- 11 Jun, 2015 8 commits
-
-
Matt Caswell authored
Reviewed-by:Stephen Henson <steve@openssl.org>
-
Andy Polyakov authored
CVE-2015-1788 Reviewed-by:
Matt Caswell <matt@openssl.org> (cherry picked from commit 4924b37e)
-
Matt Caswell authored
Updates to CHANGES and NEWS to take account of the latest security fixes. Reviewed-by:Rich Salz <rsalz@openssl.org>
-
Emilia Kasper authored
CVE-2015-1790 Reviewed-by: -
Emilia Kasper authored
Also tighten X509_cmp_time to reject more than three fractional seconds in the time; and to reject trailing garbage after the offset. CVE-2015-1789 Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> Reviewed-by:
Richard Levitte <levitte@openssl.org>
-
Dr. Stephen Henson authored
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting to verify and a digest is not recognised. Reported by Johannes Bauer. CVE-2015-1792 Reviewed-by: -
Richard Levitte authored
$(PROGS) was mistakenly removed, adding it back. Reviewed-by:
-
Matt Caswell authored
Fix error handling in ssl_session_dup, as well as incorrect setting up of the session ticket. Follow on from CVE-2015-1791. Thanks to LibreSSL project for reporting these issues. Conflicts: ssl/ssl_sess.c Reviewed-by:Tim Hudson <tjh@openssl.org>
-
- 10 Jun, 2015 11 commits
-
-
Kurt Roeckx authored
Reviewed-by:
-
Kurt Roeckx authored
Reviewed-by:
-
Matt Caswell authored
It should not be possible for DTLS message fragments to span multiple packets. However previously if the message header fitted exactly into one packet, and the fragment body was in the next packet then this would work. Obviously this would fail if packets get re-ordered mid-flight. Reviewed-by: -
Matt Caswell authored
In the event of an error in the HMAC function, leaks can occur because the HMAC_CTX does not get cleaned up. Thanks to the BoringSSL project for reporting this issue. Reviewed-by:
-
Matt Caswell authored
The function EC_POINT_is_on_curve does not return a boolean value. It returns 1 if the point is on the curve, 0 if it is not, and -1 on error. Many usages within OpenSSL were incorrectly using this function and therefore not correctly handling error conditions. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by:
Kurt Roeckx <kurt@openssl.org> (cherry picked from commit 68886be7)
-
Matt Caswell authored
This adds additional checks to the processing of extensions in a ClientHello to ensure that either no extensions are present, or if they are then they take up the exact amount of space expected. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: -
Matt Caswell authored
This fixes a memory leak that can occur whilst duplicating a BIO chain if the call to CRYPTO_dup_ex_data() fails. It also fixes a second memory leak where if a failure occurs after successfully creating the first BIO in the chain, then the beginning of the new chain was not freed. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: -
Matt Caswell authored
BUF_MEM_free() attempts to cleanse memory using memset immediately prior to a free. This is at risk of being optimised away by the compiler, so replace with a call to OPENSSL_cleanse() instead. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by: -
Matt Caswell authored
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for Kerberos. Reviewed-by:
-
Richard Levitte authored
For librypto to be complete, the stuff in both crypto/ and engines/ have to be built. Doing 'make test' or 'make apps' from a clean source tree failed to do so. Corrected by using the new 'build_libcrypto' in the top Makefile. Reviewed-by:
-
Richard Levitte authored
There's a need for a target that will build all of libcrypto, so let's add 'build_libcrypto' that does this. For ortogonality, let's also add 'build_libssl'. Have both also depend on 'libcrypto.pc' and 'libssl.pc' so those get built together with the libraries. This makes 'all' depend on fewer things directly. Reviewed-by:
-
- 08 Jun, 2015 3 commits
-
-
Dr. Stephen Henson authored
Reviewed-by:
-
Emilia Kasper authored
Reviewed-by:
-
Emilia Kasper authored
Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley (Google). Reviewed-by:
-
- 04 Jun, 2015 4 commits
-
-
Matt Caswell authored
Remove a comment that suggested further clean up was required. DH_free() performs the necessary cleanup. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by:
-
Matt Caswell authored
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by:
-
Matt Caswell authored
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it. With thanks to the Open Crypto Audit Project for reporting this issue. Reviewed-by:
-
Matt Caswell authored
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account for this and can allocate a buffer one byte too short in the event of -0 being used, leading to a one byte buffer overrun. All usage within the OpenSSL library is considered safe. Any security risk is considered negligible. With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian for discovering and reporting this issue. Reviewed-by:
-
- 02 Jun, 2015 4 commits
-
-
Annie Yousar authored
objects.pl only looked for a space to see if the name could be used as a C identifier. Improve the test to match the real C rules. Signed-off-by:
Rich Salz <rsalz@akamai.com> Reviewed-by:
-
Richard Levitte authored
This is for consistency. Additionally, have its presence define OPENSSL_SYS_WINDOWS as well. Reviewed-by:
-
Matt Caswell authored
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. CVE-2015-1791 This also fixes RT#3808 where a session ID is changed for a session already in the client session cache. Since the session ID is the key to the cache this breaks the cache access. Parts of this patch were inspired by this Akamai change: https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3 Reviewed-by:
-
Matt Caswell authored
This is a backport of commit e83ee04b from the master branch (and this has also been applied to 1.0.2). In 1.0.2 this was CVE-2015-0207. For other branches there is no known security issue, but this is being backported as a precautionary measure. The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invokation to the next. Reviewed-by:
-
- 31 May, 2015 1 commit
-
-
Matt Caswell authored
dtls1_get_message has an |mt| variable which is the type of the message that is being requested. If it is negative then any message type is allowed. However the value of |mt| is not checked in one of the main code paths, so a peer can send a message of a completely different type and it will be processed as if it was the message type that we were expecting. This has very little practical consequences because the current behaviour will still fail when the format of the message isn't as expected. Reviewed-by:
Andy Polyakov <appro@openssl.org> (cherry picked from commit 8c2b1d87)
-
- 28 May, 2015 2 commits
-
-
Dr. Stephen Henson authored
Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
- 26 May, 2015 7 commits
-
-
Andy Polyakov authored
Reviewed-by: -
Emilia Kasper authored
Also add more ciphersuite test coverage, and a negative test for 512-bit DHE. Reviewed-by: -
Matt Caswell authored
The size of the SRP extension can never be negative (the variable |size| is unsigned). Therefore don't check if it is less than zero. RT#3862 Reviewed-by:
-
Matt Caswell authored
The return value of i2d functions can be negative if an error occurs. Therefore don't assign the return value to an unsigned type and *then* check if it is negative. RT#3862 Reviewed-by:
-
Matt Caswell authored
The members of struct timeval on OpenVMS are unsigned. The logic for calculating timeouts needs adjusting to deal with this. RT#3862 Reviewed-by:
-
Andy Polyakov authored
RT#3860 Reviewed-by:
-
Billy Brumley authored
RT#3858 Reviewed-by:
-
