Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22828)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20061)
In TLSv1.2 we should not attempt to use a supported_group value that is
intended for use with TLSv1.3 - even if both the server and the client
support it, e.g. the ffdhe groups are supported by OpenSSL for TLSv1.3 but
not for TLSv1.2.
Fixes#21081
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21274)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20866)
Add support for the RFC7250 certificate-type extensions.
Alows the use of only private keys for connection (i.e. certs not needed).
Add APIs
Add unit tests
Add documentation
Add s_client/s_server support
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18185)
The documentation didn't mention the development where EVP_PKEY_get_id()
returns a negative value for provider-only implementations, and the
migration guide didn't mention how to cope with that.
Fixes#20497
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20501)
calling SSL_CTX_set1_groups_list() twice on one SSL_CTX* caused a memory
leak visible in valgrind:
4 bytes in 1 blocks are definitely lost in loss record 1 of 1
at 0x4841888: malloc (vg_replace_malloc.c:381)
by 0x4B1EE96: CRYPTO_memdup (in libcrypto.so.3)
by 0x48993A0: tls1_set_groups_list (in libssl.so.3)
by 0x487AA7E: ssl3_ctx_ctrl (in libssl.so.3)
by 0x1091EA: main (mem_leak.c:10)
LEAK SUMMARY:
definitely lost: 4 bytes in 1 blocks
Freeing *pext to fix it.
CLA: trivial
Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20317)
(cherry picked from commit fcf3a9f7c6)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19424)
Create new TLS_GROUP_ENTRY values for these groups.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19315)
This partially reverts commit 0a10825a0 in order to reimplement it in a
simpler way in the next commit. The reverted aspects are all related to
the TLSv1.3 brainpool curves in the supported_groups extension. Rather
than special casing the handling of these curves we simply add new entries
to the groups table to represent them. They can then be handled without
any additional special casing. This makes the code simpler to maintain.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19315)
Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and
at least handle the file name and line number they are called from,
there's no need to report ERR_R_MALLOC_FAILURE where they are called
directly, or when SSLfatal() and RLAYERfatal() is used, the reason
`ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`.
There were a number of places where `ERR_R_MALLOC_FAILURE` was reported
even though it was a function from a different sub-system that was
called. Those places are changed to report ERR_R_{lib}_LIB, where
{lib} is the name of that sub-system.
Some of them are tricky to get right, as we have a lot of functions
that belong in the ASN1 sub-system, and all the `sk_` calls or from
the CRYPTO sub-system.
Some extra adaptation was necessary where there were custom OPENSSL_malloc()
wrappers, and some bugs are fixed alongside these changes.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)
This is instead of time_t and struct timeval. Some public APIs mandate a
presence of these two types, but they are converted to OSSL_TIME internally.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19082)
Only done for the read side so far. Still need to do TLS1.3 and SSL3.0.
Also need to separate out KTLS.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)
As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error
should be processed. Also the result of this function shouldn't be
assigned to an unsigned variable.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18891)
Make the SSL object polymorphic based on whether this is
a traditional SSL connection, QUIC connection, or later
to be implemented a QUIC stream.
It requires adding if after every SSL_CONNECTION_FROM_SSL() call
which itself has to be added to almost every public SSL_ API call.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18612)
- If keymgmmt is not available, it's not an error but the error message
persists in stack
- when setting groups, it's worth saying which group is not available
Fixes#18585
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18591)
When TLS-1.3 is used and the server does not send any CA names
the ca_dn will be NULL. sk_X509_NAME_num() returns -1 on null
argument.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17986)
Prior to the crash there is an out of memory error
in X509_verify_cert which makes the chain NULL or
empty. The error is ignored by ssl_add_cert_chain,
and ssl_security_cert_chain crashes due to the
unchecked null pointer.
This is reproducible with my error injection patch.
The test vector has been validated on the 1.1.1 branch
but the issue is of course identical in all branches.
$ ERROR_INJECT=1652848273 ../util/shlib_wrap.sh ./server-test ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8# ./corpora/server/47c8e933c4ec66fa3c309422283dfe0f31aafae8
#0 0x7f3a8f766eba in __sanitizer_print_stack_trace ../../../../gcc-trunk/libsanitizer/asan/asan_stack.cpp:87
#1 0x403ba4 in my_malloc fuzz/test-corpus.c:114
#2 0x7f3a8f39a430 in CRYPTO_zalloc crypto/mem.c:230
#3 0x7f3a8f46bd3b in sk_reserve crypto/stack/stack.c:180
#4 0x7f3a8f46bd3b in OPENSSL_sk_insert crypto/stack/stack.c:242
#5 0x7f3a8f4a4fd8 in sk_X509_push include/openssl/x509.h:99
#6 0x7f3a8f4a4fd8 in X509_verify_cert crypto/x509/x509_vfy.c:286
#7 0x7f3a8fed726e in ssl_add_cert_chain ssl/statem/statem_lib.c:959
#8 0x7f3a8fed726e in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
#9 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
#10 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
#11 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
#12 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
#13 0x403202 in FuzzerTestOneInput fuzz/server.c:740
#14 0x40371b in testfile fuzz/test-corpus.c:182
#15 0x402856 in main fuzz/test-corpus.c:226
#16 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#17 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==8400==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000158 (pc 0x7f3a8f4d822f bp 0x7ffc39b76190 sp 0x7ffc39b760a0 T0)
==8400==The signal is caused by a READ memory access.
