Matt Caswell [Tue, 27 Jan 2015 10:03:29 +0000 (10:03 +0000)]
In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store.
When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.
RT3637
RT3621
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Kurt Roeckx [Sat, 18 Apr 2015 10:50:25 +0000 (12:50 +0200)]
Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
ac38115c1a4fb61c66c2a8cd2a9800751828d328)
Emilia Kasper [Tue, 19 May 2015 10:05:22 +0000 (12:05 +0200)]
client: reject handshakes with DH parameters < 768 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Emilia Kasper [Tue, 12 May 2015 14:10:05 +0000 (16:10 +0200)]
Update documentation with Diffie-Hellman best practices.
- Do not advise generation of DH parameters with dsaparam to save
computation time.
- Promote use of custom parameters more, and explicitly forbid use of
built-in parameters weaker than 2048 bits.
- Advise the callback to ignore <keylength> - it is currently called
with 1024 bits, but this value can and should be safely ignored by
servers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Emilia Kasper [Wed, 13 May 2015 10:05:41 +0000 (12:05 +0200)]
dhparam: fix documentation
The default bitlength is now 2048. Also clarify that either the number
of bits or the generator must be present:
$ openssl dhparam -2
and
$ openssl dhparam 2048
generate parameters but
$ openssl dhparam
does not.
Reviewed-by: Matt Caswell <matt@openssl.org>
Emilia Kasper [Wed, 13 May 2015 09:57:55 +0000 (11:57 +0200)]
dhparam: set the default to 2048 bits
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Emilia Kasper [Tue, 12 May 2015 18:15:46 +0000 (20:15 +0200)]
s_server: Use 2048-bit DH parameters by default.
Reviewed-by: Rich Salz <rsalz@openssl.org>
StudioEtrange [Wed, 20 May 2015 08:35:39 +0000 (04:35 -0400)]
GitHub284: Fix typo in xx-32.pl scripts.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Robert Swiecki [Mon, 18 May 2015 23:08:02 +0000 (19:08 -0400)]
Don't add write errors into bytecounts
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
00d565cfbe90fab3b157e644caca4eb4a2ebec79)
Andy Polyakov [Sun, 15 Jul 2012 13:40:04 +0000 (13:40 +0000)]
mk1mf.pl: replace chop for windows.
Backport old patch to make it work in mixture of perls for Windows.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Cherry-picked from
7bb98eee3c9e4694dfc2217001d5075ce8d2906e
(cherry picked from commit
051b41df4105355a5a9c7f1c0bd00cc70b2d324c)
Rich Salz [Tue, 12 May 2015 15:49:32 +0000 (11:49 -0400)]
Add NULL checks from master
The big "don't check for NULL" cleanup requires backporting some
of the lowest-level functions to actually do nothing if NULL is
given. This will make it easier to backport fixes to release
branches, where master assumes those lower-level functions are "safe"
This commit addresses those tickets: 3798 3799 3801.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
f34b095fab1569d093b639bfcc9a77d6020148ff)
Hanno Böck [Mon, 11 May 2015 10:33:37 +0000 (11:33 +0100)]
Call of memcmp with null pointers in obj_cmp()
The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.
This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):
apps/openssl pkcs7 -in test/testp7.pem
What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.
RT#3816
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
2b8dc08b74fc3c6d4c2fc855cc23bac691d985be)
Matt Caswell [Wed, 6 May 2015 20:31:16 +0000 (21:31 +0100)]
Don't allow a CCS when expecting a CertificateVerify
Currently we set change_cipher_spec_ok to 1 before calling
ssl3_get_cert_verify(). This is because this message is optional and if it
is not sent then the next thing we would expect to get is the CCS. However,
although it is optional, we do actually know whether we should be receiving
one in advance. If we have received a client cert then we should expect
a CertificateVerify message. By the time we get to this point we will
already have bombed out if we didn't get a Certificate when we should have
done, so it is safe just to check whether |peer| is NULL or not. If it is
we won't get a CertificateVerify, otherwise we will. Therefore we should
change the logic so that we only attempt to get the CertificateVerify if
we are expecting one, and not allow a CCS in this scenario.
