Matt Caswell [Mon, 2 Feb 2015 12:18:03 +0000 (12:18 +0000)]
Introduce the functions RECORD_LAYER_release, RECORD_LAYER_read_pending, and
RECORD_LAYER_write_pending.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 2 Feb 2015 11:53:20 +0000 (11:53 +0000)]
Create RECORD_LAYER_clear function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 2 Feb 2015 11:41:29 +0000 (11:41 +0000)]
Tidy up rec_layer.h. Add some comments regarding which functions should be
being used for what purpose.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 2 Feb 2015 10:38:12 +0000 (10:38 +0000)]
Moved s3_pkt.c, s23_pkt.c and d1_pkt.c into the record layer.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 2 Feb 2015 10:05:09 +0000 (10:05 +0000)]
Split out non record layer functions out of s3_pkt.c and d1_pkt.c into
the new files s3_msg.c and s1_msg.c respectively.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Sun, 1 Feb 2015 17:14:43 +0000 (17:14 +0000)]
Move more SSL3_RECORD oriented functions into ssl3_record.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Sun, 1 Feb 2015 16:47:15 +0000 (16:47 +0000)]
Move SSL3_RECORD oriented functions into ssl3_record.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Sun, 1 Feb 2015 16:03:18 +0000 (16:03 +0000)]
Move SSL3_BUFFER set up and release code into ssl3_buffer.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Sun, 1 Feb 2015 15:41:06 +0000 (15:41 +0000)]
Move s->s3->wrec to s>rlayer>wrec
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Sun, 1 Feb 2015 15:30:37 +0000 (15:30 +0000)]
Encapsulate s->s3->wrec
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 30 Jan 2015 23:27:17 +0000 (23:27 +0000)]
Move s->s3->rrec to s->rlayer->rrec
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 30 Jan 2015 17:29:41 +0000 (17:29 +0000)]
Encapsulate s->s3->rrec
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 30 Jan 2015 16:17:25 +0000 (16:17 +0000)]
Move s->s3->wbuf to s->rlayer->wbuf
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 30 Jan 2015 16:05:47 +0000 (16:05 +0000)]
Encapsulate access to s->s3->wbuf
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 30 Jan 2015 15:38:10 +0000 (15:38 +0000)]
Move s->s3->rrec into s->rlayer
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 30 Jan 2015 14:57:54 +0000 (14:57 +0000)]
Encapsulate SSL3_BUFFER and all access to s->s3->rbuf.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 30 Jan 2015 13:46:43 +0000 (13:46 +0000)]
Create a RECORD_LAYER structure and move read_ahead into it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Wed, 25 Mar 2015 22:21:39 +0000 (22:21 +0000)]
update ordinals
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Wed, 25 Mar 2015 22:02:42 +0000 (22:02 +0000)]
Move more internal only functions to asn1_locl.h
Reviewed-by: Matt Caswell <matt@openssl.org>
Rich Salz [Wed, 25 Mar 2015 22:35:24 +0000 (18:35 -0400)]
free NULL cleanup.
This gets EC_GROUP_clear_free EC_GROUP_free, EC_KEY_free,
EC_POINT_clear_free, EC_POINT_free
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Matt Caswell [Tue, 24 Mar 2015 15:10:15 +0000 (15:10 +0000)]
Resolve swallowed returns codes
The recent updates to libssl to enforce stricter return code checking, left
a small number of instances behind where return codes were being swallowed
(typically because the function they were being called from was declared as
void). This commit fixes those instances to handle the return codes more
appropriately.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Wed, 25 Mar 2015 15:44:45 +0000 (15:44 +0000)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Wed, 25 Mar 2015 15:42:56 +0000 (15:42 +0000)]
Move internal only ASN.1 functions to asn1_locl.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Wed, 25 Mar 2015 15:08:55 +0000 (15:08 +0000)]
Remove X509_ATTRIBUTE hack.
