Age | Commit message (Collapse) | Author |
|
CVE-2014-3511
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
|
|
In a couple of functions, a sequence number would be calculated twice.
Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.
I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.
This allows an attacker to exhaust the memory of a DTLS peer.
Fixes CVE-2014-3507
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.
In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.
Fixes CVE-2014-3506
Wholly based on patch by Adam Langley with one minor amendment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.
Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).
Fixes CVE-2014-3505
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
|
|
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.
By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
|
|
ssl/ssl_locl.h now comes first to ensure that it will compile standalone.
test/testutil.h is considered to be in the same directory as the test file,
since the test file will be linked into test/ and built there.
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.
PR#3452
|
|
|
|
PR#3440
|
|
PR: #3424,#3423,#3422
|
|
|
|
|
|
PR#319 (reoponed version).
|
|
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
|
|
|
|
(cherry picked from commit 2db3ea29298bdc347f15fbfab6d5746022f05101)
Conflicts:
ssl/t1_lib.c
|
|
|
|
|
|
|
|
(cherry picked from commit c97ec5631bb08a2171a125008d2f0d2a75687aaa)
|
|
|
|
|
|
|
|
PR#2531
|
|
Some state strings were erronously not compiled when no-ssl2
was set.
PR#3295
|
|
PR#3141
|
|
PR#3174
|
|
PR#2800
|
|
PR#3374
|
|
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.
Bug discovered and fixed by Miod Vallat from the OpenBSD team.
PR#3375
|
|
This reverts commit abfb989fe0b749ad61f1aa4cdb0ea4f952fc13e0.
Incorrect attribution
|
|
|
|
|
|
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.
PR#3400
|
|
Based on an original patch by Joel Sing (OpenBSD) who also originally identified the issue.
|
|
This reverts commit 2f1dffa88e1b120add4f0b3a794fbca65aa7768d.
Missing attribution.
|
|
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.
PR#3375
|
|
<rainer.jung@kippdata.de>
|
|
|
|
|
|
Defines SETUP_TEST_FIXTURE and EXECUTE_TEST, and updates ssl/heartbeat_test.c
using these macros. SETUP_TEST_FIXTURE makes use of the new TEST_CASE_NAME
macro, defined to use __func__ or __FUNCTION__ on platforms that support those
symbols, or to use the file name and line number otherwise. This should fix
several reported build problems related to lack of C99 support.
|
|
PR#3394
|
|
SRP ciphersuites do not have no authentication. They have authentication
based on SRP. Add new SRP authentication flag and cipher string.
|
|
Fix strength_bits to 112 for 3DES.
|
|
If application uses tls_session_secret_cb for session resumption
set the CCS_OK flag.
|