Commit graph

10622 commits

Author SHA1 Message Date
Matt Caswell
0c37aed3f3 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
099ccdb808 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
9871417fb7 Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
fc7804ec39 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
e7b9d9be48 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
2172d4f63c Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
c34091d47e make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01 21:23:49 +01:00
Dr. Stephen Henson
a9f4ebd753 Fix error discrepancy.
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
(cherry picked from commit 8068a675a7d1a657c54546f24e673e59e6707f03)
2014-08-01 18:42:40 +01:00
Bodo Moeller
604c9948a8 Update $default_depflags to match current defaults. 2014-08-01 19:07:57 +02:00
Bodo Moeller
281720c2a3 Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
2014-08-01 17:50:26 +02:00
Dr. Stephen Henson
2a9023f7b4 Avoid multiple lock using FIPS DRBG.
Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode.

PR#3176
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3efe1b6e9)
2014-07-30 21:09:20 +01:00
Dr. Stephen Henson
36e8c39899 Add conditional unit testing interface.
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit e0fc7961c4)

Conflicts:

	ssl/Makefile
	util/mkdef.pl
2014-07-24 19:43:25 +01:00
Billy Brumley
e3f009c595 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:28:40 +01:00
Tim Hudson
fbe3baa773 Remove old unused and unmaintained demonstration code.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 62352b8138)
2014-07-22 07:26:35 +10:00
Tim Hudson
690998f904 Minor documentation update removing "really" and a
statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6)
2014-07-21 20:24:47 +10:00
Dr. Stephen Henson
3221da845f Fix documentation for RSA_set_method(3)
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
2014-07-19 18:26:12 +01:00
Jeffrey Walton
9aeb410419 Fix typo, add reference.
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf)
2014-07-17 12:08:52 +01:00
Matt Caswell
bf4519cde5 Disabled XTS mode in enc utility as it is not supported
PR#3442

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2097a17c57)
2014-07-16 21:05:10 +01:00
Matt Caswell
e967b94356 Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd548192a)
2014-07-15 23:24:26 +01:00
Dr. Stephen Henson
2316286c0e Clarify -Verify and PSK.
PR#3452
(cherry picked from commit ca2015a617)
2014-07-15 20:23:35 +01:00
Dr. Stephen Henson
67bde7d465 Fix DTLS certificate requesting code.
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc5f)
2014-07-15 18:23:44 +01:00
Dr. Stephen Henson
cd63f94d4d Don't allow -www etc options with DTLS.
The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)
2014-07-15 12:25:39 +01:00
Dr. Stephen Henson
2054eb771e Add ECC extensions with DTLS.
PR#3449
2014-07-15 12:20:30 +01:00
Dr. Stephen Henson
ea0ceb11a0 Use case insensitive compare for servername.
PR#3445
(cherry picked from commit 1c3e9a7c67)
2014-07-15 00:00:03 +01:00
Hubert Kario
00579b98c4 document -nextprotoneg option in man pages
Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444
(cherry picked from commit 7efd0e777e)

Conflicts:

	doc/apps/s_server.pod
2014-07-14 23:43:58 +01:00
Dr. Stephen Henson
ee5a8d3e31 Use more common name for GOST key exchange.
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)
2014-07-14 18:31:54 +01:00
Matt Caswell
72370164c3 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:23:10 +01:00
Peter Mosmans
704422ce1e Add names of GOST algorithms.
PR#3440
(cherry picked from commit 924e5eda2c)
2014-07-13 18:31:36 +01:00
Richard Levitte
8e8d7e1b26 * crypto/ui/ui_lib.c: misplaced brace in switch statement.
Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd34091)
2014-07-13 19:15:30 +02:00
Ben Laurie
3ed6327571 Don't clean up uninitialised EVP_CIPHER_CTX on error (CID 483259).
(cherry picked from commit c1d1b0114e)
2014-07-10 17:52:37 +01:00
Matt Caswell
efd4f1dfd3 Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53be)
2014-07-09 23:34:35 +01:00
David Lloyd
00032b0ba1 Prevent infinite loop loading config files.
PR#2985
(cherry picked from commit 9d23f422a3)
2014-07-07 13:50:00 +01:00
Dr. Stephen Henson
a07f514fc0 Usage for -hack and -prexit -verify_return_error
(cherry picked from commit ee724df75d)
2014-07-06 22:48:57 +01:00
Dr. Stephen Henson
b197c770a6 Document certificate status request options.
(cherry picked from commit cba3f1c739)