The X509_ATTRIBUTE structure includes a hack to tolerate malformed
attributes that encode as the type instead of SET OF type. This form
is never created by OpenSSL and shouldn't be needed any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rich Salz [Wed, 25 Mar 2015 15:31:18 +0000 (11:31 -0400)]
free NULL cleanup
This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free
BIO_free BIO_free_all BIO_vfree
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Mon, 16 Feb 2015 13:44:22 +0000 (13:44 +0000)]
Support key loading from certificate file
Support loading of key and certificate from the same file if
SSL_CONF_FLAG_REQUIRE_PRIVATE is set. This is done by remembering the
filename used for each certificate type and attempting to load a private
key from the file when SSL_CONF_CTX_finish is called.
Update docs.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Wed, 25 Mar 2015 12:25:16 +0000 (12:25 +0000)]
make depend
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Mon, 16 Mar 2015 17:43:17 +0000 (17:43 +0000)]
make X509_NAME opaque
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 25 Feb 2015 11:30:43 +0000 (11:30 +0000)]
Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 13:15:25 +0000 (13:15 +0000)]
Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 13:15:05 +0000 (13:15 +0000)]
Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 11:39:52 +0000 (11:39 +0000)]
Ensure that both the MD and key have been initialised before attempting to
create an HMAC
Inspired by BoringSSL commit
2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 12:38:04 +0000 (12:38 +0000)]
Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 5 Feb 2015 16:04:58 +0000 (16:04 +0000)]
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG was disabled in 0.9.8q and 1.0.0c.
This commit sets the value of SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG to
zero.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 26 Feb 2015 13:52:30 +0000 (13:52 +0000)]
Deprecate RAND_pseudo_bytes
The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:
if(RAND_pseudo_bytes(...) <= 1)
goto err;
In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.
This form is also seen:
if(!RAND_pseudo_bytes(...))
goto err;
This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.
Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.
If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.
Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 26 Feb 2015 11:57:37 +0000 (11:57 +0000)]
RAND_bytes updates
Ensure RAND_bytes return value is checked correctly, and that we no longer
use RAND_pseudo_bytes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 13 Mar 2015 16:48:01 +0000 (16:48 +0000)]
Fix return checks in GOST engine
Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 13 Mar 2015 15:04:54 +0000 (15:04 +0000)]
Fix misc NULL derefs in sureware engine
Fix miscellaneous NULL pointer derefs in the sureware engine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 5 Feb 2015 13:59:16 +0000 (13:59 +0000)]
Add ticket length before buffering DTLS message
In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 5 Feb 2015 13:54:37 +0000 (13:54 +0000)]
Ensure last_write_sequence is saved in DTLS1.2
In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to
00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rich Salz [Tue, 24 Mar 2015 14:17:37 +0000 (10:17 -0400)]
free NULL cleanup
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets DH_free, DSA_free, RSA_free
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Tue, 24 Mar 2015 18:58:51 +0000 (18:58 +0000)]
update ordinals
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 24 Mar 2015 14:11:29 +0000 (15:11 +0100)]
Update ordinals
Thanks to the change of mkdef.pl, a few more deprecated functions were
properly defined in util/libeay.num.
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Tue, 24 Mar 2015 14:02:51 +0000 (15:02 +0100)]
Teach mkdef.pl to handle multiline declarations.
For the moment, this is specially crafted for DECLARE_DEPRECATED because
that's where we found the problem, but it can easily be expanded to other
types of special delarations when needed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Tue, 24 Mar 2015 16:21:21 +0000 (16:21 +0000)]
Fix verify algorithm.
Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Sun, 15 Mar 2015 16:26:04 +0000 (16:26 +0000)]
make ASN1_OBJECT opaque
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Fri, 13 Mar 2015 14:16:32 +0000 (14:16 +0000)]
Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Sun, 22 Mar 2015 17:34:56 +0000 (17:34 +0000)]
Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.
