*) Revert the change of EOF detection while reading in libssl to avoid
regressions in applications depending on the current way of reporting
the EOF. As the existing method is not fully accurate the change to
reporting the EOF via SSL_ERROR_SSL is kept on the current development
branch and will be present in the 3.0 release.
[Tomas Mraz]
*) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
when primes for RSA keys are computed.
Since we previously always generated primes == 2 (mod 3) for RSA keys,
the 2-prime and 3-prime RSA modules were easy to distinguish, since
N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
This avoids possible fingerprinting of newly generated RSA modules.
[Bernd Edlinger]
*) Properly detect EOF while reading in libssl. Previously if we hit an EOF
while reading in libssl then we would report an error back to the
application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.
[Matt Caswell]
*) Check that ed25519 and ed448 are allowed by the security level. Previously
signature algorithms not using an MD were not being checked that they were
allowed by the security level.
[Kurt Roeckx]
*) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
was not quite right. The behaviour was not consistent between resumption
and normal handshakes, and also not quite consistent with historical
behaviour. The behaviour in various scenarios has been clarified and
it has been updated to make it match historical behaviour as closely as
possible.
[Matt Caswell]
*) [VMS only] The header files that the VMS compilers include automatically,
__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
the C++ compiler doesn't understand. This is a shortcoming in the
compiler, but can be worked around with __cplusplus guards.
C++ applications that use OpenSSL libraries must be compiled using the
qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
functions. Otherwise, only functions with symbols of less than 31
characters can be used, as the linker will not be able to successfully
resolve symbols with longer names.
[Richard Levitte]
*) Corrected the documentation of the return values from the EVP_DigestSign*
set of functions. The documentation mentioned negative values for some
errors, but this was never the case, so the mention of negative values
was removed.
Code that followed the documentation and thereby check with something
like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
[Richard Levitte]
*) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against DH512
are considered just feasible. However, for an attack the target would
have to re-use the DH512 private key, which is not recommended anyway.
Also applications directly using the low level API BN_mod_exp may be
affected if they use BN_FLG_CONSTTIME.
(CVE-2019-1551)
[Andy Polyakov]
*) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
The presence of this system service is determined at run-time.
[Richard Levitte]
*) Added newline escaping functionality to a filename when using openssl dgst.
This output format is to replicate the output format found in the '*sum'
checksum programs. This aims to preserve backward compatibility.
[Matt Eaton, Richard Levitte, and Paul Dale]
*) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
the first value.
[Jon Spillett]
- Add GSSAPIAuthentication and related options
- Add KerberosAuthentication and related options
- Bring in the lengthy but useful comment block about
the side-effect of UsePAM with regards to PermitRootLogin.
- Match the case of the UsePAM keyword used in the manual page and code,
to aid case-sensitive grep etc.
- Remove references to obsole UseLogin and UsePrivilegeSeparation keywords.
- Whitespace police
The first matching entry that sets an option "wins." Therefore more
specific matches should be provided before the "Host *" entry that
matches everything. This way options set in the more specific entry will
not be accidentally made ineffective by the match-all entry.
OpenSSH 8.2 was released on 2020-02-14. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
https://www.openssh.com/donations.html
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the "ssh-rsa" public key signature algorithm that depends
on SHA-1 by default in a near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.
The better alternatives include:
* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.
* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.
* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.
A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Security
========
* ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures
(i.e. the client and server CASignatureAlgorithms option) and will
use the rsa-sha2-512 signature algorithm by default when the
ssh-keygen(1) CA signs new certificates.
Certificates are at special risk to the aforementioned SHA1
collision vulnerability as an attacker has effectively unlimited
time in which to craft a collision that yields them a valid
certificate, far more than the relatively brief LoginGraceTime
window that they have to forge a host key signature.
The OpenSSH certificate format includes a CA-specified (typically
random) nonce value near the start of the certificate that should
make exploitation of chosen-prefix collisions in this context
challenging, as the attacker does not have full control over the
prefix that actually gets signed. Nonetheless, SHA1 is now a
demonstrably broken algorithm and futher improvements in attacks
are highly likely.
OpenSSH releases prior to 7.2 do not support the newer RSA/SHA2
algorithms and will refuse to accept certificates signed by an
OpenSSH 8.2+ CA using RSA keys unless the unsafe algorithm is
explicitly selected during signing ("ssh-keygen -t ssh-rsa").
Older clients/servers may use another CA key type such as
ssh-ed25519 (supported since OpenSSH 6.5) or one of the
ecdsa-sha2-nistp256/384/521 types (supported since OpenSSH 5.7)
instead if they cannot be upgraded.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): the above removal of "ssh-rsa" from the accepted
CASignatureAlgorithms list.
* ssh(1), sshd(8): this release removes diffie-hellman-group14-sha1
from the default key exchange proposal for both the client and
server.
* ssh-keygen(1): the command-line options related to the generation
and screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have
changed. Most options have been folded under the -O flag.
* sshd(8): the sshd listener process title visible to ps(1) has
changed to include information about the number of connections that
are currently attempting authentication and the limits configured
by MaxStartups.
* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one). It needs to be installed
in the expected path, typically under /usr/libexec or similar.
Changes since OpenSSH 8.1
=========================
This release contains some significant new features.
FIDO/U2F Support
----------------
This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly authorise
operations by touching or tapping them.
Generating a FIDO key requires the token be attached, and will usually
require the user tap the token to confirm the operation:
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any other
supported key in OpenSSH and may be listed in authorized_keys, added
to ssh-agent(1), etc. The only additional stipulation is that the FIDO
token that the key belongs to must be attached when the key is used.
FIDO tokens are most commonly connected via USB but may be attached
via other means such as Bluetooth or NFC. In OpenSSH, communication
with the token is managed via a middleware library, specified by the
SecurityKeyProvider directive in ssh/sshd_config(5) or the
$SSH_SK_PROVIDER environment variable for ssh-keygen(1) and
ssh-add(1). The API for this middleware is documented in the sk-api.h
and PROTOCOL.u2f files in the source distribution.
