Commits · e8e380ce013b4d14a2eccda9475536729b72af8e · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Oct 13, 2016

Rich Salz authored Oct 12, 2016



Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1702)
(cherry picked from commit 7954dced)

e8e380ce

Oct 11, 2016
- Add missing error string for SSL_R_TOO_MANY_WARN_ALERTS · f1f97699
  Kurt Cancemi authored Sep 22, 2016
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  f1f97699
Sep 28, 2016

apps/apps.c: initialize and de-initialize engine around key loading · 53a71b74

Richard Levitte authored Sep 28, 2016



Before loading a key from an engine, it may need to be initialized.
When done loading the key, we must de-initialize the engine.
(if the engine is already initialized somehow, only the reference
counter will be incremented then decremented)

Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 49e476a5)

53a71b74

Revert "Call ENGINE_init() before trying to use keys from engine" · a269e5f0

Rich Salz authored Sep 28, 2016

This reverts commit 4badd2b3

.
This fails to call ENGINE_finish; an alternate fix is coming.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

a269e5f0

Call ENGINE_init() before trying to use keys from engine · 4badd2b3

David Woodhouse authored Sep 28, 2016

Things like 'openssl s_client' only ever worked with keys from an engine
which provided a default generic method for some key type — because it
called ENGINE_set_default() and that ended up being an implicit
initialisation and functional refcount.

But an engine which doesn't provide generic methods doesn't get
initialised, and then when you try to use it you get an error:

cannot load client certificate private key file from engine
140688147056384:error:26096075:engine routines:ENGINE_load_private_key:not initialised:crypto/engine/eng_pkey.c:66:
unable to load client certificate private key file

cf. https://github.com/OpenSC/libp11/issues/107

 (in which we discover
that engine_pkcs11 *used* to provide generic methods that OpenSSL would
try to use for ephemeral DH keys when negotiating ECDHE cipher suites in
TLS, and that didn't work out very well.)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1640)

4badd2b3

Sep 26, 2016

Fix NEWS error · 9702bf5f

Matt Caswell authored Sep 26, 2016



The NEWS file referenced the wrong CVE for 1.0.2

Reviewed-by: Richard Levitte <levitte@openssl.org>

9702bf5f

Prepare for 1.0.2k-dev · f6e43fee
Matt Caswell authored Sep 26, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
f6e43fee
Prepare for 1.0.2j release · e216bf9d
Matt Caswell authored Sep 26, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
OpenSSL_1_0_2j

e216bf9d
Update CHANGES and NEWS for the new release · ca430ece
Matt Caswell authored Sep 26, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
ca430ece

Add some sanity checks when checking CRL scores · 6e629b5b

Matt Caswell authored Aug 23, 2016



Note: this was accidentally omitted from OpenSSL 1.0.2 branch.
Without this fix any attempt to use CRLs will crash.

CVE-2016-7052

Thanks to Bruce Stephens and Thomas Jakobi for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

6e629b5b

Sep 22, 2016

Fix build with no-nextprotoneg · f15a7e39

Dirk Feytons authored Sep 22, 2016



Add a missing ifdef. Same change is already present in master.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1100)

f15a7e39

Fix typo introduced by a03f81f4 · 581215a5
Rich Salz authored Sep 22, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
581215a5
Prepare for 1.0.2j-dev · 9d264d11
Matt Caswell authored Sep 22, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
9d264d11
Prepare for 1.0.2i release · 32c13016
Matt Caswell authored Sep 22, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
OpenSSL_1_0_2i

32c13016
Updates CHANGES and NEWS for new release · 35aede1c
Matt Caswell authored Sep 21, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
35aede1c

Avoid KCI attack for GOST · 92c8d6ae

Dmitry Belyavsky authored Sep 19, 2016



Russian GOST ciphersuites are vulnerable to the KCI attack because they use
long-term keys to establish the connection when ssl client authorization is
on. This change brings the GOST implementation into line with the latest
specs in order to avoid the attack. It should not break backwards
compatibility.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

92c8d6ae

Fix a mem leak in NPN handling · 38f59bd1

Matt Caswell authored Sep 09, 2016

If a server sent multiple NPN extensions in a single ClientHello then a
mem leak can occur. This will only happen where the client has requested
NPN in the first place. It does not occur during renegotiation. Therefore
the maximum that could be leaked in a single connection with a malicious
server is 64k (the maximum size of the ServerHello extensions section). As
this is client side, only occurs if NPN has been requested and does not
occur during renegotiation this is unlikely to be exploitable.

Issue reported by Shi Lei.

Reviewed-by: Rich Salz <rsalz@openssl.org>

38f59bd1

Fix OCSP Status Request extension unbounded memory growth · ea39b16b

Matt Caswell authored Sep 09, 2016



A malicious client can send an excessively large OCSP Status Request
extension. If that client continually requests renegotiation,
sending a large OCSP Status Request extension each time, then there will
be unbounded memory growth on the server. This will eventually lead to a
Denial Of Service attack through memory exhaustion. Servers with a
default configuration are vulnerable even if they do not support OCSP.
Builds using the "no-ocsp" build time option are not affected.

