Commit Graph

3983 Commits

Author SHA1 Message Date
Matt Caswell
1a37ee9402 Ensure libssl uses the new library context aware CT code
Ensure that when we create a CTLOG_STORE we use the new library context
aware function.

Also ensure that when we create a CT_POLICY_EVAL_CTX we associate it with
the library context.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11483)
2020-04-09 14:51:48 +01:00
Matt Caswell
e66c37deb6 Explicitly cache the X509v3_extensions in one more place in libssl
Make sure we cache the extensions for a cert using the right libctx.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11457)
2020-04-09 00:00:20 +01:00
Matt Caswell
a959b4fa97 Use X509_STORE_CTX_new_with_libctx() in libssl
Libssl is OPENSSL_CTX aware so we should use it when creating an
X509_STORE_CTX.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11457)
2020-04-08 23:56:29 +01:00
Richard Levitte
afce590b74 TLS: Temporarly downgrade newly generated EVP_PKEYs to legacy
The transfer of TLS encodedpoint to backends isn't yet fully supported
in provider implementations.  This is a temporary measure so as not to
get stuck in other development.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11358)
2020-04-08 15:30:25 +02:00
Richard Levitte
c2041da8c1 EVP & TLS: Add necessary EC_KEY data extraction functions, and use them
libssl code uses EVP_PKEY_get0_EC_KEY() to extract certain basic data
from the EC_KEY.  We replace that with internal EVP_PKEY functions.

This may or may not be refactored later on.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11358)
2020-04-08 15:30:25 +02:00
Nikolay Morozov
98278b9631 TLS Cipher Suite 0xC102 Support
For GOST2012-GOST8912-GOST8912 was used 0xFF85 identifier,
but new identifier 0xc102 was assigned.
Because of old software we will support both numbers.

https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
https://datatracker.ietf.org/doc/draft-smyshlyaev-tls12-gost-suites/

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11403)
2020-04-02 18:01:41 +03:00
Matt Caswell
d882e4ce56 Make sure we use the libctx when creating an EVP_PKEY_CTX in libssl
We should use EVP_PKEY_CTX_new_from_pkey() to ensure we use the correct
libctx.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11401)
2020-04-01 17:29:12 +01:00
Matt Caswell
fc69f32cd6 Use EVP_DigestSignInit_ex and EVP_DigestVerifyInit_ex in libssl
We need to make sure we use the correct libctx for all operations in
libssl.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11401)
2020-04-01 17:28:56 +01:00
Matt Caswell
fe56d5951f Don't double free a DH object
Having created a DH object and assigned it to an EVP_PKEY - we should
not free both the EVP_PKEY and the original DH. This will lead to a
double free occurring.

This issue was discovered and reported by GitHub Security Lab team member
Agustin Gianni.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11441)
2020-04-01 17:16:58 +01:00
Matt Caswell
a70535f849 Give a better error if we can't find a sig alg
Some scenarios where we could not find a suitable sig alg just
gave "internal error" as the reason - which isn't very helpful. A
more suitable reason code already exists - so we use that.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11425)
2020-03-30 15:21:20 +01:00
Matt Caswell
9f0f53b7db Explicitly cache X509v3 extensions in libssl
Caching the X509v3 extensions requires an explicit libctx. We do that
where required in libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)
2020-03-30 14:54:37 +01:00
Matt Caswell
c2146b57d2 Don't attempt to up-ref an EVP_CIPHER if it is NULL
EVP_CIPHERs in the ssl_cipher_methods table can be NULL if
they are not available. We shouldn't attempt to up-ref a
cipher if it is NULL.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11426)
2020-03-30 14:46:54 +01:00
Matt Caswell
1744b6d3aa Update libssl to use the new library context aware SRP functions
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11410)
2020-03-27 11:29:25 +00:00
Matt Caswell
5fcb97c61e Ignore some fetch failures
Some fetch failurs are ok and should be ignored.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11405)
2020-03-27 11:12:27 +00:00
Matt Caswell
9727f4e7fd Use a fetched cipher for the TLSv1.3 early secret
We should use an explicitly fetched cipher to ensure that we are using
the correct libctx and property query.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11402)
2020-03-26 13:46:43 +00:00
Matt Caswell
148bfd26a4 Use a fetched cipher when decrypting a ticket in libssl
We need to make sure we are using the correct libctx and property query.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11402)
2020-03-26 13:46:43 +00:00
Matt Caswell
6f829f58ef Make sure we use a fetched cipher when encrypting stateless tickets
We use AES-256-CBC to encrypt stateless session tickets. We should
ensure that the implementation is fetched from the appropriate provider.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11356)
2020-03-24 16:13:59 +00:00
Matt Caswell
abd86cecce Use a fetched version of SHA256 in tls_process_new_session_ticket()
We use the SHA256 digest of the ticket as a "fake" session id. We should
ensure that the SHA256 implementation is fetched from the appropriate
provider.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11356)
2020-03-24 16:13:59 +00:00
Matt Caswell
ca1bbc1a20 Use correct libctx when fetching the TLS1 PRF in libssl
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11357)
2020-03-23 11:23:26 +00:00
Matt Caswell
3aceb9ec51 Use the libctx and properties when constructing an EVP_PKEY_CTX
When constructing an RSA ClientKeyExchange make sure we construct our
EVP_PKEY_CTX using the correct libctx and properties

