Skip to content
  1. Dec 07, 2017
  2. Dec 06, 2017
    • Matt Caswell's avatar
      Add a test for CVE-2017-3737 · c7383fb5
      Matt Caswell authored
      
      
      Test reading/writing to an SSL object after a fatal error has been
      detected.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      c7383fb5
    • Matt Caswell's avatar
      Don't allow read/write after fatal error · 898fb884
      Matt Caswell authored
      
      
      OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
      mechanism. The intent was that if a fatal error occurred during a handshake
      then OpenSSL would move into the error state and would immediately fail if
      you attempted to continue the handshake. This works as designed for the
      explicit handshake functions (SSL_do_handshake(), SSL_accept() and
      SSL_connect()), however due to a bug it does not work correctly if
      SSL_read() or SSL_write() is called directly. In that scenario, if the
      handshake fails then a fatal error will be returned in the initial function
      call. If SSL_read()/SSL_write() is subsequently called by the application
      for the same SSL object then it will succeed and the data is passed without
      being decrypted/encrypted directly from the SSL/TLS record layer.
      
      In order to exploit this issue an attacker would have to trick an
      application into behaving incorrectly by issuing an SSL_read()/SSL_write()
      after having already received a fatal error.
      
      Thanks to David Benjamin (Google) for reporting this issue and suggesting
      this fix.
      
      CVE-2017-3737
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      898fb884
    • Andy Polyakov's avatar
      bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2. · ca51bafc
      Andy Polyakov authored
      
      
      Credit to OSS-Fuzz for finding this.
      
      CVE-2017-3738
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      ca51bafc
  3. Dec 04, 2017
  4. Nov 30, 2017
  5. Nov 16, 2017
  6. Nov 14, 2017
  7. Nov 13, 2017
  8. Nov 11, 2017
  9. Nov 10, 2017
  10. Nov 08, 2017
  11. Nov 07, 2017
  12. Nov 03, 2017
  13. Nov 02, 2017
  14. Nov 01, 2017
  15. Oct 26, 2017
  16. Oct 25, 2017
    • Matt Caswell's avatar
      Don't make any changes to the lhash structure if we are going to fail · 1aa0fcfb
      Matt Caswell authored
      
      
      The lhash expand() function can fail if realloc fails. The previous
      implementation made changes to the structure and then attempted to do a
      realloc. If the realloc failed then it attempted to undo the changes it
      had just made. Unfortunately changes to lh->p were not undone correctly,
      ultimately causing subsequent expand() calls to increment num_nodes to a
      value higher than num_alloc_nodes, which can cause out-of-bounds reads/
      writes. This is not considered a security issue because an attacker cannot
      cause realloc to fail.
      
      This commit moves the realloc call to near the beginning of the function
      before any other changes are made to the lhash structure. That way if a
      failure occurs we can immediately fail without having to undo anything.
      
      Thanks to Pavel Kopyl (Samsung) for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4551)
      1aa0fcfb
  17. Oct 24, 2017
  18. Oct 23, 2017