| Age | Commit message (Collapse) | Author |
|---|
|
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.
Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.
CVE-2015-0293
This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
If client auth is used then a server can seg fault in the event of a DHE
cipher being used and a zero length ClientKeyExchange message being sent
by the client. This could be exploited in a DoS attack.
CVE-2015-1787
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.
Thanks to David Ramos of Stanford University for reporting this bug.
CVE-2015-0291
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
ssl/t1_lib.c
|
|
The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next that can lead to a segmentation fault. Erorrs processing the initial
ClientHello can trigger this scenario. An example of such an error could
be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.
CVE-2015-0207
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.
CVE-2015-0290
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
|
|
Add support for ServerInfo SSL_CONF option and update documentation. This
was wrongly omitted from the 1.0.2 release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c62177ab5893fc26ebb67053aafdffc8)
|
|
If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY
or the type of the public key is unrecognised then the local variable
|cpk| in tls1_check_chain does not get initialised. Subsequently an
attempt is made to deref it (after the "end" label), and a seg fault will
result.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d813f9eb383a93e472e69750cd1edbb170205ad2)
|
|
Cleanse various intermediate buffers used by the PRF (backported version
from master).
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Ensure all malloc failures return -1.
Reported by Adam Langley (Google).
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 06c6a2b4a3a6e64303caa256398dd2dc16f9c35a)
|
|
Fix security issue where under certain conditions a client can complete a
handshake with an unseeded PRNG. The conditions are:
- Client is on a platform where the PRNG has not been seeded, and the
user has not seeded manually
- A protocol specific client method version has been used (i.e. not
SSL_client_methodv23)
- A ciphersuite is used that does not require additional random data
from the PRNG beyond the initial ClientHello client random
(e.g. PSK-RC4-SHA)
If the handshake succeeds then the client random that has been used will
have been generated from a PRNG with insufficient entropy and therefore
the output may be predictable.
For example using the following command with an unseeded openssl will
succeed on an unpatched platform:
openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
CVE-2015-0285
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e1b568dd2462f7cacf98f3d117936c34e2849a6b)
|
|
Since commit 741c9959 ("DTLS revision."), we put the wrong protocol
version into our ClientHello for DTLS1_BAD_VER. The old DTLS
code which used ssl->version was replaced by the more generic SSL3 code
which uses ssl->client_version. The Cisco ASA no longer likes our
ClientHello.
RT#3711
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f7683aaf36341dc65672ac2ccdbfd4a232e3626d)
|
|
Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check
from dtls1_buffer_message() which was needed to distinguish between DTLS
1.x and Cisco's pre-standard version of DTLS (DTLS1_BAD_VER).
Based on an original patch by David Woodhouse <dwmw2@infradead.org>
RT#3703
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5178a16c4375471d25e1f5ef5de46febb62a5529)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c
RT#3725
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fd865cadcb603918bdcfcf44e487721c657a1117)
|
|
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 918bb8652969fd53f0c390c1cd909265ed502c7e)
Conflicts:
crypto/bio/bss_dgram.c
|
|
Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.
This change fixes d2i_SSL_SESSION for that DTLS version.
Based on an original patch by David Woodhouse <dwmw2@infradead.org>
RT#3704
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
ssl/ssl_asn1.c
|
|
Added various missing return value checks in tls1_change_cipher_state.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
ssl/s3_srvr.c
|
|
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 1d2932de4cefcc200f175863a42c311916269981)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae632974f905c59176fa5f312826f8f692890b67)
|
|
is ignored for DTLS.
RT#3657
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8dd4ad0ff5d1d07ec4b6dd5d5104131269a472aa)
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
PR#3673
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
This should be a one off operation (subsequent invokation of the
script should not move them)
This commit is for the 1.0.2 changes
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Conflicts:
ssl/ssl_ciph.c
ssl/ssl_locl.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Conflicts:
crypto/dsa/dsa.h
demos/engines/ibmca/hw_ibmca.c
ssl/ssl_locl.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Conflicts:
crypto/hmac/hmac.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.
Conflicts:
crypto/bn/bn.h
crypto/ec/ec_lcl.h
crypto/rsa/rsa.h
demos/engines/ibmca/hw_ibmca.c
ssl/ssl.h
ssl/ssl3.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Conflicts:
ssl/s3_lib.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Conflicts:
apps/ciphers.c
ssl/s3_pkt.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
(cherry picked from commit 4a7fa26ffd65bf36beb8d1cb8f29fc0ae203f5c5)
Conflicts:
crypto/x509v3/pcy_tree.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
indent will not alter them when reformatting comments
(cherry picked from commit 1d97c8435171a7af575f73c526d79e1ef0ee5960)
Conflicts:
crypto/bn/bn_lcl.h
crypto/bn/bn_prime.c
crypto/engine/eng_all.c
crypto/rc4/rc4_utl.c
crypto/sha/sha.h
ssl/kssl.c
ssl/t1_lib.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
ssl3_setup_buffers or pqueue_insert fail. The former will fail if there is a
malloc failure, whilst the latter will fail if attempting to add a duplicate
record to the queue. This should never happen because duplicate records should
be detected and dropped before any attempt to add them to the queue.
Unfortunately records that arrive that are for the next epoch are not being
recorded correctly, and therefore replays are not being detected.
Additionally, these "should not happen" failures that can occur in
dtls1_buffer_record are not being treated as fatal and therefore an attacker
could exploit this by sending repeated replay records for the next epoch,
eventually causing a DoS through memory exhaustion.
Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.
CVE-2015-0206
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 652ff0f4796eecd8729b4690f2076d1c7ccb2862)
|
|
Fix to prevent use of DH client certificates without sending
certificate verify message.
If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.
We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
|
|
separate reads performed - one for the header and one for the body of the
handshake record.
CVE-2014-3571
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4a4d4158572fd8b3dc641851b8378e791df7972d)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
context was also inherited (matches that of the existing SSL_CTX).
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ac8e9cbe14b59dacfe4ac52bc5ff06f8003e9b01)
|
|
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.
Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.
Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
|
