summaryrefslogtreecommitdiffstats
path: root/ssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Update copyright yearMatt Caswell2020-04-2324-24/+24
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
* GOST2012 TLS Supported Groups Identifiers SupportNikolay Morozov2020-04-222-0/+25
| | | | | | | | | For GOST2012-GOST8912-GOST8912 IANA introduce TLS Supported Groups Identifiers https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11568)
* Fix test_ssl_new test failureMatt Caswell2020-04-211-4/+6
| | | | | | | | | | | A couple of fetches of the MD5 and SHA1 digests were not using the libctx in libssl and causing test_ssl_new to fail in travis. This only occurs on builds with SSLv3 enabled (its disabled by default). [extended tests] Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11586)
* Fix NULL dereference in SSL_check_chain() for TLS 1.3Benjamin Kaduk2020-04-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | In the tls1_check_sig_alg() helper function, we loop through the list of "signature_algorithms_cert" values received from the client and attempt to look up each one in turn in our internal table that maps wire codepoint to string-form name, digest and/or signature NID, etc., in order to compare the signature scheme from the peer's list against what is used to sign the certificates in the certificate chain we're checking. Unfortunately, when the peer sends a value that we don't support, the lookup returns NULL, but we unconditionally dereference the lookup result for the comparison, leading to an application crash triggerable by an unauthenticated client. Since we will not be able to say anything about algorithms we don't recognize, treat NULL return from lookup as "does not match". We currently only apply the "signature_algorithm_cert" checks on TLS 1.3 connections, so previous TLS versions are unaffected. SSL_check_chain() is not called directly from libssl, but may be used by the application inside a callback (e.g., client_hello or cert callback) to verify that a candidate certificate chain will be acceptable to the client. CVE-2020-1967 Reviewed-by: Matt Caswell <matt@openssl.org>
* Use a fetched MD if appropriate in ssl3_cbc_digest_recordMatt Caswell2020-04-203-9/+16
| | | | | | | | | | | HMACs used via the legacy EVP_DigestSign interface are strange in that they use legacy codepath's which eventually (under the covers) transform the operation into a new style EVP_MAC. This can mean the digest in use can be a legacy one, so we need to be careful with any digest we extract from the ctx. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
* Use the libctx for all EVP_PKEY_CTX operationsMatt Caswell2020-04-193-83/+39
| | | | | | | | There were a few places where we were not passing through the libctx when constructing and EVP_PKEY_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
* GOST2012 TLS ClientCertificateType Identifiers supportNikolay Morozov2020-04-181-2/+4
| | | | | | | | | For GOST2012-GOST8912-GOST8912 IANA introduce ClientCertificateType Identifiers https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11558)
* TLSEXT_SIGALG_gostr34102012 0x0840 and 0x0841 supportNikolay Morozov2020-04-163-2/+16
| | | | | | | | | For GOST2012-GOST8912-GOST8912 IANA introduce signature Signature Algorithm parametrs https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11482)
* Make sure we always send an alert in libssl if we hit a fatal errorMatt Caswell2020-04-151-1/+3
| | | | | | | | | We had a spot where a fatal error was occurring but we hadn't sent an alert. This results in a later assertion failure. Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11537)
* Make sure we use the libctx in libssl when loading PrivateKeysMatt Caswell2020-04-151-9/+15
| | | | | | | | Since loading a private key might require algorithm fetches we should make sure the correct libctx is used. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11494)
* Ensure libssl uses the new library context aware CT codeMatt Caswell2020-04-091-2/+2
| | | | | | | | | | | Ensure that when we create a CTLOG_STORE we use the new library context aware function. Also ensure that when we create a CT_POLICY_EVAL_CTX we associate it with the library context. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11483)
* Explicitly cache the X509v3_extensions in one more place in libsslMatt Caswell2020-04-091-0/+6
| | | | | | | | Make sure we cache the extensions for a cert using the right libctx. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11457)
* Use X509_STORE_CTX_new_with_libctx() in libsslMatt Caswell2020-04-092-3/+4
| | | | | | | | | Libssl is OPENSSL_CTX aware so we should use it when creating an X509_STORE_CTX. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11457)
