Commit graph

11699 commits

Author SHA1 Message Date
Matt Caswell
75862f7741 Sanity check the return from final_finish_mac
The return value is checked for 0. This is currently safe but we should
really check for <= 0 since -1 is frequently used for error conditions.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c427570e50)

Conflicts:
	ssl/ssl_locl.h
2015-04-30 23:21:53 +01:00
Matt Caswell
99ceb2d40c Add sanity check in ssl3_cbc_digest_record
For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst
this is true for all SSLv3 ciphersuites, this fact is far from obvious by
looking at the code. If this were not the case then an integer overflow
would occur, leading to a subsequent buffer overflow. Therefore I have
added an explicit sanity check to ensure header_length is always valid.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 29b0a15a48)
2015-04-30 23:21:53 +01:00
Matt Caswell
abc7a266a3 Clarify logic in BIO_*printf functions
The static function dynamically allocates an output buffer if the output
grows larger than the static buffer that is normally used. The original
logic implied that |currlen| could be greater than |maxlen| which is
incorrect (and if so would cause a buffer overrun). Also the original
logic would call OPENSSL_malloc to create a dynamic buffer equal to the
size of the static buffer, and then immediately call OPENSSL_realloc to
make it bigger, rather than just creating a buffer than was big enough in
the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 9d9e37744c)
2015-04-30 23:21:53 +01:00
Matt Caswell
33c99f2c81 Sanity check EVP_EncodeUpdate buffer len
There was already a sanity check to ensure the passed buffer length is not
zero. Extend this to ensure that it also not negative. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b86d7dca69)
2015-04-30 23:21:53 +01:00
Matt Caswell
1a3701f4fe Sanity check EVP_CTRL_AEAD_TLS_AAD
The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c826988109)

Conflicts:
	ssl/record/ssl3_record.c
2015-04-30 23:21:50 +01:00
Matt Caswell
4ce06271aa Sanity check DES_enc_write buffer length
Add a sanity check to DES_enc_write to ensure the buffer length provided
is not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 873fb39f20)
2015-04-30 23:14:55 +01:00
Matt Caswell
c5f8cd7bc6 Add length sanity check in SSLv2 n_do_ssl_write()
Fortify flagged up a problem in n_do_ssl_write() in SSLv2. Analysing the
code I do not believe there is a real problem here. However the logic flows
are complicated enough that a sanity check of |len| is probably worthwhile.

Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-29 17:23:45 +01:00
Matt Caswell
937a766982 Revert "Fix verify algorithm."
This reverts commit 47daa155a3.

The above commit was backported to the 1.0.2 branch as part of backporting
the alternative chain verify algorithm changes. However it has been pointed
out (credit to Shigeki Ohtsu) that this is unnecessary in 1.0.2 as this
commit is a work around for loop checking that only exists in master.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-29 15:44:03 +01:00
Emilia Kasper
07977739f0 NISTZ256: use EC_POINT API and check errors.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6038354cf8)
2015-04-27 19:50:19 +02:00
Emilia Kasper
c7e78b6bed NISTZ256: don't swallow malloc errors
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a4d5269e6d)
2015-04-27 18:06:01 +02:00
Emilia Kasper
df6c736fbd NISTZ256: set Z_is_one to boolean 0/1 as is customary.
Cosmetic, no real effect.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4446044a79)
2015-04-27 16:50:05 +02:00
Emilia Kasper
c30a1b3b33 Error checking and memory leak fixes in NISTZ256.
Thanks to Brian Smith for reporting these issues.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-27 16:37:19 +02:00
Emilia Kasper
9ed55313a7 Fix error checking and memory leaks in NISTZ256 precomputation.
Thanks to Brian Smith for reporting these issues.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 53dd4ddf71)
2015-04-24 17:47:01 +02:00
Emilia Kasper
7238a82c8a Correctly set Z_is_one on the return value in the NISTZ256 implementation.
Also add a few comments about constant-timeness.

Thanks to Brian Smith for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-24 17:35:56 +02:00
Loganaden Velvindron
6e5d130765 Fix CRYPTO_strdup
The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)
2015-04-22 17:20:38 +01:00
Emilia Kasper
8f0f9ffda3 Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec61
and
7b3ba508af
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6e3d015363)
2015-04-21 19:31:09 +02:00
Emilia Kasper
5c4fd8b515 Initialize variable
newsig may be used (freed) uninitialized on a malloc error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6824941440)
2015-04-21 19:27:24 +02:00
Emilia Kasper
496c79f60c make update
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-21 17:50:36 +02:00
Richard Levitte
186578be45 Initialised 'ok' and redo the logic.
The logic with how 'ok' was calculated didn't quite convey what's "ok",
so the logic is slightly redone to make it less confusing.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 06affe3dac)
2015-04-21 01:45:47 +02:00
Matt Caswell
f4c5cd3085 Fix return checks in GOST engine
Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8817e2e0c9)
2015-04-20 23:10:56 +01:00
Matt Caswell
0ddf91c5f3 Fix misc NULL derefs in sureware engine
Fix miscellaneous NULL pointer derefs in the sureware engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7b611e5fe8)
2015-04-20 23:10:56 +01:00
Andy Polyakov
73824ba8fe aes/asm/aesni-x86.pl: fix typo affecting Windows build.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7be6bc68c6)
2015-04-20 18:40:46 +02:00
Andy Polyakov
e95e22af50 aes/asm/aesni-x86[_64].pl update.
This addresses

- request for improvement for faster key setup in RT#3576;
- clearing registers and stack in RT#3554 (this is more of a gesture to
see if there will be some traction from compiler side);
- more commentary around input parameters handling and stack layout
(desired when RT#3553 was reviewed);
- minor size and single block performance optimization (was lying around);

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 23f6eec71d)
2015-04-20 15:44:36 +02:00
Dr. Stephen Henson
47daa155a3 Fix verify algorithm.
Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e5991ec528)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
be856c0391 Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag.