Whilst this is good practice for TLS it is even more important for DTLS.
In DTLS messages can be lost. Therefore we may be in a situation where a
CertificateVerify message does not arrive even though one was sent. In that
case the next message the server will receive will be the CCS. This could
also happen if messages get re-ordered in-flight. In DTLS if
|change_cipher_spec_ok| is not set and a CCS is received it is ignored.
However if |change_cipher_spec_ok| *is* set then a CCS arrival will
immediately move the server into the next epoch. Any messages arriving for
the previous epoch will be ignored. This means that, in this scenario, the
handshake can never complete. The client will attempt to retransmit
missing messages, but the server will ignore them because they are the wrong
epoch. The server meanwhile will still be waiting for the CertificateVerify
which is never going to arrive.
RT#2958
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit
a0bd6493369d960abef11c2346b9bbb308b4285a)
Kurt Cancemi [Thu, 7 May 2015 20:12:33 +0000 (16:12 -0400)]
Add missing NULL check in X509V3_parse_list()
Matt's note: I added a call to X509V3err to Kurt's original patch.
RT#3840
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
344c271eb339fc2982e9a3584a94e51112d84584)
Bjoern D. Rasmussen [Sun, 10 May 2015 05:51:29 +0000 (07:51 +0200)]
Fix for memcpy() and strcmp() being undefined.
clang says: "s_cb.c:958:9: error: implicitly declaring library function
'memcpy'"
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
8f744cceff5bce8cb00a6ddd739c1bbb85c142ea)
Conflicts:
apps/s_cb.c
Matt Caswell [Sat, 9 May 2015 05:51:25 +0000 (13:51 +0800)]
Check sk_SSL_CIPHER_new_null return value
If sk_SSL_CIPHER_new_null() returns NULL then ssl_bytes_to_cipher_list()
should also return NULL.
Based on an original patch by mrpre <mrpre@163.com>.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
14def5f5375594830597cc153e11c6017f6adddf)
Matt Caswell [Thu, 30 Apr 2015 10:50:08 +0000 (11:50 +0100)]
Add more error state transitions (DTLS)
Ensure all fatal errors transition into the new error state for DTLS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
cefc93910c4c0f7fa9f8c1f8f7aad084a7fa87d2)
Conflicts:
ssl/d1_srvr.c
Conflicts:
ssl/d1_srvr.c
Matt Caswell [Thu, 30 Apr 2015 10:32:35 +0000 (11:32 +0100)]
Add more error state transitions (client)
Ensure all fatal errors transition into the new error state on the client
side.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
cc273a93617a5c1e69cb5db6f655e463f8e31806)
Conflicts:
ssl/s3_clnt.c
Conflicts:
ssl/s3_clnt.c
Matt Caswell [Thu, 30 Apr 2015 10:11:04 +0000 (11:11 +0100)]
Add more error state transitions
Ensure all fatal errors transition into the new error state on the server
side.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
cf9b0b6fb253fd40225d7c648a08646686e62d2d)
Conflicts:
ssl/s3_srvr.c
Matt Caswell [Thu, 23 Apr 2015 19:01:33 +0000 (20:01 +0100)]
Add Error state
Reusing an SSL object when it has encountered a fatal error can
have bad consequences. This is a bug in application code not libssl
but libssl should be more forgiving and not crash.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
a89db885e0d8aac3a9df1bbccb0c1ddfd8b2e10a)
Conflicts:
ssl/s3_srvr.c
ssl/ssl_stat.c
Richard Levitte [Mon, 4 May 2015 15:34:40 +0000 (17:34 +0200)]
RT2943: Check sizes if -iv and -K arguments
RT2943 only complains about the incorrect check of -K argument size,
we might as well do the same thing with the -iv argument.
