Skip to content
GitLab
  1. 02 Jun, 2015 1 commit
  3. 31 May, 2015 1 commit
    • Matt Caswell's avatar
      Check the message type requested is the type received in DTLS · 8744ba5e
      Matt Caswell authored 
      

dtls1_get_message has an |mt| variable which is the type of the message that
is being requested. If it is negative then any message type is allowed.
However the value of |mt| is not checked in one of the main code paths, so a
peer can send a message of a completely different type and it will be
processed as if it was the message type that we were expecting. This has
very little practical consequences because the current behaviour will still
fail when the format of the message isn't as expected.

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
(cherry picked from commit 8c2b1d87)
      8744ba5e
  5. 28 May, 2015 2 commits
  7. 26 May, 2015 8 commits
  9. 25 May, 2015 1 commit
  11. 24 May, 2015 3 commits
  13. 23 May, 2015 3 commits
  15. 22 May, 2015 5 commits
    • Matt Caswell's avatar
      Fix typo setting up certificate masks · e4731f76
      Matt Caswell authored 
      

The certificate masks are used to select which ciphersuite we are going to
use. The variables |emask_k| and |emask_a| relate to export grade key
exchange and authentication respecitively. The variables |mask_k| and
|mask_a| are the equivalent versions for non-export grade. This fixes an
instance where the two usages of export/non-export were mixed up. In
practice it makes little difference since it still works!

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(cherry picked from commit fdfe8b06)
      e4731f76
    • Matt Caswell's avatar
      Remove export static DH ciphersuites · 595487ea
      Matt Caswell authored 
      

Remove support for the two export grade static DH ciphersuites. These two
ciphersuites were newly added (along with a number of other static DH
ciphersuites) to 1.0.2. However the two export ones have *never* worked
since they were introduced. It seems strange in any case to be adding new
export ciphersuites, and given "logjam" it also does not seem correct to
fix them.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(cherry picked from commit 13f8eb47)

Conflicts:
	CHANGES
      595487ea
    • Matt Caswell's avatar
      Fix off-by-one in BN_rand · c6eb1cbd
      Matt Caswell authored 
      

If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
      c6eb1cbd
    • Matt Caswell's avatar
      Reject negative shifts for BN_rshift and BN_lshift · 1a9499cf
      Matt Caswell authored 
      

The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
(cherry picked from commit 7cc18d81)

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
      1a9499cf
    • Lubom's avatar
      Lost alert in DTLS · 254c01ed
      Lubom authored 
      

If a client receives a bad hello request in DTLS then the alert is not
sent correctly.

RT#2801

Signed-off-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
(cherry picked from commit 4dc1aa04)
      254c01ed
  17. 20 May, 2015 7 commits
  19. 19 May, 2015 1 commit
  21. 15 May, 2015 1 commit
  23. 13 May, 2015 5 commits
    • Rich Salz's avatar
      RT1207: document SSL_COMP_free_compression_methods. · c59bd61b
      Rich Salz authored 
      

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(cherry picked from commit c490a551)
      c59bd61b
    • Rich Salz's avatar
      Add NULL checks from master · f34b095f
      Rich Salz authored 
      

The big "don't check for NULL" cleanup requires backporting some
of the lowest-level functions to actually do nothing if NULL is
given.  This will make it easier to backport fixes to release
branches, where master assumes those lower-level functions are "safe"

This commit addresses those tickets: 3798 3799 3801.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      f34b095f
    • Andy Polyakov's avatar
      aes/asm/aesni-sha256-x86_64.pl: fix Windows compilation failure with old assembler. · d3bb25e3
      Andy Polyakov authored 
      

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(cherry picked from commit 82c4a079)
      d3bb25e3
    • Hanno Böck's avatar
      Call of memcmp with null pointers in obj_cmp() · eba8bf48
      Hanno Böck authored 
      

The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.

This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):
apps/openssl pkcs7 -in test/testp7.pem

What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.

RT#3816

Signed-off-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(cherry picked from commit 2b8dc08b)
      eba8bf48
    • Matt Caswell's avatar
      Don't allow a CCS when expecting a CertificateVerify · 464774d7
      Matt Caswell authored 
      

Currently we set change_cipher_spec_ok to 1 before calling
ssl3_get_cert_verify(). This is because this message is optional and if it
is not sent then the next thing we would expect to get is the CCS. However,
although it is optional, we do actually know whether we should be receiving
one in advance. If we have received a client cert then we should expect
a CertificateVerify message. By the time we get to this point we will
already have bombed out if we didn't get a Certificate when we should have
done, so it is safe just to check whether |peer| is NULL or not. If it is
we won't get a CertificateVerify, otherwise we will. Therefore we should
change the logic so that we only attempt to get the CertificateVerify if
we are expecting one, and not allow a CCS in this scenario.

Whilst this is good practice for TLS it is even more important for DTLS.
In DTLS messages can be lost. Therefore we may be in a situation where a
CertificateVerify message does not arrive even though one was sent. In that
case the next message the server will receive will be the CCS. This could
also happen if messages get re-ordered in-flight. In DTLS if
|change_cipher_spec_ok| is not set and a CCS is received it is ignored.
However if |change_cipher_spec_ok| *is* set then a CCS arrival will
immediately move the server into the next epoch. Any messages arriving for
the previous epoch will be ignored. This means that, in this scenario, the
handshake can never complete. The client will attempt to retransmit
missing messages, but the server will ignore them because they are the wrong
epoch. The server meanwhile will still be waiting for the CertificateVerify
which is never going to arrive.

RT#2958

Reviewed-by: default avatarEmilia Käsper <emilia@openssl.org>
(cherry picked from commit a0bd6493)
      464774d7
  25. 11 May, 2015 2 commits