./security/openssl, Secure Socket Layer and cryptographic library

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: CURRENT, Version: 1.0.2knb1, Package name: openssl-1.0.2knb1, Maintainer: pkgsrc-users

The OpenSSL Project is a collaborative effort to develop a
robust, commercial-grade, full-featured, and Open Source
toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as
a full-strength general purpose cryptography library. The
project is managed by a worldwide community of volunteers
that use the Internet to communicate, plan, and develop the
OpenSSL toolkit and its related documentation.


Required to build:
[devel/p5-Perl4-CoreLibs] [pkgtools/cwrappers]

Package options: idea, md2, mdc2, threads

Master sites:

SHA1: 5f26a624479c51847ebd2f22bb9f84b3b44dcb44
RMD160: 56b70831e49f83987ec14b3878d0d693f9a7d862
Filesize: 5184.801 KB

Version history: (Expand)

CVS history: (Expand)

   2017-09-22 23:02:43 by Tim Zingelman | Files touched by this commit (3)
Log message:
openssl: fix for CVE-2017-3735
   2017-08-05 13:06:29 by Benny Siegert | Files touched by this commit (1)
Log message:
Overhaul the platform selector logic, so that the right value is selected
for powerpc64 on Darwin. Fix for PR pkg/52114.
   2017-01-26 17:31:57 by Jonathan Perkin | Files touched by this commit (3) | Package updated
Log message:
Update security/openssl to 1.0.2k.

Changes between 1.0.2j and 1.0.2k [26 Jan 2017]

  *) Truncated packet could crash via OOB read

     If one side of an SSL/TLS path is running on a 32-bit host and a specific
     cipher is being used, then a truncated packet can cause that host to
     perform an out-of-bounds read, usually resulting in a crash.

     This issue was reported to OpenSSL by Robert Święcki of Google.
     [Andy Polyakov]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
     similar to CVE-2015-3193 but must be treated as a separate problem.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     [Andy Polyakov]

  *) Montgomery multiplication may produce incorrect results

     There is a carry propagating bug in the Broadwell-specific Montgomery
     multiplication procedure that handles input lengths divisible by, but
     longer than 256 bits. Analysis suggests that attacks against RSA, DSA
     and DH private keys are impossible. This is because the subroutine in
     question is not used in operations with the private key itself and an input
     of the attacker's direct choice. Otherwise the bug can manifest itself as
     transient authentication and key negotiation failures or reproducible
     erroneous outcome of public-key operations with specially crafted input.
     Among EC algorithms only Brainpool P-512 curves are affected and one
     presumably can attack ECDH key negotiation. Impact was not analyzed in
     detail, because pre-requisites for attack are considered unlikely. Namely
     multiple clients have to choose the curve in question and the server has to
     share the private key among them, neither of which is default behaviour.
     Even then only clients that chose the curve will be affected.

     This issue was publicly reported as transient failures and was not
     initially recognized as a security issue. Thanks to Richard Morgan for
     providing reproducible case.
     [Andy Polyakov]

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]
   2016-12-06 19:18:54 by John Marino | Files touched by this commit (1)
Log message:
security/openssl: USE_TOOLS+= makedepend

=> Bootstrap dependency digest>=20010302: found digest-20160304
===> Building for openssl-1.0.2jnb1
making depend in crypto...
gmake[1]: Entering directory \ 
../util/domd: makedepend: not found
   2016-11-02 14:10:31 by Maya Rashish | Files touched by this commit (2)
Log message:
openssl: do not assume MIPS ABI on linux

Helps build on debian mipseb (which uses o32 abi and not n32), but build
still doesn't complete.
   2016-10-03 13:55:12 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
Remove incorrect comment and resulting weird license.

idea and mdc2 patents expired, so enable them by default.
rc5 looks like it might be expired as well, but I didn't find
anything relevant on that topic, so I left it alone.

   2016-09-26 14:27:56 by Jonathan Perkin | Files touched by this commit (2) | Package updated
Log message:
Update security/openssl to 1.0.2j.

 Changes between 1.0.2i and 1.0.2j [26 Sep 2016]

  *) Missing CRL sanity check

     A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
     but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
     CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

     This issue only affects the OpenSSL 1.0.2i
     [Matt Caswell]
   2016-09-22 14:28:55 by Jonathan Perkin | Files touched by this commit (4) | Package updated
Log message:
Update security/openssl to 1.0.2i.

