- Nov 02, 2017
-
-
Matt Caswell authored
Reviewed-by:Andy Polyakov <appro@openssl.org>
-
Andy Polyakov authored
Reviewed-by:Rich Salz <rsalz@openssl.org>
-
Andy Polyakov authored
Credit to OSS-Fuzz for finding this. CVE-2017-3736 Reviewed-by: -
Richard Levitte authored
In OpenSSL pre 1.1.0, 'openssl x509 -CAkeyformat engine' was possible and supported. In 1.1.0, a small typo ('F' instead of 'f') removed that possibility. This restores the pre 1.1.0 behavior. Fixes #4366 Reviewed-by:
-
- Nov 01, 2017
-
-
Pauli authored
information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4576)
-
Pauli authored
information about the length of a value used in DSA operations from a large number of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Reviewed-by:
-
- Oct 31, 2017
-
-
Richard Levitte authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4637)
-
Richard Levitte authored
It turns out that (some?) fuzzers can read a dictionary of OIDs, so we generate one as part of the usual 'make update'. Fixes #4615 Reviewed-by:
-
Ronald Tse authored
* ARIA, SEED, Camellia * AES-XTS, OCB, CTR * Key wrap for 3DES, AES * RC4-MD5 AD * CFB modes with 1-bit and 8-bit shifts Split EVP_EncryptInit cipher list to individual man pages. Consolidate cipher bit-lengths in EVP_EncryptInit cipher list. Clarify Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4564)
-
Ronald Tse authored
Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by:
-
Richard Levitte authored
Missing names slipped through Reviewed-by:
-
Dr. Matthias St. Pierre authored
A block of six TEST_int_xy() macro definitions was duplicated. Reviewed-by:
-
Baptiste Jonglez authored
The check should reject kernel versions < 4.1.0, not <= 4.1.0. The issue was spotted on OpenSUSE 42.1 Leap, since its linux/version.h header advertises 4.1.0. CLA: trivial Fixes: 7f458a48 ("ALG: Add AFALG engine") Signed-off-by:
Baptiste Jonglez <git@bitsofnetworks.org> Reviewed-by:
-
Baptiste Jonglez authored
The eventfd syscall is deprecated and is not available on aarch64, causing build to fail: engines/e_afalg.c: In function 'eventfd': engines/e_afalg.c:108:20: error: '__NR_eventfd' undeclared (first use in this function) return syscall(__NR_eventfd, n); ^ Instead, switch to the newer eventfd2 syscall, which is supposed to be supported by all architectures. This kind of issues would be avoided by simply using the eventfd(2) wrapper from the libc, but there must be subtle reasons not to... Tested on a aarch64 system running OpenSUSE Leap 42.1 (gcc118 from https://cfarm.tetaneutral.net/machines/list/ ) and also cross-compiling for aarch64 with LEDE (kernel 4.9). This properly fixes #1685. CLA: trivial Fixes: 7f458a48 ("ALG: Add AFALG engine") Signed-off-by: -
Ronald Tse authored
Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4552)
-
- Oct 30, 2017
-
-
Kurt Roeckx authored
This restores the 1.0.2 behaviour Reviewed-by:
Benjamin Kaduk <bkaduk@akamai.com> GH: #4613
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
No two public key ASN.1 methods with the same pkey_id can be registered at the same time. Reviewed-by:
-
Richard Levitte authored
[skip ci] Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Benjamin Kaduk authored
If the list of fds contains only (one or more) entries marked as deleted prior to the entry currently being deleted, and the entry currently being deleted was only just added, the 'prev' pointer would never be updated from its initial NULL value, and we would dereference NULL while trying to remove the entry from the linked list. Reported by Coverity. Reviewed-by:
-
Benjamin Kaduk authored
This would cut out some distracting noise in the test output if we ended up hitting these error cases. Reported by Coverity. Reviewed-by:
-
AlexDenisov authored
Thanks to David Benjamin for suggesting the fix needed by this fix. CLA: trivial Reviewed-by:
-
Benjamin Kaduk authored
We currently increment the SSL_CTX stats.sess_accept field in tls_setup_handshake(), which is invoked from the state machine well before ClientHello processing would have had a chance to switch the SSL_CTX attached to the SSL object due to a provided SNI value. However, stats.sess_accept_good is incremented in tls_finish_handshake(), and uses the s->ctx.stats field (i.e., the new SSL_CTX that was switched to as a result of SNI processing). This leads to the confusing (nonsensical) situation where stats.sess_accept_good is larger than stats.sess_accept, as the "sess_accept" value was counted on the s->session_ctx. In order to provide some more useful numbers, increment s->ctx.stats.sess_accept after SNI processing if the SNI processing changed s->ctx to differ from s->session_ctx. To preserve the property that any given accept is counted only once, make the corresponding decrement to s->session_ctx.stats.sess_accept when doing so. Reviewed-by:
