Matt Caswell [Tue, 5 Jul 2016 11:04:37 +0000 (12:04 +0100)]
Fix DTLS replay protection
The DTLS implementation provides some protection against replay attacks
in accordance with RFC6347 section 4.1.2.6.
A sliding "window" of valid record sequence numbers is maintained with
the "right" hand edge of the window set to the highest sequence number we
have received so far. Records that arrive that are off the "left" hand
edge of the window are rejected. Records within the window are checked
against a list of records received so far. If we already received it then
we also reject the new record.
If we have not already received the record, or the sequence number is off
the right hand edge of the window then we verify the MAC of the record.
If MAC verification fails then we discard the record. Otherwise we mark
the record as received. If the sequence number was off the right hand edge
of the window, then we slide the window along so that the right hand edge
is in line with the newly received sequence number.
Records may arrive for future epochs, i.e. a record from after a CCS being
sent, can arrive before the CCS does if the packets get re-ordered. As we
have not yet received the CCS we are not yet in a position to decrypt or
validate the MAC of those records. OpenSSL places those records on an
unprocessed records queue. It additionally updates the window immediately,
even though we have not yet verified the MAC. This will only occur if
currently in a handshake/renegotiation.
This could be exploited by an attacker by sending a record for the next
epoch (which does not have to decrypt or have a valid MAC), with a very
large sequence number. This means the right hand edge of the window is
moved very far to the right, and all subsequent legitimate packets are
dropped causing a denial of service.
A similar effect can be achieved during the initial handshake. In this
case there is no MAC key negotiated yet. Therefore an attacker can send a
message for the current epoch with a very large sequence number. The code
will process the record as normal. If the hanshake message sequence number
(as opposed to the record sequence number that we have been talking about
so far) is in the future then the injected message is bufferred to be
handled later, but the window is still updated. Therefore all subsequent
legitimate handshake records are dropped. This aspect is not considered a
security issue because there are many ways for an attacker to disrupt the
initial handshake and prevent it from completing successfully (e.g.
injection of a handshake message will cause the Finished MAC to fail and
the handshake to be aborted). This issue comes about as a result of trying
to do replay protection, but having no integrity mechanism in place yet.
Does it even make sense to have replay protection in epoch 0? That
issue isn't addressed here though.
This addressed an OCAP Audit issue.
CVE-2016-2181
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 5 Jul 2016 10:52:43 +0000 (11:52 +0100)]
Add DTLS replay protection test
Injects a record from epoch 1 during epoch 0 handshake, with a record
sequence number in the future, to test that the record replay protection
feature works as expected. This is described more fully in the next commit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 5 Jul 2016 10:46:26 +0000 (11:46 +0100)]
Fix DTLS unprocessed records bug
During a DTLS handshake we may get records destined for the next epoch
arrive before we have processed the CCS. In that case we can't decrypt or
verify the record yet, so we buffer it for later use. When we do receive
the CCS we work through the queue of unprocessed records and process them.
Unfortunately the act of processing wipes out any existing packet data
that we were still working through. This includes any records from the new
epoch that were in the same packet as the CCS. We should only process the
buffered records if we've not got any data left.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 5 Jul 2016 10:37:40 +0000 (11:37 +0100)]
Add a DTLS unprocesed records test
Add a test to inject a record from the next epoch during the handshake and
make sure it doesn't get processed immediately.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 5 Jul 2016 10:36:10 +0000 (11:36 +0100)]
Back port ssltestlib code to 1.0.2
Enables the testing of DTLS code in 1.0.2
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Wed, 3 Aug 2016 19:45:06 +0000 (21:45 +0200)]
VSI submission: RAND fixups
- make the VMS version of RAND_poll() faster and more secure
- avoid pointer size warnings with setvbuf()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Wed, 3 Aug 2016 19:33:31 +0000 (21:33 +0200)]
VSI submission: make better use of item lists in o_time.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Wed, 3 Aug 2016 19:22:34 +0000 (21:22 +0200)]
VSI submission: avoid pointer size warnings in mem.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Wed, 3 Aug 2016 19:18:55 +0000 (21:18 +0200)]
evp_test.c: avoid warning from having a pointer difference returned as int
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Thu, 18 Aug 2016 13:42:42 +0000 (15:42 +0200)]
VMS: synchronise tests with Unix
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Tue, 16 Aug 2016 12:14:33 +0000 (14:14 +0200)]
make update to have PEM_R_HEADER_TOO_LONG defined
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Mon, 15 Aug 2016 15:52:21 +0000 (16:52 +0100)]
Limit reads in do_b2i_bio()
Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.
