Commit graph

11015 commits

Author SHA1 Message Date
Matt Caswell
106a9a5d7e Fix Kerberos issue in ssl_session_dup
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for
Kerberos.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit dcad51bc13)
2015-06-10 10:02:16 +01:00
Richard Levitte
cb972a4fe7 When making libcrypto from apps or test, make sure to include engines
For librypto to be complete, the stuff in both crypto/ and engines/
have to be built.  Doing 'make test' or 'make apps' from a clean
source tree failed to do so.
Corrected by using the new 'build_libcrypto' in the top Makefile.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit acaff3b797)
2015-06-10 02:12:34 +02:00
Richard Levitte
ee2d14be94 Add and rearrange building of libraries
There's a need for a target that will build all of libcrypto, so let's
add 'build_libcrypto' that does this.  For ortogonality, let's also
add 'build_libssl'.  Have both also depend on 'libcrypto.pc' and
'libssl.pc' so those get built together with the libraries.
This makes 'all' depend on fewer things directly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 177b5f9c82)

Conflicts:
	Makefile.org
2015-06-10 02:12:25 +02:00
Dr. Stephen Henson
3d2c3fa5fc return correct NID for undefined object
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0fb9990480)
2015-06-08 21:47:05 +01:00
Emilia Kasper
ba5693686e Use CRYPTO_memcmp in s3_cbc.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 05627d57e5)
2015-06-08 15:05:08 +02:00
Emilia Kasper
59b5ab4aa7 Use CRYPTO_memcmp when comparing authenticators
Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley
(Google).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 1e4a355dca)
(cherry picked from commit ac32a77cd6)
2015-06-08 15:01:47 +02:00
Matt Caswell
c22ed559bb Remove misleading comment
Remove a comment that suggested further clean up was required.
DH_free() performs the necessary cleanup.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f3d889523e)
2015-06-04 12:56:13 +01:00
Matt Caswell
4b6f33a5c2 Clean premaster_secret for GOST
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b7ee4815f2)

Conflicts:
	ssl/s3_srvr.c
2015-06-04 12:56:13 +01:00
Matt Caswell
c36d3840ff Clean Kerberos pre-master secret
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4e3dbe37ca)
2015-06-04 12:42:51 +01:00
Matt Caswell
05bdebb6e0 Fix off-by-one error in BN_bn2hex
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
for this and can allocate a buffer one byte too short in the event of -0
being used, leading to a one byte buffer overrun. All usage within the
OpenSSL library is considered safe. Any security risk is considered
negligible.

With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
Filip Palian for discovering and reporting this issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c56353071d)

Conflicts:
	crypto/bn/bn_print.c
2015-06-04 09:29:13 +01:00
Annie Yousar
32b2ad7e07 RT3230: Better test for C identifier
objects.pl only looked for a space to see if the name could be
used as a C identifier.  Improve the test to match the real C
rules.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 591b7aef05)
2015-06-02 17:17:54 -04:00
Richard Levitte
1977240204 Add the macro OPENSSL_SYS_WIN64
This is for consistency.
Additionally, have its presence define OPENSSL_SYS_WINDOWS as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3f131556d6)

Conflicts:
	e_os2.h
2015-06-02 18:05:31 +02:00
Matt Caswell
939b496027 Fix race condition in NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

CVE-2015-1791

This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.

Parts of this patch were inspired by this Akamai change:
c0bf69a791

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27c76b9b80)

Conflicts:
	ssl/ssl.h
	ssl/ssl_err.c
2015-06-02 12:44:40 +01:00
Matt Caswell
cce3e4adb7 Clear state in DTLSv1_listen
This is a backport of commit e83ee04bb7 from
the master branch (and this has also been applied to 1.0.2). In 1.0.2 this
was CVE-2015-0207. For other branches there is no known security issue, but
this is being backported as a precautionary measure.

