Commit graph

8665 commits

Author SHA1 Message Date
Matt Caswell
4ff07f4c71 Prepare for 0.9.8zc-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:40 +01:00
Matt Caswell
1c5f396d36 Prepare for 0.9.8zb release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:20 +01:00
Matt Caswell
9fcaaef34f Updates to CHANGES and NEWS
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 22:02:00 +01:00
Emilia Kasper
b9a73f5481 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 22:02:00 +01:00
Emilia Käsper
bff5319d90 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 22:02:00 +01:00
David Benjamin
fc4bd2f287 Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
4c836c96c4 Remove some duplicate DTLS code.
In |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Matt Caswell
6e14e7fc19 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
fc15c44049 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
445598b35e Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Matt Caswell
338a5e7e54 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Matt Caswell
6a431cd293 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
1b7024fb69 Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Dr. Stephen Henson
5021f6314e fix warn_unused_result warnings
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 21:59:15 +01:00
Dr. Stephen Henson
21d24dd38a Fix warnings about ignored return values.
(cherry picked from commit 27131fe8f7)
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-06 21:58:25 +01:00
Bodo Moeller
681d11b6fd Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
	crypto/ec/ectest.c
2014-08-01 17:59:31 +02:00
Billy Brumley
8c387e62b2 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:29:35 +01:00
Tim Hudson
a117329c5a Remove old unused and unmaintained demonstration code.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 62352b8138)
2014-07-22 07:25:47 +10:00
Tim Hudson
f39dbff498 Minor documentation update removing "really" and a
statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6)
2014-07-21 20:23:09 +10:00
Dr. Stephen Henson
f6fefb0cb6 Fix documentation for RSA_set_method(3)
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
2014-07-19 18:32:29 +01:00
Jeffrey Walton
febfaa53f4 Fix typo, add reference.
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf)
2014-07-17 12:09:14 +01:00
Matt Caswell
cfed221c2d Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd548192a)
2014-07-15 23:25:07 +01:00
Dr. Stephen Henson
c2014ae252 Clarify -Verify and PSK.
PR#3452
(cherry picked from commit ca2015a617)
2014-07-15 20:24:55 +01:00
Dr. Stephen Henson
c3d317b4de Fix DTLS certificate requesting code.
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc5f)
2014-07-15 18:24:14 +01:00
Dr. Stephen Henson
a214feb26b Don't allow -www etc options with DTLS.
The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)
2014-07-15 12:27:29 +01:00
Dr. Stephen Henson
7a3a82dbbd Use case insensitive compare for servername.
PR#3445
(cherry picked from commit 1c3e9a7c67)
2014-07-15 00:00:39 +01:00
Matt Caswell
02fef91630 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:36:03 +01:00
Richard Levitte
0b8cd5acd6 * crypto/ui/ui_lib.c: misplaced brace in switch statement.
Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd34091)
2014-07-13 19:17:21 +02:00
Matt Caswell
97f4e235a1 Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53be)
2014-07-09 23:38:23 +01:00
David Lloyd
cfd2aeeb7c Prevent infinite loop loading config files.
PR#2985
(cherry picked from commit 9d23f422a3)
2014-07-07 13:51:07 +01:00
Dr. Stephen Henson
a0fdc4c6d6 Fix ECC SSLv2 exclusion on OpenSSL 0.9.8. 2014-07-07 13:00:07 +01:00
Dr. Stephen Henson
b5def0243e Update ticket callback docs.
(cherry picked from commit a23a6e85d8)
2014-07-06 12:43:22 +01:00
Matt Caswell
357f6d8add Fixes for newer versions of pod2man 2014-07-06 00:05:29 +01:00
Matt Caswell
19a71e8c16 Fixed error in pod files with latest versions of pod2man
(cherry picked from commit 07255f0a76d9d349d915e14f969b9ff2ee0d1953)
2014-07-06 00:05:29 +01:00
Alan Hryngle
7faa66433f Return smaller of ret and f.
PR#3418.
(cherry picked from commit fdea4fff8f)
2014-07-05 22:39:16 +01:00
Dr. Stephen Henson
1a0498769f Don't limit message sizes in ssl3_get_cert_verify.
PR#319 (reoponed version).
(cherry picked from commit 7f6e957864)

