Commit graph

11226 commits

Author SHA1 Message Date
Matt Caswell
8bc643efc8 Always generate DH keys for ephemeral DH cipher suites
Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.

This is a follow on from CVE-2016-0701. This branch is not impacted by
that CVE because it does not support X9.42 style parameters. It is still
possible to generate parameters based on primes that are not "safe",
although by default OpenSSL does not do this. The documentation does
sign post that using such parameters is unsafe if the private DH key is
reused. However to avoid accidental problems or future attacks this commit
has been backported to this branch.

Issue reported by Antonio Sanso

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-28 10:27:55 +00:00
Richard Levitte
126ac21c80 Fix BSD -rpath parameter
For BSD systems, Configure adds a shared_ldflags including a reference
to the Makefile variable LIBRPATH, but since it must be passed down to
Makefile.shared, care must be taken so the value of LIBRPATH doesn't
get expanded too early, or it ends up giving an empty string.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c64879d3f3)
2016-01-19 20:59:31 +01:00
Alessandro Ghedini
51223748e5 Validate ClientHello session_id field length and send alert on failure
RT#4080

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 15:42:23 +00:00
Prayag Verma
4c33d583f5 Update license year range to 2016
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 02f7037247)
2016-01-19 10:24:52 -05:00
Viktor Dukhovni
e9a6c72e3c Empty SNI names are not valid
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 21:14:02 -05:00
Dr. Stephen Henson
00cebd1131 To avoid possible time_t overflow use X509_time_adj_ex()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 9aa00b187a)

Conflicts:
	apps/x509.c
2016-01-14 03:04:31 +00:00
Kurt Roeckx
f5fc9404c2 Change minimum DH size from 768 to 1024
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2016-01-11 00:13:54 +01:00
Kurt Roeckx
ff9cef0266 File is about s_time, not s_client
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1918e01c9f)
2016-01-10 13:14:52 +01:00
Viktor Dukhovni
737d57d072 Fix X509_STORE_CTX_cleanup()
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-04 21:50:01 -05:00
Rich Salz
b5dbbebbc2 RT4202: Update rt URL's.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 41977c53cd)
2015-12-28 16:41:28 -05:00
Matt Caswell
968bccee46 Add some documentation for the OCSP callback functions
Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c52c3b5e11)
2015-12-27 22:05:36 +00:00
Matt Caswell
604f67f521 Ensure we don't call the OCSP callback if resuming a session
It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 0ac6239955)
2015-12-27 22:05:36 +00:00
Matt Caswell
a7316aace3 Fix error when server does not send CertificateStatus message
If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 905943af3b)
2015-12-27 22:05:36 +00:00
David Benjamin
1967199f9f Fix memory leak in DSA redo case.
Found by clang scan-build.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>

RT: #4184, MR: #1496
(cherry picked from commit 679d87515d)
2015-12-22 11:54:42 +01:00
Dr. Stephen Henson
23a58779f5 Don't check RSA_FLAG_SIGN_VER.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 6656ba7152)
2015-12-20 19:28:23 +00:00
Richard Levitte
f9b52eb6b1 BIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 17592f323a)
2015-12-19 22:10:32 +01:00
Richard Levitte
074821106c Correct or add comments indicating what controls belong to what
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6d97060ee0)
2015-12-19 22:10:32 +01:00
Richard Levitte
0dae9636e8 Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work
No dummy arguments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7eb5125125)
2015-12-19 22:10:32 +01:00
Richard Levitte
f08360a160 Have BIO_get_conn_int_port use BIO_ctrl instead BIO_int_ctrl
BIO_int_ctrl isn't made for the purpose BIO_get_conn_int_port used it
for.

This also changes BIO_C_GET_CONNECT to actually return the port
instead of assigning it to a pointer that was never returned back to
the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2a60fccdd9)
2015-12-19 22:10:32 +01:00
Matt Caswell
583f4bf7e8 Fix more URLs mangled by reformat
Fix some more URLs mangled by indent in the reformat. These ones don't exist
in master so we have a separate commit. Based on a patch supplied by Arnaud
Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:40:39 +00:00
Matt Caswell
ff2c19efdb Fix URLs mangled by reformat
Some URLs in the source code ended up getting mangled by indent. This fixes
it. Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:40:39 +00:00
Richard Levitte
e961c7a201 Remove the "eay" c-file-style indicators
Since we don't use the eay style any more, there's no point tryint to
tell emacs to use it.

Reviewed-by: Ben Laurie <ben@openssl.org>
2015-12-18 13:13:31 +01:00
Rich Salz
d7f7144391 Provide better "make depend" warning.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2e31ef0366)
2015-12-16 17:47:22 -05:00
Emilia Kasper
d6af325d51 Fix a ** 0 mod 1 = 0 for real this time.
Commit 2b0180c37f attempted to do this but
only hit one of many BN_mod_exp codepaths. Fix remaining variants and add
a test for each method.

