OpenSSL CHANGES
_______________
+ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
+
+ *) Build fixes for the Windows and OpenVMS platforms
+ [Matt Caswell and Richard Levitte]
+
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+ *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+ message can cause a segmentation fault in OpenSSL due to a NULL pointer
+ dereference. This could lead to a Denial Of Service attack. Thanks to
+ Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+ (CVE-2014-3571)
+ [Steve Henson]
+
+ *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+ dtls1_buffer_record function under certain conditions. In particular this
+ could occur if an attacker sent repeated DTLS records with the same
+ sequence number but for the next epoch. The memory leak could be exploited
+ by an attacker in a Denial of Service attack through memory exhaustion.
+ Thanks to Chris Mueller for reporting this issue.
+ (CVE-2015-0206)
+ [Matt Caswell]
+
+ *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+ method would be set to NULL which could later result in a NULL pointer
+ dereference. Thanks to Frank Schmirler for reporting this issue.
+ (CVE-2014-3569)
+ [Kurt Roeckx]
+
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
+ *) Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ (CVE-2015-0204)
+ [Steve Henson]
+
+ *) Fixed issue where DH client certificates are accepted without verification.
+ An OpenSSL server will accept a DH certificate for client authentication
+ without the certificate verify message. This effectively allows a client to
+ authenticate without the use of a private key. This only affects servers
+ which trust a client certificate authority which issues certificates
+ containing DH keys: these are extremely rare and hardly ever encountered.
+ Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+ this issue.
+ (CVE-2015-0205)
+ [Steve Henson]
+
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
+ *) Fix various certificate fingerprint issues.
+
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
+
+ 1. Reject signatures with non zero unused bits.
+
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
+
+ 2. Check certificate algorithm consistency.
+
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
+
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+ 3. Check DSA/ECDSA signatures use DER.
+
+ Reencode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
+
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
+
+ (CVE-2014-8275)
+ [Steve Henson]
+
+ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ (CVE-2014-3570)
+ [Andy Polyakov]
+
+ *) Do not resume sessions on the server if the negotiated protocol
+ version does not match the session's version. Resuming with a different
+ version, while not strictly forbidden by the RFC, is of questionable
+ sanity and breaks all known clients.
+ [David Benjamin, Emilia Käsper]
+
+ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+ early CCS messages during renegotiation. (Note that because
+ renegotiation is encrypted, this early CCS was not exploitable.)
+ [Emilia Käsper]
+
+ *) Tighten client-side session ticket handling during renegotiation:
+ ensure that the client only accepts a session ticket if the server sends
+ the extension anew in the ServerHello. Previously, a TLS client would
+ reuse the old extension state and thus accept a session ticket if one was
+ announced in the initial ServerHello.
+
+ Similarly, ensure that the client requires a session ticket if one
+ was advertised in the ServerHello. Previously, a TLS client would
+ ignore a missing NewSessionTicket message.
+ [Emilia Käsper]
+
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
*) SRTP Memory Leak.
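Review bot: the typos in the CVE-2015-0204 and CVE-2015-0205 entries ("Thanks for Karthikeyan Bhargavan ... INRIA or reporting this issue") are upstream's CHANGES text and should stay as vendored rather than diverge from the 1.0.1l tarball. What this project does need to follow up from these entries: CVE-2015-0204 removes non-export ephemeral RSA entirely, so any use of SSL_OP_EPHEMERAL_RSA in the application is now dead code; CVE-2014-8275 adds stricter DER checks (non-zero unused bits in the signature BIT STRING, TBS/outer AlgorithmIdentifier mismatch, BER or non-minimal INTEGERs in DSA/ECDSA signatures) that the entry itself says will produce signature failures for some broken certificates, so a regression pass against any peer certificates the application is known to accept today is worthwhile before shipping; and the two non-CVE items on session resumption (no resumption when the negotiated version differs from the session's, and the client now requiring a NewSessionTicket when the ServerHello announced one) can change observable behaviour against odd servers, which is worth a line in the project's own release notes.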
int ASN1_TYPE_get(ASN1_TYPE *a);\r
void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);\r
int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);\r
-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b);\r
+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);\r
\r
ASN1_OBJECT * ASN1_OBJECT_new(void );\r
void ASN1_OBJECT_free(ASN1_OBJECT *a);\r
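Review bot: const-qualifying both ASN1_TYPE_cmp parameters is source- and ABI-compatible for C and C++ callers (a non-const pointer converts implicitly), so no call sites need to change; the only thing that could break is code storing the old non-const signature in a function pointer, which is unlikely in application code.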
#define ASN1_R_ILLEGAL_TIME_VALUE 184\r
#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185\r
#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128\r
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220\r
#define ASN1_R_INVALID_BMPSTRING_LENGTH 129\r
#define ASN1_R_INVALID_DIGIT 130\r
#define ASN1_R_INVALID_MIME_TYPE 205\r
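Review bot: ASN1_R_INVALID_BIT_STRING_BITS_LEFT (220) is the reason code raised by item 1 of the CVE-2014-8275 fix in CHANGES (rejecting a signature whose BIT STRING has non-zero unused bits). If the application maps OpenSSL reason codes or error strings to its own messages, it needs an entry for this new reason so the rejection does not surface as an unknown error. The value being out of sequence with its neighbours (184, 185, 128, 129) is expected: reason codes are allocated in creation order and the file is sorted by name, not by number.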
#define ASN1_R_TIME_NOT_ASCII_FORMAT 193\r
#define ASN1_R_TOO_LONG 155\r
#define ASN1_R_TYPE_NOT_CONSTRUCTED 156\r
+#define ASN1_R_TYPE_NOT_PRIMITIVE 218\r
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157\r
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158\r
#define ASN1_R_UNEXPECTED_EOC 159\r
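Review bot: ASN1_R_TYPE_NOT_PRIMITIVE (218) is likewise a new reason code that did not exist in 1.0.1j; any local table of OpenSSL error reasons should gain this entry alongside the other new ASN1_R_ values in this header.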
#define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout to\r
* adjust socket timeouts */\r
\r
+#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD 49\r
+\r
#ifndef OPENSSL_NO_SCTP\r
/* SCTP stuff */\r
#define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE 50\r
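Review bot: BIO_CTRL_DGRAM_GET_MTU_OVERHEAD takes 49, which sits between BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT (45) and the first SCTP ctrl (50), so there is no ctrl-number collision; it is also correctly placed outside the #ifndef OPENSSL_NO_SCTP block, since the MTU-overhead query applies to plain UDP datagram BIOs, not only SCTP.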
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)\r
#define BIO_dgram_set_peer(b,peer) \\r
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)\r
+#define BIO_dgram_get_mtu_overhead(b) \\r
+ (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL)\r
\r
/* These two aren't currently implemented */\r
/* int BIO_get_ex_num(BIO *bio); */\r
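Review bot: the (unsigned int) cast on the BIO_dgram_get_mtu_overhead result discards any negative error return from BIO_ctrl, so a BIO type that does not implement this ctrl would yield an enormous "overhead" rather than an error; callers must only use this macro on datagram BIOs and should treat a 0 result as "unknown" rather than "no overhead". On the plus side, the new macro parenthesises (b), which the neighbouring BIO_dgram_set_peer does not; both are upstream style, no action needed here.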
#define bn_wcheck_size(bn, words) \\r
do { \\r
const BIGNUM *_bnum2 = (bn); \\r
- assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \\r
+ assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top); \\r
+ /* avoid unused variable warning with NDEBUG */ \\r
+ (void)(_bnum2); \\r
} while(0)\r
\r
#else /* !BN_DEBUG */\r
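Review bot: parenthesising (words) in the assert fixes operator precedence when a caller passes an expression, and the (void)(_bnum2) silences the unused-variable warning once NDEBUG removes the assert body. This macro is only compiled under BN_DEBUG, so it has no effect on the release DLLs whose hashes are registered further down in this commit.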
#define DTLS1_SCTP_AUTH_LABEL "EXPORTER_DTLS_OVER_SCTP"\r
#endif\r
\r
+/* Max MTU overhead we know about so far is 40 for IPv6 + 8 for UDP */\r
+#define DTLS1_MAX_MTU_OVERHEAD 48\r
+\r
typedef struct dtls1_bitmap_st\r
{\r
unsigned long map; /* track 32 packets on 32-bit systems\r
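Review bot: DTLS1_MAX_MTU_OVERHEAD of 48 (40 for IPv6 plus 8 for UDP, per the comment) is the worst case the library knows about, but it does not account for IPv6 extension headers or any tunnel encapsulation on the path, so the new link-MTU accounting can still emit datagrams that exceed a real path MTU in those setups; the comment says "we know about so far", which is honest, but a caller-facing note to that effect next to DTLS_set_link_mtu in ssl.h would help. Also, the context line "unsigned long map; /* track 32 packets on 32-bit systems" is cut off in this view; the full file in the commit should be checked for the complete comment.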
/* Is set when listening for new connections with dtls1_listen() */\r
unsigned int listen;\r
\r
+ unsigned int link_mtu; /* max on-the-wire DTLS packet size */\r
unsigned int mtu; /* max DTLS packet size */\r
\r
struct hm_header_st w_msg_hdr;\r
unsigned int handshake_fragment_len;\r
\r
unsigned int retransmitting;\r
+ /*\r
+ * Set when the handshake is ready to process peer's ChangeCipherSpec message.\r
+ * Cleared after the message has been processed.\r
+ */\r
unsigned int change_cipher_spec_ok;\r
\r
#ifndef OPENSSL_NO_SCTP\r
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for\r
* major minor fix final patch/beta)\r
*/\r
-#define OPENSSL_VERSION_NUMBER 0x100010afL\r
+#define OPENSSL_VERSION_NUMBER 0x100010cfL\r
#ifdef OPENSSL_FIPS\r
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1j-fips 15 Oct 2014"\r
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1l-fips 15 Jan 2015"\r
#else\r
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1j 15 Oct 2014"\r
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1l 15 Jan 2015"\r
#endif\r
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT\r
\r
-/* ssl/tls1.h */\r
+/* ssl/srtp.h */\r
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)\r
* All rights reserved.\r
*\r
#ifndef HEADER_D1_SRTP_H\r
#define HEADER_D1_SRTP_H\r
\r
+#include <openssl/ssl.h>\r
+\r
#ifdef __cplusplus\r
extern "C" {\r
#endif\r
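Review bot: the added #include <openssl/ssl.h> makes srtp.h self-contained (its declarations use SSL and SSL_CTX types), and the header comment now names the right file instead of ssl/tls1.h; documentation and include hygiene only, no functional change.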
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L\r
/* If set, always create a new key when using tmp_dh parameters */\r
#define SSL_OP_SINGLE_DH_USE 0x00100000L\r
-/* Set to always use the tmp_rsa key when doing RSA operations,\r
- * even when this violates protocol specs */\r
-#define SSL_OP_EPHEMERAL_RSA 0x00200000L\r
+/* Does nothing: retained for compatibiity */\r
+#define SSL_OP_EPHEMERAL_RSA 0x0\r
/* Set on servers to choose the cipher according to the server's\r
* preferences */\r
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L\r
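Review bot: redefining SSL_OP_EPHEMERAL_RSA to 0x0 turns SSL_CTX_set_options(ctx, SSL_OP_EPHEMERAL_RSA) into a silent no-op and makes any "(options & SSL_OP_EPHEMERAL_RSA)" test constant-false, with no compiler diagnostic; please grep this project for the symbol and delete such uses rather than leave code that implies temporary RSA keys are still in play (the CHANGES entry for CVE-2015-0204 explains why the feature is gone). Bit 0x00200000L is now unused and nothing in this hunk reuses it. The misspelling "compatibiity" in the new comment is upstream's.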
#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L\r
#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L\r
/* Send TLS_FALLBACK_SCSV in the ClientHello.\r
- * To be set by applications that reconnect with a downgraded protocol\r
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */\r
+ * To be set only by applications that reconnect with a downgraded protocol\r
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.\r
+ *\r
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.\r
+ * Only use this in explicit fallback retries, following the guidance\r
+ * in draft-ietf-tls-downgrade-scsv-00.\r
+ */\r
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L\r
\r
/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,\r
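Review bot: the expanded comment is the operative point for a client: SSL_MODE_SEND_FALLBACK_SCSV must be set only on an explicit retry made with a deliberately lowered protocol version, never on the first connection attempt, because a server implementing draft-ietf-tls-downgrade-scsv-00 rejects the handshake when it supports a higher version than the one offered. If this application performs any version fallback (for example retrying with an older *_client_method after a failed handshake), audit where this mode is set and confirm it is not applied to the initial attempt.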
SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)\r
#define SSL_set_mtu(ssl, mtu) \\r
SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)\r
+#define DTLS_set_link_mtu(ssl, mtu) \\r
+ SSL_ctrl((ssl),DTLS_CTRL_SET_LINK_MTU,(mtu),NULL)\r
+#define DTLS_get_link_min_mtu(ssl) \\r
+ SSL_ctrl((ssl),DTLS_CTRL_GET_LINK_MIN_MTU,0,NULL)\r
\r
#define SSL_get_secure_renegotiation_support(ssl) \\r
SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)\r
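Review bot: DTLS_set_link_mtu(ssl, mtu) passes the value straight through SSL_ctrl, like SSL_set_mtu, so nothing at the macro layer stops a caller setting a value below what DTLS_get_link_min_mtu(ssl) returns; that validation has to live in the ctrl handler. The two setters are also easy to confuse: DTLS_set_link_mtu takes the on-the-wire size including IP/UDP headers (see DTLS1_MAX_MTU_OVERHEAD in dtls1.h), SSL_set_mtu the DTLS record size. A one-line comment on each macro, in the style of the link_mtu comment added to dtls1.h, would prevent callers from passing the wrong one.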
#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83\r
\r
#define SSL_CTRL_CHECK_PROTO_VERSION 119\r
+#define DTLS_CTRL_SET_LINK_MTU 120\r
+#define DTLS_CTRL_GET_LINK_MIN_MTU 121\r
\r
#define DTLSv1_get_timeout(ssl, arg) \\r
SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)\r
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */\r
#endif\r
\r
+#ifndef OPENSSL_NO_SSL3_METHOD\r
const SSL_METHOD *SSLv3_method(void); /* SSLv3 */\r
const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */\r
const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */\r
+#endif\r
\r
-const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */\r
-const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */\r
-const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */\r
+const SSL_METHOD *SSLv23_method(void); /* Negotiate highest available SSL/TLS version */\r
+const SSL_METHOD *SSLv23_server_method(void); /* Negotiate highest available SSL/TLS version */\r
+const SSL_METHOD *SSLv23_client_method(void); /* Negotiate highest available SSL/TLS version */\r
\r
const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */\r
const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */\r
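Review bot: wrapping SSLv3_method/SSLv3_server_method/SSLv3_client_method in #ifndef OPENSSL_NO_SSL3_METHOD means any direct call to them in this project stops compiling against a no-ssl3 build of the library. Either guard those call sites the same way or, better, use SSLv23_client_method (whose comment now correctly says it negotiates the highest available SSL/TLS version rather than "SSLv3 but can rollback to v2") together with SSL_OP_NO_SSLv3 to exclude SSLv3; that also keeps the project on the code path hardened by the CVE-2014-3569 fix in CHANGES. The SSLv23 comment rewrite itself is documentation only.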
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008\r
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010\r
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020\r
+/*\r
+ * Set when the handshake is ready to process peer's ChangeCipherSpec message.\r
+ * Cleared after the message has been processed.\r
+ */\r
#define SSL3_FLAGS_CCS_OK 0x0080\r
\r
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we\r
* and freed and MD_CTX-es for all required digests are stored in\r
* this array */\r
EVP_MD_CTX **handshake_dgst;\r
- /* this is set whenerver we see a change_cipher_spec message\r
- * come in when we are not looking for one */\r
+ /*\r
+ * Set whenever an expected ChangeCipherSpec message is processed.\r
+ * Unset when the peer's Finished message is received.\r
+ * Unexpected ChangeCipherSpec messages trigger a fatal alert.\r
+ */\r
int change_cipher_spec;\r
\r
int warn_alert;\r
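Review bot: the replacement comment finally matches what the field does (set when an expected ChangeCipherSpec is processed, cleared on the peer's Finished, unexpected CCS is a fatal alert) instead of the old, inverted description, and it is consistent with the "reject early CCS messages during renegotiation" entry in CHANGES and the identical text added to SSL3_FLAGS_CCS_OK in the previous hunk. Documentation only, no code change.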
void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,\r
X509_ALGOR *algor);\r
void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);\r
+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);\r
\r
X509_NAME *X509_NAME_dup(X509_NAME *xn);\r
X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);\r
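Review bot: X509_ALGOR_cmp is the helper behind item 2 of the CVE-2014-8275 fix (comparing the TBS AlgorithmIdentifier with the outer signature algorithm). It is a new exported symbol in libeay32.dll, so this is an ABI addition rather than a change, and nothing in the application has to call it; it takes const pointers, consistent with the X509_ALGOR_* declarations around it.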
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
+
+ o Build fixes for the Windows and OpenVMS platforms
+
+ Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+ o Fix for CVE-2014-3571
+ o Fix for CVE-2015-0206
+ o Fix for CVE-2014-3569
+ o Fix for CVE-2014-3572
+ o Fix for CVE-2015-0204
+ o Fix for CVE-2015-0205
+ o Fix for CVE-2014-8275
+ o Fix for CVE-2014-3570
+
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
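Review bot: the NEWS hunk lists the eight CVEs but none of the behavioural hardening from the same release that can affect this application (no session resumption across protocol versions, stricter client-side session ticket handling, SSL_OP_EPHEMERAL_RSA becoming a no-op, SSLv3 methods gated by OPENSSL_NO_SSL3_METHOD). NEWS is vendored verbatim so that is fine here, but those items belong in the project's own release notes for this upgrade.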
- OpenSSL 1.0.1j 15 Oct 2014
+ OpenSSL 1.0.1l 15 Jan 2015
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
#ifdef ENABLE_PROCESS_PROTECTION\r
// 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること\r
#if defined(_M_IX86)\r
- // ssleay32.dll 1.0.1j\r
- RegisterTrustedModuleSHA1Hash("\x57\x83\x70\x2D\x44\x8F\x1F\xB3\x83\xC2\xC1\x93\xB5\x92\xC8\x14\xFE\x2B\x31\x59");\r
- // libeay32.dll 1.0.1j\r
- RegisterTrustedModuleSHA1Hash("\x66\x15\x03\xCA\xFB\x5C\x08\x96\x4B\x80\x9A\x55\x14\xDB\x1F\x12\x4A\x9C\x53\x52");\r
+ // ssleay32.dll 1.0.1l\r
+ RegisterTrustedModuleSHA1Hash("\xC1\xBC\x62\xEA\xE8\xC5\x97\xC1\x3A\xD4\x58\x55\x14\x14\x35\x2E\xA0\x3A\xF2\x17");\r
+ // libeay32.dll 1.0.1l\r
+ RegisterTrustedModuleSHA1Hash("\x3B\x8D\xCB\x6F\xDC\x48\xDB\xFD\xEC\x78\x9B\xF8\xA7\x18\x24\x87\x18\x1D\x3A\xED");\r
#elif defined(_M_AMD64)\r
- // ssleay32.dll 1.0.1j\r
- RegisterTrustedModuleSHA1Hash("\x4C\xBD\xC5\x05\xB5\xB2\x48\xA8\xC2\x0B\xE4\xB3\x17\x02\x9C\x32\xE2\x84\x87\xA9");\r
- // libeay32.dll 1.0.1j\r
- RegisterTrustedModuleSHA1Hash("\xF7\x31\xBF\xF6\x2C\x51\xBA\x00\x38\x7E\x76\x2F\x8B\xB3\xF9\x52\x5D\xED\xA4\xE6");\r
+ // ssleay32.dll 1.0.1l\r
+ RegisterTrustedModuleSHA1Hash("\x8E\x0C\x3E\xEA\x5A\x30\xBD\xAF\xB5\x04\xAF\xD4\xB9\x6E\xE2\x16\x1B\x30\x49\x24");\r
+ // libeay32.dll 1.0.1l\r
+ RegisterTrustedModuleSHA1Hash("\x87\x8A\xC2\x2E\x34\x85\xAC\x89\xE9\x44\x30\xB1\xE9\x11\x8B\x46\x72\x19\xAD\x22");\r
#endif\r
#endif\r
g_hOpenSSL = LoadLibrary("ssleay32.dll");\r
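Review bot: the hash values cannot be reviewed from the diff; please record in the commit message or next to the comment how they were produced (which 1.0.1l build and compiler, and the command used to hash the shipped ssleay32.dll and libeay32.dll) so a reviewer can reproduce all four values before merge. The comment (Japanese, "change the SHA-1 hash values to match the bundled OpenSSL version") is followed for both the _M_IX86 and _M_AMD64 pairs, and as expected the x86 and x64 values differ. Two pre-existing design points visible here: the pin is a SHA-1 over the DLL image rather than a signature check, so it only detects a swapped file and has to be re-issued on every OpenSSL update, exactly as this commit does (the RegisterTrustedModuleSHA1Hash helper is SHA-1 only; if a SHA-256 variant is ever added, prefer it); and LoadLibrary("ssleay32.dll") uses an unqualified name, which is subject to DLL search-order hijacking, so the registered hashes must be enforced before any code from the loaded module runs. A short comment stating that ordering, and that the whole block is inert unless ENABLE_PROCESS_PROTECTION is defined, would help the next maintainer.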