Before this, we only checked that the given argument wouldn't give a
bitstring larger than EVP_MAX_KEY_LENGTH. we can be more precise and
check against the size of the actual cipher used.
(cherry picked from commit
8920a7cd04f43b1a090d0b0a8c9e16b94c6898d4)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Gilles Khouzam [Sat, 2 May 2015 02:20:42 +0000 (22:20 -0400)]
RT3820: Don't call GetDesktopWindow()
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
bed2edf1cb73f1fe2c11029acc694086bc14443e)
Hanno Böck [Sat, 2 May 2015 02:27:20 +0000 (22:27 -0400)]
Fix uninitialized variable.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit
539ed89f686866b82a9ec9a4c3b112878d29cd73)
Matt Caswell [Wed, 29 Apr 2015 12:22:18 +0000 (13:22 +0100)]
Fix buffer overrun in RSA signing
The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding.
It is only triggered if the RSA key size is smaller than the digest length.
So with SHA512 you can trigger the overflow with anything less than an RSA
512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA
key. This wasn't sufficient to cause a crash, although your mileage may
vary.
In practice RSA keys of this length are never used and X931 padding is very
rare. Even if someone did use an excessively short RSA key, the chances of
them combining that with a longer digest and X931 padding is very
small. For these reasons I do not believe there is a security implication to
this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
34166d41892643a36ad2d1f53cc0025e2edc2a39)
Matt Caswell [Wed, 29 Apr 2015 08:58:10 +0000 (09:58 +0100)]
Add sanity check to print_bin function
Add a sanity check to the print_bin function to ensure that the |off|
argument is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
3deeeeb61b0c5b9b5f0993a67b7967d2f85186da)
Matt Caswell [Tue, 28 Apr 2015 14:28:23 +0000 (15:28 +0100)]
Add sanity check to ssl_get_prev_session
Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
cb0f400b0cea2d2943f99b1e89c04ff6ed748cd5)
Matt Caswell [Tue, 28 Apr 2015 14:19:50 +0000 (15:19 +0100)]
Sanity check the return from final_finish_mac
The return value is checked for 0. This is currently safe but we should
really check for <= 0 since -1 is frequently used for error conditions.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
c427570e5098e120cbcb66e799f85c317aac7b91)
Conflicts:
ssl/ssl_locl.h
Conflicts:
ssl/ssl_locl.h
Matt Caswell [Mon, 27 Apr 2015 14:41:42 +0000 (15:41 +0100)]
Add sanity check in ssl3_cbc_digest_record
For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst
this is true for all SSLv3 ciphersuites, this fact is far from obvious by
looking at the code. If this were not the case then an integer overflow
would occur, leading to a subsequent buffer overflow. Therefore I have
added an explicit sanity check to ensure header_length is always valid.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
29b0a15a480626544dd0c803d5de671552544de6)
Matt Caswell [Mon, 27 Apr 2015 14:41:03 +0000 (15:41 +0100)]
Clarify logic in BIO_*printf functions
The static function dynamically allocates an output buffer if the output
grows larger than the static buffer that is normally used. The original
logic implied that |currlen| could be greater than |maxlen| which is
incorrect (and if so would cause a buffer overrun). Also the original
logic would call OPENSSL_malloc to create a dynamic buffer equal to the
size of the static buffer, and then immediately call OPENSSL_realloc to
make it bigger, rather than just creating a buffer than was big enough in
the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
9d9e37744cd5119f9921315864d1cd28717173cd)
Matt Caswell [Mon, 27 Apr 2015 10:13:56 +0000 (11:13 +0100)]
Sanity check EVP_EncodeUpdate buffer len
There was already a sanity check to ensure the passed buffer length is not
zero. Extend this to ensure that it also not negative. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