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11357)
2020-03-23 11:23:26 +00:00
Dr. David von Oheimb
8cc86b81ac Constify various mostly X509-related parameter types in crypto/ and apps/
in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *,
also some result types of new functions, which does not break compatibility

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10504)
2020-03-23 08:30:37 +01:00
John Baldwin
074a6e86e6 Use a flag in SSL3_BUFFER to track when an application buffer is reused.
With KTLS, writes to an SSL connection store the application buffer
pointer directly in the 'buf' member instead of allocating a separate
buffer to hold the encrypted data.  As a result,
ssl3_release_write_buffer() has to avoid freeing these 'buf' pointers.

Previously, ssl3_release_write_buffer() checked for KTLS being enabled
on the write BIO to determine if a buffer should be freed.  However, a
buffer can outlive a BIO.  For example, 'openssl s_time' creates new
write BIOs when reusing sessions.  Since the new BIO did not have KTLS
enabled at the start of a connection, ssl3_release_write_buffer()
would incorrectly try to free the 'buf' pointer from the previous KTLS
connection.  To fix, track the state of 'buf' explicitly in
SSL3_BUFFER to determine if the 'buf' should be freed or simply
cleared.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10489)
2020-03-16 10:41:51 +01:00
Benjamin Kaduk
2e3ec2e157 Code to thread-safety in ChangeCipherState
The server-side ChangeCipherState processing stores the new cipher
in the SSL_SESSION object, so that the new state can be used if
this session gets resumed.  However, writing to the session is only
thread-safe for initial handshakes, as at other times the session
object may be in a shared cache and in use by another thread at the
same time.  Reflect this invariant in the code by only writing to
s->session->cipher when it is currently NULL (we do not cache sessions
with no cipher).  The code prior to this change would never actually
change the (non-NULL) cipher value in a session object, since our
server enforces that (pre-TLS-1.3) resumptions use the exact same
cipher as the initial connection, and non-abbreviated renegotiations
have produced a new session object before we get to this point.
Regardless, include logic to detect such a condition and abort the
handshake if it occurs, to avoid any risk of inadvertently using
the wrong cipher on a connection.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Benjamin Kaduk
d74014c4b8 Don't write to the session when computing TLS 1.3 keys
TLS 1.3 maintains a separate keys chedule in the SSL object, but
was writing to the 'master_key_length' field in the SSL_SESSION
when generating the per-SSL master_secret.  (The generate_master_secret
SSL3_ENC_METHOD function needs an output variable for the master secret
length, but the TLS 1.3 implementation just uses the output size of
the handshake hash function to get the lengths, so the only natural-looking
thing to use as the output length was the field in the session.
This would potentially involve writing to a SSL_SESSION object that was
in the cache (i.e., resumed) and shared with other threads, though.