==8400==Hint: address points to the zero page.
#0 0x7f3a8f4d822f in x509v3_cache_extensions crypto/x509v3/v3_purp.c:386
#1 0x7f3a8f4d9d3a in X509_check_purpose crypto/x509v3/v3_purp.c:84
#2 0x7f3a8f4da02a in X509_get_extension_flags crypto/x509v3/v3_purp.c:921
#3 0x7f3a8feff7d2 in ssl_security_cert_sig ssl/t1_lib.c:2518
#4 0x7f3a8feff7d2 in ssl_security_cert ssl/t1_lib.c:2542
#5 0x7f3a8feffa03 in ssl_security_cert_chain ssl/t1_lib.c:2562
#6 0x7f3a8fed728d in ssl_add_cert_chain ssl/statem/statem_lib.c:963
#7 0x7f3a8fed728d in ssl3_output_cert_chain ssl/statem/statem_lib.c:1015
#8 0x7f3a8fee1c50 in tls_construct_server_certificate ssl/statem/statem_srvr.c:3812
#9 0x7f3a8feb8b0a in write_state_machine ssl/statem/statem.c:843
#10 0x7f3a8feb8b0a in state_machine ssl/statem/statem.c:443
#11 0x7f3a8fe84b3f in SSL_do_handshake ssl/ssl_lib.c:3718
#12 0x403202 in FuzzerTestOneInput fuzz/server.c:740
#13 0x40371b in testfile fuzz/test-corpus.c:182
#14 0x402856 in main fuzz/test-corpus.c:226
#15 0x7f3a8e859f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#16 0x402936 (/home/ed/OPC/openssl/fuzz/server-test+0x402936)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV crypto/x509v3/v3_purp.c:386 in x509v3_cache_extensions
==8400==ABORTING
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18376)
This is needed for TLS-1.3.
Also add check for uncompressed point format for ECDHE as
the other formats are not allowed by RFC 8446.
Fixes#17667
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17678)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17528)
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes#15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
The EVP_PKEY_supports_digest_nid() is renamed to
EVP_PKEY_digestsign_supports_digest() and implemented
via EVP_DigestSignInit_ex().
Fixes#14343
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15198)
One was related to probing for the combination of signature and hash
algorithm together. This is currently not easily possible. The TODO(3.0)
is converted to a normal comment and I've raised the problem as issue
number #14885 as something to resolve post 3.0.
The other TODO was a hard coded limit on the number of groups that could
be registered. This has been amended so that there is no limit.
Fixes#14333
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14886)
While all the standardized groups would fit within the old limit,
with the addition of providers, some might want to experiment with
new and unstandardized groups. As such, their names might not fit
within the old limit.
Define it as GROUP_NAME_BUFFER_LENGTH with value 64.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14502)
The existing names such as EVP_PKEY_param_fromdata_settable were a bit
confusing since the 'param' referred to key params not OSSL_PARAM. To simplify
the interface a 'selection' parameter will be passed instead. The
changes are:
(1) EVP_PKEY_fromdata_init() replaces both EVP_PKEY_key_fromdata_init() and EVP_PKEY_param_fromdata_init().
(2) EVP_PKEY_fromdata() has an additional selection parameter.
(3) EVP_PKEY_fromdata_settable() replaces EVP_PKEY_key_fromdata_settable() and EVP_PKEY_param_fromdata_settable().
EVP_PKEY_fromdata_settable() also uses a selection parameter.
Fixes#12989
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14076)
We should no longer be relying on compile time checks in libssl for
the availability of crypto algorithms. The availability of crypto
algorithms should be determined at runtime based on what providers have
been loaded.
Fixes#13616
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
We may have compiled in sigalg values that we can't support at runtime.
Make sure we only use sigalgs that are actually enabled.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
By recognising the nist group names directly we can avoid having to call
EC_curve_nist2nid in libssl, which is not available in a no-ec build.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
The supported groups code was checking the OPENSSL_NO_EC and
OPENSSL_NO_DH guards in order to work, and the list of default groups was
based on those guards. However we now need it to work even in a no-ec
and no-dh build, because new groups might be added from providers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
The default supported groups code was disabled in the event of a build
with no-ec and no-dh. However now that providers can add there own
groups (which might not fit into either of these categories), this is
no longer appropriate.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that
libssl is entirely using the EVP APIs and implementations can be plugged
in via providers it is no longer needed to disable DH at compile time in
libssl. Instead it should detect at runtime whether DH is available from
the loaded providers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
We had a couple of stray references to OpenSSL1.2 in libssl. We just
reword the comments to remove those references without changing any
behaviour.
The first one in t1_lib.c is a technical non-compliance in the TLSv1.3
spec where, under some circumstances, we offer DSA sigalgs even in a
ClientHello that eventually negotiates TLSv1.3. We explicitly chose to
accept this behaviour in 1.1.1 and we're not planning to change it for
3.0.
The second one in s3_lib.c is regarnding the behaviour of
SSL_set_tlsext_host_name(). Technically you shouldn't be able to call
this from a server - but we allow it and just ignore it rather than
raising an error. The TODO suggest we consider raising an error instead.
However, with 3.0 we are trying to minimise breaking changes so I suggest
not making this change now.
Fixes#13161
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14037)
libssl at the moment downgrades an EVP_PKEY to an EC_KEY object in order
to get the conv form and field type. Instead we provide EVP_PKEY level
functions to do this.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)
