| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new verifier builds all chains, starting with the shortest possible
path. It also does not currently return partial chains. Both of these
things conflict with auto chain, where we want to build the longest
possible chain (to include all intermediates, and probably the root
unnecessarily), as well as using an incomplete chain when a trusted chain
is not known.
Depending on software configuration, we can end up building a chain
consisting only of a leaf certificate, rather than a longer chain. This
results in auto chain not including intermediates, which is undesireable.
For now, switch auto chain building to use the legacy verifier.
This should resolve the issues encountered by ajacoutot@ with sendmail.
ok tb@
|
| |
|
|
|
|
| |
Yet another mostly meaningless error value...
Noted by and ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a certificate (namely a root) is specified as both a trusted and
untrusted certificate, the new verifier will find multiple chains - the
first being back to the trusted root certificate and a second via the root
that is untrusted, followed by the trusted root certificate. This situation
can be triggered by a server that (unnecessarily) includes the root
certificate in its certificate list.
While this validates correctly (using the first chain), it means that we
encounter a failure while building the second chain due to the root
certificate already being in the chain. When this occurs we call the verify
callback indicating a bad certificate. Some sensitive software (including
bacula and icinga), treat this single bad chain callback as terminal, even
though we successfully verify the certificate.
Avoid this problem by simply dumping the chain if we encounter a situation
where the certificate is already in the chain and also a trusted root -
we'll have already picked up the trusted root as a shorter path.
Issue with icinga2 initially reported by Theodore Wynnychenko.
Fix tested by sthen@ for both bacula and icinga2.
ok tb@
|
| |
|
|
|
|
| |
fix in libcrypto/asn1/a_time_tm.c r1.16.
Suggested by jsing
|
| | |
|
| | |
|
| |
|
|
|
|
| |
order of the struct members for reviewability.
ok jsing
|
| |
|
|
|
|
|
| |
* Do not abuse .Bl -tag for lists without bodies, use .Bl -item instead.
* In tagged lists, put bodies into bodies, not into heads.
* Add a few missing macros.
* Drop some useless quoting.
|
| |
|
|
|
|
|
| |
Follow the previous commit and complete the manual page for consistency;
better readable and tags for free.
OK tb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
Manuals like httpd.conf(5) refer to this for valid protocol strings, but
elements inlined into sentences are hard find to spot.
Use a list as already done elsewhere in this manual.
OK jmc on earlier version
Feeback OK tb
|
| |
|
|
|
|
| |
Add a stub for pthread_mutex_destroy() for installers.
ok tb@
|
| |
|
|
| |
noted by deraadt@
|
| |
|
|
| |
ok inoguchi@
|
| |
|
|
| |
pointed out by jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
When parsing an UTCTime into a struct tm that wasn't cleared by the caller,
the years would be added to the already present value, which could give an
incorrect result. This is an issue in ASN1_UTCTIME_cmp_time_t(), which is
practically unused. Fix this by always zeroing the passed struct tm.
Issue reported by Olivier Taïbi, thanks!
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is a historical artifact that cert_verify_md[], finish_md[] and
peer_finish_md[] are twice as large as they need to be. This is
confusing, especially for finish_md[] and peer_finish_md[] which are
copied to to previous_client_finished[] and previous_server_finished[]
which are only half as large. It is easy to check that they will never
get more than EVP_MAX_MD_SIZE data written to them.
In 1998, EVP_MAX_MD_SIZE was 20 bytes long (for SHA-1). This got bumped to
16+20 for the SSLv3-specific md5+sha1. Apparently under the impression
that EVP_MAX_MD_SIZE was still 20 bytes, someone else doubled finish_md[]'s
size to EVP_MAX_MD_SIZE*2 and added /* actually only needs to be 16+20 */.
A bit later finish_md[] was split up, and still a bit later the comment was
amended for TLSv1. Shortly thereafter SHA-512 required a bump of
EVP_MAX_MD_SIZE to 64 by a third person and we have been carrying 192 bytes
of untouched memory in each of our SSLs ever since.
ok inoguchi jsing (jsing had the same diff)
|
| |
|
|
|
|
|
| |
ERR_peek_error() returns unsigned long.
Reported by github issue by @rozhuk-im.
ok bcook@ jsing@
|
| |
|
|
|
|
|
|
|
|
| |
As reported by Steffen Ullrich and bluhm, the Finished tests in
p5-Net-SSLeay's t/local/43_misc_functions.t broke with with TLSv1.3.
