Commit graph

4273 commits

Author SHA1 Message Date
Dr. Stephen Henson
ec2fede946 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 208a6012be)

Conflicts:
	crypto/dsa/dsa_vrf.c
2015-01-05 16:37:10 +00:00
Dr. Stephen Henson
c22e2dd6e5 Add ASN1_TYPE_cmp and X509_ALGOR_cmp.
(these are needed for certificate fingerprint fixes)
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05 15:34:49 +00:00
Kurt Roeckx
7fae32f6d6 Return error when a bit string indicates an invalid amount of bits left
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 86edf13b1c)
2015-01-05 15:23:42 +00:00
Dr. Stephen Henson
5260f1a483 Reject invalid constructed encodings.
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit f5e4b6b5b5)

Conflicts:
	crypto/asn1/asn1_err.c
2015-01-05 15:22:34 +00:00
Emilia Kasper
1cb10d9c7d Revert "RT3425: constant-time evp_enc"
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.

This reverts commit 1bb01b1b5f.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:57:16 +01:00
Kurt Roeckx
62abc80540 Fix warning about negative unsigned intergers
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-11 15:48:58 +01:00
Andy Polyakov
722fa14271 md32_common.h: address compiler warning in HOST_c2l.
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc7c)
2014-10-29 10:56:27 +01:00
Samuel Neves
a2ca66f37c Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-28 20:57:47 +01:00
Tim Hudson
e369af3600 Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e2e5326e5b)
2014-10-17 14:04:08 +02:00
Richard Levitte
15b7f5bf88 Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8202802fad)

Conflicts:
	crypto/evp/evp_enc.c
2014-10-17 14:03:57 +02:00
Kurt Cancemi
bfb7bf1a28 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955)
2014-10-17 11:48:55 +02:00
Dr. Stephen Henson
f33636faf7 Don't try 1**0 test with FIPS.
The 1**0 test will fail for FIPS capable builds because it uses the
old BIGNUM code in the 1.2 FIPS module which can't be fixed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-16 04:40:50 +01:00
Matt Caswell
94f735cade Prepare for 0.9.8zd-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:49:42 +01:00
Matt Caswell
36216218ca Prepare for 0.9.8zc release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:48:52 +01:00
Bodo Moeller
d286606301 Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:39:17 +02:00
Bodo Moeller
c6a876473c Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:18:29 +02:00
Dr. Stephen Henson
5a7fc89394 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:31:29 +01:00
Emilia Kasper
116fd3732a Add missing tests
Accidentally omitted from commit 455b65dfab

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e)
2014-09-25 13:48:08 +02:00
Emilia Kasper
1bb01b1b5f RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b55ff319f8)

Conflicts:
	crypto/evp/Makefile
	crypto/evp/evp_enc.c
2014-09-24 16:41:55 +02:00
Emilia Kasper
699d78ce98 RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)

Conflicts:
	ssl/Makefile
2014-09-24 16:01:46 +02:00
Emilia Kasper
96e1015eec RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:39:44 +02:00
Adam Langley
45d129511f Ensure that x**0 mod 1 = 0.
(cherry picked from commit 2b0180c37f)

Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-04 16:07:39 +02:00
Richard Levitte
0976adac8f Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0)
2014-09-03 22:26:24 +02:00
Phil Mesnier
db5b0d9309 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576)
2014-09-03 22:26:24 +02:00
Emilia Kasper
aeeedc8acc Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
2014-09-02 15:25:20 +02:00
Matt Caswell
c903866420 Fixed double inclusion of string.h
PR2693

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5d33b70ef5a4768fdfb77a73f9817c4570613039)
2014-08-29 21:40:15 +01:00
Emilia Kasper
9b208659aa Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 73729e4cf3)

Conflicts:
	ssl/Makefile
	test/Makefile
2014-08-28 17:28:42 +02:00
Adam Langley
fee8d86d7a Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.

(cherry picked from commit 7753a3a684)

Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a90b1e32d2)
2014-08-19 17:12:08 +02:00
Bodo Moeller
44a8fced97 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org

Conflicts:
	crypto/ec/ectest.c

Conflicts:
	crypto/ec/ec.h
2014-08-13 18:09:00 +02:00
Matt Caswell
4ff07f4c71 Prepare for 0.9.8zc-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:40 +01:00
Matt Caswell
1c5f396d36 Prepare for 0.9.8zb release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:29:20 +01:00
Emilia Kasper
b9a73f5481 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 22:02:00 +01:00
Dr. Stephen Henson
5021f6314e fix warn_unused_result warnings
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 21:59:15 +01:00
Bodo Moeller
681d11b6fd Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
	crypto/ec/ectest.c
2014-08-01 17:59:31 +02:00
Billy Brumley
8c387e62b2 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:29:35 +01:00
Matt Caswell
02fef91630 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:36:03 +01:00
Richard Levitte
0b8cd5acd6 * crypto/ui/ui_lib.c: misplaced brace in switch statement.
Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd34091)
2014-07-13 19:17:21 +02:00
Matt Caswell
97f4e235a1 Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53be)
2014-07-09 23:38:23 +01:00
David Lloyd
cfd2aeeb7c Prevent infinite loop loading config files.
PR#2985
(cherry picked from commit 9d23f422a3)
2014-07-07 13:51:07 +01:00
Alan Hryngle
7faa66433f Return smaller of ret and f.
PR#3418.
(cherry picked from commit fdea4fff8f)
2014-07-05 22:39:16 +01:00
Dr. Stephen Henson
00e86a74bd ASN1 sanity check.
Primitive encodings shouldn't use indefinite length constructed
form.

PR#2438 (partial).
(cherry picked from commit 398e99fe5e)
2014-07-02 01:01:55 +01:00
Andreas Westfeld
4b98488eb0 Fix typo in ideatest.c
(cherry picked from commit d1d4382dcb)
2014-06-28 00:07:02 +01:00
Tom Greenslade
326de18955 Handle IPv6 addresses in OCSP_parse_url.
PR#2783
(cherry picked from commit b36f35cda9)
2014-06-27 17:31:55 +01:00
Dr. Stephen Henson
9fb10cfe6b Memory leak and NULL dereference fixes.
PR#3403
(cherry picked from commit d2aea03829)

Conflicts:

	apps/crl2p7.c
	crypto/asn1/a_utctm.c
	crypto/asn1/ameth_lib.c
	crypto/asn1/bio_asn1.c
2014-06-27 15:33:18 +01:00
Dr. Stephen Henson
a20a6366c8 Remove ancient obsolete files under pkcs7.
(cherry picked from commit 7be6b27aaf)
2014-06-27 14:04:35 +01:00
Huzaifa Sidhpurwala
54985b5061 Make sure BN_sqr can never return a negative value.
PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
2014-06-26 23:52:18 +01:00
Dr. Stephen Henson
0345354fe0 Fix null pointer errors.
PR#3394
(cherry picked from commit 7a9d59c148)
2014-06-10 14:48:19 +01:00
Dr. Stephen Henson
0a9b8dd1b4 Fix 0.9.8 FIPS capable OpenSSL build.
The object file bn_lib.o is excluded from FIPS builds which causes
a linker error for BN_consttime_swap. So move definition from bn_lib.c
to bn_gf2m.c

This change is *only* needed for OpenSSL 0.9.8 which uses the 1.2
FIPS module.
2014-06-06 12:31:13 +01:00
Dr. Stephen Henson
4a1190beca Prepare for 0.9.8zb-dev 2014-06-05 10:40:11 +01:00
Dr. Stephen Henson
047ec5d196 Prepare for 0.9.8za release 2014-06-05 10:38:57 +01:00