Place ticket keys into secure memory (4bfb96f2) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

ssl/s3_lib.c

+12 −12

Original line number	Diff line number	Diff line
		@@ -3798,8 +3798,8 @@ long ssl3_ctx_ctrl(SSL_CTX ctx, int cmd, long larg, void parg)
		{
		unsigned char *keys = parg;
		long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
		sizeof(ctx->ext.tick_hmac_key) +
		sizeof(ctx->ext.tick_aes_key));
		sizeof(ctx->ext.secure->tick_hmac_key) +
		sizeof(ctx->ext.secure->tick_aes_key));
		if (keys == NULL)
		return tick_keylen;
		if (larg != tick_keylen) {
		@@ -3809,23 +3809,23 @@ long ssl3_ctx_ctrl(SSL_CTX ctx, int cmd, long larg, void parg)
		if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
		memcpy(ctx->ext.tick_key_name, keys,
		sizeof(ctx->ext.tick_key_name));
		memcpy(ctx->ext.tick_hmac_key,
		memcpy(ctx->ext.secure->tick_hmac_key,
		keys + sizeof(ctx->ext.tick_key_name),
		sizeof(ctx->ext.tick_hmac_key));
		memcpy(ctx->ext.tick_aes_key,
		sizeof(ctx->ext.secure->tick_hmac_key));
		memcpy(ctx->ext.secure->tick_aes_key,
		keys + sizeof(ctx->ext.tick_key_name) +
		sizeof(ctx->ext.tick_hmac_key),
		sizeof(ctx->ext.tick_aes_key));
		sizeof(ctx->ext.secure->tick_hmac_key),
		sizeof(ctx->ext.secure->tick_aes_key));
		} else {
		memcpy(keys, ctx->ext.tick_key_name,
		sizeof(ctx->ext.tick_key_name));
		memcpy(keys + sizeof(ctx->ext.tick_key_name),
		ctx->ext.tick_hmac_key,
		sizeof(ctx->ext.tick_hmac_key));
		ctx->ext.secure->tick_hmac_key,
		sizeof(ctx->ext.secure->tick_hmac_key));
		memcpy(keys + sizeof(ctx->ext.tick_key_name) +
		sizeof(ctx->ext.tick_hmac_key),
		ctx->ext.tick_aes_key,
		sizeof(ctx->ext.tick_aes_key));
		sizeof(ctx->ext.secure->tick_hmac_key),
		ctx->ext.secure->tick_aes_key,
		sizeof(ctx->ext.secure->tick_aes_key));
		}
		return 1;
		}

ssl/ssl_lib.c

+8 −4

Original line number	Diff line number	Diff line
		@@ -3035,6 +3035,9 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
		if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data))
		goto err;

		if ((ret->ext.secure = OPENSSL_secure_zalloc(sizeof(*ret->ext.secure))) == NULL)
		goto err;

		/* No compression for DTLS */
		if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS))
		ret->comp_methods = SSL_COMP_get_compression_methods();
		@@ -3045,10 +3048,10 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
		/* Setup RFC5077 ticket keys */
		if ((RAND_bytes(ret->ext.tick_key_name,
		sizeof(ret->ext.tick_key_name)) <= 0)
		\|\| (RAND_bytes(ret->ext.tick_hmac_key,
		sizeof(ret->ext.tick_hmac_key)) <= 0)
		\|\| (RAND_bytes(ret->ext.tick_aes_key,
		sizeof(ret->ext.tick_aes_key)) <= 0))
		\|\| (RAND_bytes(ret->ext.secure->tick_hmac_key,
		sizeof(ret->ext.secure->tick_hmac_key)) <= 0)
		\|\| (RAND_bytes(ret->ext.secure->tick_aes_key,
		sizeof(ret->ext.secure->tick_aes_key)) <= 0))
		ret->options \|= SSL_OP_NO_TICKET;

		if (RAND_bytes(ret->ext.cookie_hmac_key,
		@@ -3190,6 +3193,7 @@ void SSL_CTX_free(SSL_CTX *a)
		OPENSSL_free(a->ext.supportedgroups);
		#endif
		OPENSSL_free(a->ext.alpn);
		OPENSSL_secure_free(a->ext.secure);

		CRYPTO_THREAD_lock_free(a->lock);

ssl/ssl_locl.h

+8 −3

Original line number	Diff line number	Diff line
		@@ -734,6 +734,12 @@ DEFINE_LHASH_OF(SSL_SESSION);
		DEFINE_LHASH_OF(X509_NAME);

		# define TLSEXT_KEYNAME_LENGTH 16
		# define TLSEXT_TICK_KEY_LENGTH 32

		typedef struct ssl_ctx_ext_secure_st {
		unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH];
		unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
		} SSL_CTX_EXT_SECURE;

		struct ssl_ctx_st {
		const SSL_METHOD *method;
		@@ -927,8 +933,7 @@ struct ssl_ctx_st {
		void *servername_arg;
		/* RFC 4507 session ticket keys */
		unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
		unsigned char tick_hmac_key[32];
		unsigned char tick_aes_key[32];
		SSL_CTX_EXT_SECURE *secure;
		/* Callback to support customisation of ticket key setting */
		int (ticket_key_cb) (SSL ssl,
		unsigned char name, unsigned char iv,

ssl/statem/statem_srvr.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -3831,9 +3831,9 @@ int tls_construct_new_session_ticket(SSL s, WPACKET pkt)
		iv_len = EVP_CIPHER_iv_length(cipher);
		if (RAND_bytes(iv, iv_len) <= 0
		\|\| !EVP_EncryptInit_ex(ctx, cipher, NULL,
		tctx->ext.tick_aes_key, iv)
		\|\| !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
		sizeof(tctx->ext.tick_hmac_key),
		tctx->ext.secure->tick_aes_key, iv)
		\|\| !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
		sizeof(tctx->ext.secure->tick_hmac_key),
		EVP_sha256(), NULL)) {
		SSLfatal(s, SSL_AD_INTERNAL_ERROR,
		SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,

ssl/t1_lib.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -1349,11 +1349,11 @@ SSL_TICKET_RETURN tls_decrypt_ticket(SSL s, const unsigned char etick,
		ret = SSL_TICKET_NO_DECRYPT;
		goto err;
		}
		if (HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
		sizeof(tctx->ext.tick_hmac_key),
		if (HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
		sizeof(tctx->ext.secure->tick_hmac_key),
		EVP_sha256(), NULL) <= 0
		\|\| EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
		tctx->ext.tick_aes_key,
		tctx->ext.secure->tick_aes_key,
		etick + TLSEXT_KEYNAME_LENGTH) <= 0) {
		goto err;
		}