- Jun 04, 2015
-
-
Matt Caswell authored
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by:Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account for this and can allocate a buffer one byte too short in the event of -0 being used, leading to a one byte buffer overrun. All usage within the OpenSSL library is considered safe. Any security risk is considered negligible. With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian for discovering and reporting this issue. Reviewed-by:
Tim Hudson <tjh@openssl.org> (cherry picked from commit c5635307) Conflicts: crypto/bn/bn_print.c
-
Matt Caswell authored
The session object on the client side is initially created during construction of the ClientHello. If the client is DTLS1.2 capable then it will store 1.2 as the version for the session. However if the server is only DTLS1.0 capable then when the ServerHello comes back the client switches to using DTLS1.0 from then on. However the session version does not get updated. Therefore when the client attempts to resume that session the server throws an alert because of an incorrect protocol version. Reviewed-by:
-
- Jun 03, 2015
-
-
Dr. Stephen Henson authored
Reviewed-by:Matt Caswell <matt@openssl.org>
-
Sergey Agievich authored
PR#3872 Reviewed-by:
Stephen Henson <steve@openssl.org>
-
- Jun 02, 2015
-
-
Matt Caswell authored
Some tool chains (e.g. android) do not define IP_PMTUDISC_PROBE, and so this build breaks. Reviewed-by:
-
Annie Yousar authored
objects.pl only looked for a space to see if the name could be used as a C identifier. Improve the test to match the real C rules. Signed-off-by:
Rich Salz <rsalz@akamai.com> Reviewed-by:
-
Richard Levitte authored
This is for consistency. Additionally, have its presence define OPENSSL_SYS_WINDOWS as well. Reviewed-by:
-
Olaf Johansson authored
Signed-off-by:
Richard Levitte <levitte@openssl.org> (cherry picked from commit 8846adbd)
-
Per Allansson authored
The code in bss_dgram.c checks if IP_MTUDISCOVER is defined, where it should test for IP_MTU_DISCOVER RT#3888 Reviewed-by:
-
Matt Caswell authored
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3 Reviewed-by:
-
- May 31, 2015
-
-
Matt Caswell authored
dtls1_get_message has an |mt| variable which is the type of the message that is being requested. If it is negative then any message type is allowed. However the value of |mt| is not checked in one of the main code paths, so a peer can send a message of a completely different type and it will be processed as if it was the message type that we were expecting. This has very little practical consequences because the current behaviour will still fail when the format of the message isn't as expected. Reviewed-by:
Andy Polyakov <appro@openssl.org> (cherry picked from commit 8c2b1d87)
-
- May 28, 2015
-
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
- May 26, 2015
-
-
Emilia Kasper authored
Also add more ciphersuite test coverage, and a negative test for 512-bit DHE. Reviewed-by:
-
Matt Caswell authored
The size of the SRP extension can never be negative (the variable |size| is unsigned). Therefore don't check if it is less than zero. RT#3862 Reviewed-by:
-
Matt Caswell authored
The return value of i2d functions can be negative if an error occurs. Therefore don't assign the return value to an unsigned type and *then* check if it is negative. RT#3862 Reviewed-by:
-
Matt Caswell authored
The members of struct timeval on OpenVMS are unsigned. The logic for calculating timeouts needs adjusting to deal with this. RT#3862 Reviewed-by:
-
Andy Polyakov authored
Reviewed-by: -
Andy Polyakov authored
RT#3860 Reviewed-by: -
Billy Brumley authored
RT#3858 Reviewed-by:
-
Andy Polyakov authored
RT#3859 Reviewed-by:
-
- May 25, 2015
-
-
Matt Caswell authored
If the record received is for a version that we don't support, previously we were sending an alert back. However if the incoming record already looks like an alert then probably we shouldn't do that. So suppress an outgoing alert if it looks like we've got one incoming. Reviewed-by:Kurt Roeckx <kurt@openssl.org>
-
- May 24, 2015
-
-
Andy Polyakov authored
bn_get_bits5 was overstepping array boundary by 1 byte. It was exclusively read overstep and data could not have been used. The only potential problem would be if array happens to end on the very edge of last accesible page. Reviewed-by:
-
Andy Polyakov authored
RT#3852 Reviewed-by:
-
Andy Polyakov authored
BLKINIT optimization worked on T4, but for some reason appears "too aggressive" for T3 triggering intermiitent EC failures. It's not clear why only EC is affected... Reviewed-by:
-
- May 23, 2015
-
-
Richard Levitte authored
The update: target in engines/ didn't recurse into engines/ccgost. The update: and depend: targets in engines/ccgost needed a fixup. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
We had updates of certain header files in both Makefile.org and the Makefile in the directory the header file lived in. This is error prone and also sometimes generates slightly different results (usually just a comment that differs) depending on which way the update was done. This removes the file update targets from the top level Makefile, adds an update: target in all Makefiles and has it depend on the depend: or local_depend: targets, whichever is appropriate, so we don't get a double run through the whole file tree. Reviewed-by:
-
- May 22, 2015
-
-
Matt Caswell authored
The certificate masks are used to select which ciphersuite we are going to use. The variables |emask_k| and |emask_a| relate to export grade key exchange and authentication respecitively. The variables |mask_k| and |mask_a| are the equivalent versions for non-export grade. This fixes an instance where the two usages of export/non-export were mixed up. In practice it makes little difference since it still works! Reviewed-by:
-
Matt Caswell authored
Remove support for the two export grade static DH ciphersuites. These two ciphersuites were newly added (along with a number of other static DH ciphersuites) to 1.0.2. However the two export ones have *never* worked since they were introduced. It seems strange in any case to be adding new export ciphersuites, and given "logjam" it also does not seem correct to fix them. Reviewed-by:
-
Matt Caswell authored
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte buffer overflow can occur. There are no such instances within the OpenSSL at the moment. Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for discovering and reporting this issue. Reviewed-by: -
Matt Caswell authored
The functions BN_rshift and BN_lshift shift their arguments to the right or left by a specified number of bits. Unpredicatable results (including crashes) can occur if a negative number is supplied for the shift value. Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian for discovering and reporting this issue. Reviewed-by:
-
Lubom authored
If a client receives a bad hello request in DTLS then the alert is not sent correctly. RT#2801 Signed-off-by:
-
- May 20, 2015
-
-
Kurt Roeckx authored
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit. Reviewed-by:
-
Emilia Kasper authored
Also reorder preferences to prefer prime curves to binary curves, and P-256 to everything else. The result: $ openssl s_server -named_curves "auto" This command will negotiate an ECDHE ciphersuite with P-256: $ openssl s_client This command will negotiate P-384: $ openssl s_client -curves "P-384" This command will not negotiate ECDHE because P-224 is disabled with "auto": $ openssl s_client -curves "P-224" Reviewed-by:
-
Emilia Kasper authored
Since the client has no way of communicating her supported parameter range to the server, connections to servers that choose weak DH will simply fail. Reviewed-by: -
Emilia Kasper authored
- Do not advise generation of DH parameters with dsaparam to save computation time. - Promote use of custom parameters more, and explicitly forbid use of built-in parameters weaker than 2048 bits. - Advise the callback to ignore <keylength> - it is currently called with 1024 bits, but this value can and should be safely ignored by servers. Reviewed-by: -
Emilia Kasper authored
The default bitlength is now 2048. Also clarify that either the number of bits or the generator must be present: $ openssl dhparam -2 and $ openssl dhparam 2048 generate parameters but $ openssl dhparam does not. Reviewed-by: -
Emilia Kasper authored
Reviewed-by:
-
