb5b9ac471e.zip
Import OpenSSL 1.0.1h.vendor/openssl/1.0.1h
Approved by: so (delphij)
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=267188 svn path=/vendor-crypto/openssl/1.0.1h/; revision=267189; tag=vendor/openssl/1.0.1h
Diffstat (limited to 'ssl')
-rw-r--r--ssl/Makefile2
-rw-r--r--ssl/d1_both.c15
-rw-r--r--ssl/d1_lib.c9
-rw-r--r--ssl/d1_pkt.c19
-rw-r--r--ssl/d1_srvr.c1
-rw-r--r--ssl/heartbeat_test.c465
-rw-r--r--ssl/s3_clnt.c9
-rw-r--r--ssl/s3_pkt.c42
-rw-r--r--ssl/s3_srvr.c33
-rw-r--r--ssl/ssl.h4
-rw-r--r--ssl/ssl3.h1
-rw-r--r--ssl/ssl_asn1.c4
-rw-r--r--ssl/ssl_err.c2
-rw-r--r--ssl/ssl_lib.c4
-rw-r--r--ssl/t1_enc.c8
-rw-r--r--ssl/t1_lib.c45
16 files changed, 595 insertions, 68 deletions
diff --git a/ssl/Makefile b/ssl/Makefile
index debe07405bf8..0045d8983022 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile
@@ -15,7 +15,7 @@ KRB5_INCLUDES=
CFLAGS= $(INCLUDES) $(CFLAG)
GENERAL=Makefile README ssl-lib.com install.com
-TEST=ssltest.c
+TEST=ssltest.c heartbeat_test.c
APPS=
LIB=$(TOP)/libssl.a
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 2e8cf681ed09..04aa23107ec5 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
frag->msg_header.frag_off = 0;
}
else
+ {
frag = (hm_fragment*) item->data;
+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
+ {
+ item = NULL;
+ frag = NULL;
+ goto err;
+ }
+ }
+
/* If message is already reassembled, this must be a
* retransmit and can be dropped.
@@ -674,8 +683,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
item = pitem_new(seq64be, frag);
if (item == NULL)
{
- goto err;
i = -1;
+ goto err;
}
pqueue_insert(s->d1->buffered_messages, item);
@@ -784,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
int i,al;
struct hm_header_st msg_hdr;
+ redo:
/* see if we have the required fragment already */
if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
{
@@ -842,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
s->msg_callback_arg);
s->init_num = 0;
- return dtls1_get_message_fragment(s, st1, stn,
- max, ok);
+ goto redo;
}
else /* Incorrectly formated Hello request */
{
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 106939f24177..6bde16fa212c 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -176,9 +176,12 @@ static void dtls1_clear_queues(SSL *s)
while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
{
- frag = (hm_fragment *)item->data;
- OPENSSL_free(frag->fragment);
- OPENSSL_free(frag);
+ rdata = (DTLS1_RECORD_DATA *) item->data;
+ if (rdata->rbuf.buf)
+ {
+ OPENSSL_free(rdata->rbuf.buf);
+ }
+ OPENSSL_free(item->data);
pitem_free(item);
}
}
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 8186462d4a6b..438c0913d24e 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
}
#endif
- /* insert should not fail, since duplicates are dropped */
- if (pqueue_insert(queue->q, item) == NULL)
- {
- OPENSSL_free(rdata);
- pitem_free(item);
- return(0);
- }
-
s->packet = NULL;
s->packet_length = 0;
memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
@@ -259,7 +251,16 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
pitem_free(item);
return(0);
}
-
+
+ /* insert should not fail, since duplicates are dropped */
+ if (pqueue_insert(queue->q, item) == NULL)
+ {
+ SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+ OPENSSL_free(rdata);
+ pitem_free(item);
+ return(0);
+ }
+
return(1);
}
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 9975e20873c4..1384ab0cbf17 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1356,6 +1356,7 @@ int dtls1_send_server_key_exchange(SSL *s)
(unsigned char *)encodedPoint,
encodedlen);
OPENSSL_free(encodedPoint);
+ encodedPoint = NULL;
p += encodedlen;
}
#endif
diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
new file mode 100644
index 000000000000..d8cc559981c4
--- /dev/null
+++ b/ssl/heartbeat_test.c
@@ -0,0 +1,465 @@
+/* test/heartbeat_test.c */
+/*
+ * Unit test for TLS heartbeats.
