- Apr 16, 2015
-
-
Viktor Dukhovni authored
Reviewed-by: Matt Caswell <gitlab@openssl.org>
-
Dr. Stephen Henson authored
Reported by Hanno Böck <hanno@hboeck.de> PR#3800 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit c4137b5e)
-
Dr. Stephen Henson authored
Reported by Hanno Böck <hanno@hboeck.de> Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 111b60be)
-
- Apr 14, 2015
-
-
Matt Caswell authored
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 5e0a80c1)
-
Matt Caswell authored
The ClientHello processing is insufficiently rigorous in its checks to make sure that we don't read past the end of the message. This does not have security implications due to the size of the underlying buffer - but still needs to be fixed. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
-
- Apr 11, 2015
-
-
Kurt Roeckx authored
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section failed. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 8ec5c5dd)
-
Kurt Roeckx authored
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org> (cherry picked from commit f49baeff)
-
- Apr 10, 2015
-
-
Dr. Stephen Henson authored
While *pval is usually a pointer in rare circumstances it can be a long value. One some platforms (e.g. WIN64) where sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field. *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it to NULL is unecessary anyway. Thanks to Julien Kauffmann for reporting this issue. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit f617b496) Conflicts: crypto/asn1/tasn_new.c
-
Dr. Stephen Henson authored
PR#3789 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 7a317fa0)
-
Dr. Stephen Henson authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 9fdbc9df)
-
- Apr 08, 2015
-
-
Richard Levitte authored
Since source reformat, we ended up with some error reason string definitions that spanned two lines. That in itself is fine, but we sometimes edited them to provide better strings than what could be automatically determined from the reason macro, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, However, mkerr.pl didn't treat those two-line definitions right, and they ended up being retranslated to whatever the macro name would indicate, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "No gost certificate sent by peer"}, Clearly not what we wanted. This change fixes this problem. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 2cfdfe09)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 37d92b1b)
-
Richard Levitte authored
The macros BSWAP4 and BSWAP8 have statetemnt expressions implementations that use local variable names that shadow variables outside the macro call, generating warnings like this e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable [-Wshadow] seqnum = BSWAP8(blocks[0].q[0]); ^ ../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8' ^ e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here size_t ret = 0; ^ Have clang be quiet by modifying the macro variable names slightly (suffixing them with an underscore). Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 2da2a434)
-
Richard Levitte authored
We use GNU statement expressions in crypto/md32_common.h, surrounded by checks that GNU C is indeed used to compile. It seems that clang, at least on Linux, pretends to be GNU C, therefore finds the statement expressions and then warns about them. The solution is to have clang be quiet about it. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 04958e84)
-
Richard Levitte authored
ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one declaration [-Wempty-translation-unit] ^ 1 warning generated. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit c25dea53)
-
Emilia Kasper authored
There is no indication that the timing differences are exploitable in OpenSSL, and indeed there is some indication (Usenix '14) that they are too small to be exploitable. Nevertheless, be careful and apply the same countermeasures as in s3_srvr.c Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for reporting this issue. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Apr 02, 2015
-
-
Andy Polyakov authored
Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 7eeeb49e)
-
Andy Polyakov authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit be5a87a1)
-
Andy Polyakov authored
ARM has optimized Cortex-A5x pipeline to favour pairs of complementary AES instructions. While modified code improves performance of post-r0p0 Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts original r0p0. We favour later revisions, because one can't prevent future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%, while new code is not slower on r0p0, or Apple A7 for that matter. [Update even SHA results for latest Cortex-A53.] Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 94376ccc)
-
- Mar 31, 2015
-
-
Douglas E Engert authored
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447 for storing an EC Private Key. This converts the private key into an OCTETSTRING and retains any leading zeros. This commit ensures that those leading zeros are present if required. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 30cd4ff2) Conflicts: crypto/ec/ec_asn1.c
-
- Mar 28, 2015
-
-
Andy Polyakov authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit b06a6f7cc44baa0c17207a8f72c4ac360be7b555)
-
- Mar 25, 2015
-
-
Matt Caswell authored
if CAfile or CApath were also supplied and successfully loaded first. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
create an HMAC Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594 Reviewed-by: Richard Levitte <levitte@openssl.org> Conflicts: crypto/hmac/hmac.c
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return value checked correctly Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
In ssl3_send_new_session_ticket the message to be sent is constructed. We skip adding the length of the session ticket initially, then call ssl_set_handshake_header, and finally go back and add in the length of the ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side effect of buffering the message for subsequent retransmission if required. By adding the ticket length after the call to ssl_set_handshake_header the message that is buffered is incomplete, causing an invalid message to be sent on retransmission. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 4f9fab6b) Conflicts: ssl/s3_srvr.c
-
Matt Caswell authored
In DTLS, immediately prior to epoch change, the write_sequence is supposed to be stored in s->d1->last_write_sequence. The write_sequence is then reset back to 00000000. In the event of retransmits of records from the previous epoch, the last_write_sequence is restored. This commit fixes a bug in DTLS1.2 where the write_sequence was being reset before last_write_sequence was saved, and therefore retransmits are sent with incorrect sequence numbers. Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit d5d0a1cb)
-
- Mar 24, 2015
-
-
Kurt Roeckx authored
The certificate already contains the DH parameters in that case. ssl3_send_server_key_exchange() would fail in that case anyway. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 93f1c136)
-
Dr. Stephen Henson authored
OCSP verification changes mean the OCSP tests now need -trusted_first Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 7b68c30d)
-
Dr. Stephen Henson authored
If a set of certificates is supplied to OCSP_basic_verify use those in addition to any present in the OCSP response as untrusted CAs when verifying a certificate chain. PR#3668 Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 4ca5efc2)
-
Mike Frysinger authored
Fix compilation failure when SCTP is compiled due to incorrect define. Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de> URL: https://bugs.gentoo.org/543828 RT#3758 Signed-off-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 7c82e339)
-
- Mar 23, 2015
-
-
Matt Caswell authored
Don't check that the curve appears in the list of acceptable curves for the peer, if they didn't send us such a list (RFC 4492 does not require that the extension be sent). Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit b79d2410)
-
Andy Polyakov authored
In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google). Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 2ecd32a1)
-
- Mar 22, 2015
-
-
Matt Caswell authored
Fix builds config'd with no-ec and no-ec2m. Technically this combination is redundant - but the fix is straight forward. Fix from OpenWrt. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
- Mar 20, 2015
-
-
Matt Caswell authored
Updated test/testssl script to include the new DTLS capability in ssltest. Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 3c381e54)
-
David Woodhouse authored
Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 98b8cdd3) Conflicts: ssl/ssltest.c
-
David Woodhouse authored
Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 504e643e) Conflicts: ssl/ssl_lib.c
-