#
e3c9727f |
| 04-Oct-2016 |
Matt Caswell |
Resolve some outstanding size_t related TODOs Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
d736bc1a |
| 04-Oct-2016 |
Matt Caswell |
Update misc function params in libssl for size_t Reviewed-by: Rich Salz <rsalz@openssl.org>
|
Revision tags: OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a |
|
#
7ee8627f |
| 07-Sep-2016 |
Matt Caswell |
Convert libssl writing for size_t Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
eda75751 |
| 06-Sep-2016 |
Matt Caswell |
Further libssl size_t-ify of reading Writing still to be done Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
4a01c59f |
| 30-Sep-2016 |
Matt Caswell |
Harmonise setting the header and closing construction Ensure all message types work the same way including CCS so that the state machine doesn't need to know about special cases. Put all
Harmonise setting the header and closing construction Ensure all message types work the same way including CCS so that the state machine doesn't need to know about special cases. Put all the special logic into ssl_set_handshake_header() and ssl_close_construct_packet(). Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
#
7cea05dc |
| 29-Sep-2016 |
Matt Caswell |
Move init of the WPACKET into write_state_machine() Instead of initialising, finishing and cleaning up the WPACKET in every message construction function, we should do it once in wri
Move init of the WPACKET into write_state_machine() Instead of initialising, finishing and cleaning up the WPACKET in every message construction function, we should do it once in write_state_machine(). Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
#
a29fa98c |
| 29-Sep-2016 |
Matt Caswell |
Rename ssl_set_handshake_header2() ssl_set_handshake_header2() was only ever a temporary name while we had to have ssl_set_handshake_header() for code that hadn't been converted to W
Rename ssl_set_handshake_header2() ssl_set_handshake_header2() was only ever a temporary name while we had to have ssl_set_handshake_header() for code that hadn't been converted to WPACKET yet. No code remains that needed that so we can rename it. Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
#
48c054fe |
| 19-Sep-2016 |
Matt Caswell |
Excessive allocation of memory in dtls1_preprocess_fragment() This issue is very similar to CVE-2016-6307 described in the previous commit. The underlying defect is different but the sec
Excessive allocation of memory in dtls1_preprocess_fragment() This issue is very similar to CVE-2016-6307 described in the previous commit. The underlying defect is different but the security analysis and impacts are the same except that it impacts DTLS. A DTLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being consumed to service a connection. A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be allocated to service a connection. This could lead to a Denial of Service through memory exhaustion. However, the excessive message length check still takes place, and this would cause the connection to immediately fail. Assuming that the application calls SSL_free() on the failed conneciton in a timely manner then the 21Mb of allocated memory will then be immediately freed again. Therefore the excessive memory allocation will be transitory in nature. This then means that there is only a security impact if: 1) The application does not call SSL_free() in a timely manner in the event that the connection fails or 2) The application is working in a constrained environment where there is very little free memory or 3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection; SSL_free() has not yet been called; and there is insufficient memory to service the multiple requests. Except in the instance of (1) above any Denial Of Service is likely to be transitory because as soon as the connection fails the memory is subsequently freed again in the SSL_free() call. However there is an increased risk during this period of application crashes due to the lack of memory - which would then mean a more serious Denial of Service. This issue does not affect TLS users. Issue was reported by Shi Lei (Gear Team, Qihoo 360 Inc.). CVE-2016-6308 Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
#
3c106325 |
| 21-Sep-2016 |
Matt Caswell |
make update and fix some associated mis-matched error codes Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
08029dfa |
| 20-Sep-2016 |
Matt Caswell |
Convert WPACKET_put_bytes to use convenience macros All the other functions that take an argument for the number of bytes use convenience macros for this purpose. We should do the same w
Convert WPACKET_put_bytes to use convenience macros All the other functions that take an argument for the number of bytes use convenience macros for this purpose. We should do the same with WPACKET_put_bytes(). Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
#
85a7a5e6 |
| 20-Sep-2016 |
Matt Caswell |
Convert CCS construction to WPACKET Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
f1ec23c0 |
| 13-Sep-2016 |
Matt Caswell |
Convert CKE construction to use the WPACKET API Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
c0f9e23c |
| 13-Sep-2016 |
Matt Caswell |
Fix a few style nits in the wpacket code Addressing more feedback comments. Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
de451856 |
| 08-Sep-2016 |
Matt Caswell |
Address WPACKET review comments A few style tweaks here and there. The main change is that curr and packet_len are now offsets into the buffer to account for the fact that the pointe
Address WPACKET review comments A few style tweaks here and there. The main change is that curr and packet_len are now offsets into the buffer to account for the fact that the pointers can change if the buffer grows. Also dropped support for the WPACKET_set_packet_len() function. I thought that was going to be needed but so far it hasn't been. It doesn't really work any more due to the offsets change. Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
#
0217dd19 |
| 06-Sep-2016 |
Matt Caswell |
Move from explicit sub-packets to implicit ones No need to declare an explicit sub-packet. Just start one. Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
ae2f7b37 |
| 05-Sep-2016 |
Matt Caswell |
Rename PACKETW to WPACKET To avoid confusion with the read PACKET structure. Reviewed-by: Rich Salz <rsalz@openssl.org>