OpenSSH includes a middleware ("SecurityKeyProvider=internal") with
support for USB tokens. It is automatically enabled in OpenBSD and may
be enabled in portable OpenSSH via the configure flag
--with-security-key-builtin. If the internal middleware is enabled
then it is automatically used by default. This internal middleware
requires that libfido2 (https://github.com/Yubico/libfido2) and its
dependencies be installed. We recommend that packagers of portable
OpenSSH enable the built-in middleware, as it provides the
lowest-friction experience for users.
Note: FIDO/U2F tokens are required to implement the ECDSA-P256
"ecdsa-sk" key type, but hardware support for Ed25519 "ed25519-sk" is
less common. Similarly, not all hardware tokens support some of the
optional features such as resident keys.
The protocol-level changes to support FIDO/U2F keys in SSH are
documented in the PROTOCOL.u2f file in the OpenSSH source
distribution.
There are a number of supporting changes to this feature:
* ssh-keygen(1): add a "no-touch-required" option when generating
FIDO-hosted keys, that disables their default behaviour of
requiring a physical touch/tap on the token during authentication.
Note: not all tokens support disabling the touch requirement.
* sshd(8): add a sshd_config PubkeyAuthOptions directive that
collects miscellaneous public key authentication-related options
for sshd(8). At present it supports only a single option
"no-touch-required". This causes sshd to skip its default check for
FIDO/U2F keys that the signature was authorised by a touch or press
event on the token hardware.
* ssh(1), sshd(8), ssh-keygen(1): add a "no-touch-required" option
for authorized_keys and a similar extension for certificates. This
option disables the default requirement that FIDO key signatures
attest that the user touched their key to authorize them, mirroring
the similar PubkeyAuthOptions sshd_config option.
* ssh-keygen(1): add support for the writing the FIDO attestation
information that is returned when new keys are generated via the
"-O write-attestation=/path" option. FIDO attestation certificates
may be used to verify that a FIDO key is hosted in trusted
hardware. OpenSSH does not currently make use of this information,
beyond optionally writing it to disk.
FIDO2 resident keys
-------------------
FIDO/U2F OpenSSH keys consist of two parts: a "key handle" part stored
in the private key file on disk, and a per-device private key that is
unique to each FIDO/U2F token and that cannot be exported from the
token hardware. These are combined by the hardware at authentication
time to derive the real key that is used to sign authentication
challenges.
For tokens that are required to move between computers, it can be
cumbersome to have to move the private key file first. To avoid this
requirement, tokens implementing the newer FIDO2 standard support
"resident keys", where it is possible to effectively retrieve the key
handle part of the key from the hardware.
OpenSSH supports this feature, allowing resident keys to be generated
using the ssh-keygen(1) "-O resident" flag. This will produce a
public/private key pair as usual, but it will be possible to retrieve
the private key part from the token later. This may be done using
"ssh-keygen -K", which will download all available resident keys from
the tokens attached to the host and write public/private key files
for them. It is also possible to download and add resident keys
directly to ssh-agent(1) without writing files to the file-system
using "ssh-add -K".
Resident keys are indexed on the token by the application string and
user ID. By default, OpenSSH uses an application string of "ssh:" and
an empty user ID. If multiple resident keys on a single token are
desired then it may be necessary to override one or both of these
defaults using the ssh-keygen(1) "-O application=" or "-O user="
options. Note: OpenSSH will only download and use resident keys whose
application string begins with "ssh:"
Storing both parts of a key on a FIDO token increases the likelihood
of an attacker being able to use a stolen token device. For this
reason, tokens should enforce PIN authentication before allowing
download of keys, and users should set a PIN on their tokens before
creating any resident keys.
Other New Features
------------------
* sshd(8): add an Include sshd_config keyword that allows including
additional configuration files via glob(3) patterns. bz2468
* ssh(1)/sshd(8): make the LE (low effort) DSCP code point available
via the IPQoS directive; bz2986,
* ssh(1): when AddKeysToAgent=yes is set and the key contains no
comment, add the key to the agent with the key's path as the
comment. bz2564
* ssh-keygen(1), ssh-agent(1): expose PKCS#11 key labels and X.509
subjects as key comments, rather than simply listing the PKCS#11
provider library path. PR138
* ssh-keygen(1): allow PEM export of DSA and ECDSA keys; bz3091
* ssh(1), sshd(8): make zlib compile-time optional, available via the
Makefile.inc ZLIB flag on OpenBSD or via the --with-zlib configure
option for OpenSSH portable.
* sshd(8): when clients get denied by MaxStartups, send a
notification prior to the SSH2 protocol banner according to
RFC4253 section 4.2.
* ssh(1), ssh-agent(1): when invoking the $SSH_ASKPASS prompt
program, pass a hint to the program to describe the type of
desired prompt. The possible values are "confirm" (indicating
that a yes/no confirmation dialog with no text entry should be
shown), "none" (to indicate an informational message only), or
blank for the original ssh-askpass behaviour of requesting a
password/phrase.
* ssh(1): allow forwarding a different agent socket to the path
specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
option to accepting an explicit path or the name of an environment
variable in addition to yes/no.
* ssh-keygen(1): add a new signature operations "find-principals" to
look up the principal associated with a signature from an allowed-
signers file.
* sshd(8): expose the number of currently-authenticating connections
along with the MaxStartups limit in the process title visible to
"ps".
Bugfixes
--------
* sshd(8): make ClientAliveCountMax=0 have sensible semantics: it
will now disable connection killing entirely rather than the
current behaviour of instantly killing the connection after the
first liveness test regardless of success. bz2627
* sshd(8): clarify order of AllowUsers / DenyUsers vs AllowGroups /
DenyGroups in the sshd(8) manual page. bz1690
* sshd(8): better describe HashKnownHosts in the manual page. bz2560
* sshd(8): clarify that that permitopen=/PermitOpen do no name or
address translation in the manual page. bz3099
* sshd(8): allow the UpdateHostKeys feature to function when
multiple known_hosts files are in use. When updating host keys,
ssh will now search subsequent known_hosts files, but will add
updated host keys to the first specified file only. bz2738
* All: replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the
handler preventing races between handlers, and sets SA_RESTART
which should reduce the potential for short read/write operations.
