Skip to content
  1. Oct 26, 2017
    • Matt Caswell's avatar
      Don't use strcasecmp and strncasecmp for IA5 strings · 44cbf6a9
      Matt Caswell authored 
      

The functions strcasecmp() and strncasecmp() will use locale specific rules
when performing comparison. This could cause some problems in certain
locales. For example in the Turkish locale an 'I' character is not the
uppercase version of 'i'. However IA5 strings should not use locale specific
rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the
Turkish locale.

This fixes a bug in name constraints checking reported by Thomas Pornin
(NCCGroup).

This is not considered a security issue because it would require both a
Turkish locale (or other locale with similar issues) and malfeasance by
a trusted name-constrained CA for a certificate to pass name constraints
in error. The constraints also have to be for excluded sub-trees which are
extremely rare. Failure to match permitted subtrees is a bug, not a
vulnerability.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4570)
      44cbf6a9
  3. Oct 25, 2017
    • Matt Caswell's avatar
      Don't make any changes to the lhash structure if we are going to fail · 1aa0fcfb
      Matt Caswell authored 
      

The lhash expand() function can fail if realloc fails. The previous
implementation made changes to the structure and then attempted to do a
realloc. If the realloc failed then it attempted to undo the changes it
had just made. Unfortunately changes to lh->p were not undone correctly,
ultimately causing subsequent expand() calls to increment num_nodes to a
value higher than num_alloc_nodes, which can cause out-of-bounds reads/
writes. This is not considered a security issue because an attacker cannot
cause realloc to fail.

This commit moves the realloc call to near the beginning of the function
before any other changes are made to the lhash structure. That way if a
failure occurs we can immediately fail without having to undo anything.

Thanks to Pavel Kopyl (Samsung) for reporting this issue.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4551)
      1aa0fcfb
  5. Oct 24, 2017
  7. Oct 23, 2017
  9. Oct 19, 2017
  11. Oct 13, 2017
  13. Oct 11, 2017
    • Matt Caswell's avatar
      Ensure we test all parameters for BN_FLG_CONSTTIME · 86ccadf5
      Matt Caswell authored 
      

RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:

BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)

ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.

Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
issue.

This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4477)

(cherry picked from commit e913d11f)
      86ccadf5
  15. Oct 03, 2017
  17. Oct 02, 2017
  19. Sep 29, 2017
  21. Sep 27, 2017
  23. Sep 26, 2017
  25. Sep 19, 2017
  27. Sep 11, 2017
  29. Sep 07, 2017
  31. Aug 28, 2017
  33. Aug 25, 2017
  35. Aug 24, 2017
  37. Aug 23, 2017
  39. Aug 22, 2017
  41. Aug 18, 2017
  43. Aug 17, 2017
  45. Aug 15, 2017
  47. Aug 09, 2017
  49. Aug 07, 2017
  51. Aug 04, 2017
  53. Jul 31, 2017
  55. Jul 29, 2017
  57. Jul 28, 2017