|
Revision tags: OpenSSL_1_1_0, OpenSSL_1_1_0-pre6 |
|
#
2c7b4dbc |
| 03-Aug-2016 |
Matt Caswell |
Convert tls_construct_client_hello() to use PACKETW Reviewed-by: Rich Salz <rsalz@openssl.org>
|
#
f5c7f5df |
| 30-Jun-2016 |
Matt Caswell |
Fix DTLS buffered message DoS attack DTLS can handle out of order record delivery. Additionally since handshake messages can be bigger than will fit into a single packet, the message
Fix DTLS buffered message DoS attack DTLS can handle out of order record delivery. Additionally since handshake messages can be bigger than will fit into a single packet, the messages can be fragmented across multiple records (as with normal TLS). That means that the messages can arrive mixed up, and we have to reassemble them. We keep a queue of buffered messages that are "from the future", i.e. messages we're not ready to deal with yet but have arrived early. The messages held there may not be full yet - they could be one or more fragments that are still in the process of being reassembled. The code assumes that we will eventually complete the reassembly and when that occurs the complete message is removed from the queue at the point that we need to use it. However, DTLS is also tolerant of packet loss. To get around that DTLS messages can be retransmitted. If we receive a full (non-fragmented) message from the peer after previously having received a fragment of that message, then we ignore the message in the queue and just use the non-fragmented version. At that point the queued message will never get removed. Additionally the peer could send "future" messages that we never get to in order to complete the handshake. Each message has a sequence number (starting from 0). We will accept a message fragment for the current message sequence number, or for any sequence up to 10 into the future. However if the Finished message has a sequence number of 2, anything greater than that in the queue is just left there. So, in those two ways we can end up with "orphaned" data in the queue that will never get removed - except when the connection is closed. At that point all the queues are flushed. An attacker could seek to exploit this by filling up the queues with lots of large messages that are never going to be used in order to attempt a DoS by memory exhaustion. I will assume that we are only concerned with servers here. It does not seem reasonable to be concerned about a memory exhaustion attack on a client. They are unlikely to process enough connections for this to be an issue. A "long" handshake with many messages might be 5 messages long (in the incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange, CertificateVerify, Finished. So this would be message sequence numbers 0 to 4. Additionally we can buffer up to 10 messages in the future. Therefore the maximum number of messages that an attacker could send that could get orphaned would typically be 15. The maximum size that a DTLS message is allowed to be is defined by max_cert_list, which by default is 100k. Therefore the maximum amount of "orphaned" memory per connection is 1500k. Message sequence numbers get reset after the Finished message, so renegotiation will not extend the maximum number of messages that can be orphaned per connection. As noted above, the queues do get cleared when the connection is closed. Therefore in order to mount an effective attack, an attacker would have to open many simultaneous connections. Issue reported by Quan Luo. CVE-2016-2179 Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
#
a230b26e |
| 05-Aug-2016 |
Emilia Kasper |
Indent ssl/ Run util/openssl-format-source on ssl/ Some comments and hand-formatted tables were fixed up manually by disabling auto-formatting. Reviewed-by: Rich Salz <
Indent ssl/ Run util/openssl-format-source on ssl/ Some comments and hand-formatted tables were fixed up manually by disabling auto-formatting. Reviewed-by: Rich Salz <rsalz@openssl.org>
show more ...
|
#
60250017 |
| 05-Aug-2016 |
klemens |
spelling fixes, just comments and readme. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull
spelling fixes, just comments and readme. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1413)
show more ...
|
Revision tags: OpenSSL-fips-2_0_13 |
|
#
2e7dc7cd |
| 17-Jun-2016 |
Matt Caswell |
Never expose ssl->bbio in the public API. This is adapted from BoringSSL commit 2f87112b963. This fixes a number of bugs where the existence of bbio was leaked in the public API
Never expose ssl->bbio in the public API. This is adapted from BoringSSL commit 2f87112b963. This fixes a number of bugs where the existence of bbio was leaked in the public API and broke things. - SSL_get_wbio returned the bbio during the handshake. It must always return the BIO the consumer configured. In doing so, some internal accesses of SSL_get_wbio should be switched to ssl->wbio since those want to see bbio. - The logic in SSL_set_rfd, etc. (which I doubt is quite right since SSL_set_bio's lifetime is unclear) would get confused once wbio got wrapped. Those want to compare to SSL_get_wbio. - If SSL_set_bio was called mid-handshake, bbio would get disconnected and lose state. It forgets to reattach the bbio afterwards. Unfortunately, Conscrypt does this a lot. It just never ended up calling it at a point where the bbio would cause problems. - Make more explicit the invariant that any bbio's which exist are always attached. Simplify a few things as part of that. RT#4572 Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
#
e8aa8b6c |
| 28-Jun-2016 |
FdaSilvaYY |
Fix a few if(, for(, while( inside code. Fix some indentation at the same time Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merge
Fix a few if(, for(, while( inside code. Fix some indentation at the same time Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1292)
show more ...
|
#
d166ed8c |
| 18-Jun-2016 |
Dr. Stephen Henson |
check return values for EVP_Digest*() APIs Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
823146d6 |
| 04-Jun-2016 |
FdaSilvaYY |
Useless header include of openssl/rand.h Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1
Useless header include of openssl/rand.h Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1168)
show more ...
|
#
255cf605 |
| 04-Jun-2016 |
Rich Salz |
RT3895: Remove fprintf's from SSL library. Reviewed-by: Richard Levitte <levitte@openssl.org>
|