Commit graph

4245 commits

Author SHA1 Message Date
Bodo Moeller
44a8fced97 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org

Conflicts:
	crypto/ec/ectest.c

Conflicts:
	crypto/ec/ec.h
2014-08-13 18:09:00 +02:00
Matt Caswell
4ff07f4c71 Prepare for 0.9.8zc-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:40 +01:00
Matt Caswell
1c5f396d36 Prepare for 0.9.8zb release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:20 +01:00
Emilia Kasper
b9a73f5481 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 22:02:00 +01:00
Dr. Stephen Henson
5021f6314e fix warn_unused_result warnings
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 21:59:15 +01:00
Bodo Moeller
681d11b6fd Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
	crypto/ec/ectest.c
2014-08-01 17:59:31 +02:00
Billy Brumley
8c387e62b2 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:29:35 +01:00
Matt Caswell
02fef91630 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:36:03 +01:00
Richard Levitte
0b8cd5acd6 * crypto/ui/ui_lib.c: misplaced brace in switch statement.
Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd34091)
2014-07-13 19:17:21 +02:00
Matt Caswell
97f4e235a1 Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53be)
2014-07-09 23:38:23 +01:00
David Lloyd
cfd2aeeb7c Prevent infinite loop loading config files.
PR#2985
(cherry picked from commit 9d23f422a3)
2014-07-07 13:51:07 +01:00
Alan Hryngle
7faa66433f Return smaller of ret and f.
PR#3418.
(cherry picked from commit fdea4fff8f)
2014-07-05 22:39:16 +01:00
Dr. Stephen Henson
00e86a74bd ASN1 sanity check.
Primitive encodings shouldn't use indefinite length constructed
form.

PR#2438 (partial).
(cherry picked from commit 398e99fe5e)
2014-07-02 01:01:55 +01:00
Andreas Westfeld
4b98488eb0 Fix typo in ideatest.c
(cherry picked from commit d1d4382dcb)
2014-06-28 00:07:02 +01:00
Tom Greenslade
326de18955 Handle IPv6 addresses in OCSP_parse_url.
PR#2783
(cherry picked from commit b36f35cda9)
2014-06-27 17:31:55 +01:00
Dr. Stephen Henson
9fb10cfe6b Memory leak and NULL dereference fixes.
PR#3403
(cherry picked from commit d2aea03829)

Conflicts:

	apps/crl2p7.c
	crypto/asn1/a_utctm.c
	crypto/asn1/ameth_lib.c
	crypto/asn1/bio_asn1.c
2014-06-27 15:33:18 +01:00
Dr. Stephen Henson
a20a6366c8 Remove ancient obsolete files under pkcs7.
(cherry picked from commit 7be6b27aaf)
2014-06-27 14:04:35 +01:00
Huzaifa Sidhpurwala
54985b5061 Make sure BN_sqr can never return a negative value.
PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
2014-06-26 23:52:18 +01:00
Dr. Stephen Henson
0345354fe0 Fix null pointer errors.
PR#3394
(cherry picked from commit 7a9d59c148)
2014-06-10 14:48:19 +01:00
Dr. Stephen Henson
0a9b8dd1b4 Fix 0.9.8 FIPS capable OpenSSL build.
The object file bn_lib.o is excluded from FIPS builds which causes
a linker error for BN_consttime_swap. So move definition from bn_lib.c
to bn_gf2m.c

This change is *only* needed for OpenSSL 0.9.8 which uses the 1.2
FIPS module.
2014-06-06 12:31:13 +01:00
Dr. Stephen Henson
4a1190beca Prepare for 0.9.8zb-dev 2014-06-05 10:40:11 +01:00
Dr. Stephen Henson
047ec5d196 Prepare for 0.9.8za release 2014-06-05 10:38:57 +01:00
Dr. Stephen Henson
61e6e80fe5 Set default global mask to UTF8 only.
(cherry picked from commit 3009244da4)
2014-06-01 15:04:49 +01:00
Dr. Stephen Henson
105e52bf23 Set version number correctly.
PR#3249
(cherry picked from commit 8909bf20269035d295743fca559207ef2eb84eb3)
2014-05-29 14:12:11 +01:00
František Bořánek
492a5010a4 Fix memory leak.
PR#3278
(cherry picked from commit de56fe797081fc09ebd1add06d6e2df42a324fd5)
2014-05-29 14:12:11 +01:00
Dr. Stephen Henson
8323996d99 Fix for PKCS12_create if no-rc2 specified.
Use triple DES for certificate encryption if no-rc2 is
specified.

PR#3357
(cherry picked from commit 03b5b78c09)
2014-05-21 11:30:34 +01:00
Dr. Stephen Henson
70ddf8ecca Return an error if no recipient type matches.
If the key type does not match any CMS recipient type return
an error instead of using a random key (MMA mitigation). This
does not leak any useful information to an attacker.

PR#3348
(cherry picked from commit 83a3182e0560f76548f4378325393461f6275493)
2014-05-08 13:18:49 +01:00
Geoff Thorpe
9febee0272 evp: prevent underflow in base64 decoding
This patch resolves RT ticket #2608.

