Commits · 684400ce192dac51df3d3e92b61830a6ef90be3e · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Jan 05, 2015

Fix various certificate fingerprint issues. · 684400ce

Dr. Stephen Henson authored Dec 20, 2014



By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

684400ce

Dec 28, 2014

RT3548: Remove unsupported platforms · 32dfde10

Rich Salz authored Dec 28, 2014



This commit removes DG-UX.
It also flushes out some left-behinds in config.
And regenerates TABLE from Configure (hadn't been done in awhile).

Reviewed-by: Richard Levitte <levitte@openssl.org>

32dfde10

Dec 25, 2014

RT3548: unsupported platforms · 6c23ca0c

Rich Salz authored Dec 25, 2014



This commit removes Sinix/ReliantUNIX RM400
(And a missed piece of BEOS fluff)

Reviewed-by: Richard Levitte <levitte@openssl.org>

6c23ca0c

Dec 22, 2014

RT3548: Remove unsupported platforms. · 5ad4fdce
Rich Salz authored Dec 22, 2014
```
This commit removes MPE/iX

Reviewed-by: Andy Polyakov <appro@openssl.org>
```
5ad4fdce

RT3548: Remvoe unsupported platforms · f2319414

Rich Salz authored Dec 21, 2014



This commit removes SunOS (a sentimental favorite of mine).

Reviewed-by: Richard Levitte <levitte@openssl.org>

f2319414

Dec 20, 2014

RT3548: Remove outdated platforms · e03b2987

Rich Salz authored Dec 19, 2014



This commit removes all mention of NeXT and NextStep.

Reviewed-by: Richard Levitte <levitte@openssl.org>

e03b2987

Dec 18, 2014
- Update CHANGES for deprecated updates · bd2bd374
  Matt Caswell authored Dec 17, 2014
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  bd2bd374
- RT3548: Remove some obsolete platforms · 59ff1ce0
  Rich Salz authored Dec 18, 2014
```
This commit removes Sony NEWS4

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  59ff1ce0
Dec 17, 2014
- RT3548: Remove some obsolete platforms · b317819b
  Rich Salz authored Dec 17, 2014
```
This commit removes BEOS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
```
  b317819b
Dec 08, 2014
- Add CHANGES entry for OCB · 0c1bd7f0
  Matt Caswell authored Dec 08, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
  0c1bd7f0
Dec 04, 2014
- Update changes to indicate that SSLv2 support has been removed · 12478cc4
  Kurt Roeckx authored Dec 04, 2014
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
  12478cc4
Nov 20, 2014

RT2679: Fix error if keysize too short · c56a50b2

Annie Yousar authored Sep 08, 2014



In keygen, return KEY_SIZE_TOO_SMALL not INVALID_KEYBITS.

** I also increased the minimum from 256 to 512, which is now
documented in CHANGES file. **

Reviewed-by: Matt Caswell <matt@openssl.org>

c56a50b2

Do not resume a session if the negotiated protocol version does not match · 9e189b9d

David Benjamin authored Nov 20, 2014


the session's version (server).

See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

9e189b9d

Clean up CHANGES · 31832e8f
Emilia Kasper authored Nov 20, 2014
```
Reviewed-by: Matt Caswell <matt@openssl.org>
```
31832e8f

Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset · e94a6c0e

Emilia Kasper authored Nov 19, 2014


once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>

e94a6c0e

Always require an advertised NewSessionTicket message. · de2c7504

Emilia Kasper authored Nov 19, 2014



The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>

de2c7504

Oct 28, 2014

Tighten session ticket handling · d663df23

Emilia Kasper authored Oct 28, 2014



Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

d663df23

Oct 27, 2014
- Add missing CHANGES interval [1.0.1h, 1.0.1i] · 49b0dfc5
  Emilia Kasper authored Oct 27, 2014
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  49b0dfc5
- Sync CHANGES · 18a2d293
  Emilia Kasper authored Oct 27, 2014
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  18a2d293
Oct 22, 2014
- Add missing credit. · 9f4bd9d5
  Andy Polyakov authored Oct 22, 2014
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  9f4bd9d5
Oct 15, 2014
- Updates CHANGES file · 53afbe12
  Matt Caswell authored Oct 15, 2014
```
Reviewed-by: Bodo Möller <bodo@openssl.org>
```
  53afbe12
- Support TLS_FALLBACK_SCSV. · cf6da053
  Bodo Moeller authored Oct 15, 2014
```
Reviewed-by: Stephen Henson <steve@openssl.org>
```
  cf6da053
Oct 02, 2014
- DTLS 1.2 support has been added to 1.0.2. · 429a25b9
  Bodo Moeller authored Oct 02, 2014
```
Reviewed-by: Rich Salz <rsalz@openssl.org>
```
  429a25b9
Sep 29, 2014

Add additional explanation to CHANGES entry. · 7c477625
Dr. Stephen Henson authored Sep 29, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
```
7c477625