+ *
+ * Acts as a regression test against the Heartbleed bug (CVE-2014-0160).
+ *
+ * Author: Mike Bland (mbland@acm.org, http://mike-bland.com/)
+ * Date: 2014-04-12
+ * License: Creative Commons Attribution 4.0 International (CC By 4.0)
+ * http://creativecommons.org/licenses/by/4.0/deed.en_US
+ *
+ * OUTPUT
+ * ------
+ * The program returns zero on success. It will print a message with a count
+ * of the number of failed tests and return nonzero if any tests fail.
+ *
+ * It will print the contents of the request and response buffers for each
+ * failing test. In a "fixed" version, all the tests should pass and there
+ * should be no output.
+ *
+ * In a "bleeding" version, you'll see:
+ *
+ * test_dtls1_heartbleed failed:
+ * expected payload len: 0
+ * received: 1024
+ * sent 26 characters
+ * "HEARTBLEED "
+ * received 1024 characters
+ * "HEARTBLEED \xde\xad\xbe\xef..."
+ * ** test_dtls1_heartbleed failed **
+ *
+ * The contents of the returned buffer in the failing test will depend on the
+ * contents of memory on your machine.
+ *
+ * MORE INFORMATION
+ * ----------------
+ * http://mike-bland.com/2014/04/12/heartbleed.html
+ * http://mike-bland.com/tags/heartbleed.html
+ */
+
+#include "../ssl/ssl_locl.h"
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if !defined(OPENSSL_NO_HEARTBEATS) && !defined(OPENSSL_SYS_WINDOWS)
+
+/* As per https://tools.ietf.org/html/rfc6520#section-4 */
+#define MIN_PADDING_SIZE 16
+
+/* Maximum number of payload characters to print as test output */
+#define MAX_PRINTABLE_CHARACTERS 1024
+
+typedef struct heartbeat_test_fixture
+ {
+ SSL_CTX *ctx;
+ SSL *s;
+ const char* test_case_name;
+ int (*process_heartbeat)(SSL* s);
+ unsigned char* payload;
+ int sent_payload_len;
+ int expected_return_value;
+ int return_payload_offset;
+ int expected_payload_len;
+ const char* expected_return_payload;
+ } HEARTBEAT_TEST_FIXTURE;
+
+static HEARTBEAT_TEST_FIXTURE set_up(const char* const test_case_name,
+ const SSL_METHOD* meth)
+ {
+ HEARTBEAT_TEST_FIXTURE fixture;
+ int setup_ok = 1;
+ memset(&fixture, 0, sizeof(fixture));
+ fixture.test_case_name = test_case_name;
+
+ fixture.ctx = SSL_CTX_new(meth);
+ if (!fixture.ctx)
+ {
+ fprintf(stderr, "Failed to allocate SSL_CTX for test: %s\n",
+ test_case_name);
+ setup_ok = 0;
+ goto fail;
+ }
+
+ fixture.s = SSL_new(fixture.ctx);
+ if (!fixture.s)
+ {
+ fprintf(stderr, "Failed to allocate SSL for test: %s\n", test_case_name);
+ setup_ok = 0;
+ goto fail;
+ }
+
+ if (!ssl_init_wbio_buffer(fixture.s, 1))
+ {
+ fprintf(stderr, "Failed to set up wbio buffer for test: %s\n",
+ test_case_name);
+ setup_ok = 0;
+ goto fail;
+ }
+
+ if (!ssl3_setup_buffers(fixture.s))
+ {
+ fprintf(stderr, "Failed to setup buffers for test: %s\n",
+ test_case_name);
+ setup_ok = 0;
+ goto fail;
+ }
+
+ /* Clear the memory for the return buffer, since this isn't automatically
+ * zeroed in opt mode and will cause spurious test failures that will change
+ * with each execution.