b86d7dca69f5c80abd60896c8ed3039fc56210cc)
Matt Caswell [Mon, 27 Apr 2015 10:07:06 +0000 (11:07 +0100)]
Sanity check EVP_CTRL_AEAD_TLS_AAD
The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
c8269881093324b881b81472be037055571f73f3)
Conflicts:
ssl/record/ssl3_record.c
Conflicts:
apps/speed.c
crypto/evp/e_aes_cbc_hmac_sha256.c
crypto/evp/evp.h
Matt Caswell [Mon, 27 Apr 2015 10:04:56 +0000 (11:04 +0100)]
Sanity check DES_enc_write buffer length
Add a sanity check to DES_enc_write to ensure the buffer length provided
is not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
873fb39f20b6763daba226b74e83fb194924c7bf)
Matt Caswell [Wed, 29 Apr 2015 15:15:40 +0000 (16:15 +0100)]
Add length sanity check in SSLv2 n_do_ssl_write()
Fortify flagged up a problem in n_do_ssl_write() in SSLv2. Analysing the
code I do not believe there is a real problem here. However the logic flows
are complicated enough that a sanity check of |len| is probably worthwhile.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
c5f8cd7bc661f90dc012c9d2bae1808a4281985f)
Loganaden Velvindron [Wed, 22 Apr 2015 15:16:30 +0000 (16:16 +0100)]
Fix CRYPTO_strdup
The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.
RT3786
Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
37b0cf936744d9edb99b5dd82cae78a7eac6ad60)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)
Emilia Kasper [Tue, 21 Apr 2015 16:12:58 +0000 (18:12 +0200)]
Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec6114f5511b20c2e6ca741e61a39b99d6
and
7b3ba508af5c86afe43e28174aa3c53a0a24f4d9
removed the lookahead so broke session resumption.
This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.
Regular handshakes are unaffected by this change.
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
6e3d015363ed09c4eff5c02ad41153387ffdf5af)
Emilia Kasper [Tue, 14 Apr 2015 15:42:42 +0000 (17:42 +0200)]
Initialize variable
newsig may be used (freed) uninitialized on a malloc error.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
68249414405500660578b337f1c8dd5dd4bb5bcc)
Emilia Kasper [Thu, 16 Apr 2015 16:11:56 +0000 (18:11 +0200)]
make update
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Richard Levitte [Wed, 25 Mar 2015 13:41:58 +0000 (14:41 +0100)]
Initialised 'ok' and redo the logic.
The logic with how 'ok' was calculated didn't quite convey what's "ok",
so the logic is slightly redone to make it less confusing.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
06affe3dac65592a341547f5a47e52cedb7b71f8)
Matt Caswell [Fri, 13 Mar 2015 16:48:01 +0000 (16:48 +0000)]
Fix return checks in GOST engine
Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
8817e2e0c998757d3bd036d7f45fe8d0a49fbe2d)
Matt Caswell [Fri, 13 Mar 2015 15:04:54 +0000 (15:04 +0000)]
Fix misc NULL derefs in sureware engine
Fix miscellaneous NULL pointer derefs in the sureware engine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
7b611e5fe8eaac9512f72094c460f3ed6040076a)
Dr. Stephen Henson [Thu, 16 Apr 2015 15:43:09 +0000 (16:43 +0100)]
Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.
Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
a0eed48d37a4b7beea0c966caf09ad46f4a92a44)
Emilia Kasper [Wed, 15 Apr 2015 12:18:55 +0000 (14:18 +0200)]
Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb)
Viktor Dukhovni [Thu, 16 Apr 2015 06:51:52 +0000 (02:51 -0400)]
Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
Andy Polyakov [Tue, 8 Jul 2014 21:06:59 +0000 (23:06 +0200)]
Please Clang's sanitizer, addendum.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Wed, 15 Apr 2015 23:00:40 +0000 (00:00 +0100)]
Limit depth of nested sequences when generating ASN.1
Reported by Hanno Böck <hanno@hboeck.de>
PR#3800
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
c4137b5e828d8fab0b244defb79257619dad8fc7)
Dr. Stephen Henson [Wed, 15 Apr 2015 23:21:05 +0000 (00:21 +0100)]
Reject empty generation strings.
