| #
e3c9727f |
| 04-Oct-2016 |
Matt Caswell |
Resolve some outstanding size_t related TODOs
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
d736bc1a |
| 04-Oct-2016 |
Matt Caswell |
Update misc function params in libssl for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Revision tags: OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a |
|
| #
7ee8627f |
| 07-Sep-2016 |
Matt Caswell |
Convert libssl writing for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
eda75751 |
| 06-Sep-2016 |
Matt Caswell |
Further libssl size_t-ify of reading
Writing still to be done
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
4a01c59f |
| 30-Sep-2016 |
Matt Caswell |
Harmonise setting the header and closing construction
Ensure all message types work the same way including CCS so that the state
machine doesn't need to know about special cases. Put all
Harmonise setting the header and closing construction
Ensure all message types work the same way including CCS so that the state
machine doesn't need to know about special cases. Put all the special logic
into ssl_set_handshake_header() and ssl_close_construct_packet().
Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
| #
7cea05dc |
| 29-Sep-2016 |
Matt Caswell |
Move init of the WPACKET into write_state_machine()
Instead of initialising, finishing and cleaning up the WPACKET in every
message construction function, we should do it once in
wri
Move init of the WPACKET into write_state_machine()
Instead of initialising, finishing and cleaning up the WPACKET in every
message construction function, we should do it once in
write_state_machine().
Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
| #
a29fa98c |
| 29-Sep-2016 |
Matt Caswell |
Rename ssl_set_handshake_header2()
ssl_set_handshake_header2() was only ever a temporary name while we had
to have ssl_set_handshake_header() for code that hadn't been converted to
W
Rename ssl_set_handshake_header2()
ssl_set_handshake_header2() was only ever a temporary name while we had
to have ssl_set_handshake_header() for code that hadn't been converted to
WPACKET yet. No code remains that needed that so we can rename it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
| #
48c054fe |
| 19-Sep-2016 |
Matt Caswell |
Excessive allocation of memory in dtls1_preprocess_fragment()
This issue is very similar to CVE-2016-6307 described in the previous
commit. The underlying defect is different but the sec
Excessive allocation of memory in dtls1_preprocess_fragment()
This issue is very similar to CVE-2016-6307 described in the previous
commit. The underlying defect is different but the security analysis and
impacts are the same except that it impacts DTLS.
A DTLS message includes 3 bytes for its length in the header for the
message.
This would allow for messages up to 16Mb in length. Messages of this length
are excessive and OpenSSL includes a check to ensure that a peer is sending
reasonably sized messages in order to avoid too much memory being consumed
to service a connection. A flaw in the logic of version 1.1.0 means that
memory for the message is allocated too early, prior to the excessive
message length check. Due to way memory is allocated in OpenSSL this could
mean an attacker could force up to 21Mb to be allocated to service a
connection. This could lead to a Denial of Service through memory
exhaustion. However, the excessive message length check still takes place,
and this would cause the connection to immediately fail. Assuming that the
application calls SSL_free() on the failed conneciton in a timely manner
then the 21Mb of allocated memory will then be immediately freed again.
Therefore the excessive memory allocation will be transitory in nature.
This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the
event that the connection fails
or
2) The application is working in a constrained environment where there
is very little free memory
or
3) The attacker initiates multiple connection attempts such that there
are multiple connections in a state where memory has been allocated for
the connection; SSL_free() has not yet been called; and there is
insufficient memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to
be transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack
of memory - which would then mean a more serious Denial of Service.
This issue does not affect TLS users.
Issue was reported by Shi Lei (Gear Team, Qihoo 360 Inc.).
CVE-2016-6308
Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
| #
3c106325 |
| 21-Sep-2016 |
Matt Caswell |
make update and fix some associated mis-matched error codes
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| #
08029dfa |
| 20-Sep-2016 |
Matt Caswell |
Convert WPACKET_put_bytes to use convenience macros
All the other functions that take an argument for the number of bytes
use convenience macros for this purpose. We should do the same w
Convert WPACKET_put_bytes to use convenience macros
All the other functions that take an argument for the number of bytes
use convenience macros for this purpose. We should do the same with
WPACKET_put_bytes().
Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
| #
85a7a5e6 |
| 20-Sep-2016 |
Matt Caswell |
Convert CCS construction to WPACKET
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
f1ec23c0 |
| 13-Sep-2016 |
Matt Caswell |
Convert CKE construction to use the WPACKET API
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
c0f9e23c |
| 13-Sep-2016 |
Matt Caswell |
Fix a few style nits in the wpacket code
Addressing more feedback comments.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
de451856 |
| 08-Sep-2016 |
Matt Caswell |
Address WPACKET review comments
A few style tweaks here and there. The main change is that curr and
packet_len are now offsets into the buffer to account for the fact that
the pointe
Address WPACKET review comments
A few style tweaks here and there. The main change is that curr and
packet_len are now offsets into the buffer to account for the fact that
the pointers can change if the buffer grows. Also dropped support for the
WPACKET_set_packet_len() function. I thought that was going to be needed
but so far it hasn't been. It doesn't really work any more due to the
offsets change.
Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
| #
0217dd19 |
| 06-Sep-2016 |
Matt Caswell |
Move from explicit sub-packets to implicit ones
No need to declare an explicit sub-packet. Just start one.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
ae2f7b37 |
| 05-Sep-2016 |
Matt Caswell |
Rename PACKETW to WPACKET
To avoid confusion with the read PACKET structure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Revision tags: OpenSSL_1_1_0, OpenSSL_1_1_0-pre6 |
|
| #
2c7b4dbc |
| 03-Aug-2016 |
Matt Caswell |
Convert tls_construct_client_hello() to use PACKETW
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| #
f5c7f5df |
| 30-Jun-2016 |
Matt Caswell |
Fix DTLS buffered message DoS attack
DTLS can handle out of order record delivery. Additionally since
handshake messages can be bigger than will fit into a single packet, the
message
Fix DTLS buffered message DoS attack
DTLS can handle out of order record delivery. Additionally since
handshake messages can be bigger than will fit into a single packet, the
messages can be fragmented across multiple records (as with normal TLS).
That means that the messages can arrive mixed up, and we have to
reassemble them. We keep a queue of buffered messages that are "from the
future", i.e. messages we're not ready to deal with yet but have arrived
early. The messages held there may not be full yet - they could be one
or more fragments that are still in the process of being reassembled.
The code assumes that we will eventually complete the reassembly and
when that occurs the complete message is removed from the queue at the
point that we need to use it.
However, DTLS is also tolerant of packet loss. To get around that DTLS
messages can be retransmitted. If we receive a full (non-fragmented)
message from the peer after previously having received a fragment of
that message, then we ignore the message in the queue and just use the
non-fragmented version. At that point the queued message will never get
removed.
Additionally the peer could send "future" messages that we never get to
in order to complete the handshake. Each message has a sequence number
(starting from 0). We will accept a message fragment for the current
message sequence number, or for any sequence up to 10 into the future.
However if the Finished message has a sequence number of 2, anything
greater than that in the queue is just left there.
So, in those two ways we can end up with "orphaned" data in the queue
that will never get removed - except when the connection is closed. At
that point all the queues are flushed.
An attacker could seek to exploit this by filling up the queues with
lots of large messages that are never going to be used in order to
attempt a DoS by memory exhaustion.
I will assume that we are only concerned with servers here. It does not
seem reasonable to be concerned about a memory exhaustion attack on a
client. They are unlikely to process enough connections for this to be
an issue.
A "long" handshake with many messages might be 5 messages long (in the
incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
CertificateVerify, Finished. So this would be message sequence numbers 0
to 4. Additionally we can buffer up to 10 messages in the future.
Therefore the maximum number of messages that an attacker could send
that could get orphaned would typically be 15.
The maximum size that a DTLS message is allowed to be is defined by
max_cert_list, which by default is 100k. Therefore the maximum amount of
"orphaned" memory per connection is 1500k.
Message sequence numbers get reset after the Finished message, so
renegotiation will not extend the maximum number of messages that can be
orphaned per connection.
As noted above, the queues do get cleared when the connection is closed.
Therefore in order to mount an effective attack, an attacker would have
to open many simultaneous connections.
Issue reported by Quan Luo.
CVE-2016-2179
Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
| #
a230b26e |
| 05-Aug-2016 |
Emilia Kasper |
Indent ssl/
Run util/openssl-format-source on ssl/
Some comments and hand-formatted tables were fixed up
manually by disabling auto-formatting.
Reviewed-by: Rich Salz <
Indent ssl/
Run util/openssl-format-source on ssl/
Some comments and hand-formatted tables were fixed up
manually by disabling auto-formatting.
Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
| #
60250017 |
| 05-Aug-2016 |
klemens |
spelling fixes, just comments and readme.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull
spelling fixes, just comments and readme.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413)
show more ...
|
|
Revision tags: OpenSSL-fips-2_0_13 |
|
| #
2e7dc7cd |
| 17-Jun-2016 |
Matt Caswell |
Never expose ssl->bbio in the public API.
This is adapted from BoringSSL commit 2f87112b963.
This fixes a number of bugs where the existence of bbio was leaked in the
public API
Never expose ssl->bbio in the public API.
This is adapted from BoringSSL commit 2f87112b963.
This fixes a number of bugs where the existence of bbio was leaked in the
public API and broke things.
- SSL_get_wbio returned the bbio during the handshake. It must always return
the BIO the consumer configured. In doing so, some internal accesses of
SSL_get_wbio should be switched to ssl->wbio since those want to see bbio.
- The logic in SSL_set_rfd, etc. (which I doubt is quite right since
SSL_set_bio's lifetime is unclear) would get confused once wbio got
wrapped. Those want to compare to SSL_get_wbio.
- If SSL_set_bio was called mid-handshake, bbio would get disconnected and
lose state. It forgets to reattach the bbio afterwards. Unfortunately,
Conscrypt does this a lot. It just never ended up calling it at a point
where the bbio would cause problems.
- Make more explicit the invariant that any bbio's which exist are always
attached. Simplify a few things as part of that.
RT#4572
Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
| #
e8aa8b6c |
| 28-Jun-2016 |
FdaSilvaYY |
Fix a few if(, for(, while( inside code.
Fix some indentation at the same time
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merge
Fix a few if(, for(, while( inside code.
Fix some indentation at the same time
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292)
show more ...
|
| #
d166ed8c |
| 18-Jun-2016 |
Dr. Stephen Henson |
check return values for EVP_Digest*() APIs
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
| #
823146d6 |
| 04-Jun-2016 |
FdaSilvaYY |
Useless header include of openssl/rand.h
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1
Useless header include of openssl/rand.h
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1168)
show more ...
|
| #
255cf605 |
| 04-Jun-2016 |
Rich Salz |
RT3895: Remove fprintf's from SSL library.
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
