wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
8714 commits 20 branches 302 tags 153 MiB
Commit graph

4273 commits

Author SHA1 Message Date
Dr. Stephen Henson
61e6e80fe5 Set default global mask to UTF8 only. 
(cherry picked from commit 3009244da4)
 2014-06-01 15:04:49 +01:00
Dr. Stephen Henson
105e52bf23 Set version number correctly. 
PR#3249
(cherry picked from commit 8909bf20269035d295743fca559207ef2eb84eb3)
 2014-05-29 14:12:11 +01:00
František Bořánek
492a5010a4 Fix memory leak. 
PR#3278
(cherry picked from commit de56fe797081fc09ebd1add06d6e2df42a324fd5)
 2014-05-29 14:12:11 +01:00
Dr. Stephen Henson
8323996d99 Fix for PKCS12_create if no-rc2 specified. 
Use triple DES for certificate encryption if no-rc2 is
specified.

PR#3357
(cherry picked from commit 03b5b78c09)
 2014-05-21 11:30:34 +01:00
Dr. Stephen Henson
70ddf8ecca Return an error if no recipient type matches. 
If the key type does not match any CMS recipient type return
an error instead of using a random key (MMA mitigation). This
does not leak any useful information to an attacker.

PR#3348
(cherry picked from commit 83a3182e0560f76548f4378325393461f6275493)
 2014-05-08 13:18:49 +01:00
Geoff Thorpe
9febee0272 evp: prevent underflow in base64 decoding 
This patch resolves RT ticket #2608.

Thanks to Robert Dugal for originally spotting this, and to David
Ramos for noticing that the ball had been dropped.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
 2014-05-06 18:23:54 -04:00
Geoff Thorpe
a721216f0f bignum: allow concurrent BN_MONT_CTX_set_locked() 
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
noted by Daniel Sands and co at Sandia. This was to handle the case that
2 or more threads race to lazy-init the same context, but stunted all
scalability in the case where 2 or more threads are doing unrelated
things! We favour the latter case by punishing the former. The init work
gets done by each thread that finds the context to be uninitialised, and
we then lock the "set" logic after that work is done - the winning
thread's work gets used, the losing threads throw away what they've done.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
 2014-05-06 18:23:49 -04:00
Dr. Stephen Henson
47f689ac09 Initialize num properly. 
PR#3289
PR#3345
(cherry picked from commit 3ba1e406c2)
 2014-05-06 14:09:26 +01:00
Dr. Stephen Henson
f51f374199 Set Enveloped data version to 2 if ktri version not zero. 
(cherry picked from commit 9c5d953a07)
 2014-05-06 14:05:05 +01:00
Eric Young
9ad5c5e4f9 Fix base64 decoding bug. 
A short PEM encoded sequence if passed to the BIO, and the file
had 2 \n following would fail.

PR#3289
(cherry picked from commit 10378fb5f4)
 2014-04-02 19:58:25 +01:00
mancha
fff69a7d8c Fix for CVE-2014-0076 backported to 0.9.8 branch 
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.

Thanks for mancha for backporting the fix to OpenSSL 0.9.8 branch.
 2014-03-27 00:55:08 +00:00
mancha
a375025e4d Fix alert handling. 
Fix OpenSSL 0.9.8 alert handling.

PR#3038
 2014-03-27 00:54:16 +00:00
Dr. Stephen Henson
d471adf351 Remove duplicate statement. 
(cherry picked from commit 5a7652c3e5)
 2014-02-15 01:31:34 +00:00
Dr. Stephen Henson
b70e4d3e90 Fixes for no-static-engine and Windows builds. 2013-11-21 15:49:34 +00:00
Bodo Moeller
ff7b021040 Fix overly lenient comparisons: 
- EC_GROUP_cmp shouldn't consider curves equal just because
      the curve name is the same. (They really *should* be the same
      in this case, but there's an EC_GROUP_set_curve_name API,
      which could be misused.)

    - EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
      or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
      equality (not an error).

    Reported by: king cope

(cherry picked from commit ca567a03ad)

Conflicts:
	Configure
 2013-09-17 10:20:04 +02:00
Dr. Stephen Henson
1cbd7456aa Print out DSA key if parameters absent. 
In DSA_print DSA parameters can be absent (e.g inherited) it is
not a fatal error.
 2013-04-07 22:50:55 +01:00
Andy Polyakov
01de6e21cc x86cpuid.pl: make it work with older CPU. 
PR: 3005, from master
 2013-03-18 20:03:44 +01:00
Dr. Stephen Henson
1643edc63c Encode INTEGER correctly. 
If an ASN1_INTEGER structure is allocated but not explicitly set encode
it as zero: don't generate an invalid zero length INTEGER.
 2013-03-18 14:19:40 +00:00
Dr. Stephen Henson
7ecd974f5f Set next version. 
Note: it was decided that after 0.9.8y it should be 0.9.8za then
0.9.8zb etc.
 2013-02-10 13:30:04 +00:00
Dr. Stephen Henson
8964efc413 prepare for release 2013-02-05 16:50:37 +00:00
Andy Polyakov
1213e6c3c2 bn_word.c: fix overflow bug in BN_add_word. 
(cherry picked from commit 134c00659a)
 2013-02-05 16:50:36 +00:00
Dr. Stephen Henson
24b2806097 Move CRYPTO_memcmp to o_init.c when compiling with fips: cryptlib.o 
is in the fips module for fips capable builds.
 2013-02-05 16:50:34 +00:00
Ben Laurie
2928cb4c82 Fixups. 2013-02-05 16:50:33 +00:00
Ben Laurie
35a65e814b Make CBC decoding constant time. 
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)

Conflicts:
	crypto/evp/c_allc.c
	ssl/ssl_algs.c
	ssl/ssl_locl.h
	ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)

Conflicts:
	ssl/d1_enc.c
	ssl/s3_enc.c
	ssl/s3_pkt.c
	ssl/ssl3.h
	ssl/ssl_algs.c
	ssl/t1_enc.c
 2013-02-05 16:50:32 +00:00
Ben Laurie
2708813166 Add and use a constant-time memcmp. 
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a)

Conflicts:
	crypto/crypto.h
	ssl/t1_lib.c
(cherry picked from commit dc406b59f3169fe191e58906df08dce97edb727c)

Conflicts:
	crypto/crypto.h
	ssl/d1_pkt.c
	ssl/s3_pkt.c
 2013-02-05 16:50:32 +00:00
Dr. Stephen Henson
66e8211c0b Don't try and verify signatures if key is NULL (CVE-2013-0166) 
Add additional check to catch this in ASN1_item_verify too.
 2013-02-05 16:50:31 +00:00
Dr. Stephen Henson
dd2dee60f3 Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set 2013-01-23 01:16:59 +00:00
Dr. Stephen Henson
6495179af6 Don't include comp.h if no-comp set. 2013-01-20 01:16:25 +00:00
Dr. Stephen Henson
42e10c3fd6 PR: 2803 
Submitted by: jean-etienne.schwartz@bull.net

In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.
 2012-11-29 19:16:01 +00:00
Bodo Möller
75f0bc4f44 Fix EC_KEY initialization race. 
Submitted by: Adam Langley
 2012-10-05 20:51:47 +00:00
Bodo Möller
f7d2402cab Fix Valgrind warning. 
Submitted by: Adam Langley
 2012-09-24 19:50:07 +00:00
Richard Levitte
afa0580cd5 Remove duplicate symbol in crypto/symhacks.h 
Have the new names start in column 48, that makes it easy to see when
the 31 character limit is reached (on a 80 column display, do the math)
 2012-07-05 09:06:20 +00:00
Dr. Stephen Henson
4baee3031c PR: 2813 
Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>

