OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)

Submitted by: Neel Mehta, Adam Langley, Bodo Moeller

CHANGES

@@ -2,6 +2,16 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
+
+  *) Fix parsing of OCSP stapling ClientHello extension.  CVE-2011-0014
+     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
+
+  *) Fix bug in string printing code: if *any* escaping is enabled we must
+     escape the escape character (backslash) or the resulting string is
+     ambiguous.
+     [Steve Henson]
+
  Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
 
   *) Disable code workaround for ancient and obsolete Netscape browsers

Configure

@@ -371,6 +371,9 @@ my %table=(
 "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
 "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
 
+# Android: Linux but without -DTERMIO and pointers to headers and libs.
+"android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
 #### *BSD [do see comment about ${BSDthreads} above!]
 "BSD-generic32","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "BSD-x86",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

FAQ

@@ -82,7 +82,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0c was released on Dec 2nd, 2010.
+OpenSSL 1.0.0d was released on Feb 8th, 2011.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

LICENSE

@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

NEWS

@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+
+      o Fix for security issue CVE-2011-0014
+
   Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
 
       o Fix for security issue CVE-2010-4180
@@ -181,6 +185,11 @@
       o Added initial support for Win64.
       o Added alternate pkg-config files.
 
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+
+      o FIPS 1.1.1 module linking.
+      o Various ciphersuite selection fixes.
+
   Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)

README

@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.8q 2 Dec 2010
+ OpenSSL 0.9.8r
 
- Copyright (c) 1998-2009 The OpenSSL Project
+ Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 

STATUS

@@ -1,13 +1,17 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2010/12/02 18:53:51 $
+  ______________                           $Date: 2011/02/08 17:10:45 $
 
   DEVELOPMENT STATE
 
     o  OpenSSL 1.1.0:  Under development...
+    o  OpenSSL 1.0.1:  Under development...
+    o  OpenSSL 1.0.0d: Released on February   8nd, 2011
+    o  OpenSSL 1.0.0c: Released on December   2nd, 2010
     o  OpenSSL 1.0.0b: Released on November  16th, 2010
     o  OpenSSL 1.0.0a: Released on June      1st,  2010
     o  OpenSSL 1.0.0:  Released on March     29th, 2010
+    o  OpenSSL 0.9.8r: Released on February   8nd, 2011
     o  OpenSSL 0.9.8q: Released on December   2nd, 2010
     o  OpenSSL 0.9.8p: Released on November  16th, 2010
     o  OpenSSL 0.9.8o: Released on June       1st, 2010

TABLE

@@ -864,6 +864,33 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = -X64
 
+*** android
+$cc           = gcc
+$cflags       = -mandroid -I$(ANDROID_DEV)/include -B$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR
+$cpuid_obj    = 
+$bn_obj       = 
+$des_obj      = 
+$aes_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
 *** aux3-gcc
 $cc           = gcc
 $cflags       = -O2 -DTERMIO

crypto/asn1/a_strex.c

@@ -74,6 +74,11 @@
 
 #define CHARTYPE_BS_ESC		(ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
 
+#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
+		  ASN1_STRFLGS_ESC_QUOTE | \
+		  ASN1_STRFLGS_ESC_CTRL | \
+		  ASN1_STRFLGS_ESC_MSB)
+
 
 /* Three IO functions for sending data to memory, a BIO and
  * and a FILE pointer.
@@ -148,6 +153,13 @@ static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, ch
 		if(!io_ch(arg, tmphex, 3)) return -1;
 		return 3;
 	}
+	/* If we get this far and do any escaping at all must escape 
+	 * the escape character itself: backslash.
+	 */
+	if (chtmp == '\\' && flags & ESC_FLAGS) {
+		if(!io_ch(arg, "\\\\", 2)) return -1;
+		return 2;
+	}
 	if(!io_ch(arg, &chtmp, 1)) return -1;
 	return 1;
 }
@@ -292,11 +304,6 @@ static const signed char tag2nbyte[] = {
 	4, -1, 2		/* 28-30 */
 };
 
-#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
-		  ASN1_STRFLGS_ESC_QUOTE | \
-		  ASN1_STRFLGS_ESC_CTRL | \
-		  ASN1_STRFLGS_ESC_MSB)
-
 /* This is the main function, print out an
  * ASN1_STRING taking note of various escape
  * and display options. Returns number of

crypto/asn1/a_strnid.c

@@ -96,7 +96,7 @@ unsigned long ASN1_STRING_get_default_mask(void)
  * default:   the default value, Printable, T61, BMP.
  */
 
