Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssl/dist OpenSSL CHANGES
details: https://anonhg.NetBSD.org/src/rev/75273cf6ec7f
branches: trunk
changeset: 329711:75273cf6ec7f
user: christos <christos%NetBSD.org@localhost>
date: Thu Jun 05 14:25:44 2014 +0000
description:
OpenSSL CHANGES
_______________
Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue. (CVE-2014-0224)
[KIKUCHI Masashi, Steve Henson]
*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(CVE-2014-0221)
[Imre Rad, Steve Henson]
*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
[Jüri Aedla, Steve Henson]
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
[Felix Gröbert, Ivan Fratric, Steve Henson]
*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha <mancha1%zoho.com@localhost>]
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey.
[mancha <mancha1%zoho.com@localhost>]
*) Fix some double frees. These are not thought to be exploitable.
[mancha <mancha1%zoho.com@localhost>]
diffstat:
crypto/external/bsd/openssl/dist/ACKNOWLEDGMENTS | 9 +-
crypto/external/bsd/openssl/dist/CHANGES | 44 +
crypto/external/bsd/openssl/dist/Makefile | 2 +-
crypto/external/bsd/openssl/dist/NEWS | 8 +
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/enc.c | 6 +
crypto/external/bsd/openssl/dist/apps/req.c | 15 +-
crypto/external/bsd/openssl/dist/apps/s_cb.c | 4 +
crypto/external/bsd/openssl/dist/apps/s_socket.c | 5 +-
crypto/external/bsd/openssl/dist/apps/smime.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/asn1/a_strnid.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c | 2 +
crypto/external/bsd/openssl/dist/crypto/cms/cms_sd.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/dso/dso_vms.c | 16 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c | 1 +
crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c | 7 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c | 1 +
crypto/external/bsd/openssl/dist/crypto/evp/encode.c | 1 +
crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_crt.c | 8 +
crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_kiss.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/pkcs7/pk7_doit.c | 6 +
crypto/external/bsd/openssl/dist/crypto/pkcs7/pkcs7.h | 1 +
crypto/external/bsd/openssl/dist/crypto/pkcs7/pkcs7err.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/srp/srp_vfy.c | 3 +
crypto/external/bsd/openssl/dist/crypto/ts/ts_rsp_verify.c | 1 +
crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c | 6 +-
crypto/external/bsd/openssl/dist/doc/apps/cms.pod | 27 +-
crypto/external/bsd/openssl/dist/doc/apps/enc.pod | 4 +
crypto/external/bsd/openssl/dist/doc/apps/s_server.pod | 6 +
crypto/external/bsd/openssl/dist/doc/apps/smime.pod | 14 +-
crypto/external/bsd/openssl/dist/doc/apps/verify.pod | 9 +-
crypto/external/bsd/openssl/dist/doc/apps/version.pod | 3 +-
crypto/external/bsd/openssl/dist/doc/apps/x509v3_config.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/crypto/CMS_decrypt.pod | 16 +-
crypto/external/bsd/openssl/dist/doc/crypto/CONF_modules_free.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/crypto/CONF_modules_load_file.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/crypto/OPENSSL_config.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/crypto/X509_NAME_ENTRY_get_object.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/fingerprints.txt | 7 +
crypto/external/bsd/openssl/dist/doc/ssl/SSL_COMP_add_compression_method.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_add_session.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_load_verify_locations.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_msg_callback.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_options.pod | 6 +
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_session_id_context.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_ssl_version.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_clear.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_connect.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_get_peer_cert_chain.pod | 8 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_read.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_session_reused.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_set_fd.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_set_session.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_write.pod | 2 +-
crypto/external/bsd/openssl/dist/engines/ccgost/gost_ameth.c | 2 +-
crypto/external/bsd/openssl/dist/openssl.spec | 2 +-
crypto/external/bsd/openssl/dist/ssl/Makefile | 2 +-
crypto/external/bsd/openssl/dist/ssl/d1_both.c | 15 +-
crypto/external/bsd/openssl/dist/ssl/d1_lib.c | 9 +-
crypto/external/bsd/openssl/dist/ssl/heartbeat_test.c | 465 ++++++++++
crypto/external/bsd/openssl/dist/ssl/ssl-lib.com | 14 +-
crypto/external/bsd/openssl/dist/ssl/ssl_asn1.c | 4 +
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 4 +
crypto/external/bsd/openssl/dist/test/Makefile | 40 +-
69 files changed, 802 insertions(+), 98 deletions(-)
diffs (truncated from 1932 to 300 lines):
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/ACKNOWLEDGMENTS
--- a/crypto/external/bsd/openssl/dist/ACKNOWLEDGMENTS Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/ACKNOWLEDGMENTS Thu Jun 05 14:25:44 2014 +0000
@@ -10,13 +10,18 @@
We would like to identify and thank the following such sponsors for their past
or current significant support of the OpenSSL project:
+Major support:
+
+ Qualys http://www.qualys.com/
+
Very significant support:
- OpenGear: www.opengear.com
+ OpenGear: http://www.opengear.com/
Significant support:
- PSW Group: www.psw.net
+ PSW Group: http://www.psw.net/
+ Acano Ltd. http://acano.com/
Please note that we ask permission to identify sponsors and that some sponsors
we consider eligible for inclusion here have requested to remain anonymous.
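Review bot: The two new sponsor lines, `Qualys http://www.qualys.com/` and `Acano Ltd. http://acano.com/`, omit the colon after the name that the `OpenGear:` and `PSW Group:` entries keep. Use one form for all four entries so the list stays uniform.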
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Thu Jun 05 14:25:44 2014 +0000
@@ -2,6 +2,50 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+ *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
+
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. (CVE-2014-0224)
+ [KIKUCHI Masashi, Steve Henson]
+
+ *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
+
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ (CVE-2014-0221)
+ [Imre Rad, Steve Henson]
+
+ *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
+
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
+
+ *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
+
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. (CVE-2014-3470)
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+ *) Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
+ [mancha <mancha1%zoho.com@localhost>]
+
+ *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey.
+ [mancha <mancha1%zoho.com@localhost>]
+
+ *) Fix some double frees. These are not thought to be exploitable.
+ [mancha <mancha1%zoho.com@localhost>]
+
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
*) A missing bounds check in the handling of the TLS heartbeat extension
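Review bot: The CVE-2014-3470 entry reads "where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack", which drops a word; "clients that enable" would parse. The "Harmonize version and its documentation" entry would also be easier to follow if it wrote the command as `openssl version`, so that the `-f flag` sentence has an obvious subject.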
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Thu Jun 05 14:25:44 2014 +0000
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1g
+VERSION=1.0.1h
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Thu Jun 05 14:25:44 2014 +0000
@@ -5,6 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
+
+ o Fix for CVE-2014-0224
+ o Fix for CVE-2014-0221
+ o Fix for CVE-2014-0195
+ o Fix for CVE-2014-3470
+ o Fix for CVE-2010-5298
+
Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
o Fix for CVE-2014-0160
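Review bot: `Fix for CVE-2010-5298` is listed here, but none of the 1.0.1h entries added to CHANGES in this same commit cites CVE-2010-5298. Add the matching CHANGES entry, or drop the line if that fix is not part of this release, so the two files agree.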
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/README Thu Jun 05 14:25:44 2014 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1g 7 Apr 2014
+ OpenSSL 1.0.1h 5 Jun 2014
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/apps/enc.c
--- a/crypto/external/bsd/openssl/dist/apps/enc.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/enc.c Thu Jun 05 14:25:44 2014 +0000
@@ -331,6 +331,12 @@
setup_engine(bio_err, engine, 0);
#endif
+ if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ {
+ BIO_printf(bio_err, "AEAD ciphers not supported by the enc utility\n");
+ goto end;
+ }
+
if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
{
BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
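Review bot: The new condition `cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER` depends on `&` binding tighter than `&&`. It evaluates as intended, but parenthesising the flag test as `(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)` makes that explicit. The added branch also does not set a return value before `goto end`, so confirm that this path exits with a failing status.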
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/apps/req.c
--- a/crypto/external/bsd/openssl/dist/apps/req.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/req.c Thu Jun 05 14:25:44 2014 +0000
@@ -1489,7 +1489,13 @@
#ifdef CHARSET_EBCDIC
ebcdic2ascii(buf, buf, i);
#endif
- if(!req_check_len(i, n_min, n_max)) goto start;
+ if(!req_check_len(i, n_min, n_max))
+ {
+ if (batch || value)
+ return 0;
+ goto start;
+ }
+
if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
(unsigned char *) buf, -1,-1,mval)) goto err;
ret=1;
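Review bot: The new `return 0;` in the `batch || value` branch leaves the function directly, while the failure path two lines below uses `goto err`. If `err` does any cleanup or error reporting, route this exit through it as well, and add a short comment on why these two modes must not loop back to `start`.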
@@ -1548,7 +1554,12 @@
#ifdef CHARSET_EBCDIC
ebcdic2ascii(buf, buf, i);
#endif
- if(!req_check_len(i, n_min, n_max)) goto start;
+ if(!req_check_len(i, n_min, n_max))
+ {
+ if (batch || value)
+ return 0;
+ goto start;
+ }
if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
(unsigned char *)buf, -1)) {
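Review bot: This block is a line-for-line copy of the one added in the previous hunk. A small shared helper for the `req_check_len` failure case would keep the two call sites from drifting apart. This copy also has no blank line after the closing brace, while the first one does.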
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/apps/s_cb.c
--- a/crypto/external/bsd/openssl/dist/apps/s_cb.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_cb.c Thu Jun 05 14:25:44 2014 +0000
@@ -747,6 +747,10 @@
break;
#endif
+ case TLSEXT_TYPE_padding:
+ extname = "TLS padding";
+ break;
+
default:
extname = "unknown";
break;
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/apps/s_socket.c
--- a/crypto/external/bsd/openssl/dist/apps/s_socket.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_socket.c Thu Jun 05 14:25:44 2014 +0000
@@ -274,7 +274,7 @@
{
i=0;
i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
- if (i < 0) { perror("keepalive"); return(0); }
+ if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
}
#endif
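Review bot: In `closesocket(s); perror("keepalive");` the socket is closed before `perror` reads `errno`, so a failing close can overwrite the `setsockopt` error being reported. Call `perror("keepalive")` first and then `closesocket(s)`, which is the order the next hunk uses for the `OPENSSL_malloc` failure.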
@@ -450,6 +450,7 @@
if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
{
perror("OPENSSL_malloc");
+ closesocket(ret);
return(0);
}
BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
@@ -458,11 +459,13 @@
if (h2 == NULL)
{
BIO_printf(bio_err,"gethostbyname failure\n");
+ closesocket(ret);
return(0);
}
if (h2->h_addrtype != AF_INET)
{
BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+ closesocket(ret);
return(0);
}
}
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/apps/smime.c
--- a/crypto/external/bsd/openssl/dist/apps/smime.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/smime.c Thu Jun 05 14:25:44 2014 +0000
@@ -541,8 +541,8 @@
{
if (!cipher)
{
-#ifndef OPENSSL_NO_RC2
- cipher = EVP_rc2_40_cbc();
+#ifndef OPENSSL_NO_DES
+ cipher = EVP_des_ede3_cbc();
#else
BIO_printf(bio_err, "No cipher selected\n");
goto end;
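Review bot: Changing the fallback from `EVP_rc2_40_cbc()` to `EVP_des_ede3_cbc()` changes the cipher users get when none is selected, but the 1.0.1h CHANGES entries in this commit do not mention it. Add a CHANGES line for the new default, and note there that builds with `OPENSSL_NO_DES` defined now reach the "No cipher selected" error even when RC2 is compiled in.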
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/crypto/asn1/a_strnid.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_strnid.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_strnid.c Thu Jun 05 14:25:44 2014 +0000
@@ -74,7 +74,7 @@
* certain software (e.g. Netscape) has problems with them.
*/
-static unsigned long global_mask = 0xFFFFFFFFL;
+static unsigned long global_mask = B_ASN1_UTF8STRING;
void ASN1_STRING_set_default_mask(unsigned long mask)
{
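Review bot: `global_mask` now defaults to `B_ASN1_UTF8STRING` instead of `0xFFFFFFFFL`, yet the comment that ends just above it is untouched by this hunk. Update that comment to describe the new default, and record the change in CHANGES, since every caller that never invokes `ASN1_STRING_set_default_mask` picks up the new mask.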
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c
--- a/crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c Thu Jun 05 14:25:44 2014 +0000
@@ -1333,7 +1333,7 @@
bio_dgram_sctp_data *data = NULL;
socklen_t sockopt_len = 0;
struct sctp_authkeyid authkeyid;
- struct sctp_authkey *authkey;
+ struct sctp_authkey *authkey = NULL;
data = (bio_dgram_sctp_data *)b->ptr;
@@ -1388,6 +1388,11 @@
/* Add new key */
sockopt_len = sizeof(struct sctp_authkey) + 64 * sizeof(uint8_t);
authkey = OPENSSL_malloc(sockopt_len);
+ if (authkey == NULL)
+ {
+ ret = -1;
+ break;
+ }
memset(authkey, 0x00, sockopt_len);
authkey->sca_keynumber = authkeyid.scact_keynumber + 1;
#ifndef __FreeBSD__
@@ -1399,6 +1404,8 @@
memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t));
ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_KEY, authkey, sockopt_len);
+ OPENSSL_free(authkey);
+ authkey = NULL;
if (ret < 0) break;
/* Reset active key */
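Review bot: `OPENSSL_free(authkey)` releases the buffer that `memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t))` has just filled with key material, without clearing it first. Call `OPENSSL_cleanse(authkey, sockopt_len)` before the free so the SCTP auth key does not linger in freed heap memory.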
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c
--- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c Thu Jun 05 14:25:44 2014 +0000
@@ -185,6 +185,8 @@
if (flags & CMS_USE_KEYID)
{
ktri->version = 2;
+ if (env->version < 2)
+ env->version = 2;
type = CMS_RECIPINFO_KEYIDENTIFIER;
}
else
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/crypto/cms/cms_sd.c
--- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_sd.c Thu Jun 05 13:14:23 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_sd.c Thu Jun 05 14:25:44 2014 +0000
@@ -158,8 +158,8 @@
if (sd->version < 3)
sd->version = 3;
}
- else
- sd->version = 1;
+ else if (si->version < 1)
+ si->version = 1;
}
if (sd->version < 1)
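Review bot: The replacement for `else sd->version = 1;` does two things at once: it adds the `< 1` guard and it switches the assignment target from `sd` to `si`. The context lines shown here only touch `sd->version`, so state in a comment that the `else` branch is meant to set `si->version`, and confirm that `sd->version` is still raised by the `if (sd->version < 1)` check that follows.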
diff -r 0150ddbb1431 -r 75273cf6ec7f crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c