Commit graph

10723 commits

Author SHA1 Message Date
Emilia Kasper
8d507aee7c RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)
2014-09-24 15:52:41 +02:00
Adam Langley
133145686e This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.

(cherry picked from commit adb46dbc6d)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-24 15:46:26 +02:00
Emilia Kasper
0f04b004ac RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:17:41 +02:00
Tim Hudson
81e3a6055c Fixed error introduced in commit f2be92b94d
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff9)
2014-09-22 06:34:25 +10:00
Rich Salz
bea9a17726 RT2560: missing NULL check in ocsp_req_find_signer
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980)
2014-09-10 12:20:25 -04:00
Erik Auerswald
b537ea9ce4 RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e)
2014-09-08 11:23:10 -04:00
Adam Langley
13ce52be1b psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732)
2014-09-05 12:22:50 +02:00
Adam Langley
11853c50ec Ensure that x**0 mod 1 = 0.
(cherry picked from commit 2b0180c37f)

Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-04 16:06:51 +02:00
Richard Levitte
a60aa7e008 Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0)
2014-09-03 22:26:05 +02:00
Phil Mesnier
a49256a349 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576)
2014-09-03 22:26:05 +02:00
Emilia Kasper
e517dfd3d1 Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
2014-09-02 15:24:59 +02:00
Andy Polyakov
74687f5979 md5-x86_64.pl: work around warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d86e8df6b)
2014-08-30 19:19:01 +02:00
Rich Salz
8dc6617ad5 Add tags/TAGS
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 9d6253cfd3)
2014-08-30 10:09:30 -04:00
Rich Salz
c2119214c2 RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6aa9dbab0f)
2014-08-30 10:06:07 -04:00
James Westby
22387f00b6 RT1941: c_rehash.pod is missing
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b3)
2014-08-30 09:51:56 -04:00
Rich Salz
4d16915381 RT2379: Bug in BIO_set_accept_port.pod
The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae)
2014-08-29 16:46:28 -04:00
Emilia Kasper
e7169a5835 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 9a9b0c0401)

Conflicts:
	test/Makefile
2014-08-28 17:07:07 +02:00
Raphael Spreitzer
abc2dfbcc3 RT2400: ASN1_STRING_to_UTF8 missing initializer
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176)
2014-08-27 22:59:52 -04:00
Rich Salz
23ea9f6f03 RT2308: Add extern "C" { ... } wrapper
Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 089f10e69e)
2014-08-27 21:47:12 -04:00
Emilia Kasper
3e5df37861 Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
2014-08-27 19:50:36 +02:00
Matt Caswell
4e5f9f8a9a RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)

Conflicts:
	doc/crypto/EC_KEY_new.pod
2014-08-27 19:50:36 +02:00
Adam Langley
9446ecfb3a RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
2014-08-27 19:50:36 +02:00
Mihai Militaru
48ecdec7a0 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c544)
2014-08-27 13:27:06 -04:00
David Gatwood
8f5f782253 RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2014-08-26 13:40:45 -04:00
Jan Schaumann
228a77a4ad RT1804: fix EXAMPLE in EVP_EncryptInit.pod
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-25 10:26:57 -04:00
Matt Caswell
03b17a5789 Typo fixes to evp documentation.
This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b95)
2014-08-24 21:26:40 +01:00
Adam Langley
391f3b5708 RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82f)
2014-08-22 15:53:14 +02:00
Adam Langley
fe9b9a880f RT3061: Don't SEGFAULT when trying to export a public DSA key as a private key.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e19c93811f)
2014-08-22 15:25:18 +02:00
Emilia Kasper
9f96ea4c2b Improve EVP_PKEY_sign documentation
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a20)
2014-08-22 15:06:09 +02:00
Emilia Kasper
41a765182f define inline for Visual Studio
In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a73)
2014-08-21 16:07:55 +02:00
Emilia Kasper
bcdd904c6c Fix build when BSAES_ASM is defined but VPAES_ASM is not
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68)
2014-08-21 15:48:23 +02:00
Adam Langley
a90b1e32d2 Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.

(cherry picked from commit 7753a3a684)

Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-19 17:09:27 +02:00
Matt Caswell
0ed8e95c4b Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Conflicts:
	ssl/s3_clnt.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:29:28 +01:00
Bodo Moeller
6b5b85f4f6 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org
2014-08-13 17:44:53 +02:00
Dr. Stephen Henson
03ebf85f77 Fix SRP ciphersuites.
Add patch missed from backport of SRP ciphersuite fix.
PR#3490
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-12 20:42:27 +01:00
Dr. Stephen Henson
30fbe92c78 Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)

Conflicts:

	ssl/s3_clnt.c
	ssl/s3_lib.c
2014-08-09 00:13:27 +01:00
Dr. Stephen Henson
1241e77f15 Test SRP authentication ciphersuites.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 193c1c07165b0042abd217274a084b49459d4443)
2014-08-09 00:10:26 +01:00
Dr. Stephen Henson
1433cac53c Only use FIPS EC methods in FIPS mode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-07 01:08:14 +01:00
Matt Caswell
204fb36a0e Prepare for 1.0.1j-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:19:10 +01:00
Matt Caswell
2b45603445 Prepare for 1.0.1i release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Matt Caswell
d70c0be4c1 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Dr. Stephen Henson
9b649d9a73 update NEWS
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
abbd58559e update CHANGES
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
d15d17bb64 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
966fe81f9b Fix SRP buffer overrun vulnerability.
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
83764a989d Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Gabor Tyukasz
86788e1ee6 Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Kasper
03b04ddac1 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Käsper
88ae012c80 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
David Benjamin
fc4f4cdb8b Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:27:51 +01:00