[openssl-commits] Fixed: FdaSilvaYY/openssl#2028 (oss_add_cb_args - 050701d)
Build Update for FdaSilvaYY/openssl
Build: #2028
Status: Fixed
Duration: 14 minutes and 47 seconds
Commit: 050701d (oss_add_cb_args)
Author: FdaSilvaYY
Message: Move global 'ctx' pointers and BIO variables into callback context ...
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/336947238c17...050701da2171
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/162039501
--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Fixed: FdaSilvaYY/openssl#2027 (fix-ca-buf-usage - e75d4d6)
Build Update for FdaSilvaYY/openssl
Build: #2027
Status: Fixed
Duration: 3 hours, 36 minutes, and 48 seconds
Commit: e75d4d6 (fix-ca-buf-usage)
Author: FdaSilvaYY
Message: Introduce PATH_MAX and NAME_MAX to define the certificate filename storage buffer.
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/13aeb3d6cc4e...e75d4d6636cd
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/162039263
[openssl-commits] Fixed: FdaSilvaYY/openssl#2026 (check_bn_wexpand_retcode - f963d47)
Build Update for FdaSilvaYY/openssl
Build: #2026
Status: Fixed
Duration: 23 minutes and 23 seconds
Commit: f963d47 (check_bn_wexpand_retcode)
Author: FdaSilvaYY
Message: Add missing checks on some conditional BN_copy return value
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/cad489529990...f963d474121a
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/162039141
[openssl-commits] Fixed: FdaSilvaYY/openssl#2025 (pack_argv_options - e629ea2)
Build Update for FdaSilvaYY/openssl
Build: #2025
Status: Fixed
Duration: 1 hour, 17 minutes, and 53 seconds
Commit: e629ea2 (pack_argv_options)
Author: FdaSilvaYY
Message: Use PATH_MAX and NAME_MAX
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/a53bfb922c18...e629ea2ad5dc
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/162037927
[openssl-commits] Fixed: FdaSilvaYY/openssl#2024 (master - 3014dda)
Build Update for FdaSilvaYY/openssl
Build: #2024
Status: Fixed
Duration: 40 minutes and 25 seconds
Commit: 3014dda (master)
Author: FdaSilvaYY
Message: Clean whitespaces on line ending
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/372025c54b65...3014ddae4d08
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/162037610
[openssl-commits] [openssl] master update
The branch master has been updated via c536b6be1a72aefd632d5530106a67c516cb9f4b (commit) via 4b0fc9fc7a8767f3e6289b2b9f4527db186b3566 (commit) from f3b3d7f0033080f86ede5a53e8af2fb313091b5a (commit) - Log - commit c536b6be1a72aefd632d5530106a67c516cb9f4b Author: Matt CaswellDate: Wed Sep 21 11:26:47 2016 +0100 Convert HelloVerifyRequest construction to WPACKET We actually construct a HelloVerifyRequest in two places with common code pulled into a single function. This one commit handles both places. Reviewed-by: Rich Salz commit 4b0fc9fc7a8767f3e6289b2b9f4527db186b3566 Author: Matt Caswell Date: Wed Sep 21 11:20:18 2016 +0100 Add warning about a potential pitfall with WPACKET_allocate_bytes() If the underlying BUF_MEM gets realloc'd then the pointer returned could become invalid. Therefore we should always ensure that the allocated memory is filled in prior to any more WPACKET_* calls. Reviewed-by: Rich Salz --- Summary of changes: ssl/d1_lib.c | 116 +++ ssl/packet.c | 1 + ssl/packet_locl.h| 5 +- ssl/ssl_locl.h | 5 +- ssl/statem/statem_srvr.c | 51 +++-- 5 files changed, 101 insertions(+), 77 deletions(-) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 043057f..f34818b 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -437,8 +437,8 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) unsigned char cookie[DTLS1_COOKIE_LENGTH]; unsigned char seq[SEQ_NUM_SIZE]; const unsigned char *data; -unsigned char *p, *buf; -unsigned long reclen, fragoff, fraglen, msglen; +unsigned char *buf; +unsigned long fragoff, fraglen, msglen; unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen; BIO *rbio, *wbio; BUF_MEM *bufm; @@ -680,6 +680,10 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) } if (next == LISTEN_SEND_VERIFY_REQUEST) { +WPACKET wpkt; +unsigned int version; +size_t wreclen; + /* * There was no cookie in the ClientHello so we need to send a * HelloVerifyRequest. If this fails we do not worry about trying 
@@ -703,60 +707,76 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) return -1; } -p = [DTLS1_RT_HEADER_LENGTH]; -msglen = dtls_raw_hello_verify_request(p + DTLS1_HM_HEADER_LENGTH, - cookie, cookielen); - -*p++ = DTLS1_MT_HELLO_VERIFY_REQUEST; - -/* Message length */ -l2n3(msglen, p); - -/* Message sequence number is always 0 for a HelloVerifyRequest */ -s2n(0, p); - -/* - * We never fragment a HelloVerifyRequest, so fragment offset is 0 - * and fragment length is message length - */ -l2n3(0, p); -l2n3(msglen, p); - -/* Set reclen equal to length of whole handshake message */ -reclen = msglen + DTLS1_HM_HEADER_LENGTH; - -/* Add the record header */ -p = buf; - -*(p++) = SSL3_RT_HANDSHAKE; /* * Special case: for hello verify request, client version 1.0 and we * haven't decided which version to use yet send back using version * 1.0 header: otherwise some clients will ignore it. */ -if (s->method->version == DTLS_ANY_VERSION) { -*(p++) = DTLS1_VERSION >> 8; -*(p++) = DTLS1_VERSION & 0xff; -} else { -*(p++) = s->version >> 8; -*(p++) = s->version & 0xff; +version = (s->method->version == DTLS_ANY_VERSION) ? DTLS1_VERSION + : s->version; + +/* Construct the record and message headers */ +if (!WPACKET_init(, s->init_buf) +|| !WPACKET_put_bytes_u8(, SSL3_RT_HANDSHAKE) +|| !WPACKET_put_bytes_u16(, version) + /* +* Record sequence number is always the same as in the +* received ClientHello +*/ +|| !WPACKET_memcpy(, seq, SEQ_NUM_SIZE) + /* End of record, start sub packet for message */ +|| !WPACKET_start_sub_packet_u16() + /* Message type */ +|| !WPACKET_put_bytes_u8(, + DTLS1_MT_HELLO_VERIFY_REQUEST) + /* +
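Review bot: the failure branch of the chained WPACKET_init()/WPACKET_put_bytes_u8()/WPACKET_put_bytes_u16()/WPACKET_memcpy()/WPACKET_start_sub_packet_u16() condition lies beyond the end of the visible hunk, so it cannot be confirmed here that a failure part-way through calls WPACKET_cleanup() before DTLSv1_listen() returns; since the record is being written straight into s->init_buf, leaving a half-built packet behind is the thing to avoid, and the use of the newly declared wreclen likewise falls outside the visible lines. The version handling is preserved correctly (DTLS1_VERSION when s->method->version == DTLS_ANY_VERSION, otherwise s->version), and dropping p and reclen from the declarations in the first hunk matches their disappearance from the body. The extracted text has lost the &wpkt argument from the WPACKET_* calls and the &buf[...] from the removed p assignment; those gaps are extraction damage, not defects in the patch.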
[openssl-commits] [web] master update
The branch master has been updated via 50b169440002898052ea41e9a9393ed41a68e7b2 (commit) from d6a33b3c69b5776beaba29c61823e2474a00d17d (commit) - Log - commit 50b169440002898052ea41e9a9393ed41a68e7b2 Author: Richard LevitteDate: Thu Sep 22 20:48:34 2016 +0200 Make the links in the topmost sidebar.shtml rooted The reason is quite simple. If a URL doesn't lead to a page, err404.html is loaded and this sidebar along with it. Now, consider the URL https://www.openssl.org/files/. Clicking on "Downloads: source code" will get you to https://www.openssl.org/files/source rather than https://www.openssl.org/source... --- Summary of changes: sidebar.shtml | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/sidebar.shtml b/sidebar.shtml index 1b3d6b6..37b715e 100644 --- a/sidebar.shtml +++ b/sidebar.shtml @@ -1,28 +1,28 @@ -Home +Home -Downloads: Source code +Downloads: Source code -Docs: FAQ, FIPS, manpages, ... +Docs: FAQ, FIPS, manpages, ... -News: Latest information +News: Latest information -Policies: How we operate +Policies: How we operate -Community: Blog, bugs, email, ... +Community: Blog, bugs, email, ... -Support: Commercial support and contracting +Support: Commercial support and contracting -Sponsor Acknowledgements +Sponsor Acknowledgements _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Errored: openssl/openssl#6153 (OpenSSL_1_0_2-stable - f15a7e3)
Build Update for openssl/openssl
Build: #6153
Status: Errored
Duration: 25 minutes and 33 seconds
Commit: f15a7e3 (OpenSSL_1_0_2-stable)
Author: Dirk Feytons
Message: Fix build with no-nextprotoneg
Add a missing ifdef. Same change is already present in master.
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1100)
View the changeset: https://github.com/openssl/openssl/compare/581215a519c6...f15a7e39a1f7
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161931598
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via f15a7e39a1f7d41716ca5f07faef74f55147d2cf (commit) from 581215a519c66db7255ea360ed25bb00033ccd52 (commit) - Log - commit f15a7e39a1f7d41716ca5f07faef74f55147d2cf Author: Dirk FeytonsDate: Thu Sep 22 16:17:45 2016 +0200 Fix build with no-nextprotoneg Add a missing ifdef. Same change is already present in master. Reviewed-by: Matt Caswell Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/1100) --- Summary of changes: ssl/t1_ext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c index 724ddf7..79ed946 100644 --- a/ssl/t1_ext.c +++ b/ssl/t1_ext.c @@ -275,7 +275,9 @@ int SSL_extension_supported(unsigned int ext_type) case TLSEXT_TYPE_ec_point_formats: case TLSEXT_TYPE_elliptic_curves: case TLSEXT_TYPE_heartbeat: +# ifndef OPENSSL_NO_NEXTPROTONEG case TLSEXT_TYPE_next_proto_neg: +# endif case TLSEXT_TYPE_padding: case TLSEXT_TYPE_renegotiate: case TLSEXT_TYPE_server_name: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
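Review bot: the #ifndef OPENSSL_NO_NEXTPROTONEG guard is the right minimal fix for this hunk, and with it SSL_extension_supported() simply stops recognising TLSEXT_TYPE_next_proto_neg in no-nextprotoneg builds, which is the correct answer because the extension genuinely is not compiled in. Since the stable branch broke on a configuration that master already handled, it would be worth adding a no-nextprotoneg build to the regular CI matrix for the stable branches so the next such divergence is caught before a release.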
[openssl-commits] [web] master update
The branch master has been updated via d6a33b3c69b5776beaba29c61823e2474a00d17d (commit) from fbd32b1a5c7f0d7bc90e8a716bdf44cbfbeeb7a6 (commit) - Log - commit d6a33b3c69b5776beaba29c61823e2474a00d17d Author: Steve MarquessDate: Thu Sep 22 10:42:26 2016 -0400 Add 2.0.13 Security Policy --- Summary of changes: ...Policy-2.0.11.pdf => SecurityPolicy-2.0.13.pdf} | Bin 902341 -> 916608 bytes 1 file changed, 0 insertions(+), 0 deletions(-) copy docs/fips/{SecurityPolicy-2.0.11.pdf => SecurityPolicy-2.0.13.pdf} (87%) diff --git a/docs/fips/SecurityPolicy-2.0.11.pdf b/docs/fips/SecurityPolicy-2.0.13.pdf similarity index 87% copy from docs/fips/SecurityPolicy-2.0.11.pdf copy to docs/fips/SecurityPolicy-2.0.13.pdf index e4354dd..e4ea6c6 100644 Binary files a/docs/fips/SecurityPolicy-2.0.11.pdf and b/docs/fips/SecurityPolicy-2.0.13.pdf differ _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Passed: openssl/openssl#6147 (OpenSSL_1_1_0a - ac2c44c)
Build Update for openssl/openssl
Build: #6147
Status: Passed
Duration: 48 minutes and 1 second
Commit: ac2c44c (OpenSSL_1_1_0a)
Author: Matt Caswell
Message: Prepare for 1.1.0a release
Reviewed-by: Richard Levitte
View the changeset: https://github.com/openssl/openssl/compare/OpenSSL_1_1_0a
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161875987
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 581215a519c66db7255ea360ed25bb00033ccd52 (commit) from 9d264d11a93413d2724b7c8c873e56b2ddd8c53f (commit) - Log - commit 581215a519c66db7255ea360ed25bb00033ccd52 Author: Rich SalzDate: Thu Sep 22 08:47:45 2016 -0400 Fix typo introduced by a03f81f4 Reviewed-by: Richard Levitte --- Summary of changes: crypto/engine/eng_cryptodev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 65a74df..2a2b95c 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -939,7 +939,7 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) if (fstate->mac_len != 0) { if (fstate->mac_data != NULL) { dstate->mac_data = OPENSSL_malloc(fstate->mac_len); -if (dstate->ac_data == NULL) { +if (dstate->mac_data == NULL) { printf("cryptodev_digest_init: malloc failed\n"); return 0; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
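Review bot: with the dstate->mac_data typo fixed, the failure branch of this hunk still reports the wrong function name (the message says cryptodev_digest_init but the enclosing function is cryptodev_digest_copy()) and does so with printf() to stdout, which is not appropriate inside library code; pushing an error through ENGINEerr()/ERR_put_error(), or at minimum writing to stderr, would be the better choice. Returning 0 without any cleanup is fine here because the failed allocation is the only resource this branch touched.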
[openssl-commits] [openssl] master update
The branch master has been updated via f3b3d7f0033080f86ede5a53e8af2fb313091b5a (commit) from 39c136cc53d7b6fafdd1a0b52c035fd24358e01c (commit) - Log - commit f3b3d7f0033080f86ede5a53e8af2fb313091b5a Author: Rich SalzDate: Tue Aug 30 13:31:18 2016 -0400 Add -Wswitch-enum Change code so when switching on an enumeration, have case's for all enumeration values. Reviewed-by: Andy Polyakov --- Summary of changes: Configure| 3 +- apps/apps.c | 12 ++-- apps/openssl.c | 16 +++ apps/ts.c| 15 -- crypto/asn1/bio_asn1.c | 4 +-- crypto/ct/ct_sct.c | 13 + crypto/ec/ec_lib.c | 22 +++ crypto/ec/ecp_nistz256.c | 10 +++ crypto/ui/ui_lib.c | 51 ++ crypto/ui/ui_openssl.c | 9 -- crypto/x509/x509_lu.c| 8 +++--- ssl/statem/statem.c | 14 +++--- ssl/statem/statem_clnt.c | 72 +--- ssl/statem/statem_srvr.c | 69 +- test/ct_test.c | 5 +++- test/handshake_helper.c | 13 + 16 files changed, 200 insertions(+), 136 deletions(-) diff --git a/Configure b/Configure index 0cfc3ea..bfb9dbf 100755 --- a/Configure +++ b/Configure @@ -114,6 +114,7 @@ my $gcc_devteam_warn = "-DDEBUG_UNUSED" # it grew impossible to resolve this without sizeable additional # code, so we just tell compiler to be pedantic about everything # but 'long long' type. +. " -Wswitch" . " -DPEDANTIC -pedantic -Wno-long-long" . " -Wall" . " -Wsign-compare" @@ -127,7 +128,6 @@ my $gcc_devteam_warn = "-DDEBUG_UNUSED" # These are used in addition to $gcc_devteam_warn when the compiler is clang. # TODO(openssl-team): fix problems and investigate if (at least) the # following warnings can also be enabled: -# -Wswitch-enum # -Wcast-align # -Wunreachable-code # -Wlanguage-extension-token -- no, we use asm() @@ -136,6 +136,7 @@ my $gcc_devteam_warn = "-DDEBUG_UNUSED" my $clang_devteam_warn = "" . " -Qunused-arguments" . " -Wextra" +. " -Wswitch -Wswitch-default" . " -Wno-unused-parameter" . " -Wno-missing-field-initializers" . " -Wno-language-extension-token" diff --git a/apps/apps.c b/apps/apps.c index aa564b8..b287748 100644 --- a/apps/apps.c 
+++ b/apps/apps.c @@ -188,7 +188,11 @@ static int ui_read(UI *ui, UI_STRING *uis) return 1; } } -default: +break; +case UIT_NONE: +case UIT_BOOLEAN: +case UIT_INFO: +case UIT_ERROR: break; } } @@ -208,7 +212,11 @@ static int ui_write(UI *ui, UI_STRING *uis) if (password && password[0] != '\0') return 1; } -default: +break; +case UIT_NONE: +case UIT_BOOLEAN: +case UIT_INFO: +case UIT_ERROR: break; } } diff --git a/apps/openssl.c b/apps/openssl.c index 4f4175c..fceb458 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -393,26 +393,32 @@ int list_main(int argc, char **argv) return 0; } +typedef enum HELP_CHOICE { +OPT_hERR = -1, OPT_hEOF = 0, OPT_hHELP +} HELP_CHOICE; + OPTIONS help_options[] = { -{"help", OPT_HELP, '-', "Display this summary"}, +{"help", OPT_hHELP, '-', "Display this summary"}, {NULL} }; + int help_main(int argc, char **argv) { FUNCTION *fp; int i, nl; FUNC_TYPE tp; char *prog; -HELPLIST_CHOICE o; +HELP_CHOICE o; prog = opt_init(argc, argv, help_options); -while ((o = opt_next()) != OPT_EOF) { +while ((o = opt_next()) != OPT_hEOF) { switch (o) { -default: +case OPT_hERR: +case OPT_hEOF: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); return 1; -case OPT_HELP: +case OPT_hHELP: opt_help(help_options); return 0; } diff --git a/apps/ts.c b/apps/ts.c index eda5297..e785ea0 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -296,19 +296,14 @@ int ts_main(int argc, char **argv) goto end; /* Check parameter consistency and execute the appropriate function. */ -switch (mode) { -default: -case OPT_ERR: -goto opthelp; -case OPT_QUERY: +if (mode == OPT_QUERY) { if (vpmtouched) goto opthelp; if ((data != NULL) && (digest != NULL)) goto opthelp; ret = !query_command(data, digest, md, policy, no_nonce, cert, in, out, text); -
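Review bot: the Configure hunks add -Wswitch to gcc_devteam_warn and -Wswitch -Wswitch-default to clang_devteam_warn, while the commit title and the removed TODO entry both refer to -Wswitch-enum; -Wswitch is silenced by a default: label, so it will not catch an omitted enumerator in any switch that keeps a default, whereas -Wswitch-enum warns regardless. If -Wswitch-enum is what is intended, the flag strings should say so; if not, the title and the TODO removal are misleading. Separately, -Wswitch-default requests a warning on every switch without a default: label, which pulls in the opposite direction from this commit's removal of default: labels in apps/apps.c and apps/openssl.c.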
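Review bot: in the apps/openssl.c hunk the new case OPT_hEOF: label inside help_main() can never be reached, because the enclosing while loop exits as soon as opt_next() returns OPT_hEOF; it exists only to make the switch exhaustive, and a one-line comment saying so would spare the next reader a search for a path to it. Giving the help command its own HELP_CHOICE enum (OPT_hERR, OPT_hEOF, OPT_hHELP) is a reasonable way to satisfy the warning without listing every OPT_ value.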
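Review bot: in the apps/ts.c hunk the switch (mode) that routed both default: and OPT_ERR to opthelp is replaced by if (mode == OPT_QUERY), and the remaining branches are beyond the visible lines; please confirm that an unset or unrecognised mode still reaches opthelp rather than silently doing nothing, since that was the behaviour the removed default: label provided.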
[openssl-commits] Passed: openssl/openssl#6146 (OpenSSL_1_0_2i - 32c1301)
Build Update for openssl/openssl
Build: #6146
Status: Passed
Duration: 18 minutes and 44 seconds
Commit: 32c1301 (OpenSSL_1_0_2i)
Author: Matt Caswell
Message: Prepare for 1.0.2i release
Reviewed-by: Richard Levitte
View the changeset: https://github.com/openssl/openssl/compare/OpenSSL_1_0_2i
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161875963
[openssl-commits] [web] master update
The branch master has been updated via fbd32b1a5c7f0d7bc90e8a716bdf44cbfbeeb7a6 (commit) from 08e980caee8d6252b0838e9924498db12083203b (commit) - Log - commit fbd32b1a5c7f0d7bc90e8a716bdf44cbfbeeb7a6 Author: Matt Caswell <m...@openssl.org> Date: Thu Sep 22 11:10:48 2016 +0100 Update website for new release --- Summary of changes: news/newsflash.txt | 4 + news/secadv/20160922.txt | 361 + news/vulnerabilities.xml | 590 ++- 3 files changed, 954 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20160922.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 0a90069..6eb393c 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,10 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +22-Sep-2016: Security Advisory: several security fixes +22-Sep-2016: OpenSSL 1.1.0a is now available, including bug and security fixes +22-Sep-2016: OpenSSL 1.0.2i is now available, including bug and security fixes +22-Sep-2016: OpenSSL 1.0.1u is now available, including bug and security fixes 19-Sep-2016: OpenSSL 1.1.0a, 1.0.2i, 1.0.1u https://mta.openssl.org/pipermail/openssl-announce/2016-September/76.html;>security releases due 22nd Sep 2016 25-Aug-2016: OpenSSL 1.1.0 is now available 04-Aug-2016: Beta 3 (pre-release 6) of OpenSSL 1.1.0 is now available: please download and test it diff --git a/news/secadv/20160922.txt b/news/secadv/20160922.txt new file mode 100644 index 000..c35d70a --- /dev/null +++ b/news/secadv/20160922.txt 
@@ -0,0 +1,361 @@ + +OpenSSL Security Advisory [22 Sep 2016] + + +OCSP Status Request extension unbounded memory growth (CVE-2016-6304) += + +Severity: High + +A malicious client can send an excessively large OCSP Status Request extension. +If that client continually requests renegotiation, sending a large OCSP Status +Request extension each time, then there will be unbounded memory growth on the +server. This will eventually lead to a Denial Of Service attack through memory +exhaustion. Servers with a default configuration are vulnerable even if they do +not support OCSP. Builds using the "no-ocsp" build time option are not affected. + +Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default +configuration, instead only if an application explicitly enables OCSP stapling +support. + +OpenSSL 1.1.0 users should upgrade to 1.1.0a +OpenSSL 1.0.2 users should upgrade to 1.0.2i +OpenSSL 1.0.1 users should upgrade to 1.0.1u + +This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear Team, +Qihoo 360 Inc.). The fix was developed by Matt Caswell of the OpenSSL +development team. + +SSL_peek() hang on empty record (CVE-2016-6305) +=== + +Severity: Moderate + +OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer sends an +empty record. This could be exploited by a malicious peer in a Denial Of Service +attack. + +OpenSSL 1.1.0 users should upgrade to 1.1.0a + +This issue was reported to OpenSSL on 10th September 2016 by Alex Gaynor. The +fix was developed by Matt Caswell of the OpenSSL development team. + +SWEET32 Mitigation (CVE-2016-2183) +== + +Severity: Low + +SWEET32 (https://sweet32.info) is an attack on older block cipher algorithms +that use a block size of 64 bits. In mitigation for the SWEET32 attack DES based +ciphersuites have been moved from the HIGH cipherstring group to MEDIUM in +OpenSSL 1.0.1 and OpenSSL 1.0.2. OpenSSL 1.1.0 since release has had these +ciphersuites disabled by default. 
+ +OpenSSL 1.0.2 users should upgrade to 1.0.2i +OpenSSL 1.0.1 users should upgrade to 1.0.1u + +This issue was reported to OpenSSL on 16th August 2016 by Karthikeyan +Bhargavan and Gaetan Leurent (INRIA). The fix was developed by Rich Salz of the +OpenSSL development team. + +OOB write in MDC2_Update() (CVE-2016-6303) +== + +Severity: Low + +An overflow can occur in MDC2_Update() either if called directly or +through the EVP_DigestUpdate() function using MDC2. If an attacker +is able to supply very large amounts of input data after a previous +call to EVP_EncryptUpdate() with a partial block then a length check +can overflow resulting in a heap corruption. + +The amount of data needed is comparable to SIZE_MAX which is impractical +on most platforms. + +OpenSSL 1.0.2 users should upgrade to 1.0.2i +OpenSSL 1.0.1 users should upgrade to 1.0.1u + +This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear Team, +Qihoo 360 Inc.). Th
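Review bot: in the "OOB write in MDC2_Update() (CVE-2016-6303)" section the trigger is described as large input supplied "after a previous call to EVP_EncryptUpdate() with a partial block", but MDC2 is a digest and the same paragraph names EVP_DigestUpdate() as the entry point, so EVP_DigestUpdate() looks like the intended function; that should be corrected before the advisory is published, since readers will use it to judge their exposure.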
[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
The branch OpenSSL_1_0_1-stable has been updated
  via 52a69c480d243f727c8393fb42b9ff9da742c143 (commit)
  via 888759a1d38197f29de7227876c3b58fbff8549f (commit)
  via 16ec56f0cd6337a2506dce4a1e7ef91e0b7ecb76 (commit)
  via ab650f07a0dabc01a4410f8f702c3cea7932da62 (commit)
  via 2c0d295e26306e15a92eb23a84a1802005c1c137 (commit)
  from 151adf2e5cc23284a059e0f155505006a1c9fad9 (commit)

- Log -
commit 52a69c480d243f727c8393fb42b9ff9da742c143
Author: Matt Caswell
Date: Thu Sep 22 11:31:45 2016 +0100

    Prepare for 1.0.1v-dev

    Reviewed-by: Richard Levitte

commit 888759a1d38197f29de7227876c3b58fbff8549f
Author: Matt Caswell
Date: Thu Sep 22 11:30:27 2016 +0100

    Prepare for 1.0.1u release

    Reviewed-by: Richard Levitte

commit 16ec56f0cd6337a2506dce4a1e7ef91e0b7ecb76
Author: Matt Caswell
Date: Wed Sep 21 23:20:45 2016 +0100

    Updates CHANGES and NEWS for new release

    Reviewed-by: Richard Levitte

commit ab650f07a0dabc01a4410f8f702c3cea7932da62
Author: Dmitry Belyavsky
Date: Mon Sep 19 16:05:53 2016 +0100

    Avoid KCI attack for GOST

    Russian GOST ciphersuites are vulnerable to the KCI attack because they use long-term keys to establish the connection when ssl client authorization is on. This change brings the GOST implementation into line with the latest specs in order to avoid the attack. It should not break backwards compatibility.

    Reviewed-by: Rich Salz
    Reviewed-by: Richard Levitte
    Reviewed-by: Matt Caswell

commit 2c0d295e26306e15a92eb23a84a1802005c1c137
Author: Matt Caswell
Date: Fri Sep 9 10:08:45 2016 +0100

    Fix OCSP Status Request extension unbounded memory growth

    A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP.
Builds using the "no-ocsp" build time option are not affected. I have also checked other extensions to see if they suffer from a similar problem but I could not find any other issues. CVE-2016-6304 Issue reported by Shi Lei. Reviewed-by: Rich Salz --- Summary of changes: CHANGES | 164 +- NEWS | 16 +- README| 2 +- crypto/opensslv.h | 6 +- openssl.spec | 2 +- ssl/s3_clnt.c | 19 --- ssl/t1_lib.c | 24 +--- 7 files changed, 198 insertions(+), 35 deletions(-) diff --git a/CHANGES b/CHANGES index f89b50b..e2edbaf 100644 --- a/CHANGES +++ b/CHANGES 
@@ -2,12 +2,170 @@ OpenSSL CHANGES ___ - Changes between 1.0.1t and 1.0.1u [xx XXX ] + Changes between 1.0.1u and 1.0.1v [xx XXX ] - *) In order to mitigate the SWEET32 attack (CVE-2016-2183), - the DES ciphers were moved from HIGH to MEDIUM. + *) + + Changes between 1.0.1t and 1.0.1u [22 Sep 2016] + + *) OCSP Status Request extension unbounded memory growth + + A malicious client can send an excessively large OCSP Status Request + extension. If that client continually requests renegotiation, sending a + large OCSP Status Request extension each time, then there will be unbounded + memory growth on the server. This will eventually lead to a Denial Of + Service attack through memory exhaustion. Servers with a default + configuration are vulnerable even if they do not support OCSP. Builds using + the "no-ocsp" build time option are not affected. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6304) + [Matt Caswell] + + *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from + HIGH to MEDIUM. + + This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan + Leurent (INRIA) + (CVE-2016-2183) [Rich Salz] + *) OOB write in MDC2_Update() + + An overflow can occur in MDC2_Update() either if called directly or + through the EVP_DigestUpdate() function using MDC2. If an attacker + is able to supply very large amounts of input data after a previous + call to EVP_EncryptUpdate() with a partial block then a length check + can overflow resulting in a heap corruption. + + The amount of data needed is comparable to SIZE_MAX which
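Review bot: the SWEET32 entry in this hunk reads "This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan Leurent (INRIA)" and is missing "by", and the MDC2_Update() entry carries the same EVP_EncryptUpdate() reference as the advisory text even though the entry point it names is EVP_DigestUpdate(). The empty "*)" placeholder under "Changes between 1.0.1u and 1.0.1v [xx XXX ]" is the usual shape of a freshly opened development section, so nothing to change there.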
[openssl-commits] [openssl] OpenSSL_1_0_2i create
The annotated tag OpenSSL_1_0_2i has been created
  at c3b111de3699ae812738e61c6b01101ea6a12b74 (tag)
  tagging 32c130160f7dac2cef5d0e30d94b335e4a87104d (commit)
  replaces OpenSSL_1_0_2h
  tagged by Matt Caswell
  on Thu Sep 22 11:24:53 2016 +0100

- Log -
OpenSSL 1.0.2i release tag

Alessandro Ghedini (1):
  Avoid double declaration of COMP_METHOD Reviewed-by: Matt Caswell Reviewed-by: Kurt Roeckx Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/1083)

Andy Polyakov (16):
  rand/randfile.c: remove _XOPEN_SOURCE definition.
  hmac/hmac.c: switch to OPENSSL_cleanse.
  crypto/mem_clr.c: switch to OPENSSL_cleanse implementation from master.
  crypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.
  crypto/sparccpuid.S: limit symbol visibility.
  aes/asm/bsaes-armv7.pl: fix XTS decrypt test failure.
  aes/asm/bsaes-armv7.pl: omit redundant stores in XTS subroutines.
  doc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.
  SPARC assembly pack: enforce V8+ ABI constraints.
  sha/asm/sha1-x86_64.pl: fix crash in SHAEXT code on Windows.
  ec/ecp_nistz256.c: get is_one on 32-bit platforms right.
  bn/asm/x86[_64]-mont*.pl: implement slightly alternative page-walking.
  ec/asm/ecp_nistz256-x86_64.pl: addition to perform stricter reduction.
  ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity.
  ec/asm/ecp_nistz256-x86_64.pl: /cmovb/cmovc/ as nasm doesn't recognize cmovb.
  crypto/bn/*: x86[_64] division instruction doesn't handle constants, change constraint from 'g' to 'r'.
Cesar Pereida (1):
  Fix DSA, preserve BN_FLG_CONSTTIME

Cristian Stoica (1):
  remove double initialization of cryptodev engine

Cynh (1):
  Fix SRP client key computation

David Benjamin (2):
  Don't send signature algorithms when client_version is below TLS 1.2.
  Don't check for malloc failure twice.

David Woodhouse (4):
  Fix SSL_export_keying_material() for DTLS1_BAD_VER
  Fix ubsan 'left shift of negative value -1' error in satsub64be()
  Add basic test for Cisco DTLS1_BAD_VER and record replay handling
  Avoid EVP_PKEY_cmp() crash on EC keys without public component

Dirk Feytons (1):
  Fix build with no-cmac

Dmitry Belyavsky (1):
  Avoid KCI attack for GOST

Dr. Matthias St. Pierre (1):
  RT3925: Remove trailing semi from #define's.

Dr. Stephen Henson (50):
  add documentation Fix double free in d2i_PrivateKey(). Fix name length limit check. Always try to set ASN.1 parameters for CMS. Use default ASN.1 for SEED. Only set CMS parameter when encrypting Tidy up PKCS12_newpass() fix memory leaks. Constify PKCS12_newpass() Only call FIPS_update, FIPS_final in FIPS mode. Typo. Add -signcert to CA.pl usage message. Parameter copy sanity checks. Don't skip leading zeroes in PSK keys. Fix link error. Fix omitted selector handling. Don't indicate errors during initial adb decode. Fix print of ASN.1 BIGNUM type. Check and print out boolean type properly. Support PKCS v2.0 print in pkcs12 utility. Send alert on CKE error. Sanity check in ssl_get_algorithm2(). Clarify digest change in HMAC_Init_ex() Fix OOB read in TS_OBJ_print_bio(). Send alert for bad DH CKE Use newest CRL. Set error if EVP_CipherUpdate fails. Note cipher BIO write errors too. Fix CRL time comparison. Check for overlows and error return from ASN1_object_size() Check for overflows in ASN1_object_size(). include Calculate sequence length properly. Limit status message sisze in ts_get_status_check Check for overflows in i2d_ASN1_SET() Limit recursion depth in old d2i_ASN1_bytes function Leak fixes. Sanity check input length in OPENSSL_uni2asc(). Check for errors in a2d_ASN1_OBJECT() Check for errors in BN_bn2dec() Limit reads in do_b2i_bio() Sanity check ticket length. Avoid overflow in MDC2_Update() Fix memory leak on error. Fix memory leak on error. Fix memory leak on realloc error. update default dependencies Fix small OOB reads. Remove unnecessary check. Use
[openssl-commits] [openssl] OpenSSL_1_0_1u create
The annotated tag OpenSSL_1_0_1u has been created
  at 1883c9e66f488b03bacf2fb634ae0cda438352b1 (tag)
  tagging 888759a1d38197f29de7227876c3b58fbff8549f (commit)
  replaces OpenSSL_1_0_1t
  tagged by Matt Caswell
  on Thu Sep 22 11:30:27 2016 +0100

- Log -
OpenSSL 1.0.1u release tag

Cesar Pereida (1):
  Fix DSA, preserve BN_FLG_CONSTTIME

David Woodhouse (1):
  Fix SSL_export_keying_material() for DTLS1_BAD_VER

Dmitry Belyavsky (1):
  Avoid KCI attack for GOST

Dr. Stephen Henson (29):
  add documentation Fix double free in d2i_PrivateKey(). Fix name length limit check. Always try to set ASN.1 parameters for CMS. Use default ASN.1 for SEED. Only set CMS parameter when encrypting Tidy up PKCS12_newpass() fix memory leaks. Constify PKCS12_newpass() Only call FIPS_update, FIPS_final in FIPS mode. Update S/MIME certificates. Fix OOB read in TS_OBJ_print_bio(). Check for overlows and error return from ASN1_object_size() Check for overflows in ASN1_object_size(). include Calculate sequence length properly. Check for overflows in i2d_ASN1_SET() Limit recursion depth in old d2i_ASN1_bytes function Leak fixes. Sanity check input length in OPENSSL_uni2asc(). Check for errors in a2d_ASN1_OBJECT() Check for errors in BN_bn2dec() Limit reads in do_b2i_bio() Sanity check ticket length. Avoid overflow in MDC2_Update() Fix small OOB reads. Remove unnecessary check. Use SSL3_HM_HEADER_LENGTH instead of 4. Make message buffer slightly larger than message. update default dependency options

Kazuki Yamaguchi (1):
  Fix overflow check in BN_bn2dec()

Kurt Roeckx (2):
  Return error when trying to print invalid ASN1 integer
  Fix off by 1 in ASN1_STRING_set()

Matt Caswell (16):
  Prepare for 1.0.1u-dev
  Check that the obtained public key is valid
  Fix error return value in SRP functions
  Avoid some undefined pointer arithmetic
  Update CONTRIBUTING
  More fix DSA, preserve BN_FLG_CONSTTIME
  Change usage of RAND_pseudo_bytes to RAND_bytes
  Convert memset calls to OPENSSL_cleanse
  Fix DTLS unprocessed records bug
  Fix DTLS replay protection
  Update function error code
  Fix DTLS buffered message DoS attack
  Prevent DTLS Finished message injection
  Fix OCSP Status Request extension unbounded memory growth
  Updates CHANGES and NEWS for new release
  Prepare for 1.0.1u release

Rich Salz (3):
  Recommend GH over RT, per team vote.
  RT3940: For now, just document the issue.
  SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM

Richard Levitte (4):
  Check that the subject name in a proxy cert complies to RFC 3820
  Fix proxy certificate pathlength verification
  Allow proxy certs to be present when verifying a chain
  make update to have PEM_R_HEADER_TOO_LONG defined

Viktor Dukhovni (2):
  Clarify negative return from X509_verify_cert()
  Ensure verify error is set when X509_verify_cert() fails
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
  via  5fe5914d3068128cdc6b08fe72746bb516a30b8a (commit)
  via  ac2c44c6289f9716de4c4beeb284a818eacde517 (commit)
  via  f3e189613fdbe7404bfbbca2caccf5cbd19e2ffc (commit)
  via  d3c9d6e99f075e6fbdab94db00b220cfa08b5c4b (commit)
  via  63658103d4441924f8dbfc517b99bb54758a98b9 (commit)
  via  6d32c2ae28952b5c1d7a24968e488532fcadc51a (commit)
  via  f6a7505e64d06f9d41e01b763b684e4e2df34922 (commit)
  via  7409b0aae569b5ba4476076fbea3226d606c50ba (commit)
  via  1645f3f4b9f717133ffcaf3398508ed2ddc81374 (commit)
  via  a59ab1c4dd27a4c7c6e88f3c33747532fd144412 (commit)
 from  d8e94b0d8fe412c19bc230593a960b7db73a8e7b (commit)

- Log -
commit 5fe5914d3068128cdc6b08fe72746bb516a30b8a
Author: Matt Caswell
Date:   Thu Sep 22 11:15:54 2016 +0100

    Prepare for 1.1.0b-dev

    Reviewed-by: Richard Levitte

commit ac2c44c6289f9716de4c4beeb284a818eacde517
Author: Matt Caswell
Date:   Thu Sep 22 11:14:50 2016 +0100

    Prepare for 1.1.0a release

    Reviewed-by: Richard Levitte

commit f3e189613fdbe7404bfbbca2caccf5cbd19e2ffc
Author: Matt Caswell
Date:   Wed Sep 21 21:59:49 2016 +0100

    Updates CHANGES and NEWS for new release

    Reviewed-by: Richard Levitte

commit d3c9d6e99f075e6fbdab94db00b220cfa08b5c4b
Author: Dmitry Belyavsky
Date:   Mon Sep 19 15:53:35 2016 +0100

    Avoid KCI attack for GOST

    Russian GOST ciphersuites are vulnerable to the KCI attack because they use long-term keys to establish the connection when ssl client authorization is on. This change brings the GOST implementation into line with the latest specs in order to avoid the attack. It should not break backwards compatibility.

    Reviewed-by: Rich Salz
    Reviewed-by: Matt Caswell

commit 63658103d4441924f8dbfc517b99bb54758a98b9
Author: Matt Caswell
Date:   Sat Sep 10 21:24:40 2016 +0100

    Fix a hang with SSL_peek()

    If while calling SSL_peek() we read an empty record then we go into an infinite loop, continually trying to read data from the empty record and never making any progress.

    This could be exploited by a malicious peer in a Denial Of Service attack.

    CVE-2016-6305

    GitHub Issue #1563

    Reviewed-by: Rich Salz

commit 6d32c2ae28952b5c1d7a24968e488532fcadc51a
Author: Matt Caswell
Date:   Fri Sep 9 10:53:39 2016 +0100

    Fix a mem leak in NPN handling

    If a server sent multiple NPN extensions in a single ClientHello then a mem leak can occur. This will only happen where the client has requested NPN in the first place. It does not occur during renegotiation. Therefore the maximum that could be leaked in a single connection with a malicious server is 64k (the maximum size of the ServerHello extensions section). As this is client side, only occurs if NPN has been requested and does not occur during renegotiation this is unlikely to be exploitable.

    Issue reported by Shi Lei.

    Reviewed-by: Rich Salz

commit f6a7505e64d06f9d41e01b763b684e4e2df34922
Author: Matt Caswell
Date:   Tue Sep 13 17:02:03 2016 +0100

    Add some more OCSP testing

    Test that the OCSP callbacks work as expected.

    Reviewed-by: Rich Salz

commit 7409b0aae569b5ba4476076fbea3226d606c50ba
Author: Matt Caswell
Date:   Tue Sep 13 23:26:53 2016 +0100

    Add OCSP_RESPID_match()

    Add a function for testing whether a given OCSP_RESPID matches with a certificate.

    Reviewed-by: Rich Salz

commit 1645f3f4b9f717133ffcaf3398508ed2ddc81374
Author: Matt Caswell
Date:   Mon Sep 12 17:39:55 2016 +0100

    Add the ability to set OCSP_RESPID fields

    OCSP_RESPID was made opaque in 1.1.0, but no accessors were provided for setting the name/key value for the OCSP_RESPID.

    Reviewed-by: Rich Salz

commit a59ab1c4dd27a4c7c6e88f3c33747532fd144412
Author: Matt Caswell
Date:   Fri Sep 9 10:08:45 2016 +0100

    Fix OCSP Status Request extension unbounded memory growth

    A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated
  via  9d264d11a93413d2724b7c8c873e56b2ddd8c53f (commit)
  via  32c130160f7dac2cef5d0e30d94b335e4a87104d (commit)
  via  35aede1cd7411aa404512facfcb22e3859966ef6 (commit)
  via  92c8d6ae0d741fdca3b72baf627d16908dae64ce (commit)
  via  38f59bd1f1da9f5ef67044b35af26528e5b183dd (commit)
  via  ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f (commit)
 from  90d6f35162a9515287e75248e1f880cd1cc92c1f (commit)

- Log -
commit 9d264d11a93413d2724b7c8c873e56b2ddd8c53f
Author: Matt Caswell
Date:   Thu Sep 22 11:25:49 2016 +0100

    Prepare for 1.0.2j-dev

    Reviewed-by: Richard Levitte

commit 32c130160f7dac2cef5d0e30d94b335e4a87104d
Author: Matt Caswell
Date:   Thu Sep 22 11:24:53 2016 +0100

    Prepare for 1.0.2i release

    Reviewed-by: Richard Levitte

commit 35aede1cd7411aa404512facfcb22e3859966ef6
Author: Matt Caswell
Date:   Wed Sep 21 21:59:49 2016 +0100

    Updates CHANGES and NEWS for new release

    Reviewed-by: Richard Levitte

commit 92c8d6ae0d741fdca3b72baf627d16908dae64ce
Author: Dmitry Belyavsky
Date:   Mon Sep 19 16:05:53 2016 +0100

    Avoid KCI attack for GOST

    Russian GOST ciphersuites are vulnerable to the KCI attack because they use long-term keys to establish the connection when ssl client authorization is on. This change brings the GOST implementation into line with the latest specs in order to avoid the attack. It should not break backwards compatibility.

    Reviewed-by: Rich Salz
    Reviewed-by: Richard Levitte
    Reviewed-by: Matt Caswell

commit 38f59bd1f1da9f5ef67044b35af26528e5b183dd
Author: Matt Caswell
Date:   Fri Sep 9 10:53:39 2016 +0100

    Fix a mem leak in NPN handling

    If a server sent multiple NPN extensions in a single ClientHello then a mem leak can occur. This will only happen where the client has requested NPN in the first place. It does not occur during renegotiation. Therefore the maximum that could be leaked in a single connection with a malicious server is 64k (the maximum size of the ServerHello extensions section). As this is client side, only occurs if NPN has been requested and does not occur during renegotiation this is unlikely to be exploitable.

    Issue reported by Shi Lei.

    Reviewed-by: Rich Salz

commit ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f
Author: Matt Caswell
Date:   Fri Sep 9 10:08:45 2016 +0100

    Fix OCSP Status Request extension unbounded memory growth

    A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected.

    I have also checked other extensions to see if they suffer from a similar problem but I could not find any other issues.

    CVE-2016-6304

    Issue reported by Shi Lei.

    Reviewed-by: Rich Salz

Summary of changes:
 CHANGES           | 162 +-
 NEWS              |  16 +-
 README            |   2 +-
 crypto/opensslv.h |   6 +-
 openssl.spec      |   2 +-
 ssl/s3_clnt.c     |  19 ---
 ssl/t1_lib.c      |  29 +++---
 7 files changed, 201 insertions(+), 35 deletions(-)

diff --git a/CHANGES b/CHANGES index 6502fc3..c072379 100644 --- a/CHANGES +++ b/CHANGES
@@ -2,14 +2,170 @@ OpenSSL CHANGES ___ - Changes between 1.0.2h and 1.0.2i [xx XXX ] + Changes between 1.0.2i and 1.0.2j [xx XXX ] *) - *) In order to mitigate the SWEET32 attack (CVE-2016-2183), - the DES ciphers were moved from HIGH to MEDIUM. + Changes between 1.0.2h and 1.0.2i [22 Sep 2016] + + *) OCSP Status Request extension unbounded memory growth + + A malicious client can send an excessively large OCSP Status Request + extension. If that client continually requests renegotiation, sending a + large OCSP Status Request extension each time, then there will be unbounded + memory growth on the server. This will eventually lead to a Denial Of + Service attack through memory exhaustion. Servers with a default + configuration are vulnerable even if they do not support OCSP. Builds using + the "no-ocsp"
[openssl-commits] [openssl] master update
The branch master has been updated
  via  39c136cc53d7b6fafdd1a0b52c035fd24358e01c (commit)
  via  41b42807726e340538701021cdc196672330f4db (commit)
  via  b8d243956296458d1782af0d6e7ecfe6deae038a (commit)
  via  c31dbed70c0be1578276367a1ba420ac935d0c68 (commit)
  via  ba881d3b39829d22eede8f69412d187aaab487e9 (commit)
  via  a671b3e64abe782d37c705ae51e93f2013672f9d (commit)
  via  e12c0beb5a652ba0c3a71e633a77fafbb4f86aa4 (commit)
  via  e408c09bbf7c3057bda4b8d20bec1b3a7771c15b (commit)
 from  a449b47c7d8e20efc8cc524ed695a060b11ef889 (commit)

- Log -
commit 39c136cc53d7b6fafdd1a0b52c035fd24358e01c
Author: Matt Caswell
Date:   Wed Sep 21 21:59:49 2016 +0100

    Updates CHANGES and NEWS for new release

    Reviewed-by: Richard Levitte

commit 41b42807726e340538701021cdc196672330f4db
Author: Dmitry Belyavsky
Date:   Mon Sep 19 15:53:35 2016 +0100

    Avoid KCI attack for GOST

    Russian GOST ciphersuites are vulnerable to the KCI attack because they use long-term keys to establish the connection when ssl client authorization is on. This change brings the GOST implementation into line with the latest specs in order to avoid the attack. It should not break backwards compatibility.

    Reviewed-by: Rich Salz
    Reviewed-by: Matt Caswell

commit b8d243956296458d1782af0d6e7ecfe6deae038a
Author: Matt Caswell
Date:   Sat Sep 10 21:24:40 2016 +0100

    Fix a hang with SSL_peek()

    If while calling SSL_peek() we read an empty record then we go into an infinite loop, continually trying to read data from the empty record and never making any progress.

    This could be exploited by a malicious peer in a Denial Of Service attack.

    CVE-2016-6305

    GitHub Issue #1563

    Reviewed-by: Rich Salz

commit c31dbed70c0be1578276367a1ba420ac935d0c68
Author: Matt Caswell
Date:   Fri Sep 9 10:53:39 2016 +0100

    Fix a mem leak in NPN handling

    If a server sent multiple NPN extensions in a single ClientHello then a mem leak can occur. This will only happen where the client has requested NPN in the first place. It does not occur during renegotiation. Therefore the maximum that could be leaked in a single connection with a malicious server is 64k (the maximum size of the ServerHello extensions section). As this is client side, only occurs if NPN has been requested and does not occur during renegotiation this is unlikely to be exploitable.

    Issue reported by Shi Lei.

    Reviewed-by: Rich Salz

commit ba881d3b39829d22eede8f69412d187aaab487e9
Author: Matt Caswell
Date:   Tue Sep 13 17:02:03 2016 +0100

    Add some more OCSP testing

    Test that the OCSP callbacks work as expected.

    Reviewed-by: Rich Salz

commit a671b3e64abe782d37c705ae51e93f2013672f9d
Author: Matt Caswell
Date:   Tue Sep 13 23:26:53 2016 +0100

    Add OCSP_RESPID_match()

    Add a function for testing whether a given OCSP_RESPID matches with a certificate.

    Reviewed-by: Rich Salz

commit e12c0beb5a652ba0c3a71e633a77fafbb4f86aa4
Author: Matt Caswell
Date:   Mon Sep 12 17:39:55 2016 +0100

    Add the ability to set OCSP_RESPID fields

    OCSP_RESPID was made opaque in 1.1.0, but no accessors were provided for setting the name/key value for the OCSP_RESPID.

    Reviewed-by: Rich Salz

commit e408c09bbf7c3057bda4b8d20bec1b3a7771c15b
Author: Matt Caswell
Date:   Fri Sep 9 10:08:45 2016 +0100

    Fix OCSP Status Request extension unbounded memory growth

    A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected.

    I have also checked other extensions to see if they suffer from a similar problem but I could not find any other issues.

    CVE-2016-6304

    Issue reported by Shi Lei.

    Reviewed-by: Rich Salz

Summary of changes:
 CHANGES                             | 77 -
 NEWS                                | 11 +-
 crypto/ocsp/ocsp_srv.c              | 73 ++--
 doc/crypto/OCSP_response_status.pod | 34 +-
[openssl-commits] Passed: openssl/openssl#6141 (OpenSSL_1_1_0-stable - d8e94b0)
Build Update for openssl/openssl - Build: #6141 Status: Passed Duration: 7 minutes and 28 seconds Commit: d8e94b0 (OpenSSL_1_1_0-stable) Author: Richard Levitte Message: Fix error message typo, wrong function code Reviewed-by: Matt Caswell (cherry picked from commit a449b47c7d8e20efc8cc524ed695a060b11ef889) View the changeset: https://github.com/openssl/openssl/compare/2178c52a8bac...d8e94b0d8fe4 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161849972
[openssl-commits] Errored: openssl/openssl#6141 (OpenSSL_1_1_0-stable - d8e94b0)
Build Update for openssl/openssl - Build: #6141 Status: Errored Duration: 42 minutes and 3 seconds Commit: d8e94b0 (OpenSSL_1_1_0-stable) Author: Richard Levitte Message: Fix error message typo, wrong function code Reviewed-by: Matt Caswell (cherry picked from commit a449b47c7d8e20efc8cc524ed695a060b11ef889) View the changeset: https://github.com/openssl/openssl/compare/2178c52a8bac...d8e94b0d8fe4 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161849972
[openssl-commits] Fixed: openssl/openssl#6140 (master - a449b47)
Build Update for openssl/openssl - Build: #6140 Status: Fixed Duration: 40 minutes and 44 seconds Commit: a449b47 (master) Author: Richard Levitte Message: Fix error message typo, wrong function code Reviewed-by: Matt Caswell View the changeset: https://github.com/openssl/openssl/compare/48c054fec350...a449b47c7d8e View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161849909
[openssl-commits] [openssl] master update
The branch master has been updated
  via  a449b47c7d8e20efc8cc524ed695a060b11ef889 (commit)
 from  48c054fec3506417b2598837b8062aae7114c200 (commit)

- Log -
commit a449b47c7d8e20efc8cc524ed695a060b11ef889
Author: Richard Levitte
Date:   Thu Sep 22 10:15:02 2016 +0200

    Fix error message typo, wrong function code

    Reviewed-by: Matt Caswell

Summary of changes:
 ssl/statem/statem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 8bc1feb..5faf6ae 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -549,7 +549,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) (int)s->s3->tmp.message_size + SSL3_HM_HEADER_LENGTH)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); -SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, ERR_R_BUF_LIB); +SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB); return SUB_STATE_ERROR; }
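Review bot: confirm that SSL_F_READ_STATE_MACHINE already exists in the SSL error function-code table with a matching string entry, since the hunk only swaps it in for SSL_F_TLS_GET_MESSAGE_HEADER at this one SSLerr() call site; if the code is not in the table, ERR_error_string() will report an unknown function for this path and a `make update` belongs in the same change. The alert (SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR) and the SUB_STATE_ERROR return in the surrounding context are untouched, so the fix is confined to error attribution and has no protocol effect.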
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
  via  d8e94b0d8fe412c19bc230593a960b7db73a8e7b (commit)
 from  2178c52a8bacfd097a41f3f348fe51d8e4d1873e (commit)

- Log -
commit d8e94b0d8fe412c19bc230593a960b7db73a8e7b
Author: Richard Levitte
Date:   Thu Sep 22 10:15:02 2016 +0200

    Fix error message typo, wrong function code

    Reviewed-by: Matt Caswell
    (cherry picked from commit a449b47c7d8e20efc8cc524ed695a060b11ef889)

Summary of changes:
 ssl/statem/statem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 8bc1feb..5faf6ae 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -549,7 +549,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) (int)s->s3->tmp.message_size + SSL3_HM_HEADER_LENGTH)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); -SSLerr(SSL_F_TLS_GET_MESSAGE_HEADER, ERR_R_BUF_LIB); +SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB); return SUB_STATE_ERROR; }
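Review bot: same point as on the master commit a449b47 that this cherry-picks: the 1.1.0-stable error function-code table must already carry SSL_F_READ_STATE_MACHINE, otherwise the corrected SSLerr() attribution compiles but renders as an unknown function on this branch; the hunk itself is identical to master and changes nothing but the function code.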
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated
  via  90d6f35162a9515287e75248e1f880cd1cc92c1f (commit)
 from  22646a075e75991b4e8f5d67171e45a6aead5b48 (commit)

- Log -
commit 90d6f35162a9515287e75248e1f880cd1cc92c1f
Author: Richard Levitte
Date:   Thu Sep 22 10:01:38 2016 +0200

    mk1mf.pl: check for no-tls1 here as well

    Reviewed-by: Matt Caswell

Summary of changes:
 util/mk1mf.pl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 4eded5a..7a3ae11 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -277,6 +277,7 @@ $cflags.=" -DOPENSSL_NO_SOCK" if $no_sock; $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2; $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3; $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext; +$cflags.=" -DOPENSSL_NO_TLS1" if $no_tls1; $cflags.=" -DOPENSSL_NO_SRP" if $no_srp; $cflags.=" -DOPENSSL_NO_CMS" if $no_cms; $cflags.=" -DOPENSSL_NO_ERR" if $no_err; @@ -1205,6 +1206,7 @@ sub read_options "no-ssl3" => \$no_ssl3, "no-ssl3-method" => 0, "no-tlsext" => \$no_tlsext, + "no-tls1" => \$no_tls1, "no-srp" => \$no_srp, "no-cms" => \$no_cms, "no-jpake" => \$no_jpake,
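Review bot: $no_tls1 is read in the first hunk (`$cflags.=" -DOPENSSL_NO_TLS1" if $no_tls1;`) and bound by reference in the second (`"no-tls1" => \$no_tls1,`), but no declaration of it appears anywhere in this diff; if util/mk1mf.pl runs under `use strict`, the script will not compile until $no_tls1 is declared alongside the other $no_* flags, so either that declaration already exists in context the diff does not show or it needs adding in this change. Placing both new lines directly after their no-tlsext counterparts keeps the define list and the option table in the same order, which is the right convention to follow here.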
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated
  via  2178c52a8bacfd097a41f3f348fe51d8e4d1873e (commit)
 from  db610cb29cd2658c4feb60f4899856f0ac5e9dab (commit)

- Log -
commit 2178c52a8bacfd097a41f3f348fe51d8e4d1873e
Author: Richard Levitte
Date:   Wed Sep 21 14:44:42 2016 +0200

    test/x509aux.c: Fix argv loop

    There are cases when argc is more trustable than proper argv termination. Since we trust argc in all other test programs, we might as well treat it the same way in this program.

    Reviewed-by: Matt Caswell
    (cherry picked from commit 780bbb96bf514f0b4013e9c5725614ba5153c497)

Summary of changes:
 test/x509aux.c | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/test/x509aux.c b/test/x509aux.c index 4f00196..2c20d6d 100644 --- a/test/x509aux.c +++ b/test/x509aux.c @@ -180,7 +180,6 @@ static int test_certs(BIO *fp) int main(int argc, char *argv[]) { BIO *bio_err; -const char *certfile; const char *p; int ret = 1; @@ -197,24 +196,30 @@ int main(int argc, char *argv[]) CRYPTO_set_mem_debug(1); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); -while ((certfile = *++argv) != NULL) { -BIO *f = BIO_new_file(certfile, "r"); +argc--; +argv++; + +while (argc >= 1) { +BIO *f = BIO_new_file(*argv, "r"); int ok; if (f == NULL) { fprintf(stderr, "%s: Error opening cert file: '%s': %s\n", -progname, certfile, strerror(errno)); +progname, *argv, strerror(errno)); EXIT(ret); } ret = !(ok = test_certs(f)); BIO_free(f); if (!ok) { -printf("%s ERROR\n", certfile); +printf("%s ERROR\n", *argv); ret = 1; break; } -printf("%s OK\n", certfile); +printf("%s OK\n", *argv); + +argc--; +argv++; } #ifndef OPENSSL_NO_CRYPTO_MDEBUG
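Review bot: a style point on the second hunk: the `argc--; argv++;` pair now appears twice, once before the loop and once at its end, and the manual stepping would be clearer folded into one for header such as `for (argc--, argv++; argc > 0; argc--, argv++)`, which also stops a later `continue` from skipping the increment. Otherwise the change is consistent: all three uses of the removed certfile variable (the fprintf on open failure and the two printf result lines) now read *argv, the loop condition depends on argc alone as the commit message intends, and the `EXIT(ret)` path still exits with the ret of 1 set at declaration.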
[openssl-commits] Broken: openssl/openssl#6129 (master - 48c054f)
Build Update for openssl/openssl - Build: #6129 Status: Broken Duration: 45 minutes and 42 seconds Commit: 48c054f (master) Author: Matt Caswell

Message: Excessive allocation of memory in dtls1_preprocess_fragment()

This issue is very similar to CVE-2016-6307 described in the previous commit. The underlying defect is different but the security analysis and impacts are the same except that it impacts DTLS.

A DTLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being consumed to service a connection.

A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be allocated to service a connection. This could lead to a Denial of Service through memory exhaustion.

However, the excessive message length check still takes place, and this would cause the connection to immediately fail. Assuming that the application calls SSL_free() on the failed connection in a timely manner then the 21Mb of allocated memory will then be immediately freed again. Therefore the excessive memory allocation will be transitory in nature. This then means that there is only a security impact if:

1) The application does not call SSL_free() in a timely manner in the event that the connection fails or
2) The application is working in a constrained environment where there is very little free memory or
3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection; SSL_free() has not yet been called; and there is insufficient memory to service the multiple requests.

Except in the instance of (1) above any Denial Of Service is likely to be transitory because as soon as the connection fails the memory is subsequently freed again in the SSL_free() call. However there is an increased risk during this period of application crashes due to the lack of memory - which would then mean a more serious Denial of Service.

This issue does not affect TLS users.

Issue was reported by Shi Lei (Gear Team, Qihoo 360 Inc.).

CVE-2016-6308

Reviewed-by: Richard Levitte

View the changeset: https://github.com/openssl/openssl/compare/41bff723c678...48c054fec350 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161730913
[openssl-commits] Fixed: openssl/openssl#6128 (OpenSSL_1_1_0-stable - f757ce2)
Build Update for openssl/openssl - Build: #6128 Status: Fixed Duration: 43 minutes and 39 seconds Commit: f757ce2 (OpenSSL_1_1_0-stable) Author: Andy Polyakov Message: Configure: clarify and refine -static. Reviewed-by: Richard Levitte (cherry picked from commit 047d97afd97520eae268f6d8a36fbf9a0239a994) View the changeset: https://github.com/openssl/openssl/compare/1fdeda4cc994...f757ce2a3df9 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161728954
[openssl-commits] Fixed: openssl/openssl#6127 (OpenSSL_1_1_0-stable - 1fdeda4)
Build Update for openssl/openssl - Build: #6127 Status: Fixed Duration: 39 minutes and 12 seconds Commit: 1fdeda4 (OpenSSL_1_1_0-stable) Author: Matt Caswell Message: Don't leak on an OPENSSL_realloc() failure If OPENSSL_sk_insert() calls OPENSSL_realloc() and it fails, it was leaking the originally allocated memory. Reviewed-by: Rich Salz (cherry picked from commit 41bff723c6784cc846054a4fd4add6dbec8c2c64) View the changeset: https://github.com/openssl/openssl/compare/6915f39e68f0...1fdeda4cc994 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161726513
[openssl-commits] Fixed: openssl/openssl#6125 (OpenSSL_1_1_0-stable - 6915f39)
Build Update for openssl/openssl - Build: #6125 Status: Fixed Duration: 49 minutes and 45 seconds Commit: 6915f39 (OpenSSL_1_1_0-stable) Author: Matt Caswell Message: Don't allow too many consecutive warning alerts Certain warning alerts are ignored if they are received. This can mean that no progress will be made if one peer continually sends those warning alerts. Implement a count so that we abort the connection if we receive too many. Issue reported by Shi Lei. Reviewed-by: Rich Salz (cherry picked from commit af58be768ebb690f78530f796e92b8ae5c9a4401) View the changeset: https://github.com/openssl/openssl/compare/e7498968e229...6915f39e68f0 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/161724382