The thread-safety impact should be minimal, since TLS 1.3 requires the
hash from the original handshake to be associated with the resumption
PSK and used for the subsequent connection.  This means that (in the
resumption case) the value being written would be the same value that was
previously there, so the only risk would be on architectures that can
produce torn writes/reads for aligned size_t values.

Since the value is essentially ignored anyway, just provide the
address of a local dummy variable to generate_master_secret() instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Benjamin Kaduk
1866a0d380 Fix whitespace nit in ssl_generate_master_secret()
Use a space after a comma.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Pauli
ada66e78ef Deprecate the low level Diffie-Hellman functions.
Use of the low level DH functions has been informally discouraged for a
long time.  We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11024)
2020-02-20 19:04:57 +10:00
Pauli
c5f8713443 Deprecate the low level RSA functions.
Use of the low level RSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11063)
2020-02-20 18:58:40 +10:00
Simon Cornish
cc0663f697 Handle max_fragment_length overflow for DTLS
Allow for encryption overhead in early DTLS size check
and send overflow if validated record is too long

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11096)
2020-02-19 09:21:10 +01:00
Shane Lontis
075b1f2f42 Fix coverity issues
CID : 1458169 RESOURCE LEAK ffc_params_generate.c - False positive, but addressed another Leak in adjacent code
CID : 1458171 UNCHECKED RET apps/pkeyutl.c
CID : 1458173 DEAD CODE ffc_params_generate.c
CID : 1458174 RESOURCE LEAK ssl_lib.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11048)
2020-02-14 07:28:46 +10:00
Matt Caswell
0618b62ca2 Fix a mem leak in libssl
Make sure we free up any ENGINE references after we have finished using
them.

Fixes #11064

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11070)
2020-02-13 14:25:32 +00:00
Kurt Roeckx
620c97b671 Check that ed25519 and ed448 are allowed by the security level
Signature algorithms not using an MD weren't checked that they're
allowed by the security level.

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #10785
2020-02-11 23:24:03 +01:00
Matt Caswell
709b5e8a3e Fix no-engine
We don't need to check if an engine has a cipher/digest in a no-engine
build.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11031)
2020-02-07 23:27:58 +00:00
Matt Caswell
0f00ed7720 Use the OPENSSL_CTX and property query string in EVP_PKEY_CTX
When we use an EVP_PKEY_CTX in libssl we should be doing so with the
OPENSSL_CTX and property query string that were specified when the
SSL_CTX object was first created.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10854)
2020-02-06 11:59:07 +00:00
Matt Caswell
c8f6c28a93 Explicitly fetch ciphers and digests in libssl
We modify libssl to use explicitly fetched ciphers, digests and other
algorithms as required based on the configured library context and
property query string for the SSL_CTX that is being used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10854)
2020-02-06 11:59:07 +00:00
Pauli
8b6ffd4040 Params: change UTF8 construct calls to avoid explicit strlen(3) calls.
It is better, safer and smaller to let the library routine handle the
strlen(3) call.

Added a note to the documentation suggesting this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11019)
2020-02-06 16:22:00 +10:00
Matt Caswell
d924dbf4ae Detect EOF while reading in libssl
If we hit an EOF while reading in libssl then we will report an error
back to the application (SSL_ERROR_SYSCALL) but errno will be 0. We add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.

Contains a partial fix for #10880

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10907)
2020-02-04 14:39:29 +00:00
Matt Caswell
cd624ccd41 Don't acknowledge a servername following warning alert in servername cb
If the servername cb decides to send back a warning alert then the
handshake continues, but we should not signal to the client that the
servername has been accepted.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/10018)
2020-01-30 16:01:26 +00:00
Matt Caswell
7955c1f16e Fix SSL_get_servername() and SNI behaviour
The SNI behaviour for TLSv1.3 and the behaviour of SSL_get_servername()
was not quite right, and not entirely consistent with the RFC.

The TLSv1.3 RFC explicitly says that SNI is negotiated on each handshake
and the server is not required to associate it with the session. This was
not quite reflected in the code so we fix that.

Additionally there were some additional checks around early_data checking
that the SNI between the original session and this session were
consistent. In fact the RFC does not require any such checks, so they are
removed.