I have also checked other extensions to see if they suffer from a similar
problem but I could not find any other issues.

CVE-2016-6304

Issue reported by Shi Lei.

Reviewed-by: Rich Salz <rsalz@openssl.org>

ea39b16b

mk1mf.pl: check for no-tls1 here as well · 90d6f351
Richard Levitte authored Sep 22, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
90d6f351

Sep 21, 2016

Don't allow too many consecutive warning alerts · 22646a07

Matt Caswell authored Sep 21, 2016



Certain warning alerts are ignored if they are received. This can mean that
no progress will be made if one peer continually sends those warning alerts.
Implement a count so that we abort the connection if we receive too many.

Issue reported by Shi Lei.

Reviewed-by: Rich Salz <rsalz@openssl.org>

22646a07

Make message buffer slightly larger than message. · 006a788c

Dr. Stephen Henson authored Sep 21, 2016



Grow TLS/DTLS 16 bytes more than strictly necessary as a precaution against
OOB reads. In most cases this will have no effect because the message buffer
will be large enough already.

Reviewed-by: Matt Caswell <matt@openssl.org>

006a788c

Use SSL3_HM_HEADER_LENGTH instead of 4. · bc9563f8
Dr. Stephen Henson authored Sep 21, 2016
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
bc9563f8

Remove unnecessary check. · 709ec8b3

Dr. Stephen Henson authored Sep 21, 2016



The overflow check will never be triggered because the
the n2l3 result is always less than 2^24.

Reviewed-by: Matt Caswell <matt@openssl.org>

709ec8b3

Dcoument -alpn flag · 62841a23

Rich Salz authored Sep 21, 2016



Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 776e15f9)

62841a23

GH1555: Don't bump size on realloc failure · ceb7342d

Rich Salz authored Sep 09, 2016



Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 6fcace45)

ceb7342d

apps/apps.c: include sys/socket.h to declare recv() · 9583e416
Richard Levitte authored Sep 20, 2016
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a19228b7)
```
9583e416

Fix small OOB reads. · ff553f83

Dr. Stephen Henson authored Sep 17, 2016



In ssl3_get_client_certificate, ssl3_get_server_certificate and
ssl3_get_certificate_request check we have enough room
before reading a length.

Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.

CVE-2016-6306

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

ff553f83

Fix a missing NULL check in dsa_builtin_paramgen · d0cbaa2f

Matt Caswell authored Sep 14, 2016



We should check the last BN_CTX_get() call to ensure that it isn't NULL
before we try and use any of the allocated BIGNUMs.

Issue reported by Shi Lei.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 1ff7425d)

d0cbaa2f

Sep 20, 2016

RT4669: dgst can only sign/verify one file · a5e55f62
Richard Levitte authored Sep 20, 2016
```
Check arg count and print an error message.

Reviewed-by: Rich Salz <rsalz@openssl.org>
```
a5e55f62

initialize the RSA struct to 0. · 6180c0ff

Marcus Meissner authored Sep 06, 2016



This helps with program code linked against static builds accessing a uninitialized ->engine pointer.

CLA: none; trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1540)

6180c0ff

Sep 15, 2016

update default dependencies · 32cc4c26
Dr. Stephen Henson authored Sep 15, 2016
```
Reviewed-by: Richard Levitte <levitte@openssl.org>
```
32cc4c26

Revert "Abort on unrecognised warning alerts" · 502fcc67

Matt Caswell authored Sep 15, 2016

This reverts commit 15d81749

.

There were some unexpected side effects to this commit, e.g. in SSLv3 a
warning alert gets sent "no_certificate" if a client does not send a
Certificate during Client Auth. With the above commit this causes the
connection to abort, which is incorrect. There may be some other edge cases
like this so we need to have a rethink on this.

Reviewed-by: Tim Hudson <tjh@openssl.org>

502fcc67

Finally, make sure vms_term_sock.c is built · 15c088e4

Richard Levitte authored Sep 14, 2016



Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

15c088e4

Refactor to avoid unnecessary preprocessor logic · d6d04b64
Richard Levitte authored Sep 15, 2016
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
d6d04b64
Reformat to fit OpenSSL source code standards · b5082672
Richard Levitte authored Sep 14, 2016
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
b5082672
Remove entirely unnecessary pointer size guards · a2d21200
Richard Levitte authored Sep 14, 2016
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
a2d21200
Add copyright and license on apps/vms_term_sock.[ch] · 45852545
Richard Levitte authored Sep 14, 2016
```
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
45852545

VSI submission: redirect terminal input through socket · 1015609a

Richard Levitte authored Aug 03, 2016



This is needed, because on VMS, select() can only be used on sockets.  being
able to use select() on all kinds of file descriptors is unique to Unix.

So, the solution for VMS is to create a layer that translates input from
standard input to socket communication.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

1015609a

Fix memory leak on realloc error. · d6924759

Dr. Stephen Henson authored Sep 14, 2016



Backport leak fix from master branch.

Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>

d6924759

Fix memory leak on error. · ea060e02

Dr. Stephen Henson authored Sep 14, 2016



Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>

ea060e02