Commit | Line | Data
---|---|---
81a6c781 | 1 |
f1c236f8 | 2 | OpenSSL CHANGES
651d0aff RE | 3 | _______________
 | 4 |
e356ac5c MC | 5 | Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
 | 6 |
a8565530 DSH | 7 | *) Fix various certificate fingerprint issues.
 | 8 |
 | 9 | By using non-DER or invalid encodings outside the signed portion of a
 | 10 | certificate the fingerprint can be changed without breaking the signature.
 | 11 | Although no details of the signed portion of the certificate can be changed
 | 12 | this can cause problems with some applications: e.g. those using the
 | 13 | certificate fingerprint for blacklists.
 | 14 |
 | 15 | 1. Reject signatures with non zero unused bits.
 | 16 |
 | 17 | If the BIT STRING containing the signature has non zero unused bits reject
 | 18 | the signature. All current signature algorithms require zero unused bits.
 | 19 |
 | 20 | 2. Check certificate algorithm consistency.
 | 21 |
 | 22 | Check the AlgorithmIdentifier inside TBS matches the one in the
 | 23 | certificate signature. NB: this will result in signature failure
 | 24 | errors for some broken certificates.
 | 25 |
 | 26 | Thanks to Konrad Kraszewski from Google for reporting this issue.
 | 27 |
 | 28 | 3. Check DSA/ECDSA signatures use DER.
 | 29 |
 | 30 | Reencode DSA/ECDSA signatures and compare with the original received
 | 31 | signature. Return an error if there is a mismatch.
 | 32 |
 | 33 | This will reject various cases including garbage after signature
 | 34 | (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
 | 35 | program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
 | 36 | (negative or with leading zeroes).
 | 37 |
 | 38 | Further analysis was conducted and fixes were developed by Stephen Henson
 | 39 | of the OpenSSL core team.
 | 40 |
 | 41 | (CVE-2014-8275)
 | 42 | [Steve Henson]
 | 43 |
7fc5f4f1 DB | 44 | *) Do not resume sessions on the server if the negotiated protocol
 | 45 | version does not match the session's version. Resuming with a different
 | 46 | version, while not strictly forbidden by the RFC, is of questionable
 | 47 | sanity and breaks all known clients.
 | 48 |
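The re-encode-and-compare check from fix 3 above, as an added example that is not OpenSSL's own code: a deliberately lenient decoder pulls r and s out of a DSA/ECDSA signature (tolerating long-form lengths, leading zeros and trailing bytes), a strict DER encoder re-serialises them, and the signature is accepted only if the two byte strings match. The minimal parser, the `decode_sig`/`encode_sig` helpers and the sample signatures are constructed for this example.

```python
# Strict-DER check for SEQUENCE { INTEGER r, INTEGER s } (constructed example).

def _read_len(buf, pos):
    """Read a BER length (short or long form); return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _read_int(buf, pos):
    """Leniently read a non-negative INTEGER (leading zeros are tolerated here)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_len(buf, pos + 1)
    body = buf[pos:pos + length]
    if len(body) != length or length == 0:
        raise ValueError("truncated INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid r/s")
    return int.from_bytes(body, "big"), pos + length

def _der_len(n):
    """Minimal DER length encoding."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    """Minimal DER INTEGER: no redundant leading zero, high bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def decode_sig(sig):
    """Lenient decode: returns (r, s); ignores anything after s."""
    if sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _read_len(sig, 1)
    r, pos = _read_int(sig, pos)
    s, _ = _read_int(sig, pos)
    return r, s

def encode_sig(r, s):
    """Strict DER encode of SEQUENCE { INTEGER r, INTEGER s }."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body

def signature_is_strict_der(sig):
    """Accept only if re-encoding the decoded (r, s) reproduces sig exactly."""
    try:
        r, s = decode_sig(sig)
    except (ValueError, IndexError):
        return False
    return encode_sig(r, s) == sig
```

Trailing garbage, a leading zero on r, a long-form length for a short sequence and a negative s are all rejected, while the canonical encoding of the same (r, s) passes.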