- Apr 24, 2015
-
-
Emilia Kasper authored
Thanks to Brian Smith for reporting these issues. Reviewed-by:
Rich Salz <rsalz@openssl.org> (cherry picked from commit 53dd4ddf)
-
Emilia Kasper authored
Also add a few comments about constant-timeness. Thanks to Brian Smith for reporting this issue. Reviewed-by:
-
- Apr 22, 2015
-
-
Loganaden Velvindron authored
The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return value from CRYPTO_malloc to see if it is NULL before attempting to use it. This patch adds a NULL check. RT3786 Signed-off-by:
Matt Caswell <matt@openssl.org> (cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60) Reviewed-by:
-
- Apr 21, 2015
-
-
Emilia Kasper authored
EAP-FAST session resumption relies on handshake message lookahead to determine server intentions. Commits 980bc1ec and 7b3ba508 removed the lookahead so broke session resumption. This change partially reverts the commits and brings the lookahead back in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not support regular session tickets, the lookahead now only checks for a Finished message. Regular handshakes are unaffected by this change. Reviewed-by:
David Benjamin <davidben@chromium.org> Reviewed-by:
-
Emilia Kasper authored
newsig may be used (freed) uninitialized on a malloc error. Reviewed-by:
-
Emilia Kasper authored
Reviewed-by:
Dr. Stephen Henson <steve@openssl.org> Reviewed-by:
-
- Apr 20, 2015
-
-
Richard Levitte authored
The logic with how 'ok' was calculated didn't quite convey what's "ok", so the logic is slightly redone to make it less confusing. Reviewed-by:
Andy Polyakov <appro@openssl.org> (cherry picked from commit 06affe3d)
-
Matt Caswell authored
Filled in lots of return value checks that were missing the GOST engine, and added appropriate error handling. Reviewed-by:
Richard Levitte <levitte@openssl.org> (cherry picked from commit 8817e2e0)
-
Matt Caswell authored
Fix miscellaneous NULL pointer derefs in the sureware engine. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
This addresses - request for improvement for faster key setup in RT#3576; - clearing registers and stack in RT#3554 (this is more of a gesture to see if there will be some traction from compiler side); - more commentary around input parameters handling and stack layout (desired when RT#3553 was reviewed); - minor size and single block performance optimization (was lying around); Reviewed-by:
-
Dr. Stephen Henson authored
Disable loop checking when we retry verification with an alternative path. This fixes the case where an intermediate CA is explicitly trusted and part of the untrusted certificate list. By disabling loop checking for this case the untrusted CA can be replaced by the explicitly trusted case and verification will succeed. Signed-off-by:
-
Matt Caswell authored
the X509_V_FLAG_NO_ALT_CHAINS flag. Conflicts: doc/apps/cms.pod doc/apps/ocsp.pod doc/apps/s_client.pod doc/apps/s_server.pod doc/apps/smime.pod doc/apps/verify.pod Reviewed-by: -
Matt Caswell authored
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead. Conflicts: apps/cms.c apps/ocsp.c apps/s_client.c apps/s_server.c apps/smime.c apps/verify.c Reviewed-by: -
Matt Caswell authored
behaviour will force behaviour as per previous versions of OpenSSL Reviewed-by: -
Matt Caswell authored
valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store. When building a trust chain if the first attempt fails, then try to see if alternate chains could be constructed that are trusted. RT3637 RT3621 Reviewed-by:
-
- Apr 18, 2015
-
-
Dr. Stephen Henson authored
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and Hanno Böck <hanno@hboeck.de> for reporting this issue. Reviewed-by:
-
- Apr 17, 2015
-
-
Emilia Kasper authored
A 0-length ciphers list is never permitted. The old code only used to reject an empty ciphers list for connections with a session ID. It would later error out on a NULL structure, so this change just moves the alert closer to the problem source. Reviewed-by:
-
Emilia Kasper authored
The disabled set of -Weverything is hard to maintain across versions. Use -Wall -Wextra but also document other useful warnings that currently trigger. Reviewed-by:
-
- Apr 16, 2015
-
-
Viktor Dukhovni authored
Reviewed-by:Matt Caswell <gitlab@openssl.org>
-
Dr. Stephen Henson authored
Reported by Hanno Böck <hanno@hboeck.de> PR#3800 Reviewed-by:
-
Dr. Stephen Henson authored
Reported by Hanno Böck <hanno@hboeck.de> Reviewed-by:
-
- Apr 14, 2015
-
-
Matt Caswell authored
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by:
-
Matt Caswell authored
The ClientHello processing is insufficiently rigorous in its checks to make sure that we don't read past the end of the message. This does not have security implications due to the size of the underlying buffer - but still needs to be fixed. With thanks to Qinghao Tang for reporting this issue. Reviewed-by:
-
- Apr 11, 2015
-
-
Kurt Roeckx authored
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section failed. Reviewed-by:
-
Kurt Roeckx authored
Reviewed-by:
Viktor Dukhovni <openssl-users@dukhovni.org> (cherry picked from commit f49baeff)
-
- Apr 10, 2015
-
-
Dr. Stephen Henson authored
While *pval is usually a pointer in rare circumstances it can be a long value. One some platforms (e.g. WIN64) where sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field. *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it to NULL is unecessary anyway. Thanks to Julien Kauffmann for reporting this issue. Reviewed-by:
-
Dr. Stephen Henson authored
PR#3789 Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
- Apr 08, 2015
-
-
Richard Levitte authored
Since source reformat, we ended up with some error reason string definitions that spanned two lines. That in itself is fine, but we sometimes edited them to provide better strings than what could be automatically determined from the reason macro, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, However, mkerr.pl didn't treat those two-line definitions right, and they ended up being retranslated to whatever the macro name would indicate, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "No gost certificate sent by peer"}, Clearly not what we wanted. This change fixes this problem. Reviewed-by: -
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
The macros BSWAP4 and BSWAP8 have statetemnt expressions implementations that use local variable names that shadow variables outside the macro call, generating warnings like this e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable [-Wshadow] seqnum = BSWAP8(blocks[0].q[0]); ^ ../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8' ^ e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here size_t ret = 0; ^ Have clang be quiet by modifying the macro variable names slightly (suffixing them with an underscore). Reviewed-by: -
Richard Levitte authored
We use GNU statement expressions in crypto/md32_common.h, surrounded by checks that GNU C is indeed used to compile. It seems that clang, at least on Linux, pretends to be GNU C, therefore finds the statement expressions and then warns about them. The solution is to have clang be quiet about it. Reviewed-by:
-
Richard Levitte authored
ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one declaration [-Wempty-translation-unit] ^ 1 warning generated. Reviewed-by: -
Emilia Kasper authored
There is no indication that the timing differences are exploitable in OpenSSL, and indeed there is some indication (Usenix '14) that they are too small to be exploitable. Nevertheless, be careful and apply the same countermeasures as in s3_srvr.c Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for reporting this issue. Reviewed-by:
-
- Apr 02, 2015
-
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
ARM has optimized Cortex-A5x pipeline to favour pairs of complementary AES instructions. While modified code improves performance of post-r0p0 Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts original r0p0. We favour later revisions, because one can't prevent future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%, while new code is not slower on r0p0, or Apple A7 for that matter. [Update even SHA results for latest Cortex-A53.] Reviewed-by:
-
- Mar 31, 2015
-
-
Douglas E Engert authored
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447 for storing an EC Private Key. This converts the private key into an OCTETSTRING and retains any leading zeros. This commit ensures that those leading zeros are present if required. Reviewed-by:
-
- Mar 28, 2015
-
-
Andy Polyakov authored
Reviewed-by:
-