-int ASN1_STRING_set_default_mask_asc(char *p)
+int ASN1_STRING_set_default_mask_asc(const char *p)
 {
 	unsigned long mask;
 	char *end;

crypto/asn1/asn1.h

@@ -1051,7 +1051,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d,
 ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct);
 
 void ASN1_STRING_set_default_mask(unsigned long mask);
-int ASN1_STRING_set_default_mask_asc(char *p);
+int ASN1_STRING_set_default_mask_asc(const char *p);
 unsigned long ASN1_STRING_get_default_mask(void);
 int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
 					int inform, unsigned long mask);

crypto/comp/c_rle.c

@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
 	{
 	int i;
 
-	if (olen < (ilen-1))
+	if (ilen == 0 || olen < (ilen-1))
 		{
 		/* ZZZZZZZZZZZZZZZZZZZZZZ */
 		return(-1);
@@ -59,4 +59,3 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
 		}
 	return(ilen-1);
 	}
-

crypto/ec/ec2_smpl.c

@@ -871,6 +871,9 @@ int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT
 		{
 		return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
 		}
+
+	if (EC_POINT_is_at_infinity(group, b))
+		return 1;
 	
 	if (a->Z_is_one && b->Z_is_one)
 		{

crypto/ec/ec_key.c

@@ -304,7 +304,13 @@ int EC_KEY_check_key(const EC_KEY *eckey)
 		ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
 		return 0;
 		}
-	
+
+	if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key))
+		{
+		ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_AT_INFINITY);
+		goto err;
+		}
+
 	if ((ctx = BN_CTX_new()) == NULL)
 		goto err;
 	if ((point = EC_POINT_new(eckey->group)) == NULL)

crypto/ec/ecp_smpl.c

@@ -1406,6 +1406,9 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *
 		{
 		return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
 		}
+
+	if (EC_POINT_is_at_infinity(group, b))
+		return 1;
 	
 	if (a->Z_is_one && b->Z_is_one)
 		{

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x0090811f
+#define OPENSSL_VERSION_NUMBER	0x0090812fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8q-fips 2 Dec 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8r-fips 8 Feb 2011"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8q 2 Dec 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8r 8 Feb 2011"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/rc4/asm/rc4-x86_64.pl

@@ -167,7 +167,7 @@ $code.=<<___;
 	movzb	($dat,$XX[0]),$TX[0]#d
 	test	\$-8,$len
 	jz	.Lcloop1
-	cmp	\$0,260($dat)
+	cmpl	\$0,260($dat)
 	jnz	.Lcloop1
 	push	%rbx
 	jmp	.Lcloop8

crypto/x509v3/v3_addr.c

@@ -177,12 +177,18 @@ static int i2r_address(BIO *out,
   unsigned char addr[ADDR_RAW_BUF_LEN];
   int i, n;
 
+  if (bs->length < 0)
+    return 0;
   switch (afi) {
   case IANA_AFI_IPV4:
+    if (bs->length > 4)
+      return 0;
     addr_expand(addr, bs, 4, fill);
     BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
     break;
   case IANA_AFI_IPV6:
+    if (bs->length > 16)
+      return 0;
     addr_expand(addr, bs, 16, fill);
     for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
       ;

crypto/x509v3/v3_asid.c

@@ -61,7 +61,6 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <assert.h>
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
@@ -172,11 +171,11 @@ static int ASIdOrRange_cmp(const ASIdOrRange * const *a_,
 {
   const ASIdOrRange *a = *a_, *b = *b_;
 
-  assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
+  OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
 	 (a->type == ASIdOrRange_range && a->u.range != NULL &&
 	  a->u.range->min != NULL && a->u.range->max != NULL));
 
-  assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
+  OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
 	 (b->type == ASIdOrRange_range && b->u.range != NULL &&
 	  b->u.range->min != NULL && b->u.range->max != NULL));
 
@@ -215,7 +214,7 @@ int v3_asid_add_inherit(ASIdentifiers *asid, int which)
   if (*choice == NULL) {
     if ((*choice = ASIdentifierChoice_new()) == NULL)
       return 0;
-    assert((*choice)->u.inherit == NULL);
+    OPENSSL_assert((*choice)->u.inherit == NULL);
     if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
       return 0;
     (*choice)->type = ASIdentifierChoice_inherit;
@@ -250,7 +249,7 @@ int v3_asid_add_id_or_range(ASIdentifiers *asid,
   if (*choice == NULL) {
     if ((*choice = ASIdentifierChoice_new()) == NULL)
       return 0;
-    assert((*choice)->u.asIdsOrRanges == NULL);
+    OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
     (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
     if ((*choice)->u.asIdsOrRanges == NULL)
       return 0;
@@ -286,7 +285,7 @@ static void extract_min_max(ASIdOrRange *aor,
 			    ASN1_INTEGER **min,
 			    ASN1_INTEGER **max)
 {
-  assert(aor != NULL && min != NULL && max != NULL);
+  OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
   switch (aor->type) {
   case ASIdOrRange_id:
     *min = aor->u.id;
@@ -373,7 +372,7 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
 int v3_asid_is_canonical(ASIdentifiers *asid)
 {
   return (asid == NULL ||
-	  (ASIdentifierChoice_is_canonical(asid->asnum) ||
+	  (ASIdentifierChoice_is_canonical(asid->asnum) &&
 	   ASIdentifierChoice_is_canonical(asid->rdi)));
 }
 
