- Mar 23, 2015
-
-
Richard Levitte authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Richard Levitte authored
Follow up on the earlier "Do not keep TABLE in version control". Actually removing TABLE from version control was forgotten. Reviewed-by: Matt Caswell <matt@openssl.org>
-
Matt Caswell authored
Don't check that the curve appears in the list of acceptable curves for the peer, if they didn't send us such a list (RFC 4492 does not require that the extension be sent). Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Remove {i2d,d2i}_ASN1_BOOLEAN. Rewrite single occurrence of d2i_ASN1_BOOLEAN in asn1_parse2 Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Dr. Stephen Henson authored
Remove old M_ASN1_ macros and replace any occurences with the corresponding function. Remove d2i_ASN1_bytes, d2i_ASN1_SET, i2d_ASN1_SET: no longer used internally. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Andy Polyakov authored
In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google). Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Mar 21, 2015
-
-
Richard Levitte authored
Using $t is an artifact from the earlier changes in Configure and was unfortunately forgotten as is. Reviewed-by: Stephen Henson <steve@openssl.org>
-
- Mar 20, 2015
-
-
Dr. Stephen Henson authored
This tests the unwrap algorithm with an invalid key. The result should be rejected without returning any plaintext. Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Richard Godbee authored
crypto/modes/wrap128.c was heavily refactored to support AES Key Wrap with Padding, and four bugs were introduced into CRYPTO_128_unwrap() at that time: - crypto_128_unwrap_raw()'s return value ('ret') is checked incorrectly, and the function immediately returns 'ret' in (almost) all cases. This makes the IV checking code later in the function unreachable, but callers think the IV check succeeded since CRYPTO_128_unwrap()'s return value is non-zero. FIX: Return 0 (error) if crypto_128_unwrap_raw() returned 0 (error). - crypto_128_unwrap_raw() writes the IV to the 'got_iv' buffer, not to the first 8 bytes of the output buffer ('out') as the IV checking code expects. This makes the IV check fail. FIX: Compare 'iv' to 'got_iv', not 'out'. - The data written to the output buffer ('out') is "cleansed" if the IV check fails, but the code passes OPENSSL_cleanse() the input buffer length ('inlen') instead of the number of bytes that crypto_128_unwrap_raw() wrote to the output buffer ('ret'). This means that OPENSSL_cleanse() could potentially write past the end of 'out'. FIX: Change 'inlen' to 'ret' in the OPENSSL_cleanse() call. - CRYPTO_128_unwrap() is returning the length of the input buffer ('inlen') instead of the number of bytes written to the output buffer ('ret'). This could cause the caller to read past the end of 'out'. FIX: Return 'ret' instead of 'inlen' at the end of the function. PR#3749 Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Richard Godbee authored
Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
Updated test/testssl script to include the new DTLS capability in ssltest. Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
David Woodhouse authored
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
David Woodhouse authored
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
- Mar 19, 2015
-
-
Richard Levitte authored
Reviewed-by: Stephen Henson <steve@openssl.org>
-
Matt Caswell authored
Reported by the LibreSSL project as a follow on to CVE-2015-0209 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Resync NEWS with the latest version from 1.0.2 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Resync CHANGES with the latest version from 1.0.2. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Emilia Kasper authored
In PKCS#7, the ASN.1 content component is optional. This typically applies to inner content (detached signatures), however we must also handle unexpected missing outer content correctly. This patch only addresses functions reachable from parsing, decryption and verification, and functions otherwise associated with reading potentially untrusted data. Correcting all low-level API calls requires further work. CVE-2015-0289 Thanks to Michal Zalewski (Google) for reporting this issue. Reviewed-by: Steve Henson <steve@openssl.org>
-
Dr. Stephen Henson authored
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. CVE-2015-0286 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
If client auth is used then a server can seg fault in the event of a DHE cipher being used and a zero length ClientKeyExchange message being sent by the client. This could be exploited in a DoS attack. CVE-2015-1787 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Dr. Stephen Henson authored
If a client renegotiates using an invalid signature algorithms extension it will crash a server with a NULL pointer dereference. Thanks to David Ramos of Stanford University for reporting this bug. CVE-2015-0291 Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Dr. Stephen Henson authored
