Commit graph

12115 commits

Author SHA1 Message Date
Andy Polyakov
515f3be47a bn/asm/x86_64-mont5.pl: unify gather procedure in hardly used path
and reorganize/harmonize post-conditions.

Additional hardening following on from CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from master)
2016-03-01 11:21:43 +00:00
Andy Polyakov
25d14c6c29 crypto/bn/x86_64-mont5.pl: constant-time gather procedure.
At the same time remove miniscule bias in final subtraction.
Performance penalty varies from platform to platform, and even with
key length. For rsa2048 sign it was observed to be 4% for Sandy
Bridge and 7% on Broadwell.

CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from master)
2016-03-01 11:21:29 +00:00
Andy Polyakov
08ea966c01 bn/asm/rsaz-avx2.pl: constant-time gather procedure.
Performance penalty is 2%.

CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from master)
2016-03-01 11:21:22 +00:00
Andy Polyakov
ef98503eee bn/asm/rsax-x86_64.pl: constant-time gather procedure.
Performance penalty is 2% on Linux and 5% on Windows.

CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from master)
2016-03-01 11:21:15 +00:00
Andy Polyakov
708dc2f129 bn/bn_exp.c: constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.
Performance penalty varies from platform to platform, and even
key length. For rsa2048 sign it was observed to reach almost 10%.

CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from master)

Resolved conflicts:
	crypto/bn/bn_exp.c
2016-03-01 11:20:41 +00:00
Viktor Dukhovni
bc38a7d2d3 Disable EXPORT and LOW SSLv3+ ciphers by default
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:20:35 +00:00
Matt Caswell
1b1d8ae49a Add a test for SSLv2 configuration
SSLv2 should be off by default. You can only turn it on if you have called
SSL_CTX_clear_options(SSL_OP_NO_SSLv2) or
SSL_clear_options(SSL_OP_NO_SSLv2). You should not be able to inadvertantly
turn it on again via SSL_CONF without having done that first.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:20:35 +00:00
Viktor Dukhovni
021fb42dd0 Bring SSL method documentation up to date
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:20:35 +00:00
Viktor Dukhovni
9dfd2be8a1 Disable SSLv2 default build, default negotiation and weak ciphers.
SSLv2 is by default disabled at build-time.  Builds that are not
configured with "enable-ssl2" will not support SSLv2.  Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed.  Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

Mitigation for CVE-2016-0800

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:20:10 +00:00
Matt Caswell
c175308407 Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using
an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
For large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This leaves ret->d as NULL leading
to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this
case memory is allocated to ret->d, but it is insufficiently sized
leading to heap corruption. A similar issue exists in BN_dec2bn.

This could have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec data. This is
anticipated to be a rare occurrence.

All OpenSSL internal usage of this function uses data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be a rare.

Issue reported by Guido Vranken.

CVE-2016-0797

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-29 16:34:18 +00:00
Kurt Roeckx
29305f4edc Fix invalid free
Also removes an extra initializer, the master branch has a extra field.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-28 13:59:57 +01:00
FdaSilvaYY
7bcdf4ef78 Fix two possible leaks
Backport of 98637bd

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-27 17:05:32 -05:00
FdaSilvaYY
e9cf5f0366 Fix possible memory leak on BUF_MEM_grow_clean failure
backport of 3eb70c5eba
shorter changes

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-27 17:05:32 -05:00
Andy Polyakov
a3762a92d6 modes/asm/ghash-x86_64.pl: refine GNU assembler version detection.
Even though AVX support was added in GAS 2.19 vpclmulqdq was apparently
added in 2.20.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d3cdab1736)
2016-02-27 21:35:34 +01:00
Kurt Roeckx
5361af815d Revert "Don't check RSA_FLAG_SIGN_VER."
This reverts commit 6656ba7152.

