Commit graph

11297 commits

Author SHA1 Message Date
Andy Polyakov
d7a854c055 bn/bn_exp.c: constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.
Performance penalty varies from platform to platform, and even
key length. For rsa2048 sign it was observed to reach almost 10%.

CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 11:24:05 +00:00
Viktor Dukhovni
abd5d8fbef Disable EXPORT and LOW SSLv3+ ciphers by default
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:24:02 +00:00
Viktor Dukhovni
a82cfd612b Bring SSL method documentation up to date
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:24:02 +00:00
Viktor Dukhovni
56f1acf5ef Disable SSLv2 default build, default negotiation and weak ciphers.
SSLv2 is by default disabled at build-time.  Builds that are not
configured with "enable-ssl2" will not support SSLv2.  Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed.  Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

Mitigation for CVE-2016-0800

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:23:45 +00:00
Matt Caswell
8f651326a5 Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using
an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
For large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This leaves ret->d as NULL leading
to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this
case memory is allocated to ret->d, but it is insufficiently sized
leading to heap corruption. A similar issue exists in BN_dec2bn.

This could have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec data. This is
anticipated to be a rare occurrence.

All OpenSSL internal usage of this function uses data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be a rare.

Issue reported by Guido Vranken.

CVE-2016-0797

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c175308407)
2016-02-29 16:40:02 +00:00
Kurt Roeckx
f16bc6f06c Revert "Don't check RSA_FLAG_SIGN_VER."
This reverts commit 23a58779f5.

This broke existing engines that didn't properly implement the sign and verify
functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #2077
2016-02-27 13:38:01 +01:00
Matt Caswell
a801bf2638 Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string
in the BIO_*printf functions could overflow while calculating the length
of a string and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to
an OOB memory location (at an offset from the NULL pointer) in the event of
a memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can also
occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
issue dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

CVE-2016-0799

Issue reported by Guido Vranken.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 578b956fe7)
2016-02-25 22:48:17 +00:00
Emilia Kasper
59a908f1e8 CVE-2016-0798: avoid memory leak in SRP
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-25 15:44:21 +01:00
FdaSilvaYY
3ee48ada8c GH714: missing field initialisation
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 04f2a0b50d)
2016-02-23 13:21:48 -05:00
Dr. Stephen Henson
ccb2a61407 Fix double free in DSA private key parsing.
Fix double free bug when parsing malformed DSA private keys.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

CVE-2016-0705

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6c88c71b4e)
2016-02-19 14:04:21 +00:00
Andy Polyakov
3629c49d7a modes/ctr128.c: pay attention to ecount_buf alignment in CRYPTO_ctr128_encrypt.
It's never problem if CRYPTO_ctr128_encrypt is called from EVP, because
buffer in question is always aligned within EVP_CIPHER_CTX structure.

RT#4218

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 5e4bbeb49f)
2016-02-12 22:01:13 +01:00
Andy Polyakov
b0b9f693b4 util/mk1mf.pl: use LINK_CMD instead of LINK variable.
Trouble is that LINK variable assignment in make-file interferes with
LINK environment variable, which can be used to modify Microsoft's
LINK.EXE behaviour.

RT#4289

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d44bb1c31c)

Resolved conflicts:
	util/pl/VC-32.pl

(cherry picked from commit 0fffd52242)
2016-02-11 21:30:19 +01:00
Andy Polyakov
9b6e183925 ms/uplink-x86.pl: make it work.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 740b2b9a6c)
2016-02-10 12:57:29 +01:00
Kurt Roeckx
99a5c8a659 Fix CHANGES entry about DSA_generate_parameters_ex
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit 2b0c11a620)
2016-01-28 19:56:49 +01:00
Richard Levitte
5d5de781a5 Correct number of arguments in BIO_get_conn_int_port macro
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 41a28cb294)
2016-01-28 18:20:53 +01:00
Matt Caswell
69ff244490 Prepare for 1.0.1s-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
09ccb58518 Prepare for 1.0.1r release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Richard Levitte
6210c70992 TARFILE wasn't correctly set
This solves an earlier cherry-pick mistake.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
bea4cb2e80 Further updates to CHANGES and NEWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
5fed60f962 Update CHANGES and NEWS ready for release
Update CHANGES and NEWS with details of the issues fixed in the forthcoming
release.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-28 17:06:38 +00:00
Viktor Dukhovni
4040a7fd10 Better SSLv2 cipher-suite enforcement
Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>

CVE-2015-3197

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
8bc643efc8 Always generate DH keys for ephemeral DH cipher suites
Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.

This is a follow on from CVE-2016-0701. This branch is not impacted by
that CVE because it does not support X9.42 style parameters. It is still
possible to generate parameters based on primes that are not "safe",
although by default OpenSSL does not do this. The documentation does
sign post that using such parameters is unsafe if the private DH key is
reused. However to avoid accidental problems or future attacks this commit
has been backported to this branch.