Thanks to Hanno Boeck for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d911097d7c)
(cherry picked from commit 44e4f5b04b)
2015-12-14 18:27:04 +01:00
Richard Levitte
36be5f77d0 Fix tarball production to keep test/bctest and util/pod2mantest
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 474a53b3a3)
2015-12-14 11:24:24 +01:00
Matt Caswell
f612bdb342 Ensure |rwstate| is set correctly on BIO_flush
A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 67f60be8c9)
2015-12-10 12:50:56 +00:00
Matt Caswell
4a53424318 Fix DTLS handshake fragment retries
If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2ad226e88b)
2015-12-10 12:50:55 +00:00
Dr Stephen Henson
d724616f68 Don't use applink for static builds.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 10119938215298ad414468e7c2779d7fd1a0b979)
2015-12-09 00:30:27 +00:00
Rich Salz
d27f073bf5 Refer to website for acknowledgements.
Reviewed-by: Steve Marquess <marquess@openssl.com>
(cherry picked from commit ab29c82a55)
2015-12-08 16:08:20 -05:00
Richard Levitte
a19244a433 Not all 'find's know -xtype, use -type instead
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3cd7aef34d)
2015-12-08 21:06:34 +01:00
Richard Levitte
cf269a1a0e Adapt the OS X build to use the OS X tar
As part of this, move release creation to a script to be called from
.travis.yml.  That makes it much easier to test outside of travis.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 382af61f62)
2015-12-08 21:06:34 +01:00
Richard Levitte
4305622736 Make it possible to affect the way dists are made
Introducing DISTTARVARS to propagate changed variables down to the
tar-making target.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d3c30a179)
2015-12-08 21:06:33 +01:00
Richard Levitte
66a1ccf494 Cleanup the EVP_MD_CTX before exit rather than after
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit c44844d928)
2015-12-08 12:07:22 +01:00
Richard Levitte
777adea16a Change tar owner and group to just 0
It seems like some tar versions don't like the name:id form for
--owner and --group.  The closest known anonymous user being 0 (root),
that seems to be the most appropriate user/group to assign ownership
to.  It matters very little when unpacking either way.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b91dd150d2)
2015-12-07 20:11:05 +01:00
Richard Levitte
641365436e Do not add symlinks in the source release
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 451a5bdf03)
2015-12-07 16:25:18 +01:00
Richard Levitte
1e8a87295e In travis, build from a "source release" rather than from the build tree
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 475fc3d872)
2015-12-07 16:25:13 +01:00
Richard Levitte
3b92a6fe4f Small changes to creating dists
Make TARFILE include ../ instead of having that hard coded all over the place.
When transforming file names in TAR_COMMAND, use $(NAME) instead of openssl-$(VERSION)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4a544810f0)
2015-12-07 16:24:23 +01:00
Matt Caswell
d82626caec Prepare for 1.0.1r-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:51:13 +00:00
Matt Caswell
55615e8d48 Prepare for 1.0.1q release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:50:26 +00:00
Matt Caswell
56edb20184 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:50:26 +00:00
Matt Caswell
ac3dd9b7e6 Update CHANGES and NEWS
Update the CHANGES and NEWS files for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 13:45:13 +01:00
Dr. Stephen Henson
d8541d7e9e Add PSS parameter check.
Avoid seg fault by checking mgf1 parameter is not NULL. This can be
triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.

CVE-2015-3194

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-03 13:45:13 +01:00
Dr. Stephen Henson
b29ffa392e Fix leak with ASN.1 combine.
When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 13:45:13 +01:00
Andy Polyakov
005f4893dc e_os.h: limit _MSC_VER trickery to older compilers.
PR: #3390, backport from 1.0.2.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-03 13:24:42 +01:00
Dr. Stephen Henson
d585cc32a5 typo
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-12-02 21:49:37 +00:00
Richard Levitte
fb35ea28f4 _BSD_SOURCE is deprecated, use _DEFAULT_SOURCE instead
The feature_test_macros(7) manual tells us that _BSD_SOURCE is
deprecated since glibc 2.20 and that the compiler will warn about it
being used, unless _DEFAULT_SOURCE is defined as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f9fd35248c)
2015-12-02 18:49:57 +01:00
Matt Caswell
41d049e1cd Return errors even if the cookie validation has succeeded
In the DTLS ClientHello processing the return value is stored in |ret| which
by default is -1. We wish to return 1 on success or 2 on success *and* we
have validated the DTLS cookie. Previously on successful validation of the
cookie we were setting |ret| to 2. Unfortunately if we later encounter an
error then we can end up returning a successful (positive) return code from
the function because we already set |ret| to a positive value.

This does not appear to have a security consequence because the handshake
just fails at a later point.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-30 10:51:43 +00:00
Kurt Roeckx
98b94544e5 Use both sun and __sun
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit ed02493567)
2015-11-24 23:44:50 +01:00
Marcus Meissner
844de56ed6 mark openssl configuration as loaded at end of OPENSSL_config
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

GH: #466
(cherry picked from commit 434b58457c)
2015-11-24 22:05:47 +01:00
Pascal Cuoq
784934498f ssl3_free(): Return if it wasn't created
If somewhere in SSL_new() there is a memory allocation failure, ssl3_free() can
get called with s->s3 still being NULL.

Patch also provided by Willy Tarreau <wtarreau@haproxy.com>

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit 3e7bd2ce0b16f8611298175d6dc7cb35ee06ea6d)
2015-11-24 21:56:39 +01:00