| Age | Commit message (Collapse) | Author |
|---|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Reported by the LibreSSL project as a follow on to CVE-2015-0209
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Update the NEWS file with the latest entries from CHANGES ready for the
release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Update CHANGES file with all the latest fixes ready for the release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
There was a discrepancy between the 1.0.2 version of NEWS and the 1.0.1
version. This fixes it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
There were some discrepancies in the CHANGES file between the 1.0.1 version
and 1.0.2. This corrects it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.
Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.
CVE-2015-0293
This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.
This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.
Correcting all low-level API calls requires further work.
CVE-2015-0289
Thanks to Michal Zalewski (Google) for reporting this issue.
Reviewed-by: Steve Henson <steve@openssl.org>
|
|
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
CVE-2015-0286
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.
CVE-2015-1787
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.
Thanks to David Ramos of Stanford University for reporting this bug.
CVE-2015-0291
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
ssl/t1_lib.c
|
|
Fix a bug where invalid PSS parameters are not rejected resulting in a
NULL pointer exception. This can be triggered during certificate
verification so could be a DoS attack against a client or a server
enabling client authentication.
Thanks to Brian Carpenter for reporting this issues.
CVE-2015-0208
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
CVE-2015-0287
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.
CVE-2015-0207
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.
CVE-2015-0290
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
|
Add support for ServerInfo SSL_CONF option and update documentation. This
was wrongly omitted from the 1.0.2 release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf92259e899f4f7da4a3e80781e84b0fb1a64)
|
|
Some miscellaneous removal of dead code from lib crypto.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c597c1932ef709b2455ffab47348b5c54e5)
|
|
Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit dfef52f6f277327e118fdd0fe34486852c2789b6)
|
|
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c62177ab5893fc26ebb67053aafdffc8)
|
|
The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7132ac830fa08d9a936e011d7c541b0c52115b33)
|
|
Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit be1477adc97e76f4b83ed8075589f529069bd5d1)
|
|
Add some missing checks for memory allocation failures in ca app.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a561bfe944c0beba73551731cb98af70dfee3549)
|
|
Previously, ASN1_UTCTIME_cmp_time_t would return 1 if s > t, -1 if
s < t, and 0 if s == t.
This behavior was broken in a refactor [0], resulting in the opposite
time comparison behavior.
[0]: 904348a4922333106b613754136305db229475ea
PR#3706
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit da27006df06853a33b132133699a7aa9d4277920)
|
|
Other curves don't have this problem.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9fbbdd73c58c29dc46cc314f7165e45e6d43fd60)
|
|
Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.
(For consistency, cast other shifts, too.)
Caught by -fsanitize=shift
Submitted by Nick Lewycky (Google)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8b37e5c14f0eddb10c7f91ef91004622d90ef361)
|
|
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3d764db7a24e3dca1a3ee57202ce3c818d592141)
|
|
When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 5dc1247a7494f50c88ce7492518bbe0ce6f124fa)
|
|
If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY
or the type of the public key is unrecognised then the local variable
|cpk| in tls1_check_chain does not get initialised. Subsequently an
attempt is made to deref it (after the "end" label), and a seg fault will
result.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d813f9eb383a93e472e69750cd1edbb170205ad2)
|
|
Fixed assorted missing return value checks in c3_cpols.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c5f2b5336ab72e40ab91e2ca85639f51fa3178c6)
|
|
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0c7ca4033dcf5398334d4b78a7dfb941c8167a40)
|
|
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2)
|
|
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 34a7ed0c39aa3ab67eea1e106577525eaf0d7a00)
|
|
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 9e488fd6ab2c295941e91a47ab7bcd346b7540c7)
|
|
Calling EVP_DigestInit_ex which has already had the digest set up for it
should be possible. You are supposed to be able to pass NULL for the type.
However currently this seg faults.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit a01087027bd0c5ec053d4eabd972bd942bfcd92f)
|
|
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485)
|
|
- SIGSEGV/ILL in CCM (RT#3688);
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit ac5a110621ca48f0bebd5b4d76d081de403da29e)
|
|
Cleanse various intermediate buffers used by the PRF (backported version
from master).
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Ensure all malloc failures return -1.
Reported by Adam Langley (Google).
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 06c6a2b4a3a6e64303caa256398dd2dc16f9c35a)
|
|
BIO_debug_callback() no longer assumes the hexadecimal representation of
a pointer fits in 8 characters.
Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 460e920d8a274e27aab36346eeda6685a42c3314)
|
|
Fix security issue where under certain conditions a client can complete a
handshake with an unseeded PRNG. The conditions are:
- Client is on a platform where the PRNG has not been seeded, and the
user has not seeded manually
- A protocol specific client method version has been used (i.e. not
SSL_client_methodv23)
- A ciphersuite is used that does not require additional random data
from the PRNG beyond the initial ClientHello client random
(e.g. PSK-RC4-SHA)
If the handshake succeeds then the client random that has been used will
have been generated from a PRNG with insufficient entropy and therefore
the output may be predictable.
For example using the following command with an unseeded openssl will
succeed on an unpatched platform:
openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
CVE-2015-0285
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e1b568dd2462f7cacf98f3d117936c34e2849a6b)
|
|
Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0b142f022e2c5072295e00ebc11c5b707a726d74)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Since commit 741c9959 ("DTLS revision."), we put the wrong protocol
version into our ClientHello for DTLS1_BAD_VER. The old DTLS
code which used ssl->version was replaced by the more generic SSL3 code
which uses ssl->client_version. The Cisco ASA no longer likes our
ClientHello.
RT#3711
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f7683aaf36341dc65672ac2ccdbfd4a232e3626d)
|
|
Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check
from dtls1_buffer_message() which was needed to distinguish between DTLS
1.x and Cisco's pre-standard version of DTLS (DTLS1_BAD_VER).
Based on an original patch by David Woodhouse <dwmw2@infradead.org>
RT#3703
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5178a16c4375471d25e1f5ef5de46febb62a5529)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
