Emilia Kasper [Tue, 21 Apr 2015 16:12:58 +0000 (18:12 +0200)]
Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec6114f5511b20c2e6ca741e61a39b99d6
and
7b3ba508af5c86afe43e28174aa3c53a0a24f4d9
removed the lookahead so broke session resumption.
This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.
Regular handshakes are unaffected by this change.
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
6e3d015363ed09c4eff5c02ad41153387ffdf5af)
Emilia Kasper [Tue, 14 Apr 2015 15:42:42 +0000 (17:42 +0200)]
Initialize variable
newsig may be used (freed) uninitialized on a malloc error.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
68249414405500660578b337f1c8dd5dd4bb5bcc)
Emilia Kasper [Thu, 16 Apr 2015 16:11:56 +0000 (18:11 +0200)]
make update
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Richard Levitte [Wed, 25 Mar 2015 13:41:58 +0000 (14:41 +0100)]
Initialised 'ok' and redo the logic.
The logic with how 'ok' was calculated didn't quite convey what's "ok",
so the logic is slightly redone to make it less confusing.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
06affe3dac65592a341547f5a47e52cedb7b71f8)
Matt Caswell [Fri, 13 Mar 2015 16:48:01 +0000 (16:48 +0000)]
Fix return checks in GOST engine
Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
8817e2e0c998757d3bd036d7f45fe8d0a49fbe2d)
Matt Caswell [Fri, 13 Mar 2015 15:04:54 +0000 (15:04 +0000)]
Fix misc NULL derefs in sureware engine
Fix miscellaneous NULL pointer derefs in the sureware engine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
7b611e5fe8eaac9512f72094c460f3ed6040076a)
Dr. Stephen Henson [Thu, 16 Apr 2015 15:43:09 +0000 (16:43 +0100)]
Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.
Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
a0eed48d37a4b7beea0c966caf09ad46f4a92a44)
Emilia Kasper [Wed, 15 Apr 2015 12:18:55 +0000 (14:18 +0200)]
Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb)
Viktor Dukhovni [Thu, 16 Apr 2015 06:51:52 +0000 (02:51 -0400)]
Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
Andy Polyakov [Tue, 8 Jul 2014 21:06:59 +0000 (23:06 +0200)]
Please Clang's sanitizer, addendum.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Wed, 15 Apr 2015 23:00:40 +0000 (00:00 +0100)]
Limit depth of nested sequences when generating ASN.1
Reported by Hanno Böck <hanno@hboeck.de>
PR#3800
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
c4137b5e828d8fab0b244defb79257619dad8fc7)
Dr. Stephen Henson [Wed, 15 Apr 2015 23:21:05 +0000 (00:21 +0100)]
Reject empty generation strings.
Reported by Hanno Böck <hanno@hboeck.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
111b60bea01d234b5873488c19ff2b9c5d4d58e9)
Matt Caswell [Fri, 10 Apr 2015 15:49:33 +0000 (16:49 +0100)]
Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.
This is probably made redundant by the previous commit - but you can never be
too careful.
With thanks to Qinghao Tang for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad)
Matt Caswell [Fri, 10 Apr 2015 16:25:27 +0000 (17:25 +0100)]
Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.
With thanks to Qinghao Tang for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
Kurt Roeckx [Sat, 11 Apr 2015 14:39:13 +0000 (16:39 +0200)]
do_dirname: Don't change gen on failures
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
8ec5c5dd361343d9017eff8547b19e86e4944ebc)
Kurt Roeckx [Sat, 11 Apr 2015 15:08:38 +0000 (17:08 +0200)]
X509_VERIFY_PARAM_free: Check param for NULL
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit
f49baeff50d0be9c8d86aed6fb4a08841aa3da41)
Dr. Stephen Henson [Thu, 2 Apr 2015 12:45:14 +0000 (13:45 +0100)]
Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.
*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.
Thanks to Julien Kauffmann for reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
f617b4969a9261b9d7d381670aefbe2cf766a2cb)
Conflicts:
crypto/asn1/tasn_new.c
Richard Levitte [Wed, 8 Apr 2015 17:26:11 +0000 (19:26 +0200)]
Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines. That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:
{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
"Peer haven't sent GOST certificate, required for selected ciphersuite"},
However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:
{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
"No gost certificate sent by peer"},
Clearly not what we wanted. This change fixes this problem.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
2cfdfe0918f03f8323c9523a2beb2b363ae86ca7)
Richard Levitte [Wed, 1 Apr 2015 09:36:18 +0000 (11:36 +0200)]
Ignore the non-dll windows specific build directories
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
37d92b1b2bb6e6e04d62d6f7774a2d8190a99174)
Emilia Kasper [Wed, 1 Apr 2015 15:08:45 +0000 (17:08 +0200)]
Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c
Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
ae50d8270026edf5b3c7f8aaa0c6677462b33d97)
John Foley [Tue, 7 Apr 2015 22:05:05 +0000 (23:05 +0100)]
Fix intermittent s_server issues with ECDHE
Resolve a problem when using s_server with ECDHE cipher
suites in OpenSSL_1_0_1-stable. Due to an uninitialized variable,
SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug
appears to have been introduced by
059907771b89549cbd07a81df1a5bdf51e062066.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Douglas E Engert [Wed, 25 Mar 2015 23:52:28 +0000 (23:52 +0000)]
Ensure EC private keys retain leading zeros
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
30cd4ff294252c4b6a4b69cbef6a5b4117705d22)
Conflicts:
crypto/ec/ec_asn1.c
Emilia Kasper [Tue, 24 Mar 2015 18:59:14 +0000 (19:59 +0100)]
Fix uninitialized variable warning
While a true positive, it's almost harmless because EVP_DecryptInit_ex would have to fail and that doesn't happen under normal operation.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 25 Feb 2015 11:30:43 +0000 (11:30 +0000)]
Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
70e5fd877890489a3972bf8bf50bfec1fca3875e)
Matt Caswell [Tue, 10 Feb 2015 13:15:25 +0000 (13:15 +0000)]
Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 13:15:05 +0000 (13:15 +0000)]
Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 11:39:52 +0000 (11:39 +0000)]
Ensure that both the MD and key have been initialised before attempting to
create an HMAC
Inspired by BoringSSL commit
2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594
Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
crypto/hmac/hmac.c
Matt Caswell [Tue, 10 Feb 2015 12:38:04 +0000 (12:38 +0000)]
Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 26 Feb 2015 16:28:59 +0000 (16:28 +0000)]
Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
8f8e4e4f5253085ab673bb74094c3e492c56af44)
Conflicts:
crypto/evp/e_des3.c
Kurt Roeckx [Sat, 14 Mar 2015 22:23:26 +0000 (23:23 +0100)]
Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
93f1c13619c5b41f2dcfdbf6ae666f867922a87a)
Dr. Stephen Henson [Fri, 13 Mar 2015 14:16:32 +0000 (14:16 +0000)]
Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
7b68c30da01b4eedcd546f81844156646387cacb)
Dr. Stephen Henson [Sun, 22 Mar 2015 17:34:56 +0000 (17:34 +0000)]
Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.
PR#3668
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
4ca5efc2874e094d6382b30416824eda6dde52fe)
Mike Frysinger [Sat, 21 Mar 2015 09:08:41 +0000 (05:08 -0400)]
Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.
Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828
RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
7c82e339a677f8546e1456c7a8f6788598a9de43)
Matt Caswell [Thu, 19 Mar 2015 13:41:07 +0000 (13:41 +0000)]
Prepare for 1.0.1n-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 13:38:37 +0000 (13:38 +0000)]
Prepare for 1.0.1m release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 13:38:37 +0000 (13:38 +0000)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 11:35:33 +0000 (11:35 +0000)]
Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 10:16:32 +0000 (10:16 +0000)]
Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 17 Mar 2015 17:01:09 +0000 (17:01 +0000)]
Update NEWS file
Update the NEWS file with the latest entries from CHANGES ready for the
release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 17 Mar 2015 16:56:27 +0000 (16:56 +0000)]
Update CHANGES for release
Update CHANGES fiel with all the latest fixes ready for the release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 18 Mar 2015 09:48:03 +0000 (09:48 +0000)]
Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Emilia Kasper [Wed, 4 Mar 2015 17:05:02 +0000 (09:05 -0800)]
Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.
Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.
CVE-2015-0293
This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Emilia Kasper [Fri, 27 Feb 2015 15:52:23 +0000 (16:52 +0100)]
PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.
This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.
Correcting all low-level API calls requires further work.
CVE-2015-0289
Thanks to Michal Zalewski (Google) for reporting this issue.
Reviewed-by: Steve Henson <steve@openssl.org>
Dr. Stephen Henson [Mon, 9 Mar 2015 23:11:45 +0000 (23:11 +0000)]
Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
CVE-2015-0286
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Mon, 23 Feb 2015 02:32:44 +0000 (02:32 +0000)]
Free up ADB and CHOICE if already initialised.
CVE-2015-0287
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Thu, 12 Mar 2015 14:09:00 +0000 (14:09 +0000)]
Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
11abf92259e899f4f7da4a3e80781e84b0fb1a64)
Matt Caswell [Thu, 12 Mar 2015 14:08:21 +0000 (14:08 +0000)]
Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
b7573c597c1932ef709b2455ffab47348b5c54e5)
Matt Caswell [Thu, 12 Mar 2015 16:42:55 +0000 (16:42 +0000)]
Fix seg fault in s_time
Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
dfef52f6f277327e118fdd0fe34486852c2789b6)
Matt Caswell [Thu, 12 Mar 2015 14:37:26 +0000 (14:37 +0000)]
Add sanity check to PRF
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
668f6f08c62177ab5893fc26ebb67053aafdffc8)
Matt Caswell [Thu, 12 Mar 2015 12:54:44 +0000 (12:54 +0000)]
Fix memset call in stack.c
The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
7132ac830fa08d9a936e011d7c541b0c52115b33)
Matt Caswell [Thu, 12 Mar 2015 11:25:03 +0000 (11:25 +0000)]
Move malloc fail checks closer to malloc
Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
be1477adc97e76f4b83ed8075589f529069bd5d1)
Matt Caswell [Thu, 12 Mar 2015 11:10:47 +0000 (11:10 +0000)]
Add malloc failure checks
Add some missing checks for memory allocation failures in ca app.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
a561bfe944c0beba73551731cb98af70dfee3549)
Andy Polyakov [Sat, 21 Feb 2015 12:51:56 +0000 (13:51 +0100)]
Avoid reading an unused byte after the buffer
Other curves don't have this problem.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit
9fbbdd73c58c29dc46cc314f7165e45e6d43fd60)
Emilia Kasper [Sat, 14 Mar 2015 04:10:13 +0000 (21:10 -0700)]
Fix undefined behaviour in shifts.
Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.
(For consistency, cast other shifts, too.)
Caught by -fsanitize=shift
Submitted by Nick Lewycky (Google)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
8b37e5c14f0eddb10c7f91ef91004622d90ef361)
Dr. Stephen Henson [Sun, 1 Mar 2015 15:25:39 +0000 (15:25 +0000)]
additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
3d764db7a24e3dca1a3ee57202ce3c818d592141)
Dr. Stephen Henson [Wed, 11 Mar 2015 23:30:52 +0000 (23:30 +0000)]
ASN.1 print fix.
When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
5dc1247a7494f50c88ce7492518bbe0ce6f124fa)
Matt Caswell [Wed, 11 Mar 2015 20:50:20 +0000 (20:50 +0000)]
Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in c3_cpols.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
c5f2b5336ab72e40ab91e2ca85639f51fa3178c6)
Matt Caswell [Wed, 11 Mar 2015 20:19:08 +0000 (20:19 +0000)]
Fix dsa_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
0c7ca4033dcf5398334d4b78a7dfb941c8167a40)
Matt Caswell [Wed, 11 Mar 2015 20:08:16 +0000 (20:08 +0000)]
Fix dh_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2)
Conflicts:
crypto/dh/dh_ameth.c
Matt Caswell [Wed, 11 Mar 2015 19:41:01 +0000 (19:41 +0000)]
Fix asn1_item_print_ctx
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
34a7ed0c39aa3ab67eea1e106577525eaf0d7a00)
Matt Caswell [Wed, 11 Mar 2015 16:00:01 +0000 (16:00 +0000)]
ASN1_primitive_new NULL param handling
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
9e488fd6ab2c295941e91a47ab7bcd346b7540c7)
Matt Caswell [Wed, 11 Mar 2015 15:41:52 +0000 (15:41 +0000)]
Fix EVP_DigestInit_ex with NULL digest
Calling EVP_DigestInit_ex which has already had the digest set up for it
should be possible. You are supposed to be able to pass NULL for the type.
However currently this seg faults.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
a01087027bd0c5ec053d4eabd972bd942bfcd92f)
Matt Caswell [Wed, 11 Mar 2015 15:31:16 +0000 (15:31 +0000)]
Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485)
Matt Caswell [Tue, 10 Mar 2015 23:15:15 +0000 (23:15 +0000)]
Fix seg fault in ASN1_generate_v3/ASN1_generate_nconf
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit
ac5a110621ca48f0bebd5b4d76d081de403da29e)
Matt Caswell [Mon, 9 Mar 2015 13:59:58 +0000 (13:59 +0000)]
Cleanse buffers
Cleanse various intermediate buffers used by the PRF (backported version
from master).
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
35fafc4dbc0b3a717ad1b208fe2867e8c64867de)
Conflicts:
ssl/s3_enc.c
Emilia Kasper [Wed, 4 Mar 2015 21:05:53 +0000 (13:05 -0800)]
Harmonize return values in dtls1_buffer_record
Ensure all malloc failures return -1.
Reported by Adam Langley (Google).
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
06c6a2b4a3a6e64303caa256398dd2dc16f9c35a)
Richard Godbee [Sun, 21 Sep 2014 06:14:11 +0000 (02:14 -0400)]
BIO_debug_callback: Fix output on 64-bit machines
BIO_debug_callback() no longer assumes the hexadecimal representation of
a pointer fits in 8 characters.
Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
460e920d8a274e27aab36346eeda6685a42c3314)
Dmitry-Me [Sun, 1 Jun 2014 17:30:52 +0000 (21:30 +0400)]
Fix wrong numbers being passed as string lengths
Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
0b142f022e2c5072295e00ebc11c5b707a726d74)
Dr. Stephen Henson [Mon, 9 Mar 2015 16:58:16 +0000 (16:58 +0000)]
update ordinals
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Sun, 8 Mar 2015 17:31:48 +0000 (17:31 +0000)]
fix warning
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
d6ca1cee8b6efac5906ac66443d1ca67fe689ff8)
Dr. Stephen Henson [Tue, 3 Mar 2015 14:20:23 +0000 (14:20 +0000)]
Cleanse PKCS#8 private key components.
New function ASN1_STRING_clear_free which cleanses an ASN1_STRING
structure before freeing it.
Call ASN1_STRING_clear_free on PKCS#8 private key components.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
a8ae0891d4bfd18f224777aed1fbb172504421f1)
Dr. Stephen Henson [Tue, 24 Feb 2015 16:35:37 +0000 (16:35 +0000)]
Additional CMS documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
e3013932df2d899e8600c305342bc14b682dc0d1)
Kurt Roeckx [Wed, 4 Mar 2015 20:57:52 +0000 (21:57 +0100)]
Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
f417997a324037025be61737288e40e171a8218c)
Conflicts:
ssl/ssl_ciph.c
Matt Caswell [Fri, 6 Mar 2015 13:00:47 +0000 (13:00 +0000)]
Update mkerr.pl for new format
Make the output from mkerr.pl consistent with the newly reformatted code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Kurt Cancemi [Wed, 4 Mar 2015 10:57:45 +0000 (10:57 +0000)]
Use constants not numbers
This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c
RT#3725
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
fd865cadcb603918bdcfcf44e487721c657a1117)
Matt Caswell [Wed, 4 Mar 2015 17:49:51 +0000 (17:49 +0000)]
Unchecked malloc fixes
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
918bb8652969fd53f0c390c1cd909265ed502c7e)
Conflicts:
crypto/bio/bss_dgram.c
Conflicts:
apps/cms.c
apps/s_cb.c
apps/s_server.c
apps/speed.c
crypto/dh/dh_pmeth.c
ssl/s3_pkt.c
Dr. Stephen Henson [Wed, 18 Feb 2015 00:34:59 +0000 (00:34 +0000)]
Check public key is not NULL.
CVE-2015-0288
PR#3708
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
28a00bcd8e318da18031b2ac8778c64147cd54f9)
Dr. Stephen Henson [Mon, 2 Mar 2015 13:26:29 +0000 (13:26 +0000)]
Fix format script.
The format script didn't correctly recognise some ASN.1 macros and
didn't reformat some files as a result. Fix script and reformat
affected files.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
437b14b533fe7f7408e3ebca6d5569f1d3347b1a)
Matt Caswell [Fri, 27 Feb 2015 16:52:07 +0000 (16:52 +0000)]
Fix d2i_SSL_SESSION for DTLS1_BAD_VER
Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.
This change fixes d2i_SSL_SESSION for that DTLS version.
Based on an original patch by David Woodhouse <dwmw2@infradead.org>
RT#3704
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
ssl/ssl_asn1.c
Conflicts:
ssl/dtls1.h
Matt Caswell [Thu, 26 Feb 2015 11:54:58 +0000 (11:54 +0000)]
Fixed missing return value checks.
Added various missing return value checks in tls1_change_cipher_state.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
ssl/t1_enc.c
Matt Caswell [Thu, 26 Feb 2015 11:53:55 +0000 (11:53 +0000)]
Fix missing return value checks.
Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
ssl/s3_srvr.c
Conflicts:
ssl/s3_srvr.c
Matt Caswell [Fri, 27 Feb 2015 00:02:06 +0000 (00:02 +0000)]
Fix warning with no-ec
This fixes another warning when config'd with no-ec
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Matt Caswell [Thu, 26 Feb 2015 23:52:19 +0000 (23:52 +0000)]
Fix no-ec warning
This is a partial back port of commit
5b430cfc to remove a warning when
compiling with no-ec.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Matt Caswell [Thu, 26 Feb 2015 10:35:50 +0000 (10:35 +0000)]
Fix evp_extra_test.c with no-ec
When OpenSSL is configured with no-ec, then the new evp_extra_test fails to
pass. This change adds appropriate OPENSSL_NO_EC guards around the code.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
a988036259a4e119f6787b4c585f506226330120)
Matt Caswell [Fri, 20 Feb 2015 09:18:29 +0000 (09:18 +0000)]
Fix some minor documentation issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 16:21:30 +0000 (16:21 +0000)]
Remove pointless free, and use preferred way of calling d2i_* functions
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 16:08:33 +0000 (16:08 +0000)]
Add dire warnings about the "reuse" capability of the d2i_* functions.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 15:45:56 +0000 (15:45 +0000)]
Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Conflicts:
doc/crypto/EC_KEY_new.pod
doc/crypto/EC_POINT_new.pod
Matt Caswell [Mon, 9 Feb 2015 11:38:41 +0000 (11:38 +0000)]
Fix a failure to NULL a pointer freed on error.
Inspired by BoringSSL commit
517073cd4b by Eric Roman <eroman@chromium.org>
CVE-2015-0209
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Mon, 9 Feb 2015 09:45:35 +0000 (09:45 +0000)]
Import evp_test.c from BoringSSL. Unfortunately we already have a file
called evp_test.c, so I have called this one evp_extra_test.c
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Conflicts:
crypto/evp/Makefile
test/Makefile
Conflicts:
test/Makefile
crypto/evp/evp_extra_test.c
Dr. Stephen Henson [Tue, 24 Feb 2015 13:52:21 +0000 (13:52 +0000)]
Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
384dee51242e950c56b3bac32145957bfbf3cd4b)
Edgar Pek [Sat, 21 Feb 2015 13:56:41 +0000 (14:56 +0100)]
Fix null-pointer dereference
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
bcfa19a8d19506c26b5f8d9d9934ca2aa5f96b43)
Kurt Roeckx [Sat, 21 Feb 2015 13:51:50 +0000 (14:51 +0100)]
Fix memory leak
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
edac5dc220d494dff7ee259dfd84335ffa50e938)
Doug Hogan [Thu, 8 Jan 2015 02:21:01 +0000 (18:21 -0800)]
Avoid a double-free in an error path.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
1549a265209d449b6aefd2b49d7d39f7fbe0689b)
Richard Levitte [Sun, 22 Feb 2015 07:27:36 +0000 (08:27 +0100)]
Restore -DTERMIO/-DTERMIOS on Windows platforms.
The previous defaulting to TERMIOS took away -DTERMIOS / -DTERMIO a
bit too enthusiastically. Windows/DOSish platforms of all sorts get
identified as OPENSSL_SYS_MSDOS, and they get a different treatment
altogether UNLESS -DTERMIO or -DTERMIOS is explicitely given with the
configuration. The answer is to restore those macro definitions for
the affected configuration targets.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
ba4bdee7184a5cea5bef8739eb360e5c2bc3b52c)
Conflicts:
Configure
Richard Levitte [Thu, 12 Feb 2015 10:41:48 +0000 (11:41 +0100)]
Assume TERMIOS is default, remove TERMIO on all Linux.
The rationale for this move is that TERMIOS is default, supported by
POSIX-1.2001, and most definitely on Linux. For a few other systems,
TERMIO may still be the termnial interface of preference, so we keep
-DTERMIO on those in Configure.
crypto/ui/ui_openssl.c is simplified in this regard, and will define
TERMIOS for all systems except a select few exceptions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
64e6bf64b36136d487e2fbf907f09612e69ae911)
Conflicts:
Configure
crypto/ui/ui_openssl.c
Rich Salz [Thu, 12 Feb 2015 19:23:28 +0000 (14:23 -0500)]
RT3684: rand_egd needs stddef.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
872f91c4036e35d292d423e751741ba76f8c5594)
Graeme Perrow [Thu, 12 Feb 2015 18:00:42 +0000 (13:00 -0500)]
RT3670: Check return from BUF_MEM_grow_clean
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
b0333e697c008d639c56f48e9148cb8cba957e32)
Eric Dequin [Thu, 12 Feb 2015 15:44:30 +0000 (10:44 -0500)]
Missing OPENSSL_free on error path.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
1d2932de4cefcc200f175863a42c311916269981)
Andy Polyakov [Mon, 9 Feb 2015 14:59:09 +0000 (15:59 +0100)]
Bring objects.pl output even closer to new format.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
849037169d98d070c27d094ac341fc6aca1ed2ca)