From 56d250321ea9dfa66ea9afa599f12c83a4147c86 Mon Sep 17 00:00:00 2001
From: Adam Langley <agl@google.com>
Date: Tue, 23 Jun 2015 16:20:13 -0700
Subject: Fixes for CVE-2015-1791.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

This change cherry-picks the following BoringSSL changes:

b31040d0 – Get rid of CERT_PKEY slots in SESS_CERT.
fd67aa8c – Add SSL_SESSION_from_bytes.
95d31825 – Duplicate SSL_SESSIONs when renewing them.
d65bb78c – Add SSL_initial_handshake_complete.
680ca961 – Preserve session->sess_cert on ticket renewal.

Change-Id: I474065330842e4ab0066b2485c1489a50e4dfd5b
---
 src/include/openssl/ssl.h | 45 ++++++++++++++++++++++++++++++---------------
 1 file changed, 30 insertions(+), 15 deletions(-)

(limited to 'src/include/openssl/ssl.h')

diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index 217dbaf..2735e15 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -517,6 +517,10 @@ OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl);
 OPENSSL_EXPORT int SSL_get_tls_unique(const SSL *ssl, uint8_t *out,
                                       size_t *out_len, size_t max_out);
 
+/* SSL_initial_handshake_complete returns one if the initial handshake has
+ * completed and zero otherwise. */
+OPENSSL_EXPORT int SSL_initial_handshake_complete(const SSL *ssl);
+
 
 /* Underdocumented functions.
  *
@@ -646,7 +650,12 @@ struct ssl_session_st {
    * disable session caching and tickets. */
   int not_resumable;
 
-  /* The cert is the certificate used to establish this connection */
+  /* The cert is the certificate used to establish this connection
+   *
+   * TODO(davidben): Remove this field. It is not serialized as part of the
+   * session, but some APIs access it. Certificate-related fields, where not
+   * redundant with |peer|, should be added to the session. Others should
+   * probably not be retained across resumptions. */
   struct sess_cert_st /* SESS_CERT */ *sess_cert;
 
   /* This is the cert for the other end. On clients, it will be the same as
@@ -1963,31 +1972,34 @@ OPENSSL_EXPORT int SSL_has_matching_session_id(const SSL *ssl,
 OPENSSL_EXPORT int SSL_SESSION_to_bytes(SSL_SESSION *in, uint8_t **out_data,
                                         size_t *out_len);
 
-/* SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session ID
- * which is not necessary in a session ticket. */
+/* SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session
+ * identification information, namely the session ID and ticket. */
 OPENSSL_EXPORT int SSL_SESSION_to_bytes_for_ticket(SSL_SESSION *in,
                                                    uint8_t **out_data,
                                                    size_t *out_len);
 
+/* SSL_SESSION_from_bytes parses |in_len| bytes from |in| as an SSL_SESSION. It
+ * returns a newly-allocated |SSL_SESSION| on success or NULL on error. */
+OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in,
+                                                   size_t in_len);
+
 /* Deprecated: i2d_SSL_SESSION serializes |in| to the bytes pointed to by
  * |*pp|. On success, it returns the number of bytes written and advances |*pp|
  * by that many bytes. On failure, it returns -1. If |pp| is NULL, no bytes are
  * written and only the length is returned.
  *
- * Use SSL_SESSION_to_bytes instead. */
+ * Use |SSL_SESSION_to_bytes| instead. */
 OPENSSL_EXPORT int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp);
 
-/* d2i_SSL_SESSION deserializes a serialized buffer contained in the |length|
- * bytes pointed to by |*pp|. It returns the new SSL_SESSION and advances |*pp|
- * by the number of bytes consumed on success and NULL on failure. If |a| is
- * NULL, the caller takes ownership of the new session and must call
- * |SSL_SESSION_free| when done.
+/* Deprecated: d2i_SSL_SESSION parses a serialized session from the |length|
+ * bytes pointed to by |*pp|. It returns the new |SSL_SESSION| and advances
+ * |*pp| by the number of bytes consumed on success and NULL on failure. The
+ * caller takes ownership of the new session and must call |SSL_SESSION_free|
+ * when done.
  *
- * If |a| and |*a| are not NULL, the SSL_SESSION at |*a| is overridden with the
- * deserialized session rather than allocating a new one. In addition, |a| is
- * not NULL, but |*a| is, |*a| is set to the new SSL_SESSION.
+ * If |a| is non-NULL, |*a| is released and set the new |SSL_SESSION|.
  *
- * Passing a value other than NULL to |a| is deprecated. */
+ * Use |SSL_SESSION_from_bytes| instead. */
 OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp,
                                             long length);
 
@@ -2621,8 +2633,8 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_F_SSL_use_psk_identity_hint 147
 #define SSL_F_SSL_write 148
 #define SSL_F_d2i_SSL_SESSION 149
-#define SSL_F_d2i_SSL_SESSION_get_octet_string 150
-#define SSL_F_d2i_SSL_SESSION_get_string 151
+#define SSL_F_SSL_SESSION_parse_octet_string 150
+#define SSL_F_SSL_SESSION_parse_string 151
 #define SSL_F_do_ssl3_write 152
 #define SSL_F_dtls1_accept 153
 #define SSL_F_dtls1_buffer_record 154
@@ -2747,6 +2759,9 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_F_SSL_AEAD_CTX_open 277
 #define SSL_F_SSL_AEAD_CTX_seal 278
 #define SSL_F_dtls1_seal_record 279
+#define SSL_F_SSL_SESSION_from_bytes 280
+#define SSL_F_SSL_SESSION_parse 281
+#define SSL_F_ssl3_check_certificate_for_cipher 282
 #define SSL_R_APP_DATA_IN_HANDSHAKE 100
 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
 #define SSL_R_BAD_ALERT 102
-- 
cgit v1.1