Fix possible deadlock when decoding public keys.
 2012-05-11 13:49:15 +00:00
Dr. Stephen Henson
db7a72b224 prepare for next version 2012-05-10 16:01:11 +00:00
Dr. Stephen Henson
f856173c43 prepare for 0.9.8x release 2012-05-10 14:36:07 +00:00
Dr. Stephen Henson
3978429ad5 Reported by: Solar Designer of Openwall 
Make sure tkeylen is initialised properly when encrypting CMS messages.
 2012-05-10 13:27:57 +00:00
Dr. Stephen Henson
e22e770147 prepare for next version 2012-04-23 21:15:22 +00:00
Dr. Stephen Henson
6dde222aae prepare form 0.9.8w release 2012-04-23 20:45:29 +00:00
Dr. Stephen Henson
8d038a08fb The fix for CVE-2012-2110 did not take into account that the 
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter.

Thanks to the many people who reported this bug and to Tomas Hoger
<thoger@redhat.com> for supplying the fix.
 2012-04-23 20:35:55 +00:00
Dr. Stephen Henson
747c6ffda4 correct error code 2012-04-22 13:31:46 +00:00
Dr. Stephen Henson
eb7112c18e prepare for next version 2012-04-19 17:03:28 +00:00
Dr. Stephen Henson
8ab27e6ef7 prepare for 0.9.8v release 2012-04-19 11:39:03 +00:00
Dr. Stephen Henson
556e27b14f Check for potentially exploitable overflows in asn1_d2i_read_bio 
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
 2012-04-19 11:36:09 +00:00
Dr. Stephen Henson
e351e2a7cf prepare for next version 2012-03-12 16:35:13 +00:00
Dr. Stephen Henson
215276243d corrected fix to PR#2711 and also cover mime_param_cmp 2012-03-12 15:25:53 +00:00
Dr. Stephen Henson
2fad41d155 prepare for release 2012-03-12 14:53:14 +00:00
Dr. Stephen Henson
4f2fc3c2dd Fix for CMS/PKCS7 MMA. If RSA decryption fails use a random key and 
continue with symmetric decryption process to avoid leaking timing
information to an attacker.

Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
 2012-03-12 14:51:45 +00:00
Dr. Stephen Henson
25d5d15fd5 check return value of BIO_write in PKCS7_decrypt 2012-03-08 14:01:44 +00:00
Dr. Stephen Henson
725713f74a PR: 2755 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions. [0.9.8 version of patch]
 2012-03-07 15:14:16 +00:00
Dr. Stephen Henson
73eb0972cf return failure code if I/O error 2012-03-06 19:08:30 +00:00
Dr. Stephen Henson
6720779c7e revert PR#2755: it breaks compilation 2012-03-06 18:25:33 +00:00
Dr. Stephen Henson
b2a2c6af2a PR: 2755 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions.
 2012-03-06 13:45:47 +00:00
Dr. Stephen Henson
272993bac4 PR: 2696 Submitted by: Rob Austein <sra@hactrn.net> 
Fix inverted range problem in RFC3779 code.

Thanks to Andrew Chi for generating test cases for this bug.

[from HEAD]
 2012-03-06 13:37:52 +00:00
Dr. Stephen Henson
58532ae047 oops, revert unrelated patches 2012-03-06 13:22:32 +00:00
Dr. Stephen Henson
4e7f6d380d PR: 2748 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix possible DTLS timer deadlock.
 2012-03-06 13:20:20 +00:00
Dr. Stephen Henson
f0be325f88 Fix memory leak cause by race condition when creating public keys. 
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for reporting this bug.
 2012-02-28 14:47:36 +00:00
Dr. Stephen Henson
b66af23aa9 free headers after use in error message 2012-02-27 16:26:32 +00:00
Dr. Stephen Henson
29d0c13e97 Detect symmetric crypto errors in PKCS7_decrypt. 
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for reporting this bug.
 2012-02-27 15:23:20 +00:00
Dr. Stephen Henson
8a4e81a269 PR: 2711 
Submitted by: Tomas Mraz <tmraz@redhat.com>

