- Jun 15, 2018
-
-
Bernd Edlinger authored
Prevent a possible recursion in ERR_get_state and fix the problem that was pointed out in commit aef84bb4 differently. Fixes: #6493 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6494)
-
- Jun 13, 2018
-
-
Matt Caswell authored
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an ECDSA signature operation. During signing the signer calculates: s:= k^-1 * (m + r * priv_key) mod order The addition operation above provides a sufficient signal for a flush+reload attack to derive the private key given sufficient signature operations. As a mitigation (based on a suggestion from Keegan) we add blinding to the operation so that: s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order Since this attack is a localhost side channel only no CVE is assigned. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Jun 12, 2018
-
-
Nicola Tuveri authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6460) (cherry picked from commit 8fe4c0b0)
-
Guido Vranken authored
CVE-2018-0732 Signed-off-by: Guido Vranken <guidovranken@gmail.com> (cherry picked from commit 91f7361f ) Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6457)
-
- Jun 11, 2018
-
-
Richard Levitte authored
Fixes #6449 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6450)
-
- Jun 09, 2018
-
-
Andy Polyakov authored
This module is used only with odd input lengths, i.e. not used in normal PKI cases, on contemporary processors. The problem was "illuminated" by fuzzing tests. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6440) (cherry picked from commit f55ef97b)
-
- Jun 08, 2018
-
-
Mingtao Yang authored
Upon a call to CRYPTO_ocb128_setiv, either directly on an OCB_CTX or indirectly with EVP_CTRL_AEAD_SET_IVLEN, reset the nonce-dependent variables in the OCB_CTX. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6420) (cherry picked from commit bbb02a5b)
-
- Jun 07, 2018
-
-
Marcus Huewe authored
If the remove_session_cb accesses the session's data (for instance, via SSL_SESSION_get_protocol_version), a potential use after free can occur. For this, consider the following scenario when adding a new session via SSL_CTX_add_session: - The session cache is full (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) - Only the session cache has a reference to ctx->session_cache_tail (that is, ctx->session_cache_tail->references == 1) Since the cache is full, remove_session_lock is called to remove ctx->session_cache_tail from the cache. That is, it SSL_SESSION_free()s the session, which free()s the data. Afterwards, the free()d session is passed to the remove_session_cb. If the callback accesses the session's data, we have a use after free. The free before calling the callback behavior was introduced in commit e4612d02 ("Remove sessions from external cache, even if internal cache not used."). CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6222) (cherry picked from commit c0a58e03)
-
- Jun 05, 2018
-
-
Rich Salz authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6413) (cherry picked from commit 630fe1da)
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6404) (cherry picked from commit 886c2e61)
-
- Jun 02, 2018
-
-
Ken Goldman authored
ECDSA_SIG_new() returns NULL on error. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6398) (cherry picked from commit 6da34cfb)
-
- May 31, 2018
-
-
Richard Levitte authored
Just because an engine implements algorithm methods, that doesn't mean it also implements the ASN1 method. Therefore, be careful when looking for an ASN1 method among all engines, don't try to use one that doesn't exist. Fixes #6381 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6383) (cherry picked from commit 1ac3cd62)
-
Richard Levitte authored
XN_FLAG_COMPAT has a unique property, its zero for value. This means it needs special treatment; if it has been set (which can only be determined indirectly) and set alone (*), no other flags should be set. (*) if any other nameopt flag has been set by the user, compatibility mode is blown away. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6382) (cherry picked from commit 3190d1dc)
-
- May 30, 2018
-
-
Mingtao Yang authored
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so applications that were previously able to define a custom lookup method are not able to be ported. This commit adds getters and setters for each of the current fields of X509_LOOKUP_METHOD, along with getters and setters on several associated opaque types (such as X509_LOOKUP and X509_OBJECT). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6152) (cherry picked from commit 0124f32a)
-
- May 29, 2018
-
-
Matt Caswell authored
Thanks to Guido Vranken and OSSFuzz for finding this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6355) (cherry picked from commit 4aa5b725)
-
- May 26, 2018
-
-
Bernd Edlinger authored
[extended tests] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6362)
-
- May 24, 2018
-
-
David Benjamin authored
TlsGetValue clears the last error even on success, so that callers may distinguish it successfully returning NULL or failing. This error-mangling behavior interferes with the caller's use of GetLastError. In particular SSL_get_error queries the error queue to determine whether the caller should look at the OS's errors. To avoid destroying state, save and restore the Windows error. Fixes #6299. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 2de108df) (Merged from https://github.com/openssl/openssl/pull/6349)
-
Matt Caswell authored
We check that the curve name associated with the point is the same as that for the curve. Fixes #6302 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6323) (cherry picked from commit b14e6015)
-
- May 23, 2018
-
-
Viktor Dukhovni authored
Only check the CN against DNS name contraints if the `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the certificate has no DNS subject alternative names or the `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set. Add pertinent documentation, and touch up some stale text about name checks and DANE. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Viktor Dukhovni authored
