- Aug 06, 2014
-
-
David Benjamin authored
CVE-2014-3511 Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Bodo Möller <bodo@openssl.org>
-
Adam Langley authored
In a couple of functions, a sequence number would be calculated twice. Additionally, in |dtls1_process_out_of_seq_message|, we know that |frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len < msg_hdr->msg_len| can be more clearly written as |frag_len != msg_hdr->msg_len|, since that's the only remaining case. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read. Problem identified by Emilia Käsper, based on previous issue/patch by Adam Langley. Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Adam Langley authored
Previously, a truncated DTLS fragment in |dtls1_process_out_of_seq_message| would cause *ok to be cleared, but the return value would still be the number of bytes read. This would cause |dtls1_get_message| not to consider it an error and it would continue processing as normal until the calling function noticed that *ok was zero. I can't see an exploit here because |dtls1_get_message| uses |s->init_num| as the length, which will always be zero from what I can see. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Adam Langley authored
The |pqueue_insert| function can fail if one attempts to insert a duplicate sequence number. When handling a fragment of an out of sequence message, |dtls1_process_out_of_seq_message| would not call |dtls1_reassemble_fragment| if the fragment's length was zero. It would then allocate a fresh fragment and attempt to insert it, but ignore the return value, leaking the fragment. This allows an attacker to exhaust the memory of a DTLS peer. Fixes CVE-2014-3507 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
In |dtls1_reassemble_fragment|, the value of |msg_hdr->frag_off+frag_len| was being checked against the maximum handshake message size, but then |msg_len| bytes were allocated for the fragment buffer. This means that so long as the fragment was within the allowed size, the pending handshake message could consume 16MB + 2MB (for the reassembly bitmap). Approx 10 outstanding handshake messages are allowed, meaning that an attacker could consume ~180MB per DTLS connection. In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no check was applied. Fixes CVE-2014-3506 Wholly based on patch by Adam Langley with one minor amendment. Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Matt Caswell authored
Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
Adam Langley authored
The |item| variable, in both of these cases, may contain a pointer to a |pitem| structure within |s->d1->buffered_messages|. It was being freed in the error case while still being in |buffered_messages|. When the error later caused the |SSL*| to be destroyed, the item would be double freed. Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was inconsistent with the other error paths (but correct). Fixes CVE-2014-3505 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
-
- Aug 01, 2014
-
-
Dr. Stephen Henson authored
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Dr. Stephen Henson authored
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause an error code discrepancy. Instead keep ssleay_rand_bytes and add an extra parameter: since ssleay_rand_bytes is not part of the public API this won't cause any binary compatibility issues. Reviewed-by: Kurt Roeckx <kurt@openssl.org> (cherry picked from commit 8068a675a7d1a657c54546f24e673e59e6707f03)
-
Bodo Moeller authored
-
Bodo Moeller authored
(which didn't always handle value 0 correctly). Reviewed-by: <emilia@openssl.org> Conflicts: CHANGES
-
- Jul 30, 2014
-
-
Dr. Stephen Henson authored
Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode. PR#3176 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit a3efe1b6)
-
- Jul 24, 2014
-
-
Dr. Stephen Henson authored
Don't call internal functions directly; call them through SSL_test_functions(). This also makes unit testing work on Windows and platforms that don't export internal functions from shared libraries. By default unit testing is not enabled: it requires the compile time option "enable-unit-test". Reviewed-by: Geoff Thorpe <geoff@openssl.org> (cherry picked from commit e0fc7961) Conflicts: ssl/Makefile util/mkdef.pl
-
- Jul 21, 2014
-
-
Billy Brumley authored
PR#2569 Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit cba11f57)
-
Tim Hudson authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org> (cherry picked from commit 62352b81)
-
Tim Hudson authored
statement of opinion rather than a fact. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit c8d133e4)
-
- Jul 19, 2014
-
-
Dr. Stephen Henson authored
PR#1675 Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
-
- Jul 17, 2014
-
-
Jeffrey Walton authored
PR#3456 Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit d48e78f0)
-
- Jul 16, 2014
-
-
Matt Caswell authored
PR#3442 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 2097a17c)
-
- Jul 15, 2014
-
-
Matt Caswell authored
Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit 3bd54819)
-
Dr. Stephen Henson authored
PR#3452 (cherry picked from commit ca2015a6)
-
Dr. Stephen Henson authored
Use same logic when determining when to expect a client certificate for both TLS and DTLS. PR#3452 (cherry picked from commit c8d710dc)
-
Dr. Stephen Henson authored
The options which emulate a web server don't make sense when doing DTLS. Exit with an error if an attempt is made to use them. PR#3453 (cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)
-
Dr. Stephen Henson authored
PR#3449
-
- Jul 14, 2014
-
-
Dr. Stephen Henson authored
PR#3445 (cherry picked from commit 1c3e9a7c)
-
Hubert Kario authored
Add description of the option to advertise support of Next Protocol Negotiation extension (-nextprotoneg) to man pages of s_client and s_server. PR#3444 (cherry picked from commit 7efd0e77) Conflicts: doc/apps/s_server.pod
-
Dr. Stephen Henson authored
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)
-
- Jul 13, 2014
-
-
Matt Caswell authored
This is actually ok for this function, but initialised to zero anyway if PURIFY defined. This does have the impact of masking any *real* uninitialised data reads in bn though. Patch based on approach suggested by Rich Salz. PR#3415 (cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
-
Peter Mosmans authored
PR#3440 (cherry picked from commit 924e5eda)
-
Richard Levitte authored
Detected by dcruette@qualitesys.com (cherry picked from commit 8b5dd340)
-
- Jul 10, 2014
-
-
Ben Laurie authored
(cherry picked from commit c1d1b011)
-
- Jul 09, 2014
-
-
Matt Caswell authored
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com> PR#3439 (cherry picked from commit 66816c53)
-
- Jul 07, 2014
-
-
David Lloyd authored
PR#2985 (cherry picked from commit 9d23f422)
-
- Jul 06, 2014
-
-
Dr. Stephen Henson authored
(cherry picked from commit ee724df7)
-
Dr. Stephen Henson authored
(cherry picked from commit cba3f1c7) Conflicts: doc/apps/s_client.pod doc/apps/s_server.pod
-
Dr. Stephen Henson authored
(cherry picked from commit a44f219c)
-
Dr. Stephen Henson authored
(cherry picked from commit a23a6e85)
-
- Jul 05, 2014
-
-
Dr. Stephen Henson authored
PR#2277 (cherry picked from commit 733a6c882e92f8221bd03a51643bb47f5f81bb81)
-
Jeffrey Walton authored
-