- Oct 24, 2017
-
-
Richard Levitte authored
asn1_item_embed_free() will try unlocking and fail in this case, and since the new item was just allocated on the heap, free it directly with OPENSSL_free() instead. Reviewed-by:
Rich Salz <rsalz@openssl.org> Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4579)
-
Richard Levitte authored
The previous change with this intention didn't quite do it. An embedded item must not be freed itself, but might potentially contain non-embedded elements, which must be freed. So instead of calling ASN1_item_ex_free(), where we can't pass the embed flag, we call asn1_item_embed_free() directly. This changes asn1_item_embed_free() from being a static function to being a private non-static function. Reviewed-by:
-
Matt Caswell authored
The lhash expand() function can fail if realloc fails. The previous implementation made changes to the structure and then attempted to do a realloc. If the realloc failed then it attempted to undo the changes it had just made. Unfortunately changes to lh->p were not undone correctly, ultimately causing subsequent expand() calls to increment num_nodes to a value higher than num_alloc_nodes, which can cause out-of-bounds reads/ writes. This is not considered a security issue because an attacker cannot cause realloc to fail. This commit moves the realloc call to near the beginning of the function before any other changes are made to the lhash structure. That way if a failure occurs we can immediately fail without having to undo anything. Thanks to Pavel Kopyl (Samsung) for reporting this issue. Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4550)
-
- Oct 23, 2017
-
-
Xiangyu Bu authored
CLA: trivial Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4544)
-
Richard Levitte authored
An embedded item wasn't allocated separately on the heap, so don't free it as if it was. Issue discovered by Pavel Kopyl Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4572)
-
Matt Caswell authored
The function BN_security_bits() uses the values from SP800-57 to assign security bit values for different FF key sizes. However the value for 192 security bits is wrong. SP800-57 has it as 7680 but the code had it as 7690. Reviewed-by:
-
- Oct 22, 2017
-
-
Patrick Steuer authored
Signed-off-by:
Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4534)
-
KaoruToda authored
apps/s_server.c: remove unnecessary null check Reviewed-by:
-
- Oct 21, 2017
-
-
KaoruToda authored
Reviewed-by:
-
KaoruToda authored
Add a check for NULL return in t1_lib.c. Since return type of ssl_cert_lookup_by_idx is pointer and unify coding style, I changed from zero to NULL in ssl_cert.c. Remove unnecessary space for ++. Fix incorrect condition Expression is always false because 'else if' condition matches previous condition. SInce the next line of 'else if' condition has substituted TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2, the 'else if' condition should compare with NID_X9_62_characteristic_two_field. Reviewed-by:
-
- Oct 20, 2017
-
-
Jakub Jelen authored
CLA: trivial Reviewed-by:
Ben Laurie <ben@links.org> Reviewed-by:
-
- Oct 18, 2017
-
-
Rich Salz authored
Add openssl-foo as a name for the openssl "foo" command. Addresses an issue found by a usability study to be published. Reviewed-by:
-
KaoruToda authored
Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by:
-
Benjamin Kaduk authored
The drbg's lock must be held across calls to RAND_DRBG_generate() to prevent simultaneous modification of internal state. This was observed in practice with simultaneous SSL_new() calls attempting to seed the (separate) per-SSL RAND_DRBG instances from the global rand_drbg instance; this eventually led to simultaneous calls to ctr_BCC_update() attempting to increment drbg->bltmp_pos for their respective partial final block, violating the invariant that bltmp_pos < 16. The AES operations performed in ctr_BCC_blocks() makes the race window quite easy to trigger. A value of bltmp_pos greater than 16 induces catastrophic failure in ctr_BCC_final(), with subtraction overflowing and leading to an attempt to memset() to zero a very large range, which eventually reaches an unmapped page and segfaults. Provide the needed locking in get_entropy_from_parent(), as well as fixing a similar issue in RAND_priv_bytes(). There is also an unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the requisite serialization is already guaranteed by the requirements on the application's usage of SSL objects, and no further locking is needed for correct behavior. In that case, leave a comment noting the apparent discrepancy and the reason for its safety (at present). Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Dr. Matthias St. Pierre authored
