Justin Blanchard [Mon, 18 Aug 2014 15:01:15 +0000 (11:01 -0400)]
RT1815: More const'ness improvements
Add a dozen more const declarations where appropriate.
These are from Justin; while adding his patch, I noticed
ASN1_BIT_STRING_check could be fixed, too.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Jonas Maebe [Sun, 8 Dec 2013 21:53:29 +0000 (22:53 +0100)]
pub_decode_gost94, pub_decode_gost01: check for NULL after allocating databuf pub_encode_gost94, pub_encode_gost01: check for NULL after allocating databuf and octet
Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Jonas Maebe [Sun, 8 Dec 2013 17:14:59 +0000 (18:14 +0100)]
hashbn: check for NULL result when allocating bin and return an error if it fails all (in)direct callers of hashbn: propagate potential error in hashbn
Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Rich Salz [Fri, 15 Aug 2014 21:20:26 +0000 (17:20 -0400)]
RT2751: Declare get_issuer_sk() earlier.
Add a declaration for get_issuer_sk() so that other
functions in x509_vf.c could use it. (Planned work
around cross-certification chains.) Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Rob Austein [Fri, 15 Aug 2014 04:03:14 +0000 (00:03 -0400)]
RT2465: Silence some gcc warnings
"Another machine, another version of gcc, another batch
of compiler warnings." Add "=NULL" to some local variable
declarations that are set by passing thier address into a
utility function; confuses GCC it might not be set.
Move custom extension structures from SSL_CTX to CERT structure.
This change means the form can be revised in future without binary
compatibility issues. Also since CERT is part of SSL structures
so per-SSL custom extensions could be supported in future as well as
per SSL_CTX. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
Ingo Schwarze [Tue, 12 Aug 2014 19:47:06 +0000 (15:47 -0400)]
RT3239: Extra comma in NAME lines of two manpages
In two OpenSSL manual pages, in the NAME section, the last word of the
name list is followed by a stray trailing comma. While this may seem
minor, it is worth fixing because it may confuse some makewhatis(8)
implementations.
While here, also add the missing word "size" to the one line
description in SSL_CTX_set_max_cert_list(3).
Reviewed by: Dr Stephen Henson <shenson@drh-consultancy.co.uk>
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:
A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen. Reviewed-by: Matt Caswell <matt@openssl.org>
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.
CVE-2014-2970 Reviewed-by: Tim Hudson <tjh@openssl.org>
Adam Langley [Fri, 6 Jun 2014 21:47:07 +0000 (14:47 -0700)]
Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.
Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Thu, 24 Jul 2014 22:54:28 +0000 (23:54 +0100)]
Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.
Adam Langley [Fri, 6 Jun 2014 21:44:20 +0000 (14:44 -0700)]
Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.
I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
Adam Langley [Fri, 6 Jun 2014 21:30:33 +0000 (14:30 -0700)]
Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.
This allows an attacker to exhaust the memory of a DTLS peer.
Fixes CVE-2014-3507
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
Matt Caswell [Fri, 6 Jun 2014 21:25:52 +0000 (14:25 -0700)]
Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.
In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.
Fixes CVE-2014-3506
Wholly based on patch by Adam Langley with one minor amendment.
Adam Langley [Fri, 6 Jun 2014 21:19:21 +0000 (14:19 -0700)]
Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.
Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).
Fixes CVE-2014-3505
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
Bodo Moeller [Fri, 1 Aug 2014 16:41:17 +0000 (18:41 +0200)]
Sync with clean-up 1.0.2 CHANGES file.
(If a change is already present in 1.0.1f or 1.0.1h,
don't list it again under changes between 1.0.1h and 1.0.2.)
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.
By default unit testing is not enabled: it requires the compile
time option "enable-unit-test". Reviewed-by: Geoff Thorpe <geoff@openssl.org>
The call to setenv in gost2814789t.c is not portable and may
not reflect the location of the GOST ENGINE on all platforms anyway.
Instead set OPENSSL_ENGINES in test/Makefile Reviewed-by: Geoff Thorpe <geoff@openssl.org>
This has been unmaintained for a long time. If it's still of interest
to anyone, it can be obtained easily enough by reverting this commit.
(It could join other demo code in some other repository, perhaps.) In
any case we don't want it taking up space in the baseline source
package, so <snip>.
Mike Bland [Wed, 18 Jun 2014 21:00:41 +0000 (17:00 -0400)]
Update heartbeat_test #includes
ssl/ssl_locl.h now comes first to ensure that it will compile standalone.
test/testutil.h is considered to be in the same directory as the test file,
since the test file will be linked into test/ and built there.
projects / openssl / log