Commit graph

10996 commits

Author SHA1 Message Date
Loganaden Velvindron
e3dd33c25c Fix CRYPTO_strdup
The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)
2015-04-22 17:24:47 +01:00
Emilia Kasper
d695a02254 Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec61
and
7b3ba508af
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6e3d015363)
2015-04-21 19:37:17 +02:00
Emilia Kasper
a209623fbb Initialize variable
newsig may be used (freed) uninitialized on a malloc error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6824941440)
2015-04-21 19:32:43 +02:00
Emilia Kasper
92caee08d3 make update
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-04-21 17:53:36 +02:00
Richard Levitte
0725acd071 Initialised 'ok' and redo the logic.
The logic with how 'ok' was calculated didn't quite convey what's "ok",
so the logic is slightly redone to make it less confusing.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 06affe3dac)
2015-04-21 01:45:58 +02:00
Matt Caswell
5fa7c10bc4 Fix return checks in GOST engine
Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8817e2e0c9)
2015-04-20 23:13:02 +01:00
Matt Caswell
96d9674646 Fix misc NULL derefs in sureware engine
Fix miscellaneous NULL pointer derefs in the sureware engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7b611e5fe8)
2015-04-20 23:13:01 +01:00
Dr. Stephen Henson
32d3b0f52f Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d37)
2015-04-18 14:44:17 +01:00
Emilia Kasper
31d085ca74 Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3ae91cfb32)
2015-04-17 18:47:25 +02:00
Viktor Dukhovni
c70908d247 Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
2015-04-16 13:51:51 -04:00
Andy Polyakov
e963109fcd Please Clang's sanitizer, addendum.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-16 18:29:49 +02:00
Dr. Stephen Henson
da23637e8e Limit depth of nested sequences when generating ASN.1
Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c4137b5e82)
2015-04-16 16:06:48 +01:00
Dr. Stephen Henson
5c3fbbc875 Reject empty generation strings.
Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 111b60bea0)
2015-04-16 16:06:47 +01:00
Matt Caswell
40f26ac782 Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1c9)
2015-04-14 14:59:54 +01:00
Matt Caswell
89c2720298 Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
2015-04-14 14:50:20 +01:00
Kurt Roeckx
047cdde7a5 do_dirname: Don't change gen on failures
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ec5c5dd36)
2015-04-11 20:57:43 +02:00
Kurt Roeckx
10473a5a2c X509_VERIFY_PARAM_free: Check param for NULL
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit f49baeff50)
2015-04-11 20:57:43 +02:00
Dr. Stephen Henson
bd41063b11 Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b4969a)

Conflicts:
	crypto/asn1/tasn_new.c
2015-04-10 19:53:00 +01:00
Richard Levitte
0186f7bf87 Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe0918)
2015-04-08 21:47:00 +02:00
Richard Levitte
10a612a9e4 Ignore the non-dll windows specific build directories
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 37d92b1b2b)
2015-04-08 18:01:34 +02:00
Emilia Kasper
a20db08e77 Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae50d82700)
2015-04-08 16:42:28 +02:00
John Foley
9da34ad6cb Fix intermittent s_server issues with ECDHE
Resolve a problem when using s_server with ECDHE cipher
suites in OpenSSL_1_0_1-stable.  Due to an uninitialized variable,
SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug
appears to have been introduced by
059907771b.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-04-07 23:37:46 +01:00
Douglas E Engert
a63d3ac012 Ensure EC private keys retain leading zeros
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 30cd4ff294)

Conflicts:
	crypto/ec/ec_asn1.c
2015-03-31 16:41:33 +01:00
Emilia Kasper
8a46e51ed8 Fix uninitialized variable warning
While a true positive, it's almost harmless because EVP_DecryptInit_ex would have to fail and that doesn't happen under normal operation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 15:19:20 +01:00
Matt Caswell
fe9b85c3cb Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 70e5fd8778)
2015-03-25 13:09:31 +00:00
Matt Caswell
42c9c7103c Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
4ebc70cc51 Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
2674af2f79 Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	crypto/hmac/hmac.c
2015-03-25 13:01:04 +00:00
Matt Caswell
bae9b9915a Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
750190567a Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8f8e4e4f52)

Conflicts:
	crypto/evp/e_des3.c
2015-03-25 12:45:17 +00:00
Kurt Roeckx
23a9b24aa1 Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619)
2015-03-24 22:58:30 +01:00
Dr. Stephen Henson
5d74b4b4b3 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da0)
2015-03-24 12:27:36 +00:00
Dr. Stephen Henson
d635f4bb36 Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287)
2015-03-24 12:14:32 +00:00
Mike Frysinger
117476ba30 Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 7c82e339a6)
2015-03-24 11:35:46 +00:00
Matt Caswell
a6a704f448 Prepare for 1.0.1n-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:41:07 +00:00
Matt Caswell
506c106880 Prepare for 1.0.1m release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:38:37 +00:00
Matt Caswell
686d82a7a2 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:38:37 +00:00
Matt Caswell
8ca79fcbf4 Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
a4517be9e3 Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
6e24e1cdd2 Update NEWS file
Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
ffc69bd942 Update CHANGES for release
Update CHANGES fiel with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
82123b5e94 Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Emilia Kasper
cd56a08d4e Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:59:31 +00:00
Emilia Kasper
e2acb69c76 PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
2015-03-19 12:59:31 +00:00
Dr. Stephen Henson
c982285ab6 Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Dr. Stephen Henson
b485d97634 Free up ADB and CHOICE if already initialised.
CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-03-18 11:52:27 +00:00
Matt Caswell
636c42d747 Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf92259)
2015-03-17 14:52:46 +00:00
Matt Caswell
28e4f659c5 Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c597c)
2015-03-17 14:52:46 +00:00
Matt Caswell
6a43243d1d Fix seg fault in s_time
Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit dfef52f6f2)
2015-03-17 13:49:32 +00:00
Matt Caswell
f08731cd82 Add sanity check to PRF
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c6)
2015-03-17 13:49:32 +00:00