Commit graph

11848 commits

Author SHA1 Message Date
Matt Caswell
9cab86ee0a Fix error check in GOST engine
The return value of i2d functions can be negative if an error occurs.
Therefore don't assign the return value to an unsigned type and *then*
check if it is negative.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 90e7cdff3a)
2015-05-26 10:38:56 +01:00
Matt Caswell
e40d7c1f3a Handle unsigned struct timeval members
The members of struct timeval on OpenVMS are unsigned. The logic for
calculating timeouts needs adjusting to deal with this.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fc52ac9028)
2015-05-26 10:38:56 +01:00
Andy Polyakov
3ae6186564 Housekeeping 'make TABLE' update.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-26 10:23:21 +02:00
Andy Polyakov
aa1e42215b Configure: replace -mv8 with -mcpu=v8 in SPARC config lines.
RT#3860

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-26 10:22:01 +02:00
Billy Brumley
bec1093cce fix copy paste error in ec_GF2m function prototypes
RT#3858

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 71f6130b7a)
2015-05-26 10:14:19 +02:00
Andy Polyakov
78ac7fa18d bn/bn_lcl.h: fix MIPS-specific gcc version check.
RT#3859

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 60c268b21a)
2015-05-26 10:07:59 +02:00
Matt Caswell
11414f17d9 Don't send an alert if we've just received one
If the record received is for a version that we don't support, previously we
were sending an alert back. However if the incoming record already looks
like an alert then probably we shouldn't do that. So suppress an outgoing
alert if it looks like we've got one incoming.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-25 17:52:27 +01:00
Andy Polyakov
0a59e2dc30 bn/asm/x86_64-mont5.pl: fix valgrind error.
bn_get_bits5 was overstepping array boundary by 1 byte. It was exclusively
read overstep and data could not have been used. The only potential problem
would be if array happens to end on the very edge of last accesible page.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 69567687b0)
2015-05-24 21:31:49 +02:00
Andy Polyakov
0945bfcb22 bn/bn_gf2m.c: appease STACK, unstable code detector.
RT#3852

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 86e5d1e32b)
2015-05-24 21:27:32 +02:00
Andy Polyakov
f5d840a079 bn/asm/vis3-mont.pl: fix intermittent EC failures on SPARC T3.
BLKINIT optimization worked on T4, but for some reason appears "too
aggressive" for T3 triggering intermiitent EC failures. It's not clear
why only EC is affected...

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 579734ced6)
2015-05-24 13:26:37 +02:00
Richard Levitte
886ef2b650 Fix update and depend in engines/
The update: target in engines/ didn't recurse into engines/ccgost.
The update: and depend: targets in engines/ccgost needed a fixup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8b822d2566)
2015-05-23 11:08:12 +02:00
Richard Levitte
8b89cb3307 Missed a couple of spots in the update change
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6f45032f67)

Conflicts:
	apps/Makefile
2015-05-23 06:25:12 +02:00
Richard Levitte
bf42354620 Fix the update target and remove duplicate file updates
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0f539dc1a2)

Conflicts:
	Makefile.org
	apps/Makefile
	test/Makefile
2015-05-23 06:25:12 +02:00
Matt Caswell
e4731f76e2 Fix typo setting up certificate masks
The certificate masks are used to select which ciphersuite we are going to
use. The variables |emask_k| and |emask_a| relate to export grade key
exchange and authentication respecitively. The variables |mask_k| and
|mask_a| are the equivalent versions for non-export grade. This fixes an
instance where the two usages of export/non-export were mixed up. In
practice it makes little difference since it still works!

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fdfe8b06ae)
2015-05-23 00:01:48 +01:00
Matt Caswell
595487ea19 Remove export static DH ciphersuites
Remove support for the two export grade static DH ciphersuites. These two
ciphersuites were newly added (along with a number of other static DH
ciphersuites) to 1.0.2. However the two export ones have *never* worked
since they were introduced. It seems strange in any case to be adding new
export ciphersuites, and given "logjam" it also does not seem correct to
fix them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 13f8eb4730)

Conflicts:
	CHANGES
2015-05-23 00:01:45 +01:00
Matt Caswell
c6eb1cbd1e Fix off-by-one in BN_rand
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-22 23:43:07 +01:00
Matt Caswell
1a9499cf23 Reject negative shifts for BN_rshift and BN_lshift
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 7cc18d8158)

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
2015-05-22 23:19:34 +01:00
Lubom
254c01ed54 Lost alert in DTLS
If a client receives a bad hello request in DTLS then the alert is not
sent correctly.

RT#2801

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 4dc1aa0436)
2015-05-22 09:44:44 +01:00
Kurt Roeckx
2d8e705b2a Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ac38115c1a)
2015-05-20 22:19:34 +02:00
Emilia Kasper
f4d1fb7769 Only support >= 256-bit elliptic curves with ecdh_auto (server) or by default (client).
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else.

