Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 111b60be)

If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1)

The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)

It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ec5c5dd)

Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit f49baeff)

While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b496)

Conflicts:
	crypto/asn1/tasn_new.c

Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe09)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 37d92b1b)

There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae50d827)

Resolve a problem when using s_server with ECDHE cipher
suites in OpenSSL_1_0_1-stable.  Due to an uninitialized variable,
SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug
appears to have been introduced by
05990777

.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 30cd4ff2)

Conflicts:
	crypto/ec/ec_asn1.c

While a true positive, it's almost harmless because EVP_DecryptInit_ex would have to fail and that doesn't happen under normal operation.

Reviewed-by: Richard Levitte <levitte@openssl.org>

if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 70e5fd87)

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	crypto/hmac/hmac.c

Reviewed-by: Richard Levitte <levitte@openssl.org>

Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8f8e4e4f)

Conflicts:
	crypto/evp/e_des3.c

The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c136)

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30d)

If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc2)

Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828



RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 7c82e339)

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update CHANGES fiel with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>

This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>

CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf922)

Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c59)

Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit dfef52f6)

The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08)

The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7132ac83)

Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit be1477ad)