Finally the behaviour of SSL_get_servername() was not quite right. The
behaviour was not consistent between resumption and normal handshakes,
and also not quite consistent with historical behaviour. We clarify the
behaviour in various scenarios and also attempt to make it match historical
behaviour as closely as possible.

Fixes #8822

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/10018)
2020-01-30 16:01:25 +00:00
Pauli
a76ce2862b TLS: use EVP for HMAC throughout libssl.
Backwards compatibility with the old ticket key call back is maintained.
This will be removed when the low level HMAC APIs are finally removed.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10836)
2020-01-29 19:49:23 +10:00
Kurt Roeckx
b0031e5dc2 Check that the default signature type is allowed
TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the
others. TLS 1.2 sends a list of supported ciphers, but allows not sending
it in which case SHA1 is used. TLS 1.3 makes sending the list mandatory.

When we didn't receive a list from the client, we always used the
defaults without checking that they are allowed by the configuration.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #10784
2020-01-25 14:10:40 +01:00
Matt Caswell
8f21260b09 Make sure we use RAND_bytes_ex and RAND_priv_bytes_ex in libssl
Now that libssl knows about libctx we should use it wherever we generate
a random number.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10927)
2020-01-24 15:12:56 +00:00
Matt Caswell
ba18627e4a Introduce SSL_CTX_new_with_libex()
We add the ability to specify an OPENSSL_CTX (which may be NULL for the
default context) and a property query string for use during algorithm
fetch operations.

For example, in this way one SSL_CTX could be used the default provider,
and another one could be used with the FIPS provider.

At this stage we don't use these values. That will come later.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10866)
2020-01-22 10:47:12 +00:00
Matt Caswell
bddbfae1cd libssl: Eliminate as much use of EVP_PKEY_size() as possible
Some uses were going against documented recommendations.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10798)
2020-01-19 02:47:46 +01:00
Pauli
781aa7ab63 Deprecate the low level MD5 functions.
Use of the low level MD5 functions has been informally discouraged for a long
time.  We now formally deprecate them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10791)
2020-01-19 10:14:39 +10:00
Pauli
85d843c8ec Deprecate the low level SHA functions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10791)
2020-01-19 10:14:39 +10:00
dcruette
2de5a5fbdd Update tls13_enc.c
Fix double + in hkdflabel declaration (FIXES #10675)
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10700)
2020-01-02 13:49:41 +01:00
Rich Salz
742ccab318 Deprecate most of debug-memory
Fixes #8322

The leak-checking (and backtrace option, on some platforms) provided
by crypto-mdebug and crypto-mdebug-backtrace have been mostly neutered;
only the "make malloc fail" capability remains.  OpenSSL recommends using
the compiler's leak-detection instead.

The OPENSSL_DEBUG_MEMORY environment variable is no longer used.
CRYPTO_mem_ctrl(), CRYPTO_set_mem_debug(), CRYPTO_mem_leaks(),
CRYPTO_mem_leaks_fp() and CRYPTO_mem_leaks_cb() return a failure code.
CRYPTO_mem_debug_{malloc,realloc,free}() have been removed.  All of the
above are now deprecated.

Merge (now really small) mem_dbg.c into mem.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10572)
2019-12-14 20:57:35 +01:00
Dmitry Belyavskiy
4e3ee452d0 Parse large GOST ClientKeyExchange messages
Large GOST ClientKeyExchange messages are sent by VipNet CSP, one of
Russian certified products implementing GOST TLS, when a server
certificate contains 512-bit keys.

This behaviour was present in 1.0.2 branch and needs to be restored.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10376)
2019-12-13 17:43:33 +03:00
Veres Lajos
79c44b4e30 Fix some typos
Reported-by: misspell-fixer <https://github.com/vlajos/misspell-fixer>

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10544)
2019-12-11 19:04:01 +01:00
Matt Caswell
e7db9680db Move constant time RSA code out of libssl
Server side RSA key transport code in a Client Key Exchange message
currently uses constant time code to check that the RSA decrypt is
correctly formatted. The previous commit taught the underlying RSA
implementation how to do this instead, so we use that implementation and
remove this code from libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)
2019-12-05 16:12:18 +00:00