1
0
mirror of https://github.com/openbsd/src.git synced 2024-12-22 16:42:56 -08:00
Commit Graph

51 Commits

Author SHA1 Message Date
joshua
40ae7d6bc6 Add TLS_ERROR_INVALID_CONTEXT error code to libtls
ok jsing@ beck@
2024-03-26 08:54:48 +00:00
joshua
7a756d3745 Add error code support to libtls
This adds tls_config_error_code() and tls_error_code(), which will become
public API at a later date.

Additional error codes will be added in follow-up commits.

ok jsing@ beck@
2024-03-26 06:24:52 +00:00
op
e6d77be993 add missing #include <string.h>; ok tb@ 2023-05-14 07:26:25 +00:00
inoguchi
bcc534f91b Check function return value in libtls
EVP_EncryptInit_ex, EVP_DecryptInit_ex and HMAC_Init_ex are possible to
fail and return error.
Error from these functions will be fatal for the callback, and I choose to
return -1.
SSL_CTX_set_tlsext_ticket_key_cb.3 explains the return value of callback.

This also could fix Coverity CID 345319.

ok jsing@ tb@
2022-01-19 11:10:55 +00:00
tb
79d77232f0 Use SSL_AD_INTERNAL_ERROR
One instance of TLS1_AD_* was missed and broke the tree in the recent
switch to using only one version of alert defines internally.
2021-06-14 03:53:59 +00:00
tb
09626e4b2a Remove unnecessary cast in free.
ok jsing
2021-06-01 19:49:17 +00:00
bcook
565eed69f1 Acquire mutex before incrementing the refcount. Fixes COV-186144
ok tb@
2019-05-13 22:36:01 +00:00
jsing
b9573a74af Automatically handle library initialisation for libtls.
Now that we have tls_init() under pthread_once(), automatically initialise
libtls from the entry point functions (tls_config(), tls_client() and
tls_server()) - this makes an explicit tls_init() call no longer a
requirement.

ok bcook@ beck@ inoguchi@
2018-03-19 16:34:47 +00:00
jsing
bb4cb1b044 Split keypair handling out into its own file - it had already appeared
in multiple locations.

ok beck@
2018-02-08 05:56:49 +00:00
jsing
9ee433b9e6 Keep track of which keypair is in use by a TLS context.
This fixes a bug where by a TLS server with SNI would always only return
the OCSP staple for the default keypair, rather than returning the OCSP
staple associated with the keypair that was selected via SNI.

Issue reported by William Graeber and confirmed by Andreas Bartelt.

Fix tested by William Graeber and Andreas Bartelt - thanks!
2017-09-20 17:05:17 +00:00
jsing
4896de1e4b Add a tls_config_set_ecdhecurves() function to libtls, which allows the
names of the elliptic curves that may be used during client and server
key exchange to be specified.

This deprecates tls_config_set_ecdhecurve(), which could only be used to
specify a single supported curve.

ok beck@
2017-08-10 18:18:30 +00:00
jsing
dd391ab5c4 RFC 6066 states that IP literals are not permitted in "HostName" for a
TLS Server Name extension, however seemingly several clients (including
Python, Ruby and Safari) violate the RFC. Given that this is a fairly
widespread issue, if we receive a TLS Server Name extension that contains
an IP literal, pretend that we did not receive the extension rather than
causing a handshake failure.

Issue raised by jsg@

ok jsg@
2017-07-05 15:38:35 +00:00
jsing
a192468a6a Use the tls_password_cb() callback with all PEM_read_bio_*() calls, so that
we can prevent libcrypto from going behind our back and trying to read
passwords from standard input (which we may not be permitted to do).

Found by jsg@ with httpd and password protected keys.
2017-06-22 18:03:57 +00:00
jsing
ae6dba7666 Use the standard `rv' idiom in tls_keypair_load_cert(), rather than
duplicating clean up code.
2017-06-22 17:34:25 +00:00
jsing
88c10dab72 Perform reference counting for tls_config. This allows tls_config_free() to
be called as soon as it has been passed to the final tls_configure() call,
simplifying lifetime tracking for the application.

