X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=ff430c7e5870661c2759c9cf84b8385bd8d9be5d;hb=953a1665e2a3ea0423f3deb2a71972486d0ee61e;hp=343d847061f75e3411fce7afaafe8d7519197b7f;hpb=cc42e4af2cb88279555753a4f167347492ddc523;p=oweals%2Fopenssl.git diff --git a/CHANGES b/CHANGES index 343d847061..ff430c7e58 100644 --- a/CHANGES +++ b/CHANGES @@ -2,456 +2,588 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2d and 1.0.2e [xx XXX xxxx] + This is a high-level summary of the most important changes. + For a full list of changes, see the git commit log; for example, + https://github.com/openssl/openssl/commits/ and pick the appropriate + release branch. - *) In DSA_generate_parameters_ex, if the provided seed is too short, - return an error - [Rich Salz and Ismo Puustinen ] + Changes between 1.0.2l and 1.0.2m [xx XXX xxxx] - *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites - from RFC4279, RFC4785, RFC5487, RFC5489. + *) - Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the - original RSA_PSK patch. - [Steve Henson] - - *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay - era flag was never set throughout the codebase (only read). Also removed - SSL3_FLAGS_POP_BUFFER which was only used if - SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set. - [Matt Caswell] + Changes between 1.0.2k and 1.0.2l [25 May 2017] - *) Changed the default name options in the "ca", "crl", "req" and "x509" - to be "oneline" instead of "compat". + *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target + platform rather than 'mingw'. [Richard Levitte] - *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're - not aware of clients that still exhibit this bug, and the workaround - hasn't been working properly for a while. - [Emilia Käsper] + Changes between 1.0.2j and 1.0.2k [26 Jan 2017] - *) The return type of BIO_number_read() and BIO_number_written() as well as - the corresponding num_read and num_write members in the BIO structure has - changed from unsigned long to uint64_t. On platforms where an unsigned - long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is - transferred. - [Matt Caswell] + *) Truncated packet could crash via OOB read - *) Given the pervasive nature of TLS extensions it is inadvisable to run - OpenSSL without support for them. It also means that maintaining - the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably - not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed. - [Matt Caswell] + If one side of an SSL/TLS path is running on a 32-bit host and a specific + cipher is being used, then a truncated packet can cause that host to + perform an out-of-bounds read, usually resulting in a crash. - *) Removed support for the two export grade static DH ciphersuites - EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites - were newly added (along with a number of other static DH ciphersuites) to - 1.0.2. However the two export ones have *never* worked since they were - introduced. It seems strange in any case to be adding new export - ciphersuites, and given "logjam" it also does not seem correct to fix them. - [Matt Caswell] + This issue was reported to OpenSSL by Robert Święcki of Google. + (CVE-2017-3731) + [Andy Polyakov] - *) Version negotiation has been rewritten. In particular SSLv23_method(), - SSLv23_client_method() and SSLv23_server_method() have been deprecated, - and turned into macros which simply call the new preferred function names - TLS_method(), TLS_client_method() and TLS_server_method(). All new code - should use the new names instead. Also as part of this change the ssl23.h - header file has been removed. - [Matt Caswell] + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very + similar to CVE-2015-3193 but must be treated as a separate problem. + + This issue was reported to OpenSSL by the OSS-Fuzz project. + (CVE-2017-3732) + [Andy Polyakov] + + *) Montgomery multiplication may produce incorrect results + + There is a carry propagating bug in the Broadwell-specific Montgomery + multiplication procedure that handles input lengths divisible by, but + longer than 256 bits. Analysis suggests that attacks against RSA, DSA + and DH private keys are impossible. This is because the subroutine in + question is not used in operations with the private key itself and an input + of the attacker's direct choice. Otherwise the bug can manifest itself as + transient authentication and key negotiation failures or reproducible + erroneous outcome of public-key operations with specially crafted input. + Among EC algorithms only Brainpool P-512 curves are affected and one + presumably can attack ECDH key negotiation. Impact was not analyzed in + detail, because pre-requisites for attack are considered unlikely. Namely + multiple clients have to choose the curve in question and the server has to + share the private key among them, neither of which is default behaviour. + Even then only clients that chose the curve will be affected. + + This issue was publicly reported as transient failures and was not + initially recognized as a security issue. Thanks to Richard Morgan for + providing reproducible case. + (CVE-2016-7055) + [Andy Polyakov] - *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This - code and the associated standard is no longer considered fit-for-purpose. + *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 + or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to + prevent issues where no progress is being made and the peer continually + sends unrecognised record types, using up resources processing them. [Matt Caswell] - *) RT2547 was closed. When generating a private key, try to make the - output file readable only by the owner. This behavior change might - be noticeable when interacting with other software. + Changes between 1.0.2i and 1.0.2j [26 Sep 2016] - *) Added HTTP GET support to the ocsp command. - [Rich Salz] + *) Missing CRL sanity check + + A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 + but was omitted from OpenSSL 1.0.2i. As a result any attempt to use + CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. - *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead. + This issue only affects the OpenSSL 1.0.2i + (CVE-2016-7052) [Matt Caswell] - *) Added support for TLS extended master secret from - draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an - initial patch which was a great help during development. - [Steve Henson] + Changes between 1.0.2h and 1.0.2i [22 Sep 2016] - *) All libssl internal structures have been removed from the public header - files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is - now redundant). Users should not attempt to access internal structures - directly. Instead they should use the provided API functions. - [Matt Caswell] + *) OCSP Status Request extension unbounded memory growth - *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used. - Access to deprecated functions can be re-enabled by running config with - "enable-deprecated". In addition applications wishing to use deprecated - functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour - will, by default, disable some transitive includes that previously existed - in the header files (e.g. ec.h will no longer, by default, include bn.h) - [Matt Caswell] + A malicious client can send an excessively large OCSP Status Request + extension. If that client continually requests renegotiation, sending a + large OCSP Status Request extension each time, then there will be unbounded + memory growth on the server. This will eventually lead to a Denial Of + Service attack through memory exhaustion. Servers with a default + configuration are vulnerable even if they do not support OCSP. Builds using + the "no-ocsp" build time option are not affected. - *) Added support for OCB mode. OpenSSL has been granted a patent license - compatible with the OpenSSL license for use of OCB. Details are available - at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support - for OCB can be removed by calling config with no-ocb. + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6304) [Matt Caswell] - *) SSLv2 support has been removed. It still supports receiving a SSLv2 - compatible client hello. - [Kurt Roeckx] - - *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz], - done while fixing the error code for the key-too-small case. - [Annie Yousar ] + *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from + HIGH to MEDIUM. - *) CA.sh has been removmed; use CA.pl instead. + This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan + Leurent (INRIA) + (CVE-2016-2183) [Rich Salz] - *) Removed old DES API. - [Rich Salz] + *) OOB write in MDC2_Update() - *) Remove various unsupported platforms: - Sony NEWS4 - BEOS and BEOS_R5 - NeXT - SUNOS - MPE/iX - Sinix/ReliantUNIX RM400 - DGUX - NCR - Tandem - Cray - 16-bit platforms such as WIN16 - [Rich Salz] + An overflow can occur in MDC2_Update() either if called directly or + through the EVP_DigestUpdate() function using MDC2. If an attacker + is able to supply very large amounts of input data after a previous + call to EVP_EncryptUpdate() with a partial block then a length check + can overflow resulting in a heap corruption. - *) Clean up OPENSSL_NO_xxx #define's - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY - OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP - OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK - OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY - Remove MS_STATIC; it's a relic from platforms <32 bits. - [Rich Salz] + The amount of data needed is comparable to SIZE_MAX which is impractical + on most platforms. - *) Cleaned up dead code - Remove all but one '#ifdef undef' which is to be looked at. - [Rich Salz] + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6303) + [Stephen Henson] - *) Clean up calling of xxx_free routines. - Just like free(), fix most of the xxx_free routines to accept - NULL. Remove the non-null checks from callers. Save much code. - [Rich Salz] + *) Malformed SHA512 ticket DoS - *) Add secure heap for storage of private keys (when possible). - Add BIO_s_secmem(), CBIGNUM, etc. - Contributed by Akamai Technologies under our Corporate