Commit graph

11656 commits

Author SHA1 Message Date
Richard Levitte
700c0eb8d9 Appease clang -Wshadow
The macros BSWAP4 and BSWAP8 have statetemnt expressions
implementations that use local variable names that shadow variables
outside the macro call, generating warnings like this

e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable
      [-Wshadow]
    seqnum = BSWAP8(blocks[0].q[0]);
             ^
../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8'
                            ^
e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here
    size_t ret = 0;
           ^

Have clang be quiet by modifying the macro variable names slightly
(suffixing them with an underscore).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2da2a4349c)
2015-04-08 17:59:41 +02:00
Richard Levitte
a4ba716333 Appease clang -Wgnu-statement-expression
We use GNU statement expressions in crypto/md32_common.h, surrounded
by checks that GNU C is indeed used to compile.  It seems that clang,
at least on Linux, pretends to be GNU C, therefore finds the statement
expressions and then warns about them.

The solution is to have clang be quiet about it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 04958e84d8)
2015-04-08 17:59:41 +02:00
Richard Levitte
d21cbd7d5e Appease clang -Wempty-translation-unit
ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one
      declaration [-Wempty-translation-unit]
      ^
1 warning generated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c25dea53e9)
2015-04-08 17:59:40 +02:00
Emilia Kasper
ae50d82700 Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-08 16:28:42 +02:00
Andy Polyakov
ff864ffef3 modes/asm/ghashv8-armx.pl: up to 90% performance improvement.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7eeeb49e11)
2015-04-02 10:04:37 +02:00
Andy Polyakov
0a1f31f7ba sha/asm/sha*-armv8.pl: add Denver and X-Gene esults.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit be5a87a1b0)
2015-04-02 09:51:32 +02:00
Andy Polyakov
5a27a20be3 aes/asm/aesv8-armx.pl: optimize for Cortex-A5x.
ARM has optimized Cortex-A5x pipeline to favour pairs of complementary
AES instructions. While modified code improves performance of post-r0p0
Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts
original r0p0. We favour later revisions, because one can't prevent
future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%,
while new code is not slower on r0p0, or Apple A7 for that matter.

[Update even SHA results for latest Cortex-A53.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 94376cccb4)
2015-04-02 09:51:24 +02:00
Douglas E Engert
3d5bb773ec Ensure EC private keys retain leading zeros
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 30cd4ff294)

Conflicts:
	crypto/ec/ec_asn1.c
2015-03-31 16:38:20 +01:00
Andy Polyakov
c8ece537e3 ec/asm/ecp_nistz256-x86_64.pl: update commentary with before-after performance data.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b06a6f7cc44baa0c17207a8f72c4ac360be7b555)
2015-03-28 15:56:28 +01:00
Matt Caswell
8338cf0bdb Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:07:31 +00:00
Matt Caswell
ddbf312fb4 Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:58:56 +00:00
Matt Caswell
e7c2ad508d Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:58:56 +00:00
Matt Caswell
929b0d70c1 Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	crypto/hmac/hmac.c
2015-03-25 12:58:53 +00:00
Matt Caswell
b7279ed55c Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:56:47 +00:00
Matt Caswell
8f8e4e4f52 Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:41:28 +00:00
Matt Caswell
a20718fa2c Add ticket length before buffering DTLS message
In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4f9fab6bd0)

Conflicts:
	ssl/s3_srvr.c
2015-03-25 12:29:48 +00:00
Matt Caswell
4285b85163 Ensure last_write_sequence is saved in DTLS1.2
In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d5d0a1cb13)
2015-03-25 12:28:45 +00:00
Kurt Roeckx
fe82be2b33 Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619)
2015-03-24 22:42:30 +01:00
Dr. Stephen Henson
8509128179 Fix OCSP tests.
OCSP verification changes mean the OCSP tests now need -trusted_first

