Commit graph

11283 commits

Author SHA1 Message Date
Guy Leaver (guleaver)
f15c99f4d4 Fix seg fault with 0 p val in SKE
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
value of p set to 0 then a seg fault can occur. This commits adds a test to
reject p, g and pub key parameters that have a 0 value (in accordance with
RFC 5246)

The security vulnerability only affects master and 1.0.2, but the fix is
additionally applied to 1.0.1 for additional confidence.

CVE-2015-1794

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 20:23:00 +01:00
Matt Caswell
507ea77b82 Fix warning when compiling with no-ec2m
EC_KEY_set_public_key_affine_coordinates was using some variables that only
apply if OPENSSL_NO_EC2M is not defined.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 8d11b7c7ee)
2015-08-04 10:52:09 +01:00
Dirk Wetter
556803fc3d GH336: Return an exit code if report fails
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e36ce2d986)
2015-08-01 14:33:21 -04:00
Loganaden Velvindron
1a9a506cfb Clear BN-mont values when free'ing it.
From a CloudFlare patch.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1a586b3942)
2015-07-31 13:38:48 -04:00
Dr. Stephen Henson
5030cc69ff use X9.31 keygen by default in FIPS mode
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d0c9a90640)
2015-07-30 14:35:42 +01:00
Martin Vejnar
721cbae7e6 RT3774: double-free in DSA
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit fa4629b6a2)
2015-07-29 21:21:47 -04:00
Rich Salz
372e74903e Tweak README about rt and bug reporting.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 932af1617e)
2015-07-29 10:39:14 -04:00
Matt Caswell
728432aed0 Fix SSL_set_session_ticket_ext when used with SSLv23_method
The function SSL_set_session_ticket_ext can be used to set custom session
ticket data passed in the initial ClientHello. This can be particularly
useful for EAP-FAST. However, when using SSLv23_method, the session does
not get created until the ServerHello has been received. The extension code
will only add the SessionTicket data to the ClientHello if a session already
exists. Therefore SSL_set_session_ticket_ext has no impact when used in
conjunction with SSLv23_method. The solution is to simply create the session
during creation of the ClientHello instead of waiting for the ServerHello.

This commit fixes the test failure introduced by the previous commit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-27 16:47:00 +01:00
Matt Caswell
8e75dcf587 Add test for SSL_set_session_ticket_ext
The function SSL_set_session_ticket_ext sets the ticket data to be sent in
the ClientHello. This is useful for EAP-FAST. This commit adds a test to
ensure that when this function is called the expected ticket data actually
appears in the ClientHello.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-27 16:14:02 +01:00
mancha
396a2dc071 Fix author credit for e5c0bc6
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-15 06:50:12 -04:00
Rich Salz
001c957676 Revert "Missing perldoc markup around < literal"
This reverts commit e5c0bc6cc4.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-15 06:50:12 -04:00
Ernie Hershey
2507d846e1 GH322: Fix typo in generated comment.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit ad282e638b)
2015-07-15 03:33:26 -04:00
GitHub User
432785095c Missing perldoc markup around < literal
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e5c0bc6cc4)
2015-07-14 01:33:29 -04:00
Richard Levitte
a027bba22a Conversion to UTF-8 where needed
This leaves behind files with names ending with '.iso-8859-1'.  These
should be safe to remove.  If something went wrong when re-encoding,
there will be some files with names ending with '.utf8' left behind.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-14 01:18:57 +02:00
Richard Levitte
13e742a439 Small script to re-encode files that need it to UTF-8
This requires 'iconv' and that 'file' can take the options '-b' and '-i'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f608b4064d)
2015-07-14 01:13:52 +02:00
Richard Levitte
2794dec7b2 Remove extra '; \' in apps/Makefile
Fixes GH#330

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit eeb97bce75)

Conflicts:
	apps/Makefile
2015-07-13 17:15:38 +02:00
Richard Levitte
2035e2db68 Set numeric IDs for tar as well
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit da24e6f8a0)
2015-07-10 20:31:57 +02:00
Richard Levitte
be85620419 Stop using tardy
Instead of piping through tardy, and possibly suffering from bugs in certain
versions, use --transform, --owner and --group directly with GNU tar (we
already expect that tar variant).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27f98436b9)

Conflicts:
	Makefile.org
2015-07-10 17:31:32 +02:00
Peter Waltenberg
b5e972fdd3 Exit on error in ecparam
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 99dcd88035)
2015-07-09 15:43:34 -04:00
Dr. Stephen Henson
a15ba3cca3 Sort @sstacklst correctly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2a7059c56f)
2015-07-09 16:58:07 +01:00
Matt Caswell
7c17c20a56 Prepare for 1.0.1q-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:29:59 +01:00
Matt Caswell
5ab53da9fb Prepare for 1.0.1p release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:22:23 +01:00
Matt Caswell
245daa2b73 Update CHANGES and NEWS for the new release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 09:32:04 +01:00
Matt Caswell
cb22d2ae5a Fix alt chains bug
This is a follow up to the alternate chains certificate forgery issue
(CVE-2015-1793). That issue is exacerbated in 1.0.1 by a related bug which
means that we *always* check for an alternative chain, even if we have
already found a chain. The code is supposed to stop as soon as it has found
one (and does do in master and 1.0.2).

