Age | Commit message (Collapse) | Author |
|
Fix typo in ssl3_get_cert_verify: we can only skip certificate verify
message if certificate is absent.
NB: OpenSSL 0.9.8 is NOT vulnerable to CVE-2015-0205 as it doesn't
support DH certificates and this typo prohibits skipping of
certificate verify message for sign only certificates anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.
Conflicts:
ssl/d1_pkt.c
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
|
|
separate reads performed - one for the header and one for the body of the
handshake record.
CVE-2014-3571
Reviewed-by: Matt Caswell <matt@openssl.org>
Conflicts:
ssl/s3_pkt.c
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4a4d4158572fd8b3dc641851b8378e791df7972d)
|
|
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
Conflicts:
CHANGES
doc/ssl/SSL_CTX_set_options.pod
ssl/d1_srvr.c
ssl/s3_srvr.c
|
|
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
Conflicts:
CHANGES
ssl/s3_clnt.c
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
listed after TLS_FALLBACK_SCSV.
RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL. We didn't used to do that, and it breaks things. This is a
regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c. Keep the old
method since the code is not able to deal with a NULL method at this time.
CVE-2014-3569, PR#3571
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a952e97d82eac6958c81ed1e256e6b8ca5)
|
|
CVE-2014-3568
Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
CVE-2014-3567
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 90e53055939db40cf0fac1ad0c59630280aeee86)
|
|
Reviewed-by: Steve Henson <steve@openss.org>
|
|
Reviewed-by: Stephen Henson <steve@openssl.org>
|
|
(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab0de51c9f67b3c909311770f2b3f801)
Conflicts:
ssl/Makefile
|
|
that bad encryptions are treated like random session keys in constant
time.
(cherry picked from commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Conflicts:
crypto/rsa/rsa_oaep.c
|
|
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit
Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff90124c6fd53bbb49dae5edb4e821e0a)
|
|
Pull constant-time methods out to a separate header, add tests.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 73729e4cf3961e36b5534d270c11ff7cd811aa43)
Conflicts:
ssl/Makefile
test/Makefile
|
|
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.
Reported by "oftc_must_be_destroyed" and George Kadianakis.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82fbaf2bc23ee62f24611e5883d3e7b97)
|
|
PR#3450
Conflicts:
ssl/s3_clnt.c
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
CVE-2014-3510
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
CVE-2014-3511
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
|
|
In |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.
I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.
This allows an attacker to exhaust the memory of a DTLS peer.
Fixes CVE-2014-3507
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.
In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.
Fixes CVE-2014-3506
Wholly based on patch by Adam Langley with one minor amendment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.
Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).
Fixes CVE-2014-3505
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.
PR#3452
(cherry picked from commit c8d710dc5f83d69d802f941a4cc5895eb5fe3d65)
|
|
|
|
PR#319 (reoponed version).
(cherry picked from commit 7f6e9578648728478e84246fd3e64026b8b6a48e)
Conflicts:
ssl/s3_srvr.c
|
|
PR#2531.
(cherry picked from commit 59899c4d1b4b6ee4066a540bad2b62cb22ac3d91)
|
|
Some state strings were erronously not compiled when no-ssl2
was set.
PR#3295
(cherry picked from commit 0518a3e19e18cfc441cab261b28441b8c8bd77bf)
|
|
PR#3174
(cherry picked from commit fd331c0bb9b557903dd2ce88398570a3327b5ef0)
|
|
PR#3374
(cherry picked from commit 0436369fccd128cb7f6a8538d5fed1c876c437af)
|
|
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.
Bug discovered and fixed by Miod Vallat from the OpenBSD team.
PR#3375
|
|
This reverts commit def1490717c091c6ef669da9fc5ea4c8b2a4d776.
Incorrect attribution
|
|
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.
PR#3400
(cherry picked from commit 99cd6a91fcb0931feaebbb4832681d40a66fad41)
|
|
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.
PR#3375
|
|
(Backported as a result of PR#3377 reported by Rainer Jung <rainer.jung@kippdata.de>)
|
|
PR#3394
(cherry picked from commit 7a9d59c148b773f59a41f8697eeecf369a0974c2)
|
|
|
|
Check session_cert is not NULL before dereferencing it.
|
|
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
|
|
Return a fatal error if an attempt is made to use a zero length
master secret.
|
|
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
|
|
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Fixed by adding consistency check for DTLS fragments.
Thanks to Jüri Aedla for reporting this issue.
|
|
PR#3286
(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)
|