- Oct 11, 2017
-
-
Matt Caswell authored
RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls BN_mod_exp() as follows: BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx) ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In BN_mod_exp() we only test the third param for the existence of this flag. We should test all the inputs. Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this issue. This typically only happens once at key load, so this is unlikely to be exploitable in any real scenario. Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4477) (cherry picked from commit e913d11f)
-
- Oct 09, 2017
-
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
RESULT_D can be used to provide a separate directory for test results. Let's use that to separate them from other files. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Mouse authored
CLA: trivial Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4494)
-
Richard Levitte authored
Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4499) (cherry picked from commit 0ed78e78)
-
Richard Levitte authored
Reviewed-by:
-
- Oct 08, 2017
-
-
Rich Salz authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4491) (cherry picked from commit 24b0be11)
-
- Oct 06, 2017
-
-
Richard Levitte authored
Fixes #4471 and more Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4473)
-
- Oct 05, 2017
-
-
Emilia Kasper authored
Verify that the encrypt-then-mac negotiation is handled correctly. Additionally, when compiled with no-asm, this test ensures coverage for the constant-time MAC copying code in ssl3_cbc_copy_mac. The proxy-based CBC padding test covers that as well but it's nevertheless better to have an explicit handshake test for mac-then-encrypt. Reviewed-by:
-
David Woodhouse authored
Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
- Oct 04, 2017
-
-
Matt Caswell authored
Reviewed-by:
-
Richard Levitte authored
This avoids issues that can come with an ending backslash, among other. Fixes #4458 Reviewed-by:
-
- Oct 02, 2017
-
-
Bernd Edlinger authored
Change argument type of xxxelem_is_zero_int to const void* to avoid the need of type casts. Fixes #4413 Reviewed-by:
-
- Sep 30, 2017
-
-
Andy Polyakov authored
Reviewed-by:
-
David Benjamin authored
This guards against the name constraints check consuming large amounts of CPU time when certificates in the presented chain contain an excessive number of names (specifically subject email names or subject alternative DNS names) and/or name constraints. Name constraints checking compares the names presented in a certificate against the name constraints included in a certificate higher up in the chain using two nested for loops. Move the name constraints check so that it happens after signature verification so peers cannot exploit this using a chain with invalid signatures. Also impose a hard limit on the number of name constraints check loop iterations to further mitigate the issue. Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by:
-
- Sep 29, 2017
-
-
Samuel Weiser authored
Reviewed-by:
-
Hubert Kario authored
BN_new() and BN_secure_new() not only allocate memory, but also initialise it to deterministic value - 0. Document that behaviour to make it explicit backport from #4438 Reviewed-by:
-
- Sep 27, 2017
-
-
David Benjamin authored
The pub_key field for DH isn't actually used in DH_compute_key at all. (Note the peer public key is passed in as as BIGNUM.) It's mostly there so the caller may extract it from DH_generate_key. It doesn't particularly need to be present if filling in a DH from external parameters. The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node. Their public API is a thin wrapper over the old OpenSSL one: https://nodejs.org/api/crypto.html#crypto_class_diffiehellman They have separate setPrivateKey and setPublicKey methods, so the public key may be set last or not at all. In 1.0.2, either worked fine since operations on DH objects generally didn't use the public key. (Like with OpenSSL, Node's setPublicKey method is also largely a no-op, but so it goes.) In 1.1.0, DH_set0_key prevents create a private-key-only DH object. (cherry picked from commit d58ad9a2a287d1c0bc99ba63c997eed88cc161b5) Reviewed-by:
-
Samuel Weiser authored
Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
-
Samuel Weiser authored
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q. Reviewed-by:
-
- Sep 26, 2017
-
-
Richard Levitte authored
Fixes #4419 Reviewed-by:
-
- Sep 23, 2017
-
-
Pichulin Dmitrii authored
Reviewed-by:
Stephen Henson <steve@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4405) (cherry picked from commit 75c445e4)
-
Dr. Stephen Henson authored
Avoid duplicate assertion by removing dhparam from SSL_CONF parameter list: dhparam is handled manually by s_server. Reviewed-by:
-
- Sep 21, 2017
-
-
Benjamin Kaduk authored
This option was lost when converting to a table-driven option parser in commit 7e1b7485 . Reviewed-by:
-
- Sep 19, 2017
-
-
David Benjamin authored
c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds before doing so. Previously, excessively large inputs to the function could write a single byte outside the target buffer. (This is unreachable as asn1_ex_c2i already uses int for the length.) Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by:
-
- Sep 17, 2017
-
-
Pauli authored
Address coverity report of null pointer being dereferenced. Reviewed-by:
-
- Sep 15, 2017
-
-
Christian Heimes authored
OpenSSL 1.1.0 made SSL_CTX and SSL structs opaque and introduced a new API to set the minimum and maximum protocol version for SSL_CTX with TLS_method(). Add getters to introspect the configured versions: int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); int SSL_get_min_proto_version(SSL *ssl); int SSL_get_max_proto_version(SSL *ssl); NOTE: The getters do not resolv the version in case when the minimum or maxium version are configured as '0' (meaning auto-select lowest and highst version number). Signed-off-by:
Christian Heimes <christian@python.org> Reviewed-by:
-
Benjamin Kaduk authored
If the result of a SSL_{CTX_,}set_{min,max}_proto_version() call leaves the min and max version identical, and support for that version is compiled out of the library, return an error. Such an object has no hope of successfully completing a handshake, and this error may be easier to decipher than the resulting handshake failure. Reviewed-by:
-
- Sep 12, 2017
-
-
Richard Levitte authored
crypto/rand/rand_egd.c makes extensive use of stdio functions. When they are disabled, it makes sense to disable egd as well. Reviewed-by:
-
- Sep 11, 2017
-
-
multics authored
Fixes the typo CLA: trivial Reviewed-by:
-
- Sep 08, 2017
-
-
Matt Caswell authored
If an alert gets sent and then we close the connection immediately with data still in the input buffer then a TCP-RST gets sent. Some OSs immediately abandon data in their input buffer if a TCP-RST is received - meaning the alert data itself gets ditched. Sending a TCP-FIN before the TCP-RST seems to avoid this. This was causing test failures in MSYS2 builds. Reviewed-by:
-
- Sep 07, 2017
-
-
Rich Salz authored
Reviewed-by:
-
- Sep 06, 2017
-
-
Rich Salz authored
Reviewed-by:
-
- Sep 01, 2017
-
-
Richard Levitte authored
Reviewed-by:
-
Andy Polyakov authored
The commit subject is a bit misleading in sense that decisions affect only gcc and gcc-alikes, like clang, recent icc... This is back-port of 54cf3b98 , GH#4281. Reviewed-by:
-
Andy Polyakov authored
OPENSSL_ia32cap.pod discusses possibility to disable operations on XMM register bank. This formally means that this flag has to be checked in combination with other flags. But it customarily isn't. But instead of chasing all the cases we can flip more bits together with FXSR one. Reviewed-by:
-
- Aug 31, 2017
-
-
Richard Levitte authored
When parsing the header files, mkdef.pl didn't clear the line terminator properly. In most cases, this didn't matter, but there were moments when this caused parsing errors (such as CRLFs in certain cases). Fixes #4267 Reviewed-by:
-
Zhu Qun-Ying authored
CLA: trivial Reviewed-by:
-
- Aug 28, 2017
-
-
Rich Salz authored
Fixes CVE 2017-3735 Reviewed-by:
-