Thanks to Shi Lei for reporting this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
66bcba145740e4f1210499ba6e5033035a2a4647)
Dr. Stephen Henson [Fri, 5 Aug 2016 13:26:03 +0000 (14:26 +0100)]
Check for errors in BN_bn2dec()
If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.
Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.
Thanks to Shi Lei for reporting this bug.
CVE-2016-2182
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
07bed46f332fce8c1d157689a2cdf915a982ae34)
Conflicts:
crypto/bn/bn_print.c
Dr. Stephen Henson [Fri, 5 Aug 2016 13:33:03 +0000 (14:33 +0100)]
Check for errors in a2d_ASN1_OBJECT()
Check for error return in BN_div_word().
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
8b9afbc0fc7f8be0049d389d34d9416fa377e2aa)
Andy Polyakov [Sun, 31 Jul 2016 19:19:57 +0000 (21:19 +0200)]
sha/asm/sha1-x86_64.pl: fix crash in SHAEXT code on Windows.
RT#4530
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
7123aa81e9fb19afb11fdf3850662c5f7ff1f19c)
Dr. Stephen Henson [Fri, 5 Aug 2016 16:59:32 +0000 (17:59 +0100)]
Sanity check input length in OPENSSL_uni2asc().
Thanks to Hanno Böck for reporting this bug.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
39a43280316f1b9c45be5ac5b04f4f5c3f923686)
Conflicts:
crypto/pkcs12/p12_utl.c
Dr. Stephen Henson [Fri, 5 Aug 2016 15:21:26 +0000 (16:21 +0100)]
Leak fixes.
Fix error path leaks in a2i_ASN1_STRING(), a2i_ASN1_INTEGER() and
a2i_ASN1_ENUMERATED().
Thanks to Shi Lei for reporting these issues.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Kurt Roeckx [Sat, 16 Jul 2016 14:56:54 +0000 (16:56 +0200)]
Return error when trying to print invalid ASN1 integer
GH: #1322
(cherry picked from commit
5e3553c2de9a365479324b8ba8b998f0cce3e527)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Dr. Stephen Henson [Thu, 4 Aug 2016 14:00:26 +0000 (15:00 +0100)]
Limit recursion depth in old d2i_ASN1_bytes function
Thanks to Shi Lei for reporting this bug.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Thu, 4 Aug 2016 12:54:51 +0000 (13:54 +0100)]
Check for overflows in i2d_ASN1_SET()
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Tue, 2 Aug 2016 20:38:37 +0000 (21:38 +0100)]
Limit status message sisze in ts_get_status_check
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
20fc103f782bb0bcd41d211c6423187b02146b9d)
Conflicts:
include/openssl/ts.h
Richard Levitte [Wed, 3 Aug 2016 14:02:20 +0000 (16:02 +0200)]
Don't check any revocation info on proxy certificates
Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail. Better not to try
checking such information for them at all.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
790555d6756285b3ec18e3efbb195cf33f217d8f)
Dr. Stephen Henson [Tue, 2 Aug 2016 22:53:41 +0000 (23:53 +0100)]
Calculate sequence length properly.
Use correct length in old ASN.1 indefinite length sequence decoder
(only used by SSL_SESSION).
This bug was discovered by Hanno Böck using libfuzzer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Tue, 2 Aug 2016 22:41:45 +0000 (23:41 +0100)]
include <limits.h>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Mon, 1 Aug 2016 23:30:47 +0000 (00:30 +0100)]
Check for overflows in ASN1_object_size().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
e9f17097e9fbba3e7664cd67e54eebf2bd438863)
Dr. Stephen Henson [Mon, 1 Aug 2016 23:45:31 +0000 (00:45 +0100)]
Check for overlows and error return from ASN1_object_size()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
56f9953c846204cb3251ab27605e403c7444fd72)
Dr. Stephen Henson [Fri, 29 Jul 2016 16:54:52 +0000 (17:54 +0100)]
Fix CRL time comparison.
