Commit graph

11742 commits

Author SHA1 Message Date
Matt Caswell
8f8e4e4f52 Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:41:28 +00:00
Matt Caswell
a20718fa2c Add ticket length before buffering DTLS message
In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4f9fab6bd0)

Conflicts:
	ssl/s3_srvr.c
2015-03-25 12:29:48 +00:00
Matt Caswell
4285b85163 Ensure last_write_sequence is saved in DTLS1.2
In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d5d0a1cb13)
2015-03-25 12:28:45 +00:00
Kurt Roeckx
fe82be2b33 Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619)
2015-03-24 22:42:30 +01:00
Dr. Stephen Henson
8509128179 Fix OCSP tests.
OCSP verification changes mean the OCSP tests now need -trusted_first

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 21:22:00 +00:00
Dr. Stephen Henson
d3a9eaccc1 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da0)
2015-03-24 12:27:13 +00:00
Dr. Stephen Henson
4ba9a4265b Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287)
2015-03-24 12:14:04 +00:00
Mike Frysinger
bc0eb82b85 Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 7c82e339a6)
2015-03-24 11:34:20 +00:00
Matt Caswell
bd891f098b Don't check curves that haven't been sent
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b79d24101e)
2015-03-23 14:06:17 +00:00
Andy Polyakov
c45dfdc68a sha/asm/sha256-armv4.pl: adapt for use in Linux kernel context.
In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2ecd32a1f8)
2015-03-23 13:38:46 +01:00
Matt Caswell
b5dc90121c Fix no-ec with no-ec2m
Fix builds config'd with no-ec and no-ec2m. Technically this combination is
redundant - but the fix is straight forward. Fix from OpenWrt.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-03-22 20:32:49 +00:00
Matt Caswell
b0b7232877 Add DTLS tests to make test
Updated test/testssl script to include the new DTLS capability in ssltest.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 3c381e5423)
2015-03-20 12:09:24 +00:00
David Woodhouse
ece8574ae6 Add DTLS support to ssltest
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 98b8cdd322)

Conflicts:
	ssl/ssltest.c
2015-03-20 12:09:22 +00:00
David Woodhouse
3edf1b98e0 Add DTLS to SSL_get_version
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 504e643e09)

Conflicts:
	ssl/ssl_lib.c
2015-03-20 12:06:12 +00:00
Matt Caswell
0d6d10d97d Prepare for 1.0.2b-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:34:56 +00:00
Matt Caswell
3df69d3aef Prepare for 1.0.2a release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:31:16 +00:00
Matt Caswell
921095d4d3 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:31:16 +00:00
Matt Caswell
5cc6509dae Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:36 +00:00
Matt Caswell
18029a3d07 Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
7b22e8d01f Update NEWS file
Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
da947c9758 Update CHANGES for release
Update CHANGES file with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
128b271c8d Fix discrepancy in NEWS file
There was a discrepancy between the 1.0.2 version of NEWS and the 1.0.1
version. This fixes it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
a8b1e52ff4 Fix CHANGES discrepancies
There were some discrepancies in the CHANGES file between the 1.0.1 version
and 1.0.2. This corrects it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
d6e903d188 Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Emilia Kasper
86f8fb0e34 Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:58:35 +00:00
Emilia Kasper
c0334c2c92 PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
c3c7fb07dc Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
b19d814321 Fix DHE Null CKE vulnerability
If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.

CVE-2015-1787

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
76343947ad Fix for CVE-2015-0291
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.

Thanks to David Ramos of Stanford University for reporting this bug.

CVE-2015-0291

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	ssl/t1_lib.c
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
4b22cce381 Reject invalid PSS parameters.
Fix a bug where invalid PSS parameters are not rejected resulting in a
NULL pointer exception. This can be triggered during certificate
verification so could be a DoS attack against a client or a server
enabling client authentication.

Thanks to Brian Carpenter for reporting this issues.

CVE-2015-0208

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
b717b08307 Free up ADB and CHOICE if already initialised.
CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-03-19 11:11:22 +00:00
Matt Caswell
819418110b Fix Seg fault in DTLSv1_listen
The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.

CVE-2015-0207

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 11:11:22 +00:00
Matt Caswell
77c77f0a1b Multiblock corrupted pointer fix
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.

CVE-2015-0290

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-03-19 11:11:22 +00:00
Dr. Stephen Henson
8b84495380 Add support for ServerInfo SSL_CONF option.
Add support for ServerInfo SSL_CONF option and update documentation. This
was wrongly omitted from the 1.0.2 release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-18 12:31:06 +00:00
Matt Caswell
c1559f5046 Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf92259)
2015-03-17 14:49:47 +00:00
Matt Caswell
d8d2e50359 Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c597c)
2015-03-17 14:49:47 +00:00
Matt Caswell
6c4ce00753 Fix seg fault in s_time
Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit dfef52f6f2)
2015-03-17 13:48:04 +00:00
Matt Caswell
fcb61b6c92 Add sanity check to PRF
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c6)
2015-03-17 13:48:04 +00:00
Matt Caswell
b2b8163964 Fix memset call in stack.c
The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7132ac830f)
2015-03-17 13:48:04 +00:00
Matt Caswell
56490fc26f Move malloc fail checks closer to malloc
Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit be1477adc9)
2015-03-17 13:48:04 +00:00
Matt Caswell
f2e95a02b1 Add malloc failure checks
Add some missing checks for memory allocation failures in ca app.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a561bfe944)
2015-03-17 13:48:04 +00:00
Carl Jackson
912c8c92b5 Fix regression in ASN1_UTCTIME_cmp_time_t
Previously, ASN1_UTCTIME_cmp_time_t would return 1 if s > t, -1 if
s < t, and 0 if s == t.

This behavior was broken in a refactor [0], resulting in the opposite
time comparison behavior.

[0]: 904348a492

PR#3706

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit da27006df0)
2015-03-15 19:47:08 +00:00
Andy Polyakov
94be83127b Avoid reading an unused byte after the buffer
Other curves don't have this problem.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9fbbdd73c5)
2015-03-14 18:24:58 +01:00
Emilia Kasper
be109b9eec Fix undefined behaviour in shifts.
Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.

(For consistency, cast other shifts, too.)

Caught by -fsanitize=shift

Submitted by Nick Lewycky (Google)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8b37e5c14f)
2015-03-13 21:14:20 -07:00
Dr. Stephen Henson
c0d69ddb33 additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3d764db7a2)
2015-03-12 13:45:24 +00:00
Dr. Stephen Henson
8cd6714084 ASN.1 print fix.
When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 5dc1247a74)
2015-03-12 13:45:24 +00:00
Matt Caswell
327de270d5 SSL_check_chain fix
If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY
or the type of the public key is unrecognised then the local variable
|cpk| in tls1_check_chain does not get initialised. Subsequently an
attempt is made to deref it (after the "end" label), and a seg fault will
result.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d813f9eb38)
2015-03-12 09:29:48 +00:00
Matt Caswell
8e91b3d991 Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in c3_cpols.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c5f2b5336a)
2015-03-12 09:29:48 +00:00
Matt Caswell
20223855e4 Fix dsa_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0c7ca4033d)
2015-03-12 09:29:48 +00:00
Matt Caswell
563fc239d2 Fix dh_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6aa8dab2bb)
2015-03-12 09:29:48 +00:00