oweals/openssl.git
9 years agoRT2943: Check sizes if -iv and -K arguments
Richard Levitte [Mon, 4 May 2015 15:34:40 +0000 (17:34 +0200)]
RT2943: Check sizes if -iv and -K arguments

RT2943 only complains about the incorrect check of -K argument size,
we might as well do the same thing with the -iv argument.

Before this, we only checked that the given argument wouldn't give a
bitstring larger than EVP_MAX_KEY_LENGTH.  we can be more precise and
check against the size of the actual cipher used.

(cherry picked from commit 8920a7cd04f43b1a090d0b0a8c9e16b94c6898d4)

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoRT3820: Don't call GetDesktopWindow()
Gilles Khouzam [Sat, 2 May 2015 02:20:42 +0000 (22:20 -0400)]
RT3820: Don't call GetDesktopWindow()

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bed2edf1cb73f1fe2c11029acc694086bc14443e)

9 years agoFix uninitialized variable.
Hanno Böck [Sat, 2 May 2015 02:27:20 +0000 (22:27 -0400)]
Fix uninitialized variable.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 539ed89f686866b82a9ec9a4c3b112878d29cd73)

9 years agoFix buffer overrun in RSA signing
Matt Caswell [Wed, 29 Apr 2015 12:22:18 +0000 (13:22 +0100)]
Fix buffer overrun in RSA signing

The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding.
It is only triggered if the RSA key size is smaller than the digest length.
So with SHA512 you can trigger the overflow with anything less than an RSA
512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA
key. This wasn't sufficient to cause a crash, although your mileage may
vary.

In practice RSA keys of this length are never used and X931 padding is very
rare. Even if someone did use an excessively short RSA key, the chances of
them combining that with a longer digest and X931 padding is very
small. For these reasons I do not believe there is a security implication to
this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 34166d41892643a36ad2d1f53cc0025e2edc2a39)

9 years agoAdd sanity check to print_bin function
Matt Caswell [Wed, 29 Apr 2015 08:58:10 +0000 (09:58 +0100)]
Add sanity check to print_bin function

Add a sanity check to the print_bin function to ensure that the |off|
argument is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3deeeeb61b0c5b9b5f0993a67b7967d2f85186da)

9 years agoAdd sanity check to ssl_get_prev_session
Matt Caswell [Tue, 28 Apr 2015 14:28:23 +0000 (15:28 +0100)]
Add sanity check to ssl_get_prev_session

Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cb0f400b0cea2d2943f99b1e89c04ff6ed748cd5)

9 years agoSanity check the return from final_finish_mac
Matt Caswell [Tue, 28 Apr 2015 14:19:50 +0000 (15:19 +0100)]
Sanity check the return from final_finish_mac

The return value is checked for 0. This is currently safe but we should
really check for <= 0 since -1 is frequently used for error conditions.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c427570e5098e120cbcb66e799f85c317aac7b91)

Conflicts:
ssl/ssl_locl.h

Conflicts:
ssl/ssl_locl.h

9 years agoAdd sanity check in ssl3_cbc_digest_record
Matt Caswell [Mon, 27 Apr 2015 14:41:42 +0000 (15:41 +0100)]
Add sanity check in ssl3_cbc_digest_record

For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst
this is true for all SSLv3 ciphersuites, this fact is far from obvious by
looking at the code. If this were not the case then an integer overflow
would occur, leading to a subsequent buffer overflow. Therefore I have
added an explicit sanity check to ensure header_length is always valid.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 29b0a15a480626544dd0c803d5de671552544de6)

9 years agoClarify logic in BIO_*printf functions
Matt Caswell [Mon, 27 Apr 2015 14:41:03 +0000 (15:41 +0100)]
Clarify logic in BIO_*printf functions

The static function dynamically allocates an output buffer if the output
grows larger than the static buffer that is normally used. The original
logic implied that |currlen| could be greater than |maxlen| which is
incorrect (and if so would cause a buffer overrun). Also the original
logic would call OPENSSL_malloc to create a dynamic buffer equal to the
size of the static buffer, and then immediately call OPENSSL_realloc to
make it bigger, rather than just creating a buffer than was big enough in
the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 9d9e37744cd5119f9921315864d1cd28717173cd)