+ */
+ memset(fixture.s->s3->wbuf.buf, 0, fixture.s->s3->wbuf.len);
+
+ fail:
+ if (!setup_ok)
+ {
+ ERR_print_errors_fp(stderr);
+ exit(EXIT_FAILURE);
+ }
+ return fixture;
+ }
+
+static HEARTBEAT_TEST_FIXTURE set_up_dtls(const char* const test_case_name)
+ {
+ HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
+ DTLSv1_server_method());
+ fixture.process_heartbeat = dtls1_process_heartbeat;
+
+ /* As per dtls1_get_record(), skipping the following from the beginning of
+ * the returned heartbeat message:
+ * type-1 byte; version-2 bytes; sequence number-8 bytes; length-2 bytes
+ *
+ * And then skipping the 1-byte type encoded by process_heartbeat for
+ * a total of 14 bytes, at which point we can grab the length and the
+ * payload we seek.
+ */
+ fixture.return_payload_offset = 14;
+ return fixture;
+ }
+
+/* Needed by ssl3_write_bytes() */
+static int dummy_handshake(SSL* s)
+ {
+ return 1;
+ }
+
+static HEARTBEAT_TEST_FIXTURE set_up_tls(const char* const test_case_name)
+ {
+ HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
+ TLSv1_server_method());
+ fixture.process_heartbeat = tls1_process_heartbeat;
+ fixture.s->handshake_func = dummy_handshake;
+
+ /* As per do_ssl3_write(), skipping the following from the beginning of
+ * the returned heartbeat message:
+ * type-1 byte; version-2 bytes; length-2 bytes
+ *
+ * And then skipping the 1-byte type encoded by process_heartbeat for
+ * a total of 6 bytes, at which point we can grab the length and the payload
+ * we seek.
+ */
+ fixture.return_payload_offset = 6;
+ return fixture;
+ }
+
+static void tear_down(HEARTBEAT_TEST_FIXTURE fixture)
+ {
+ ERR_print_errors_fp(stderr);
+ SSL_free(fixture.s);
+ SSL_CTX_free(fixture.ctx);
+ }
+
+static void print_payload(const char* const prefix,
+ const unsigned char *payload, const int n)
+ {
+ const int end = n < MAX_PRINTABLE_CHARACTERS ? n
+ : MAX_PRINTABLE_CHARACTERS;
+ int i = 0;
+
+ printf("%s %d character%s", prefix, n, n == 1 ? "" : "s");
+ if (end != n) printf(" (first %d shown)", end);
+ printf("\n \"");
+
+ for (; i != end; ++i)
+ {
+ const unsigned char c = payload[i];
+ if (isprint(c)) fputc(c, stdout);
+ else printf("\\x%02x", c);
+ }
+ printf("\"\n");
+ }
+
+static int execute_heartbeat(HEARTBEAT_TEST_FIXTURE fixture)
+ {
+ int result = 0;
+ SSL* s = fixture.s;
+ unsigned char *payload = fixture.payload;
+ unsigned char sent_buf[MAX_PRINTABLE_CHARACTERS + 1];
+ int return_value;
+ unsigned const char *p;
+ int actual_payload_len;
+
+ s->s3->rrec.data = payload;
+ s->s3->rrec.length = strlen((const char*)payload);
+ *payload++ = TLS1_HB_REQUEST;
+ s2n(fixture.sent_payload_len, payload);
+
+ /* Make a local copy of the request, since it gets overwritten at some
+ * point */
+ memcpy((char *)sent_buf, (const char*)payload, sizeof(sent_buf));
+
+ return_value = fixture.process_heartbeat(s);
+
+ if (return_value != fixture.expected_return_value)
+ {
+ printf("%s failed: expected return value %d, received %d\n",
+ fixture.test_case_name, fixture.expected_return_value,
+ return_value);
+ result = 1;
+ }
+
+ /* If there is any byte alignment, it will be stored in wbuf.offset. */
+ p = &(s->s3->wbuf.buf[
+ fixture.return_payload_offset + s->s3->wbuf.offset]);
+ actual_payload_len = 0;
+ n2s(p, actual_payload_len);
+
+ if (actual_payload_len != fixture.expected_payload_len)
+ {
+ printf("%s failed:\n expected payload len: %d\n received: %d\n",
+ fixture.test_case_name, fixture.expected_payload_len,
+ actual_payload_len);
+ print_payload("sent", sent_buf, strlen((const char*)sent_buf));
+ print_payload("received", p, actual_payload_len);
+ result = 1;
+ }
+ else
+ {
