Commit graph

10929 commits

Author SHA1 Message Date
Dr. Stephen Henson
bd41063b11 Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b4969a)

Conflicts:
	crypto/asn1/tasn_new.c
2015-04-10 19:53:00 +01:00
Richard Levitte
0186f7bf87 Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe0918)
2015-04-08 21:47:00 +02:00
Richard Levitte
10a612a9e4 Ignore the non-dll windows specific build directories
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 37d92b1b2b)
2015-04-08 18:01:34 +02:00
Emilia Kasper
a20db08e77 Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae50d82700)
2015-04-08 16:42:28 +02:00
John Foley
9da34ad6cb Fix intermittent s_server issues with ECDHE
Resolve a problem when using s_server with ECDHE cipher
suites in OpenSSL_1_0_1-stable.  Due to an uninitialized variable,
SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug
appears to have been introduced by
059907771b.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-04-07 23:37:46 +01:00
Douglas E Engert
a63d3ac012 Ensure EC private keys retain leading zeros
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 30cd4ff294)

Conflicts:
	crypto/ec/ec_asn1.c
2015-03-31 16:41:33 +01:00
Emilia Kasper
8a46e51ed8 Fix uninitialized variable warning
While a true positive, it's almost harmless because EVP_DecryptInit_ex would have to fail and that doesn't happen under normal operation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 15:19:20 +01:00
Matt Caswell
fe9b85c3cb Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 70e5fd8778)
2015-03-25 13:09:31 +00:00
Matt Caswell
42c9c7103c Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
4ebc70cc51 Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
2674af2f79 Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	crypto/hmac/hmac.c
2015-03-25 13:01:04 +00:00
Matt Caswell
bae9b9915a Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
750190567a Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8f8e4e4f52)

Conflicts:
	crypto/evp/e_des3.c
2015-03-25 12:45:17 +00:00
Kurt Roeckx
23a9b24aa1 Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619)
2015-03-24 22:58:30 +01:00
Dr. Stephen Henson
5d74b4b4b3 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da0)
2015-03-24 12:27:36 +00:00
Dr. Stephen Henson
d635f4bb36 Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287)
2015-03-24 12:14:32 +00:00
Mike Frysinger
117476ba30 Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 7c82e339a6)
2015-03-24 11:35:46 +00:00
Matt Caswell
a6a704f448 Prepare for 1.0.1n-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:41:07 +00:00
Matt Caswell
506c106880 Prepare for 1.0.1m release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:38:37 +00:00
Matt Caswell
686d82a7a2 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:38:37 +00:00
Matt Caswell
8ca79fcbf4 Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
a4517be9e3 Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
6e24e1cdd2 Update NEWS file
Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
ffc69bd942 Update CHANGES for release
Update CHANGES fiel with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
82123b5e94 Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Emilia Kasper
cd56a08d4e Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:59:31 +00:00
Emilia Kasper
e2acb69c76 PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
2015-03-19 12:59:31 +00:00
Dr. Stephen Henson
c982285ab6 Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Dr. Stephen Henson
b485d97634 Free up ADB and CHOICE if already initialised.
CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-03-18 11:52:27 +00:00
Matt Caswell
636c42d747 Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf92259)
2015-03-17 14:52:46 +00:00
Matt Caswell
28e4f659c5 Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c597c)
2015-03-17 14:52:46 +00:00
Matt Caswell
6a43243d1d Fix seg fault in s_time
Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit dfef52f6f2)
2015-03-17 13:49:32 +00:00
Matt Caswell
f08731cd82 Add sanity check to PRF
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c6)
2015-03-17 13:49:32 +00:00
Matt Caswell
f4b8760056 Fix memset call in stack.c
The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7132ac830f)
2015-03-17 13:49:31 +00:00
Matt Caswell
d3554bff69 Move malloc fail checks closer to malloc
Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit be1477adc9)
2015-03-17 13:49:31 +00:00
Matt Caswell
3f9117e161 Add malloc failure checks
Add some missing checks for memory allocation failures in ca app.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a561bfe944)
2015-03-17 13:49:31 +00:00
Andy Polyakov
eadc81e7dd Avoid reading an unused byte after the buffer
Other curves don't have this problem.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9fbbdd73c5)
2015-03-14 18:31:54 +01:00
Emilia Kasper
a2fcab9978 Fix undefined behaviour in shifts.
Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.

(For consistency, cast other shifts, too.)

Caught by -fsanitize=shift

Submitted by Nick Lewycky (Google)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8b37e5c14f)
2015-03-13 21:14:56 -07:00
Dr. Stephen Henson
1a09816435 additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3d764db7a2)
2015-03-12 13:45:52 +00:00
Dr. Stephen Henson
0e978b9a5d ASN.1 print fix.
When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 5dc1247a74)
2015-03-12 13:45:52 +00:00
Matt Caswell
f06249f112 Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in c3_cpols.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c5f2b5336a)
2015-03-12 09:33:48 +00:00
Matt Caswell
2407241fb2 Fix dsa_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0c7ca4033d)
2015-03-12 09:33:48 +00:00
Matt Caswell
3942e7d9eb Fix dh_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6aa8dab2bb)

Conflicts:
	crypto/dh/dh_ameth.c
2015-03-12 09:33:46 +00:00
Matt Caswell
2679485e69 Fix asn1_item_print_ctx
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 34a7ed0c39)
2015-03-12 09:32:23 +00:00
Matt Caswell
e6dcb08984 ASN1_primitive_new NULL param handling
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 9e488fd6ab)
2015-03-12 09:32:22 +00:00
Matt Caswell
0c8f422999 Fix EVP_DigestInit_ex with NULL digest
Calling EVP_DigestInit_ex which has already had the digest set up for it
should be possible. You are supposed to be able to pass NULL for the type.
However currently this seg faults.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit a01087027b)
2015-03-12 09:32:22 +00:00
Matt Caswell
cc27bec2b4 Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c5a7b33c6)
2015-03-12 09:32:22 +00:00
Matt Caswell
f5ee521307 Fix seg fault in ASN1_generate_v3/ASN1_generate_nconf
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit ac5a110621)
2015-03-11 11:32:07 +00:00
Matt Caswell
58d8a271ab Cleanse buffers
Cleanse various intermediate buffers used by the PRF (backported version
from master).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 35fafc4dbc)

Conflicts:
	ssl/s3_enc.c
2015-03-11 10:49:22 +00:00
Emilia Kasper
8b7e469d06 Harmonize return values in dtls1_buffer_record
Ensure all malloc failures return -1.

Reported by Adam Langley (Google).

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 06c6a2b4a3)
2015-03-10 13:52:37 -07:00