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:57:36 +01:00
Matt Caswell
b3b1eb5735 Reject calls to X509_verify_cert that have not been reinitialised
The function X509_verify_cert checks the value of |ctx->chain| at the
beginning, and if it is NULL then it initialises it, along with the value
of ctx->untrusted. The normal way to use X509_verify_cert() is to first
call X509_STORE_CTX_init(); then set up various parameters etc; then call
X509_verify_cert(); then check the results; and finally call
X509_STORE_CTX_cleanup(). The initial call to X509_STORE_CTX_init() sets
|ctx->chain| to NULL. The only place in the OpenSSL codebase  where
|ctx->chain| is set to anything other than a non NULL value is in
X509_verify_cert itself. Therefore the only ways that |ctx->chain| could be
non NULL on entry to X509_verify_cert is if one of the following occurs:
1) An application calls X509_verify_cert() twice without re-initialising
in between.
2) An application reaches inside the X509_STORE_CTX structure and changes
the value of |ctx->chain| directly.

With regards to the second of these, we should discount this - it should
not be supported to allow this.

With regards to the first of these, the documentation is not exactly
crystal clear, but the implication is that you must call
X509_STORE_CTX_init() before each call to X509_verify_cert(). If you fail
to do this then, at best, the results would be undefined.

Calling X509_verify_cert() with |ctx->chain| set to a non NULL value is
likely to have unexpected results, and could be dangerous. This commit
changes the behaviour of X509_verify_cert() so that it causes an error if
|ctx->chain| is anything other than NULL (because this indicates that we
have not been initialised properly). It also clarifies the associated
documentation. This is a follow up commit to CVE-2015-1793.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:52:36 +01:00
Matt Caswell
d42d100433 Add test for CVE-2015-1793
This adds a test for CVE-2015-1793. This adds a new test file
verify_extra_test.c, which could form the basis for additional
verification tests.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	test/Makefile
2015-07-07 22:52:31 +01:00
Matt Caswell
9a0db453ba Fix alternate chains certificate forgery issue
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.

This occurs where at least one cert is added to the first chain from the
trust store, but that chain still ends up being untrusted. In that case
ctx->last_untrusted is decremented in error.

Patch provided by the BoringSSL project.

CVE-2015-1793

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:50:04 +01:00
Dr. Stephen Henson
cb6e0ed17a Relax CCM tag check.
In CCM mode don't require a tag before initialising decrypt: this allows
the tag length to be set without requiring the tag.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9cca7be11d)
2015-07-06 18:36:10 +01:00
Dr. Stephen Henson
e5d5019a23 document -2 return value
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5727582cf5)
2015-07-06 18:36:10 +01:00
Dr. Stephen Henson
d6be3124f2 Fix PSK handling.
The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Use BUF_strndup when copying identity as it may not be null terminated.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3c66a669df)
2015-07-02 13:04:25 +01:00
Dr. Stephen Henson
eb0e2a5c5d Check for errors with SRP
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5fced2395d)
2015-06-29 19:21:34 +01:00
Dr. Stephen Henson
0d25eb7800 Don't output bogus errors in PKCS12_parse
PR#3923

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ffbf304d48)
2015-06-25 04:55:56 +01:00
Rich Salz
ae2f46597a RT3907-fix
Typo in local variable name; introduced by previous fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit cc3f3fc2b1)
2015-06-22 20:50:36 -04:00
Rich Salz
9ad2eb6a6e RT3907: avoid "local" in testssl script
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 75ba5c58c6)
2015-06-22 15:50:14 -04:00
Richard Levitte
f4961dc2af Cleanup mttest.c : because we no longer use stdio here, don't include it
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ca96efd24)
2015-06-21 22:13:28 +02:00
Richard Levitte
40ced6c187 Add -ldl to the build of mttest.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d62c98c81c)
2015-06-21 22:13:28 +02:00
Richard Levitte
f1817dd4d0 Cleanup mttest.c : do not try to output reference counts when threads are done
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 964626957f)
2015-06-21 22:13:28 +02:00
Richard Levitte
5891dae67c Cleanup mttest.c : better error reporting when certs are missing
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7a1789d254)
2015-06-21 22:13:28 +02:00
Richard Levitte
1d6d4efea5 Cleanup mttest.c : make ssl_method a pointer to const
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f4c73bfe0a)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
0fee334404 Cleanup mttest.c : more output changes
More fprintf()s and printf()s to turn into BIO calls.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-21 22:13:28 +02:00
Richard Levitte
141f7d263b Cleanup mttest.c : modernise output
Construct bio_err and bio_stdout from file handles instead of FILE
pointers, since the latter might not be implemented (when OPENSSL_NO_STDIO
is defined).
Convert all output to use BIO_printf.
Change lh_foo to lh_SSL_SESSION_foo.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bb8abd6735)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
ae3254a52d Cleanup mttest.c : modernise the threads setup
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5c78e18352)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
9720dd4314 Cleanup mttest.c : remove MS_CALLBACK
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3f9286556)
2015-06-21 22:13:28 +02:00
Rich Salz
83d6620986 RT1688: Add dependencies for parallel make
Backport to 1.0.1 and 1.0.2 to fix RT 3905

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8e6bb99979)
2015-06-21 15:27:30 -04:00
Richard Levitte
347fc5d8cd Make preprocessor error into real preprocessor error
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit b4f0d1a4a8)
2015-06-16 13:14:09 +02:00
Richard Levitte
a5d8c1c291 Remove one extraneous parenthesis
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 30cf91784b)
2015-06-16 13:14:09 +02:00
Matt Caswell
902795b2f1 Prepare for 1.0.1p-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:24:26 +01:00
Matt Caswell
2a8c2799e1 Prepare for 1.0.1o release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:20:59 +01:00
Matt Caswell
2ad310ffde Updated CHANGES and NEWS entries for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:02:04 +01:00
Adam Langley
6cbc78906b Allow a zero length extension block
It is valid for an extension block to be present in a ClientHello, but to
be of zero length.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-12 15:45:17 +01:00