+ char* actual_payload = BUF_strndup((const char*)p, actual_payload_len);
+ if (strcmp(actual_payload, fixture.expected_return_payload) != 0)
+ {
+ printf("%s failed:\n expected payload: \"%s\"\n received: \"%s\"\n",
+ fixture.test_case_name, fixture.expected_return_payload,
+ actual_payload);
+ result = 1;
+ }
+ OPENSSL_free(actual_payload);
+ }
+
+ if (result != 0)
+ {
+ printf("** %s failed **\n--------\n", fixture.test_case_name);
+ }
+ return result;
+ }
+
+static int honest_payload_size(unsigned char payload_buf[])
+ {
+ /* Omit three-byte pad at the beginning for type and payload length */
+ return strlen((const char*)&payload_buf[3]) - MIN_PADDING_SIZE;
+ }
+
+#define SETUP_HEARTBEAT_TEST_FIXTURE(type)\
+ HEARTBEAT_TEST_FIXTURE fixture = set_up_##type(__func__);\
+ int result = 0
+
+#define EXECUTE_HEARTBEAT_TEST()\
+ if (execute_heartbeat(fixture) != 0) result = 1;\
+ tear_down(fixture);\
+ return result
+
+static int test_dtls1_not_bleeding()
+ {
+ SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+ /* Three-byte pad at the beginning for type and payload length */
+ unsigned char payload_buf[] = " Not bleeding, sixteen spaces of padding"
+ " ";
+ const int payload_buf_len = honest_payload_size(payload_buf);
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = payload_buf_len;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = payload_buf_len;
+ fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_dtls1_not_bleeding_empty_payload()
+ {
+ int payload_buf_len;
+
+ SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+ /* Three-byte pad at the beginning for type and payload length, plus a NUL
+ * at the end */
+ unsigned char payload_buf[4 + MIN_PADDING_SIZE];
+ memset(payload_buf, ' ', sizeof(payload_buf));
+ payload_buf[sizeof(payload_buf) - 1] = '\0';
+ payload_buf_len = honest_payload_size(payload_buf);
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = payload_buf_len;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = payload_buf_len;
+ fixture.expected_return_payload = "";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_dtls1_heartbleed()
+ {
+ SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+ /* Three-byte pad at the beginning for type and payload length */
+ unsigned char payload_buf[] = " HEARTBLEED ";
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = 0;
+ fixture.expected_return_payload = "";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_dtls1_heartbleed_empty_payload()
+ {
+ SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+ /* Excluding the NUL at the end, one byte short of type + payload length +
+ * minimum padding */
+ unsigned char payload_buf[MIN_PADDING_SIZE + 3];
+ memset(payload_buf, ' ', sizeof(payload_buf));
+ payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = 0;
+ fixture.expected_return_payload = "";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_dtls1_heartbleed_excessive_plaintext_length()
+ {
+ SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+ /* Excluding the NUL at the end, one byte in excess of maximum allowed
+ * heartbeat message length */
+ unsigned char payload_buf[SSL3_RT_MAX_PLAIN_LENGTH + 2];
+ memset(payload_buf, ' ', sizeof(payload_buf));
+ payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = honest_payload_size(payload_buf);
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = 0;
+ fixture.expected_return_payload = "";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_tls1_not_bleeding()
+ {
+ SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+ /* Three-byte pad at the beginning for type and payload length */
+ unsigned char payload_buf[] = " Not bleeding, sixteen spaces of padding"