The reason for this is that we don't copy the MDs over to the SSL, so
the API functions can't retrieve them. This commit fixes this part of
the test (one unrelated test still fails).
ok inoguchi jsing
|
| |
|
|
|
|
|
| |
This is the natural type for these and it simplifies an upcoming commit.
The few consumers have been carefully checked to be fine with this.
ok inoguchi jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Comparing two GENERAL_NAME structures containing an EDIPARTYNAME can lead
to a crash. This enables a denial of service attack for an attacker who can
control both sides of the comparison.
Issue reported to OpenSSL on Nov 9 by David Benjamin.
OpenSSL shared the information with us on Dec 1st.
Fix from Matt Caswell (OpenSSL) with a few small tweaks.
ok jsing
|
| |
|
|
| |
ok jsing kn
|
| |
|
|
| |
ok jsing kn
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.
In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.
The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().
It's a mess.
Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.
Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().
This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.
This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This happens if name->der_len == 0. Since we already have a length
check, we can malloc and memcpy inside the conditional. This also
makes the code easier to read.
agreement from millert
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
x509_verify_chain_new() allocates a few members of a certificate chain:
an empty stack of certificates, a list of errors encountered while
validating the chain, and a list of name constraints. The function to
copy a chain would allocate a new chain using x509_verify_chain_new()
and then clobber its members by copies of the old chain. Fix this by
replacing x509_verify_chain_new() with calloc().
Found by review while investigating the report by Hanno Zysik who
found the same leak using valgrind. This is a cleaner version of
my initial fix from jsing.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The legacy validator would only call x509_vfy_check_policy() once at
the very end after cobbling together a chain. Therefore it didn't
matter that X509_policy_check() always allocates a new tree on top of
the one that might have been passed in. This is in stark contrast to
other, similar APIs in this code base. The new validator calls this
function several times over while building its chains. This adds up
to a sizable leak in the new validator.
Reported with a reproducer by Hanno Zysik on github, who also bisected
this to the commit enabling the new validator.
Narrowed down to x509_vfy_check_policy() by jsing.
We simultaenously came up with a functionally identical fix.
ok jsing
|
| | |
|
| |
|
|
|
|
| |
a few lines after.
stylistic nit from jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.
Issue reported by nmathewson on github.
ok inoguchi@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
| |
This was inadvertently removed in r1.19.
Spotted by tb@
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
in order to be compatible with the openssl error craziness in the legacy
verifier case.
This will fix a regress problem noticed by znc
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With the old verifier, the verify callback can always return 1 instructing
the verifier to simply continue regardless of a certificate verification
failure (e.g. the certificate is expired or revoked). This would result
in a chain being built, however the first error encountered would be
persisted, which allows the caller to build the chain, have the
verification process succeed, yet upon inspecting the error code note
that the chain is not valid for some reason.
Mimic this behaviour by keeping track of certificate errors while building
chains - when we finish verification, find the certificate error closest
to the leaf certificate and expose that via the X509_STORE_CTX. There are
various corner cases that we also have to handle, like the fact that we
keep an certificate error until we find the issuer, at which point we have
to clear it.
Issue reported by Ilya Shipitcin due to failing haproxy regression tests.
With much discussion and input from beck@ and tb@!
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
| |
Apparently OpenLDAP relies on this craziness to provide intermediates,
rather than specifying the chain directly like a normal TLS server would.
Issue noted by sthen@ and Bernard Spil, who both also tested this diff.
ok tb@
|
| |
|
|
|
|
|
| |
This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
| |
|
|
|
| |
wincrypt is deprecated and no longer works with newer Windows environments,
such as in Windows Store apps.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TLSv1.3 code that drives a BIO currently checks BIO_should_read()
after BIO_write() and BIO_should_write() after BIO_read(), which was
modelled on SSL_get_error(). However, there are certain cases where
this can confuse the caller - primarily where the same BIO is being
used for both read and write and the caller is manipulating the retry
flags. SSL_get_error() tends avoids this issue by relying on another
layer of state tracking.
Unfortunately haproxy hits this situation - it has its own BIO_METHOD,
the same BIO is used for both read and write and it manipulates the
retry flags - resulting in it stalling.
Issued noted by Thorsten Lockert <tholo@tzecmaun.org>
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
If we fail to find a parent certificate from either the supplied roots or
intermediates and we have a X509_STORE_CTX, call its get_issuer() callback
to see if it can supply a suitable certificate. This makes things like
certificates by directory (aka by_dir) work correctly.
Issue noted by Uwe Werler <uwe@werler.is>
ok beck@ tb@
|
