- Feb 21, 2018
-
-
Pavel Kopyl authored
X509v3_add_ext: free 'sk' if the memory pointed to by it was malloc-ed inside this function. X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails. This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num(). Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4896)
-
Matt Caswell authored
This could in theory result in an overread - but due to the over allocation of the underlying buffer does not represent a security issue. Thanks to Fedor Indutny for reporting this issue. Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5417)
-
- Feb 13, 2018
-
-
Bernd Edlinger authored
when the data block ends with SPACEs or NULs. The problem is, you can't see if the data ends with SPACE or NUL or a combination of both. This can happen for instance with openssl rsautl -decrypt -hexdump Reviewed-by:
-
- Feb 09, 2018
-
-
Bernd Edlinger authored
the possibly indeterminate pointer value in wpend_buf. Reviewed-by:
-
- Feb 02, 2018
-
-
Andy Polyakov authored
BN_from_montgomery_word doesn't have a constant memory access pattern. Replace the pointer trick with a constant-time select. There is, of course, still the bn_correct_top leak pervasive in BIGNUM itself. See also https://boringssl-review.googlesource.com/22904 from BoringSSL. (backport from f345b1f3 signed off by David Benjamin <davidben@google.com>) Reviewed-by:
Kurt Roeckx <kurt@roeckx.be>
-
- Feb 01, 2018
-
-
David Benjamin authored
The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its bit length are both secret. The only public upper bound is the bit width of the corresponding modulus (RSA n, p, and q, respectively). Although BN_num_bits is constant-time (sort of; see bn_correct_top notes in preceding patch), this does not fix the root problem, which is that the windows are based on the minimal bit width, not the upper bound. We could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API and may be called with larger exponents. Instead, use all top*BN_BITS2 bits in the BIGNUM. This is still sensitive to the long-standing bn_correct_top leak, but we need to fix that regardless. This may cause us to do a handful of extra multiplications for RSA keys which are just above a whole number of words, but that is not a standard RSA key size. Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
-
David Benjamin authored
(This patch was written by Andy Polyakov. I only wrote the commit message. Mistakes in the analysis are my fault.) BN_num_bits, by way of BN_num_bits_word, currently leaks the most-significant word of its argument via branching and memory access pattern. BN_num_bits is called on RSA prime factors in various places. These have public bit lengths, but all bits beyond the high bit are secret. This fully resolves those cases. There are a few places where BN_num_bits is called on an input where the bit length is also secret. This does *not* fully resolve those cases as we still only look at the top word. Today, that is guaranteed to be non-zero, but only because of the long-standing bn_correct_top timing leak. Once that is fixed, a constant-time BN_num_bits on such inputs must count bits on each word. Instead, those cases should not call BN_num_bits at all. In particular, BN_mod_exp_mont_consttime uses the exponent bit width to pick windows, but it should be using the maximum bit width. The next patch will fix this. Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu for reporting this issue. Reviewed-by:
-
- Jan 30, 2018
-
-
Matt Caswell authored
In TLS we have a check to make sure an incoming reneg ClientHello is acceptable. The equivalent check is missing in the DTLS code. This means that if a client does not signal the ability to handle secure reneg in the initial handshake, then a subsequent reneg handshake should be rejected by the server. In the DTLS case the reneg was being allowed if the the 2nd ClientHello had a renegotiation_info extension. This is incorrect. While incorrect, this does not represent a security issue because if the renegotiation_info extension is present in the second ClientHello it also has to be *correct*. Therefore this will only work if both the client and server believe they are renegotiating, and both know the previous Finished result. This is not the case in an insecure rengotiation attack. I have also tidied up the check in the TLS code and given a better check for determining whether we are renegotiating or not. Reviewed-by:
-