+ " ";
+ const int payload_buf_len = honest_payload_size(payload_buf);
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = payload_buf_len;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = payload_buf_len;
+ fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_tls1_not_bleeding_empty_payload()
+ {
+ int payload_buf_len;
+
+ SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+ /* Three-byte pad at the beginning for type and payload length, plus a NUL
+ * at the end */
+ unsigned char payload_buf[4 + MIN_PADDING_SIZE];
+ memset(payload_buf, ' ', sizeof(payload_buf));
+ payload_buf[sizeof(payload_buf) - 1] = '\0';
+ payload_buf_len = honest_payload_size(payload_buf);
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = payload_buf_len;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = payload_buf_len;
+ fixture.expected_return_payload = "";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_tls1_heartbleed()
+ {
+ SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+ /* Three-byte pad at the beginning for type and payload length */
+ unsigned char payload_buf[] = " HEARTBLEED ";
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = 0;
+ fixture.expected_return_payload = "";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+static int test_tls1_heartbleed_empty_payload()
+ {
+ SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+ /* Excluding the NUL at the end, one byte short of type + payload length +
+ * minimum padding */
+ unsigned char payload_buf[MIN_PADDING_SIZE + 3];
+ memset(payload_buf, ' ', sizeof(payload_buf));
+ payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+ fixture.payload = &payload_buf[0];
+ fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+ fixture.expected_return_value = 0;
+ fixture.expected_payload_len = 0;
+ fixture.expected_return_payload = "";
+ EXECUTE_HEARTBEAT_TEST();
+ }
+
+#undef EXECUTE_HEARTBEAT_TEST
+#undef SETUP_HEARTBEAT_TEST_FIXTURE
+
+int main(int argc, char *argv[])
+ {
+ int num_failed;
+
+ SSL_library_init();
+ SSL_load_error_strings();
+
+ num_failed = test_dtls1_not_bleeding() +
+ test_dtls1_not_bleeding_empty_payload() +
+ test_dtls1_heartbleed() +
+ test_dtls1_heartbleed_empty_payload() +
+ /* The following test causes an assertion failure at
+ * ssl/d1_pkt.c:dtls1_write_bytes() in versions prior to 1.0.1g: */
+ (OPENSSL_VERSION_NUMBER >= 0x1000107fL ?
+ test_dtls1_heartbleed_excessive_plaintext_length() : 0) +
+ test_tls1_not_bleeding() +
+ test_tls1_not_bleeding_empty_payload() +
+ test_tls1_heartbleed() +
+ test_tls1_heartbleed_empty_payload() +
+ 0;
+
+ ERR_print_errors_fp(stderr);
+
+ if (num_failed != 0)
+ {
+ printf("%d test%s failed\n", num_failed, num_failed != 1 ? "s" : "");
+ return EXIT_FAILURE;
+ }
+ return EXIT_SUCCESS;
+ }
+
+#else /* OPENSSL_NO_HEARTBEATS*/
+
+int main(int argc, char *argv[])
+ {
+ return EXIT_SUCCESS;
+ }
+#endif /* OPENSSL_NO_HEARTBEATS */
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index a6b3c01afa18..0457af878917 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
SSL3_ST_CR_FINISHED_B);
if (ret <= 0) goto end;
@@ -915,6 +916,7 @@ int ssl3_get_server_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
}
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->hit=1;
}
else /* a miss or crap from the other end */
@@ -2510,6 +2512,13 @@ int ssl3_send_client_key_exchange(SSL *s)
int ecdh_clnt_cert = 0;
int field_size = 0;
+ if (s->session->sess_cert == NULL)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+ goto err;
+ }
+
/* Did we send out the client's
* ECDH share for use in premaster
* computation as part of client certificate?
