Commit graph

8854 commits

Author SHA1 Message Date
Richard Levitte
e979e4715f _BSD_SOURCE is deprecated, use _DEFAULT_SOURCE instead
The feature_test_macros(7) manual tells us that _BSD_SOURCE is
deprecated since glibc 2.20 and that the compiler will warn about it
being used, unless _DEFAULT_SOURCE is defined as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f9fd35248c)
2015-12-02 18:50:01 +01:00
Dr. Stephen Henson
2c02faeecd Fix uninitialised p error.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 63eb10a07e)
2015-11-24 16:56:02 +00:00
Dr. Stephen Henson
a8731c0cb8 Limit depth of ASN1 parse printing.
Thanks to Guido Vranken <guidovranken@gmail.com> for reporting this issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 158e5207a7)

Conflicts:
	crypto/asn1/asn1_par.c
2015-11-24 15:31:05 +00:00
Dr. Stephen Henson
31172717e8 Typo.
PR#4079

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c69ce93513)

Conflicts:
	crypto/evp/e_des3.c
2015-10-11 00:39:27 +01:00
Dr. Stephen Henson
cc21b51add Don't try and parse boolean type.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e58c4d3cdd)
2015-10-06 15:18:05 +01:00
Rich Salz
89133ba26a Change --debug to -d for compat with old releases.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1d4ddb4e1a)
2015-09-25 11:43:08 -04:00
Richard Levitte
1d587fdd1e OpenSSL 0.9.8 doesn't have support for mingw64
Remove that option from travis

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 12:21:19 +02:00
Rich Salz
68d53e4f30 Remove stricts-warnings on 0.9.8 travis.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-22 17:21:49 -04:00
Rich Salz
ba6d3a6299 GH398: Add mingw cross-compile, etc.
For all release branches.  It adds travis build support. If you don't
have a config file it uses the default (because we enabled travis for the
project), which uses ruby/rake/rakefiles, and you get confusing "build
still failing" messages.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit db9defdfe3)
2015-09-22 13:47:56 -04:00
Matt Caswell
5e7d583bab Make sure OPENSSL_cleanse checks for NULL
In master we have the function OPENSSL_clear_free(x,y), which immediately
returns if x == NULL. In <=1.0.2 this function does not exist so we have to
do:
OPENSSL_cleanse(x, y);
OPENSSL_free(x);

However, previously, OPENSSL_cleanse did not check that if x == NULL, so
the real equivalent check would have to be:
if (x != NULL)
    OPENSSL_cleanse(x, y);
OPENSSL_free(x);

It would be easy to get this wrong during cherry-picking to other branches
and therefore, for safety, it is best to just ensure OPENSSL_cleanse also
checks for NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 020d8fc83f)
2015-09-17 22:37:21 +01:00
Matt Caswell
27bc0555aa Fix building with OPENSSL_NO_TLSEXT.
Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the
issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code
consistency. However this commit will not fix no-tlsext in those branches
which have always been broken for other reasons. The commit is not applied
to master at all, because no-tlsext has been completely removed from that
branch.

Based on a patch by Marc Branchaud <marcnarc@xiplink.com>

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9a931208d7)

Conflicts:
	ssl/ssl_sess.c
2015-09-02 00:16:30 +01:00
Richard Levitte
1cbe0ff569 Ignore .dir-locals.el
Because we recently encourage people to have a .dir-locals.el, it's a good
idea to ignore it on a git level.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d7c02691a5)
2015-09-01 01:19:58 +02:00
Richard Levitte
0d6ebdf486 Remove auto-fill-mode
Apparently, emacs sees changes to auto-fill-mode as insecure

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6dc08048d9)
2015-08-31 18:21:07 +02:00
Richard Levitte
92d0e6aa94 Add an example .dir-locals.el
This file, when copied to .dir-locals.el in the OpenSSL source top,
will make sure that the CC mode style "OpenSSL-II" will be used for
all C files.

Additionally, I makes sure that tabs are never used as indentation
character, regardless of the emacs mode, and that the fill column is
78.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0927f0d822)
2015-08-31 18:21:06 +02:00
Richard Levitte
1333891830 Add emacs CC mode style for OpenSSL
This hopefully conforms closely enough to the current code style.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d9b3554b2d)
2015-08-31 18:21:06 +02:00
Rich Salz
ab69c5a379 Move FAQ to the web.
Best hope of keeping current.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4f46473a86)
2015-08-16 19:04:54 -04:00
Rich Salz
a95168889f Tweak README about rt and bug reporting.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 932af1617e)
2015-07-29 10:40:43 -04:00
Richard Levitte
1ac4693c38 Set numeric IDs for tar as well
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit da24e6f8a0)
2015-07-10 20:32:01 +02:00
Richard Levitte
0ede4e2e46 Stop using tardy
Instead of piping through tardy, and possibly suffering from bugs in certain
versions, use --transform, --owner and --group directly with GNU tar (we
already expect that tar variant).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27f98436b9)

Conflicts:
	Makefile.org
2015-07-10 17:33:20 +02:00
Dr. Stephen Henson
9b914c7f91 document -2 return value
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5727582cf5)

Conflicts:
	doc/crypto/X509_NAME_get_index_by_NID.pod
2015-07-06 18:42:33 +01:00
Matt Caswell
2c9dfa18aa Prepare for 0.9.8zh-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:23:16 +01:00
Matt Caswell
0823ddc56e Prepare for 0.9.8zg release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:20:22 +01:00
Matt Caswell
ad6567965d Update CHANGES and NEWS
Updates to CHANGES and NEWS to take account of the latest security fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 13:07:49 +01:00
Emilia Kasper
582f1f41d4 PKCS#7: Fix NULL dereference with missing EncryptedContent.
CVE-2015-1790

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 13:07:49 +01:00
Emilia Kasper
fa57f74a39 Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-11 13:07:49 +01:00
Dr. Stephen Henson
92f9a8bf38 Fix infinite loop in CMS
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.