This broke existing engines that didn't properly implement the sign and verify
functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #2077
2016-02-27 13:12:02 +01:00
Matt Caswell
578b956fe7 Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string
in the BIO_*printf functions could overflow while calculating the length
of a string and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to
an OOB memory location (at an offset from the NULL pointer) in the event of
a memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can also
occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
issue dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

CVE-2016-0799

Issue reported by Guido Vranken.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-25 22:47:13 +00:00
Emilia Kasper
259b664f95 CVE-2016-0798: avoid memory leak in SRP
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-24 18:39:13 +01:00
Andy Polyakov
64333004a4 ec/asm/ecp_nistz256-x86_64.pl: get corner case logic right.
RT#4284

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d93753412b)
2016-02-23 21:26:53 +01:00
FdaSilvaYY
04f2a0b50d GH714: missing field initialisation
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-23 13:21:07 -05:00
David Woodhouse
c436c990f6 RT4175: Fix PKCS7_verify() regression with Authenticode signatures
This is a partial revert of commit c8491de39 ("GH354: Memory leak fixes"),
which was cherry-picked from commit 55500ea7c in OpenSSL 1.1.

That commit introduced a change in behaviour which is a regression for
software implementing Microsoft Authenticode — which requires a PKCS#7
signature to be validated against explicit external data, even though
it's a non-detached signature with its own embedded data.

The is fixed differently in OpenSSL 1.1 by commit 6b2ebe433 ("Add
PKCS7_NO_DUAL_CONTENT flag"), but that approach isn't viable in the
1.0.2 stable branch, so just comment the offending check back out again.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-23 10:16:15 -05:00
Corinna Vinschen
f78baa9d71 Don't strip object files on Cygwin
Building for the Cygwin distro requires to be able to build debuginfo
  files.  This in turn requires to build object files without stripping.
  The stripping is performed by the next step after building which creates
  the debuginfo files.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

(cherry picked from commit 42b8f1427a)

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-22 22:14:00 +01:00
Richard Levitte
5c57fbb8ca Recognise Cygwin-x86_64 in config
In response to RT#4326

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-22 15:44:10 +01:00
Dr. Stephen Henson
6c88c71b4e Fix double free in DSA private key parsing.
Fix double free bug when parsing malformed DSA private keys.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

CVE-2016-0705

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-19 14:03:07 +00:00
Andy Polyakov
c575ceffdb Makefile.shared: limit .dll image base pinning to FIPS builds.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-19 13:40:58 +01:00
Andy Polyakov
b393a4ad38 evp/e_des3.c: address compiler warning.
In backporting from master one modification was mistreated.

RT#4210

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-19 13:34:42 +01:00
Dr. Stephen Henson
43be582e9b typo
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f6fb7f1856)
2016-02-18 14:00:23 +00:00
Dr. Stephen Henson
866b282d1b Switch to FIPS implementation for CMAC.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-16 22:52:59 +00:00
Andy Polyakov
24e6a0dba4 evp/e_des[3].c: address compiler warnings, fix formatting.
RT#4210

(1.0.2-specific adaptation of 7687f52550)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-13 10:46:26 +01:00
Andy Polyakov
6533a0b8d1 modes/ctr128.c: pay attention to ecount_buf alignment in CRYPTO_ctr128_encrypt.
It's never problem if CRYPTO_ctr128_encrypt is called from EVP, because
buffer in question is always aligned within EVP_CIPHER_CTX structure.

RT#4218

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 5e4bbeb49f)
2016-02-12 22:00:13 +01:00
Emilia Kasper
b4b23d05d3 RT 3854: Update apps/req
Change the default keysize to 2048 bits, and the minimum to 512 bits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a762655743)
2016-02-12 14:17:57 +01:00
Andy Polyakov
10c639a8a5 perlasm/x86_64-xlate.pl: pass pure constants verbatim.
RT#3885

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fd7dc201d3)
2016-02-11 21:26:44 +01:00
Andy Polyakov
0fffd52242 util/mk1mf.pl: use LINK_CMD instead of LINK variable.
Trouble is that LINK variable assignment in make-file interferes with
LINK environment variable, which can be used to modify Microsoft's
LINK.EXE behaviour.