PR#3668
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Tue, 24 Mar 2015 12:05:05 +0000 (12:05 +0000)]
make depend
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Mon, 23 Mar 2015 22:57:47 +0000 (22:57 +0000)]
Move some EVP internals to evp_int.h
Move EVP internals to evp_int.h, remove -Ievp hack from crypto/Makefile
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Mon, 23 Mar 2015 18:42:42 +0000 (18:42 +0000)]
Move some ASN.1 internals to asn1_int.h
Move ASN.1 internals used across multiple directories into new internal
header file asn1_int.h remove crypto/Makefile hack which allowed other
directories to include "asn1_locl.h"
Reviewed-by: Matt Caswell <matt@openssl.org>
Rich Salz [Tue, 24 Mar 2015 11:52:24 +0000 (07:52 -0400)]
free NULL cleanup
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets ASN1_OBJECT_free and ASN1_STRING_free.
Reviewed-by: Matt Caswell <matt@openssl.org>
Mike Frysinger [Sat, 21 Mar 2015 09:08:41 +0000 (05:08 -0400)]
Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.
Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828
RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Richard Levitte [Tue, 24 Mar 2015 11:16:31 +0000 (12:16 +0100)]
Use OPENSSL_malloc rather than malloc/calloc
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Tue, 24 Mar 2015 07:38:22 +0000 (08:38 +0100)]
Fix eng_cryptodev to not depend on BN internals.
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Tue, 24 Mar 2015 10:59:01 +0000 (11:59 +0100)]
Adjust include path
Thanks to a -I.., the path does work, at least on unix. However, this
doesn't work so well on VMS. Correcting the path to not rely on given
-I does work on both.
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Tue, 24 Mar 2015 10:57:14 +0000 (11:57 +0100)]
JPAKE Makefile missing 'files' target
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Mon, 9 Feb 2015 14:54:48 +0000 (14:54 +0000)]
Remove old style ASN.1 support.
Remove old ASN.1 COMPAT type. This was meant as a temporary measure
so older ASN.1 code (from OpenSSL 0.9.6) still worked. It's a hack
which breaks constification and hopefully nothing uses it now, if
it ever did.
Reviewed-by: Matt Caswell <matt@openssl.org>
Kurt Roeckx [Sat, 14 Mar 2015 23:26:26 +0000 (00:26 +0100)]
return unexpected message when receiving kx with kDHr or kDHd
It was saying that it was an illegal parameter / unsupported cipher
Reviewed-by: Matt Caswell <matt@openssl.org>
Kurt Roeckx [Sat, 14 Mar 2015 22:23:26 +0000 (23:23 +0100)]
Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
Kurt Roeckx [Wed, 18 Mar 2015 18:02:50 +0000 (19:02 +0100)]
Make sure that cert is never NULL
Also removes for it being NULL
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Mon, 23 Mar 2015 18:47:05 +0000 (18:47 +0000)]
Fix build.
Remove x_exten.c and x_exten.o from crypto/asn1/Makefile: they've moved now.
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Sun, 15 Mar 2015 13:43:56 +0000 (13:43 +0000)]
make X509_EXTENSION opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 23 Mar 2015 15:27:40 +0000 (15:27 +0000)]
Fix SSL_clear unused return
Fix missing return value check in dtls1_listen when calling SSL_clear().
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 9 Mar 2015 15:33:46 +0000 (15:33 +0000)]
ssl3_set_handshake_header returns
Change ssl_set_handshake_header from return void to returning int, and
handle error return code appropriately.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 6 Mar 2015 14:39:46 +0000 (14:39 +0000)]
apps return value checks
Ensure that all libssl functions called from within the apps have their
return values checked where appropriate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 6 Mar 2015 14:37:17 +0000 (14:37 +0000)]
Fix missing return value checks
Ensure that all functions have their return values checked where
appropriate. This covers all functions defined and called from within
libssl.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 5 Mar 2015 10:14:40 +0000 (10:14 +0000)]
Check libssl function returns
Mark most functions returning a result defined in any libssl header file
with __owur to warn if they are used without checking the return value.
Use -DUNUSED_RETURN compiler flag with gcc to activate these warnings.
Some functions returning a result are skipped if it is common and valid to
use these functions without checking the return value.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 6 Mar 2015 14:22:22 +0000 (14:22 +0000)]
Add -DDEBUG_UNUSED to --strict-warnings
In order to receive warnings on unused function return values the flag
-DDEBUG_UNUSED must be passed to the compiler. This change adds that for the
--strict-warnings Configure option.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Sun, 22 Mar 2015 08:00:43 +0000 (09:00 +0100)]
Remove PREFIX, as it's not used any more.
