git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Add -d debug option to save preprocessed files.

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1l and 1.0.1m [xx XXX xxxx]

  *)

 Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]

 Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
     dtls1_buffer_record function under certain conditions. In particular this
     could occur if an attacker sent repeated DTLS records with the same
     sequence number but for the next epoch. The memory leak could be exploited
     by an attacker in a Denial of Service attack through memory exhaustion.
     Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
     INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fixed issue where DH client certificates are accepted without verification.
     An OpenSSL server will accept a DH certificate for client authentication
     without the certificate verify message. This effectively allows a client to
     authenticate without the use of a private key. This only affects servers
     which trust a client certificate authority which issues certificates
     containing DH keys: these are extremely rare and hardly ever encountered.
     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
     this issue.
     (CVE-2015-0205)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.

     The session ID context is typically set from the parent SSL_CTX,
     and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

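     As an added illustration of fixes 1 and 3 in the entry above (example code
     written for this page, not OpenSSL's implementation), the following Python
     models the check applied to a certificate's signatureValue. The decoder is
     deliberately lenient, standing in for a BER-tolerant ASN.1 parser; the
     strictness comes from re-encoding the decoded (r, s) pair and requiring
     byte-for-byte equality with what was received, which is the check the entry
     describes. All function names, constant names and sample byte strings are
     constructed for this example.

```python
# Added example, not OpenSSL code: strict-DER checks on a certificate signature
# value, modelled on fixes 1 and 3 of the 1.0.1k fingerprint entry. A lenient
# decoder stands in for a BER-tolerant parser; re-encode-and-compare makes it strict.

def _read_length(buf, pos):
    """Lenient definite-length decoder: tolerates non-minimal long forms (81 06)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or pos + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def _read_integer(buf, pos):
    """Lenient INTEGER decoder: accepts leading zero octets and negative values."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_length(buf, pos + 1)
    content = buf[pos:pos + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(content, "big", signed=True), pos + length

def decode_signature(sig):
    """Lenient decode of SEQUENCE { INTEGER r, INTEGER s }; ignores trailing bytes."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(sig, 1)
    end = pos + length
    if end > len(sig):
        raise ValueError("truncated SEQUENCE")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != end:
        raise ValueError("unexpected content inside SEQUENCE")
    return r, s

def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _encode_integer(v):
    """Canonical DER INTEGER: minimal length, 0x00 pad only when the top bit is set."""
    if v < 0:
        raise ValueError("negative INTEGER in signature")
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _encode_length(len(body)) + body

def encode_signature(r, s):
    body = _encode_integer(r) + _encode_integer(s)
    return b"\x30" + _encode_length(len(body)) + body

def check_signature_der(sig):
    """Fix 3: decode, re-encode, require byte equality. Returns (ok, reason)."""
    try:
        canonical = encode_signature(*decode_signature(sig))
    except ValueError as e:
        return False, str(e)
    if canonical != sig:
        return False, "signature is not canonical DER"
    return True, "ok"

def unwrap_signature_bitstring(bitstr):
    """Fix 1: the BIT STRING carrying the signature must have zero unused bits."""
    if not bitstr or bitstr[0] != 0x03:
        raise ValueError("expected BIT STRING")
    length, pos = _read_length(bitstr, 1)
    if length < 1 or pos + length != len(bitstr):
        raise ValueError("bad BIT STRING length")
    if bitstr[pos] != 0:
        raise ValueError("BIT STRING has %d unused bits" % bitstr[pos])
    return bitstr[pos + 1:pos + length]

def verify_signature_value(bitstr):
    """Both checks, as applied to a certificate's signatureValue. Returns (ok, reason)."""
    try:
        sig = unwrap_signature_bitstring(bitstr)
    except ValueError as e:
        return False, str(e)
    return check_signature_der(sig)

# Constructed inputs with r = 1, s = 2; not real signatures.
GOOD = bytes.fromhex("30 06 02 01 01 02 01 02")
TRAILING_GARBAGE = GOOD + b"\x00"                               # garbage after signature
LEADING_ZERO = bytes.fromhex("30 07 02 02 00 01 02 01 02")      # r encoded as 00 01
NEGATIVE = bytes.fromhex("30 06 02 01 81 02 01 02")             # r = -127
LONG_FORM_LENGTH = bytes.fromhex("30 81 06 02 01 01 02 01 02")  # BER-style length
WRAPPED_GOOD = b"\x03\x09\x00" + GOOD                           # BIT STRING, 0 unused bits
WRAPPED_UNUSED_BITS = b"\x03\x09\x01" + GOOD                    # BIT STRING, 1 unused bit
```

     Against the constructed inputs, check_signature_der accepts only GOOD:
     trailing garbage, a non-minimal INTEGER, a BER long-form length and a
     negative component all fail, and verify_signature_value additionally
     rejects a BIT STRING wrapper that declares unused bits. Fix 2
     (AlgorithmIdentifier consistency) is a field comparison between the
     TBSCertificate and the outer Certificate and is not modelled here.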
  *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
     results on some platforms, including x86_64. This bug occurs at random
     with a very low probability, and is not known to be exploitable in any
     way, though its exact impact is difficult to determine. Thanks to Pieter
     Wuille (Blockstream) who reported this issue and also suggested an initial
     fix. Further analysis was conducted by the OpenSSL development team and
     Adam Langley of Google. The final fix was developed by Andy Polyakov of
     the OpenSSL core team.
     (CVE-2014-3570)
     [Andy Polyakov]

  *) Do not resume sessions on the server if the negotiated protocol
     version does not match the session's version. Resuming with a different
     version, while not strictly forbidden by the RFC, is of questionable
     sanity and breaks all known clients.
