1. 23 Sep, 2015 1 commit
  2. 22 Sep, 2015 2 commits
  3. 17 Sep, 2015 1 commit
    • Make sure OPENSSL_cleanse checks for NULL · 5e7d583b
      Matt Caswell authored
      
      
      In master we have the function OPENSSL_clear_free(x,y), which immediately
      returns if x == NULL. In <=1.0.2 this function does not exist so we have to
      do:
          OPENSSL_cleanse(x, y);
          OPENSSL_free(x);
      
      However, previously, OPENSSL_cleanse did not check if x == NULL, so
      the real equivalent check would have to be:
          if (x != NULL)
              OPENSSL_cleanse(x, y);
          OPENSSL_free(x);
      
      It would be easy to get this wrong during cherry-picking to other branches
      and therefore, for safety, it is best to just ensure OPENSSL_cleanse also
      checks for NULL.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (cherry picked from commit 020d8fc8)
  4. 01 Sep, 2015 1 commit
    • Fix building with OPENSSL_NO_TLSEXT. · 27bc0555
      Matt Caswell authored
      
      
      Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the
      issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code
      consistency. However this commit will not fix no-tlsext in those branches
      which have always been broken for other reasons. The commit is not applied
      to master at all, because no-tlsext has been completely removed from that
      branch.
      
      Based on a patch by Marc Branchaud <marcnarc@xiplink.com>
      
      Reviewed-by: Emilia Käsper <emilia@openssl.org>
      (cherry picked from commit 9a931208)
      
      Conflicts:
      	ssl/ssl_sess.c
  5. 31 Aug, 2015 4 commits
  6. 16 Aug, 2015 1 commit
  7. 29 Jul, 2015 1 commit
  8. 10 Jul, 2015 2 commits
  9. 06 Jul, 2015 1 commit
  10. 11 Jun, 2015 7 commits
  11. 10 Jun, 2015 2 commits
  12. 08 Jun, 2015 1 commit
  13. 04 Jun, 2015 2 commits
    • Clean Kerberos pre-master secret · f803a417
      Matt Caswell authored
      
      
      Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it.
      
      With thanks to the Open Crypto Audit Project for reporting this issue.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (cherry picked from commit 4e3dbe37)
    • Fix off-by-one error in BN_bn2hex · 9759ff0c
      Matt Caswell authored
      
      
      A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
      for this and can allocate a buffer one byte too short in the event of -0
      being used, leading to a one byte buffer overrun. All usage within the
      OpenSSL library is considered safe. Any security risk is considered
      negligible.
      
      With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
      Filip Palian for discovering and reporting this issue.
      
      Reviewed-by: Tim Hudson <tjh@openssl.org>
      (cherry picked from commit c5635307)
      
      Conflicts:
      	crypto/bn/bn_print.c
  14. 02 Jun, 2015 3 commits
    • Add the macro OPENSSL_SYS_WIN64 · f9603f26
      Richard Levitte authored
      
      
      This is for consistency.
      Additionally, have its presence define OPENSSL_SYS_WINDOWS as well.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (cherry picked from commit 3f131556)
      
      Conflicts:
      	e_os2.h
    • Fix race condition in NewSessionTicket · 467daf6b
      Matt Caswell authored
      If a NewSessionTicket is received by a multi-threaded client when
      attempting to reuse a previous ticket then a race condition can occur
      potentially leading to a double free of the ticket data.
      
      CVE-2015-1791
      
      This also fixes RT#3808 where a session ID is changed for a session already
      in the client session cache. Since the session ID is the key to the cache
      this breaks the cache access.
      
      Parts of this patch were inspired by this Akamai change:
      https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (cherry picked from commit 27c76b9b)
      
      Conflicts:
      	ssl/ssl.h
      	ssl/ssl_err.c
    • Clear state in DTLSv1_listen · 113d36a3
      Matt Caswell authored
      This is a backport of commit e83ee04b from
      the master branch (and this has also been applied to 1.0.2). In 1.0.2 this
      was CVE-2015-0207. For other branches there is no known security issue, but
      this is being backported as a precautionary measure.
      
