Commits · 7fae32f6d69baf27ef69d92499c59c8a3277f3e3 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Jan 05, 2015

Return error when a bit string indicates an invalid amount of bits left · 7fae32f6
Kurt Roeckx authored Dec 15, 2014
```
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 86edf13b)
```
7fae32f6

Reject invalid constructed encodings. · 5260f1a4

Dr. Stephen Henson authored Dec 17, 2014



According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit f5e4b6b5)

Conflicts:
	crypto/asn1/asn1_err.c

5260f1a4

Dec 17, 2014

Revert "RT3425: constant-time evp_enc" · 1cb10d9c

Emilia Kasper authored Dec 17, 2014

Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.

This reverts commit 1bb01b1b

.

Reviewed-by: Andy Polyakov <appro@openssl.org>

1cb10d9c

Nov 11, 2014
- Fix warning about negative unsigned intergers · 62abc805
  Kurt Roeckx authored Nov 10, 2014
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  62abc805
Oct 29, 2014
- md32_common.h: address compiler warning in HOST_c2l. · 722fa142
  Andy Polyakov authored Oct 29, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc)
```
  722fa142
Oct 28, 2014
- Use only unsigned arithmetic in constant-time operations · a2ca66f3
  Samuel Neves authored Oct 04, 2014
```
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  a2ca66f3
Oct 21, 2014

Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation. · 6a04b0d5
Bodo Moeller authored Oct 21, 2014
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
6a04b0d5
When processing ClientHello.cipher_suites, don't ignore cipher suites · 1acca282
Bodo Moeller authored Oct 21, 2014
```
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
```
1acca282
Fix warning · d510c648
Kurt Roeckx authored Oct 21, 2014
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
d510c648

Keep old method in case of an unsupported protocol · b8292474

Kurt Roeckx authored Oct 21, 2014

When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc2

.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a9)

b8292474

Oct 20, 2014
- no-ssl2 with no-ssl3 does not mean drop the ssl lib · cbb6ccab
  Tim Hudson authored Oct 20, 2014
```
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
```
  cbb6ccab
Oct 17, 2014

Add constant_time_locl.h to HEADERS, · e369af36

Tim Hudson authored Sep 25, 2014


so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e2e5326e)

e369af36

Include "constant_time_locl.h" rather than "../constant_time_locl.h". · 15b7f5bf

Richard Levitte authored Sep 24, 2014


The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8202802f)

Conflicts:
	crypto/evp/evp_enc.c

15b7f5bf

e_os.h: refine inline override logic (to address warnings in debug build). · 9880f630
Andy Polyakov authored Sep 30, 2014
```
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 55c7a4cf)
```
9880f630
e_os.h: allow inline functions to be compiled by legacy compilers. · af32df0a
Andy Polyakov authored Sep 25, 2014
```
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 40155f40)

Conflicts:
	e_os.h
```
af32df0a
RT3547: Add missing static qualifier · bfb7bf1a
Kurt Cancemi authored Sep 28, 2014
```
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c9)
```
bfb7bf1a

Oct 16, 2014

Don't try 1**0 test with FIPS. · f33636fa

Dr. Stephen Henson authored Oct 16, 2014



The 1**0 test will fail for FIPS capable builds because it uses the
old BIGNUM code in the 1.2 FIPS module which can't be fixed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

f33636fa

Oct 15, 2014
- Prepare for 0.9.8zd-dev · 94f735ca
  Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
  94f735ca
- Prepare for 0.9.8zc release · 36216218
  Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
  OpenSSL_0_9_8zc
  
  36216218
- make update · 115eaf48
  Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
  115eaf48
- Updates to NEWS · 53ce5647
  Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
```
  53ce5647
- Updates to CHANGES file · 4d2efa29
  Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Bodo Möller <bodo@openssl.org>
```
  4d2efa29
- Fix no-ssl3 configuration option · cd332a07
  Geoff Thorpe authored Oct 15, 2014
```
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  cd332a07
- Fix for session tickets memory leak. · 2ed80d14
  Dr. Stephen Henson authored Oct 15, 2014
```
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 90e53055939db40cf0fac1ad0c59630280aeee86)
```
  2ed80d14
- Fix SSL_R naming inconsistency. · d2866063
  Bodo Moeller authored Oct 15, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  d2866063
- Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv · 3f4d81e8
  Bodo Moeller authored Oct 15, 2014
```
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  3f4d81e8
- Oops -- fix typo in coment added with TLS_FALLBACK_SCSV support. · dc5dfe43
  Bodo Moeller authored Oct 15, 2014
```
Reviewed-by: Steve Henson <steve@openss.org>
```
  dc5dfe43
- Support TLS_FALLBACK_SCSV. · c6a87647
  Bodo Moeller authored Oct 15, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
  c6a87647
Sep 29, 2014

Add additional DigestInfo checks. · 5a7fc893

Dr. Stephen Henson authored Sep 29, 2014



Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>

5a7fc893

Sep 25, 2014

Add missing tests · 116fd373

Emilia Kasper authored Sep 25, 2014

Accidentally omitted from commit 455b65df



Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d)

116fd373

Sep 24, 2014

RT3425: constant-time evp_enc · 1bb01b1b

Emilia Kasper authored Sep 05, 2014



Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b55ff319)

Conflicts:
	crypto/evp/Makefile
	crypto/evp/evp_enc.c

1bb01b1b

RT3067: simplify patch · 699d78ce

Emilia Kasper authored Sep 04, 2014

(Original commit adb46dbc

)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65df)

Conflicts:
	ssl/Makefile

699d78ce

This change alters the processing of invalid, RSA pre-master secrets so · 43d613ec

Adam Langley authored Apr 24, 2013

that bad encryptions are treated like random session keys in constant
time.

(cherry picked from commit adb46dbc

)

Reviewed-by: Rich Salz <rsalz@openssl.org>

43d613ec

RT3066: rewrite RSA padding checks to be slightly more constant time. · 96e1015e

Emilia Kasper authored Aug 28, 2014



Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c

96e1015e

Sep 21, 2014

Fixed error introduced in commit · cf4b01a7

Tim Hudson authored Sep 21, 2014


that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559f)

cf4b01a7

Sep 04, 2014

Ensure that x**0 mod 1 = 0. · 45d12951

Adam Langley authored Apr 23, 2013

(cherry picked from commit 2b0180c3

)

Reviewed-by: Ben Laurie <ben@openssl.org>

45d12951

Sep 03, 2014

Followup on RT3334 fix: make sure that a directory that's the empty · 0976adac

Richard Levitte authored Aug 15, 2014


string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7)

0976adac

RT3334: Fix crypto/LPdir_win.c · db5b0d93

Phil Mesnier authored Aug 14, 2014



Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe75)

db5b0d93

Sep 02, 2014

Make the inline const-time functions static. · aeeedc8a

Emilia Kasper authored Aug 28, 2014



"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36)

aeeedc8a

Aug 29, 2014

Fixed double inclusion of string.h · c9038664

Matt Caswell authored Aug 29, 2014



PR2693

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5d33b70ef5a4768fdfb77a73f9817c4570613039)

c9038664