Compare commits
12 Commits
Author | SHA1 | Date |
---|---|---|
Tom Callaway | 4b20642107 | |
Tom Callaway | 1c2ab61fa1 | |
Tomas Mraz | d84c65b444 | |
Tomas Mraz | 929846e5d1 | |
Tomas Mraz | c0a499bb31 | |
Tomas Mraz | 546bf977b5 | |
Tomas Mraz | 20c4fd7c9c | |
Tomas Mraz | a3963e794f | |
Tomas Mraz | fc6854bd38 | |
Tomas Mraz | be99ed71a5 | |
Tomas Mraz | ed457feb49 | |
Tomas Mraz | 4fcc430a48 |
|
@ -0,0 +1,103 @@
|
||||||
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read openssl-1.0.1e/crypto/x509/x509_vfy.c
|
||||||
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read 2015-05-25 12:03:41.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2015-06-09 15:01:51.688640453 +0200
|
||||||
|
@@ -1702,49 +1702,92 @@ int X509_cmp_time(const ASN1_TIME *ctm,
|
||||||
|
ASN1_TIME atm;
|
||||||
|
long offset;
|
||||||
|
char buff1[24],buff2[24],*p;
|
||||||
|
- int i,j;
|
||||||
|
+ int i, j, remaining;
|
||||||
|
|
||||||
|
p=buff1;
|
||||||
|
- i=ctm->length;
|
||||||
|
+ remaining=ctm->length;
|
||||||
|
str=(char *)ctm->data;
|
||||||
|
+ /*
|
||||||
|
+ * Note that the following (historical) code allows much more slack in the
|
||||||
|
+ * time format than RFC5280. In RFC5280, the representation is fixed:
|
||||||
|
+ * UTCTime: YYMMDDHHMMSSZ
|
||||||
|
+ * GeneralizedTime: YYYYMMDDHHMMSSZ
|
||||||
|
+ */
|
||||||
|
if (ctm->type == V_ASN1_UTCTIME)
|
||||||
|
{
|
||||||
|
- if ((i < 11) || (i > 17)) return 0;
|
||||||
|
+ /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
|
||||||
|
+ int min_length = sizeof("YYMMDDHHMMZ") - 1;
|
||||||
|
+ int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
|
||||||
|
+ if (remaining < min_length || remaining > max_length)
|
||||||
|
+ return 0;
|
||||||
|
memcpy(p,str,10);
|
||||||
|
p+=10;
|
||||||
|
str+=10;
|
||||||
|
+ remaining -= 10;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- if (i < 13) return 0;
|
||||||
|
+ /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
|
||||||
|
+ int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
|
||||||
|
+ int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
|
||||||
|
+ if (remaining < min_length || remaining > max_length)
|
||||||
|
+ return 0;
|
||||||
|
memcpy(p,str,12);
|
||||||
|
p+=12;
|
||||||
|
str+=12;
|
||||||
|
+ remaining -= 12;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((*str == 'Z') || (*str == '-') || (*str == '+'))
|
||||||
|
{ *(p++)='0'; *(p++)='0'; }
|
||||||
|
else
|
||||||
|
{
|
||||||
|
+ /* SS (seconds) */
|
||||||
|
+ if (remaining < 2)
|
||||||
|
+ return 0;
|
||||||
|
*(p++)= *(str++);
|
||||||
|
*(p++)= *(str++);
|
||||||
|
- /* Skip any fractional seconds... */
|
||||||
|
- if (*str == '.')
|
||||||
|
+ remaining -= 2;
|
||||||
|
+ /*
|
||||||
|
+ * Skip any (up to three) fractional seconds...
|
||||||
|
+ * TODO(emilia): in RFC5280, fractional seconds are forbidden.
|
||||||
|
+ * Can we just kill them altogether?
|
||||||
|
+ */
|
||||||
|
+ if (remaining && *str == '.')
|
||||||
|
{
|
||||||
|
str++;
|
||||||
|
- while ((*str >= '0') && (*str <= '9')) str++;
|
||||||
|
+ remaining--;
|
||||||
|
+ for (i = 0; i < 3 && remaining; i++, str++, remaining--)
|
||||||
|
+ {
|
||||||
|
+ if (*str < '0' || *str > '9')
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
*(p++)='Z';
|
||||||
|
*(p++)='\0';
|
||||||
|
|
||||||
|
+ /* We now need either a terminating 'Z' or an offset. */
|
||||||
|
+ if (!remaining)
|
||||||
|
+ return 0;
|
||||||
|
if (*str == 'Z')
|
||||||
|
+ {
|
||||||
|
+ if (remaining != 1)
|
||||||
|
+ return 0;
|
||||||
|
offset=0;
|
||||||
|
+ }
|
||||||
|
else
|
||||||
|
{
|
||||||
|
+ /* (+-)HHMM */
|
||||||
|
if ((*str != '+') && (*str != '-'))
|
||||||
|
return 0;
|
||||||
|
+ /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
|
||||||
|
+ if (remaining != 5)
|
||||||
|
+ return 0;
|
||||||
|
+ if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
|
||||||
|
+ str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
|
||||||
|
+ return 0;
|
||||||
|
offset=((str[1]-'0')*10+(str[2]-'0'))*60;
|
||||||
|
offset+=(str[3]-'0')*10+(str[4]-'0');
|
||||||
|
if (*str == '-')
|
|
@ -0,0 +1,55 @@
|
||||||
|
diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
|
||||||
|
--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content 2015-05-25 12:03:41.000000000 +0200
|
||||||
|
+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-06-09 15:21:21.377951520 +0200
|
||||||
|
@@ -472,6 +472,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||||
|
switch (i)
|
||||||
|
{
|
||||||
|
case NID_pkcs7_signed:
|
||||||
|
+ /*
|
||||||
|
+ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
|
||||||
|
+ * field and optional content.
|
||||||
|
+ * data_body is NULL if that structure has no (=detached) content
|
||||||
|
+ * or if the contentType is wrong (i.e., not "data").