* sftp(1): fix a race condition in the SIGCHILD handler that could
turn in to a kill(-1); bz3084
* sshd(8): fix a case where valid (but extremely large) SSH channel
IDs were being incorrectly rejected. bz3098
* ssh(1): when checking host key fingerprints as answers to new
hostkey prompts, ignore whitespace surrounding the fingerprint
itself.
* All: wait for file descriptors to be readable or writeable during
non-blocking connect, not just readable. Prevents a timeout when
the server doesn't immediately send a banner (e.g. multiplexers
like sslh)
* sshd_config(5): document the sntrup4591761x25519-sha512@tinyssh.org
key exchange algorithm. PR#151
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
number generator (RNG). This was intended to include protection in the
event of a fork() system call in order to ensure that the parent and child
processes did not share the same RNG state. However this protection was not
being used in the default case.
A partial mitigation for this issue is that the output from a high
precision timer is mixed into the RNG state so the likelihood of a parent
and child process sharing state is significantly reduced.
If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.
(CVE-2019-1549)
[Matthias St. Pierre]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
serialized, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
[Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
(CVE-2019-1547)
[Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
(CVE-2019-1563)
[Bernd Edlinger]
*) Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems. The RAND subsystem will wait for
/dev/random to be producing output before seeding from /dev/urandom.
The seeded state is stored for future library initialisations using
a system global shared memory segment. The shared memory identifier
can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
the desired value. The default identifier is 114.
[Paul Dale]
*) Correct the extended master secret constant on EBCDIC systems. Without this
fix TLS connections between an EBCDIC system and a non-EBCDIC system that
negotiate EMS will fail. Unfortunately this also means that TLS connections
between EBCDIC systems with this fix, and EBCDIC systems without this
fix will fail if they negotiate EMS.
[Matt Caswell]
*) Use Windows installation paths in the mingw builds
Mingw isn't a POSIX environment per se, which means that Windows
paths should be used for installation.
(CVE-2019-1552)
[Richard Levitte]
*) Changed DH_check to accept parameters with order q and 2q subgroups.
With order 2q subgroups the bit 0 of the private key is not secret
but DH_generate_key works around that by clearing bit 0 of the
private key for those. This avoids leaking bit 0 of the private key.
[Bernd Edlinger]
*) Significantly reduce secure memory usage by the randomness pools.
[Paul Dale]
*) Revert the DEVRANDOM_WAIT feature for Linux systems
The DEVRANDOM_WAIT feature added a select() call to wait for the
/dev/random device to become readable before reading from the
/dev/urandom device.
It turned out that this change had negative side effects on
performance which were not acceptable. After some discussion it
was decided to revert this feature and leave it up to the OS
resp. the platform maintainer to ensure a proper initialization
during early boot time.
[Matthias St. Pierre]
Bug fixes
PKCS#11 hcrypto back-end
. initialize the p11_module_load function list
. verify that not only is a mechanism present but that its mechanism
info states that it offers the required encryption, decryption or
digest services
krb5:
. Starting with 7.6, Heimdal permitted requesting authenticated
anonymous tickets. However, it did not verify that a KDC in fact
returned an anonymous ticket when one was requested.
. Cease setting the KDCOption reaquest_anonymous flag when issuing
S4UProxy (constrained delegation) TGS requests.
. when the Win2K PKINIT compatibility option is set, do
not require krbtgt otherName to match when validating KDC
certificate.
. set PKINIT_BTMM flag per Apple implementation
. use memset_s() instead of memset()
kdc:
. When generating KRB5SignedPath in the AS, use the reply client name
rather than the one from the request, so validation will work
correctly in the TGS.
. allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT used
an enctype with a different checksum. Per [MS-SFU] 2.2.1
PA-FOR-USER the checksum is always HMAC_MD5, and that's what
Windows and MIT clients send.
In Heimdal both the client and kdc use instead the
checksum of the TGT, and therefore work with each other
but Windows and MIT clients fail against Heimdal KDC.
Both Windows and MIT KDC would allow any keyed checksum
to be used so Heimdal client work fine against it.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based TGT in order to support per-spec clients.
. use memset_s() instead of memset()
. Detect Heimdal 1.0 through 7.6 clients that issue S4UProxy
(constrained delegation) TGS Requests with the request
anonymous flag set. These requests will be treated as
S4UProxy requests and not anonymous requests.
HDB:
. Set SQLite3 backend default page size to 8KB.
. Add hdb_set_sync() method
kadmind:
. disable HDB sync during database load avoiding unnecessary disk i/o.
ipropd:
. disable HDB sync during receive_everything. Doing an fsync
per-record when receiving the complete HDB is a performance
disaster. Among other things, if the HDB is very large, then
one slave receving a full HDB can cause other slaves to timeout
and, if HDB write activity is high enough to cause iprop log
truncation, then also need full syncs, which leads to a cycle of
full syncs for all slaves until HDB write activity drops.
Allowing the iprop log to be larger helps, but improving
receive_everything() performance helps even more.
kinit:
. Anonymous PKINIT tickets discard the realm information used
to locate the issuing AS. Store the issuing realm in the
credentials cache in order to locate a KDC which can renew them.
. Do not leak the result of krb5_cc_get_config() when determining
anonymous PKINIT start realm.
klist:
. Show transited-policy-checked, ok-as-delegate and anonymous
flags when listing credentials.
tests:
. Regenerate certs so that they expire before the 2038 armageddon
so the test suite will pass on 32-bit operating systems until the
underlying issues can be resolved.