Thanks to David Benjamin <davidben@google.com> for reporting this bug.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
e032117db251968bd09badc7d4718c2497302e55)
Rich Salz [Wed, 27 Jul 2016 15:09:07 +0000 (11:09 -0400)]
Add missing casts.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Dr. Stephen Henson [Tue, 26 Jul 2016 19:22:49 +0000 (20:22 +0100)]
Note cipher BIO write errors too.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
976ef6adcc157233fb641ca99e2424630ef1814f)
Conflicts:
crypto/evp/bio_enc.c
Dr. Stephen Henson [Tue, 26 Jul 2016 15:51:49 +0000 (16:51 +0100)]
Set error if EVP_CipherUpdate fails.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
ee6ce5cc368574c0b0b470e61ee2f82a0efadbb7)
Conflicts:
crypto/evp/bio_enc.c
Dr. Stephen Henson [Fri, 22 Jul 2016 12:43:41 +0000 (13:43 +0100)]
Use newest CRL.
If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.
RT#4615
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
626aa24849be549b7ef4f049d8427989940c8a37)
Dr. Stephen Henson [Fri, 22 Jul 2016 15:02:07 +0000 (16:02 +0100)]
Send alert for bad DH CKE
RT#4511
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Thu, 21 Jul 2016 14:24:16 +0000 (15:24 +0100)]
Fix OOB read in TS_OBJ_print_bio().
TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.
CVE-2016-2180
Thanks to Shi Lei for reporting this bug.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
0ed26acce328ec16a3aa635f1ca37365e8c7403a)
Dr. Stephen Henson [Fri, 22 Jul 2016 13:11:13 +0000 (14:11 +0100)]
Clarify digest change in HMAC_Init_ex()
RT#4603
Reviewed-by: Rich Salz <rsalz@openssl.org>
Todd Short [Tue, 5 Jul 2016 13:59:29 +0000 (09:59 -0400)]
OCSP_request_add0_id() inconsistent error return
There are two failure cases for OCSP_request_add_id():
1. OCSP_ONEREQ_new() failure, where |cid| is not freed
2. sk_OCSP_ONEREQ_push() failure, where |cid| is freed
This changes makes the error behavior consistent, such that |cid| is
not freed when sk_OCSP_ONEREQ_push() fails. OpenSSL only takes
ownership of |cid| when the function succeeds.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1289)
(cherry picked from commit
415e7c488e09119a42be24129e38ddd43524ee06)
Dr. Stephen Henson [Tue, 19 Jul 2016 15:03:10 +0000 (16:03 +0100)]
Sanity check in ssl_get_algorithm2().
RT#4600
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
52eede5a970fdb30c4ed6d3663e51f36bd1b1c73)
Conflicts:
ssl/s3_lib.c
Dr. Stephen Henson [Tue, 19 Jul 2016 16:20:58 +0000 (17:20 +0100)]
Send alert on CKE error.
RT#4610
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Tue, 19 Jul 2016 11:32:05 +0000 (12:32 +0100)]
Support PKCS v2.0 print in pkcs12 utility.
Extended alg_print() in pkcs12 utility to support PBES2 algorithms.
RT#4588
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Mon, 18 Jul 2016 22:59:39 +0000 (23:59 +0100)]
Check and print out boolean type properly.
If underlying type is boolean don't check field is NULL.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
ad72d9fdf7709ddb97a58d7d45d755e6e0504b96)
Dr. Stephen Henson [Mon, 18 Jul 2016 16:52:56 +0000 (17:52 +0100)]
Fix print of ASN.1 BIGNUM type.
The ASN.1 BIGNUM type needs to be handled in a custom way as it is
not a generic ASN1_STRING type.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
3cea73a7fcaaada1ea0ee4b4353ed0176fee1112)
Conflicts:
crypto/asn1/x_bignum.c
Richard Levitte [Fri, 15 Jul 2016 16:41:37 +0000 (18:41 +0200)]
Remove the silly CVS markers from LPdir_*.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
28e90f69fbcdcd3c06359a53adceb2dbdfaba614)
Richard Levitte [Fri, 15 Jul 2016 11:31:26 +0000 (13:31 +0200)]
Fix ASN.1 private encode of EC_KEY to not change the input key
RT#4611
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit
b8a7bd83e68405fdf595077973035ac6fe24cb97)
Matt Caswell [Tue, 5 Jul 2016 15:56:33 +0000 (16:56 +0100)]
Disallow multiple protocol flags to s_server and s_client
We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".