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 21:22:00 +00:00
Dr. Stephen Henson
d3a9eaccc1 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da0)
2015-03-24 12:27:13 +00:00
Dr. Stephen Henson
4ba9a4265b Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287)
2015-03-24 12:14:04 +00:00
Mike Frysinger
bc0eb82b85 Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 7c82e339a6)
2015-03-24 11:34:20 +00:00
Matt Caswell
bd891f098b Don't check curves that haven't been sent
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b79d24101e)
2015-03-23 14:06:17 +00:00
Andy Polyakov
c45dfdc68a sha/asm/sha256-armv4.pl: adapt for use in Linux kernel context.
In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2ecd32a1f8)
2015-03-23 13:38:46 +01:00
Matt Caswell
b5dc90121c Fix no-ec with no-ec2m
Fix builds config'd with no-ec and no-ec2m. Technically this combination is
redundant - but the fix is straight forward. Fix from OpenWrt.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-03-22 20:32:49 +00:00
Matt Caswell
b0b7232877 Add DTLS tests to make test
Updated test/testssl script to include the new DTLS capability in ssltest.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 3c381e5423)
2015-03-20 12:09:24 +00:00
David Woodhouse
ece8574ae6 Add DTLS support to ssltest
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 98b8cdd322)

Conflicts:
	ssl/ssltest.c
2015-03-20 12:09:22 +00:00
David Woodhouse
3edf1b98e0 Add DTLS to SSL_get_version
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 504e643e09)

Conflicts:
	ssl/ssl_lib.c
2015-03-20 12:06:12 +00:00
Matt Caswell
0d6d10d97d Prepare for 1.0.2b-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:34:56 +00:00
Matt Caswell
3df69d3aef Prepare for 1.0.2a release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:31:16 +00:00
Matt Caswell
921095d4d3 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:31:16 +00:00
Matt Caswell
5cc6509dae Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:36 +00:00
Matt Caswell
18029a3d07 Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
7b22e8d01f Update NEWS file
Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
da947c9758 Update CHANGES for release
Update CHANGES file with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
128b271c8d Fix discrepancy in NEWS file
There was a discrepancy between the 1.0.2 version of NEWS and the 1.0.1
version. This fixes it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
a8b1e52ff4 Fix CHANGES discrepancies
There were some discrepancies in the CHANGES file between the 1.0.1 version
and 1.0.2. This corrects it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
d6e903d188 Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Emilia Kasper
86f8fb0e34 Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:58:35 +00:00
Emilia Kasper
c0334c2c92 PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
c3c7fb07dc Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Matt Caswell
b19d814321 Fix DHE Null CKE vulnerability
If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.

CVE-2015-1787

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
76343947ad Fix for CVE-2015-0291
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.

Thanks to David Ramos of Stanford University for reporting this bug.

CVE-2015-0291

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	ssl/t1_lib.c
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
4b22cce381 Reject invalid PSS parameters.
Fix a bug where invalid PSS parameters are not rejected resulting in a
NULL pointer exception. This can be triggered during certificate
verification so could be a DoS attack against a client or a server
enabling client authentication.

Thanks to Brian Carpenter for reporting this issues.

CVE-2015-0208

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:58:35 +00:00
Dr. Stephen Henson
b717b08307 Free up ADB and CHOICE if already initialised.
CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-03-19 11:11:22 +00:00
Matt Caswell
819418110b Fix Seg fault in DTLSv1_listen
The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.

CVE-2015-0207

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 11:11:22 +00:00
Matt Caswell
77c77f0a1b Multiblock corrupted pointer fix
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.

CVE-2015-0290

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-03-19 11:11:22 +00:00
Dr. Stephen Henson
8b84495380 Add support for ServerInfo SSL_CONF option.
Add support for ServerInfo SSL_CONF option and update documentation. This
was wrongly omitted from the 1.0.2 release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-18 12:31:06 +00:00
Matt Caswell
c1559f5046 Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf92259)
2015-03-17 14:49:47 +00:00
Matt Caswell
d8d2e50359 Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c597c)
2015-03-17 14:49:47 +00:00