The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-02 09:12:39 +01:00
Matt Caswell
f3e85f4359 Check the message type requested is the type received in DTLS
dtls1_get_message has an |mt| variable which is the type of the message that
is being requested. If it is negative then any message type is allowed.
However the value of |mt| is not checked in one of the main code paths, so a
peer can send a message of a completely different type and it will be
processed as if it was the message type that we were expecting. This has
very little practical consequences because the current behaviour will still
fail when the format of the message isn't as expected.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c2b1d872b)
2015-06-01 00:33:22 +01:00
Dr. Stephen Henson
cc74177e71 check for error when creating PKCS#8 structure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2849707fa6)
2015-05-28 18:02:19 +01:00
Dr. Stephen Henson
e2cf18c635 PEM doc fixes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f097f81c89)
2015-05-28 18:02:19 +01:00
Andy Polyakov
df00b6eb5e Housekeeping 'make TABLE' update.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-26 21:55:57 +02:00
Emilia Kasper
1ee85aab75 Fix ssltest to use 1024-bit DHE parameters
Also add more ciphersuite test coverage, and a negative test for
512-bit DHE.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-26 12:41:51 +02:00
Matt Caswell
029e8f3ac9 Don't check for a negative SRP extension size
The size of the SRP extension can never be negative (the variable
|size| is unsigned). Therefore don't check if it is less than zero.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 9c89d29083)
2015-05-26 10:42:10 +01:00
Matt Caswell
28ea6ad612 Fix error check in GOST engine
The return value of i2d functions can be negative if an error occurs.
Therefore don't assign the return value to an unsigned type and *then*
check if it is negative.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 90e7cdff3a)
2015-05-26 10:42:10 +01:00
Matt Caswell
4ae1c7771d Handle unsigned struct timeval members
The members of struct timeval on OpenVMS are unsigned. The logic for
calculating timeouts needs adjusting to deal with this.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fc52ac9028)
2015-05-26 10:42:10 +01:00
Andy Polyakov
dbcf8e3319 Configure: replace -mv8 with -mcpu=v8 in SPARC config lines.
RT#3860

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit aa1e42215b)
2015-05-26 10:24:20 +02:00
Billy Brumley
5fcfef49d9 fix copy paste error in ec_GF2m function prototypes
RT#3858

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 71f6130b7a)
2015-05-26 10:14:56 +02:00
Andy Polyakov
8af1319270 bn/bn_lcl.h: fix MIPS-specific gcc version check.
RT#3859

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 60c268b21a)
2015-05-26 10:08:44 +02:00
Andy Polyakov
38b7073328 md32_common.h: backport ICC fix.
RT#3843

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-26 09:58:12 +02:00
Matt Caswell
75077a2277 Don't send an alert if we've just received one
If the record received is for a version that we don't support, previously we
were sending an alert back. However if the incoming record already looks
like an alert then probably we shouldn't do that. So suppress an outgoing
alert if it looks like we've got one incoming.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-25 23:11:02 +01:00
Richard Levitte
c62592e52f Fix update and depend in engines/
The update: target in engines/ didn't recurse into engines/ccgost.
The update: and depend: targets in engines/ccgost needed a fixup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8b822d2566)
2015-05-23 11:22:10 +02:00
Richard Levitte
f460f050c2 Missed a couple of spots in the update change
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6f45032f67)

Conflicts:
	apps/Makefile
2015-05-23 11:22:10 +02:00
Richard Levitte
eb797fde3f Fix the update target and remove duplicate file updates
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0f539dc1a2)

Conflicts:
	Makefile.org
	apps/Makefile
	test/Makefile
2015-05-23 11:22:10 +02:00
Matt Caswell
b484b040e3 Fix off-by-one in BN_rand
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-22 23:45:33 +01:00
Matt Caswell
726b5e7132 Reject negative shifts for BN_rshift and BN_lshift
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 7cc18d8158)

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
2015-05-22 23:21:55 +01:00
Lubom
0a9f8e0621 Lost alert in DTLS
If a client receives a bad hello request in DTLS then the alert is not
sent correctly.

RT#2801

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 4dc1aa0436)
2015-05-22 10:24:49 +01:00
Matt Caswell
1c687ff4dd Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

Conflicts:
	doc/apps/cms.pod
	doc/apps/ocsp.pod
	doc/apps/s_client.pod
	doc/apps/s_server.pod
	doc/apps/smime.pod
	doc/apps/verify.pod
2015-05-20 23:14:25 +02:00
Matt Caswell
c6a39046f5 Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