This fixes Github Issue #1268
Reviewed-by: Rich Salz <rsalz@openssl.org>
Orgad Shaneh [Wed, 6 Jul 2016 05:44:51 +0000 (08:44 +0300)]
Fix compilation with CMS disabled
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1293)
Dr. Stephen Henson [Tue, 5 Jul 2016 22:24:26 +0000 (23:24 +0100)]
Don't indicate errors during initial adb decode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
b385889640517531a9cfeb672b15db7089b1bbb8)
Cristian Stoica [Tue, 10 Sep 2013 09:46:46 +0000 (12:46 +0300)]
remove double initialization of cryptodev engine
cryptodev engine is initialized together with the other engines in
ENGINE_load_builtin_engines. The initialization done through
OpenSSL_add_all_algorithms is redundant.
Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 1 Jul 2016 10:58:05 +0000 (11:58 +0100)]
Avoid an overflow in constructing the ServerKeyExchange message
We calculate the size required for the ServerKeyExchange message and then
call BUF_MEM_grow_clean() on the buffer. However we fail to take account of
2 bytes required for the signature algorithm and 2 bytes for the signature
length, i.e. we could overflow by 4 bytes. In reality this won't happen
because the buffer is pre-allocated to a large size that means it should be
big enough anyway.
Addresses an OCAP Audit issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 30 Jun 2016 13:57:57 +0000 (15:57 +0200)]
SPARC assembly pack: enforce V8+ ABI constraints.
Even though it's hard to imagine, it turned out that upper half of
arguments passed to V8+ subroutine can be non-zero.
["n" pseudo-instructions, such as srln being srl in 32-bit case and
srlx in 64-bit one, were implemented in binutils 2.10. It's assumed
that Solaris assembler implemented it around same time, i.e. 2000.]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
f198cc43a0eca4bf1a8e7f60c51af560f4346dc8)
Matt Caswell [Fri, 24 Jun 2016 22:37:27 +0000 (23:37 +0100)]
Convert memset calls to OPENSSL_cleanse
Ensure things really do get cleared when we intend them to.
Addresses an OCAP Audit issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Richard Levitte [Sun, 19 Jun 2016 08:55:43 +0000 (10:55 +0200)]
Allow proxy certs to be present when verifying a chain
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Sun, 19 Jun 2016 08:55:29 +0000 (10:55 +0200)]
Fix proxy certificate pathlength verification
While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly. This corresponds to
RFC 3820, 4.1.4 (a).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Sun, 19 Jun 2016 08:55:16 +0000 (10:55 +0200)]
Check that the subject name in a proxy cert complies to RFC 3820
The subject name MUST be the same as the issuer name, with a single CN
entry added.
RT#1852
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 25 Apr 2016 16:06:56 +0000 (17:06 +0100)]
Change usage of RAND_pseudo_bytes to RAND_bytes
RAND_pseudo_bytes() allows random data to be returned even in low entropy
conditions. Sometimes this is ok. Many times it is not. For the avoidance
of any doubt, replace existing usage of RAND_pseudo_bytes() with
RAND_bytes().
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rich Salz [Sun, 26 Jun 2016 13:24:49 +0000 (09:24 -0400)]
RT2964: Fix it via doc
OBJ_nid2obj() and friends should be treated as const.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit
5d28ff38fd4127c5894d22533e842ee446c3d3c2)
Rich Salz [Sun, 26 Jun 2016 02:09:05 +0000 (22:09 -0400)]
Revert "RT2964: Fix it via doc"
This reverts commit
58b18779ba6e6060ac357cd0803d83317ed00f8b.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Rich Salz [Sat, 25 Jun 2016 18:51:53 +0000 (14:51 -0400)]
RT2964: Fix it via doc
OBJ_nid2obj() and friends should be treated as const.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit
82f31fe4dd0dac30229fa8684229b49d2bcef404)
Matt Caswell [Fri, 24 Jun 2016 09:31:08 +0000 (10:31 +0100)]
Ensure HMAC key gets cleansed after use
aesni_cbc_hmac_sha256_ctrl() and aesni_cbc_hmac_sha1_ctrl() cleanse the
HMAC key after use, but static int rc4_hmac_md5_ctrl() doesn't.
