Skip to content
  1. Jun 16, 2015
  2. Jun 11, 2015
  3. Jun 10, 2015
  4. Jun 08, 2015
  5. Jun 04, 2015
    • Matt Caswell's avatar
      Remove misleading comment · bb82db1c
      Matt Caswell authored
      
      
      Remove a comment that suggested further clean up was required.
      DH_free() performs the necessary cleanup.
      
      With thanks to the Open Crypto Audit Project for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit f3d88952)
      bb82db1c
    • Matt Caswell's avatar
      Clean premaster_secret for GOST · 470446db
      Matt Caswell authored
      
      
      Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST.
      
      With thanks to the Open Crypto Audit Project for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit b7ee4815)
      
      Conflicts:
      	ssl/s3_srvr.c
      470446db
    • Matt Caswell's avatar
      Clean Kerberos pre-master secret · 91e64e14
      Matt Caswell authored
      
      
      Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it.
      
      With thanks to the Open Crypto Audit Project for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 4e3dbe37)
      91e64e14
    • Matt Caswell's avatar
      Fix off-by-one error in BN_bn2hex · 0d3a7e7c
      Matt Caswell authored
      
      
      A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
      for this and can allocate a buffer one byte too short in the event of -0
      being used, leading to a one byte buffer overrun. All usage within the
      OpenSSL library is considered safe. Any security risk is considered
      negligible.
      
      With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
      Filip Palian for discovering and reporting this issue.
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      (cherry picked from commit c5635307)
      
      Conflicts:
      	crypto/bn/bn_print.c
      0d3a7e7c
  6. Jun 02, 2015
    • Richard Levitte's avatar
      Add the macro OPENSSL_SYS_WIN64 · a85eef72
      Richard Levitte authored
      
      
      This is for consistency.
      Additionally, have its presence define OPENSSL_SYS_WINDOWS as well.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (cherry picked from commit 3f131556)
      
      Conflicts:
      	e_os2.h
      a85eef72
    • Matt Caswell's avatar
      Fix race condition in NewSessionTicket · 0ae3473e
      Matt Caswell authored
      If a NewSessionTicket is received by a multi-threaded client when
      attempting to reuse a previous ticket then a race condition can occur
      potentially leading to a double free of the ticket data.
      
      CVE-2015-1791
      
      This also fixes RT#3808 where a session ID is changed for a session already
      in the client session cache. Since the session ID is the key to the cache
      this breaks the cache access.
      
      Parts of this patch were inspired by this Akamai change:
      https://github.com/akamai/openssl/commit/c0bf69a791239ceec64509f9f19fcafb2461b0d3
      
      
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 27c76b9b)
      
      Conflicts:
      	ssl/ssl.h
      	ssl/ssl_err.c
      0ae3473e
    • Matt Caswell's avatar
      Clear state in DTLSv1_listen · 98377858
      Matt Caswell authored
      This is a backport of commit e83ee04b
      
       from
      the master branch (and this has also been applied to 1.0.2). In 1.0.2 this
      was CVE-2015-0207. For other branches there is no known security issue, but
      this is being backported as a precautionary measure.
      
      The DTLSv1_listen function is intended to be stateless and processes
      the initial ClientHello from many peers. It is common for user code to
      loop over the call to DTLSv1_listen until a valid ClientHello is received
      with an associated cookie. A defect in the implementation of DTLSv1_listen
      means that state is preserved in the SSL object from one invokation to the
      next.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit cce3e4ad)
      98377858
  7. May 28, 2015
  8. May 23, 2015
    • Richard Levitte's avatar
      Have mkerr.pl treat already existing multiline string defs properly · 079495ca
      Richard Levitte authored
      
      
      Since source reformat, we ended up with some error reason string
      definitions that spanned two lines.  That in itself is fine, but we
      sometimes edited them to provide better strings than what could be
      automatically determined from the reason macro, for example:
      
          {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
           "Peer haven't sent GOST certificate, required for selected ciphersuite"},
      
      However, mkerr.pl didn't treat those two-line definitions right, and
      they ended up being retranslated to whatever the macro name would
      indicate, for example:
      
          {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
           "No gost certificate sent by peer"},
      
      Clearly not what we wanted.  This change fixes this problem.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (cherry picked from commit 2cfdfe09)
      079495ca
    • Richard Levitte's avatar
      Fix update and depend in engines/ · 591c819c
      Richard Levitte authored
      