Don't apply DNS name constraints to the subject CN when there's a least one DNS-ID subjectAlternativeName. Don't apply DNS name constraints to subject CN's that are sufficiently unlike DNS names. Checked name must have at least two labels, with all labels non-empty, no trailing '.' and all hyphens must be internal in each label. In addition to the usual LDH characters, we also allow "_", since some sites use these for hostnames despite all the standards. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- May 21, 2018
-
-
Tilman Keskinöz authored
NULL-check for cipher is redundant, instead check if cipher->name is NULL While here fix formatting of BIO_printf calls as suggested by Andy Polyakov. CLA: trivial Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6282) (cherry picked from commit d61e6040)
-
Matt Caswell authored
If the lengths of both names is 0 then don't attempt to do a memcmp. Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6291) (cherry picked from commit 511190b6)
-
- May 20, 2018
-
-
Richard Levitte authored
This adds the possibility to exclude files by regexp in util/copy.pl Partial fix for #3254 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6303) (cherry picked from commit 246bd8fd)
-
Richard Levitte authored
--quiet stops warnings of this sort: Cannot find "BIO_read_ex" in podpath: cannot find suitable replacement path, cannot resolve link We know what causes these warnings, it's perfectly innocuous, and we don't want to hear it any more. Partial fix for #3254 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6304) (cherry picked from commit 6439e343)
-
Richard Levitte authored
A previous change of this function introduced a fragility when the destination happens to be the same as the source. Such alias isn't recommended, but could still happen, for example in this kind of code: X509_NAME *subject = X509_get_issuer_name(x); /* ... some code passes ... */ X509_set_issuer_name(x, subject); Fixes #4710 Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6280) (cherry picked from commit c1c1783d)
-
- May 19, 2018
-
-
Bernd Edlinger authored
Thanks to Darovskikh Andrei for for reporting this issue. Fixes: #5785 Fixes: #6302 Cherry-picked from f91e026e (without test/bntest.c) Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6310)
-
- May 18, 2018
-
-
FdaSilvaYY authored
because there are actually 17 curves defined, but only 16 are plugged for ecdsa test. Deduce array size using OSSL_NELEM and so remove various magic numbers, which required some declarations moving. Implement OPT_PAIR list search without a null-ending element. Fix some comparison between signed and unsigned integer expressions. cherry-picking from commit 5c6a69f5 . Partial Back-port of #6133 to 1.1.0 Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6245)
-
- May 17, 2018
-
-
Matt Caswell authored
Experiments have shown that the lookup table used by BN_GF2m_mod_arr introduces sufficient timing signal to recover the private key for an attacker with access to cache timing information on the victim's host. This only affects binary curves (which are less frequently used). No CVE is considered necessary for this issue. The fix is to replace the lookup table with an on-the-fly calculation of the value from the table instead, which can be performed in constant time. Thanks to Youngjoo Shin for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6270) (cherry picked from commit b336ce57)
-
Richard Levitte authored
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6249) (cherry picked from commit 029c11c2)
-
- May 16, 2018
-
-
Richard Levitte authored
There are *roff parsers that are strict about the NAME section being one line only. The man(7) on Debian GNU/Linux suggests that this is appropriate, so we compensate our multi-line NAME sections by fixing the *roff output. Noted by Eric S. Raymond Related to #6264 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6268) (cherry picked from commit 8d483b2d)
-
- May 15, 2018
-
-
Matt Caswell authored
The TLS code marks records as read when its finished using a record. The DTLS code did not do that. However SSL_has_pending() relies on it. So we should make DTLS consistent. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6160)
-
- May 14, 2018
-
-
Richard Levitte authored
'install' depends on 'install_docs', so making the latter explicit is a waste. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6250) (cherry picked from commit 986caf9e)
-
Richard Levitte authored
The Console UI method always set echo on after prompting without echo. However, echo might not have been on originally, so just restore the original TTY settings. Fixes #2373 Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6157)
-
- May 12, 2018
-
-
Pavel Kopyl authored
(cherry picked from commit aebd0e5c ) Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6237)
-
Matt Caswell authored
In DTLS if we have buffered a fragment for a zero length message (e.g. ServerHelloDone) then, when we unbuffered the fragment, we were attempting to memcpy the contents of the fragment which is zero length and a NULL pointer. This is undefined behaviour. We should check first whether we have a zero length fragment. Fixes a travis issue. [extended tests] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6224)
-
Richard Levitte authored
Fixes #4716 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6173) (cherry picked from commit c82c3462)
-
- May 11, 2018
-
-
Dr. Matthias St. Pierre authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6230)
-
Matt Caswell authored
During a full handshake the server is the last one to "speak". The timer should continue to run until we know that the client has received our last flight (e.g. because we receive some application data). Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6196)
-
Matt Caswell authored
Otherwise we may end up in a hang when using blocking sockets Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6196)
-
Matt Caswell authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6196)
-