| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
|
|
| |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
|
|
| |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
|
|
|
|
|
|
|
| |
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.
On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.
This issue was introduced by c589c34e61 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).
Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
CVE-2021-3449
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
|
|
|
|
|
|
|
| |
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
|
|
|
|
| |
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates with
explicitly encoded elliptic curve parameters in the chain was added to the
strict checks.
An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.
If a "purpose" has been configured then a subsequent check that the
certificate is consistent with that purpose also checks that it is a
valid CA. Therefore where a purpose is set the certificate chain will
still be rejected even when the strict flag has been used. A purpose is
set by default in libssl client and server certificate verification
routines, but it can be overriden by an application.
Affected applications explicitly set the X509_V_FLAG_X509_STRICT
verification flag and either do not set a purpose for the certificate
verification or, in the case of TLS client or server applications,
override the default purpose to make it not set.
CVE-2021-3450
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
|
| |
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14639)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When encountering a badly coded item, the DER printer (ASN1_print_dump())
sets a flag to ensure that an additional hex dump of the offending content
is printed as part of the output. Unfortunately, this flag is never reset,
which means that all following items are printed with the extra hex dump,
whether they are faulty or not.
Resetting the flag after hex dumping ensures that only the faulty contents
are printed with the additional hex dump.
Fixes #14626
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14627)
(cherry picked from commit 6e34a1048ce4871371eac224b995c3b4338f6166)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some of the callbacks in rand_lib.c were being invoked without the
RUN_ONCE for that file being called. We add it during rand_pool_new
which should cover all cases.
Fixes #7870
Fixes #11144
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14603)
|
|
|
|
|
|
|
|
| |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14586)
(cherry picked from commit 7e7e034a10842dad3866c9447481b8527024bf44)
|
|
|
|
|
|
|
| |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14585)
(cherry picked from commit 3de7f014a985637361bdee775f78209300c88aae)
|
|
|
|
|
|
|
| |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)
(cherry picked from commit b875e0e820b07420429ebb90724ed28686a98853)
|
|
|
|
|
|
|
| |
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)
(cherry picked from commit 145f12d12dc83c737676883c625c2a95d34251ed)
|
|
|
|
|
|
|
|
|
|
| |
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14469)
(cherry picked from commit 1aa7ecd0d3f6d9c3739cf2e2d87673a3be03b352)
|
|
|
|
|
|
|
| |
Fixes #11940
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14388)
|
|
|
|
|
|
|
|
| |
This adds a new job to trigger the bug reported in
<https://github.com/openssl/openssl/issues/11940>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14388)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Return an error instead of trying to malloc a negative number.
The other usage in this file already had a similar check, and the caller
should have put an entry on the error stack already.
Note that we only check the initial calls to obtain the encoded length,
and assume that the follow-up call to actually encode to the allocated
storage will succeed if the first one did.
Fixes: #14177
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14308)
(cherry picked from commit 90b4247cc5dca58cee9da5f6975bb38fd200100a)
|
|
|
|
|
|
|
|
|
|
|
| |
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14301)
(cherry picked from commit 2d968951227acd422f0e712035de3216d47fc980)
|
|
|
|
|
|
|
|
|
|
|
|
| |
If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow.
I think leaving offset_hms as an int is still safe.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14252)
(cherry picked from commit 75de54363506e2b2480fc6baf0cd45b1f7fc8816)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The incorrect code is in #ifdef branch that is normally
not compiled in.
Signed-off-by: Zhang Jinde <zjd5536@163.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12968)
(cherry picked from commit 1d724b5e82ba36fb50fd24db3cd664da570daf84)
|
|
|
|
|
|
|
|
|
|
| |
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(cherry picked from commit 3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c)
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13853)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FreeBSD's current /dev/crypto implementation requires that consumers
clone a separate file descriptor via the CRIOGET ioctl that can then
be used with other ioctls such as CIOCGSESSION.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(cherry picked from commit b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4)
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13853)
|
|
|
|
|
|
|
|
|
| |
Compiler complained.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14204)
(cherry picked from commit 55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63)
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
|
|
|
|
|
| |
CVE-2021-23840
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
|
|
|
|
| |
We test all three cases:
- An SSLv2 only client talking to a TLS capable server
- A TLS capable client talking to an SSLv2 only server
- A TLS capable client talking to a TLS capable server (should fail due
to detecting a rollback attack)
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This also fixes the public function RSA_padding_check_SSLv23.
Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
so that padding is rejected if the nul delimiter byte is not immediately
preceded by at least 8 bytes containing 0x03. Prior to that commit the
padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.
Presumably this change was made to be consistent with what it says in
appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
original behaviour was correct. This is fixed in later errata issued for
that RFC.
This has no impact on libssl for modern versions of OpenSSL because
there is no protocol support for SSLv2 in these versions. However
applications that call RSA_paddin_check_SSLv23 directly, or use the
RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
error is that an RSA message encrypted by an SSLv2 only client will fail to
be decrypted properly by a TLS capable server, or a message encrypted by a
TLS capable client will fail to decrypt on an SSLv2 only server. Most
significantly an RSA message encrypted by a TLS capable client will be
successfully decrypted by a TLS capable server. This last case should fail
due to a rollback being detected.
Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
this issue.
CVE-2021-23839
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
| |
Reduce code copying by factoring out common code into a separate function.
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
|
|
|
|
|
|
| |
Provide a certificate with a bad issuer and check that
X509_issuer_and_serial_hash doesn't crash.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 55869f594f052561b11a2db6a7c42690051868de)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.
CVE-2021-23841
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 8130d654d1de922ea224fa18ee3bc7262edc39c0)
|
|
|
|
|
|
|
|
|
| |
This mostly clarifies details.
Fixes #13789
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13834)
|
|
|
|
|
|
|
|
|
|
|
|
| |
DCL has a total command line limitation that's too easily broken by
them.
We solve them by creating separate message scripts and using them.
Fixes #13789
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13834)
|
|
|
|
|
|
|
|
|
|
|
| |
This field has not been used since #3858 was merged in 2017 when we
moved to a table-based lookup for certificate type properties instead of
an index-based one.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13991)
(cherry picked from commit 3bc0b621a7baf1a11bc5cad69a287ad093674d68)
|
|
|
|
|
|
|
| |
'no-tests' wasn't entirely respected by test/build.info.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14081)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The options listed in the array @disablables are regular expressions.
For most of them, it's not visible, but there are a few.
However, configdata.pm didn't quite treat them that way, which meant
that the few that are visibly regular expressions, there's a
difference between that and the corresponding the key in %disabled,
which is never a regular expression.
To correctly display the enabled and disabled options with --dump,
we must therefore go through a bit of Perl gymnastics to get the
output correct enough, primarly so that disabled features don't look
enabled.
Fixes #13790
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14081)
|
|
|
|
|
|
|
|
|
| |
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14078)
|
|
|
|
|
|
|
|
|
|
| |
This folder "../apps/include" is accidentally created.
This prevents this glitch.
Fixes 19b4fe5844b ("Add a CMAC test")
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14051)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes #13944
+ changed ASN1_UTCTIME to ASN1_TIME
+ removed all Y2K code from do_updatedb
+ changed compare to ASN1_TIME_compare
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14026)
|
|
|
|
|
|
|
|
|
|
| |
Fixes #13815
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14029)
(cherry picked from commit af403db090ee66715e81f0062d1ef614e8d921b5)
|
|
|
|
|
|
|
|
|
| |
This (re-)allows RSA-PSS signers
Fixes #13931
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13982)
|
|
|
|
|
|
|
|
| |
At this point, we have transitioned completely from Travis to GitHub Actions
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13941)
|
|
|
|
|
|
|
|
|
| |
There are some options that seem to belong to the legacy build.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13903)
(cherry picked from commit adcaebc3148fe0fde3f7641c4b607f30e1479986)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes #13910
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13911)
(cherry picked from commit 6857058016e91d3182c2117922dd8001b27f5639)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SRP_Calc_client_key calls BN_mod_exp with private data. However it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.
Since the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.
Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13889)
|
|
|
|
|
|
|
|
|
| |
Also add a new no-deprecated CI build to test it.
Fixes #13896
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13902)
|