summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2015-06-12Prepare for 1.0.1o releaseOpenSSL_1_0_1oMatt Caswell
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12Updated CHANGES and NEWS entries for new releaseMatt Caswell
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12Allow a zero length extension blockAdam Langley
It is valid for an extension block to be present in a ClientHello, but to be of zero length. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-12Fix ABI break with HMACMatt Caswell
Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX. This backs that change out, and does it a different way. Thanks to Timo Teras for the concept. Conflicts: crypto/hmac/hmac.c Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-11Prepare for 1.0.1o-devMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11Prepare for 1.0.1n releaseOpenSSL_1_0_1nMatt Caswell
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.Andy Polyakov
CVE-2015-1788 Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 4924b37ee01f71ae19c94a8934b80eeb2f677932)
2015-06-11Update CHANGES and NEWSMatt Caswell
Updates to CHANGES and NEWS to take account of the latest security fixes. Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11PKCS#7: Fix NULL dereference with missing EncryptedContent.Emilia Kasper
CVE-2015-1790 Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11Fix length checks in X509_cmp_time to avoid out-of-bounds reads.Emilia Kasper
Also tighten X509_cmp_time to reject more than three fractional seconds in the time; and to reject trailing garbage after the offset. CVE-2015-1789 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-11Fix infinite loop in CMSDr. Stephen Henson
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting to verify and a digest is not recognised. Reported by Johannes Bauer. CVE-2015-1792 Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11Correction of make depend merge errorRichard Levitte
$(PROGS) was mistakenly removed, adding it back. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 5ef5b9ffa91ad6061c42291564a1dc786300ebdd)
2015-06-11More ssl_session_dup fixesMatt Caswell
Fix error handling in ssl_session_dup, as well as incorrect setting up of the session ticket. Follow on from CVE-2015-1791. Thanks to LibreSSL project for reporting these issues. Conflicts: ssl/ssl_sess.c Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-11Only allow a temporary rsa key exchange when they key is larger than 512.Kurt Roeckx
Reviewed-by: Rich Salz <rsalz@openssl.org> MR #838 (cherry picked from commit 57e477b9ec66542afc8c9c13ae7c4271209fb88f)
2015-06-11Properly check certificate in case of export ciphers.Kurt Roeckx
Reviewed-by: Rich Salz <rsalz@openssl.org> MR #838 (cherry picked from commit 39a298a1c0e7a76e301b9f2ebe8d33d90ad0a3b4)
2015-06-10DTLS handshake message fragments musn't span packetsMatt Caswell
It should not be possible for DTLS message fragments to span multiple packets. However previously if the message header fitted exactly into one packet, and the fragment body was in the next packet then this would work. Obviously this would fail if packets get re-ordered mid-flight. Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-10Fix leak in HMAC error pathMatt Caswell
In the event of an error in the HMAC function, leaks can occur because the HMAC_CTX does not get cleaned up. Thanks to the BoringSSL project for reporting this issue. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit e43a13c807e42688c72c4f3d001112bf0a110464)
2015-06-10EC_POINT_is_on_curve does not return a booleanMatt Caswell
The function EC_POINT_is_on_curve does not return a boolean value. It returns 1 if the point is on the curve, 0 if it is not, and -1 on error. Many usages within OpenSSL were incorrectly using this function and therefore not correctly handling error conditions. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Kurt Roeckx <kurt@openssl.org> (cherry picked from commit 68886be7e2cd395a759fcd41d2cede461b68843d)
2015-06-10Tighten extension handlingMatt Caswell
This adds additional checks to the processing of extensions in a ClientHello to ensure that either no extensions are present, or if they are then they take up the exact amount of space expected. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Stephen Henson <steve@openssl.org> Conflicts: ssl/t1_lib.c
2015-06-10Fix memory leaks in BIO_dup_chain()Matt Caswell
This fixes a memory leak that can occur whilst duplicating a BIO chain if the call to CRYPTO_dup_ex_data() fails. It also fixes a second memory leak where if a failure occurs after successfully creating the first BIO in the chain, then the beginning of the new chain was not freed. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Stephen Henson <steve@openssl.org> Conflicts: crypto/bio/bio_lib.c
2015-06-10Replace memset with OPENSSL_cleanse()Matt Caswell
BUF_MEM_free() attempts to cleanse memory using memset immediately prior to a free. This is at risk of being optimised away by the compiler, so replace with a call to OPENSSL_cleanse() instead. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-10Fix Kerberos issue in ssl_session_dupMatt Caswell
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for Kerberos. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit dcad51bc13c9b716d9a66248bcc4038c071ff158)
2015-06-10When making libcrypto from apps or test, make sure to include enginesRichard Levitte
For librypto to be complete, the stuff in both crypto/ and engines/ have to be built. Doing 'make test' or 'make apps' from a clean source tree failed to do so. Corrected by using the new 'build_libcrypto' in the top Makefile. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit acaff3b797f50a0a0e17a0be45b7fafad962004e)
2015-06-10Add and rearrange building of librariesRichard Levitte
There's a need for a target that will build all of libcrypto, so let's add 'build_libcrypto' that does this. For ortogonality, let's also add 'build_libssl'. Have both also depend on 'libcrypto.pc' and 'libssl.pc' so those get built together with the libraries. This makes 'all' depend on fewer things directly. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 177b5f9c82e1152d6ce20a83556db629697fff65) Conflicts: Makefile.org
2015-06-08return correct NID for undefined objectDr. Stephen Henson
Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 0fb9990480919163cc375a2b6c0df1d8d901a77b)
2015-06-08Use CRYPTO_memcmp in s3_cbc.cEmilia Kasper