9 years agoSanity check EVP_EncodeUpdate buffer len
Matt Caswell [Mon, 27 Apr 2015 10:13:56 +0000 (11:13 +0100)]
Sanity check EVP_EncodeUpdate buffer len

There was already a sanity check to ensure the passed buffer length is not
zero. Extend this to ensure that it also not negative. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b86d7dca69f5c80abd60896c8ed3039fc56210cc)

9 years agoSanity check EVP_CTRL_AEAD_TLS_AAD
Matt Caswell [Mon, 27 Apr 2015 10:07:06 +0000 (11:07 +0100)]
Sanity check EVP_CTRL_AEAD_TLS_AAD

The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c8269881093324b881b81472be037055571f73f3)

Conflicts:
ssl/record/ssl3_record.c

Conflicts:
apps/speed.c
crypto/evp/e_aes_cbc_hmac_sha256.c
crypto/evp/evp.h

9 years agoSanity check DES_enc_write buffer length
Matt Caswell [Mon, 27 Apr 2015 10:04:56 +0000 (11:04 +0100)]
Sanity check DES_enc_write buffer length

Add a sanity check to DES_enc_write to ensure the buffer length provided
is not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 873fb39f20b6763daba226b74e83fb194924c7bf)

9 years agoAdd length sanity check in SSLv2 n_do_ssl_write()
Matt Caswell [Wed, 29 Apr 2015 15:15:40 +0000 (16:15 +0100)]
Add length sanity check in SSLv2 n_do_ssl_write()

Fortify flagged up a problem in n_do_ssl_write() in SSLv2. Analysing the
code I do not believe there is a real problem here. However the logic flows
are complicated enough that a sanity check of |len| is probably worthwhile.

Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c5f8cd7bc661f90dc012c9d2bae1808a4281985f)

9 years agoFix CRYPTO_strdup
Loganaden Velvindron [Wed, 22 Apr 2015 15:16:30 +0000 (16:16 +0100)]
Fix CRYPTO_strdup

The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)

9 years agoRepair EAP-FAST session resumption
Emilia Kasper [Tue, 21 Apr 2015 16:12:58 +0000 (18:12 +0200)]
Repair EAP-FAST session resumption

EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec6114f5511b20c2e6ca741e61a39b99d6
and
7b3ba508af5c86afe43e28174aa3c53a0a24f4d9
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6e3d015363ed09c4eff5c02ad41153387ffdf5af)

9 years agoInitialize variable
Emilia Kasper [Tue, 14 Apr 2015 15:42:42 +0000 (17:42 +0200)]
Initialize variable

newsig may be used (freed) uninitialized on a malloc error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 68249414405500660578b337f1c8dd5dd4bb5bcc)

9 years agomake update
Emilia Kasper [Thu, 16 Apr 2015 16:11:56 +0000 (18:11 +0200)]
make update

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
9 years agoInitialised 'ok' and redo the logic.
Richard Levitte [Wed, 25 Mar 2015 13:41:58 +0000 (14:41 +0100)]
Initialised 'ok' and redo the logic.

The logic with how 'ok' was calculated didn't quite convey what's "ok",
so the logic is slightly redone to make it less confusing.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 06affe3dac65592a341547f5a47e52cedb7b71f8)

9 years agoFix return checks in GOST engine
Matt Caswell [Fri, 13 Mar 2015 16:48:01 +0000 (16:48 +0000)]
Fix return checks in GOST engine

Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8817e2e0c998757d3bd036d7f45fe8d0a49fbe2d)

9 years agoFix misc NULL derefs in sureware engine
Matt Caswell [Fri, 13 Mar 2015 15:04:54 +0000 (15:04 +0000)]
Fix misc NULL derefs in sureware engine

Fix miscellaneous NULL pointer derefs in the sureware engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7b611e5fe8eaac9512f72094c460f3ed6040076a)

9 years agoFix encoding bug in i2c_ASN1_INTEGER
Dr. Stephen Henson [Thu, 16 Apr 2015 15:43:09 +0000 (16:43 +0100)]
Fix encoding bug in i2c_ASN1_INTEGER

Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44)

9 years agoError out immediately on empty ciphers list.
Emilia Kasper [Wed, 15 Apr 2015 12:18:55 +0000 (14:18 +0200)]
Error out immediately on empty ciphers list.

