Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssl/dist merge OpenSSL 1.0.1k import
details: https://anonhg.NetBSD.org/src/rev/465385180ec7
branches: trunk
changeset: 335548:465385180ec7
user: spz <spz%NetBSD.org@localhost>
date: Tue Jan 13 08:16:08 2015 +0000
description:
merge OpenSSL 1.0.1k import
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 130 +
crypto/external/bsd/openssl/dist/Configure | 5 +
crypto/external/bsd/openssl/dist/Makefile | 2 +-
crypto/external/bsd/openssl/dist/NEWS | 11 +
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/ca.c | 2 +-
crypto/external/bsd/openssl/dist/apps/ocsp.c | 98 +-
crypto/external/bsd/openssl/dist/apps/s_client.c | 22 +-
crypto/external/bsd/openssl/dist/apps/s_server.c | 22 +-
crypto/external/bsd/openssl/dist/apps/s_time.c | 6 -
crypto/external/bsd/openssl/dist/apps/speed.c | 23 +-
crypto/external/bsd/openssl/dist/crypto/LPdir_win.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/Makefile | 7 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/mips3.s | 2201 ----------
crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c | 34 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn.h | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/bntest.c | 178 +-
crypto/external/bsd/openssl/dist/crypto/cversion.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/ec/ectest.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/evp/Makefile | 2 +-
crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c | 58 +-
crypto/external/bsd/openssl/dist/crypto/md32_common.h | 6 +-
crypto/external/bsd/openssl/dist/crypto/mem.c | 12 +-
crypto/external/bsd/openssl/dist/crypto/opensslv.h | 6 +-
crypto/external/bsd/openssl/dist/doc/apps/dgst.pod | 11 +
crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod | 2 +-
crypto/external/bsd/openssl/dist/e_os.h | 27 +-
crypto/external/bsd/openssl/dist/engines/e_padlock.c | 2 +
crypto/external/bsd/openssl/dist/makevms.com | 7 +-
crypto/external/bsd/openssl/dist/openssl.spec | 2 +-
crypto/external/bsd/openssl/dist/ssl/d1_both.c | 168 +-
crypto/external/bsd/openssl/dist/ssl/d1_enc.c | 3 +-
crypto/external/bsd/openssl/dist/ssl/d1_lib.c | 38 +-
crypto/external/bsd/openssl/dist/ssl/d1_pkt.c | 37 +-
crypto/external/bsd/openssl/dist/ssl/d1_srvr.c | 53 +-
crypto/external/bsd/openssl/dist/ssl/dtls1.h | 8 +
crypto/external/bsd/openssl/dist/ssl/s23_srvr.c | 7 +-
crypto/external/bsd/openssl/dist/ssl/s3_clnt.c | 131 +-
crypto/external/bsd/openssl/dist/ssl/s3_enc.c | 3 +-
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 16 +-
crypto/external/bsd/openssl/dist/ssl/s3_pkt.c | 5 +-
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c | 143 +-
crypto/external/bsd/openssl/dist/ssl/srtp.h | 4 +-
crypto/external/bsd/openssl/dist/ssl/ssl.h | 28 +-
crypto/external/bsd/openssl/dist/ssl/ssl3.h | 13 +-
crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c | 12 +-
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 46 +-
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h | 7 +-
crypto/external/bsd/openssl/dist/ssl/ssltest.c | 77 +-
crypto/external/bsd/openssl/dist/ssl/t1_enc.c | 70 +-
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 38 +-
crypto/external/bsd/openssl/dist/util/mk1mf.pl | 16 +-
crypto/external/bsd/openssl/dist/util/mkdef.pl | 6 +-
crypto/external/bsd/openssl/dist/util/ssleay.num | 6 +-
55 files changed, 1061 insertions(+), 2770 deletions(-)
diffs (truncated from 5621 to 300 lines):
diff -r 3b4d110e0937 -r 465385180ec7 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Tue Jan 13 07:59:08 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Tue Jan 13 08:16:08 2015 +0000
@@ -2,6 +2,136 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+ *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+ message can cause a segmentation fault in OpenSSL due to a NULL pointer
+ dereference. This could lead to a Denial Of Service attack. Thanks to
+ Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+ (CVE-2014-3571)
+ [Steve Henson]
+
+ *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+ dtls1_buffer_record function under certain conditions. In particular this
+ could occur if an attacker sent repeated DTLS records with the same
+ sequence number but for the next epoch. The memory leak could be exploited
+ by an attacker in a Denial of Service attack through memory exhaustion.
+ Thanks to Chris Mueller for reporting this issue.
+ (CVE-2015-0206)
+ [Matt Caswell]
+
+ *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+ method would be set to NULL which could later result in a NULL pointer
+ dereference. Thanks to Frank Schmirler for reporting this issue.
+ (CVE-2014-3569)
+ [Kurt Roeckx]
+
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
+ *) Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ (CVE-2015-0204)
+ [Steve Henson]
+
+ *) Fixed issue where DH client certificates are accepted without verification.
+ An OpenSSL server will accept a DH certificate for client authentication
+ without the certificate verify message. This effectively allows a client to
+ authenticate without the use of a private key. This only affects servers
+ which trust a client certificate authority which issues certificates
+ containing DH keys: these are extremely rare and hardly ever encountered.
+ Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+ this issue.
+ (CVE-2015-0205)
+ [Steve Henson]
+
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
+ *) Fix various certificate fingerprint issues.
+
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
+
+ 1. Reject signatures with non zero unused bits.
+
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
+
+ 2. Check certificate algorithm consistency.
+
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
+
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+ 3. Check DSA/ECDSA signatures use DER.
+
+ Reencode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
+
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
+
+ (CVE-2014-8275)
+ [Steve Henson]
+
+ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ (CVE-2014-3570)
+ [Andy Polyakov]
+
+ *) Do not resume sessions on the server if the negotiated protocol
+ version does not match the session's version. Resuming with a different
+ version, while not strictly forbidden by the RFC, is of questionable
+ sanity and breaks all known clients.
+ [David Benjamin, Emilia Käsper]
+
+ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+ early CCS messages during renegotiation. (Note that because
+ renegotiation is encrypted, this early CCS was not exploitable.)
+ [Emilia Käsper]
+
+ *) Tighten client-side session ticket handling during renegotiation:
+ ensure that the client only accepts a session ticket if the server sends
+ the extension anew in the ServerHello. Previously, a TLS client would
+ reuse the old extension state and thus accept a session ticket if one was
+ announced in the initial ServerHello.
+
+ Similarly, ensure that the client requires a session ticket if one
+ was advertised in the ServerHello. Previously, a TLS client would
+ ignore a missing NewSessionTicket message.
+ [Emilia Käsper]
+
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
*) SRTP Memory Leak.
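Review bot: the credit lines in the CVE-2015-0204 and CVE-2015-0205 entries read "Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting this issue", while the CVE-2014-3572 entry just above them has the intended "Thanks to ... for reporting this issue". As this is imported vendor text, the correction belongs upstream rather than in a local edit. Separately, the CVE-2014-3572 entry is the only CVE entry in this block that does not say what an omitted server key exchange message allows. The CVE-2014-8275 entry also warns that the algorithm consistency check "will result in signature failure errors for some broken certificates"; that is a behaviour change the one-line commit description does not mention, and it deserves a line there for anyone tracking regressions after the update.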
diff -r 3b4d110e0937 -r 465385180ec7 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Tue Jan 13 07:59:08 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Tue Jan 13 08:16:08 2015 +0000
@@ -804,6 +804,11 @@
{
$disabled{"tls1"} = "option(tls)"
}
+ elsif ($1 eq "ssl3-method")
+ {
+ $disabled{"ssl3-method"} = "option(ssl)";
+ $disabled{"ssl3"} = "option(ssl)";
+ }
else
{
$disabled{$1} = "option";
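Review bot: the new elsif ($1 eq "ssl3-method") branch sets both $disabled{"ssl3-method"} and $disabled{"ssl3"} with no comment saying that disabling the SSLv3 method is meant to imply disabling SSLv3 as a whole. A one-line comment stating that dependency would help the next reader. The option is also not described in the CHANGES text visible in this diff, so its documentation should be checked in the truncated part of the import.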
diff -r 3b4d110e0937 -r 465385180ec7 crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Tue Jan 13 07:59:08 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Tue Jan 13 08:16:08 2015 +0000
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1j
+VERSION=1.0.1k
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
diff -r 3b4d110e0937 -r 465385180ec7 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Tue Jan 13 07:59:08 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Tue Jan 13 08:16:08 2015 +0000
@@ -5,6 +5,17 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+ o Fix for CVE-2014-3571
+ o Fix for CVE-2015-0206
+ o Fix for CVE-2014-3569
+ o Fix for CVE-2014-3572
+ o Fix for CVE-2015-0204
+ o Fix for CVE-2015-0205
+ o Fix for CVE-2014-8275
+ o Fix for CVE-2014-3570
+
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
diff -r 3b4d110e0937 -r 465385180ec7 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Tue Jan 13 07:59:08 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/README Tue Jan 13 08:16:08 2015 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1j 15 Oct 2014
+ OpenSSL 1.0.1k 8 Jan 2015
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 3b4d110e0937 -r 465385180ec7 crypto/external/bsd/openssl/dist/apps/ca.c
--- a/crypto/external/bsd/openssl/dist/apps/ca.c Tue Jan 13 07:59:08 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ca.c Tue Jan 13 08:16:08 2015 +0000
@@ -703,7 +703,7 @@
ERR_clear_error();
#ifdef RL_DEBUG
if (!p)
- BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+ BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
#endif
#ifdef RL_DEBUG
BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
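Review bot: the "unique_subject undefined" message sits in code guarded by #ifdef RL_DEBUG, which normal builds do not compile, and that is how the extra p argument with no matching conversion in the format string went unnoticed until now. Build once with RL_DEBUG defined and compiler format warnings enabled to catch any other mismatch of this kind in debug-only code. The two adjacent #ifdef RL_DEBUG blocks shown here could also be merged into one.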
diff -r 3b4d110e0937 -r 465385180ec7 crypto/external/bsd/openssl/dist/apps/ocsp.c
--- a/crypto/external/bsd/openssl/dist/apps/ocsp.c Tue Jan 13 07:59:08 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c Tue Jan 13 08:16:08 2015 +0000
@@ -583,51 +583,52 @@
BIO_printf (bio_err, "OCSP utility\n");
BIO_printf (bio_err, "Usage ocsp [options]\n");
BIO_printf (bio_err, "where options are\n");
- BIO_printf (bio_err, "-out file output filename\n");
- BIO_printf (bio_err, "-issuer file issuer certificate\n");
- BIO_printf (bio_err, "-cert file certificate to check\n");
- BIO_printf (bio_err, "-serial n serial number to check\n");
- BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
- BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
- BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
- BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
- BIO_printf (bio_err, "-req_text print text form of request\n");
- BIO_printf (bio_err, "-resp_text print text form of response\n");
- BIO_printf (bio_err, "-text print text form of request and response\n");
- BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
- BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
- BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
- BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
- BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
- BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
- BIO_printf (bio_err, "-url URL OCSP responder URL\n");
- BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
- BIO_printf (bio_err, "-path path to use in OCSP request\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
- BIO_printf (bio_err, "-VAfile file validator certificates file\n");
- BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
- BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
- BIO_printf (bio_err, "-noverify don't verify response at all\n");
- BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
- BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
- BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
+ BIO_printf (bio_err, "-out file output filename\n");
+ BIO_printf (bio_err, "-issuer file issuer certificate\n");
+ BIO_printf (bio_err, "-cert file certificate to check\n");
+ BIO_printf (bio_err, "-serial n serial number to check\n");
+ BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
+ BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
+ BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
+ BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
+ BIO_printf (bio_err, "-req_text print text form of request\n");
+ BIO_printf (bio_err, "-resp_text print text form of response\n");
+ BIO_printf (bio_err, "-text print text form of request and response\n");
+ BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
+ BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
+ BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
+ BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
+ BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
+ BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
+ BIO_printf (bio_err, "-url URL OCSP responder URL\n");
+ BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
+ BIO_printf (bio_err, "-path path to use in OCSP request\n");
+ BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
+ BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf (bio_err, "-VAfile file validator certificates file\n");
+ BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
+ BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
+ BIO_printf (bio_err, "-noverify don't verify response at all\n");
+ BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
+ BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
+ BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
- BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
- BIO_printf (bio_err, "-no_chain don't chain verify response\n");
- BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
- BIO_printf (bio_err, "-port num port to run responder on\n");
- BIO_printf (bio_err, "-index file certificate status index file\n");
- BIO_printf (bio_err, "-CA file CA certificate\n");
- BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
- BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
- BIO_printf (bio_err, "-rother file other certificates to include in response\n");
- BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n");
- BIO_printf (bio_err, "-nmin n number of minutes before next update\n");
- BIO_printf (bio_err, "-ndays n number of days before next update\n");
- BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
- BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
- BIO_printf (bio_err, "-<dgst alg> use specified digest in the request\n");
+ BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
+ BIO_printf (bio_err, "-no_chain don't chain verify response\n");
+ BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
+ BIO_printf (bio_err, "-port num port to run responder on\n");
+ BIO_printf (bio_err, "-index file certificate status index file\n");
+ BIO_printf (bio_err, "-CA file CA certificate\n");
+ BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
+ BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
+ BIO_printf (bio_err, "-rother file other certificates to include in response\n");
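Review bot: the added usage strings for -respout and -respin still spell "reponse"; since this hunk rewrites every option line anyway, it is the natural place to correct it to "response" (upstream, as this is vendor text). The -path line also gives no argument placeholder, unlike -url URL and -host host:n. The archive truncates the diff inside this hunk, so the remaining added lines, including the counterpart of the removed -resp_key_id line with the same misspelling, cannot be checked here.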