Reported by Hanno Böck <hanno@hboeck.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
111b60bea01d234b5873488c19ff2b9c5d4d58e9)
Matt Caswell [Fri, 10 Apr 2015 15:49:33 +0000 (16:49 +0100)]
Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.
This is probably made redundant by the previous commit - but you can never be
too careful.
With thanks to Qinghao Tang for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad)
Matt Caswell [Fri, 10 Apr 2015 16:25:27 +0000 (17:25 +0100)]
Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.
With thanks to Qinghao Tang for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
Kurt Roeckx [Sat, 11 Apr 2015 14:39:13 +0000 (16:39 +0200)]
do_dirname: Don't change gen on failures
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
8ec5c5dd361343d9017eff8547b19e86e4944ebc)
Kurt Roeckx [Sat, 11 Apr 2015 15:08:38 +0000 (17:08 +0200)]
X509_VERIFY_PARAM_free: Check param for NULL
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit
f49baeff50d0be9c8d86aed6fb4a08841aa3da41)
Dr. Stephen Henson [Thu, 2 Apr 2015 12:45:14 +0000 (13:45 +0100)]
Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.
*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.
Thanks to Julien Kauffmann for reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
f617b4969a9261b9d7d381670aefbe2cf766a2cb)
Conflicts:
crypto/asn1/tasn_new.c
Richard Levitte [Wed, 8 Apr 2015 17:26:11 +0000 (19:26 +0200)]
Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines. That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:
{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
"Peer haven't sent GOST certificate, required for selected ciphersuite"},
However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:
{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
"No gost certificate sent by peer"},
Clearly not what we wanted. This change fixes this problem.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
2cfdfe0918f03f8323c9523a2beb2b363ae86ca7)
Richard Levitte [Wed, 1 Apr 2015 09:36:18 +0000 (11:36 +0200)]
Ignore the non-dll windows specific build directories
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
37d92b1b2bb6e6e04d62d6f7774a2d8190a99174)
Emilia Kasper [Wed, 1 Apr 2015 15:08:45 +0000 (17:08 +0200)]
Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c
Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
ae50d8270026edf5b3c7f8aaa0c6677462b33d97)
John Foley [Tue, 7 Apr 2015 22:05:05 +0000 (23:05 +0100)]
Fix intermittent s_server issues with ECDHE
Resolve a problem when using s_server with ECDHE cipher
suites in OpenSSL_1_0_1-stable. Due to an uninitialized variable,
SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug
appears to have been introduced by
059907771b89549cbd07a81df1a5bdf51e062066.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Douglas E Engert [Wed, 25 Mar 2015 23:52:28 +0000 (23:52 +0000)]
Ensure EC private keys retain leading zeros
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
30cd4ff294252c4b6a4b69cbef6a5b4117705d22)
Conflicts:
crypto/ec/ec_asn1.c
Emilia Kasper [Tue, 24 Mar 2015 18:59:14 +0000 (19:59 +0100)]
Fix uninitialized variable warning
While a true positive, it's almost harmless because EVP_DecryptInit_ex would have to fail and that doesn't happen under normal operation.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 25 Feb 2015 11:30:43 +0000 (11:30 +0000)]
Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
70e5fd877890489a3972bf8bf50bfec1fca3875e)
Matt Caswell [Tue, 10 Feb 2015 13:15:25 +0000 (13:15 +0000)]
Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 13:15:05 +0000 (13:15 +0000)]
Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 10 Feb 2015 11:39:52 +0000 (11:39 +0000)]
Ensure that both the MD and key have been initialised before attempting to
create an HMAC
Inspired by BoringSSL commit
2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594
Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
crypto/hmac/hmac.c
Matt Caswell [Tue, 10 Feb 2015 12:38:04 +0000 (12:38 +0000)]
Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 26 Feb 2015 16:28:59 +0000 (16:28 +0000)]
Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
8f8e4e4f5253085ab673bb74094c3e492c56af44)
Conflicts:
crypto/evp/e_des3.c
Kurt Roeckx [Sat, 14 Mar 2015 22:23:26 +0000 (23:23 +0100)]
Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
93f1c13619c5b41f2dcfdbf6ae666f867922a87a)
Dr. Stephen Henson [Fri, 13 Mar 2015 14:16:32 +0000 (14:16 +0000)]
Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
7b68c30da01b4eedcd546f81844156646387cacb)
Dr. Stephen Henson [Sun, 22 Mar 2015 17:34:56 +0000 (17:34 +0000)]
Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.
