- 07 Dec, 2017 3 commits
-
-
Matt Caswell authored
Reviewed-by:Andy Polyakov <appro@openssl.org>
-
Matt Caswell authored
Reviewed-by:Rich Salz <rsalz@openssl.org>
-
Matt Caswell authored
Reviewed-by:
-
- 06 Dec, 2017 3 commits
-
-
Matt Caswell authored
Test reading/writing to an SSL object after a fatal error has been detected. Reviewed-by: -
Matt Caswell authored
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an attacker would have to trick an application into behaving incorrectly by issuing an SSL_read()/SSL_write() after having already received a fatal error. Thanks to David Benjamin (Google) for reporting this issue and suggesting this fix. CVE-2017-3737 Reviewed-by: -
Andy Polyakov authored
Credit to OSS-Fuzz for finding this. CVE-2017-3738 Reviewed-by:
-
- 04 Dec, 2017 1 commit
-
-
MerQGh authored
This line will allow use private keys, which created by Crypto Pro, to sign with OpenSSL. CLA: trivial Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4836) (cherry picked from commit b35bb37a)
-
- 30 Nov, 2017 1 commit
-
-
FdaSilvaYY authored
Fixes #4775 Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4815) (cherry picked from commit a61c15eb)
-
- 16 Nov, 2017 1 commit
-
-
FdaSilvaYY authored
Backport of #4677 / 1687aa76 Reviewed-by:
-
- 14 Nov, 2017 1 commit
-
-
Richard Levitte authored
Fixes #4734 #4649 Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4735)
-
- 13 Nov, 2017 2 commits
-
-
Andy Polyakov authored
We had /WX (treat warnings as errors) in VC-WIN32 for long time. At some point it was somehow omitted. It's argued that it allows to keep better focus on new code, which motivates the comeback... Reviewed-by:
-
Andy Polyakov authored
It's argued that /WX allows to keep better focus on new code, which motivates its comeback... Reviewed-by:
-
- 11 Nov, 2017 2 commits
-
-
Long Qin authored
* addressing", Proc. 6th Conference on Very Large Databases: 212–223 ^ The EN DASH ('–') in this line is one UTF-8 character (hex: e2 80 93). Under some code page setting (e.g. 936), Visual Studio may report C4819 warning: The file contains a character that cannot be represented in the current code page. Replace this character with the ASCII char '-' (Hex Code: 2D). Reviewed-by: -
Richard Levitte authored
cb_ticket2() does an exit, and should therefore not need to return anything. Some compilers don't detect that, or don't care, and warn about a non-void function without a return statement. Reviewed-by:
-
- 10 Nov, 2017 1 commit
-
-
Richard Levitte authored
Reviewed-by:
-
- 08 Nov, 2017 1 commit
-
-
Andy Polyakov authored
In earlier 5.1x Perl versions quoting globs works only if there is white space. If there is none, it's looking for names starting with ". Reviewed-by:
-
- 07 Nov, 2017 4 commits
-
-
Andy Polyakov authored
It's not clear if it's a feature or bug, but binutils-2.29[.1] interprets 'adr' instruction with Thumb2 code reference differently, in a way that affects calculation of addresses of constants' tables. Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4673)
-
Bernd Edlinger authored
Fixes: #4590 Reviewed-by:
-
Matt Caswell authored
The man pages say that BIGNUM arithmetic operations fail with a 0 return. However some functions were returning -1 on error. In master and 1.1.0 they already return 0, so this brings 1.0.2 in line. Reviewed-by:
-
Rich Salz authored
Cherry-picked by Matt Caswell from 69795831 . Reviewed-by:
-
- 03 Nov, 2017 3 commits
-
-
Pavel Kopyl authored
CLA: trivial Reviewed-by:
-
Pavel Kopyl authored
CLA: trivial Reviewed-by:
-
Kurt Roeckx authored
Reviewed-by:
-
- 02 Nov, 2017 5 commits
-
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Andy Polyakov authored
Credit to OSS-Fuzz for finding this. CVE-2017-3736 Reviewed-by:
-
- 01 Nov, 2017 3 commits
-
-
Pauli authored
information about the length of the scalar used in ECDSA operations from a large number (2^32) of signatures. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Refer to #4576 for further details. Reviewed-by:
-
Pauli authored