A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb)

9 years agoCode style: space after 'if'
Viktor Dukhovni [Thu, 16 Apr 2015 06:51:52 +0000 (02:51 -0400)]
Code style: space after 'if'

Reviewed-by: Matt Caswell <gitlab@openssl.org>
9 years agoPlease Clang's sanitizer, addendum.
Andy Polyakov [Tue, 8 Jul 2014 21:06:59 +0000 (23:06 +0200)]
Please Clang's sanitizer, addendum.

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoLimit depth of nested sequences when generating ASN.1
Dr. Stephen Henson [Wed, 15 Apr 2015 23:00:40 +0000 (00:00 +0100)]
Limit depth of nested sequences when generating ASN.1

Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c4137b5e828d8fab0b244defb79257619dad8fc7)

9 years agoReject empty generation strings.
Dr. Stephen Henson [Wed, 15 Apr 2015 23:21:05 +0000 (00:21 +0100)]
Reject empty generation strings.

Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 111b60bea01d234b5873488c19ff2b9c5d4d58e9)

9 years agoFix ssl_get_prev_session overrun
Matt Caswell [Fri, 10 Apr 2015 15:49:33 +0000 (16:49 +0100)]
Fix ssl_get_prev_session overrun

If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad)

9 years agoCheck for ClientHello message overruns
Matt Caswell [Fri, 10 Apr 2015 16:25:27 +0000 (17:25 +0100)]
Check for ClientHello message overruns

The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)

9 years agodo_dirname: Don't change gen on failures
Kurt Roeckx [Sat, 11 Apr 2015 14:39:13 +0000 (16:39 +0200)]
do_dirname: Don't change gen on failures

It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ec5c5dd361343d9017eff8547b19e86e4944ebc)

9 years agoX509_VERIFY_PARAM_free: Check param for NULL
Kurt Roeckx [Sat, 11 Apr 2015 15:08:38 +0000 (17:08 +0200)]
X509_VERIFY_PARAM_free: Check param for NULL

Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit f49baeff50d0be9c8d86aed6fb4a08841aa3da41)

9 years agoDon't set *pval to NULL in ASN1_item_ex_new.
Dr. Stephen Henson [Thu, 2 Apr 2015 12:45:14 +0000 (13:45 +0100)]
Don't set *pval to NULL in ASN1_item_ex_new.

While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b4969a9261b9d7d381670aefbe2cf766a2cb)

Conflicts:
crypto/asn1/tasn_new.c

9 years agoHave mkerr.pl treat already existing multiline string defs properly
Richard Levitte [Wed, 8 Apr 2015 17:26:11 +0000 (19:26 +0200)]
Have mkerr.pl treat already existing multiline string defs properly

Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7)

9 years agoIgnore the non-dll windows specific build directories
Richard Levitte [Wed, 1 Apr 2015 09:36:18 +0000 (11:36 +0200)]
Ignore the non-dll windows specific build directories

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 37d92b1b2bb6e6e04d62d6f7774a2d8190a99174)

9 years agoHarden SSLv2-supporting servers against Bleichenbacher's attack.
Emilia Kasper [Wed, 1 Apr 2015 15:08:45 +0000 (17:08 +0200)]
Harden SSLv2-supporting servers against Bleichenbacher's attack.

There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae50d8270026edf5b3c7f8aaa0c6677462b33d97)

9 years agoFix intermittent s_server issues with ECDHE
John Foley [Tue, 7 Apr 2015 22:05:05 +0000 (23:05 +0100)]
Fix intermittent s_server issues with ECDHE

Resolve a problem when using s_server with ECDHE cipher
suites in OpenSSL_1_0_1-stable.  Due to an uninitialized variable,
SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug
appears to have been introduced by
059907771b89549cbd07a81df1a5bdf51e062066.

Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoEnsure EC private keys retain leading zeros
Douglas E Engert [Wed, 25 Mar 2015 23:52:28 +0000 (23:52 +0000)]
Ensure EC private keys retain leading zeros

RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 30cd4ff294252c4b6a4b69cbef6a5b4117705d22)

Conflicts:
crypto/ec/ec_asn1.c

9 years agoFix uninitialized variable warning
Emilia Kasper [Tue, 24 Mar 2015 18:59:14 +0000 (19:59 +0100)]
Fix uninitialized variable warning

While a true positive, it's almost harmless because EVP_DecryptInit_ex would have to fail and that doesn't happen under normal operation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix bug in s_client. Previously default verify locations would only be loaded
Matt Caswell [Wed, 25 Feb 2015 11:30:43 +0000 (11:30 +0000)]
Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 70e5fd877890489a3972bf8bf50bfec1fca3875e)

9 years agoFix HMAC to pass invalid key len test
Matt Caswell [Tue, 10 Feb 2015 13:15:25 +0000 (13:15 +0000)]
Fix HMAC to pass invalid key len test

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoAdd HMAC test for invalid key len
Matt Caswell [Tue, 10 Feb 2015 13:15:05 +0000 (13:15 +0000)]
Add HMAC test for invalid key len

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoEnsure that both the MD and key have been initialised before attempting to
Matt Caswell [Tue, 10 Feb 2015 11:39:52 +0000 (11:39 +0000)]
Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
crypto/hmac/hmac.c

9 years agoAdd more HMAC tests
Matt Caswell [Tue, 10 Feb 2015 12:38:04 +0000 (12:38 +0000)]
Add more HMAC tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix RAND_(pseudo_)?_bytes returns
Matt Caswell [Thu, 26 Feb 2015 16:28:59 +0000 (16:28 +0000)]
Fix RAND_(pseudo_)?_bytes returns

Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8f8e4e4f5253085ab673bb74094c3e492c56af44)

Conflicts:
crypto/evp/e_des3.c

9 years agoDon't send a for ServerKeyExchange for kDHr and kDHd
Kurt Roeckx [Sat, 14 Mar 2015 22:23:26 +0000 (23:23 +0100)]
Don't send a for ServerKeyExchange for kDHr and kDHd

The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619c5b41f2dcfdbf6ae666f867922a87a)

9 years agoConfiguration file examples.
Dr. Stephen Henson [Fri, 13 Mar 2015 14:16:32 +0000 (14:16 +0000)]
Configuration file examples.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da01b4eedcd546f81844156646387cacb)

9 years agoMake OCSP response verification more flexible.
Dr. Stephen Henson [Sun, 22 Mar 2015 17:34:56 +0000 (17:34 +0000)]
Make OCSP response verification more flexible.

If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc2874e094d6382b30416824eda6dde52fe)

9 years agoFix malloc define typo
Mike Frysinger [Sat, 21 Mar 2015 09:08:41 +0000 (05:08 -0400)]
Fix malloc define typo

Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 7c82e339a677f8546e1456c7a8f6788598a9de43)

9 years agoPrepare for 1.0.1n-dev
Matt Caswell [Thu, 19 Mar 2015 13:41:07 +0000 (13:41 +0000)]
Prepare for 1.0.1n-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoPrepare for 1.0.1m release OpenSSL_1_0_1m
Matt Caswell [Thu, 19 Mar 2015 13:38:37 +0000 (13:38 +0000)]
Prepare for 1.0.1m release

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agomake update
Matt Caswell [Thu, 19 Mar 2015 13:38:37 +0000 (13:38 +0000)]
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix unsigned/signed warnings
Matt Caswell [Thu, 19 Mar 2015 11:35:33 +0000 (11:35 +0000)]
Fix unsigned/signed warnings

Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix a failure to NULL a pointer freed on error.
Matt Caswell [Thu, 19 Mar 2015 10:16:32 +0000 (10:16 +0000)]
Fix a failure to NULL a pointer freed on error.

Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoUpdate NEWS file
Matt Caswell [Tue, 17 Mar 2015 17:01:09 +0000 (17:01 +0000)]
Update NEWS file

Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoUpdate CHANGES for release
Matt Caswell [Tue, 17 Mar 2015 16:56:27 +0000 (16:56 +0000)]
Update CHANGES for release

Update CHANGES fiel with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoRemove overlapping CHANGES/NEWS entries
Matt Caswell [Wed, 18 Mar 2015 09:48:03 +0000 (09:48 +0000)]
Remove overlapping CHANGES/NEWS entries

Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFix reachable assert in SSLv2 servers.
Emilia Kasper [Wed, 4 Mar 2015 17:05:02 +0000 (09:05 -0800)]
Fix reachable assert in SSLv2 servers.

