| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
The previous errata patch 019_libssl broke bidirectional SSL_shutdown.
This can cause a hang in some software that calls SSL_shutdown in a loop.
Problem reported and fix tested by Predrag Punosevac. Thanks to Steffen
Nurpmeso who independently found that this was due to an SSL_shutdown loop.
ok jsing
This is errata/6.7/020_libssl.patch.sig
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Improve client certificate selection to allow EC certificates
instead of only RSA certificates.
* Do not error out if a TLSv1.3 server requests an OCSP response as
part of a certificate request.
* Fix SSL_shutdown behavior to match the legacy stack. The previous
behaviour could cause a hang.
* Fix a memory leak and add a missing error check in the handling of
the key update message.
* Fix a memory leak in tls13_record_layer_set_traffic_key.
* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.
* Ensure that only PSS may be used with RSA in TLSv1.3 in order
to avoid using PKCS1-based signatures.
* Add the P-521 curve to the list of curves supported by default
in the client.
This is errata/6.7/019_libssl.patch.sig
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
original commits:
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2020/05/16 08:44:55
Modified files:
lib/libssl : tls13_client.c
Log message:
Ensure that a TLSv1.3 server has provided a certificate.
The RFC requires that a server always provide a certificate for
authentication. Ensure that this is the case, rather than proceeding and
attempting validation. In the case where validation was disabled and the
server returned an empty certificate list, this would have previously
resulted in a NULL pointer deference.
Issue reported by otto@
ok inoguchi@ tb@
CVSROOT: /cvs
Module name: src
Changes by: jsing@cvs.openbsd.org 2020/05/17 08:26:15
Modified files:
lib/libssl : tls13_client.c
Log message:
Send a decode error alert if a server provides an empty certificate list.
According to RFC 8446 section 4.4.2.4, a client receiving an empty
certificate list must abort the handshake with a decode error alert.
ok beck@ inoguchi@ tb@ ('it rarely is the alert you'd expect it to be...')
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In compatibility mode, a TLSv1.3 server MUST send a dummy CCS message
immediately after its first handshake message. This is normally after the
ServerHello message, but it can be after the HelloRetryRequest message.
As such we accept one CCS message from the server during the handshake.
However, it turns out that in the HelloRetryRequest case, Facebook's fizz
TLSv1.3 stack sends CCS messages after both the HelloRetryRequest message
and the ServerHello message. This is unexpected and as far as I'm aware,
no other TLSv1.3 implementation does this. Unfortunately the RFC is rather
ambiguous here, which probably means it is not strictly an RFC violation.
Relax the CCS message handling to allow two dummy CCS messages during a
TLSv1.3. This makes our TLSv1.3 client work with Facebook Fizz when HRR
is triggered.
Issue discovered by inoguchi@ and investigated by tb@.
ok deraadt@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
We might remove static again for further regress around record layer
in the future.
ok jsing@ tb@
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
| |
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
The server-side will need to use the same function.
No functional change.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Move functions so that they are in the order that the TLSv1.3 messages are
processed. While here, also move tls13_client_end_of_early_data_send() from
tls13_client.c to tls13_server.c.
No functional change.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
This ensures that we remain in a valid handshake state in the TLSv1.3
server. Ideally we would not switch to NEGOTIATED until after record
protection has been enabled, but we'll revisit this later.
Issue noted by inoguchi@
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
the main list of words to make it more readable, even though it
remains long.
Avoid using deprecated aliases in explanations what other words mean.
Stop documenting aDSS because it is *both* a deprecated alias *and*
no longer matches anything at all.
General direction discussed with jsing@ some time ago.
|
| |
|
|
|
| |
the TLSv1.3 cipher suites are made available, too;
related to ssl_ciph.c rev. 1.115
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The state machine currently handles the HelloRetryRequest case by using
WITH_HRR - in other words, we're explicitly indicating when we transition
to the alternate path. The problem here is that we do not know if we're
going to receive a ServerHello or a HelloRetryRequest until we process
the message. This means that the ServerHello processing code has to handle
both types of messages.
The state machine and associated processing code becomes cleaner if we flip
this around so that we assume we are going to receive a HelloRetryRequest
and upon discovering that it is not, trigger WITHOUT_HRR and hand off to
the ServerHello processing function. In particular, this makes the logic
much more straight forward on the server side, when adding support for HRR.
With feedback from tb@
ok tb@
|
| |
|
|
|
|
|
|
| |
Previously we would only select an X25519 key share from the client,
ignoring any others. Change this so that we will select the first of the
key shares that matches one of our supported groups.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Move all of the TLSv1.3 constants to the top of tls13_lib.c. Also mark
these all as const so that they end up in .rodata rather than .data.
ok tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
SSL_get_server_tmp_key() provides the peer ephemeral public key used
for key exchange. In the case of TLSv1.3 this is essentially the peer
public key from the key share used for TLSv1.3 key exchange, hence make it
availaable via SSL_get_server_tmp_key().
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Use a boolean value rather than using a counter, as suggested by tb@
during the previous review.
ok tb@
|
| |
|
|
|
|
|
|
| |
The key share code previously only allowed for key shares to be generated
using one of the groups in our default list (X25519, secp256r1, secp384r1).
Relax this and allow key shares using any of the groups in our NID list.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
Revise the previous so that we only include TLSv1.3 cipher suites if the
cipher rule string resulted in at least one active cipher suite. This more
closely matches OpenSSL behaviour.