CLA. - [Rich Salz] + If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a + DoS attack where a malformed ticket will result in an OOB read which will + ultimately crash. - *) Experimental support for a new, fast, unbiased prime candidate generator, - bn_probable_prime_dh_coprime(). Not currently used by any prime generator. - [Felix Laurie von Massenbach ] + The use of SHA512 in TLS session tickets is comparatively rare as it requires + a custom server callback and ticket lookup mechanism. - *) New output format NSS in the sess_id command line tool. This allows - exporting the session id and the master key in NSS keylog format. - [Martin Kaiser ] + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6302) + [Stephen Henson] - *) Harmonize version and its documentation. -f flag is used to display - compilation flags. - [mancha ] + *) OOB write in BN_bn2dec() - *) Fix eckey_priv_encode so it immediately returns an error upon a failure - in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. - [mancha ] + The function BN_bn2dec() does not check the return value of BN_div_word(). + This can cause an OOB write if an application uses this function with an + overly large BIGNUM. This could be a problem if an overly large certificate + or CRL is printed out from an untrusted source. TLS is not affected because + record limits will reject an oversized certificate before it is parsed. - *) Fix some double frees. These are not thought to be exploitable. - [mancha ] + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-2182) + [Stephen Henson] - *) A missing bounds check in the handling of the TLS heartbeat extension - can be used to reveal up to 64k of memory to a connected client or - server. + *) OOB read in TS_OBJ_print_bio() - Thanks for Neel Mehta of Google Security for discovering this bug and to - Adam Langley and Bodo Moeller for - preparing the fix (CVE-2014-0160) - [Adam Langley, Bodo Moeller] + The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is + the total length the OID text representation would use and not the amount + of data written. This will result in OOB reads when large OIDs are + presented. - *) Fix for the attack described in the paper "Recovering OpenSSL - ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" - by Yuval Yarom and Naomi Benger. Details can be obtained from: - http://eprint.iacr.org/2014/140 + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-2180) + [Stephen Henson] - Thanks to Yuval Yarom and Naomi Benger for discovering this - flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) - [Yuval Yarom and Naomi Benger] + *) Pointer arithmetic undefined behaviour - *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): - this fixes a limitation in previous versions of OpenSSL. - [Steve Henson] + Avoid some undefined pointer arithmetic - *) Experimental encrypt-then-mac support. - - Experimental support for encrypt then mac from - draft-gutmann-tls-encrypt-then-mac-02.txt + A common idiom in the codebase is to check limits in the following manner: + "p + len > limit" - To enable it set the appropriate extension number (0x42 for the test - server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42 - - For non-compliant peers (i.e. just about everything) this should have no - effect. + Where "p" points to some malloc'd data of SIZE bytes and + limit == p + SIZE - WARNING: EXPERIMENTAL, SUBJECT TO CHANGE. + "len" here could be from some externally supplied data (e.g. from a TLS + message). - [Steve Henson] + The rules of C pointer arithmetic are such that "p + len" is only well + defined where len <= SIZE. Therefore the above idiom is actually + undefined behaviour. - *) Add EVP support for key wrapping algorithms, to avoid problems with - existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in - the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap - algorithms and include tests cases. - [Steve Henson] + For example this could cause problems if some malloc implementation + provides an address for "p" such that "p + len" actually overflows for + values of len that are too big and therefore p + len < limit. - *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for - enveloped data. - [Steve Henson] + This issue was reported to OpenSSL by Guido Vranken + (CVE-2016-2177) + [Matt Caswell] - *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, - MGF1 digest and OAEP label. - [Steve Henson] + *) Constant time flag not preserved in DSA signing + + Operations in the DSA signing algorithm should run in constant time in + order to avoid side channel attacks. A flaw in the OpenSSL DSA + implementation means that a non-constant time codepath is followed for + certain operations. This has been demonstrated through a cache-timing + attack to be sufficient for an attacker to recover the private DSA key. + + This issue was reported by César Pereida (Aalto University), Billy Brumley + (Tampere University of Technology), and Yuval Yarom (The University of + Adelaide and NICTA). + (CVE-2016-2178) + [César Pereida] + + *) DTLS buffered message DoS + + In a DTLS connection where handshake messages are delivered out-of-order + those messages that OpenSSL is not yet ready to process will be buffered + for later use. Under certain circumstances, a flaw in the logic means that + those messages do not get removed from the buffer even though the handshake + has been completed. An attacker could force up to approx. 