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 05627d57e55517eae21c251fe287760bd1137218)
2015-06-08Use CRYPTO_memcmp when comparing authenticatorsEmilia Kasper
Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley (Google). Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 1e4a355dcabe2f75df5bb8b41b394d37037169d2) (cherry picked from commit ac32a77cd69784568090e934a31622ddfee49ca7)
2015-06-04Remove misleading commentMatt Caswell
Remove a comment that suggested further clean up was required. DH_free() performs the necessary cleanup. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit f3d889523ee84f1e87e4da0d59e2702a4bee7907)
2015-06-04Clean premaster_secret for GOSTMatt Caswell
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit b7ee4815f2452c854cc859e8dda88f2673cdddea) Conflicts: ssl/s3_srvr.c
2015-06-04Clean Kerberos pre-master secretMatt Caswell
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 4e3dbe37ca39fa68b6949fbde62f3ec0f0584f7e)
2015-06-04Fix off-by-one error in BN_bn2hexMatt Caswell
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account for this and can allocate a buffer one byte too short in the event of -0 being used, leading to a one byte buffer overrun. All usage within the OpenSSL library is considered safe. Any security risk is considered negligible. With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian for discovering and reporting this issue. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit c56353071d9849220714d8a556806703771b9269) Conflicts: crypto/bn/bn_print.c
2015-06-02RT3230: Better test for C identifierAnnie Yousar
objects.pl only looked for a space to see if the name could be used as a C identifier. Improve the test to match the real C rules. Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 591b7aef05b22cba09b179e5787a9bf40dfc9508)
2015-06-02Add the macro OPENSSL_SYS_WIN64Richard Levitte
This is for consistency. Additionally, have its presence define OPENSSL_SYS_WINDOWS as well. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 3f131556d6678bc3754f1e6d98a9a5bfc24e368c) Conflicts: e_os2.h
2015-06-02Fix race condition in NewSessionTicketMatt Caswell
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 27c76b9b8010b536687318739c6f631ce4194688) Conflicts: ssl/ssl.h ssl/ssl_err.c
2015-06-02Clear state in DTLSv1_listenMatt Caswell
This is a backport of commit e83ee04bb7de800cdb71d522fa562e99328003a3 from the master branch (and this has also been applied to 1.0.2). In 1.0.2 this was CVE-2015-0207. For other branches there is no known security issue, but this is being backported as a precautionary measure. The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invokation to the next. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-01Check the message type requested is the type received in DTLSMatt Caswell
dtls1_get_message has an |mt| variable which is the type of the message that is being requested. If it is negative then any message type is allowed. However the value of |mt| is not checked in one of the main code paths, so a peer can send a message of a completely different type and it will be processed as if it was the message type that we were expecting. This has very little practical consequences because the current behaviour will still fail when the format of the message isn't as expected. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 8c2b1d872b25f3ec78e04f5cd2de8f21e853c4a6)
2015-05-28check for error when creating PKCS#8 structureDr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 2849707fa65d2803e6d1c1603fdd3fd1fdc4c6cc)
2015-05-28PEM doc fixesDr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit f097f81c891bb1f479426d8ac9c9541390334983)
2015-05-26Housekeeping 'make TABLE' update.Andy Polyakov
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-26Fix ssltest to use 1024-bit DHE parametersEmilia Kasper
Also add more ciphersuite test coverage, and a negative test for 512-bit DHE. Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-26Don't check for a negative SRP extension sizeMatt Caswell
The size of the SRP extension can never be negative (the variable |size| is unsigned). Therefore don't check if it is less than zero. RT#3862 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 9c89d290834f3ed9146eeb8b64fe5de817679a0b)
2015-05-26Fix error check in GOST engineMatt Caswell
The return value of i2d functions can be negative if an error occurs. Therefore don't assign the return value to an unsigned type and *then* check if it is negative. RT#3862 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 90e7cdff3aa66779486914f88333f6601f0c1cf4)
2015-05-26Handle unsigned struct timeval membersMatt Caswell
The members of struct timeval on OpenVMS are unsigned. The logic for calculating timeouts needs adjusting to deal with this. RT#3862 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit fc52ac9028b9492fb086ba35a3352ea46e03ecfc)
2015-05-26Configure: replace -mv8 with -mcpu=v8 in SPARC config lines.Andy Polyakov
RT#3860 Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit aa1e42215b6729c0143fb056e3791e3fcdf7af6a)
2015-05-26fix copy paste error in ec_GF2m function prototypesBilly Brumley
RT#3858 Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 71f6130b7a96bacbffae4611796ed98c2f724d96)
2015-05-26bn/bn_lcl.h: fix MIPS-specific gcc version check.Andy Polyakov
RT#3859 Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 60c268b21ac81cc6b1af5c5470282a613b96f6fd)
2015-05-26md32_common.h: backport ICC fix.Andy Polyakov
RT#3843 Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-25Don't send an alert if we've just received oneMatt Caswell
If the record received is for a version that we don't support, previously we were sending an alert back. However if the incoming record already looks like an alert then probably we shouldn't do that. So suppress an outgoing alert if it looks like we've got one incoming. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-23Fix update and depend in engines/Richard Levitte
The update: target in engines/ didn't recurse into engines/ccgost. The update: and depend: targets in engines/ccgost needed a fixup. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 8b822d2566853ee5e313c37529f71336209b28ab)
2015-05-23Missed a couple of spots in the update changeRichard Levitte
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 6f45032f6730622e8d484d92e07c7fce7d1f88ac) Conflicts: apps/Makefile