Revisão | 94a0d48d39b620364702622b2a79eb999bdbebc4 (tree) |
Hora | 2012-01-25 23:24:59 |
Autor | s_kawamoto <s_kawamoto@user...> |
Commiter | s_kawamoto |
Update OpenSSL to 1.0.0g.
@@ -2,6 +2,73 @@ | ||
2 | 2 | OpenSSL CHANGES |
3 | 3 | _______________ |
4 | 4 | |
5 | + Changes between 1.0.0f and 1.0.0g [18 Jan 2012] | |
6 | + | |
7 | + *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. | |
8 | + Thanks to Antonio Martin, Enterprise Secure Access Research and | |
9 | + Development, Cisco Systems, Inc. for discovering this bug and | |
10 | + preparing a fix. (CVE-2012-0050) | |
11 | + [Antonio Martin] | |
12 | + | |
13 | + Changes between 1.0.0e and 1.0.0f [4 Jan 2012] | |
14 | + | |
15 | + *) Nadhem Alfardan and Kenny Paterson have discovered an extension | |
16 | + of the Vaudenay padding oracle attack on CBC mode encryption | |
17 | + which enables an efficient plaintext recovery attack against | |
18 | + the OpenSSL implementation of DTLS. Their attack exploits timing | |
19 | + differences arising during decryption processing. A research | |
20 | + paper describing this attack can be found at: | |
21 | + http://www.isg.rhul.ac.uk/~kp/dtls.pdf | |
22 | + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information | |
23 | + Security Group at Royal Holloway, University of London | |
24 | + (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann | |
25 | + <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> | |
26 | + for preparing the fix. (CVE-2011-4108) | |
27 | + [Robin Seggelmann, Michael Tuexen] | |
28 | + | |
29 | + *) Clear bytes used for block padding of SSL 3.0 records. | |
30 | + (CVE-2011-4576) | |
31 | + [Adam Langley (Google)] | |
32 | + | |
33 | + *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George | |
34 | + Kadianakis <desnacked@gmail.com> for discovering this issue and | |
35 | + Adam Langley for preparing the fix. (CVE-2011-4619) | |
36 | + [Adam Langley (Google)] | |
37 | + | |
38 | + *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027) | |
39 | + [Andrey Kulikov <amdeich@gmail.com>] | |
40 | + | |
41 | + *) Prevent malformed RFC3779 data triggering an assertion failure. | |
42 | + Thanks to Andrew Chi, BBN Technologies, for discovering the flaw | |
43 | + and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) | |
44 | + [Rob Austein <sra@hactrn.net>] | |
45 | + | |
46 | + *) Improved PRNG seeding for VOS. | |
47 | + [Paul Green <Paul.Green@stratus.com>] | |
48 | + | |
49 | + *) Fix ssl_ciph.c set-up race. | |
50 | + [Adam Langley (Google)] | |
51 | + | |
52 | + *) Fix spurious failures in ecdsatest.c. | |
53 | + [Emilia Käsper (Google)] | |
54 | + | |
55 | + *) Fix the BIO_f_buffer() implementation (which was mixing different | |
56 | + interpretations of the '..._len' fields). | |
57 | + [Adam Langley (Google)] | |
58 | + | |
59 | + *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than | |
60 | + BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent | |
61 | + threads won't reuse the same blinding coefficients. | |
62 | + | |
63 | + This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING | |
64 | + lock to call BN_BLINDING_invert_ex, and avoids one use of | |
65 | + BN_BLINDING_update for each BN_BLINDING structure (previously, | |
66 | + the last update always remained unused). | |
67 | + [Emilia Käsper (Google)] | |
68 | + | |
69 | + *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. | |
70 | + [Bob Buckholz (Google)] | |
71 | + | |
5 | 72 | Changes between 1.0.0d and 1.0.0e [6 Sep 2011] |
6 | 73 | |
7 | 74 | *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted |
@@ -906,8 +973,67 @@ | ||
906 | 973 | |
907 | 974 | *) Change 'Configure' script to enable Camellia by default. |
908 | 975 | [NTT] |
976 | + | |
977 | + Changes between 0.9.8s and 0.9.8t [18 Jan 2012] | |
978 | + | |
979 | + *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. | |
980 | + Thanks to Antonio Martin, Enterprise Secure Access Research and | |
981 | + Development, Cisco Systems, Inc. for discovering this bug and | |
982 | + preparing a fix. (CVE-2012-0050) | |
983 | + [Antonio Martin] | |
909 | 984 | |
910 | - Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] | |
985 | + Changes between 0.9.8r and 0.9.8s [4 Jan 2012] | |
986 | + | |
987 | + *) Nadhem Alfardan and Kenny Paterson have discovered an extension | |
988 | + of the Vaudenay padding oracle attack on CBC mode encryption | |
989 | + which enables an efficient plaintext recovery attack against | |
990 | + the OpenSSL implementation of DTLS. Their attack exploits timing | |
991 | + differences arising during decryption processing. A research | |
992 | + paper describing this attack can be found at: | |
993 | + http://www.isg.rhul.ac.uk/~kp/dtls.pdf | |
994 | + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information | |
995 | + Security Group at Royal Holloway, University of London | |
996 | + (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann | |
997 | + <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> | |
998 | + for preparing the fix. (CVE-2011-4108) | |
999 | + [Robin Seggelmann, Michael Tuexen] | |
1000 | + | |
1001 | + *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) | |
1002 | + [Ben Laurie, Kasper <ekasper@google.com>] | |
1003 | + | |
1004 | + *) Clear bytes used for block padding of SSL 3.0 records. | |
1005 | + (CVE-2011-4576) | |
1006 | + [Adam Langley (Google)] | |
1007 | + | |
1008 | + *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George | |
1009 | + Kadianakis <desnacked@gmail.com> for discovering this issue and | |
1010 | + Adam Langley for preparing the fix. (CVE-2011-4619) | |
1011 | + [Adam Langley (Google)] | |
1012 | + | |
1013 | + *) Prevent malformed RFC3779 data triggering an assertion failure. | |
1014 | + Thanks to Andrew Chi, BBN Technologies, for discovering the flaw | |
1015 | + and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) | |
1016 | + [Rob Austein <sra@hactrn.net>] | |
1017 | + | |
1018 | + *) Fix ssl_ciph.c set-up race. | |
1019 | + [Adam Langley (Google)] | |
1020 | + | |
1021 | + *) Fix spurious failures in ecdsatest.c. | |
1022 | + [Emilia Käsper (Google)] | |
1023 | + | |
1024 | + *) Fix the BIO_f_buffer() implementation (which was mixing different | |
1025 | + interpretations of the '..._len' fields). | |
1026 | + [Adam Langley (Google)] | |
1027 | + | |
1028 | + *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than | |
1029 | + BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent | |
1030 | + threads won't reuse the same blinding coefficients. | |
1031 | + | |
1032 | + This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING | |
1033 | + lock to call BN_BLINDING_invert_ex, and avoids one use of | |
1034 | + BN_BLINDING_update for each BN_BLINDING structure (previously, | |
1035 | + the last update always remained unused). | |
1036 | + [Emilia Käsper (Google)] | |
911 | 1037 | |
912 | 1038 | *) Fix SSL memory handling for (EC)DH ciphersuites, in particular |
913 | 1039 | for multi-threaded use of ECDH. |
@@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions | ||
82 | 82 | * Which is the current version of OpenSSL? |
83 | 83 | |
84 | 84 | The current version is available from <URL: http://www.openssl.org>. |
85 | -OpenSSL 1.0.0e was released on Sep 6th, 2011. | |
85 | +OpenSSL 1.0.0g was released on Jan 18th, 2012. | |
86 | 86 | |
87 | 87 | In addition to the current stable release, you can also access daily |
88 | 88 | snapshots of the OpenSSL development version at <URL: |
@@ -306,6 +306,15 @@ DECLARE_STACK_OF(BIO) | ||
306 | 306 | |
307 | 307 | typedef struct bio_f_buffer_ctx_struct |
308 | 308 | { |
309 | + /* Buffers are setup like this: | |
310 | + * | |
311 | + * <---------------------- size -----------------------> | |
312 | + * +---------------------------------------------------+ | |
313 | + * | consumed | remaining | free space | | |
314 | + * +---------------------------------------------------+ | |
315 | + * <-- off --><------- len -------> | |
316 | + */ | |
317 | + | |
309 | 318 | /* BIO *bio; */ /* this is now in the BIO struct */ |
310 | 319 | int ibuf_size; /* how big is the input buffer */ |
311 | 320 | int obuf_size; /* how big is the output buffer */ |
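Review bot: The new diagram in bio_f_buffer_ctx_struct labels its spans `size`, `off` and `len`, but the fields visible right below it are `ibuf_size` and `obuf_size`, so a reader has to guess that the picture applies once per buffer with the `ibuf_`/`obuf_` prefixes. One added sentence at the top of the comment would close that gap, e.g. ` * Both the input (ibuf_*) and output (obuf_*) buffers follow this layout:`. The struct continues past the end of the hunk, so whether `off`/`len` fields exist with matching names cannot be confirmed from here.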
@@ -193,8 +193,14 @@ extern "C" { | ||
193 | 193 | #endif |
194 | 194 | |
195 | 195 | /* --------------------------------- VOS ----------------------------------- */ |
196 | -#ifdef OPENSSL_SYSNAME_VOS | |
196 | +#if defined(__VOS__) || defined(OPENSSL_SYSNAME_VOS) | |
197 | 197 | # define OPENSSL_SYS_VOS |
198 | +#ifdef __HPPA__ | |
199 | +# define OPENSSL_SYS_VOS_HPPA | |
200 | +#endif | |
201 | +#ifdef __IA32__ | |
202 | +# define OPENSSL_SYS_VOS_IA32 | |
203 | +#endif | |
198 | 204 | #endif |
199 | 205 | |
200 | 206 | /* ------------------------------- VxWorks --------------------------------- */ |
@@ -25,11 +25,11 @@ | ||
25 | 25 | * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for |
26 | 26 | * major minor fix final patch/beta) |
27 | 27 | */ |
28 | -#define OPENSSL_VERSION_NUMBER 0x1000005fL | |
28 | +#define OPENSSL_VERSION_NUMBER 0x1000007fL | |
29 | 29 | #ifdef OPENSSL_FIPS |
30 | -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e-fips 6 Sep 2011" | |
30 | +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0g-fips 18 Jan 2012" | |
31 | 31 | #else |
32 | -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e 6 Sep 2011" | |
32 | +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0g 18 Jan 2012" | |
33 | 33 | #endif |
34 | 34 | #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT |
35 | 35 |
@@ -1882,6 +1882,7 @@ void ERR_load_SSL_strings(void); | ||
1882 | 1882 | #define SSL_F_SSL3_CALLBACK_CTRL 233 |
1883 | 1883 | #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 |
1884 | 1884 | #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 |
1885 | +#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304 | |
1885 | 1886 | #define SSL_F_SSL3_CLIENT_HELLO 131 |
1886 | 1887 | #define SSL_F_SSL3_CONNECT 132 |
1887 | 1888 | #define SSL_F_SSL3_CTRL 213 |
@@ -2139,6 +2140,7 @@ void ERR_load_SSL_strings(void); | ||
2139 | 2140 | #define SSL_R_MISSING_TMP_RSA_KEY 172 |
2140 | 2141 | #define SSL_R_MISSING_TMP_RSA_PKEY 173 |
2141 | 2142 | #define SSL_R_MISSING_VERIFY_MESSAGE 174 |
2143 | +#define SSL_R_MULTIPLE_SGC_RESTARTS 346 | |
2142 | 2144 | #define SSL_R_NON_SSLV2_INITIAL_PACKET 175 |
2143 | 2145 | #define SSL_R_NO_CERTIFICATES_RETURNED 176 |
2144 | 2146 | #define SSL_R_NO_CERTIFICATE_ASSIGNED 177 |
@@ -380,6 +380,17 @@ typedef struct ssl3_buffer_st | ||
380 | 380 | #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 |
381 | 381 | #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 |
382 | 382 | |
383 | +/* SSL3_FLAGS_SGC_RESTART_DONE is set when we | |
384 | + * restart a handshake because of MS SGC and so prevents us | |
385 | + * from restarting the handshake in a loop. It's reset on a | |
386 | + * renegotiation, so effectively limits the client to one restart | |
387 | + * per negotiation. This limits the possibility of a DDoS | |
388 | + * attack where the client handshakes in a loop using SGC to | |
389 | + * restart. Servers which permit renegotiation can still be | |
390 | + * effected, but we can't prevent that. | |
391 | + */ | |
392 | +#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040 | |
393 | + | |
383 | 394 | typedef struct ssl3_state_st |
384 | 395 | { |
385 | 396 | long flags; |
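Review bot: The comment above SSL3_FLAGS_SGC_RESTART_DONE reads "effected" where "affected" is meant, and it describes a single client restarting in a loop yet calls it a DDoS; the closing sentence should read ` * attack where the client handshakes in a loop using SGC to` / ` * restart. Servers which permit renegotiation can still be` / ` * affected, but we can't prevent that.` with "DoS" on the line above. The flag is stored in the `flags` member of ssl3_state_st, whose definition continues outside the hunk, so whether 0x0040 is free of collisions with the other SSL3_FLAGS_* values cannot be checked from this view.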
@@ -5,6 +5,18 @@ | ||
5 | 5 | This file gives a brief overview of the major changes between each OpenSSL |
6 | 6 | release. For more details please read the CHANGES file. |
7 | 7 | |
8 | + Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g: | |
9 | + | |
10 | + o Fix for DTLS DoS issue CVE-2012-0050 | |
11 | + | |
12 | + Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f: | |
13 | + | |
14 | + o Fix for DTLS plaintext recovery attack CVE-2011-4108 | |
15 | + o Clear block padding bytes of SSL 3.0 records CVE-2011-4576 | |
16 | + o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 | |
17 | + o Check parameters are not NULL in GOST ENGINE CVE-2012-0027 | |
18 | + o Check for malformed RFC3779 data CVE-2011-4577 | |
19 | + | |
8 | 20 | Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e: |
9 | 21 | |
10 | 22 | o Fix for CRL vulnerability issue CVE-2011-3207 |
@@ -1,5 +1,5 @@ | ||
1 | 1 | |
2 | - OpenSSL 1.0.0e 6 Sep 2011 | |
2 | + OpenSSL 1.0.0g 18 Jan 2012 | |
3 | 3 | |
4 | 4 | Copyright (c) 1998-2011 The OpenSSL Project |
5 | 5 | Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson |
@@ -114,11 +114,11 @@ BOOL LoadOpenSSL() | ||
114 | 114 | return FALSE; |
115 | 115 | #ifdef ENABLE_PROCESS_PROTECTION |
116 | 116 | // 同梱するOpenSSLのバージョンに合わせてSHA1ハッシュ値を変更すること |
117 | - // ssleay32.dll 1.0.0e | |
118 | - // libssl32.dll 1.0.0e | |
119 | - RegisterTrustedModuleSHA1Hash("\x4E\xB7\xA0\x22\x14\x4B\x58\x6D\xBC\xF5\x21\x0D\x96\x78\x0D\x79\x7D\x66\xB2\xB0"); | |
120 | - // libeay32.dll 1.0.0e | |
121 | - RegisterTrustedModuleSHA1Hash("\x01\x32\x7A\xAE\x69\x26\xE6\x58\xC7\x63\x22\x1E\x53\x5A\x78\xBC\x61\xC7\xB5\xC1"); | |
117 | + // ssleay32.dll 1.0.0g | |
118 | + // libssl32.dll 1.0.0g | |
119 | + RegisterTrustedModuleSHA1Hash("\x42\x32\x3E\x44\x35\xBC\x98\x6C\x45\xC9\xA2\xB8\x41\xE7\xDA\x7B\x6A\x98\xB2\x28"); | |
120 | + // libeay32.dll 1.0.0g | |
121 | + RegisterTrustedModuleSHA1Hash("\x3F\xC8\x07\x84\xB3\xF0\x71\x4A\x18\x59\x52\x1F\x99\x09\x65\xB9\x49\xA7\x15\x36"); | |
122 | 122 | #endif |
123 | 123 | g_hOpenSSL = LoadLibrary("ssleay32.dll"); |
124 | 124 | // バージョン固定のためlibssl32.dllの読み込みは脆弱性の原因になり得るので廃止 |
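Review bot: The label `// libssl32.dll 1.0.0g` sits over the same hash literal as `// ssleay32.dll 1.0.0g`, while the hunk's last line states that loading libssl32.dll was discontinued, so that label looks stale and is likely to mislead whoever updates these pins for the next OpenSSL bump; either drop it or say explicitly that the two names refer to the same binary. The pinned SHA-1 values carry no provenance, and a note such as `// SHA-1 of the ssleay32.dll / libeay32.dll binaries bundled with this release; recompute when the DLLs change` would let a maintainer reproduce the pin instead of trusting the hex blindly. The return value of RegisterTrustedModuleSHA1Hash is ignored on both calls, so if that function can report failure the caller will proceed to LoadLibrary on line 123 without knowing the module check is not in place. LoadOpenSSL begins before the hunk.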