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 96ba63262e44..59011e39c67e 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -110,6 +110,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include <errno.h>
#define USE_SOCKETS
#include "ssl_locl.h"
@@ -580,10 +581,11 @@ int ssl3_do_compress(SSL *ssl)
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
{
const unsigned char *buf=buf_;
- unsigned int tot,n,nw;
- int i;
+ unsigned int n,nw;
+ int i,tot;
s->rwstate=SSL_NOTHING;
+ OPENSSL_assert(s->s3->wnum <= INT_MAX);
tot=s->s3->wnum;
s->s3->wnum=0;
@@ -598,6 +600,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
}
}
+ /* ensure that if we end up with a smaller value of data to write
+ * out than the the original len from a write which didn't complete
+ * for non-blocking I/O and also somehow ended up avoiding
+ * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+ * it must never be possible to end up with (len-tot) as a large
+ * number that will then promptly send beyond the end of the users
+ * buffer ... so we trap and report the error in a way the user
+ * will notice
+ */
+ if (len < tot)
+ {
+ SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
+ return(-1);
+ }
+
+
n=(len-tot);
for (;;)
{
@@ -641,9 +659,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
SSL3_BUFFER *wb=&(s->s3->wbuf);
SSL_SESSION *sess;
- if (wb->buf == NULL)
- if (!ssl3_setup_write_buffer(s))
- return -1;
/* first check if there is a SSL3_BUFFER still being written
* out. This will happen with non blocking IO */
@@ -659,6 +674,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
/* if it went, fall through and send more stuff */
}
+ if (wb->buf == NULL)
+ if (!ssl3_setup_write_buffer(s))
+ return -1;
+
if (len == 0 && !create_empty_fragment)
return 0;
@@ -1055,7 +1074,7 @@ start:
{
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
ssl3_release_read_buffer(s);
}
}
@@ -1297,6 +1316,15 @@ start:
goto f_err;
}
+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
+ goto f_err;
+ }
+
+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
rr->length=0;
if (s->msg_callback)
@@ -1431,7 +1459,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
if (s->s3->tmp.key_block == NULL)
{
- if (s->session == NULL)
+ if (s->session == NULL || s->session->master_key_length == 0)
{
/* might happen if dtls1_read_bytes() calls this */
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 9ac19c05f22d..503bed3fe0b4 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CERT_VRFY_A:
case SSL3_ST_SR_CERT_VRFY_B:
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
/* we should decide if we expected this one */
ret=ssl3_get_cert_verify(s);
if (ret <= 0) goto end;
@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_FINISHED_A:
case SSL3_ST_SR_FINISHED_B:
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
SSL3_ST_SR_FINISHED_B);
if (ret <= 0) goto end;
@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
#else
if (s->s3->next_proto_neg_seen)
+ {
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
+ }
else
s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
#endif
@@ -2097,6 +2102,11 @@ int ssl3_send_certificate_request(SSL *s)
s->init_num=n+4;
s->init_off=0;
#ifdef NETSCAPE_HANG_BUG
+ if (!BUF_MEM_grow_clean(buf, s->init_num + 4))
+ {
+ SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+ goto err;
+ }
p=(unsigned char *)s->init_buf->data + s->init_num;
/* do the header */
@@ -2813,6 +2823,8 @@ int ssl3_get_client_key_exchange(SSL *s)
unsigned char premaster_secret[32], *start;
size_t outlen=32, inlen;
unsigned long alg_a;
+ int Ttag, Tclass;
+ long Tlen;
/* Get our certificate private key*/
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
@@ -2834,26 +2846,15 @@ int ssl3_get_client_key_exchange(SSL *s)
ERR_clear_error();
}
/* Decrypt session key */
- if ((*p!=( V_ASN1_SEQUENCE| V_ASN1_CONSTRUCTED)))
- {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
- goto gerr;
- }
- if (p[1] == 0x81)
- {
- start = p+3;
- inlen = p[2];
- }
- else if (p[1] < 0x80)
- {
- start = p+2;
- inlen = p[1];
- }
- else
+ if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, &Tclass, n) != V_ASN1_CONSTRUCTED ||
+ Ttag != V_ASN1_SEQUENCE ||
+ Tclass != V_ASN1_UNIVERSAL)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_DECRYPTION_FAILED);
goto gerr;
}
+ start = p;
+ inlen = Tlen;
if (EVP_PKEY_decrypt(pkey_ctx,premaster_secret,&outlen,start,inlen) <=0)
{
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 7219a0e64bc2..4c1242c9d20c 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -553,7 +553,7 @@ struct ssl_session_st
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
+#define SSL_OP_TLSEXT_PADDING 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
@@ -562,6 +562,8 @@ struct ssl_session_st
/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
+/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0