@@ -395,7 +394,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
   /*
    * We have a list.  Sort it.
    */
-  assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
+  OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
   sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
 
   /*
@@ -413,7 +412,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
     /*
      * Make sure we're properly sorted (paranoia).
      */
-    assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
+    OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
 
     /*
      * Check for overlaps.
@@ -472,7 +471,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
     }
   }
 
-  assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
+  OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
 
   ret = 1;
 
@@ -709,9 +708,9 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
   int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
   X509 *x = NULL;
 
-  assert(chain != NULL && sk_X509_num(chain) > 0);
-  assert(ctx != NULL || ext != NULL);
-  assert(ctx == NULL || ctx->verify_cb != NULL);
+  OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
+  OPENSSL_assert(ctx != NULL || ext != NULL);
+  OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
 
   /*
    * Figure out where to start.  If we don't have an extension to
@@ -723,7 +722,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
   } else {
     i = 0;
     x = sk_X509_value(chain, i);
-    assert(x != NULL);
+    OPENSSL_assert(x != NULL);
     if ((ext = x->rfc3779_asid) == NULL)
       goto done;
   }
@@ -756,7 +755,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
    */
   for (i++; i < sk_X509_num(chain); i++) {
     x = sk_X509_value(chain, i);
-    assert(x != NULL);
+    OPENSSL_assert(x != NULL);
     if (x->rfc3779_asid == NULL) {
       if (child_as != NULL || child_rdi != NULL)
 	validation_err(X509_V_ERR_UNNESTED_RESOURCE);

fips/fips_canister.c

@@ -19,6 +19,7 @@
 	(defined(__linux) && (defined(__arm) || defined(__arm__)))	|| \
 	(defined(__i386) || defined(__i386__))				|| \
 	(defined(__x86_64) || defined(__x86_64__))			|| \
+	defined(__ANDROID__)						|| \
 	(defined(vax) || defined(__vax__))
 #  define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
 # endif

openssl.spec

@@ -2,7 +2,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 8
-%define librev q
+%define librev r
 Release: 1
 
 %define openssldir /var/ssl

ssl/d1_enc.c

@@ -220,11 +220,7 @@ int dtls1_enc(SSL *s, int send)
 		if (!send)
 			{
 			if (l == 0 || l%bs != 0)
-				{
-				SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
-				return 0;
-				}
+				return -1;
 			}
 		
 		EVP_Cipher(ds,rec->data,rec->input,l);

ssl/d1_pkt.c

@@ -374,7 +374,8 @@ dtls1_process_record(SSL *s)
 			goto err;
 
 		/* otherwise enc_err == -1 */
-		goto err;
+		al=SSL_AD_BAD_RECORD_MAC;
+		goto f_err;
 		}
 
 #ifdef TLS_DEBUG

ssl/s2_srvr.c

@@ -403,13 +403,14 @@ static int get_client_master_key(SSL *s)
 		p+=3;
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
-		n2s(p,i); s->session->key_arg_length=i;
-		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+		n2s(p,i);
+		if(i > SSL_MAX_KEY_ARG_LENGTH)
 			{
 			ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
 			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
 			return -1;
 			}
+		s->session->key_arg_length=i;
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		}
 

ssl/t1_lib.c

@@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 						}
 					n2s(data, idsize);
 					dsize -= 2 + idsize;
+					size -= 2 + idsize;
 					if (dsize < 0)
 						{
 						*al = SSL_AD_DECODE_ERROR;
@@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 					}
 
 				/* Read in request_extensions */
+				if (size < 2)
+					{
+					*al = SSL_AD_DECODE_ERROR;
+					return 0;
+					}
 				n2s(data,dsize);
 				size -= 2;
-				if (dsize > size) 
+				if (dsize != size)
 					{
 					*al = SSL_AD_DECODE_ERROR;
 					return 0;

util/fipslink.pl

@@ -43,7 +43,12 @@ die "First stage Link failure" if $? != 0;
 
 
 print "$fips_premain_dso $fips_target\n";
-$fips_hash=`$fips_premain_dso $fips_target`;
+system("$fips_premain_dso $fips_target >$fips_target.sha1");
+die "Get hash failure" if $? != 0;
+open my $sha1_res, '<', $fips_target.".sha1" or die "Get hash failure";
+$fips_hash=<$sha1_res>;
+close $sha1_res;
+unlink $fips_target.".sha1";
 chomp $fips_hash;
 die "Get hash failure" if $? != 0;
 

util/mkerr.pl

@@ -313,7 +313,7 @@ foreach $lib (keys %csrc)
 	} else {
 	    push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2010 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",