Skip to content
  1. Dec 02, 2015
  3. Nov 30, 2015
    • Matt Caswell's avatar
      Return errors even if the cookie validation has succeeded · 41d049e1
      Matt Caswell authored 
      

In the DTLS ClientHello processing the return value is stored in |ret| which
by default is -1. We wish to return 1 on success or 2 on success *and* we
have validated the DTLS cookie. Previously on successful validation of the
cookie we were setting |ret| to 2. Unfortunately if we later encounter an
error then we can end up returning a successful (positive) return code from
the function because we already set |ret| to a positive value.

This does not appear to have a security consequence because the handshake
just fails at a later point.

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      41d049e1
  5. Nov 24, 2015
  7. Nov 22, 2015
  9. Nov 21, 2015
  11. Nov 20, 2015
  13. Nov 18, 2015
  15. Nov 13, 2015
  17. Nov 10, 2015
    • Matt Caswell's avatar
      Stop DTLS servers asking for unsafe legacy renegotiation · 78b9d134
      Matt Caswell authored 
      

If a DTLS client that does not support secure renegotiation connects to an
OpenSSL DTLS server then, by default, renegotiation is disabled. If a
server application attempts to initiate a renegotiation then OpenSSL is
supposed to prevent this. However due to a discrepancy between the TLS and
DTLS code, the server sends a HelloRequest anyway in DTLS.

This is not a security concern because the handshake will still fail later
in the process when the client responds with a ClientHello.

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(cherry picked from commit d40ec4ab)
      78b9d134
    • Matt Caswell's avatar
      Only call ssl3_init_finished_mac once for DTLS · e8300984
      Matt Caswell authored 
      

In DTLS if an IO retry occurs during writing of a fragmented ClientHello
then we can end up reseting the finish mac variables on the retry, which
causes a handshake failure. We should only reset on the first attempt not
on retries.

Thanks to BoringSSL for reporting this issue.

RT#4119

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(cherry picked from commit 15a7164e)
      e8300984
  19. Nov 09, 2015
  21. Nov 04, 2015
  23. Nov 02, 2015
  25. Nov 01, 2015
  27. Oct 29, 2015
  29. Oct 23, 2015
  31. Oct 10, 2015
  33. Oct 09, 2015
  35. Oct 08, 2015
    • Matt Caswell's avatar
      Don't treat a bare OCTETSTRING as DigestInfo in int_rsa_verify · ec1f1255
      Matt Caswell authored 
      

The function int_rsa_verify is an internal function used for verifying an
RSA signature. It takes an argument |dtype| which indicates the digest type
that was used. Dependant on that digest type the processing of the
signature data will vary. In particular if |dtype == NID_mdc2| and the
signature data is a bare OCTETSTRING then it is treated differently to the
default case where the signature data is treated as a DigestInfo (X509_SIG).

Due to a missing "else" keyword the logic actually correctly processes the
OCTETSTRING format signature first, and then attempts to continue and
process it as DigestInfo. This will invariably fail because we already know
that it is a bare OCTETSTRING.

This failure doesn't actualy make a real difference because it ends up at
the |err| label regardless and still returns a "success" result. This patch
just cleans things up to make it look a bit more sane.

RT#4076

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(cherry picked from commit dffe5109)
      ec1f1255
    • Richard Levitte's avatar
      When ENGINE_add finds that id or name is missing, actually return · 363c8fd5
      Richard Levitte authored 
      

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(cherry picked from commit 5850cc75)
      363c8fd5
  37. Oct 07, 2015
  39. Oct 06, 2015
  41. Oct 05, 2015