15 messages to + remain in the buffer when they are no longer required. These messages will + be cleared when the DTLS connection is closed. The default maximum size for + a message is 100k. Therefore the attacker could force an additional 1500k + to be consumed per connection. By opening many simulataneous connections an + attacker could cause a DoS attack through memory exhaustion. + + This issue was reported to OpenSSL by Quan Luo. + (CVE-2016-2179) + [Matt Caswell] - *) Make openssl verify return errors. - [Chris Palmer and Ben Laurie] + *) DTLS replay protection DoS - *) New function ASN1_TIME_diff to calculate the difference between two - ASN1_TIME structures or one structure and the current time. - [Steve Henson] + A flaw in the DTLS replay attack protection mechanism means that records + that arrive for future epochs update the replay protection "window" before + the MAC for the record has been validated. This could be exploited by an + attacker by sending a record for the next epoch (which does not have to + decrypt or have a valid MAC), with a very large sequence number. This means + that all subsequent legitimate packets are dropped causing a denial of + service for a specific DTLS connection. - *) Update fips_test_suite to support multiple command line options. New - test to induce all self test errors in sequence and check expected - failures. - [Steve Henson] + This issue was reported to OpenSSL by the OCAP audit team. + (CVE-2016-2181) + [Matt Caswell] - *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and - sign or verify all in one operation. - [Steve Henson] + *) Certificate message OOB reads - *) Add fips_algvs: a multicall fips utility incorporating all the algorithm - test programs and fips_test_suite. Includes functionality to parse - the minimal script output of fipsalgest.pl directly. - [Steve Henson] + In OpenSSL 1.0.2 and earlier some missing message length checks can result + in OOB reads of up to 2 bytes beyond an allocated buffer. There is a + theoretical DoS risk but this has not been observed in practice on common + platforms. - *) Add authorisation parameter to FIPS_module_mode_set(). - [Steve Henson] + The messages affected are client certificate, client certificate request + and server certificate. As a result the attack can only be performed + against a client or a server which enables client authentication. - *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves. - [Steve Henson] + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6306) + [Stephen Henson] - *) Use separate DRBG fields for internal and external flags. New function - FIPS_drbg_health_check() to perform on demand health checking. Add - generation tests to fips_test_suite with reduced health check interval to - demonstrate periodic health checking. Add "nodh" option to - fips_test_suite to skip very slow DH test. - [Steve Henson] + Changes between 1.0.2g and 1.0.2h [3 May 2016] - *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers - based on NID. - [Steve Henson] + *) Prevent padding oracle in AES-NI CBC MAC check - *) More extensive health check for DRBG checking many more failure modes. - New function FIPS_selftest_drbg_all() to handle every possible DRBG - combination: call this in fips_test_suite. - [Steve Henson] + A MITM attacker can use a padding oracle attack to decrypt traffic + when the connection uses an AES CBC cipher and the server support + AES-NI. - *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test - and POST to handle Dual EC cases. - [Steve Henson] + This issue was introduced as part of the fix for Lucky 13 padding + attack (CVE-2013-0169). The padding check was rewritten to be in + constant time by making sure that always the same bytes are read and + compared against either the MAC or padding bytes. But it no longer + checked that there was enough data to have both the MAC and padding + bytes. - *) Add support for canonical generation of DSA parameter 'g'. See - FIPS 186-3 A.2.3. + This issue was reported by Juraj Somorovsky using TLS-Attacker. + (CVE-2016-2107) + [Kurt Roeckx] - *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and - POST to handle HMAC cases. - [Steve Henson] + *) Fix EVP_EncodeUpdate overflow - *) Add functions FIPS_module_version() and FIPS_module_version_text() - to return numerical and string versions of the FIPS module number. - [Steve Henson] + An overflow can occur in the EVP_EncodeUpdate() function which is used for + Base64 encoding of binary data. If an attacker is able to supply very large + amounts of input data then a length check can overflow resulting in a heap + corruption. - *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and - FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented - outside the validated module in