Conflicts:
	doc/apps/cms.pod
	doc/apps/ocsp.pod
	doc/apps/s_client.pod
	doc/apps/s_server.pod
	doc/apps/smime.pod
	doc/apps/verify.pod

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
017a06c7d1 Add -no_alt_chains option to apps to implement the new
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Conflicts:
	apps/cms.c
	apps/ocsp.c
	apps/s_client.c
	apps/s_server.c
	apps/smime.c
	apps/verify.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
dfd3322d72 Add flag to inhibit checking for alternate certificate chains. Setting this
behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
6281abc796 In certain situations the server provided certificate chain may no longer be
valid. However the issuer of the leaf, or some intermediate cert is in fact
in the trust store.

When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Dr. Stephen Henson
3661bb4e79 Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d37)
2015-04-18 14:43:33 +01:00
Emilia Kasper
e697a4c3d7 Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3ae91cfb32)
2015-04-17 18:44:35 +02:00
Emilia Kasper
5613feaacc Use -Wall -Wextra with clang
The disabled set of -Weverything is hard to maintain across versions.
Use -Wall -Wextra but also document other useful warnings that currently trigger.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-17 18:26:09 +02:00
Viktor Dukhovni
3b38646d13 Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
2015-04-16 13:50:01 -04:00
Dr. Stephen Henson
bf5b8ff17d Limit depth of nested sequences when generating ASN.1
Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c4137b5e82)
2015-04-16 16:06:11 +01:00
Dr. Stephen Henson
a696708ae6 Reject empty generation strings.
Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 111b60bea0)
2015-04-16 16:06:10 +01:00
Matt Caswell
5101c35c91 Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1c9)
2015-04-14 14:59:40 +01:00
Matt Caswell
35bac91676 Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
2015-04-14 14:48:24 +01:00
Kurt Roeckx
ea9de25f2f do_dirname: Don't change gen on failures
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ec5c5dd36)
2015-04-11 20:35:13 +02:00
Kurt Roeckx
f6cddcccc8 X509_VERIFY_PARAM_free: Check param for NULL
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit f49baeff50)
2015-04-11 20:35:13 +02:00
Dr. Stephen Henson
6df777ed50 Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b4969a)

Conflicts:
	crypto/asn1/tasn_new.c
2015-04-10 19:52:02 +01:00
Dr. Stephen Henson
07395b7a6d Fix ECDH key identifier support.
PR#3789

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7a317fa07c)
2015-04-10 18:52:49 +01:00
Dr. Stephen Henson
784f155e0d Fix ECDH detection, add ECDH keyid test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9fdbc9df76)
2015-04-10 18:52:49 +01:00
Richard Levitte
42802a94be Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe0918)
2015-04-08 21:46:15 +02:00
Richard Levitte
9e63eeaf76 Ignore the non-dll windows specific build directories
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 37d92b1b2b)
2015-04-08 18:00:47 +02:00
Richard Levitte
700c0eb8d9 Appease clang -Wshadow
The macros BSWAP4 and BSWAP8 have statetemnt expressions
implementations that use local variable names that shadow variables
outside the macro call, generating warnings like this

e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable
      [-Wshadow]
    seqnum = BSWAP8(blocks[0].q[0]);
             ^
../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8'
                            ^
e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here
    size_t ret = 0;
           ^

Have clang be quiet by modifying the macro variable names slightly
(suffixing them with an underscore).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2da2a4349c)
2015-04-08 17:59:41 +02:00
Richard Levitte
a4ba716333 Appease clang -Wgnu-statement-expression
We use GNU statement expressions in crypto/md32_common.h, surrounded
by checks that GNU C is indeed used to compile.  It seems that clang,
at least on Linux, pretends to be GNU C, therefore finds the statement
expressions and then warns about them.

The solution is to have clang be quiet about it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 04958e84d8)
2015-04-08 17:59:41 +02:00
Richard Levitte
d21cbd7d5e Appease clang -Wempty-translation-unit
ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one
      declaration [-Wempty-translation-unit]
      ^
1 warning generated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c25dea53e9)
2015-04-08 17:59:40 +02:00
Emilia Kasper
ae50d82700 Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-08 16:28:42 +02:00
Andy Polyakov
ff864ffef3 modes/asm/ghashv8-armx.pl: up to 90% performance improvement.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7eeeb49e11)
2015-04-02 10:04:37 +02:00
Andy Polyakov
0a1f31f7ba sha/asm/sha*-armv8.pl: add Denver and X-Gene esults.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit be5a87a1b0)
2015-04-02 09:51:32 +02:00
Andy Polyakov
5a27a20be3 aes/asm/aesv8-armx.pl: optimize for Cortex-A5x.
ARM has optimized Cortex-A5x pipeline to favour pairs of complementary
AES instructions. While modified code improves performance of post-r0p0
Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts
original r0p0. We favour later revisions, because one can't prevent
future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%,
while new code is not slower on r0p0, or Apple A7 for that matter.

[Update even SHA results for latest Cortex-A53.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 94376cccb4)
2015-04-02 09:51:24 +02:00