Issue reported by Antonio Sanso

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-28 10:27:55 +00:00
Richard Levitte
126ac21c80 Fix BSD -rpath parameter
For BSD systems, Configure adds a shared_ldflags including a reference
to the Makefile variable LIBRPATH, but since it must be passed down to
Makefile.shared, care must be taken so the value of LIBRPATH doesn't
get expanded too early, or it ends up giving an empty string.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c64879d3f3)
2016-01-19 20:59:31 +01:00
Alessandro Ghedini
51223748e5 Validate ClientHello session_id field length and send alert on failure
RT#4080

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 15:42:23 +00:00
Prayag Verma
4c33d583f5 Update license year range to 2016
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 02f7037247)
2016-01-19 10:24:52 -05:00
Viktor Dukhovni
e9a6c72e3c Empty SNI names are not valid
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 21:14:02 -05:00
Dr. Stephen Henson
00cebd1131 To avoid possible time_t overflow use X509_time_adj_ex()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 9aa00b187a)

Conflicts:
	apps/x509.c
2016-01-14 03:04:31 +00:00
Kurt Roeckx
f5fc9404c2 Change minimum DH size from 768 to 1024
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2016-01-11 00:13:54 +01:00
Kurt Roeckx
ff9cef0266 File is about s_time, not s_client
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1918e01c9f)
2016-01-10 13:14:52 +01:00
Viktor Dukhovni
737d57d072 Fix X509_STORE_CTX_cleanup()
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-04 21:50:01 -05:00
Rich Salz
b5dbbebbc2 RT4202: Update rt URL's.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 41977c53cd)
2015-12-28 16:41:28 -05:00
Matt Caswell
968bccee46 Add some documentation for the OCSP callback functions
Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c52c3b5e11)
2015-12-27 22:05:36 +00:00
Matt Caswell
604f67f521 Ensure we don't call the OCSP callback if resuming a session
It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 0ac6239955)
2015-12-27 22:05:36 +00:00
Matt Caswell
a7316aace3 Fix error when server does not send CertificateStatus message
If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 905943af3b)
2015-12-27 22:05:36 +00:00
David Benjamin
1967199f9f Fix memory leak in DSA redo case.
Found by clang scan-build.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>

RT: #4184, MR: #1496
(cherry picked from commit 679d87515d)
2015-12-22 11:54:42 +01:00
Dr. Stephen Henson
23a58779f5 Don't check RSA_FLAG_SIGN_VER.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 6656ba7152)
2015-12-20 19:28:23 +00:00
Richard Levitte
f9b52eb6b1 BIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 17592f323a)
2015-12-19 22:10:32 +01:00
Richard Levitte
074821106c Correct or add comments indicating what controls belong to what
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6d97060ee0)
2015-12-19 22:10:32 +01:00
Richard Levitte
0dae9636e8 Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work
No dummy arguments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7eb5125125)
2015-12-19 22:10:32 +01:00
Richard Levitte
f08360a160 Have BIO_get_conn_int_port use BIO_ctrl instead BIO_int_ctrl
BIO_int_ctrl isn't made for the purpose BIO_get_conn_int_port used it
for.

This also changes BIO_C_GET_CONNECT to actually return the port
instead of assigning it to a pointer that was never returned back to
the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2a60fccdd9)
2015-12-19 22:10:32 +01:00
Matt Caswell
583f4bf7e8 Fix more URLs mangled by reformat
Fix some more URLs mangled by indent in the reformat. These ones don't exist
in master so we have a separate commit. Based on a patch supplied by Arnaud
Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:40:39 +00:00
Matt Caswell
ff2c19efdb Fix URLs mangled by reformat
Some URLs in the source code ended up getting mangled by indent. This fixes
it. Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:40:39 +00:00
Richard Levitte
e961c7a201 Remove the "eay" c-file-style indicators
Since we don't use the eay style any more, there's no point tryint to
tell emacs to use it.

Reviewed-by: Ben Laurie <ben@openssl.org>
2015-12-18 13:13:31 +01:00
Rich Salz
d7f7144391 Provide better "make depend" warning.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2e31ef0366)
2015-12-16 17:47:22 -05:00
Emilia Kasper
d6af325d51 Fix a ** 0 mod 1 = 0 for real this time.
Commit 2b0180c37f attempted to do this but
only hit one of many BN_mod_exp codepaths. Fix remaining variants and add
a test for each method.

Thanks to Hanno Boeck for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d911097d7c)
(cherry picked from commit 44e4f5b04b)
2015-12-14 18:27:04 +01:00
Richard Levitte
36be5f77d0 Fix tarball production to keep test/bctest and util/pod2mantest
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 474a53b3a3)
2015-12-14 11:24:24 +01:00
Matt Caswell
f612bdb342 Ensure |rwstate| is set correctly on BIO_flush
A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 67f60be8c9)
2015-12-10 12:50:56 +00:00
Matt Caswell
4a53424318 Fix DTLS handshake fragment retries
If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2ad226e88b)
2015-12-10 12:50:55 +00:00
Dr Stephen Henson
d724616f68 Don't use applink for static builds.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 10119938215298ad414468e7c2779d7fd1a0b979)
2015-12-09 00:30:27 +00:00
Rich Salz
d27f073bf5 Refer to website for acknowledgements.
Reviewed-by: Steve Marquess <marquess@openssl.com>
(cherry picked from commit ab29c82a55)
2015-12-08 16:08:20 -05:00