Conflicts:

	doc/apps/s_client.pod
	doc/apps/s_server.pod
2014-07-06 22:48:52 +01:00
Dr. Stephen Henson
b7c9762598 s_server usage for certificate status requests
(cherry picked from commit a44f219c00)
2014-07-06 22:45:44 +01:00
Dr. Stephen Henson
a414bc8c3e Update ticket callback docs.
(cherry picked from commit a23a6e85d8)
2014-07-06 12:42:27 +01:00
Dr. Stephen Henson
98a3c3c514 Sanity check keylength in PVK files.
PR#2277
(cherry picked from commit 733a6c882e92f8221bd03a51643bb47f5f81bb81)
2014-07-06 00:36:11 +01:00
Jeffrey Walton
157fd05aad Added reference to platform specific cryptographic acceleration such as AES-NI 2014-07-06 00:04:32 +01:00
Matt Caswell
9f510ceb5d Fixed error in pod files with latest versions of pod2man
(cherry picked from commit 07255f0a76d9d349d915e14f969b9ff2ee0d1953)
2014-07-06 00:04:32 +01:00
Alan Hryngle
675b1c2fce Return smaller of ret and f.
PR#3418.
(cherry picked from commit fdea4fff8f)
2014-07-05 22:38:44 +01:00
Dr. Stephen Henson
c923132e9d Don't limit message sizes in ssl3_get_cert_verify.
PR#319 (reoponed version).
(cherry picked from commit 7f6e957864)
2014-07-05 13:30:55 +01:00
Dr. Stephen Henson
1864e3bed3 typo
(cherry picked from commit 2cfbec1cae)
(cherry picked from commit a9661e45ac)
2014-07-04 18:43:55 +01:00
Dr. Stephen Henson
af7bcd7daa Add license info.
(cherry picked from commit 55707a36cc)
2014-07-04 18:43:50 +01:00
Rich Salz
3fa2fff86f Merge branch 'rsalz-docfixes' 2014-07-03 12:53:36 -04:00
Rich Salz
b372a64e10 Close 3170, remove reference to Ariel Glenn's old 0.9.8 doc
(cherry picked from commit f1112985e8)
2014-07-03 12:51:33 -04:00
Andy Polyakov
e432336433 bn_exp.c: fix x86_64-specific crash with one-word modulus.
PR: #3397
(cherry picked from commit eca441b2b4)
2014-07-02 21:21:02 +02:00
Dr. Stephen Henson
f3b0e0215c update release notes 2014-07-02 18:32:03 +01:00
Matt Smart
a6cc0e0a0d Fix doc typo.
ERR_get_error(3) references the non-existent
ERR_get_last_error_line_data instead of the one that does exist,
ERR_peek_last_error_line_data.

PR#3283
(cherry picked from commit 5cc99c6cf5)
2014-07-02 03:45:07 +01:00
Thijs Alkemade
b2cb6dc1ef Make disabling last cipher work.
(cherry picked from commit 7cb472bd0d)
2014-07-02 03:32:50 +01:00
Geoff Thorpe
f87f88a69f util/mkerr.pl: fix perl warning
Gets rid of this;

defined(@array) is deprecated at ../util/mkerr.pl line 792.
        (Maybe you should just omit the defined()?)
defined(@array) is deprecated at ../util/mkerr.pl line 800.
        (Maybe you should just omit the defined()?)

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 647f360e2e)
2014-07-02 01:50:51 +01:00