Commit Graph

3958 Commits

Author SHA1 Message Date
Pauli
ada66e78ef Deprecate the low level Diffie-Hellman functions.
Use of the low level DH functions has been informally discouraged for a
long time.  We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)
2020-02-20 19:04:57 +10:00
Pauli
c5f8713443 Deprecate the low level RSA functions.
Use of the low level RSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)
2020-02-20 18:58:40 +10:00
Simon Cornish
cc0663f697 Handle max_fragment_length overflow for DTLS
Allow for encryption overhead in early DTLS size check
and send overflow if validated record is too long

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11096)
2020-02-19 09:21:10 +01:00
Shane Lontis
075b1f2f42 Fix coverity issues
CID : 1458169 RESOURCE LEAK ffc_params_generate.c - False positive, but addressed another Leak in adjacent code
CID : 1458171 UNCHECKED RET apps/pkeyutl.c
CID : 1458173 DEAD CODE ffc_params_generate.c
CID : 1458174 RESOURCE LEAK ssl_lib.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11048)
2020-02-14 07:28:46 +10:00
Matt Caswell
0618b62ca2 Fix a mem leak in libssl
Make sure we free up any ENGINE references after we have finished using
them.

Fixes #11064

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11070)
2020-02-13 14:25:32 +00:00
Kurt Roeckx
620c97b671 Check that ed25519 and ed448 are allowed by the security level
Signature algorithms not using an MD weren't checked that they're
allowed by the security level.

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #10785
2020-02-11 23:24:03 +01:00
Matt Caswell
709b5e8a3e Fix no-engine
We don't need to check if an engine has a cipher/digest in a no-engine
build.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11031)
2020-02-07 23:27:58 +00:00
Matt Caswell
0f00ed7720 Use the OPENSSL_CTX and property query string in EVP_PKEY_CTX
When we use an EVP_PKEY_CTX in libssl we should be doing so with the
OPENSSL_CTX and property query string that were specified when the
SSL_CTX object was first created.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10854)
2020-02-06 11:59:07 +00:00
Matt Caswell
c8f6c28a93 Explicitly fetch ciphers and digests in libssl
We modify libssl to use explicitly fetched ciphers, digests and other
algorithms as required based on the configured library context and
property query string for the SSL_CTX that is being used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10854)
2020-02-06 11:59:07 +00:00
Pauli
8b6ffd4040 Params: change UTF8 construct calls to avoid explicit strlen(3) calls.
It is better, safer and smaller to let the library routine handle the
strlen(3) call.

Added a note to the documentation suggesting this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11019)
2020-02-06 16:22:00 +10:00
Matt Caswell
d924dbf4ae Detect EOF while reading in libssl
If we hit an EOF while reading in libssl then we will report an error
back to the application (SSL_ERROR_SYSCALL) but errno will be 0. We add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.

Contains a partial fix for #10880

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10907)
2020-02-04 14:39:29 +00:00
Matt Caswell
cd624ccd41 Don't acknowledge a servername following warning alert in servername cb
If the servername cb decides to send back a warning alert then the
handshake continues, but we should not signal to the client that the
servername has been accepted.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/10018)
2020-01-30 16:01:26 +00:00
Matt Caswell
7955c1f16e Fix SSL_get_servername() and SNI behaviour
The SNI behaviour for TLSv1.3 and the behaviour of SSL_get_servername()
was not quite right, and not entirely consistent with the RFC.

The TLSv1.3 RFC explicitly says that SNI is negotiated on each handshake
and the server is not required to associate it with the session. This was
not quite reflected in the code so we fix that.

Additionally there were some additional checks around early_data checking
that the SNI between the original session and this session were
consistent. In fact the RFC does not require any such checks, so they are
removed.

Finally the behaviour of SSL_get_servername() was not quite right. The
behaviour was not consistent between resumption and normal handshakes,
and also not quite consistent with historical behaviour. We clarify the
behaviour in various scenarios and also attempt to make it match historical
behaviour as closely as possible.