This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoPKCS#7: avoid NULL pointer dereferences with missing content
Emilia Kasper [Fri, 27 Feb 2015 15:52:23 +0000 (16:52 +0100)]
PKCS#7: avoid NULL pointer dereferences with missing content

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
9 years agoFix ASN1_TYPE_cmp
Dr. Stephen Henson [Mon, 9 Mar 2015 23:11:45 +0000 (23:11 +0000)]
Fix ASN1_TYPE_cmp

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoFree up ADB and CHOICE if already initialised.
Dr. Stephen Henson [Mon, 23 Feb 2015 02:32:44 +0000 (02:32 +0000)]
Free up ADB and CHOICE if already initialised.

CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoDead code removal from apps
Matt Caswell [Thu, 12 Mar 2015 14:09:00 +0000 (14:09 +0000)]
Dead code removal from apps

Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf92259e899f4f7da4a3e80781e84b0fb1a64)

9 years agoRemove dead code from crypto
Matt Caswell [Thu, 12 Mar 2015 14:08:21 +0000 (14:08 +0000)]
Remove dead code from crypto

Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c597c1932ef709b2455ffab47348b5c54e5)

9 years agoFix seg fault in s_time
Matt Caswell [Thu, 12 Mar 2015 16:42:55 +0000 (16:42 +0000)]
Fix seg fault in s_time

Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit dfef52f6f277327e118fdd0fe34486852c2789b6)

9 years agoAdd sanity check to PRF
Matt Caswell [Thu, 12 Mar 2015 14:37:26 +0000 (14:37 +0000)]
Add sanity check to PRF

The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c62177ab5893fc26ebb67053aafdffc8)

9 years agoFix memset call in stack.c
Matt Caswell [Thu, 12 Mar 2015 12:54:44 +0000 (12:54 +0000)]
Fix memset call in stack.c

The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7132ac830fa08d9a936e011d7c541b0c52115b33)

9 years agoMove malloc fail checks closer to malloc
Matt Caswell [Thu, 12 Mar 2015 11:25:03 +0000 (11:25 +0000)]
Move malloc fail checks closer to malloc

Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit be1477adc97e76f4b83ed8075589f529069bd5d1)

9 years agoAdd malloc failure checks
Matt Caswell [Thu, 12 Mar 2015 11:10:47 +0000 (11:10 +0000)]
Add malloc failure checks

Add some missing checks for memory allocation failures in ca app.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a561bfe944c0beba73551731cb98af70dfee3549)

9 years agoAvoid reading an unused byte after the buffer
Andy Polyakov [Sat, 21 Feb 2015 12:51:56 +0000 (13:51 +0100)]
Avoid reading an unused byte after the buffer

Other curves don't have this problem.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9fbbdd73c58c29dc46cc314f7165e45e6d43fd60)

9 years agoFix undefined behaviour in shifts.
Emilia Kasper [Sat, 14 Mar 2015 04:10:13 +0000 (21:10 -0700)]
Fix undefined behaviour in shifts.

Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.

(For consistency, cast other shifts, too.)

Caught by -fsanitize=shift

Submitted by Nick Lewycky (Google)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8b37e5c14f0eddb10c7f91ef91004622d90ef361)

9 years agoadditional configuration documentation
Dr. Stephen Henson [Sun, 1 Mar 2015 15:25:39 +0000 (15:25 +0000)]
additional configuration documentation

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3d764db7a24e3dca1a3ee57202ce3c818d592141)

9 years agoASN.1 print fix.
Dr. Stephen Henson [Wed, 11 Mar 2015 23:30:52 +0000 (23:30 +0000)]
ASN.1 print fix.

When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 5dc1247a7494f50c88ce7492518bbe0ce6f124fa)

9 years agoFix missing return checks in v3_cpols.c
Matt Caswell [Wed, 11 Mar 2015 20:50:20 +0000 (20:50 +0000)]
Fix missing return checks in v3_cpols.c

Fixed assorted missing return value checks in c3_cpols.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c5f2b5336ab72e40ab91e2ca85639f51fa3178c6)

9 years agoFix dsa_pub_encode
Matt Caswell [Wed, 11 Mar 2015 20:19:08 +0000 (20:19 +0000)]
Fix dsa_pub_encode

The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0c7ca4033dcf5398334d4b78a7dfb941c8167a40)

9 years agoFix dh_pub_encode
Matt Caswell [Wed, 11 Mar 2015 20:08:16 +0000 (20:08 +0000)]
Fix dh_pub_encode