* TLS: Temporarly downgrade newly generated EVP_PKEYs to legacyRichard Levitte2020-04-084-0/+120
| | | | | | | | | The transfer of TLS encodedpoint to backends isn't yet fully supported in provider implementations. This is a temporary measure so as not to get stuck in other development. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11358)
* EVP & TLS: Add necessary EC_KEY data extraction functions, and use themRichard Levitte2020-04-083-35/+36
| | | | | | | | | | libssl code uses EVP_PKEY_get0_EC_KEY() to extract certain basic data from the EC_KEY. We replace that with internal EVP_PKEY functions. This may or may not be refactored later on. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11358)
* TLS Cipher Suite 0xC102 SupportNikolay Morozov2020-04-023-5/+23
| | | | | | | | | | | | | For GOST2012-GOST8912-GOST8912 was used 0xFF85 identifier, but new identifier 0xc102 was assigned. Because of old software we will support both numbers. https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 https://datatracker.ietf.org/doc/draft-smyshlyaev-tls12-gost-suites/ Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11403)
* Make sure we use the libctx when creating an EVP_PKEY_CTX in libsslMatt Caswell2020-04-011-3/+28
| | | | | | | | We should use EVP_PKEY_CTX_new_from_pkey() to ensure we use the correct libctx. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11401)
* Use EVP_DigestSignInit_ex and EVP_DigestVerifyInit_ex in libsslMatt Caswell2020-04-016-8/+21
| | | | | | | | We need to make sure we use the correct libctx for all operations in libssl. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11401)
* Don't double free a DH objectMatt Caswell2020-04-011-1/+2
| | | | | | | | | | | | | Having created a DH object and assigned it to an EVP_PKEY - we should not free both the EVP_PKEY and the original DH. This will lead to a double free occurring. This issue was discovered and reported by GitHub Security Lab team member Agustin Gianni. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11441)
* Give a better error if we can't find a sig algMatt Caswell2020-03-301-2/+2
| | | | | | | | | | Some scenarios where we could not find a suitable sig alg just gave "internal error" as the reason - which isn't very helpful. A more suitable reason code already exists - so we use that. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11425)
* Explicitly cache X509v3 extensions in libsslMatt Caswell2020-03-303-2/+25
| | | | | | | | Caching the X509v3 extensions requires an explicit libctx. We do that where required in libssl. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11409)
* Don't attempt to up-ref an EVP_CIPHER if it is NULLMatt Caswell2020-03-301-1/+4
| | | | | | | | | EVP_CIPHERs in the ssl_cipher_methods table can be NULL if they are not available. We shouldn't attempt to up-ref a cipher if it is NULL. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11426)
* Update libssl to use the new library context aware SRP functionsMatt Caswell2020-03-271-12/+18
| | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11410)
* Ignore some fetch failuresMatt Caswell2020-03-271-3/+13
| | | | | | | | Some fetch failurs are ok and should be ignored. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11405)
* Use a fetched cipher for the TLSv1.3 early secretMatt Caswell2020-03-263-19/+46
| | | | | | | | We should use an explicitly fetched cipher to ensure that we are using the correct libctx and property query. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11402)
* Use a fetched cipher when decrypting a ticket in libsslMatt Caswell2020-03-261-4/+12
| | | | | | | We need to make sure we are using the correct libctx and property query. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11402)
* Make sure we use a fetched cipher when encrypting stateless ticketsMatt Caswell2020-03-241-1/+10
| | | | | | | | We use AES-256-CBC to encrypt stateless session tickets. We should ensure that the implementation is fetched from the appropriate provider. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11356)
* Use a fetched version of SHA256 in tls_process_new_session_ticket()Matt Caswell2020-03-242-3/+15
| | | | | | | | | We use the SHA256 digest of the ticket as a "fake" session id. We should ensure that the SHA256 implementation is fetched from the appropriate provider. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11356)
* Use correct libctx when fetching the TLS1 PRF in libsslMatt Caswell2020-03-231-1/+1
| | | | | | Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11357)
* Use the libctx and properties when constructing an EVP_PKEY_CTXMatt Caswell2020-03-231-1/+2