CVE-2015-1792

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11 13:07:42 +01:00
Matt Caswell
39bcfb129e More ssl_session_dup fixes
Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.

Thanks to LibreSSL project for reporting these issues.

Conflicts:
	ssl/ssl_sess.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-11 10:18:32 +01:00
Matt Caswell
50d3049930 EC_POINT_is_on_curve does not return a boolean
The function EC_POINT_is_on_curve does not return a boolean value.
It returns 1 if the point is on the curve, 0 if it is not, and -1
on error. Many usages within OpenSSL were incorrectly using this
function and therefore not correctly handling error conditions.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 68886be7e2)

Conflicts:
	crypto/ec/ec2_oct.c
	crypto/ec/ecp_oct.c
	crypto/ec/ectest.c
2015-06-10 10:59:20 +01:00
Matt Caswell
8b4fd12b0d Fix Kerberos issue in ssl_session_dup
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for
Kerberos.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit dcad51bc13)
2015-06-10 10:05:17 +01:00
Dr. Stephen Henson
17689e7dc6 return correct NID for undefined object
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0fb9990480)
2015-06-08 21:47:41 +01:00
Matt Caswell
f803a417f7 Clean Kerberos pre-master secret
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4e3dbe37ca)
2015-06-04 12:46:35 +01:00
Matt Caswell
9759ff0cd9 Fix off-by-one error in BN_bn2hex
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
for this and can allocate a buffer one byte too short in the event of -0
being used, leading to a one byte buffer overrun. All usage within the
OpenSSL library is considered safe. Any security risk is considered
negligible.

With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
Filip Palian for discovering and reporting this issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c56353071d)

Conflicts:
	crypto/bn/bn_print.c
2015-06-04 09:33:01 +01:00
Richard Levitte
f9603f2673 Add the macro OPENSSL_SYS_WIN64
This is for consistency.
Additionally, have its presence define OPENSSL_SYS_WINDOWS as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3f131556d6)

Conflicts:
	e_os2.h
2015-06-02 18:07:55 +02:00
Matt Caswell
467daf6b6e Fix race condition in NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

CVE-2015-1791

This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.

Parts of this patch were inspired by this Akamai change:
c0bf69a791

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27c76b9b80)

Conflicts:
	ssl/ssl.h
	ssl/ssl_err.c
2015-06-02 12:51:37 +01:00
Matt Caswell
113d36a3fb Clear state in DTLSv1_listen
This is a backport of commit e83ee04bb7 from
the master branch (and this has also been applied to 1.0.2). In 1.0.2 this
was CVE-2015-0207. For other branches there is no known security issue, but
this is being backported as a precautionary measure.

The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit cce3e4adb7)
2015-06-02 09:17:21 +01:00
Dr. Stephen Henson
f16093d2d6 check for error when creating PKCS#8 structure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2849707fa6)
2015-05-28 18:03:04 +01:00
Dr. Stephen Henson
aeff907218 PEM doc fixes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f097f81c89)
2015-05-28 18:03:03 +01:00
Matt Caswell
f3b555a601 Fix off-by-one in BN_rand
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-22 23:48:52 +01:00
Matt Caswell
c0de854c9d Reject negative shifts for BN_rshift and BN_lshift
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 7cc18d8158)

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
2015-05-22 23:25:22 +01:00
Rich Salz
155ca14ea9 Add NULL checks from master
The big "don't check for NULL" cleanup requires backporting some
of the lowest-level functions to actually do nothing if NULL is
given.  This will make it easier to backport fixes to release
branches, where master assumes those lower-level functions are "safe"

This commit addresses those tickets: 3798 3799 3801.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit f34b095fab)
(cherry picked from commit 690d040b2e)
2015-05-13 12:56:38 -04:00
Dr. Stephen Henson
303845a3b5 Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d37)
2015-04-18 14:45:38 +01:00
Viktor Dukhovni
1a38987de0 Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
2015-04-16 13:54:47 -04:00
Matt Caswell
5d28381ae4 Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1c9)

Conflicts:
	ssl/ssl_sess.c
2015-04-14 15:02:44 +01:00
Matt Caswell
eeda966123 Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
2015-04-14 14:53:58 +01:00
Dr. Stephen Henson
c5b0f5c463 Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b4969a)

Conflicts:
	crypto/asn1/tasn_new.c
2015-04-10 19:54:13 +01:00
Richard Levitte
32fbe9149e Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe0918)

Conflicts:
	util/mkerr.pl
2015-04-08 21:56:03 +02:00
Dr. Stephen Henson
246b35a96e Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287)
2015-03-24 12:15:17 +00:00
Matt Caswell
79cc5417a4 Prepare for 0.9.8zg-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:50:06 +00:00
Matt Caswell
db8334be06 Prepare for 0.9.8zf release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:47:27 +00:00
Matt Caswell
fcc5e899aa make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:47:27 +00:00