Fixes an OCAP Audit issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
0def528bc502a888a3f4ef3c38ea4c5e69fd7375)
Matt Caswell [Thu, 23 Jun 2016 18:54:06 +0000 (19:54 +0100)]
Fix ASN1_STRING_to_UTF8 could not convert NumericString
tag2nbyte had -1 at 18th position, but underlying ASN1_mbstring_copy
supports NumericString. tag2nbyte is also used in do_print_ex which will
not be broken by setting 1 at 18th position of tag2nbyte
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit
d6079a87db58ad17550b5d00a74512464e6a029e)
Andy Polyakov [Mon, 20 Jun 2016 10:47:44 +0000 (12:47 +0200)]
doc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.
[Note that in master declaration is different.]
RT#4568
Reviewed-by: Rich Salz <rsalz@openssl.org>
John Foley [Mon, 20 Jun 2016 16:11:35 +0000 (12:11 -0400)]
RT3752: Add FIPS callback for thread id
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Richard Levitte [Mon, 20 Jun 2016 19:12:29 +0000 (21:12 +0200)]
Fix missing opening braces
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Matthias St. Pierre [Mon, 20 Jun 2016 17:32:34 +0000 (13:32 -0400)]
RT3925: Remove trailing semi from #define's.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Richard Levitte [Mon, 20 Jun 2016 18:07:13 +0000 (20:07 +0200)]
apps/req.c: Increment the right variable when parsing '+'
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
14d3c0dd2c31b9fd1f92d608524dd650f5ec5a7e)
Andy Polyakov [Sat, 18 Jun 2016 13:49:57 +0000 (15:49 +0200)]
aes/asm/bsaes-armv7.pl: omit redundant stores in XTS subroutines.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
4973a60cb92dc121fc09246bff3815afc0f8ab9a)
Andy Polyakov [Sat, 18 Jun 2016 13:37:25 +0000 (15:37 +0200)]
aes/asm/bsaes-armv7.pl: fix XTS decrypt test failure.
RT#4578
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
3d32bab8f1742a3b57742e18f92a408f0403df8d)
Rich Salz [Thu, 16 Jun 2016 15:21:37 +0000 (11:21 -0400)]
RT4545: Backport 2877 to 1.0.2
Sender verified that the fix works. This is a backport/cherry-pick
of just the bugfix part of
0f91e1dff4ab2e7c25bbae5a48dfabbd1a4eae3c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 16 Jun 2016 15:01:58 +0000 (16:01 +0100)]
Revert "RT4526: Call TerminateProcess, not ExitProcess"
This reverts commit
75f90688fb2dec0f897cad8be8b92be725c5016b.
TerminateProcess is asynchronous, so the code as written in the above
commit is not correct (and doesn't even compile at the moment). It is
also probably not needed in the speed case. Reverting in order to figure
out the correct solution.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Pauli [Wed, 15 Jun 2016 13:59:24 +0000 (09:59 -0400)]
RT4573: Synopsis for RAND_add is wrong
Reviewed-by: Matt Caswell <matt@openssl.org>
Rich Salz [Tue, 14 Jun 2016 20:19:37 +0000 (16:19 -0400)]
RT4526: Call TerminateProcess, not ExitProcess
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
9c1a9ccf65d0ea1912675d3a622fa8e51b524b9e)
Richard Levitte [Tue, 14 Jun 2016 23:31:14 +0000 (01:31 +0200)]
Change (!seqtt) to (seqtt == NULL)
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit
fdcb499cc2cd57412e496302a4bca8c5d9f1a9c7)
Richard Levitte [Tue, 14 Jun 2016 21:54:56 +0000 (23:54 +0200)]
Always check that the value returned by asn1_do_adb() is non-NULL
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit
bace847eae24f48adc6a967c6cce7f8d05bbeda3)
Rich Salz [Mon, 30 May 2016 19:01:09 +0000 (15:01 -0400)]
RT4546: Backport doc fix
Reviewed-by: Matt Caswell <matt@openssl.org>
Manual cherry-pick of
538860a3ce0b9fd142a7f1a62e597cccb74475d3.
Dr. Stephen Henson [Tue, 14 Jun 2016 16:44:22 +0000 (17:44 +0100)]
Fix omitted selector handling.
The selector field could be omitted because it has a DEFAULT value.
