1. 06 3月, 2019 2 次提交
    • M
      Test an overlong ChaCha20-Poly1305 nonce · 9b10d1bf
      Matt Caswell 提交于
      Reviewed-by: NPaul Dale <paul.dale@oracle.com>
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8406)
      
      (cherry picked from commit a4f0b50eafb256bb802f2724fc7f7580fb0fbabc)
      9b10d1bf
    • M
      Prevent over long nonces in ChaCha20-Poly1305 · f426625b
      Matt Caswell 提交于
      ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
      every encryption operation. RFC 7539 specifies that the nonce value (IV)
      should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
      front pads the nonce with 0 bytes if it is less than 12 bytes. However it
      also incorrectly allows a nonce to be set of up to 16 bytes. In this case
      only the last 12 bytes are significant and any additional leading bytes are
      ignored.
      
      It is a requirement of using this cipher that nonce values are unique.
      Messages encrypted using a reused nonce value are susceptible to serious
      confidentiality and integrity attacks. If an application changes the
      default nonce length to be longer than 12 bytes and then makes a change to
      the leading bytes of the nonce expecting the new value to be a new unique
      nonce then such an application could inadvertently encrypt messages with a
      reused nonce.
      
      Additionally the ignored bytes in a long nonce are not covered by the
      integrity guarantee of this cipher. Any application that relies on the
      integrity of these ignored leading bytes of a long nonce may be further
      affected.
      
      Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
      because no such use sets such a long nonce value. However user
      applications that use this cipher directly and set a non-default nonce
      length to be longer than 12 bytes may be vulnerable.
      
      CVE-2019-1543
      
      Fixes #8345
      Reviewed-by: NPaul Dale <paul.dale@oracle.com>
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8406)
      
      (cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
      f426625b
  2. 05 3月, 2019 1 次提交
  3. 04 3月, 2019 1 次提交
  4. 02 3月, 2019 1 次提交
  5. 01 3月, 2019 1 次提交
  6. 28 2月, 2019 6 次提交
  7. 27 2月, 2019 6 次提交
  8. 26 2月, 2019 12 次提交
  9. 23 2月, 2019 3 次提交
    • R
      Windows: Call TerminateProcess, not ExitProcess · 4af54c9b
      Richard Levitte 提交于
      Ty Baen-Price explains:
      
      > Problem and Resolution:
      > The following lines of code make use of the Microsoft API ExitProcess:
      >
      > ```
      > Apps\Speed.c line 335:	ExitProcess(ret);
      > Ms\uplink.c line 22: ExitProcess(1);
      > ```
      >
      > These function calls are made after fatal errors are detected and
      > program termination is desired. ExitProcess(), however causes
      > _orderly_ shutdown of a process and all its threads, i.e. it unloads
      > all dlls and runs all destructors. See MSDN for details of exactly
      > what happens
      > (https://msdn.microsoft.com/en-us/library/windows/desktop/ms682658(v=vs.85).aspx).
      > The MSDN page states that ExitProcess should never be called unless
      > it is _known to be safe_ to call it. These calls should simply be
      > replaced with calls to TerminateProcess(), which is what should be
      > called for _disorderly_ shutdown.
      >
      > An example of usage:
      >
      > ```
      > TerminateProcess(GetCurrentProcess(), exitcode);
      > ```
      >
      > Effect of Problem:
      > Because of a compilation error (wrong c++ runtime), my program
      > executed the uplink.c ExitProcess() call. This caused the single
      > OpenSSL thread to start executing the destructors of all my dlls,
      > and their objects. Unfortunately, about 30 other threads were
      > happily using those objects at that time, eventually causing a
      > 0xC0000005 ACCESS_VIOLATION. Obviously an ACCESS_VIOLATION is the
      > best case scenario, as I'm sure you can imagine at the consequences
      > of undiscovered memory corruption, even in a terminating process.
      
      And on the subject of `TerminateProcess()` being asynchronous:
      
      > That is technically true, but I think it's probably synchronous
      > "enough" for your purposes, since a call to TerminateProcess
      > suspends execution of all threads in the target process. This means
      > it's really only asynchronous if you're calling TerminateProcess one
      > some _other_ process. If you're calling TerminateProcess on your own
      > process, you'll never return from the TerminateProcess call.
      
      Fixes #2489
      Was originally RT-4526
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8301)
      
      (cherry picked from commit 925795995018bddb053e863db8b5c52d2a9005d9)
      4af54c9b
    • M
      Don't restrict the number of KeyUpdate messages we can process · f6d64b51
      Matt Caswell 提交于
      Prior to this commit we were keeping a count of how many KeyUpdates we
      have processed and failing if we had had too many. This simplistic approach
      is not sufficient for long running connections. Since many KeyUpdates
      would not be a particular good DoS route anyway, the simplest solution is
      to simply remove the key update count.
      
      Fixes #8068
      Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
      (Merged from https://github.com/openssl/openssl/pull/8299)
      
      (cherry picked from commit 3409a5ff8a44ddaf043d83ed22e657ae871be289)
      f6d64b51
    • D
      engines/dasync: add explaining comments about AES-128-CBC-HMAC-SHA1 · 4a81b8b6
      Dr. Matthias St. Pierre 提交于
      Fixes #7950
      
      It was reported that there might be a null pointer dereference in the
      implementation of the dasync_aes_128_cbc_hmac_sha1() cipher, because
      EVP_aes_128_cbc_hmac_sha1() can return a null pointer if AES-NI is
      not available. It took some analysis to find out that this is not
      an issue in practice, and these comments explain the reason to comfort
      further NPD hunters.
      
      Detected by GitHub user @wurongxin1987 using the Sourcebrella Pinpoint
      static analyzer.
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/8305)
      
      (cherry picked from commit a4a0a1eb43cfccd128d085932a567e0482fbfe47)
      4a81b8b6
  10. 22 2月, 2019 1 次提交
  11. 21 2月, 2019 6 次提交