- Tolerate RSA PKCS#1 *certificate* signatures when
the peer sigals include RSA PSS with the same digest.
Now that we're more strict about not sending sigalgs that are out of
protocol range, when the client supports TLS 1.3 only, we might refuse
to return an RSA PKCS#1-signed cert.
- Don't send TLS 1.3 sigalgs when requesting client certs from
a TLS 1.2 client.
Fixes: #1144Fixes: #25277
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27166)
On the server side we were changing the handshake rx secret a little late.
This meant the application was forced to call SSL_do_handshake() again
even if there was nothing to read in order to get the secret. We move it
a little earlier int the process to avoid this.
Fixes the issue described in:
https://github.com/ngtcp2/ngtcp2/pull/1582#issuecomment-2735950083
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27101)
The TLS EndOfEarlyData message is not applicable in some scenarios (e.g., QUIC).
This adds a macro to handle this message.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26552)
quic interop testing showed that interop with the mvfst client was
failing, due to detecting mis ordering of supported groups and keyshare
extensions
This is strictly a mvfst problem to fix, but RFC 8446 indicates that we
MAY check the ordering but don't strictly have to.
We've opened an issue with the client to fix this, but in the interests
of client compatibility relax the ordering check so that, instead of
issuing a fatal alert, we just log a trace message indicating the
discrepancy
Fixesopenssl/project#1106
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26818)
While RPK performs X.509 checks correctly, at the SSL layer the
SSL_VERIFY_PEER flag was not honoured and connections were allowed to
complete even when the server was not verified. The client can of
course determine this by calling SSL_get_verify_result(), but some
may not know to do this.
Added tests to make sure this does not regress.
Fixes CVE-2024-12797
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
This PR is the implementation of concluded discussion that occurred in a
draft PR #25605. This changes were mainly authored by @martinschmatz
with some contribution from myself.
It addresses issue #21633
This extends the group list definition to support a more complex
definition while still retaining backward compatibility with the simple
form of colon separated groups.
Details of the agreed format and expected behaviour can be found in
#25605 and in the documentation changes.
Signed-off-by: Dave Kelsey <d_kelsey@uk.ibm.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26445)
This changes the alert according to RFC 8446.
Fixes: #25402
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25547)
When processing a callback within libssl that applies to TLS the original
SSL object may have been created for TLS directly, or for QUIC. When making
the callback we must make sure that we use the correct SSL object. In the
case of QUIC we must not use the internal only SSL object.
Fixes#25788
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25874)
Fixes#25471
Signed-off-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25845)
`sess` is not NULL at this point, and is freed on the success path, but
not on the error path. Fix this by going to the `err` label such that
`SSL_SESSION_free(sess)` is called.
CLA: trivial
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25643)
- Remove e_os.h include from "ssl_local.h"
- Added e_os.h into the files that need it now.
- Move e_os.h to be the very first include
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14344)
As reported by Alicja Kario, we ignored excess bytes after the
signature payload in TLS CertificateVerify Messages. These
should not be present.
Fixes: #25298
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25302)
Fixes#7940: Updated the compression check logic to improve protocol compliance. The code now returns `SSL_AD_DECODE_ERROR` when no compression method is provided in the ClientHello message. It returns `SSL_AD_ILLEGAL_PARAMETER` if the “null” compression method (0x00) is missing.
Additionally, refactored the related test code for enhanced readability and maintainability.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25255)
For SHAKE algorithms we now return 0 from EVP_MD_size().
So all the places that check for < 0 needed to change to <= 0
(Otherwise the behaviour will be to digest nothing in most cases).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)
RFC8446 requires we send an illegal_parameter alert if we don't get a
key_share back from the server and our kex_modes require one. We were
instead reporting this as missing_extension.
Fixes#25040
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25059)
If an HRR is sent then it MUST contain supported_versions according to the
RFC. We were sanity checking any supported_versions extension that was sent
but failed to verify that it was actually present.
Fixes#25041
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25068)
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
Found by running the checkpatch.pl Linux script to enforce coding style.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22097)
windows vs2019 throws warnings when compiling openssl for edk2:
ERROR - Compiler #2220 from [2024-07-15 13:43:34] [build-stdout] d:\a\edk2\edk2\CryptoPkg\Library\OpensslLib\openssl\ssl\statem\statem_clnt.c(1895) : the following warning is treated as an error
WARNING - Compiler #4701 from [2024-07-15 13:43:34] [build-stdout] d:\a\edk2\edk2\CryptoPkg\Library\OpensslLib\openssl\ssl\statem\statem_clnt.c(1895) : potentially uninitialized local variable 'peer_rpk' used
WARNING - Compiler #4703 from [2024-07-15 13:43:34] [build-stdout] d:\a\edk2\edk2\CryptoPkg\Library\OpensslLib\openssl\ssl\statem\statem_clnt.c(1895) : potentially uninitialized local pointer variable 'peer_rpk' used
Explicitly initialize the peer_rpk variable to make the compiler happy.
Yes, it's a false positive, but you have to check the tls_process_rpk()
body in another source file to see that, which apparently is beyond the
compiler's capabilities.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24895)
The ALPN protocol selected by the server must be one that we originally
advertised. We should verify that it is.
Follow on from CVE-2024-5535
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
rather than EXT_RETURN_SENT. This actually makes no difference at all to
the current control flow since this return value is ignored in this case
anyway. But lets make it correct anyway.
Follow on from CVE-2024-5535
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.
Follow on from CVE-2024-5535
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
A psk session was assumed to be a resumption which failed a check
when parsing the max_fragment_length extension hello from the client.
Relevant code from PR#18130 which was a suggested fix to the issue
was cherry-picked.
Fixes#18121
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24513)
The compression methods are now a global variable in libssl.
This change moves it into OSSL library context.
It is necessary to eliminate atexit call from libssl.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24414)
Setting the server sig algs sets up the certificate "s3->tmp.valid_flags".
These are needed when calling ssl3_choose_cipher() which can happen
immediately after calling the session_secret_cb
Fixes#24213
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24309)
Replace the type of variables with int to avoid implicit conversion when it is assigned by EVP_MD_get_size().
Moreover, add the checks to avoid integer overflow.
Fixes: 6594189 ("Merge early_data_info extension into early_data")
Fixes: 9368f86 ("Add TLSv1.3 client side external PSK support")
Fixes: 1053a6e ("Implement Server side of PSK extension parsing")
Signed-off-by: Jiasheng Jiang <jiasheng@purdue.edu>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23937)
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
(cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24034)
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24042)
Using the client one when the server once should be used could cause a
later call to SSL_set_accept_state() to unexpectedly fail.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23256)
`tls_parse_ctos_key_share()` didn't properly handle the option.
Avoid the need to deal with the option in multiple places by properly
handling it in `tls_parse_ctos_psk_kex_modes()`.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22844)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22828)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22828)
