summaryrefslogtreecommitdiff
path: root/ssl
Commit message (Collapse)AuthorAgeFilesLines
* Fix coverity 1504433: unchecked return valuePauli2022-05-191-0/+1
| | | | | | | | Just extending the comment so coveriety knows as well. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18326)
* Add return value check of EVP_PKEY_copy_parameters () in ssl_set_cert_and_key()Zhou Qingyang2022-05-161-2/+8
| | | | | | | | | | | | | It seems the return value of EVP_PKEY_copy_parameters() in ssl_set_cert_and_key(), and could lead to null pointer dereference in EVP_PKEY_eq() function. However those functions are complicated and this fix is suggested by a static analyzer, so please advise. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18071)
* err: get rid of err_free_strings_int()Dr. Matthias St. Pierre2022-05-101-13/+1
| | | | | | | | | | | Even though the function is not part of the public api, it is not entirely removed, in order to minimize the chance of breakage, because it is exported from libcrypto. Instead, we keep a dummy implementation. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17974)
* Fix leakage when the cacheline is 32-bytes in CBC_MAC_ROTATE_IN_PLACEbasavesh2022-05-091-3/+11
| | | | | | | | | | | | | | | | | | | rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret. Consider a weaker leakage model(CL) where only cacheline base address is leaked, i.e address/32 for 32-byte cacheline(CL32). Previous code used to perform two loads 1. rotated_mac[rotate_offset ^ 32] and 2. rotated_mac[rotate_offset++] which would leak 2q + 1, 2q for 0 <= rotate_offset < 32 and 2q, 2q + 1 for 32 <= rotate_offset < 64 The proposed fix performs load operations which will always leak 2q, 2q + 1 and selects the appropriate value in constant-time. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18033)
* tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and abovePauli2022-05-081-10/+4
| | | | | | | | | | This is in line with the NEWS entry (erroneously) announcing such for 3.0. Fixes #18194 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18236)
* Remove duplicated #include headersJHH202022-05-041-1/+0
| | | | | | | | | CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18220)
* Update copyright yearMatt Caswell2022-05-0326-26/+26
| | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
* str[n]casecmp => OPENSSL_strncasecmpDmitry Belyavskiy2022-04-221-5/+6
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18069)
* Fix an assertion in the DTLS server codeBernd Edlinger2022-04-141-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes an internal error alert from the server and an unexpected connection failure in the release version, but a failed assertion and a server crash in the debug version. Reproduce this issue with a DTLS server/client like that: ./openssl s_server -dtls -mtu 1500 ./openssl s_client -dtls -maxfraglen 512 In the debug version a crash happens in the Server now: ./openssl s_server -dtls -mtu 1500 Using default temp DH parameters ACCEPT ssl/statem/statem_dtls.c:269: OpenSSL internal error: Assertion failed: len == written Aborted (core dumped) While in the release version the handshake exceeds the negotiated max fragment size, and fails because of this: $ ./openssl s_server -dtls -mtu 1500 Using default temp DH parameters ACCEPT ERROR 4057152ADA7F0000:error:0A0000C2:SSL routines:do_dtls1_write:exceeds max fragment size:ssl/record/rec_layer_d1.c:826: shutting down SSL CONNECTION CLOSED From the client's point of view the connection fails with an Internal Error Alert: $ ./openssl s_client -dtls -maxfraglen 512 Connecting to ::1 CONNECTED(00000003) 40B76343377F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_d1.c:613:SSL alert number 80 and now the connection attempt fails unexpectedly. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18093)
* SSL_conf_cmd: Allow DH Parameters at any position.Daniel Fiala2022-04-121-5/+9
| | | | | | | | Fixes openssl#17326. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18041)
* Add SSL_(CTX_)?get0_(verify|chain)_cert_store functionsHugo Landau2022-04-063-0/+19
| | | | | | | | | | | Currently we do not have any way to retrieve these values once set. Fixes #18035. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18038)
* KTLS: Enable KTLS for receiving as well in TLS 1.3Daiki Ueno2022-04-061-11/+21
| | | | | | | | | | | | | This removes a guard condition that prevents KTLS being enabled for receiving in TLS 1.3. Use the correct sequence number and BIO for receive vs transmit offload. Co-authored-by: John Baldwin <jhb@FreeBSD.org> Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17942)
* KTLS: Handle TLS 1.3 in ssl3_get_record.Daiki Ueno2022-04-061-15/+31