The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2)

Conflicts:
crypto/dh/dh_ameth.c

9 years agoFix asn1_item_print_ctx
Matt Caswell [Wed, 11 Mar 2015 19:41:01 +0000 (19:41 +0000)]
Fix asn1_item_print_ctx

The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 34a7ed0c39aa3ab67eea1e106577525eaf0d7a00)

9 years agoASN1_primitive_new NULL param handling
Matt Caswell [Wed, 11 Mar 2015 16:00:01 +0000 (16:00 +0000)]
ASN1_primitive_new NULL param handling

ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 9e488fd6ab2c295941e91a47ab7bcd346b7540c7)

9 years agoFix EVP_DigestInit_ex with NULL digest
Matt Caswell [Wed, 11 Mar 2015 15:41:52 +0000 (15:41 +0000)]
Fix EVP_DigestInit_ex with NULL digest

Calling EVP_DigestInit_ex which has already had the digest set up for it
should be possible. You are supposed to be able to pass NULL for the type.
However currently this seg faults.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit a01087027bd0c5ec053d4eabd972bd942bfcd92f)

9 years agoFix error handling in bn_exp
Matt Caswell [Wed, 11 Mar 2015 15:31:16 +0000 (15:31 +0000)]
Fix error handling in bn_exp

In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485)

9 years agoFix seg fault in ASN1_generate_v3/ASN1_generate_nconf
Matt Caswell [Tue, 10 Mar 2015 23:15:15 +0000 (23:15 +0000)]
Fix seg fault in ASN1_generate_v3/ASN1_generate_nconf

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit ac5a110621ca48f0bebd5b4d76d081de403da29e)

9 years agoCleanse buffers
Matt Caswell [Mon, 9 Mar 2015 13:59:58 +0000 (13:59 +0000)]
Cleanse buffers

Cleanse various intermediate buffers used by the PRF (backported version
from master).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 35fafc4dbc0b3a717ad1b208fe2867e8c64867de)

Conflicts:
ssl/s3_enc.c

9 years agoHarmonize return values in dtls1_buffer_record
Emilia Kasper [Wed, 4 Mar 2015 21:05:53 +0000 (13:05 -0800)]
Harmonize return values in dtls1_buffer_record

Ensure all malloc failures return -1.

Reported by Adam Langley (Google).

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 06c6a2b4a3a6e64303caa256398dd2dc16f9c35a)

9 years agoBIO_debug_callback: Fix output on 64-bit machines
Richard Godbee [Sun, 21 Sep 2014 06:14:11 +0000 (02:14 -0400)]
BIO_debug_callback: Fix output on 64-bit machines

BIO_debug_callback() no longer assumes the hexadecimal representation of
a pointer fits in 8 characters.

Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 460e920d8a274e27aab36346eeda6685a42c3314)

9 years agoFix wrong numbers being passed as string lengths
Dmitry-Me [Sun, 1 Jun 2014 17:30:52 +0000 (21:30 +0400)]
Fix wrong numbers being passed as string lengths

Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0b142f022e2c5072295e00ebc11c5b707a726d74)

9 years agoupdate ordinals
Dr. Stephen Henson [Mon, 9 Mar 2015 16:58:16 +0000 (16:58 +0000)]
update ordinals

Reviewed-by: Matt Caswell <matt@openssl.org>
9 years agofix warning
Dr. Stephen Henson [Sun, 8 Mar 2015 17:31:48 +0000 (17:31 +0000)]
fix warning

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d6ca1cee8b6efac5906ac66443d1ca67fe689ff8)

9 years agoCleanse PKCS#8 private key components.
Dr. Stephen Henson [Tue, 3 Mar 2015 14:20:23 +0000 (14:20 +0000)]
Cleanse PKCS#8 private key components.

New function ASN1_STRING_clear_free which cleanses an ASN1_STRING
structure before freeing it.