|
||||||
|
+ */
|
||||||
|
data_body=PKCS7_get_octet_string(p7->d.sign->contents);
|
||||||
|
if (!PKCS7_is_detached(p7) && data_body == NULL)
|
||||||
|
{
|
||||||
|
@@ -484,6 +490,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||||
|
case NID_pkcs7_signedAndEnveloped:
|
||||||
|
rsk=p7->d.signed_and_enveloped->recipientinfo;
|
||||||
|
md_sk=p7->d.signed_and_enveloped->md_algs;
|
||||||
|
+ /* data_body is NULL if the optional EncryptedContent is missing. */
|
||||||
|
data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
|
||||||
|
enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
|
||||||
|
evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
|
||||||
|
@@ -496,6 +503,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||||
|
case NID_pkcs7_enveloped:
|
||||||
|
rsk=p7->d.enveloped->recipientinfo;
|
||||||
|
enc_alg=p7->d.enveloped->enc_data->algorithm;
|
||||||
|
+ /* data_body is NULL if the optional EncryptedContent is missing. */
|
||||||
|
data_body=p7->d.enveloped->enc_data->enc_data;
|
||||||
|
evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
|
||||||
|
if (evp_cipher == NULL)
|
||||||
|
@@ -509,6 +517,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Detached content must be supplied via in_bio instead. */
|
||||||
|
+ if (data_body == NULL && in_bio == NULL)
|
||||||
|
+ {
|
||||||
|
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* We will be checking the signature */
|
||||||
|
if (md_sk != NULL)
|
||||||
|
{
|
||||||
|
@@ -665,7 +680,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
|
||||||
|
}
|
||||||
|
|
||||||
|
#if 1
|
||||||
|
- if (PKCS7_is_detached(p7) || (in_bio != NULL))
|
||||||
|
+ if (in_bio != NULL)
|
||||||
|
{
|
||||||
|
bio=in_bio;
|
||||||
|
}
|
|
@ -0,0 +1,12 @@
|
||||||
|
diff -up openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash openssl-1.0.1e/crypto/cms/cms_smime.c
|
||||||
|
--- openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/cms/cms_smime.c 2015-06-09 16:07:16.001516190 +0200
|
||||||
|
@@ -141,7 +141,7 @@ static void do_free_upto(BIO *f, BIO *up
|
||||||
|
BIO_free(f);
|
||||||
|
f = tbio;
|
||||||
|
}
|
||||||
|
- while (f != upto);
|
||||||
|
+ while (f && f != upto);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
BIO_free_all(f);
|
|
@ -5,8 +5,8 @@ diff -up openssl-1.0.1h/ssl/ssl_lib.c.v2v3 openssl-1.0.1h/ssl/ssl_lib.c
|
||||||
*/
|
*/
|
||||||
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
|
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
|
||||||
|
|
||||||
+ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
|
+ /* Disable SSLv2 by default (affects the SSLv23_method() only) */
|
||||||
+ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
|
+ ret->options |= SSL_OP_NO_SSLv2;
|
||||||
+
|
+
|
||||||
return(ret);
|
return(ret);
|
||||||
err:
|
err:
|
||||||
|
|
|
@ -0,0 +1,407 @@
|
||||||
|
diff -up openssl-1.0.1k/apps/apps.c.alt-chains openssl-1.0.1k/apps/apps.c
|
||||||
|
--- openssl-1.0.1k/apps/apps.c.alt-chains 2015-07-09 14:58:55.949753674 +0200
|
||||||
|
+++ openssl-1.0.1k/apps/apps.c 2015-07-09 14:58:55.970754174 +0200
|
||||||
|
@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
|
||||||
|
flags |= X509_V_FLAG_NOTIFY_POLICY;
|
||||||
|
else if (!strcmp(arg, "-check_ss_sig"))
|
||||||
|
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
|
||||||
|
+ else if (!strcmp(arg, "-no_alt_chains"))
|
||||||
|
+ flags |= X509_V_FLAG_NO_ALT_CHAINS;
|
||||||
|
else if (!strcmp(arg, "-trusted_first"))
|
||||||
|
flags |= X509_V_FLAG_TRUSTED_FIRST;
|
||||||
|
else
|
||||||
|
diff -up openssl-1.0.1k/apps/cms.c.alt-chains openssl-1.0.1k/apps/cms.c
|
||||||
|
--- openssl-1.0.1k/apps/cms.c.alt-chains 2015-07-09 14:58:55.949753674 +0200
|
||||||
|
+++ openssl-1.0.1k/apps/cms.c 2015-07-09 14:58:55.970754174 +0200
|
||||||
|
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
||||||
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
+ BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n");
|
||||||
|
BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||||
|
diff -up openssl-1.0.1k/apps/ocsp.c.alt-chains openssl-1.0.1k/apps/ocsp.c
|
||||||
|
--- openssl-1.0.1k/apps/ocsp.c.alt-chains 2015-07-09 14:58:55.949753674 +0200
|
||||||
|
+++ openssl-1.0.1k/apps/ocsp.c 2015-07-09 14:58:55.971754198 +0200
|
||||||
|
@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf (bio_err, "-path path to use in OCSP request\n");
|
||||||
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
+ BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n");
|
||||||
|
BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
BIO_printf (bio_err, "-VAfile file validator certificates file\n");
|
||||||
|
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
|
||||||
|
diff -up openssl-1.0.1k/apps/s_client.c.alt-chains openssl-1.0.1k/apps/s_client.c
|
||||||
|
--- openssl-1.0.1k/apps/s_client.c.alt-chains 2015-07-09 14:58:55.956753841 +0200
|
||||||
|
+++ openssl-1.0.1k/apps/s_client.c 2015-07-09 14:58:55.971754198 +0200
|
||||||
|
@@ -299,6 +299,7 @@ static void sc_usage(void)
|
||||||
|
BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
|
||||||
|
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
||||||
|
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
|
||||||
|
+ BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n");
|
||||||
|
BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
|
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||||
|
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
|
||||||
|
diff -up openssl-1.0.1k/apps/smime.c.alt-chains openssl-1.0.1k/apps/smime.c
|
||||||
|
--- openssl-1.0.1k/apps/smime.c.alt-chains 2015-07-09 14:58:55.950753698 +0200
|
||||||
|
+++ openssl-1.0.1k/apps/smime.c 2015-07-09 14:58:55.971754198 +0200
|
||||||
|
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
||||||
|
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||||
|
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
|
||||||
|
+ BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n");
|
||||||
|
BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||||
|
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||||
|
diff -up openssl-1.0.1k/apps/s_server.c.alt-chains openssl-1.0.1k/apps/s_server.c
|
||||||
|
--- openssl-1.0.1k/apps/s_server.c.alt-chains 2015-07-09 14:58:55.950753698 +0200
|
||||||
|
+++ openssl-1.0.1k/apps/s_server.c 2015-07-09 14:58:55.971754198 +0200
|
||||||
|
@@ -502,6 +502,7 @@ static void sv_usage(void)
|
||||||
|
BIO_printf(bio_err," -state - Print the SSL states\n");
|
||||||
|
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
||||||
|
BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n");
|
||||||
|
+ BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n");
|
||||||
|
BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
|
||||||
|
BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
|
||||||
|
BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
||||||
|
diff -up openssl-1.0.1k/apps/verify.c.alt-chains openssl-1.0.1k/apps/verify.c
|
||||||
|
--- openssl-1.0.1k/apps/verify.c.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||||
|
+++ openssl-1.0.1k/apps/verify.c 2015-07-09 14:58:55.972754221 +0200
|
||||||
|
@@ -238,7 +238,7 @@ int MAIN(int argc, char **argv)
|
||||||
|
end:
|
||||||
|
if (ret == 1) {
|
||||||
|
BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
|
||||||
|
- BIO_printf(bio_err," [-attime timestamp]");
|
||||||
|
+ BIO_printf(bio_err," [-no_alt_chains] [-attime timestamp]");
|
||||||
|
#ifndef OPENSSL_NO_ENGINE
|
||||||
|
BIO_printf(bio_err," [-engine e]");
|
||||||
|
#endif
|
||||||
|
diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.c
|
||||||
|
--- openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||||
|
+++ openssl-1.0.1k/crypto/x509/x509_vfy.c 2015-07-09 15:28:03.630442145 +0200
|
||||||
|
@@ -154,11 +154,11 @@ static int x509_subject_cmp(X509 **a, X5
|
||||||
|
|
||||||
|
int X509_verify_cert(X509_STORE_CTX *ctx)
|
||||||
|
{
|
||||||
|
- X509 *x,*xtmp,*chain_ss=NULL;
|
||||||
|
+ X509 *x,*xtmp,*xtmp2,*chain_ss=NULL;
|
||||||
|
int bad_chain = 0;
|
||||||
|
X509_VERIFY_PARAM *param = ctx->param;
|
||||||
|
int depth,i,ok=0;
|
||||||
|
- int num;
|
||||||
|
+ int num, j, retry;
|
||||||
|
int (*cb)(int xok,X509_STORE_CTX *xctx);
|
||||||
|
STACK_OF(X509) *sktmp=NULL;
|
||||||
|
if (ctx->cert == NULL)
|
||||||
|
@@ -167,21 +167,27 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (ctx->chain != NULL) {
|
||||||
|
+ /*
|
||||||
|
+ * This X509_STORE_CTX has already been used to verify a cert. We
|
||||||
|
+ * cannot do another one.
|
||||||
|
+ */
|
||||||
|
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
cb=ctx->verify_cb;
|
||||||
|
|
||||||
|
/* first we make sure the chain we are going to build is
|
||||||
|
* present and that the first entry is in place */
|
||||||
|
- if (ctx->chain == NULL)
|
||||||
|
+ if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
|
||||||
|
+ (!sk_X509_push(ctx->chain,ctx->cert)))
|
||||||
|
{
|
||||||
|
- if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
|
||||||
|
- (!sk_X509_push(ctx->chain,ctx->cert)))
|
||||||
|
- {
|
||||||
|
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
|
||||||
|
- ctx->last_untrusted=1;
|
||||||
|
+ X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
+ CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
|
||||||
|
+ ctx->last_untrusted=1;
|
||||||
|
|
||||||
|
/* We use a temporary STACK so we can chop and hack at it */
|
||||||
|
if (ctx->untrusted != NULL
|
||||||
|
@@ -247,10 +253,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Remember how many untrusted certs we have */
|
||||||
|
+ j = num;
|
||||||
|
+
|
||||||
|
/* at this point, chain should contain a list of untrusted
|
||||||
|
* certificates. We now need to add at least one trusted one,
|
||||||
|
* if possible, otherwise we complain. */
|
||||||
|
|
||||||
|
+ do {
|
||||||
|
/* Examine last certificate in chain and see if it
|
||||||
|
* is self signed.
|
||||||
|
*/
|
||||||
|
@@ -294,6 +304,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||||
|
chain_ss=sk_X509_pop(ctx->chain);
|
||||||
|
ctx->last_untrusted--;
|
||||||
|
num--;
|
||||||
|
+ j--;
|
||||||
|
x=sk_X509_value(ctx->chain,num-1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -322,7 +333,42 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||||
|
num++;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* we now have our chain, lets check it... */
|
||||||
|
+ /*
|
||||||
|
+ * If we haven't got a least one certificate from our store then check
|
||||||
|
+ * if there is an alternative chain that could be used. We only do this
|
||||||
|
+ * if the user hasn't switched off alternate chain checking
|
||||||
|
+ */
|
||||||
|
+ retry = 0;
|
||||||
|
+ if (num == ctx->last_untrusted &&
|
||||||
|
+ !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
||||||
|
+ while (j-- > 1) {
|
||||||
|
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
||||||
|
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
|
||||||
|
+ if (ok < 0)
|
||||||
|
+ goto end;
|
||||||
|
+ /* Check if we found an alternate chain */
|
||||||
|
+ if (ok > 0) {
|
||||||
|
+ /*
|
||||||
|
+ * Free up the found cert we'll add it again later
|
||||||
|
+ */
|
||||||
|
+ X509_free(xtmp);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Dump all the certs above this point - we've found an
|
||||||
|
+ * alternate chain
|
||||||
|
+ */
|
||||||
|
+ while (num > j) {
|
||||||
|
+ xtmp = sk_X509_pop(ctx->chain);
|
||||||
|
+ X509_free(xtmp);
|
||||||
|
+ num--;
|
||||||
|
+ }
|
||||||
|
+ ctx->last_untrusted = j;
|
||||||
|
+ retry = 1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ } while (retry);
|
||||||
|
|
||||||
|
/* Is last certificate looked up self signed? */
|
||||||
|
if (!ctx->check_issued(ctx,x,x))
|
||||||
|
diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.h
|
||||||
|
--- openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||||
|
+++ openssl-1.0.1k/crypto/x509/x509_vfy.h 2015-07-09 14:58:55.972754221 +0200
|
||||||
|
@@ -391,7 +391,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
||||||
|
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
|
||||||
|
/* Use trusted store first */
|
||||||
|
#define X509_V_FLAG_TRUSTED_FIRST 0x8000
|
||||||
|
-
|
||||||
|
+/*
|
||||||
|
+ * If the initial chain is not trusted, do not attempt to build an alternative
|
||||||
|
+ * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
|
||||||
|
+ * this flag will force the behaviour to match that of previous versions.
|
||||||
|
+ */
|
||||||
|
+#define X509_V_FLAG_NO_ALT_CHAINS 0x100000
|
||||||
|
|
||||||
|
#define X509_VP_FLAG_DEFAULT 0x1
|
||||||
|
#define X509_VP_FLAG_OVERWRITE 0x2
|
||||||
|
diff -up openssl-1.0.1k/doc/apps/cms.pod.alt-chains openssl-1.0.1k/doc/apps/cms.pod
|
||||||
|
--- openssl-1.0.1k/doc/apps/cms.pod.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/apps/cms.pod 2015-07-09 14:58:55.972754221 +0200
|
||||||
|
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
||||||
|
[B<-print>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
[B<-CApath dir>]
|
||||||
|
+[B<-no_alt_chains>]
|
||||||
|
[B<-trusted_first>]
|
||||||
|
[B<-md digest>]
|
||||||
|
[B<-[cipher]>]
|
||||||
|
@@ -413,7 +414,7 @@ portion of a message so they may be incl
|
||||||
|
then many S/MIME mail clients check the signers certificate's email
|
||||||
|
address matches that specified in the From: address.
|
||||||
|
|
||||||
|
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||||
|
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
||||||
|
|
||||||
|
Set various certificate chain valiadition option. See the
|
||||||
|
L<B<verify>|verify(1)> manual page for details.
|
||||||
|
diff -up openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains openssl-1.0.1k/doc/apps/ocsp.pod
|
||||||
|
--- openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/apps/ocsp.pod 2015-07-09 14:58:55.973754245 +0200
|
||||||
|
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
|
||||||
|
[B<-path>]
|
||||||
|
[B<-CApath dir>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
+[B<-no_alt_chains>]]
|
||||||
|
[B<-trusted_first>]
|
||||||
|
[B<-VAfile file>]
|
||||||
|
[B<-validity_period n>]
|
||||||
|
@@ -143,6 +144,10 @@ connection timeout to the OCSP responder
|
||||||
|
file or pathname containing trusted CA certificates. These are used to verify
|
||||||
|
the signature on the OCSP response.
|
||||||
|
|
||||||
|
+=item B<-no_alt_chains>
|
||||||
|
+
|
||||||
|
+See L<B<verify>|verify(1)> manual page for details.
|
||||||
|
+
|
||||||
|
=item B<-trusted_first>
|
||||||
|
|
||||||
|
Use certificates in CA file or CA directory over certificates provided
|
||||||
|
diff -up openssl-1.0.1k/doc/apps/s_client.pod.alt-chains openssl-1.0.1k/doc/apps/s_client.pod
|
||||||
|
--- openssl-1.0.1k/doc/apps/s_client.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/apps/s_client.pod 2015-07-09 14:58:55.973754245 +0200
|
||||||
|
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
|
||||||
|
[B<-pass arg>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-no_alt_chains>]
|
||||||
|
[B<-trusted_first>]
|
||||||
|
[B<-reconnect>]
|
||||||
|
[B<-pause>]
|
||||||
|
@@ -122,7 +123,7 @@ also used when building the client certi
|
||||||
|
A file containing trusted certificates to use during server authentication
|
||||||
|
and to use when attempting to build the client certificate chain.
|
||||||
|
|
||||||
|
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
|
||||||
|
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
||||||
|
|
||||||
|
Set various certificate chain valiadition option. See the
|
||||||
|
L<B<verify>|verify(1)> manual page for details.
|
||||||
|
diff -up openssl-1.0.1k/doc/apps/smime.pod.alt-chains openssl-1.0.1k/doc/apps/smime.pod
|
||||||
|
--- openssl-1.0.1k/doc/apps/smime.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/apps/smime.pod 2015-07-09 14:58:55.973754245 +0200
|
||||||
|
@@ -17,6 +17,7 @@ B<openssl> B<smime>
|
||||||
|
[B<-in file>]
|
||||||
|
[B<-CAfile file>]
|
||||||
|
[B<-CApath dir>]
|
||||||
|
+[B<-no_alt_chains>]
|
||||||
|
[B<-trusted_first>]
|
||||||
|
[B<-certfile file>]
|
||||||
|
[B<-signer file>]
|
||||||
|
@@ -268,7 +269,7 @@ portion of a message so they may be incl
|
||||||
|
then many S/MIME mail clients check the signers certificate's email
|
||||||
|
address matches that specified in the From: address.
|
||||||
|
|
||||||
|
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
|
||||||
|
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
|
||||||
|
|
||||||
|
Set various options of certificate chain verification. See
|
||||||
|
L<B<verify>|verify(1)> manual page for details.
|
||||||
|
diff -up openssl-1.0.1k/doc/apps/s_server.pod.alt-chains openssl-1.0.1k/doc/apps/s_server.pod
|
||||||
|
--- openssl-1.0.1k/doc/apps/s_server.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/apps/s_server.pod 2015-07-09 14:58:55.973754245 +0200
|
||||||
|
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
||||||
|
[B<-state>]
|
||||||
|
[B<-CApath directory>]
|
||||||
|
[B<-CAfile filename>]
|
||||||
|
+[B<-no_alt_chains>]
|
||||||
|
[B<-trusted_first>]
|
||||||
|
[B<-nocert>]
|
||||||
|
[B<-cipher cipherlist>]
|
||||||
|
@@ -179,6 +180,10 @@ and to use when attempting to build the
|
||||||
|
is also used in the list of acceptable client CAs passed to the client when
|
||||||
|
a certificate is requested.
|
||||||
|
|
||||||
|
+=item B<-no_alt_chains>
|
||||||
|
+
|
||||||
|
+See the L<B<verify>|verify(1)> manual page for details.
|
||||||
|
+
|
||||||
|
=item B<-trusted_first>
|
||||||
|
|
||||||
|
Use certificates in CA file or CA directory before other certificates
|
||||||
|
diff -up openssl-1.0.1k/doc/apps/verify.pod.alt-chains openssl-1.0.1k/doc/apps/verify.pod
|
||||||
|
--- openssl-1.0.1k/doc/apps/verify.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/apps/verify.pod 2015-07-09 14:58:55.973754245 +0200
|
||||||
|
@@ -23,6 +23,7 @@ B<openssl> B<verify>
|
||||||
|
[B<-extended_crl>]
|
||||||
|
[B<-use_deltas>]
|
||||||
|
[B<-policy_print>]
|
||||||
|
+[B<-no_alt_chains>]
|
||||||
|
[B<-untrusted file>]
|
||||||
|
[B<-help>]
|
||||||
|
[B<-issuer_checks>]
|
||||||
|
@@ -115,6 +116,14 @@ Set policy variable inhibit-any-policy (
|
||||||
|
|
||||||
|
Set policy variable inhibit-policy-mapping (see RFC5280).
|
||||||
|
|
||||||
|
+=item B<-no_alt_chains>
|
||||||
|
+
|
||||||
|
+When building a certificate chain, if the first certificate chain found is not
|
||||||
|
+trusted, then OpenSSL will continue to check to see if an alternative chain can
|
||||||
|
+be found that is trusted. With this option that behaviour is suppressed so that
|
||||||
|
+only the first chain found is ever used. Using this option will force the
|
||||||
|
+behaviour to match that of previous OpenSSL versions.
|
||||||
|
+
|
||||||
|
=item B<-policy_print>
|
||||||
|
|
||||||
|
Print out diagnostics related to policy processing.
|
||||||
|
diff -up openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod
|
||||||
|
--- openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains 2014-10-15 15:49:15.000000000 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod 2015-07-09 15:29:16.461174414 +0200
|
||||||
|
@@ -39,10 +39,15 @@ X509_STORE_CTX_free() completely frees u
|
||||||
|
is no longer valid.
|
||||||
|
|
||||||
|
X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
|
||||||
|
-The trusted certificate store is set to B<store>, the end entity certificate
|
||||||
|
-to be verified is set to B<x509> and a set of additional certificates (which
|
||||||
|
-will be untrusted but may be used to build the chain) in B<chain>. Any or
|
||||||
|
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
|
||||||
|
+It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
|
||||||
|
+good for one call to X509_verify_cert(); if you want to verify a second
|
||||||
|
+certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
|
||||||
|
+and then X509_STORE_CTX_init() again before the second call to
|
||||||
|
+X509_verify_cert(). The trusted certificate store is set to B<store>, the end
|
||||||
|
+entity certificate to be verified is set to B<x509> and a set of additional
|
||||||
|
+certificates (which will be untrusted but may be used to build the chain) in
|
||||||
|
+B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
|
||||||
|
+B<NULL>.
|
||||||
|
|
||||||
|
X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
|
||||||
|
to B<sk>. This is an alternative way of specifying trusted certificates
|
||||||
|
diff -up openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_verify_cert.pod
|
||||||
|
--- openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains 2014-10-15 15:49:15.000000000 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/crypto/X509_verify_cert.pod 2015-07-09 15:29:16.461174414 +0200
|
||||||
|
@@ -32,7 +32,8 @@ OpenSSL internally for certificate valid
|
||||||
|
SSL/TLS code.
|
||||||
|
|
||||||
|
The negative return value from X509_verify_cert() can only occur if no
|
||||||
|
-certificate is set in B<ctx> (due to a programming error) or if a retry
|
||||||
|
+certificate is set in B<ctx> (due to a programming error); if X509_verify_cert()
|
||||||
|
+twice without reinitialising B<ctx> in between; or if a retry
|
||||||
|
operation is requested during internal lookups (which never happens with
|
||||||
|
standard lookup methods). It is however recommended that application check
|
||||||
|
for <= 0 return value on error.
|
||||||
|
diff -up openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
|
||||||
|
--- openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-01-08 15:00:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-07-09 14:58:55.973754245 +0200
|
||||||
|
@@ -133,6 +133,12 @@ verification. If this flag is set then a
|
||||||
|
to the verification callback and it B<must> be prepared to handle such cases
|
||||||
|
without assuming they are hard errors.
|
||||||
|
|
||||||
|
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
|
||||||
|
+chains. By default, when building a certificate chain, if the first certificate
|
||||||
|
+chain found is not trusted, then OpenSSL will continue to check to see if an
|
||||||
|
+alternative chain can be found that is trusted. With this flag set the behaviour
|
||||||
|
+will match that of OpenSSL versions prior to 1.0.1n and 1.0.2b.
|
||||||
|
+
|
||||||
|
=head1 NOTES
|
||||||
|
|
||||||
|
The above functions should be used to manipulate verification parameters
|
||||||
|
@@ -166,6 +172,6 @@ L<X509_verify_cert(3)|X509_verify_cert(3
|
||||||
|
|
||||||
|
=head1 HISTORY
|
||||||
|
|
||||||
|
-TBA
|
||||||
|
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in upstream OpenSSL 1.0.1n and 1.0.2b
|
||||||
|
|
||||||
|
=cut
|
|
@ -1,3 +1,34 @@
|
||||||
|
diff -up openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free openssl-1.0.1e/crypto/asn1/x_x509.c
|
||||||
|
--- openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free 2013-02-11 16:26:04.000000000 +0100
|
||||||
|
+++ openssl-1.0.1e/crypto/asn1/x_x509.c 2015-06-11 11:14:52.581856349 +0200
|
||||||
|
@@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
|
||||||
|
{
|
||||||
|
const unsigned char *q;
|
||||||
|
X509 *ret;
|
||||||
|
+ int freeret = 0;
|
||||||
|
+
|
||||||
|
/* Save start position */
|
||||||
|
q = *pp;
|
||||||
|
+
|
||||||
|
+ if(!a || *a == NULL) {
|
||||||
|
+ freeret = 1;
|
||||||
|
+ }
|
||||||
|
ret = d2i_X509(a, pp, length);
|
||||||
|
/* If certificate unreadable then forget it */
|
||||||
|
if(!ret) return NULL;
|
||||||
|
@@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
|
||||||
|
if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
|
||||||
|
return ret;
|
||||||
|
err:
|
||||||
|
- X509_free(ret);
|
||||||
|
+ if(freeret) {
|
||||||
|
+ X509_free(ret);
|
||||||
|
+ if (a)
|
||||||
|
+ *a = NULL;
|
||||||
|
+ }
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
diff -up openssl-1.0.1k/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1k/crypto/ec/ec_asn1.c
|
diff -up openssl-1.0.1k/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1k/crypto/ec/ec_asn1.c
|
||||||
--- openssl-1.0.1k/crypto/ec/ec_asn1.c.use-after-free 2014-10-15 15:49:54.000000000 +0200
|
--- openssl-1.0.1k/crypto/ec/ec_asn1.c.use-after-free 2014-10-15 15:49:54.000000000 +0200
|
||||||
+++ openssl-1.0.1k/crypto/ec/ec_asn1.c 2015-03-19 17:28:03.349627040 +0100
|
+++ openssl-1.0.1k/crypto/ec/ec_asn1.c 2015-03-19 17:28:03.349627040 +0100
|
||||||
|
@ -25,3 +56,27 @@ diff -up openssl-1.0.1k/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1k/crypto
|
||||||
EC_KEY_free(ret);
|
EC_KEY_free(ret);
|
||||||
ret = NULL;
|
ret = NULL;
|
||||||
}
|
}
|
||||||
|
@@ -1377,8 +1377,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
|
||||||
|
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
- if (a)
|
||||||
|
- *a = ret;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
ret = *a;
|
||||||
|
@@ -1386,9 +1384,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con
|
||||||
|
if (!d2i_ECPKParameters(&ret->group, in, len))
|
||||||
|
{
|
||||||
|
ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
|
||||||
|
+ if (a == NULL || *a != ret)
|
||||||
|
+ EC_KEY_free(ret);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (a)
|
||||||
|
+ *a = ret;
|
||||||
|
+
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,231 @@
|
||||||
|
diff -up openssl-1.0.1k/ssl/ssl_err.c.ticket-race openssl-1.0.1k/ssl/ssl_err.c
|
||||||
|
--- openssl-1.0.1k/ssl/ssl_err.c.ticket-race 2015-06-15 17:06:22.699702477 +0200
|
||||||
|
+++ openssl-1.0.1k/ssl/ssl_err.c 2015-06-15 17:06:22.704702592 +0200
|
||||||
|
@@ -245,6 +245,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
||||||
|
{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
|
||||||
|
+{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
|
||||||
|
{ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},
|
||||||
|
diff -up openssl-1.0.1k/ssl/ssl.h.ticket-race openssl-1.0.1k/ssl/ssl.h
|
||||||
|
--- openssl-1.0.1k/ssl/ssl.h.ticket-race 2015-06-15 17:06:22.700702500 +0200
|
||||||
|
+++ openssl-1.0.1k/ssl/ssl.h 2015-06-15 17:06:22.704702592 +0200
|
||||||
|
@@ -2203,6 +2203,7 @@ void ERR_load_SSL_strings(void);
|
||||||
|
#define SSL_F_SSL_READ 223
|
||||||
|
#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
|
||||||
|
#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
|
||||||
|
+#define SSL_F_SSL_SESSION_DUP 348
|
||||||
|
#define SSL_F_SSL_SESSION_NEW 189
|
||||||
|
#define SSL_F_SSL_SESSION_PRINT_FP 190
|
||||||
|
#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
|
||||||
|
diff -up openssl-1.0.1k/ssl/ssl_locl.h.ticket-race openssl-1.0.1k/ssl/ssl_locl.h
|
||||||
|
--- openssl-1.0.1k/ssl/ssl_locl.h.ticket-race 2015-06-15 17:06:22.543698865 +0200
|
||||||
|
+++ openssl-1.0.1k/ssl/ssl_locl.h 2015-06-15 17:06:22.705702616 +0200
|
||||||
|
@@ -831,6 +831,7 @@ void ssl_sess_cert_free(SESS_CERT *sc);
|
||||||
|
int ssl_set_peer_cert_type(SESS_CERT *c, int type);
|
||||||
|
int ssl_get_new_session(SSL *s, int session);
|
||||||
|
int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
|
||||||
|
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
|
||||||
|
int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
|
||||||
|
DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
|
||||||
|
ssl_cipher_id);
|
||||||
|
diff -up openssl-1.0.1k/ssl/ssl_sess.c.ticket-race openssl-1.0.1k/ssl/ssl_sess.c
|
||||||
|
--- openssl-1.0.1k/ssl/ssl_sess.c.ticket-race 2015-01-08 15:00:56.000000000 +0100
|
||||||
|
+++ openssl-1.0.1k/ssl/ssl_sess.c 2015-06-15 17:06:22.705702616 +0200
|
||||||
|
@@ -224,6 +224,146 @@ SSL_SESSION *SSL_SESSION_new(void)
|
||||||
|
return(ss);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
|
||||||
|
+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
|
||||||
|
+ */
|
||||||
|
+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
|
||||||
|
+{
|
||||||
|
+ SSL_SESSION *dest;
|
||||||
|
+
|
||||||
|
+ dest = OPENSSL_malloc(sizeof(*src));
|
||||||
|
+ if (dest == NULL)
|
||||||
|
+ {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ memcpy(dest, src, sizeof(*dest));
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Set the various pointers to NULL so that we can call SSL_SESSION_free in
|
||||||
|
+ * the case of an error whilst halfway through constructing dest
|
||||||
|
+ */
|
||||||
|
+#ifndef OPENSSL_NO_PSK
|
||||||
|
+ dest->psk_identity_hint = NULL;
|
||||||
|
+ dest->psk_identity = NULL;
|
||||||
|
+#endif
|
||||||
|
+ dest->ciphers = NULL;
|
||||||
|
+#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
+ dest->tlsext_hostname = NULL;
|
||||||
|
+# ifndef OPENSSL_NO_EC
|
||||||
|
+ dest->tlsext_ecpointformatlist = NULL;
|
||||||
|
+ dest->tlsext_ellipticcurvelist = NULL;
|
||||||
|
+# endif
|
||||||
|
+#endif
|
||||||
|
+ dest->tlsext_tick = NULL;
|
||||||
|
+#ifndef OPENSSL_NO_SRP
|
||||||
|
+ dest->srp_username = NULL;
|
||||||
|
+#endif
|
||||||
|
+ memset(&dest->ex_data, 0, sizeof(dest->ex_data));
|
||||||
|
+
|
||||||
|
+ /* We deliberately don't copy the prev and next pointers */
|
||||||
|
+ dest->prev = NULL;
|
||||||
|
+ dest->next = NULL;
|
||||||
|
+
|
||||||
|
+ dest->references = 1;
|
||||||
|
+
|
||||||
|
+ if (src->sess_cert != NULL)
|
||||||
|
+ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
|
||||||
|
+
|
||||||
|
+ if (src->peer != NULL)
|
||||||
|
+ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_NO_PSK
|
||||||
|
+ if (src->psk_identity_hint)
|
||||||
|
+ {
|
||||||
|
+ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
|
||||||
|
+ if (dest->psk_identity_hint == NULL)
|
||||||
|
+ {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (src->psk_identity)
|
||||||
|
+ {
|
||||||
|
+ dest->psk_identity = BUF_strdup(src->psk_identity);
|
||||||
|
+ if (dest->psk_identity == NULL)
|
||||||
|
+ {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if(src->ciphers != NULL)
|
||||||
|
+ {
|
||||||
|
+ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
|
||||||
|
+ if (dest->ciphers == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
|
||||||
|
+ &dest->ex_data, &src->ex_data))
|
||||||
|
+ {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_NO_TLSEXT
|
||||||
|
+ if (src->tlsext_hostname)
|
||||||
|
+ {
|
||||||
|
+ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname);
|
||||||
|
+ if (dest->tlsext_hostname == NULL)
|
||||||
|
+ {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+# ifndef OPENSSL_NO_EC
|
||||||
|
+ if (src->tlsext_ecpointformatlist)
|
||||||
|
+ {
|
||||||
|
+ dest->tlsext_ecpointformatlist =
|
||||||
|
+ BUF_memdup(src->tlsext_ecpointformatlist,
|
||||||
|
+ src->tlsext_ecpointformatlist_length);
|
||||||
|
+ if (dest->tlsext_ecpointformatlist == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ if (src->tlsext_ellipticcurvelist)
|
||||||
|
+ {
|
||||||
|
+ dest->tlsext_ellipticcurvelist =
|
||||||
|
+ BUF_memdup(src->tlsext_ellipticcurvelist,
|
||||||
|
+ src->tlsext_ellipticcurvelist_length);
|
||||||
|
+ if (dest->tlsext_ellipticcurvelist == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+# endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if (ticket != 0)
|
||||||
|
+ {
|
||||||
|
+ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
|
||||||
|
+ if(dest->tlsext_tick == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ dest->tlsext_tick_lifetime_hint = 0;
|
||||||
|
+ dest->tlsext_ticklen = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_NO_SRP
|
||||||
|
+ if (src->srp_username)
|
||||||
|
+ {
|
||||||
|
+ dest->srp_username = BUF_strdup(src->srp_username);
|
||||||
|
+ if (dest->srp_username == NULL)
|
||||||
|
+ {
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ return dest;
|
||||||
|
+err:
|
||||||
|
+ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
|
||||||
|
+ SSL_SESSION_free(dest);
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
|
||||||
|
{
|
||||||
|
if(len)
|
||||||
|
diff -up openssl-1.0.1k/ssl/s3_clnt.c.ticket-race openssl-1.0.1k/ssl/s3_clnt.c
|
||||||
|
--- openssl-1.0.1k/ssl/s3_clnt.c.ticket-race 2015-06-15 17:06:22.700702500 +0200
|
||||||
|
+++ openssl-1.0.1k/ssl/s3_clnt.c 2015-06-15 17:06:37.434043557 +0200
|
||||||
|
@@ -2191,6 +2191,44 @@ int ssl3_get_new_session_ticket(SSL *s)
|
||||||
|
}
|
||||||
|
|
||||||
|
p=d=(unsigned char *)s->init_msg;
|
||||||
|
+
|
||||||
|
+ if (s->session->session_id_length > 0)
|
||||||
|
+ {
|
||||||
|
+ int i = s->session_ctx->session_cache_mode;
|
||||||
|
+ SSL_SESSION *new_sess;
|
||||||
|
+ /*
|
||||||
|
+ * We reused an existing session, so we need to replace it with a new
|
||||||
|
+ * one
|
||||||
|
+ */
|
||||||
|
+ if (i & SSL_SESS_CACHE_CLIENT)
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * Remove the old session from the cache
|
||||||
|
+ */
|
||||||
|
+ if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
|
||||||
|
+ {
|
||||||
|
+ if (s->session_ctx->remove_session_cb != NULL)
|
||||||
|
+ s->session_ctx->remove_session_cb(s->session_ctx,
|
||||||
|
+ s->session);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ /* We carry on if this fails */
|
||||||
|
+ SSL_CTX_remove_session(s->session_ctx, s->session);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((new_sess = ssl_session_dup(s->session, 0)) == 0)
|
||||||
|
+ {
|
||||||
|
+ al = SSL_AD_INTERNAL_ERROR;
|
||||||
|
+ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
|
||||||
|
+ goto f_err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ SSL_SESSION_free(s->session);
|
||||||
|
+ s->session = new_sess;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
n2l(p, s->session->tlsext_tick_lifetime_hint);
|
||||||
|
n2s(p, ticklen);
|
||||||
|
/* ticket_lifetime_hint + ticket_length + ticket */
|
|
@ -0,0 +1,208 @@
|
||||||
|
diff -up openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
|
||||||
|
--- openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam 2015-05-29 16:02:33.335187143 +0200
|
||||||
|
+++ openssl-1.0.1k/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 2015-05-29 16:05:16.611940775 +0200
|
||||||
|
@@ -61,12 +61,12 @@ negotiation is being saved.
|
||||||
|
|
||||||
|
If "strong" primes were used to generate the DH parameters, it is not strictly
|
||||||
|
necessary to generate a new key for each handshake but it does improve forward
|
||||||
|
-secrecy. If it is not assured, that "strong" primes were used (see especially
|
||||||
|
-the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used
|
||||||
|
-in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE
|
||||||
|
-has an impact on the computer time needed during negotiation, but it is not
|
||||||
|
-very large, so application authors/users should consider to always enable
|
||||||
|
-this option.
|
||||||
|
+secrecy. If it is not assured that "strong" primes were used,
|
||||||
|
+SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup
|
||||||
|
+attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the
|
||||||
|
+computer time needed during negotiation, but it is not very large, so
|
||||||
|
+application authors/users should consider always enabling this option.
|
||||||
|
+The option is required to implement perfect forward secrecy (PFS).
|
||||||
|
|
||||||
|
As generating DH parameters is extremely time consuming, an application
|
||||||
|
should not generate the parameters on the fly but supply the parameters.
|
||||||
|
@@ -74,82 +74,62 @@ DH parameters can be reused, as the actu
|
||||||
|
the negotiation. The risk in reusing DH parameters is that an attacker
|
||||||
|
may specialize on a very often used DH group. Applications should therefore
|
||||||
|
generate their own DH parameters during the installation process using the
|
||||||
|
-openssl L<dhparam(1)|dhparam(1)> application. In order to reduce the computer
|
||||||
|
-time needed for this generation, it is possible to use DSA parameters
|
||||||
|
-instead (see L<dhparam(1)|dhparam(1)>), but in this case SSL_OP_SINGLE_DH_USE
|
||||||
|
-is mandatory.
|
||||||
|
+openssl L<dhparam(1)|dhparam(1)> application. This application
|
||||||
|
+guarantees that "strong" primes are used.
|
||||||
|
|
||||||
|
-Application authors may compile in DH parameters. Files dh512.pem,
|
||||||
|
-dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current
|
||||||
|
+Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
|
||||||
|
version of the OpenSSL distribution contain the 'SKIP' DH parameters,
|
||||||
|
which use safe primes and were generated verifiably pseudo-randomly.
|
||||||
|
These files can be converted into C code using the B<-C> option of the
|
||||||
|
-L<dhparam(1)|dhparam(1)> application.
|
||||||
|
-Authors may also generate their own set of parameters using
|
||||||
|
-L<dhparam(1)|dhparam(1)>, but a user may not be sure how the parameters were
|
||||||
|
-generated. The generation of DH parameters during installation is therefore
|
||||||
|
-recommended.
|
||||||
|
+L<dhparam(1)|dhparam(1)> application. Generation of custom DH
|
||||||
|
+parameters during installation should still be preferred to stop an
|
||||||
|
+attacker from specializing on a commonly used group. Files dh1024.pem
|
||||||
|
+and dh512.pem contain old parameters that must not be used by
|
||||||
|
+applications.
|
||||||
|
|
||||||
|
An application may either directly specify the DH parameters or
|
||||||
|
-can supply the DH parameters via a callback function. The callback approach
|
||||||
|
-has the advantage, that the callback may supply DH parameters for different
|
||||||
|
-key lengths.
|
||||||
|
-
|
||||||
|
-The B<tmp_dh_callback> is called with the B<keylength> needed and
|
||||||
|
-the B<is_export> information. The B<is_export> flag is set, when the
|
||||||
|
-ephemeral DH key exchange is performed with an export cipher.
|
||||||
|
+can supply the DH parameters via a callback function.
|
||||||
|
+
|
||||||
|
+Previous versions of the callback used B<is_export> and B<keylength>
|
||||||
|
+parameters to control parameter generation for export and non-export
|
||||||
|
+cipher suites. Modern servers that do not support export ciphersuites
|
||||||
|
+are advised to either use SSL_CTX_set_tmp_dh() in combination with
|
||||||
|
+SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore
|
||||||
|
+B<keylength> and B<is_export> and simply supply at least 2048-bit
|
||||||
|
+parameters in the callback.
|
||||||
|
|
||||||
|
=head1 EXAMPLES
|
||||||
|
|
||||||
|
-Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling
|
||||||
|
+Setup DH parameters with a key length of 2048 bits. (Error handling
|
||||||
|
partly left out.)
|
||||||
|
|
||||||
|
- ...
|
||||||
|
- /* Set up ephemeral DH stuff */
|
||||||
|
- DH *dh_512 = NULL;
|
||||||
|
- DH *dh_1024 = NULL;
|
||||||
|
- FILE *paramfile;
|
||||||
|
+ Command-line parameter generation:
|
||||||
|
+ $ openssl dhparam -out dh_param_2048.pem 2048
|
||||||
|
+
|
||||||
|
+ Code for setting up parameters during server initialization:
|
||||||
|
|
||||||
|
...
