Commits · 679d0c8655fcf3c16c67385420be6ee1679c17ae · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Aug 15, 2014
- Fixed out-of-bounds read errors in ssl3_get_key_exchange. · 679d0c86
  Matt Caswell authored Jul 26, 2014
```
PR#3450

Conflicts:
	ssl/s3_clnt.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  679d0c86
Aug 13, 2014

Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and · 1d5e58b5

Bodo Moeller authored Aug 13, 2014


group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by:  <emilia@openssl.org>

Conflicts:
	crypto/ec/ectest.c

1d5e58b5

Aug 06, 2014

Prepare for 1.0.0o-dev · 11814988
Matt Caswell authored Aug 06, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
11814988
Prepare for 1.0.0n release · bb505311
Matt Caswell authored Aug 06, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
OpenSSL_1_0_0n

bb505311
make update · f5fc85d3
Matt Caswell authored Aug 06, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
f5fc85d3
Updates to CHANGES and NEWS · 6e4929fc
Matt Caswell authored Aug 06, 2014
```
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
```
6e4929fc

Fix race condition in ssl_parse_serverhello_tlsext · 03a12c13

Gabor Tyukasz authored Jul 23, 2014



CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

03a12c13

Fix OID handling: · 57b0c469

Emilia Kasper authored Jul 02, 2014



- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

57b0c469

Fix DTLS anonymous EC(DH) denial of service · 9fd35553
Emilia Käsper authored Jul 24, 2014
```
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
9fd35553

Fix protocol downgrade bug in case of fragmented packets · 67e53f73

David Benjamin authored Jul 23, 2014



CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>

67e53f73

Remove some duplicate DTLS code. · 2281d10a

Adam Langley authored Jun 06, 2014



In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

2281d10a

Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS... · e5861c88

Matt Caswell authored Jul 24, 2014

Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

e5861c88

Fix return code for truncated DTLS fragment. · 60be1157

Adam Langley authored Jun 06, 2014



Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

60be1157

Fix memory leak from zero-length DTLS fragments. · 5ee775a4

Adam Langley authored Jun 06, 2014



The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

5ee775a4

Fix DTLS handshake message size checks. · 934ca071

Matt Caswell authored Jun 06, 2014



In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

934ca071

Added comment for the frag->reassembly == NULL case as per feedback from Emilia · ad007e0a
Matt Caswell authored Jul 24, 2014
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
ad007e0a

Avoid double free when processing DTLS packets. · 84361b89

Adam Langley authored Jun 06, 2014

The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74

 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

84361b89

Fix warnings about ignored return values. · 1a80d390
Dr. Stephen Henson authored Mar 17, 2011
```
(cherry picked from commit 27131fe8

)
Reviewed-by: Matt Caswell <matt@openssl.org>
```
1a80d390

Aug 01, 2014

Simplify and fix ec_GFp_simple_points_make_affine · c5526a16

Bodo Moeller authored Aug 01, 2014


(which didn't always handle value 0 correctly).

Reviewed-by:  <emilia@openssl.org>

Conflicts:
	CHANGES
	crypto/ec/ectest.c

c5526a16

Jul 21, 2014

"EC_POINT_invert" was checking "dbl" function pointer instead of "invert". · b6b96700
Billy Brumley authored Jul 21, 2014
```
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57)
```
b6b96700
Remove old unused and unmaintained demonstration code. · 469665f6
Tim Hudson authored Jul 22, 2014
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 62352b81)
```
469665f6

Minor documentation update removing "really" and a · c4eb02bc

Tim Hudson authored Jul 21, 2014


statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4)

c4eb02bc

Jul 19, 2014

Fix documentation for RSA_set_method(3) · 97f336f2

Dr. Stephen Henson authored Jul 19, 2014



PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)

97f336f2

Jul 17, 2014

Fix typo, add reference. · 5e05728a

Jeffrey Walton authored Jul 17, 2014



PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0)

5e05728a

Jul 15, 2014

Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date · 061a5bdb
Matt Caswell authored Jul 15, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd54819)
```
061a5bdb
Clarify -Verify and PSK. · e6ed83fb
Dr. Stephen Henson authored Jul 15, 2014
```
PR#3452
(cherry picked from commit ca2015a6)
```
e6ed83fb

Fix DTLS certificate requesting code. · c3f2fc41

Dr. Stephen Henson authored Jul 15, 2014

Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc)

c3f2fc41

Add ECC extensions with DTLS. · ec9cb40d
Dr. Stephen Henson authored Jul 15, 2014
```
PR#3449
(cherry picked from commit 2054eb77)
```
ec9cb40d

Don't allow -www etc options with DTLS. · ed1de381

Dr. Stephen Henson authored Jul 15, 2014

The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)

ed1de381

Jul 14, 2014
- Use case insensitive compare for servername. · df35da26
  Dr. Stephen Henson authored Jul 14, 2014
```
PR#3445
(cherry picked from commit 1c3e9a7c)
```
  df35da26
- Use more common name for GOST key exchange. · 26d60e29
  Dr. Stephen Henson authored Jul 14, 2014
```
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)
```
  26d60e29
Jul 13, 2014

Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data. · 5a0df377

Matt Caswell authored Jul 10, 2014

This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)

5a0df377

Add names of GOST algorithms. · f7123634
Peter Mosmans authored Jul 13, 2014
```
PR#3440
(cherry picked from commit 924e5eda)

Conflicts:

	ssl/ssl_ciph.c
```
f7123634
* crypto/ui/ui_lib.c: misplaced brace in switch statement. · 7aeb3d79
Richard Levitte authored Jul 13, 2014
```
  Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd340)
```
7aeb3d79

Jul 09, 2014

Fix memory leak in BIO_free if there is no destroy function. · 182f1ad8

Matt Caswell authored Jul 09, 2014

Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53)

182f1ad8

Jul 07, 2014
- Prevent infinite loop loading config files. · 08191301
  David Lloyd authored Jul 07, 2014
```
PR#2985
(cherry picked from commit 9d23f422)
```
  08191301
Jul 06, 2014
- Usage for -hack and -prexit -verify_return_error · 3fe4fc47
  Dr. Stephen Henson authored Jul 06, 2014
```
(cherry picked from commit a07f514f)
```
  3fe4fc47
- Document certificate status request options. · 13267334
  Dr. Stephen Henson authored Jul 06, 2014
```
Conflicts:

	doc/apps/s_client.pod
	doc/apps/s_server.pod
(cherry picked from commit b197c770)
```
  13267334
- s_server usage for certificate status requests · d8426e6b
  Dr. Stephen Henson authored Jul 06, 2014
  
  d8426e6b
- Update ticket callback docs. · aa90ff7d
  Dr. Stephen Henson authored Jul 03, 2014
```
(cherry picked from commit a23a6e85)
```
  aa90ff7d