Fixes #8822

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/10018)
2020-01-30 16:01:25 +00:00
Pauli
a76ce2862b TLS: use EVP for HMAC throughout libssl.
Backwards compatibility with the old ticket key call back is maintained.
This will be removed when the low level HMAC APIs are finally removed.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10836)
2020-01-29 19:49:23 +10:00
Kurt Roeckx
b0031e5dc2 Check that the default signature type is allowed
TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the
others. TLS 1.2 sends a list of supported ciphers, but allows not sending
it in which case SHA1 is used. TLS 1.3 makes sending the list mandatory.

When we didn't receive a list from the client, we always used the
defaults without checking that they are allowed by the configuration.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #10784
2020-01-25 14:10:40 +01:00
Matt Caswell
8f21260b09 Make sure we use RAND_bytes_ex and RAND_priv_bytes_ex in libssl
Now that libssl knows about libctx we should use it wherever we generate
a random number.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10927)
2020-01-24 15:12:56 +00:00
Matt Caswell
ba18627e4a Introduce SSL_CTX_new_with_libex()
We add the ability to specify an OPENSSL_CTX (which may be NULL for the
default context) and a property query string for use during algorithm
fetch operations.

For example, in this way one SSL_CTX could be used the default provider,
and another one could be used with the FIPS provider.

At this stage we don't use these values. That will come later.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10866)
2020-01-22 10:47:12 +00:00
Matt Caswell
bddbfae1cd libssl: Eliminate as much use of EVP_PKEY_size() as possible
Some uses were going against documented recommendations.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10798)
2020-01-19 02:47:46 +01:00
Pauli
781aa7ab63 Deprecate the low level MD5 functions.
Use of the low level MD5 functions has been informally discouraged for a long
time.  We now formally deprecate them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10791)
2020-01-19 10:14:39 +10:00
Pauli
85d843c8ec Deprecate the low level SHA functions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10791)
2020-01-19 10:14:39 +10:00
dcruette
2de5a5fbdd Update tls13_enc.c
Fix double + in hkdflabel declaration (FIXES #10675)
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10700)
2020-01-02 13:49:41 +01:00
Rich Salz
742ccab318 Deprecate most of debug-memory
Fixes #8322

The leak-checking (and backtrace option, on some platforms) provided
by crypto-mdebug and crypto-mdebug-backtrace have been mostly neutered;
only the "make malloc fail" capability remains.  OpenSSL recommends using
the compiler's leak-detection instead.

The OPENSSL_DEBUG_MEMORY environment variable is no longer used.
CRYPTO_mem_ctrl(), CRYPTO_set_mem_debug(), CRYPTO_mem_leaks(),
CRYPTO_mem_leaks_fp() and CRYPTO_mem_leaks_cb() return a failure code.
CRYPTO_mem_debug_{malloc,realloc,free}() have been removed.  All of the
above are now deprecated.

Merge (now really small) mem_dbg.c into mem.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10572)
2019-12-14 20:57:35 +01:00
Dmitry Belyavskiy
4e3ee452d0 Parse large GOST ClientKeyExchange messages
Large GOST ClientKeyExchange messages are sent by VipNet CSP, one of
Russian certified products implementing GOST TLS, when a server
certificate contains 512-bit keys.

This behaviour was present in 1.0.2 branch and needs to be restored.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10376)
2019-12-13 17:43:33 +03:00
Veres Lajos
79c44b4e30 Fix some typos
Reported-by: misspell-fixer <https://github.com/vlajos/misspell-fixer>

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10544)
2019-12-11 19:04:01 +01:00
Matt Caswell
e7db9680db Move constant time RSA code out of libssl
Server side RSA key transport code in a Client Key Exchange message
currently uses constant time code to check that the RSA decrypt is
correctly formatted. The previous commit taught the underlying RSA
implementation how to do this instead, so we use that implementation and
remove this code from libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)
2019-12-05 16:12:18 +00:00
John Baldwin
a7bdd0433c Support ciphersuites using a SHA2 384 digest in FreeBSD KTLS.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #10372
2019-11-24 23:12:38 +01:00
Daniil Zotkin
6834df12d1 Process GOST ClientKeyExchange message in SSL_trace
Use ssl_print_hex to print message in case of GOST key exchange algorithm.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9995)
2019-11-23 16:27:30 +03:00
Benjamin Kaduk
2a53855110 Fix a race condition in SNI handling
As was done for ciphers, supported groups, and EC point formats in
https://github.com/openssl/openssl/pull/9162, only write the negotiated
SNI hostname value to the session object when not resuming, even for
TLS 1.3 resumptions.  Otherwise, when using a stateful session cache
(as is done by default when 0-RTT data is enabled), we can have multiple
SSLs active using the same in-memory session object, which leads to
double-frees and similar race conditions in the SNI handler prior
to this commit.

