Commit graph

8698 commits

Author SHA1 Message Date
Andy Polyakov
9880f63038 e_os.h: refine inline override logic (to address warnings in debug build).
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 55c7a4cf11)
2014-10-17 12:02:00 +02:00
Andy Polyakov
af32df0a8e e_os.h: allow inline functions to be compiled by legacy compilers.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 40155f4089)

Conflicts:
	e_os.h
2014-10-17 12:00:53 +02:00
Kurt Cancemi
bfb7bf1a28 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955)
2014-10-17 11:48:55 +02:00
Dr. Stephen Henson
f33636faf7 Don't try 1**0 test with FIPS.
The 1**0 test will fail for FIPS capable builds because it uses the
old BIGNUM code in the 1.2 FIPS module which can't be fixed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-16 04:40:50 +01:00
Matt Caswell
94f735cade Prepare for 0.9.8zd-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:49:42 +01:00
Matt Caswell
36216218ca Prepare for 0.9.8zc release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:48:52 +01:00
Matt Caswell
115eaf4886 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:48:52 +01:00
Matt Caswell
53ce5647d4 Updates to NEWS
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-10-15 08:46:57 -04:00
Matt Caswell
4d2efa29f6 Updates to CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-10-15 08:46:57 -04:00
Geoff Thorpe
cd332a0750 Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:46:57 -04:00
Dr. Stephen Henson
2ed80d14d7 Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 90e53055939db40cf0fac1ad0c59630280aeee86)
2014-10-15 08:46:57 -04:00
Bodo Moeller
d286606301 Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:39:17 +02:00
Bodo Moeller
3f4d81e88b Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 11:15:58 +02:00
Bodo Moeller
dc5dfe431c Oops -- fix typo in coment added with TLS_FALLBACK_SCSV support.
Reviewed-by: Steve Henson <steve@openss.org>
2014-10-15 04:26:29 +02:00
Bodo Moeller
c6a876473c Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:18:29 +02:00
Dr. Stephen Henson
5a7fc89394 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:31:29 +01:00
Emilia Kasper
116fd3732a Add missing tests
Accidentally omitted from commit 455b65dfab

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e)
2014-09-25 13:48:08 +02:00
Emilia Kasper
1bb01b1b5f RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b55ff319f8)

Conflicts:
	crypto/evp/Makefile
	crypto/evp/evp_enc.c
2014-09-24 16:41:55 +02:00
Emilia Kasper
699d78ce98 RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)

Conflicts:
	ssl/Makefile
2014-09-24 16:01:46 +02:00
Adam Langley
43d613ec18 This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.

(cherry picked from commit adb46dbc6d)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-24 16:00:16 +02:00
Emilia Kasper
96e1015eec RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:39:44 +02:00
Tim Hudson
cf4b01a766 Fixed error introduced in commit f2be92b94d
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff9)
2014-09-22 06:31:05 +10:00
Adam Langley
45d129511f Ensure that x**0 mod 1 = 0.
(cherry picked from commit 2b0180c37f)

Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-04 16:07:39 +02:00
Richard Levitte
0976adac8f Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0)
2014-09-03 22:26:24 +02:00
Phil Mesnier
db5b0d9309 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576)
2014-09-03 22:26:24 +02:00
Emilia Kasper
aeeedc8acc Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
2014-09-02 15:25:20 +02:00
Matt Caswell
c903866420 Fixed double inclusion of string.h
PR2693

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5d33b70ef5a4768fdfb77a73f9817c4570613039)
2014-08-29 21:40:15 +01:00
Emilia Kasper
9b208659aa Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 73729e4cf3)

Conflicts:
	ssl/Makefile
	test/Makefile
2014-08-28 17:28:42 +02:00
Adam Langley
f54fab0fef RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82f)
2014-08-22 15:53:34 +02:00
Emilia Kasper
b30aaafbe5 define inline for Visual Studio
In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a73)

Conflicts:
	e_os.h
2014-08-21 16:08:55 +02:00
Adam Langley
fee8d86d7a Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.

(cherry picked from commit 7753a3a684)

Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a90b1e32d2)
2014-08-19 17:12:08 +02:00
Matt Caswell
bf3e53a7fa Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Conflicts:
	ssl/s3_clnt.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:34:45 +01:00
Bodo Moeller
44a8fced97 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org

Conflicts:
	crypto/ec/ectest.c

Conflicts:
	crypto/ec/ec.h
2014-08-13 18:09:00 +02:00
Matt Caswell
4ff07f4c71 Prepare for 0.9.8zc-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:40 +01:00
Matt Caswell
1c5f396d36 Prepare for 0.9.8zb release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:20 +01:00
Matt Caswell
9fcaaef34f Updates to CHANGES and NEWS
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 22:02:00 +01:00
Emilia Kasper
b9a73f5481 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 22:02:00 +01:00
Emilia Käsper
bff5319d90 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 22:02:00 +01:00
David Benjamin
fc4bd2f287 Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
4c836c96c4 Remove some duplicate DTLS code.
In |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Matt Caswell
6e14e7fc19 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
fc15c44049 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
445598b35e Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Matt Caswell
338a5e7e54 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Matt Caswell
6a431cd293 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Adam Langley
1b7024fb69 Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 22:02:00 +01:00
Dr. Stephen Henson
5021f6314e fix warn_unused_result warnings
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 21:59:15 +01:00
Dr. Stephen Henson
21d24dd38a Fix warnings about ignored return values.
(cherry picked from commit 27131fe8f7)
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-06 21:58:25 +01:00
Bodo Moeller
681d11b6fd Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
	crypto/ec/ectest.c
2014-08-01 17:59:31 +02:00
Billy Brumley
8c387e62b2 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:29:35 +01:00