In this case *sfld == NULL (sfld can never be NULL). This was not
noticed because this was never used in existing ASN.1 modules.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
7c46746bf2958fd2eccc59ecb48039e4e20ce38a)
Andy Polyakov [Mon, 13 Jun 2016 21:30:08 +0000 (23:30 +0200)]
crypto/sparccpuid.S: limit symbol visibility.
Couple of never-used symbols were clasing with FIPS module, "weakening"
them allows to resolve linking errors.
RT#3699
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rich Salz [Tue, 14 Jun 2016 16:35:26 +0000 (12:35 -0400)]
RT4562: Backport doc fix.
Reviewed-by: Matt Caswell <matt@openssl.org>
Rich Salz [Mon, 13 Jun 2016 01:55:46 +0000 (21:55 -0400)]
RT4560: Initialize variable to NULL
Reviewed-by: Andy Polyakov <appro@openssl.org>
Dr. Stephen Henson [Sun, 12 Jun 2016 22:22:30 +0000 (23:22 +0100)]
Fix link error.
Use string_to_hex, OPENSSL_hexstr2buf() doesn't exist in OpenSSL 1.0.2
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Sun, 12 Jun 2016 18:04:50 +0000 (20:04 +0200)]
crypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.
crypto/mem_clr.c was harmonized with master branch and doesn't use
cleanse_ctr kludge anymore.
RT#4563
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Wed, 8 Jun 2016 18:01:42 +0000 (19:01 +0100)]
Don't skip leading zeroes in PSK keys.
Don't use BN_hex2bn() for PSK key conversion as the conversion to
BN and back removes leading zeroes, use OPENSSL_hexstr2buf() instead.
RT#4554
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
6ec6d5207187dbc1dbd971bd50ea17c9a94906d0)
Conflicts:
apps/s_client.c
apps/s_server.c
Phillip Hellewell [Sun, 12 Jun 2016 00:04:21 +0000 (20:04 -0400)]
RT3053: Check for NULL before dereferencing
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
6b3602882e089aaca18828a72d9f4072e6a20252)
Andy Polyakov [Thu, 9 Jun 2016 19:56:09 +0000 (21:56 +0200)]
crypto/mem_clr.c: switch to OPENSSL_cleanse implementation from
It's probably worth reminding that this is a fall-back implementation
for platforms that don't have assembly OPENSSL_cleanse.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 9 Jun 2016 19:54:19 +0000 (21:54 +0200)]
hmac/hmac.c: switch to OPENSSL_cleanse.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 10 Jun 2016 14:30:41 +0000 (15:30 +0100)]
Fix an error path leak in int X509_ATTRIBUTE_set1_data()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
5000a6d1215ea7d6ed6179d0bcd44263f6e3c26b)
Matt Caswell [Fri, 10 Jun 2016 14:30:09 +0000 (15:30 +0100)]
Fix an error path leak in do_ext_nconf()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
8605abf13523579ecab8b1f2a4bcb8354d94af79)
Matt Caswell [Fri, 10 Jun 2016 13:25:15 +0000 (14:25 +0100)]
Fix seg fault in TS_RESP_verify_response()
The TS_RESP_verify_response() function is used for verifying the response
from a TSA. You can set the provided TS_VERIFY_CTX with different flags
depending on what aspects of the response you wish to verify.
A seg fault will occur if you supply the TS_VFY_SIGNER or TS_VFY_TSA_NAME
flags without also specifying TS_VFY_SIGNATURE.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Tue, 31 May 2016 10:38:52 +0000 (11:38 +0100)]
Add a BN_mod_word test()
The previous commit fixed a bug with BN_mod_word() which would have been
caught if we had a test for it. This commit adds one.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Matt Caswell [Tue, 31 May 2016 10:28:14 +0000 (11:28 +0100)]
Fix BN_mod_word bug
On systems where we do not have BN_ULLONG (e.g. typically 64 bit systems)
then BN_mod_word() can return incorrect results if the supplied modulus is
too big.
RT#4501
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
37258dadaa9e36db4b96a3aa54aa6c67136160cc)
Matt Caswell [Tue, 7 Jun 2016 08:12:51 +0000 (09:12 +0100)]
More fix DSA, preserve BN_FLG_CONSTTIME
The previous "fix" still left "k" exposed to constant time problems in
the later BN_mod_inverse() call. Ensure both k and kq have the
BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.