Requested some time ago by tedu@.

ok beck@
2017-05-06 20:59:28 +00:00
jsing
5f3c52056a Rework name verification code so that a match is indicated via an argument,
rather than return codes. More strictly follow RFC 6125, in particular only
check the CN if there are no SAN identifiers present in the certificate
(per section 6.4.4).

Previous behaviour questioned by Daniel Stenberg <daniel at haxx dot se>.

ok beck@ jca@
2017-04-10 17:11:13 +00:00
jsing
f61da50d75 Disable client-initiated renegotiation for libtls servers.
ok beck@ reyk@
2017-01-31 15:57:43 +00:00
jsing
5a7524621d Use a flag to track when we need to call SSL_shutdown(). This avoids an
issue where by calling tls_close() on a TLS context that has not attempted
a handshake, results in an unexpected failure.

Reported by Vinay Sajip.

ok beck@
2017-01-26 12:56:37 +00:00
claudio
47c43cfe84 Introduce ticket support. To enable them it is enough to set a positive
lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the ticket keys.

If multiple processes are involved the following functions can be used to make
tickets work accross all instances:
- tls_config_set_session_id() sets the session identifier
- tls_config_add_ticket_key() adds an encryption and authentication key

For now only the last 4 keys added will be used (unless they are too old).
If tls_config_add_ticket_key() is used the caller must ensure to add new keys
regularly. It is best to do this 4 times per session lifetime (which is also
the ticket key lifetime).

Since tickets break PFS it is best to minimize the session lifetime according
to needs.

With a lot of help, input and OK beck@, jsing@
2017-01-24 01:48:05 +00:00
jsing
59bda8bee5 If tls_set_cbs() fails an error will already be specified, so do not
replace it with a less specific one.
2017-01-12 16:15:58 +00:00
beck
2279ffc3f9 Set the callback on the correct ssl_ctx for the SNI case, instead of
the master only.
ok jsing@
2016-11-06 16:55:16 +00:00
beck
668bec9501 Add support for server side OCSP stapling to libtls.
Add support for server side OCSP stapling to netcat.
2016-11-05 15:13:26 +00:00
jsing
777595f383 Avoid shadowing the socket global.
ok miod@
2016-11-04 19:01:29 +00:00
bcook
4e91ee0b35 Set callbacks on the right tls ctx on accept.
From Tobias Pape
2016-09-14 11:34:37 +00:00
jsing
2233a86c2f Maintain consistency with function naming. 2016-09-04 13:20:56 +00:00
bcook
ed19021f58 Add callback-based interface to libtls.
This allows working with buffers and callback functions instead of directly on
sockets or file descriptors.
Original patch from Tobias Pape <tobias_at_netshed.de>.
ok beck@
2016-09-04 12:26:43 +00:00
jsing
f89edc012d Create contexts for server side SNI - these include the additional SSL_CTX
that is required for certificate switching with libssl and the certificate
itself so that we can match against the subject and SANs. Hook up the
servername callback and switch to the appropriate SSL_CTX if we find a
matching certificate.

ok beck@
2016-08-22 14:51:37 +00:00
jsing
991d42a128 Split out the TLS server SSL_CTX allocation and configuration code, so
that it can be reused to allocate the additional SSL_CTXs needed for SNI.

ok reyk@
2016-08-18 15:52:03 +00:00
jsing
b7f318e776 Explicitly pass in an SSL_CTX * to the functions that operate on one,
instead of assuming that they should use the one associated with the TLS
context. This allows these functions to be used with the additional
SSL contexts that are needed to support server-side SNI.

Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that
these functions have a common prefix.

ok reyk@
2016-08-15 14:04:23 +00:00
jsing
183da8c641 Add ALPN support to libtls.
ok beck@ doug@
2016-08-12 15:10:59 +00:00
jsing
380117c0ca Revert previous since it adds new symbols.
Requested by deraadt@
2016-08-02 07:47:11 +00:00
jsing
623e6e8282 Add ALPN support to libtls.
ok beck@ doug@
2016-08-01 17:32:19 +00:00
jsing
1fe9fea1eb Factor our the keypair handling in libtls. This results in more readable
and self-contained code, while preparing for the ability to handle
multiple keypairs. Also provide two additional functions that allow
a public certificate and private key to be set with a single function
call.

ok beck@
2016-04-28 17:05:59 +00:00
deraadt
810e306d0a clean some ugly intendation warts 2015-09-29 10:17:04 +00:00
jsing
9ba095aa2b Ensure that we clear the libssl error stack before we make a function call
that we will pass the result through tls_ssl_error() on failure. Otherwise
we can end up reporting spurious errors due to their being unrelated errors
already on the error stack.

