oweals/openssl.git
9 years agomake X509_NAME opaque
Dr. Stephen Henson [Mon, 16 Mar 2015 17:43:17 +0000 (17:43 +0000)]
make X509_NAME opaque

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix bug in s_client. Previously default verify locations would only be loaded
Matt Caswell [Wed, 25 Feb 2015 11:30:43 +0000 (11:30 +0000)]
Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix HMAC to pass invalid key len test
Matt Caswell [Tue, 10 Feb 2015 13:15:25 +0000 (13:15 +0000)]
Fix HMAC to pass invalid key len test

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoAdd HMAC test for invalid key len
Matt Caswell [Tue, 10 Feb 2015 13:15:05 +0000 (13:15 +0000)]
Add HMAC test for invalid key len

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoEnsure that both the MD and key have been initialised before attempting to
Matt Caswell [Tue, 10 Feb 2015 11:39:52 +0000 (11:39 +0000)]
Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoAdd more HMAC tests
Matt Caswell [Tue, 10 Feb 2015 12:38:04 +0000 (12:38 +0000)]
Add more HMAC tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG was disabled in 0.9.8q and 1.0.0c.
Matt Caswell [Thu, 5 Feb 2015 16:04:58 +0000 (16:04 +0000)]
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG was disabled in 0.9.8q and 1.0.0c.
This commit sets the value of SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG to
zero.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoDeprecate RAND_pseudo_bytes
Matt Caswell [Thu, 26 Feb 2015 13:52:30 +0000 (13:52 +0000)]
Deprecate RAND_pseudo_bytes

The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:

if(RAND_pseudo_bytes(...) <= 1)
goto err;

In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.

This form is also seen:
if(!RAND_pseudo_bytes(...))
goto err;

This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.

Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.

If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.

Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoRAND_bytes updates
Matt Caswell [Thu, 26 Feb 2015 11:57:37 +0000 (11:57 +0000)]
RAND_bytes updates

Ensure RAND_bytes return value is checked correctly, and that we no longer
use RAND_pseudo_bytes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix return checks in GOST engine
Matt Caswell [Fri, 13 Mar 2015 16:48:01 +0000 (16:48 +0000)]
Fix return checks in GOST engine

Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix misc NULL derefs in sureware engine
Matt Caswell [Fri, 13 Mar 2015 15:04:54 +0000 (15:04 +0000)]
Fix misc NULL derefs in sureware engine

Fix miscellaneous NULL pointer derefs in the sureware engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoAdd ticket length before buffering DTLS message
Matt Caswell [Thu, 5 Feb 2015 13:59:16 +0000 (13:59 +0000)]
Add ticket length before buffering DTLS message

In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoEnsure last_write_sequence is saved in DTLS1.2
Matt Caswell [Thu, 5 Feb 2015 13:54:37 +0000 (13:54 +0000)]
Ensure last_write_sequence is saved in DTLS1.2

In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agofree NULL cleanup
Rich Salz [Tue, 24 Mar 2015 14:17:37 +0000 (10:17 -0400)]
free NULL cleanup

Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets DH_free, DSA_free, RSA_free

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoupdate ordinals
Dr. Stephen Henson [Tue, 24 Mar 2015 18:58:51 +0000 (18:58 +0000)]
update ordinals

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoUpdate ordinals
Richard Levitte [Tue, 24 Mar 2015 14:11:29 +0000 (15:11 +0100)]
Update ordinals

Thanks to the change of mkdef.pl, a few more deprecated functions were
properly defined in util/libeay.num.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoTeach mkdef.pl to handle multiline declarations.
Richard Levitte [Tue, 24 Mar 2015 14:02:51 +0000 (15:02 +0100)]
Teach mkdef.pl to handle multiline declarations.

For the moment, this is specially crafted for DECLARE_DEPRECATED because
that's where we found the problem, but it can easily be expanded to other
types of special delarations when needed.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoFix verify algorithm.
Dr. Stephen Henson [Tue, 24 Mar 2015 16:21:21 +0000 (16:21 +0000)]
Fix verify algorithm.

Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agomake ASN1_OBJECT opaque
Dr. Stephen Henson [Sun, 15 Mar 2015 16:26:04 +0000 (16:26 +0000)]
make ASN1_OBJECT opaque

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoConfiguration file examples.
Dr. Stephen Henson [Fri, 13 Mar 2015 14:16:32 +0000 (14:16 +0000)]
Configuration file examples.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoMake OCSP response verification more flexible.
Dr. Stephen Henson [Sun, 22 Mar 2015 17:34:56 +0000 (17:34 +0000)]
Make OCSP response verification more flexible.

