Fix memory leak by freeing up saved_message.data if it is not NULL.
PR#3489
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 41cd41c441)
This facilitates "universal" builds, ones that target multiple
architectures, e.g. ARMv5 through ARMv7. See commentary in
Configure for details.
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit c1669e1c20)
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
3. Check DSA/ECDSA signatures use DER.
Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 684400ce19)
We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
ports. There shouldn't be a problem defining this on systems not using glibc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Return an error code for I/O errors instead of an assertion failure.
PR#3470
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2521fcd852)
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.
This reverts commit 738911cde6.
Reviewed-by: Andy Polyakov <appro@openssl.org>
master branch has a specific regression test for a bug in x86_64-mont5 code,
see commit cdfe0fdde6.
This code is now in 1.0.2/1.0.1, so also backport the test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The temporary variable causes unused variable warnings in opt mode with clang,
because the subsequent assert is compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
used with no explanation. Some of this was introduced as part of RT#1929. The
value 28 is the length of the IP header (20 bytes) plus the UDP header (8
bytes). However use of this constant is incorrect because there may be
instances where a different value is needed, e.g. an IPv4 header is 20 bytes
but an IPv6 header is 40. Similarly you may not be using UDP (e.g. SCTP).
This commit introduces a new BIO_CTRL that provides the value to be used for
this mtu "overhead". It will be used by subsequent commits.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0d3ae34df5)
ECDH_compute_key is silently ignored and the KDF is run on duff data
Thanks to github user tomykaira for the suggested fix.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8d02bebddf)
Don't attempt to access msg structure if recvmsg returns an error.
PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 012aa9ec76)
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 55f7fb8848)
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.
PR3584, https://bugs.debian.org/534534
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.
PR#3551
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e0fdea3e49)
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.
Note: this is a precautionary measure, there is no known attack
which can exploit this.
Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4aac102f75)
Conflicts:
crypto/evp/evp_enc.c
(Original commit adb46dbc6d)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts:
crypto/rsa/rsa_oaep.c
crypto/rsa/rsa_pk1.c
ssl/s3_cbc.c
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 95b1752cc7)
This reverts commit cacdfcb247.
Conflicts:
crypto/x509/x509.h
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 99b00fd993)
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980)
This is funny; Ben commented in the source, Matt opend a ticket,
and Rich is doing the submit. Need more code-review? :)
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit eb63bce040)
When calling X509_set_version to set v1 certificate, that
should mean that the version number field is omitted.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1f18f50c4b)
This is a more comprehensive fix. It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1. This is from
Kurt's upstream Debian changes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 44e0c2bae4)
Can't really happen, but the flow of control isn't obvious.
Add an initializer.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0ff3687eab)
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
Pull constant-time methods out to a separate header, add tests.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 5a3d21c058)
Conflicts:
ssl/s3_cbc.c
test/Makefile
Add the wrapper to all public header files (Configure
generates one). Don't bother for those that are just
lists of #define's that do renaming.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Cherry-pick of commit 17e80c6bd0
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:
-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
CVE-2014-3508
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