Spotted by Marko Kreen.

ok beck@
2015-09-12 19:54:31 +00:00
beck
521d38f20c actually set return value to 0 on success.
ok jsing@ who wears the cone of shame.
2015-09-11 08:31:26 +00:00
jsing
e2b71c1183 Split tls_handshake() out from tls_accept/tls_connect. By doing this the
tls_accept/tls_connect functions can be guaranteed to succeed or fail and
will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves
the semantics of tls_accept_*.

The tls_handshake() function now does I/O and can return
TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will
trigger the handshake if it has not already completed, meaning that in many
cases existing code will continue to work.

Discussed over many coffees at l2k15.

ok beck@ bluhm@
2015-09-10 10:14:20 +00:00
jsing
c57e6ec010 Add support for preferring the server's cipher list or the client's cipher
list. Prefer the server's cipher list by default.

Based on a diff from Kyle Thompson <jmp at giga dot moe>.

ok beck@ bcook@
2015-09-10 09:10:42 +00:00
jsing
240d3da60b Indent labels with a space so that diff -p is more friendly.
Requested by bluhm@
2015-09-09 19:49:07 +00:00
beck
51f3bd3dbc Add client certificate support. Still needs a few tweaks but this will
ride upcoming minor bump
ok jsing@
2015-09-09 19:23:04 +00:00
jsing
aa7238e62d Only take ownership of a socket if we allocated it within libtls. If we are
passed a socket then the caller is responsible for closing it.

ok bcook@
2015-09-09 14:32:06 +00:00
jsing
fdb1c79f59 Improve libtls error messages.
The tls_set_error() function previously stored the errno but did nothing
with it. Change tls_set_error() to append the strerror(3) of the stored
errno so that we include useful information regarding failures.

Provide a tls_set_errorx() function that does not store the errno or
include strerror(3) in the error message. Call this function instead of
tls_set_error() for errors where the errno value has no useful meaning.

With feedback from and ok doug@
2015-08-27 15:26:49 +00:00
jsing
31ee3a2bbd Unify error message between client and server. 2015-08-22 14:52:39 +00:00
jsing
8c73da28b3 SSL_set_app_data is a macro for SSL_set_ex_data(), which is a wrapper
around CRYPTO_set_ex_data(), which can fail. Since this is the case, check
the return value of CRYPTO_set_ex_data^WSSL_set_ex_data^WSSL_set_app_data.
2015-08-22 14:51:34 +00:00
jsing
e1e4dea2b5 Provide a tls_accept_fds() function, which allows a TLS connection to be
accepted via an existing pair of file descriptors.

Based on a diff from Jan Klemkow.
2015-03-31 14:03:38 +00:00
jsing
5251ab8ebf Store errors that occur during a tls_accept_socket() call on the context
for the server, rather than on the context for the connection. This makes
more sense than the current behaviour does.

Issue reported by Tim van der Molen.
2015-03-31 12:21:27 +00:00
jsing
d474f84fda Convert tls_connect_fds() and tls_accept_socket() to the new OpenSSL error
dance handling code. This means that we get slightly useful messages when
a TLS connection or accept fails.

Requested by reyk@
2015-02-07 09:50:09 +00:00
jsing
9e5deb484b Add tls_config_set_dheparams() to allow specification of the parameters to
use for DHE. This enables the use of DHE cipher suites.

Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it
is only used to specify the curve for ephemeral ECDH.

Discussed with reyk@
2015-02-07 06:19:26 +00:00
bluhm
f30b95a158 Make the TLS connect and accept error messages consistent.
OK jsing@
2015-01-30 14:25:37 +00:00
reyk
31413d7e14 The SSL/TLS session Id context is limited to 32 bytes. Instead of
using the name of relayd relay or smtpd pki, use a 32 byte arc4random
buffer that should be unique for the context.  This fixes an issue in
OpenSMTPD when a long pki name could break the configuration.

OK gilles@ benno@
2015-01-16 14:34:51 +00:00