openssl/ssl
Matt Caswell c1c1bb7c5e Fix invalid handling of verify errors in libssl
In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
That return code is supposed to only ever be returned if an application
is using an app verify callback to complete replace the use of
X509_verify(). Applications may not be written to expect that return code
and could therefore crash (or misbehave in some other way) as a result.

CVE-2021-4044

Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-12-14 13:48:34 +00:00
..
record Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix 2021-11-17 15:48:34 +01:00
statem Fix invalid handling of verify errors in libssl 2021-12-14 13:48:34 +00:00
bio_ssl.c Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE 2021-10-04 10:55:39 +02:00
build.info Do not duplicate symbols between libcrypto and libssl in static builds 2021-06-14 09:21:05 +10:00
d1_lib.c Fix dtls timeout dead code 2021-07-29 10:08:07 -07:00
d1_msg.c fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
d1_srtp.c Convert all {NAME}err() in ssl/ to their corresponding ERR_raise() call 2020-11-11 12:12:11 +01:00
ktls.c KTLS: use EVP_CIPHER_is_a instead of nid 2021-11-08 17:40:01 +08:00
methods.c
pqueue.c Update copyright year 2020-11-26 14:18:57 +00:00
s3_cbc.c fips module header inclusion fine-tunning 2021-07-06 10:52:27 +10:00
s3_enc.c tls: remove TODOs 2021-06-02 16:30:15 +10:00
s3_lib.c Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions 2021-12-07 12:16:50 +00:00
s3_msg.c Update copyright year 2021-05-20 14:22:33 +01:00
ssl_asn1.c Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests 2021-08-31 12:20:12 +02:00
ssl_cert_table.h
ssl_cert.c Fix invalid handling of verify errors in libssl 2021-12-14 13:48:34 +00:00
ssl_ciph.c Don't include any TLSv1.3 ciphersuites that are disabled 2021-11-29 12:17:30 +10:00
ssl_conf.c Disabling Encrypt-then-MAC extension in s_client/s_server 2021-06-15 22:14:34 +02:00
ssl_err_legacy.c Update copyright year 2021-06-17 13:24:59 +01:00
ssl_err.c err: rename err_load_xxx_strings_int functions 2021-05-26 13:01:47 +10:00
ssl_init.c fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
ssl_lib.c Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions 2021-12-07 12:16:50 +00:00
ssl_local.h Enable brainpool curves for TLS1.3 2021-11-26 06:45:19 +01:00
ssl_mcnf.c SSL: refactor all SSLfatal() calls 2020-11-11 12:12:23 +01:00
ssl_rsa_legacy.c Deprecate RSA harder 2020-11-18 23:38:34 +01:00
ssl_rsa.c Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix 2021-11-17 15:48:34 +01:00
ssl_sess.c Add missing session timeout calc 2021-07-28 10:37:21 +10:00
ssl_stat.c Update copyright year 2021-09-07 13:35:43 +02:00
ssl_txt.c Update copyright year 2021-06-17 13:24:59 +01:00
ssl_utst.c
sslerr.h err: rename err_load_xxx_strings_int functions 2021-05-26 13:01:47 +10:00
t1_enc.c tls: remove TODOs 2021-06-02 16:30:15 +10:00
t1_lib.c Enable brainpool curves for TLS1.3 2021-11-26 06:45:19 +01:00
t1_trce.c Enable brainpool curves for TLS1.3 2021-11-26 06:45:19 +01:00
tls13_enc.c fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
tls_depr.c Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c 2021-10-06 15:18:10 +02:00
tls_srp.c ssl: add zero strenght arguments to BN and RAND RNG calls 2021-05-29 17:17:12 +10:00