Conflicts:

	ssl/s3_srvr.c
2014-07-05 13:32:40 +01:00
Dr. Stephen Henson
a4dde82423 More doc fixes. 2014-07-03 21:31:51 +01:00
Rich Salz
eba0aa995d More bugfixes from the doc-fix merge; errors found by DrH, thanks. 2014-07-03 16:17:54 -04:00
Rich Salz
c9e6fffa53 Fix errors with last cherry-pick; SSL_CONF_* and s_client
-verify_return_error aren't in this release.
2014-07-03 14:31:04 -04:00
Rich Salz
85dcce7c63 Merge branch 'rsalz-docfixes'
(cherry picked from commit b5071dc2f6)

Conflicts:

	doc/apps/s_client.pod
	doc/apps/verify.pod
	doc/apps/x509v3_config.pod
	doc/crypto/ASN1_generate_nconf.pod
	doc/ssl/SSL_CONF_CTX_set_ssl_ctx.pod
	doc/ssl/SSL_CONF_cmd.pod
	doc/ssl/SSL_CONF_cmd_argv.pod
	doc/ssl/SSL_CTX_set_cert_cb.pod
	doc/ssl/SSL_CTX_set_security_level.pod
2014-07-03 12:35:40 -04:00
Rich Salz
2ed29615cb Close 3170, remove reference to Ariel Glenn's old 0.9.8 doc
(cherry picked from commit f1112985e8)
2014-07-03 12:28:54 -04:00
Matt Smart
d7080d624b Fix doc typo.
ERR_get_error(3) references the non-existent
ERR_get_last_error_line_data instead of the one that does exist,
ERR_peek_last_error_line_data.

PR#3283
(cherry picked from commit 5cc99c6cf5)
2014-07-02 03:45:21 +01:00
Geoff Thorpe
5d7c8a48db util/mkerr.pl: fix perl warning
Gets rid of this;

defined(@array) is deprecated at ../util/mkerr.pl line 792.
        (Maybe you should just omit the defined()?)
defined(@array) is deprecated at ../util/mkerr.pl line 800.
        (Maybe you should just omit the defined()?)

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 647f360e2e)
2014-07-02 01:51:04 +01:00
Dr. Stephen Henson
00e86a74bd ASN1 sanity check.
Primitive encodings shouldn't use indefinite length constructed
form.

PR#2438 (partial).
(cherry picked from commit 398e99fe5e)
2014-07-02 01:01:55 +01:00
Dr. Stephen Henson
9e6857a358 Fix memory leak.
PR#2531.
(cherry picked from commit 59899c4d1b)
2014-06-29 13:54:21 +01:00
Ken Ballou
715258486c Typo.
PR#3173
(cherry picked from commit 76ed5a42ea)
2014-06-29 13:39:32 +01:00
Dr. Stephen Henson
2daec41e25 Show errors on CSR verification failure.
If CSR verify fails in ca utility print out error messages.
Otherwise some errors give misleading output: for example
if the key size exceeds the library limit.

PR#2875
(cherry picked from commit a30bdb55d1)
2014-06-29 13:35:18 +01:00
Dr. Stephen Henson
8519635923 Typo.
PR#3107
(cherry picked from commit 7c206db928)
2014-06-28 12:43:50 +01:00
Dr. Stephen Henson
d0bdfdd830 Don't disable state strings with no-ssl2
Some state strings were erronously not compiled when no-ssl2
was set.

PR#3295
(cherry picked from commit 0518a3e19e)
2014-06-28 00:57:18 +01:00
Andreas Westfeld
4b98488eb0 Fix typo in ideatest.c
(cherry picked from commit d1d4382dcb)
2014-06-28 00:07:02 +01:00