-
Benjamin Kaduk authored
For client SSL objects and before any callbacks have had a chance to be called, we can write the stats accesses using the session_ctx, which makes sense given that these values are all prefixed with "sess_". For servers after a client_hello or servername callback has been called, retain the existing behavior of modifying the statistics for the current (non-session) context. This has some value, in that it allows the statistics to be viewed on a per-vhost level. Reviewed-by:
-
Benjamin Kaduk authored
It is expected that SSL_CTX objects are shared across threads, and as such we are responsible for ensuring coherent data accesses. Aligned integer accesses ought to be atomic already on all supported architectures, but we can be formally correct. Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Patrick Steuer authored
Extend the s390x capability vector to store the longer facility list available from z13 onwards. The bits indicating the vector extensions are set to zero, if the kernel does not enable the vector facility. Also add capability bits returned by the crypto instructions' query functions. Signed-off-by:
Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4542)
-
- Oct 26, 2017
-
-
Paul Yang authored
Use the newly introduced sk_TYPE_new_reserve API to simplify the reservation of stack as creating it. Reviewed-by:
-
Benjamin Kaduk authored
Only the 'new' variant of sk_TYPE_new_reserve() deals with compression functions. Mention both new 'reserve' APIs as being added in OpenSSL 1.1.1. Reviewed-by:
-
Matt Caswell authored
The functions strcasecmp() and strncasecmp() will use locale specific rules when performing comparison. This could cause some problems in certain locales. For example in the Turkish locale an 'I' character is not the uppercase version of 'i'. However IA5 strings should not use locale specific rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the Turkish locale. This fixes a bug in name constraints checking reported by Thomas Pornin (NCCGroup). This is not considered a security issue because it would require both a Turkish locale (or other locale with similar issues) and malfeasance by a trusted name-constrained CA for a certificate to pass name constraints in error. The constraints also have to be for excluded sub-trees which are extremely rare. Failure to match permitted subtrees is a bug, not a vulnerability. Reviewed-by:
-
- Oct 25, 2017
-
-
Paul Yang authored
<compar> to <compare> to match the var name in function prototype Reviewed-by:
-
Paul Yang authored
Reviewed-by:
-
Paul Yang authored
This is a combination of sk_new and sk_reserve, to make it more convenient to allocate a new stack with reserved memory and comaprison function (if any). Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Ronald Tse authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
- Oct 24, 2017
-
-
Richard Levitte authored
asn1_item_embed_free() will try unlocking and fail in this case, and since the new item was just allocated on the heap, free it directly with OPENSSL_free() instead. Reviewed-by:
-
Richard Levitte authored
The previous change with this intention didn't quite do it. An embedded item must not be freed itself, but might potentially contain non-embedded elements, which must be freed. So instead of calling ASN1_item_ex_free(), where we can't pass the embed flag, we call asn1_item_embed_free() directly. This changes asn1_item_embed_free() from being a static function to being a private non-static function. Reviewed-by:
-
Matt Caswell authored
The lhash expand() function can fail if realloc fails. The previous implementation made changes to the structure and then attempted to do a realloc. If the realloc failed then it attempted to undo the changes it had just made. Unfortunately changes to lh->p were not undone correctly, ultimately causing subsequent expand() calls to increment num_nodes to a value higher than num_alloc_nodes, which can cause out-of-bounds reads/ writes. This is not considered a security issue because an attacker cannot cause realloc to fail. This commit moves the realloc call to near the beginning of the function before any other changes are made to the lhash structure. That way if a failure occurs we can immediately fail without having to undo anything. Thanks to Pavel Kopyl (Samsung) for reporting this issue. Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4550)
-