Call ASN1_STRING_clear_free on PKCS#8 private key components.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a8ae0891d4bfd18f224777aed1fbb172504421f1)

9 years agoAdditional CMS documentation.
Dr. Stephen Henson [Tue, 24 Feb 2015 16:35:37 +0000 (16:35 +0000)]
Additional CMS documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e3013932df2d899e8600c305342bc14b682dc0d1)

9 years agoRemove export ciphers from the DEFAULT cipher list
Kurt Roeckx [Wed, 4 Mar 2015 20:57:52 +0000 (21:57 +0100)]
Remove export ciphers from the DEFAULT cipher list

They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f417997a324037025be61737288e40e171a8218c)

Conflicts:
ssl/ssl_ciph.c

9 years agoUpdate mkerr.pl for new format
Matt Caswell [Fri, 6 Mar 2015 13:00:47 +0000 (13:00 +0000)]
Update mkerr.pl for new format

Make the output from mkerr.pl consistent with the newly reformatted code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoUse constants not numbers
Kurt Cancemi [Wed, 4 Mar 2015 10:57:45 +0000 (10:57 +0000)]
Use constants not numbers

This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c

RT#3725

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fd865cadcb603918bdcfcf44e487721c657a1117)

9 years agoUnchecked malloc fixes
Matt Caswell [Wed, 4 Mar 2015 17:49:51 +0000 (17:49 +0000)]
Unchecked malloc fixes

Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 918bb8652969fd53f0c390c1cd909265ed502c7e)

Conflicts:
crypto/bio/bss_dgram.c

Conflicts:
apps/cms.c
apps/s_cb.c
apps/s_server.c
apps/speed.c
crypto/dh/dh_pmeth.c
ssl/s3_pkt.c

9 years agoCheck public key is not NULL.
Dr. Stephen Henson [Wed, 18 Feb 2015 00:34:59 +0000 (00:34 +0000)]
Check public key is not NULL.

CVE-2015-0288
PR#3708

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 28a00bcd8e318da18031b2ac8778c64147cd54f9)

9 years agoFix format script.
Dr. Stephen Henson [Mon, 2 Mar 2015 13:26:29 +0000 (13:26 +0000)]
Fix format script.

The format script didn't correctly recognise some ASN.1 macros and
didn't reformat some files as a result. Fix script and reformat
affected files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 437b14b533fe7f7408e3ebca6d5569f1d3347b1a)

9 years agoFix d2i_SSL_SESSION for DTLS1_BAD_VER
Matt Caswell [Fri, 27 Feb 2015 16:52:07 +0000 (16:52 +0000)]
Fix d2i_SSL_SESSION for DTLS1_BAD_VER

Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704

Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
ssl/ssl_asn1.c

Conflicts:
ssl/dtls1.h

9 years agoFixed missing return value checks.
Matt Caswell [Thu, 26 Feb 2015 11:54:58 +0000 (11:54 +0000)]
Fixed missing return value checks.

Added various missing return value checks in tls1_change_cipher_state.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
ssl/t1_enc.c

9 years agoFix missing return value checks.
Matt Caswell [Thu, 26 Feb 2015 11:53:55 +0000 (11:53 +0000)]
Fix missing return value checks.

Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
ssl/s3_srvr.c

Conflicts:
ssl/s3_srvr.c

9 years agoFix warning with no-ec
Matt Caswell [Fri, 27 Feb 2015 00:02:06 +0000 (00:02 +0000)]
Fix warning with no-ec

This fixes another warning when config'd with no-ec

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
9 years agoFix no-ec warning
Matt Caswell [Thu, 26 Feb 2015 23:52:19 +0000 (23:52 +0000)]
Fix no-ec warning

This is a partial back port of commit 5b430cfc to remove a warning when
compiling with no-ec.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
9 years agoFix evp_extra_test.c with no-ec
Matt Caswell [Thu, 26 Feb 2015 10:35:50 +0000 (10:35 +0000)]
Fix evp_extra_test.c with no-ec
When OpenSSL is configured with no-ec, then the new evp_extra_test fails to
pass. This change adds appropriate OPENSSL_NO_EC guards around the code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a988036259a4e119f6787b4c585f506226330120)

9 years agoFix some minor documentation issues
Matt Caswell [Fri, 20 Feb 2015 09:18:29 +0000 (09:18 +0000)]
Fix some minor documentation issues

Reviewed-by: Emilia Käsper <emilia@openssl.org>
9 years agoRemove pointless free, and use preferred way of calling d2i_* functions
Matt Caswell [Tue, 10 Feb 2015 16:21:30 +0000 (16:21 +0000)]
Remove pointless free, and use preferred way of calling d2i_* functions

Reviewed-by: Emilia Käsper <emilia@openssl.org>