git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Fix reachable assert in SSLv2 servers.

 OpenSSL CHANGES
 _______________

 Changes between 0.9.8ze and 0.9.8zf [xx XXX xxxx]

  *) Removed the export and SSLv2 ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 0.9.8zd and 0.9.8ze [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]

 Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When OpenSSL is
     built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
     INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

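Checks 1 and 3 above at the byte level, as an added example that is not OpenSSL's code: a strict DER parser for a DSA/ECDSA signatureValue that rejects a non-zero unused-bits byte, trailing garbage, BER length forms, negative INTEGERs and superfluous leading zeros. Accepting only the one canonical encoding of a given (r, s) has the same effect as the re-encode-and-compare approach the entry describes. The function names and the sample byte strings are constructed for the example; check 2 (algorithm consistency) needs a full certificate parser and is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code. Names and sample bytes are constructed. */

/* Check 1. The certificate signature is a BIT STRING whose first content
 * byte counts "unused" trailing bits. Every current signature algorithm
 * produces whole octets, so that byte must be zero. `bs` points at the
 * BIT STRING contents (after its tag and length). */
int sig_bitstring_unused_bits_ok(const uint8_t *bs, size_t len)
{
    return len >= 1 && bs[0] == 0x00;
}

/* Read a DER tag and length at p[0..len). Only definite lengths are allowed,
 * and the long form (0x81) only when the short form cannot express the
 * length; that is what makes BER-but-not-DER encodings fail here. Lengths
 * above 255 are rejected because no DSA/ECDSA r, s or signature needs them.
 * Returns the header size and stores the content length, or returns 0. */
static size_t der_header(const uint8_t *p, size_t len, uint8_t tag, size_t *clen)
{
    if (len < 2 || p[0] != tag)
        return 0;
    if (p[1] < 0x80) {
        *clen = p[1];
        return 2;
    }
    if (p[1] == 0x81) {
        if (len < 3 || p[2] < 0x80)    /* long form where the short form fits */
            return 0;
        *clen = p[2];
        return 3;
    }
    return 0;                           /* 0x80 is indefinite length; larger forms not needed */
}

/* One INTEGER of a DSA/ECDSA signature. r and s are positive, so a set high
 * bit (negative) is invalid, and a leading 0x00 is only allowed when it is
 * needed to keep the next byte from reading as a sign bit.
 * Returns the encoded size (tag + length + content) or 0 on any violation. */
static size_t strict_positive_integer(const uint8_t *p, size_t len)
{
    size_t clen, hdr = der_header(p, len, 0x02, &clen);
    if (hdr == 0 || clen == 0 || hdr + clen > len)
        return 0;
    const uint8_t *c = p + hdr;
    if (c[0] & 0x80)                                    /* negative */
        return 0;
    if (clen > 1 && c[0] == 0x00 && !(c[1] & 0x80))     /* superfluous leading zero */
        return 0;
    return hdr + clen;
}

/* Check 3. A DSA/ECDSA signature is SEQUENCE { INTEGER r, INTEGER s }.
 * Returns 1 only if sig[0..len) is exactly that in canonical DER: no
 * trailing garbage, no BER length forms, no negative or zero-padded values. */
int dsa_ecdsa_sig_is_strict_der(const uint8_t *sig, size_t len)
{
    size_t clen, hdr = der_header(sig, len, 0x30, &clen);
    if (hdr == 0 || hdr + clen != len)                  /* truncated or trailing bytes */
        return 0;
    size_t r = strict_positive_integer(sig + hdr, clen);
    if (r == 0)
        return 0;
    size_t s = strict_positive_integer(sig + hdr + r, clen - r);
    return s != 0 && r + s == clen;
}

/* Both checks on a DSA/ECDSA certificate's signatureValue BIT STRING
 * contents: the unused-bits byte, then the SEQUENCE that follows it. */
int ecdsa_cert_sig_value_ok(const uint8_t *bs, size_t len)
{
    return sig_bitstring_unused_bits_ok(bs, len)
        && dsa_ecdsa_sig_is_strict_der(bs + 1, len - 1);
}

/* Constructed samples; r and s are tiny so the bytes stay readable. */
const uint8_t SIG_OK[]         = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07};
const uint8_t SIG_HIGHBIT[]    = {0x30, 0x07, 0x02, 0x02, 0x00, 0x85, 0x02, 0x01, 0x07}; /* 00 needed */
const uint8_t SIG_TRAILING[]   = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07, 0x00};
const uint8_t SIG_NEGATIVE[]   = {0x30, 0x06, 0x02, 0x01, 0x85, 0x02, 0x01, 0x07};
const uint8_t SIG_ZEROPAD[]    = {0x30, 0x07, 0x02, 0x02, 0x00, 0x05, 0x02, 0x01, 0x07};
const uint8_t SIG_BER_LENGTH[] = {0x30, 0x81, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07};
const uint8_t BITSTR_OK[]      = {0x00, 0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07};
const uint8_t BITSTR_UNUSED[]  = {0x03, 0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07};

int main(void)
{
    printf("canonical:        %d\n", dsa_ecdsa_sig_is_strict_der(SIG_OK, sizeof SIG_OK));
    printf("trailing garbage: %d\n", dsa_ecdsa_sig_is_strict_der(SIG_TRAILING, sizeof SIG_TRAILING));
    printf("negative r:       %d\n", dsa_ecdsa_sig_is_strict_der(SIG_NEGATIVE, sizeof SIG_NEGATIVE));
    printf("zero-padded r:    %d\n", dsa_ecdsa_sig_is_strict_der(SIG_ZEROPAD, sizeof SIG_ZEROPAD));
    printf("BER length:       %d\n", dsa_ecdsa_sig_is_strict_der(SIG_BER_LENGTH, sizeof SIG_BER_LENGTH));
    printf("unused bits = 3:  %d\n", ecdsa_cert_sig_value_ok(BITSTR_UNUSED, sizeof BITSTR_UNUSED));
    return 0;
}
```

Each of the rejected samples carries the same (r, s) as SIG_OK and would verify under a lenient parser, which is exactly how the fingerprint of an otherwise valid certificate could be changed. After this check there is one byte sequence per (r, s), so a blacklist keyed on the fingerprint cannot be sidestepped by re-encoding the signature.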
  *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
     results on some platforms, including x86_64. This bug occurs at random
     with a very low probability, and is not known to be exploitable in any
     way, though its exact impact is difficult to determine. Thanks to Pieter
     Wuille (Blockstream) who reported this issue and also suggested an initial
     fix. Further analysis was conducted by the OpenSSL development team and
     Adam Langley of Google. The final fix was developed by Andy Polyakov of
     the OpenSSL core team.
     (CVE-2014-3570)
     [Andy Polyakov]

 Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
     integrity of that ticket is first verified. In the event of a session
     ticket integrity check failing, OpenSSL will fail to free memory
     causing a memory leak. By sending a large number of invalid session
     tickets an attacker could exploit this issue in a Denial Of Service
     attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers
     could accept and complete an SSL 3.0 handshake, and clients could be
     configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.
     Client applications doing fallback retries should call
     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

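The signalling suite on the wire, as an added example that is not OpenSSL code: the client side shows where SSL_MODE_SEND_FALLBACK_SCSV places the { 0x56, 0x00 } suite in a ClientHello, and the server side shows the RFC 7507 rule that turns it into an inappropriate_fallback (86) alert when the offered version is below the server's best. The function names, the constructed ClientHello (fixed "random" bytes, two ordinary suites, no extensions) and the version values used in main are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code: TLS_FALLBACK_SCSV (RFC 7507) on the wire.
 * Names and the constructed ClientHello below are assumptions of the example. */

#define TLS_FALLBACK_SCSV            0x5600u  /* { 0x56, 0x00 } in cipher_suites */
#define ALERT_INAPPROPRIATE_FALLBACK 86       /* fatal alert sent on a detected downgrade */

/* Client side: build a minimal ClientHello handshake message (type, 3-byte
 * length, version, 32-byte random, empty session id, cipher suites, null
 * compression). Returns the message size, or 0 if `cap` is too small. */
size_t build_client_hello(uint8_t *out, size_t cap, uint16_t version,
                          const uint16_t *suites, size_t nsuites, int send_fallback_scsv)
{
    size_t n = nsuites + (send_fallback_scsv ? 1 : 0);
    size_t body = 2 + 32 + 1 + 2 + 2 * n + 1 + 1;
    if (cap < 4 + body)
        return 0;
    uint8_t *p = out;
    *p++ = 0x01;                                   /* HandshakeType client_hello */
    *p++ = (uint8_t)(body >> 16); *p++ = (uint8_t)(body >> 8); *p++ = (uint8_t)body;
    *p++ = (uint8_t)(version >> 8); *p++ = (uint8_t)version;
    for (int i = 0; i < 32; i++)
        *p++ = 0x11;                               /* constructed "random", not a real nonce */
    *p++ = 0;                                      /* empty session_id */
    *p++ = (uint8_t)((2 * n) >> 8); *p++ = (uint8_t)(2 * n);
    for (size_t i = 0; i < nsuites; i++) {
        *p++ = (uint8_t)(suites[i] >> 8); *p++ = (uint8_t)suites[i];
    }
    if (send_fallback_scsv) {                      /* what SSL_MODE_SEND_FALLBACK_SCSV appends */
        *p++ = 0x56; *p++ = 0x00;
    }
    *p++ = 1; *p++ = 0;                            /* compression_methods: null only */
    return (size_t)(p - out);
}

/* Server side: read client_version and scan cipher_suites for the SCSV.
 * Returns 1 on success, 0 if the message is truncated or malformed. */
int parse_client_hello(const uint8_t *msg, size_t len, uint16_t *client_version, int *scsv_present)
{
    if (len < 4 || msg[0] != 0x01)
        return 0;
    size_t body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (body + 4 > len || body < 2 + 32 + 1)
        return 0;
    const uint8_t *p = msg + 4;
    *client_version = (uint16_t)((p[0] << 8) | p[1]);
    size_t pos = 34;
    size_t sid_len = p[pos++];
    if (sid_len > 32 || pos + sid_len + 2 > body)
        return 0;
    pos += sid_len;
    size_t cs_len = (size_t)((p[pos] << 8) | p[pos + 1]);
    pos += 2;
    if (cs_len < 2 || (cs_len & 1) || pos + cs_len > body)
        return 0;
    *scsv_present = 0;
    for (size_t i = 0; i < cs_len; i += 2)
        if ((uint16_t)((p[pos + i] << 8) | p[pos + i + 1]) == TLS_FALLBACK_SCSV)
            *scsv_present = 1;
    return 1;
}

/* RFC 7507 rule: SCSV present and client_version below the highest version
 * this server supports means something in the path forced the client down.
 * Returns the alert to send, or 0 to continue the handshake. */
int fallback_check(uint16_t client_version, uint16_t server_max_version, int scsv_present)
{
    if (scsv_present && client_version < server_max_version)
        return ALERT_INAPPROPRIATE_FALLBACK;
    return 0;
}

/* End to end: build a hello, parse it as the server would, apply the rule.
 * Returns the alert, 0 to proceed, or -1 if the hello failed to parse. */
int server_decision(uint16_t client_version, int send_scsv, uint16_t server_max)
{
    /* TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
    static const uint16_t suites[] = {0x002f, 0xc013};
    uint8_t hello[128];
    uint16_t ver;
    int scsv;
    size_t n = build_client_hello(hello, sizeof hello, client_version, suites, 2, send_scsv);
    if (n == 0 || !parse_client_hello(hello, n, &ver, &scsv))
        return -1;
    return fallback_check(ver, server_max, scsv);
}

int main(void)
{
    /* Version values: 0x0300 = SSL 3.0, 0x0303 = TLS 1.2 */
    printf("SSL 3.0 retry with SCSV -> TLS 1.2 server: alert %d\n", server_decision(0x0300, 1, 0x0303));
    printf("TLS 1.2 first try with SCSV -> TLS 1.2 server: alert %d\n", server_decision(0x0303, 1, 0x0303));
    printf("SSL 3.0 legacy client, no SCSV -> TLS 1.2 server: alert %d\n", server_decision(0x0300, 0, 0x0303));
    return 0;
}
```

Two cases must not trigger: a client whose first, un-retried hello already offers the server's best version (the SCSV is harmless there), and a legacy client that never sends the SCSV at all (it still gets its SSL 3.0 handshake). Only SCSV plus a lower version is evidence of a downgrade, which is why the entry tells only clients that actually perform fallback retries to set the mode.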
  *) Add additional DigestInfo checks.

     Reencode DigestInfo in DER and check against the original when
     verifying RSA signature: this will reject any improperly encoded
     DigestInfo structures.

     Note: this is a precautionary measure and no attacks are currently known.

     [Steve Henson]

 Changes between 0.9.8za and 0.9.8zb [6 Aug 2014]

  *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
     to a denial of service attack. A malicious server can crash the client
     with a null pointer dereference (read) by specifying an anonymous (EC)DH
     ciphersuite and sending carefully crafted handshake messages.
