Place ticket keys into secure memory
Place the session ticket AES and HMAC keys into secure memory. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2351)
parent
c2b290c3d0
commit
4bfb96f2ad
5 changed files with 34 additions and 25 deletions
24
ssl/s3_lib.c
24
ssl/s3_lib.c
|
@ -3798,8 +3798,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||||
{
|
{
|
||||||
unsigned char *keys = parg;
|
unsigned char *keys = parg;
|
||||||
long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
|
long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
|
||||||
sizeof(ctx->ext.tick_hmac_key) +
|
sizeof(ctx->ext.secure->tick_hmac_key) +
|
||||||
sizeof(ctx->ext.tick_aes_key));
|
sizeof(ctx->ext.secure->tick_aes_key));
|
||||||
if (keys == NULL)
|
if (keys == NULL)
|
||||||
return tick_keylen;
|
return tick_keylen;
|
||||||
if (larg != tick_keylen) {
|
if (larg != tick_keylen) {
|
||||||
|
@ -3809,23 +3809,23 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||||
if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
|
if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
|
||||||
memcpy(ctx->ext.tick_key_name, keys,
|
memcpy(ctx->ext.tick_key_name, keys,
|
||||||
sizeof(ctx->ext.tick_key_name));
|
sizeof(ctx->ext.tick_key_name));
|
||||||
memcpy(ctx->ext.tick_hmac_key,
|
memcpy(ctx->ext.secure->tick_hmac_key,
|
||||||
keys + sizeof(ctx->ext.tick_key_name),
|
keys + sizeof(ctx->ext.tick_key_name),
|
||||||
sizeof(ctx->ext.tick_hmac_key));
|
sizeof(ctx->ext.secure->tick_hmac_key));
|
||||||
memcpy(ctx->ext.tick_aes_key,
|
memcpy(ctx->ext.secure->tick_aes_key,
|
||||||
keys + sizeof(ctx->ext.tick_key_name) +
|
keys + sizeof(ctx->ext.tick_key_name) +
|
||||||
sizeof(ctx->ext.tick_hmac_key),
|
sizeof(ctx->ext.secure->tick_hmac_key),
|
||||||
sizeof(ctx->ext.tick_aes_key));
|
sizeof(ctx->ext.secure->tick_aes_key));
|
||||||
} else {
|
} else {
|
||||||
memcpy(keys, ctx->ext.tick_key_name,
|
memcpy(keys, ctx->ext.tick_key_name,
|
||||||
sizeof(ctx->ext.tick_key_name));
|
sizeof(ctx->ext.tick_key_name));
|
||||||
memcpy(keys + sizeof(ctx->ext.tick_key_name),
|
memcpy(keys + sizeof(ctx->ext.tick_key_name),
|
||||||
ctx->ext.tick_hmac_key,
|
ctx->ext.secure->tick_hmac_key,
|
||||||
sizeof(ctx->ext.tick_hmac_key));
|
sizeof(ctx->ext.secure->tick_hmac_key));
|
||||||
memcpy(keys + sizeof(ctx->ext.tick_key_name) +
|
memcpy(keys + sizeof(ctx->ext.tick_key_name) +
|
||||||
sizeof(ctx->ext.tick_hmac_key),
|
sizeof(ctx->ext.secure->tick_hmac_key),
|
||||||
ctx->ext.tick_aes_key,
|
ctx->ext.secure->tick_aes_key,
|
||||||
sizeof(ctx->ext.tick_aes_key));
|
sizeof(ctx->ext.secure->tick_aes_key));
|
||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
|
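Review bot: The `else` branch in the second hunk (the get path, with its three `memcpy(keys ..., ctx->ext.secure->...)` calls) copies the HMAC and AES keys out of the secure allocation into the caller's `parg` buffer, and nothing in the code says so. A comment above that branch would make the limit of the protection explicit, for example `/* Copies secret key material into caller memory; the caller should cleanse the buffer after use */`. The blob layout (key name, then HMAC key, then AES key) is only implicit in the offsets and deserves one line next to `tick_keylen`. ssl3_ctx_ctrl starts and ends outside these hunks, so the enclosing `case` labels are not visible here.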
@ -3035,6 +3035,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||||
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
|
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
|
if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
/* No compression for DTLS */
|
/* No compression for DTLS */
|
||||||
if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
|
if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
|
||||||
ret->comp_methods = SSL_COMP_get_compression_methods();
|
ret->comp_methods = SSL_COMP_get_compression_methods();
|
||||||
|
@ -3045,10 +3048,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||||
/* Setup RFC5077 ticket keys */
|
/* Setup RFC5077 ticket keys */
|
||||||
if ((RAND_bytes(ret->ext.tick_key_name,
|
if ((RAND_bytes(ret->ext.tick_key_name,
|
||||||
sizeof(ret->ext.tick_key_name)) <= 0)
|
sizeof(ret->ext.tick_key_name)) <= 0)
|
||||||
|| (RAND_bytes(ret->ext.tick_hmac_key,
|
|| (RAND_bytes(ret->ext.secure->tick_hmac_key,
|
||||||
sizeof(ret->ext.tick_hmac_key)) <= 0)
|
sizeof(ret->ext.secure->tick_hmac_key)) <= 0)
|
||||||
|| (RAND_bytes(ret->ext.tick_aes_key,
|
|| (RAND_bytes(ret->ext.secure->tick_aes_key,
|
||||||
sizeof(ret->ext.tick_aes_key)) <= 0))
|
sizeof(ret->ext.secure->tick_aes_key)) <= 0))
|
||||||
ret->options |= SSL_OP_NO_TICKET;
|
ret->options |= SSL_OP_NO_TICKET;
|
||||||
|
|
||||||
if (RAND_bytes(ret->ext.cookie_hmac_key,
|
if (RAND_bytes(ret->ext.cookie_hmac_key,
|
||||||
|
@ -3190,6 +3193,7 @@ void SSL_CTX_free(SSL_CTX *a)
|
||||||
OPENSSL_free(a->ext.supportedgroups);
|
OPENSSL_free(a->ext.supportedgroups);
|
||||||
#endif
|
#endif
|
||||||
OPENSSL_free(a->ext.alpn);
|
OPENSSL_free(a->ext.alpn);
|
||||||
|
OPENSSL_secure_free(a->ext.secure);
|
||||||
|
|
||||||
CRYPTO_THREAD_lock_free(a->lock);
|
CRYPTO_THREAD_lock_free(a->lock);
|
||||||
|
|
||||||
|
|
|
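Review bot: In the SSL_CTX_free hunk, `OPENSSL_secure_free(a->ext.secure);` releases the key struct without an explicit wipe. As far as I recall, the secure allocator falls back to the ordinary heap when the application never initialised the secure heap, and in that case the free does not zero the memory; `OPENSSL_secure_clear_free(a->ext.secure, sizeof(*a->ext.secure));` would cleanse in both cases. The same fallback means the `OPENSSL_secure_zalloc` call in SSL_CTX_new only yields locked memory if the heap was set up beforehand, which is worth a short comment at the allocation. Both functions continue outside the hunks shown.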
@ -733,7 +733,13 @@ DEFINE_LHASH_OF(SSL_SESSION);
|
||||||
/* Needed in ssl_cert.c */
|
/* Needed in ssl_cert.c */
|
||||||
DEFINE_LHASH_OF(X509_NAME);
|
DEFINE_LHASH_OF(X509_NAME);
|
||||||
|
|
||||||
# define TLSEXT_KEYNAME_LENGTH 16
|
# define TLSEXT_KEYNAME_LENGTH 16
|
||||||
|
# define TLSEXT_TICK_KEY_LENGTH 32
|
||||||
|
|
||||||
|
typedef struct ssl_ctx_ext_secure_st {
|
||||||
|
unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH];
|
||||||
|
unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
|
||||||
|
} SSL_CTX_EXT_SECURE;
|
||||||
|
|
||||||
struct ssl_ctx_st {
|
struct ssl_ctx_st {
|
||||||
const SSL_METHOD *method;
|
const SSL_METHOD *method;
|
||||||
|
@ -927,8 +933,7 @@ struct ssl_ctx_st {
|
||||||
void *servername_arg;
|
void *servername_arg;
|
||||||
/* RFC 4507 session ticket keys */
|
/* RFC 4507 session ticket keys */
|
||||||
unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
|
unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
|
||||||
unsigned char tick_hmac_key[32];
|
SSL_CTX_EXT_SECURE *secure;
|
||||||
unsigned char tick_aes_key[32];
|
|
||||||
/* Callback to support customisation of ticket key setting */
|
/* Callback to support customisation of ticket key setting */
|
||||||
int (*ticket_key_cb) (SSL *ssl,
|
int (*ticket_key_cb) (SSL *ssl,
|
||||||
unsigned char *name, unsigned char *iv,
|
unsigned char *name, unsigned char *iv,
|
||||||
|
|
|
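Review bot: The new `SSL_CTX_EXT_SECURE` typedef has no comment explaining why these two fields are split out or how the struct is allocated. Something like `/* Secret ticket keys; allocated with OPENSSL_secure_zalloc() in SSL_CTX_new() and released in SSL_CTX_free() */` above the typedef would do, and the `secure` member of `struct ssl_ctx_st` could note that it is non-NULL after a successful SSL_CTX_new (inferred from the allocation hunk). The existing member comment cites RFC 4507 while the SSL_CTX_new hunk cites RFC5077; a single reference would be less confusing. `cookie_hmac_key`, visible in the SSL_CTX_new hunk, stays in the ordinary struct; if that is deliberate, a word in the comment would say so.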
@ -3831,9 +3831,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
|
||||||
iv_len = EVP_CIPHER_iv_length(cipher);
|
iv_len = EVP_CIPHER_iv_length(cipher);
|
||||||
if (RAND_bytes(iv, iv_len) <= 0
|
if (RAND_bytes(iv, iv_len) <= 0
|
||||||
|| !EVP_EncryptInit_ex(ctx, cipher, NULL,
|
|| !EVP_EncryptInit_ex(ctx, cipher, NULL,
|
||||||
tctx->ext.tick_aes_key, iv)
|
tctx->ext.secure->tick_aes_key, iv)
|
||||||
|| !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
|
|| !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
|
||||||
sizeof(tctx->ext.tick_hmac_key),
|
sizeof(tctx->ext.secure->tick_hmac_key),
|
||||||
EVP_sha256(), NULL)) {
|
EVP_sha256(), NULL)) {
|
||||||
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
||||||
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
|
SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
|
||||||
|
|
|
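Review bot: Passing `tctx->ext.secure->tick_aes_key` to `EVP_EncryptInit_ex` and the HMAC key to `HMAC_Init_ex` copies key state into `ctx` and `hctx`, which as far as I know are ordinary heap objects, so the keys sit outside secure memory for the lifetime of those contexts. That is probably acceptable, but the limit should be documented, e.g. `/* ctx/hctx hold key state outside the secure heap until they are freed */`. The same applies to the tls_decrypt_ticket hunk. tls_construct_new_session_ticket begins and ends outside this hunk, so the cleanup path for `ctx` and `hctx` is not visible here.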
@ -1349,11 +1349,11 @@ SSL_TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
|
||||||
ret = SSL_TICKET_NO_DECRYPT;
|
ret = SSL_TICKET_NO_DECRYPT;
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
if (HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
|
if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
|
||||||
sizeof(tctx->ext.tick_hmac_key),
|
sizeof(tctx->ext.secure->tick_hmac_key),
|
||||||
EVP_sha256(), NULL) <= 0
|
EVP_sha256(), NULL) <= 0
|
||||||
|| EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
|
|| EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
|
||||||
tctx->ext.tick_aes_key,
|
tctx->ext.secure->tick_aes_key,
|
||||||
etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
|
etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|