 Changes between 1.0.2h and 1.0.2i [22 Sep 2016]

  *) OCSP Status Request extension unbounded memory growth

     A malicious client can send an excessively large OCSP Status Request
     extension. If that client continually requests renegotiation, sending a
     large OCSP Status Request extension each time, then there will be unbounded
     memory growth on the server. This will eventually lead to a Denial Of
     Service attack through memory exhaustion. Servers with a default
     configuration are vulnerable even if they do not support OCSP. Builds using
     the "no-ocsp" build time option are not affected.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     [Matt Caswell]

  *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
     HIGH to MEDIUM.

     This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
     Leurent (INRIA)
     [Rich Salz]

  *) OOB write in MDC2_Update()

     An overflow can occur in MDC2_Update() either if called directly or
     through the EVP_DigestUpdate() function using MDC2. If an attacker
     is able to supply very large amounts of input data after a previous
     call to EVP_EncryptUpdate() with a partial block then a length check
     can overflow resulting in a heap corruption.

     The amount of data needed is comparable to SIZE_MAX which is impractical
     on most platforms.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     [Stephen Henson]

  *) Malformed SHA512 ticket DoS

     If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
     DoS attack where a malformed ticket will result in an OOB read which will
     ultimately crash.

     The use of SHA512 in TLS session tickets is comparatively rare as it requires
     a custom server callback and ticket lookup mechanism.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     [Stephen Henson]

  *) OOB write in BN_bn2dec()

     The function BN_bn2dec() does not check the return value of BN_div_word().
     This can cause an OOB write if an application uses this function with an
     overly large BIGNUM. This could be a problem if an overly large certificate
     or CRL is printed out from an untrusted source. TLS is not affected because
     record limits will reject an oversized certificate before it is parsed.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     [Stephen Henson]

  *) OOB read in TS_OBJ_print_bio()

     The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
     the total length the OID text representation would use and not the amount
     of data written. This will result in OOB reads when large OIDs are

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     [Stephen Henson]

  *) Pointer arithmetic undefined behaviour

     Avoid some undefined pointer arithmetic

     A common idiom in the codebase is to check limits in the following manner:
     "p + len > limit"

     Where "p" points to some malloc'd data of SIZE bytes and
     limit == p + SIZE

     "len" here could be from some externally supplied data (e.g. from \ 

     The rules of C pointer arithmetic are such that "p + len" is only well
     defined where len <= SIZE. Therefore the above idiom is actually
     undefined behaviour.

     For example this could cause problems if some malloc implementation
     provides an address for "p" such that "p + len" \ 
actually overflows for
     values of len that are too big and therefore p + len < limit.

     This issue was reported to OpenSSL by Guido Vranken
     [Matt Caswell]

  *) Constant time flag not preserved in DSA signing

     Operations in the DSA signing algorithm should run in constant time in
     order to avoid side channel attacks. A flaw in the OpenSSL DSA
     implementation means that a non-constant time codepath is followed for
     certain operations. This has been demonstrated through a cache-timing
     attack to be sufficient for an attacker to recover the private DSA key.

     This issue was reported by César Pereida (Aalto University), Billy Brumley
     (Tampere University of Technology), and Yuval Yarom (The University of
     Adelaide and NICTA).
     [César Pereida]

  *) DTLS buffered message DoS

     In a DTLS connection where handshake messages are delivered out-of-order
     those messages that OpenSSL is not yet ready to process will be buffered
     for later use. Under certain circumstances, a flaw in the logic means that
     those messages do not get removed from the buffer even though the handshake
     has been completed. An attacker could force up to approx. 15 messages to
     remain in the buffer when they are no longer required. These messages will
     be cleared when the DTLS connection is closed. The default maximum size for
     a message is 100k. Therefore the attacker could force an additional 1500k
     to be consumed per connection. By opening many simulataneous connections an
     attacker could cause a DoS attack through memory exhaustion.

     This issue was reported to OpenSSL by Quan Luo.
     [Matt Caswell]

  *) DTLS replay protection DoS

     A flaw in the DTLS replay attack protection mechanism means that records
     that arrive for future epochs update the replay protection \ 
"window" before
     the MAC for the record has been validated. This could be exploited by an
     attacker by sending a record for the next epoch (which does not have to
     decrypt or have a valid MAC), with a very large sequence number. This means
     that all subsequent legitimate packets are dropped causing a denial of
     service for a specific DTLS connection.

     This issue was reported to OpenSSL by the OCAP audit team.
     [Matt Caswell]

  *) Certificate message OOB reads

     In OpenSSL 1.0.2 and earlier some missing message length checks can result
     in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
     theoretical DoS risk but this has not been observed in practice on common

     The messages affected are client certificate, client certificate request
     and server certificate. As a result the attack can only be performed
     against a client or a server which enables client authentication.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     [Stephen Henson]