If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agomake depend
Dr. Stephen Henson [Tue, 24 Mar 2015 12:05:05 +0000 (12:05 +0000)]
make depend

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoMove some EVP internals to evp_int.h
Dr. Stephen Henson [Mon, 23 Mar 2015 22:57:47 +0000 (22:57 +0000)]
Move some EVP internals to evp_int.h

Move EVP internals to evp_int.h, remove -Ievp hack from crypto/Makefile

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoMove some ASN.1 internals to asn1_int.h
Dr. Stephen Henson [Mon, 23 Mar 2015 18:42:42 +0000 (18:42 +0000)]
Move some ASN.1 internals to asn1_int.h

Move ASN.1 internals used across multiple directories into new internal
header file asn1_int.h remove crypto/Makefile hack which allowed other
directories to include "asn1_locl.h"

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agofree NULL cleanup
Rich Salz [Tue, 24 Mar 2015 11:52:24 +0000 (07:52 -0400)]
free NULL cleanup

Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets ASN1_OBJECT_free and ASN1_STRING_free.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoFix malloc define typo
Mike Frysinger [Sat, 21 Mar 2015 09:08:41 +0000 (05:08 -0400)]
Fix malloc define typo

Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoUse OPENSSL_malloc rather than malloc/calloc
Richard Levitte [Tue, 24 Mar 2015 11:16:31 +0000 (12:16 +0100)]
Use OPENSSL_malloc rather than malloc/calloc

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoFix eng_cryptodev to not depend on BN internals.
Richard Levitte [Tue, 24 Mar 2015 07:38:22 +0000 (08:38 +0100)]
Fix eng_cryptodev to not depend on BN internals.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoAdjust include path
Richard Levitte [Tue, 24 Mar 2015 10:59:01 +0000 (11:59 +0100)]
Adjust include path

Thanks to a -I.., the path does work, at least on unix.  However, this
doesn't work so well on VMS.  Correcting the path to not rely on given
-I does work on both.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoJPAKE Makefile missing 'files' target
Richard Levitte [Tue, 24 Mar 2015 10:57:14 +0000 (11:57 +0100)]
JPAKE Makefile missing 'files' target

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoRemove old style ASN.1 support.
Dr. Stephen Henson [Mon, 9 Feb 2015 14:54:48 +0000 (14:54 +0000)]
Remove old style ASN.1 support.

Remove old ASN.1 COMPAT type. This was meant as a temporary measure
so older ASN.1 code (from OpenSSL 0.9.6) still worked. It's a hack
which breaks constification and hopefully nothing uses it now, if
it ever did.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoreturn unexpected message when receiving kx with kDHr or kDHd
Kurt Roeckx [Sat, 14 Mar 2015 23:26:26 +0000 (00:26 +0100)]
return unexpected message when receiving kx with kDHr or kDHd

It was saying that it was an illegal parameter / unsupported cipher

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoDon't send a for ServerKeyExchange for kDHr and kDHd
Kurt Roeckx [Sat, 14 Mar 2015 22:23:26 +0000 (23:23 +0100)]
Don't send a for ServerKeyExchange for kDHr and kDHd

The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoMake sure that cert is never NULL
Kurt Roeckx [Wed, 18 Mar 2015 18:02:50 +0000 (19:02 +0100)]
Make sure that cert is never NULL

Also removes for it being NULL

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoFix build.
Dr. Stephen Henson [Mon, 23 Mar 2015 18:47:05 +0000 (18:47 +0000)]
Fix build.

Remove x_exten.c and x_exten.o from crypto/asn1/Makefile: they've moved now.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agomake X509_EXTENSION opaque
Dr. Stephen Henson [Sun, 15 Mar 2015 13:43:56 +0000 (13:43 +0000)]
make X509_EXTENSION opaque

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoFix SSL_clear unused return
Matt Caswell [Mon, 23 Mar 2015 15:27:40 +0000 (15:27 +0000)]
Fix SSL_clear unused return

Fix missing return value check in dtls1_listen when calling SSL_clear().

