Commits · fc4f4cdb8bf9981904e652abf69b892a45bddacf · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Aug 06, 2014

Fix protocol downgrade bug in case of fragmented packets · fc4f4cdb

David Benjamin authored Jul 23, 2014



CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>

fc4f4cdb

Remove some duplicate DTLS code. · 4e0fbdc4

Adam Langley authored Jun 06, 2014



In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

4e0fbdc4

Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS... · 0c37aed3

Matt Caswell authored Jul 24, 2014

Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

0c37aed3

Fix return code for truncated DTLS fragment. · 099ccdb8

Adam Langley authored Jun 06, 2014



Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

099ccdb8

Fix memory leak from zero-length DTLS fragments. · 9871417f

Adam Langley authored Jun 06, 2014



The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

9871417f

Fix DTLS handshake message size checks. · fc7804ec

Matt Caswell authored Jun 06, 2014



In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

fc7804ec

Added comment for the frag->reassembly == NULL case as per feedback from Emilia · e7b9d9be
Matt Caswell authored Jul 24, 2014
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
e7b9d9be

Avoid double free when processing DTLS packets. · 2172d4f6

Adam Langley authored Jun 06, 2014

The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74

 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

2172d4f6

Aug 01, 2014

make update · c34091d4
Dr. Stephen Henson authored Aug 01, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
c34091d4

Fix error discrepancy. · a9f4ebd7

Dr. Stephen Henson authored Jul 31, 2014

We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
(cherry picked from commit 8068a675a7d1a657c54546f24e673e59e6707f03)

a9f4ebd7

Update $default_depflags to match current defaults. · 604c9948
Bodo Moeller authored Aug 01, 2014

604c9948

Simplify and fix ec_GFp_simple_points_make_affine · 281720c2

Bodo Moeller authored Aug 01, 2014


(which didn't always handle value 0 correctly).

Reviewed-by:  <emilia@openssl.org>

Conflicts:
	CHANGES

281720c2

Jul 30, 2014

Avoid multiple lock using FIPS DRBG. · 2a9023f7

Dr. Stephen Henson authored Jul 30, 2014



Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode.

PR#3176
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3efe1b6)

2a9023f7

Jul 24, 2014

Add conditional unit testing interface. · 36e8c398

Dr. Stephen Henson authored Jul 23, 2014



Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit e0fc7961)

Conflicts:

	ssl/Makefile
	util/mkdef.pl

36e8c398

Jul 21, 2014

"EC_POINT_invert" was checking "dbl" function pointer instead of "invert". · e3f009c5
Billy Brumley authored Jul 21, 2014
```
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57)
```
e3f009c5
Remove old unused and unmaintained demonstration code. · fbe3baa7
Tim Hudson authored Jul 22, 2014
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 62352b81)
```
fbe3baa7

Minor documentation update removing "really" and a · 690998f9

Tim Hudson authored Jul 21, 2014


statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4)

690998f9

Jul 19, 2014

Fix documentation for RSA_set_method(3) · 3221da84

Dr. Stephen Henson authored Jul 19, 2014



PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)

3221da84

Jul 17, 2014

Fix typo, add reference. · 9aeb4104

Jeffrey Walton authored Jul 17, 2014



PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0)

9aeb4104

Jul 16, 2014

Disabled XTS mode in enc utility as it is not supported · bf4519cd

Matt Caswell authored Jul 13, 2014



PR#3442

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2097a17c)

bf4519cd

Jul 15, 2014
- Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date · e967b943
  Matt Caswell authored Jul 15, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd54819)
```
  e967b943
- Clarify -Verify and PSK. · 2316286c
  Dr. Stephen Henson authored Jul 15, 2014
```
PR#3452
(cherry picked from commit ca2015a6)
```
  2316286c
- Fix DTLS certificate requesting code. · 67bde7d4
  Dr. Stephen Henson authored Jul 15, 2014
```
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc)
```
  67bde7d4
- Don't allow -www etc options with DTLS. · cd63f94d
  Dr. Stephen Henson authored Jul 15, 2014
```
The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)
```
  cd63f94d
- Add ECC extensions with DTLS. · 2054eb77
  Dr. Stephen Henson authored Jul 15, 2014
```
PR#3449
```
  2054eb77
Jul 14, 2014

Use case insensitive compare for servername. · ea0ceb11
Dr. Stephen Henson authored Jul 14, 2014
```
PR#3445
(cherry picked from commit 1c3e9a7c)
```
ea0ceb11

document -nextprotoneg option in man pages · 00579b98

Hubert Kario authored Jun 06, 2014

Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444
(cherry picked from commit 7efd0e77)

Conflicts:

	doc/apps/s_server.pod

00579b98

Use more common name for GOST key exchange. · ee5a8d3e
Dr. Stephen Henson authored Jul 14, 2014
```
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)
```
ee5a8d3e

Jul 13, 2014

Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data. · 72370164

Matt Caswell authored Jul 10, 2014

This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)

72370164

Add names of GOST algorithms. · 704422ce
Peter Mosmans authored Jul 13, 2014
```
PR#3440
(cherry picked from commit 924e5eda)
```
704422ce
* crypto/ui/ui_lib.c: misplaced brace in switch statement. · 8e8d7e1b
Richard Levitte authored Jul 13, 2014
```
  Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd340)
```
8e8d7e1b

Jul 10, 2014
- Don't clean up uninitialised EVP_CIPHER_CTX on error (CID 483259). · 3ed63275
  Ben Laurie authored Jul 10, 2014
```
(cherry picked from commit c1d1b011)
```
  3ed63275
Jul 09, 2014

Fix memory leak in BIO_free if there is no destroy function. · efd4f1df

Matt Caswell authored Jul 09, 2014

Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53)

efd4f1df

Jul 07, 2014
- Prevent infinite loop loading config files. · 00032b0b
  David Lloyd authored Jul 07, 2014
```
PR#2985
(cherry picked from commit 9d23f422)
```
  00032b0b
Jul 06, 2014
- Usage for -hack and -prexit -verify_return_error · a07f514f
  Dr. Stephen Henson authored Jul 06, 2014
```
(cherry picked from commit ee724df7)
```
  a07f514f
- Document certificate status request options. · b197c770
  Dr. Stephen Henson authored Jul 06, 2014
```
(cherry picked from commit cba3f1c7)

Conflicts:

	doc/apps/s_client.pod
	doc/apps/s_server.pod
```
  b197c770
- s_server usage for certificate status requests · b7c97625
  Dr. Stephen Henson authored Jul 06, 2014
```
(cherry picked from commit a44f219c)
```
  b7c97625
- Update ticket callback docs. · a414bc8c
  Dr. Stephen Henson authored Jul 03, 2014
```
(cherry picked from commit a23a6e85)
```
  a414bc8c
Jul 05, 2014
- Sanity check keylength in PVK files. · 98a3c3c5
  Dr. Stephen Henson authored Jul 06, 2014
```
PR#2277
(cherry picked from commit 733a6c882e92f8221bd03a51643bb47f5f81bb81)
```
  98a3c3c5
- Added reference to platform specific cryptographic acceleration such as AES-NI · 157fd05a
  Jeffrey Walton authored Jul 05, 2014
  
  157fd05a