By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
3. Check DSA/ECDSA signatures use DER.
Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 684400ce19)
We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
ports. There shouldn't be a problem defining this on systems not using glibc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Return an error code for I/O errors instead of an assertion failure.
PR#3470
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2521fcd852)
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f5e4b6b5b5)
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.
This reverts commit f2df488a1c.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Various build fixes, mostly uncovered by clang's unused-const-variable
and unused-function errors.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 0e1c318ece)
master branch has a specific regression test for a bug in x86_64-mont5 code,
see commit cdfe0fdde6.
This code is now in 1.0.2/1.0.1, so also backport the test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bb565cd29e)
Invalid zero-padding in the divisor could cause a division by 0.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a43bcd9e96)
The temporary variable causes unused variable warnings in opt mode with clang,
because the subsequent assert is compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6af16ec5ee)
used with no explanation. Some of this was introduced as part of RT#1929. The
value 28 is the length of the IP header (20 bytes) plus the UDP header (8
bytes). However use of this constant is incorrect because there may be
instances where a different value is needed, e.g. an IPv4 header is 20 bytes
but an IPv6 header is 40. Similarly you may not be using UDP (e.g. SCTP).
This commit introduces a new BIO_CTRL that provides the value to be used for
this mtu "overhead". It will be used by subsequent commits.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0d3ae34df5)
Conflicts:
crypto/bio/bss_dgram.c
Don't attempt to access msg structure if recvmsg returns an error.
PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 012aa9ec76)
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 55f7fb8848)
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.
PR3584, https://bugs.debian.org/534534
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
algorithms MD2 and RC5 don't get built.
Also, disable building the test apps in crypto/des and crypto/pkcs7, as
they have no support at all.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.
PR#3551
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e0fdea3e49)
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.
Note: this is a precautionary measure, there is no known attack
which can exploit this.
Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4aac102f75)
Conflicts:
crypto/evp/evp_enc.c
(cherry picked from commit 738911cde6)
(Original commit adb46dbc6d)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts:
crypto/rsa/rsa_oaep.c
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980)