the FIPS capable OpenSSL. - [Steve Henson] + Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by + the PEM_write_bio* family of functions. These are mainly used within the + OpenSSL command line applications, so any application which processes data + from an untrusted source and outputs it as a PEM file should be considered + vulnerable to this issue. User applications that call these APIs directly + with large amounts of untrusted data may also be vulnerable. - *) Minor change to DRBG entropy callback semantics. In some cases - there is no multiple of the block length between min_len and - max_len. Allow the callback to return more than max_len bytes - of entropy but discard any extra: it is the callback's responsibility - to ensure that the extra data discarded does not impact the - requested amount of entropy. - [Steve Henson] + This issue was reported by Guido Vranken. + (CVE-2016-2105) + [Matt Caswell] - *) Add PRNG security strength checks to RSA, DSA and ECDSA using - information in FIPS186-3, SP800-57 and SP800-131A. - [Steve Henson] + *) Fix EVP_EncryptUpdate overflow + + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker + is able to supply very large amounts of input data after a previous call to + EVP_EncryptUpdate() with a partial block then a length check can overflow + resulting in a heap corruption. Following an analysis of all OpenSSL + internal usage of the EVP_EncryptUpdate() function all usage is one of two + forms. The first form is where the EVP_EncryptUpdate() call is known to be + the first called function after an EVP_EncryptInit(), and therefore that + specific call must be safe. The second form is where the length passed to + EVP_EncryptUpdate() can be seen from the code to be some small value and + therefore there is no possibility of an overflow. Since all instances are + one of these two forms, it is believed that there can be no overflows in + internal code due to this problem. It should be noted that + EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. + Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances + of these calls have also been analysed too and it is believed there are no + instances in internal usage where an overflow could occur. + + This issue was reported by Guido Vranken. + (CVE-2016-2106) + [Matt Caswell] - *) CCM support via EVP. Interface is very similar to GCM case except we - must supply all data in one chunk (i.e. no update, final) and the - message length must be supplied if AAD is used. Add algorithm test - support. - [Steve Henson] + *) Prevent ASN.1 BIO excessive memory allocation - *) Initial version of POST overhaul. Add POST callback to allow the status - of POST to be monitored and/or failures induced. Modify fips_test_suite - to use callback. Always run all selftests even if one fails. - [Steve Henson] + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() + a short invalid encoding can casuse allocation of large amounts of memory + potentially consuming excessive resources or exhausting memory. - *) XTS support including algorithm test driver in the fips_gcmtest program. - Note: this does increase the maximum key length from 32 to 64 bytes but - there should be no binary compatibility issues as existing applications - will never use XTS mode. - [Steve Henson] + Any application parsing untrusted data through d2i BIO functions is + affected. The memory based functions such as d2i_X509() are *not* affected. + Since the memory based functions are used by the TLS library, TLS + applications are not affected. - *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies - to OpenSSL RAND code and replace with a tiny FIPS RAND API which also - performs algorithm blocking for unapproved PRNG types. Also do not - set PRNG type in FIPS_mode_set(): leave this to the application. - Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with - the standard OpenSSL PRNG: set additional data to a date time vector. - [Steve Henson] + This issue was reported by Brian Carpenter. + (CVE-2016-2109) + [Stephen Henson] - *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*. - This shouldn't present any incompatibility problems because applications - shouldn't be using these directly and any that are will need to rethink - anyway as the X9.31 PRNG is now deprecated by FIPS 140-2 - [Steve Henson] + *) EBCDIC overread - *) Extensive self tests and health checking required by SP800-90 DRBG. - Remove strength parameter from FIPS_drbg_instantiate and always - instantiate at maximum supported strength. - [Steve Henson] + ASN1 Strings that are over 1024 bytes can cause an overread in applications + using the X509_NAME_oneline() function on EBCDIC systems. This could result + in arbitrary stack data being returned in the buffer. - *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing. - [Steve Henson] + This issue was reported by Guido Vranken. + (CVE-2016-2176) + [Matt Caswell] - *) New algorithm test program fips_dhvs to handle DH primitives only testing. - [Steve Henson] + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] - *) New function DH_compute_key_padded() to