      
      The update: target in engines/ didn't recurse into engines/ccgost.
      The update: and depend: targets in engines/ccgost needed a fixup.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 8b822d25)
      591c819c
    • Richard Levitte's avatar
      Missed a couple of spots in the update change · 439c1934
      Richard Levitte authored
      
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 6f45032f)
      
      Conflicts:
      	apps/Makefile
      439c1934
    • Richard Levitte's avatar
      Fix the update target and remove duplicate file updates · 1b840388
      Richard Levitte authored
      
      
      We had updates of certain header files in both Makefile.org and the
      Makefile in the directory the header file lived in.  This is error
      prone and also sometimes generates slightly different results (usually
      just a comment that differs) depending on which way the update was
      done.
      
      This removes the file update targets from the top level Makefile, adds
      an update: target in all Makefiles and has it depend on the depend: or
      local_depend: targets, whichever is appropriate, so we don't get a
      double run through the whole file tree.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 0f539dc1)
      
      Conflicts:
      	Makefile.org
      	apps/Makefile
      	test/Makefile
      	crypto/cmac/Makefile
      	crypto/srp/Makefile
      1b840388
  9. May 22, 2015
    • Matt Caswell's avatar
      Fix off-by-one in BN_rand · e261cf5a
      Matt Caswell authored
      
      
      If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
      buffer overflow can occur. There are no such instances within the OpenSSL at
      the moment.
      
      Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
      discovering and reporting this issue.
      
      Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
      e261cf5a
    • Matt Caswell's avatar
      Reject negative shifts for BN_rshift and BN_lshift · b3c72148
      Matt Caswell authored
      
      
      The functions BN_rshift and BN_lshift shift their arguments to the right or
      left by a specified number of bits. Unpredicatable results (including
      crashes) can occur if a negative number is supplied for the shift value.
      
      Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
      for discovering and reporting this issue.
      
      Reviewed-by: default avatarKurt Roeckx <kurt@openssl.org>
      (cherry picked from commit 7cc18d81)
      
      Conflicts:
      	crypto/bn/bn.h
      	crypto/bn/bn_err.c
      b3c72148
  10. May 20, 2015
  11. May 19, 2015
  12. May 13, 2015
    • Rich Salz's avatar
      Add NULL checks from master · 690d040b
      Rich Salz authored
      
      
      The big "don't check for NULL" cleanup requires backporting some
      of the lowest-level functions to actually do nothing if NULL is
      given.  This will make it easier to backport fixes to release
      branches, where master assumes those lower-level functions are "safe"
      
      This commit addresses those tickets: 3798 3799 3801.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (cherry picked from commit f34b095f)
      690d040b
  13. May 02, 2015
  14. Apr 22, 2015
  15. Apr 18, 2015
  16. Apr 16, 2015
  17. Apr 14, 2015
    • Matt Caswell's avatar
      Fix ssl_get_prev_session overrun · 4bbff0f9
      Matt Caswell authored
      
      
      If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
      past the end of the ClientHello message if the session_id length in the
      ClientHello is invalid. This should not cause any security issues since the
      underlying buffer is 16k in size. It should never be possible to overrun by
      that many bytes.
      
      This is probably made redundant by the previous commit - but you can never be
      too careful.
      
      With thanks to Qinghao Tang for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 5e0a80c1)
      
      Conflicts:
      	ssl/ssl_sess.c
      4bbff0f9
    • Matt Caswell's avatar
      Check for ClientHello message overruns · 923552bd
      Matt Caswell authored
      
      
      The ClientHello processing is insufficiently rigorous in its checks to make
      sure that we don't read past the end of the message. This does not have
      security implications due to the size of the underlying buffer - but still
      needs to be fixed.
      
      With thanks to Qinghao Tang for reporting this issue.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
      923552bd
  18. Apr 10, 2015
    • Dr. Stephen Henson's avatar
      Don't set *pval to NULL in ASN1_item_ex_new. · dafa9534
      Dr. Stephen Henson authored
      
      
      While *pval is usually a pointer in rare circumstances it can be a long
      value. One some platforms (e.g. WIN64) where
      sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.
      
      *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
      to NULL is unecessary anyway.
      
      Thanks to Julien Kauffmann for reporting this issue.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit f617b496)
      
      Conflicts:
      	crypto/asn1/tasn_new.c
      dafa9534