Commit graph

11323 commits

Author SHA1 Message Date
Dr. Stephen Henson
d23de0bbf9 Leak fixes.
Fix error path leaks in a2i_ASN1_STRING(), a2i_ASN1_INTEGER() and
a2i_ASN1_ENUMERATED().

Thanks to Shi Lei for reporting these issues.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e1be1dce77)
2016-08-05 18:06:56 +01:00
Kurt Roeckx
3c39313f7b Return error when trying to print invalid ASN1 integer
GH: #1322

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 32baafb2f6)
2016-08-04 22:23:22 +01:00
Dr. Stephen Henson
a199e0c39a Limit recursion depth in old d2i_ASN1_bytes function
Thanks to Shi Lei for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 81f69e5b69)
2016-08-04 22:12:59 +01:00
Dr. Stephen Henson
6592de7c8c Check for overflows in i2d_ASN1_SET()
Thanks to Shi Lei for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit af601b8319)
2016-08-04 17:43:57 +01:00
Dr. Stephen Henson
5db2a579b7 Calculate sequence length properly.
Use correct length in old ASN.1 indefinite length sequence decoder
(only used by SSL_SESSION).

This bug was discovered by Hanno Böck using libfuzzer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 436dead2e2)
2016-08-03 02:36:08 +01:00
Dr. Stephen Henson
c648bdcc4c include <limits.h>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 134ab5139a)
2016-08-03 00:10:26 +01:00
Dr. Stephen Henson
7149c709a2 Check for overflows in ASN1_object_size().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e9f17097e9)
2016-08-02 20:55:06 +01:00
Dr. Stephen Henson
e3db6f1c43 Check for overlows and error return from ASN1_object_size()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 56f9953c84)
2016-08-02 20:55:06 +01:00
Dr. Stephen Henson
6adf409c74 Fix OOB read in TS_OBJ_print_bio().
TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.

CVE-2016-2180

Thanks to Shi Lei for reporting this bug.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0ed26acce3)
2016-07-22 15:17:38 +01:00
Matt Caswell
beaa2c03e7 Convert memset calls to OPENSSL_cleanse
Ensure things really do get cleared when we intend them to.

Addresses an OCAP Audit issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cb5ebf9613)
2016-06-30 15:56:16 +01:00
Richard Levitte
08327bfb26 Allow proxy certs to be present when verifying a chain
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6ad8c48291)
2016-06-30 01:01:38 +02:00
Richard Levitte
f7c95287b6 Fix proxy certificate pathlength verification
While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly.  This corresponds to
RFC 3820, 4.1.4 (a).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 30aeb31281)
2016-06-30 01:00:26 +02:00
Richard Levitte
26576cf9ce Check that the subject name in a proxy cert complies to RFC 3820
The subject name MUST be the same as the issuer name, with a single CN
entry added.

RT#1852

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 338fb1688f)
2016-06-30 01:00:19 +02:00
Matt Caswell
05200ee5c6 Change usage of RAND_pseudo_bytes to RAND_bytes
RAND_pseudo_bytes() allows random data to be returned even in low entropy
conditions. Sometimes this is ok. Many times it is not. For the avoidance
of any doubt, replace existing usage of RAND_pseudo_bytes() with
RAND_bytes().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-27 15:02:34 +01:00
Matt Caswell
3681a4558c More fix DSA, preserve BN_FLG_CONSTTIME
The previous "fix" still left "k" exposed to constant time problems in
the later BN_mod_inverse() call. Ensure both k and kq have the
BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.

CVE-2016-2178

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b7d0f2834e)
2016-06-07 15:23:41 +01:00
Cesar Pereida
d168705e11 Fix DSA, preserve BN_FLG_CONSTTIME
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 621eaf49a2)
2016-06-06 11:31:36 +01:00
Matt Caswell
ac29a0fed6 Update CONTRIBUTING
Fix typos and clarify a few things in the CONTRIBUTING file.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 17:12:39 +01:00
Matt Caswell
6f35f6deb5 Avoid some undefined pointer arithmetic
A common idiom in the codebase is:

if (p + len > limit)
{
    return; /* Too long */
}

Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS
message).

The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.

For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit!

Issue reported by Guido Vranken.

CVE-2016-2177

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-01 14:25:03 +01:00
Viktor Dukhovni
3d4f83a5c4 Ensure verify error is set when X509_verify_cert() fails
Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot
continue due to malloc failure.  Similarly for issuer lookup failures
and caller errors (bad parameters or invalid state).

