openssl

History

Emilia Kasper 380f18ed5f CVE-2016-0798: avoid memory leak in SRP The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. Specifically, SRP servers that configure a secret seed to hide valid login information are vulnerable to a memory leak: an attacker connecting with an invalid username can cause a memory leak of around 300 bytes per connection. Servers that do not configure SRP, or configure SRP but do not configure a seed are not vulnerable. In Apache, the seed directive is known as SSLSRPUnknownUserSeed. To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong guarantees about the indistinguishability of valid and invalid logins. In particular, computations are currently not carried out in constant time. Reviewed-by: Rich Salz <rsalz@openssl.org>		2016-02-25 15:42:48 +01:00
..
aes	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
asn1	GH480: Don't break statements with CPP stuff.	2016-02-24 16:11:39 -05:00
async	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
bf	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
bio	GH480: Don't break statements with CPP stuff.	2016-02-24 16:11:39 -05:00
bn	RT4339: Fix handling of <internal/bn_conf.h>	2016-02-23 13:18:23 -05:00
buffer	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
camellia	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
cast	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
chacha	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
cmac	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
cms	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
comp	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
conf	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
ct	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
des	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
dh	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
dsa	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
dso	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
ec	ec/asm/ecp_nistz256-*.pl: get corner case logic right.	2016-02-23 21:22:30 +01:00
engine	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
err	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
evp	GH678: Add a few more zalloc	2016-02-22 12:13:37 -05:00
hmac	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
idea	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
include/internal	RT4339: Fix handling of <internal/bn_conf.h>	2016-02-23 13:18:23 -05:00
kdf	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
lhash	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
md2	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
md4	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
md5	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
mdc2	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
modes	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
objects	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
ocsp	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
pem	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
perlasm	Fix some issues near recent chomp changes.	2016-02-13 02:54:48 -05:00
pkcs7	Add PKCS7_NO_DUAL_CONTENT flag	2016-02-23 08:42:03 -05:00
pkcs12	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
poly1305	poly1305/asm/poly1305-armv4.pl: replace ambiguous instruction.	2016-02-23 21:14:25 +01:00
rand	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
rc2	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
rc4	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
rc5	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
ripemd	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
rsa	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
seed	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
sha	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
srp	CVE-2016-0798: avoid memory leak in SRP	2016-02-25 15:42:48 +01:00
stack	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
ts	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
txt_db	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
ui	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
whrlpool	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
x509	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
x509v3	GH480: Don't break statements with CPP stuff.	2016-02-24 16:11:39 -05:00
alphacpuid.pl
arm64cpuid.pl
arm_arch.h
armcap.c
armv4cpuid.pl
build.info	Make crypto/buildinf.h depend on configdata.pm rather than Makefile	2016-02-20 16:50:20 +01:00
c64xpluscpuid.pl
cpt_err.c	After renaming init, update errors.	2016-02-10 15:52:32 -05:00
cryptlib.c	Declare DllMain internally	2016-02-14 14:13:53 +01:00
cversion.c	Make it possible to get ENGINESDIR info from OpenSSL_versions	2016-02-10 19:36:48 +01:00
ebcdic.c	Use NON_EMPTY_TRANSLATION_UNIT, consistently.	2016-02-09 20:13:29 -05:00
ex_data.c	GH601: Various spelling fixes.	2016-02-05 15:25:50 -05:00
fips_err.h	Remove /* foo.c */ comments	2016-01-26 16:40:43 -05:00
fips_ers.c	Use NON_EMPTY_TRANSLATION_UNIT, consistently.	2016-02-09 20:13:29 -05:00
ia64cpuid.S
init.c	Fix windows thread stop code	2016-02-18 15:27:16 +00:00
lock.c	GH678: Add a few more zalloc	2016-02-22 12:13:37 -05:00
LPdir_nyi.c
LPdir_unix.c
LPdir_vms.c
LPdir_win.c
LPdir_win32.c
LPdir_wince.c
Makefile.in	Always build library object files with shared library cflags	2016-02-20 16:51:31 +01:00
mem.c	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
mem_clr.c	Remove /* foo.c */ comments	2016-01-26 16:40:43 -05:00
mem_dbg.c	Implement the use of heap manipulator implementions	2016-02-17 10:12:49 +01:00
mem_sec.c	Remove unused parameters from internal functions	2016-02-22 13:39:44 -05:00
o_dir.c	Remove /* foo.c */ comments	2016-01-26 16:40:43 -05:00
o_fips.c
o_init.c	Remove /* foo.c */ comments	2016-01-26 16:40:43 -05:00
o_str.c	GH614: Use memcpy()/strdup() when possible	2016-02-03 15:45:56 -05:00
o_time.c	GH601: Various spelling fixes.	2016-02-05 15:25:50 -05:00
pariscid.pl
ppc_arch.h
ppccap.c	Configurations: engage PPC ChaCha20 and Poly1305 modules.	2016-02-13 17:22:20 +01:00
ppccpuid.pl
s390xcap.c
s390xcpuid.S
sparc_arch.h
sparccpuid.S
sparcv9cap.c
thr_id.c	Remove /* foo.c */ comments	2016-01-26 16:40:43 -05:00
uid.c	Remove /* foo.c */ comments	2016-01-26 16:40:43 -05:00
vms_rms.h
x86_64cpuid.pl
x86cpuid.pl