Solaris:
. Define _STDC_C11_BCI for memset_s prototype
build tooling:
. Convert from python 2 to python 3
documentation
. rename verify-password to verify-password-quality
. hprop default mode is encrypt
. kadmind "all" permission does not include "get-keys"
. verify-password-quality might not be stateless
Release Notes - Heimdal - Version Heimdal 7.6
Security (#555)
CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum
When the Heimdal KDC checks the checksum that is placed on the
S4U2Self packet by the server to protect the requested principal
against modification, it does not confirm that the checksum
algorithm that protects the user name (principal) in the request
is keyed. This allows a man-in-the-middle attacker who can
intercept the request to the KDC to modify the packet by replacing
the user name (principal) in the request with any desired user
name (principal) that exists in the KDC and replace the checksum
protecting that name with a CRC32 checksum (which requires no
prior knowledge to compute).
This would allow a S4U2Self ticket requested on behalf of user
name (principal) user@EXAMPLE.COM to any service to be changed
to a S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the
PAC of the modified user name (principal).
CVE-2019-12098, client-only:
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key exchange
when anonymous PKINIT is used. Failure to do so can permit an active
attacker to become a man-in-the-middle.
Bug fixes
Happy eyeballs: Don't wait for responses from known-unreachable KDCs.
kdc: check return copy_Realm, copy_PrincipalName, copy_EncryptionKey
kinit:
. cleanup temporary ccaches
. see man page for "kinit --anonymous" command line syntax change
kdc: Make anonymous AS-requests more RFC8062-compliant.
Updated expired test certificates
Solaris:
. PKCS#11 hcrypto backend broken since 7.0.1
. Building with Sun Pro C
Features
kuser: support authenticated anonymous AS-REQs in kinit
kdc: support for anonymous TGS-REQs
kgetcred support for anonymous service tickets
Support builds with OpenSSL 1.1.1
Building from source:
Heimdal 7.5
This is a security release of Heimdal
This release patches a remote denial of service
CVE-2017-17439: In Heimdal 7.1 through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm.
Heimdal 7.4
This is a security release of Heimdal.
This release patches a critical vulnerability:
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unecrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
See https://www.orpheus-lyre.info/
This is the Heimdal 7.3 security release.
This release addresses CVE-2017-6594. See the NEWS file for details.
Heimdal 7.2
This is the Heimdal 7.2 release.
GCC_NO_FORMAT_TRUNCATION -Wno-format-truncation (GCC 7/8)
GCC_NO_STRINGOP_TRUNCATION -Wno-stringop-truncation (GCC 8)
GCC_NO_STRINGOP_OVERFLOW -Wno-stringop-overflow (GCC 8)
GCC_NO_CAST_FUNCTION_TYPE -Wno-cast-function-type (GCC 8)
use these to turn off warnings for most GCC-8 complaints. many
of these are false positives, most of the real bugs are already
commited, or are yet to come.
we plan to introduce versions of (some?) of these that use the
"-Wno-error=" form, which still displays the warnings but does
not make it an error, and all of the above will be re-considered
as either being "fix me" (warning still displayed) or "warning
is wrong."
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html
Security
========
* ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer
overflow bug was found in the private key parsing code for the XMSS
key type. This key type is still experimental and support for it is
not compiled by default. No user-facing autoconf option exists in
portable OpenSSH to enable it. This bug was found by Adam Zabrocki
and reported via SecuriTeam's SSD program.
* ssh(1), sshd(8), ssh-agent(1): add protection for private keys at
rest in RAM against speculation and memory side-channel attacks like
Spectre, Meltdown and Rambleed. This release encrypts private keys
when they are not in use with a symmetric key that is derived from a
relatively large "prekey" consisting of random data (currently 16KB).
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): when acting as a CA and signing certificates with
an RSA key, default to using the rsa-sha2-512 signature algorithm.
Certificates signed by RSA keys will therefore be incompatible
with OpenSSH versions prior to 7.2 unless the default is
overridden (using "ssh-keygen -t ssh-rsa -s ...").
If a specified SPI is not zero, tell the kernel to use the SPI by using
SADB_EXT_SPIRANGE. Otherwise, the kernel picks a random SPI.
It enables to mimic racoon.
Changes between 1.1.1b and 1.1.1c [28 May 2019]
*) Add build tests for C++. These are generated files that only do one
thing, to include one public OpenSSL head file each. This tests that
the public header files can be usefully included in a C++ application.
This test isn't enabled by default. It can be enabled with the option
'enable-buildtest-c++'.
[Richard Levitte]
*) Enable SHA3 pre-hashing for ECDSA and DSA.
[Patrick Steuer]
*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the genpkey app when no size is given. It
fixes an omission in earlier changes that changed all RSA, DSA and DH
generation apps to use 2048 bits by default.
[Kurt Roeckx]
*) Reorganize the manual pages to consistently have RETURN VALUES,
EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
util/fix-doc-nits accordingly.
[Paul Yang, Joshua Lock]
*) Add the missing accessor EVP_PKEY_get0_engine()
[Matt Caswell]
*) Have apps like 's_client' and 's_server' output the signature scheme
along with other cipher suite parameters when debugging.
[Lorinczy Zsigmond]
*) Make OPENSSL_config() error agnostic again.
[Richard Levitte]
*) Do the error handling in RSA decryption constant time.
[Bernd Edlinger]
*) Prevent over long nonces in ChaCha20-Poly1305.
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
for every encryption operation. RFC 7539 specifies that the nonce value
(IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
and front pads the nonce with 0 bytes if it is less than 12
bytes. However it also incorrectly allows a nonce to be set of up to 16
bytes. In this case only the last 12 bytes are significant and any
additional leading bytes are ignored.
It is a requirement of using this cipher that nonce values are
unique. Messages encrypted using a reused nonce value are susceptible to
serious confidentiality and integrity attacks. If an application changes
the default nonce length to be longer than 12 bytes and then makes a
change to the leading bytes of the nonce expecting the new value to be a
new unique nonce then such an application could inadvertently encrypt
messages with a reused nonce.
Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
is safe because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.
This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
Greef of Ronomon.
(CVE-2019-1543)
[Matt Caswell]
*) Ensure that SM2 only uses SM3 as digest algorithm
[Paul Yang]
Security
========
This release contains mitigation for a weakness in the scp(1) tool
and protocol (CVE-2019-6111): when copying files from a remote system
to a local directory, scp(1) did not verify that the filenames that
the server sent matched those requested by the client. This could
allow a hostile server to create or clobber unexpected local files
with attacker-controlled content.
