mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-02-11 14:22:43 +08:00
Code Issues Packages Projects Releases Wiki Activity
33d5ba8629
openssl/ssl
History
Emilia Kasper 33d5ba8629 Reject elliptic curve lists of odd lengths. 
The Supported Elliptic Curves extension contains a vector of NamedCurves
of 2 bytes each, so the total length must be even. Accepting odd-length
lists was observed to lead to a non-exploitable one-byte out-of-bounds
read in the latest development branches (1.0.2 and master). Released
versions of OpenSSL are not affected.

Thanks to Felix Groebert of the Google Security Team for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-05 16:32:39 +01:00
..
bio_ssl.c OPENSSL_NO_SOCK fixes. 2012-04-16 17:42:36 +00:00
d1_both.c dtls1_heartbeat: check for NULL after allocating s->cert->ctypes 2014-12-04 23:48:44 +01:00
d1_clnt.c Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset 2014-11-20 14:57:15 +01:00
d1_lib.c dtls1_new: free s on error path 2014-12-04 23:48:44 +01:00
d1_meth.c Dual DTLS version methods. 2013-04-09 14:02:48 +01:00
d1_pkt.c Add checks to the return value of EVP_Cipher to prevent silent encryption failure. 2014-11-27 21:39:47 +00:00
d1_srtp.c Fix for SRTP Memory Leak 2014-10-15 08:56:16 -04:00
d1_srvr.c Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset 2014-11-20 14:57:15 +01:00
dtls1.h Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP) 2014-12-03 09:24:12 +00:00
heartbeat_test.c Add conditional unit testing interface. 2014-07-24 19:41:29 +01:00
install-ssl.com Install srtp.h 2012-07-05 13:20:19 +00:00
kssl_lcl.h Merge from 1.0.0-stable branch. 2009-04-23 16:32:42 +00:00
kssl.c RT2848: Remove extra NULL check 2014-08-19 12:43:58 -04:00
kssl.h Fix for WIN32 builds with KRB5 2014-02-26 15:33:11 +00:00
Makefile Remove SSLv2 support 2014-12-04 11:55:03 +01:00
s3_both.c [PR3597] Advance to the next state variant when reusing messages. 2014-11-28 20:47:41 +01:00
s3_cbc.c RT3066: rewrite RSA padding checks to be slightly more constant time. 2014-09-24 12:45:42 +02:00
s3_clnt.c Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset 2014-11-20 14:57:15 +01:00
s3_enc.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
s3_lib.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
s3_meth.c New option no-ssl3-method which removes SSLv3_*method 2014-11-19 18:11:37 +00:00
s3_pkt.c Add checks to the return value of EVP_Cipher to prevent silent encryption failure. 2014-11-27 21:39:47 +00:00
s3_srvr.c Do not resume a session if the negotiated protocol version does not match 2014-11-20 16:29:04 +01:00
s23_clnt.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
s23_lib.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
s23_meth.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
s23_pkt.c Reorder inclusion of header files: 2002-07-10 07:01:54 +00:00
s23_srvr.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
srtp.h Add include of ssl.h which is required by srtp.h 2014-11-27 13:16:36 +00:00
ssl2.h Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl3.h Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset 2014-11-20 14:57:15 +01:00
ssl23.h Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
ssl_algs.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_asn1.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_cert.c ssl_cert_dup: Fix memory leak 2014-12-04 23:48:44 +01:00
ssl_ciph.c ssl_create_cipher_list: check whether push onto cipherstack succeeds 2014-12-04 23:48:44 +01:00
ssl_conf.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_err2.c Use new-style system-id macros everywhere possible. I hope I haven't 2001-02-20 08:13:47 +00:00
ssl_err.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_lib.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_locl.h Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_rsa.c Rename some callbacks, fix alignment. 2014-08-28 17:06:53 +01:00
ssl_sess.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_stat.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_task.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_txt.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssl_utst.c Add conditional unit testing interface. 2014-07-24 19:41:29 +01:00
ssl-lib.com Add d1_srtp and t1_trce. 2012-07-05 13:20:02 +00:00
ssl.h Remove SSLv2 support 2014-12-04 11:55:03 +01:00
ssltest.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
t1_clnt.c Use appropriate versions of SSL3_ENC_METHOD 2013-03-18 14:53:59 +00:00
t1_enc.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
t1_ext.c Rename some callbacks, fix alignment. 2014-08-28 17:06:53 +01:00
t1_lib.c Reject elliptic curve lists of odd lengths. 2014-12-05 16:32:39 +01:00
t1_meth.c Use appropriate versions of SSL3_ENC_METHOD 2013-03-18 14:53:59 +00:00
t1_reneg.c Update RI to match latest spec. 2009-12-27 22:58:55 +00:00
t1_srvr.c Use appropriate versions of SSL3_ENC_METHOD 2013-03-18 14:53:59 +00:00
t1_trce.c Remove SSLv2 support 2014-12-04 11:55:03 +01:00
tls1.h Support TLS_FALLBACK_SCSV. 2014-10-15 04:03:28 +02:00
tls_srp.c Check SRP parameters early. 2014-08-06 20:36:41 +01:00