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agossl3_set_handshake_header returns
Matt Caswell [Mon, 9 Mar 2015 15:33:46 +0000 (15:33 +0000)]
ssl3_set_handshake_header returns

Change ssl_set_handshake_header from return void to returning int, and
handle error return code appropriately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoapps return value checks
Matt Caswell [Fri, 6 Mar 2015 14:39:46 +0000 (14:39 +0000)]
apps return value checks

Ensure that all libssl functions called from within the apps have their
return values checked where appropriate.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix missing return value checks
Matt Caswell [Fri, 6 Mar 2015 14:37:17 +0000 (14:37 +0000)]
Fix missing return value checks

Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoCheck libssl function returns
Matt Caswell [Thu, 5 Mar 2015 10:14:40 +0000 (10:14 +0000)]
Check libssl function returns

Mark most functions returning a result defined in any libssl header file
with __owur to warn if they are used without checking the return value.
Use -DUNUSED_RETURN compiler flag with gcc to activate these warnings.
Some functions returning a result are skipped if it is common and valid to
use these functions without checking the return value.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoAdd -DDEBUG_UNUSED to --strict-warnings
Matt Caswell [Fri, 6 Mar 2015 14:22:22 +0000 (14:22 +0000)]
Add -DDEBUG_UNUSED to --strict-warnings

In order to receive warnings on unused function return values the flag
-DDEBUG_UNUSED must be passed to the compiler. This change adds that for the
--strict-warnings Configure option.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoRemove PREFIX, as it's not used any more.
Richard Levitte [Sun, 22 Mar 2015 08:00:43 +0000 (09:00 +0100)]
Remove PREFIX, as it's not used any more.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoActually remove TABLE from version control
Richard Levitte [Sun, 22 Mar 2015 07:56:02 +0000 (08:56 +0100)]
Actually remove TABLE from version control

Follow up on the earlier "Do not keep TABLE in version control".
Actually removing TABLE from version control was forgotten.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoDon't check curves that haven't been sent
Matt Caswell [Fri, 20 Mar 2015 15:10:16 +0000 (15:10 +0000)]
Don't check curves that haven't been sent

Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).

Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoRemove deleted functions, update ordinals.
Dr. Stephen Henson [Mon, 23 Mar 2015 13:47:57 +0000 (13:47 +0000)]
Remove deleted functions, update ordinals.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoRemove {i2d,d2i}_ASN1_BOOLEAN
Dr. Stephen Henson [Sat, 14 Mar 2015 18:06:59 +0000 (18:06 +0000)]
Remove {i2d,d2i}_ASN1_BOOLEAN

Remove {i2d,d2i}_ASN1_BOOLEAN.

Rewrite single occurrence of d2i_ASN1_BOOLEAN in asn1_parse2

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoRemove old ASN.1 code.
Dr. Stephen Henson [Sat, 14 Mar 2015 04:16:42 +0000 (04:16 +0000)]
Remove old ASN.1 code.

Remove old M_ASN1_ macros and replace any occurences with the corresponding
function.

Remove d2i_ASN1_bytes, d2i_ASN1_SET, i2d_ASN1_SET: no longer used internally.

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agosha/asm/sha256-armv4.pl: adapt for use in Linux kernel context.
Andy Polyakov [Mon, 23 Mar 2015 12:34:03 +0000 (13:34 +0100)]
sha/asm/sha256-armv4.pl: adapt for use in Linux kernel context.

In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google).

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoRefer to $table{$target} rather than $table{$t}.
Richard Levitte [Sat, 21 Mar 2015 23:27:48 +0000 (00:27 +0100)]
Refer to $table{$target} rather than $table{$t}.

Using $t is an artifact from the earlier changes in Configure and was
unfortunately forgotten as is.

Reviewed-by: Stephen Henson <steve@openssl.org>
9 years agoAdd AES unwrap test with invalid key.
Dr. Stephen Henson [Fri, 20 Mar 2015 22:53:16 +0000 (22:53 +0000)]
Add AES unwrap test with invalid key.

This tests the unwrap algorithm with an invalid key. The result should
be rejected without returning any plaintext.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoFix memory leak.
Dr. Stephen Henson [Fri, 20 Mar 2015 23:08:30 +0000 (23:08 +0000)]
Fix memory leak.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoCRYPTO_128_unwrap(): Fix refactoring damage
Richard Godbee [Sat, 14 Mar 2015 04:23:21 +0000 (21:23 -0700)]
CRYPTO_128_unwrap(): Fix refactoring damage

crypto/modes/wrap128.c was heavily refactored to support AES Key Wrap
with Padding, and four bugs were introduced into CRYPTO_128_unwrap() at
that time:

- crypto_128_unwrap_raw()'s return value ('ret') is checked incorrectly,
  and the function immediately returns 'ret' in (almost) all cases.
  This makes the IV checking code later in the function unreachable, but
  callers think the IV check succeeded since CRYPTO_128_unwrap()'s
  return value is non-zero.