| | | | | | | | | When constructing an RSA ClientKeyExchange make sure we construct our EVP_PKEY_CTX using the correct libctx and properties Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11357)
* Constify various mostly X509-related parameter types in crypto/ and apps/Dr. David von Oheimb2020-03-231-1/+1
| | | | | | | | | in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *, also some result types of new functions, which does not break compatibility Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/10504)
* Use a flag in SSL3_BUFFER to track when an application buffer is reused.John Baldwin2020-03-164-1/+8
| | | | | | | | | | | | | | | | | | | | | With KTLS, writes to an SSL connection store the application buffer pointer directly in the 'buf' member instead of allocating a separate buffer to hold the encrypted data. As a result, ssl3_release_write_buffer() has to avoid freeing these 'buf' pointers. Previously, ssl3_release_write_buffer() checked for KTLS being enabled on the write BIO to determine if a buffer should be freed. However, a buffer can outlive a BIO. For example, 'openssl s_time' creates new write BIOs when reusing sessions. Since the new BIO did not have KTLS enabled at the start of a connection, ssl3_release_write_buffer() would incorrectly try to free the 'buf' pointer from the previous KTLS connection. To fix, track the state of 'buf' explicitly in SSL3_BUFFER to determine if the 'buf' should be freed or simply cleared. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10489)
* Code to thread-safety in ChangeCipherStateBenjamin Kaduk2020-03-131-1/+9
| | | | | | | | | | | | | | | | | | | | | The server-side ChangeCipherState processing stores the new cipher in the SSL_SESSION object, so that the new state can be used if this session gets resumed. However, writing to the session is only thread-safe for initial handshakes, as at other times the session object may be in a shared cache and in use by another thread at the same time. Reflect this invariant in the code by only writing to s->session->cipher when it is currently NULL (we do not cache sessions with no cipher). The code prior to this change would never actually change the (non-NULL) cipher value in a session object, since our server enforces that (pre-TLS-1.3) resumptions use the exact same cipher as the initial connection, and non-abbreviated renegotiations have produced a new session object before we get to this point. Regardless, include logic to detect such a condition and abort the handshake if it occurs, to avoid any risk of inadvertently using the wrong cipher on a connection. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10943)
* Don't write to the session when computing TLS 1.3 keysBenjamin Kaduk2020-03-132-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | TLS 1.3 maintains a separate keys chedule in the SSL object, but was writing to the 'master_key_length' field in the SSL_SESSION when generating the per-SSL master_secret. (The generate_master_secret SSL3_ENC_METHOD function needs an output variable for the master secret length, but the TLS 1.3 implementation just uses the output size of the handshake hash function to get the lengths, so the only natural-looking thing to use as the output length was the field in the session. This would potentially involve writing to a SSL_SESSION object that was in the cache (i.e., resumed) and shared with other threads, though. The thread-safety impact should be minimal, since TLS 1.3 requires the hash from the original handshake to be associated with the resumption PSK and used for the subsequent connection. This means that (in the resumption case) the value being written would be the same value that was previously there, so the only risk would be on architectures that can produce torn writes/reads for aligned size_t values. Since the value is essentially ignored anyway, just provide the address of a local dummy variable to generate_master_secret() instead. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10943)
* Fix whitespace nit in ssl_generate_master_secret()Benjamin Kaduk2020-03-131-1/+1
| | | | | | | Use a space after a comma. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10943)
* Deprecate the low level Diffie-Hellman functions.Pauli2020-02-204-12/+13
| | | | | | | | Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024)
* Deprecate the low level RSA functions.Pauli2020-02-201-7/+5
| | | | | | | | Use of the low level RSA functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063)
* Handle max_fragment_length overflow for DTLSSimon Cornish2020-02-191-2/+8
| | | | | | | | | Allow for encryption overhead in early DTLS size check and send overflow if validated record is too long Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11096)
