Commit graph

4288 commits

Author SHA1 Message Date
Matt Caswell
00ea17f9d7 Fix source where indent will not be able to cope
Conflicts:
	apps/ciphers.c
	ssl/s3_pkt.c

Conflicts:
	crypto/ec/ec_curve.c

Conflicts:
	crypto/ec/ec_curve.c
	ssl/s3_clnt.c
	ssl/s3_srvr.c
	ssl/ssl_sess.c

Conflicts:
	apps/ciphers.c
	crypto/bn/bn.h
	crypto/ec/ec_curve.c
	ssl/t1_enc.c
	ssl/t1_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:49:13 +00:00
Matt Caswell
3e8042c38f Additional comment changes for reformat of 0.9.8
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:49:06 +00:00
Matt Caswell
564ccc55d6 Further comment amendments to preserve formatting prior to source reformat
(cherry picked from commit 4a7fa26ffd65bf36beb8d1cb8f29fc0ae203f5c5)

Conflicts:
	crypto/x509v3/pcy_tree.c

Conflicts:
	apps/apps.c
	ssl/ssltest.c

Conflicts:
	apps/apps.c
	crypto/ec/ec2_oct.c
	crypto/ec/ecp_nistp224.c
	crypto/ec/ecp_nistp256.c
	crypto/ec/ecp_nistp521.c
	ssl/s3_cbc.c
	ssl/ssl_sess.c
	ssl/t1_lib.c

Conflicts:
	crypto/bio/b_sock.c
	crypto/pem/pem.h
	crypto/x509/x509_vfy.c
	crypto/x509v3/pcy_tree.c
	ssl/s3_both.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:48:59 +00:00
Tim Hudson
b558c8d597 mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

(cherry picked from commit 1d97c84351)

Conflicts:
	crypto/bn/bn_lcl.h
	crypto/bn/bn_prime.c
	crypto/engine/eng_all.c
	crypto/rc4/rc4_utl.c
	crypto/sha/sha.h
	ssl/kssl.c
	ssl/t1_lib.c

Conflicts:
	crypto/rc4/rc4_enc.c
	crypto/x509v3/v3_scts.c
	crypto/x509v3/v3nametest.c
	ssl/d1_both.c
	ssl/s3_srvr.c
	ssl/ssl.h
	ssl/ssl_locl.h
	ssl/ssltest.c
	ssl/t1_lib.c

Conflicts:
	crypto/asn1/a_sign.c
	crypto/bn/bn_div.c
	crypto/dsa/dsa_asn1.c
	crypto/ec/ecp_nistp224.c
	crypto/ec/ecp_nistp256.c
	crypto/ec/ecp_nistp521.c
	crypto/ec/ecp_nistputil.c
	crypto/modes/gcm128.c
	crypto/opensslv.h
	ssl/d1_both.c
	ssl/heartbeat_test.c
	ssl/s3_clnt.c
	ssl/s3_srvr.c
	ssl/ssl_sess.c
	ssl/t1_lib.c
	test/testutil.h

Conflicts:
	apps/openssl.c
	apps/ts.c
	apps/vms_decc_init.c
	crypto/aes/aes_core.c
	crypto/aes/aes_x86core.c
	crypto/dsa/dsa_ameth.c
	crypto/ec/ec2_mult.c
	crypto/evp/evp.h
	crypto/objects/objects.h
	crypto/rsa/rsa_pss.c
	crypto/stack/safestack.h
	crypto/ts/ts.h
	crypto/ts/ts_rsp_verify.c
	crypto/whrlpool/wp_dgst.c
	crypto/x509v3/v3_ncons.c
	e_os2.h
	engines/ccgost/gost89.c
	engines/ccgost/gost_ctl.c
	engines/ccgost/gost_keywrap.c
	engines/ccgost/gost_keywrap.h
	engines/ccgost/gost_sign.c
	ssl/kssl.c
	ssl/s3_srvr.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:48:44 +00:00
Matt Caswell
ba442a7e1b Prepare for 0.9.8zf-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 15:08:48 +00:00
Matt Caswell
e8ccaee31c Prepare for 0.9.8ze release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 15:05:59 +00:00
Matt Caswell
60431d0db3 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 15:05:59 +00:00
Matt Caswell
56abaa14e0 Fix warning where BIO_FLAGS_UPLINK was being redefined.
This warning breaks the build in 1.0.0 and 0.9.8

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b1ffc6ca1c)
2015-01-13 11:26:07 +00:00
Matt Caswell
8b8a48d099 Avoid deprecation problems in Visual Studio 13
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 86d21d0b95)

Conflicts:
	e_os.h
2015-01-13 09:50:04 +00:00
Dr. Stephen Henson
09caf4ffcd Avoid Windows 8 Getversion deprecated errors.
Windows 8 SDKs complain that GetVersion() is deprecated.