|
||||||
|
- /* "openssl dhparam -out dh_param_512.pem -2 512" */
|
||||||
|
- paramfile = fopen("dh_param_512.pem", "r");
|
||||||
|
+ SSL_CTX ctx = SSL_CTX_new();
|
||||||
|
+ ...
|
||||||
|
+
|
||||||
|
+ /* Set up ephemeral DH parameters. */
|
||||||
|
+ DH *dh_2048 = NULL;
|
||||||
|
+ FILE *paramfile;
|
||||||
|
+ paramfile = fopen("dh_param_2048.pem", "r");
|
||||||
|
if (paramfile) {
|
||||||
|
- dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
|
||||||
|
+ dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
|
||||||
|
fclose(paramfile);
|
||||||
|
+ } else {
|
||||||
|
+ /* Error. */
|
||||||
|
}
|
||||||
|
- /* "openssl dhparam -out dh_param_1024.pem -2 1024" */
|
||||||
|
- paramfile = fopen("dh_param_1024.pem", "r");
|
||||||
|
- if (paramfile) {
|
||||||
|
- dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
|
||||||
|
- fclose(paramfile);
|
||||||
|
+ if (dh_2048 == NULL) {
|
||||||
|
+ /* Error. */
|
||||||
|
}
|
||||||
|
- ...
|
||||||
|
-
|
||||||
|
- /* "openssl dhparam -C -2 512" etc... */
|
||||||
|
- DH *get_dh512() { ... }
|
||||||
|
- DH *get_dh1024() { ... }
|
||||||
|
-
|
||||||
|
- DH *tmp_dh_callback(SSL *s, int is_export, int keylength)
|
||||||
|
- {
|
||||||
|
- DH *dh_tmp=NULL;
|
||||||
|
-
|
||||||
|
- switch (keylength) {
|
||||||
|
- case 512:
|
||||||
|
- if (!dh_512)
|
||||||
|
- dh_512 = get_dh512();
|
||||||
|
- dh_tmp = dh_512;
|
||||||
|
- break;
|
||||||
|
- case 1024:
|
||||||
|
- if (!dh_1024)
|
||||||
|
- dh_1024 = get_dh1024();
|
||||||
|
- dh_tmp = dh_1024;
|
||||||
|
- break;
|
||||||
|
- default:
|
||||||
|
- /* Generating a key on the fly is very costly, so use what is there */
|
||||||
|
- setup_dh_parameters_like_above();
|
||||||
|
+ if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
|
||||||
|
+ /* Error. */
|
||||||
|
}
|
||||||
|
- return(dh_tmp);
|
||||||
|
- }
|
||||||
|
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
|
||||||
|
+ ...
|
||||||
|
|
||||||
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
|
diff -up openssl-1.0.1k/ssl/ssl_err.c.logjam openssl-1.0.1k/ssl/ssl_err.c
|
||||||
|
--- openssl-1.0.1k/ssl/ssl_err.c.logjam 2015-01-08 15:00:36.000000000 +0100
|
||||||
|
+++ openssl-1.0.1k/ssl/ssl_err.c 2015-05-29 16:02:33.336187166 +0200
|
||||||
|
@@ -362,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
|
||||||
|
{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
|
||||||
|
{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
|
||||||
|
{ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
|
||||||
|
+{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL) ,"dh key too small"},
|
||||||
|
{ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
|
||||||
|
{ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
|
||||||
|
{ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
|
||||||
|
diff -up openssl-1.0.1k/ssl/ssl.h.logjam openssl-1.0.1k/ssl/ssl.h
|
||||||
|
--- openssl-1.0.1k/ssl/ssl.h.logjam 2015-05-29 16:02:19.210862433 +0200
|
||||||
|
+++ openssl-1.0.1k/ssl/ssl.h 2015-05-29 16:02:33.337187189 +0200
|
||||||
|
@@ -2317,6 +2317,7 @@ void ERR_load_SSL_strings(void);
|
||||||
|
#define SSL_R_DATA_LENGTH_TOO_LONG 146
|
||||||
|
#define SSL_R_DECRYPTION_FAILED 147
|
||||||
|
#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
|
||||||
|
+#define SSL_R_DH_KEY_TOO_SMALL 372
|
||||||
|
#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
|
||||||
|
#define SSL_R_DIGEST_CHECK_FAILED 149
|
||||||
|
#define SSL_R_DTLS_MESSAGE_TOO_BIG 334
|
||||||
|
diff -up openssl-1.0.1k/ssl/s3_clnt.c.logjam openssl-1.0.1k/ssl/s3_clnt.c
|
||||||
|
--- openssl-1.0.1k/ssl/s3_clnt.c.logjam 2015-01-08 15:00:56.000000000 +0100
|
||||||
|
+++ openssl-1.0.1k/ssl/s3_clnt.c 2015-05-29 16:02:33.338187212 +0200
|
||||||
|
@@ -3393,24 +3393,34 @@ int ssl3_check_cert_and_algorithm(SSL *s
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DH
|
||||||
|
- if ((alg_k & SSL_kEDH) &&
|
||||||
|
- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
|
||||||
|
+ if ((alg_k & SSL_kEDH) && dh == NULL)
|
||||||
|
{
|
||||||
|
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
|
||||||
|
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
- else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
|
||||||
|
+ if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
|
||||||
|
{
|
||||||
|
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
- else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
|
||||||
|
+ if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
|
||||||
|
{
|
||||||
|
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
|
||||||
|
goto f_err;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
+ /* Check DHE only: static DH not implemented. */
|
||||||
|
+ if (alg_k & SSL_kEDH)
|
||||||
|
+ {
|
||||||
|
+ int dh_size = BN_num_bits(dh->p);
|
||||||
|
+ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
|
||||||
|
+ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512))
|
||||||
|
+ {
|
||||||
|
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
|
||||||
|
+ goto f_err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
|
|
@ -0,0 +1,59 @@
|
||||||
|
diff -up openssl-1.0.1k/crypto/ec/ec_curve.c.secp256k1 openssl-1.0.1k/crypto/ec/ec_curve.c
|
||||||
|
--- openssl-1.0.1k/crypto/ec/ec_curve.c.secp256k1 2015-08-13 07:47:37.890966462 -0400
|
||||||
|
+++ openssl-1.0.1k/crypto/ec/ec_curve.c 2015-08-13 08:01:31.697866786 -0400
|
||||||
|
@@ -82,6 +82,36 @@ typedef struct {
|
||||||
|
unsigned int cofactor; /* promoted to BN_ULONG */
|
||||||
|
} EC_CURVE_DATA;
|
||||||
|
|
||||||
|
+static const struct { EC_CURVE_DATA h; unsigned char data[0+32*6]; }
|
||||||
|
+ _EC_SECG_PRIME_256K1 = {
|
||||||
|
+ { NID_X9_62_prime_field,0,32,1 },
|
||||||
|
+ { /* no seed */
|
||||||
|
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* p */
|
||||||
|
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
|
||||||
|
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,
|
||||||
|
+ 0xFC,0x2F,
|
||||||
|
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* a */
|
||||||
|
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
+ 0x00,0x00,
|
||||||
|
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* b */
|
||||||
|
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
||||||
|
+ 0x00,0x07,
|
||||||
|
+ 0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0, /* x */
|
||||||
|
+ 0x62,0x95,0xCE,0x87,0x0B,0x07,0x02,0x9B,0xFC,0xDB,
|
||||||
|
+ 0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8,
|
||||||
|
+ 0x17,0x98,
|
||||||
|
+ 0x48,0x3a,0xda,0x77,0x26,0xa3,0xc4,0x65,0x5d,0xa4, /* y */
|
||||||
|
+ 0xfb,0xfc,0x0e,0x11,0x08,0xa8,0xfd,0x17,0xb4,0x48,
|
||||||
|
+ 0xa6,0x85,0x54,0x19,0x9c,0x47,0xd0,0x8f,0xfb,0x10,
|
||||||
|
+ 0xd4,0xb8,
|
||||||
|
