Commit graph

10738 commits

Author SHA1 Message Date
Dr. Stephen Henson
30fbe92c78 Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)

Conflicts:

	ssl/s3_clnt.c
	ssl/s3_lib.c
2014-08-09 00:13:27 +01:00
Dr. Stephen Henson
1241e77f15 Test SRP authentication ciphersuites.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 193c1c07165b0042abd217274a084b49459d4443)
2014-08-09 00:10:26 +01:00
Dr. Stephen Henson
1433cac53c Only use FIPS EC methods in FIPS mode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-07 01:08:14 +01:00
Matt Caswell
204fb36a0e Prepare for 1.0.1j-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:19:10 +01:00
Matt Caswell
2b45603445 Prepare for 1.0.1i release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Matt Caswell
d70c0be4c1 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Dr. Stephen Henson
9b649d9a73 update NEWS
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
abbd58559e update CHANGES
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
d15d17bb64 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
966fe81f9b Fix SRP buffer overrun vulnerability.
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
83764a989d Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Gabor Tyukasz
86788e1ee6 Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Kasper
03b04ddac1 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Käsper
88ae012c80 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
David Benjamin
fc4f4cdb8b Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
4e0fbdc4ec Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
0c37aed3f3 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
099ccdb808 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
9871417fb7 Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
fc7804ec39 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
e7b9d9be48 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
2172d4f63c Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
c34091d47e make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01 21:23:49 +01:00
Dr. Stephen Henson
a9f4ebd753 Fix error discrepancy.
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
(cherry picked from commit 8068a675a7d1a657c54546f24e673e59e6707f03)
2014-08-01 18:42:40 +01:00
Bodo Moeller
604c9948a8 Update $default_depflags to match current defaults. 2014-08-01 19:07:57 +02:00
Bodo Moeller
281720c2a3 Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
2014-08-01 17:50:26 +02:00
Dr. Stephen Henson
2a9023f7b4 Avoid multiple lock using FIPS DRBG.
Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode.

PR#3176
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3efe1b6e9)
2014-07-30 21:09:20 +01:00
Dr. Stephen Henson
36e8c39899 Add conditional unit testing interface.
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit e0fc7961c4)

Conflicts:

	ssl/Makefile
	util/mkdef.pl
2014-07-24 19:43:25 +01:00
Billy Brumley
e3f009c595 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:28:40 +01:00
Tim Hudson
fbe3baa773 Remove old unused and unmaintained demonstration code.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 62352b8138)
2014-07-22 07:26:35 +10:00
Tim Hudson
690998f904 Minor documentation update removing "really" and a
statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6)
2014-07-21 20:24:47 +10:00
Dr. Stephen Henson
3221da845f Fix documentation for RSA_set_method(3)
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
2014-07-19 18:26:12 +01:00
Jeffrey Walton
9aeb410419 Fix typo, add reference.
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf)
2014-07-17 12:08:52 +01:00
Matt Caswell
bf4519cde5 Disabled XTS mode in enc utility as it is not supported
PR#3442

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2097a17c57)
2014-07-16 21:05:10 +01:00
Matt Caswell
e967b94356 Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd548192a)
2014-07-15 23:24:26 +01:00
Dr. Stephen Henson
2316286c0e Clarify -Verify and PSK.
PR#3452
(cherry picked from commit ca2015a617)
2014-07-15 20:23:35 +01:00
Dr. Stephen Henson
67bde7d465 Fix DTLS certificate requesting code.
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc5f)
2014-07-15 18:23:44 +01:00
Dr. Stephen Henson
cd63f94d4d Don't allow -www etc options with DTLS.
The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)
2014-07-15 12:25:39 +01:00
Dr. Stephen Henson
2054eb771e Add ECC extensions with DTLS.
PR#3449
2014-07-15 12:20:30 +01:00
Dr. Stephen Henson
ea0ceb11a0 Use case insensitive compare for servername.
PR#3445
(cherry picked from commit 1c3e9a7c67)
2014-07-15 00:00:03 +01:00
Hubert Kario
00579b98c4 document -nextprotoneg option in man pages
Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444
(cherry picked from commit 7efd0e777e)

Conflicts:

	doc/apps/s_server.pod
2014-07-14 23:43:58 +01:00
Dr. Stephen Henson
ee5a8d3e31 Use more common name for GOST key exchange.
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)
2014-07-14 18:31:54 +01:00
Matt Caswell
72370164c3 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:23:10 +01:00
Peter Mosmans
704422ce1e Add names of GOST algorithms.
PR#3440
(cherry picked from commit 924e5eda2c)
2014-07-13 18:31:36 +01:00
Richard Levitte
8e8d7e1b26 * crypto/ui/ui_lib.c: misplaced brace in switch statement.
Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd34091)
2014-07-13 19:15:30 +02:00
Ben Laurie
3ed6327571 Don't clean up uninitialised EVP_CIPHER_CTX on error (CID 483259).
(cherry picked from commit c1d1b0114e)
2014-07-10 17:52:37 +01:00
Matt Caswell
efd4f1dfd3 Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53be)
2014-07-09 23:34:35 +01:00
David Lloyd
00032b0ba1 Prevent infinite loop loading config files.
PR#2985
(cherry picked from commit 9d23f422a3)
2014-07-07 13:50:00 +01:00
Dr. Stephen Henson
a07f514fc0 Usage for -hack and -prexit -verify_return_error
(cherry picked from commit ee724df75d)
2014-07-06 22:48:57 +01:00
Dr. Stephen Henson
b197c770a6 Document certificate status request options.
(cherry picked from commit cba3f1c739)

Conflicts:

	doc/apps/s_client.pod
	doc/apps/s_server.pod
2014-07-06 22:48:52 +01:00