  FIX: Return 0 (error) if crypto_128_unwrap_raw() returned 0 (error).

- crypto_128_unwrap_raw() writes the IV to the 'got_iv' buffer, not to
  the first 8 bytes of the output buffer ('out') as the IV checking code
  expects.  This makes the IV check fail.

  FIX: Compare 'iv' to 'got_iv', not 'out'.

- The data written to the output buffer ('out') is "cleansed" if the IV
  check fails, but the code passes OPENSSL_cleanse() the input buffer
  length ('inlen') instead of the number of bytes that
  crypto_128_unwrap_raw() wrote to the output buffer ('ret').  This
  means that OPENSSL_cleanse() could potentially write past the end of
  'out'.

  FIX: Change 'inlen' to 'ret' in the OPENSSL_cleanse() call.

- CRYPTO_128_unwrap() is returning the length of the input buffer
  ('inlen') instead of the number of bytes written to the output buffer
  ('ret').  This could cause the caller to read past the end of 'out'.

  FIX: Return 'ret' instead of 'inlen' at the end of the function.

PR#3749

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agowrap128.c: Fix Doxygen comments
Richard Godbee [Sat, 14 Mar 2015 03:54:39 +0000 (20:54 -0700)]
wrap128.c: Fix Doxygen comments

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoAdd DTLS tests to make test
Matt Caswell [Tue, 3 Mar 2015 16:08:58 +0000 (16:08 +0000)]
Add DTLS tests to make test

Updated test/testssl script to include the new DTLS capability in ssltest.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoAdd DTLS support to ssltest
David Woodhouse [Tue, 3 Mar 2015 15:47:08 +0000 (15:47 +0000)]
Add DTLS support to ssltest

Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoAdd DTLS to SSL_get_version
David Woodhouse [Tue, 3 Mar 2015 15:39:26 +0000 (15:39 +0000)]
Add DTLS to SSL_get_version

Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoIf the target is an old style debug- target, it will not have debugging [cl]flags
Richard Levitte [Thu, 19 Mar 2015 21:35:12 +0000 (22:35 +0100)]
If the target is an old style debug- target, it will not have debugging [cl]flags

Reviewed-by: Stephen Henson <steve@openssl.org>
9 years agoFix a failure to NULL a pointer freed on error.
Matt Caswell [Thu, 19 Mar 2015 10:16:32 +0000 (10:16 +0000)]
Fix a failure to NULL a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoUpdate NEWS
Matt Caswell [Wed, 18 Mar 2015 10:10:01 +0000 (10:10 +0000)]
Update NEWS

Resync NEWS with the latest version from 1.0.2

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoUpdate CHANGES
Matt Caswell [Wed, 18 Mar 2015 09:35:22 +0000 (09:35 +0000)]
Update CHANGES

Resync CHANGES with the latest version from 1.0.2.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoPKCS#7: avoid NULL pointer dereferences with missing content
Emilia Kasper [Fri, 27 Feb 2015 15:52:23 +0000 (16:52 +0100)]
PKCS#7: avoid NULL pointer dereferences with missing content

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
9 years agoFix ASN1_TYPE_cmp
Dr. Stephen Henson [Mon, 9 Mar 2015 23:11:45 +0000 (23:11 +0000)]
Fix ASN1_TYPE_cmp

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix DHE Null CKE vulnerability
Matt Caswell [Tue, 10 Mar 2015 16:38:32 +0000 (16:38 +0000)]
Fix DHE Null CKE vulnerability

If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.

CVE-2015-1787

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix for CVE-2015-0291
Dr. Stephen Henson [Tue, 3 Mar 2015 13:20:57 +0000 (13:20 +0000)]
Fix for CVE-2015-0291

If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.

Thanks to David Ramos of Stanford University for reporting this bug.

CVE-2015-0291

Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoReject invalid PSS parameters.
Dr. Stephen Henson [Mon, 9 Mar 2015 23:16:33 +0000 (23:16 +0000)]
Reject invalid PSS parameters.

