Skip to content
  1. Nov 13, 2017
  2. Nov 11, 2017
  3. Nov 10, 2017
  4. Nov 08, 2017
  5. Nov 07, 2017
  6. Nov 03, 2017
  7. Nov 02, 2017
  8. Nov 01, 2017
  9. Oct 26, 2017
  10. Oct 25, 2017
    • Matt Caswell's avatar
      Don't make any changes to the lhash structure if we are going to fail · 1aa0fcfb
      Matt Caswell authored
      
      
      The lhash expand() function can fail if realloc fails. The previous
      implementation made changes to the structure and then attempted to do a
      realloc. If the realloc failed then it attempted to undo the changes it
      had just made. Unfortunately changes to lh->p were not undone correctly,
      ultimately causing subsequent expand() calls to increment num_nodes to a
      value higher than num_alloc_nodes, which can cause out-of-bounds reads/
      writes. This is not considered a security issue because an attacker cannot
      cause realloc to fail.
      
      This commit moves the realloc call to near the beginning of the function
      before any other changes are made to the lhash structure. That way if a
      failure occurs we can immediately fail without having to undo anything.
      
      Thanks to Pavel Kopyl (Samsung) for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4551)
      1aa0fcfb
  11. Oct 24, 2017
  12. Oct 23, 2017
  13. Oct 19, 2017
  14. Oct 13, 2017
  15. Oct 11, 2017
    • Matt Caswell's avatar
      Ensure we test all parameters for BN_FLG_CONSTTIME · 86ccadf5
      Matt Caswell authored
      
      
      RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
      BN_mod_exp() as follows:
      
      BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)
      
      ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
      BN_mod_exp() we only test the third param for the existence of this flag.
      We should test all the inputs.
      
      Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
      issue.
      
      This typically only happens once at key load, so this is unlikely to be
      exploitable in any real scenario.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4477)
      
      (cherry picked from commit e913d11f)
      86ccadf5
  16. Oct 03, 2017
  17. Oct 02, 2017
  18. Sep 29, 2017
  19. Sep 27, 2017