Commit graph

480 commits

Author SHA1 Message Date
Alessandro Ghedini
aacfb134be GH355: Implement HKDF
This patch implements the HMAC-based Extract-and-Expand Key Derivation
Function (HKDF) as defined in RFC 5869.

It is required to implement the QUIC and TLS 1.3 protocols (among others).

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-03 18:21:20 -05:00
Emilia Kasper
062178678f Refactor ClientHello extension parsing
1) Simplify code with better PACKET methods.

2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.

3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.

4) Send an alert on ALPN protocol mismatch.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-03-03 13:53:26 +01:00
Dr. Stephen Henson
3e30fa0a6d Add KDF error codes
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-02 21:30:56 +00:00
Dr. Stephen Henson
99119000ad EVP_PKEY_CTX utility functions.
Utility functions to pass a string or hex string to EVP_PKEY_CTX_ctrl().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-02 20:57:32 +00:00
Dr. Stephen Henson
e9b1c42f75 make errors
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-02 20:48:12 +00:00
Dr. Stephen Henson
e2285d878d Handle KDF internally.
Handle KDF in ECDH_compute_key instead of requiring each implementation
support it. This modifies the compute_key method: now it allocates and
populates a buffer containing the shared secret.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-02 20:48:12 +00:00
Christian Heimes
0c452abc16 Provide getters for default_passwd_cb and userdata
This patch provides getters for default_passwd_cb and userdata for SSL
and SSL_CTX. The getter functions are required to port Python's ssl module
to OpenSSL 1.1.0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-02 17:15:46 +00:00
Dr. Stephen Henson
83f0e802ab make errors
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-01 22:04:25 +00:00
Rob Percival
7d054e5ab2 CT policy validation
Specifies a callback that will, in the future, be used by the SSL code to
decide whether to abort a connection on Certificate Transparency grounds.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-01 20:03:25 +00:00
Rob Percival
8c6afbc55c Verify SCT signatures
Tests included in future commit, which adds CT policy validation.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-01 11:59:28 -05:00
Matt Caswell
ff75a25749 Refactor the async wait fd logic
Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.

Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.

This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-29 12:58:44 +00:00
Matt Caswell
b32166b4fa Workaround for VisualStudio 2015 bug
VisualStudio 2015 has a bug where an internal compiler error was occurring.
By reordering the DEFINE_STACK_OF declarations for SSL_CIPHER and SSL_COMP
until after the ssl3.h include everything seems ok again.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-29 10:28:18 +00:00
Dr. Stephen Henson
1db3107ada TLS support for X25519
Add X25519 to TLS supported curve list.
Reject attempts to configure keys which cannot be used
for signing.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-28 22:54:54 +00:00
Dr. Stephen Henson
4b0555ec9d Add no signing flag.
Add a flag to EC_METHOD for curves which do not support signing.
New function EC_KEY_can_sign() returns 1 is key can be used for signing.
Return an explicit error is an attempt is made to sign with
no signing curves.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-28 22:54:53 +00:00
Dr. Stephen Henson
899cf48f17 Rename OIDs.
Use standard X25519 and X448 names for OIDs. Delete EdDSA OIDs: for now they
wont be used and EdDSA may use a different format.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-28 22:54:53 +00:00
FdaSilvaYY
b6453a68bb GH753: More spelling fix
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-27 10:58:16 -05:00
Rob Percival
a8d177acf0 Moves SCT struct typedef into ossl_typ.h
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-26 14:57:29 -05:00
Rob Percival
0cea8832df Public API for Certificate Transparency
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-26 14:57:29 -05:00
Alessandro Ghedini
71a04cfca0 Implement new multi-threading API
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-26 10:00:36 +00:00
Rich Salz
f2adbd85dd Fix indents
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-25 11:52:37 -05:00
Emilia Kasper
380f18ed5f CVE-2016-0798: avoid memory leak in SRP
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-25 15:42:48 +01:00
Rich Salz
72e9be3d08 GH235: Set error status on malloc failure
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-25 08:37:36 -05:00
Rich Salz
6b2ebe4332 Add PKCS7_NO_DUAL_CONTENT flag
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-23 08:42:03 -05:00
Rich Salz
a773b52a61 Remove unused parameters from internal functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-22 13:39:44 -05:00
David Woodhouse
cbb259caaf RT4334: Check UEFI before __STDC_VERSION__ for <inttypes.h>
Adding -nostdinc to the EDK2 showed that we were including <inttypes.h>
for some UEFI builds, because the check for __STDC_VERSION__ happens
before the check for OPENSSL_SYS_UEFI. Fix that.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-22 12:10:00 -05:00
Matt Caswell
316fae2a94 Partial revert of 1288f26 and fix for no-async
The commit 1288f26 says that it fixes no-async, but instead seems to break
it. Therefore revert that change and fix no-async.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-22 16:48:09 +00:00
David Woodhouse
d99d0d96a7 RT4309: Define PRIu64 for UEFI build
Provide an appropriate definition of PRIu64 for the EDK2 build, since
we don't have <inttypes.h> there.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-22 11:31:31 -05:00
Rich Salz
f9eca34c22 Missed an experimental.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-22 10:00:47 -05:00
Emilia Kasper
aa474d1fb1 TLS: reject duplicate extensions
Adapted from BoringSSL. Added a test.

The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-19 17:24:44 +01:00
Viktor Szakats
eaa7e483c5 GH712: Missed some no-filenames cases
crypto.h: honor no-filenames config setting in missing cases

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-19 10:03:49 -05:00
Richard Levitte
ce192ebed0 Remove all special make depend flags, as well as OPENSSL_DOING_MAKEDEPEND
All those flags existed because we had all the dependencies versioned
in the repository, and wanted to have it be consistent, no matter what
the local configuration was.  Now that the dependencies are gone from
the versioned Makefile.ins, it makes much more sense to use the exact
same flags as when compiling the object files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-18 23:43:09 +01:00
David Woodhouse
3ba84717a0 Finish 02f7114a7f
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-17 17:04:47 -05:00
Rich Salz
1288f26fb9 RT4310: Fix varous no-XXX builds
When OPENSSL_NO_ASYNC is set, make ASYNC_{un,}block_pause() do nothing.
This prevents md_rand.c from failing to build. Probably better to do it
this way than to wrap every instance in an explicit #ifdef.

A bunch of new socket code got added to a new file crypto/bio/b_addr.c.
Make it all go away if OPENSSL_NO_SOCK is defined.

Allow configuration with no-ripemd, no-ts, no-ui
We use these for the UEFI build.

Also remove the 'Really???' comment from no-err and no-locking. We use
those too.

We need to drop the crypto/engine directory from the build too, and also
set OPENSSL_NO_ENGINE

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-17 13:33:51 -05:00
David Woodhouse
21b80f9a12 RT4318: Fix OSSL_SSIZE_MAX for UEFI build
Commit e634b448c ("Defines OSSL_SSIZE_MAX") introduced a definition of
OSSL_SSIZE_MAX which broke the UEFI build. Fix that by making UEFI take
the same definition as Ultrix (ssize_t == int).

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-17 10:39:35 -05:00
Rich Salz
dba3177745 Remove JPAKE
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-17 09:46:10 -05:00
Richard Levitte
05c7b1631b Implement the use of heap manipulator implementions
- Make use of the functions given through CRYPTO_set_mem_functions().
- CRYPTO_free(), CRYPTO_clear_free() and CRYPTO_secure_free() now receive
  __FILE__ and __LINE__.
- The API for CRYPTO_set_mem_functions() and CRYPTO_get_mem_functions()
  is slightly changed, the implementation for free() now takes a couple
  of extra arguments, taking __FILE__ and __LINE__.
- The CRYPTO_ memory functions will *always* receive __FILE__ and __LINE__
  from the corresponding OPENSSL_ macros, regardless of if crypto-mdebug
  has been enabled or not.  The reason is that if someone swaps out the
  malloc(), realloc() and free() implementations, we can't know if they
  will use them or not.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-17 10:12:49 +01:00
Richard Levitte
c4fb3b3942 Prepare for 1.1.0-pre4-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-15 19:37:42 +01:00
Richard Levitte
c2bbf05873 Prepare for 1.1.0-pre3 release
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-15 19:37:20 +01:00
Richard Levitte
c35f5c3d3a Correct deprecation of OPENSSL_config
Reported in GH#684

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-15 16:25:10 +01:00
Richard Levitte
2c90015c06 Make sure the OPENSSL_INIT flags are 32 bits and document the ssl range
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-13 14:04:42 +01:00
Rob Percival
e634b448c3 Defines OSSL_SSIZE_MAX
Removes SSIZE_MAX definition from bss_bio.c and changes that file to use
OSSL_SSIZE_MAX.

No need to account for OPENSSL_SYS_VXWORKS, since that never actually
gets defined anywhere. It must be a historical artifact.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-13 10:22:54 +00:00
Dr. Stephen Henson
e314c34073 fix warnings on 32 bit builds
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-13 02:29:25 +00:00
Rich Salz
22e3dcb780 Remove TLS heartbeat, disable DTLS heartbeat
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:57:26 -05:00
Rich Salz
f3f1cf8444 Move to REF_DEBUG, for consistency.
Add utility macros REF_ASSERT_NOT and REF_PRINT_COUNT
This is also RT 4181

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:40:32 -05:00
Rich Salz
27f172d9a3 GH620: second diff from rt-2275, adds error code
clean up and apply patches from RT-2275

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 09:33:51 -05:00
Rich Salz
7253fd550c Hide OPENSSL_INIT_SETTINGS.
Make OPENSSL_INIT_SETTINGS an opaque structure.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 08:43:46 -05:00
Rich Salz
a4625290c3 After renaming init, update errors.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-10 15:52:32 -05:00
Richard Levitte
e09621ff57 Make it possible to get ENGINESDIR info from OpenSSL_versions
Have apps/openssl display the result along with OPENSSLDIR

As part of this, add ENGINESDIR in util/mk1mf.pl

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 19:36:48 +01:00
Matt Caswell
302f75887e Attempt to log an error if init failed
If init failed we'd like to set an error code to indicate that. But if
init failed then when the error system tries to load its strings its going
to fail again. We could get into an infinite loop. Therefore we just set
a single error the first time around. After that no error is set.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 17:40:59 +00:00
Matt Caswell
0fc32b0718 The new init functions can now fail so shouldn't be void
The new init functions can fail if the library has already been stopped. We
should be able to indicate failure with a 0 return value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 17:40:59 +00:00