Skip to content
GitLab
  1. 29 Feb, 2016 7 commits
    • Matt Caswell's avatar
      Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption · 99ba9fd0
      Matt Caswell authored 
      

In the BN_hex2bn function the number of hex digits is calculated using
an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
For large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This leaves ret->d as NULL leading
to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this
case memory is allocated to ret->d, but it is insufficiently sized
leading to heap corruption. A similar issue exists in BN_dec2bn.

This could have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec data. This is
anticipated to be a rare occurrence.

All OpenSSL internal usage of this function uses data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be a rare.

Issue reported by Guido Vranken.

CVE-2016-0797

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      99ba9fd0
    • Dr. Stephen Henson's avatar
      remove unused variables · 15e58273
      Dr. Stephen Henson authored 
      

Reviewed-by: default avatarEmilia Käsper <emilia@openssl.org>
      15e58273
    • Matt Caswell's avatar
      Fix use before init warnings in asynctest · 174a74ef
      Matt Caswell authored 
      

If the tests fail early before an ASYNC_WAIT_CTX is created then there
can be a use before init problem in asynctest.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      174a74ef
    • Matt Caswell's avatar
      Clarify ASYNC_WAIT_CTX_clear_fd() docs · 83856523
      Matt Caswell authored 
      

Clarify that the "cleanup" routing does not get called if you invoke
ASYNC_WAIT_CTX_clear_fd() directly.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      83856523
    • Matt Caswell's avatar
      Refactor the async wait fd logic · ff75a257
      Matt Caswell authored 
      

Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.

Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.

This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      ff75a257
    • Matt Caswell's avatar
      Workaround for VisualStudio 2015 bug · b32166b4
      Matt Caswell authored 
      

VisualStudio 2015 has a bug where an internal compiler error was occurring.
By reordering the DEFINE_STACK_OF declarations for SSL_CIPHER and SSL_COMP
until after the ssl3.h include everything seems ok again.

Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
      b32166b4
    • Richard Levitte's avatar
      Add forgotten change of check of disabled-dynamic-engine · 0421c00e
      Richard Levitte authored 
      

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      0421c00e
  3. 28 Feb, 2016 26 commits
  5. 27 Feb, 2016 7 commits