- Jan 24, 2018
-
-
Rich Salz authored
Thanks to Yun Jiang for pointing this out. Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5164)
-
Rich Salz authored
Backport from https://github.com/openssl/openssl/pull/5141 Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> Reviewed-by:
-
Todd Short authored
Reviewed-by:
-
Jonathan Scalise authored
Updated uses of gmtime to now call OPENSSL_gmtime instead. Used similar preprocessor logic to make sure localtime_r is called instead of localtime when applicable. Reviewed-by:
-
J Mohan Rao Arisankala authored
If tlsext ticket decrypt callback returns error, cleanup ctxs Reviewed-by:
-
- Jan 23, 2018
-
-
Cristian Stoica authored
CLA: trivial Signed-off-by:
Cristian Stoica <cristian.stoica@nxp.com> Reviewed-by:
-
Cristian Stoica authored
CLA: trivial Signed-off-by:
-
- Jan 22, 2018
-
-
Matt Caswell authored
An index.txt entry which has an empty Subject name field will cause ca to crash. Therefore check it when we load it to make sure its not empty. Fixes #5109 Reviewed-by:
-
Matt Caswell authored
Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by:
-
- Jan 21, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
- Jan 16, 2018
-
-
Matt Caswell authored
Commit 9f944291 changed the semantics of BN_copy() to additionally copy the BN_FLG_CONSTTIME flag if it is set. This turns out to be ill advised as it has unintended consequences. For example calling BN_mod_inverse_no_branch() can sometimes return a result with the flag set and sometimes not as a result. This can lead to later failures if we go down code branches that do not support constant time, but check for the presence of the flag. The original commit was made due to an issue in BN_MOD_CTX_set(). The original PR fixed the problem in that function, but it was changed in review to fix it in BN_copy() instead. The solution seems to be to revert the BN_copy() change and go back to the originally proposed way. Reviewed-by:
-
- Jan 09, 2018
-
-
Matt Caswell authored
In the case of a protocol version alert being sent by a peer the record version number may not be what we are expecting. In DTLS records with an unexpected version number are silently discarded. This probably isn't appropriate for alerts, so we tolerate a mismatch in the minor version number. This resolves an issue reported on openssl-users where an OpenSSL server chose DTLS1.0 but the client was DTLS1.2 only and sent a protocol_version alert with a 1.2 record number. This was silently ignored by the server. Reviewed-by:
-
- Jan 07, 2018
-
-
Rich Salz authored
Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4906) (cherry picked from commit 794bf5f7)
-
- Jan 06, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Thanks to Douglas Fyfe @ VSI for making me aware of this Reviewed-by:
-
- Jan 05, 2018
-
-
Konstantin Shemyak authored
A backport of #4997. Fixes #4996. Reviewed-by:
-
- Dec 27, 2017
-
-
Andy Polyakov authored
Reviewed-by:
-
- Dec 23, 2017
-
-
Viktor Dukhovni authored
Reviewed-by:
-
- Dec 13, 2017
-
-
Viktor Dukhovni authored
Also documented X509_V_FLAG_TRUSTED_FIRST Reviewed-by:
-
- Dec 11, 2017
-
-
Matt Caswell authored
SSL_trace() has a case which was inadvertently falling through. Reviewed-by:
-
- Dec 10, 2017
-
-
Richard Levitte authored
Looking for 'gcc' and 'clang' in the output from the C compiler is uncertain. Some versions report argv[0], which might be /usr/bin/cc (for example), and others might mention gcc without being gcc or a derivate. Better then to fetch predefined macros and checking if __GNUC__ and __clang__ are defined. Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4755)
-
- Dec 09, 2017
-
-
Richard Levitte authored
They are from the 1.1.0 or master branches Fixes #4863 Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4887)
-
- Dec 08, 2017
-
-
Rich Salz authored
Reviewed-by:
-
FdaSilvaYY authored
Pointer 'o' is set inside a local buffer, so it can't be NULL. Also fix coding style and add comments Reviewed-by:
-
Richard Levitte authored
Some compilers react badly to non-ASCII characters Fixes #4877 Reviewed-by:
-
Dr. Matthias St. Pierre authored
Fixes #2533 The call to FIPS_crypto_set_id_callback() was added in revision a43cfd7b , but there is no prototype for it in <openssl/fips.h>. Signed-off-by:
Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
-
- Dec 07, 2017
-
-
Matt Caswell authored
Fixes #4865 Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by:
-