Fix a bug where invalid PSS parameters are not rejected resulting in a
NULL pointer exception. This can be triggered during certificate
verification so could be a DoS attack against a client or a server
enabling client authentication.

Thanks to Brian Carpenter for reporting this issues.

CVE-2015-0208

Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoFree up ADB and CHOICE if already initialised.
Dr. Stephen Henson [Mon, 23 Feb 2015 02:32:44 +0000 (02:32 +0000)]
Free up ADB and CHOICE if already initialised.

CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoFix Seg fault in DTLSv1_listen
Matt Caswell [Mon, 9 Mar 2015 16:09:04 +0000 (16:09 +0000)]
Fix Seg fault in DTLSv1_listen

The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.

CVE-2015-0207

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoMultiblock corrupted pointer fix
Matt Caswell [Mon, 2 Mar 2015 09:27:10 +0000 (09:27 +0000)]
Multiblock corrupted pointer fix

OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.

CVE-2015-0290

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoConfigure: fold related configurations more aggressively and clean-up.
Andy Polyakov [Mon, 16 Mar 2015 21:33:36 +0000 (22:33 +0100)]
Configure: fold related configurations more aggressively and clean-up.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoCorrect the request of debug builds
Richard Levitte [Tue, 17 Mar 2015 15:30:54 +0000 (16:30 +0100)]
Correct the request of debug builds

./config would translate -d into having the target get a 'debug-'
prefix, and then run './Configure LIST' to find out if such a
debugging target exists or not.

With the recent changes, the separate 'debug-foo' targets are
disappearing, and we're giving the normal targets debugging
capabilities instead.  Unfortunately, './config' wasn't changed to
match this new behavior.

This change introduces the arguments '--debug' and '--release' - the
latter just for orthogonality - to ./Configure, and ./config now
treats -d by adding '--debug' to the options for ./Configure.

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agoDead code removal from apps
Matt Caswell [Thu, 12 Mar 2015 14:09:00 +0000 (14:09 +0000)]
Dead code removal from apps

Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoRemove dead code from crypto
Matt Caswell [Thu, 12 Mar 2015 14:08:21 +0000 (14:08 +0000)]
Remove dead code from crypto

Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix probable_prime over large shift
Matt Caswell [Fri, 13 Mar 2015 12:48:57 +0000 (12:48 +0000)]
Fix probable_prime over large shift

In the probable_prime() function we behave slightly different if the number
of bits we are interested in is <= BN_BITS2 (the num of bits in a BN_ULONG).
As part of the calculation we work out a size_limit as follows:

    size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;

There is a problem though if bits == BN_BITS2. Shifting by that much causes
undefined behaviour. I did some tests. On my system BN_BITS2 == 64. So I
set bits to 64 and calculated the result of:

    (((BN_ULONG)1) << bits)

I was expecting to get the result 0. I actually got 1! Strangely this...

    (((BN_ULONG)0) << BN_BITS2)

...does equal 0! This means that, on my system at least, size_limit will be
off by 1 when bits == BN_BITS2.

This commit fixes the behaviour so that we always get consistent results.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoFix unintended sign extension
Matt Caswell [Thu, 12 Mar 2015 15:59:07 +0000 (15:59 +0000)]
Fix unintended sign extension

The function CRYPTO_128_unwrap_pad uses an 8 byte AIV (Alternative Initial
Value). The least significant 4 bytes of this is placed into the local
variable |ptext_len|. This is done as follows:

    ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7];

aiv[4] is an unsigned char, but (aiv[4] << 24) is promoted to a *signed*
int - therefore we could end up shifting into the sign bit and end up with
a negative value. |ptext_len| is a size_t (typically 64-bits). If the
result of the shifts is negative then the upper bits of |ptext_len| will
all be 1.

This commit fixes the issue by explicitly casting to an unsigned int.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix seg fault in s_time
Matt Caswell [Thu, 12 Mar 2015 16:42:55 +0000 (16:42 +0000)]
Fix seg fault in s_time

Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoAdd sanity check to PRF
Matt Caswell [Thu, 12 Mar 2015 14:37:26 +0000 (14:37 +0000)]
Add sanity check to PRF

The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix memset call in stack.c
Matt Caswell [Thu, 12 Mar 2015 12:54:44 +0000 (12:54 +0000)]
Fix memset call in stack.c

The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoMove malloc fail checks closer to malloc
Matt Caswell [Thu, 12 Mar 2015 11:25:03 +0000 (11:25 +0000)]
Move malloc fail checks closer to malloc

Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoAdd malloc failure checks
Matt Caswell [Thu, 12 Mar 2015 11:10:47 +0000 (11:10 +0000)]
Add malloc failure checks

Add some missing checks for memory allocation failures in ca app.

Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoDo not keep TABLE in version control.
Richard Levitte [Mon, 16 Mar 2015 21:36:19 +0000 (22:36 +0100)]
Do not keep TABLE in version control.

TABLE was always a debugging tool, and permitted everyone to see the
effect of changes in the string-format configs.  The hash-format
configs being much more readable, distributing TABLE becomes much less
necessary.

Being able to produce a TABLE is kept, however, as it still is a
useful debugging tool for configs, what with multi-level inheritance
and all.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoConfiguration cleanup: personal configs
Richard Levitte [Thu, 12 Mar 2015 13:58:07 +0000 (14:58 +0100)]
Configuration cleanup: personal configs

Move obviously personal configurations to personal files.

Note: those files should really not be in the main repo at all

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoUpdated TABLE
Richard Levitte [Mon, 16 Mar 2015 21:01:01 +0000 (22:01 +0100)]
Updated TABLE

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoFind debug- targets that can be combined with their non-debug counterparts and do so
Richard Levitte [Thu, 12 Mar 2015 13:55:05 +0000 (14:55 +0100)]
Find debug- targets that can be combined with their non-debug counterparts and do so

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoChange all the main configurations to the new format.
Richard Levitte [Tue, 10 Mar 2015 23:58:50 +0000 (00:58 +0100)]
Change all the main configurations to the new format.

As part of this, remove some levitte examples that never were relevant.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoRethink templates.
Richard Levitte [Tue, 10 Mar 2015 21:04:44 +0000 (22:04 +0100)]
Rethink templates.

Because base templates express inheritance of values, the attribute is
renamed to 'inherit_from', and texts about this talk about 'inheritance(s)'
rather than base templates.

As they were previously implemented, base templates that were listed
together would override one another, the first one acting as defaults for
the next and so on.

However, it was pointed out that a strength of inheritance would be to
base configurations on several templates - for example one for CPU, one
for operating system and one for compiler - and that requires a different
way of combining those templates.  With this change, inherited values
from several inheritances are concatenated by default (keep on reading).

Also, in-string templates with the double-curly syntax are removed,
replaced with the possibility to have a configuration value be a coderef
(i.e. a 'sub { /* your code goes here */ }') that gets the list of values
from all inheritances as the list @_.  The result of executing such a
coderef on a list of values is assumed to become a string.  ANY OTHER
FORM OF VALUE WILL CURRENTLY BREAK.

As a matter of fact, an attribute in the current config with no value is
assumed to have this coderef as value:

    sub { join(' ', @_) }

While we're at it, rename debug-[cl]flags to debug_[cl]flags and
nodebug-[cl]flags to release_[cl]flags.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoProvide a few examples by converting my own strings to hash table configurations
Richard Levitte [Fri, 6 Mar 2015 09:16:05 +0000 (10:16 +0100)]
Provide a few examples by converting my own strings to hash table configurations

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoAdd base template processing.
Richard Levitte [Fri, 6 Mar 2015 09:01:08 +0000 (10:01 +0100)]
Add base template processing.

Base templates are templates that are used to inherit from.  They can
loosely be compared with parent class inheritance in object orientation.
They can be used for the same purpose as the variables with multi-field
strings are used in old-style string configurations.

Base templates are declared with the base_templates configuration
attribute, like so:

"example_target" => {
base_templates => [ "x86_asm", ... ]
...
}

Note: The value of base_templates MUST be an array reference (an array
enclosed in square brackets).

Any configuration target can be used as a base template by another.  It
is also possible to have a target that's a pure template and not meant to
be used directly as a configuration target.  Such a target is marked with
the template configuration attribute, like so:

"example_template" => {
template => 1,
cc => "mycc",
...
},

As part of this commit, all variables with multi-field strings have been
translated to pure templates.  The variables currently remain since we
can't expect people to shift to hash table configurations immediately.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoAdd template reference processing.
Richard Levitte [Fri, 6 Mar 2015 02:00:53 +0000 (03:00 +0100)]
Add template reference processing.

Template references are words with double brackets, and refer to the
same field in the target pointed at the the double bracketed word.