Fortunately, since draft-ietf-tls-tls13-22, there is no requirement
that the SNI hostname be preserved across TLS 1.3 resumption, and thus
not a need to continually update the session object with the "current"
value (to be used when producing session tickets, so that the subsequent
resumption can be checked against the current value).  So we can just
relax the logic and only write to the session object for initial handshakes.
This still leaves us in a somewhat inconsistent state, since if the SNI value
does change across handshakes, the session object will continue to record
the initial handshake's value, even if that bears no relation to the
current handshake.  The current SSL_get_servername() implementation
prefers the value from the session if s->hit, but a more complete fix
for that and related issues is underway in
https://github.com/openssl/openssl/pull/10018; there is no need to wait
for the complete fix for SNI name handling in order to close the
race condition and avoid runtime crashes.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10441)
2019-11-21 18:09:59 -08:00
raniervf
4bac25e111 commit a6efbe123af3d98b4d10d4fcdfe68dc5303212f8
Author: raniervf <ranier_gyn@hotmail.com>
Date:   Thu Nov 7 18:59:11 2019 -0300

Avoid calling strlen repeatedly in loops.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10380)
2019-11-16 08:29:26 +10:00
Richard Levitte
ee669781d5 SSL: Document SSL_add_{file,dir,store}_cert_subjects_to_stack()
This also removes the incorrect documentation comments by those
functions, and fixes a bug in SSL_add_store_cert_subjects_to_stack(),
where the condition for recursive addition was 'depth == 0' when it
should be 'depth > 0'.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10402)
2019-11-12 13:38:36 +01:00
Ido Ben-Natan
6ed12cec72 Fix misspelled resumption_label for CHARSET_EBCDIC
The resumption_label variable when CHARSET_EBCDIC was enabled, was misspelled.
Instead of evaluating to 'res binder' as expected, it evaluated to 'red binder'.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10396)
2019-11-11 17:04:43 +01:00
Dmitry Belyavskiy
db30f43242 Workaround for Windows-based GOST implementations
Many Windows-based GOST TLS implementations are unable to extend the
list of supported SignatureAlgorithms because of lack of the necessary
callback in Windows. So for TLS 1.2 it makes sense to imply the support
of GOST algorithms in case when the GOST ciphersuites are present.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10377)
2019-11-10 18:59:26 +03:00
Richard Levitte
285a0db396 Update some inclusions of <openssl/macros.h>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10364)
2019-11-07 11:37:25 +01:00
Richard Levitte
00db8c60aa Update source files for pre-3.0 deprecation
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10364)
2019-11-07 11:37:25 +01:00
Richard Levitte
6dcb100f89 X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI
This is a wrapper around OSSL_STORE.

This also adds necessary support functions:

- X509_STORE_load_file
- X509_STORE_load_path
- X509_STORE_load_store
- SSL_add_store_cert_subjects_to_stack
- SSL_CTX_set_default_verify_store
- SSL_CTX_load_verify_file
- SSL_CTX_load_verify_dir
- SSL_CTX_load_verify_store