* Fix coverity issuesShane Lontis2020-02-131-1/+1
| | | | | | | | | | | CID : 1458169 RESOURCE LEAK ffc_params_generate.c - False positive, but addressed another Leak in adjacent code CID : 1458171 UNCHECKED RET apps/pkeyutl.c CID : 1458173 DEAD CODE ffc_params_generate.c CID : 1458174 RESOURCE LEAK ssl_lib.c Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11048)
* Fix a mem leak in libsslMatt Caswell2020-02-131-2/+12
| | | | | | | | | | Make sure we free up any ENGINE references after we have finished using them. Fixes #11064 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11070)
* Check that ed25519 and ed448 are allowed by the security levelKurt Roeckx2020-02-111-18/+41
| | | | | | | | Signature algorithms not using an MD weren't checked that they're allowed by the security level. Reviewed-by: Matt Caswell <matt@openssl.org> GH: #10785
* Fix no-engineMatt Caswell2020-02-081-0/+4
| | | | | | | | We don't need to check if an engine has a cipher/digest in a no-engine build. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11031)
* Use the OPENSSL_CTX and property query string in EVP_PKEY_CTXMatt Caswell2020-02-065-11/+23
| | | | | | | | | When we use an EVP_PKEY_CTX in libssl we should be doing so with the OPENSSL_CTX and property query string that were specified when the SSL_CTX object was first created. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
* Explicitly fetch ciphers and digests in libsslMatt Caswell2020-02-0615-171/+324
| | | | | | | | | We modify libssl to use explicitly fetched ciphers, digests and other algorithms as required based on the configured library context and property query string for the SSL_CTX that is being used. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10854)
* Params: change UTF8 construct calls to avoid explicit strlen(3) calls.Pauli2020-02-062-3/+3
| | | | | | | | | | It is better, safer and smaller to let the library routine handle the strlen(3) call. Added a note to the documentation suggesting this. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11019)
* Detect EOF while reading in libsslMatt Caswell2020-02-042-1/+9
| | | | | | | | | | | | If we hit an EOF while reading in libssl then we will report an error back to the application (SSL_ERROR_SYSCALL) but errno will be 0. We add an error to the stack (which means we instead return SSL_ERROR_SSL) and therefore give a hint as to what went wrong. Contains a partial fix for #10880 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/10907)
* Don't acknowledge a servername following warning alert in servername cbMatt Caswell2020-01-301-0/+1
| | | | | | | | | If the servername cb decides to send back a warning alert then the handshake continues, but we should not signal to the client that the servername has been accepted. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/10018)
* Fix SSL_get_servername() and SNI behaviourMatt Caswell2020-01-303-22/+86
| | | | | | | | | | | | | | | | | | | | | | | | | The SNI behaviour for TLSv1.3 and the behaviour of SSL_get_servername() was not quite right, and not entirely consistent with the RFC. The TLSv1.3 RFC explicitly says that SNI is negotiated on each handshake and the server is not required to associate it with the session. This was not quite reflected in the code so we fix that. Additionally there were some additional checks around early_data checking that the SNI between the original session and this session were consistent. In fact the RFC does not require any such checks, so they are removed. Finally the behaviour of SSL_get_servername() was not quite right. The behaviour was not consistent between resumption and normal handshakes, and also not quite consistent with historical behaviour. We clarify the behaviour in various scenarios and also attempt to make it match historical behaviour as closely as possible. Fixes #8822 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/10018)
* TLS: use EVP for HMAC throughout libssl.Pauli2020-01-294-29/+220
| | | | | | | | Backwards compatibility with the old ticket key call back is maintained. This will be removed when the low level HMAC APIs are finally removed. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10836)
* Check that the default signature type is allowedKurt Roeckx2020-01-252-5/+13
| | | | | | | | | | | | TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the others. TLS 1.2 sends a list of supported ciphers, but allows not sending it in which case SHA1 is used. TLS 1.3 makes sending the list mandatory. When we didn't receive a list from the client, we always used the defaults without checking that they are allowed by the configuration. Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #10784