For example, if a target's configuration has the following entry:

    'cflags' => '-DFOO {{x86_debug}}'

... then {{x86_debug}} will be replaced with the 'cflags' value from
target 'x86_debug'.

Note: template references are resolved recursively, and circular
references are not allowed

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoRewrite Configure to handle the target values as hash tables.
Richard Levitte [Fri, 6 Mar 2015 01:00:21 +0000 (02:00 +0100)]
Rewrite Configure to handle the target values as hash tables.

The reasoning is that configuration strings are hard to read and error
prone, and that a better way would be for them to be key => value hashes.

Configure is made to be able to handle target configuration values as a
string as well as a hash.  It also does the best it can to combine a
"debug-foo" target with a "foo" target, given that they are similar
except for the cflags and lflags values.  The latter are spliced into
options that are common for "debug-foo" and "foo", options that exist
only with "debug-foo" and options that exist only with "foo", and make
them into combinable attributes that holds common cflags, extra cflags
for debuggin and extra cflags for non-debugging configurations.

The next step is to make it possible to have template configurations.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoMake X509_ATTRIBUTE opaque.
Dr. Stephen Henson [Sat, 14 Mar 2015 23:48:47 +0000 (23:48 +0000)]
Make X509_ATTRIBUTE opaque.

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoFix regression in ASN1_UTCTIME_cmp_time_t
Carl Jackson [Sat, 31 Jan 2015 10:22:47 +0000 (02:22 -0800)]
Fix regression in ASN1_UTCTIME_cmp_time_t

Previously, ASN1_UTCTIME_cmp_time_t would return 1 if s > t, -1 if
s < t, and 0 if s == t.

This behavior was broken in a refactor [0], resulting in the opposite
time comparison behavior.

[0]: 904348a4922333106b613754136305db229475ea

PR#3706

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoOPENSSL_NO_EC* merge; missed one file
Rich Salz [Sun, 15 Mar 2015 18:49:15 +0000 (14:49 -0400)]
OPENSSL_NO_EC* merge; missed one file

Missed one file in the #ifdef merge; thanks Kurt.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
9 years agoUpdate ordinals, fix error message.
Dr. Stephen Henson [Sat, 14 Mar 2015 22:42:55 +0000 (22:42 +0000)]
Update ordinals, fix error message.

Update error messages to say "EC is disabled" these can then be picked up
by mkdef.pl.

Update ordinals.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
9 years agoRemove ssl_cert_inst()
Kurt Roeckx [Sat, 14 Mar 2015 17:09:44 +0000 (18:09 +0100)]
Remove ssl_cert_inst()

It created the cert structure in SSL_CTX or SSL if it was NULL, but they can
never be NULL as the comments already said.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
9 years agoAvoid reading an unused byte after the buffer
Andy Polyakov [Sat, 21 Feb 2015 12:51:56 +0000 (13:51 +0100)]
Avoid reading an unused byte after the buffer

Other curves don't have this problem.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoFix undefined behaviour in shifts.
Emilia Kasper [Sat, 14 Mar 2015 04:10:13 +0000 (21:10 -0700)]
Fix undefined behaviour in shifts.

Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.

(For consistency, cast other shifts, too.)

Caught by -fsanitize=shift

Submitted by Nick Lewycky (Google)

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoAllocate string types directly.
Dr. Stephen Henson [Tue, 24 Feb 2015 00:57:51 +0000 (00:57 +0000)]
Allocate string types directly.

Allocate and free ASN.1 string types directly instead of going through
the ASN.1 item code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoFix key wrapping mode with padding to conform to RFC 5649.
Petr Spacek [Mon, 26 Jan 2015 13:39:50 +0000 (14:39 +0100)]
Fix key wrapping mode with padding to conform to RFC 5649.

According to RFC 5649 section 4.1 step 1) we should not add padding
if plaintext length is multiply of 8 ockets.

This matches pseudo-code in http://dx.doi.org/10.6028/NIST.SP.800-38F
on page 15, section 6.3 KWP, algorithm 5 KWP-AE, step 2.

PR#3675

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoRemove obsolete declarations.
Dr. Stephen Henson [Thu, 12 Mar 2015 14:12:17 +0000 (14:12 +0000)]
Remove obsolete declarations.

Remove DECLARE_ASN1_SET_OF and DECLARE_PKCS12_STACK_OF these haven't been
used internally in OpenSSL for some time.

Reviewed-by: Rich Salz <rsalz@openssl.org>