Commit graph

10713 commits

Author SHA1 Message Date
Emilia Kasper
e517dfd3d1 Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
2014-09-02 15:24:59 +02:00
Andy Polyakov
74687f5979 md5-x86_64.pl: work around warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d86e8df6b)
2014-08-30 19:19:01 +02:00
Rich Salz
8dc6617ad5 Add tags/TAGS
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 9d6253cfd3)
2014-08-30 10:09:30 -04:00
Rich Salz
c2119214c2 RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6aa9dbab0f)
2014-08-30 10:06:07 -04:00
James Westby
22387f00b6 RT1941: c_rehash.pod is missing
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b3)
2014-08-30 09:51:56 -04:00
Rich Salz
4d16915381 RT2379: Bug in BIO_set_accept_port.pod
The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae)
2014-08-29 16:46:28 -04:00
Emilia Kasper
e7169a5835 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 9a9b0c0401)

Conflicts:
	test/Makefile
2014-08-28 17:07:07 +02:00
Raphael Spreitzer
abc2dfbcc3 RT2400: ASN1_STRING_to_UTF8 missing initializer
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176)
2014-08-27 22:59:52 -04:00
Rich Salz
23ea9f6f03 RT2308: Add extern "C" { ... } wrapper
Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 089f10e69e)
2014-08-27 21:47:12 -04:00
Emilia Kasper
3e5df37861 Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
2014-08-27 19:50:36 +02:00
Matt Caswell
4e5f9f8a9a RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)

Conflicts:
	doc/crypto/EC_KEY_new.pod
2014-08-27 19:50:36 +02:00
Adam Langley
9446ecfb3a RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
2014-08-27 19:50:36 +02:00
Mihai Militaru
48ecdec7a0 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c544)
2014-08-27 13:27:06 -04:00
David Gatwood
8f5f782253 RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2014-08-26 13:40:45 -04:00
Jan Schaumann
228a77a4ad RT1804: fix EXAMPLE in EVP_EncryptInit.pod
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-25 10:26:57 -04:00
Matt Caswell
03b17a5789 Typo fixes to evp documentation.
This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b95)
2014-08-24 21:26:40 +01:00
Adam Langley
391f3b5708 RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82f)
2014-08-22 15:53:14 +02:00
Adam Langley
fe9b9a880f RT3061: Don't SEGFAULT when trying to export a public DSA key as a private key.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e19c93811f)
2014-08-22 15:25:18 +02:00
Emilia Kasper
9f96ea4c2b Improve EVP_PKEY_sign documentation
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a20)
2014-08-22 15:06:09 +02:00
Emilia Kasper
41a765182f define inline for Visual Studio
In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a73)
2014-08-21 16:07:55 +02:00
Emilia Kasper
bcdd904c6c Fix build when BSAES_ASM is defined but VPAES_ASM is not
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68)
2014-08-21 15:48:23 +02:00
Adam Langley
a90b1e32d2 Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.

(cherry picked from commit 7753a3a684)

Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-19 17:09:27 +02:00
Matt Caswell
0ed8e95c4b Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Conflicts:
	ssl/s3_clnt.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:29:28 +01:00
Bodo Moeller
6b5b85f4f6 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org
2014-08-13 17:44:53 +02:00
Dr. Stephen Henson
03ebf85f77 Fix SRP ciphersuites.
Add patch missed from backport of SRP ciphersuite fix.
PR#3490
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-12 20:42:27 +01:00
Dr. Stephen Henson
30fbe92c78 Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)

Conflicts:

	ssl/s3_clnt.c
	ssl/s3_lib.c
2014-08-09 00:13:27 +01:00
Dr. Stephen Henson
1241e77f15 Test SRP authentication ciphersuites.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 193c1c07165b0042abd217274a084b49459d4443)
2014-08-09 00:10:26 +01:00
Dr. Stephen Henson
1433cac53c Only use FIPS EC methods in FIPS mode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-07 01:08:14 +01:00
Matt Caswell
204fb36a0e Prepare for 1.0.1j-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:19:10 +01:00
Matt Caswell
2b45603445 Prepare for 1.0.1i release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Matt Caswell
d70c0be4c1 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Dr. Stephen Henson
9b649d9a73 update NEWS
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
abbd58559e update CHANGES
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
d15d17bb64 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
966fe81f9b Fix SRP buffer overrun vulnerability.
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
83764a989d Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Gabor Tyukasz
86788e1ee6 Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Kasper
03b04ddac1 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Käsper
88ae012c80 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
David Benjamin
fc4f4cdb8b Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
4e0fbdc4ec Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
0c37aed3f3 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
099ccdb808 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
9871417fb7 Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
fc7804ec39 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
e7b9d9be48 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
2172d4f63c Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
c34091d47e make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01 21:23:49 +01:00
Dr. Stephen Henson
a9f4ebd753 Fix error discrepancy.
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
(cherry picked from commit 8068a675a7d1a657c54546f24e673e59e6707f03)
2014-08-01 18:42:40 +01:00
Bodo Moeller
604c9948a8 Update $default_depflags to match current defaults. 2014-08-01 19:07:57 +02:00