Add additional DigestInfo checks. · 1cfd255c

Dr. Stephen Henson authored Sep 25, 2014



Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>

1cfd255c

Sep 23, 2014
- Note i2d_re_X509_tbs and related changes in CHANGES · 5f85f64f
  Emilia Kasper authored Sep 23, 2014
```
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit e9128d94)
```
  5f85f64f
- CHANGES: mention ECP_NISTZ256. · 507efe73
  Andy Polyakov authored Sep 23, 2014
```
Reviewed-by: Bodo Moeller <bodo@openssl.org>
```
  507efe73
Sep 05, 2014
- Add CHANGES entry for SCT viewer code. · b2774f6e
  Dr. Stephen Henson authored Sep 05, 2014
```
Reviewed-by: Emilia Käsper <emilia@openssl.org>
```
  b2774f6e
Aug 15, 2014

RT3268: Fix spelling errors in CHANGES file. · 14e96192

Claus Assmann authored Aug 15, 2014



Fix a bunch of typo's and speling (sic) errors in the CHANGES file.

Reviewed-by: Tim Hudson <tjh@cryptsoft.com>

14e96192

Aug 01, 2014
- Sync with clean-up 1.0.2 CHANGES file. · bac67407
  Bodo Moeller authored Aug 01, 2014
```
(If a change is already present in 1.0.1f or 1.0.1h,
don't list it again under changes between 1.0.1h and 1.0.2.)
```
  bac67407
- Sync with current 1.0.2 CHANGES file. · 38c65481
  Bodo Moeller authored Aug 01, 2014
  
  38c65481
- Simplify and fix ec_GFp_simple_points_make_affine · 0fe73d6c
  Bodo Moeller authored Aug 01, 2014
```
(which didn't always handle value 0 correctly).

Reviewed-by:  <emilia@openssl.org>
```
  0fe73d6c
Jul 22, 2014
- CHANGES: mention new platforms. · 7a2b5450
  Andy Polyakov authored Jul 22, 2014
```
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
```
  7a2b5450
Jul 04, 2014
- Remove all RFC5878 code. · b948ee27
  Dr. Stephen Henson authored Jul 04, 2014
```
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
```
  b948ee27
Jun 01, 2014
- Credit to Felix. · 5fc3a5fe
  Ben Laurie authored Jun 01, 2014
```
Closes #116.
```
  5fc3a5fe
May 23, 2014
- Add an NSS output format to sess_id to export to export the session id and the... · 189ae368
  Martin Kaiser authored May 24, 2014
```
Add an NSS output format to sess_id to export to export the session id and the master key in NSS keylog format. PR#3352
```
  189ae368
Apr 26, 2014

Fix version documentation. · 8acb9538

mancha authored Apr 25, 2014

Specify -f is for compilation flags. Add -d to synopsis section.

Closes #77.

8acb9538

Fix eckey_priv_encode() · e14f14d3

mancha authored Apr 24, 2014

Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey.

e14f14d3

Apr 22, 2014
- Fix double frees. · 4ba5e63b
  Ben Laurie authored Apr 22, 2014
  
  4ba5e63b
Apr 07, 2014

Add heartbeat extension bounds check. · 731f4314

Dr. Stephen Henson authored Apr 06, 2014

A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
(cherry picked from commit 96db9023)

731f4314