ustream-openssl: clear error stack before SSL_read/SSL_write The OpenSSL library uses a global error queue per thread which needs to be cleared prior to calling I/O functions in order to get reliable error results. Failure to do so will lead to stray errors reported by SSL_get_error() when an unrelated connection within the same thread encountered a TLS error since the last SSL_read() or SSL_write() on the current connection. This issue was frequently triggered by Google Chrome which usually initiates simultaneous TLS connections (presumably for protocol support probing) and subsequently closes most of them with a "certificate unknown" TLS error, causing the next SSL_get_error() to report an SSL library error instead of the expected SSL_WANT_READ or SSL_WANT_WRITE error states. Solve this issue by invoking ERR_clear_error() prior to invoking SSL_read() or SSL_write() to ensure that the subsequent SSL_get_error() returns current valid results. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
add support for specifying usable ciphers Implement a new ustream_ssl_ops.context_set_ciphers() function which allows specifying the usable ciphers for a TLS context, which is useful to restrict the accepted cipher subset especially for ustream-ssl server applications. For the OpenSSL backend, the given cipher string is passed as-is to SSL_CTX_set_cipher_list(). For mbedTLS, the given string is split on colons and each item of the list is resolved through mbedtls_ssl_get_ciphersuite_id() to construct a numeric list of allowed ciphers. Note that OpenSSL and mbedTLS use different names for their ciphers but both implementations simply ignore unknown names, so it is possible to specify cipherstrings which are applicable to either library, e.g. `-ALL:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` would enable ChaCha20/Poly1305 in both OpenSSL and mbedTLS. Another crucial difference between the libraries is that the cipherstring in mbedTLS is effectively a whitelist of allowed ciphers while, without additional syntax elements, OpenSSL's cipherstring merely appends ciphers to the default selection. Ref: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html Ref: https://tls.mbed.org/api/ssl_8h.html#a9914cdf5533e813e1ea7ca52981aa006 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
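The colon-splitting described for the mbedTLS backend, as an added illustration that is not ustream-ssl's own code: the lookup table below is a constructed stand-in for mbedtls_ssl_get_ciphersuite_id() (IANA ids, names assumed to match the library's spelling), and parse_cipher_list() is a hypothetical name. It shows why a cross-library string works: entries the library does not know resolve to 0 and are dropped, and the result is the 0-terminated list mbedtls_ssl_conf_ciphersuites() expects, with the overflow case handled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed name -> id table standing in for mbedtls_ssl_get_ciphersuite_id().
 * Ids are the IANA ciphersuite values; unknown names yield 0, which is the
 * "silently ignored" behaviour the cross-library cipherstring relies on. */
struct suite_name { const char *name; int id; };
static const struct suite_name suite_table[] = {
    { "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",   0xCCA8 },
    { "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 0xCCA9 },
    { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",       0xC02B },
    { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",         0xC02F },
};

static int lookup_suite_id(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof(suite_table) / sizeof(suite_table[0]); i++)
        if (strlen(suite_table[i].name) == len &&
            memcmp(suite_table[i].name, name, len) == 0)
            return suite_table[i].id;
    return 0; /* unknown (e.g. "-ALL" or an OpenSSL-style name): ignored */
}

/* Split a colon-separated cipher string into a 0-terminated id list holding
 * at most max-1 ids. Empty items and unknown names are skipped.
 * Returns the number of ids stored, or -1 if the list would overflow. */
int parse_cipher_list(const char *str, int *ids, size_t max)
{
    size_t n = 0;
    if (max == 0)
        return -1;
    while (*str) {
        const char *end = strchr(str, ':');
        size_t len = end ? (size_t)(end - str) : strlen(str);
        int id = len ? lookup_suite_id(str, len) : 0;
        if (id) {
            if (n + 1 >= max) { ids[0] = 0; return -1; } /* no room for terminator */
            ids[n++] = id;
        }
        str = end ? end + 1 : str + len;
    }
    ids[n] = 0; /* mbedtls_ssl_conf_ciphersuites() wants a 0-terminated list */
    return (int)n;
}

int main(void)
{
    /* The cross-library string from the commit message, constructed input. */
    int ids[8];
    int n = parse_cipher_list(
        "-ALL:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        ids, sizeof(ids) / sizeof(ids[0]));
    for (int i = 0; i < n; i++)
        printf("allowed suite 0x%04X\n", ids[i]);
    return 0;
}
```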
ustream-ssl: mbedtls: fix ssl client verification The ustream_ssl_update_own_cert() function should, like the name suggests, only update the local ssl peer's own certificate and not any of the CA's. By overwriting the CA's certificates when setting the own certificate, the code broke SSL client verification. This bug was only triggered when: ustream_ssl_context_set_crt_file() was called after ustream_ssl_context_add_ca_crt_file() Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
ustream-ssl: skip writing pending data if .eof is true after connect Check the .eof member of the underlying ustream after the call to __ustream_ssl_connect() since existing users of the library appear to set the eof flag as a way to signal connection termination upon failing certificate verification. This is a stop-gap measure to address TALOS-2019-0893 but a proper API redesign is required to give applications proper control over whether certificate failures are to be ignored or not and the default implementation without custom callbacks should always terminate on verification failures. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
wolfssl: adjust to new API in v4.2.0 WolfSSL has recently added many openssl 1.1+ calls, including TLS_server_method & TLS_client_method, which were being redefined, causing compilation failure: ustream-openssl.c:113:0: error: "TLS_server_method" redefined [-Werror] ustream-openssl.c:114:0: error: "TLS_client_method" redefined [-Werror] Only define the symbols if not previously defined. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Update example certificate & key, fix typo The current crypto libraries will fail to load small RSA keys, so a new certificate was generated with a 2048-bit RSA key. Also fixed a typo in ustream-example-client.c Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
wolfssl: enable CN validation WolfSSL added a wolfSSL_X509_check_host function to perform CN validation in v3.10.4, depending on the build-time configure options: --enable-nginx enables it for all supported versions; --enable-opensslextra, since v3.14.2. If the function is unavailable, then SSL_get_verify_result will be called, and 'valid_cert' will be true if that call succeeds and we have a peer certificate, just as it happens with openssl. Only 'valid_cn' will not be set. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
ustream-io-cyassl.c: fix client-mode connections Starting in v3.13.2, wolfSSL stores the BIO send and recv callbacks in the SSL struct. When the SSL session is created, it inherits the calls from the SSL_CTX, but they do not get updated when the SSL_CTX callbacks are changed. Currently, ustream-ssl sets the callbacks after the SSL session is created, causing failures. Client apps, such as uclient-fetch, fail immediately to connect to https URLs with a 'Connection failed' error message. uhttpd seems unaffected. New calls to set them directly in the SSL struct were added in 4.1.0, so we can use them, with a check in CMakeLists.txt to detect their presence. Otherwise, another call to ustream_set_io is done before creating the SSL session to properly set the callbacks. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Remove CyaSSL, WolfSSL < 3.10.4 support This updates the CyaSSL names to wolfSSL, and removes obsolete code to support old versions of the library < v3.10.4. Some #include statements were moved around, so that wolfssl/options.h is loaded before any other wolfssl/openssl header. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Revise supported ciphersuites CBC ciphersuites have been under scrutiny because of the many padding oracle vulnerabilities that keep popping up; it seems that we won't be able to patch up the inherent weakness of MAC-then-encrypt forever. They have been blacklisted by HTTP/2, and recently dropped from Mozilla's Security/Serverside TLS intermediate compatibility list: https://wiki.mozilla.org/Security/Server_Side_TLS This commit removes ECDSA-CBC ciphersuites. Basically, you can choose a level of ciphersuite security, using the private-key type as a switch: For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly matching Mozilla's Old backward compatibility list. If you use an EC private key, then only ephemeral-key, authenticated ciphers will be used, along the lines of what Mozilla's Intermediate compatibility list prescribes. The order does not match Mozilla's list 100% because in most embedded systems, the server is going to be the least-capable machine. So, chacha20-poly1305 is moved ahead of AES, and the cipher preference is always given to the server. Also, DHE ciphers are not used for the server. The client list had the order changed to prioritize authenticated ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
wolfssl, openssl: use TLS 1.3, set ciphersuites For wolfssl, instead of hard-coding TLS 1.2, use the generic method and disable older protocols, adding the necessary ciphersuites. Openssl already had TLS 1.3 compatibility, but its ciphersuite ordering needs a separate call, so this sets the ciphersuite preference when using TLS 1.3. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
ustream-ssl: mbedtls: use chacha-poly ciphersuites These ciphersuites were added in mbedtls v2.12.0, so we may add them to the ustream-ssl ciphersuite list. They were already part of the list for openssl and wolfssl. Chacha20-Poly1305 is a 256-bit cipher with AEAD, much faster than AES on CPUs without special AES instructions (the case for most embedded chips). Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
openssl, wolfssl: match mbedTLS ciphersuite list Use the same ciphersuite list as mbedTLS. wolfssl was not honoring setting the minimum protocol with SSL_CTX_set_options, so we must use TLSv1_2_server_method. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
ustream-ssl: Revised security on mbedtls I've revised the security options, and made them more uniform across the ssl libraries. - use only TLS 1.2 in server mode - changed the ciphersuite ordering Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
ustream-ssl: add openssl-1.1.0 compatibility Patch to compile ustream-ssl with openssl-1.1.0, maintaining compatibility with openssl 1.0.2. Fixed flag handling in ustream-io-openssl.c. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
mbedtls: Fix setting allowed cipher suites The cipher suites should be set after the default settings are done, otherwise the settings will be overwritten with the defaults later on again. Also make the list of supported cipher suites match what Chrome tries to use. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
mbedtls: Add support for a session cache This allows the client to reuse the settings from a previous session so that no full key exchange is needed. The partial key exchange takes less than 0.1 seconds compared to over a second needed for a full key exchange. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>