Tolerate bad MIME headers in parser.
 2012-02-23 21:50:13 +00:00
Dr. Stephen Henson
a72ce94213 prepare for next version 2012-01-18 14:27:13 +00:00
Dr. Stephen Henson
3309f8313c prepare for release 2012-01-18 13:14:49 +00:00
Dr. Stephen Henson
875ac0ec00 fix warning 2012-01-10 14:37:00 +00:00
Dr. Stephen Henson
244788464a update for next version 2012-01-04 23:56:13 +00:00
Dr. Stephen Henson
b3cebd5acf prepare for 0.9.8s release 2012-01-04 19:20:49 +00:00
Dr. Stephen Henson
1db0bbdc76 Fix double free in policy check code (CVE-2011-4109) 2012-01-04 19:00:28 +00:00
Dr. Stephen Henson
0e3a930fb4 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 18:44:20 +00:00
Andy Polyakov
2ee77d36a0 x86-mont.pl: fix bug in integer-only squaring path [from HEAD]. 
PR: 2648
 2011-12-09 14:28:48 +00:00
Bodo Möller
72033fde7b Fix ecdsatest.c. 
Submitted by: Emilia Kasper
 2011-12-02 12:40:25 +00:00
Bodo Möller
9adf3fcf9a Fix BIO_f_buffer(). 
Submitted by: Adam Langley
Reviewed by: Bodo Moeller
 2011-12-02 12:23:57 +00:00
Andy Polyakov
65f7456652 ppc.pl: fix bug in bn_mul_comba4 [from HEAD]. 
PR: 2636
Submitted by: Charles Bryant
 2011-11-05 10:17:06 +00:00
Dr. Stephen Henson
f8731bc2fd PR: 2632 
Submitted by: emmanuel.azencot@bull.net
Reviewed by: steve

Return -1 immediately if not affine coordinates as BN_CTX has not been
set up.
 2011-10-26 16:42:48 +00:00
Bodo Möller
195d6bf760 BN_BLINDING multi-threading fix. 
Submitted by: Emilia Kasper (Google)
 2011-10-19 14:57:59 +00:00
Dr. Stephen Henson
6d50bce79f PR: 2482 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
 2011-10-09 00:56:18 +00:00
Dr. Stephen Henson
85e776885b PR: 2606 
Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve

Handle timezones correctly in UTCTime.
 2011-09-23 13:40:06 +00:00
Bodo Möller
1c7c69a8a5 Fix memory leak on bad inputs. 2011-09-05 09:56:48 +00:00
Bodo Möller
24ad061037 Move OPENSSL_init declaration out of auto-generated code section 
(it is not auto-generated).
 2011-09-05 09:52:58 +00:00
Dr. Stephen Henson
92f96fa721 PR: 2576 
Submitted by: Doug Goldstein <cardoe@gentoo.org>
Reviewed by: steve

Include header file stdlib.h which is needed on some platforms to get
getenv() declaration.
 2011-09-02 11:20:49 +00:00
Dr. Stephen Henson
0d1e362363 PR: 2340 
Submitted by: "Mauro H. Leggieri" <mxmauro@caiman.com.ar>
Reviewed by: steve

Stop warnings if OPENSSL_NO_DGRAM is defined.
 2011-09-01 15:03:10 +00:00
Dr. Stephen Henson
a0bf2c86ab make timing attack protection unconditional 2011-09-01 14:23:41 +00:00
Dr. Stephen Henson
24d0524f31 PR: 2588 
Submitted by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed by: steve

Close file pointer.
 2011-09-01 13:48:48 +00:00
Dr. Stephen Henson
46a1f2487e PR: 2559 
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS socket error bug
 2011-07-20 15:20:19 +00:00
Dr. Stephen Henson
82a5049f6a PR: 2556 (partial) 
Reported by: Daniel Marschall <daniel-marschall@viathinksoft.de>
Reviewed by: steve

Fix OID routines.