information about the length of a value used in DSA operations from a large number of signatures. This doesn't rate as a CVE because: * For the non-constant time code, there are easier ways to extract more information. * For the constant time code, it requires a significant number of signatures to leak a small amount of information. Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for reporting this issue. Original commit by Paul Dale. Backported to 1.0.2 by Matt Caswell Reviewed-by:
-
David Benjamin authored
1ce95f19 was incomplete and did not handle the case when SSL_set_SSL_CTX was called from the cert_cb callback rather than the SNI callback. The consequence is any server using OpenSSL 1.0.2 and the cert_cb callback for SNI only ever signs a weak digest, SHA-1, even when connecting to clients which use secure ones. Fix this and add regression tests for both this and the original issue. Fixes #4554. Reviewed-by:
Emilia Käsper <emilia@openssl.org> Reviewed-by:
-
- 26 Oct, 2017 2 commits
-
-
Richard Levitte authored
Fixes: #2539 Reviewed-by:
-
Matt Caswell authored
The functions strcasecmp() and strncasecmp() will use locale specific rules when performing comparison. This could cause some problems in certain locales. For example in the Turkish locale an 'I' character is not the uppercase version of 'i'. However IA5 strings should not use locale specific rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the Turkish locale. This fixes a bug in name constraints checking reported by Thomas Pornin (NCCGroup). This is not considered a security issue because it would require both a Turkish locale (or other locale with similar issues) and malfeasance by a trusted name-constrained CA for a certificate to pass name constraints in error. The constraints also have to be for excluded sub-trees which are extremely rare. Failure to match permitted subtrees is a bug, not a vulnerability. Reviewed-by:
-
- 25 Oct, 2017 1 commit
-
-
Matt Caswell authored
The lhash expand() function can fail if realloc fails. The previous implementation made changes to the structure and then attempted to do a realloc. If the realloc failed then it attempted to undo the changes it had just made. Unfortunately changes to lh->p were not undone correctly, ultimately causing subsequent expand() calls to increment num_nodes to a value higher than num_alloc_nodes, which can cause out-of-bounds reads/ writes. This is not considered a security issue because an attacker cannot cause realloc to fail. This commit moves the realloc call to near the beginning of the function before any other changes are made to the lhash structure. That way if a failure occurs we can immediately fail without having to undo anything. Thanks to Pavel Kopyl (Samsung) for reporting this issue. Reviewed-by:
-
- 24 Oct, 2017 2 commits
-
-
Richard Levitte authored
The previous change with this intention didn't quite do it. An embedded item must not be freed itself, but might potentially contain non-embedded elements, which must be freed. So instead of calling ASN1_item_ex_free(), where we can't pass the combine flag, we call asn1_item_embed_free() directly. This changes asn1_item_embed_free() from being a static function to being a private non-static function. Reviewed-by:
-
Xiangyu Bu authored
CLA: trivial Reviewed-by:
-
- 23 Oct, 2017 1 commit
-
-
Richard Levitte authored
An embedded item wasn't allocated separately on the heap, so don't free it as if it was. Issue discovered by Pavel Kopyl Reviewed-by:
-
- 19 Oct, 2017 1 commit
-
-
Rich Salz authored
Add openssl-foo as a name for the openssl "foo" command. Recommended by a usability study conducted by Martin Ukrop at CRoCS, FI MU Fixes: #4548 Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4557)
-
- 13 Oct, 2017 1 commit
-
-
Rich Salz authored
Thanks to Jo Hornsby for reporting this and helping with the fix. Reviewed-by:
-
- 11 Oct, 2017 1 commit
-
-
Matt Caswell authored
RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls BN_mod_exp() as follows: BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx) ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In BN_mod_exp() we only test the third param for the existence of this flag. We should test all the inputs. Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this issue. This typically only happens once at key load, so this is unlikely to be exploitable in any real scenario. Reviewed-by:
-
