OpenSSL CHANGES
_______________
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
+ *) A missing bounds check in the handling of the TLS heartbeat extension
+ can be used to reveal up to 64k of memory to a connected client or
+ server.
+
+ Thanks for Neel Mehta of Google Security for discovering this bug and to
+ Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+ preparing the fix (CVE-2014-0160)
+ [Adam Langley, Bodo Moeller]
+
+ *) Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ http://eprint.iacr.org/2014/140
+
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ [Yuval Yarom and Naomi Benger]
+
+ *) TLS pad extension: draft-agl-tls-padding-03
+
+ Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+ TLS client Hello record length value would otherwise be > 255 and
+ less that 512 pad with a dummy extension containing zeroes so it
+ is at least 512 bytes long.
+
+ [Adam Langley, Steve Henson]
+
Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
*) Fix for TLS record tampering bug. A carefully crafted invalid
acknowledging receipt then resend or mail it directly to one of the
more active team members (e.g. Steve).
+Note that bugs only present in the openssl utility are not in general
+considered to be security issues.
+
[PROG] ========================================================================
* Is OpenSSL thread-safe?
BIGNUM *BN_mod_sqrt(BIGNUM *ret,\r
const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);\r
\r
+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);\r
+\r
/* Deprecated versions */\r
#ifndef OPENSSL_NO_DEPRECATED\r
BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,\r
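Review bot: The new `BN_consttime_swap` prototype is added to the public header with no comment describing its contract, unlike the surrounding declarations which at least group under headings; callers cannot tell from this line whether `swap` is a 0/1 flag or a word-wide mask, or how `nwords` relates to the operands' allocated size. The `bn_wcheck_size` debug macro introduced in bn_lcl.h in this same commit asserts `words <= dmax && words >= top`, which suggests both `a` and `b` must have at least `nwords` words allocated and that `nwords` must cover every word in use — confirm against the implementation, which is outside this diff. I would add, above the prototype, `/* Swap a and b in constant time when swap is nonzero (pass 0 or 1 only; see bn_lib.c). Both must have at least nwords words allocated. */`, adjusting the accepted range of `swap` to whatever the implementation actually checks.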
\r
#define bn_fix_top(a) bn_check_top(a)\r
\r
+#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)\r
+#define bn_wcheck_size(bn, words) \\r
+ do { \\r
+ const BIGNUM *_bnum2 = (bn); \\r
+ assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \\r
+ } while(0)\r
+\r
#else /* !BN_DEBUG */\r
\r
#define bn_pollute(a)\r
#define bn_check_top(a)\r
#define bn_fix_top(a) bn_correct_top(a)\r
+#define bn_check_size(bn, bits)\r
+#define bn_wcheck_size(bn, words)\r
\r
#endif\r
\r
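Review bot: The two new debug macros do not parenthesize or bind their arguments: `bn_check_size` expands `bits` unparenthesized inside `bits+BN_BITS2-1`, and `bn_wcheck_size` evaluates `words` twice inside the `assert`, so an argument with side effects or an operator of lower precedence than `+` would be miscomputed or double-evaluated. Since these are only active under `BN_DEBUG`, the practical risk is a debug build that checks a different bound than the release build computes, which is exactly the situation a constant-time helper's size assertions are meant to catch. I would change the first to `#define bn_check_size(bn, bits) bn_wcheck_size(bn, (((bits)+BN_BITS2-1)/BN_BITS2))` and, in the second, bind the count once alongside `_bnum2` — `int _words2 = (words);` — and assert on `_words2` instead of `words`. The `#else` branch's empty definitions need no change.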
#include <stdio.h>\r
#include <ctype.h>\r
#include <krb5.h>\r
+#ifdef OPENSSL_SYS_WIN32\r
+/* These can sometimes get redefined indirectly by krb5 header files\r
+ * after they get undefed in ossl_typ.h\r
+ */\r
+#undef X509_NAME\r
+#undef X509_EXTENSIONS\r
+#undef OCSP_REQUEST\r
+#undef OCSP_RESPONSE\r
+#endif\r
\r
#ifdef __cplusplus\r
extern "C" {\r
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for\r
* major minor fix final patch/beta)\r
*/\r
-#define OPENSSL_VERSION_NUMBER 0x1000106fL\r
+#define OPENSSL_VERSION_NUMBER 0x1000107fL\r
#ifdef OPENSSL_FIPS\r
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1f-fips 6 Jan 2014"\r
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014"\r
#else\r
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1f 6 Jan 2014"\r
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014"\r
#endif\r
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT\r
\r
*/\r
unsigned int max_send_fragment;\r
\r
-#ifndef OPENSSL_ENGINE\r
+#ifndef OPENSSL_NO_ENGINE\r
/* Engine to pass requests for client certs to\r
*/\r
ENGINE *client_cert_engine;\r
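Review bot: Correcting the guard from `OPENSSL_ENGINE` to `OPENSSL_NO_ENGINE` changes which builds contain the `client_cert_engine` member, not merely the spelling of a macro: under the old guard the field was presumably always present (nothing would define `OPENSSL_ENGINE`), whereas now it disappears from the enclosing struct whenever `OPENSSL_NO_ENGINE` is set. That struct begins and ends outside this hunk, so the effect is a layout/ABI change for no-engine builds, and every other reference to `client_cert_engine` in the tree must sit under the same `#ifndef OPENSSL_NO_ENGINE` or it will no longer compile in those configurations. I would have the CHANGES entry for this release mention the layout change explicitly, and a one-line comment here such as `/* Present only when ENGINE support is compiled in; affects struct layout. */` would save the next reader the same investigation.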
#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb\r
#undef SSL_CTX_set_next_proto_select_cb\r
#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb\r
+#undef ssl3_cbc_record_digest_supported\r
+#define ssl3_cbc_record_digest_supported ssl3_cbc_record_digest_support\r
+#undef ssl_check_clienthello_tlsext_late\r
+#define ssl_check_clienthello_tlsext_late ssl_check_clihello_tlsext_late\r
+#undef ssl_check_clienthello_tlsext_early\r
+#define ssl_check_clienthello_tlsext_early ssl_check_clihello_tlsext_early\r
\r
/* Hack some long ENGINE names */\r
#undef ENGINE_get_default_BN_mod_exp_crt\r
/* ExtensionType value from RFC5620 */\r
#define TLSEXT_TYPE_heartbeat 15\r
\r
+/* ExtensionType value for TLS padding extension.\r
+ * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml\r
+ * http://tools.ietf.org/html/draft-agl-tls-padding-03\r
+ */\r
+#define TLSEXT_TYPE_padding 21\r
+\r
/* ExtensionType value from RFC4507 */\r
#define TLSEXT_TYPE_session_ticket 35\r
\r
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
+
+ o Fix for CVE-2014-0160
+ o Add TLS padding extension workaround for broken servers.
+ o Fix for CVE-2014-0076
+
Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
+ o Don't include gmt_unix_time in TLS server and client random values
o Fix for TLS record tampering bug CVE-2013-4353
o Fix for TLS version checking bug CVE-2013-6449
o Fix for DTLS retransmission bug CVE-2013-6450
- OpenSSL 1.0.1f 6 Jan 2014
+ OpenSSL 1.0.1g 7 Apr 2014
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
return FALSE;\r
#ifdef ENABLE_PROCESS_PROTECTION\r
// 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること\r
- // ssleay32.dll 1.0.1f\r
- RegisterTrustedModuleSHA1Hash("\x16\xFA\xD2\x39\x74\x27\xE4\x07\xCB\xF5\x1A\xF1\xC3\xCD\x1C\xBB\xFC\xD0\xFC\x40");\r
- // libeay32.dll 1.0.1f\r
- RegisterTrustedModuleSHA1Hash("\xA6\x2D\x10\xF8\x2A\xB9\xEF\x95\xC3\xF7\x0B\xE0\xD1\xCB\x1C\x9B\x0A\x99\x42\x1F");\r
+ // ssleay32.dll 1.0.1g\r
+ RegisterTrustedModuleSHA1Hash("\xCB\xBA\x62\x61\x3C\x44\x1E\x94\xD2\xF4\xAD\xD5\x03\x43\x6F\x26\xD2\xAF\x2F\x21");\r
+ // libeay32.dll 1.0.1g\r
+ RegisterTrustedModuleSHA1Hash("\x4E\x53\x29\xC4\x32\x1B\x17\xA5\x4D\x40\xDF\x6F\xF6\xD2\x53\x7E\xBC\x54\x69\x1B");\r
#endif\r
g_hOpenSSL = LoadLibrary("ssleay32.dll");\r
// バージョン固定のためlibssl32.dllの読み込みは脆弱性の原因になり得るので廃止\r
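Review bot: The two replacement `RegisterTrustedModuleSHA1Hash` literals carry no record of how they were produced, so a future maintainer bumping OpenSSL again (which the preceding comment explicitly asks them to do) cannot reproduce or verify them — the comment names only the DLL and version, not the tool, the input file's origin, or whether the hash covers the on-disk image. I would extend the per-DLL comments to something like `// ssleay32.dll 1.0.1g — SHA-1 of the bundled DLL as shipped; regenerate with <TOOL/COMMAND PLACEHOLDER> after updating OpenSSL`, filling in the command the project actually uses. If the project keeps the bundled binaries under version control, naming the path or revision they were taken from would make the pin auditable without trusting the literal alone.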