Commit graph

11831 commits

Author SHA1 Message Date
Matt Caswell
692f07c3e0 Reject calls to X509_verify_cert that have not been reinitialised
The function X509_verify_cert checks the value of |ctx->chain| at the
beginning, and if it is NULL then it initialises it, along with the value
of ctx->untrusted. The normal way to use X509_verify_cert() is to first
call X509_STORE_CTX_init(); then set up various parameters etc; then call
X509_verify_cert(); then check the results; and finally call
X509_STORE_CTX_cleanup(). The initial call to X509_STORE_CTX_init() sets
|ctx->chain| to NULL. The only place in the OpenSSL codebase  where
|ctx->chain| is set to anything other than a non NULL value is in
X509_verify_cert itself. Therefore the only ways that |ctx->chain| could be
non NULL on entry to X509_verify_cert is if one of the following occurs:
1) An application calls X509_verify_cert() twice without re-initialising
in between.
2) An application reaches inside the X509_STORE_CTX structure and changes
the value of |ctx->chain| directly.

With regards to the second of these, we should discount this - it should
not be supported to allow this.

With regards to the first of these, the documentation is not exactly
crystal clear, but the implication is that you must call
X509_STORE_CTX_init() before each call to X509_verify_cert(). If you fail
to do this then, at best, the results would be undefined.

Calling X509_verify_cert() with |ctx->chain| set to a non NULL value is
likely to have unexpected results, and could be dangerous. This commit
changes the behaviour of X509_verify_cert() so that it causes an error if
|ctx->chain| is anything other than NULL (because this indicates that we
have not been initialised properly). It also clarifies the associated
documentation. This is a follow up commit to CVE-2015-1793.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 21:50:09 +01:00
Matt Caswell
f404943bca Add test for CVE-2015-1793
This adds a test for CVE-2015-1793. This adds a new test file
verify_extra_test.c, which could form the basis for additional
verification tests.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 21:48:55 +01:00
Matt Caswell
21376d8ae3 Fix alternate chains certificate forgery issue
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.

This occurs where at least one cert is added to the first chain from the
trust store, but that chain still ends up being untrusted. In that case
ctx->last_untrusted is decremented in error.

Patch provided by the BoringSSL project.

CVE-2015-1793

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 21:48:55 +01:00
Dr. Stephen Henson
c0b674b7cb Relax CCM tag check.
In CCM mode don't require a tag before initialising decrypt: this allows
the tag length to be set without requiring the tag.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9cca7be11d)
2015-07-06 18:35:35 +01:00
Dr. Stephen Henson
a229c2b805 document -2 return value
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5727582cf5)
2015-07-06 18:35:35 +01:00
Dr. Stephen Henson
3c66a669df Fix PSK handling.
The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Use BUF_strndup when copying identity as it may not be null terminated.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-07-02 12:01:27 +01:00
Dr. Stephen Henson
f8f75a7e4a Check for errors with SRP
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5fced2395d)
2015-06-29 19:21:15 +01:00
Dr. Stephen Henson
7c1dae55d4 Don't output bogus errors in PKCS12_parse
PR#3923

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ffbf304d48)
2015-06-25 04:55:43 +01:00
Dr. Stephen Henson
edbc9050be Add docs for ssl verification parameter functions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 77672802a6)
2015-06-24 22:22:23 +01:00
Vitezslav Cizek
c00206c326 GH297: Fix NAME section of SSL_CTX_use_serverinfo.pod
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-23 08:17:57 -04:00
Rich Salz
4ce5ed5f39 RT3682: Avoid double-free on OCSP parse error
Found by Kurt Cancemi

(Manual cherry-pick of f8e427154bbc0c33f29fa7aad001b1b655e5995b)
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-23 08:14:24 -04:00
Russell Webb
295c629ab1 RT3856: Fix memory leaks in test code
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2d540402aa)
2015-06-23 08:04:19 -04:00
Richard Levitte
c61bb1abaf make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-23 03:03:10 +02:00
Richard Levitte
f59186e436 Rearrange rsaz
A small rearrangement so the inclusion of rsaz_exp.h would be
unconditional, but what that header defines becomes conditional.