Fix a bug where invalid PSS parameters are not rejected resulting in a NULL pointer exception. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. Thanks to Brian Carpenter for reporting this issues. CVE-2015-0208 Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Dr. Stephen Henson authored
CVE-2015-0287 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invokation to the next that can lead to a segmentation fault. Erorrs processing the initial ClientHello can trigger this scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server. CVE-2015-0207 Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of "multiblock" can cause OpenSSL's internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack. CVE-2015-0290 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
-
- Mar 18, 2015
-
-
Andy Polyakov authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Mar 17, 2015
-
-
Richard Levitte authored
./config would translate -d into having the target get a 'debug-' prefix, and then run './Configure LIST' to find out if such a debugging target exists or not. With the recent changes, the separate 'debug-foo' targets are disappearing, and we're giving the normal targets debugging capabilities instead. Unfortunately, './config' wasn't changed to match this new behavior. This change introduces the arguments '--debug' and '--release' - the latter just for orthogonality - to ./Configure, and ./config now treats -d by adding '--debug' to the options for ./Configure. Reviewed-by: Matt Caswell <matt@openssl.org>
-
Matt Caswell authored
Some miscellaneous removal of dead code from apps. Also fix an issue with error handling with pkcs7. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Some miscellaneous removal of dead code from lib crypto. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
In the probable_prime() function we behave slightly different if the number of bits we are interested in is <= BN_BITS2 (the num of bits in a BN_ULONG). As part of the calculation we work out a size_limit as follows: size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1; There is a problem though if bits == BN_BITS2. Shifting by that much causes undefined behaviour. I did some tests. On my system BN_BITS2 == 64. So I set bits to 64 and calculated the result of: (((BN_ULONG)1) << bits) I was expecting to get the result 0. I actually got 1! Strangely this... (((BN_ULONG)0) << BN_BITS2) ...does equal 0! This means that, on my system at least, size_limit will be off by 1 when bits == BN_BITS2. This commit fixes the behaviour so that we always get consistent results. Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Matt Caswell authored
The function CRYPTO_128_unwrap_pad uses an 8 byte AIV (Alternative Initial Value). The least significant 4 bytes of this is placed into the local variable |ptext_len|. This is done as follows: ptext_len = (aiv[4] << 24) | (aiv[5] << 16) | (aiv[6] << 8) | aiv[7]; aiv[4] is an unsigned char, but (aiv[4] << 24) is promoted to a *signed* int - therefore we could end up shifting into the sign bit and end up with a negative value. |ptext_len| is a size_t (typically 64-bits). If the result of the shifts is negative then the upper bits of |ptext_len| will all be 1. This commit fixes the issue by explicitly casting to an unsigned int. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Passing a negative value for the "-time" option to s_time results in a seg fault. This commit fixes it so that time has to be greater than 0. Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Matt Caswell authored
The function tls1_PRF counts the number of digests in use and partitions security evenly between them. There always needs to be at least one digest in use, otherwise this is an internal error. Add a sanity check for this. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
The function sk_zero is supposed to zero the elements held within a stack. It uses memset to do this. However it calculates the size of each element as being sizeof(char **) instead of sizeof(char *). This probably doesn't make much practical difference in most cases, but isn't a portable assumption. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Move memory allocation failure checks closer to the site of the malloc in dgst app. Only a problem if the debug flag is set...but still should be fixed. Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Matt Caswell authored
Add some missing checks for memory allocation failures in ca app. Reviewed-by: Tim Hudson <tjh@openssl.org>
-
- Mar 16, 2015
-
-
Richard Levitte authored
TABLE was always a debugging tool, and permitted everyone to see the effect of changes in the string-format configs. The hash-format configs being much more readable, distributing TABLE becomes much less necessary. Being able to produce a TABLE is kept, however, as it still is a useful debugging tool for configs, what with multi-level inheritance and all. Reviewed-by: Andy Polyakov <appro@openssl.org>
-
Richard Levitte authored
Move obviously personal configurations to personal files. Note: those files should really not be in the main repo at all Reviewed-by: Andy Polyakov <appro@openssl.org>
-