[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-11-25 Thread Andy Polyakov
The branch OpenSSL_1_0_1-stable has been updated
   via  edfca4e3daab653ec6db79ef1b01762db7ba1a52 (commit)
  from  ca88f01d6c84cff55032b0a39a2d128b266b6b7c (commit)


- Log -
commit edfca4e3daab653ec6db79ef1b01762db7ba1a52
Author: Andy Polyakov 
Date:   Sun Nov 20 23:38:12 2016 +0100

modes/ctr128.c: fix false carry in counter increment procedure.

GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell 
(cherry picked from commit 76f572ed0469a277d92378848250b7a9705d3071)

---

Summary of changes:
 crypto/modes/ctr128.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c
index bcafd6b..d4b2272 100644
--- a/crypto/modes/ctr128.c
+++ b/crypto/modes/ctr128.c
@@ -100,7 +100,7 @@ static void ctr128_inc_aligned(unsigned char *counter)
 --n;
 d = data[n] += c;
 /* did addition carry? */
-c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);
+c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);
 } while (n);
 }
 #endif
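Review bot: the old test on the `-` line, `((d - c) ^ d) >> (sizeof(size_t) * 8 - 1)`, sets `c` whenever the top bit of the word changed, so an increment from 0x7fff…ffff to 0x8000…0000 carries into the next word even though nothing wrapped; the `+` line's `((d - c) & ~d)` only fires when the top bit went from 1 to 0, which with `c` in {0, 1} happens solely on the wrap from all-ones to zero. Please add a test whose counter crosses that half-way boundary inside one word, since that is exactly the case the old expression got wrong and, as the commit message notes, TLS-sized inputs never reach it.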
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
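The carry-detection difference in the commit above, as an added example that is not OpenSSL's code: a two-word counter, most significant word first, incremented once with the old XOR test and once with the fixed AND-NOT test from the diff. The array layout, the `CTR_WORDS` size and the function names are assumptions made for the demonstration; only the two carry expressions come from the patch. A wrong carry yields a wrong counter block and therefore wrong keystream, which is why the check matters even though the commit message says TLS never reaches it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code. CTR_WORDS size_t words hold the
 * counter with the most significant word at index 0; the increment
 * walks from the least significant word upward, as ctr128.c does. */
#define CTR_WORDS 2
#define TOP_BIT_SHIFT (sizeof(size_t) * 8 - 1)

/* One increment step shared by both variants: add the carry to each
 * word from the low end, then derive the next carry with either the
 * old (XOR) test or the fixed (AND-NOT) test. use_fixed selects which. */
static void ctr_inc(size_t *data, int use_fixed)
{
    size_t n = CTR_WORDS, c = 1, d;

    do {
        --n;
        d = data[n] += c;
        if (use_fixed) {
            /* fixed: top bit went 1 -> 0, i.e. the word wrapped to zero */
            c = ((d - c) & ~d) >> TOP_BIT_SHIFT;
        } else {
            /* old: top bit merely changed, which also happens on
             * 0x7fff...ffff -> 0x8000...0000 where nothing wrapped */
            c = ((d - c) ^ d) >> TOP_BIT_SHIFT;
        }
    } while (n);
}

/* Start from {0, low}, increment once and report the high word.
 * A correct increment only yields 1 when low was all ones. */
size_t high_word_after_inc(size_t low, int use_fixed)
{
    size_t data[CTR_WORDS] = { 0, low };

    ctr_inc(data, use_fixed);
    return data[0];
}

int main(void)
{
    size_t half = SIZE_MAX >> 1;   /* 0x7fff...ffff: top bit clear */

    printf("low=0x7f..ff  old carry=%zu  fixed carry=%zu\n",
           high_word_after_inc(half, 0), high_word_after_inc(half, 1));
    printf("low=0xff..ff  old carry=%zu  fixed carry=%zu\n",
           high_word_after_inc(SIZE_MAX, 0), high_word_after_inc(SIZE_MAX, 1));
    return 0;
}
```

Run stand-alone, the first line shows the old test carrying into the high word (1) where the fixed test does not (0); the second line shows both agreeing on the genuine wrap.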


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-11-04 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  ca88f01d6c84cff55032b0a39a2d128b266b6b7c (commit)
  from  9fca473bf23f50a9fc940cd16c3edf69e753ea75 (commit)


- Log -
commit ca88f01d6c84cff55032b0a39a2d128b266b6b7c
Author: Rich Salz 
Date:   Fri Nov 4 10:27:47 2016 -0400

Missed a mention of RT

Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/1849)
(cherry picked from commit 1e62cc12f35408508594be254f40bf9b65d2a3a9)

---

Summary of changes:
 INSTALL | 24 
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/INSTALL b/INSTALL
index 679b30d..475ac92 100644
--- a/INSTALL
+++ b/INSTALL
@@ -159,18 +159,18 @@
  OpenSSL binary ("openssl"). The libraries will be built in the top-level
  directory, and the binary will be in the "apps" directory.
 
- If "make" fails, look at the output.  There may be reasons for
- the failure that aren't problems in OpenSSL itself (like missing
- standard headers).  If it is a problem with OpenSSL itself, please
- report the problem to  (note that your
- message will be recorded in the request tracker publicly readable
- at https://www.openssl.org/community/index.html#bugs and will be
- forwarded to a public mailing list). Include the output of "make
- report" in your message.  Please check out the request tracker. Maybe
- the bug was already reported or has already been fixed.
-
- [If you encounter assembler error messages, try the "no-asm"
- configuration option as an immediate fix.]
+ If the build fails, look at the output.  There may be reasons
+ for the failure that aren't problems in OpenSSL itself (like
+ missing standard headers).  If you are having problems you can
+ get help by sending an email to the openssl-users email list (see
+ https://www.openssl.org/community/mailinglists.html for details). If
+ it is a bug with OpenSSL itself, please open an issue on GitHub, at
+ https://github.com/openssl/openssl/issues. Please review the existing
+ ones first; maybe the bug was already reported or has already been
+ fixed.
+
+ (If you encounter assembler error messages, try the "no-asm"
+ configuration option as an immediate fix.)
 
  Compiling parts of OpenSSL with gcc and others with the system
  compiler will result in unresolved symbols on some systems.
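Review bot: the replacement paragraph drops the request for build output that the removed lines made ("Include the output of "make report" in your message"); the new text should still ask reporters to attach their Configure line and the failing make output when opening the GitHub issue, otherwise the first reply on most build-failure issues will be a request for exactly that.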


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-11-01 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  649fdbd278c03d943410d35e991fc716e29469fb (commit)
  from  a100602d58b0a2cfba1c0419470e637bb5fd227d (commit)


- Log -
commit 649fdbd278c03d943410d35e991fc716e29469fb
Author: Benjamin Kaduk 
Date:   Mon Sep 26 15:30:42 2016 -0500

Fix grammar-o in CONTRIBUTING

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/1625)
(cherry picked from commit e4d94269a5a41594852dc60716500580f1d47cef)

---

Summary of changes:
 CONTRIBUTING | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CONTRIBUTING b/CONTRIBUTING
index 7cc3850..f734d77 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -1,4 +1,4 @@
-HOW TO CONTRIBUTE TO PATCHES OpenSSL
+HOW TO CONTRIBUTE PATCHES TO OpenSSL
 
 
 (Please visit https://www.openssl.org/community/getting-started.html for


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-10-25 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  a100602d58b0a2cfba1c0419470e637bb5fd227d (commit)
  from  9d9e0535366b4e5cfb2eb4d74be6b3d546b98fe8 (commit)


- Log -
commit a100602d58b0a2cfba1c0419470e637bb5fd227d
Author: Dr. Matthias St. Pierre 
Date:   Sun Oct 16 00:53:33 2016 +0200

Fix leak of secrecy in ecdh_compute_key()

A temporary buffer containing g^xy was not cleared in ecdh_compute_key()
before freeing it, so the shared secret was leaked in memory.

Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(cherry picked from commit 0e4690165b4beb6777b747b0aeb1646a301f41d9)

---

Summary of changes:
 crypto/ecdh/ech_ossl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c
index d448b19..2d14252 100644
--- a/crypto/ecdh/ech_ossl.c
+++ b/crypto/ecdh/ech_ossl.c
@@ -202,7 +202,9 @@ static int ecdh_compute_key(void *out, size_t outlen, const 
EC_POINT *pub_key,
 BN_CTX_end(ctx);
 if (ctx)
 BN_CTX_free(ctx);
-if (buf)
+if (buf) {
+OPENSSL_cleanse(buf, buflen);
 OPENSSL_free(buf);
+}
 return (ret);
 }
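Review bot: `OPENSSL_cleanse(buf, buflen)` on the `+` line is only right if `buflen` is the length that was allocated for `buf` and is not modified on any path that reaches this cleanup; the `if (buf)` guard covers the early-error paths where `buf` is still NULL, but please confirm `buflen` is not reused as a working variable between the allocation and this point, since a smaller value here would leave part of g^xy uncleared.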


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-10-14 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  9d9e0535366b4e5cfb2eb4d74be6b3d546b98fe8 (commit)
  from  329a5f361513154ebfbd616c79b628750df16de1 (commit)


- Log -
commit 9d9e0535366b4e5cfb2eb4d74be6b3d546b98fe8
Author: Vitezslav Cizek 
Date:   Mon Oct 10 16:41:57 2016 +0200

Degrade 3DES to MEDIUM in SSL2

The SWEET32 fix moved 3DES from HIGH to MEDIUM, but omitted SSL2.

CLA: trivial
Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/1683)

(cherry picked from commit 6d69dc56de8f0535be9ccabea7a8d4e61c04c2f1)

---

Summary of changes:
 ssl/s2_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 7bcb81a..0322dc8 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_3DES,
  SSL_MD5,
  SSL_SSLV2,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
  0,
  112,
  168,
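Review bot: the flag change on the `+` line brings the SSLv2 3DES entry in line with the s3_lib.c SWEET32 change, but the Summary of changes shows only ssl/s2_lib.c touched; the CHANGES entry for CVE-2016-2183 says the DES ciphers were moved from HIGH to MEDIUM without qualification, so either amend it to say the SSLv2 table was covered later or accept that the record understates what the first commit did.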


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-10-13 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  329a5f361513154ebfbd616c79b628750df16de1 (commit)
  from  52a69c480d243f727c8393fb42b9ff9da742c143 (commit)


- Log -
commit 329a5f361513154ebfbd616c79b628750df16de1
Author: Rich Salz 
Date:   Wed Oct 12 15:49:06 2016 -0400

RT is put out to pasture

Reviewed-by: Tim Hudson 
(Merged from https://github.com/openssl/openssl/pull/1702)
(cherry picked from commit 7954dced19a7e59e7055eab95a981fa943c7d100)

---

Summary of changes:
 CONTRIBUTING | 53 -
 README   | 34 --
 2 files changed, 24 insertions(+), 63 deletions(-)

diff --git a/CONTRIBUTING b/CONTRIBUTING
index 07115e5..7cc3850 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -11,34 +11,12 @@ OpenSSL community you might want to discuss it on the 
openssl-dev mailing
 list first.  Someone may be already working on the same thing or there
 may be a good reason as to why that feature isn't implemented.
 
-The best way to submit a patch is to make a pull request on GitHub.
-(It is not necessary to send mail to r...@openssl.org to open a ticket!)
-If you think the patch could use feedback from the community, please
-start a thread on openssl-dev.
+To submit a patch, make a pull request on GitHub.  If you think the patch
+could use feedback from the community, please start a thread on openssl-dev
+to discuss it.
 
-You can also submit patches by sending it as mail to r...@openssl.org.
-Please include the word "PATCH" and an explanation of what the patch
-does in the subject line.  If you do this, our preferred format is "git
-format-patch" output. For example to provide a patch file containing the
-last commit in your local git repository use the following command:
-
-% git format-patch --stdout HEAD^ >mydiffs.patch
-
-Another method of creating an acceptable patch file without using git is as
-follows:
-
-% cd openssl-work
-...make your changes...
-% ./Configure dist; make clean
-% cd ..
-% diff -ur openssl-orig openssl-work >mydiffs.patch
-
-Note that pull requests are generally easier for the team, and community, to
-work with.  Pull requests benefit from all of the standard GitHub features,
-including code review tools, simpler integration, and CI build support.
-
-No matter how a patch is submitted, the following items will help make
-the acceptance and review process faster:
+Having addressed the following items before the PR will help make the
+acceptance and review process faster:
 
 1. Anything other than trivial contributions will require a contributor
 licensing agreement, giving us permission to use your code. See
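Review bot: the `+` line "Having addressed the following items before the PR will help make the" reads awkwardly; "Addressing the following items before opening the PR will help make the" says the same thing plainly. The removed `git format-patch` and `diff -ur` recipes were the only place the file explained how to produce a patch, which is acceptable now that pull requests are the sole route, but the sentence on the `+` lines should then say "open a pull request" rather than "make a pull request".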
@@ -55,21 +33,22 @@ the acceptance and review process faster:
 in the file LICENSE in the source distribution or at
 https://www.openssl.org/source/license.html
 
-3.  Patches should be as current as possible.  When using GitHub, please
-expect to have to rebase and update often. Note that we do not accept merge
-commits. You will be asked to remove them before a patch is considered
-acceptable.
+3.  Patches should be as current as possible; expect to have to rebase
+often. We do not accept merge commits; You will be asked to remove
+them before a patch is considered acceptable.
 
 4.  Patches should follow our coding style (see
 https://www.openssl.org/policies/codingstyle.html) and compile without
 warnings. Where gcc or clang is availble you should use the
 --strict-warnings Configure option.  OpenSSL compiles on many varied
 platforms: try to ensure you only use portable features.
+Clean builds via Travis and AppVeyor are expected, and done whenever
+a PR is created or updated.
 
-5.  When at all possible, patches should include tests. These can either be
-added to an existing test, or completely new.  Please see test/README
-for information on the test framework.
+5.  When at all possible, patches should include tests. These can
+either be added to an existing test, or completely new.  Please see
+test/README for information on the test framework.
 
-6.  New features or changed functionality must include documentation. 
Please
-look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
-our style.
+6.  New features or changed functionality must include
+documentation. Please look at the "pod" files in doc/apps, doc/crypto
+and doc/ssl for examples of our style.
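Review bot: on the `+` line "We do not accept merge commits; You will be asked to remove" the capital Y after the semicolon should be lower case. The unchanged context line "Where gcc or clang is availble you should use the" has a typo (availble → available) that this hunk could fix while it is already rewrapping the paragraph.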
diff --git a/README b/README
index 9d8e192..d572936 100644
--- a/README
+++ b/README
@@ -66,13 +66,13 @@
  If you have any problems with OpenSSL then please take the following steps
  first:
 
-- Download the current snapshot from ftp://ftp.openssl.org/snapshot/
+- 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-09-22 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  52a69c480d243f727c8393fb42b9ff9da742c143 (commit)
   via  888759a1d38197f29de7227876c3b58fbff8549f (commit)
   via  16ec56f0cd6337a2506dce4a1e7ef91e0b7ecb76 (commit)
   via  ab650f07a0dabc01a4410f8f702c3cea7932da62 (commit)
   via  2c0d295e26306e15a92eb23a84a1802005c1c137 (commit)
  from  151adf2e5cc23284a059e0f155505006a1c9fad9 (commit)


- Log -
commit 52a69c480d243f727c8393fb42b9ff9da742c143
Author: Matt Caswell 
Date:   Thu Sep 22 11:31:45 2016 +0100

Prepare for 1.0.1v-dev

Reviewed-by: Richard Levitte 

commit 888759a1d38197f29de7227876c3b58fbff8549f
Author: Matt Caswell 
Date:   Thu Sep 22 11:30:27 2016 +0100

Prepare for 1.0.1u release

Reviewed-by: Richard Levitte 

commit 16ec56f0cd6337a2506dce4a1e7ef91e0b7ecb76
Author: Matt Caswell 
Date:   Wed Sep 21 23:20:45 2016 +0100

Updates CHANGES and NEWS for new release

Reviewed-by: Richard Levitte 

commit ab650f07a0dabc01a4410f8f702c3cea7932da62
Author: Dmitry Belyavsky 
Date:   Mon Sep 19 16:05:53 2016 +0100

Avoid KCI attack for GOST

Russian GOST ciphersuites are vulnerable to the KCI attack because they use
long-term keys to establish the connection when ssl client authorization is
on. This change brings the GOST implementation into line with the latest
specs in order to avoid the attack. It should not break backwards
compatibility.

Reviewed-by: Rich Salz 
Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 

commit 2c0d295e26306e15a92eb23a84a1802005c1c137
Author: Matt Caswell 
Date:   Fri Sep 9 10:08:45 2016 +0100

Fix OCSP Status Request extension unbounded memory growth

A malicious client can send an excessively large OCSP Status Request
extension. If that client continually requests renegotiation,
sending a large OCSP Status Request extension each time, then there will
be unbounded memory growth on the server. This will eventually lead to a
Denial Of Service attack through memory exhaustion. Servers with a
default configuration are vulnerable even if they do not support OCSP.
Builds using the "no-ocsp" build time option are not affected.

I have also checked other extensions to see if they suffer from a similar
problem but I could not find any other issues.

CVE-2016-6304

Issue reported by Shi Lei.

Reviewed-by: Rich Salz 

---

Summary of changes:
 CHANGES   | 164 +-
 NEWS  |  16 +-
 README|   2 +-
 crypto/opensslv.h |   6 +-
 openssl.spec  |   2 +-
 ssl/s3_clnt.c |  19 ---
 ssl/t1_lib.c  |  24 +---
 7 files changed, 198 insertions(+), 35 deletions(-)

diff --git a/CHANGES b/CHANGES
index f89b50b..e2edbaf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,12 +2,170 @@
  OpenSSL CHANGES
  ___
 
- Changes between 1.0.1t and 1.0.1u [xx XXX ]
+ Changes between 1.0.1u and 1.0.1v [xx XXX ]
 
-  *) In order to mitigate the SWEET32 attack (CVE-2016-2183),
- the DES ciphers were moved from HIGH to MEDIUM.
+  *)
+
+ Changes between 1.0.1t and 1.0.1u [22 Sep 2016]
+
+  *) OCSP Status Request extension unbounded memory growth
+
+ A malicious client can send an excessively large OCSP Status Request
+ extension. If that client continually requests renegotiation, sending a
+ large OCSP Status Request extension each time, then there will be 
unbounded
+ memory growth on the server. This will eventually lead to a Denial Of
+ Service attack through memory exhaustion. Servers with a default
+ configuration are vulnerable even if they do not support OCSP. Builds 
using
+ the "no-ocsp" build time option are not affected.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6304)
+ [Matt Caswell]
+
+  *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
+ HIGH to MEDIUM.
+
+ This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
+ Leurent (INRIA)
+ (CVE-2016-2183)
  [Rich Salz]
 
+  *) OOB write in MDC2_Update()
+
+ An overflow can occur in MDC2_Update() either if called directly or
+ through the EVP_DigestUpdate() function using MDC2. If an attacker
+ is able to supply very large amounts of input data after a previous
+ call to EVP_EncryptUpdate() with a partial block then a length check
+ can overflow resulting in a heap corruption.
+
+ The amount of data needed is comparable to SIZE_MAX which 
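Review bot: the `+` line "This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan" is missing "by" before the names. The empty "*)" bullet under the new 1.0.1v-dev heading is the usual placeholder, but the moved SWEET32 entry now splits the CVE number onto its own parenthesised line while the OCSP entry above it does the same, so the two are at least consistent with each other.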

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-09-21 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  151adf2e5cc23284a059e0f155505006a1c9fad9 (commit)
  from  bb1a4866034255749ac578adb06a76335fc117b1 (commit)


- Log -
commit 151adf2e5cc23284a059e0f155505006a1c9fad9
Author: Dr. Stephen Henson 
Date:   Wed Sep 21 20:19:31 2016 +0100

update default dependency options

Reviewed-by: Rich Salz 

---

Summary of changes:
 Configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Configure b/Configure
index 93c4cc1..6a50cb1 100755
--- a/Configure
+++ b/Configure
@@ -741,7 +741,7 @@ my @experimental = ();
 
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP 
-DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 
-DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP 
-DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 
-DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST 
-DOPENSSL_NO_WEAK_SSL_CIPHERS";
 
 # Explicit "no-..." options will be collected in %disabled along with the 
defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's 
experimental).


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-09-21 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  bb1a4866034255749ac578adb06a76335fc117b1 (commit)
   via  8289755d54e4cf34d502c630613d1dba60e30830 (commit)
   via  aa388af1e18988894a48b8f64ae994eaa4366d5d (commit)
  from  52e623c4cb06fffa9d5e75c60b34b4bc130b12e9 (commit)


- Log -
commit bb1a4866034255749ac578adb06a76335fc117b1
Author: Dr. Stephen Henson 
Date:   Wed Sep 21 13:26:01 2016 +0100

Make message buffer slightly larger than message.

Grow TLS/DTLS 16 bytes more than strictly necessary as a precaution against
OOB reads. In most cases this will have no effect because the message buffer
will be large enough already.

Reviewed-by: Matt Caswell 
(cherry picked from commit 006a788c84e541c8920dd2ad85fb62b52185c519)

commit 8289755d54e4cf34d502c630613d1dba60e30830
Author: Dr. Stephen Henson 
Date:   Wed Sep 21 12:54:13 2016 +0100

Use SSL3_HM_HEADER_LENGTH instead of 4.

Reviewed-by: Matt Caswell 
(cherry picked from commit bc9563f83d28342b5ec0073ec12d9e581e4f3317)

commit aa388af1e18988894a48b8f64ae994eaa4366d5d
Author: Dr. Stephen Henson 
Date:   Wed Sep 21 12:57:01 2016 +0100

Remove unnecessary check.

The overflow check will never be triggered because the
n2l3 result is always less than 2^24.

Reviewed-by: Matt Caswell 
(cherry picked from commit 709ec8b3848e2ac201b86f49c5561debb8572ccd)

---

Summary of changes:
 ssl/d1_both.c |  5 -
 ssl/s3_both.c | 35 ---
 2 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index ae292c4..0cf1e49 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -577,9 +577,12 @@ static int dtls1_preprocess_fragment(SSL *s, struct 
hm_header_st *msg_hdr,
 /*
  * msg_len is limited to 2^24, but is effectively checked against max
  * above
+ *
+ * Make buffer slightly larger than message length as a precaution
+ * against small OOB reads e.g. CVE-2016-6306
  */
 if (!BUF_MEM_grow_clean
-(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
+(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) {
 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
 return SSL_AD_INTERNAL_ERROR;
 }
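Review bot: the `+ 16` on the `+` line is a bare magic number and, per the commit message, the same 16 is added in s3_both.c; give it a name next to DTLS1_HM_HEADER_LENGTH (a `*_HM_SLACK` macro, my suggestion) so the two sites cannot drift apart, and extend the comment to say the slack is on top of the `max` check performed above, so nobody later mistakes it for the bound itself.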
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index c51fc6e..d798d83 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -427,21 +427,22 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, 
long max, int *ok)
 }
 *ok = 1;
 s->state = stn;
-s->init_msg = s->init_buf->data + 4;
+s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
 s->init_num = (int)s->s3->tmp.message_size;
 return s->init_num;
 }
 
 p = (unsigned char *)s->init_buf->data;
 
-if (s->state == st1) {  /* s->init_num < 4 */
+if (s->state == st1) {  /* s->init_num < SSL3_HM_HEADER_LENGTH */
 int skip_message;
 
 do {
-while (s->init_num < 4) {
+while (s->init_num < SSL3_HM_HEADER_LENGTH) {
 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
   [s->init_num],
-  4 - s->init_num, 0);
+  SSL3_HM_HEADER_LENGTH -
+  s->init_num, 0);
 if (i <= 0) {
 s->rwstate = SSL_READING;
 *ok = 0;
@@ -465,12 +466,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, 
long max, int *ok)
 
 if (s->msg_callback)
 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
-p, 4, s, s->msg_callback_arg);
+p, SSL3_HM_HEADER_LENGTH, s,
+s->msg_callback_arg);
 }
 }
 while (skip_message);
 
-/* s->init_num == 4 */
+/* s->init_num == SSL3_HM_HEADER_LENGTH */
 
 if ((mt >= 0) && (*p != mt)) {
 al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -497,19 +499,20 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, 
long max, int *ok)
 SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
 goto f_err;
 }
-if (l > (INT_MAX - 4)) { /* BUF_MEM_grow takes an 'int' parameter */
-al = SSL_AD_ILLEGAL_PARAMETER;
-SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
-goto f_err;
-}
-if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l 
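Review bot: the removed `if (l > (INT_MAX - 4))` guard is redundant only because `l` comes from `n2l3` (at most 2^24 - 1) and has just been compared against `max` above; add a one-line comment at the `BUF_MEM_grow_clean` call saying so, so that anyone later changing how `l` is read does not silently lose the `int` overflow protection the removed check used to document.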

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-09-21 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  52e623c4cb06fffa9d5e75c60b34b4bc130b12e9 (commit)
  from  515a0105652a1b84d712b4d162cf859c02bf5450 (commit)


- Log -
commit 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9
Author: Dr. Stephen Henson 
Date:   Sat Sep 17 12:36:58 2016 +0100

Fix small OOB reads.

In ssl3_get_client_certificate, ssl3_get_server_certificate and
ssl3_get_certificate_request check we have enough room
before reading a length.

Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.

CVE-2016-6306

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(cherry picked from commit ff553f837172ecb2b5c8eca257ec3c5619a4b299)

---

Summary of changes:
 ssl/s3_clnt.c | 11 +++
 ssl/s3_srvr.c |  6 ++
 2 files changed, 17 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 9e5875f..40ca13d 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1143,6 +1143,12 @@ int ssl3_get_server_certificate(SSL *s)
 goto f_err;
 }
 for (nc = 0; nc < llen;) {
+if (nc + 3 > llen) {
+al = SSL_AD_DECODE_ERROR;
+SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+   SSL_R_CERT_LENGTH_MISMATCH);
+goto f_err;
+}
 n2l3(p, l);
 if ((l + nc + 3) > llen) {
 al = SSL_AD_DECODE_ERROR;
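Review bot: the new `nc + 3 > llen` test correctly guards the 3-byte `n2l3` read, and because the loop runs while `nc < llen`, a trailing one or two bytes is now rejected with SSL_R_CERT_LENGTH_MISMATCH instead of being read past the end of the buffer. The identical block is repeated in ssl3_get_client_certificate below; a small shared helper that checks both the length-field bytes and the `(l + nc + 3) > llen` condition would keep the two copies in step.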
@@ -2072,6 +2078,11 @@ int ssl3_get_certificate_request(SSL *s)
 }
 
 for (nc = 0; nc < llen;) {
+if (nc + 2 > llen) {
+ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
+goto err;
+}
 n2s(p, l);
 if ((l + nc + 2) > llen) {
 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
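Review bot: the added `nc + 2 > llen` check bails out with `ssl3_send_alert` and `goto err` unconditionally, while the existing `(l + nc + 2) > llen` check immediately below it has a special case under `SSL_OP_NETSCAPE_CA_DN_BUG`; please confirm that a truncated length field should not fall under that compatibility option, and say so in a comment, since a reader will otherwise wonder why two adjacent bounds checks diverge.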
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 591b13e..4f1a2e9 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3234,6 +3234,12 @@ int ssl3_get_client_certificate(SSL *s)
 goto f_err;
 }
 for (nc = 0; nc < llen;) {
+if (nc + 3 > llen) {
+al = SSL_AD_DECODE_ERROR;
+SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+   SSL_R_CERT_LENGTH_MISMATCH);
+goto f_err;
+}
 n2l3(p, l);
 if ((l + nc + 3) > llen) {
 al = SSL_AD_DECODE_ERROR;


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-26 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  515a0105652a1b84d712b4d162cf859c02bf5450 (commit)
  from  2b4029e68fd7002d2307e6c3cde0f3784eef9c83 (commit)


- Log -
commit 515a0105652a1b84d712b4d162cf859c02bf5450
Author: David Woodhouse 
Date:   Fri Jul 8 20:46:07 2016 +0100

Fix SSL_export_keying_material() for DTLS1_BAD_VER

Commit d8e8590e ("Fix missing return value checks in SCTP") made the
DTLS handshake fail, even for non-SCTP connections, if
SSL_export_keying_material() fails. Which it does, for DTLS1_BAD_VER.

Apply the trivial fix to make it succeed, since there's no real reason
why it shouldn't even though we never need it.

Reviewed-by: Rich Salz 
Reviewed-by: Matt Caswell 
(cherry picked from commit c8a18468caef4d62778381be0acdadc8a88d6e51)

---

Summary of changes:
 ssl/ssl_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 896b5a3..83ef233 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1662,7 +1662,7 @@ int SSL_export_keying_material(SSL *s, unsigned char 
*out, size_t olen,
const unsigned char *p, size_t plen,
int use_context)
 {
-if (s->version < TLS1_VERSION)
+if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
 return -1;
 
 return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
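Review bot: `s->version != DTLS1_BAD_VER` on the `+` line works because DTLS1_BAD_VER's version code (0x0100) is numerically below TLS1_VERSION even though that protocol uses TLS 1 key derivation; a short comment stating that is worth adding, since the condition otherwise reads as an arbitrary exception to a "TLS 1.0 or later" rule.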


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-24 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  2b4029e68fd7002d2307e6c3cde0f3784eef9c83 (commit)
  from  e95f5e03f6f1f8d3f6cbe4b7fa48e57b4cf8fd60 (commit)


- Log -
commit 2b4029e68fd7002d2307e6c3cde0f3784eef9c83
Author: Dr. Stephen Henson 
Date:   Fri Aug 19 23:28:29 2016 +0100

Avoid overflow in MDC2_Update()

Thanks to Shi Lei for reporting this issue.

CVE-2016-6303

Reviewed-by: Matt Caswell 
(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)

---

Summary of changes:
 crypto/mdc2/mdc2dgst.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
index 6615cf8..2dce493 100644
--- a/crypto/mdc2/mdc2dgst.c
+++ b/crypto/mdc2/mdc2dgst.c
@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t 
len)
 
 i = c->num;
 if (i != 0) {
-if (i + len < MDC2_BLOCK) {
+if (len < MDC2_BLOCK - i) {
 /* partial block */
 memcpy(&(c->data[i]), in, len);
 c->num += (int)len;
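Review bot: rewriting `i + len < MDC2_BLOCK` as `len < MDC2_BLOCK - i` on the `+` line removes the wrap that a `len` close to SIZE_MAX caused in the addition; it relies on the invariant `0 < i < MDC2_BLOCK` (the branch is under `i != 0`, and `MDC2_BLOCK - i` would be zero or negative otherwise), so an assertion or comment recording that `c->num` never reaches MDC2_BLOCK would make the reasoning visible at the site.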


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-24 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  e95f5e03f6f1f8d3f6cbe4b7fa48e57b4cf8fd60 (commit)
  from  1bbe48ab149893a78bf99c8eb8895c928900a16f (commit)


- Log -
commit e95f5e03f6f1f8d3f6cbe4b7fa48e57b4cf8fd60
Author: Rich Salz 
Date:   Thu Aug 18 09:26:52 2016 -0400

SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM

Reviewed-by: Viktor Dukhovni 
Reviewed-by: Emilia Käsper 
(cherry picked from commit 0fff5065884d5ac61123a604bbcee30a53c808ff)

---

Summary of changes:
 CHANGES  |  4 +++-
 ssl/s3_lib.c | 34 +-
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9442f3d..f89b50b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,9 @@
 
  Changes between 1.0.1t and 1.0.1u [xx XXX ]
 
-  *)
+  *) In order to mitigate the SWEET32 attack (CVE-2016-2183),
+ the DES ciphers were moved from HIGH to MEDIUM.
+ [Rich Salz]
 
  Changes between 1.0.1s and 1.0.1t [3 May 2016]
 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 35d6587..6b1822d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -334,7 +334,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
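Review bot: each hunk in this file swaps SSL_HIGH for SSL_MEDIUM on a 3DES suite while leaving SSL_FIPS in place, which is the intent (FIPS approval is about the algorithm, not its strength ranking); however the SSLv2 cipher table in ssl/s2_lib.c also carries 3DES with SSL_HIGH and is not in the Summary of changes, so either include it here or record it as a follow-up.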
@@ -387,7 +387,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -439,7 +439,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -492,7 +492,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -544,7 +544,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -717,7 +717,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -783,7 +783,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_MD5,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_EXP | SSL_MEDIUM,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -1733,7 +1733,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -2110,7 +2110,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -2190,7 +2190,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -2270,7 +2270,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -2350,7 +2350,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  112,
  168,
@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_3DES,
  SSL_SHA1,
  SSL_TLSV1,
- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
  

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-23 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  1bbe48ab149893a78bf99c8eb8895c928900a16f (commit)
  from  3612ff6fcec0e3d1f2a598135fe12177c0419582 (commit)


- Log -
commit 1bbe48ab149893a78bf99c8eb8895c928900a16f
Author: Dr. Stephen Henson 
Date:   Tue Aug 23 18:14:54 2016 +0100

Sanity check ticket length.

If a ticket callback changes the HMAC digest to SHA512 the existing
sanity checks are not sufficient and an attacker could perform a DoS
attack with a malformed ticket. Add additional checks based on
HMAC size.

Thanks to Shi Lei for reporting this bug.

CVE-2016-6302

Reviewed-by: Rich Salz 
(cherry picked from commit baaabfd8fdcec04a691695fad9a664bea43202b6)

---

Summary of changes:
 ssl/t1_lib.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d961e4a..7680491 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2273,9 +2273,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char 
*etick,
 HMAC_CTX hctx;
 EVP_CIPHER_CTX ctx;
 SSL_CTX *tctx = s->initial_ctx;
-/* Need at least keyname + iv + some encrypted data */
-if (eticklen < 48)
-return 2;
+
 /* Initialize session ticket encryption and HMAC contexts */
 HMAC_CTX_init();
 EVP_CIPHER_CTX_init();
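Review bot: this hunk deletes the only lower bound on eticklen before the two contexts are initialised, and the replacement bound in the next hunk is applied only once the HMAC digest size is known; please confirm that nothing between the two hunks (the ticket callback the commit message refers to, or the code that reads the 16-byte key name and the IV out of etick) touches etick for a ticket shorter than key name plus IV, or keep a minimal `if (eticklen < 16 + EVP_MAX_IV_LENGTH) return 2;` here in addition to the new check.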
@@ -2309,6 +2307,13 @@ static int tls_decrypt_ticket(SSL *s, const unsigned 
char *etick,
 if (mlen < 0) {
 goto err;
 }
+/* Sanity check ticket length: must exceed keyname + IV + HMAC */
+if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length() + mlen) {
+HMAC_CTX_cleanup();
+EVP_CIPHER_CTX_cleanup();
+return 2;
+}
+
 eticklen -= mlen;
 /* Check HMAC of encrypted ticket */
 if (HMAC_Update(, etick, eticklen) <= 0
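Review bot: the `<=` comparison correctly rejects a ticket that carries a key name, IV and MAC but zero bytes of encrypted payload, matching the "must exceed" comment, and the two cleanup calls before `return 2` are needed because the contexts were initialised in the previous hunk. Two nits: `EVP_CIPHER_CTX_iv_length()`, `HMAC_CTX_cleanup()` and `EVP_CIPHER_CTX_cleanup()` show no argument in this listing, so check that the committed source passes `&ctx` / `&hctx` (the mail rendering has most likely eaten them), and the bare `16` for the key-name length would read better as a named constant.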


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-22 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  cfd40fd39e69f5e3c654ae8fbf9acb1d2a051144 (commit)
   via  00a4c1421407b6ac796688871b0a49a179c694d9 (commit)
  from  f3e01c8d85d98eab502d7734a1f9f0b8e375 (commit)


- Log -
commit cfd40fd39e69f5e3c654ae8fbf9acb1d2a051144
Author: Matt Caswell 
Date:   Thu Jun 30 15:06:27 2016 +0100

Prevent DTLS Finished message injection

Follow on from CVE-2016-2179

The investigation and analysis of CVE-2016-2179 highlighted a related flaw.

This commit fixes a security "near miss" in the buffered message handling
code. Ultimately this is not currently believed to be exploitable due to
the reasons outlined below, and therefore there is no CVE for this on its
own.

The issue this commit fixes is a MITM attack where the attacker can inject
a Finished message into the handshake. In the description below it is
assumed that the attacker injects the Finished message for the server to
receive it. The attack could work equally well the other way around (i.e.
where the client receives the injected Finished message).

The MITM requires the following capabilities:
- The ability to manipulate the MTU that the client selects such that it
is small enough for the client to fragment Finished messages.
- The ability to selectively drop and modify records sent from the client
- The ability to inject its own records and send them to the server

The MITM forces the client to select a small MTU such that the client
will fragment the Finished message. Ideally for the attacker the first
fragment will contain all but the last byte of the Finished message,
with the second fragment containing the final byte.

During the handshake and prior to the client sending the CCS the MITM
injects a plaintext Finished message fragment to the server containing
all but the final byte of the Finished message. The message sequence
number should be the one expected to be used for the real Finished message.

OpenSSL will recognise that the received fragment is for the future and
will buffer it for later use.

After the client sends the CCS it then sends its own Finished message in
two fragments. The MITM causes the first of these fragments to be
dropped. The OpenSSL server will then receive the second of the fragments
and reassemble the complete Finished message consisting of the MITM
fragment and the final byte from the real client.

The advantage to the attacker in injecting a Finished message is that
this provides the capability to modify other handshake messages (e.g.
the ClientHello) undetected. A difficulty for the attacker is knowing in
advance what impact any of those changes might have on the final byte of
the handshake hash that is going to be sent in the "real" Finished
message. In the worst case for the attacker this means that only 1 in
256 of such injection attempts will succeed.

It may be possible in some situations for the attacker to improve this such
that all attempts succeed. For example if the handshake includes client
authentication then the final message flight sent by the client will
include a Certificate. Certificates are ASN.1 objects where the signed
portion is DER encoded. The non-signed portion could be BER encoded and so
the attacker could re-encode the certificate such that the hash for the
whole handshake comes to a different value. The certificate re-encoding
would not be detectable because only the non-signed portion is changed. As
this is the final flight of messages sent from the client the attacker
knows what the complete handshake hash value will be that the client will
send - and therefore knows what the final byte will be. Through a process
of trial and error the attacker can re-encode the certificate until the
modified handshake also has a hash with the same final byte. This means
that when the Finished message is verified by the server it will be
correct in all cases.

In practice the MITM would need to be able to perform the same attack
against both the client and the server. If the attack is only performed
against the server (say) then the server will not detect the modified
handshake, but the client will and will abort the connection.
Fortunately, although OpenSSL is vulnerable to Finished message
injection, it is not vulnerable if *both* client and server are OpenSSL.
The reason is that OpenSSL has a hard "floor" for a minimum MTU size
that it will never go below. This minimum means that a Finished message
will never be sent in a fragmented form and therefore the MITM does not
have one of its pre-requisites. Therefore this could only be exploited
if using OpenSSL 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-19 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  5802758eb480c5f14a768f6a061df1dd20aec8c4 (commit)
   via  b77ab018b79a00f789b0fb85596b446b08be4c9d (commit)
   via  fa75569758298e2930c78989b516cac937118acc (commit)
  from  6c858db32b1ae293d7649ea593de3359225a4f7e (commit)


- Log -
commit 5802758eb480c5f14a768f6a061df1dd20aec8c4
Author: Matt Caswell 
Date:   Wed Aug 17 17:55:36 2016 +0100

Update function error code

A function error code needed updating due to merge issues.

Reviewed-by: Richard Levitte 

commit b77ab018b79a00f789b0fb85596b446b08be4c9d
Author: Matt Caswell 
Date:   Tue Jul 5 12:04:37 2016 +0100

Fix DTLS replay protection

The DTLS implementation provides some protection against replay attacks
in accordance with RFC6347 section 4.1.2.6.

A sliding "window" of valid record sequence numbers is maintained with
the "right" hand edge of the window set to the highest sequence number we
have received so far. Records that arrive that are off the "left" hand
edge of the window are rejected. Records within the window are checked
against a list of records received so far. If we already received it then
we also reject the new record.

If we have not already received the record, or the sequence number is off
the right hand edge of the window then we verify the MAC of the record.
If MAC verification fails then we discard the record. Otherwise we mark
the record as received. If the sequence number was off the right hand edge
of the window, then we slide the window along so that the right hand edge
is in line with the newly received sequence number.

Records may arrive for future epochs, i.e. a record from after a CCS being
sent, can arrive before the CCS does if the packets get re-ordered. As we
have not yet received the CCS we are not yet in a position to decrypt or
validate the MAC of those records. OpenSSL places those records on an
unprocessed records queue. It additionally updates the window immediately,
even though we have not yet verified the MAC. This will only occur if
currently in a handshake/renegotiation.

This could be exploited by an attacker by sending a record for the next
epoch (which does not have to decrypt or have a valid MAC), with a very
large sequence number. This means the right hand edge of the window is
moved very far to the right, and all subsequent legitimate packets are
dropped causing a denial of service.

A similar effect can be achieved during the initial handshake. In this
case there is no MAC key negotiated yet. Therefore an attacker can send a
message for the current epoch with a very large sequence number. The code
will process the record as normal. If the handshake message sequence number
(as opposed to the record sequence number that we have been talking about
so far) is in the future then the injected message is buffered to be
handled later, but the window is still updated. Therefore all subsequent
legitimate handshake records are dropped. This aspect is not considered a
security issue because there are many ways for an attacker to disrupt the
initial handshake and prevent it from completing successfully (e.g.
injection of a handshake message will cause the Finished MAC to fail and
the handshake to be aborted). This issue comes about as a result of trying
to do replay protection, but having no integrity mechanism in place yet.
Does it even make sense to have replay protection in epoch 0? That
issue isn't addressed here though.

This addressed an OCAP Audit issue.

CVE-2016-2181

Reviewed-by: Richard Levitte 

commit fa75569758298e2930c78989b516cac937118acc
Author: Matt Caswell 
Date:   Tue Jul 5 11:46:26 2016 +0100

Fix DTLS unprocessed records bug

During a DTLS handshake we may get records destined for the next epoch
arrive before we have processed the CCS. In that case we can't decrypt or
verify the record yet, so we buffer it for later use. When we do receive
the CCS we work through the queue of unprocessed records and process them.

Unfortunately the act of processing wipes out any existing packet data
that we were still working through. This includes any records from the new
epoch that were in the same packet as the CCS. We should only process the
buffered records if we've not got any data left.

Reviewed-by: Richard Levitte 

---

Summary of changes:
 ssl/d1_pkt.c  | 83 +--
 ssl/ssl.h |  1 +
 ssl/ssl_err.c |  4 ++-
 3 files changed, 73 
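The sliding-window replay check this commit message describes, as an added C example that is not OpenSSL's code: a 64-entry bitmap window, the receive ordering the message describes (window advanced before the MAC is verified) beside the corrected one (window advanced only after verification), both run over a constructed record stream containing one forged far-future record. The `record` type, its `mac_valid` flag standing in for real MAC verification, and all function names are assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Added example (not OpenSSL code): a 64-entry sliding replay window in the
 * style of RFC 6347 section 4.1.2.6. "top" is the right-hand edge (highest
 * sequence number seen); bit i of "bitmap" is set once top - i has been
 * received. An all-zero window has received nothing.
 */
typedef struct {
    uint64_t top;
    uint64_t bitmap;
} replay_window;

enum replay_result { REPLAY_OK = 0, REPLAY_TOO_OLD = 1, REPLAY_DUPLICATE = 2 };

/* Read-only check of seq against the window. */
enum replay_result rw_check(const replay_window *w, uint64_t seq)
{
    if (seq > w->top)
        return REPLAY_OK;                 /* would become the new right edge */
    if (w->top - seq >= 64)
        return REPLAY_TOO_OLD;            /* off the left-hand edge */
    return ((w->bitmap >> (w->top - seq)) & 1) ? REPLAY_DUPLICATE : REPLAY_OK;
}

/* Mark seq as received, sliding the window when seq is past the right edge. */
void rw_update(replay_window *w, uint64_t seq)
{
    if (seq > w->top) {
        uint64_t shift = seq - w->top;
        w->bitmap = (shift >= 64) ? 0 : (w->bitmap << shift);
        w->top = seq;
    }
    w->bitmap |= (uint64_t)1 << (w->top - seq);
}

/* A received record; mac_valid stands in for real MAC verification. */
typedef struct {
    uint64_t seq;
    int mac_valid;
} record;

/*
 * Ordering the commit message describes: the window is advanced as soon as the
 * record passes the replay check, before its MAC is verified. A forged record
 * with a huge sequence number is still dropped, but it has already pushed the
 * right-hand edge past every legitimate record that follows.
 */
int recv_window_first(replay_window *w, const record *r)
{
    if (rw_check(w, r->seq) != REPLAY_OK)
        return 0;
    rw_update(w, r->seq);                 /* too early: MAC not checked yet */
    return r->mac_valid;
}

/* Corrected ordering: only a record whose MAC verified may move the window. */
int recv_verify_first(replay_window *w, const record *r)
{
    if (rw_check(w, r->seq) != REPLAY_OK || !r->mac_valid)
        return 0;
    rw_update(w, r->seq);
    return 1;
}

/* Feed a stream through one receive policy; count legitimate records accepted. */
int run_stream(int (*policy)(replay_window *, const record *),
               const record *rs, size_t n)
{
    replay_window w = {0, 0};
    int accepted = 0;

    for (size_t i = 0; i < n; i++)
        if (policy(&w, &rs[i]) && rs[i].mac_valid)
            accepted++;
    return accepted;
}

/* Constructed stream: three good records, one forged far-future record, three more good ones. */
static const record sample_stream[] = {
    {1, 1}, {2, 1}, {3, 1},
    {(uint64_t)1 << 40, 0},               /* forged: bad MAC, huge sequence number */
    {4, 1}, {5, 1}, {6, 1},
};
#define SAMPLE_LEN (sizeof(sample_stream) / sizeof(sample_stream[0]))

/* Window behaviour on its own: out-of-order delivery, duplicates, the left edge. */
int window_scenario_ok(void)
{
    replay_window w = {0, 0};

    rw_update(&w, 10);
    if (rw_check(&w, 5) != REPLAY_OK)     /* older, but inside the window */
        return 0;
    rw_update(&w, 5);
    if (rw_check(&w, 5) != REPLAY_DUPLICATE || rw_check(&w, 10) != REPLAY_DUPLICATE)
        return 0;
    rw_update(&w, 100);                   /* slide far to the right */
    return rw_check(&w, 36) == REPLAY_TOO_OLD   /* 100 - 36 = 64: just off the edge */
        && rw_check(&w, 37) == REPLAY_OK;       /* 100 - 37 = 63: oldest still inside */
}
```

With the window advanced first, the single forged record strands every later legitimate record outside the window (3 of the 6 are accepted); verifying first leaves the window untouched by the forgery and all 6 are accepted.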

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-16 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  6c858db32b1ae293d7649ea593de3359225a4f7e (commit)
  from  17603dd994d6738c36ef7ab27e352aec9d6bd605 (commit)


- Log -
commit 6c858db32b1ae293d7649ea593de3359225a4f7e
Author: Richard Levitte 
Date:   Tue Aug 16 14:14:33 2016 +0200

make update to have PEM_R_HEADER_TOO_LONG defined

(cherry picked from commit a1be17a72f6e0fe98275dc113cddd799bf55df44)

Conflicts:
crypto/pem/pem_err.c

Reviewed-by: Rich Salz 
Reviewed-by: Stephen Henson 

---

Summary of changes:
 crypto/pem/pem.h | 1 +
 crypto/pem/pem_err.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h
index 2cdad8a..de4ba3e 100644
--- a/crypto/pem/pem.h
+++ b/crypto/pem/pem.h
@@ -588,6 +588,7 @@ void ERR_load_PEM_strings(void);
 # define PEM_R_ERROR_CONVERTING_PRIVATE_KEY   115
 # define PEM_R_EXPECTING_PRIVATE_KEY_BLOB 119
 # define PEM_R_EXPECTING_PUBLIC_KEY_BLOB  120
+# define PEM_R_HEADER_TOO_LONG128
 # define PEM_R_INCONSISTENT_HEADER121
 # define PEM_R_KEYBLOB_HEADER_PARSE_ERROR 122
 # define PEM_R_KEYBLOB_TOO_SHORT  123
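Review bot: PEM_R_HEADER_TOO_LONG is introduced here one commit after do_b2i_bio() in crypto/pem/pvkfmt.c started using it (commit 17603dd9, this commit's parent, whose diff appears further down this page), so the branch did not compile at the intervening commit; a change that adds a new reason code should carry the `make update` output for pem.h and pem_err.c in the same commit.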
diff --git a/crypto/pem/pem_err.c b/crypto/pem/pem_err.c
index 702c5ad..f02de5c 100644
--- a/crypto/pem/pem_err.c
+++ b/crypto/pem/pem_err.c
@@ -1,6 +1,6 @@
 /* crypto/pem/pem_err.c */
 /* 
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -130,6 +130,7 @@ static ERR_STRING_DATA PEM_str_reasons[] = {
  "expecting private key blob"},
 {ERR_REASON(PEM_R_EXPECTING_PUBLIC_KEY_BLOB),
  "expecting public key blob"},
+{ERR_REASON(PEM_R_HEADER_TOO_LONG), "header too long"},
 {ERR_REASON(PEM_R_INCONSISTENT_HEADER), "inconsistent header"},
 {ERR_REASON(PEM_R_KEYBLOB_HEADER_PARSE_ERROR),
  "keyblob header parse error"},


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-15 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  17603dd994d6738c36ef7ab27e352aec9d6bd605 (commit)
  from  28a89639da50b1caed4ff3015508f23173bf3e49 (commit)


- Log -
commit 17603dd994d6738c36ef7ab27e352aec9d6bd605
Author: Dr. Stephen Henson 
Date:   Mon Aug 15 16:52:21 2016 +0100

Limit reads in do_b2i_bio()

Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.

Thanks to Shi Lei for reporting this.

Reviewed-by: Rich Salz 
(cherry picked from commit 66bcba145740e4f1210499ba6e5033035a2a4647)

---

Summary of changes:
 crypto/pem/pvkfmt.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 6186446..1ce5a1e 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -127,6 +127,9 @@ static int read_lebn(const unsigned char **in, unsigned int 
nbyte, BIGNUM **r)
 # define MS_KEYTYPE_KEYX 0x1
 # define MS_KEYTYPE_SIGN 0x2
 
+/* Maximum length of a blob after header */
+# define BLOB_MAX_LENGTH  102400
+
 /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
 # define MS_PVKMAGIC 0xb0b5f11eL
 /* Salt length for PVK files */
@@ -272,6 +275,10 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
 return NULL;
 
 length = blob_length(bitlen, isdss, ispub);
+if (length > BLOB_MAX_LENGTH) {
+PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG);
+return NULL;
+}
 buf = OPENSSL_malloc(length);
 if (!buf) {
 PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);
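Review bot: the bound is applied to `length` but not to the `bitlen` it is derived from; if blob_length() does its arithmetic in the same width as `length`, a very large `bitlen` read from the header could wrap to a small `length`, pass this check and leave the later parsing with fewer bytes than the key needs, so either reject implausible `bitlen` values before calling blob_length() or confirm that it cannot wrap. Two smaller points: the reason code PEM_R_HEADER_TOO_LONG names a header, but what is rejected is the blob body after the header (as the BLOB_MAX_LENGTH comment says), so a reason name that describes the blob would be clearer; and the comment above the define should say how 102400 was chosen relative to the largest supported key so the constant is revisited when key limits change.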


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-15 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  28a89639da50b1caed4ff3015508f23173bf3e49 (commit)
   via  ff0571b10c5e95f72daed39a30e5b18667f4d51e (commit)
  from  7a4979815b3ce7d280ed30b3b1df2a23481c2331 (commit)


- Log -
commit 28a89639da50b1caed4ff3015508f23173bf3e49
Author: Dr. Stephen Henson 
Date:   Fri Aug 5 14:26:03 2016 +0100

Check for errors in BN_bn2dec()

If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: Tim Hudson 
(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)

Conflicts:
crypto/bn/bn_print.c

commit ff0571b10c5e95f72daed39a30e5b18667f4d51e
Author: Dr. Stephen Henson 
Date:   Fri Aug 5 14:33:03 2016 +0100

Check for errors in a2d_ASN1_OBJECT()

Check for error return in BN_div_word().

Reviewed-by: Tim Hudson 
(cherry picked from commit 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa)

---

Summary of changes:
 crypto/asn1/a_object.c |  8 ++--
 crypto/bn/bn_print.c   | 11 ---
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index fba9f66..229a40f 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -174,8 +174,12 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const 
char *buf, int num)
 if (!tmp)
 goto err;
 }
-while (blsize--)
-tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L);
+while (blsize--) {
+BN_ULONG t = BN_div_word(bl, 0x80L);
+if (t == (BN_ULONG)-1)
+goto err;
+tmp[i++] = (unsigned char)t;
+}
 } else {
 
 for (;;) {
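Review bot: the `(BN_ULONG)-1` sentinel is safe here only because BN_div_word() returns the remainder of a division by 0x80, which is always below 0x80 and so can never equal the error value; that reasoning deserves a short comment beside the check so that a later change to the divisor does not silently turn a legitimate remainder into a false error.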
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index bfa31ef..b44403e 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
 char *p;
 BIGNUM *t = NULL;
 BN_ULONG *bn_data = NULL, *lp;
+int bn_data_num;
 
 /*-
  * get an upper bound for the length of the decimal integer
@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
  */
 i = BN_num_bits(a) * 3;
 num = (i / 10 + i / 1000 + 1) + 1;
-bn_data =
-(BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
-buf = (char *)OPENSSL_malloc(num + 3);
+bn_data_num = num / BN_DEC_NUM + 1;
+bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
+buf = OPENSSL_malloc(num + 3);
 if ((buf == NULL) || (bn_data == NULL)) {
 BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
 goto err;
@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
 i = 0;
 while (!BN_is_zero(t)) {
 *lp = BN_div_word(t, BN_DEC_CONV);
+if (*lp == (BN_ULONG)-1)
+goto err;
 lp++;
+if (lp - bn_data >= bn_data_num)
+goto err;
 }
 lp--;
 /*
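Review bot: the bounds check is placed after `lp++`, so a value that needs exactly `bn_data_num` words is rejected: the last word is stored in the final slot, `lp` then equals `bn_data + bn_data_num`, and the function jumps to `err` although `t` is now zero and nothing was overrun. Move the `lp - bn_data >= bn_data_num` test to the top of the loop body, before `*lp = BN_div_word(t, BN_DEC_CONV);`, so it fires only when a write would actually go past the buffer.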


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-05 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  7a4979815b3ce7d280ed30b3b1df2a23481c2331 (commit)
  from  d23de0bbf9e2c7a64065e2bf1907c6cceda78eb9 (commit)


- Log -
commit 7a4979815b3ce7d280ed30b3b1df2a23481c2331
Author: Dr. Stephen Henson 
Date:   Fri Aug 5 17:59:32 2016 +0100

Sanity check input length in OPENSSL_uni2asc().

Thanks to Hanno Böck for reporting this bug.

Reviewed-by: Rich Salz 
(cherry picked from commit 39a43280316f1b9c45be5ac5b04f4f5c3f923686)

Conflicts:
crypto/pkcs12/p12_utl.c

---

Summary of changes:
 crypto/pkcs12/p12_utl.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index a0b992e..e466f76 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -91,6 +91,10 @@ char *OPENSSL_uni2asc(unsigned char *uni, int unilen)
 {
 int asclen, i;
 char *asctmp;
+
+/* string must contain an even number of bytes */
+if (unilen & 1)
+return NULL;
 asclen = unilen / 2;
 /* If no terminating zero allow for one */
 if (!unilen || uni[unilen - 1])
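Review bot: `unilen` is an `int`, and the new parity test rejects negative odd values but lets a negative even value through to `asclen = unilen / 2` and `uni[unilen - 1]`; extend the check to `if (unilen < 0 || (unilen & 1)) return NULL;`. The `unilen == 0` case is fine as written: `0 & 1` is zero and the next line's `!unilen` short-circuits the index.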


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-05 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  d23de0bbf9e2c7a64065e2bf1907c6cceda78eb9 (commit)
  from  3c39313f7bba2663961f6085bcd010e61004fe6e (commit)


- Log -
commit d23de0bbf9e2c7a64065e2bf1907c6cceda78eb9
Author: Dr. Stephen Henson 
Date:   Fri Aug 5 16:21:26 2016 +0100

Leak fixes.

Fix error path leaks in a2i_ASN1_STRING(), a2i_ASN1_INTEGER() and
a2i_ASN1_ENUMERATED().

Thanks to Shi Lei for reporting these issues.

Reviewed-by: Rich Salz 
(cherry picked from commit e1be1dce7722ee40ced16b1b91d5e1b9fce13d08)

---

Summary of changes:
 crypto/asn1/f_enum.c   | 4 ++--
 crypto/asn1/f_int.c| 4 ++--
 crypto/asn1/f_string.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/crypto/asn1/f_enum.c b/crypto/asn1/f_enum.c
index 591c3b5..94cd54d 100644
--- a/crypto/asn1/f_enum.c
+++ b/crypto/asn1/f_enum.c
@@ -160,8 +160,6 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char 
*buf, int size)
   i * 2);
 if (sp == NULL) {
 ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
-if (s != NULL)
-OPENSSL_free(s);
 goto err;
 }
 s = sp;
@@ -199,5 +197,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char 
*buf, int size)
  err_sl:
 ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ASN1_R_SHORT_LINE);
 }
+if (ret != 1)
+OPENSSL_free(s);
 return (ret);
 }
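Review bot: freeing `s` at the single exit when `ret != 1` is the right shape for this leak fix, but it relies on two invariants that are not visible in the hunk and deserve a comment: `s` must be initialised to NULL before the first possible `goto err`, and every path that sets `ret = 1` must already have handed `s` to `bs`, otherwise the success path would free a buffer the caller now owns. The same applies to the matching hunks in f_int.c and f_string.c below.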
diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c
index 4a81f81..2bdc78d 100644
--- a/crypto/asn1/f_int.c
+++ b/crypto/asn1/f_int.c
@@ -172,8 +172,6 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, 
int size)
 sp = OPENSSL_realloc_clean(s, slen, num + i * 2);
 if (sp == NULL) {
 ASN1err(ASN1_F_A2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
-if (s != NULL)
-OPENSSL_free(s);
 goto err;
 }
 s = sp;
@@ -211,5 +209,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, 
int size)
  err_sl:
 ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_SHORT_LINE);
 }
+if (ret != 1)
+OPENSSL_free(s);
 return (ret);
 }
diff --git a/crypto/asn1/f_string.c b/crypto/asn1/f_string.c
index 6a6cf34..0f7b9cf 100644
--- a/crypto/asn1/f_string.c
+++ b/crypto/asn1/f_string.c
@@ -166,8 +166,6 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, 
int size)
   i * 2);
 if (sp == NULL) {
 ASN1err(ASN1_F_A2I_ASN1_STRING, ERR_R_MALLOC_FAILURE);
-if (s != NULL)
-OPENSSL_free(s);
 goto err;
 }
 s = sp;
@@ -205,5 +203,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, 
int size)
  err_sl:
 ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_SHORT_LINE);
 }
+if (ret != 1)
+OPENSSL_free(s);
 return (ret);
 }


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-04 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  6592de7c8c090bbb7ec82bad07b3249153bb692f (commit)
  from  5db2a579b72b94aa0dacb08530768a1a5759237d (commit)


- Log -
commit 6592de7c8c090bbb7ec82bad07b3249153bb692f
Author: Dr. Stephen Henson 
Date:   Thu Aug 4 13:54:51 2016 +0100

Check for overflows in i2d_ASN1_SET()

Thanks to Shi Lei for reporting this issue.

Reviewed-by: Rich Salz 
(cherry picked from commit af601b83198771a4ad54ac0f415964b90aab4b5f)

---

Summary of changes:
 crypto/asn1/a_set.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c
index bf3f971..5fb5865 100644
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -57,6 +57,7 @@
  */
 
 #include 
+#include 
 #include "cryptlib.h"
 #include 
 
@@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char 
**pp,
 
 if (a == NULL)
 return (0);
-for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--)
+for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) {
+int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+if (tmplen > INT_MAX - ret)
+return -1;
 ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+}
 r = ASN1_object_size(1, ret, ex_tag);
-if (pp == NULL)
+if (pp == NULL || r == -1)
 return (r);
 
 p = *pp;
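Review bot: `i2d(sk_OPENSSL_BLOCK_value(a, i), NULL)` is now evaluated twice per element, once into `tmplen` and again in `ret += ...`; use `ret += tmplen;` so the length that was checked is the one that is added. The check also lets a negative `tmplen` (an i2d error) pass `tmplen > INT_MAX - ret` and shrink `ret`; add `tmplen < 0 ||` to the condition so that case returns -1 as well.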


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-02 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  c648bdcc4cd8a7d1699081d339ff33deda69a3be (commit)
  from  7149c709a24802f044f15e6a8e47d3926a547c2d (commit)


- Log -
commit c648bdcc4cd8a7d1699081d339ff33deda69a3be
Author: Dr. Stephen Henson 
Date:   Tue Aug 2 23:41:45 2016 +0100

include 

Reviewed-by: Rich Salz 
(cherry picked from commit 134ab5139a8d41455a81d9fcc31b3edb8a4b2f5c)

---

Summary of changes:
 crypto/asn1/tasn_enc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 255b11e..081a9d5 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -59,6 +59,7 @@
 
 #include 
 #include 
+#include 
 #include "cryptlib.h"
 #include 
 #include 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-07-22 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  6adf409c7432b90c06d9890787fe56c48f2a16e7 (commit)
  from  beaa2c03e70b523f006003a489497a18b4d53e6c (commit)


- Log -
commit 6adf409c7432b90c06d9890787fe56c48f2a16e7
Author: Dr. Stephen Henson 
Date:   Thu Jul 21 15:24:16 2016 +0100

Fix OOB read in TS_OBJ_print_bio().

TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text representation would need not the amount of
data written.

CVE-2016-2180

Thanks to Shi Lei for reporting this bug.

Reviewed-by: Matt Caswell 
(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)

---

Summary of changes:
 crypto/ts/ts_lib.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
index c51538a..e0f1063 100644
--- a/crypto/ts/ts_lib.c
+++ b/crypto/ts/ts_lib.c
@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
 {
 char obj_txt[128];
 
-int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
-BIO_write(bio, obj_txt, len);
-BIO_write(bio, "\n", 1);
+OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+BIO_printf(bio, "%s\n", obj_txt);
 
 return 1;
 }
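Review bot: the return value of OBJ_obj2txt() is now discarded, so an OID whose text form does not fit in the 128-byte buffer is printed truncated with no indication; since, as the commit message notes, OBJ_obj2txt() returns the full length the text would need, compare that against `sizeof(obj_txt)` and either flag the truncation or allocate a buffer of the returned size. BIO_printf()'s return is also ignored while the function unconditionally returns 1.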


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-06-30 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  beaa2c03e70b523f006003a489497a18b4d53e6c (commit)
  from  08327bfb261eea4a3c356d6ebff81d838f063d1b (commit)


- Log -
commit beaa2c03e70b523f006003a489497a18b4d53e6c
Author: Matt Caswell 
Date:   Fri Jun 24 23:37:27 2016 +0100

Convert memset calls to OPENSSL_cleanse

Ensure things really do get cleared when we intend them to.

Addresses an OCAP Audit issue.

Reviewed-by: Andy Polyakov 
(cherry picked from commit cb5ebf961333896776fbce10ef88c2af7bec8aea)

---

Summary of changes:
 crypto/bn/bn_lib.c|  2 +-
 crypto/evp/digest.c   |  2 +-
 crypto/md2/md2_dgst.c |  2 +-
 crypto/md32_common.h  | 10 +-
 crypto/rand/rand_unix.c   |  2 +-
 crypto/whrlpool/wp_dgst.c |  3 ++-
 6 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
index 80105ff..10b78f5 100644
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -569,7 +569,7 @@ void BN_clear(BIGNUM *a)
 {
 bn_check_top(a);
 if (a->d != NULL)
-memset(a->d, 0, a->dmax * sizeof(a->d[0]));
+OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
 a->top = 0;
 a->neg = 0;
 }
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 5d419ef..0654050 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -273,7 +273,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, 
unsigned int *size)
 ctx->digest->cleanup(ctx);
 EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
 }
-memset(ctx->md_data, 0, ctx->digest->ctx_size);
+OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
 return ret;
 }
 
diff --git a/crypto/md2/md2_dgst.c b/crypto/md2/md2_dgst.c
index 9cd79f8..7f5d9ba 100644
--- a/crypto/md2/md2_dgst.c
+++ b/crypto/md2/md2_dgst.c
@@ -219,6 +219,6 @@ int MD2_Final(unsigned char *md, MD2_CTX *c)
 
 for (i = 0; i < 16; i++)
 md[i] = (UCHAR) (p1[i] & 0xff);
-memset((char *), 0, sizeof(c));
+OPENSSL_cleanse(c, sizeof(*c));
 return 1;
 }
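Review bot: besides switching to OPENSSL_cleanse(), this hunk changes `sizeof(c)` to `sizeof(*c)`: with `MD2_CTX *c` the old call zeroed only a pointer's worth of bytes rather than the whole context, so this is a real fix of exactly the "ensure things really do get cleared" kind and should be called out in the commit message instead of being hidden inside a mechanical conversion.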
diff --git a/crypto/md32_common.h b/crypto/md32_common.h
index 1823833..aac7191 100644
--- a/crypto/md32_common.h
+++ b/crypto/md32_common.h
@@ -109,6 +109,8 @@
  *  
  */
 
+#include 
+
 #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 # error "DATA_ORDER must be defined!"
 #endif
@@ -311,6 +313,12 @@ int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len)
 data += n;
 len -= n;
 c->num = 0;
+/*
+ * We use memset rather than OPENSSL_cleanse() here deliberately.
+ * Using OPENSSL_cleanse() here could be a performance issue. It
+ * will get properly cleansed on finalisation so this isn't a
+ * security problem.
+ */
 memset(p, 0, HASH_CBLOCK); /* keep it zeroed */
 } else {
 memcpy(p + n, data, len);
@@ -366,7 +374,7 @@ int HASH_FINAL(unsigned char *md, HASH_CTX *c)
 p -= HASH_CBLOCK;
 HASH_BLOCK_DATA_ORDER(c, p, 1);
 c->num = 0;
-memset(p, 0, HASH_CBLOCK);
+OPENSSL_cleanse(p, HASH_CBLOCK);
 
 #ifndef HASH_MAKE_STRING
 # error "HASH_MAKE_STRING must be defined!"
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
index 266111e..6c5b65d 100644
--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -235,7 +235,7 @@ int RAND_poll(void)
 rnd >>= 8;
 }
 RAND_add(buf, sizeof(buf), ENTROPY_NEEDED);
-memset(buf, 0, sizeof(buf));
+OPENSSL_cleanse(buf, sizeof(buf));
 
 return 1;
 }
diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c
index e33bb4f..807d1c4 100644
--- a/crypto/whrlpool/wp_dgst.c
+++ b/crypto/whrlpool/wp_dgst.c
@@ -51,6 +51,7 @@
  * input. This is done for perfomance.
  */
 
+#include 
 #include "wp_locl.h"
 #include 
 #include 
@@ -237,7 +238,7 @@ int WHIRLPOOL_Final(unsigned char *md, WHIRLPOOL_CTX *c)
 
 if (md) {
 memcpy(md, c->H.c, WHIRLPOOL_DIGEST_LENGTH);
-memset(c, 0, sizeof(*c));
+OPENSSL_cleanse(c, sizeof(*c));
 return (1);
 }
 return (0);


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-06-29 Thread Richard Levitte
The branch OpenSSL_1_0_1-stable has been updated
   via  08327bfb261eea4a3c356d6ebff81d838f063d1b (commit)
   via  f7c95287b602191a971c1cec9427029b453a68e8 (commit)
   via  26576cf9cea7841c9abb54e0609cdf09d3f4c663 (commit)
  from  05200ee5c61ecd38cdcacf9c547b0c3877e8cfef (commit)


- Log -
commit 08327bfb261eea4a3c356d6ebff81d838f063d1b
Author: Richard Levitte 
Date:   Sun Jun 19 10:55:43 2016 +0200

Allow proxy certs to be present when verifying a chain

Reviewed-by: Rich Salz 
(cherry picked from commit 6ad8c48291622a6ccc51489b9a230c9a05ca5614)

commit f7c95287b602191a971c1cec9427029b453a68e8
Author: Richard Levitte 
Date:   Sun Jun 19 10:55:29 2016 +0200

Fix proxy certificate pathlength verification

While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly.  This corresponds to
RFC 3820, 4.1.4 (a).

Reviewed-by: Rich Salz 
(cherry picked from commit 30aeb3128199c15760a785d88a4eda9e156d5af6)

commit 26576cf9cea7841c9abb54e0609cdf09d3f4c663
Author: Richard Levitte 
Date:   Sun Jun 19 10:55:16 2016 +0200

Check that the subject name in a proxy cert complies to RFC 3820

The subject name MUST be the same as the issuer name, with a single CN
entry added.

RT#1852

Reviewed-by: Rich Salz 
(cherry picked from commit 338fb1688fbfb7efe0bdd475b01791a6de5ef94b)

---

Summary of changes:
 apps/apps.c|   2 +
 crypto/x509/x509.h |   6 ++-
 crypto/x509/x509_err.c |   1 +
 crypto/x509/x509_txt.c |   2 +
 crypto/x509/x509_vfy.c | 103 +
 crypto/x509/x509_vfy.h |   2 +
 doc/apps/verify.pod|   5 +++
 7 files changed, 112 insertions(+), 9 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index 8ab4833..ca9179e 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2241,6 +2241,8 @@ int args_verify(char ***pargs, int *pargc,
 flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
 else if (!strcmp(arg, "-no_alt_chains"))
 flags |= X509_V_FLAG_NO_ALT_CHAINS;
+else if (!strcmp(arg, "-allow_proxy_certs"))
+flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
 else
 return 0;
 
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index bd600de..dc326a7 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -1216,6 +1216,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
  * The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+
 void ERR_load_X509_strings(void);
 
 /* Error codes for the X509 functions. */
@@ -1223,6 +1224,7 @@ void ERR_load_X509_strings(void);
 /* Function codes. */
 # define X509_F_ADD_CERT_DIR  100
 # define X509_F_BY_FILE_CTRL  101
+# define X509_F_CHECK_NAME_CONSTRAINTS106
 # define X509_F_CHECK_POLICY  145
 # define X509_F_DIR_CTRL  102
 # define X509_F_GET_CERT_BY_SUBJECT   103
@@ -1296,7 +1298,7 @@ void ERR_load_X509_strings(void);
 # define X509_R_WRONG_LOOKUP_TYPE 112
 # define X509_R_WRONG_TYPE122
 
-#ifdef  __cplusplus
+# ifdef  __cplusplus
 }
-#endif
+# endif
 #endif
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index a2b8b7f..174b65e 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -72,6 +72,7 @@
 static ERR_STRING_DATA X509_str_functs[] = {
 {ERR_FUNC(X509_F_ADD_CERT_DIR), "ADD_CERT_DIR"},
 {ERR_FUNC(X509_F_BY_FILE_CTRL), "BY_FILE_CTRL"},
+{ERR_FUNC(X509_F_CHECK_NAME_CONSTRAINTS), "CHECK_NAME_CONSTRAINTS"},
 {ERR_FUNC(X509_F_CHECK_POLICY), "CHECK_POLICY"},
 {ERR_FUNC(X509_F_DIR_CTRL), "DIR_CTRL"},
 {ERR_FUNC(X509_F_GET_CERT_BY_SUBJECT), "GET_CERT_BY_SUBJECT"},
diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c
index 0952813..b249d42 100644
--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -187,6 +187,8 @@ const char *X509_verify_cert_error_string(long n)
 return ("Invalid certificate verification context");
 case X509_V_ERR_STORE_LOOKUP:
 return ("Issuer certificate lookup error");
+case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION:
+return ("proxy subject name violation");
 
 default:
 BIO_snprintf(buf, sizeof buf, "error number %ld", n);
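Review bot: the new string "proxy subject name violation" is lowercase while the neighbouring messages ("Invalid certificate verification context", "Issuer certificate lookup error") start with a capital letter; these strings are printed verbatim by `openssl verify`, so use "Proxy subject name violation" for consistency.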
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 2e2287e..f0fa7f4 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -633,13 +633,27 @@ static int 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-06-27 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  05200ee5c61ecd38cdcacf9c547b0c3877e8cfef (commit)
  from  3681a4558c13198944e6f7f149c4be188e076e14 (commit)


- Log -
commit 05200ee5c61ecd38cdcacf9c547b0c3877e8cfef
Author: Matt Caswell 
Date:   Mon Apr 25 17:06:56 2016 +0100

Change usage of RAND_pseudo_bytes to RAND_bytes

RAND_pseudo_bytes() allows random data to be returned even in low entropy
conditions. Sometimes this is ok. Many times it is not. For the avoidance
of any doubt, replace existing usage of RAND_pseudo_bytes() with
RAND_bytes().

Reviewed-by: Rich Salz 

---

Summary of changes:
 apps/enc.c   |  2 +-
 apps/passwd.c|  4 ++--
 apps/s_server.c  |  2 +-
 crypto/asn1/asn_mime.c   |  2 +-
 crypto/asn1/p5_pbe.c |  2 +-
 crypto/asn1/p5_pbev2.c   |  4 ++--
 crypto/bio/bf_nbio.c |  4 ++--
 crypto/bn/bn_rand.c  | 10 +++---
 crypto/cms/cms_enc.c |  2 +-
 crypto/cms/cms_ess.c |  3 +--
 crypto/cms/cms_pwri.c|  4 ++--
 crypto/des/des.c |  2 +-
 crypto/des/enc_writ.c|  2 +-
 crypto/dsa/dsa_gen.c |  2 +-
 crypto/evp/bio_ok.c  |  2 +-
 crypto/ocsp/ocsp_ext.c   |  2 +-
 crypto/pem/pem_lib.c |  2 +-
 crypto/pkcs12/p12_mutl.c |  2 +-
 crypto/pkcs7/pk7_doit.c  |  2 +-
 crypto/srp/srp_vfy.c |  6 +++---
 ssl/d1_both.c|  6 +++---
 ssl/d1_pkt.c |  3 ++-
 ssl/d1_srvr.c|  5 -
 ssl/s23_clnt.c   |  8 
 ssl/s2_clnt.c|  4 ++--
 ssl/s2_srvr.c| 12 
 ssl/s3_srvr.c|  7 ++-
 ssl/ssl_lib.c|  2 +-
 ssl/ssl_sess.c   |  2 +-
 ssl/t1_lib.c |  6 +++---
 30 files changed, 54 insertions(+), 62 deletions(-)

diff --git a/apps/enc.c b/apps/enc.c
index 7b7c70b..8e2ef27 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -509,7 +509,7 @@ int MAIN(int argc, char **argv)
 BIO_printf(bio_err, "invalid hex salt value\n");
 goto end;
 }
-} else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+} else if (RAND_bytes(salt, sizeof salt) <= 0)
 goto end;
 /*
  * If -P option then don't bother writing
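Review bot: the comparison change from `< 0` to `<= 0` is essential rather than cosmetic: RAND_bytes() returns 1 on success, 0 when it could not produce output and -1 only when the RAND method does not support it, so keeping `< 0` would have let a failed call through with an uninitialised salt. The failure branch `goto end` is silent, unlike the "invalid hex salt value" path directly above it; print an error (or ERR_print_errors) before leaving so a broken generator is visible to the user.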
diff --git a/apps/passwd.c b/apps/passwd.c
index 5ff53b5..798a6d5 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, char **salt_p, char 
**salt_malloc_p,
 if (*salt_malloc_p == NULL)
 goto err;
 }
-if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
 goto err;
 (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
 (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, char **salt_p, char 
**salt_malloc_p,
 if (*salt_malloc_p == NULL)
 goto err;
 }
-if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
 goto err;
 
 for (i = 0; i < 8; i++)
diff --git a/apps/s_server.c b/apps/s_server.c
index a53cadd..40782bb 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2968,7 +2968,7 @@ static int generate_session_id(const SSL *ssl, unsigned 
char *id,
 {
 unsigned int count = 0;
 do {
-if (RAND_pseudo_bytes(id, *id_len) < 0)
+if (RAND_bytes(id, *id_len) <= 0)
 return 0;
 /*
  * Prefix the session_id with the required prefix. NB: If our prefix
diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c
index 96110c5..9fd5bef 100644
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@@ -289,7 +289,7 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, 
int flags,
 if ((flags & SMIME_DETACHED) && data) {
 /* We want multipart/signed */
 /* Generate a random boundary */
-if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0)
+if (RAND_bytes((unsigned char *)bound, 32) <= 0)
 return 0;
 for (i = 0; i < 32; i++) {
 c = bound[i] & 0xf;
diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index bdbfdcd..e2a1def 100644
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -101,7 +101,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int 
iter,
 sstr = ASN1_STRING_data(pbe->salt);
 if (salt)
 memcpy(sstr, salt, saltlen);
-else if (RAND_pseudo_bytes(sstr, saltlen) < 0)
+else if (RAND_bytes(sstr, saltlen) <= 0)
 goto err;
 
 if 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-06-07 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  3681a4558c13198944e6f7f149c4be188e076e14 (commit)
  from  d168705e11526a4b487640c7cac5b53ee3646cbc (commit)


- Log -
commit 3681a4558c13198944e6f7f149c4be188e076e14
Author: Matt Caswell 
Date:   Tue Jun 7 09:12:51 2016 +0100

More fix DSA, preserve BN_FLG_CONSTTIME

The previous "fix" still left "k" exposed to constant time problems in
the later BN_mod_inverse() call. Ensure both k and kq have the
BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.

CVE-2016-2178

Reviewed-by: Rich Salz 
(cherry picked from commit b7d0f2834e139a20560d64c73e2565e93715ce2b)

---

Summary of changes:
 crypto/dsa/dsa_ossl.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 01e3d74..06cd2a2 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM 
**kinvp,
 do
 if (!BN_rand_range(, dsa->q))
 goto err;
-while (BN_is_zero()) ;
+while (BN_is_zero());
+
+if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+BN_set_flags(, BN_FLG_CONSTTIME);
+}
+
 
 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
 if (!BN_MONT_CTX_set_locked(>method_mont_p,
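Review bot: the added block ends with an empty `+` line followed by the existing blank line, leaving two consecutive blank lines before `if (dsa->flags & DSA_FLAG_CACHE_MONT_P)`; drop one. The flag on k is only set when DSA_FLAG_NO_EXP_CONSTTIME is clear, so with that flag set the later BN_mod_inverse() on k that the commit message mentions stays on the non-constant-time path; that is presumably the documented opt-out, but a one-line comment would make it explicit. (The empty first argument in `BN_rand_range(, dsa->q)` and `BN_set_flags(, BN_FLG_CONSTTIME)` is the archive dropping the `&k` ampersand, not the patch.)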
@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM 
**kinvp,
 if (!BN_copy(, ))
 goto err;
 
+BN_set_flags(, BN_FLG_CONSTTIME);
+
 /*
  * We do not want timing information to leak the length of k, so we
  * compute g^k using an equivalent exponent of fixed length. (This
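Review bot: setting the flag on kq immediately after `BN_copy(&kq, &k)` (ampersands lost in the archive rendering) is required, not redundant: BN_copy() copies the value but not BN_FLG_CONSTTIME, so without this line kq would enter the fixed-length exponent adjustment below without constant-time treatment. The last hunk of this patch then drops the later `BN_set_flags(K, BN_FLG_CONSTTIME)`, which is fine since K aliases kq there.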
@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM 
**kinvp,
 }
 
 K = 
-
-BN_set_flags(K, BN_FLG_CONSTTIME);
 } else {
 K = 
 }
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-06-06 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  d168705e11526a4b487640c7cac5b53ee3646cbc (commit)
  from  ac29a0fed67ea1aeba71bad91f48593b644db4fd (commit)


- Log -
commit d168705e11526a4b487640c7cac5b53ee3646cbc
Author: Cesar Pereida 
Date:   Mon May 23 12:45:25 2016 +0300

Fix DSA, preserve BN_FLG_CONSTTIME

Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

Reviewed-by: Richard Levitte 
Reviewed-by: Matt Caswell 
(cherry picked from commit 621eaf49a289bfac26d4cbcdb7396e796784c534)

---

Summary of changes:
 crypto/dsa/dsa_ossl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 9a3772e..01e3d74 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM 
**kinvp,
 if (!BN_rand_range(, dsa->q))
 goto err;
 while (BN_is_zero()) ;
-if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-BN_set_flags(, BN_FLG_CONSTTIME);
-}
 
 if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
 if (!BN_MONT_CTX_set_locked(>method_mont_p,
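Review bot: removing the early `BN_set_flags(&k, BN_FLG_CONSTTIME)` (ampersand lost in the archive) leaves k itself without the flag for the rest of dsa_sign_setup(), including the BN_mod_inverse() call that produces kinv; the follow-up commit 05200ee5 on this branch restores exactly that, so the two patches should be read and backported together rather than this one alone.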
@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM 
**kinvp,
 }
 
 K = 
+
+BN_set_flags(K, BN_FLG_CONSTTIME);
 } else {
 K = 
 }
+
 DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
dsa->method_mont_p);
 if (!BN_mod(r, r, dsa->q, ctx))
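Review bot: the flag is set on K only in the branch where K aliases kq (DSA_FLAG_NO_EXP_CONSTTIME clear); in the `else` branch K aliases k and gets no flag, which is the documented opt-out, so that is fine. The blank line added before DSA_BN_MOD_EXP is a whitespace-only change inside a security fix and could be left out of the backport.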

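Why a nonce that leaks through timing is as bad as a leaked key, as an added worked example that is not OpenSSL code and not part of these commits: a toy DSA over a tiny group (p = 283, q = 47, g = 64, values assumed here for the example) signs a hash, verifies the signature, and then recovers the private key x from that single signature once k is known, via x = r^-1 (s k - h) mod q. The modpow() routine is written the plain square-and-multiply way and counts its secret-dependent multiplies, which is the kind of data-dependent behaviour the BN_FLG_CONSTTIME path in the real code exists to remove. All function names are chosen for this example.

```c
/* Toy DSA for illustration only; not OpenSSL code. The tiny group
 * (p = 283, q = 47, g = 64) is an assumed example choice. */
#include <stdint.h>
#include <stdio.h>

static const uint64_t P = 283;  /* prime, P - 1 = 6 * 47 */
static const uint64_t Q = 47;   /* prime order of the subgroup <G> */
static const uint64_t G = 64;   /* 2^6 mod 283, order 47 */

static unsigned long mul_count; /* secret-dependent multiplies, see modpow() */

/* Plain square-and-multiply: the multiply runs only for set exponent
 * bits. That data-dependent control flow is exactly what the
 * constant-time path in the real implementation exists to avoid. */
static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    for (b %= m; e != 0; e >>= 1) {
        if (e & 1) {
            r = r * b % m;
            mul_count++;
        }
        b = b * b % m;
    }
    return r;
}

/* Inverse via Fermat; m prime, a nonzero mod m. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    return modpow(a % m, m - 2, m);
}

struct dsa_sig { uint64_t r, s; };

uint64_t dsa_pubkey(uint64_t x) { return modpow(G, x, P); }

/* r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q, h = hash mod q.
 * Returns 1 on success, 0 if k, r or s is unusable. */
int dsa_sign(uint64_t x, uint64_t h, uint64_t k, struct dsa_sig *out)
{
    uint64_t r, s;

    if (k == 0 || k >= Q)
        return 0;
    r = modpow(G, k, P) % Q;
    s = modinv(k, Q) * ((h + x * r) % Q) % Q;
    if (r == 0 || s == 0)
        return 0;
    out->r = r;
    out->s = s;
    return 1;
}

int dsa_verify(uint64_t y, uint64_t h, const struct dsa_sig *sig)
{
    uint64_t w, u1, u2, v;

    if (sig->r == 0 || sig->r >= Q || sig->s == 0 || sig->s >= Q)
        return 0;
    w = modinv(sig->s, Q);
    u1 = h % Q * w % Q;
    u2 = sig->r * w % Q;
    v = modpow(G, u1, P) * modpow(y, u2, P) % P % Q;
    return v == sig->r;
}

/* One signature plus its nonce gives the key: x = r^-1 (s k - h) mod q.
 * A side channel that reveals k therefore reveals x. */
uint64_t dsa_recover_x(uint64_t h, uint64_t k, const struct dsa_sig *sig)
{
    uint64_t num = (sig->s * k % Q + Q - h % Q) % Q;
    return modinv(sig->r, Q) * num % Q;
}

/* Cost of g^k in conditional multiplies: a function of the bits of k. */
unsigned long multiplies_for_nonce(uint64_t k)
{
    mul_count = 0;
    (void)modpow(G, k, P);
    return mul_count;
}

int main(void)
{
    const uint64_t x = 13, h = 41, k = 29;  /* assumed example values */
    struct dsa_sig sig;

    if (!dsa_sign(x, h, k, &sig))
        return 1;
    printf("r=%llu s=%llu verifies=%d recovered x=%llu\n",
           (unsigned long long)sig.r, (unsigned long long)sig.s,
           dsa_verify(dsa_pubkey(x), h, &sig),
           (unsigned long long)dsa_recover_x(h, k, &sig));
    printf("multiplies: k=29 -> %lu, k=16 -> %lu\n",
           multiplies_for_nonce(29), multiplies_for_nonce(16));
    return 0;
}
```

The multiply count differs between k = 29 (binary 11101) and k = 16 (binary 10000) purely because of the nonce's bit pattern; a cache or timing probe that observes that difference on the real code learns bits of k, and dsa_recover_x() shows that enough of k is the whole key.
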

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-06-03 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  ac29a0fed67ea1aeba71bad91f48593b644db4fd (commit)
  from  6f35f6deb5ca7daebe289f86477e061ce3ee5f46 (commit)


- Log -
commit ac29a0fed67ea1aeba71bad91f48593b644db4fd
Author: Matt Caswell 
Date:   Fri Jun 3 17:12:08 2016 +0100

Update CONTRIBUTING

Fix typos and clarify a few things in the CONTRIBUTING file.

Reviewed-by: Rich Salz 

---

Summary of changes:
 CONTRIBUTING | 25 -
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/CONTRIBUTING b/CONTRIBUTING
index 1bfbc1b..07115e5 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -1,11 +1,11 @@
 HOW TO CONTRIBUTE TO PATCHES OpenSSL
 
 
-(Please visit https://openssl.org/community/getting-started.html for
+(Please visit https://www.openssl.org/community/getting-started.html for
 other ideas about how to contribute.)
 
 Development is coordinated on the openssl-dev mailing list (see the
-above link or http://mta.openssl.org for information on subscribing).
+above link or https://mta.openssl.org for information on subscribing).
 If you are unsure as to whether a feature will be useful for the general
 OpenSSL community you might want to discuss it on the openssl-dev mailing
 list first.  Someone may be already working on the same thing or there
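Review bot: the heading `HOW TO CONTRIBUTE TO PATCHES OpenSSL` in the context lines has its words in the wrong order ("HOW TO CONTRIBUTE PATCHES TO OpenSSL" is presumably meant); this hunk touches the two lines directly below it and would be the natural place to fix it.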
@@ -16,7 +16,7 @@ The best way to submit a patch is to make a pull request on 
GitHub.
 If you think the patch could use feedback from the community, please
 start a thread on openssl-dev.
 
-You can also submit patches by sending it as mail to rt@opensslorg.
+You can also submit patches by sending it as mail to r...@openssl.org.
 Please include the word "PATCH" and an explanation of what the patch
 does in the subject line.  If you do this, our preferred format is "git
 format-patch" output. For example to provide a patch file containing the
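Review bot: "submit patches by sending it as mail" mixes plural and singular; use "sending them as mail" (or "submit a patch by sending it"). The address in the added line shows as r...@openssl.org because the list archive masks e-mail addresses; the actual fix is the dot missing from `rt@opensslorg` in the previous revision.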
@@ -42,7 +42,7 @@ the acceptance and review process faster:
 
 1. Anything other than trivial contributions will require a contributor
 licensing agreement, giving us permission to use your code. See
-https://openssl.org/policies/cla.html for details.
+https://www.openssl.org/policies/cla.html for details.
 
 2.  All source files should start with the following text (with
 appropriate comment characters at the start of each line and the
@@ -56,13 +56,20 @@ the acceptance and review process faster:
 https://www.openssl.org/source/license.html
 
 3.  Patches should be as current as possible.  When using GitHub, please
-expect to have to rebase and update often.
+expect to have to rebase and update often. Note that we do not accept merge
+commits. You will be asked to remove them before a patch is considered
+acceptable.
 
-3.  Patches should follow our coding style (see
+4.  Patches should follow our coding style (see
 https://www.openssl.org/policies/codingstyle.html) and compile without
-warnings using the --strict-warnings flag.  OpenSSL compiles on many
-varied platforms: try to ensure you only use portable features.
+warnings. Where gcc or clang is availble you should use the
+--strict-warnings Configure option.  OpenSSL compiles on many varied
+platforms: try to ensure you only use portable features.
 
-4.  When at all possible, patches should include tests. These can either be
+5.  When at all possible, patches should include tests. These can either be
 added to an existing test, or completely new.  Please see test/README
 for information on the test framework.
+
+6.  New features or changed functionality must include documentation. 
Please
+look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
+our style.
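Review bot: typo in the added text, "availble" should be "available". The renumbering of items 3 to 6 is correct (the old file had two items numbered 3); the line break after "documentation." before "Please" is mail wrapping in this archive rather than part of the patch.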


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-06-01 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  6f35f6deb5ca7daebe289f86477e061ce3ee5f46 (commit)
  from  3d4f83a5c4c0278ae136e70cdf0799d25f01cde3 (commit)


- Log -
commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46
Author: Matt Caswell 
Date:   Thu May 5 11:10:26 2016 +0100

Avoid some undefined pointer arithmetic

A common idiom in the codebase is:

if (p + len > limit)
{
return; /* Too long */
}

Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS
message).

The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.

For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit!

Issue reported by Guido Vranken.

CVE-2016-2177

Reviewed-by: Rich Salz 

---

Summary of changes:
 ssl/s3_srvr.c  | 14 +++---
 ssl/ssl_sess.c |  2 +-
 ssl/t1_lib.c   | 48 ++--
 3 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 04cf93a..6c74caa 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s)
 
 session_length = *(p + SSL3_RANDOM_SIZE);
 
-if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
+if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
 goto f_err;
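Review bot: the rewritten condition `SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p` is only meaningful while p has not advanced past d + n: `(d + n) - p` is a signed pointer difference, and if it ever went negative while an operand on the left is unsigned the comparison would convert it to a huge value and pass. That precondition holds here (p is still at the client random), but a comment stating it, for this and the other rewritten checks in the function, would stop a later edit from breaking it silently.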
@@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s)
 /* get the session-id */
 j = *(p++);
 
-if (p + j > d + n) {
+if ((d + n) - p < j) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
 goto f_err;
@@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s)
 
 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
 /* cookie stuff */
-if (p + 1 > d + n) {
+if ((d + n) - p < 1) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
 goto f_err;
 }
 cookie_len = *(p++);
 
-if (p + cookie_len > d + n) {
+if ((d + n ) - p < cookie_len) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
 goto f_err;
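Review bot: stray space in `(d + n ) - p < cookie_len` (and again in `(d + n ) - p < 2` in the next hunk); the other rewritten checks in this file use `(d + n) - p`, so make these two match.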
@@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s)
 p += cookie_len;
 }
 
-if (p + 2 > d + n) {
+if ((d + n ) - p < 2) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
 goto f_err;
@@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s)
 }
 
 /* i bytes of cipher data + 1 byte for compression length later */
-if ((p + i + 1) > (d + n)) {
+if ((d + n) - p < i + 1) {
 /* not enough data */
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
@@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s)
 
 /* compression */
 i = *(p++);
-if ((p + i) > (d + n)) {
+if ((d + n) - p < i) {
 /* not enough data */
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 48fc451..a97d060 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, 
int len,
 int r;
 #endif
 
-if (session_id + len > limit) {
+if (limit - session_id < len) {
 fatal = 1;
 goto err;
 }
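Review bot: `limit - session_id < len` is the right shape, but `len` is declared `int` in the signature, so a negative len passes this check unchanged. The ClientHello parser in this same patch takes session-id lengths from a single byte (`j = *(p++)`), so it cannot be negative from that caller, but an `if (len < 0) goto err` (or an unsigned parameter) would make the function safe on its own.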
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 0bdb77d..8ed1793 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned 
char *data,
 0x02, 0x03, /* SHA-1/ECDSA */
 };
 
-if (data >= (limit - 2))
+if (limit - data <= 2)
 return;
 data += 2;
 
-if (data > (limit - 4))
+if (limit - data < 4)
 return;
 n2s(data, type);
 n2s(data, size);
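Review bot: `limit - data <= 2` is a faithful rewrite of `data >= (limit - 2)`, so it still demands at least three bytes before skipping two, and then requires four more for the type/size pair; it is not wrong (a real extension block is longer), but the asymmetry with the `< 4` check right after it deserves a comment so nobody later "fixes" it to `< 2` without understanding why it was written this way.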
@@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned 
char *data,
 if (type != TLSEXT_TYPE_server_name)
 return;
 
-if (data + size > limit)
+if (limit - data < size)
 return;
 data += size;
 
@@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned 
char *data,
 const size_t len1 = 

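The safe form of the check described in the commit message, as an added example that is not OpenSSL code: a small parser for the session_id and cipher_suites vectors that follow the client random in a ClientHello, which always compares the claimed length against the bytes remaining instead of forming `p + len`. The input fragments are constructed for the example, and `remaining`, `read_u8_vector`, `read_u16_vector` and `parse_hello_tail` are names chosen here, not OpenSSL functions.

```c
/* Added example (not OpenSSL code): length-prefixed vectors parsed with
 * "bytes remaining" comparisons instead of the undefined "p + len > limit"
 * idiom. The ClientHello fragments in main() are constructed for the example. */
#include <stddef.h>
#include <stdio.h>

/* Bytes left in [p, limit). Precondition: p <= limit and both point into
 * the same buffer (limit may be one past the end), so the subtraction is
 * well defined. */
static size_t remaining(const unsigned char *p, const unsigned char *limit)
{
    return (size_t)(limit - p);
}

/* TLS opaque<0..2^8-1>: one length byte, then that many bytes. */
int read_u8_vector(const unsigned char **pp, const unsigned char *limit,
                   const unsigned char **data, size_t *len)
{
    const unsigned char *p = *pp;
    size_t n;

    if (remaining(p, limit) < 1)
        return 0;
    n = p[0];
    p++;
    /* Old idiom: if (p + n > limit). Forming p + n is undefined once n
     * exceeds the bytes left, so compare lengths, never pointers. */
    if (remaining(p, limit) < n)
        return 0;
    *data = p;
    *len = n;
    *pp = p + n;            /* n <= remaining, so this pointer is valid */
    return 1;
}

/* TLS opaque<0..2^16-1>: two big-endian length bytes, then the data. */
int read_u16_vector(const unsigned char **pp, const unsigned char *limit,
                    const unsigned char **data, size_t *len)
{
    const unsigned char *p = *pp;
    size_t n;

    if (remaining(p, limit) < 2)
        return 0;
    n = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (remaining(p, limit) < n)
        return 0;
    *data = p;
    *len = n;
    *pp = p + n;
    return 1;
}

/* Parse session_id and cipher_suites from the n bytes at d. Returns the
 * number of cipher suites, or -1 if the input is truncated or malformed. */
int parse_hello_tail(const unsigned char *d, size_t n)
{
    const unsigned char *p = d;
    const unsigned char *limit = d + n;   /* one past the end: defined */
    const unsigned char *sid, *suites;
    size_t sid_len, suites_len;

    if (!read_u8_vector(&p, limit, &sid, &sid_len) || sid_len > 32)
        return -1;
    if (!read_u16_vector(&p, limit, &suites, &suites_len))
        return -1;
    if (suites_len == 0 || suites_len % 2 != 0)
        return -1;                        /* each suite is exactly 2 bytes */
    return (int)(suites_len / 2);
}

int main(void)
{
    /* Constructed inputs: one well-formed tail and three bad ones. */
    static const unsigned char good[] =
        { 4, 'a', 'b', 'c', 'd', 0x00, 0x04, 0x00, 0x2f, 0x00, 0x35 };
    static const unsigned char sid_too_long[] = { 32, 'a', 'b', 'c', 'd' };
    static const unsigned char suites_too_long[] = { 0, 0x01, 0x00, 0x00, 0x2f };
    static const unsigned char suites_odd[] = { 0, 0x00, 0x03, 0x00, 0x2f, 0x00 };

    printf("good: %d\n", parse_hello_tail(good, sizeof good));
    printf("session_id too long: %d\n",
           parse_hello_tail(sid_too_long, sizeof sid_too_long));
    printf("cipher_suites too long: %d\n",
           parse_hello_tail(suites_too_long, sizeof suites_too_long));
    printf("cipher_suites odd length: %d\n",
           parse_hello_tail(suites_odd, sizeof suites_odd));
    return 0;
}
```

Every rejection above happens before any pointer past `limit` is formed; the only pointer arithmetic is `limit - p` between two pointers into the same buffer and `p + n` after n has been checked against that difference, which is the same transformation the patch applies in s3_srvr.c, ssl_sess.c and t1_lib.c.
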
[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-23 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  051b9604f1421fe54d10185bc5c348bd343388da (commit)
  from  eea595ff6b554b3876bab51b2560df5fb0006696 (commit)


- Log -
commit 051b9604f1421fe54d10185bc5c348bd343388da
Author: Matt Caswell 
Date:   Mon Apr 25 16:22:31 2016 +0100

Fix error return value in SRP functions

The functions SRP_Calc_client_key() and SRP_Calc_server_key() were
incorrectly returning a valid pointer in the event of error.

Issue reported by Yuan Jochen Kang

Reviewed-by: Richard Levitte 
(cherry picked from commit 308ff28673ae1a4a1b346761224b4a8851d41f58)

---

Summary of changes:
 crypto/srp/srp_lib.c | 20 +---
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c
index e9a2e05..e310946 100644
--- a/crypto/srp/srp_lib.c
+++ b/crypto/srp/srp_lib.c
@@ -159,8 +159,7 @@ BIGNUM *SRP_Calc_server_key(BIGNUM *A, BIGNUM *v, BIGNUM 
*u, BIGNUM *b,
 if (u == NULL || A == NULL || v == NULL || b == NULL || N == NULL)
 return NULL;
 
-if ((bn_ctx = BN_CTX_new()) == NULL ||
-(tmp = BN_new()) == NULL || (S = BN_new()) == NULL)
+if ((bn_ctx = BN_CTX_new()) == NULL || (tmp = BN_new()) == NULL)
 goto err;
 
 /* S = (A*v**u) ** b */
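Review bot: with S no longer allocated up front, the `goto err` on this line must not reach `return S` with an indeterminate pointer; the declaration is outside the hunk, so confirm S is initialised to NULL where it is declared (the same applies to K in SRP_Calc_client_key() below, whose up-front allocation is removed in the same way).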
@@ -169,8 +168,12 @@ BIGNUM *SRP_Calc_server_key(BIGNUM *A, BIGNUM *v, BIGNUM 
*u, BIGNUM *b,
 goto err;
 if (!BN_mod_mul(tmp, A, tmp, N, bn_ctx))
 goto err;
-if (!BN_mod_exp(S, tmp, b, N, bn_ctx))
-goto err;
+
+S = BN_new();
+if (S != NULL && !BN_mod_exp(S, tmp, b, N, bn_ctx)) {
+BN_free(S);
+S = NULL;
+}
  err:
 BN_CTX_free(bn_ctx);
 BN_clear_free(tmp);
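Review bot: on BN_mod_exp() failure S is released with BN_free(), whereas tmp, which also held intermediate key material, gets BN_clear_free(); a partially computed S is just as sensitive, so use BN_clear_free(S) here and for K in the client-side hunk. A BN_new() failure now returns NULL without an error queue entry, which is acceptable for this API but worth stating in its documentation.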
@@ -267,7 +270,7 @@ BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM 
*g, BIGNUM *x,
 
 if ((tmp = BN_new()) == NULL ||
 (tmp2 = BN_new()) == NULL ||
-(tmp3 = BN_new()) == NULL || (K = BN_new()) == NULL)
+(tmp3 = BN_new()) == NULL)
 goto err;
 
 if (!BN_mod_exp(tmp, g, x, N, bn_ctx))
@@ -283,8 +286,11 @@ BIGNUM *SRP_Calc_client_key(BIGNUM *N, BIGNUM *B, BIGNUM 
*g, BIGNUM *x,
 goto err;
 if (!BN_mod_add(tmp2, a, tmp3, N, bn_ctx))
 goto err;
-if (!BN_mod_exp(K, tmp, tmp2, N, bn_ctx))
-goto err;
+K = BN_new();
+if (K != NULL && !BN_mod_exp(K, tmp, tmp2, N, bn_ctx)) {
+BN_free(K);
+K = NULL;
+}
 
  err:
 BN_CTX_free(bn_ctx);


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-11 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  bdbfb8477eac725639469a50e55698e371d86d2f (commit)
  from  24762dee178bace3c39d6bdbea44f0455d9a240b (commit)


- Log -
commit bdbfb8477eac725639469a50e55698e371d86d2f
Author: Rich Salz 
Date:   Wed May 11 16:46:44 2016 -0400

Recommend GH over RT, per team vote.

Reviewed-by: Richard Levitte 
(cherry picked from commit c393a5de99b5c565a124af8f69936dadde77184f)

---

Summary of changes:
 CONTRIBUTING | 86 
 1 file changed, 58 insertions(+), 28 deletions(-)

diff --git a/CONTRIBUTING b/CONTRIBUTING
index 9d63d8a..1bfbc1b 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -1,38 +1,68 @@
-HOW TO CONTRIBUTE TO OpenSSL
-
+HOW TO CONTRIBUTE TO PATCHES OpenSSL
+
 
-Development is coordinated on the openssl-dev mailing list (see
-http://www.openssl.org for information on subscribing). If you
-would like to submit a patch, send it to r...@openssl.org with
-the string "[PATCH]" in the subject. Please be sure to include a
-textual explanation of what your patch does.
-
-You can also make GitHub pull requests. If you do this, please also send
-mail to r...@openssl.org with a brief description and a link to the PR so
-that we can more easily keep track of it.
+(Please visit https://openssl.org/community/getting-started.html for
+other ideas about how to contribute.)
 
+Development is coordinated on the openssl-dev mailing list (see the
+above link or http://mta.openssl.org for information on subscribing).
 If you are unsure as to whether a feature will be useful for the general
-OpenSSL community please discuss it on the openssl-dev mailing list first.
-Someone may be already working on the same thing or there may be a good
-reason as to why that feature isn't implemented.
+OpenSSL community you might want to discuss it on the openssl-dev mailing
+list first.  Someone may be already working on the same thing or there
+may be a good reason as to why that feature isn't implemented.
 
-Patches should be as up to date as possible, preferably relative to the
-current Git or the last snapshot. They should follow our coding style
-(see https://www.openssl.org/policies/codingstyle.html) and compile without
-warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
-platforms: try to ensure you only use portable features.
+The best way to submit a patch is to make a pull request on GitHub.
+(It is not necessary to send mail to r...@openssl.org to open a ticket!)
+If you think the patch could use feedback from the community, please
+start a thread on openssl-dev.
 
-Our preferred format for patch files is "git format-patch" output. For example
-to provide a patch file containing the last commit in your local git repository
-use the following command:
+You can also submit patches by sending it as mail to rt@opensslorg.
+Please include the word "PATCH" and an explanation of what the patch
+does in the subject line.  If you do this, our preferred format is "git
+format-patch" output. For example to provide a patch file containing the
+last commit in your local git repository use the following command:
 
-# git format-patch --stdout HEAD^ >mydiffs.patch
+% git format-patch --stdout HEAD^ >mydiffs.patch
 
 Another method of creating an acceptable patch file without using git is as
 follows:
 
-# cd openssl-work
-# [your changes]
-# ./Configure dist; make clean
-# cd ..
-# diff -ur openssl-orig openssl-work > mydiffs.patch
+% cd openssl-work
+...make your changes...
+% ./Configure dist; make clean
+% cd ..
+% diff -ur openssl-orig openssl-work >mydiffs.patch
+
+Note that pull requests are generally easier for the team, and community, to
+work with.  Pull requests benefit from all of the standard GitHub features,
+including code review tools, simpler integration, and CI build support.
+
+No matter how a patch is submitted, the following items will help make
+the acceptance and review process faster:
+
+1. Anything other than trivial contributions will require a contributor
+licensing agreement, giving us permission to use your code. See
+https://openssl.org/policies/cla.html for details.
+
+2.  All source files should start with the following text (with
+appropriate comment characters at the start of each line and the
+year(s) updated):
+
+Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+https://www.openssl.org/source/license.html
+
+3.  Patches 
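Review bot: two problems in the added text: the new title `HOW TO CONTRIBUTE TO PATCHES OpenSSL` has its words out of order, and `rt@opensslorg` is missing the dot before `org`; both are followed up in commit ac29a0fe on this branch, which also switches the `http://mta.openssl.org` link to https. Changing the command prompts from `#` to `%` is a good call, since `#` suggests the commands need root.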

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-11 Thread Dr . Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  24762dee178bace3c39d6bdbea44f0455d9a240b (commit)
  from  6ec73ea2f59d2f587185017b49b0357cfd25df2f (commit)


- Log -
commit 24762dee178bace3c39d6bdbea44f0455d9a240b
Author: Dr. Stephen Henson 
Date:   Wed May 11 18:00:52 2016 +0100

Update S/MIME certificates.

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 test/smime-certs/smdsa1.pem | 75 ++---
 test/smime-certs/smdsa2.pem | 75 ++---
 test/smime-certs/smdsa3.pem | 75 ++---
 test/smime-certs/smroot.pem | 75 -
 test/smime-certs/smrsa1.pem | 74 +++-
 test/smime-certs/smrsa2.pem | 74 +++-
 test/smime-certs/smrsa3.pem | 74 +++-
 7 files changed, 317 insertions(+), 205 deletions(-)

diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem
index d5677db..b424f67 100644
--- a/test/smime-certs/smdsa1.pem
+++ b/test/smime-certs/smdsa1.pem
@@ -1,34 +1,47 @@
--BEGIN DSA PRIVATE KEY-
-MIIBuwIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
-SJCBQw5zAoGATQlPPF+OeU8nu3rsdXGDiZdJzOkuCce3KQfTABA9C+Dk4CVcvBdd
-YRLGpnykumkNTO1sTO+4/Gphsuje1ujK9td4UEhdYqylCe5QjEMrszDlJtelDQF9
-C0yhdjKGTP0kxofLhsGckcuQvcKEKffT2pDDKJIy4vWQO0UyJl1vjLcCFG2uiGGx
-9fMUZq1v0ePD4Wo0Xkxo
--END DSA PRIVATE KEY-
+-BEGIN PRIVATE KEY-
+-END PRIVATE KEY-
 -BEGIN CERTIFICATE-
-MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsWMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
+MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
 CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBN
-CU88X455Tye7eux1cYOJl0nM6S4Jx7cpB9MAED0L4OTgJVy8F11hEsamfKS6aQ1M
-7WxM77j8amGy6N7W6Mr213hQSF1irKUJ7lCMQyuzMOUm16UNAX0LTKF2MoZM/STG
-h8uGwZyRy5C9woQp99PakMMokjLi9ZA7RTImXW+Mt6OBgzCBgDAdBgNVHQ4EFgQU
-4Qfbhpi5yqXaXuCLXj427mR25MkwHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
-aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
-c21pbWVkc2ExQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBAFrdUzKK1pWO
-kd02S423KUBc4GWWyiGlVoEO7WxVhHLJ8sm67X7OtJOwe0UGt+Nc5qLtyJYSirw8
-phjiTdNpQCTJ8+Kc56tWkJ6H7NAI4vTJtPL5BM/EmeYrVSU9JI9xhqpyKw9IBD+n
hRJ79W9FaiJRvaAOX+TkyTukJrxAWRyv


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-06 Thread Dr . Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  0377ad3974acabf15f7585df4383717c96285455 (commit)
   via  5255b49fb736350de1840d9df0bd1fb78fefb3d0 (commit)
  from  4d71891ad13f3e1e1b1f55f5e8fa55b497f1cd43 (commit)


- Log -
commit 0377ad3974acabf15f7585df4383717c96285455
Author: Dr. Stephen Henson 
Date:   Fri May 6 03:46:09 2016 +0100

Constify PKCS12_newpass()

PR#4449

Reviewed-by: Rich Salz 

(cherry picked from commit b1f8ba4dc7032a061d60b960c393178263e4a471)

commit 5255b49fb736350de1840d9df0bd1fb78fefb3d0
Author: Dr. Stephen Henson 
Date:   Thu May 5 15:37:23 2016 +0100

Tidy up PKCS12_newpass(), fix memory leaks.

PR#4466

Reviewed-by: Rich Salz 

(cherry picked from commit 06227924ad77fee9ead79189328aebf078c37add)

---

Summary of changes:
 crypto/pkcs12/p12_npas.c | 113 ++-
 crypto/pkcs12/pkcs12.h   |   2 +-
 2 files changed, 55 insertions(+), 60 deletions(-)

diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index a89b61a..9e8ebb2 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -66,17 +66,18 @@
 
 /* PKCS#12 password change routine */
 
-static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass);
-static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass,
-char *newpass);
-static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass);
+static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass);
+static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass,
+const char *newpass);
+static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass,
+const char *newpass);
 static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen);
 
 /*
  * Change the password on a PKCS#12 structure.
  */
 
-int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass)
+int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass)
 {
 /* Check for NULL PKCS12 structure */
 
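Review bot: adding `const` to the public PKCS12_newpass() parameters is source-compatible for C callers and changes no ABI, but it is still a public API change landing on a stable branch (the pkcs12.h edit is in the summary); it should be recorded in CHANGES, which this change does not touch.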
@@ -103,20 +104,21 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char 
*newpass)
 
 /* Parse the outer PKCS#12 structure */
 
-static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
+static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
 {
-STACK_OF(PKCS7) *asafes, *newsafes;
-STACK_OF(PKCS12_SAFEBAG) *bags;
+STACK_OF(PKCS7) *asafes = NULL, *newsafes = NULL;
+STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
 int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
 PKCS7 *p7, *p7new;
-ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
+ASN1_OCTET_STRING *p12_data_tmp = NULL;
 unsigned char mac[EVP_MAX_MD_SIZE];
 unsigned int maclen;
+int rv = 0;
 
-if (!(asafes = PKCS12_unpack_authsafes(p12)))
-return 0;
-if (!(newsafes = sk_PKCS7_new_null()))
-return 0;
+if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
+goto err;
+if ((newsafes = sk_PKCS7_new_null()) == NULL)
+goto err;
 for (i = 0; i < sk_PKCS7_num(asafes); i++) {
 p7 = sk_PKCS7_value(asafes, i);
 bagnid = OBJ_obj2nid(p7->type);
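Review bot: the `goto err` for the PKCS12_unpack_authsafes() and sk_PKCS7_new_null() failures fixes the old leak of asafes when newsafes could not be allocated, but it only works if the `err:` block (outside this hunk) frees asafes, newsafes and bags with the sk_*_pop_free() functions, which accept NULL, and returns rv; confirm that, and that `mac` and `maclen` are still used now that macnew has left the declarations, otherwise the compiler will warn about unused variables.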
@@ -125,67 +127,57 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char 
*newpass)
 } else if (bagnid == NID_pkcs7_encrypted) {
 bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
 if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- _nid, _iter, _saltlen)) {
-sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-bags = NULL;
-}
-} else
+ _nid, _iter, _saltlen))
+goto err;
+} else {
 continue;
-if (!bags) {
-sk_PKCS7_pop_free(asafes, PKCS7_free);
-return 0;
-}
-if (!newpass_bags(bags, oldpass, newpass)) {
-sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-sk_PKCS7_pop_free(asafes, PKCS7_free);
-return 0;
 }
+if (bags == NULL)
+goto err;
+if (!newpass_bags(bags, oldpass, newpass))
+goto err;
 /* Repack bag in same form with new password */
 if (bagnid == NID_pkcs7_data)
 p7new = PKCS12_pack_p7data(bags);
 else
 p7new = PKCS12_pack_p7encdata(pbe_nid, newpass, -1, NULL,
   pbe_saltlen, pbe_iter, bags);
+if (!p7new || !sk_PKCS7_push(newsafes, p7new))
+goto err;
 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-if (!p7new) {
-sk_PKCS7_pop_free(asafes, 
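Review bot: after `sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);` at the end of the loop body, bags still points at freed memory; if code after the loop reaches `goto err`, the err block would free it a second time, so set `bags = NULL` immediately after the pop_free. The hunk is cut off at this point in the archive, so that line may exist but is not visible here.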

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-06 Thread Dr . Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  4d71891ad13f3e1e1b1f55f5e8fa55b497f1cd43 (commit)
  from  b0e1362a9432ccc65b529602e64a59f108ca539d (commit)


- Log -
commit 4d71891ad13f3e1e1b1f55f5e8fa55b497f1cd43
Author: Dr. Stephen Henson 
Date:   Fri May 6 19:27:49 2016 +0100

Only set CMS parameter when encrypting

Reviewed-by: Rich Salz 
(cherry picked from commit 708cf5ded249f871fcd5e3de27d9281b1f37ae71)

---

Summary of changes:
 crypto/cms/cms_enc.c | 31 ---
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 9f8e514..e282c9d 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -179,21 +179,22 @@ BIO 
*cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
CMS_R_CIPHER_INITIALISATION_ERROR);
 goto err;
 }
-
-calg->parameter = ASN1_TYPE_new();
-if (calg->parameter == NULL) {
-CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE);
-goto err;
-}
-if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) {
-CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
-   CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
-goto err;
-}
-/* If parameter type not set omit parameter */
-if (calg->parameter->type == V_ASN1_UNDEF) {
-ASN1_TYPE_free(calg->parameter);
-calg->parameter = NULL;
+if (enc) {
+calg->parameter = ASN1_TYPE_new();
+if (calg->parameter == NULL) {
+CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE);
+goto err;
+}
+if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) {
+CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
+   CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
+goto err;
+}
+/* If parameter type not set omit parameter */
+if (calg->parameter->type == V_ASN1_UNDEF) {
+ASN1_TYPE_free(calg->parameter);
+calg->parameter = NULL;
+}
 }
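Review bot: the new `if (enc)` guard around the ASN1_TYPE_new()/EVP_CIPHER_param_to_asn1() block carries no comment saying why parameter generation is encrypt-only; a one-liner noting that on decrypt calg->parameter already holds the parameters decoded from the incoming content (and was being overwritten by the unconditional version) would stop a future cleanup from reverting the guard.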
 ok = 1;
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-05 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  b0e1362a9432ccc65b529602e64a59f108ca539d (commit)
  from  852034b8b20963594d2f37f8ae8eb83d3e538624 (commit)


- Log -
commit b0e1362a9432ccc65b529602e64a59f108ca539d
Author: Dr. Stephen Henson 
Date:   Thu May 5 22:17:05 2016 +0100

Use default ASN.1 for SEED.

The default ASN.1 handling can be used for SEED. This also makes
CMS work with SEED.

PR#4504

Reviewed-by: Rich Salz 
(cherry picked from commit c0aa8c274843c5b8a70d70fc05d71fa3dfd510db)

---

Summary of changes:
 crypto/evp/e_seed.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/evp/e_seed.c b/crypto/evp/e_seed.c
index 7249d1b..3d01eac 100644
--- a/crypto/evp/e_seed.c
+++ b/crypto/evp/e_seed.c
@@ -70,7 +70,8 @@ typedef struct {
 } EVP_SEED_KEY;
 
 IMPLEMENT_BLOCK_CIPHER(seed, ks, SEED, EVP_SEED_KEY, NID_seed,
-   16, 16, 16, 128, 0, seed_init_key, 0, 0, 0, 0)
+   16, 16, 16, 128, EVP_CIPH_FLAG_DEFAULT_ASN1,
+   seed_init_key, 0, 0, 0, 0)
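Review bot: the flags argument changes from 0 to EVP_CIPH_FLAG_DEFAULT_ASN1 while the set_asn1/get_asn1 callback slots stay 0; a short comment that the default handlers now encode and decode the IV parameter would help, since a reader seeing NULL callbacks may assume SEED still has no ASN.1 parameter support.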
 
 static int seed_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
  const unsigned char *iv, int enc)


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-05 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  852034b8b20963594d2f37f8ae8eb83d3e538624 (commit)
  from  b583c1bd069f6928c3973dc6d6864930f6c4bb3e (commit)


- Log -
commit 852034b8b20963594d2f37f8ae8eb83d3e538624
Author: Dr. Stephen Henson 
Date:   Mon Mar 21 15:48:51 2016 +

Always try to set ASN.1 parameters for CMS.

Try to set the ASN.1 parameters for CMS encryption even if the IV
length is zero as the underlying cipher should still set the type.

This will correctly result in errors if an attempt is made to use
an unsupported cipher type.

Reviewed-by: Rich Salz 
(cherry picked from commit 3fd60dc42288591737a35a90368d72dbd00fdef8)

Conflicts:
crypto/cms/cms_enc.c

---

Summary of changes:
 crypto/cms/cms_enc.c | 25 ++---
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index b14b4b6..9f8e514 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -180,17 +180,20 @@ BIO 
*cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
 goto err;
 }
 
-if (piv) {
-calg->parameter = ASN1_TYPE_new();
-if (!calg->parameter) {
-CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE);
-goto err;
-}
-if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) {
-CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
-   CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
-goto err;
-}
+calg->parameter = ASN1_TYPE_new();
+if (calg->parameter == NULL) {
+CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE);
+goto err;
+}
+if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) {
+CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
+   CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
+goto err;
+}
+/* If parameter type not set omit parameter */
+if (calg->parameter->type == V_ASN1_UNDEF) {
+ASN1_TYPE_free(calg->parameter);
+calg->parameter = NULL;
 }
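Review bot: with the `if (piv)` guard removed, check whether `piv` is still referenced elsewhere in cms_EncryptedContent_init_bio(); if this was its last use it should be dropped, since the branch is built with --strict-warnings (see the signed/unsigned warning fix later in this digest) and an unused variable will fail the build. The V_ASN1_UNDEF check that frees and NULLs calg->parameter is the right way to omit an absent parameter, but a comment on why a failing EVP_CIPHER_param_to_asn1() is fatal while an UNDEF type is not would make the two outcomes clearer.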
 ok = 1;
 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-04 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  b583c1bd069f6928c3973dc6d6864930f6c4bb3e (commit)
  from  28dab7cfba522603d88ca95aab16b335060b6c3d (commit)


- Log -
commit b583c1bd069f6928c3973dc6d6864930f6c4bb3e
Author: Dr. Stephen Henson 
Date:   Wed May 4 16:09:06 2016 +0100

Fix name length limit check.

The name length limit check in x509_name_ex_d2i() includes
the containing structure as well as the actual X509_NAME. This will
cause large CRLs to be rejected.

Fix by limiting the length passed to ASN1_item_ex_d2i() which will
then return an error if the passed X509_NAME exceeds the length.

RT#4531

Reviewed-by: Rich Salz 
(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)

---

Summary of changes:
 crypto/asn1/x_name.c | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
index a858c29..26378fd 100644
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
 int i, j, ret;
 STACK_OF(X509_NAME_ENTRY) *entries;
 X509_NAME_ENTRY *entry;
-if (len > X509_NAME_MAX) {
-ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
-return 0;
-}
+if (len > X509_NAME_MAX)
+len = X509_NAME_MAX;
 q = p;
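Review bot: `if (len > X509_NAME_MAX) len = X509_NAME_MAX;` silently clamps rather than rejecting, so ASN1_R_TOO_LONG is no longer raised and an over-long Name now surfaces as whatever generic error ASN1_item_ex_d2i() reports when the encoding exceeds the passed length. Add a comment at the clamp explaining that `len` covers the enclosing structure (the reason the old check rejected large CRLs) and that the inner decoder enforces the limit; otherwise this reads like a lost bounds check.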
 
 /* Get internal representation of Name */


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-04 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  28dab7cfba522603d88ca95aab16b335060b6c3d (commit)
   via  c3011e3e1d60babb18ffdf3af4b5e9cb2cfd832c (commit)
  from  c33e68971fa5a37ecb443755da22db9af5c35c80 (commit)


- Log -
commit 28dab7cfba522603d88ca95aab16b335060b6c3d
Author: Dr. Stephen Henson 
Date:   Tue May 3 15:05:31 2016 +0100

Fix double free in d2i_PrivateKey().

RT#4527

Reviewed-by: Matt Caswell 
(cherry picked from commit 3340e8bb186f689df5720352f65a9c0c42b6046b)

commit c3011e3e1d60babb18ffdf3af4b5e9cb2cfd832c
Author: Dr. Stephen Henson 
Date:   Tue May 3 15:21:41 2016 +0100

add documentation

Reviewed-by: Matt Caswell 
(cherry picked from commit b1b3e14fbeb373a288ba20402600e071e6f402f8)

---

Summary of changes:
 crypto/asn1/d2i_pr.c  |  8 +++---
 doc/crypto/d2i_PrivateKey.pod | 59 +++
 2 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 doc/crypto/d2i_PrivateKey.pod

diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c
index d21829a..86dcf5f 100644
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -97,15 +97,17 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const 
unsigned char **pp,
 if (!ret->ameth->old_priv_decode ||
 !ret->ameth->old_priv_decode(ret, , length)) {
 if (ret->ameth->priv_decode) {
+EVP_PKEY *tmp;
 PKCS8_PRIV_KEY_INFO *p8 = NULL;
 p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, , length);
 if (!p8)
 goto err;
-EVP_PKEY_free(ret);
-ret = EVP_PKCS82PKEY(p8);
+tmp = EVP_PKCS82PKEY(p8);
 PKCS8_PRIV_KEY_INFO_free(p8);
-if (ret == NULL)
+if (tmp == NULL)
 goto err;
+EVP_PKEY_free(ret);
+ret = tmp;
 } else {
 ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
 goto err;
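Review bot: `EVP_PKEY_free(ret); ret = tmp;` now runs only after EVP_PKCS82PKEY() succeeds, which removes the double free, but when the caller passed a non-NULL `a` its `*a` still points at the freed object until it is reassigned; confirm that the store into `*a` below this hunk executes on this path, since the new d2i_PrivateKey.pod promises that *a is "freed and replaced" on success.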
diff --git a/doc/crypto/d2i_PrivateKey.pod b/doc/crypto/d2i_PrivateKey.pod
new file mode 100644
index 000..e06ab6c
--- /dev/null
+++ b/doc/crypto/d2i_PrivateKey.pod
@@ -0,0 +1,59 @@
+=pod
+
+=head1 NAME
+
+d2i_Private_key, d2i_AutoPrivateKey, i2d_PrivateKey - decode and encode
+functions for reading and saving EVP_PKEY structures.
+
+=head1 SYNOPSIS
+
+ #include 
+
+ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
+  long length);
+ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
+  long length);
+ int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp);
+
+=head1 DESCRIPTION
+
+d2i_PrivateKey() decodes a private key using algorithm B. It attempts to
+use any key specific format or PKCS#8 unencrypted PrivateKeyInfo format. The
+B parameter should be a public key algorithm constant such as
+B. An error occurs if the decoded key does not match B.
+
+d2i_AutoPrivateKey() is similar to d2i_PrivateKey() except it attempts to
+automatically detect the private key format.
+
+i2d_PrivateKey() encodes B. It uses a key specific format or, if none is
+defined for that key type, PKCS#8 unencrypted PrivateKeyInfo format.
+
+These functions are similar to the d2i_X509() functions, and you should refer 
to
+that page for a detailed description (see L).
+
+=head1 NOTES
+
+All these functions use DER format and unencrypted keys. Applications wishing
+to encrypt or decrypt private keys should use other functions such as
+d2i_PKC8PrivateKey() instead.
+
+If the B<*a> is not NULL when calling d2i_PrivateKey() or d2i_AutoPrivateKey()
+(i.e. an existing structure is being reused) and the key format is PKCS#8
+then B<*a> will be freed and replaced on a successful call.
+
+=head1 RETURN VALUES
+
+d2i_PrivateKey() and d2i_AutoPrivateKey() return a valid B structure
+or B if an error occurs. The error code can be obtained by calling
+L.
+
+i2d_PrivateKey() returns the number of bytes successfully encoded or a
+negative value if an error occurs. The error code can be obtained by calling
+L.
+
+=head1 SEE ALSO
+
+L,
+L
+
+=cut
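Review bot: the NAME section lists `d2i_Private_key` but the documented function is d2i_PrivateKey(); the misspelling will break lookup when the pod is installed as man pages. Likewise NOTES refers to `d2i_PKC8PrivateKey()`, which should be d2i_PKCS8PrivateKey().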


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-03 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  c33e68971fa5a37ecb443755da22db9af5c35c80 (commit)
   via  3d2e575b3f71b4d66c0b948d411d8e936f192127 (commit)
   via  289cc052d3d8c4790264c2f7f10c8152b473bb67 (commit)
   via  0e6b8bf4bb83d9ebf8371cf2fde92438d31a6699 (commit)
   via  f5da52e308a6aeea6d5f3df98c4da295d7e9cc27 (commit)
   via  4159f311671cf3bac03815e5de44681eb758304a (commit)
  from  e903aaf894d542c02dc9bfd5065f906dc720d841 (commit)


- Log -
commit c33e68971fa5a37ecb443755da22db9af5c35c80
Author: Matt Caswell 
Date:   Tue May 3 14:50:37 2016 +0100

Prepare for 1.0.1u-dev

Reviewed-by: Rich Salz 

commit 3d2e575b3f71b4d66c0b948d411d8e936f192127
Author: Matt Caswell 
Date:   Tue May 3 14:49:52 2016 +0100

Prepare for 1.0.1t release

Reviewed-by: Rich Salz 

commit 289cc052d3d8c4790264c2f7f10c8152b473bb67
Author: Matt Caswell 
Date:   Tue May 3 14:49:52 2016 +0100

make update

Reviewed-by: Rich Salz 

commit 0e6b8bf4bb83d9ebf8371cf2fde92438d31a6699
Author: Matt Caswell 
Date:   Tue May 3 09:37:23 2016 +0100

Update CHANGES and NEWS for the new release

Reviewed-by: Richard Levitte 

commit f5da52e308a6aeea6d5f3df98c4da295d7e9cc27
Author: Dr. Stephen Henson 
Date:   Fri Apr 15 02:37:09 2016 +0100

Fix ASN1_INTEGER handling.

Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
for on the wire encoding.

Thanks to David Benjamin  for reporting this bug.

This was found using libFuzzer.

RT#4364 (part) CVE-2016-2108.

Reviewed-by: Emilia Käsper 

commit 4159f311671cf3bac03815e5de44681eb758304a
Author: Kurt Roeckx 
Date:   Sat Apr 16 23:08:56 2016 +0200

Check that we have enough padding characters.

Reviewed-by: Emilia Käsper 

CVE-2016-2107

MR: #2572

---

Summary of changes:
 CHANGES  | 93 +++-
 NEWS | 15 ++-
 README   |  2 +-
 crypto/asn1/a_type.c |  2 -
 crypto/asn1/tasn_dec.c   |  2 -
 crypto/asn1/tasn_enc.c   |  2 -
 crypto/evp/Makefile  |  8 ++--
 crypto/evp/e_aes_cbc_hmac_sha1.c |  3 ++
 crypto/opensslv.h|  6 +--
 openssl.spec |  2 +-
 10 files changed, 118 insertions(+), 17 deletions(-)

diff --git a/CHANGES b/CHANGES
index d4e9887..9442f3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,98 @@
  OpenSSL CHANGES
  ___
 
- Changes between 1.0.1s and 1.0.1t [xx XXX ]
+ Changes between 1.0.1t and 1.0.1u [xx XXX ]
+
+  *)
+
+ Changes between 1.0.1s and 1.0.1t [3 May 2016]
+
+  *) Prevent padding oracle in AES-NI CBC MAC check
+
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ AES-NI.
+
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack (CVE-2013-0169). The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
+
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ (CVE-2016-2107)
+ [Kurt Roeckx]
+
+  *) Fix EVP_EncodeUpdate overflow
+
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very 
large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
+
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ the PEM_write_bio* family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2105)
+ [Matt Caswell]
+
+  *) Fix EVP_EncryptUpdate overflow
+
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call 
to
+ EVP_EncryptUpdate() with a partial block then a 
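Review bot: in the CVE-2016-2107 entry, "the server support AES-NI" should read "the server supports AES-NI", and in the CVE-2016-2105 entry "primarly" should be "primarily". The empty `*)` placeholder under "Changes between 1.0.1t and 1.0.1u" is the usual dev-branch stub and is fine.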

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-03 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  e903aaf894d542c02dc9bfd5065f906dc720d841 (commit)
  from  fec6d1e868aad9c133e9096fc089ff52293612bf (commit)


- Log -
commit e903aaf894d542c02dc9bfd5065f906dc720d841
Author: Matt Caswell 
Date:   Tue May 3 12:45:45 2016 +0100

Remove some documentation for functions not in 1.0.x

A few functions in the recently added EVP_EncodeInit docs don't apply to
the 1.0.x branches.

Reviewed-by: Richard Levitte 

---

Summary of changes:
 doc/crypto/EVP_EncodeInit.pod | 25 +++--
 1 file changed, 3 insertions(+), 22 deletions(-)

diff --git a/doc/crypto/EVP_EncodeInit.pod b/doc/crypto/EVP_EncodeInit.pod
index bc35acf..c6f1267 100644
--- a/doc/crypto/EVP_EncodeInit.pod
+++ b/doc/crypto/EVP_EncodeInit.pod
@@ -2,18 +2,14 @@
 
 =head1 NAME
 
-EVP_ENCODE_CTX_new, EVP_ENCODE_CTX_free, EVP_ENCODE_CTX_num, EVP_EncodeInit,
-EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock, EVP_DecodeInit,
-EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock - EVP base 64 encode/decode
-routines
+EVP_EncodeInit, EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock,
+EVP_DecodeInit, EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock - EVP base 
64
+encode/decode routines
 
 =head1 SYNOPSIS
 
  #include 
 
- EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void);
- void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx);
- int EVP_ENCODE_CTX_num(EVP_ENCODE_CTX *ctx);
  void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
  void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl);
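Review bot: removing EVP_ENCODE_CTX_new()/free()/num() from NAME and SYNOPSIS leaves the page with no statement of how a caller obtains an EVP_ENCODE_CTX on this branch; add a sentence that in 1.0.x the structure is public and is declared by the caller (typically on the stack) and initialised with EVP_EncodeInit(), otherwise readers coming from the master version of this page will look for an allocator that does not exist.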
@@ -37,12 +33,6 @@ plus some occasional newlines (see below). If the input data 
length is not a
 multiple of 3 then the output data will be padded at the end using the "="
 character.
 
-EVP_ENCODE_CTX_new() allocates, initializes and returns a context to be used 
for
-the encode/decode functions.
-
-EVP_ENCODE_CTX_free() cleans up an encode/decode context B and frees up 
the
-space allocated to it.
-
 Encoding of binary data is performed in blocks of 48 input bytes (or less for
 the final block). For each 48 byte input block encoded 64 bytes of base 64 data
 is output plus an additional newline character (i.e. 65 bytes in total). The
@@ -75,9 +65,6 @@ in B<*outl>. It is the caller's responsibility to ensure that 
B is
 sufficiently large to accommodate the output data which will never be more than
 65 bytes plus an additional NUL terminator (i.e. 66 bytes in total).
 
-EVP_ENCODE_CTX_num() will return the number of as yet unprocessed bytes still 
to
-be encoded or decoded that are pending in the B object.
-
 EVP_EncodeBlock() encodes a full block of input data in B and of length
 B and stores it in B. For every 3 bytes of input provided 4 bytes of
 output data will be produced. If B is not divisible by 3 then the block 
is
@@ -123,12 +110,6 @@ the data decoded or -1 on error.
 
 =head1 RETURN VALUES
 
-EVP_ENCODE_CTX_new() returns a pointer to the newly allocated EVP_ENCODE_CTX
-object or NULL on error.
-
-EVP_ENCODE_CTX_num() returns the number of bytes pending encoding or decoding 
in
-B.
-
 EVP_EncodeBlock() returns the number of bytes encoded excluding the NUL
 terminator.
 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-03 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  fec6d1e868aad9c133e9096fc089ff52293612bf (commit)
   via  5d20e98465ad2d9af52190d42ca2b9deedcf9e8e (commit)
   via  5b814481f3573fa9677f3a31ee51322e2a22ee6a (commit)
  from  2919516136a4227d9e6d8f2fe66ef976aaf8c561 (commit)


- Log -
commit fec6d1e868aad9c133e9096fc089ff52293612bf
Author: Matt Caswell 
Date:   Mon Apr 25 11:54:30 2016 +0100

Add documentation for EVP_EncodeInit() and similar functions

Reviewed-by: Richard Levitte 

commit 5d20e98465ad2d9af52190d42ca2b9deedcf9e8e
Author: Matt Caswell 
Date:   Mon Apr 25 09:06:29 2016 +0100

Ensure EVP_EncodeUpdate handles an output length that is too long

With the EVP_EncodeUpdate function it is the caller's responsibility to
determine how big the output buffer should be. The function writes the
amount actually used to |*outl|. However this could go negative with a
sufficiently large value for |inl|. We add a check for this error
condition.

Reviewed-by: Richard Levitte 

commit 5b814481f3573fa9677f3a31ee51322e2a22ee6a
Author: Matt Caswell 
Date:   Fri Mar 4 10:17:17 2016 +

Avoid overflow in EVP_EncodeUpdate

An overflow can occur in the EVP_EncodeUpdate function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption. Due to the very large amounts of data involved this will most
likely result in a crash.

Internally to OpenSSL the EVP_EncodeUpdate function is primarily used by the
PEM_write_bio* family of functions. These are mainly used within the
OpenSSL command line applications, so any application which processes
data from an untrusted source and outputs it as a PEM file should be
considered vulnerable to this issue.

User applications that call these APIs directly with large amounts of
untrusted data may also be vulnerable.

Issue reported by Guido Vranken.

CVE-2016-2105

Reviewed-by: Richard Levitte 

---

Summary of changes:
 crypto/evp/encode.c   |  12 +++-
 doc/crypto/EVP_EncodeInit.pod | 146 ++
 doc/crypto/evp.pod|   5 ++
 3 files changed, 160 insertions(+), 3 deletions(-)
 create mode 100644 doc/crypto/EVP_EncodeInit.pod

diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
index c6abc4a..c6c775e 100644
--- a/crypto/evp/encode.c
+++ b/crypto/evp/encode.c
@@ -57,6 +57,7 @@
  */
 
 #include 
+#include 
 #include "cryptlib.h"
 #include 
 
@@ -151,13 +152,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char 
*out, int *outl,
   const unsigned char *in, int inl)
 {
 int i, j;
-unsigned int total = 0;
+size_t total = 0;
 
 *outl = 0;
 if (inl <= 0)
 return;
 OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
-if ((ctx->num + inl) < ctx->length) {
+if (ctx->length - ctx->num > inl) {
 memcpy(&(ctx->enc_data[ctx->num]), in, inl);
 ctx->num += inl;
 return;
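Review bot: `if (ctx->length - ctx->num > inl)` is written as a subtraction precisely so that `ctx->num + inl` cannot overflow an int for huge `inl`; add a comment saying so, because the original `(ctx->num + inl) < ctx->length` reads more naturally and a later cleanup could reintroduce it. The subtraction is safe only because `ctx->num < ctx->length` is an invariant of the context, so stating that invariant in the same comment (the OPENSSL_assert above only bounds ctx->length) would complete the argument.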
@@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char 
*out, int *outl,
 *out = '\0';
 total = j + 1;
 }
-while (inl >= ctx->length) {
+while (inl >= ctx->length && total <= INT_MAX) {
 j = EVP_EncodeBlock(out, in, ctx->length);
 in += ctx->length;
 inl -= ctx->length;
@@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char 
*out, int *outl,
 *out = '\0';
 total += j + 1;
 }
+if (total > INT_MAX) {
+/* Too much output data! */
+*outl = 0;
+return;
+}
 if (inl != 0)
 memcpy(&(ctx->enc_data[0]), in, inl);
 ctx->num = inl;
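Review bot: the new `if (total > INT_MAX)` path sets `*outl = 0` and returns, but by then the loop has already written up to INT_MAX bytes into `out` and advanced `in`/`inl` without updating ctx->num, so the context state and the caller's view of consumed input disagree; since EVP_EncodeUpdate() returns void the caller cannot tell this case apart from "nothing to emit". Document the behaviour (and the resulting practical input limit) in the EVP_EncodeInit.pod added in this same commit, or give the function an error return in a future API change.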
diff --git a/doc/crypto/EVP_EncodeInit.pod b/doc/crypto/EVP_EncodeInit.pod
new file mode 100644
index 000..bc35acf
--- /dev/null
+++ b/doc/crypto/EVP_EncodeInit.pod
@@ -0,0 +1,146 @@
+=pod
+
+=head1 NAME
+
+EVP_ENCODE_CTX_new, EVP_ENCODE_CTX_free, EVP_ENCODE_CTX_num, EVP_EncodeInit,
+EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock, EVP_DecodeInit,
+EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock - EVP base 64 encode/decode
+routines
+
+=head1 SYNOPSIS
+
+ #include 
+
+ EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void);
+ void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx);
+ int EVP_ENCODE_CTX_num(EVP_ENCODE_CTX *ctx);
+ void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
+ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
+   const unsigned char *in, int inl);
+ void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl);
+ int 
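Review bot: the NAME and SYNOPSIS sections list EVP_ENCODE_CTX_new(), EVP_ENCODE_CTX_free() and EVP_ENCODE_CTX_num(), none of which exist on the 1.0.1 branch where EVP_ENCODE_CTX is a public structure; the pod was evidently ported from master and those entries should be dropped (commit e903aaf above in this digest, "Remove some documentation for functions not in 1.0.x", does that).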

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-03 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  2919516136a4227d9e6d8f2fe66ef976aaf8c561 (commit)
  from  56ea22458f3f5f1d0148b0a97957de4d56f3d328 (commit)


- Log -
commit 2919516136a4227d9e6d8f2fe66ef976aaf8c561
Author: Matt Caswell 
Date:   Thu Apr 28 10:46:55 2016 +0100

Prevent EBCDIC overread for very long strings

ASN1 Strings that are over 1024 bytes can cause an overread in
applications using the X509_NAME_oneline() function on EBCDIC systems.
This could result in arbitrary stack data being returned in the buffer.

Issue reported by Guido Vranken.

CVE-2016-2176

Reviewed-by: Andy Polyakov 

---

Summary of changes:
 crypto/x509/x509_obj.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index f7daac2..3de3ac7 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -130,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 type == V_ASN1_PRINTABLESTRING ||
 type == V_ASN1_TELETEXSTRING ||
 type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
-ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
+if (num > (int)sizeof(ebcdic_buf))
+num = sizeof(ebcdic_buf);
+ascii2ebcdic(ebcdic_buf, q, num);
 q = ebcdic_buf;
 }
 #endif
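Review bot: the fix clamps `num` itself instead of only the length passed to ascii2ebcdic(), which matters because `num` is reused after `q = ebcdic_buf` as the number of bytes to read from the fixed-size buffer; the old code converted at most sizeof ebcdic_buf bytes but then read `num` bytes from it. A comment at the clamp stating that `num` must match the converted length would document why this is not merely a style change.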


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-03 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  56ea22458f3f5f1d0148b0a97957de4d56f3d328 (commit)
  from  1d29506fe0cfd585afcb17dfdf3ac42a30ab4087 (commit)


- Log -
commit 56ea22458f3f5f1d0148b0a97957de4d56f3d328
Author: Matt Caswell 
Date:   Thu Mar 3 23:36:23 2016 +

Fix encrypt overflow

An overflow can occur in the EVP_EncryptUpdate function. If an attacker is
able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate with a partial block then a length check can overflow
resulting in a heap corruption.

Following an analysis of all OpenSSL internal usage of the
EVP_EncryptUpdate function all usage is one of two forms.

The first form is like this:
EVP_EncryptInit()
EVP_EncryptUpdate()

i.e. where the EVP_EncryptUpdate() call is known to be the first called
function after an EVP_EncryptInit(), and therefore that specific call
must be safe.

The second form is where the length passed to EVP_EncryptUpdate() can be
seen from the code to be some small value and therefore there is no
possibility of an overflow.

Since all instances are one of these two forms, I believe that there can
be no overflows in internal code due to this problem.

It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate()
in certain code paths. Also EVP_CipherUpdate() is a synonym for
EVP_EncryptUpdate(). Therefore I have checked all instances of these
calls too, and came to the same conclusion, i.e. there are no instances
in internal usage where an overflow could occur.

This could still represent a security issue for end user code that calls
this function directly.

CVE-2016-2106

Issue reported by Guido Vranken.

Reviewed-by: Tim Hudson 
(cherry picked from commit 3f3582139fbb259a1c3cbb0a25236500a409bf26)

---

Summary of changes:
 crypto/evp/evp_enc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 4e983c4..1831572 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char 
*out, int *outl,
 bl = ctx->cipher->block_size;
 OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
 if (i != 0) {
-if (i + inl < bl) {
+if (bl - i > inl) {
 memcpy(&(ctx->buf[i]), in, inl);
 ctx->buf_len += inl;
 *outl = 0;
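Review bot: `if (bl - i > inl)` relies on `i < bl`, i.e. the buffered partial block is always shorter than a full block, so the subtraction cannot go negative; that invariant is what makes the rewrite safe against the `i + inl` overflow for huge `inl`, and a comment naming it would keep the next reader from "simplifying" the condition back. The same pattern is used in the EVP_EncodeUpdate() fix elsewhere in this digest.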


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-05-02 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  1d29506fe0cfd585afcb17dfdf3ac42a30ab4087 (commit)
  from  66ce2861c172b2eb344906f424e593337fbd1af8 (commit)


- Log -
commit 1d29506fe0cfd585afcb17dfdf3ac42a30ab4087
Author: Dr. Stephen Henson 
Date:   Mon May 2 17:33:50 2016 +0100

Fix i2d_X509_AUX: pp can be NULL.

Reported by David Benjamin

Reviewed-by: Emilia Käsper 
(cherry picked from commit 05aef4bbdbc18e7b9490512cdee41e8a608bcc0e)

---

Summary of changes:
 crypto/asn1/x_x509.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index 38ede71..1500871 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -202,14 +202,15 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, 
long length)
 int i2d_X509_AUX(X509 *a, unsigned char **pp)
 {
 int length, tmplen;
-unsigned char *start = *pp;
+unsigned char *start = pp != NULL ? *pp : NULL;
 length = i2d_X509(a, pp);
 if (length < 0 || a == NULL)
 return length;
 
 tmplen = i2d_X509_CERT_AUX(a->aux, pp);
 if (tmplen < 0) {
-*pp = start;
+if (start != NULL)
+*pp = start;
 return tmplen;
 }
 length += tmplen;
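Review bot: `start` is NULL both when `pp` is NULL (length-only query) and when `pp` is non-NULL but `*pp` is NULL, so the new `if (start != NULL) *pp = start;` skips the rollback in the second case even though `pp` is writable; testing `pp != NULL` instead would restore `*pp` to NULL there, which is the caller's original state. Whether i2d_X509() allocates a buffer in that case and what becomes of it when i2d_X509_CERT_AUX() fails is outside this hunk and worth a look.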


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-29 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  66ce2861c172b2eb344906f424e593337fbd1af8 (commit)
  from  1c81a59503af23fa109e346c973e99c66222bf11 (commit)


- Log -
commit 66ce2861c172b2eb344906f424e593337fbd1af8
Author: Dr. Stephen Henson 
Date:   Wed Apr 27 20:27:41 2016 +0100

Don't free ret->data if malloc fails.

Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell 
(cherry picked from commit 64eaf6c928f4066d62aa86f805796ef05bd0b1cc)

---

Summary of changes:
 crypto/asn1/a_bytes.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/a_bytes.c b/crypto/asn1/a_bytes.c
index 12715a7..385b539 100644
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const 
unsigned char **pp,
 } else {
 if (len != 0) {
 if ((ret->length < len) || (ret->data == NULL)) {
-if (ret->data != NULL)
-OPENSSL_free(ret->data);
 s = (unsigned char *)OPENSSL_malloc((int)len + 1);
 if (s == NULL) {
 i = ERR_R_MALLOC_FAILURE;
 goto err;
 }
+if (ret->data != NULL)
+OPENSSL_free(ret->data);
 } else
 s = ret->data;
 memcpy(s, p, (int)len);
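Review bot: moving `OPENSSL_free(ret->data)` after the malloc check means a failed allocation now leaves the caller's ASN1_STRING intact instead of holding a dangling `data` pointer that the err path or the caller may free again; add a comment to that effect so the ordering is not "tidied" back into the allocate-after-free form.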


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-27 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  6dfa55ab2fbd9a0f45c3ce088b1dd61800fb03d3 (commit)
  from  a04d08fc18e3dba21dfce71e55f0decb971f9b91 (commit)


- Log -
commit 6dfa55ab2fbd9a0f45c3ce088b1dd61800fb03d3
Author: Dr. Stephen Henson 
Date:   Sat Apr 23 13:33:05 2016 +0100

Reject inappropriate private key encryption ciphers.

The traditional private key encryption algorithm doesn't function
properly if the IV length of the cipher is zero. These ciphers
(e.g. ECB mode) are not suitable for private key encryption
anyway.

Reviewed-by: Emilia Käsper 
(cherry picked from commit d78df5dfd650e6de159a19a033513481064644f5)

---

Summary of changes:
 crypto/pem/pem_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 5507161..ab45a84 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -344,7 +344,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, 
BIO *bp,
 
 if (enc != NULL) {
 objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
-if (objstr == NULL) {
+if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0) {
 PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER);
 goto err;
 }
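Review bot: `EVP_CIPHER_iv_length(enc) == 0` is reported with the same PEM_R_UNSUPPORTED_CIPHER reason as a missing short name, which is reasonable, but the condition has no comment; put the justification from the commit message (the traditional private key encryption does not function with a zero-length IV, and such modes are unsuitable for private keys anyway) next to it so the check is not mistaken for an accidental restriction.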


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-26 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  a04d08fc18e3dba21dfce71e55f0decb971f9b91 (commit)
  from  1ee454157636a69400af56ea19f57c0b05c344ef (commit)


- Log -
commit a04d08fc18e3dba21dfce71e55f0decb971f9b91
Author: Matt Caswell 
Date:   Mon Apr 25 16:05:55 2016 +0100

Ensure we check i2d_X509 return val

The i2d_X509() function can return a negative value on error. Therefore
we should make sure we check it.

Issue reported by Yuan Jochen Kang.

Reviewed-by: Emilia Käsper 
(cherry picked from commit 446ba8de9af9aa4fa3debc7c76a38f4efed47a62)

---

Summary of changes:
 crypto/asn1/x_x509.c | 15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index bcd9166..38ede71 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -201,9 +201,18 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, 
long length)
 
 int i2d_X509_AUX(X509 *a, unsigned char **pp)
 {
-int length;
+int length, tmplen;
+unsigned char *start = *pp;
 length = i2d_X509(a, pp);
-if (a)
-length += i2d_X509_CERT_AUX(a->aux, pp);
+if (length < 0 || a == NULL)
+return length;
+
+tmplen = i2d_X509_CERT_AUX(a->aux, pp);
+if (tmplen < 0) {
+*pp = start;
+return tmplen;
+}
+length += tmplen;
+
 return length;
 }
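Review bot: `unsigned char *start = *pp;` dereferences `pp` unconditionally, but i2d functions accept `pp == NULL` for a length-only query, so this introduces a NULL dereference for that calling convention; initialise it as `pp != NULL ? *pp : NULL` and make the rollback conditional too (the follow-up commit 1d29506 in this digest does exactly this).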


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-25 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  1ee454157636a69400af56ea19f57c0b05c344ef (commit)
  from  184ebf0fca31685bb03e2ed225f2c474769fe646 (commit)


- Log -
commit 1ee454157636a69400af56ea19f57c0b05c344ef
Author: Matt Caswell 
Date:   Mon Apr 25 17:45:11 2016 +0100

Fix a signed/unsigned warning

This causes a compilation failure when using --strict-warnings in 1.0.2
and 1.0.1.

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 0ca67644ddedfd656d43a6639d89a6236ff64652)

---

Summary of changes:
 crypto/asn1/asn1_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 54b683c..874b1af 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -175,7 +175,7 @@ static int asn1_get_length(const unsigned char **pp, int 
*inf, long *rl,
 *inf = 0;
 i = *p & 0x7f;
 if (*(p++) & 0x80) {
-if (i > sizeof(ret) || max < i)
+if (i > sizeof(ret) || max < (long)i)
 return 0;
 while (i-- > 0) {
 ret <<= 8L;
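Review bot: the `(long)i` cast is value-safe only because `i = *p & 0x7f` two lines up bounds it to 127 and the earlier `max-- < 1` guard leaves `max` non-negative; a one-line comment saying so would stop someone later "correcting" it to `(unsigned long)max < i`, which would accept anything once `max` went negative.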


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-25 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  184ebf0fca31685bb03e2ed225f2c474769fe646 (commit)
  from  697283ba418b21c4c0682d7050264b492e2ea4e2 (commit)


- Log -
commit 184ebf0fca31685bb03e2ed225f2c474769fe646
Author: Rich Salz 
Date:   Mon Apr 25 08:56:54 2016 -0400

Fix NULL deref in apps/pkcs7

Thanks to Brian Carpenter for finding and reporting this.

Reviewed-by: Emilia Käsper 
(cherry picked from commit 79356a83b78a2d936dcd022847465d9ebf6c67b1)

---

Summary of changes:
 apps/pkcs7.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/apps/pkcs7.c b/apps/pkcs7.c
index 643507f..b677633 100644
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -235,12 +235,16 @@ int MAIN(int argc, char **argv)
 i = OBJ_obj2nid(p7->type);
 switch (i) {
 case NID_pkcs7_signed:
-certs = p7->d.sign->cert;
-crls = p7->d.sign->crl;
+if (p7->d.sign != NULL) {
+certs = p7->d.sign->cert;
+crls = p7->d.sign->crl;
+}
 break;
 case NID_pkcs7_signedAndEnveloped:
-certs = p7->d.signed_and_enveloped->cert;
-crls = p7->d.signed_and_enveloped->crl;
+if (p7->d.signed_and_enveloped != NULL) {
+certs = p7->d.signed_and_enveloped->cert;
+crls = p7->d.signed_and_enveloped->crl;
+}
 break;
 default:
 break;
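Review bot: when `p7->d.sign` (or `p7->d.signed_and_enveloped`) is NULL the switch now falls through silently and `certs`/`crls` keep their initial value, so the tool behaves as if the structure simply contained no certificates rather than reporting that the PKCS#7 content is missing; consider an explicit "no content" error after the switch so a malformed input cannot be mistaken for a valid empty one.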


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-22 Thread Viktor Dukhovni
The branch OpenSSL_1_0_1-stable has been updated
   via  697283ba418b21c4c0682d7050264b492e2ea4e2 (commit)
  from  3d411057a5e28530fffc40b257698f453c89aa87 (commit)


- Log -
commit 697283ba418b21c4c0682d7050264b492e2ea4e2
Author: Viktor Dukhovni 
Date:   Tue Apr 19 22:23:24 2016 -0400

Fix buffer overrun in ASN1_parse().

Backport of commits:

79c7f74d6cefd5d32fa20e69195ad3de834ce065
bdcd660e33710079b495cf5cc6a1aaa5d2dcd317

from master.

Reviewed-by: Matt Caswell 

---

Summary of changes:
 crypto/asn1/asn1_lib.c | 18 +++---
 crypto/asn1/asn1_par.c | 17 +
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 0b61fc9..54b683c 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -63,7 +63,7 @@
 #include 
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-   int max);
+   long max);
 static void asn1_put_length(unsigned char **pp, int length);
 const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
 
@@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char **pp, long 
*plength, int *ptag,
 }
 *ptag = tag;
 *pclass = xclass;
-if (!asn1_get_length(, , plength, (int)max))
+if (!asn1_get_length(, , plength, max))
 goto err;
 
 if (inf && !(ret & V_ASN1_CONSTRUCTED))
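Review bot: dropping the `(int)max` cast here (with the prototype widened to `long max` in the hunk above) is the substantive part of this file: `max` is `long` in ASN1_get_object, and truncating it to `int` could turn a large bound into a small or even negative one before it ever reached asn1_get_length.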
@@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char **pp, long 
*plength, int *ptag,
 }
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-   int max)
+   long max)
 {
 const unsigned char *p = *pp;
 unsigned long ret = 0;
-unsigned int i;
+unsigned long i;
 
 if (max-- < 1)
-return (0);
+return 0;
 if (*p == 0x80) {
 *inf = 1;
 ret = 0;
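Review bot: the `unsigned int` to `unsigned long` widening of `i` matters (it is compared against `sizeof(ret)` and `max` below), but the `return (0)` to `return 0` edits in the same hunk are cosmetic, and cosmetic churn makes a security backport harder to audit; keep the style cleanups out of this diff.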
@@ -175,15 +175,11 @@ static int asn1_get_length(const unsigned char **pp, int 
*inf, long *rl,
 *inf = 0;
 i = *p & 0x7f;
 if (*(p++) & 0x80) {
-if (i > sizeof(long))
+if (i > sizeof(ret) || max < i)
 return 0;
-if (max-- == 0)
-return (0);
 while (i-- > 0) {
 ret <<= 8L;
 ret |= *(p++);
-if (max-- == 0)
-return (0);
 }
 } else
 ret = i;
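Review bot: `max < i` compares `long` with `unsigned long`, so `max` is converted to unsigned; that is correct only because the `max-- < 1` guard above has already rejected `max <= 0`, and it trips -Wsign-compare (the following commit on this branch adds a `(long)i` cast for that reason). Note also that `max` is no longer decremented for the `i` length octets consumed in the loop; that is fine only because `max` is not used again after this point, which deserves a comment. Replacing the per-octet `max-- == 0` checks with one upfront `max < i` test is the right shape for the bound: a multi-octet length is rejected before any of its bytes is read.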
@@ -192,7 +188,7 @@ static int asn1_get_length(const unsigned char **pp, int 
*inf, long *rl,
 return 0;
 *pp = p;
 *rl = (long)ret;
-return (1);
+return 1;
 }
 
 /*
diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index 0ca985a..e85e339 100644
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, 
long length,
 if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
 goto end;
 if (j & V_ASN1_CONSTRUCTED) {
+const unsigned char *sp;
+
 ep = p + len;
 if (BIO_write(bp, "\n", 1) <= 0)
 goto end;
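Review bot: `sp` is declared without an initialiser and assigned on both branches below, which is correct, but `const unsigned char *sp = NULL;` costs nothing and keeps -Wmaybe-uninitialized quiet on compilers that cannot see through the `if`/`else` split.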
@@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, 
long length,
 goto end;
 }
 if ((j == 0x21) && (len == 0)) {
+sp = p;
 for (;;) {
 r = asn1_parse2(bp, , (long)(tot - p),
 offset + (p - *pp), depth + 1,
@@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, 
long length,
 ret = 0;
 goto end;
 }
-if ((r == 2) || (p >= tot))
+if ((r == 2) || (p >= tot)) {
+len = p - sp;
 break;
+}
 }
-} else
+} else {
+long tmp = len;
+
 while (p < ep) {
-r = asn1_parse2(bp, , (long)len,
-offset + (p - *pp), depth + 1,
+sp = p;
+r = asn1_parse2(bp, , tmp, offset + (p - *pp), depth + 1,
 indent, dump);
 if (r == 0) {
 ret = 0;
 goto end;
 }
+tmp -= p - sp;
 }
+}
 } else if (xclass != 0) {
 p += len;
 if (BIO_write(bp, "\n", 1) <= 0)
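Review bot: the definite-length loop now passes `tmp` (what remains of the parent's content) to each child instead of the parent's whole `len`, and `tmp -= p - sp` charges each child's consumption, so a child can no longer be told it may read up to `ep` plus the bytes its siblings already used; that is the actual overrun fix. The loop still only tests `p < ep` and never `tmp >= 0`: if a child overran, `tmp` would go negative and the next recursive call would be rejected only indirectly, by `max-- < 1` in asn1_get_length. An explicit `if (tmp < 0 || p > ep) goto end;` after each child would make that invariant visible. In the indefinite-length branch, `len = p - sp` is set only on the `break` path; the error path leaves `len` stale but returns 0, so that is harmless.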


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-22 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  3d411057a5e28530fffc40b257698f453c89aa87 (commit)
  from  7a433893adbe7eab3c41581175493d9e5326ba3f (commit)


- Log -
commit 3d411057a5e28530fffc40b257698f453c89aa87
Author: Dr. Stephen Henson 
Date:   Mon Apr 11 13:57:20 2016 +0100

Harden ASN.1 BIO handling of large amounts of data.

If the ASN.1 BIO is presented with a large length field read it in
chunks of increasing size checking for EOF on each read. This prevents
small files allocating excessive amounts of data.

CVE-2016-2109

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit c62981390d6cf9e3d612c489b8b77c2913b25807)

---

Summary of changes:
 crypto/asn1/a_d2i_fp.c | 36 ++--
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c
index a1864b4..51b6f24 100644
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void 
*x)
 #endif
 
 #define HEADER_SIZE   8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 {
 BUF_MEM *b;
@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 /* suck in c.slen bytes of data */
 want = c.slen;
 if (want > (len - off)) {
+size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
+
 want -= (len - off);
 if (want > INT_MAX /* BIO_read takes an int length */  ||
 len + want < len) {
 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
 goto err;
 }
-if (!BUF_MEM_grow_clean(b, len + want)) {
-ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
-goto err;
-}
 while (want > 0) {
-i = BIO_read(in, &(b->data[len]), want);
-if (i <= 0) {
-ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-ASN1_R_NOT_ENOUGH_DATA);
+/*
+ * Read content in chunks of increasing size
+ * so we can return an error for EOF without
+ * having to allocate the entire content length
+ * in one go.
+ */
+size_t chunk = want > chunk_max ? chunk_max : want;
+
+if (!BUF_MEM_grow_clean(b, len + chunk)) {
+ASN1err(ASN1_F_ASN1_D2I_READ_BIO, 
ERR_R_MALLOC_FAILURE);
 goto err;
 }
+want -= chunk;
+while (chunk > 0) {
+i = BIO_read(in, &(b->data[len]), chunk);
+if (i <= 0) {
+ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+ASN1_R_NOT_ENOUGH_DATA);
+goto err;
+}
 /*
  * This can't overflow because |len+want| didn't
  * overflow.
  */
-len += i;
-want -= i;
+len += i;
+chunk -= i;
+}
+if (chunk_max < INT_MAX/2)
+chunk_max *= 2;
 }
 }
 if (off + c.slen < off) {
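Review bot: `chunk` is a `size_t` passed to `BIO_read`, which takes an `int`; that is safe only because `chunk_max` starts at 16K and is doubled only while `chunk_max < INT_MAX/2`, so it never reaches INT_MAX, and `want` was already bounded by `INT_MAX` above. Put that reasoning in a comment next to the `BIO_read` call, since the int/size_t mix is the first thing a future reader will question. Likewise `want > chunk_max` converts `want` to unsigned, which is fine while the `while (want > 0)` condition holds. The growth policy itself does what the commit message says: a truncated file claiming a huge length now fails with `ASN1_R_NOT_ENOUGH_DATA` after allocating at most about twice what was actually read, and the "can't overflow because |len+want| didn't overflow" comment still holds because `chunk <= want`.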


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-04-07 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  7a433893adbe7eab3c41581175493d9e5326ba3f (commit)
  from  f4bed7c7b6fe8459dbc14e28f91c6150013b9c5e (commit)


- Log -
commit 7a433893adbe7eab3c41581175493d9e5326ba3f
Author: David Benjamin 
Date:   Mon Mar 14 15:03:07 2016 -0400

Fix memory leak on invalid CertificateRequest.

Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.

Reviewed-by: Emilia Käsper 
Reviewed-by: Stephen Henson 
(cherry picked from commit ec66c8c98881186abbb4a7ddd6617970f1ee27a7)

---

Summary of changes:
 ssl/s3_clnt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index cfa5080..9e5875f 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s)
 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
 goto err;
 }
+xn = NULL;
 
 p += l;
 nc += l + 2;
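Review bot: setting `xn = NULL` only after the successful push is right, since ownership has moved to `ca_sk` at that point, and it means the `ERR_R_MALLOC_FAILURE` path just above (push failed, `goto err`) now reaches the `X509_NAME_free(xn)` added at `done` with `xn` still set, closing that leak as well as the excess-data one named in the commit message.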
@@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s)
  err:
 s->state = SSL_ST_ERR;
  done:
+X509_NAME_free(xn);
 if (ca_sk != NULL)
 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
 return (ret);
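Review bot: `X509_NAME_free(xn)` at `done` is only correct if `xn` is initialised to NULL at its declaration (not in this hunk) and is NULL at every `goto err`/`goto done` that can run after a push: with the `xn = NULL` above, check that no path leaves `xn` pointing at a name already owned by `ca_sk`, which `sk_X509_NAME_pop_free` frees on the next line and would otherwise be a double free.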


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-26 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  f4bed7c7b6fe8459dbc14e28f91c6150013b9c5e (commit)
  from  f16080718e4756ac1269c90f837263c5cd8dc412 (commit)


- Log -
commit f4bed7c7b6fe8459dbc14e28f91c6150013b9c5e
Author: Dr. Stephen Henson 
Date:   Sat Mar 26 15:00:53 2016 +

Fix FIPS SSLv2 test

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 21211ade53f92629250bbea5e37d9179a31d3be2)

---

Summary of changes:
 test/testfipsssl | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/test/testfipsssl b/test/testfipsssl
index c4836ed..b8bbb25 100644
--- a/test/testfipsssl
+++ b/test/testfipsssl
@@ -38,8 +38,12 @@ fi
 echo test ssl3 is forbidden in FIPS mode
 $ssltest -ssl3 $extra && exit 1
 
-echo test ssl2 is forbidden in FIPS mode
-$ssltest -ssl2 $extra && exit 1
+if ../util/shlib_wrap.sh ../apps/openssl ciphers SSLv2 >/dev/null 2>&1; then
+echo test ssl2 is forbidden in FIPS mode
+$ssltest -ssl2 $extra && exit 1
+else
+echo ssl2 disabled: skipping test
+fi
 
 echo test tls1
 $ssltest -tls1 $extra || exit 1
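Review bot: the probe `openssl ciphers SSLv2` skips the check whenever that command fails, which also covers failures other than "SSLv2 not compiled in" (for instance the cipher string matching nothing for some other reason), so the "ssl2 is forbidden in FIPS mode" test can be skipped in a configuration where it should run. A probe tied to the build configuration, e.g. grepping for `OPENSSL_NO_SSL2` in `../include/openssl/opensslconf.h`, would be harder to fool.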


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-19 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  4161523ecd06b1e469b6e59e705ac8bec18611b6 (commit)
  from  66299660976540fa59450a5edc700e61ce4685d0 (commit)


- Log -
commit 4161523ecd06b1e469b6e59e705ac8bec18611b6
Author: Matt Caswell 
Date:   Mon Mar 14 17:06:19 2016 +

Fix a potential double free in EVP_DigestInit_ex

There is a potential double free in EVP_DigestInit_ex. This is believed
to be reached only as a result of programmer error - but we should fix it
anyway.

Issue reported by Guido Vranken.

Reviewed-by: Richard Levitte 
(cherry picked from commit ffe9150b1508a0ffc9e724f975691f24eb045c05)

---

Summary of changes:
 crypto/evp/digest.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 2e202c8..32167b2 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -200,8 +200,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, 
ENGINE *impl)
 }
 #endif
 if (ctx->digest != type) {
-if (ctx->digest && ctx->digest->ctx_size)
+if (ctx->digest && ctx->digest->ctx_size) {
 OPENSSL_free(ctx->md_data);
+ctx->md_data = NULL;
+}
 ctx->digest = type;
 if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
 ctx->update = type->update;
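Review bot: nulling `ctx->md_data` after the free is the fix: the dangling pointer would otherwise be freed again by a later `EVP_MD_CTX_cleanup`, or by this function if the allocation that follows (outside this hunk) fails. The `ctx->digest->ctx_size` test is evaluated on the old digest, which is the right one because `md_data` was sized for it; a short comment saying so would prevent it being "simplified" to test `type->ctx_size`.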


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-19 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  f16080718e4756ac1269c90f837263c5cd8dc412 (commit)
  from  4275ee389b4092363ed8f2f2fa8aa0240b0ea122 (commit)


- Log -
commit f16080718e4756ac1269c90f837263c5cd8dc412
Author: Matt Caswell 
Date:   Thu Mar 17 12:55:02 2016 +

Fix the no-comp option for Windows

no-comp on Windows was not actually suppressing compilation of the code,
although it was suppressing its use.

Reviewed-by: Richard Levitte 
(cherry picked from commit a6406c95984a1009f5676bbcf60cc0d6db107af4)

---

Summary of changes:
 crypto/comp/comp.h |  4 
 util/libeay.num| 18 +-
 util/mk1mf.pl  |  8 +---
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/crypto/comp/comp.h b/crypto/comp/comp.h
index 406c428..60a0734 100644
--- a/crypto/comp/comp.h
+++ b/crypto/comp/comp.h
@@ -4,6 +4,10 @@
 
 # include 
 
+# ifdef OPENSSL_NO_COMP
+#  error COMP is disabled.
+# endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
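Review bot: putting `#error` in a public header follows the convention of the other algorithm headers in 1.0.x (e.g. `#error RC4 is disabled.`), but it turns every unconditional `#include <openssl/comp.h>` in applications into a build break on `no-comp` builds; callers must now wrap it in `#ifndef OPENSSL_NO_COMP`. That is worth a CHANGES line, and this commit's summary shows none.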
diff --git a/util/libeay.num b/util/libeay.num
index a83c3be..e71ca91 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -1065,8 +1065,8 @@ d2i_ASN1_BMPSTRING  1092  
EXIST::FUNCTION:
 i2d_ASN1_BMPSTRING  1093   EXIST::FUNCTION:
 BIO_f_ber   1094   NOEXIST::FUNCTION:
 BN_init 1095   EXIST::FUNCTION:
-COMP_CTX_new1096   EXIST::FUNCTION:
-COMP_CTX_free   1097   EXIST::FUNCTION:
+COMP_CTX_new1096   EXIST::FUNCTION:COMP
+COMP_CTX_free   1097   EXIST::FUNCTION:COMP
 COMP_CTX_compress_block 1098   NOEXIST::FUNCTION:
 COMP_CTX_expand_block   1099   NOEXIST::FUNCTION:
 X509_STORE_CTX_get_ex_new_index 1100   EXIST::FUNCTION:
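Review bot: tagging these entries with the `COMP` algorithm keyword while leaving the ordinals (1096, 1097, ...) untouched is the right way to drop them from `no-comp` Windows builds without renumbering the export table; it only works if mkdef.pl already lists `COMP` among its known algorithms, and mkdef.pl is not in this commit's summary, so confirm that before relying on it.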
@@ -1113,10 +1113,10 @@ PKCS7_digest_from_attributes1140
EXIST::FUNCTION:
 PKCS7_get_attribute 1141   EXIST::FUNCTION:
 PKCS7_get_issuer_and_serial 1142   EXIST::FUNCTION:
 PKCS7_get_signed_attribute  1143   EXIST::FUNCTION:
-COMP_compress_block 1144   EXIST::FUNCTION:
-COMP_expand_block   1145   EXIST::FUNCTION:
-COMP_rle1146   EXIST::FUNCTION:
-COMP_zlib   1147   EXIST::FUNCTION:
+COMP_compress_block 1144   EXIST::FUNCTION:COMP
+COMP_expand_block   1145   EXIST::FUNCTION:COMP
+COMP_rle1146   EXIST::FUNCTION:COMP
+COMP_zlib   1147   EXIST::FUNCTION:COMP
 ms_time_diff1148   NOEXIST::FUNCTION:
 ms_time_new 1149   NOEXIST::FUNCTION:
 ms_time_free1150   NOEXIST::FUNCTION:
@@ -1945,7 +1945,7 @@ ENGINE_get_ctrl_function2521  
EXIST::FUNCTION:ENGINE
 ENGINE_set_ctrl_function2522   EXIST::FUNCTION:ENGINE
 BN_pseudo_rand_range2523   EXIST::FUNCTION:
 X509_STORE_CTX_set_verify_cb2524   EXIST::FUNCTION:
-ERR_load_COMP_strings   2525   EXIST::FUNCTION:
+ERR_load_COMP_strings   2525   EXIST::FUNCTION:COMP
 PKCS12_item_decrypt_d2i 2526   EXIST::FUNCTION:
 ASN1_UTF8STRING_it  2527   
EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ASN1_UTF8STRING_it  2527   
EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -3545,8 +3545,8 @@ X509at_get0_data_by_OBJ 3931  
EXIST::FUNCTION:
 ASN1_TYPE_set1  3932   EXIST::FUNCTION:
 ASN1_STRING_set03933   EXIST::FUNCTION:
 i2d_X509_ALGORS 3934   EXIST::FUNCTION:
-BIO_f_zlib  3935   EXIST:ZLIB:FUNCTION:
-COMP_zlib_cleanup   3936   EXIST::FUNCTION:
+BIO_f_zlib  3935   EXIST:ZLIB:FUNCTION:COMP
+COMP_zlib_cleanup   3936   EXIST::FUNCTION:COMP
 d2i_X509_ALGORS 3937   EXIST::FUNCTION:
 CMS_ReceiptRequest_free 3938   EXIST::FUNCTION:CMS
 PEM_write_CMS   3939   EXIST:!WIN16:FUNCTION:CMS
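Review bot: `BIO_f_zlib` now carries both the `ZLIB` platform flag and the `COMP` algorithm tag (`EXIST:ZLIB:FUNCTION:COMP`), so it is exported only when zlib is enabled and comp is not disabled; that is the intended combination, but it is the one entry where the two mechanisms meet, so it is the one to check against a `no-comp zlib` configuration.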
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 02dc010..8c7780a 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -282,8 +282,9 @@ $cflags.=" -DOPENSSL_FIPS"if $fips;
 $cflags.=" -DOPENSSL_NO_JPAKE"if $no_jpake;
 $cflags.=" -DOPENSSL_NO_EC2M"if $no_ec2m;
 $cflags.=" -DOPENSSL_NO_WEAK_SSL_CIPHERS"   if $no_weak_ssl;
-$cflags.= " -DZLIB" if $zlib_opt;
-$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
+$cflags.=" -DZLIB" if $zlib_opt;
+$cflags.=" 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-14 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  66299660976540fa59450a5edc700e61ce4685d0 (commit)
  from  03c71b84d351a3a5de0bc7d39a99336369277849 (commit)


- Log -
commit 66299660976540fa59450a5edc700e61ce4685d0
Author: Kurt Roeckx 
Date:   Wed Mar 9 18:10:52 2016 +0100

Add no-ssl2-method

Reviewed-by: Viktor Dukhovni 

MR: #2341
(cherry picked from commit 4256957570a233ed4e9840353e95e623dfd62086)

---

Summary of changes:
 CHANGES |  4 
 ssl/s2_meth.c   | 14 --
 ssl/ssl.h   |  2 ++
 util/mk1mf.pl   |  1 +
 util/mkdef.pl   |  6 +-
 util/ssleay.num |  6 +++---
 6 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index b0222cf..d4e9887 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
  default.
  [Kurt Roeckx]
 
+  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
+
  Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
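Review bot: the entry should name the macro that applications must test, `OPENSSL_NO_SSL2_METHOD`, since that is what now guards the prototypes in ssl.h, and it should say plainly that a no-ssl2-method library no longer exports SSLv2_method/SSLv2_client_method/SSLv2_server_method at all (unlike no-ssl2, which keeps NULL-returning stubs), i.e. that it is an ABI change relative to a default build.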
diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index 019d9dc..73885b7 100644
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -57,7 +57,8 @@
  */
 
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
+#ifndef OPENSSL_NO_SSL2_METHOD
+# ifndef OPENSSL_NO_SSL2
 # include 
 # include 
 
@@ -72,10 +73,19 @@ static const SSL_METHOD *ssl2_get_method(int ver)
 
 IMPLEMENT_ssl2_meth_func(SSLv2_method,
  ssl2_accept, ssl2_connect, ssl2_get_method)
-#else   /* !OPENSSL_NO_SSL2 */
+
+# else /* !OPENSSL_NO_SSL2 */
 
 const SSL_METHOD *SSLv2_method(void) { return NULL; }
 const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
 const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
 
+# endif
+
+#else /* !OPENSSL_NO_SSL2_METHOD */
+
+# if PEDANTIC
+static void *dummy = 
+# endif
+
 #endif
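Review bot: with OPENSSL_NO_SSL2_METHOD defined the three functions are removed from the library entirely, so binaries linked against a default build that reference them will fail to load against a no-ssl2-method build; that is the opposite trade-off from the previous commit on this page, which kept NULL-returning stubs for non-lazy symbol resolution. Acceptable as an explicit opt-in, but it should be documented as such. The `PEDANTIC` dummy exists only to keep the translation unit non-empty under -pedantic and deserves a comment saying so.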
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 06eb661..d6c475c 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2017,9 +2017,11 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 
+# ifndef OPENSSL_NO_SSL2_METHOD
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
+# endif
 
 # ifndef OPENSSL_NO_SSL3_METHOD
 const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
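Review bot: application code that currently guards calls with `#ifndef OPENSSL_NO_SSL2` will stop compiling on no-ssl2-method builds, because the prototypes are now hidden behind `OPENSSL_NO_SSL2_METHOD` instead; it has to test the new macro, mirroring the `OPENSSL_NO_SSL3_METHOD` guard directly below. The two guards should be documented together.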
diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index e5fe37c..02dc010 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -1115,6 +1115,7 @@ sub read_options
"nw-mwasm" => \$nw_mwasm,
"gaswin" => \$gaswin,
"no-ssl2" => \$no_ssl2,
+   "no-ssl2-method" => 0,
"no-ssl3" => \$no_ssl3,
"no-ssl3-method" => 0,
"no-tlsext" => \$no_tlsext,
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 894f052..0b97aa4 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", 
"DES", "BF",
 "CAPIENG",
 # SSL v2
 "SSL2",
+# SSL v2 method
+"SSL2_METHOD",
 # SSL v3 method
 "SSL3_METHOD",
 # JPAKE
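Review bot: registering `SSL2_METHOD` here only has effect if the three SSLv2_*method lines in util/ssleay.num carry the new keyword (ssleay.num is in the summary but not shown above); otherwise mkdef.pl keeps exporting symbols that s2_meth.c no longer defines and the Windows link fails. Separately, the mk1mf.pl hunk above maps `no-ssl2-method` to `0`, i.e. accepts and ignores it, so on that build path the OPENSSL_NO_SSL2_METHOD define has to come from opensslconf.h; on the Unix side this relies on Configure's generic `no-<x>` handling defining `OPENSSL_NO_<X>`, which is why Configure is not touched here.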
@@ -143,7 +145,7 @@ my $no_fp_api; my $no_static_engine=1; my $no_gmp; my 
$no_deprecated;
 my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
 my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; 
 my $no_nextprotoneg; my $no_sctp; my $no_srtp;
-my $no_unit_test; my $no_ssl3_method;
+my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method;
 
 my $fips;
 
@@ -238,6 +240,7 @@ foreach (@ARGV, split(/ /, $options))
elsif (/^no-ec_nistp_64_gcc_128$/)  { $no_nistp_gcc=1; }
elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; }
elsif (/^no-ssl2$/) { $no_ssl2=1; }
+   elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; }
elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
elsif (/^no-capieng$/)  { $no_capieng=1; }
elsif (/^no-jpake$/){ $no_jpake=1; }
@@ -1211,6 +1214,7 @@ sub is_valid
if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
{ return 0; }
if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
+   if ($keyword eq "SSL2_METHOD" && $no_ssl2_method) { 
return 0; }
if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { 
return 0; }
if ($keyword eq "CAPIENG" && $no_capieng) 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-08 Thread Viktor Dukhovni
The branch OpenSSL_1_0_1-stable has been updated
   via  5bac9d44e712bc4acfbdd156244fca4486285ec9 (commit)
  from  a15971944091fa01d959566b17ce86225346c83c (commit)


- Log -
commit 5bac9d44e712bc4acfbdd156244fca4486285ec9
Author: Viktor Dukhovni 
Date:   Mon Mar 7 21:10:38 2016 +

Retain SSLv2 methods as functions that return NULL

This improves ABI compatibility when symbol resolution is not lazy.

Reviewed-by: Richard Levitte 

---

Summary of changes:
 ssl/s2_meth.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index b312f17..d46e2f5 100644
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method,
  ssl2_accept, ssl2_connect, ssl2_get_method)
 #else   /* !OPENSSL_NO_SSL2 */
 
-# if PEDANTIC
-static void *dummy = 
-# endif
+SSL_METHOD *SSLv2_method(void) { return NULL; }
+SSL_METHOD *SSLv2_client_method(void) { return NULL; }
+SSL_METHOD *SSLv2_server_method(void) { return NULL; }
 
 #endif
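Review bot: these stubs return `SSL_METHOD *`, but ssl/ssl.h declares `const SSL_METHOD *SSLv2_method(void)` (the declarations are visible in the ssl.h hunk of the 2016-03-14 message above); with ssl.h included via ssl_locl.h that is a conflicting-types error, and without it the exported symbol has the wrong type. Make them `const SSL_METHOD *`, as the later version of this file on this page does.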


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-07 Thread Andy Polyakov
The branch OpenSSL_1_0_1-stable has been updated
   via  a15971944091fa01d959566b17ce86225346c83c (commit)
  from  6e7a1f35b71f35296257ce634fce933f8fe41c8c (commit)


- Log -
commit a15971944091fa01d959566b17ce86225346c83c
Author: Andy Polyakov 
Date:   Fri Mar 4 11:39:11 2016 +0100

bn/asm/x86[_64]-mont*.pl: complement alloca with page-walking.

Some OSes, *cough*-dows, insist on stack being "wired" to
physical memory in strictly sequential manner, i.e. if stack
allocation spans two pages, then reference to farmost one can
be punishable by SEGV. But page walking can do good even on
other OSes, because it guarantees that villain thread hits
the guard page before it can make damage to innocent one...

Reviewed-by: Rich Salz 
(cherry picked from commit adc4f1fc25b2cac90076f1e1695b05b7aeeae501)

Resolved conflicts:
crypto/bn/asm/x86_64-mont.pl
crypto/bn/asm/x86_64-mont5.pl

Reviewed-by: Richard Levitte 

---

Summary of changes:
 crypto/bn/asm/x86-mont.pl | 15 +++
 crypto/bn/asm/x86_64-mont.pl  | 40 +---
 crypto/bn/asm/x86_64-mont5.pl | 22 ++
 3 files changed, 74 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/asm/x86-mont.pl b/crypto/bn/asm/x86-mont.pl
index e8f6b05..89f4de6 100755
--- a/crypto/bn/asm/x86-mont.pl
+++ b/crypto/bn/asm/x86-mont.pl
@@ -85,6 +85,21 @@ $frame=32;   # size of above frame 
rounded up to 16n
 
("esp",-64);# align to cache line
 
+   # Some OSes, *cough*-dows, insist on stack being "wired" to
+   # physical memory in strictly sequential manner, i.e. if stack
+   # allocation spans two pages, then reference to farmost one can
+   # be punishable by SEGV. But page walking can do good even on
+   # other OSes, because it guarantees that villain thread hits
+   # the guard page before it can make damage to innocent one...
+   ("eax","ebp");
+   ("eax","esp");
+   ("eax",-4096);
+_label("page_walk");
+   ("edx",(0,"esp","eax"));
+   ("eax",4096);
+   _byte(0x2e);
+   (("page_walk"));
+
# load argument block...
("eax",(0*4,"esi"));# BN_ULONG *rp
("ebx",(1*4,"esi"));# const BN_ULONG *ap
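Review bot: the walk starts at `esp + ((ebp - esp) & -4096)`, the page nearest the saved stack pointer in ebp, and steps down by 4096 until the `sub` borrows, so the final touch is at `esp` itself; that top-down order is what guarantees the guard page is hit before any page below it is written. The `0x2e` byte is a branch-not-taken hint prefix on the `jnc`, harmless on CPUs that ignore it. Worth a comment that `edx` is clobbered by the touch load, since it plays no other part in the frame setup.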
diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
index 17fb94c..c8ae019 100755
--- a/crypto/bn/asm/x86_64-mont.pl
+++ b/crypto/bn/asm/x86_64-mont.pl
@@ -91,6 +91,20 @@ bn_mul_mont:
 
mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp
 .Lmul_body:
+   # Some OSes, *cough*-dows, insist on stack being "wired" to
+   # physical memory in strictly sequential manner, i.e. if stack
+   # allocation spans two pages, then reference to farmost one can
+   # be punishable by SEGV. But page walking can do good even on
+   # other OSes, because it guarantees that villain thread hits
+   # the guard page before it can make damage to innocent one...
+   sub %rsp,%r11
+   and \$-4096,%r11
+.Lmul_page_walk:
+   mov (%rsp,%r11),%r10
+   sub \$4096,%r11
+   .byte   0x66,0x2e   # predict non-taken
+   jnc .Lmul_page_walk
+
mov $bp,%r12# reassign $bp
 ___
$bp="%r12";
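Review bot: `sub %rsp,%r11` turns the saved stack pointer in %r11 into the frame size, so %r11 is consumed here; that is fine because the context shows it was already stored with `mov %r11,8(%rsp,$num,8)` and can be reloaded from `tp[num+1]`. The touch `mov (%rsp,%r11),%r10` clobbers %r10, so nothing live may be in it at `.Lmul_body`; the sqr4x hunk below changes `xor %r10,%r10 / sub $num,%r10` into `neg $num` for exactly that reason, and it is worth stating in a comment here as well.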
@@ -296,6 +310,14 @@ bn_mul4x_mont:
 
mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp
 .Lmul4x_body:
+   sub %rsp,%r11
+   and \$-4096,%r11
+.Lmul4x_page_walk:
+   mov (%rsp,%r11),%r10
+   sub \$4096,%r11
+   .byte   0x2e# predict non-taken
+   jnc .Lmul4x_page_walk
+
mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp
mov %rdx,%r12   # reassign $bp
 ___
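Review bot: this walk uses `.byte 0x2e` while the one in bn_mul_mont uses `.byte 0x66,0x2e`; both are just prefix bytes on the `jnc`, but pick one form so the three loops in this file read identically.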
@@ -707,6 +729,7 @@ $code.=<<___;
 .align 16
 bn_sqr4x_mont:
 .Lsqr4x_enter:
+   mov %rsp,%rax
push%rbx
push%rbp
push%r12
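Review bot: `mov %rsp,%rax` at entry saves the caller's stack pointer before the pushes; the epilogue has to restore from %rax (not in this listing), and %rax carries no argument to bn_sqr4x_mont, so it is free here. Say in a comment what %rax is reserved for so it is not clobbered between here and the epilogue.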
@@ -715,12 +738,23 @@ bn_sqr4x_mont:
push%r15
 
shl \$3,${num}d # convert $num to bytes
-   xor %r10,%r10
mov %rsp,%r11   # put aside %rsp
-   sub $num,%r10   # -$num
+   neg $num# -$num
mov ($n0),$n0   # *n0
-   lea -72(%rsp,%r10,2),%rsp   # alloca(frame+2*$num)
+   lea -72(%rsp,$num,2),%rsp   # alloca(frame+2*$num)
and \$-1024,%rsp# minimize TLB usage
+
+   sub %rsp,%r11
+   and \$-4096,%r11
+.Lsqr4x_page_walk:
+   mov (%rsp,%r11),%r10
+   sub \$4096,%r11
+   .byte   0x2e# predict non-taken
+   jnc .Lsqr4x_page_walk
+
+   mov   
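Review bot: replacing `xor %r10,%r10 / sub $num,%r10` with `neg $num` frees %r10 for the page-walk load but leaves `$num` negative from here on, so every later use of `$num` as a positive byte count has to have been adjusted; the rest of this hunk is cut off in this listing, so that cannot be confirmed here. Placing the `sub %rsp,%r11 / and $-4096,%r11` walk after `and $-1024,%rsp` means the aligned frame is what gets touched, which is correct.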

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-07 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  6e7a1f35b71f35296257ce634fce933f8fe41c8c (commit)
  from  01992513186f3954934d08ef500bfd7cd55306a0 (commit)


- Log -
commit 6e7a1f35b71f35296257ce634fce933f8fe41c8c
Author: Kurt Roeckx 
Date:   Sun Jan 10 13:23:43 2016 +0100

Remove LOW from the default

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 29cce508972f61511318bf8cf7011fae027cddb2)

---

Summary of changes:
 CHANGES  |  4 ++-
 doc/apps/ciphers.pod |  2 +-
 ssl/s2_lib.c | 16 +-
 ssl/s3_lib.c | 88 ++--
 ssl/ssl.h|  2 +-
 ssl/ssl_ciph.c   | 16 +-
 ssl/ssl_locl.h   |  3 +-
 7 files changed, 67 insertions(+), 64 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2a78cc4..b0222cf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,9 @@
 
  Changes between 1.0.1s and 1.0.1t [xx XXX ]
 
-  *)
+  *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from 
the
+ default.
+ [Kurt Roeckx]
 
  Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
 
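Review bot: "singles DES" should read "single DES". The entry could also say what the diff actually does: every SSLv2 cipher and every EXPORT cipher in ssl3_ciphers is tagged SSL_NOT_DEFAULT as well, not just the LOW ones, so a reader of CHANGES knows why `DEFAULT` and `ALL:!LOW` now differ.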
diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
index 888b8ed..34bb816 100644
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -107,7 +107,7 @@ The following is a list of all permitted cipher strings and 
their meanings.
 
 The default cipher list.
 This is determined at compile time and is normally
-B.
+B.
 When used, this must be the first cipherstring specified.
 
 =item B
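Review bot: the default string documented here must match the SSL_DEFAULT_CIPHER_LIST macro in ssl/ssl.h, which this commit also touches according to the summary; the two drift easily, so check them side by side before merging.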
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 82c1731..7bcb81a 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_RC4,
  SSL_MD5,
  SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
  0,
  128,
  128,
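Review bot: adding SSL_NOT_DEFAULT to every SSLv2 cipher, regardless of its LOW/MEDIUM/HIGH tag, means they drop out of `DEFAULT` even when SSLv2 is compiled in; consistent with SSLv2 being off by default, but the commit title only mentions LOW, so the message (or CHANGES) should say SSLv2 ciphers are covered too.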
@@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_RC4,
  SSL_MD5,
  SSL_SSLV2,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
  SSL2_CF_5_BYTE_ENC,
  40,
  128,
@@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_RC2,
  SSL_MD5,
  SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
  0,
  128,
  128,
@@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_RC2,
  SSL_MD5,
  SSL_SSLV2,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
  SSL2_CF_5_BYTE_ENC,
  40,
  128,
@@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_IDEA,
  SSL_MD5,
  SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
  0,
  128,
  128,
@@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_DES,
  SSL_MD5,
  SSL_SSLV2,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
  0,
  56,
  56,
@@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_3DES,
  SSL_MD5,
  SSL_SSLV2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
  0,
  112,
  168,
@@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
  SSL_RC4,
  SSL_MD5,
  SSL_SSLV2,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
  SSL2_CF_8_BYTE_ENC,
  64,
  64,
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index a48f2b6..35d6587 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -213,7 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_RC4,
  SSL_MD5,
  SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  40,
  128,
@@ -263,7 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_RC2,
  SSL_MD5,
  SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  40,
  128,
@@ -299,7 +299,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  40,
  56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_DES,
  SSL_SHA1,
  SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
  SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
  56,
  56,
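Review bot: this single-DES entry (SSL_LOW) is the one the title is about; the EXPORT entries above it gain SSL_NOT_DEFAULT in this diff as well. Both only matter for `enable-weak-ssl-ciphers` builds, since the 1.0.1s entry quoted above says default builds no longer compile these ciphers at all, so exercising this change needs an `openssl ciphers DEFAULT` check on such a build.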
@@ -352,7 +352,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
  SSL_DES,
  SSL_SHA1,
  SSL_SSLV3,
- 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-03 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  298d823bf8dcf18d678b2f14124648356bcee313 (commit)
  from  73158771aa1d44b0904dc4b2f600969b4290f54f (commit)


- Log -
commit 298d823bf8dcf18d678b2f14124648356bcee313
Author: Dr. Stephen Henson 
Date:   Thu Mar 3 23:37:36 2016 +

Sanity check PVK file fields.

PVK files with abnormally large length or salt fields can cause an
integer overflow which can result in an OOB read and heap corruption.
However, this is a rarely used format and private key files do not
normally come from untrusted sources, so the security implications are not
significant.

Fix by limiting PVK length field to 100K and salt to 10K: these should be
more than enough to cover any files encountered in practice.

Issue reported by Guido Vranken.

Reviewed-by: Rich Salz 
(cherry picked from commit 5f57abe2b150139b8b057313d52b1fe8f126c952)

---

Summary of changes:
 crypto/pem/pvkfmt.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 82d4527..6186446 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -131,6 +131,10 @@ static int read_lebn(const unsigned char **in, unsigned 
int nbyte, BIGNUM **r)
 # define MS_PVKMAGIC 0xb0b5f11eL
 /* Salt length for PVK files */
 # define PVK_SALTLEN 0x10
+/* Maximum length in PVK header */
+# define PVK_MAX_KEYLEN  102400
+/* Maximum salt length */
+# define PVK_MAX_SALTLEN 10240
 
 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
  unsigned int bitlen, int ispub);
@@ -644,6 +648,9 @@ static int do_PVK_header(const unsigned char **in, unsigned 
int length,
 *psaltlen = read_ledword();
 *pkeylen = read_ledword();
 
+if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
+return 0;
+
 if (is_encrypted && !*psaltlen) {
 PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
 return 0;
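Review bot: the new length check returns 0 without recording an error reason, whereas the inconsistent-header check directly below it calls `PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER)`; a caller rejected for an oversized header therefore sees an empty error queue and cannot tell this case from a read failure. Raise a PEM error (a new PEM_R_ reason for an over-long header, or reuse the inconsistent-header reason) before the `return 0`.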
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-03-01 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  73158771aa1d44b0904dc4b2f600969b4290f54f (commit)
   via  57ac73fb5d0a878f282cbcd9e7951c77fdc59e3c (commit)
   via  5d2b93ad7b57bd421579bf111882a0f495f03e38 (commit)
   via  f588db901705adfa774bf3e2604ffd60e55d16a5 (commit)
   via  8954b54182d45fde2d991e7ed80471457d5b2c16 (commit)
   via  c582e9d2139b9c9311718c20bbfeac37718e0b21 (commit)
   via  7f98aa7403a1244cf17d1aa489f5bb0f39bae431 (commit)
   via  d7a854c055ff22fb7da80c3b0e7cb08d248591d0 (commit)
   via  abd5d8fbef7085499ba7785622da4e8288068f46 (commit)
   via  a82cfd612b30258c7d720153298846727b06b046 (commit)
   via  56f1acf5ef8a432992497a04792ff4b3b2c6f286 (commit)
  from  8f651326a5cbec5ca7cf0bad0205d4c87dc8c2d0 (commit)


- Log -
commit 73158771aa1d44b0904dc4b2f600969b4290f54f
Author: Matt Caswell 
Date:   Tue Mar 1 13:42:02 2016 +

Prepare for 1.0.1t-dev

Reviewed-by: Richard Levitte 

commit 57ac73fb5d0a878f282cbcd9e7951c77fdc59e3c
Author: Matt Caswell 
Date:   Tue Mar 1 13:40:46 2016 +

Prepare for 1.0.1s release

Reviewed-by: Richard Levitte 

commit 5d2b93ad7b57bd421579bf111882a0f495f03e38
Author: Matt Caswell 
Date:   Tue Mar 1 13:40:45 2016 +

make update

Reviewed-by: Richard Levitte 

commit f588db901705adfa774bf3e2604ffd60e55d16a5
Author: Matt Caswell 
Date:   Tue Mar 1 12:08:33 2016 +

Ensure mk1mf.pl is aware of no-weak-ssl-ciphers option

Update mk1mf.pl to properly handle no-weak-ssl-ciphers

Reviewed-by: Richard Levitte 

commit 8954b54182d45fde2d991e7ed80471457d5b2c16
Author: Matt Caswell 
Date:   Tue Mar 1 11:00:48 2016 +

Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte 

commit c582e9d2139b9c9311718c20bbfeac37718e0b21
Author: Andy Polyakov 
Date:   Fri Sep 12 00:06:00 2014 +0200

perlasm/x86_64-xlate.pl: handle inter-bank movd.

Reviewed-by: Rich Salz 
(cherry picked from commit 902b30df193afc3417a96ba72a81ed390bd50de3)

commit 7f98aa7403a1244cf17d1aa489f5bb0f39bae431
Author: Andy Polyakov 
Date:   Tue Jan 26 16:25:02 2016 +0100

crypto/bn/x86_64-mont5.pl: constant-time gather procedure.

[Backport from master]

CVE-2016-0702

Reviewed-by: Richard Levitte 

commit d7a854c055ff22fb7da80c3b0e7cb08d248591d0
Author: Andy Polyakov 
Date:   Tue Jan 26 11:34:41 2016 +0100

bn/bn_exp.c: constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.

Performance penalty varies from platform to platform, and even
key length. For rsa2048 sign it was observed to reach almost 10%.

CVE-2016-0702

Reviewed-by: Richard Levitte 

commit abd5d8fbef7085499ba7785622da4e8288068f46
Author: Viktor Dukhovni 
Date:   Fri Feb 19 13:05:11 2016 -0500

Disable EXPORT and LOW SSLv3+ ciphers by default

Reviewed-by: Emilia Käsper 

commit a82cfd612b30258c7d720153298846727b06b046
Author: Viktor Dukhovni 
Date:   Wed Feb 17 23:22:59 2016 -0500

Bring SSL method documentation up to date

Reviewed-by: Emilia Käsper 

commit 56f1acf5ef8a432992497a04792ff4b3b2c6f286
Author: Viktor Dukhovni 
Date:   Wed Feb 17 21:37:15 2016 -0500

Disable SSLv2 default build, default negotiation and weak ciphers.

SSLv2 is by default disabled at build-time.  Builds that are not
configured with "enable-ssl2" will not support SSLv2.  Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:

SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed.  Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

Mitigation for CVE-2016-0800

Reviewed-by: Emilia Käsper 

---

Summary of changes:
 CHANGES | 117 -
 Configure   |   8 +-
 NEWS|  15 +-
 README  |   2 +-
 crypto/bn/Makefile  |   3 +-
 crypto/bn/asm/x86_64-mont5.pl   | 513 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-29 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  8f651326a5cbec5ca7cf0bad0205d4c87dc8c2d0 (commit)
  from  f16bc6f06c8eb454b8fcb457ef890c185d1d5746 (commit)


- Log -
commit 8f651326a5cbec5ca7cf0bad0205d4c87dc8c2d0
Author: Matt Caswell 
Date:   Mon Feb 22 10:27:18 2016 +

Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption

In the BN_hex2bn function the number of hex digits is calculated using
an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
For large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This leaves ret->d as NULL leading
to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this
case memory is allocated to ret->d, but it is insufficiently sized
leading to heap corruption. A similar issue exists in BN_dec2bn.

This could have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec data. This is
anticipated to be a rare occurrence.

All OpenSSL internal usage of this function uses data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be rare.

Issue reported by Guido Vranken.

CVE-2016-0797

Reviewed-by: Andy Polyakov 
(cherry picked from commit c175308407858afff3fc8c2e5e085d94d12edc7d)

---

Summary of changes:
 crypto/bn/bn.h   | 14 --
 crypto/bn/bn_print.c | 17 +
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index 47d8c71..b39258d 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -125,6 +125,7 @@
 #ifndef HEADER_BN_H
 # define HEADER_BN_H
 
+# include 
 # include 
 # ifndef OPENSSL_NO_FP_API
 #  include /* FILE */
@@ -739,8 +740,17 @@ const BIGNUM *BN_get0_nist_prime_521(void);
 
 /* library internal functions */
 
-# define bn_expand(a,bits) ((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-(a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
+# define bn_expand(a,bits) \
+( \
+bits > (INT_MAX - BN_BITS2 + 1) ? \
+NULL \
+: \
+(((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
+(a) \
+: \
+bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
+)
+
 # define bn_wexpand(a,words) (((words) <= 
(a)->dmax)?(a):bn_expand2((a),(words)))
 BIGNUM *bn_expand2(BIGNUM *a, int words);
 # ifndef OPENSSL_NO_DEPRECATED
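Review bot: `bits` is used unparenthesised three times in the new bn_expand body (`bits > (INT_MAX - BN_BITS2 + 1)` and twice in `(bits+BN_BITS2-1)/BN_BITS2`), so an argument such as `x ? 8 : 16` would mis-expand and any argument with side effects is evaluated more than once; wrap each use as `(bits)`, as `(a)` already is. The overflow guard also assumes `bits` is a signed int comparable with INT_MAX, which holds for the `i * 4` callers in bn_print.c but deserves a comment next to the macro.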
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index ab10b95..bfa31ef 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -58,6 +58,7 @@
 
 #include 
 #include 
+#include 
 #include "cryptlib.h"
 #include 
 #include "bn_lcl.h"
@@ -189,7 +190,11 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
 a++;
 }
 
-for (i = 0; isxdigit((unsigned char)a[i]); i++) ;
+for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++)
+continue;
+
+if (i > INT_MAX/4)
+goto err;
 
 num = i + neg;
 if (bn == NULL)
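Review bot: the bound `INT_MAX/4` is tied to the `bn_expand(ret, i * 4)` further down only implicitly; a named constant or a one-line comment on why 4 is the factor would keep the two from drifting apart. The new `goto err` also fires before `num` and `ret` are set up, so the err label must tolerate `ret` still holding its initial value (not visible in this hunk; worth confirming). The same loop and bound are repeated in BN_dec2bn; a shared digit-counting helper would avoid maintaining them twice.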
@@ -204,7 +209,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
 BN_zero(ret);
 }
 
-/* i is the number of hex digests; */
+/* i is the number of hex digits */
 if (bn_expand(ret, i * 4) == NULL)
 goto err;
 
@@ -260,7 +265,11 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
 a++;
 }
 
-for (i = 0; isdigit((unsigned char)a[i]); i++) ;
+for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++)
+continue;
+
+if (i > INT_MAX/4)
+goto err;
 
 num = i + neg;
 if (bn == NULL)
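Review bot: this reuses the hex path's `INT_MAX/4` limit for decimal input. Each decimal digit needs fewer than 4 bits, so the `i * 4` passed to bn_expand below over-allocates (as the existing comment there says) but cannot exceed INT_MAX once `i <= INT_MAX/4`; a short comment stating that this bound exists to keep `i * 4` from overflowing, rather than to reflect the decimal digit width, would make the intent clear to the next reader.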
@@ -278,7 +287,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
 BN_zero(ret);
 }
 
-/* i is the number of digests, a bit of an over expand; */
+/* i is the number of digits, a bit of an over expand */
 if (bn_expand(ret, i * 4) == NULL)
 goto err;
 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-27 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  f16bc6f06c8eb454b8fcb457ef890c185d1d5746 (commit)
  from  a801bf263849a2ef773e5bc0c86438cbba720835 (commit)


- Log -
commit f16bc6f06c8eb454b8fcb457ef890c185d1d5746
Author: Kurt Roeckx 
Date:   Sat Feb 27 13:38:01 2016 +0100

Revert "Don't check RSA_FLAG_SIGN_VER."

This reverts commit 23a58779f53a9060c823d00d76b3070cad61d9a3.

This broke existing engines that didn't properly implement the sign and
verify functions.

Reviewed-by: Richard Levitte 

MR: #2077

---

Summary of changes:
 crypto/rsa/rsa_sign.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index cf4c026..41c827f 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int 
m_len,
 return 0;
 }
 #endif
-if (rsa->meth->rsa_sign) {
+if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
 }
 /* Special case: SSL signature, just check the length */
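Review bot: re-gating on `RSA_FLAG_SIGN_VER` means an engine that supplies `rsa_sign` but does not set the flag silently falls through to the built-in implementation instead of failing loudly; since this revert exists precisely for such engines that is the intended behaviour, but the rule that the flag and the method pointers must be set together should be stated in the RSA_METHOD documentation so the reverted change is not reattempted without it.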
@@ -304,7 +304,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned 
int m_len,
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
 {
 
-if (rsa->meth->rsa_verify) {
+if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
 return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
 }
 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-25 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  a801bf263849a2ef773e5bc0c86438cbba720835 (commit)
  from  59a908f1e8380412a81392c468b83bf6071beb2a (commit)


- Log -
commit a801bf263849a2ef773e5bc0c86438cbba720835
Author: Matt Caswell 
Date:   Thu Feb 25 13:09:46 2016 +

Fix memory issues in BIO_*printf functions

The internal |fmtstr| function used in processing a "%s" format string
in the BIO_*printf functions could overflow while calculating the length
of a string and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to
an OOB memory location (at an offset from the NULL pointer) in the event of
a memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can also
occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
issue dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

CVE-2016-0799

Issue reported by Guido Vranken.

Reviewed-by: Andy Polyakov 
(cherry picked from commit 578b956fe741bf8e84055547b1e83c28dd902c73)

---

Summary of changes:
 crypto/bio/b_print.c | 187 ---
 1 file changed, 116 insertions(+), 71 deletions(-)

diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 7c81e25..90248fa 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -125,16 +125,16 @@
 # define LLONG long
 #endif
 
-static void fmtstr(char **, char **, size_t *, size_t *,
-   const char *, int, int, int);
-static void fmtint(char **, char **, size_t *, size_t *,
-   LLONG, int, int, int, int);
-static void fmtfp(char **, char **, size_t *, size_t *,
-  LDOUBLE, int, int, int);
-static void doapr_outch(char **, char **, size_t *, size_t *, int);
-static void _dopr(char **sbuffer, char **buffer,
-  size_t *maxlen, size_t *retlen, int *truncated,
-  const char *format, va_list args);
+static int fmtstr(char **, char **, size_t *, size_t *,
+  const char *, int, int, int);
+static int fmtint(char **, char **, size_t *, size_t *,
+  LLONG, int, int, int, int);
+static int fmtfp(char **, char **, size_t *, size_t *,
+ LDOUBLE, int, int, int);
+static int doapr_outch(char **, char **, size_t *, size_t *, int);
+static int _dopr(char **sbuffer, char **buffer,
+ size_t *maxlen, size_t *retlen, int *truncated,
+ const char *format, va_list args);
 
 /* format read states */
 #define DP_S_DEFAULT0
@@ -165,7 +165,7 @@ static void _dopr(char **sbuffer, char **buffer,
 #define char_to_int(p) (p - '0')
 #define OSSL_MAX(p,q) ((p >= q) ? p : q)
 
-static void
+static int
 _dopr(char **sbuffer,
   char **buffer,
   size_t *maxlen,
@@ -196,7 +196,8 @@ _dopr(char **sbuffer,
 if (ch == '%')
 state = DP_S_FLAGS;
 else
-doapr_outch(sbuffer, buffer, , maxlen, ch);
+if(!doapr_outch(sbuffer, buffer, , maxlen, ch))
+return 0;
 ch = *format++;
 break;
 case DP_S_FLAGS:
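Review bot: the new `if(!doapr_outch(...))` lacks the space after `if` used elsewhere in this file, and it forms the body of an unbraced `else`, giving an `else if` split across two physical lines with the early `return 0` hanging below it; braces around the else body would make the failure exit stand out. The argument list appears as `, ,` here, apparently having lost its `&`-prefixed argument in the archive rendering, so the rendered line is not what should be reviewed for correctness.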
@@ -302,8 +303,9 @@ _dopr(char **sbuffer,
 value = va_arg(args, int);
 break;
 }
-fmtint(sbuffer, buffer, , maxlen,
-   value, 10, min, max, flags);
+if (!fmtint(sbuffer, buffer, , maxlen, value, 10, min,
+max, flags))
+return 0;
 break;
 case 'X':
 flags |= DP_F_UP;
@@ -326,17 +328,19 @@ _dopr(char **sbuffer,
 value = (LLONG) 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-25 Thread Emilia Kasper
The branch OpenSSL_1_0_1-stable has been updated
   via  59a908f1e8380412a81392c468b83bf6071beb2a (commit)
  from  3ee48ada8ce7a57b6ff185a0388aba1ae1a21684 (commit)


- Log -
commit 59a908f1e8380412a81392c468b83bf6071beb2a
Author: Emilia Kasper 
Date:   Wed Feb 24 12:59:59 2016 +0100

CVE-2016-0798: avoid memory leak in SRP

The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz 

---

Summary of changes:
 CHANGES  | 19 +-
 apps/s_server.c  | 39 ++-
 crypto/srp/srp.h | 10 +
 crypto/srp/srp_vfy.c | 57 +++-
 util/libeay.num  |  2 ++
 5 files changed, 107 insertions(+), 20 deletions(-)

diff --git a/CHANGES b/CHANGES
index cdc4e6f..b95a3ed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,24 @@
 
  Changes between 1.0.1r and 1.0.1s [xx XXX ]
 
-  *)
+  *) Disable SRP fake user seed to address a server memory leak.
+
+ Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
+ was changed to ignore the "fake user" SRP seed, even if the seed
+ is configured.
+
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ (CVE-2016-0798)
+ [Emilia Käsper]
 
  Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
 
diff --git a/apps/s_server.c b/apps/s_server.c
index a8aee77..a53cadd 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -416,6 +416,8 @@ typedef struct srpsrvparm_st {
 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
 {
 srpsrvparm *p = (srpsrvparm *) arg;
+int ret = SSL3_AL_FATAL;
+
 if (p->login == NULL && p->user == NULL) {
 p->login = SSL_get_srp_username(s);
 BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
@@ -424,21 +426,25 @@ static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, 
int *ad, void *arg)
 
 if (p->user == NULL) {
 BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
-return SSL3_AL_FATAL;
+goto err;
 }
+
 if (SSL_set_srp_server_param
 (s, p->user->N, p->user->g, p->user->s, p->user->v,
  p->user->info) < 0) {
 *ad = SSL_AD_INTERNAL_ERROR;
-return SSL3_AL_FATAL;
+goto err;
 }
 BIO_printf(bio_err,
"SRP parameters set: username = \"%s\" info=\"%s\" \n",
p->login, p->user->info);
-/* need to check whether there are memory leaks */
+ret = SSL_ERROR_NONE;
+
+err:
+SRP_user_pwd_free(p->user);
 p->user = NULL;
 p->login = NULL;
-return SSL_ERROR_NONE;
+return ret;
 }
 
 #endif
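Review bot: with the `p->user == NULL` branch now jumping to `err`, `SRP_user_pwd_free(p->user)` is reached with a NULL pointer on that path; this is only correct if SRP_user_pwd_free is NULL-tolerant (the srp_vfy.c part of this change is not shown here), so either confirm that or guard the call with `if (p->user != NULL)`. The label is also reached on success via `ret = SSL_ERROR_NONE`, so a name such as `done` would describe it better than `err`.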
@@ -2244,9 +2250,10 @@ static int sv_body(char *hostname, int s, unsigned char 
*context)
 #ifndef OPENSSL_NO_SRP
 while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
 BIO_printf(bio_s_out, "LOOKUP renego during write\n");
+SRP_user_pwd_free(srp_callback_parm.user);
 srp_callback_parm.user =
-SRP_VBASE_get_by_user(srp_callback_parm.vb,
-  srp_callback_parm.login);
+

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-23 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  3ee48ada8ce7a57b6ff185a0388aba1ae1a21684 (commit)
  from  ccb2a614074ee15c0fbbb9dd49e3cd258d68380a (commit)


- Log -
commit 3ee48ada8ce7a57b6ff185a0388aba1ae1a21684
Author: FdaSilvaYY 
Date:   Fri Feb 19 23:28:52 2016 +0100

GH714: missing field initialisation

Signed-off-by: Rich Salz 
Reviewed-by: Kurt Roeckx 
(cherry picked from commit 04f2a0b50d219aafcef2fa718d91462b587aa23d)

---

Summary of changes:
 crypto/bn/bn_recp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c
index 7497ac6..f047040 100644
--- a/crypto/bn/bn_recp.c
+++ b/crypto/bn/bn_recp.c
@@ -65,6 +65,7 @@ void BN_RECP_CTX_init(BN_RECP_CTX *recp)
 BN_init(&(recp->N));
 BN_init(&(recp->Nr));
 recp->num_bits = 0;
+recp->shift = 0;
 recp->flags = 0;
 }
 
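Review bot: the missed `recp->shift = 0;` shows how field-by-field initialisation drifts from the struct definition; a `memset(recp, 0, sizeof(*recp))` at the top of BN_RECP_CTX_init, followed by the two BN_init calls, would zero every field, including any added later, and make this class of omission impossible.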


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-19 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  ccb2a614074ee15c0fbbb9dd49e3cd258d68380a (commit)
  from  3629c49d7a0f46eebfea87c33c4e3d2864ad6fa8 (commit)


- Log -
commit ccb2a614074ee15c0fbbb9dd49e3cd258d68380a
Author: Dr. Stephen Henson 
Date:   Thu Feb 18 12:47:23 2016 +

Fix double free in DSA private key parsing.

Fix double free bug when parsing malformed DSA private keys.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

CVE-2016-0705

Reviewed-by: Emilia Käsper 
(cherry picked from commit 6c88c71b4e4825c7bc0489306d062d017634eb88)

---

Summary of changes:
 crypto/dsa/dsa_ameth.c | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 6ddef45..f5443e3 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -191,6 +191,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, 
PKCS8_PRIV_KEY_INFO *p8)
 STACK_OF(ASN1_TYPE) *ndsa = NULL;
 DSA *dsa = NULL;
 
+int ret = 0;
+
 if (!PKCS8_pkey_get0(NULL, , , , p8))
 return 0;
 X509_ALGOR_get0(NULL, , , palg);
@@ -262,23 +264,21 @@ static int dsa_priv_decode(EVP_PKEY *pkey, 
PKCS8_PRIV_KEY_INFO *p8)
 }
 
 EVP_PKEY_assign_DSA(pkey, dsa);
-BN_CTX_free(ctx);
-if (ndsa)
-sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-else
-ASN1_STRING_clear_free(privkey);
 
-return 1;
+ret = 1;
+goto done;
 
  decerr:
 DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
  dsaerr:
+DSA_free(dsa);
+ done:
 BN_CTX_free(ctx);
-if (privkey)
+if (ndsa)
+sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+else
 ASN1_STRING_clear_free(privkey);
-sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-DSA_free(dsa);
-return 0;
+return ret;
 }
 
 static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
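Review bot: the shared `done:` path now releases `ctx` and `ndsa`/`privkey` for both outcomes, and `DSA_free(dsa)` is reached only through `dsaerr:`, which is what removes the double free after `EVP_PKEY_assign_DSA(pkey, dsa)` has handed the key to `pkey`. Setting `dsa = NULL` immediately after the assign would make that ownership transfer explicit and would keep any future `goto dsaerr` placed after it from freeing the key twice again. Minor: the new `int ret = 0;` is separated from the other declarations by a blank line; group it with them.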


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-12 Thread Andy Polyakov
The branch OpenSSL_1_0_1-stable has been updated
   via  3629c49d7a0f46eebfea87c33c4e3d2864ad6fa8 (commit)
  from  b0b9f693b422ddc643840859a0755b7b4fde92de (commit)


- Log -
commit 3629c49d7a0f46eebfea87c33c4e3d2864ad6fa8
Author: Andy Polyakov 
Date:   Fri Feb 12 14:07:27 2016 +0100

modes/ctr128.c: pay attention to ecount_buf alignment in CRYPTO_ctr128_encrypt.

It's never a problem if CRYPTO_ctr128_encrypt is called from EVP, because
the buffer in question is always aligned within the EVP_CIPHER_CTX structure.

RT#4218

Reviewed-by: Richard Levitte 
(cherry picked from commit 5e4bbeb49fb6522d858703201b5adee9611e7b7b)

---

Summary of changes:
 crypto/modes/ctr128.c | 41 +
 1 file changed, 17 insertions(+), 24 deletions(-)

diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c
index f3bbcbf..bcafd6b 100644
--- a/crypto/modes/ctr128.c
+++ b/crypto/modes/ctr128.c
@@ -67,23 +67,20 @@
 /* increment counter (128-bit int) by 1 */
 static void ctr128_inc(unsigned char *counter)
 {
-u32 n = 16;
-u8 c;
+u32 n = 16, c = 1;
 
 do {
 --n;
-c = counter[n];
-++c;
-counter[n] = c;
-if (c)
-return;
+c += counter[n];
+counter[n] = (u8)c;
+c >>= 8;
 } while (n);
 }
 
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
 static void ctr128_inc_aligned(unsigned char *counter)
 {
-size_t *data, c, n;
+size_t *data, c, d, n;
 const union {
 long one;
 char little;
@@ -91,20 +88,19 @@ static void ctr128_inc_aligned(unsigned char *counter)
 1
 };
 
-if (is_endian.little) {
+if (is_endian.little || ((size_t)counter % sizeof(size_t)) != 0) {
 ctr128_inc(counter);
 return;
 }
 
 data = (size_t *)counter;
+c = 1;
 n = 16 / sizeof(size_t);
 do {
 --n;
-c = data[n];
-++c;
-data[n] = c;
-if (c)
-return;
+d = data[n] += c;
+/* did addition carry? */
+c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);
 } while (n);
 }
 #endif
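Review bot: the carry test on the last added line, `c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);`, is wrong: XOR flags any change of the top bit, so adding 1 to a word of 0x7f...f (top bit 0 to 1, no wrap) is reported as a carry and the next more significant word is incremented as well. With c in {0, 1} a wrap occurred exactly when the old word `d - c` had its top bit set and the new word `d` does not, so the test should be `c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);`. Only the big-endian aligned path reaches this code (little-endian and misaligned callers take ctr128_inc), so the false carry will not show up in testing on common platforms; a test vector whose counter word crosses 0x7f...f to 0x80...0 would catch it.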
@@ -144,14 +140,14 @@ void CRYPTO_ctr128_encrypt(const unsigned char *in, 
unsigned char *out,
 }
 
 # if defined(STRICT_ALIGNMENT)
-if (((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) !=
-0)
+if (((size_t)in | (size_t)out | (size_t)ecount_buf)
+% sizeof(size_t) != 0)
 break;
 # endif
 while (len >= 16) {
 (*block) (ivec, ecount_buf, key);
 ctr128_inc_aligned(ivec);
-for (; n < 16; n += sizeof(size_t))
+for (n = 0; n < 16; n += sizeof(size_t))
 *(size_t *)(out + n) =
 *(size_t *)(in + n) ^ *(size_t *)(ecount_buf + n);
 len -= 16;
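Review bot: the STRICT_ALIGNMENT test now checks `ecount_buf` in place of `ivec`, yet `ctr128_inc_aligned(ivec)` still casts `ivec` to `size_t *`; this is correct only because ctr128_inc_aligned now falls back to the byte-wise increment when `ivec` is misaligned, so a comment here saying why `ivec` need not be aligned would stop the next reader from re-adding it. The `for (n = 0; ...)` change is a separate fix (the loop previously relied on `n` being 0 on entry) and deserves its own sentence in the commit message.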
@@ -189,16 +185,13 @@ void CRYPTO_ctr128_encrypt(const unsigned char *in, 
unsigned char *out,
 /* increment upper 96 bits of 128-bit counter by 1 */
 static void ctr96_inc(unsigned char *counter)
 {
-u32 n = 12;
-u8 c;
+u32 n = 12, c = 1;
 
 do {
 --n;
-c = counter[n];
-++c;
-counter[n] = c;
-if (c)
-return;
+c += counter[n];
+counter[n] = (u8)c;
+c >>= 8;
 } while (n);
 }
 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-02-11 Thread Andy Polyakov
The branch OpenSSL_1_0_1-stable has been updated
   via  b0b9f693b422ddc643840859a0755b7b4fde92de (commit)
  from  9b6e183925bda28dde4a1efb8df4c8862e22e6d9 (commit)


- Log -
commit b0b9f693b422ddc643840859a0755b7b4fde92de
Author: Andy Polyakov 
Date:   Wed Feb 3 18:21:00 2016 +0100

util/mk1mf.pl: use LINK_CMD instead of LINK variable.

The trouble is that the LINK variable assignment in the make-file interferes
with the LINK environment variable, which can be used to modify Microsoft's
LINK.EXE behaviour.

RT#4289

Reviewed-by: Richard Levitte 
(cherry picked from commit d44bb1c31ca00f4359090daa15659c0dd1a08f0d)

Resolved conflicts:
util/pl/VC-32.pl

(cherry picked from commit 0fffd522426c7fc022894c8dd079dc2625c04096)

---

Summary of changes:
 util/mk1mf.pl  |  2 +-
 util/pl/BC-32.pl   |  4 ++--
 util/pl/Mingw32.pl |  2 +-
 util/pl/OS2-EMX.pl |  4 ++--
 util/pl/VC-32.pl   | 10 +-
 util/pl/linux.pl   |  2 +-
 util/pl/netware.pl |  8 
 util/pl/ultrix.pl  |  2 +-
 util/pl/unix.pl|  2 +-
 9 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/util/mk1mf.pl b/util/mk1mf.pl
index 5b86aa7..5280780 100755
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -459,7 +459,7 @@ EX_LIBS=$ex_libs
 # The OpenSSL directory
 SRC_D=$src_dir
 
-LINK=$link
+LINK_CMD=$link
 LFLAGS=$lflags
 RSC=$rsc
 
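Review bot: renaming the generated makefile variable from LINK to LINK_CMD changes a name that anyone overriding the linker on the make command line (for example `nmake LINK=...`) may have relied on; the commit message explains the clash with Microsoft's LINK environment variable, but the rename should also be recorded in CHANGES or the Windows INSTALL notes so downstream build scripts know to switch.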
diff --git a/util/pl/BC-32.pl b/util/pl/BC-32.pl
index 6d03664..e124821 100644
--- a/util/pl/BC-32.pl
+++ b/util/pl/BC-32.pl
@@ -118,7 +118,7 @@ ___
{
local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
$ex.=' ws2_32.lib gdi32.lib';
-   $ret.="\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def 
@<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+   $ret.="\t\$(LINK_CMD) \$(MLFLAGS) $efile$target 
/def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
}
$ret.="\n";
return($ret);
@@ -132,7 +132,7 @@ sub do_link_rule
$file =~ s/\//$o/g if $o ne '/';
$n=($target);
$ret.="$target: $files $dep_libs\n";
-   $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, 
$libs\n\n";
+   $ret.="\t\$(LINK_CMD) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, 
$libs\n\n";
return($ret);
}
 
diff --git a/util/pl/Mingw32.pl b/util/pl/Mingw32.pl
index fe3fb27..55c85f6 100644
--- a/util/pl/Mingw32.pl
+++ b/util/pl/Mingw32.pl
@@ -98,7 +98,7 @@ sub do_link_rule
$file =~ s/\//$o/g if $o ne '/';
$n=($target);
$ret.="$target: $files $dep_libs\n";
-   $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+   $ret.="\t\$(LINK_CMD) ${efile}$target \$(LFLAGS) $files $libs\n\n";
return($ret);
}
 1;
diff --git a/util/pl/OS2-EMX.pl b/util/pl/OS2-EMX.pl
index 28cd116..92a332e 100644
--- a/util/pl/OS2-EMX.pl
+++ b/util/pl/OS2-EMX.pl
@@ -99,7 +99,7 @@ sub do_lib_rule
{
local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
$ex.=' -lsocket';
-   $ret.="\t\$(LINK) \$(SHLIB_CFLAGS) \$(MLFLAGS) $efile$target 
\$(SHLIB_EX_OBJ) \$(${Name}OBJ) $ex os2/${Name}.def\n";
+   $ret.="\t\$(LINK_CMD) \$(SHLIB_CFLAGS) \$(MLFLAGS) 
$efile$target \$(SHLIB_EX_OBJ) \$(${Name}OBJ) $ex os2/${Name}.def\n";
$ret.="\temximp -o $out_def/$name.a os2/${Name}.def\n";
$ret.="\temximp -o $out_def/$name.lib os2/${Name}.def\n\n";
}
@@ -113,7 +113,7 @@ sub do_link_rule
$file =~ s/\//$o/g if $o ne '/';
$n=($target);
$ret.="$target: $files $dep_libs\n";
-   $ret.="\t\$(LINK) ${efile}$target \$(CFLAG) \$(LFLAGS) $files 
$libs\n\n";
+   $ret.="\t\$(LINK_CMD) ${efile}$target \$(CFLAG) \$(LFLAGS) $files 
$libs\n\n";
return($ret);
}
 
diff --git a/util/pl/VC-32.pl b/util/pl/VC-32.pl
index 88f0f7a..2f33ebc 100644
--- a/util/pl/VC-32.pl
+++ b/util/pl/VC-32.pl
@@ -314,7 +314,7 @@ sub do_lib_rule
if ($fips && $target =~ /O_CRYPTO/)
{
$ret.="$target: $objs \$(PREMAIN_DSO_EXE)";
-   $ret.="\n\tSET FIPS_LINK=\$(LINK)\n";
+   $ret.="\n\tSET FIPS_LINK=\$(LINK_CMD)\n";
$ret.="\tSET FIPS_CC=\$(CC)\n";
$ret.="\tSET 
FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
$ret.="\tSET PREMAIN_DSO_EXE=\$(PREMAIN_DSO_EXE)\n";
@@ -328,7 +328,7 @@ sub do_lib_rule
else
{
$ret.="$target: $objs";
-   $ret.="\n\t\$(LINK) \$(MLFLAGS) $efile$target $name 
@<<\n  \$(SHLIB_EX_OBJ) $objs $ex \$(EX_LIBS)\n<<\n";
+   

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-28 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  69ff2444908e73d4b973f42daf989b46c774772e (commit)
   via  09ccb58518e84f76939f7e69929723263a42ca2e (commit)
   via  6210c70992011d6f4c52b63b0a1da3c3471ba5b0 (commit)
   via  bea4cb2e804160f08bd7f10286946c422e38ac3c (commit)
   via  5fed60f9622c023c358f2f8e5cb6692b5cc2d9bb (commit)
   via  4040a7fd104b412bd446338c6c28a62eb7d8e852 (commit)
   via  8bc643efc89cbcfba17369801cf4eeca037b6cc1 (commit)
  from  126ac21c80967ec00f802d356462c1b83fa0f54c (commit)


- Log -
commit 69ff2444908e73d4b973f42daf989b46c774772e
Author: Matt Caswell 
Date:   Thu Jan 28 14:22:09 2016 +

Prepare for 1.0.1s-dev

Reviewed-by: Richard Levitte 

commit 09ccb58518e84f76939f7e69929723263a42ca2e
Author: Matt Caswell 
Date:   Thu Jan 28 14:21:21 2016 +

Prepare for 1.0.1r release

Reviewed-by: Richard Levitte 

commit 6210c70992011d6f4c52b63b0a1da3c3471ba5b0
Author: Richard Levitte 
Date:   Thu Jan 28 15:18:50 2016 +0100

TARFILE wasn't correctly set

This solves an earlier cherry-pick mistake.

Reviewed-by: Matt Caswell 

commit bea4cb2e804160f08bd7f10286946c422e38ac3c
Author: Matt Caswell 
Date:   Thu Jan 28 12:28:53 2016 +

Further updates to CHANGES and NEWS

Reviewed-by: Richard Levitte 

commit 5fed60f9622c023c358f2f8e5cb6692b5cc2d9bb
Author: Matt Caswell 
Date:   Wed Jan 27 13:55:05 2016 +

Update CHANGES and NEWS ready for release

Update CHANGES and NEWS with details of the issues fixed in the forthcoming
release.

Reviewed-by: Rich Salz 

commit 4040a7fd104b412bd446338c6c28a62eb7d8e852
Author: Viktor Dukhovni 
Date:   Wed Dec 30 22:44:51 2015 -0500

Better SSLv2 cipher-suite enforcement

Based on patch by: Nimrod Aviram 

CVE-2015-3197

Reviewed-by: Tim Hudson 
Reviewed-by: Richard Levitte 

commit 8bc643efc89cbcfba17369801cf4eeca037b6cc1
Author: Matt Caswell 
Date:   Thu Dec 17 02:57:20 2015 +

Always generate DH keys for ephemeral DH cipher suites

Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.

This is a follow on from CVE-2016-0701. This branch is not impacted by
that CVE because it does not support X9.42 style parameters. It is still
possible to generate parameters based on primes that are not "safe",
although by default OpenSSL does not do this. The documentation does
sign post that using such parameters is unsafe if the private DH key is
reused. However to avoid accidental problems or future attacks this commit
has been backported to this branch.

Issue reported by Antonio Sanso

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 CHANGES | 25 -
 Makefile.org|  2 +-
 NEWS|  7 ++-
 README  |  2 +-
 crypto/opensslv.h   |  6 +++---
 doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 29 +
 openssl.spec|  2 +-
 ssl/s2_srvr.c   | 15 +--
 ssl/s3_lib.c| 14 --
 ssl/s3_srvr.c   | 17 +++--
 ssl/ssl.h   |  2 +-
 11 files changed, 58 insertions(+), 63 deletions(-)

diff --git a/CHANGES b/CHANGES
index 23ca912..39ab8bd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,30 @@
  OpenSSL CHANGES
  ___
 
- Changes between 1.0.1q and 1.0.1r [xx XXX ]
+ Changes between 1.0.1r and 1.0.1s [xx XXX ]
+
+  *)
+
+ Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
+
+  *) Protection for DH small subgroup attacks
+
+ As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+ switched on by default and cannot be disabled. This could have some
+ performance impact.
+ [Matt Caswell]
+
+  *) SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ 
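Review bot: the 1.0.1r entry for SSL_OP_SINGLE_DH_USE says the option "cannot be disabled", which reads as if setting or clearing the flag is now rejected; per the commit message above, the option is kept as a no-op and a fresh DH key is generated for every handshake regardless. Suggest wording the entry that way, e.g. "SSL_OP_SINGLE_DH_USE is now always in effect; clearing it has no effect", so that applications auditing their option bits know the flag is still accepted. The new 1.0.1s section also carries an empty "*)" bullet, the branch's usual placeholder, which needs filling or dropping before the tag.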

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-28 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  99a5c8a6592b18ce9b06be8d623d7e85f3e62e63 (commit)
  from  5d5de781a5e091ecc60b9171ce3fb8daf8c31156 (commit)


- Log -
commit 99a5c8a6592b18ce9b06be8d623d7e85f3e62e63
Author: Kurt Roeckx 
Date:   Wed Jan 27 20:31:57 2016 +0100

Fix CHANGES entry about DSA_generate_parameters_ex

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 2b0c11a620c3a3431410c5d56799286f60f60d8d)

---

Summary of changes:
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 39ab8bd..cdc4e6f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -66,7 +66,7 @@
  [Emilia Käsper]
 
   *) In DSA_generate_parameters_ex, if the provided seed is too short,
- return an error
+ use a random seed, as already documented.
  [Rich Salz and Ismo Puustinen ]
 
  Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-19 Thread Richard Levitte
The branch OpenSSL_1_0_1-stable has been updated
   via  126ac21c80967ec00f802d356462c1b83fa0f54c (commit)
  from  51223748e5527db0e08049925bc2e9f430154d97 (commit)


- Log -
commit 126ac21c80967ec00f802d356462c1b83fa0f54c
Author: Richard Levitte 
Date:   Tue Jan 19 20:35:41 2016 +0100

Fix BSD -rpath parameter

For BSD systems, Configure adds a shared_ldflags including a reference
to the Makefile variable LIBRPATH, but since it must be passed down to
Makefile.shared, care must be taken so the value of LIBRPATH doesn't
get expanded too early, or it ends up giving an empty string.

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit c64879d3f3cc4c7f1c436a9fe3bd109847a23629)

---

Summary of changes:
 Configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Configure b/Configure
index 84f627c..0a5ffac 100755
--- a/Configure
+++ b/Configure
@@ -1449,7 +1449,7 @@ if ($target =~ /\-icc$/)  # Intel C compiler
 # linker only when --prefix is not /usr.
 if ($target =~ /^BSD\-/)
{
-   $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ 
m|^/usr[/]*$|);
+   $shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ 
m|^/usr[/]*$|);
}
 
 if ($sys_id ne "")
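Review bot: the doubled `\$\$(LIBRPATH)` is the whole fix, but nothing in the hunk says why it is doubled. A one-line comment above the `if ($target =~ /^BSD\-/)` block, noting that this string is written into a Makefile and expanded a second time when passed down to Makefile.shared (so `$$` survives the first expansion as a literal `$`), would stop the next reader from "fixing" it back to a single `\$`.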


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-19 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  4c33d583f5f691d354b58ca27d5e2108cd890a9c (commit)
  from  e9a6c72e3c548be9d188292d1cd0ae56d7854d71 (commit)


- Log -
commit 4c33d583f5f691d354b58ca27d5e2108cd890a9c
Author: Prayag Verma 
Date:   Mon Jan 18 08:49:09 2016 +0530

Update license year range to 2016

Signed-off-by: Rich Salz 
Reviewed-by: Richard Levitte 
(cherry picked from commit 02f70372470b4dd3b21443bb615292175f5d2c88)

---

Summary of changes:
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index e47d101..fb03713 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@
   ---
 
 /* 
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-19 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  51223748e5527db0e08049925bc2e9f430154d97 (commit)
  from  4c33d583f5f691d354b58ca27d5e2108cd890a9c (commit)


- Log -
commit 51223748e5527db0e08049925bc2e9f430154d97
Author: Alessandro Ghedini 
Date:   Wed Jan 13 12:49:24 2016 +

Validate ClientHello session_id field length and send alert on failure

RT#4080

Reviewed-by: Rich Salz 
Reviewed-by: Matt Caswell 

---

Summary of changes:
 ssl/s2_srvr.c  | 5 +
 ssl/s3_srvr.c  | 6 ++
 ssl/ssl_sess.c | 3 ---
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 4289272..5e2e0ac 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -598,6 +598,11 @@ static int get_client_hello(SSL *s)
 s->s2->tmp.cipher_spec_length = i;
 n2s(p, i);
 s->s2->tmp.session_id_length = i;
+if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) {
+ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+return -1;
+}
 n2s(p, i);
 s->s2->challenge_length = i;
 if ((i < SSL2_MIN_CHALLENGE_LENGTH) ||
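Review bot: `i` is filled by n2s() from two bytes, so `(i < 0)` can never be true here; the test is harmless but mirrors the `len < 0` check deleted from ssl_get_prev_session() in the ssl_sess.c hunk and suggests a negative value is possible. Checking only the upper bound, `if (i > SSL_MAX_SSL_SESSION_ID_LENGTH)`, states the real invariant. The alert is SSL2_PE_UNDEFINED_ERROR while the error reason is SSL_R_LENGTH_MISMATCH; that is the best SSLv2 offers, and a short comment saying so would pre-empt the question.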
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 4626a09..7eb7ea6 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1064,6 +1064,12 @@ int ssl3_get_client_hello(SSL *s)
 goto f_err;
 }
 
+if ((j < 0) || (j > SSL_MAX_SSL_SESSION_ID_LENGTH)) {
+al = SSL_AD_DECODE_ERROR;
+SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+goto f_err;
+}
+
 s->hit = 0;
 /*
  * Versions before 0.9.7 always allow clients to resume sessions in
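Review bot: with the length test removed from ssl_get_prev_session() (ssl_sess.c hunk), this check in ssl3_get_client_hello() becomes the only guard on the session_id length for SSLv3/TLS, so every other caller of ssl_get_prev_session() must now validate the length before calling; please confirm there are none beyond the two hello parsers touched in this commit. As in the SSLv2 hunk, the `j < 0` half of the test is dead because `j` comes from a single length byte; SSL_AD_DECODE_ERROR is the right alert for a malformed field.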
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index de4c59e..48fc451 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -602,9 +602,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, 
int len,
 int r;
 #endif
 
-if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)
-goto err;
-
 if (session_id + len > limit) {
 fatal = 1;
 goto err;
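Review bot: deleting this bounds check makes ssl_get_prev_session() trust its caller for `len`, while the `session_id + len > limit` check just below it stays; a comment at the top of the function stating that `len` must already be validated against SSL_MAX_SSL_SESSION_ID_LENGTH by the caller would document the new contract, since the remaining check only guards against reading past `limit`, not against a length larger than the session_id buffer.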


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-13 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  00cebd11317344989aeb9025202c2536b1490856 (commit)
  from  f5fc9404c231ed013e31c0284adcacfb0f71b86b (commit)


- Log -
commit 00cebd11317344989aeb9025202c2536b1490856
Author: Dr. Stephen Henson 
Date:   Thu Jan 14 00:25:25 2016 +

To avoid possible time_t overflow use X509_time_adj_ex()

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 9aa00b187a65b1f30789d6274ec31ea86efe7973)

Conflicts:
apps/x509.c

---

Summary of changes:
 apps/ocsp.c | 2 +-
 apps/x509.c | 7 +--
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 9fd9568..bb420c2 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1003,7 +1003,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, 
OCSP_REQUEST *req,
 bs = OCSP_BASICRESP_new();
 thisupd = X509_gmtime_adj(NULL, 0);
 if (ndays != -1)
-nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
+nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
 
 /* Examine each certificate id in the request */
 for (i = 0; i < id_count; i++) {
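Review bot: thisupd and nextupd are each computed from "now" at two separate calls (`X509_gmtime_adj(NULL, 0)` and `X509_time_adj_ex(NULL, ndays, nmin * 60, NULL)`), so if the clock ticks between them nextUpdate is not exactly thisUpdate plus the requested offset. Since X509_time_adj_ex() accepts an explicit `time_t *in_tm`, consider capturing `time(NULL)` once and deriving both values from it. The substitution itself is the right fix: passing days and seconds separately removes the `long` arithmetic in `nmin * 60 + ndays * 3600 * 24` that could overflow.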
diff --git a/apps/x509.c b/apps/x509.c
index 929359b..e5fe610 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1170,12 +1170,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int 
clrext,
 if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
 goto err;
 
-/* Lets just make it 12:00am GMT, Jan 1 1970 */
-/* memcpy(x->cert_info->validity->notBefore,"70010112Z",13); */
-/* 28 days to be certified */
-
-if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) ==
-NULL)
+if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
 goto err;
 
 if (!X509_set_pubkey(x, pkey))


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-10 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  f5fc9404c231ed013e31c0284adcacfb0f71b86b (commit)
  from  ff9cef026633798801780c43a88093a297f0ca32 (commit)


- Log -
commit f5fc9404c231ed013e31c0284adcacfb0f71b86b
Author: Kurt Roeckx 
Date:   Sun Jan 10 13:55:08 2016 +0100

Change minimum DH size from 768 to 1024

Reviewed-by: Viktor Dukhovni 

---

Summary of changes:
 CHANGES   | 3 ++-
 ssl/s3_clnt.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 915b1f6..23ca912 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,8 @@
 
  Changes between 1.0.1q and 1.0.1r [xx XXX ]
 
-  *)
+  *) Reject DH handshakes with parameters shorter than 1024 bits.
+ [Kurt Roeckx]
 
  Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
 
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index af7f8fa..cfa5080 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3417,7 +3417,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 /* Check DHE only: static DH not implemented. */
 if (alg_k & SSL_kEDH) {
 int dh_size = BN_num_bits(dh->p);
-if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
+if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024)
 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, 
SSL_R_DH_KEY_TOO_SMALL);
 goto f_err;
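Review bot: this raises the floor only on the client side (the comment says "Check DHE only") and the `SSL_C_IS_EXPORT` branch still accepts 512-bit parameters, but the CHANGES entry in this same commit reads "Reject DH handshakes with parameters shorter than 1024 bits" without either qualification. Suggest amending the entry to say the check applies to clients verifying a ServerKeyExchange, that servers are unaffected, and that export suites keep the 512-bit floor, so readers do not assume server-side enforcement.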


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-01-04 Thread Viktor Dukhovni
The branch OpenSSL_1_0_1-stable has been updated
   via  737d57d0725551e473d4da176c3c431f1f9d36df (commit)
  from  b5dbbebbc226181585760c8caa1ce8990acab2e7 (commit)


- Log -
commit 737d57d0725551e473d4da176c3c431f1f9d36df
Author: Viktor Dukhovni 
Date:   Fri Jan 1 00:51:12 2016 -0500

Fix X509_STORE_CTX_cleanup()

Reviewed-by: Dr. Stephen Henson 

---

Summary of changes:
 apps/pkcs12.c | 42 --
 crypto/ts/ts_rsp_verify.c |  3 ++-
 crypto/x509/x509_vfy.c| 39 ---
 crypto/x509/x509_vfy.h|  2 +-
 4 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index e41b445..cbb75b7 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -79,7 +79,8 @@ const EVP_CIPHER *enc;
 # define CLCERTS 0x8
 # define CACERTS 0x10
 
-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+  STACK_OF(X509) **chain);
 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
 int options, char *pempass);
 int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
@@ -594,7 +595,7 @@ int MAIN(int argc, char **argv)
 vret = get_cert_chain(ucert, store, );
 X509_STORE_free(store);
 
-if (!vret) {
+if (vret == X509_V_OK) {
 /* Exclude verified certificate */
 for (i = 1; i < sk_X509_num(chain2); i++)
 sk_X509_push(certs, sk_X509_value(chain2, i));
@@ -602,7 +603,7 @@ int MAIN(int argc, char **argv)
 X509_free(sk_X509_value(chain2, 0));
 sk_X509_free(chain2);
 } else {
-if (vret >= 0)
+if (vret != X509_V_ERR_UNSPECIFIED)
 BIO_printf(bio_err, "Error %s getting chain.\n",
X509_verify_cert_error_string(vret));
 else
@@ -906,36 +907,25 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, 
char *pass,
 
 /* Given a single certificate return a verified chain or NULL if error */
 
-/* Hope this is OK  */
-
-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+  STACK_OF(X509) **chain)
 {
 X509_STORE_CTX store_ctx;
-STACK_OF(X509) *chn;
+STACK_OF(X509) *chn = NULL;
 int i = 0;
 
-/*
- * FIXME: Should really check the return status of X509_STORE_CTX_init
- * for an error, but how that fits into the return value of this function
- * is less obvious.
- */
-X509_STORE_CTX_init(_ctx, store, cert, NULL);
-if (X509_verify_cert(_ctx) <= 0) {
-i = X509_STORE_CTX_get_error(_ctx);
-if (i == 0)
-/*
- * avoid returning 0 if X509_verify_cert() did not set an
- * appropriate error value in the context
- */
-i = -1;
-chn = NULL;
-goto err;
-} else
+if (!X509_STORE_CTX_init(_ctx, store, cert, NULL)) {
+*chain = NULL;
+return X509_V_ERR_UNSPECIFIED;
+}
+
+if (X509_verify_cert(_ctx) > 0)
 chn = X509_STORE_CTX_get1_chain(_ctx);
- err:
+else if ((i = X509_STORE_CTX_get_error(_ctx)) == 0)
+i = X509_V_ERR_UNSPECIFIED;
+
 X509_STORE_CTX_cleanup(_ctx);
 *chain = chn;
-
 return i;
 }
 
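Review bot: if X509_verify_cert() succeeds but X509_STORE_CTX_get1_chain() returns NULL (allocation failure), `i` stays 0 and get_cert_chain() returns X509_V_OK with `*chain == NULL`; the caller's `vret == X509_V_OK` branch then silently proceeds with no chain certificates. Suggest mapping a NULL `chn` on the success path to X509_V_ERR_OUT_OF_MEM (or at least X509_V_ERR_UNSPECIFIED) so the "Error ... getting chain" branch is taken. Returning X509_V_ERR_UNSPECIFIED from the init failure, and checking for exactly that in the caller, is a clear improvement over the old `-1` sentinel.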
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 1a3a7c5..e24b2d5 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -255,7 +255,8 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) 
*untrusted,
 
 /* chain is an out argument. */
 *chain = NULL;
-X509_STORE_CTX_init(_ctx, store, signer, untrusted);
+if (!X509_STORE_CTX_init(_ctx, store, signer, untrusted))
+return 0;
 X509_STORE_CTX_set_purpose(_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
 i = X509_verify_cert(_ctx);
 if (i <= 0) {
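Review bot: returning bare 0 when X509_STORE_CTX_init() fails leaves only the X509err() that the init function itself pushes (see the x509_vfy.c hunk) on the error stack, so the failure will not be attributable to the timestamp verifier; consider a TSerr() here so TS_RESP_verify callers see where the chain build gave up.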
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7009ae6..3bad523 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2026,9 +2026,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE 
*store, X509 *x509,
 ctx->current_reasons = 0;
 ctx->tree = NULL;
 ctx->parent = NULL;
+/* Zero ex_data to make sure we're cleanup-safe */
+memset(>ex_data, 0, sizeof(ctx->ex_data));
 
 ctx->param = X509_VERIFY_PARAM_new();
-
 if (!ctx->param) {
 X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
 return 0;
@@ -2037,7 +2038,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE 
*store, X509 *x509,
 /*
  * 
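Review bot: for the "cleanup-safe" memset of `ctx->ex_data` to do its job it has to precede every early `return 0` in X509_STORE_CTX_init(); it sits before the X509_VERIFY_PARAM_new() failure path shown here, but the hunk starts mid-function, so please confirm there is no earlier return above it that would still leave ex_data uninitialised for a subsequent X509_STORE_CTX_cleanup().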

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-27 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  968bccee468dc8edee4388fe661f761c5179aa70 (commit)
   via  604f67f52109383f6aefc7c5bf2befaf7182eb98 (commit)
   via  a7316aace3871b637b8099a2efe30af38f988ad4 (commit)
  from  1967199f9f8ed3faf376ddbb077f41551541f08a (commit)


- Log -
commit 968bccee468dc8edee4388fe661f761c5179aa70
Author: Matt Caswell 
Date:   Mon Nov 30 16:04:51 2015 +

Add some documentation for the OCSP callback functions

Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit c52c3b5e11253afabaa62739a8ee1c4c4bddcd53)

commit 604f67f52109383f6aefc7c5bf2befaf7182eb98
Author: Matt Caswell 
Date:   Mon Nov 30 13:29:41 2015 +

Ensure we don't call the OCSP callback if resuming a session

It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 0ac6239955965f58f9dddb4229e8cd58e0dba20d)

commit a7316aace3871b637b8099a2efe30af38f988ad4
Author: Matt Caswell 
Date:   Thu Nov 5 14:52:27 2015 +

Fix error when server does not send CertificateStatus message

If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 905943af3b43116b64ae815db1a6b9c2f15e0356)

---

Summary of changes:
 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 73 
 ssl/s3_clnt.c| 61 ++
 ssl/t1_lib.c | 14 +++---
 3 files changed, 113 insertions(+), 35 deletions(-)
 create mode 100644 doc/ssl/SSL_CTX_set_tlsext_status_cb.pod

diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod 
b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
new file mode 100644
index 000..b8147ba
--- /dev/null
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -0,0 +1,73 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
+SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp,
+SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions
+
+=head1 SYNOPSIS
+
+ #include 
+
+ long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,
+   int (*callback)(SSL *, void *));
+ long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
+
+ long SSL_set_tlsext_status_type(SSL *s, int type);
+
+ long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
+ long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
+
+=head1 DESCRIPTION
+
+A client application may request that a server send back an OCSP status 
response
+(also known as OCSP stapling). To do so the client should call the
+SSL_set_tlsext_status_type() function prior to the start of the handshake.
+Currently the only supported type is B. This value
+should be passed in the B argument. The client should additionally 
provide
+a callback function to decide what to do with the returned OCSP response by
+calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine
+whether the returned OCSP response is acceptable or not. The callback will be
+passed as an argument the value previously set via a call to
+SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in
+the event of a handshake where session resumption occurs (because there are no
+Certificates exchanged in such a handshake).
+
+The response returned by the server can be obtained via a call to
+SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
+to the OCSP response data and the return value will be the length of that data.
+Typically a callback would obtain an OCSP_RESPONSE object from this data via a
+call to the d2i_OCSP_RESPONSE() function. If the server has not provided any
+response data then B<*resp> will be NULL and the return value from
+SSL_get_tlsext_status_ocsp_resp() will be -1.
+
+A server application must also call the SSL_CTX_set_tlsext_status_cb() function
+if it wants to be able to provide clients with OCSP Certificate Status
+responses. Typically the server callback would obtain the server certificate
+that is being sent back to the client via a call to SSL_get_certificate();
+obtain the OCSP response to be sent back; and then set that response data by
+calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data 
should
+be 
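Review bot: in the SYNOPSIS the lines `long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);` and `long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);` leave `ssl` untyped; these are macros in ssl.h, but the other pages in doc/ssl present them as prototypes, so write `SSL *ssl`. The DESCRIPTION correctly notes the -1 return and NULL `*resp` when no response was sent, which is the case the client callback most often gets wrong.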

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-22 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  1967199f9f8ed3faf376ddbb077f41551541f08a (commit)
  from  23a58779f53a9060c823d00d76b3070cad61d9a3 (commit)


- Log -
commit 1967199f9f8ed3faf376ddbb077f41551541f08a
Author: David Benjamin 
Date:   Thu Dec 17 20:11:11 2015 +0100

Fix memory leak in DSA redo case.

Found by clang scan-build.

Signed-off-by: Kurt Roeckx 
Reviewed-by: Richard Levitte 

RT: #4184, MR: #1496
(cherry picked from commit 679d87515d23ca31491effdc264edc81c695a72a)

---

Summary of changes:
 crypto/dsa/dsa_ossl.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 6edb26d..9a3772e 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -187,9 +187,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int 
dlen, DSA *dsa)
 if (!BN_mod_mul(s, s, kinv, dsa->q, ctx))
 goto err;
 
-ret = DSA_SIG_new();
-if (ret == NULL)
-goto err;
 /*
  * Redo if r or s is zero as required by FIPS 186-3: this is very
  * unlikely.
@@ -201,11 +198,14 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, 
int dlen, DSA *dsa)
 }
 goto redo;
 }
+ret = DSA_SIG_new();
+if (ret == NULL)
+goto err;
 ret->r = r;
 ret->s = s;
 
  err:
-if (!ret) {
+if (ret == NULL) {
 DSAerr(DSA_F_DSA_DO_SIGN, reason);
 BN_free(r);
 BN_free(s);
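Review bot: moving DSA_SIG_new() after the redo loop fixes the leak, but on the new failure path the err block reports `reason`, and nothing in these lines sets it to ERR_R_MALLOC_FAILURE before `goto err`; if `reason` still holds its initial value, an allocation failure is misreported. Suggest `reason = ERR_R_MALLOC_FAILURE;` immediately before that goto. The `!ret` to `ret == NULL` change is cosmetic and matches the surrounding style.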


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-20 Thread Dr. Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  23a58779f53a9060c823d00d76b3070cad61d9a3 (commit)
  from  f9b52eb6b1623d927aa1b556b0b23110ca2a6b28 (commit)


- Log -
commit 23a58779f53a9060c823d00d76b3070cad61d9a3
Author: Dr. Stephen Henson 
Date:   Sun Dec 20 18:18:43 2015 +

Don't check RSA_FLAG_SIGN_VER.

Reviewed-by: Richard Levitte 
(cherry picked from commit 6656ba7152dfe4bba865e327dd362ea08544aa80)

---

Summary of changes:
 crypto/rsa/rsa_sign.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 41c827f..cf4c026 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int 
m_len,
 return 0;
 }
 #endif
-if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
+if (rsa->meth->rsa_sign) {
 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
 }
 /* Special case: SSL signature, just check the length */
@@ -304,7 +304,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned 
int m_len,
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
 {
 
-if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
+if (rsa->meth->rsa_verify) {
 return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
 }
 
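Review bot: dropping the RSA_FLAG_SIGN_VER test means any RSA_METHOD that supplies rsa_sign or rsa_verify (typically ENGINE-provided methods) is now called unconditionally, even if it never set the flag. That is a behaviour change for engines, and this commit touches only rsa_sign.c with no CHANGES entry; suggest adding one, plus a note at the RSA_FLAG_SIGN_VER definition that the flag is now ignored, so engine authors know the method pointers alone decide dispatch.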


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-19 Thread Richard Levitte
The branch OpenSSL_1_0_1-stable has been updated
   via  f9b52eb6b1623d927aa1b556b0b23110ca2a6b28 (commit)
   via  074821106cd7358e73e18d38ef7bf68bd84ed3cd (commit)
   via  0dae9636e8e1f1b48d7af2697b5d4c6fcfbfba37 (commit)
   via  f08360a16072e8bf58fd273eba41cdbc35448cbc (commit)
  from  583f4bf7e8e83e503046b7e5a1e01b48e64bce54 (commit)


- Log -
commit f9b52eb6b1623d927aa1b556b0b23110ca2a6b28
Author: Richard Levitte 
Date:   Mon Nov 2 16:43:28 2015 +0100

BIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does

Reviewed-by: Rich Salz 
(cherry picked from commit 17592f323ac7dad381cc3b512573c291b1a820c0)

commit 074821106cd7358e73e18d38ef7bf68bd84ed3cd
Author: Richard Levitte 
Date:   Sun Nov 1 15:56:21 2015 +0100

Correct or add comments indicating what controls belong to what

Reviewed-by: Rich Salz 
(cherry picked from commit 6d97060ee00518efc99c5d89a78529dc111780fb)

commit 0dae9636e8e1f1b48d7af2697b5d4c6fcfbfba37
Author: Richard Levitte 
Date:   Sun Nov 1 15:45:49 2015 +0100

Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work

No dummy arguments.

Reviewed-by: Rich Salz 
(cherry picked from commit 7eb51251252ea0b269227d267512b98495f51bc4)

commit f08360a16072e8bf58fd273eba41cdbc35448cbc
Author: Richard Levitte 
Date:   Sun Nov 1 15:42:04 2015 +0100

Have BIO_get_conn_int_port use BIO_ctrl instead of BIO_int_ctrl

BIO_int_ctrl isn't made for the purpose BIO_get_conn_int_port used it
for.

This also changes BIO_C_GET_CONNECT to actually return the port
instead of assigning it to a pointer that was never returned back to
the caller.

Reviewed-by: Rich Salz 
(cherry picked from commit 2a60fccdd9b696e01fddaa268e92ea210beb0e8f)

---

Summary of changes:
 crypto/bio/bio.h |  8 ++--
 crypto/bio/bss_conn.c| 31 ---
 crypto/bio/bss_dgram.c   |  2 --
 doc/crypto/BIO_s_connect.pod |  4 ++--
 4 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
index d583cc1..c5c95de 100644
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -478,11 +478,11 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 # define BIO_get_conn_port(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
 # define BIO_get_conn_ip(b)   BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
-# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
+# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL)
 
 # define BIO_set_nbio(b,n)   BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
 
-/* BIO_s_accept_socket() */
+/* BIO_s_accept() */
 # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char 
*)name)
 # define BIO_get_accept_port(b)  BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
 /* #define BIO_set_nbio(b,n)BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */
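Review bot: BIO_ctrl() is declared as `long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg)`, four parameters, but the new `BIO_get_conn_int_port(b)` expands to `BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL)`, five arguments; it will fail to compile in any application that uses the macro (nothing in-tree does, which is why the build passes). It should read `BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)`. The old BIO_int_ctrl() form legitimately took four because that function has an extra `int iarg`.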
@@ -495,6 +495,7 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL)
 # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL)
 
+/* BIO_s_accept() and BIO_s_connect() */
 # define BIO_do_connect(b)   BIO_do_handshake(b)
 # define BIO_do_accept(b)BIO_do_handshake(b)
 # define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
@@ -514,12 +515,15 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_url(b,url)  BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char 
*)(url))
 # define BIO_get_no_connect_return(b)
BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL)
 
+/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and 
BIO_s_connect() */
 # define BIO_set_fd(b,fd,c)  BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
 # define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
 
+/* BIO_s_file() */
 # define BIO_set_fp(b,fp,c)  BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp)
 # define BIO_get_fp(b,fpp)   BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp)
 
+/* BIO_s_fd() and BIO_s_file() */
 # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL)
 # define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)
 
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index 6a5e8de..ed214ca 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -419,7 +419,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
 BIO *dbio;
 int *ip;
-const char **pptr;
+const char **pptr = NULL;
 long ret = 1;
 BIO_CONNECT *data;
 
@@ -442,19 +442,28 @@ static long conn_ctrl(BIO *b, int cmd, long num, void 
*ptr)
 case BIO_C_GET_CONNECT:
 if (ptr != NULL) {
 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-19 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  583f4bf7e8e83e503046b7e5a1e01b48e64bce54 (commit)
   via  ff2c19efdbd6108acf9bff1c53adba8c2d3aa001 (commit)
  from  e961c7a201817cefd628a023a104c4ee8a216e13 (commit)


- Log -
commit 583f4bf7e8e83e503046b7e5a1e01b48e64bce54
Author: Matt Caswell 
Date:   Sat Dec 19 14:42:06 2015 +

Fix more URLs mangled by reformat

Fix some more URLs mangled by indent in the reformat. These ones don't exist
in master so we have a separate commit. Based on a patch supplied by Arnaud
Lacombe 

Reviewed-by: Richard Levitte 

commit ff2c19efdbd6108acf9bff1c53adba8c2d3aa001
Author: Matt Caswell 
Date:   Sat Dec 19 14:38:17 2015 +

Fix URLs mangled by reformat

Some URLs in the source code ended up getting mangled by indent. This fixes
it. Based on a patch supplied by Arnaud Lacombe 

Reviewed-by: Richard Levitte 

---

Summary of changes:
 crypto/bn/bn_exp.c | 2 +-
 crypto/camellia/camellia.c | 2 +-
 crypto/ec/ectest.c | 2 +-
 demos/tunala/tunala.c  | 2 +-
 ssl/t1_enc.c   | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 14a3689..4839625 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -590,7 +590,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int 
top,
  * precomputation memory layout to limit data-dependency to a minimum to
  * protect secret exponents (cf. the hyper-threading timing attacks pointed
  * out by Colin Percival,
- * http://www.daemong-consideredperthreading-considered-harmful/)
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
  */
 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   const BIGNUM *m, BN_CTX *ctx,
diff --git a/crypto/camellia/camellia.c b/crypto/camellia/camellia.c
index 05887a9..719fa61 100644
--- a/crypto/camellia/camellia.c
+++ b/crypto/camellia/camellia.c
@@ -67,7 +67,7 @@
 
 /*
  * Algorithm Specification
- * http://info.isl.llia/specicrypt/eng/camellia/specifications.html
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
  */
 
 /*
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index fede530..efab0b0 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -1591,7 +1591,7 @@ struct nistp_test_params {
 int degree;
 /*
  * Qx, Qy and D are taken from
- * 
http://csrcdocut.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
+ * 
http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf
  * Otherwise, values are standard curve parameters from FIPS 180-3
  */
 const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d;
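Review bot: while touching this comment, the adjacent context line "values are standard curve parameters from FIPS 180-3" is wrong: FIPS 180-3 is the Secure Hash Standard; the NIST prime curves are specified in FIPS 186-3 (Digital Signature Standard), Appendix D. Worth correcting in the same commit since the line is already in the hunk.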
diff --git a/demos/tunala/tunala.c b/demos/tunala/tunala.c
index 11a7c5b..3ceea02 100644
--- a/demos/tunala/tunala.c
+++ b/demos/tunala/tunala.c
@@ -1154,7 +1154,7 @@ static int tunala_item_io(tunala_selector_t * selector, 
tunala_item_t * item)
 /*
  * This function name is attributed to the term donated by David Schwartz
  * on openssl-dev, message-ID:
- * . :-)
+ * . :-)
  */
 if (!state_machine_churn(>sm))
 /*
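Review bot: the `-` and `+` lines of this hunk read identically in the list archive because the angle-bracketed Message-ID was stripped in rendering, so the repair cannot be verified from here; quoting the corrected Message-ID in plain text in the commit message would let reviewers reading the archive check it.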
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 985356d..9786b26 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1137,7 +1137,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char 
*out, unsigned char *p,
 so = s->s3->server_opaque_prf_input;
 /*
  * must be same as col (see
- * draft-resc-00.txts-opaque-prf-input-00.txt, section 3.1)
+ * draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1)
  */
 sol = s->s3->client_opaque_prf_input_len;
 }


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-16 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  d7f7144391dd0cdffcd360e33d527e013df6dc42 (commit)
  from  d6af325d5192acf8aef91671c4f39c09b0f9 (commit)


- Log -
commit d7f7144391dd0cdffcd360e33d527e013df6dc42
Author: Rich Salz 
Date:   Thu Dec 10 12:31:01 2015 -0500

Provide better "make depend" warning.

Reviewed-by: Matt Caswell 
(cherry picked from commit 2e31ef0366d368ac8cf7f5ecc9052bff27337799)

---

Summary of changes:
 Configure | 31 +--
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/Configure b/Configure
index fdf8d9a..84f627c 100755
--- a/Configure
+++ b/Configure
@@ -105,6 +105,9 @@ my $usage="Usage: Configure [no- ...] 
[enable- ...] [experimenta
 
 my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long 
-Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror 
-DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
 
+# Warn that "make depend" should be run?
+my $warn_make_depend = 0;
+
 my $clang_devteam_warn = "-Wno-unused-parameter 
-Wno-missing-field-initializers -Wno-language-extension-token 
-Wno-extended-offsetof -Qunused-arguments";
 
 my $strict_warnings = 0;
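Review bot: `$warn_make_depend` is inserted between the two related `$gcc_devteam_warn` and `$clang_devteam_warn` declarations, splitting them; moving it next to `$strict_warnings` (or just above the block that sets it) keeps the warning-flag declarations together and makes the new variable easier to find.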
@@ -1953,14 +1956,8 @@ EOF
("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
}
if ($depflags ne $default_depflags && !$make_depend) {
-   print <

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-14 Thread Richard Levitte
The branch OpenSSL_1_0_1-stable has been updated
   via  36be5f77d0325ded25d0a36caee9860cffe721e8 (commit)
  from  f612bdb34252c3eae4808dd3e1360d0f0a3666bc (commit)


- Log -
commit 36be5f77d0325ded25d0a36caee9860cffe721e8
Author: Richard Levitte 
Date:   Mon Dec 14 03:53:06 2015 +0100

Fix tarball production to keep test/bctest and util/pod2mantest

Reviewed-by: Matt Caswell 
(cherry picked from commit 474a53b3a36568d19d7b918ee879efd2707e7c67)

---

Summary of changes:
 Makefile.org | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile.org b/Makefile.org
index 308a6e6..b0e0f3d 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -506,7 +506,8 @@ TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list 
\
 $(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
   \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
-  \! -name '*test' \! -name '.#*' \! -name '*~' \! -type l \
+  \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
+  \! -name '.#*' \! -name '*~' \! -type l \
| sort > $(TARFILE).list
 
 tar: $(TARFILE).list
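Review bot: the new allow-list matches `bctest` and `pod2mantest` by basename anywhere under `find *`, not only at test/bctest and util/pod2mantest as the commit title says, so any other file with those names would also be packaged; if the exact paths are meant, `-path test/bctest -o -path util/pod2mantest` is tighter. The grouping itself is right: `\( \! -name '*test' -o -name bctest -o -name pod2mantest \)` evaluates the `-o` alternatives before they are ANDed with the surrounding exclusions.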


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-14 Thread Emilia Kasper
The branch OpenSSL_1_0_1-stable has been updated
   via  d6af325d5192acf8aef91671c4f39c09b0f9 (commit)
  from  36be5f77d0325ded25d0a36caee9860cffe721e8 (commit)


- Log -
commit d6af325d5192acf8aef91671c4f39c09b0f9
Author: Emilia Kasper 
Date:   Mon Dec 14 16:38:15 2015 +0100

Fix a ** 0 mod 1 = 0 for real this time.

Commit 2b0180c37fa6ffc48ee40caa831ca398b828e680 attempted to do this but
only hit one of many BN_mod_exp codepaths. Fix remaining variants and add
a test for each method.

Thanks to Hanno Boeck for reporting this issue.

Reviewed-by: Rich Salz 
Reviewed-by: Dr. Stephen Henson 
(cherry picked from commit d911097d7c93e4cfeab624b34d73fe51da158b69)
(cherry picked from commit 44e4f5b04b43054571e278381662cebd3f3555e6)

---

Summary of changes:
 crypto/bn/bn_exp.c  | 39 +++--
 crypto/bn/exptest.c | 82 +++--
 2 files changed, 104 insertions(+), 17 deletions(-)

diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 7e33ba9..14a3689 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -271,9 +271,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const 
BIGNUM *p,
 }
 
 bits = BN_num_bits(p);
-
 if (bits == 0) {
-ret = BN_one(r);
+/* x**0 mod 1 is still zero. */
+if (BN_is_one(m)) {
+ret = 1;
+BN_zero(r);
+} else {
+ret = BN_one(r);
+}
 return ret;
 }
 
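Review bot: in the new `BN_is_one(m)` branch the result of `BN_zero(r)` is discarded while `ret` is set to 1 unconditionally, whereas the `else` branch propagates the result of `BN_one(r)`; where `BN_zero` expands to `BN_set_word((r), 0)` that call can fail while expanding a fresh `r`, so either check it the same way as `BN_one` or add a comment saying why ignoring it is safe. `BN_mod_exp_mont_word` (fourth hunk) already has the same pattern, so treat both the same way.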
@@ -407,7 +412,13 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const 
BIGNUM *p,
 }
 bits = BN_num_bits(p);
 if (bits == 0) {
-ret = BN_one(rr);
+/* x**0 mod 1 is still zero. */
+if (BN_is_one(m)) {
+ret = 1;
+BN_zero(rr);
+} else {
+ret = BN_one(rr);
+}
 return ret;
 }
 
@@ -608,7 +619,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, 
const BIGNUM *p,
 
 bits = BN_num_bits(p);
 if (bits == 0) {
-ret = BN_one(rr);
+/* x**0 mod 1 is still zero. */
+if (BN_is_one(m)) {
+ret = 1;
+BN_zero(rr);
+} else {
+ret = BN_one(rr);
+}
 return ret;
 }
 
@@ -908,8 +925,9 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const 
BIGNUM *p,
 if (BN_is_one(m)) {
 ret = 1;
 BN_zero(rr);
-} else
+} else {
 ret = BN_one(rr);
+}
 return ret;
 }
 if (a == 0) {
@@ -1023,9 +1041,14 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const 
BIGNUM *p,
 }
 
 bits = BN_num_bits(p);
-
-if (bits == 0) {
-ret = BN_one(r);
+   if (bits == 0) {
+/* x**0 mod 1 is still zero. */
+if (BN_is_one(m)) {
+ret = 1;
+BN_zero(r);
+} else {
+ret = BN_one(r);
+}
 return ret;
 }
 
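Review bot: the indentation of `+   if (bits == 0) {` in this hunk does not match the other four copies of the block (it reads as a stray tab/space mix), and the blank line after `bits = BN_num_bits(p);` is dropped here and in the first hunk but kept in the mont and consttime variants. This is also the fifth copy of the same seven-line `bits == 0` block; a small static helper (a suggested name, not in the patch: `bn_mod_exp_zero_bits(r, m)`) would keep the five code paths from drifting again, which is exactly how the earlier fix 2b0180c3 missed four of them.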
diff --git a/crypto/bn/exptest.c b/crypto/bn/exptest.c
index 8b3a4ba..ac611c2 100644
--- a/crypto/bn/exptest.c
+++ b/crypto/bn/exptest.c
@@ -73,14 +73,34 @@ static const char rnd_seed[] =
 "string to make the random number generator think it has entropy";
 
 /*
+ * Test that r == 0 in test_exp_mod_zero(). Returns one on success,
+ * returns zero and prints debug output otherwise.
+ */
+static int a_is_zero_mod_one(const char *method, const BIGNUM *r,
+ const BIGNUM *a) {
+if (!BN_is_zero(r)) {
+fprintf(stderr, "%s failed:\n", method);
+fprintf(stderr, "a ** 0 mod 1 = r (should be 0)\n");
+fprintf(stderr, "a = ");
+BN_print_fp(stderr, a);
+fprintf(stderr, "\nr = ");
+BN_print_fp(stderr, r);
+fprintf(stderr, "\n");
+return 0;
+}
+return 1;
+}
+
+/*
  * test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success.
  */
 static int test_exp_mod_zero()
 {
 BIGNUM a, p, m;
 BIGNUM r;
+BN_ULONG one_word = 1;
 BN_CTX *ctx = BN_CTX_new();
-int ret = 1;
+int ret = 1, failed = 0;
 
 BN_init();
 BN_one();
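Review bot: `a_is_zero_mod_one` puts the opening brace on the parameter line (`const BIGNUM *a) {`) while every other function in this file, including `test_exp_mod_zero` directly below, has it on its own line; move it down. The two functions also use opposite return conventions (this helper returns 1 on success, `test_exp_mod_zero` per its own comment returns zero on success), which is why the new `failed` flag is needed; a sentence in the helper's comment saying so would stop the next reader from "fixing" one of them.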
@@ -92,21 +112,65 @@ static int test_exp_mod_zero()
 BN_zero();
 
 BN_init();
-BN_mod_exp(, , , , ctx);
-BN_CTX_free(ctx);
 
-if (BN_is_zero())
-ret = 0;
-else {
-printf("1**0 mod 1 = ");
-BN_print_fp(stdout, );
-printf(", should be 0\n");
+if (!BN_rand(, 1024, 0, 0))
+goto err;
+
+if (!BN_mod_exp(, , , , ctx))
+goto err;
+
+if (!a_is_zero_mod_one("BN_mod_exp", , ))
+failed = 1;
+
+if (!BN_mod_exp_recp(, , , , ctx))
+goto err;
+
+if (!a_is_zero_mod_one("BN_mod_exp_recp", , ))
+failed = 1;
+
+if (!BN_mod_exp_simple(, , , , ctx))
+

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-10 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  f612bdb34252c3eae4808dd3e1360d0f0a3666bc (commit)
   via  4a534243183498ee1a5b3fb19f4be8a0bf731ca7 (commit)
  from  d724616f682cb374b613d7fbd57e4c2bf749469c (commit)


- Log -
commit f612bdb34252c3eae4808dd3e1360d0f0a3666bc
Author: Matt Caswell 
Date:   Wed Nov 4 11:20:50 2015 +

Ensure |rwstate| is set correctly on BIO_flush

A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.

Reviewed-by: Richard Levitte 
(cherry picked from commit 67f60be8c9ae5ff3129fcd6238baf124385a41d8)

commit 4a534243183498ee1a5b3fb19f4be8a0bf731ca7
Author: Matt Caswell 
Date:   Tue Nov 3 14:45:07 2015 +

Fix DTLS handshake fragment retries

If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.

Reviewed-by: Richard Levitte 
(cherry picked from commit 2ad226e88bee97847496e542d63c67997d5beda6)

---

Summary of changes:
 ssl/d1_both.c | 70 +--
 1 file changed, 49 insertions(+), 21 deletions(-)

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index d453c07..aaa1867 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -291,8 +291,44 @@ int dtls1_do_write(SSL *s, int type)
 blocksize = 0;
 
 frag_off = 0;
+s->rwstate = SSL_NOTHING;
+
 /* s->init_num shouldn't ever be < 0...but just in case */
 while (s->init_num > 0) {
+if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) {
+/* We must be writing a fragment other than the first one */
+
+if (frag_off > 0) {
+/* This is the first attempt at writing out this fragment */
+
+if (s->init_off <= DTLS1_HM_HEADER_LENGTH) {
+/*
+ * Each fragment that was already sent must at least have
+ * contained the message header plus one other byte.
+ * Therefore |init_off| must have progressed by at least
+ * |DTLS1_HM_HEADER_LENGTH + 1| bytes. If not something 
went
+ * wrong.
+ */
+return -1;
+}
+
+/*
+ * Adjust |init_off| and |init_num| to allow room for a new
+ * message header for this fragment.
+ */
+s->init_off -= DTLS1_HM_HEADER_LENGTH;
+s->init_num += DTLS1_HM_HEADER_LENGTH;
+} else {
+/*
+ * We must have been called again after a retry so use the
+ * fragment offset from our last attempt. We do not need
+ * to adjust |init_off| and |init_num| as above, because
+ * that should already have been done before the retry.
+ */
+frag_off = s->d1->w_msg_hdr.frag_off;
+}
+}
+
 used_len = BIO_wpending(SSL_get_wbio(s)) + DTLS1_RT_HEADER_LENGTH
 + mac_size + blocksize;
 if (s->d1->mtu > used_len)
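Review bot: the new `return -1` for `s->init_off <= DTLS1_HM_HEADER_LENGTH` leaves the error queue empty, so a caller gets a bare -1 with nothing from SSLerr() to explain it; the `OPENSSL_assert` it replaces (removed in the third hunk) at least failed loudly. Push an error with `ERR_R_INTERNAL_ERROR` before returning. The retry-versus-first-attempt split hinges on `frag_off = 0;` just above the loop, so a one-line comment there saying that a non-zero `init_off` with `frag_off == 0` means "resumed after a retry" would make the branch self-explanatory.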
@@ -305,8 +341,10 @@ int dtls1_do_write(SSL *s, int type)
  * grr.. we could get an error if MTU picked was wrong
  */
 ret = BIO_flush(SSL_get_wbio(s));
-if (ret <= 0)
+if (ret <= 0) {
+s->rwstate = SSL_WRITING;
 return ret;
+}
 used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
 if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) {
 curr_mtu = s->d1->mtu - used_len;
@@ -332,25 +370,6 @@ int dtls1_do_write(SSL *s, int type)
  * XDTLS: this function is too long.  split out the CCS part
  */
 if (type == SSL3_RT_HANDSHAKE) {
-if (s->init_off != 0) {
-OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH);
-s->init_off -= DTLS1_HM_HEADER_LENGTH;
-s->init_num += DTLS1_HM_HEADER_LENGTH;
-
-/*
- * We just checked that s->init_num > 0 so this cast should
- * be safe
- */
-if (((unsigned int)s->init_num) > curr_mtu)
-len = curr_mtu;
-else
-len = s->init_num;
-}
-
-/* Shouldn't ever happen */
-if (len > INT_MAX)
-len = INT_MAX;
-
 if (len < DTLS1_HM_HEADER_LENGTH) {
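Review bot: this hunk removes the `len = curr_mtu` / `len = s->init_num` selection for non-first fragments and the `if (len > INT_MAX) len = INT_MAX;` clamp, but no replacement for either is visible in the hunk as shown (it cuts off at `if (len < DTLS1_HM_HEADER_LENGTH)`); confirm that `len` is still bounded by `curr_mtu` for every fragment before the data is copied out, since the first hunk now adjusts `init_num` upward by `DTLS1_HM_HEADER_LENGTH` before this point.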

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-09 Thread Dr . Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  d724616f682cb374b613d7fbd57e4c2bf749469c (commit)
  from  d27f073bf5b1a88eed63c2aa919974e1fad04985 (commit)


- Log -
commit d724616f682cb374b613d7fbd57e4c2bf749469c
Author: Dr Stephen Henson 
Date:   Tue Dec 8 19:10:48 2015 +

Don't use applink for static builds.

Reviewed-by: Rich Salz 
(cherry picked from commit 10119938215298ad414468e7c2779d7fd1a0b979)

---

Summary of changes:
 util/pl/VC-32.pl | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/util/pl/VC-32.pl b/util/pl/VC-32.pl
index e5abb97..88f0f7a 100644
--- a/util/pl/VC-32.pl
+++ b/util/pl/VC-32.pl
@@ -345,9 +345,13 @@ sub do_link_rule
$ret.="$target: $files $dep_libs";
if ($standalone == 1)
{
-   $ret.=" \$(OBJ_D)${o}applink.obj\n";
+   $ret.=" \$(OBJ_D)${o}applink.obj" if $shlib;
+   $ret.="\n";
$ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
-   $ret.= "\$(EX_LIBS) \$(OBJ_D)${o}applink.obj " if ($files =~ 
/O_FIPSCANISTER/ && !$fipscanisterbuild);
+   if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild) {
+   $ret.= "\$(EX_LIBS) ";
+   $ret.= "\$(OBJ_D)${o}applink.obj " if $shlib;
+   }
$ret.="$files $libs\n<<\n";
}
elsif ($standalone == 2)
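Review bot: the dependency line and the link line now both gate `applink.obj` on `$shlib`, which is the right pairing, but two `if $shlib` suffixes plus the `O_FIPSCANISTER` condition make the block hard to read; computing the object fragment once (for example `my $applink = $shlib ? " \$(OBJ_D)${o}applink.obj" : "";`, a suggestion, not part of the patch) and appending it in both places would keep the two from diverging again.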


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-08 Thread Richard Levitte
The branch OpenSSL_1_0_1-stable has been updated
   via  66a1ccf494b8fe1b842cd7bdda2d1a025d325753 (commit)
  from  777adea16aded9e398fb691074da60891ef63c58 (commit)


- Log -
commit 66a1ccf494b8fe1b842cd7bdda2d1a025d325753
Author: Richard Levitte 
Date:   Tue Dec 8 01:01:13 2015 +0100

Cleanup the EVP_MD_CTX before exit rather than after

Reviewed-by: Matt Caswell 
(cherry picked from commit c44844d928ad3c471c8dbe8baf2df8957900125b)

---

Summary of changes:
 crypto/sha/sha1test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/sha/sha1test.c b/crypto/sha/sha1test.c
index 0052a95..551a348 100644
--- a/crypto/sha/sha1test.c
+++ b/crypto/sha/sha1test.c
@@ -157,8 +157,8 @@ int main(int argc, char *argv[])
 if (err)
 printf("ERROR: %d\n", err);
 # endif
-EXIT(err);
 EVP_MD_CTX_cleanup();
+EXIT(err);
 return (0);
 }
 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-07 Thread Richard Levitte
The branch OpenSSL_1_0_1-stable has been updated
   via  777adea16aded9e398fb691074da60891ef63c58 (commit)
  from  641365436e363550486f74a3fe723b281c9ff81c (commit)


- Log -
commit 777adea16aded9e398fb691074da60891ef63c58
Author: Richard Levitte 
Date:   Mon Dec 7 16:50:15 2015 +0100

Change tar owner and group to just 0

It seems like some tar versions don't like the name:id form for
--owner and --group.  The closest known anonymous user being 0 (root),
that seems to be the most appropriate user/group to assign ownership
to.  It matters very little when unpacking either way.

Reviewed-by: Rich Salz 
(cherry picked from commit b91dd150d2b9b5ddca37722e7f52ea59ba7f80da)

---

Summary of changes:
 Makefile.org | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.org b/Makefile.org
index 7e7728f..dbb7374 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -499,7 +499,7 @@ TABLE: Configure
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
-  --owner openssl:0 --group openssl:0 \
+  --owner 0 --group 0 \
   --transform 's|^|$(NAME)/|' \
   -cvf -
 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-03 Thread Andy Polyakov
The branch OpenSSL_1_0_1-stable has been updated
   via  005f4893dc770d77eb07a098da32e0fca87f07b6 (commit)
  from  d585cc32a55e65573051225b29dc62171f59e05a (commit)


- Log -
commit 005f4893dc770d77eb07a098da32e0fca87f07b6
Author: Andy Polyakov 
Date:   Thu Dec 3 12:29:49 2015 +0100

e_os.h: limit _MSC_VER trickery to older compilers.

PR: #3390, backport from 1.0.2.

Reviewed-by: Matt Caswell 

---

Summary of changes:
 e_os.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/e_os.h b/e_os.h
index c9c7aaf..76c471e 100644
--- a/e_os.h
+++ b/e_os.h
@@ -315,7 +315,7 @@ static __inline unsigned int _strlen31(const char *str)
 #undef isxdigit
 #   endif
 #   if defined(_MSC_VER) && !defined(_DLL) && defined(stdin)
-#if _MSC_VER>=1300
+#if _MSC_VER>=1300 && _MSC_VER<1600
 # undef stdin
 # undef stdout
 # undef stderr
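Review bot: the new `_MSC_VER<1600` upper bound is a bare magic number; add a comment saying that 1600 is Visual Studio 2010 and why the `__iob_func` redirection is no longer wanted from that compiler on, so that the next person adjusting the range (the `PR: #3390` backport note shows it has already been revisited once) does not have to rediscover it.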
@@ -323,7 +323,7 @@ FILE *__iob_func();
 # define stdin  (&__iob_func()[0])
 # define stdout (&__iob_func()[1])
 # define stderr (&__iob_func()[2])
-#elif defined(I_CAN_LIVE_WITH_LNK4049)
+#elif _MSC_VER<1300 && defined(I_CAN_LIVE_WITH_LNK4049)
 # undef stdin
 # undef stdout
 # undef stderr


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-12-03 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  d82626caec9cb3f8da346125434f17eb180d4ef1 (commit)
   via  55615e8d48a4ddd684fcbfc7ba6523ed6414c8fc (commit)
   via  56edb20184ac7ea5fec1636a4cae3b8ba5c0d5d1 (commit)
   via  ac3dd9b7e6e2182ae3d1a8dc6c522cef9385f511 (commit)
   via  d8541d7e9e63bf5f343af24644046c8d96498c17 (commit)
   via  b29ffa392e839d05171206523e84909146f7a77c (commit)
  from  005f4893dc770d77eb07a098da32e0fca87f07b6 (commit)


- Log -
commit d82626caec9cb3f8da346125434f17eb180d4ef1
Author: Matt Caswell 
Date:   Thu Dec 3 14:51:13 2015 +

Prepare for 1.0.1r-dev

Reviewed-by: Richard Levitte 

commit 55615e8d48a4ddd684fcbfc7ba6523ed6414c8fc
Author: Matt Caswell 
Date:   Thu Dec 3 14:50:26 2015 +

Prepare for 1.0.1q release

Reviewed-by: Richard Levitte 

commit 56edb20184ac7ea5fec1636a4cae3b8ba5c0d5d1
Author: Matt Caswell 
Date:   Thu Dec 3 14:50:26 2015 +

make update

Reviewed-by: Richard Levitte 

commit ac3dd9b7e6e2182ae3d1a8dc6c522cef9385f511
Author: Matt Caswell 
Date:   Tue Dec 1 14:39:47 2015 +

Update CHANGES and NEWS

Update the CHANGES and NEWS files for the new release.

Reviewed-by: Richard Levitte 

commit d8541d7e9e63bf5f343af24644046c8d96498c17
Author: Dr. Stephen Henson 
Date:   Fri Oct 2 13:10:29 2015 +0100

Add PSS parameter check.

Avoid seg fault by checking mgf1 parameter is not NULL. This can be
triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.

CVE-2015-3194

Reviewed-by: Matt Caswell 

commit b29ffa392e839d05171206523e84909146f7a77c
Author: Dr. Stephen Henson 
Date:   Tue Nov 10 19:03:07 2015 +

Fix leak with ASN.1 combine.

When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Reviewed-by: Richard Levitte 

---

Summary of changes:
 CHANGES| 47 ++-
 NEWS   | 11 ++-
 README |  2 +-
 crypto/asn1/tasn_dec.c |  7 +--
 crypto/opensslv.h  |  6 +++---
 crypto/rsa/rsa_ameth.c |  2 +-
 openssl.spec   |  2 +-
 test/Makefile  |  7 ---
 8 files changed, 67 insertions(+), 17 deletions(-)

diff --git a/CHANGES b/CHANGES
index 178d010..915b1f6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,38 @@
  OpenSSL CHANGES
  ___
 
- Changes between 1.0.1p and 1.0.1q [xx XXX ]
+ Changes between 1.0.1q and 1.0.1r [xx XXX ]
+
+  *)
+
+ Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
+
+  *) Certificate verify crash with missing PSS parameter
+
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and absent mask generation function parameter. Since these
+ routines are used to verify certificate signature algorithms this can be
+ used to crash any certificate verification operation and exploited in a
+ DoS attack. Any application which performs certificate verification is
+ vulnerable including OpenSSL clients and servers which enable client
+ authentication.
+
+ This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+ (CVE-2015-3194)
+ [Stephen Henson]
+
+  *) X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) 
using
+ libFuzzer.
+ (CVE-2015-3195)
+ [Stephen Henson]
 
   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
  This changes the decoding behaviour for some invalid messages,
@@ -14,9 +45,6 @@
  return an error
  [Rich Salz and Ismo Puustinen ]
 
-  *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
- from RFC4279, RFC4785, RFC5487, 

[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-11-24 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  98b94544e5dcab065404de1892d2aeb726dd6491 (commit)
  from  844de56ed6e96042d364da6020bd29a816293a0a (commit)


- Log -
commit 98b94544e5dcab065404de1892d2aeb726dd6491
Author: Kurt Roeckx 
Date:   Tue Nov 24 23:21:06 2015 +0100

Use both sun and __sun

Reviewed-by: Andy Polyakov 
(cherry picked from commit ed02493567390cac6d07447f193fcaac5b219af3)

---

Summary of changes:
 crypto/opensslconf.h.in | 2 +-
 e_os.h  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in
index d8e6abc..7a1c85d 100644
--- a/crypto/opensslconf.h.in
+++ b/crypto/opensslconf.h.in
@@ -120,7 +120,7 @@
optimization options.  Older Sparc's work better with only UNROLL, but
there's no way to tell at compile time what it is you're running on */
  
-#if defined( __sun )   /* Newer Sparc's */
+#if defined( __sun ) || defined ( sun )/* Newer Sparc's */
 #  define DES_PTR
 #  define DES_RISC1
 #  define DES_UNROLL
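Review bot: `defined ( sun )` is spaced differently from `defined( __sun )` on the same line; make them consistent. More usefully, `sun` is an unreserved identifier that only some Sun/Solaris compilers predefine in non-strict mode, so a short comment stating that the bare spelling is a fallback for compilers that do not define `__sun` would explain the change better than the commit title "Use both sun and __sun" does.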
diff --git a/e_os.h b/e_os.h
index d84ffb4..c9c7aaf 100644
--- a/e_os.h
+++ b/e_os.h
@@ -612,7 +612,7 @@ struct servent *PASCAL getservbyname(const char *, const 
char *);
 #include 
 #   endif
 
-#   if defined(__sun)
+#   if defined(__sun) || defined(sun)
 #include 
 #   else
 #ifndef VMS
@@ -654,7 +654,7 @@ struct servent *PASCAL getservbyname(const char *, const 
char *);
 
 # endif
 
-# if defined(__sun) && !defined(__svr4__) && !defined(__SVR4)
+# if (defined(__sun) || defined(sun)) && !defined(__svr4__) && !defined(__SVR4)
   /* include headers first, so our defines don't break it */
 #  include 
 #  include 


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-11-24 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  844de56ed6e96042d364da6020bd29a816293a0a (commit)
   via  784934498fac88eaeff106e22bcab44c272e2cc9 (commit)
   via  0b5f9ce37bd0e4030faf6af9e1b6356693239576 (commit)
  from  fc45da053535ee4de573aeb4d895ef6d6f7b72c9 (commit)


- Log -
commit 844de56ed6e96042d364da6020bd29a816293a0a
Author: Marcus Meissner 
Date:   Tue Nov 24 22:03:58 2015 +0100

mark openssl configuration as loaded at end of OPENSSL_config

Signed-off-by: Kurt Roeckx 
Reviewed-by: Rich Salz 

GH: #466
(cherry picked from commit 434b58457c8cca4d09f77a1774d6d2c446604bae)

commit 784934498fac88eaeff106e22bcab44c272e2cc9
Author: Pascal Cuoq 
Date:   Mon Nov 23 00:13:15 2015 +0100

ssl3_free(): Return if it wasn't created

If somewhere in SSL_new() there is a memory allocation failure, ssl3_free()
can get called with s->s3 still being NULL.

Patch also provided by Willy Tarreau 

Signed-off-by: Kurt Roeckx 
Reviewed-by: Viktor Dukhovni 
(cherry picked from commit 3e7bd2ce0b16f8611298175d6dc7cb35ee06ea6d)

commit 0b5f9ce37bd0e4030faf6af9e1b6356693239576
Author: Kurt Roeckx 
Date:   Tue Nov 24 21:53:40 2015 +0100

Set reference count earlier

Backport of 0e04674e964b905e67e3d215bcf888932c92765f

Reviewed-by: Steve Henson 

RT #4047, #4110, MR #1356

---

Summary of changes:
 crypto/conf/conf_sap.c | 1 +
 ssl/s3_lib.c   | 2 +-
 ssl/ssl_cert.c | 2 +-
 ssl/ssl_lib.c  | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypto/conf/conf_sap.c b/crypto/conf/conf_sap.c
index 544fe97..c042cf2 100644
--- a/crypto/conf/conf_sap.c
+++ b/crypto/conf/conf_sap.c
@@ -90,6 +90,7 @@ void OPENSSL_config(const char *config_name)
 CONF_modules_load_file(NULL, config_name,
CONF_MFLAGS_DEFAULT_SECTION |
CONF_MFLAGS_IGNORE_MISSING_FILE);
+openssl_configured = 1;
 }
 
 void OPENSSL_no_config()
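Review bot: `openssl_configured = 1` is set even when `CONF_modules_load_file()` fails (its return value is not checked above it), so a later `OPENSSL_config()` call will silently skip retrying; if that is intended because `CONF_MFLAGS_IGNORE_MISSING_FILE` makes the common failure benign, say so in a comment, otherwise set the flag only on success.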
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index de917d3..f716d77 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2955,7 +2955,7 @@ int ssl3_new(SSL *s)
 
 void ssl3_free(SSL *s)
 {
-if (s == NULL)
+if (s == NULL || s->s3 == NULL)
 return;
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 5df2413..9a4e104 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -206,6 +206,7 @@ CERT *ssl_cert_dup(CERT *cert)
 
 memset(ret, 0, sizeof(CERT));
 
+ret->references = 1;
 ret->key = >pkeys[cert->key - >pkeys[0]];
 /*
  * or ret->key = ret->pkeys + (cert->key - cert->pkeys), if you find that
@@ -282,7 +283,6 @@ CERT *ssl_cert_dup(CERT *cert)
  * chain is held inside SSL_CTX
  */
 
-ret->references = 1;
 /*
  * Set digests to defaults. NB: we don't copy existing values as they
  * will be set during handshake.
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9cfeaf3..93d1cbe 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -307,6 +307,7 @@ SSL *SSL_new(SSL_CTX *ctx)
 s->options = ctx->options;
 s->mode = ctx->mode;
 s->max_cert_list = ctx->max_cert_list;
+s->references = 1;
 
 if (ctx->cert != NULL) {
 /*
@@ -375,7 +376,6 @@ SSL *SSL_new(SSL_CTX *ctx)
 if (!s->method->ssl_new(s))
 goto err;
 
-s->references = 1;
 s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
 
 SSL_clear(s);


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-11-24 Thread Dr . Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  fc45da053535ee4de573aeb4d895ef6d6f7b72c9 (commit)
  from  5844c9453f409c95fab3f295214b94dc27e38502 (commit)


- Log -
commit fc45da053535ee4de573aeb4d895ef6d6f7b72c9
Author: Dr. Stephen Henson 
Date:   Tue Nov 24 16:37:52 2015 +

Fix uninitialised p error.

Reviewed-by: Rich Salz 
(cherry picked from commit 63eb10a07ee29a312e50a227f5b3a290b1ad22b4)

---

Summary of changes:
 crypto/asn1/asn1_par.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index 21dfe0c..0ca985a 100644
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -135,7 +135,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, 
long length,
 
 if (depth > ASN1_PARSE_MAXDEPTH) {
 BIO_puts(bp, "BAD RECURSION DEPTH\n");
-goto end;
+return 0;
 }
 
 p = *pp;
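Review bot: `return 0` is the right replacement, since `p` is only assigned at `p = *pp` below this check and the `end:` path used it uninitialised (the commit title); the depth message written to `bp` is consistent with how the rest of this parser reports malformed input, so no error-queue entry is needed here.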


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-11-24 Thread Dr . Stephen Henson
The branch OpenSSL_1_0_1-stable has been updated
   via  5844c9453f409c95fab3f295214b94dc27e38502 (commit)
  from  3f2ebff3927b52d609928f632cfe670b7ba9 (commit)


- Log -
commit 5844c9453f409c95fab3f295214b94dc27e38502
Author: Dr. Stephen Henson 
Date:   Thu Sep 3 14:27:19 2015 +0100

Limit depth of ASN1 parse printing.

Thanks to Guido Vranken  for reporting this issue.

Reviewed-by: Tim Hudson 
(cherry picked from commit 158e5207a794603f5d64ffa95e0247c7808ab445)

Conflicts:
crypto/asn1/asn1_par.c

---

Summary of changes:
 crypto/asn1/asn1_par.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c
index a5d2da1..21dfe0c 100644
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -62,6 +62,10 @@
 #include 
 #include 
 
+#ifndef ASN1_PARSE_MAXDEPTH
+#define ASN1_PARSE_MAXDEPTH 128
+#endif
+
 static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
int indent);
 static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
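Review bot: the `#ifndef ASN1_PARSE_MAXDEPTH` guard lets builders raise the limit, but the value 128 and the fact that it bounds recursion on attacker-supplied DER are not explained anywhere; a one-line comment above the define stating the purpose would help whoever next tunes it.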
@@ -128,6 +132,12 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, 
long length,
 #else
 dump_indent = 6;/* Because we know BIO_dump_indent() */
 #endif
+
+if (depth > ASN1_PARSE_MAXDEPTH) {
+BIO_puts(bp, "BAD RECURSION DEPTH\n");
+goto end;
+}
+
 p = *pp;
 tot = p + length;
 op = p - 1;
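Review bot: `goto end` here jumps over `p = *pp`, so whatever the `end:` label does with `p` sees an uninitialised value; the follow-up commit fc45da05 on this same list replaces it with `return 0`, and that is the form that should have landed in this hunk.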


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-11-21 Thread Kurt Roeckx
The branch OpenSSL_1_0_1-stable has been updated
   via  638856f40c67b1fa68d60ab2da3b1d83a5a97bc1 (commit)
  from  a5184a6c89ff954261e73d1e8691ab73b9b4b2d4 (commit)


- Log -
commit 638856f40c67b1fa68d60ab2da3b1d83a5a97bc1
Author: Alessandro Ghedini 
Date:   Wed Oct 28 21:11:37 2015 +0100

Add initial AppVeyor configuration

Original patch by Frank Morgner.

Signed-off-by: Kurt Roeckx 
Reviewed-by: Rich Salz 

GH: #456
(cherry picked from commit 68db80e2d1accdd4c4a6b4763559c6cfe9663820)

---

Summary of changes:
 appveyor.yml | 60 
 1 file changed, 60 insertions(+)
 create mode 100644 appveyor.yml

diff --git a/appveyor.yml b/appveyor.yml
new file mode 100644
index 000..8695359
--- /dev/null
+++ b/appveyor.yml
@@ -0,0 +1,60 @@
+platform:
+- x86
+- x64
+
+environment:
+matrix:
+- VSVER: 9
+- VSVER: 10
+- VSVER: 11
+- VSVER: 12
+- VSVER: 14
+
+configuration:
+- plain
+- shared
+
+matrix:
+allow_failures:
+- platform: x64
+  VSVER: 9
+- platform: x64
+  VSVER: 10
+- platform: x64
+  VSVER: 11
+
+before_build:
+- ps: >-
+If ($env:Platform -Match "x86") {
+$env:VCVARS_PLATFORM="x86"
+$env:TARGET="VC-WIN32"
+$env:DO="do_ms"
+} Else {
+$env:VCVARS_PLATFORM="amd64"
+$env:TARGET="VC-WIN64A"
+$env:DO="do_win64a"
+}
+- ps: >-
+If ($env:Configuration -Like "*shared*") {
+$env:MAK="ntdll.mak"
+} Else {
+$env:MAK="nt.mak"
+}
+- ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + 
"0COMNTOOLS"))
+- call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
+- perl Configure %TARGET% no-asm
+- call ms\%DO%
+
+build_script:
+- nmake /f ms\%MAK%
+
+test_script:
+- nmake /f ms\%MAK% test
+
+notifications:
+- provider: Email
+  to:
+  - openssl-commits@openssl.org
+  on_build_success: false
+  on_build_failure: true
+  on_build_status_changed: true
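Review bot: `perl Configure %TARGET% no-asm` means none of the assembler implementations are exercised by this CI, and `allow_failures` hides any x64 regression on VSVER 9, 10 and 11; both are defensible for an initial configuration, but each deserves a comment in the file so nobody reads a green build as coverage of the asm paths or of 64-bit builds on the older toolchains.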


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-11-18 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  e71aab1c02e6a47ec56b1e341e80d09797d3d4de (commit)
  from  b77390a2ff1d8c707ea5aad4bd30cedbccedee5b (commit)


- Log -
commit e71aab1c02e6a47ec56b1e341e80d09797d3d4de
Author: Rich Salz 
Date:   Wed Nov 18 16:58:40 2015 -0500

Fix release in README.

Reviewed-by: Steve Marquess 

---

Summary of changes:
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index cc20f57..edf5138 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0-dev
+ OpenSSL 1.0.1q-dev
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2015-11-13 Thread Rich Salz
The branch OpenSSL_1_0_1-stable has been updated
   via  b77390a2ff1d8c707ea5aad4bd30cedbccedee5b (commit)
  from  78b9d13474e843205307da96ef348868fe6d71bb (commit)


- Log -
commit b77390a2ff1d8c707ea5aad4bd30cedbccedee5b
Author: Graeme Perrow 
Date:   Fri Nov 13 16:56:18 2015 -0500

RT32671: wrong multiple errs TS_check_status_info

Signed-off-by: Rich Salz 
Reviewed-by: Tim Hudson 
(cherry picked from commit f236ef27bd2ca99b3367554aa3e2fc9ca345deb5)

---

Summary of changes:
 crypto/ts/ts_rsp_verify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 32b4d99..1a3a7c5 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -522,7 +522,7 @@ static int TS_check_status_info(TS_RESP *response)
 if (ASN1_BIT_STRING_get_bit(info->failure_info,
 TS_failure_info[i].code)) {
 if (!first)
-strcpy(failure_text, ",");
+strcat(failure_text, ",");
 else
 first = 0;
 strcat(failure_text, TS_failure_info[i].text);
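Review bot: `strcat` is the right fix for the separators being overwritten, but it makes the size of `failure_text` load-bearing: a response from a remote TSA can have every bit of `failure_info` set, so the buffer must hold all `TS_failure_info[i].text` strings plus a comma for each. The declaration is not in the hunk; confirm it is sized for the full concatenation, or use `BUF_strlcat(failure_text, ..., sizeof(failure_text))` so the bound is enforced in code.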