compute a DH key and pad with - leading zeroes if needed: this complies with SP800-56A et al. - [Steve Henson] + *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the + default. + [Kurt Roeckx] - *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by - anything, incomplete, subject to change and largely untested at present. - [Steve Henson] + *) Only remove the SSLv2 methods with the no-ssl2-method option. When the + methods are enabled and ssl2 is disabled the methods return NULL. + [Kurt Roeckx] - *) Modify fipscanisteronly build option to only build the necessary object - files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile. - [Steve Henson] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] + + * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. + Builds that are not configured with "enable-weak-ssl-ciphers" will not + provide any "EXPORT" or "LOW" strength ciphers. + [Viktor Dukhovni] + + * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 + is by default disabled at build-time. Builds that are not configured with + "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, + users who want to negotiate SSLv2 via the version-flexible SSLv23_method() + will need to explicitly call either of: + + SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); + or + SSL_clear_options(ssl, SSL_OP_NO_SSLv2); + + as appropriate. Even if either of those is used, or the application + explicitly uses the version-specific SSLv2_method() or its client and + server variants, SSLv2 ciphers vulnerable to exhaustive search key + recovery have been removed. Specifically, the SSLv2 40-bit EXPORT + ciphers, and SSLv2 56-bit DES are no longer available. + (CVE-2016-0800) + [Viktor Dukhovni] + + *) Fix a double-free in DSA code + + A double free bug was discovered when OpenSSL parses malformed DSA private + keys and could lead to a DoS attack or memory corruption for applications + that receive DSA private keys from untrusted sources. This scenario is + considered rare. + + This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using + libFuzzer. + (CVE-2016-0705) + [Stephen Henson] - *) Add experimental option FIPSSYMS to give all symbols in - fipscanister.o and FIPS or fips prefix. This will avoid - conflicts with future versions of OpenSSL. Add perl script - util/fipsas.pl to preprocess assembly language source files - and rename any affected symbols. - [Steve Henson] + *) Disable SRP fake user seed to address a server memory leak. - *) Add selftest checks and algorithm block of non-fips algorithms in - FIPS mode. Remove DES2 from selftests. - [Steve Henson] + Add a new method SRP_VBASE_get1_by_user that handles the seed properly. - *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just - return internal method without any ENGINE dependencies. Add new - tiny fips sign and verify functions. - [Steve Henson] + SRP_VBASE_get_by_user had inconsistent memory management behaviour. + In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user + was changed to ignore the "fake user" SRP seed, even if the seed + is configured. - *) New build option no-ec2m to disable characteristic 2 code. - [Steve Henson] + Users should use SRP_VBASE_get1_by_user instead. Note that in + SRP_VBASE_get1_by_user, caller must free the returned value. Note + also that even though configuring the SRP seed attempts to hide + invalid usernames by continuing the handshake with fake + credentials, this behaviour is not constant time and no strong + guarantees are made that the handshake is indistinguishable from + that of a valid user. + (CVE-2016-0798) + [Emilia Käsper] - *) New build option "fipscanisteronly". This only builds fipscanister.o - and (currently) associated fips utilities. Uses the file Makefile.fips - instead of Makefile.org as the prototype. - [Steve Henson] + *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption + + In the BN_hex2bn function the number of hex digits is calculated using an + int value |i|. Later |bn_expand| is called with a value of |i * 4|. For + large values of |i| this can result in |bn_expand| not allocating any + memory because |i * 4| is negative. This can leave the internal BIGNUM data + field as NULL leading to a subsequent NULL ptr deref. For very large values + of |i|, the calculation |i * 4| could be a positive value smaller than |i|. + In this case memory is allocated to the internal BIGNUM data field, but it + is insufficiently sized leading to heap corruption. A similar issue exists + in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn + is ever called by user applications with very large untrusted hex/dec data. + This is anticipated to be a rare occurrence. + + All OpenSSL internal usage of these functions use data that is not expected + to be untrusted, e.g. config file data or application command line + arguments. If user developed applications generate config file data based + on untrusted data then it is possible that this could also lead to security + consequences. This is also anticipated to be rare. + + This issue was reported to OpenSSL by Guido Vranken. + (CVE-2016-0797) + [Matt