This release adds client-side checking that the filenames sent from
the server match the command-line request,
The scp protocol is outdated, inflexible and not readily fixed. We
recommend the use of more modern protocols like sftp and rsync for
file transfer instead.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* scp(1): Relating to the above changes to scp(1); the scp protocol
relies on the remote shell for wildcard expansion, so there is no
infallible way for the client's wildcard matching to perfectly
reflect the server's. If there is a difference between client and
server wildcard expansion, the client may refuse files from the
server. For this reason, we have provided a new "-T" flag to scp
that disables these client-side checks at the risk of
reintroducing the attack described above.
* sshd(8): Remove support for obsolete "host/port" syntax. Slash-
separated host/port was added in 2001 as an alternative to
host:port syntax for the benefit of IPv6 users. These days there
are establised standards for this like [::1]:22 and the slash
syntax is easily mistaken for CIDR notation, which OpenSSH
supports for some things. Remove the slash notation from
ListenAddress and PermitOpen; bz#2335
Changes since OpenSSH 7.9
=========================
This release is focused on new features and internal refactoring.
New Features
------------
* ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
PKCS#11 tokens.
* ssh(1), sshd(8): Add experimental quantum-computing resistant
key exchange method, based on a combination of Streamlined NTRU
Prime 4591^761 and X25519.
* ssh-keygen(1): Increase the default RSA key size to 3072 bits,
following NIST Special Publication 800-57's guidance for a
128-bit equivalent symmetric security level.
* ssh(1): Allow "PKCS11Provider=none" to override later instances of
the PKCS11Provider directive in ssh_config; bz#2974
* sshd(8): Add a log message for situations where a connection is
dropped for attempting to run a command but a sshd_config
ForceCommand=internal-sftp restriction is in effect; bz#2960
* ssh(1): When prompting whether to record a new host key, accept
the key fingerprint as a synonym for "yes". This allows the user
to paste a fingerprint obtained out of band at the prompt and
have the client do the comparison for you.
* ssh-keygen(1): When signing multiple certificates on a single
command-line invocation, allow automatically incrementing the
certificate serial number.
* scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
the scp and sftp command-lines.
* ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
command-line flags to increase the verbosity of output; pass
verbose flags though to subprocesses, such as ssh-pkcs11-helper
started from ssh-agent.
* ssh-add(1): Add a "-T" option to allowing testing whether keys in
an agent are usable by performing a signature and a verification.
* sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
that replicates the functionality of the existing SSH2_FXP_SETSTAT
operation but does not follow symlinks. bz#2067
* sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
they do not follow symlinks.
* sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
the connection 4-tuple available to PAM modules that wish to use
it in decision-making. bz#2741
* sshd(8): Add a ssh_config "Match final" predicate Matches in same
pass as "Match canonical" but doesn't require hostname
canonicalisation be enabled. bz#2906
* sftp(1): Support a prefix of '@' to suppress echo of sftp batch
commands; bz#2926
* ssh-keygen(1): When printing certificate contents using
"ssh-keygen -Lf /path/certificate", include the algorithm that
the CA used to sign the cert.
Bugfixes
--------
* sshd(8): Fix authentication failures when sshd_config contains
"AuthenticationMethods any" inside a Match block that overrides
a more restrictive default.
* sshd(8): Avoid sending duplicate keepalives when ClientAliveCount
is enabled.
* sshd(8): Fix two race conditions related to SIGHUP daemon restart.
Remnant file descriptors in recently-forked child processes could
block the parent sshd's attempt to listen(2) to the configured
addresses. Also, the restarting parent sshd could exit before any
child processes that were awaiting their re-execution state had
completed reading it, leaving them in a fallback path.
* ssh(1): Fix stdout potentially being redirected to /dev/null when
ProxyCommand=- was in use.
* sshd(8): Avoid sending SIGPIPE to child processes if they attempt
to write to stderr after their parent processes have exited;
bz#2071
* ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
and ConnectionAttempts directives - connection attempts after the
first were ignoring the requested timeout; bz#2918
* ssh-keyscan(1): Return a non-zero exit status if no keys were
found; bz#2903
* scp(1): Sanitize scp filenames to allow UTF-8 characters without
terminal control sequences; bz#2434
* sshd(8): Fix confusion between ClientAliveInterval and time-based
RekeyLimit that could cause connections to be incorrectly closed.
bz#2757
* ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
handling at initial token login. The attempt to read the PIN
could be skipped in some cases, particularly on devices with
integrated PIN readers. This would lead to an inability to
retrieve keys from these tokens. bz#2652
* ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
CKA_ALWAYS_AUTHENTICATE flag by requring a fresh login after the
C_SignInit operation. bz#2638
* ssh(1): Improve documentation for ProxyJump/-J, clarifying that
local configuration does not apply to jump hosts.
* ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
public keys, not private.
* ssh(1), sshd(8): be more strict in processing protocol banners,
allowing \r characters only immediately before \n.
* Various: fix a number of memory leaks, including bz#2942 and
bz#2938
* scp(1), sftp(1): fix calculation of initial bandwidth limits.
Account for bytes written before the timer starts and adjust the
schedule on which recalculations are performed. Avoids an initial
burst of traffic and yields more accurate bandwidth limits;
bz#2927
* sshd(8): Only consider the ext-info-c extension during the initial
key eschange. It shouldn't be sent in subsequent ones, but if it
is present we should ignore it. This prevents sshd from sending a
SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929
* ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
authorized_keys) and -R (remove host from authorized_keys) options
may accept either a bare hostname or a [hostname]:port combo.
bz#2935
* ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936
* sshd(8): Silence error messages when sshd fails to load some of
the default host keys. Failure to load an explicitly-configured
hostkey is still an error, and failure to load any host key is
still fatal. pr/103
* ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
started with ControlPersist; prevents random ProxyCommand output
from interfering with session output.