| | | | | | | | | | | | | | | | | | | | | | | - Don't unpad records, check the outer record type, or extract the inner record type from TLS 1.3 records handled by the kernel. KTLS performs all of these steps and returns the inner record type in the TLS header. - When checking the length of a received TLS 1.3 record don't allow for the extra byte for the nested record type when KTLS is used. - Pass a pointer to the record type in the TLS header to the SSL3_RT_INNER_CONTENT_TYPE message callback. For KTLS, the old pointer pointed to the last byte of payload rather than the record type. For the non-KTLS case, the TLS header has been updated with the inner type before this callback is invoked. Co-authored-by: John Baldwin <jhb@FreeBSD.org> Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17942)
* KTLS: Add using_ktls helper variable in ssl3_get_record().John Baldwin2022-04-061-10/+10
| | | | | | | | | | | | | | | When KTLS receive is enabled, pending data may still be present due to read ahead. This data must still be processed the same as records received without KTLS. To ease readability (especially in consideration of additional checks which will be added for TLS 1.3), add a helper variable 'using_ktls' that is true when the KTLS receive path is being used to receive a record. Co-authored-by: Dmitry Podgorny <pasis.ua@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17942)
* KTLS: Check for unprocessed receive records in ktls_configure_crypto.John Baldwin2022-04-064-82/+91
| | | | | | | | | | | | | | | | | | | | | KTLS implementations currently assume that the start of the in-kernel socket buffer is aligned with the start of a TLS record for the receive side. The socket option to enable KTLS specifies the TLS sequence number of this initial record. When read ahead is enabled, data can be pending in the SSL read buffer after negotiating session keys. This pending data must be examined to ensurs that the kernel's socket buffer does not contain a partial TLS record as well as to determine the correct sequence number of the first TLS record to be processed by the kernel. In preparation for enabling receive kernel offload for TLS 1.3, move the existing logic to handle read ahead from t1_enc.c into ktls.c and invoke it from ktls_configure_crypto(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17942)
* tls_process_server_hello: Disallow repeated HRRTomas Mraz2022-03-301-0/+4
| | | | | | | | | | Repeated HRR must be rejected. Fixes #17934 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17936)
* ticket_lifetime_hint may exceed 1 week in TLSv1.3Todd Short2022-03-251-6/+15
| | | | | | | | | | For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446 Fixes #17948 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17952)
* Fix Coverity 1498611 & 1498608: uninitialised readPauli2022-03-231-0/+2
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17893)
* print SSL session, fix build warnings on OpenBSD.David Carlier2022-03-181-2/+2
| | | | | | | | time_t is a 64 bits type on this platform. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17917)
* Replace handling of negative verification result with SSL_set_retry_verify()Tomas Mraz2022-03-142-3/+7
| | | | | | | | | | | | | | | | Provide a different mechanism to indicate that the application wants to retry the verification. The negative result of the callback function now indicates an error again. Instead the SSL_set_retry_verify() can be called from the callback to indicate that the handshake should be suspended. Fixes #17568 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17825)
* [ssl] Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for SECLEVEL >= 3Nicola Tuveri2022-03-011-2/+3
| | | | | | | | | Fixes #17743 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)
* [ssl] Prefer SSL_k(EC)?DHE to the SSL_kE(EC)?DH aliasNicola Tuveri2022-03-012-7/+7
| | | | | | | | | | | | `SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already marked as aliases of each other in the headers. This commit, for each pair, replaces the leftover uses of the latter synonym with the first one, which is considered more common. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17763)
* Add back check for the DH public key sizeTomas Mraz2022-02-174-5/+27
| | | | | | | | | | | | This is needed for TLS-1.3. Also add check for uncompressed point format for ECDHE as the other formats are not allowed by RFC 8446. Fixes #17667 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17678)
* Cleanup record length checks for KTLSBernd Edlinger2022-02-111-6/+21
| | | | | | | | | | | | | In some corner cases the check for packets which exceed the allowed record length was missing when KTLS is initially enabled, when some unprocessed packets are still pending. Add at least some tests for KTLS, since we have currently not very much test coverage for KTLS. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17504)
* Move e_os.h to include/internalRichard Levitte2022-02-054-4/+4
| | | | | | | | | | | | Including e_os.h with a path from a header file doesn't work well on certain exotic platform. It simply fails to build. Since we don't seem to be able to stop ourselves, the better move is to move e_os.h to an include directory that's part of the inclusion path given to the compiler. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17641)
* Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.John Baldwin2022-02-041-0/+10
| | | | | | | | FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13752)
* add SSL_get0_iana_groups() & SSL_client_hello_get_extension_order()Phus Lu2022-02-032-0/+42
| | | | | | | | | The function/macro allow user get groups/extensions without memory allcations. So we could calculate the ssl fignerprint(ja3) in low cost. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16910)
* Update the comment on ssl3_write_pending()yangyangtiantianlonglong2022-02-011-1/+1
| | | | | | | | | The struct s->s3 has been modified. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17611)
* Revert dropped usage of var thiswr in do_ssl3_write()yangyangtiantianlonglong2022-02-011-1/+1
| | | | | | | | | The var 'thiswr' is an unwanted modification, it was submitted in #5253. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17610)
* apps: Add option -no_ems to s_client/s_server appsyangyangtiantianlonglong2022-01-281-0/+3
| | | | | | | | | The option SSL_OP_NO_EXTENDED_MASTER_SECRET was added in #3910. And it is valid for versions below (D)TLS 1.2. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17597)
* ssl: better support TSAN operationsPauli2022-01-196-27/+93
| | | | | | | | For platforms that do not have native TSAN support, locking needs to be used instead. This adds the locking. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17489)
* ssl: replace ;; with ; as statement separatorPauli2022-01-183-3/+3
| | | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17528)
* ssl/t1_enc: Fix kTLS RX offload pathDmytro Podgornyi2022-01-171-1/+1
| | | | | | | | | | | | | During counting of the unprocessed records, return code is treated in a wrong way. This forces kTLS RX path to be skipped in case of presence of unprocessed records. CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17492)
* Delete unused param about get_construct_message_fyangyangtiantianlonglong2022-01-094-6/+6
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17385)
* Update alert to common protocolKan2022-01-081-11/+11
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/17161)
* Fix: some patches related to error exitingPeiwei Hu2022-01-071-1/+1
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17417)
* fix the return check of EVP_PKEY_CTX_ctrl() in 5 spotsxkernel2022-01-072-5/+5
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17413)
* properly free the resource from EVP_MD_CTX_new() at ssl3_record.c:1413xkernel2022-01-071-11/+11
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17415)
* properly free the resource from CRYPTO_mallocxkernel2022-01-061-2/+2
| | | | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17412)
* Fix typosDimitris Apostolou2022-01-051-1/+1
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17392)
* add OSSL_STACK_OF_X509_free() for commonly used patternDr. David von Oheimb2021-12-217-15/+15
| | | | | Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17307)
* Fix invalid handling of verify errors in libsslMatt Caswell2021-12-142-3/+14
| | | | | | | | | | | | | | In the event that X509_verify() returned an internal error result then libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY. That return code is supposed to only ever be returned if an application is using an app verify callback to complete replace the use of X509_verify(). Applications may not be written to expect that return code and could therefore crash (or misbehave in some other way) as a result. CVE-2021-4044 Reviewed-by: Tomas Mraz <tomas@openssl.org>
* Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functionsMatt Caswell2021-12-072-4/+10
| | | | | | | | | | | We should not be freeing the caller's key in the event of error. Fixes #17196 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17209)
* No EtM for GOST ciphers in TLS 1.2Dmitry Belyavskiy2021-11-291-1/+5
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17150)
* Don't include any TLSv1.3 ciphersuites that are disabledolszomal2021-11-291-6/+15
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16925)
* Enable brainpool curves for TLS1.3Bernd Edlinger2021-11-268-46/+139
| | | | | | | | See the recently assigned brainpool code points at: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7485)
* Move more general parts of internal/cryptlib.h to new internal/common.hDr. David von Oheimb2021-11-171-1/+1
| | | | | Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15847)
* Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string ↵Dr. David von Oheimb2021-11-174-20/+21
| | | | | | | has literal prefix Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15847)
* BIO_read_filename: fix return checkPeiwei Hu2021-11-161-2/+2
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17033)
* RAND_bytes_ex: fix return checkPeiwei Hu2021-11-161-1/+1
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17032)
View Lorry Controller Status