Also, when X509_verify_cert() returns <= 0 make sure that the
verification status does not remain X509_V_OK, as a last resort set
it it to X509_V_ERR_UNSPECIFIED, just in case some code path returns
an error without setting an appropriate value of ctx->error.

Add new and some missing error codes to X509 error -> SSL alert switch.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-26 16:36:49 -04:00
Viktor Dukhovni
aed4d5b7cb Clarify negative return from X509_verify_cert()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-26 16:36:35 -04:00
Matt Caswell
051b9604f1 Fix error return value in SRP functions
The functions SRP_Calc_client_key() and SRP_Calc_server_key() were
incorrectly returning a valid pointer in the event of error.

Issue reported by Yuan Jochen Kang

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 308ff28673)
2016-05-24 00:05:54 +01:00
Matt Caswell
eea595ff6b Check that the obtained public key is valid
In the X509 app check that the obtained public key is valid before we
attempt to use it.

Issue reported by Yuan Jochen Kang.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-19 21:08:27 +01:00
Rich Salz
bdbfb8477e Recommend GH over RT, per team vote.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit c393a5de99)
2016-05-11 16:47:56 -04:00
Dr. Stephen Henson
24762dee17 Update S/MIME certificates.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-11 18:00:52 +01:00
Dr. Stephen Henson
6ec73ea2f5 Only call FIPS_update, FIPS_final in FIPS mode.
RT#3826

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2b4825d0bb)
2016-05-09 02:10:28 +01:00
Dr. Stephen Henson
0377ad3974 Constify PKCS12_newpass()
PR#4449

Reviewed-by: Rich Salz <rsalz@openssl.org>

(cherry picked from commit b1f8ba4dc7)
2016-05-06 21:53:09 +01:00
Dr. Stephen Henson
5255b49fb7 Tidy up PKCS12_newpass() fix memory leaks.
PR#4466

Reviewed-by: Rich Salz <rsalz@openssl.org>

(cherry picked from commit 06227924ad)
2016-05-06 21:52:13 +01:00
Dr. Stephen Henson
4d71891ad1 Only set CMS parameter when encrypting
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 708cf5ded2)
2016-05-06 21:14:19 +01:00
Dr. Stephen Henson
b0e1362a94 Use default ASN.1 for SEED.
The default ASN.1 handling can be used for SEED. This also makes
CMS work with SEED.

PR#4504

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c0aa8c2748)
2016-05-06 00:03:28 +01:00
Dr. Stephen Henson
852034b8b2 Always try to set ASN.1 parameters for CMS.
Try to set the ASN.1 parameters for CMS encryption even if the IV
length is zero as the underlying cipher should still set the type.

This will correctly result in errors if an attempt is made to use
an unsupported cipher type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3fd60dc422)

Conflicts:
	crypto/cms/cms_enc.c
2016-05-05 23:56:17 +01:00
Dr. Stephen Henson
b583c1bd06 Fix name length limit check.
The name length limit check in x509_name_ex_d2i() includes
the containing structure as well as the actual X509_NAME. This will
cause large CRLs to be rejected.

Fix by limiting the length passed to ASN1_item_ex_d2i() which will
then return an error if the passed X509_NAME exceeds the length.

RT#4531

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4e0d184ac1)
2016-05-04 17:41:20 +01:00
Dr. Stephen Henson
28dab7cfba Fix double free in d2i_PrivateKey().
RT#4527

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3340e8bb18)
2016-05-04 13:00:18 +01:00
Dr. Stephen Henson
c3011e3e1d add documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b1b3e14fbe)
2016-05-04 13:00:17 +01:00
Matt Caswell
c33e68971f Prepare for 1.0.1u-dev
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-03 14:50:37 +01:00
Matt Caswell
3d2e575b3f Prepare for 1.0.1t release
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-03 14:49:52 +01:00
Matt Caswell
289cc052d3 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-03 14:49:52 +01:00
Matt Caswell
0e6b8bf4bb Update CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 13:20:26 +01:00
Dr. Stephen Henson
f5da52e308 Fix ASN1_INTEGER handling.
Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
for on the wire encoding.

Thanks to David Benjamin <davidben@google.com> for reporting this bug.

This was found using libFuzzer.

