1. 25 3月, 2015 1 次提交
  2. 24 3月, 2015 5 次提交
  3. 23 3月, 2015 4 次提交
  4. 20 3月, 2015 2 次提交
  5. 19 3月, 2015 4 次提交
    • M
      Fix DHE Null CKE vulnerability · d3cc5e61
      Matt Caswell 提交于
      If client auth is used then a server can seg fault in the event of a DHE
      cipher being used and a zero length ClientKeyExchange message being sent
      by the client. This could be exploited in a DoS attack.
      
      CVE-2015-1787
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      d3cc5e61
    • D
      Fix for CVE-2015-0291 · 34e3edbf
      Dr. Stephen Henson 提交于
      If a client renegotiates using an invalid signature algorithms extension
      it will crash a server with a NULL pointer dereference.
      
      Thanks to David Ramos of Stanford University for reporting this bug.
      
      CVE-2015-0291
      Reviewed-by: NTim Hudson <tjh@openssl.org>
      34e3edbf
    • M
      Fix Seg fault in DTLSv1_listen · e83ee04b
      Matt Caswell 提交于
      The DTLSv1_listen function is intended to be stateless and processes
      the initial ClientHello from many peers. It is common for user code to
      loop over the call to DTLSv1_listen until a valid ClientHello is received
      with an associated cookie. A defect in the implementation of DTLSv1_listen
      means that state is preserved in the SSL object from one invokation to the
      next that can lead to a segmentation fault. Erorrs processing the initial
      ClientHello can trigger this scenario. An example of such an error could
      be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
      server.
      
      CVE-2015-0207
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      e83ee04b
    • M
      Multiblock corrupted pointer fix · 1d2a18dc
      Matt Caswell 提交于
      OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
      feature only applies on 64 bit x86 architecture platforms that support AES
      NI instructions. A defect in the implementation of "multiblock" can cause
      OpenSSL's internal write buffer to become incorrectly set to NULL when
      using non-blocking IO. Typically, when the user application is using a
      socket BIO for writing, this will only result in a failed connection.
      However if some other BIO is used then it is likely that a segmentation
      fault will be triggered, thus enabling a potential DoS attack.
      
      CVE-2015-0290
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      Reviewed-by: NAndy Polyakov <appro@openssl.org>
      1d2a18dc
  6. 17 3月, 2015 1 次提交
    • M
      Add sanity check to PRF · 668f6f08
      Matt Caswell 提交于
      The function tls1_PRF counts the number of digests in use and partitions
      security evenly between them. There always needs to be at least one digest
      in use, otherwise this is an internal error. Add a sanity check for this.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      668f6f08
  7. 16 3月, 2015 1 次提交
  8. 15 3月, 2015 1 次提交
  9. 12 3月, 2015 2 次提交
  10. 11 3月, 2015 3 次提交
  11. 10 3月, 2015 1 次提交
    • M
      Prevent handshake with unseeded PRNG · e1b568dd
      Matt Caswell 提交于
      Fix security issue where under certain conditions a client can complete a
      handshake with an unseeded PRNG. The conditions are:
      - Client is on a platform where the PRNG has not been seeded, and the
      user has not seeded manually
      - A protocol specific client method version has been used (i.e. not
      SSL_client_methodv23)
      - A ciphersuite is used that does not require additional random data
      from the PRNG beyond the initial ClientHello client random
      (e.g. PSK-RC4-SHA)
      
      If the handshake succeeds then the client random that has been used will
      have been generated from a PRNG with insufficient entropy and therefore
      the output may be predictable.
      
      For example using the following command with an unseeded openssl will
      succeed on an unpatched platform:
      
      openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
      
      CVE-2015-0285
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      e1b568dd
  12. 09 3月, 2015 2 次提交
    • D
      Wrong SSL version in DTLS1_BAD_VER ClientHello · f7683aaf
      David Woodhouse 提交于
      Since commit 741c9959 ("DTLS revision."), we put the wrong protocol
      version into our ClientHello for DTLS1_BAD_VER. The old DTLS
      code which used ssl->version was replaced by the more generic SSL3 code
      which uses ssl->client_version. The Cisco ASA no longer likes our
      ClientHello.
      
      RT#3711
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      f7683aaf
    • M
      Fix DTLS1_BAD_VER regression · 5178a16c
      Matt Caswell 提交于
      Commit 9cf0f187 in HEAD, and 68039af3 in 1.0.2, removed a version check
      from dtls1_buffer_message() which was needed to distinguish between DTLS
      1.x and Cisco's pre-standard version of DTLS (DTLS1_BAD_VER).
      
      Based on an original patch by David Woodhouse <dwmw2@infradead.org>
      RT#3703
      Reviewed-by: NTim Hudson <tjh@openssl.org>
      5178a16c
  13. 05 3月, 2015 2 次提交
  14. 02 3月, 2015 1 次提交
    • R
      Remove experimental 56bit export ciphers · a258afaf
      Rich Salz 提交于
      These ciphers are removed:
          TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5
          TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
          TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA
          TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
          TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA
          TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
          TLS1_CK_DHE_DSS_WITH_RC4_128_SHA
      They were defined in a long-expired IETF internet-draft:
      draft-ietf-tls-56-bit-ciphersuites-01.txt
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      a258afaf
  15. 28 2月, 2015 1 次提交
    • M
      Fix d2i_SSL_SESSION for DTLS1_BAD_VER · af674d4e
      Matt Caswell 提交于
      Some Cisco appliances use a pre-standard version number for DTLS. We support
      this as DTLS1_BAD_VER within the code.
      
      This change fixes d2i_SSL_SESSION for that DTLS version.
      
      Based on an original patch by David Woodhouse <dwmw2@infradead.org>
      
      RT#3704
      Reviewed-by: NTim Hudson <tjh@openssl.org>
      af674d4e
  16. 27 2月, 2015 4 次提交
  17. 24 2月, 2015 1 次提交
  18. 13 2月, 2015 1 次提交
  19. 11 2月, 2015 3 次提交
    • M
      Add SSL_SESSION_get0_ticket API function. · b7c9187b
      Matt Caswell 提交于
      Reviewed-by: NTim Hudson <tjh@openssl.org>
      b7c9187b
    • M
      Correct reading back of tlsext_tick_lifetime_hint from ASN1. · ea6bd264
      Matt Caswell 提交于
      When writing out the hint, if the hint > 0, then we write it out otherwise
      we skip it.
      
      Previously when reading the hint back in, if were expecting to see one
      (because the ticket length > 0), but it wasn't present then we set the hint
      to -1, otherwise we set it to 0. This fails to set the hint to the same as
      when it was written out.
      
      The hint should never be negative because the RFC states the hint is
      unsigned. It is valid for a server to set the hint to 0 (this means the
      lifetime is unspecified according to the RFC). If the server set it to 0, it
      should still be 0 when we read it back in.
      Reviewed-by: NTim Hudson <tjh@openssl.org>
      ea6bd264
    • M
      Provide the API functions SSL_SESSION_has_ticket and · f2baac27
      Matt Caswell 提交于
      SSL_SESSION_get_ticket_lifetime_hint. The latter has been reported as
      required to fix Qt for OpenSSL 1.1.0. I have also added the former in order
      to determine whether a ticket is present or not - otherwise it is difficult
      to know whether a zero lifetime hint is because the server set it to 0, or
      because there is no ticket.
      Reviewed-by: NTim Hudson <tjh@openssl.org>
      f2baac27