The result:

$ openssl s_server -named_curves "auto"

This command will negotiate an ECDHE ciphersuite with P-256:

$ openssl s_client

This command will negotiate P-384:

$ openssl s_client -curves "P-384"

This command will not negotiate ECDHE because P-224 is disabled with "auto":

$ openssl s_client -curves "P-224"

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 16:04:37 +02:00
Emilia Kasper
10a70da729 client: reject handshakes with DH parameters < 768 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 14:54:51 +02:00
Emilia Kasper
dcbc03ede7 Update documentation with Diffie-Hellman best practices.
- Do not advise generation of DH parameters with dsaparam to save
computation time.
- Promote use of custom parameters more, and explicitly forbid use of
built-in parameters weaker than 2048 bits.
- Advise the callback to ignore <keylength> - it is currently called
with 1024 bits, but this value can and should be safely ignored by
servers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 14:54:51 +02:00
Emilia Kasper
b32aa8e63e dhparam: fix documentation
The default bitlength is now 2048. Also clarify that either the number
of bits or the generator must be present:

$ openssl dhparam -2
and
$ openssl dhparam 2048
generate parameters but
$ openssl dhparam
does not.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-20 14:54:51 +02:00
Emilia Kasper
82697bc2b9 s_server: Use 2048-bit DH parameters by default.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 14:54:51 +02:00
StudioEtrange
17b753f23a GitHub284: Fix typo in xx-32.pl scripts.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Signed-off-by: Rich Salz <rsalz@openssl.org>
2015-05-20 04:34:42 -04:00
Robert Swiecki
cdcb94eea7 Don't add write errors into bytecounts
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 00d565cfbe)
2015-05-19 07:20:18 -04:00
Andy Polyakov
051b41df41 mk1mf.pl: replace chop for windows.
Backport old patch to make it work in mixture of perls for Windows.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Cherry-picked from 7bb98eee3c
2015-05-15 14:18:21 -04:00
Rich Salz
c59bd61b2e RT1207: document SSL_COMP_free_compression_methods.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit c490a5512e)
2015-05-13 13:03:32 -04:00
Rich Salz
f34b095fab Add NULL checks from master
The big "don't check for NULL" cleanup requires backporting some
of the lowest-level functions to actually do nothing if NULL is
given.  This will make it easier to backport fixes to release
branches, where master assumes those lower-level functions are "safe"

This commit addresses those tickets: 3798 3799 3801.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-13 12:55:03 -04:00
Andy Polyakov
d3bb25e30a aes/asm/aesni-sha256-x86_64.pl: fix Windows compilation failure with old assembler.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 82c4a07939)
2015-05-13 17:00:06 +02:00
Hanno Böck
eba8bf485a Call of memcmp with null pointers in obj_cmp()
The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.

This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):
apps/openssl pkcs7 -in test/testp7.pem

What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.

RT#3816

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2b8dc08b74)
2015-05-13 15:28:48 +01:00
Matt Caswell
464774d75f Don't allow a CCS when expecting a CertificateVerify
Currently we set change_cipher_spec_ok to 1 before calling
ssl3_get_cert_verify(). This is because this message is optional and if it
is not sent then the next thing we would expect to get is the CCS. However,
although it is optional, we do actually know whether we should be receiving
one in advance. If we have received a client cert then we should expect
a CertificateVerify message. By the time we get to this point we will
already have bombed out if we didn't get a Certificate when we should have
done, so it is safe just to check whether |peer| is NULL or not. If it is
we won't get a CertificateVerify, otherwise we will. Therefore we should
change the logic so that we only attempt to get the CertificateVerify if
we are expecting one, and not allow a CCS in this scenario.

Whilst this is good practice for TLS it is even more important for DTLS.
In DTLS messages can be lost. Therefore we may be in a situation where a
CertificateVerify message does not arrive even though one was sent. In that
case the next message the server will receive will be the CCS. This could
also happen if messages get re-ordered in-flight. In DTLS if
|change_cipher_spec_ok| is not set and a CCS is received it is ignored.
However if |change_cipher_spec_ok| *is* set then a CCS arrival will
immediately move the server into the next epoch. Any messages arriving for
the previous epoch will be ignored. This means that, in this scenario, the
handshake can never complete. The client will attempt to retransmit
missing messages, but the server will ignore them because they are the wrong
epoch. The server meanwhile will still be waiting for the CertificateVerify
which is never going to arrive.

RT#2958

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit a0bd649336)
2015-05-13 11:21:01 +01:00
Kurt Cancemi
833518cf0e Add missing NULL check in X509V3_parse_list()
Matt's note: I added a call to X509V3err to Kurt's original patch.

RT#3840

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 344c271eb3)
2015-05-11 12:19:54 +01:00
Bjoern D. Rasmussen
8a73e3a0e8 Fix for memcpy() and strcmp() being undefined.
clang says: "s_cb.c:958:9: error: implicitly declaring library function
'memcpy'"

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8f744cceff)

Conflicts:
	apps/s_cb.c
2015-05-11 12:03:12 +01:00
Matt Caswell
edc2a76ade Check sk_SSL_CIPHER_new_null return value
If sk_SSL_CIPHER_new_null() returns NULL then ssl_bytes_to_cipher_list()
should also return NULL.

Based on an original patch by mrpre <mrpre@163.com>.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 14def5f537)
2015-05-11 11:53:50 +01:00
Viktor Dukhovni
8dfe1e4dd2 Fix typo in valid_star
Reviewed-by: Rich Salz <rsalz@akamai.com>
2015-05-07 14:00:38 -04:00
Matt Caswell
feb96e914a Add more error state transitions (DTLS)
Ensure all fatal errors transition into the new error state for DTLS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cefc93910c)

Conflicts:
	ssl/d1_srvr.c
2015-05-05 20:05:21 +01:00
Matt Caswell
67fb63e9b7 Add more error state transitions (client)
Ensure all fatal errors transition into the new error state on the client
side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cc273a9361)

Conflicts:
	ssl/s3_clnt.c
2015-05-05 20:05:21 +01:00
Matt Caswell
eecc697b65 Add more error state transitions
Ensure all fatal errors transition into the new error state on the server
side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cf9b0b6fb2)

Conflicts:
	ssl/s3_srvr.c
2015-05-05 19:52:26 +01:00
Matt Caswell
e4f77bf183 Add Error state
Reusing an SSL object when it has encountered a fatal error can
have bad consequences. This is a bug in application code not libssl
but libssl should be more forgiving and not crash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a89db885e0)

Conflicts:
	ssl/s3_srvr.c
	ssl/ssl_stat.c
2015-05-05 19:50:12 +01:00
Matt Caswell
cd5f206c2f Remove libcrypto to libssl dependency
Remove dependency on ssl_locl.h from v3_scts.c, and incidentally fix a build problem with
kerberos (the dependency meant v3_scts.c was trying to include krb5.h, but without having been
passed the relevanant -I flags to the compiler)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d13bd6130b)

Conflicts:
	crypto/x509v3/v3_scts.c
2015-05-05 09:09:56 +01:00
Richard Levitte
3cf40601b7 RT2943: Check sizes if -iv and -K arguments
RT2943 only complains about the incorrect check of -K argument size,
we might as well do the same thing with the -iv argument.

Before this, we only checked that the given argument wouldn't give a
bitstring larger than EVP_MAX_KEY_LENGTH.  we can be more precise and
check against the size of the actual cipher used.

(cherry picked from commit 8920a7cd04)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-04 20:21:21 +02:00
Rich Salz
82e586a90b Fix cut/paste error
Was memset with wrong sizeof.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 23b0fa5ab6)
2015-05-04 10:54:18 -04:00
Gilles Khouzam
a659386639 RT3820: Don't call GetDesktopWindow()
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bed2edf1cb)
2015-05-02 08:01:52 -04:00
Rich Salz
5b38d54753 RT3776: Wrong size for malloc
Use sizeof *foo parameter, to avoid these errors.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 53ba0a9e91)
2015-05-02 07:55:17 -04:00
Hanno Böck
6b3a315003 Fix uninitialized variable.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 539ed89f68)
2015-05-02 07:45:35 -04:00
Matt Caswell
f296e411ef Fix buffer overrun in RSA signing
The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding.
It is only triggered if the RSA key size is smaller than the digest length.
So with SHA512 you can trigger the overflow with anything less than an RSA
512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA
key. This wasn't sufficient to cause a crash, although your mileage may
vary.

In practice RSA keys of this length are never used and X931 padding is very
rare. Even if someone did use an excessively short RSA key, the chances of
them combining that with a longer digest and X931 padding is very
small. For these reasons I do not believe there is a security implication to
this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 34166d4189)
2015-04-30 23:21:53 +01:00
Matt Caswell
5bea7975a6 Add sanity check to print_bin function
Add a sanity check to the print_bin function to ensure that the |off|
argument is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3deeeeb61b)
2015-04-30 23:21:53 +01:00
Matt Caswell
9c5efc9c65 Add sanity check to ssl_get_prev_session
Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cb0f400b0c)
2015-04-30 23:21:53 +01:00
Matt Caswell
75862f7741 Sanity check the return from final_finish_mac
The return value is checked for 0. This is currently safe but we should
really check for <= 0 since -1 is frequently used for error conditions.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c427570e50)

Conflicts:
	ssl/ssl_locl.h
2015-04-30 23:21:53 +01:00