RT#4364 (part)CVE-2016-2108.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-03 13:06:36 +01:00
Kurt Roeckx
4159f31167 Check that we have enough padding characters.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

CVE-2016-2107

MR: #2572
2016-05-03 13:06:36 +01:00
Matt Caswell
e903aaf894 Remove some documentation for functions not in 1.0.x
A few functions in the recently added EVP_EncodeInit docs don't apply to
the 1.0.x branches.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 12:54:06 +01:00
Matt Caswell
fec6d1e868 Add documentation for EVP_EncodeInit() and similar functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 11:54:00 +01:00
Matt Caswell
5d20e98465 Ensure EVP_EncodeUpdate handles an output length that is too long
With the EVP_EncodeUpdate function it is the caller's responsibility to
determine how big the output buffer should be. The function writes the
amount actually used to |*outl|. However this could go negative with a
sufficiently large value for |inl|. We add a check for this error
condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 11:52:53 +01:00
Matt Caswell
5b814481f3 Avoid overflow in EVP_EncodeUpdate
An overflow can occur in the EVP_EncodeUpdate function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption. Due to the very large amounts of data involved this will most
likely result in a crash.

Internally to OpenSSL the EVP_EncodeUpdate function is primarly used by the
PEM_write_bio* family of functions. These are mainly used within the
OpenSSL command line applications, so any application which processes
data from an untrusted source and outputs it as a PEM file should be
considered vulnerable to this issue.

User applications that call these APIs directly with large amounts of
untrusted data may also be vulnerable.

Issue reported by Guido Vranken.

CVE-2016-2105

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 11:52:53 +01:00
Matt Caswell
2919516136 Prevent EBCDIC overread for very long strings
ASN1 Strings that are over 1024 bytes can cause an overread in
applications using the X509_NAME_oneline() function on EBCDIC systems.
This could result in arbitrary stack data being returned in the buffer.

Issue reported by Guido Vranken.

CVE-2016-2176

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-03 10:28:00 +01:00
Matt Caswell
56ea22458f Fix encrypt overflow
An overflow can occur in the EVP_EncryptUpdate function. If an attacker is
able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate with a partial block then a length check can overflow
resulting in a heap corruption.

Following an analysis of all OpenSSL internal usage of the
EVP_EncryptUpdate function all usage is one of two forms.

The first form is like this:
EVP_EncryptInit()
EVP_EncryptUpdate()

i.e. where the EVP_EncryptUpdate() call is known to be the first called
function after an EVP_EncryptInit(), and therefore that specific call
must be safe.

The second form is where the length passed to EVP_EncryptUpdate() can be
seen from the code to be some small value and therefore there is no
possibility of an overflow.

Since all instances are one of these two forms, I believe that there can
be no overflows in internal code due to this problem.

It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate()
in certain code paths. Also EVP_CipherUpdate() is a synonym for
EVP_EncryptUpdate(). Therefore I have checked all instances of these
calls too, and came to the same conclusion, i.e. there are no instances
in internal usage where an overflow could occur.

This could still represent a security issue for end user code that calls
this function directly.

CVE-2016-2106

Issue reported by Guido Vranken.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3f3582139f)
2016-05-03 09:03:16 +01:00
Dr. Stephen Henson
1d29506fe0 Fix i2d_X509_AUX: pp can be NULL.
Reported by David Benjamin

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 05aef4bbdb)
2016-05-02 22:50:19 +01:00
Dr. Stephen Henson
66ce2861c1 Don't free ret->data if malloc fails.
Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 64eaf6c928)
2016-04-29 21:43:12 +01:00
Dr. Stephen Henson
1c81a59503 Add checks to X509_NAME_oneline()
Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.

Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 9b08619cb4)

Conflicts:
	crypto/x509/x509.h
	crypto/x509/x509_err.c
2016-04-29 19:55:56 +01:00
Dr. Stephen Henson
0b34cf8223 Sanity check buffer length.
Reject zero length buffers passed to X509_NAME_onelne().

Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b33d1141b6)
2016-04-29 19:54:06 +01:00
Dr. Stephen Henson
53d6c14bef Add size limit to X509_NAME structure.
This adds an explicit limit to the size of an X509_NAME structure. Some
part of OpenSSL (e.g. TLS) already effectively limit the size due to
restrictions on certificate size.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 295f3a2491)
2016-04-29 19:53:47 +01:00