Caswell] - *) Add some FIPS mode restrictions to GCM. Add internal IV generator. - Update fips_gcmtest to use IV generator. - [Steve Henson] + *) Fix memory issues in BIO_*printf functions + + The internal |fmtstr| function used in processing a "%s" format string in + the BIO_*printf functions could overflow while calculating the length of a + string and cause an OOB read when printing very long strings. + + Additionally the internal |doapr_outch| function can attempt to write to an + OOB memory location (at an offset from the NULL pointer) in the event of a + memory allocation failure. In 1.0.2 and below this could be caused where + the size of a buffer to be allocated is greater than INT_MAX. E.g. this + could be in processing a very long "%s" format string. Memory leaks can + also occur. + + The first issue may mask the second issue dependent on compiler behaviour. + These problems could enable attacks where large amounts of untrusted data + is passed to the BIO_*printf functions. If applications use these functions + in this way then they could be vulnerable. OpenSSL itself uses these + functions when printing out human-readable dumps of ASN.1 data. Therefore + applications that print this data could be vulnerable if the data is from + untrusted sources. OpenSSL command line applications could also be + vulnerable where they print out ASN.1 data, or if untrusted data is passed + as command line arguments. + + Libssl is not considered directly vulnerable. Additionally certificates etc + received via remote connections via libssl are also unlikely to be able to + trigger these issues because of message size limits enforced within libssl. + + This issue was reported to OpenSSL Guido Vranken. + (CVE-2016-0799) + [Matt Caswell] - *) Initial, experimental EVP support for AES-GCM. AAD can be input by - setting output buffer to NULL. The *Final function must be - called although it will not retrieve any additional data. The tag - can be set or retrieved with a ctrl. The IV length is by default 12 - bytes (96 bits) but can be set to an alternative value. If the IV - length exceeds the maximum IV length (currently 16 bytes) it cannot be - set before the key. - [Steve Henson] + *) Side channel attack on modular exponentiation - *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the - underlying do_cipher function handles all cipher semantics itself - including padding and finalisation. This is useful if (for example) - an ENGINE cipher handles block padding itself. The behaviour of - do_cipher is subtly changed if this flag is set: the return value - is the number of characters written to the output buffer (zero is - no longer an error code) or a negative error code. Also if the - input buffer is NULL and length 0 finalisation should be performed. - [Steve Henson] + A side-channel attack was found which makes use of cache-bank conflicts on + the Intel Sandy-Bridge microarchitecture which could lead to the recovery + of RSA keys. The ability to exploit this issue is limited as it relies on + an attacker who has control of code in a thread running on the same + hyper-threaded core as the victim thread which is performing decryptions. - *) If a candidate issuer certificate is already part of the constructed - path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case. - [Steve Henson] + This issue was reported to OpenSSL by Yuval Yarom, The University of + Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and + Nadia Heninger, University of Pennsylvania with more information at + http://cachebleed.info. + (CVE-2016-0702) + [Andy Polyakov] - *) Improve forward-security support: add functions + *) Change the req app to generate a 2048-bit RSA/DSA key by default, + if no keysize is specified with default_bits. This fixes an + omission in an earlier change that changed all RSA/DSA key generation + apps to use 2048 bits by default. + [Emilia Käsper] - void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure)) - void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure)) + Changes between 1.0.2e and 1.0.2f [28 Jan 2016] + + *) DH small subgroups + + Historically OpenSSL only ever generated DH parameters based on "safe" + primes. More recently (in version 1.0.2) support was provided for + generating X9.42 style parameter files such as those required for RFC 5114 + support. The primes used in such files may not be "safe". Where an + application is using DH configured with parameters based on primes that are + not "safe" then an attacker could use this fact to find a peer's private + DH exponent. This attack requires that the attacker complete multiple + handshakes in which the peer uses the same private DH exponent. For example + this could be used to discover a TLS server's private DH exponent if it's + reusing the private DH exponent or it's using a static DH ciphersuite. + + OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in + TLS. It is not on by default. If the option is not set then the server + reuses the same private DH exponent for the life of the server process and + would be vulnerable to this attack. It is believed