PR#3668
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
4ca5efc2874e094d6382b30416824eda6dde52fe)
Mike Frysinger [Sat, 21 Mar 2015 09:08:41 +0000 (05:08 -0400)]
Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.
Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828
RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
7c82e339a677f8546e1456c7a8f6788598a9de43)
Matt Caswell [Thu, 19 Mar 2015 13:41:07 +0000 (13:41 +0000)]
Prepare for 1.0.1n-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 13:38:37 +0000 (13:38 +0000)]
Prepare for 1.0.1m release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 13:38:37 +0000 (13:38 +0000)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 11:35:33 +0000 (11:35 +0000)]
Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 19 Mar 2015 10:16:32 +0000 (10:16 +0000)]
Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 17 Mar 2015 17:01:09 +0000 (17:01 +0000)]
Update NEWS file
Update the NEWS file with the latest entries from CHANGES ready for the
release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 17 Mar 2015 16:56:27 +0000 (16:56 +0000)]
Update CHANGES for release
Update CHANGES fiel with all the latest fixes ready for the release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 18 Mar 2015 09:48:03 +0000 (09:48 +0000)]
Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Emilia Kasper [Wed, 4 Mar 2015 17:05:02 +0000 (09:05 -0800)]
Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.
Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.
CVE-2015-0293
This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Emilia Kasper [Fri, 27 Feb 2015 15:52:23 +0000 (16:52 +0100)]
PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.
This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.
Correcting all low-level API calls requires further work.
CVE-2015-0289
Thanks to Michal Zalewski (Google) for reporting this issue.
Reviewed-by: Steve Henson <steve@openssl.org>
Dr. Stephen Henson [Mon, 9 Mar 2015 23:11:45 +0000 (23:11 +0000)]
Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
CVE-2015-0286
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dr. Stephen Henson [Mon, 23 Feb 2015 02:32:44 +0000 (02:32 +0000)]
Free up ADB and CHOICE if already initialised.
CVE-2015-0287
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Thu, 12 Mar 2015 14:09:00 +0000 (14:09 +0000)]
Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
11abf92259e899f4f7da4a3e80781e84b0fb1a64)
Matt Caswell [Thu, 12 Mar 2015 14:08:21 +0000 (14:08 +0000)]
Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
b7573c597c1932ef709b2455ffab47348b5c54e5)
Matt Caswell [Thu, 12 Mar 2015 16:42:55 +0000 (16:42 +0000)]
Fix seg fault in s_time
Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
dfef52f6f277327e118fdd0fe34486852c2789b6)
Matt Caswell [Thu, 12 Mar 2015 14:37:26 +0000 (14:37 +0000)]
Add sanity check to PRF
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
668f6f08c62177ab5893fc26ebb67053aafdffc8)
Matt Caswell [Thu, 12 Mar 2015 12:54:44 +0000 (12:54 +0000)]
Fix memset call in stack.c
The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
7132ac830fa08d9a936e011d7c541b0c52115b33)
Matt Caswell [Thu, 12 Mar 2015 11:25:03 +0000 (11:25 +0000)]
Move malloc fail checks closer to malloc
Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
be1477adc97e76f4b83ed8075589f529069bd5d1)
Matt Caswell [Thu, 12 Mar 2015 11:10:47 +0000 (11:10 +0000)]
Add malloc failure checks
Add some missing checks for memory allocation failures in ca app.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
a561bfe944c0beba73551731cb98af70dfee3549)
Andy Polyakov [Sat, 21 Feb 2015 12:51:56 +0000 (13:51 +0100)]
Avoid reading an unused byte after the buffer
Other curves don't have this problem.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit
9fbbdd73c58c29dc46cc314f7165e45e6d43fd60)
Emilia Kasper [Sat, 14 Mar 2015 04:10:13 +0000 (21:10 -0700)]
Fix undefined behaviour in shifts.
Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.
(For consistency, cast other shifts, too.)
Caught by -fsanitize=shift
Submitted by Nick Lewycky (Google)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
8b37e5c14f0eddb10c7f91ef91004622d90ef361)
Dr. Stephen Henson [Sun, 1 Mar 2015 15:25:39 +0000 (15:25 +0000)]
additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
3d764db7a24e3dca1a3ee57202ce3c818d592141)
Dr. Stephen Henson [Wed, 11 Mar 2015 23:30:52 +0000 (23:30 +0000)]
ASN.1 print fix.
When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
5dc1247a7494f50c88ce7492518bbe0ce6f124fa)
Matt Caswell [Wed, 11 Mar 2015 20:50:20 +0000 (20:50 +0000)]
Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in c3_cpols.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
c5f2b5336ab72e40ab91e2ca85639f51fa3178c6)
Matt Caswell [Wed, 11 Mar 2015 20:19:08 +0000 (20:19 +0000)]
Fix dsa_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
0c7ca4033dcf5398334d4b78a7dfb941c8167a40)
Matt Caswell [Wed, 11 Mar 2015 20:08:16 +0000 (20:08 +0000)]
Fix dh_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2)
Conflicts:
crypto/dh/dh_ameth.c
Matt Caswell [Wed, 11 Mar 2015 19:41:01 +0000 (19:41 +0000)]
Fix asn1_item_print_ctx
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
34a7ed0c39aa3ab67eea1e106577525eaf0d7a00)
Matt Caswell [Wed, 11 Mar 2015 16:00:01 +0000 (16:00 +0000)]
ASN1_primitive_new NULL param handling
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
9e488fd6ab2c295941e91a47ab7bcd346b7540c7)
Matt Caswell [Wed, 11 Mar 2015 15:41:52 +0000 (15:41 +0000)]
Fix EVP_DigestInit_ex with NULL digest
Calling EVP_DigestInit_ex which has already had the digest set up for it
should be possible. You are supposed to be able to pass NULL for the type.
However currently this seg faults.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
a01087027bd0c5ec053d4eabd972bd942bfcd92f)
Matt Caswell [Wed, 11 Mar 2015 15:31:16 +0000 (15:31 +0000)]
Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit
8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485)
Matt Caswell [Tue, 10 Mar 2015 23:15:15 +0000 (23:15 +0000)]
Fix seg fault in ASN1_generate_v3/ASN1_generate_nconf
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit
ac5a110621ca48f0bebd5b4d76d081de403da29e)
Matt Caswell [Mon, 9 Mar 2015 13:59:58 +0000 (13:59 +0000)]
Cleanse buffers
Cleanse various intermediate buffers used by the PRF (backported version
from master).
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
35fafc4dbc0b3a717ad1b208fe2867e8c64867de)
Conflicts:
ssl/s3_enc.c
Emilia Kasper [Wed, 4 Mar 2015 21:05:53 +0000 (13:05 -0800)]
Harmonize return values in dtls1_buffer_record
Ensure all malloc failures return -1.
Reported by Adam Langley (Google).
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit
06c6a2b4a3a6e64303caa256398dd2dc16f9c35a)