/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index cb8b2492ec97..37f19e3ab505 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
+#define SSL3_FLAGS_CCS_OK 0x0080
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
* restart a handshake because of MS SGC and so prevents us
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index 38540be1e538..477500371027 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@@ -408,6 +408,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
if (os.length != 3)
{
c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+ c.line=__LINE__;
goto err;
}
id=0x02000000L|
@@ -420,6 +421,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
if (os.length != 2)
{
c.error=SSL_R_CIPHER_CODE_WRONG_LENGTH;
+ c.line=__LINE__;
goto err;
}
id=0x03000000L|
@@ -429,6 +431,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
else
{
c.error=SSL_R_UNKNOWN_SSL_VERSION;
+ c.line=__LINE__;
goto err;
}
@@ -521,6 +524,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
if (os.length > SSL_MAX_SID_CTX_LENGTH)
{
c.error=SSL_R_BAD_LENGTH;
+ c.line=__LINE__;
goto err;
}
else
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 370fb57e3b86..49ab43e0e528 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -541,7 +541,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
-{ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),"peer does not accept heartbearts"},
+{ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),"peer does not accept heartbeats"},
{ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) ,"heartbeat request already pending"},
{ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),"tls illegal exporter label"},
{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 6dbc3c1f7d0a..ef6258ca9f06 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1349,6 +1349,10 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
p=buf;
sk=s->session->ciphers;
+
+ if (sk_SSL_CIPHER_num(sk) == 0)
+ return NULL;
+
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
int n;
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 0c4cddedf85c..ac8c1539968b 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1048,14 +1048,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
if (!stream_mac)
EVP_MD_CTX_cleanup(&hmac);
#ifdef TLS_DEBUG
-printf("sec=");
-{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
printf("seq=");
{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
-printf("buf=");
-{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
printf("rec=");
-{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
+{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",rec->data[z]); printf("\n"); }
#endif
if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER)
@@ -1185,7 +1181,7 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
- rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
+ rv = tls1_PRF(ssl_get_algorithm2(s),
val, vallen,
NULL, 0,
NULL, 0,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index bddffd92cc04..3b8d5153eb6f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -617,6 +617,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
#ifndef OPENSSL_NO_HEARTBEATS
/* Add Heartbeat extension */
+ if ((limit - ret - 4 - 1) < 0)
+ return NULL;
s2n(TLSEXT_TYPE_heartbeat,ret);
s2n(1,ret);
/* Set mode:
@@ -661,36 +663,35 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
ret += el;
}
#endif
-
-#ifdef TLSEXT_TYPE_padding
/* Add padding to workaround bugs in F5 terminators.
* See https://tools.ietf.org/html/draft-agl-tls-padding-03
*
* NB: because this code works out the length of all existing
* extensions it MUST always appear last.
*/
- {
- int hlen = ret - (unsigned char *)s->init_buf->data;
- /* The code in s23_clnt.c to build ClientHello messages includes the
- * 5-byte record header in the buffer, while the code in s3_clnt.c does
- * not. */
- if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
- hlen -= 5;
- if (hlen > 0xff && hlen < 0x200)
+ if (s->options & SSL_OP_TLSEXT_PADDING)
{
- hlen = 0x200 - hlen;
- if (hlen >= 4)
- hlen -= 4;
- else
- hlen = 0;
+ int hlen = ret - (unsigned char *)s->init_buf->data;
+ /* The code in s23_clnt.c to build ClientHello messages
+ * includes the 5-byte record header in the buffer, while
+ * the code in s3_clnt.c does not.
+ */
+ if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
+ hlen -= 5;
+ if (hlen > 0xff && hlen < 0x200)
+ {
+ hlen = 0x200 - hlen;
+ if (hlen >= 4)
+ hlen -= 4;
+ else
+ hlen = 0;
- s2n(TLSEXT_TYPE_padding, ret);
- s2n(hlen, ret);
- memset(ret, 0, hlen);
- ret += hlen;
+ s2n(TLSEXT_TYPE_padding, ret);
+ s2n(hlen, ret);
+ memset(ret, 0, hlen);
+ ret += hlen;
+ }
}
- }
-#endif
if ((extdatalen = ret-p-2)== 0)
return p;
@@ -845,6 +846,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
/* Add Heartbeat extension if we've received one */
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
{
+ if ((limit - ret - 4 - 1) < 0)
+ return NULL;
s2n(TLSEXT_TYPE_heartbeat,ret);
s2n(1,ret);
/* Set mode: