- Mar 19, 2015
-
-
Matt Caswell authored
Reported by the LibreSSL project as a follow on to CVE-2015-0209 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Update the NEWS file with the latest entries from CHANGES ready for the release. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Update CHANGES file with all the latest fixes ready for the release. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
There was a discrepancy between the 1.0.2 version of NEWS and the 1.0.1 version. This fixes it. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
There were some discrepancies in the CHANGES file between the 1.0.1 version and 1.0.2. This corrects it. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Remove entries from CHANGES and NEWS from letter releases that occur *after* the next point release. Without this we get duplicate entries for the same issue appearing multiple times. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Emilia Kasper authored
This assert is reachable for servers that support SSLv2 and export ciphers. Therefore, such servers can be DoSed by sending a specially crafted SSLv2 CLIENT-MASTER-KEY. Also fix s2_srvr.c to error out early if the key lengths are malformed. These lengths are sent unencrypted, so this does not introduce an oracle. CVE-2015-0293 This issue was discovered by Sean Burford (Google) and Emilia Käsper of the OpenSSL development team. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Emilia Kasper authored
In PKCS#7, the ASN.1 content component is optional. This typically applies to inner content (detached signatures), however we must also handle unexpected missing outer content correctly. This patch only addresses functions reachable from parsing, decryption and verification, and functions otherwise associated with reading potentially untrusted data. Correcting all low-level API calls requires further work. CVE-2015-0289 Thanks to Michal Zalewski (Google) for reporting this issue. Reviewed-by: Steve Henson <steve@openssl.org>
-
Dr. Stephen Henson authored
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. CVE-2015-0286 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
If client auth is used then a server can seg fault in the event of a DHE cipher being used and a zero length ClientKeyExchange message being sent by the client. This could be exploited in a DoS attack. CVE-2015-1787 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Dr. Stephen Henson authored
If a client renegotiates using an invalid signature algorithms extension it will crash a server with a NULL pointer dereference. Thanks to David Ramos of Stanford University for reporting this bug. CVE-2015-0291 Reviewed-by: Tim Hudson <tjh@openssl.org> Conflicts: ssl/t1_lib.c
-
Dr. Stephen Henson authored
Fix a bug where invalid PSS parameters are not rejected resulting in a NULL pointer exception. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. Thanks to Brian Carpenter for reporting this issues. CVE-2015-0208 Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Dr. Stephen Henson authored
CVE-2015-0287 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invokation to the next that can lead to a segmentation fault. Erorrs processing the initial ClientHello can trigger this scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server. CVE-2015-0207 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of "multiblock" can cause OpenSSL's internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack. CVE-2015-0290 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
-
- Mar 18, 2015
-
-
Dr. Stephen Henson authored
Add support for ServerInfo SSL_CONF option and update documentation. This was wrongly omitted from the 1.0.2 release. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Mar 17, 2015
-
-
Matt Caswell authored
Some miscellaneous removal of dead code from apps. Also fix an issue with error handling with pkcs7. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 11abf922)
-
Matt Caswell authored
Some miscellaneous removal of dead code from lib crypto. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit b7573c59)
-
Matt Caswell authored
Passing a negative value for the "-time" option to s_time results in a seg fault. This commit fixes it so that time has to be greater than 0. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit dfef52f6)
-
Matt Caswell authored
The function tls1_PRF counts the number of digests in use and partitions security evenly between them. There always needs to be at least one digest in use, otherwise this is an internal error. Add a sanity check for this. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 668f6f08)
-
Matt Caswell authored
The function sk_zero is supposed to zero the elements held within a stack. It uses memset to do this. However it calculates the size of each element as being sizeof(char **) instead of sizeof(char *). This probably doesn't make much practical difference in most cases, but isn't a portable assumption. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 7132ac83)
-
Matt Caswell authored
Move memory allocation failure checks closer to the site of the malloc in dgst app. Only a problem if the debug flag is set...but still should be fixed. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit be1477ad)
-
Matt Caswell authored
Add some missing checks for memory allocation failures in ca app. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit a561bfe9)
-
- Mar 15, 2015
-
-
Carl Jackson authored
Previously, ASN1_UTCTIME_cmp_time_t would return 1 if s > t, -1 if s < t, and 0 if s == t. This behavior was broken in a refactor [0], resulting in the opposite time comparison behavior. [0]: 904348a4 PR#3706 Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit da27006d)
-
- Mar 14, 2015
-
-
Andy Polyakov authored
Other curves don't have this problem. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 9fbbdd73)
-
Emilia Kasper authored
Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts. If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable in an integer, behaviour is undefined. In other words, you can't shift into the sign bit of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24. (For consistency, cast other shifts, too.) Caught by -fsanitize=shift Submitted by Nick Lewycky (Google) Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 8b37e5c1)
-
- Mar 12, 2015
-
-
Dr. Stephen Henson authored
Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 3d764db7)
-
Dr. Stephen Henson authored
When printing out an ASN.1 structure if the type is an item template don't fall thru and attempt to interpret as a primitive type. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 5dc1247a)
-
Matt Caswell authored
If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY or the type of the public key is unrecognised then the local variable |cpk| in tls1_check_chain does not get initialised. Subsequently an attempt is made to deref it (after the "end" label), and a seg fault will result. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> (cherry picked from commit d813f9eb)
-
Matt Caswell authored
Fixed assorted missing return value checks in c3_cpols.c Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit c5f2b533)
-
Matt Caswell authored
The return value from ASN1_STRING_new() was not being checked which could lead to a NULL deref in the event of a malloc failure. Also fixed a mem leak in the error path. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 0c7ca403)
-
Matt Caswell authored
The return value from ASN1_STRING_new() was not being checked which could lead to a NULL deref in the event of a malloc failure. Also fixed a mem leak in the error path. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 6aa8dab2)
-
Matt Caswell authored
The call to asn1_do_adb can return NULL on error, so we should check the return value before attempting to use it. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 34a7ed0c)
-
Matt Caswell authored
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple of conditional code paths that check whether |it| is NULL or not - but later |it| is deref'd unconditionally. If |it| was ever really NULL then this would seg fault. In practice ASN1_primitive_new is marked as an internal function in the public header file. The only places it is ever used internally always pass a non NULL parameter for |it|. Therefore, change the code to sanity check that |it| is not NULL, and remove the conditional checking. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 9e488fd6)
-
Matt Caswell authored
Calling EVP_DigestInit_ex which has already had the digest set up for it should be possible. You are supposed to be able to pass NULL for the type. However currently this seg faults. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit a0108702)
-
Matt Caswell authored
In the event of an error |rr| could be NULL. Therefore don't assume you can use |rr| in the error handling code. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 8c5a7b33)
-
Andy Polyakov authored
- SIGSEGV/ILL in CCM (RT#3688); Reviewed-by: Matt Caswell <matt@openssl.org>
-
- Mar 11, 2015
-
-
Matt Caswell authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org> (cherry picked from commit ac5a1106)
-
Matt Caswell authored
Cleanse various intermediate buffers used by the PRF (backported version from master). Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Mar 10, 2015
-
-
Emilia Kasper authored
Ensure all malloc failures return -1. Reported by Adam Langley (Google). Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 06c6a2b4)
-