Commit graph

11263 commits

Author SHA1 Message Date
Matt Caswell
7c17c20a56 Prepare for 1.0.1q-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:29:59 +01:00
Matt Caswell
5ab53da9fb Prepare for 1.0.1p release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:22:23 +01:00
Matt Caswell
245daa2b73 Update CHANGES and NEWS for the new release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 09:32:04 +01:00
Matt Caswell
cb22d2ae5a Fix alt chains bug
This is a follow up to the alternate chains certificate forgery issue
(CVE-2015-1793). That issue is exacerbated in 1.0.1 by a related bug which
means that we *always* check for an alternative chain, even if we have
already found a chain. The code is supposed to stop as soon as it has found
one (and does do in master and 1.0.2).

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:57:36 +01:00
Matt Caswell
b3b1eb5735 Reject calls to X509_verify_cert that have not been reinitialised
The function X509_verify_cert checks the value of |ctx->chain| at the
beginning, and if it is NULL then it initialises it, along with the value
of ctx->untrusted. The normal way to use X509_verify_cert() is to first
call X509_STORE_CTX_init(); then set up various parameters etc; then call
X509_verify_cert(); then check the results; and finally call
X509_STORE_CTX_cleanup(). The initial call to X509_STORE_CTX_init() sets
|ctx->chain| to NULL. The only place in the OpenSSL codebase  where
|ctx->chain| is set to anything other than a non NULL value is in
X509_verify_cert itself. Therefore the only ways that |ctx->chain| could be
non NULL on entry to X509_verify_cert is if one of the following occurs:
1) An application calls X509_verify_cert() twice without re-initialising
in between.
2) An application reaches inside the X509_STORE_CTX structure and changes
the value of |ctx->chain| directly.

With regards to the second of these, we should discount this - it should
not be supported to allow this.

With regards to the first of these, the documentation is not exactly
crystal clear, but the implication is that you must call
X509_STORE_CTX_init() before each call to X509_verify_cert(). If you fail
to do this then, at best, the results would be undefined.

Calling X509_verify_cert() with |ctx->chain| set to a non NULL value is
likely to have unexpected results, and could be dangerous. This commit
changes the behaviour of X509_verify_cert() so that it causes an error if
|ctx->chain| is anything other than NULL (because this indicates that we
have not been initialised properly). It also clarifies the associated
documentation. This is a follow up commit to CVE-2015-1793.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:52:36 +01:00
Matt Caswell
d42d100433 Add test for CVE-2015-1793
This adds a test for CVE-2015-1793. This adds a new test file
verify_extra_test.c, which could form the basis for additional
verification tests.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	test/Makefile
2015-07-07 22:52:31 +01:00
Matt Caswell
9a0db453ba Fix alternate chains certificate forgery issue
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.

This occurs where at least one cert is added to the first chain from the
trust store, but that chain still ends up being untrusted. In that case
ctx->last_untrusted is decremented in error.

Patch provided by the BoringSSL project.

CVE-2015-1793

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:50:04 +01:00
Dr. Stephen Henson
cb6e0ed17a Relax CCM tag check.
In CCM mode don't require a tag before initialising decrypt: this allows
the tag length to be set without requiring the tag.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9cca7be11d)
2015-07-06 18:36:10 +01:00
Dr. Stephen Henson
e5d5019a23 document -2 return value
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5727582cf5)
2015-07-06 18:36:10 +01:00
Dr. Stephen Henson
d6be3124f2 Fix PSK handling.
The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Use BUF_strndup when copying identity as it may not be null terminated.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3c66a669df)
2015-07-02 13:04:25 +01:00
Dr. Stephen Henson
eb0e2a5c5d Check for errors with SRP
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5fced2395d)
2015-06-29 19:21:34 +01:00
Dr. Stephen Henson
0d25eb7800 Don't output bogus errors in PKCS12_parse
PR#3923

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ffbf304d48)
2015-06-25 04:55:56 +01:00
Rich Salz
ae2f46597a RT3907-fix
Typo in local variable name; introduced by previous fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit cc3f3fc2b1)
2015-06-22 20:50:36 -04:00
Rich Salz
9ad2eb6a6e RT3907: avoid "local" in testssl script
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 75ba5c58c6)
2015-06-22 15:50:14 -04:00
Richard Levitte
f4961dc2af Cleanup mttest.c : because we no longer use stdio here, don't include it
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ca96efd24)
2015-06-21 22:13:28 +02:00
Richard Levitte
40ced6c187 Add -ldl to the build of mttest.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d62c98c81c)
2015-06-21 22:13:28 +02:00
Richard Levitte
f1817dd4d0 Cleanup mttest.c : do not try to output reference counts when threads are done
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 964626957f)
2015-06-21 22:13:28 +02:00
Richard Levitte
5891dae67c Cleanup mttest.c : better error reporting when certs are missing
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7a1789d254)
2015-06-21 22:13:28 +02:00
Richard Levitte
1d6d4efea5 Cleanup mttest.c : make ssl_method a pointer to const
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f4c73bfe0a)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
0fee334404 Cleanup mttest.c : more output changes
More fprintf()s and printf()s to turn into BIO calls.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-21 22:13:28 +02:00
Richard Levitte
141f7d263b Cleanup mttest.c : modernise output
Construct bio_err and bio_stdout from file handles instead of FILE
pointers, since the latter might not be implemented (when OPENSSL_NO_STDIO
is defined).
Convert all output to use BIO_printf.
Change lh_foo to lh_SSL_SESSION_foo.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bb8abd6735)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
ae3254a52d Cleanup mttest.c : modernise the threads setup
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5c78e18352)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
9720dd4314 Cleanup mttest.c : remove MS_CALLBACK
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3f9286556)
2015-06-21 22:13:28 +02:00
Rich Salz
83d6620986 RT1688: Add dependencies for parallel make
Backport to 1.0.1 and 1.0.2 to fix RT 3905