      The DTLSv1_listen function is intended to be stateless and processes
      the initial ClientHello from many peers. It is common for user code to
      loop over the call to DTLSv1_listen until a valid ClientHello is received
      with an associated cookie. A defect in the implementation of DTLSv1_listen
      means that state is preserved in the SSL object from one invocation to the
      next.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
      (cherry picked from commit cce3e4ad)
  15. 28 May, 2015 2 commits
  16. 22 May, 2015 2 commits
    • Fix off-by-one in BN_rand · f3b555a6
      Matt Caswell authored
      
      
      If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
      buffer overflow can occur. There are no such instances within OpenSSL at
      the moment.
      
      Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
      discovering and reporting this issue.
      
      Reviewed-by: Kurt Roeckx <kurt@openssl.org>
    • Reject negative shifts for BN_rshift and BN_lshift · c0de854c
      Matt Caswell authored
      
      
      The functions BN_rshift and BN_lshift shift their arguments to the right or
      left by a specified number of bits. Unpredictable results (including
      crashes) can occur if a negative number is supplied for the shift value.
      
      Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
      for discovering and reporting this issue.
      
      Reviewed-by: Kurt Roeckx <kurt@openssl.org>
      (cherry picked from commit 7cc18d81)
      
      Conflicts:
      	crypto/bn/bn.h
      	crypto/bn/bn_err.c
  17. 13 May, 2015 1 commit
    • Add NULL checks from master · 155ca14e
      Rich Salz authored
      
      
      The big "don't check for NULL" cleanup requires backporting some
      of the lowest-level functions to actually do nothing if NULL is
      given.  This will make it easier to backport fixes to release
      branches, where master assumes those lower-level functions are "safe"
      
      This commit addresses those tickets: 3798 3799 3801.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (cherry picked from commit f34b095f)
      (cherry picked from commit 690d040b)
  18. 18 Apr, 2015 1 commit
  19. 16 Apr, 2015 1 commit
  20. 14 Apr, 2015 2 commits
    • Fix ssl_get_prev_session overrun · 5d28381a
      Matt Caswell authored
      
      
      If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
      past the end of the ClientHello message if the session_id length in the
      ClientHello is invalid. This should not cause any security issues since the
      underlying buffer is 16k in size. It should never be possible to overrun by
      that many bytes.
      
      This is probably made redundant by the previous commit - but you can never be
      too careful.
      
      With thanks to Qinghao Tang for reporting this issue.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (cherry picked from commit 5e0a80c1)
      
      Conflicts:
      	ssl/ssl_sess.c
    • Check for ClientHello message overruns · eeda9661
      Matt Caswell authored
      
      
      The ClientHello processing is insufficiently rigorous in its checks to make
      sure that we don't read past the end of the message. This does not have
      security implications due to the size of the underlying buffer - but still
      needs to be fixed.
      
      With thanks to Qinghao Tang for reporting this issue.
      
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
  21. 10 Apr, 2015 1 commit
    • Don't set *pval to NULL in ASN1_item_ex_new. · c5b0f5c4
      Dr. Stephen Henson authored
      
      
      While *pval is usually a pointer, in rare circumstances it can be a long
      value. On some platforms (e.g. WIN64) where
      sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.
      
      *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
      to NULL is unnecessary anyway.
      
      Thanks to Julien Kauffmann for reporting this issue.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
      (cherry picked from commit f617b496)
      
      Conflicts:
      	crypto/asn1/tasn_new.c
  22. 08 Apr, 2015 1 commit
    • Have mkerr.pl treat already existing multiline string defs properly · 32fbe914
      Richard Levitte authored
      
      
      Since source reformat, we ended up with some error reason string
      definitions that spanned two lines.  That in itself is fine, but we
      sometimes edited them to provide better strings than what could be
      automatically determined from the reason macro, for example:
      
          {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
           "Peer haven't sent GOST certificate, required for selected ciphersuite"},
      
      However, mkerr.pl didn't treat those two-line definitions right, and
      they ended up being retranslated to whatever the macro name would
      indicate, for example:
      
          {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
           "No gost certificate sent by peer"},
      
      Clearly not what we wanted.  This change fixes this problem.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      (cherry picked from commit 2cfdfe09)
      
      Conflicts:
      	util/mkerr.pl