This solves the weirdness where rsaz_exp.h gets in and out of the
dependency list for bn_exp.c, depending on the present architecture.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-23 03:02:05 +02:00
Rich Salz
0abf610447 RT3907-fix
Typo in local variable name; introduced by previous fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit cc3f3fc2b1)
2015-06-22 20:50:20 -04:00
Rich Salz
57bd71b45b RT3907: avoid "local" in testssl script
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 75ba5c58c6)
2015-06-22 15:50:02 -04:00
Rich Salz
4475451164 RT3917: add cleanup on an error path
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7fba8407cc)
2015-06-21 17:55:06 -04:00
Richard Levitte
220b9519eb Cleanup mttest.c : because we no longer use stdio here, don't include it
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ca96efd24)
2015-06-21 22:12:07 +02:00
Richard Levitte
710e28ef93 Add -ldl to the build of mttest.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d62c98c81c)
2015-06-21 22:12:07 +02:00
Richard Levitte
05d20833e3 Cleanup mttest.c : do not try to output reference counts when threads are done
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 964626957f)
2015-06-21 22:12:07 +02:00
Richard Levitte
90ee3c1646 Cleanup mttest.c : better error reporting when certs are missing
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7a1789d254)
2015-06-21 22:12:07 +02:00
Richard Levitte
7ef465050e Cleanup mttest.c : make ssl_method a pointer to const
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f4c73bfe0a)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:12:07 +02:00
Richard Levitte
8ca211707a Cleanup mttest.c : more output changes
More fprintf()s and printf()s to turn into BIO calls.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-21 22:12:07 +02:00
Richard Levitte
9007dfa203 Cleanup mttest.c : modernise output
Construct bio_err and bio_stdout from file handles instead of FILE
pointers, since the latter might not be implemented (when OPENSSL_NO_STDIO
is defined).
Convert all output to use BIO_printf.
Change lh_foo to lh_SSL_SESSION_foo.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bb8abd6735)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:12:07 +02:00
Richard Levitte
603bebc0e7 Cleanup mttest.c : modernise the threads setup
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5c78e18352)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:12:07 +02:00
Richard Levitte
56f0733145 Cleanup mttest.c : remove MS_CALLBACK
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3f9286556)
2015-06-21 22:12:07 +02:00
Rich Salz
8e6bb99979 RT1688: Add dependencies for parallel make
Backport to 1.0.1 and 1.0.2 to fix RT 3905

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-21 15:26:54 -04:00
Dr. Stephen Henson
8615d8b4ec typo: should be OPENSSL_free
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bc9567cdc9)
2015-06-20 19:28:58 +01:00
Richard Levitte
4f0812cc28 Make preprocessor error into real preprocessor error
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit b4f0d1a4a8)
2015-06-16 13:13:49 +02:00
Richard Levitte
3bf9adaa2b Remove one extraneous parenthesis
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 30cf91784b)
2015-06-16 13:13:48 +02:00
Matt Caswell
54ae378c9e Prepare for 1.0.2d-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:14:35 +01:00
Matt Caswell
0ee5fcde06 Prepare for 1.0.2c release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:10:40 +01:00
Matt Caswell
d4c1763858 Updated CHANGES and NEWS entries for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 15:56:51 +01:00
Adam Langley
fe64245aa1 Allow a zero length extension block
It is valid for an extension block to be present in a ClientHello, but to
be of zero length.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-12 15:43:02 +01:00
Matt Caswell
1030f89f5e Fix ABI break with HMAC
Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX.
This backs that change out, and does it a different way.

Thanks to Timo Teras for the concept.

Conflicts:
	crypto/hmac/hmac.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 14:08:54 +01:00
Matt Caswell
b6ed991731 Prepare for 1.0.2c-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 14:59:37 +01:00
Matt Caswell
7b560c174d Prepare for 1.0.2b release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 14:55:38 +01:00
Matt Caswell
c26bfada81 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 14:55:38 +01:00
Andy Polyakov
40b8eb792d bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.
CVE-2015-1788

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4924b37ee0)
2015-06-11 14:52:39 +01:00
Matt Caswell
ab17f6b746 Update CHANGES and NEWS
Updates to CHANGES and NEWS to take account of the latest security fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 14:52:39 +01:00
Emilia Kasper
7bc2aee4f1 PKCS#7: Fix NULL dereference with missing EncryptedContent.
CVE-2015-1790

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 14:52:39 +01:00
Emilia Kasper
9bc3665ac9 Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-11 14:52:39 +01:00
Dr. Stephen Henson
aa5ab40860 Fix infinite loop in CMS
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.

CVE-2015-1792

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11 14:52:39 +01:00
Richard Levitte
8aa556e1c3 make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11 15:51:16 +02:00
Richard Levitte
5ef5b9ffa9 Correction of make depend merge error
$(PROGS) was mistakenly removed, adding it back.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11 15:51:16 +02:00
Matt Caswell
d44f89c990 More ssl_session_dup fixes
Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.

Thanks to LibreSSL project for reporting these issues.

Conflicts:
	ssl/ssl_sess.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-11 10:04:00 +01:00
Andy Polyakov
c35e138a58 e_aes_cbc_hmac_sha*.c: address linker warning about OPENSSL_ia32cap_P size mismatch.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f0fa5c8306)
2015-06-11 10:14:01 +02:00
Kurt Roeckx
57e477b9ec Only allow a temporary rsa key exchange when they key is larger than 512.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838
2015-06-11 00:06:06 +02:00
Kurt Roeckx
39a298a1c0 Properly check certificate in case of export ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838
2015-06-11 00:06:06 +02:00
Andy Polyakov
1fdf36f511 gcm.c: address linker warning about OPENSSL_ia32cap_P size mismatch.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 75c4827dfe)
2015-06-10 23:58:07 +02:00