and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations,
as they aren't extensible.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8442)
2019-11-03 18:38:23 +01:00
John Baldwin
f059e4cc43 Don't generate a MAC when using KTLS.
The kernel will generate the MAC when transmitting the frame.  Doing
so here causes the MAC to be included as part of the plain text that
the kernel MACs and encrypts.  Note that this path is not taken when
using stitched cipher suites.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10045)
2019-10-31 10:24:32 +00:00
John Baldwin
712c094293 Simplify NO_KTLS path in SSL_sendfile.
Avoid tripping over errno values from previous system calls in the
thread and just hardcode the specific error.  BIO_get_ktls_send()
should never be true in the NO_KTLS path, so the #ifdef could be
moved even higher up to assume that error path in the NO_KTLS case
instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10045)
2019-10-31 10:24:32 +00:00
Andrew Gallatin
54f30cb57c Bypass multiblock and send individual records when using KTLS.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10045)
2019-10-31 10:24:32 +00:00
Andrew Gallatin
2111f5c283 Add support for in-kernel TLS (KTLS) on FreeBSD.
- Check for the <sys/ktls.h> header to determine if KTLS support
  is available.
- Populate a tls_enable structure with session key material for
  supported algorithms.  At present, AES-GCM128/256 and AES-CBC128/256
  with SHA1 and SHA2-256 HMACs are supported.  For AES-CBC, only MtE
  is supported.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10045)
2019-10-31 10:24:32 +00:00
raja-ashok
187753e09c Fix leak with no-ec config
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10194)
2019-10-21 09:33:34 +10:00
Rich Salz
3d48457478 Replace BUF_ string function calls with OPENSSL_ ones
Deprecate the BUF_ string macros

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10207)
2019-10-17 23:19:59 +02:00
Richard Levitte
47b4ccea9c Stop using EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
This is a flag that has lost its relevance.  The new mechanism to do
the same thing is to fetch the needed digest explicitly with "-fips"
as property query, i.e. we remove any requirement for that property to
be set when fetching, even if the default property query string
requires its presence.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10138)
2019-10-11 09:52:31 +02:00
Artiom Vaskov
99435164ac ssl/statem/statem_lib.c: make servercontext/clientcontext arrays of chars instead of char pointers to fix EBCDIC builds.
Fixes #9869

CLA:trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9878)

(cherry picked from commit d8e8ed0220)
2019-10-10 16:28:44 +02:00
Rich Salz
12a765a523 Explicitly test against NULL; do not use !p or similar
Also added blanks lines after declarations in a couple of places.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9916)
2019-10-09 21:32:15 +02:00
Matt Caswell
3713329083 Send bad_record_mac instead of decryption_failed
The decryption failed alert was deprecated a long time ago. It can
provide an attacker too much information to be able to distinguish between
MAC failures and decryption failures and can lead to oracle attacks.
Instead we should always use the bad_record_mac alert for these issues.
This fixes one instance that still exists. It does not represent a
security issue in this case because it is only ever sent if the record is
publicly invalid, i.e. we have detected it is invalid without using any
secret material.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10093)
2019-10-07 08:12:43 +01:00
NaveenShivanna86
e7c27a6c37 'init_buf' memory can be freed when DTLS is used over SCTP (not over UDP).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9653)
2019-10-03 15:17:57 +02:00
Daniil Zotkin
65c76cd2c9 Do not print extensions in Certificate message for TLS1.2 and lower
According to RFC8446 CertificateEntry in Certificate message contains
extensions that were not present in the Certificate message in RFC5246.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9994)
2019-10-03 10:29:49 +10:00
Dr. Matthias St. Pierre
ae4186b004 Fix header file include guard names
Make the include guards consistent by renaming them systematically according
to the naming conventions below

For the public header files (in the 'include/openssl' directory), the guard
names try to match the path specified in the include directives, with
all letters converted to upper case and '/' and '.' replaced by '_'. For the
private header files files, an extra 'OSSL_' is added as prefix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 20:26:36 +02:00
Dr. Matthias St. Pierre
706457b7bd Reorganize local header files
Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
directory. Currently, they have different suffixes like

  '*_lcl.h', '*_local.h', or '*_int.h'

This commit changes the different suffixes to '*_local.h' uniformly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 20:26:35 +02:00
Richard Levitte
0cd1b144f9 util/mkerr.pl: make it not depend on the function code
The output C code was made to use ERR_func_error_string() to see if a
string table was already loaded or not.  Since this function returns
NULL always, this check became useless.

Change it to use ERR_reason_error_string() instead, as there's no
reason to believe we will get rid of reason strings, ever.

To top it off, we rebuild all affected C sources.

Fixes #9756

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9756)
2019-09-12 17:59:52 +02:00