* ssh(1): The ssh client was keeping a redundant ssh-agent socket
(leftover from authentication) around for the life of the
connection; bz#2912
* sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types
were specified, then authentication would always fail for RSA keys
as the monitor checks only the base key (not the signature
algorithm) type against *AcceptedKeyTypes. bz#2746
* ssh(1): Request correct signature types from ssh-agent when
certificate keys and RSA-SHA2 signatures are in use.
Portability
-----------
* sshd(8): On Cygwin, run as SYSTEM where possible, using S4U for
token creation if it supports MsV1_0 S4U Logon.
* sshd(8): On Cygwin, use custom user/group matching code that
respects the OS' behaviour of case-insensitive matching.
* sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies
the user environment if it's enabled; bz#2937
* sshd(8) Cygwin: Change service name to cygsshd to avoid collision
with Microsoft's OpenSSH port.
* Allow building against OpenSSL -dev (3.x)
* Fix a number of build problems against version configurations and
versions of OpenSSL. Including bz#2931 and bz#2921
* Improve warnings in cygwin service setup. bz#2922
* Remove hardcoded service name in cygwin setup. bz#2922
not 100% sure this is right but my build works now. here's what i did:
% cd crypto/external/bsd/openssl/lib/libcrypto/arch/powerpc
% make regen
after checking that the openssl generator calling code had not change
(but the relevant .pl file had.)
*) Added SCA hardening for modular field inversion in EC_GROUP through
a new dedicated field_inv() pointer in EC_METHOD.
This also addresses a leakage affecting conversions from projective
to affine coordinates.
[Billy Bob Brumley, Nicola Tuveri]
*) Change the info callback signals for the start and end of a post-handshake
message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
confused by this and assume that a TLSv1.2 renegotiation has started. This
can break KeyUpdate handling. Instead we no longer signal the start and end
of a post handshake message exchange (although the messages themselves are
still signalled). This could break some applications that were expecting
the old signals. However without this KeyUpdate is not usable for many
applications.
[Matt Caswell]
*) Fix a bug in the computation of the endpoint-pair shared secret used
by DTLS over SCTP. This breaks interoperability with older versions
of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
interoperability with such broken implementations. However, enabling
this switch breaks interoperability with correct implementations.
*) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
re-used X509_PUBKEY object if the second PUBKEY is malformed.
[Bernd Edlinger]
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
*) Remove the 'dist' target and add a tarball building script. The
'dist' target has fallen out of use, and it shouldn't be
necessary to configure just to create a source distribution.
[Richard Levitte]
- Builds with openssl 1.1.0
- Align code properly so gcc-6 does not complain
- update symbol file.
- drop 02-cflags-errors-unused.patch, -Werror is gone.
- update 03-fix-bool-error-parseStringWithValues.patch, different fix
upstream, does not look right.
tpm-tools (1.3.8.2)
* Add patch 03 to fix FTBFS with gcc-5
* Merge patch 04 to fix FTBFS with clang
Thanks to Alexander <email address hidden> for the patch.
* Bump Standards Version to 3.9.6
- Changes to support OpenSSL 1.1.0
- Removed some warnings for proper builds
- Changes to allow building on OS X
- Fixed memory leaks
- Fixed failure to recognize connections from localhost over IPv6
- Fixed for an exploitable local denial of service in tcsd
* TROUSERS_0_3_13
- Changed exported functions which had a name too common, to avoid collision
- Assessed daemon security using manual techniques and coverit
- Fixed major security bugs and memory leaks
- Added debug support to run tcsd with a different user/group
- Daemon now properly closes sockets before shutting down
* TROUSERS_0_3_12
- Added new network code for RPC, which supports IPv6
- Users of client applications can configure the hostname of the tcsd server
they want to connect through the TSS_TCSD_HOSTNAME env var (only works if
application didn't set a hostname in the context)
- Added disable_ipv4 and disable_ipv6 config options for server
* TROUSERS_0_3_11
- Fix build process for distros
- License was changed from GPL to BSD
- Many bugfixes
- updated man pages
for randomness, and the powerpc code uses mftbu and mftb for access.
The 601 is different than other powerpcs. It doesn't have a time
base register (TBR), but a real time clock (RTC) so it needs to
use different calls like mfrtcu/mfrtcl instead.
1. sets needs to be fixed
2. need to decide if I am going to add engine.so.MAJOR or use engine.so
like OpenSSL wants
3. padlock is MD (x86) needs asm to be added, and conditionally built
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Timing vulnerability in ECDSA signature generation
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
(CVE-2018-0735)
[Paul Dale]
*) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
are retained for backwards compatibility.
[Antoine Salon]
*) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
if its length exceeds 4096 bytes. The limit has been raised to a buffer size
of two gigabytes and the error handling improved.
This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
categorized as a normal bug, not a security issue, because the DRBG reseeds
automatically and is fully functional even without additional randomness
provided by the application.
The code already knows how to handle it, but it assumes anyone who uses
GCC or clang might resolve the getauxval function to something eventually.
The only time we will expose getauxval is if a package tries to substitute
getauxval too, and then code will start having mysterious failures.
getauxval is purely a linux function (as far as I can see), so limit it to
that.
PR pkg/53387, PR port-arm/53386
Current racoon code cannot detect duplicate last fragments as it uses
the fragment flag instead of the fragment number.
The code does not consider that the IKE payload fragments might not be
received in the correct order. In this case, packet complete detection
will again fail and VPN clients abandoned from VPN service.
Nevertheless, clients still can add fragments to the fragment queue and
fill it up to the possible 255 fragments. Only duplicates are detected,
but not the fragments with a number greater than the last fragment
number.
The last fragment number is kept in the Phase 1 handler
after fragment queue deletion, which may lead to error notifications
after succesful reassembly of the IKE phase 1 message.
In general, the 2017's CVE fix added laconic and difficult to understand
failure notifications, which do not much help for analysis, why a VPN
client was blocked by racoon server.
This patch fixes the code and aligns it to Microsoft/Cisco IKE
fragmentation specification. It provides error logging which is in line
with above specification and adds some debug info to the logs to better
support analysis VPN client blackballing.
