- Jun 08, 2015
-
-
Dr. Stephen Henson authored
Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 0fb99904)
-
Emilia Kasper authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 05627d57)
-
Emilia Kasper authored
Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley (Google). Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 1e4a355d) (cherry picked from commit ac32a77c)
-
- Jun 04, 2015
-
-
Matt Caswell authored
Remove a comment that suggested further clean up was required. DH_free() performs the necessary cleanup. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit f3d88952)
-
Matt Caswell authored
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit b7ee4815) Conflicts: ssl/s3_srvr.c
-
Matt Caswell authored
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 4e3dbe37)
-
Matt Caswell authored
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account for this and can allocate a buffer one byte too short in the event of -0 being used, leading to a one byte buffer overrun. All usage within the OpenSSL library is considered safe. Any security risk is considered negligible. With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian for discovering and reporting this issue. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit c5635307) Conflicts: crypto/bn/bn_print.c
-
- Jun 02, 2015
-
-
Annie Yousar authored
objects.pl only looked for a space to see if the name could be used as a C identifier. Improve the test to match the real C rules. Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 591b7aef)
-
Richard Levitte authored
This is for consistency. Additionally, have its presence define OPENSSL_SYS_WINDOWS as well. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 3f131556) Conflicts: e_os2.h
-
Matt Caswell authored
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 27c76b9b) Conflicts: ssl/ssl.h ssl/ssl_err.c
-
Matt Caswell authored
This is a backport of commit e83ee04b from the master branch (and this has also been applied to 1.0.2). In 1.0.2 this was CVE-2015-0207. For other branches there is no known security issue, but this is being backported as a precautionary measure. The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invokation to the next. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- May 31, 2015
-
-
Matt Caswell authored
dtls1_get_message has an |mt| variable which is the type of the message that is being requested. If it is negative then any message type is allowed. However the value of |mt| is not checked in one of the main code paths, so a peer can send a message of a completely different type and it will be processed as if it was the message type that we were expecting. This has very little practical consequences because the current behaviour will still fail when the format of the message isn't as expected. Reviewed-by: Andy Polyakov <appro@openssl.org> (cherry picked from commit 8c2b1d87)
-
- May 28, 2015
-
-
Dr. Stephen Henson authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 2849707f)
-
Dr. Stephen Henson authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit f097f81c)
-
- May 26, 2015
-
-
Andy Polyakov authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Emilia Kasper authored
Also add more ciphersuite test coverage, and a negative test for 512-bit DHE. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
The size of the SRP extension can never be negative (the variable |size| is unsigned). Therefore don't check if it is less than zero. RT#3862 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 9c89d290)
-
Matt Caswell authored
The return value of i2d functions can be negative if an error occurs. Therefore don't assign the return value to an unsigned type and *then* check if it is negative. RT#3862 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 90e7cdff)
-
Matt Caswell authored
The members of struct timeval on OpenVMS are unsigned. The logic for calculating timeouts needs adjusting to deal with this. RT#3862 Reviewed-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit fc52ac90)
-
Andy Polyakov authored
RT#3860 Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit aa1e4221)
-
Billy Brumley authored
RT#3858 Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 71f6130b)
-
Andy Polyakov authored
RT#3859 Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 60c268b2)
-
Andy Polyakov authored
RT#3843 Reviewed-by: Matt Caswell <matt@openssl.org>
-
- May 25, 2015
-
-
Matt Caswell authored
If the record received is for a version that we don't support, previously we were sending an alert back. However if the incoming record already looks like an alert then probably we shouldn't do that. So suppress an outgoing alert if it looks like we've got one incoming. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-
- May 23, 2015
-
-
Richard Levitte authored
The update: target in engines/ didn't recurse into engines/ccgost. The update: and depend: targets in engines/ccgost needed a fixup. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 8b822d25)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 6f45032f) Conflicts: apps/Makefile
-
Richard Levitte authored
We had updates of certain header files in both Makefile.org and the Makefile in the directory the header file lived in. This is error prone and also sometimes generates slightly different results (usually just a comment that differs) depending on which way the update was done. This removes the file update targets from the top level Makefile, adds an update: target in all Makefiles and has it depend on the depend: or local_depend: targets, whichever is appropriate, so we don't get a double run through the whole file tree. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 0f539dc1) Conflicts: Makefile.org apps/Makefile test/Makefile
-
- May 22, 2015
-
-
Matt Caswell authored
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte buffer overflow can occur. There are no such instances within the OpenSSL at the moment. Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for discovering and reporting this issue. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-
Matt Caswell authored
The functions BN_rshift and BN_lshift shift their arguments to the right or left by a specified number of bits. Unpredicatable results (including crashes) can occur if a negative number is supplied for the shift value. Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian for discovering and reporting this issue. Reviewed-by: Kurt Roeckx <kurt@openssl.org> (cherry picked from commit 7cc18d81) Conflicts: crypto/bn/bn.h crypto/bn/bn_err.c
-
Lubom authored
If a client receives a bad hello request in DTLS then the alert is not sent correctly. RT#2801 Signed-off-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org> (cherry picked from commit 4dc1aa04)
-
- May 20, 2015
-
-
Matt Caswell authored
Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Conflicts: doc/apps/cms.pod doc/apps/ocsp.pod doc/apps/s_client.pod doc/apps/s_server.pod doc/apps/smime.pod doc/apps/verify.pod
-
Matt Caswell authored
Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Conflicts: apps/cms.c apps/ocsp.c apps/s_client.c apps/s_server.c apps/smime.c apps/verify.c
-
Matt Caswell authored
Add flag to inhibit checking for alternate certificate chains. Setting this behaviour will force behaviour as per previous versions of OpenSSL Reviewed-by: Dr. Stephen Henson <steve@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
-
Matt Caswell authored
In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store. When building a trust chain if the first attempt fails, then try to see if alternate chains could be constructed that are trusted. RT3637 RT3621 Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
-
Kurt Roeckx authored
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit ac38115c)
-
Emilia Kasper authored
Since the client has no way of communicating her supported parameter range to the server, connections to servers that choose weak DH will simply fail. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-
Emilia Kasper authored
- Do not advise generation of DH parameters with dsaparam to save computation time. - Promote use of custom parameters more, and explicitly forbid use of built-in parameters weaker than 2048 bits. - Advise the callback to ignore <keylength> - it is currently called with 1024 bits, but this value can and should be safely ignored by servers. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Emilia Kasper authored
The default bitlength is now 2048. Also clarify that either the number of bits or the generator must be present: $ openssl dhparam -2 and $ openssl dhparam 2048 generate parameters but $ openssl dhparam does not. Reviewed-by: Matt Caswell <matt@openssl.org>
-
Emilia Kasper authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
-
Emilia Kasper authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-