Noted and fix tested by schwarze@
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
Generate a client key share using our preferred group, rather than always
using X25519. This means that the key share group can be controlled via
SSL{_CTX,}_set1_groups() and SSL{_CTX,}_set1_groups_list().
ok beck@
|
| |
|
|
|
|
|
|
| |
* mention TLSv1.3
* remove DSS, DES(56), RC4(64), and IDEA(128), which are no longer supported
* remove ChaCha20-Poly1305-Old and STREEBOG512 which don't exist in LibreSSL
* correct the instruction for printing the complete list
OK jsing@
|
| |
|
|
|
| |
cipher suites" to the DES entry and use the same wording for DSS;
OK jsing@
|
| |
|
|
|
|
|
|
|
| |
in LOW, MEDIUM, and HIGH. That's going to change repeatedly and
the extra maintenance effort for keeping it up to date is a waste
because people can trivially run "openssl ciphers -v LOW" to look
it up. Besides, updating it will usually be forgotten; the LOW
entry was already wrong.
Suggested by jsing@.
|
| |
|
|
|
|
|
| |
TLSv1 control word, and explain how TLSv1.3 cipher suites can be
configured in LibreSSL and in OpenSSL. While here, also mention
how users can inspect the DEFAULT list of cipher suites.
Stimulus, feedback and OK from jsing@.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has always taken the approach of enabling almost everything by
default. As a result, if you wanted to run a secure TLS client/server
you had to specify your own "secure" cipher string, rather than being
able to trust the defaults as being sensible and secure. The problem
is that with the introduction of TLSv1.3, most of these "secure" cipher
strings result in the new TLSv1.3 cipher suites being excluded.
The "work around" for this issue in OpenSSL was to add a new TLSv1.3
API (SSL_CTX_set_ciphersuites(), SSL_set_ciphersuites()) and have separate
knobs for the pre-TLSv1.3 and TLSv1.3 cipher suites. This of course means
that every application now needs to call two APIs, but it does mean that
applications that only call SSL_CTX_set_cipher_list()/SSL_set_cipher_list()
cannot remove TLSv1.3 cipher suites and prevent TLSv1.3 from working.
We've taken a different approach and have allowed TLSv1.3 cipher suites
to be manipulated via the existing SSL_set_cipher_list() API. However,
in order to avoid problems with hardcoded cipher strings, change this
behaviour so that we always include TLSv1.3 cipher suites unless the
cipher string has a specific reference to the TLSv1.3 protocol or a
TLSv1.3 cipher suite.
This means that:
$ openssl ciphers -v TLSv1.2:!TLSv1.3
still gives TLSv1.2 only cipher suites and:
$ openssl ciphers -v AEAD-CHACHA20-POLY1305-SHA256
only lists a single TLSv1.3 cipher, however:
$ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384
now includes both TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 and all TLSv1.3
cipher suites (which also matches OpenSSL's openssl(1) behaviour).
Issue encountered by kn@ with mumble.
ok tb@
|
| | |
|
| |
|
|
| |
explicitly comparing against a value.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Generate an unpredictable 32-byte legacy session ID during client
initialisation, rather than when the ClientHello message is being created.
Otherwise in the case of a HelloRetryRequest the legacy session ID values
will differ between the first and second ClientHello messages, which is
not permitted by the RFC.
Fixes an issue talking TLSv1.3 to smtp.mail.yahoo.com.
ok beck@
|
| |
|
|
|
|
|
|
|
| |
If the maximum version is less than TLSv1.3, send a zero-length session
identifier (matching the behaviour of the legacy TLS stack), rather than
a 32 byte random identifier. The 32 byte random identifier is only needed
for "compatibility" mode in TLSv1.3.
ok beck@
|
| |
|
|
| |
Patch from Martin Vahlensieck <academicsolutions dot ch>.
|
| |
|
|
| |
Patch from Martin Vahlensieck <academicsolutions dot ch>.
|
| |
|
|
|
|
|
|
|
| |
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
We currently throw an error on overflow, but still wrap. Check up front
if we would need to wrap and only increment if that case is excluded.
This simplifies the increment loop and makes the returns in this function
less magic.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Like much of the original DTLS code, dtls1_enc() is effectively a renamed
copy of tls1_enc(). Since then tls1_enc() has been modified, however the
non-AEAD code remains largely the same. As such, remove dtls1_enc() and
instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS,
however this is a non-issue since we do not support AEAD cipher suites with
DTLS currently.
ok tb@
|
| |
|
|
| |
Fix proposed by tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
CBB uses recallocarray() to expand buffers, however was still using
malloc() for the initial buffer, which could result in memory being leaked
in incorrect use cases.
While here also use calloc() to allocate internal structs.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This reduces the chance of accidently leaking stack memory.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Currently the CBC related code stuffs the padding length in the upper bits
of the type field... stop doing that and add a padding_length field to the
record struct instead.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in
public headers, even though their usage is internal. This moves to
using _INTERNAL suffixed versions that are in internal headers, which
then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
Both session tickets and key updates are post-handshake handshake messages,
which were originally included in the handshake code.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
In the unlikely event that the return value from the read callback is
larger than the number of bytes we asked for, we can end up incrementing
buf->len beyond capacity. Check the return value from the read callback to
prevent this.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
The enc function pointers do not serve any purpose these days - remove
a layer of indirection and call dtls1_enc()/tls1_enc() directly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
TLSv1.1 or below, it should check whether the server's random value
contains the magic downgrade protection cookie and in that case abort
the handshake with an illegal parameter alert.
ok inoguchi, jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3).
The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that
TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives
a limited additional protection against downgrade attacks beyond what is
already present in the Finished exchange.
The TLSv1.3 part was already implemented in Hobart and can be trivially
modified to do the TLSv1.2 bit as well.
ok inoguchi, jsing
|
| |
|
|
|
|
|
|
| |
Use a bad_record_mac alert instead.
Found with tlsfuzzer's ChaCha20 test.
ok beck inoguchi jsing
|