XXX: pullup-8
fragment list check.
While the fix in https://launchpad.net/~rdratlos/+archive/ubuntu/racoon
- if (i > last_frag) /* It is complete */
+ if (i >= last_frag) /* It is complete */
has the correct behavior, it violates the test for successful
completion of the invariant of the loop:
for (i = 1; i <= last_frag; i++) {
if (!check_fragment_index())
break;
}
if (i > last_frag)
return ok;
It is better to move the check for NULL in the loop earlier, so that
the final iteration is done and the test is kept the same. It makes
the code easier to understand and preserves the original intent.
XXX: pullup-8
_______________
This is a high-level summary of the most important changes.
For a full list of changes, see the git commit log; for example,
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
*) Add a new ClientHello callback. Provides a callback interface that gives
the application the ability to adjust the nascent SSL object at the
earliest stage of ClientHello processing, immediately after extensions have
been collected but before they have been processed. In particular, this
callback can adjust the supported TLS versions in response to the contents
of the ClientHello
[Benjamin Kaduk]
*) Add SM2 base algorithm support.
[Jack Lloyd]
*) s390x assembly pack: add (improved) hardware-support for the following
cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
aes-cfb/cfb8, aes-ecb.
[Patrick Steuer]
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
parameter is no longer accepted, as it leads to a corrupt table. NULL
pem_str is reserved for alias entries only.
[Richard Levitte]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
step for prime curves. The new implementation is based on formulae from
differential addition-and-doubling in homogeneous projective coordinates
from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
to work in projective coordinates.
[Billy Bob Brumley, Nicola Tuveri]
*) Change generating and checking of primes so that the error rate of not
being prime depends on the intended use based on the size of the input.
For larger primes this will result in more rounds of Miller-Rabin.
The maximal error rate for primes with more than 1080 bits is lowered
to 2^-128.
[Kurt Roeckx, Annie Yousar]
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
[Kurt Roeckx]
*) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
moving between systems, and to avoid confusion when a Windows build is
done with mingw vs with MSVC. For POSIX installs, there's still a
symlink or copy named 'tsget' to avoid that confusion as well.
[Richard Levitte]
*) Revert blinding in ECDSA sign and instead make problematic addition
length-invariant. Switch even to fixed-length Montgomery multiplication.
[Andy Polyakov]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
step for binary curves. The new implementation is based on formulae from
differential addition-and-doubling in mixed Lopez-Dahab projective
coordinates, modified to independently blind the operands.
[Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
*) Add a scaffold to optionally enhance the Montgomery ladder implementation
for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
EC_METHODs to implement their own specialized "ladder step", to take
advantage of more favorable coordinate systems or more efficient
differential addition-and-doubling algorithms.
[Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
*) Modified the random device based seed sources to keep the relevant
file descriptors open rather than reopening them on each access.
This allows such sources to operate in a chroot() jail without
the associated device nodes being available. This behaviour can be
controlled using RAND_keep_random_devices_open().
[Paul Dale]
*) Numerous side-channel attack mitigations have been applied. This may have
performance impacts for some algorithms for the benefit of improved
security. Specific changes are noted in this change log by their respective
authors.
[Matt Caswell]
*) AIX shared library support overhaul. Switch to AIX "natural" way of
handling shared libraries, which means collecting shared objects of
different versions and bitnesses in one common archive. This allows to
mitigate conflict between 1.0 and 1.1 side-by-side installations. It
doesn't affect the way 3rd party applications are linked, only how
multi-version installation is managed.
[Andy Polyakov]
*) Make ec_group_do_inverse_ord() more robust and available to other
EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
mitigations are applied to the fallback BN_mod_inverse().
When using this function rather than BN_mod_inverse() directly, new
EC cryptosystem implementations are then safer-by-default.
[Billy Bob Brumley]
*) Add coordinate blinding for EC_POINT and implement projective
coordinate blinding for generic prime curves as a countermeasure to
chosen point SCA attacks.
[Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
*) Add blinding to ECDSA and DSA signatures to protect against side channel
attacks discovered by Keegan Ryan (NCC Group).
[Matt Caswell]
*) Enforce checking in the pkeyutl command line app to ensure that the input
length does not exceed the maximum supported digest length when performing
a sign, verify or verifyrecover operation.
[Matt Caswell]
*) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
I/O in combination with something like select() or poll() will hang. This
can be turned off again using SSL_CTX_clear_mode().
Many applications do not properly handle non-application data records, and
TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
around the problems in those applications, but can also break some.
It's recommended to read the manpages about SSL_read(), SSL_write(),
SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
SSL_CTX_set_read_ahead() again.
[Kurt Roeckx]
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
now allow empty (zero character) pass phrases.
[Richard Levitte]
*) Apply blinding to binary field modular inversion and remove patent
pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
[Billy Bob Brumley]
*) Deprecate ec2_mult.c and unify scalar multiplication code paths for
binary and prime elliptic curves.
[Billy Bob Brumley]
*) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
constant time fixed point multiplication.
[Billy Bob Brumley]
*) Revise elliptic curve scalar multiplication with timing attack
defenses: ec_wNAF_mul redirects to a constant time implementation
when computing fixed point and variable point multiplication (which
in OpenSSL are mostly used with secret scalars in keygen, sign,
ECDH derive operations).
[Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
Sohaib ul Hassan]
*) Updated CONTRIBUTING
[Rich Salz]
*) Updated DRBG / RAND to request nonce and additional low entropy
randomness from the system.
[Matthias St. Pierre]
*) Updated 'openssl rehash' to use OpenSSL consistent default.
[Richard Levitte]
*) Moved the load of the ssl_conf module to libcrypto, which helps
loading engines that libssl uses before libssl is initialised.
[Matt Caswell]
*) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
[Matt Caswell]
*) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
[Ingo Schwarze, Rich Salz]
*) Added output of accepting IP address and port for 'openssl s_server'
[Richard Levitte]
*) Added a new API for TLSv1.3 ciphersuites:
SSL_CTX_set_ciphersuites()
SSL_set_ciphersuites()
[Matt Caswell]
*) Memory allocation failures consistenly add an error to the error
stack.
