Commit graph

11197 commits

Author SHA1 Message Date
Emilia Kasper
9a9b0c0401 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 5a3d21c058)

Conflicts:
	ssl/s3_cbc.c
	test/Makefile
2014-08-28 16:26:01 +02:00
Raphael Spreitzer
b85d461cdf RT2400: ASN1_STRING_to_UTF8 missing initializer
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176)
2014-08-27 22:59:40 -04:00
Rich Salz
089f10e69e RT2308: Add extern "C" { ... } wrapper
Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Cherry-pick of commit 17e80c6bd0
2014-08-27 21:45:09 -04:00
Emilia Kasper
7f7c05ca63 Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
2014-08-27 19:50:15 +02:00
Matt Caswell
2083f7c465 RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)
2014-08-27 19:50:15 +02:00
Adam Langley
1f2b943254 RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
2014-08-27 19:50:15 +02:00
Mihai Militaru
dc5c3d7370 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c544)
2014-08-27 13:25:36 -04:00
John Fitzgibbon
383f0e349f RT2724: Remove extra declaration
Extra SSL_get_selected_srtp_profile() declaration in ssl/srtp.h
causes -Werror builds to fail.

Cherry-picked from 3609b02305

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-26 16:55:54 -04:00
David Gatwood
0a64a864b4 RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2014-08-26 13:38:27 -04:00
Jan Schaumann
dec128313b RT1804: fix EXAMPLE in EVP_EncryptInit.pod
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-25 10:26:17 -04:00
Matt Caswell
1d4f214eaf Typo fixes to evp documentation.
This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b95)
2014-08-24 21:26:02 +01:00
Adam Langley
3aac17a82f RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-08-22 15:36:06 +02:00
Adam Langley
e19c93811f RT3061: Don't SEGFAULT when trying to export a public DSA key as a private key.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-22 15:21:12 +02:00
Emilia Kasper
108e907645 Improve EVP_PKEY_sign documentation
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a20)
2014-08-22 15:05:55 +02:00
Emilia Kasper
8958be3946 define inline for Visual Studio
In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a73)
2014-08-21 16:07:44 +02:00
Emilia Kasper
ebf221ee25 Fix build when BSAES_ASM is defined but VPAES_ASM is not
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68)
2014-08-21 15:48:10 +02:00
Andy Polyakov
ef90877721 bn/asm/rsaz-*.pl: allow spaces in Perl path name.
RT: 2835

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 15735e4f0e)
2014-08-21 00:19:24 +02:00
Andy Polyakov
a89adc148e sha1-mb-x86_64.pl: add commentary.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit e608273a80)
2014-08-21 00:16:32 +02:00
Andy Polyakov
b698c427de crypto/evp/e_aes_cbc_hmac_sha[1|256].c: fix compiler warnings.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 2893a302a9)
2014-08-20 22:20:21 +02:00
Andy Polyakov
e99ac8b868 sha1-mb-x86_64.pl: fix typo.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 55eb14da20)
2014-08-20 22:12:50 +02:00
Matt Caswell
43312c624d Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:28:52 +01:00
Istvan Noszticzius
beeb0fa7be Fix use after free bug.
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5afa57fb7b17aa51cfba1ffa94e900fc7a5f0e04)
2014-08-15 16:46:14 +01:00
Bodo Moeller
267e6f3cc0 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org
2014-08-13 17:40:33 +02:00
Dr. Stephen Henson
5ed0b6ac0c Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)
2014-08-09 00:09:14 +01:00
Dr. Stephen Henson
90a549ddfb Test SRP authentication ciphersuites.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 193c1c07165b0042abd217274a084b49459d4443)
2014-08-09 00:09:01 +01:00
Dr. Stephen Henson
bc792813f0 Only use FIPS EC methods in FIPS mode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1433cac53c)
2014-08-07 02:11:53 +01:00
Dr. Stephen Henson
bb4c9ffd02 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:41:53 +01:00
Dr. Stephen Henson
53348780e9 Fix SRP buffer overrun vulnerability.
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
2014-08-06 20:41:24 +01:00
Dr. Stephen Henson
f338c2e0c2 Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:41:24 +01:00
Gabor Tyukasz
92aa73bcbf Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:41:24 +01:00
Emilia Kasper
c01618dd82 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:41:24 +01:00
Emilia Käsper
1d7d0ed9c2 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:41:24 +01:00
David Benjamin
40a2200d89 Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:41:24 +01:00
Adam Langley
d345a24569 Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:24 +01:00
Matt Caswell
3d5dceac43 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
aad61c0a57 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
8ca4c4b25e Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Matt Caswell
0598468fc0 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Matt Caswell
ea7cb53974 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Adam Langley
4985007555 Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:41:23 +01:00
Dr. Stephen Henson
89d2f8f1a9 make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01 21:21:03 +01:00
Dr. Stephen Henson
2c3673cd3f Fix error discrepancy.
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
2014-08-01 18:42:41 +01:00
Bodo Moeller
ba5f75d53e Update $default_depflags to match current defaults. 2014-08-01 19:03:03 +02:00
Bodo Moeller
be804523cf Clean up CHANGES files: If a change is already present in 1.0.1f or 1.0.1h,
don't list it again under changes between 1.0.1h and 1.0.2.
2014-08-01 18:38:56 +02:00
Bodo Moeller
d5213519c0 Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org
2014-08-01 17:27:59 +02:00
Dr. Stephen Henson
a3efe1b6e9 Avoid multiple lock using FIPS DRBG.
Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode.

PR#3176
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-07-30 21:08:07 +01:00
Dr. Stephen Henson
789b12599d Add conditional unit testing interface.
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit e0fc7961c4)

Conflicts:

	ssl/heartbeat_test.c
	ssl/ssl.h
	util/mkdef.pl
2014-07-24 19:42:26 +01:00
Matt Caswell
371d9a627b Prepare for 1.0.2-beta3-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-07-22 21:31:04 +01:00
Matt Caswell
2f63ad1c6d Prepare for 1.0.2-beta2 release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-07-22 21:30:33 +01:00
Matt Caswell
0e32035292 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-07-22 21:30:33 +01:00