CVE-2016-2178
Reviewed-by: Rich Salz <rsalz@openssl.org>
Cesar Pereida [Mon, 23 May 2016 09:45:25 +0000 (12:45 +0300)]
Fix DSA, preserve BN_FLG_CONSTTIME
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
CVE-2016-2178
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Fri, 3 Jun 2016 20:49:01 +0000 (21:49 +0100)]
Fix documentation error in x509 app certopt flag
According to the x509 man page in the section discussing -certopt it says
that the ca_default option is the same as that used by the ca utility and
(amongst other things) has the effect of suppressing printing of the
signature - but in fact it doesn't. This error seems to have been present
since the documentation was written back in 2001. It never had this effect.
The default config file sets the certopt value to ca_default. The ca utility
takes that and THEN adds additional options to suppress printing of the
signature. So the ca utility DOES suppress printing of the signature - but
it is not as a result of using the ca_default option.
GitHub Issue #247
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
39a470088af6f833bd1a912908c44bf4a9f48b0c)
Matt Caswell [Fri, 3 Jun 2016 14:53:54 +0000 (15:53 +0100)]
BIO_printf() can fail to print the last character
If the string to print is exactly 2048 character long (excluding the NULL
terminator) then BIO_printf will chop off the last byte. This is because
it has filled its static buffer but hasn't yet allocated a dynamic buffer.
In cases where we don't have a dynamic buffer we need to truncate but that
is not the case for BIO_printf(). We need to check whether we are able to
have a dynamic buffer buffer deciding to truncate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Jonas Maebe [Sun, 8 Dec 2013 16:24:18 +0000 (17:24 +0100)]
cryptodev_asym, zapparams: use OPENSSL_* allocation routines, handle errors
zapparams modification based on tip from Matt Caswell
RT#3198
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Dirk Feytons [Thu, 2 Jun 2016 13:31:57 +0000 (15:31 +0200)]
Fix build with no-cmac
Add missing ifdefs. Same change is already present in master, see
b4a3aeebd9f9280aa7e69a343f5c824e68466d90
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1155)
Matt Caswell [Fri, 3 Jun 2016 16:12:08 +0000 (17:12 +0100)]
Update CONTRIBUTING
Fix typos and clarify a few things in the CONTRIBUTING file.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Thu, 5 May 2016 10:10:26 +0000 (11:10 +0100)]
Avoid some undefined pointer arithmetic
A common idiom in the codebase is:
if (p + len > limit)
{
return; /* Too long */
}
Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE
"len" here could be from some externally supplied data (e.g. from a TLS
message).
The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.
For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit!
Issue reported by Guido Vranken.
CVE-2016-2177
Reviewed-by: Rich Salz <rsalz@openssl.org>
FdaSilvaYY [Sun, 6 Mar 2016 20:26:46 +0000 (21:26 +0100)]
Fix some missing inits
Backport of
8e89e85f556f549f05d3b49f5408a217ac5e3700
From PR #1019 / #997
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1019)
Dr. Stephen Henson [Fri, 27 May 2016 13:18:40 +0000 (14:18 +0100)]
Parameter copy sanity checks.
Don't copy parameters is they're already present in the destination.
Return error if an attempt is made to copy different parameters to
destination. Update documentation.
If key type is not initialised return missing parameters
RT#4149
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
f72f00d49549c6620d7101f5e9bf7963da6df9ee)
Matt Caswell [Thu, 26 May 2016 14:54:48 +0000 (15:54 +0100)]
Check for malloc failure in EVP_PKEY_keygen()
After a call to EVP_PKEY_new() we should check for malloc failure.
RT#4180
Reviewed-by: Stephen Henson <steve@openssl.org>
Matt Caswell [Thu, 26 May 2016 14:45:14 +0000 (15:45 +0100)]
The ssl3_digest_cached_records() function does not handle errors properly
The ssl3_digest_cached_records() function was failing to handle errors
that might be returned from EVP_DigestSignInit() and
EVP_DigestSignUpdate().
RT#4180
Reviewed-by: Stephen Henson <steve@openssl.org>
Matt Caswell [Mon, 9 May 2016 16:44:26 +0000 (17:44 +0100)]
Fix a mem leak on an error path in OBJ_NAME_add()
If lh_OBJ_NAME_insert() fails then the allocated |onp| value is leaked.
RT#2238
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
0a618df059d93bf7fe9e3ec92e04db8bc1eeff07)