wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
openssl/apps
History
Emilia Kasper 259b664f95 CVE-2016-0798: avoid memory leak in SRP 
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-24 18:39:13 +01:00
..
demoCA Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
demoSRP Add SRP. 2011-03-16 11:26:40 +00:00
set Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
app_rand.c GH345: Remove stderr output 2015-08-16 21:09:45 -04:00
apps.c Fix pkeyutl/rsautl empty encrypt-input/decrypt-output handling 2016-02-02 12:41:33 -05:00
apps.h Fix pkeyutl/rsautl empty encrypt-input/decrypt-output handling 2016-02-02 12:41:33 -05:00
asn1pars.c Don't try and parse boolean type. 2015-10-06 15:16:05 +01:00
ca-cert.srl Update test server certificate in apps/server.pem (it was expired). 2000-10-16 22:56:10 +00:00
ca-key.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
ca-req.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
ca.c Fix missing malloc return value checks 2015-11-09 22:54:19 +00:00
CA.com Corrections to the VMS build system. 2011-03-25 16:21:08 +00:00
CA.pl.in Fix from stable branch. 2006-04-28 00:30:49 +00:00
CA.sh PR: 1847 2009-10-15 17:27:47 +00:00
cert.pem Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
ciphers.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
client.pem Replace expired test server and client certificates with new ones. 2011-12-08 14:45:15 +00:00
cms.c Add -no_alt_chains option to apps to implement the new 2015-04-20 13:42:17 +01:00
crl.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
crl2p7.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
dgst.c Move malloc fail checks closer to malloc 2015-03-17 13:48:04 +00:00
dh.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
dh512.pem Include SKIP DH parameters with OpenSSL. 2000-08-02 09:04:44 +00:00
dh1024.pem Include SKIP DH parameters with OpenSSL. 2000-08-02 09:04:44 +00:00
dh2048.pem Include SKIP DH parameters with OpenSSL. 2000-08-02 09:04:44 +00:00
dh4096.pem Include SKIP DH parameters with OpenSSL. 2000-08-02 09:04:44 +00:00
dhparam.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
dsa-ca.pem Fix the gendsa program and add it to the app list. The progs.h file is 1999-01-09 17:29:34 +00:00
dsa-pca.pem Fix the gendsa program and add it to the app list. The progs.h file is 1999-01-09 17:29:34 +00:00
dsa.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
dsa512.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
dsa1024.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
dsap.pem Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
dsaparam.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
ec.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
ecparam.c Remove useless code 2015-10-23 20:32:59 +02:00
enc.c RT2943: Check sizes if -iv and -K arguments 2015-05-04 20:21:21 +02:00
engine.c Remove the "eay" c-file-style indicators 2015-12-18 13:39:34 +01:00
errstr.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
gendh.c Re-align some comments after running the reformat script. 2015-01-22 09:31:48 +00:00
gendsa.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
genpkey.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
genrsa.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
install-apps.com Apply all the changes submitted by Steven M. Schweda <sms@antinode.info> 2011-03-19 09:47:47 +00:00
makeapps.com Make sure that disabling the MAYLOSEDATA3 warning is only done when the 2014-06-14 16:58:11 +02:00
Makefile Remove extra '; \' in apps/Makefile 2015-07-13 17:14:38 +02:00
nseq.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
ocsp.c To avoid possible time_t overflow use X509_time_adj_ex() 2016-01-14 03:02:27 +00:00
oid.cnf Import of old SSLeay release: SSLeay 0.9.1b (unreleased) 1998-12-21 11:00:56 +00:00
openssl-vms.cnf make update 2014-09-23 18:20:26 +02:00
openssl.c Fix memory leak reporting. 2015-02-09 13:01:15 +00:00
openssl.cnf RT2626: Change default_bits from 1K to 2K 2014-09-08 17:23:37 -04:00
passwd.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
pca-cert.srl Update test server certificate in apps/server.pem (it was expired). 2000-10-16 22:56:10 +00:00
pca-key.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
pca-req.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
pkcs7.c Dead code removal from apps 2015-03-17 14:49:47 +00:00
pkcs8.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
pkcs12.c Fix X509_STORE_CTX_cleanup() 2016-01-02 11:14:05 -05:00
pkey.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
pkeyparam.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
pkeyutl.c Fix pkeyutl/rsautl empty encrypt-input/decrypt-output handling 2016-02-02 12:41:33 -05:00
prime.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
privkey.pem Oops... 2006-05-17 12:29:16 +00:00
progs.h Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
progs.pl Make no-ssl3 no-ssl2 do more sensible things. 2014-06-29 03:05:21 +01:00
rand.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
req.c RT 3854: Update apps/req 2016-02-12 14:17:57 +01:00
req.pem Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
rsa.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
rsa8192.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
rsautl.c Fix pkeyutl/rsautl empty encrypt-input/decrypt-output handling 2016-02-02 12:41:33 -05:00
s512-key.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
s512-req.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
s1024key.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
s1024req.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
s_apps.h Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
s_cb.c GH371: Print debug info for ALPN extension 2015-08-26 07:09:27 -04:00
s_client.c GH611: s_client help message bug 2016-02-02 12:16:10 -05:00
s_server.c CVE-2016-0798: avoid memory leak in SRP 2016-02-24 18:39:13 +01:00
s_socket.c Re-align some comments after running the reformat script. 2015-01-22 09:31:48 +00:00
s_time.c Code style: space after 'if' 2015-04-16 13:50:01 -04:00
server.pem Replace expired test server and client certificates with new ones. 2011-12-08 14:45:15 +00:00
server.srl Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
server2.pem Replace expired test server and client certificates with new ones. 2011-12-08 14:45:15 +00:00
sess_id.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
smime.c Add -no_alt_chains option to apps to implement the new 2015-04-20 13:42:17 +01:00
speed.c Remove the "eay" c-file-style indicators 2015-12-18 13:39:34 +01:00
spkac.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
srp.c Code style: space after 'if' 2015-04-16 13:50:01 -04:00
testCA.pem Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
testdsa.h Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
testrsa.h Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
timeouts.h Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
ts.c Re-align some comments after running the reformat script. 2015-01-22 09:31:48 +00:00
tsget PR: 2031 2009-09-07 17:57:02 +00:00
verify.c Add -no_alt_chains option to apps to implement the new 2015-04-20 13:42:17 +01:00
version.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
vms_decc_init.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
winrand.c Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
x509.c To avoid possible time_t overflow use X509_time_adj_ex() 2016-01-14 03:02:27 +00:00