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Sun, 22 Mar 2015 07:56:02 +0000 (08:56 +0100)]
Actually remove TABLE from version control
Follow up on the earlier "Do not keep TABLE in version control".
Actually removing TABLE from version control was forgotten.
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Fri, 20 Mar 2015 15:10:16 +0000 (15:10 +0000)]
Don't check curves that haven't been sent
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Dr. Stephen Henson [Mon, 23 Mar 2015 13:47:57 +0000 (13:47 +0000)]
Remove deleted functions, update ordinals.
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Sat, 14 Mar 2015 18:06:59 +0000 (18:06 +0000)]
Remove {i2d,d2i}_ASN1_BOOLEAN
Remove {i2d,d2i}_ASN1_BOOLEAN.
Rewrite single occurrence of d2i_ASN1_BOOLEAN in asn1_parse2
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Sat, 14 Mar 2015 04:16:42 +0000 (04:16 +0000)]
Remove old ASN.1 code.
Remove old M_ASN1_ macros and replace any occurences with the corresponding
function.
Remove d2i_ASN1_bytes, d2i_ASN1_SET, i2d_ASN1_SET: no longer used internally.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Mon, 23 Mar 2015 12:34:03 +0000 (13:34 +0100)]
sha/asm/sha256-armv4.pl: adapt for use in Linux kernel context.
In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Sat, 21 Mar 2015 23:27:48 +0000 (00:27 +0100)]
Refer to $table{$target} rather than $table{$t}.
Using $t is an artifact from the earlier changes in Configure and was
unfortunately forgotten as is.
Reviewed-by: Stephen Henson <steve@openssl.org>
Dr. Stephen Henson [Fri, 20 Mar 2015 22:53:16 +0000 (22:53 +0000)]
Add AES unwrap test with invalid key.
This tests the unwrap algorithm with an invalid key. The result should
be rejected without returning any plaintext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Dr. Stephen Henson [Fri, 20 Mar 2015 23:08:30 +0000 (23:08 +0000)]
Fix memory leak.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Richard Godbee [Sat, 14 Mar 2015 04:23:21 +0000 (21:23 -0700)]
CRYPTO_128_unwrap(): Fix refactoring damage
crypto/modes/wrap128.c was heavily refactored to support AES Key Wrap
with Padding, and four bugs were introduced into CRYPTO_128_unwrap() at
that time:
- crypto_128_unwrap_raw()'s return value ('ret') is checked incorrectly,
and the function immediately returns 'ret' in (almost) all cases.
This makes the IV checking code later in the function unreachable, but
callers think the IV check succeeded since CRYPTO_128_unwrap()'s
return value is non-zero.
FIX: Return 0 (error) if crypto_128_unwrap_raw() returned 0 (error).
- crypto_128_unwrap_raw() writes the IV to the 'got_iv' buffer, not to
the first 8 bytes of the output buffer ('out') as the IV checking code
expects. This makes the IV check fail.
FIX: Compare 'iv' to 'got_iv', not 'out'.
- The data written to the output buffer ('out') is "cleansed" if the IV
check fails, but the code passes OPENSSL_cleanse() the input buffer
length ('inlen') instead of the number of bytes that
crypto_128_unwrap_raw() wrote to the output buffer ('ret'). This
means that OPENSSL_cleanse() could potentially write past the end of
'out'.
FIX: Change 'inlen' to 'ret' in the OPENSSL_cleanse() call.
- CRYPTO_128_unwrap() is returning the length of the input buffer
('inlen') instead of the number of bytes written to the output buffer
('ret'). This could cause the caller to read past the end of 'out'.
FIX: Return 'ret' instead of 'inlen' at the end of the function.
