git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Check public key is not NULL.

 OpenSSL CHANGES
 _______________

 Changes between 0.9.8ze and 0.9.8zf [xx XXX xxxx]

  *)

 Changes between 0.9.8zd and 0.9.8ze [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]

 Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
     INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non-zero unused bits.

     If the BIT STRING containing the signature has non-zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

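To make fixes 1 and 3 above concrete, here is an added example (not OpenSSL code) of a strict DER check over a certificate's DSA/ECDSA signatureValue BIT STRING. It rejects non-zero unused bits, BER length forms, negative or zero-padded INTEGERs, a third element inside the SEQUENCE, and bytes after the SEQUENCE, which are exactly the encodings that change the certificate's fingerprint without touching the signed TBSCertificate. The sample signatures are constructed with toy-sized r and s; the function and enum names are the example's own.

```c
/* Strict DER check for a DSA/ECDSA signature as carried in an X.509
 * certificate's signatureValue BIT STRING. Added example, not OpenSSL code:
 * it mirrors fix 1 (reject non-zero unused bits) and fix 3 (reject anything
 * that is not the minimal DER SEQUENCE { INTEGER r, INTEGER s } with no
 * trailing bytes) from the CHANGES entry above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum sig_status {
    SIG_OK = 0,
    SIG_BAD_UNUSED_BITS,  /* BIT STRING declares unused bits (fix 1) */
    SIG_BAD_STRUCTURE,    /* not a minimal-DER SEQUENCE of two INTEGERs */
    SIG_BAD_INTEGER,      /* negative, empty or zero-padded INTEGER */
    SIG_TRAILING_GARBAGE  /* bytes after the SEQUENCE (fix 3) */
};

/* Read one DER length at buf[*pos] and advance. Returns 0 for BER-only forms
 * (indefinite length, zero-padded or unnecessarily long length) or overrun. */
static int der_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return 0;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 1; }      /* short form */
    size_t n = b & 0x7f;                       /* long form: n length bytes */
    if (n == 0 || n > sizeof(size_t) || *pos + n > len) return 0;
    if (buf[*pos] == 0) return 0;              /* leading zero length byte */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    if (v < 0x80) return 0;                    /* short form would have fit */
    *out = v;
    return 1;
}

/* Check one DER INTEGER ending no later than buf[end] and advance past it. */
static enum sig_status check_integer(const uint8_t *buf, size_t end, size_t *pos)
{
    if (*pos >= end || buf[(*pos)++] != 0x02) return SIG_BAD_STRUCTURE;
    size_t n;
    if (!der_length(buf, end, pos, &n) || n == 0 || *pos + n > end)
        return SIG_BAD_INTEGER;
    const uint8_t *v = buf + *pos;
    if (v[0] & 0x80) return SIG_BAD_INTEGER;                 /* negative value */
    if (n > 1 && v[0] == 0x00 && !(v[1] & 0x80)) return SIG_BAD_INTEGER; /* padding */
    *pos += n;
    return SIG_OK;
}

/* sig is the content of the signature BIT STRING: one unused-bits byte
 * followed by the DER-encoded signature. */
enum sig_status check_ecdsa_sig_bitstring(const uint8_t *sig, size_t siglen)
{
    if (siglen < 1) return SIG_BAD_STRUCTURE;
    if (sig[0] != 0) return SIG_BAD_UNUSED_BITS;
    const uint8_t *buf = sig + 1;
    size_t len = siglen - 1, pos = 0, seqlen;
    if (len < 1 || buf[pos++] != 0x30) return SIG_BAD_STRUCTURE;
    if (!der_length(buf, len, &pos, &seqlen) || pos + seqlen > len)
        return SIG_BAD_STRUCTURE;
    size_t end = pos + seqlen;
    enum sig_status st;
    if ((st = check_integer(buf, end, &pos)) != SIG_OK) return st;
    if ((st = check_integer(buf, end, &pos)) != SIG_OK) return st;
    if (pos != end) return SIG_BAD_STRUCTURE;     /* a third element inside */
    if (end != len) return SIG_TRAILING_GARBAGE;  /* bytes after the SEQUENCE */
    return SIG_OK;
}

/* Constructed samples with toy-sized r and s (real values are 20+ bytes). */
const uint8_t SIG_GOOD[]       = {0x00, 0x30,0x06, 0x02,0x01,0x05, 0x02,0x01,0x07};
const uint8_t SIG_UNUSEDBITS[] = {0x01, 0x30,0x06, 0x02,0x01,0x05, 0x02,0x01,0x07};
const uint8_t SIG_TRAILING[]   = {0x00, 0x30,0x06, 0x02,0x01,0x05, 0x02,0x01,0x07, 0xAA};
const uint8_t SIG_PADDED_R[]   = {0x00, 0x30,0x07, 0x02,0x02,0x00,0x05, 0x02,0x01,0x07};
const uint8_t SIG_NEGATIVE_R[] = {0x00, 0x30,0x06, 0x02,0x01,0x85, 0x02,0x01,0x07};
const uint8_t SIG_BER_LENGTH[] = {0x00, 0x30,0x81,0x06, 0x02,0x01,0x05, 0x02,0x01,0x07};

int main(void)
{
    static const char *msg[] = {"ok", "non-zero unused bits", "bad structure",
                                "bad INTEGER", "trailing garbage"};
    printf("good:        %s\n", msg[check_ecdsa_sig_bitstring(SIG_GOOD, sizeof SIG_GOOD)]);
    printf("unused bits: %s\n", msg[check_ecdsa_sig_bitstring(SIG_UNUSEDBITS, sizeof SIG_UNUSEDBITS)]);
    printf("trailing:    %s\n", msg[check_ecdsa_sig_bitstring(SIG_TRAILING, sizeof SIG_TRAILING)]);
    printf("padded r:    %s\n", msg[check_ecdsa_sig_bitstring(SIG_PADDED_R, sizeof SIG_PADDED_R)]);
    printf("negative r:  %s\n", msg[check_ecdsa_sig_bitstring(SIG_NEGATIVE_R, sizeof SIG_NEGATIVE_R)]);
    printf("BER length:  %s\n", msg[check_ecdsa_sig_bitstring(SIG_BER_LENGTH, sizeof SIG_BER_LENGTH)]);
    return 0;
}
```

Re-encoding the parsed (r, s) to DER and comparing the result against the received bytes, as fix 3 describes, is the same check expressed with a library's ASN.1 encoder instead of a hand-written validator; either way, every rejected form is one that would have altered the fingerprint while leaving the signed portion valid.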
  *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
     results on some platforms, including x86_64. This bug occurs at random
     with a very low probability, and is not known to be exploitable in any
     way, though its exact impact is difficult to determine. Thanks to Pieter
     Wuille (Blockstream) who reported this issue and also suggested an initial
     fix. Further analysis was conducted by the OpenSSL development team and
     Adam Langley of Google. The final fix was developed by Andy Polyakov of
     the OpenSSL core team.
     (CVE-2014-3570)
     [Andy Polyakov]

 Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
     integrity of that ticket is first verified. In the event of a session
     ticket integrity check failing, OpenSSL will fail to free memory
     causing a memory leak. By sending a large number of invalid session
     tickets an attacker could exploit this issue in a Denial Of Service
     attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers
     could accept and complete an SSL 3.0 handshake, and clients could be
     configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.
     Client applications doing fallback retries should call
     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

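As an added illustration of the server side of the mechanism (example code, not OpenSSL's), the check below applies the RFC 7507 rule to a simplified ClientHello: the signaling cipher suite value 0x5600 and the inappropriate_fallback alert (86) come from that RFC, while struct client_hello and the sample messages are constructed for the example. It also shows why the no-ssl3 fix above matters: a downgraded client that never sends the SCSV is indistinguishable from a genuinely old one.

```c
/* Server-side TLS_FALLBACK_SCSV handling from RFC 7507, written as a
 * stand-alone simulation over an already-parsed ClientHello. Added example,
 * not OpenSSL code; struct client_hello is a simplified stand-in for the
 * real message. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV            0x5600u /* signaling cipher suite value, RFC 7507 */
#define ALERT_INAPPROPRIATE_FALLBACK 86      /* alert description, RFC 7507 */

#define SSL3_VERSION   0x0300u
#define TLS1_2_VERSION 0x0303u

struct client_hello {
    uint16_t client_version;        /* highest version the client offers */
    const uint16_t *cipher_suites;  /* cipher suite list as sent */
    size_t n_suites;
};

/* Returns 0 if the handshake may continue, otherwise the alert to send. */
int server_check_fallback_scsv(const struct client_hello *ch,
                               uint16_t server_max_version)
{
    int scsv_present = 0;
    for (size_t i = 0; i < ch->n_suites; i++)
        if (ch->cipher_suites[i] == TLS_FALLBACK_SCSV)
            scsv_present = 1;

    /* No SCSV: a first attempt, or a client that does not use the mechanism.
     * The server cannot tell a genuine old client from a forced downgrade
     * here, which is why refusing SSL 3.0 outright (no-ssl3 above) matters. */
    if (!scsv_present)
        return 0;

    /* The client marks this as a fallback retry yet offers less than we
     * support: its earlier attempt was blocked or tampered with, so refuse. */
    if (ch->client_version < server_max_version)
        return ALERT_INAPPROPRIATE_FALLBACK;

    /* SCSV present but the client already offers our best version: it fell
     * back from something we do not support anyway, so continue. */
    return 0;
}

/* Constructed ClientHellos. 0x002f/0x0035 are TLS_RSA_WITH_AES_{128,256}_CBC_SHA. */
static const uint16_t SUITES_PLAIN[] = {0x002f, 0x0035};
static const uint16_t SUITES_SCSV[]  = {0x002f, 0x0035, TLS_FALLBACK_SCSV};
#define NSUITES(a) (sizeof(a) / sizeof((a)[0]))

const struct client_hello CH_TLS12_PLAIN = {TLS1_2_VERSION, SUITES_PLAIN, NSUITES(SUITES_PLAIN)};
const struct client_hello CH_TLS12_SCSV  = {TLS1_2_VERSION, SUITES_SCSV,  NSUITES(SUITES_SCSV)};
const struct client_hello CH_SSL3_PLAIN  = {SSL3_VERSION,   SUITES_PLAIN, NSUITES(SUITES_PLAIN)};
const struct client_hello CH_SSL3_SCSV   = {SSL3_VERSION,   SUITES_SCSV,  NSUITES(SUITES_SCSV)};

int main(void)
{
    printf("TLS1.2, no SCSV, server max TLS1.2    -> %d\n",
           server_check_fallback_scsv(&CH_TLS12_PLAIN, TLS1_2_VERSION));
    printf("SSL3 retry + SCSV, server max TLS1.2  -> %d (inappropriate_fallback)\n",
           server_check_fallback_scsv(&CH_SSL3_SCSV, TLS1_2_VERSION));
    printf("TLS1.2 + SCSV, server max TLS1.2      -> %d\n",
           server_check_fallback_scsv(&CH_TLS12_SCSV, TLS1_2_VERSION));
    printf("SSL3 retry + SCSV, server max SSL3    -> %d\n",
           server_check_fallback_scsv(&CH_SSL3_SCSV, SSL3_VERSION));
    printf("SSL3, no SCSV, server max TLS1.2      -> %d (not detectable here)\n",
           server_check_fallback_scsv(&CH_SSL3_PLAIN, TLS1_2_VERSION));
    return 0;
}
```

On the client side, the SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV) call named in the entry belongs only on the retry connection that a fallback scheme opens after a failed attempt; a first connection that sets it while offering less than the server's best version is refused with the same alert.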
  *) Add additional DigestInfo checks.

     Reencode DigestInfo in DER and check against the original when
     verifying RSA signature: this will reject any improperly encoded
     DigestInfo structures.

     Note: this is a precautionary measure and no attacks are currently known.

     [Steve Henson]

1c5f396d 132 Changes between 0.9.8za and 0.9.8zb [6 Aug 2014]
4a1190be 133
9fcaaef3
MC
134 *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
135 to a denial of service attack. A malicious server can crash the client
136 with a null pointer dereference (read) by specifying an anonymous (EC)DH
137 ciphersuite and sending carefully crafted handshake messages.
138
139