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, /* order */
|
||||||
|
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,
|
||||||
|
+ 0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,0x8C,0xD0,0x36,
|
||||||
|
+ 0x41,0x41 }
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
static const struct { EC_CURVE_DATA h; unsigned char data[20+48*6]; }
|
||||||
|
_EC_NIST_PRIME_384 = {
|
||||||
|
{ NID_X9_62_prime_field,20,48,1 },
|
||||||
|
@@ -212,6 +242,7 @@ typedef struct _ec_list_element_st {
|
||||||
|
static const ec_list_element curve_list[] = {
|
||||||
|
/* prime field curves */
|
||||||
|
/* secg curves */
|
||||||
|
+ { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" },
|
||||||
|
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
||||||
|
{ NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
|
||||||
|
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
||||||
|
diff -up openssl-1.0.1k/ssl/t1_lib.c.secp256k1 openssl-1.0.1k/ssl/t1_lib.c
|
||||||
|
--- openssl-1.0.1k/ssl/t1_lib.c.secp256k1 2015-08-13 08:03:17.401589785 -0400
|
||||||
|
+++ openssl-1.0.1k/ssl/t1_lib.c 2015-08-13 08:05:44.283292971 -0400
|
||||||
|
@@ -218,6 +218,7 @@ static int pref_list[] =
|
||||||
|
NID_sect283k1, /* sect283k1 (9) */
|
||||||
|
NID_sect283r1, /* sect283r1 (10) */
|
||||||
|
#endif
|
||||||
|
+ NID_secp256k1, /* secp256k1 (22) */
|
||||||
|
NID_X9_62_prime256v1, /* secp256r1 (23) */
|
||||||
|
#ifndef OPENSSL_NO_EC2M
|
||||||
|
NID_sect239k1, /* sect239k1 (8) */
|
41
openssl.spec
41
openssl.spec
|
@ -23,7 +23,7 @@
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.0.1k
|
Version: 1.0.1k
|
||||||
Release: 7%{?dist}
|
Release: 12%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
|
@ -83,6 +83,7 @@ Patch77: openssl-1.0.1e-weak-ciphers.patch
|
||||||
Patch90: openssl-1.0.1e-enc-fail.patch
|
Patch90: openssl-1.0.1e-enc-fail.patch
|
||||||
Patch92: openssl-1.0.1h-system-cipherlist.patch
|
Patch92: openssl-1.0.1h-system-cipherlist.patch
|
||||||
Patch93: openssl-1.0.1h-disable-sslv2v3.patch
|
Patch93: openssl-1.0.1h-disable-sslv2v3.patch
|
||||||
|
Patch94: openssl-1.0.1k-secp256k1.patch
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch80: openssl-1.0.1j-evp-wrap.patch
|
Patch80: openssl-1.0.1j-evp-wrap.patch
|
||||||
Patch81: openssl-1.0.1k-padlock64.patch
|
Patch81: openssl-1.0.1k-padlock64.patch
|
||||||
|
@ -96,6 +97,12 @@ Patch103: openssl-1.0.1e-cve-2015-0287.patch
|
||||||
Patch104: openssl-1.0.1e-cve-2015-0288.patch
|
Patch104: openssl-1.0.1e-cve-2015-0288.patch
|
||||||
Patch105: openssl-1.0.1k-cve-2015-0289.patch
|
Patch105: openssl-1.0.1k-cve-2015-0289.patch
|
||||||
Patch106: openssl-1.0.1e-cve-2015-0293.patch
|
Patch106: openssl-1.0.1e-cve-2015-0293.patch
|
||||||
|
Patch107: openssl-1.0.1k-alt-chains.patch
|
||||||
|
Patch108: openssl-1.0.1k-cve-2015-4000.patch
|
||||||
|
Patch109: openssl-1.0.1e-cve-2015-1789.patch
|
||||||
|
Patch110: openssl-1.0.1e-cve-2015-1790.patch
|
||||||
|
Patch111: openssl-1.0.1k-cve-2015-1791.patch
|
||||||
|
Patch112: openssl-1.0.1e-cve-2015-1792.patch
|
||||||
|
|
||||||
License: OpenSSL
|
License: OpenSSL
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
|
@ -212,6 +219,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||||
%patch90 -p1 -b .enc-fail
|
%patch90 -p1 -b .enc-fail
|
||||||
%patch92 -p1 -b .system
|
%patch92 -p1 -b .system
|
||||||
%patch93 -p1 -b .v2v3
|
%patch93 -p1 -b .v2v3
|
||||||
|
%patch94 -p1 -b .secp256k1
|
||||||
|
|
||||||
%patch80 -p1 -b .wrap
|
%patch80 -p1 -b .wrap
|
||||||
%patch81 -p1 -b .padlock64
|
%patch81 -p1 -b .padlock64
|
||||||
|
@ -225,6 +233,12 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
|
||||||
%patch104 -p1 -b .req-null-deref
|
%patch104 -p1 -b .req-null-deref
|
||||||
%patch105 -p1 -b .pkcs7-null-deref
|
%patch105 -p1 -b .pkcs7-null-deref
|
||||||
%patch106 -p1 -b .ssl2-assert
|
%patch106 -p1 -b .ssl2-assert
|
||||||
|
%patch107 -p1 -b .alt-chains
|
||||||
|
%patch108 -p1 -b .logjam
|
||||||
|
%patch109 -p1 -b .oob-read
|
||||||
|
%patch110 -p1 -b .missing-content
|
||||||
|
%patch111 -p1 -b .ticket-race
|
||||||
|
%patch112 -p1 -b .unknown-hash
|
||||||
|
|
||||||
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
|
||||||
|
|
||||||
|
@ -492,6 +506,26 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 13 2015 Tom Callaway <spot@fedoraproject.org> 1.0.1k-12
|
||||||
|
- enable secp256k1 (bz1021898)
|
||||||
|
|
||||||
|
* Thu Jul 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-11
|
||||||
|
- fix CVE-2015-1793 - certificate verification forgery
|
||||||
|
|
||||||
|
* Mon Jun 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-10
|
||||||
|
- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time
|
||||||
|
- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent
|
||||||
|
- fix CVE-2015-1791 - race condition handling NewSessionTicket
|
||||||
|
- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function
|
||||||
|
- add missing parts of CVE-2015-0209 fix for corectness although unexploitable
|
||||||
|
|
||||||
|
* Fri May 29 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-9
|
||||||
|
- fix CVE-2015-4000 - prevent the logjam attack on client - restrict
|
||||||
|
the DH key size to at least 768 bits (limit will be increased in future)
|
||||||
|
|
||||||
|
* Thu Apr 30 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-8
|
||||||
|
- try to find alternative cert chains (#1166614)
|
||||||
|
|
||||||
* Thu Apr 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-7
|
* Thu Apr 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-7
|
||||||
- drop the AES-GCM restriction of 2^32 operations because the IV is
|
- drop the AES-GCM restriction of 2^32 operations because the IV is
|
||||||
always 96 bits (32 bit fixed field + 64 bit invocation field)
|
always 96 bits (32 bit fixed field + 64 bit invocation field)
|
||||||
|
@ -520,11 +554,6 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
||||||
* Fri Jan 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-1
|
* Fri Jan 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-1
|
||||||
- new upstream release fixing multiple security issues
|
- new upstream release fixing multiple security issues
|
||||||
|
|
||||||
* Thu Nov 20 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-3
|
|
||||||
- disable SSLv3 by default again (mail servers and possibly
|
|
||||||
LDAP servers should probably allow it explicitly for legacy
|
|
||||||
clients)
|
|
||||||
|
|
||||||
* Tue Oct 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-2
|
* Tue Oct 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-2
|
||||||
- update the FIPS RSA keygen to be FIPS 186-4 compliant
|
- update the FIPS RSA keygen to be FIPS 186-4 compliant
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue