Commit graph

11433 commits

Author SHA1 Message Date
Dr. Stephen Henson
4b4c1fcc88 Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-06 12:45:10 +00:00
Andy Polyakov
1cfd7cf3cc CHANGES: mention "universal" ARM support.
This is re-commit without unrelated modification.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0548505f4c)
2015-01-06 12:15:40 +01:00
Andy Polyakov
2996157127 Revert "CHANGES: mention "universal" ARM support."
This reverts commit caeed719fe.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 12:12:15 +01:00
Andy Polyakov
caeed719fe CHANGES: mention "universal" ARM support.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4fec915069)
2015-01-06 11:21:12 +01:00
Andy Polyakov
f4868c9921 Remove inconsistency in ARM support.
This facilitates "universal" builds, ones that target multiple
architectures, e.g. ARMv5 through ARMv7. See commentary in
Configure for details.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit c1669e1c20)
2015-01-06 11:14:23 +01:00
Dr. Stephen Henson
4aaf1e493c ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f876964)
2015-01-05 23:34:57 +00:00
Dr. Stephen Henson
d96c24926d update ordinals
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 31c65a7bc0)
2015-01-05 16:51:41 +00:00
Adam Langley
d9b277e085 Ensure that the session ID context of an SSL* is updated
when its SSL_CTX is updated.

From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 61aa44ca99)
2015-01-05 17:33:02 +01:00
Dr. Stephen Henson
aace6dbcb3 Constify ASN1_TYPE_cmp add X509_ALGOR_cmp.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 4c52816d35)
2015-01-05 14:54:38 +00:00
Dr. Stephen Henson
85cfc188c0 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 684400ce19)
2015-01-05 14:36:06 +00:00
Matt Caswell
6ee7de1eb3 Additional fix required for no-srtp to work
RT3638

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05 14:28:40 +00:00
Piotr Sikora
7b0194db42 Fix building with no-srtp
RT3638

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	ssl/t1_lib.c
2015-01-05 14:28:40 +00:00
Emilia Kasper
bfaf796241 Add a clang build target for linux-x86_64
This change documents the world as-is, by turning all warnings on,
and then turning warnings that trigger off again.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-05 14:10:33 +01:00
Andy Polyakov
c02e2d6a71 ecp_nistz256-x86_64.pl: fix occasional failures.
RT: 3607
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 9e557ab262)
2015-01-04 23:22:06 +01:00
Rich Salz
9f49067c9e RT2914: NULL check missing in X509_name_canon
Check for NULL return from X509_NAME_ENTRY_new()

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 2c60925d1c)
2015-01-04 14:52:01 -05:00
Dr. Stephen Henson
5396c1190f Update SGC flag comment.
Since SGC has been removed from OpenSSL 1.0.2 the
SSL3_FLAGS_SGC_RESTART_DONE is no longer used. However the #define is
retained for compatibility.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-02 23:12:37 +00:00
Dr. Stephen Henson
cf95b2d66a Remove MS SGC
MS Server gated cryptography is obsolete and dates from the time of export
restrictions on strong encryption and is only used by ancient versions of
MSIE.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 63eab8a620)
2015-01-02 23:01:38 +00:00
Dr. Stephen Henson
47606dda67 Clear existing extension state.
When parsing ClientHello clear any existing extension state from
SRP login and SRTP profile.

Thanks to Karthikeyan Bhargavan for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 4f605ccb77)

Conflicts:
	ssl/t1_lib.c
2015-01-02 22:27:40 +00:00
Dominik Neubauer
c30c876176 typo in s_client
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-12-31 11:19:03 +01:00
Kurt Roeckx
73bda31b4c Make "run" volatile
RT#3629

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 16:54:56 +01:00
Thorsten Glaser
dc00fb9d51 Document openssl dgst -hmac option
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 16:53:48 +01:00
Kurt Roeckx
06c3e65deb dlfcn: always define _GNU_SOURCE
We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
ports.  There shouldn't be a problem defining this on systems not using glibc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 16:53:48 +01:00
Kurt Roeckx
5984c7e3d5 Fix memory leak in the apps
The BIO_free() allocated ex_data again that we already freed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 16:53:48 +01:00
Alok Menghrajani
beef278bd7 Improves certificates HOWTO
* adds links to various related documents.
* fixes a few typos.
* rewords a few sentences.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 67472bd82b)
2014-12-22 16:26:03 +01:00
Richard Levitte
58191465ef Small typo
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 7cfab40f43)
2014-12-22 15:36:42 +01:00
Michael Tuexen
5760c8b82f Fix incorrect OPENSSL_assert() usage.
Return an error code for I/O errors instead of an assertion failure.

PR#3470
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 2521fcd852)
2014-12-20 14:46:28 +00:00
Matt Caswell
b651407268 Fix a problem if CFLAGS is too long cversion.c fails to compile when config
is run with --strict-warnings.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 488f16e31b)
2014-12-19 14:05:25 +00:00
Kurt Roeckx
a760dde681 Return error when a bit string indicates an invalid amount of bits left
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-18 15:04:58 +01:00
Dr. Stephen Henson
f5e4b6b5b5 Reject invalid constructed encodings.
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-17 14:34:36 +00:00
Emilia Kasper
9ca2cc78a9 Add a comment noting the padding oracle.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 03af843039)
2014-12-17 14:55:47 +01:00
Emilia Kasper
0cf552230e Revert "RT3425: constant-time evp_enc"
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.

This reverts commit 738911cde6.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:55:39 +01:00
Emilia Kasper
0e1c318ece Build fixes
Various build fixes, mostly uncovered by clang's unused-const-variable
and unused-function errors.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-12-17 14:27:49 +01:00
Richard Levitte
8bc8450a26 Clear warnings/errors within RL_DEBUG code sections (RL_DEBUG should be renamed)
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Richard Levitte
bf68456f53 Clear warnings/errors within TLS_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Richard Levitte
53332a75d1 Clear warnings/errors within KSSL_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Richard Levitte
cd387d21da Clear warnings/errors within CIPHER_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Richard Levitte
0c403e80a9 Clear warnings/errors within CIPHER_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Richard Levitte
553affbef7 Clear warnings/errors within BN_CTX_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Adam Langley
1ecfb67335 Premaster secret handling fixes
From BoringSSL
- Send an alert when the client key exchange isn't correctly formatted.
- Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 4aecfd4d9f)
2014-12-17 14:03:43 +01:00
Bodo Möller
bb565cd29e Backport regression test
master branch has a specific regression test for a bug in x86_64-mont5 code,
see commit cdfe0fdde6.

This code is now in 1.0.2/1.0.1, so also backport the test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-17 12:00:17 +01:00
Emilia Kasper
a43bcd9e96 Check for invalid divisors in BN_div.
Invalid zero-padding in the divisor could cause a division by 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-17 10:00:17 +01:00
Dr. Stephen Henson
c8667a2e46 Check return value of ssl3_output_cert_chain
(cherry picked from commit 66f96fe2d5)

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-16 15:01:29 +00:00
Matt Caswell
5ee441162e The dtls1_output_cert_chain function no longer exists so remove it from
ssl_locl.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-16 15:01:11 +00:00
Adam Langley
63ef0db60f Don't set client_version to the ServerHello version.
The client_version needs to be preserved for the RSA key exchange.

This change also means that renegotiation will, like TLS, repeat the old
client_version rather than advertise only the final version. (Either way,
version change on renego is not allowed.) This is necessary in TLS to work
around an SChannel bug, but it's not strictly necessary in DTLS.

(From BoringSSL)

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit ec1af3c419)
2014-12-16 14:46:57 +00:00
Matt Caswell
f74f5c8586 Add more meaningful OPENSSL_NO_ECDH error message for suite b mode
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit db812f2d70)
2014-12-16 14:17:32 +00:00
Matt Caswell
a38ae11c48 Add OPENSSL_NO_ECDH guards
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit af6e2d51bf)
2014-12-16 14:17:12 +00:00
Matt Caswell
4ca0e95b92 Remove extraneous white space, and add some braces
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 55e530265a)
2014-12-16 00:13:36 +00:00
Matt Caswell
f9398b92de DTLS fixes for signed/unsigned issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 1904d21123)
2014-12-16 00:13:36 +00:00
Emilia Kasper
6af16ec5ee Fix unused variable warning
The temporary variable causes unused variable warnings in opt mode with clang,
because the subsequent assert is compiled out.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-15 13:15:30 +01:00
Matt Caswell
d04a1e0b5b Fix memory leak in s2_srvr.c if BUF_MEM_grow fails
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-12-13 00:04:32 +00:00