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8e6bb99979)
2015-06-21 15:27:30 -04:00
Richard Levitte
347fc5d8cd Make preprocessor error into real preprocessor error
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit b4f0d1a4a8)
2015-06-16 13:14:09 +02:00
Richard Levitte
a5d8c1c291 Remove one extraneous parenthesis
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 30cf91784b)
2015-06-16 13:14:09 +02:00
Matt Caswell
902795b2f1 Prepare for 1.0.1p-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:24:26 +01:00
Matt Caswell
2a8c2799e1 Prepare for 1.0.1o release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:20:59 +01:00
Matt Caswell
2ad310ffde Updated CHANGES and NEWS entries for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:02:04 +01:00
Adam Langley
6cbc78906b Allow a zero length extension block
It is valid for an extension block to be present in a ClientHello, but to
be of zero length.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-12 15:45:17 +01:00
Matt Caswell
fffcf87a55 Fix ABI break with HMAC
Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX.
This backs that change out, and does it a different way.

Thanks to Timo Teras for the concept.

Conflicts:
	crypto/hmac/hmac.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 14:43:23 +01:00
Matt Caswell
3adca975dc Prepare for 1.0.1o-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:08:34 +01:00
Matt Caswell
517899e6c8 Prepare for 1.0.1n release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:05:11 +01:00
Andy Polyakov
f61bbf8da5 bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.
CVE-2015-1788

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4924b37ee0)
2015-06-11 15:02:21 +01:00
Matt Caswell
1f31458a77 Update CHANGES and NEWS
Updates to CHANGES and NEWS to take account of the latest security fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 15:02:21 +01:00
Emilia Kasper
5fbc59cac6 PKCS#7: Fix NULL dereference with missing EncryptedContent.
CVE-2015-1790

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 15:02:21 +01:00
Emilia Kasper
370ac32030 Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-11 15:02:21 +01:00
Dr. Stephen Henson
dd90a91d87 Fix infinite loop in CMS
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.

CVE-2015-1792

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11 15:02:21 +01:00
Richard Levitte
176b59d157 Correction of make depend merge error
$(PROGS) was mistakenly removed, adding it back.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5ef5b9ffa9)
2015-06-11 15:52:29 +02:00
Matt Caswell
907f04a303 More ssl_session_dup fixes
Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.

Thanks to LibreSSL project for reporting these issues.

Conflicts:
	ssl/ssl_sess.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-11 10:08:18 +01:00
Kurt Roeckx
f3b355fec3 Only allow a temporary rsa key exchange when they key is larger than 512.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838

(cherry picked from commit 57e477b9ec)
2015-06-11 00:10:24 +02:00
Kurt Roeckx
c4ce10773f Properly check certificate in case of export ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838

(cherry picked from commit 39a298a1c0)
2015-06-11 00:10:02 +02:00
Matt Caswell
d46de4ce48 DTLS handshake message fragments musn't span packets
It should not be possible for DTLS message fragments to span multiple
packets. However previously if the message header fitted exactly into one
packet, and the fragment body was in the next packet then this would work.
Obviously this would fail if packets get re-ordered mid-flight.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-10 12:12:57 +01:00
Matt Caswell
418df5ea23 Fix leak in HMAC error path
In the event of an error in the HMAC function, leaks can occur because the
HMAC_CTX does not get cleaned up.

Thanks to the BoringSSL project for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e43a13c807)
2015-06-10 11:08:51 +01:00
Matt Caswell
d163a2cc46 EC_POINT_is_on_curve does not return a boolean
The function EC_POINT_is_on_curve does not return a boolean value.
It returns 1 if the point is on the curve, 0 if it is not, and -1
on error. Many usages within OpenSSL were incorrectly using this
function and therefore not correctly handling error conditions.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 68886be7e2)
2015-06-10 10:51:17 +01:00
Matt Caswell
72df35acf2 Tighten extension handling
This adds additional checks to the processing of extensions in a ClientHello
to ensure that either no extensions are present, or if they are then they
take up the exact amount of space expected.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	ssl/t1_lib.c
2015-06-10 10:32:05 +01:00
Matt Caswell
f92b196723 Fix memory leaks in BIO_dup_chain()
This fixes a memory leak that can occur whilst duplicating a BIO chain if
the call to CRYPTO_dup_ex_data() fails. It also fixes a second memory leak
where if a failure occurs after successfully creating the first BIO in the
chain, then the beginning of the new chain was not freed.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	crypto/bio/bio_lib.c
2015-06-10 10:29:31 +01:00
Matt Caswell
e94118ae2a Replace memset with OPENSSL_cleanse()
BUF_MEM_free() attempts to cleanse memory using memset immediately prior
to a free. This is at risk of being optimised away by the compiler, so
replace with a call to OPENSSL_cleanse() instead.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-10 10:29:31 +01:00
Matt Caswell
106a9a5d7e Fix Kerberos issue in ssl_session_dup
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for
Kerberos.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit dcad51bc13)
2015-06-10 10:02:16 +01:00
Richard Levitte
cb972a4fe7 When making libcrypto from apps or test, make sure to include engines
For librypto to be complete, the stuff in both crypto/ and engines/
have to be built.  Doing 'make test' or 'make apps' from a clean
source tree failed to do so.
Corrected by using the new 'build_libcrypto' in the top Makefile.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit acaff3b797)
2015-06-10 02:12:34 +02:00