[openssl] master update
Matt Caswell
matt at openssl.org
Tue Mar 24 16:19:56 UTC 2020
The branch master has been updated
via 6f829f58effd958c75cb7bc3cf2781fbdae22b9b (commit)
via abd86cecce06a2f56f2d0ccc4743273e5981d547 (commit)
from ca1bbc1a20837f76a2b637072d63da2d03985fff (commit)
- Log -----------------------------------------------------------------
commit 6f829f58effd958c75cb7bc3cf2781fbdae22b9b
Author: Matt Caswell <matt at openssl.org>
Date: Fri Mar 13 23:51:28 2020 +0000
Make sure we use a fetched cipher when encrypting stateless tickets
We use AES-256-CBC to encrypt stateless session tickets. We should
ensure that the implementation is fetched from the appropriate provider.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11356)
commit abd86cecce06a2f56f2d0ccc4743273e5981d547
Author: Matt Caswell <matt at openssl.org>
Date: Fri Mar 13 23:54:07 2020 +0000
Use a fetched version of SHA256 in tls_process_new_session_ticket()
We use the SHA256 digest of the ticket as a "fake" session id. We should
ensure that the SHA256 implementation is fetched from the appropriate
provider.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11356)
-----------------------------------------------------------------------
Summary of changes:
crypto/err/openssl.txt | 1 +
include/openssl/sslerr.h | 1 +
ssl/ssl_err.c | 2 ++
ssl/statem/statem_clnt.c | 16 +++++++++++++---
ssl/statem/statem_srvr.c | 11 ++++++++++-
5 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 2f4ffc8bad..090d0f39a5 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -3089,6 +3089,7 @@ SSL_R_EXTENSION_NOT_RECEIVED:279:extension not received
SSL_R_EXTRA_DATA_IN_MESSAGE:153:extra data in message
SSL_R_EXT_LENGTH_MISMATCH:163:ext length mismatch
SSL_R_FAILED_TO_INIT_ASYNC:405:failed to init async
+SSL_R_ALGORITHM_FETCH_FAILED:295:algorithm fetch failed
SSL_R_FRAGMENTED_CLIENT_HELLO:401:fragmented client hello
SSL_R_GOT_A_FIN_BEFORE_A_CCS:154:got a fin before a ccs
SSL_R_HTTPS_PROXY_REQUEST:155:https proxy request
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 8ccdf3dc6b..e1617aae45 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -561,6 +561,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_EXTRA_DATA_IN_MESSAGE 153
# define SSL_R_EXT_LENGTH_MISMATCH 163
# define SSL_R_FAILED_TO_INIT_ASYNC 405
+# define SSL_R_ALGORITHM_FETCH_FAILED 295
# define SSL_R_FRAGMENTED_CLIENT_HELLO 401
# define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
# define SSL_R_HTTPS_PROXY_REQUEST 155
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 517e90c141..85d9dd8448 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -171,6 +171,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"ext length mismatch"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FAILED_TO_INIT_ASYNC),
"failed to init async"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ALGORITHM_FETCH_FAILED),
+ "algorithm fetch failed"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_FRAGMENTED_CLIENT_HELLO),
"fragmented client hello"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_A_FIN_BEFORE_A_CCS),
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index dfc6f5a721..534902f9b9 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2560,6 +2560,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
unsigned int sess_len;
RAW_EXTENSION *exts = NULL;
PACKET nonce;
+ EVP_MD *sha256 = NULL;
PACKET_null_init(&nonce);
@@ -2675,20 +2676,28 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
* other way is to set zero length session ID when the ticket is
* presented and rely on the handshake to determine session resumption.
* We choose the former approach because this fits in with assumptions
- * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
- * SHA256 is disabled) hash of the ticket.
+ * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
+ * ticket.
*/
+ sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq);
+ if (sha256 == NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
+ SSL_R_ALGORITHM_FETCH_FAILED);
+ goto err;
+ }
/*
* TODO(size_t): we use sess_len here because EVP_Digest expects an int
* but s->session->session_id_length is a size_t
*/
if (!EVP_Digest(s->session->ext.tick, ticklen,
s->session->session_id, &sess_len,
- EVP_sha256(), NULL)) {
+ sha256, NULL)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
ERR_R_EVP_LIB);
goto err;
}
+ EVP_MD_free(sha256);
+ sha256 = NULL;
s->session->session_id_length = sess_len;
s->session->not_resumable = 0;
@@ -2727,6 +2736,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
return MSG_PROCESS_CONTINUE_READING;
err:
+ EVP_MD_free(sha256);
OPENSSL_free(exts);
return MSG_PROCESS_ERROR;
}
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 1cc106876c..7ca76fc0fe 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3906,7 +3906,14 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
}
iv_len = EVP_CIPHER_CTX_iv_length(ctx);
} else {
- const EVP_CIPHER *cipher = EVP_aes_256_cbc();
+ EVP_CIPHER *cipher = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC",
+ s->ctx->propq);
+
+ if (cipher == NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
+ SSL_R_ALGORITHM_FETCH_FAILED);
+ goto err;
+ }
iv_len = EVP_CIPHER_iv_length(cipher);
if (RAND_bytes_ex(s->ctx->libctx, iv, iv_len) <= 0
@@ -3915,10 +3922,12 @@ static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add,
|| !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key,
sizeof(tctx->ext.secure->tick_hmac_key),
"SHA256")) {
+ EVP_CIPHER_free(cipher);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_STATELESS_TICKET,
ERR_R_INTERNAL_ERROR);
goto err;
}
+ EVP_CIPHER_free(cipher);
memcpy(key_name, tctx->ext.tick_key_name,
sizeof(tctx->ext.tick_key_name));
}
More information about the openssl-commits
mailing list