that many popular + applications do set this option and would therefore not be at risk. + + The fix for this issue adds an additional check where a "q" parameter is + available (as is the case in X9.42 based parameters). This detects the + only known attack, and is the only possible defense for static DH + ciphersuites. This could have some performance impact. + + Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by + default and cannot be disabled. This could have some performance impact. + + This issue was reported to OpenSSL by Antonio Sanso (Adobe). + (CVE-2016-0701) + [Matt Caswell] - for use by SSL/TLS servers; the callback function will be called whenever a - new session is created, and gets to decide whether the session may be - cached to make it resumable (return 0) or not (return 1). (As by the - SSL/TLS protocol specifications, the session_id sent by the server will be - empty to indicate that the session is not resumable; also, the server will - not generate RFC 4507 (RFC 5077) session tickets.) + *) SSLv2 doesn't block disabled ciphers - A simple reasonable callback implementation is to return is_forward_secure. - This parameter will be set to 1 or 0 depending on the ciphersuite selected - by the SSL/TLS server library, indicating whether it can provide forward - security. - [Emilia Käsper (Google)] + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. - *) New -verify_name option in command line utilities to set verification - parameters by name. - [Steve Henson] + This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram + and Sebastian Schinzel. + (CVE-2015-3197) + [Viktor Dukhovni] - *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE. - Add CMAC pkey methods. - [Steve Henson] + *) Reject DH handshakes with parameters shorter than 1024 bits. + [Kurt Roeckx] - *) Experimental renegotiation in s_server -www mode. If the client - browses /reneg connection is renegotiated. If /renegcert it is - renegotiated requesting a certificate. - [Steve Henson] + Changes between 1.0.2d and 1.0.2e [3 Dec 2015] + + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. + + This issue was reported to OpenSSL by Hanno Böck. + (CVE-2015-3193) + [Andy Polyakov] - *) Add an "external" session cache for debugging purposes to s_server. This - should help trace issues which normally are only apparent in deployed - multi-process servers. - [Steve Henson] + *) Certificate verify crash with missing PSS parameter - *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where - return value is ignored. NB. The functions RAND_add(), RAND_seed(), - BIO_set_cipher() and some obscure PEM functions were changed so they - can now return an error. The RAND changes required a change to the - RAND_METHOD structure. - [Steve Henson] + The signature verification routines will crash with a NULL pointer + dereference if presented with an ASN.1 signature using the RSA PSS + algorithm and absent mask generation function parameter. Since these + routines are used to verify certificate signature algorithms this can be + used to crash any certificate verification operation and exploited in a + DoS attack. Any application which performs certificate verification is + vulnerable including OpenSSL clients and servers which enable client + authentication. + + This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). + (CVE-2015-3194) + [Stephen Henson] - *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of - a gcc attribute to warn if the result of a function is ignored. This - is enable if DEBUG_UNUSED is set. Add to several functions in evp.h - whose return value is often ignored. - [Steve Henson] ->>>>>>> f00a10b... GH367: Fix dsa keygen for too-short seed + *) X509_ATTRIBUTE memory leak + + When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak + memory. This structure is used by the PKCS#7 and CMS routines so any + application which reads PKCS#7 or CMS data from untrusted sources is + affected. SSL/TLS is not affected. + + This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using + libFuzzer. + (CVE-2015-3195) + [Stephen Henson] + + *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. + This changes the decoding behaviour for some invalid messages, + though the change is mostly in the more lenient direction, and + legacy behaviour is preserved as much as possible. + [Emilia Käsper] + + *) In DSA_generate_parameters_ex, if the provided seed is too short, + use a random seed, as already documented. + [Rich Salz and Ismo Puustinen ] Changes between 1.0.2c and 1.0.2d [9 Jul 2015] @@ -466,8 +598,18 @@ This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL). + (CVE-2015-1793) [Matt Caswell] + *) Race condition handling PSK identify hint + + If PSK identity hints are received by a multi-threaded client then + the values are wrongly updated in the parent SSL_CTX structure. This can + result in a race condition potentially leading to a double free of the + identify hint data. + (CVE-2015-3196) + [Stephen Henson] + Changes between 1.0.2b and 1.0.2c [12 Jun 2015] *) Fix HMAC ABI incompatibility. The previous version introduced an ABI