Check on encoding leading zero rejection should start at beginning of
encoding.

Allow for initial digit when testing when to use BIGNUMs which can increase
first value by 2 * 40.
 2011-07-14 12:01:08 +00:00
Andy Polyakov
d027b75b73 perlasm/cbc.pl: fix tail processing bug [from HEAD]. 
PR: 2557
 2011-07-13 06:25:15 +00:00
Dr. Stephen Henson
87d14a3625 PR: 2470 
Submitted by: Corinna Vinschen <vinschen@redhat.com>
Reviewed by: steve

Don't call ERR_remove_state from DllMain.
 2011-06-22 15:39:19 +00:00
Dr. Stephen Henson
22152d6885 PR: 2540 
Submitted by: emmanuel.azencot@bull.net
Reviewed by: steve

Prevent infinite loop in BN_GF2m_mod_inv().
 2011-06-22 15:23:20 +00:00
Dr. Stephen Henson
102bcbce8d correctly encode OIDs near 2^32 2011-06-22 15:15:20 +00:00
Andy Polyakov
8655de423d rc4_skey.c [0.9.8]: at some point rc4_skey and x86[_64]cpuid were modified 
to examine bit#20 on x86[_64], but it was erroneously reverted to bit#28
in 2008 in process of FIPS integration.
 2011-06-06 19:58:21 +00:00
Dr. Stephen Henson
bc7ee385f5 Fix the ECDSA timing attack mentioned in the paper at: 
http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
 2011-05-25 14:52:54 +00:00
Dr. Stephen Henson
1e368ab08f Fix the ECDSA timing attack mentioned in the paper at: 
http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
 2011-05-25 14:43:47 +00:00
Dr. Stephen Henson
6d12b1f82b check buffer is larger enough before overwriting 2011-04-06 18:07:12 +00:00
Bodo Möller
d430f56de6 start 0.9.8s-dev 2011-02-08 17:58:34 +00:00
Bodo Möller
957ebe98fb OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d) 
Submitted by: Neel Mehta, Adam Langley, Bodo Moeller
 2011-02-08 17:10:47 +00:00
Bodo Möller
9d09fc8485 Assorted bugfixes: 
- RLE decompression boundary case
- SSL 2.0 key arg length check

Submitted by: Google (Neel Mehta, Bodo Moeller)
 2011-02-03 12:04:48 +00:00
Dr. Stephen Henson
a3dc628d86 PR: 2433 
Submitted by: Chris Wilson <chris@qwirx.com>
Reviewed by: steve

Constify ASN1_STRING_set_default_mask_asc().
 2011-01-24 16:21:00 +00:00
Dr. Stephen Henson
3c159fc1a5 check EC public key isn't point at infinity 2011-01-24 15:08:12 +00:00
Dr. Stephen Henson
6056afd223 PR: 1612 
Submitted by: Robert Jackson <robert@rjsweb.net>
Reviewed by: steve

Fix EC_POINT_cmp function for case where b but not a is the point at infinity.
 2011-01-24 14:42:11 +00:00
Dr. Stephen Henson
f4a4a0fdc7 PR: 2411 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Fix corner cases in RFC3779 code.
 2011-01-03 01:40:22 +00:00
Dr. Stephen Henson
9ad765173f Fix escaping code for string printing. If *any* escaping is enabled we 
must escape the escape character itself (backslash).
 2011-01-03 01:26:33 +00:00
Dr. Stephen Henson
c8e3c1a9b5 PR: 2410 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Use OPENSSL_assert() instead of assert().
 2011-01-03 01:20:03 +00:00
Dr. Stephen Henson
ae378b769a use fips-dev not dev-fips 2011-01-03 00:43:47 +00:00