We only use GetVersion like this:

	(GetVersion() < 0x80000000)

which checks if the Windows version is NT based. Use a macro check_winnt()
which uses GetVersion() on older SDK versions and true otherwise.
(cherry picked from commit a4cc3c8041)

Conflicts:
	apps/apps.c
	crypto/bio/bss_log.c

Backported by Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openss.org>
2015-01-13 09:30:24 +00:00
Matt Caswell
bc253b0902 Prepare for 0.9.8ze-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:36:15 +00:00
Matt Caswell
b873409efe Prepare for 0.9.8zd release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:33:47 +00:00
Matt Caswell
f89250f2f2 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:33:47 +00:00
Andy Polyakov
4b4c0a1921 Fix for CVE-2014-3570.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de)
2015-01-08 11:28:17 +00:00
Dr. Stephen Henson
11f719da38 use correct function name
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cb62ab4b17)
2015-01-06 21:05:22 +00:00
Dr. Stephen Henson
ec2fede946 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 208a6012be)

Conflicts:
	crypto/dsa/dsa_vrf.c
2015-01-05 16:37:10 +00:00
Dr. Stephen Henson
c22e2dd6e5 Add ASN1_TYPE_cmp and X509_ALGOR_cmp.
(these are needed for certificate fingerprint fixes)
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05 15:34:49 +00:00
Kurt Roeckx
7fae32f6d6 Return error when a bit string indicates an invalid amount of bits left
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 86edf13b1c)
2015-01-05 15:23:42 +00:00
Dr. Stephen Henson
5260f1a483 Reject invalid constructed encodings.
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit f5e4b6b5b5)

Conflicts:
	crypto/asn1/asn1_err.c
2015-01-05 15:22:34 +00:00
Emilia Kasper
1cb10d9c7d Revert "RT3425: constant-time evp_enc"
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.

This reverts commit 1bb01b1b5f.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:57:16 +01:00
Kurt Roeckx
62abc80540 Fix warning about negative unsigned intergers
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-11 15:48:58 +01:00
Andy Polyakov
722fa14271 md32_common.h: address compiler warning in HOST_c2l.
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc7c)
2014-10-29 10:56:27 +01:00
Samuel Neves
a2ca66f37c Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-28 20:57:47 +01:00
Tim Hudson
e369af3600 Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e2e5326e5b)
2014-10-17 14:04:08 +02:00
Richard Levitte
15b7f5bf88 Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8202802fad)

Conflicts:
	crypto/evp/evp_enc.c
2014-10-17 14:03:57 +02:00
Kurt Cancemi
bfb7bf1a28 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955)
2014-10-17 11:48:55 +02:00
Dr. Stephen Henson
f33636faf7 Don't try 1**0 test with FIPS.
The 1**0 test will fail for FIPS capable builds because it uses the
old BIGNUM code in the 1.2 FIPS module which can't be fixed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-16 04:40:50 +01:00
Matt Caswell
94f735cade Prepare for 0.9.8zd-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:49:42 +01:00
Matt Caswell
36216218ca Prepare for 0.9.8zc release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:48:52 +01:00
Bodo Moeller
d286606301 Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:39:17 +02:00
Bodo Moeller
c6a876473c Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:18:29 +02:00
Dr. Stephen Henson
5a7fc89394 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:31:29 +01:00
Emilia Kasper
116fd3732a Add missing tests
Accidentally omitted from commit 455b65dfab

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e)
2014-09-25 13:48:08 +02:00
Emilia Kasper
1bb01b1b5f RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b55ff319f8)

Conflicts:
	crypto/evp/Makefile
	crypto/evp/evp_enc.c
2014-09-24 16:41:55 +02:00
Emilia Kasper
699d78ce98 RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)

Conflicts:
	ssl/Makefile
2014-09-24 16:01:46 +02:00
Emilia Kasper
96e1015eec RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:39:44 +02:00
Adam Langley
45d129511f Ensure that x**0 mod 1 = 0.
(cherry picked from commit 2b0180c37f)

Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-04 16:07:39 +02:00
Richard Levitte
0976adac8f Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0)
2014-09-03 22:26:24 +02:00
Phil Mesnier
db5b0d9309 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576)
2014-09-03 22:26:24 +02:00
Emilia Kasper
aeeedc8acc Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
2014-09-02 15:25:20 +02:00
Matt Caswell
c903866420 Fixed double inclusion of string.h
PR2693

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5d33b70ef5a4768fdfb77a73f9817c4570613039)
2014-08-29 21:40:15 +01:00
Emilia Kasper
9b208659aa Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 73729e4cf3)

Conflicts:
	ssl/Makefile
	test/Makefile
2014-08-28 17:28:42 +02:00
Adam Langley
fee8d86d7a Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.

(cherry picked from commit 7753a3a684)

Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a90b1e32d2)
2014-08-19 17:12:08 +02:00
Bodo Moeller
44a8fced97 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org

Conflicts:
	crypto/ec/ectest.c

Conflicts:
	crypto/ec/ec.h
2014-08-13 18:09:00 +02:00
Matt Caswell
4ff07f4c71 Prepare for 0.9.8zc-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:40 +01:00
Matt Caswell
1c5f396d36 Prepare for 0.9.8zb release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:20 +01:00
Emilia Kasper
b9a73f5481 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 22:02:00 +01:00
Dr. Stephen Henson
5021f6314e fix warn_unused_result warnings
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 21:59:15 +01:00
Bodo Moeller
681d11b6fd Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
	crypto/ec/ectest.c
2014-08-01 17:59:31 +02:00
Billy Brumley
8c387e62b2 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:29:35 +01:00