The DRBG_RESEED state plays an analogue role to the |reseed_required_flag| in Appendix B.3.4 of [NIST SP 800-90A Rev. 1]. The latter is a local variable, the scope of which is limited to the RAND_DRBG_generate() function. Hence there is no need for a DRBG_RESEED state outside of the generate function. This state was removed and replaced by a local variable |reseed_required|. Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4328)
-
Dr. Matthias St. Pierre authored
Reseeding is handled very differently by the classic RAND_METHOD API and the new RAND_DRBG api. These differences led to some problems when the new RAND_DRBG was made the default OpenSSL RNG. In particular, RAND_add() did not work as expected anymore. These issues are discussed on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API' and in Pull Request #4328. This commit fixes the mentioned issues, introducing the following changes: - Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which facilitates collecting entropy by the get_entropy() callback. - Don't use RAND_poll()/RAND_add() for collecting entropy from the get_entropy() callback anymore. Instead, replace RAND_poll() by RAND_POOL_acquire_entropy(). - Add a new function rand_drbg_restart() which tries to get the DRBG in an instantiated state by all means, regardless of the current state (uninstantiated, error, ...) the DRBG is in. If the caller provides entropy or additional input, it will be used for reseeding. - Restore the original documented behaviour of RAND_add() and RAND_poll() (namely to reseed the DRBG immediately) by a new implementation based on rand_drbg_restart(). - Add automatic error recovery from temporary failures of the entropy source to RAND_DRBG_generate() using the rand_drbg_restart() function. Reviewed-by:
-
- Oct 17, 2017
-
-
Patrick Steuer authored
An instruction's QUERY function is executed at initialization, iff the required MSA level is installed. Therefore, it is sufficient to check the bits returned by the QUERY functions. The MSA level does not have to be checked at every function call. crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the required KM or KMC function codes are not available. Formally, the availability of a KMC function code does not imply the availability of the corresponding KM function code. Signed-off-by:
-
Patrick Steuer authored
Signed-off-by:
-
Rich Salz authored
Reviewed-by:
-
Andy Polyakov authored
Thanks to David Benjamin for spotting this. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
- Oct 16, 2017
-
-
FdaSilvaYY authored
Few code format fixup Fix limit computation; was too strict by 2 bytes. Simplify computation of buffer limits Checking is strictly same as sizeof(".pem") == 5 Simplify loop of code for certificate filename creation Fix MAX_PATH usage Reviewed-by: -
Paul Yang authored
And also make '-xmpphost' an alias of the '-name' option. Reviewed-by:
-
Ben Laurie authored
Reviewed-by:
-
EasySec authored
Reviewed-by:
-
Michael Richardson authored
Reviewed-by:
-
Mouse authored
CLA: trivial Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
The previous commit removed version negotiation on an HRR. However we should still sanity check the contents of the version field. Reviewed-by:
-
Matt Caswell authored
Previously if a client received an HRR then we would do version negotiation immediately - because we know we are going to get TLSv1.3. However this causes a problem when we emit the 2nd ClientHello because we start changing a whole load of stuff to ommit things that aren't relevant for < TLSv1.3. The spec requires that the 2nd ClientHello is the same except for changes required from the HRR. Therefore the simplest thing to do is to defer the version negotiation until we receive the ServerHello. Fixes #4292 Reviewed-by:
-
daurnimator authored
CLA: trivial Reviewed-by:
-
Paul Yang authored
Reviewed-by:
-
Paul Yang authored
Caught by AddressSanitizer Reviewed-by:
-
Richard Levitte authored
Fixes #4444 [extended tests] Reviewed-by:
-
- Oct 13, 2017
-
-
Rich Salz authored
Names were not removed. Some comments were updated. Replace Andy's address with openssl.org Reviewed-by:
-
Rich Salz authored
Use atomic operations for the counters Rename malloc_lock to memdbg_lock Also fix some style errors in mem_dbg.c Reviewed-by:
-
- Oct 12, 2017
-
-
Benjamin Kaduk authored
If q is non-NULL but p is indeed a safe prime, a modified copy of p could be leaked. Reviewed-by:
-
Matt Caswell authored
Test for the bug where early_data is not accepted by the server when it does not have an SNI callback set up, but the client sent a servername in the initial ClientHello establishing the session. Reviewed-by:
-
Matt Caswell authored
Fixes #4496 Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