RT#4289

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d44bb1c31c)

Resolved conflicts:
	util/pl/VC-32.pl
2016-02-11 21:25:24 +01:00
Andy Polyakov
52464477be ms/uplink-x86.pl: make it work.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 740b2b9a6c)
2016-02-10 12:55:11 +01:00
Matt Caswell
64193c8218 Handle SSL_shutdown while in init more appropriately #2
Previous commit f73c737c7 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit f73c737c7 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:30:57 +00:00
Dr. Stephen Henson
402fb1896b if no comparison function set make sk_sort no op
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0ca2e82ab1)
2016-02-06 18:49:56 +00:00
Viktor Dukhovni
a3baa17105 Fix missing ok=0 with locally blacklisted CAs
Also in X509_verify_cert() avoid using "i" not only as a loop
counter, but also as a trust outcome and as an error ordinal.

Finally, make sure that all "goto end" jumps return an error, with
"end" renamed to "err" accordingly.

[ The 1.1.0 version of X509_verify_cert() is major rewrite,
  which addresses these issues in a more systemic way. ]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-05 10:54:11 -05:00
Kurt Roeckx
093d20a8cb Restore xmm7 from the correct address on win64
Reviewed-by: Richard Levitte <levitte@openssl.org>

RT: #4288, MR: #1831
(cherry picked from commit df057ea6c8)
2016-02-04 15:42:50 +01:00
Viktor Dukhovni
5df0bde60e Fix pkeyutl/rsautl empty encrypt-input/decrypt-output handling
Also fix option processing in pkeyutl to allow use of (formerly)
"out-of-order" switches that were needless implementation limitations.

RT2018

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-02 12:41:33 -05:00
Rich Salz
a2bab12a33 GH611: s_client help message bug
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-02 12:16:10 -05:00
Hubert Kario
106dbca36c GH554: Improve pkeyutl doc
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 53619f9f40)
2016-02-01 11:45:00 -05:00
Daniel Kahn Gillmor
a38a159bfc RT4129: BUF_new_mem_buf should take const void *
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8ab31975ba)
2016-02-01 08:43:27 -05:00
Rich Salz
e0fde613ac GH102: Add volatile to CRYPTO_memcmp
Can't hurt and seems to prevent problems from some over-aggressive
(LTO?) compilers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 98ab57644f)
2016-01-30 14:41:23 -05:00
Dr. Stephen Henson
2454accb6e Backport SHA2 support for capi engine
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-01-29 13:35:49 +00:00
Matt Caswell
1e9446bf5c Add have_precompute_mult tests
Add tests for have_precompute_mult for the optimised curves (nistp224,
nistp256 and nistp521) if present

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8ce4e7e605)
2016-01-29 13:07:12 +00:00
Matt Caswell
e94f52e0c7 Fix bug in nistp224/256/521 where have_precompute_mult always returns 0
During precomputation if the group given is well known then we memcpy a
well known precomputation. However we go the wrong label in the code and
don't store the data properly. Consequently if we call have_precompute_mult
the data isn't there and we return 0.

RT#3600

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 615614c886)
2016-01-29 13:07:10 +00:00
Matt Caswell
83ab6e55a1 Add missing return value checks
The function DH_check_pub_key() was missing some return value checks in
some calls to BN functions.

RT#4278

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit f5a12207ec)
2016-01-29 11:58:45 +00:00
Matt Caswell
7107798ae6 Correct value of DH_CHECK_PUBKEY_INVALID
A new return value for DH_check_pub_key was recently added:
DH_CHECK_PUBKEY_INVALID. As this is a flag which can be ORed with other
return values it should have been set to the value 4 not 3.

RT#4278

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cb389fe804)
2016-01-29 11:58:45 +00:00
Kurt Roeckx
2b0c11a620 Fix CHANGES entry about DSA_generate_parameters_ex
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2016-01-28 19:55:46 +01:00
Richard Levitte
da7947e8c6 Correct number of arguments in BIO_get_conn_int_port macro
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 41a28cb294)
2016-01-28 18:20:55 +01:00
Matt Caswell
22d192f106 Prepare for 1.0.2g-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 13:58:24 +00:00