Skip to content
  1. Nov 08, 2017
  2. Nov 07, 2017
  3. Nov 03, 2017
  4. Nov 02, 2017
  5. Nov 01, 2017
  6. Oct 26, 2017
  7. Oct 25, 2017
    • Matt Caswell's avatar
      Don't make any changes to the lhash structure if we are going to fail · 1aa0fcfb
      Matt Caswell authored
      
      
      The lhash expand() function can fail if realloc fails. The previous
      implementation made changes to the structure and then attempted to do a
      realloc. If the realloc failed then it attempted to undo the changes it
      had just made. Unfortunately changes to lh->p were not undone correctly,
      ultimately causing subsequent expand() calls to increment num_nodes to a
      value higher than num_alloc_nodes, which can cause out-of-bounds reads/
      writes. This is not considered a security issue because an attacker cannot
      cause realloc to fail.
      
      This commit moves the realloc call to near the beginning of the function
      before any other changes are made to the lhash structure. That way if a
      failure occurs we can immediately fail without having to undo anything.
      
      Thanks to Pavel Kopyl (Samsung) for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4551)
      1aa0fcfb
  8. Oct 24, 2017
  9. Oct 23, 2017
  10. Oct 19, 2017
  11. Oct 13, 2017
  12. Oct 11, 2017
    • Matt Caswell's avatar
      Ensure we test all parameters for BN_FLG_CONSTTIME · 86ccadf5
      Matt Caswell authored
      
      
      RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
      BN_mod_exp() as follows:
      
      BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)
      
      ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
      BN_mod_exp() we only test the third param for the existence of this flag.
      We should test all the inputs.
      
      Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
      issue.
      
      This typically only happens once at key load, so this is unlikely to be
      exploitable in any real scenario.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4477)
      
      (cherry picked from commit e913d11f)
      86ccadf5
  13. Oct 03, 2017
  14. Oct 02, 2017
  15. Sep 29, 2017
  16. Sep 27, 2017
  17. Sep 26, 2017
  18. Sep 19, 2017
  19. Sep 11, 2017
  20. Sep 07, 2017
  21. Aug 28, 2017