PR#3749
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Richard Godbee [Sat, 14 Mar 2015 03:54:39 +0000 (20:54 -0700)]
wrap128.c: Fix Doxygen comments
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Tue, 3 Mar 2015 16:08:58 +0000 (16:08 +0000)]
Add DTLS tests to make test
Updated test/testssl script to include the new DTLS capability in ssltest.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
David Woodhouse [Tue, 3 Mar 2015 15:47:08 +0000 (15:47 +0000)]
Add DTLS support to ssltest
Reviewed-by: Emilia Käsper <emilia@openssl.org>
David Woodhouse [Tue, 3 Mar 2015 15:39:26 +0000 (15:39 +0000)]
Add DTLS to SSL_get_version
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Richard Levitte [Thu, 19 Mar 2015 21:35:12 +0000 (22:35 +0100)]
If the target is an old style debug- target, it will not have debugging [cl]flags
Reviewed-by: Stephen Henson <steve@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 10:16:32 +0000 (10:16 +0000)]
Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 18 Mar 2015 10:10:01 +0000 (10:10 +0000)]
Update NEWS
Resync NEWS with the latest version from 1.0.2
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 18 Mar 2015 09:35:22 +0000 (09:35 +0000)]
Update CHANGES
Resync CHANGES with the latest version from 1.0.2.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Emilia Kasper [Fri, 27 Feb 2015 15:52:23 +0000 (16:52 +0100)]
PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.
This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.
Correcting all low-level API calls requires further work.
CVE-2015-0289
Thanks to Michal Zalewski (Google) for reporting this issue.
Reviewed-by: Steve Henson <steve@openssl.org>
Dr. Stephen Henson [Mon, 9 Mar 2015 23:11:45 +0000 (23:11 +0000)]
Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
CVE-2015-0286
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Mar 2015 16:38:32 +0000 (16:38 +0000)]
Fix DHE Null CKE vulnerability
If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.
CVE-2015-1787
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Tue, 3 Mar 2015 13:20:57 +0000 (13:20 +0000)]
Fix for CVE-2015-0291
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.
Thanks to David Ramos of Stanford University for reporting this bug.
CVE-2015-0291
Reviewed-by: Tim Hudson <tjh@openssl.org>
Dr. Stephen Henson [Mon, 9 Mar 2015 23:16:33 +0000 (23:16 +0000)]
Reject invalid PSS parameters.
Fix a bug where invalid PSS parameters are not rejected resulting in a
NULL pointer exception. This can be triggered during certificate
verification so could be a DoS attack against a client or a server
enabling client authentication.
Thanks to Brian Carpenter for reporting this issues.
CVE-2015-0208
Reviewed-by: Tim Hudson <tjh@openssl.org>
Dr. Stephen Henson [Mon, 23 Feb 2015 02:32:44 +0000 (02:32 +0000)]
Free up ADB and CHOICE if already initialised.
CVE-2015-0287
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Mon, 9 Mar 2015 16:09:04 +0000 (16:09 +0000)]
Fix Seg fault in DTLSv1_listen
The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.
CVE-2015-0207
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 2 Mar 2015 09:27:10 +0000 (09:27 +0000)]
Multiblock corrupted pointer fix
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.
CVE-2015-0290
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Andy Polyakov [Mon, 16 Mar 2015 21:33:36 +0000 (22:33 +0100)]
Configure: fold related configurations more aggressively and clean-up.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 17 Mar 2015 15:30:54 +0000 (16:30 +0100)]
Correct the request of debug builds
./config would translate -d into having the target get a 'debug-'
prefix, and then run './Configure LIST' to find out if such a
debugging target exists or not.
With the recent changes, the separate 'debug-foo' targets are
disappearing, and we're giving the normal targets debugging
capabilities instead. Unfortunately, './config' wasn't changed to
match this new behavior.
This change introduces the arguments '--debug' and '--release' - the
latter just for orthogonality - to ./Configure, and ./config now
treats -d by adding '--debug' to the options for ./Configure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Thu, 12 Mar 2015 14:09:00 +0000 (14:09 +0000)]
Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 12 Mar 2015 14:08:21 +0000 (14:08 +0000)]
Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.
Reviewed-by: Richard Levitte <levitte@openssl.org>