Thanks to Robert Dugal for originally spotting this, and to David
Ramos for noticing that the ball had been dropped.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-06 18:23:54 -04:00
Geoff Thorpe
a721216f0f bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
noted by Daniel Sands and co at Sandia. This was to handle the case that
2 or more threads race to lazy-init the same context, but stunted all
scalability in the case where 2 or more threads are doing unrelated
things! We favour the latter case by punishing the former. The init work
gets done by each thread that finds the context to be uninitialised, and
we then lock the "set" logic after that work is done - the winning
thread's work gets used, the losing threads throw away what they've done.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-06 18:23:49 -04:00
Dr. Stephen Henson
47f689ac09 Initialize num properly.
PR#3289
PR#3345
(cherry picked from commit 3ba1e406c2)
2014-05-06 14:09:26 +01:00
Dr. Stephen Henson
f51f374199 Set Enveloped data version to 2 if ktri version not zero.
(cherry picked from commit 9c5d953a07)
2014-05-06 14:05:05 +01:00
Eric Young
9ad5c5e4f9 Fix base64 decoding bug.
A short PEM encoded sequence if passed to the BIO, and the file
had 2 \n following would fail.

PR#3289
(cherry picked from commit 10378fb5f4)
2014-04-02 19:58:25 +01:00
mancha
fff69a7d8c Fix for CVE-2014-0076 backported to 0.9.8 branch
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.

Thanks for mancha for backporting the fix to OpenSSL 0.9.8 branch.
2014-03-27 00:55:08 +00:00
mancha
a375025e4d Fix alert handling.
Fix OpenSSL 0.9.8 alert handling.

PR#3038
2014-03-27 00:54:16 +00:00
Dr. Stephen Henson
d471adf351 Remove duplicate statement.
(cherry picked from commit 5a7652c3e5)
2014-02-15 01:31:34 +00:00
Dr. Stephen Henson
b70e4d3e90 Fixes for no-static-engine and Windows builds. 2013-11-21 15:49:34 +00:00
Bodo Moeller
ff7b021040 Fix overly lenient comparisons:
- EC_GROUP_cmp shouldn't consider curves equal just because
      the curve name is the same. (They really *should* be the same
      in this case, but there's an EC_GROUP_set_curve_name API,
      which could be misused.)

    - EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
      or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
      equality (not an error).

    Reported by: king cope

(cherry picked from commit ca567a03ad)

Conflicts:
	Configure
2013-09-17 10:20:04 +02:00
Dr. Stephen Henson
1cbd7456aa Print out DSA key if parameters absent.
In DSA_print DSA parameters can be absent (e.g inherited) it is
not a fatal error.
2013-04-07 22:50:55 +01:00
Andy Polyakov
01de6e21cc x86cpuid.pl: make it work with older CPU.
PR: 3005, from master
2013-03-18 20:03:44 +01:00
Dr. Stephen Henson
1643edc63c Encode INTEGER correctly.
If an ASN1_INTEGER structure is allocated but not explicitly set encode
it as zero: don't generate an invalid zero length INTEGER.
2013-03-18 14:19:40 +00:00
Dr. Stephen Henson
7ecd974f5f Set next version.
Note: it was decided that after 0.9.8y it should be 0.9.8za then
0.9.8zb etc.
2013-02-10 13:30:04 +00:00
Dr. Stephen Henson
8964efc413 prepare for release 2013-02-05 16:50:37 +00:00
Andy Polyakov
1213e6c3c2 bn_word.c: fix overflow bug in BN_add_word.
(cherry picked from commit 134c00659a)
2013-02-05 16:50:36 +00:00
Dr. Stephen Henson
24b2806097 Move CRYPTO_memcmp to o_init.c when compiling with fips: cryptlib.o
is in the fips module for fips capable builds.
2013-02-05 16:50:34 +00:00
Ben Laurie
2928cb4c82 Fixups. 2013-02-05 16:50:33 +00:00
Ben Laurie
35a65e814b Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)

Conflicts:
	crypto/evp/c_allc.c
	ssl/ssl_algs.c
	ssl/ssl_locl.h
	ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)

Conflicts:
	ssl/d1_enc.c
	ssl/s3_enc.c
	ssl/s3_pkt.c
	ssl/ssl3.h
	ssl/ssl_algs.c
	ssl/t1_enc.c
2013-02-05 16:50:32 +00:00
Ben Laurie
2708813166 Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a)

Conflicts:
	crypto/crypto.h
	ssl/t1_lib.c
(cherry picked from commit dc406b59f3169fe191e58906df08dce97edb727c)

Conflicts:
	crypto/crypto.h
	ssl/d1_pkt.c
	ssl/s3_pkt.c
2013-02-05 16:50:32 +00:00
Dr. Stephen Henson
66e8211c0b Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
2013-02-05 16:50:31 +00:00
Dr. Stephen Henson
dd2dee60f3 Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set 2013-01-23 01:16:59 +00:00
Dr. Stephen Henson
6495179af6 Don't include comp.h if no-comp set. 2013-01-20 01:16:25 +00:00