Skip to content
  1. Jan 24, 2018
  3. Jan 23, 2018
  5. Jan 22, 2018
  7. Jan 21, 2018
  9. Jan 16, 2018
    • Matt Caswell's avatar
      Revert BN_copy() flag copy semantics change · 8837a048
      Matt Caswell authored 
      Commit 9f944291

 changed the semantics of BN_copy() to additionally
copy the BN_FLG_CONSTTIME flag if it is set. This turns out to be
ill advised as it has unintended consequences. For example calling
BN_mod_inverse_no_branch() can sometimes return a result with the flag
set and sometimes not as a result. This can lead to later failures if we
go down code branches that do not support constant time, but check for
the presence of the flag.

The original commit was made due to an issue in BN_MOD_CTX_set(). The
original PR fixed the problem in that function, but it was changed in
review to fix it in BN_copy() instead. The solution seems to be to revert
the BN_copy() change and go back to the originally proposed way.

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5080)

(cherry picked from commit 7d461736)
      8837a048
  11. Jan 09, 2018
    • Matt Caswell's avatar
      Tolerate DTLS alerts with an incorrect version number · da9ed725
      Matt Caswell authored 
      

In the case of a protocol version alert being sent by a peer the record
version number may not be what we are expecting. In DTLS records with an
unexpected version number are silently discarded. This probably isn't
appropriate for alerts, so we tolerate a mismatch in the minor version
number.

This resolves an issue reported on openssl-users where an OpenSSL server
chose DTLS1.0 but the client was DTLS1.2 only and sent a protocol_version
alert with a 1.2 record number. This was silently ignored by the server.

Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5019)
      da9ed725
  13. Jan 07, 2018
  15. Jan 06, 2018
  17. Jan 05, 2018
  19. Dec 27, 2017
  21. Dec 23, 2017
  23. Dec 13, 2017
  25. Dec 11, 2017
  27. Dec 10, 2017
  29. Dec 09, 2017
  31. Dec 08, 2017
  33. Dec 07, 2017
  35. Dec 06, 2017
    • Matt Caswell's avatar
      Add a test for CVE-2017-3737 · c7383fb5
      Matt Caswell authored 
      

Test reading/writing to an SSL object after a fatal error has been
detected.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      c7383fb5
    • Matt Caswell's avatar
      Don't allow read/write after fatal error · 898fb884
      Matt Caswell authored 
      

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
mechanism. The intent was that if a fatal error occurred during a handshake
then OpenSSL would move into the error state and would immediately fail if
you attempted to continue the handshake. This works as designed for the
explicit handshake functions (SSL_do_handshake(), SSL_accept() and
SSL_connect()), however due to a bug it does not work correctly if
SSL_read() or SSL_write() is called directly. In that scenario, if the
handshake fails then a fatal error will be returned in the initial function
call. If SSL_read()/SSL_write() is subsequently called by the application
for the same SSL object then it will succeed and the data is passed without
being decrypted/encrypted directly from the SSL/TLS record layer.

In order to exploit this issue an attacker would have to trick an
application into behaving incorrectly by issuing an SSL_read()/SSL_write()
after having already received a fatal error.

Thanks to David Benjamin (Google) for reporting this issue and suggesting
this fix.

CVE-2017-3737

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      898fb884
    • Andy Polyakov's avatar
      bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2. · ca51bafc
      Andy Polyakov authored 
      

Credit to OSS-Fuzz for finding this.

CVE-2017-3738

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      ca51bafc
  37. Dec 04, 2017
  39. Nov 30, 2017
  41. Nov 16, 2017
  43. Nov 14, 2017
  45. Nov 13, 2017