Commit graph

1734 commits

Author SHA1 Message Date
Matt Caswell
c33e68971f Prepare for 1.0.1u-dev
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-03 14:50:37 +01:00
Matt Caswell
3d2e575b3f Prepare for 1.0.1t release
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-03 14:49:52 +01:00
Matt Caswell
0e6b8bf4bb Update CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 13:20:26 +01:00
Kurt Roeckx
6629966097 Add no-ssl2-method
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2341
(cherry picked from commit 4256957570)
2016-03-14 21:17:18 +01:00
Kurt Roeckx
6e7a1f35b7 Remove LOW from the default
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 29cce50897)
2016-03-07 18:57:40 +01:00
Matt Caswell
73158771aa Prepare for 1.0.1t-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 13:42:02 +00:00
Matt Caswell
57ac73fb5d Prepare for 1.0.1s release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 13:40:46 +00:00
Matt Caswell
8954b54182 Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 11:51:00 +00:00
Viktor Dukhovni
abd5d8fbef Disable EXPORT and LOW SSLv3+ ciphers by default
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:24:02 +00:00
Viktor Dukhovni
56f1acf5ef Disable SSLv2 default build, default negotiation and weak ciphers.
SSLv2 is by default disabled at build-time.  Builds that are not
configured with "enable-ssl2" will not support SSLv2.  Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed.  Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

Mitigation for CVE-2016-0800

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:23:45 +00:00
Emilia Kasper
59a908f1e8 CVE-2016-0798: avoid memory leak in SRP
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-25 15:44:21 +01:00
Kurt Roeckx
99a5c8a659 Fix CHANGES entry about DSA_generate_parameters_ex
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit 2b0c11a620)
2016-01-28 19:56:49 +01:00
Matt Caswell
69ff244490 Prepare for 1.0.1s-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
09ccb58518 Prepare for 1.0.1r release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
bea4cb2e80 Further updates to CHANGES and NEWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
5fed60f962 Update CHANGES and NEWS ready for release
Update CHANGES and NEWS with details of the issues fixed in the forthcoming
release.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-28 17:06:38 +00:00
Kurt Roeckx
f5fc9404c2 Change minimum DH size from 768 to 1024
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2016-01-11 00:13:54 +01:00
Matt Caswell
d82626caec Prepare for 1.0.1r-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:51:13 +00:00
Matt Caswell
55615e8d48 Prepare for 1.0.1q release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:50:26 +00:00
Matt Caswell
ac3dd9b7e6 Update CHANGES and NEWS
Update the CHANGES and NEWS files for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 13:45:13 +01:00
Emilia Kasper
76067c75fd RT3757: base64 encoding bugs
Rewrite EVP_DecodeUpdate.

In particular: reject extra trailing padding, and padding in the middle
of the content. Don't limit line length. Add tests.

Previously, the behaviour was ill-defined, and depended on the position
of the padding within the input.

In addition, this appears to fix a possible two-byte oob read.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 3cdd1e94b1)
(cherry picked from commit 37faf11796)
2015-09-17 20:15:41 +02:00
Emilia Kasper
5999b897ff OpenSSL 1.0.1n: add missing CHANGES entry
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-01 20:13:21 +02:00
Ismo Puustinen
9a97446468 GH367: Fix dsa keygen for too-short seed
If the seed value for dsa key generation is too short (< qsize),
return an error. Also update the documentation.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f00a10b897)
2015-08-28 11:25:44 -04:00
Richard Levitte
a027bba22a Conversion to UTF-8 where needed
This leaves behind files with names ending with '.iso-8859-1'.  These
should be safe to remove.  If something went wrong when re-encoding,
there will be some files with names ending with '.utf8' left behind.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-14 01:18:57 +02:00
Matt Caswell
7c17c20a56 Prepare for 1.0.1q-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:29:59 +01:00
Matt Caswell
5ab53da9fb Prepare for 1.0.1p release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:22:23 +01:00
Matt Caswell
245daa2b73 Update CHANGES and NEWS for the new release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 09:32:04 +01:00
Matt Caswell
902795b2f1 Prepare for 1.0.1p-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:24:26 +01:00
Matt Caswell
2a8c2799e1 Prepare for 1.0.1o release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:20:59 +01:00
Matt Caswell
2ad310ffde Updated CHANGES and NEWS entries for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:02:04 +01:00
Matt Caswell
3adca975dc Prepare for 1.0.1o-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:08:34 +01:00
Matt Caswell
517899e6c8 Prepare for 1.0.1n release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:05:11 +01:00
Matt Caswell
1f31458a77 Update CHANGES and NEWS
Updates to CHANGES and NEWS to take account of the latest security fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 15:02:21 +01:00
Emilia Kasper
63830384e9 client: reject handshakes with DH parameters < 768 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 15:01:36 +02:00
Matt Caswell
a6a704f448 Prepare for 1.0.1n-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:41:07 +00:00
Matt Caswell
506c106880 Prepare for 1.0.1m release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:38:37 +00:00
Matt Caswell
ffc69bd942 Update CHANGES for release
Update CHANGES fiel with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
82123b5e94 Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Kurt Roeckx
bc2e18a3c8 Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f417997a32)

Conflicts:
	ssl/ssl_ciph.c
2015-03-07 23:08:12 +01:00
Matt Caswell
3a9a032163 Prepare for 1.0.1m-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 14:49:54 +00:00
Matt Caswell
b83ceba7d5 Prepare for 1.0.1l release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 14:45:15 +00:00
Matt Caswell
583f0bc402 Updates to CHANGES and NEWS
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-15 13:17:18 +00:00
Matt Caswell
8437225d34 Prepare for 1.0.1l-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:07:43 +00:00
Matt Caswell
b4a57c4c41 Prepare for 1.0.1k release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:03:40 +00:00
Matt Caswell
e02863b5ac CHANGES and NEWS updates for release
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Steve Henson <steve@openssl.org>
2015-01-08 13:51:50 +00:00
Dr. Stephen Henson
293c1e2235 use correct credit in CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4138e38825)
2015-01-06 22:41:36 +00:00
Dr. Stephen Henson
37580f43b5 Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 4b4c1fcc88)

Conflicts:
	doc/ssl/SSL_CTX_set_options.pod
2015-01-06 13:14:05 +00:00
Dr. Stephen Henson
ef28c6d676 ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f876964)
2015-01-05 23:48:55 +00:00
Adam Langley
2357cd2e20 Ensure that the session ID context of an SSL* is updated
when its SSL_CTX is updated.

From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 61aa44ca99)
2015-01-05 17:33:28 +01:00
Dr. Stephen Henson
a8565530e2 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 684400ce19)
2015-01-05 14:36:20 +00:00