Conflicts:
	apps/cms.c
	apps/ocsp.c
	apps/s_client.c
	apps/s_server.c
	apps/smime.c
	apps/verify.c
2015-05-20 23:14:25 +02:00
Matt Caswell
cf1bf3f032 Add flag to inhibit checking for alternate certificate chains. Setting this behaviour will force behaviour as per previous versions of OpenSSL
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
2015-05-20 23:14:24 +02:00
Matt Caswell
f7bf8e02df In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store.
When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
2015-05-20 23:14:24 +02:00
Kurt Roeckx
3b509e8cdc Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ac38115c1a)
2015-05-20 22:23:28 +02:00
Emilia Kasper
63830384e9 client: reject handshakes with DH parameters < 768 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
ff4de7dde9 Update documentation with Diffie-Hellman best practices.
- Do not advise generation of DH parameters with dsaparam to save
computation time.
- Promote use of custom parameters more, and explicitly forbid use of
built-in parameters weaker than 2048 bits.
- Advise the callback to ignore <keylength> - it is currently called
with 1024 bits, but this value can and should be safely ignored by
servers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
3372aeed2c dhparam: fix documentation
The default bitlength is now 2048. Also clarify that either the number
of bits or the generator must be present:

$ openssl dhparam -2
and
$ openssl dhparam 2048
generate parameters but
$ openssl dhparam
does not.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
8568170d77 dhparam: set the default to 2048 bits
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
f1612746ec s_server: Use 2048-bit DH parameters by default.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 15:01:36 +02:00
StudioEtrange
5a1f055d91 GitHub284: Fix typo in xx-32.pl scripts.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-20 04:35:39 -04:00
Robert Swiecki
e96de9822e Don't add write errors into bytecounts
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 00d565cfbe)
2015-05-19 07:20:38 -04:00
Andy Polyakov
2df0ba9b4f mk1mf.pl: replace chop for windows.
Backport old patch to make it work in mixture of perls for Windows.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Cherry-picked from 7bb98eee3c

(cherry picked from commit 051b41df41)
2015-05-15 14:19:29 -04:00
Rich Salz
76b49a8ad7 Add NULL checks from master
The big "don't check for NULL" cleanup requires backporting some
of the lowest-level functions to actually do nothing if NULL is
given.  This will make it easier to backport fixes to release
branches, where master assumes those lower-level functions are "safe"

This commit addresses those tickets: 3798 3799 3801.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit f34b095fab)
2015-05-13 12:55:23 -04:00
Hanno Böck
5e0ec9012b Call of memcmp with null pointers in obj_cmp()
The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.

This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):
apps/openssl pkcs7 -in test/testp7.pem

What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.

RT#3816

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2b8dc08b74)
2015-05-13 15:32:23 +01:00
Matt Caswell
5c122908ab Don't allow a CCS when expecting a CertificateVerify
Currently we set change_cipher_spec_ok to 1 before calling
ssl3_get_cert_verify(). This is because this message is optional and if it
is not sent then the next thing we would expect to get is the CCS. However,
although it is optional, we do actually know whether we should be receiving
one in advance. If we have received a client cert then we should expect
a CertificateVerify message. By the time we get to this point we will
already have bombed out if we didn't get a Certificate when we should have
done, so it is safe just to check whether |peer| is NULL or not. If it is
we won't get a CertificateVerify, otherwise we will. Therefore we should
change the logic so that we only attempt to get the CertificateVerify if
we are expecting one, and not allow a CCS in this scenario.

Whilst this is good practice for TLS it is even more important for DTLS.
In DTLS messages can be lost. Therefore we may be in a situation where a
CertificateVerify message does not arrive even though one was sent. In that
case the next message the server will receive will be the CCS. This could
also happen if messages get re-ordered in-flight. In DTLS if
|change_cipher_spec_ok| is not set and a CCS is received it is ignored.
However if |change_cipher_spec_ok| *is* set then a CCS arrival will
immediately move the server into the next epoch. Any messages arriving for
the previous epoch will be ignored. This means that, in this scenario, the
handshake can never complete. The client will attempt to retransmit
missing messages, but the server will ignore them because they are the wrong
epoch. The server meanwhile will still be waiting for the CertificateVerify
which is never going to arrive.

RT#2958

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit a0bd649336)
2015-05-13 11:25:10 +01:00
Kurt Cancemi
1c70c783af Add missing NULL check in X509V3_parse_list()
Matt's note: I added a call to X509V3err to Kurt's original patch.

RT#3840

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 344c271eb3)
2015-05-11 12:21:43 +01:00