[Rich Salz]
*) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
in libcrypto when run as setuid/setgid.
[Bernd Edlinger]
*) Load any config file by default when libssl is used.
[Matt Caswell]
*) Added new public header file <openssl/rand_drbg.h> and documentation
for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
[Matthias St. Pierre]
*) QNX support removed (cannot find contributors to get their approval
for the license change).
[Rich Salz]
*) TLSv1.3 replay protection for early data has been implemented. See the
SSL_read_early_data() man page for further details.
[Matt Caswell]
*) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
would otherwise inadvertently disable all TLSv1.3 ciphersuites the
configuration has been separated out. See the ciphers man page or the
SSL_CTX_set_ciphersuites() man page for more information.
[Matt Caswell]
*) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
in responder mode now supports the new "-multi" option, which
spawns the specified number of child processes to handle OCSP
requests. The "-timeout" option now also limits the OCSP
responder's patience to wait to receive the full client request
on a newly accepted connection. Child processes are respawned
as needed, and the CA index file is automatically reloaded
when changed. This makes it possible to run the "ocsp" responder
as a long-running service, making the OpenSSL CA somewhat more
feature-complete. In this mode, most diagnostic messages logged
after entering the event loop are logged via syslog(3) rather than
written to stderr.
[Viktor Dukhovni]
*) Added support for X448 and Ed448. Heavily based on original work by
Mike Hamburg.
[Matt Caswell]
*) Extend OSSL_STORE with capabilities to search and to narrow the set of
objects loaded. This adds the functions OSSL_STORE_expect() and
OSSL_STORE_find() as well as needed tools to construct searches and
get the search data out of them.
[Richard Levitte]
*) Support for TLSv1.3 added. Note that users upgrading from an earlier
version of OpenSSL should review their configuration settings to ensure
that they are still appropriate for TLSv1.3. For further information see:
https://wiki.openssl.org/index.php/TLS1.3
[Matt Caswell]
*) Grand redesign of the OpenSSL random generator
The default RAND method now utilizes an AES-CTR DRBG according to
NIST standard SP 800-90Ar1. The new random generator is essentially
a port of the default random generator from the OpenSSL FIPS 2.0
object module. It is a hybrid deterministic random bit generator
using an AES-CTR bit stream and which seeds and reseeds itself
automatically using trusted system entropy sources.
Some of its new features are:
o Support for multiple DRBG instances with seed chaining.
o The default RAND method makes use of a DRBG.
o There is a public and private DRBG instance.
o The DRBG instances are fork-safe.
o Keep all global DRBG instances on the secure heap if it is enabled.
o The public and private DRBG instance are per thread for lock free
operation
[Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
*) Changed Configure so it only says what it does and doesn't dump
so much data. Instead, ./configdata.pm should be used as a script
to display all sorts of configuration data.
[Richard Levitte]
*) Added processing of "make variables" to Configure.
[Richard Levitte]
*) Added SHA512/224 and SHA512/256 algorithm support.
[Paul Dale]
*) The last traces of Netware support, first removed in 1.1.0, have
now been removed.
[Rich Salz]
*) Get rid of Makefile.shared, and in the process, make the processing
of certain files (rc.obj, or the .def/.map/.opt files produced from
the ordinal files) more visible and hopefully easier to trace and
debug (or make silent).
[Richard Levitte]
*) Make it possible to have environment variable assignments as
arguments to config / Configure.
[Richard Levitte]
*) Add multi-prime RSA (RFC 8017) support.
[Paul Yang]
*) Add SM3 implemented according to GB/T 32905-2016
[ Jack Lloyd <jack.lloyd@ribose.com>,
Ronald Tse <ronald.tse@ribose.com>,
Erick Borsboom <erick.borsboom@ribose.com> ]
*) Add 'Maximum Fragment Length' TLS extension negotiation and support
as documented in RFC6066.
Based on a patch from Tomasz Moń
[Filipe Raimundo da Silva]
*) Add SM4 implemented according to GB/T 32907-2016.
[ Jack Lloyd <jack.lloyd@ribose.com>,
Ronald Tse <ronald.tse@ribose.com>,
Erick Borsboom <erick.borsboom@ribose.com> ]
*) Reimplement -newreq-nodes and ERR_error_string_n; the
original author does not agree with the license change.
[Rich Salz]
*) Add ARIA AEAD TLS support.
[Jon Spillett]
*) Some macro definitions to support VS6 have been removed. Visual
Studio 6 has not worked since 1.1.0
[Rich Salz]
*) Add ERR_clear_last_mark(), to allow callers to clear the last mark
without clearing the errors.
[Richard Levitte]
*) Add "atfork" functions. If building on a system that without
pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
requirements. The RAND facility now uses/requires this.
[Rich Salz]
*) Add SHA3.
[Andy Polyakov]
*) The UI API becomes a permanent and integral part of libcrypto, i.e.
not possible to disable entirely. However, it's still possible to
disable the console reading UI method, UI_OpenSSL() (use UI_null()
as a fallback).
To disable, configure with 'no-ui-console'. 'no-ui' is still
possible to use as an alias. Check at compile time with the
macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still
possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
[Richard Levitte]
*) Add a STORE module, which implements a uniform and URI based reader of
stores that can contain keys, certificates, CRLs and numerous other
objects. The main API is loosely based on a few stdio functions,
and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
OSSL_STORE_error and OSSL_STORE_close.
The implementation uses backends called "loaders" to implement arbitrary
URI schemes. There is one built in "loader" for the 'file' scheme.
[Richard Levitte]
*) Add devcrypto engine. This has been implemented against cryptodev-linux,
then adjusted to work on FreeBSD 8.4 as well.
Enable by configuring with 'enable-devcryptoeng'. This is done by default
on BSD implementations, as cryptodev.h is assumed to exist on all of them.
[Richard Levitte]
*) Module names can prefixed with OSSL_ or OPENSSL_. This affects
util/mkerr.pl, which is adapted to allow those prefixes, leading to
error code calls like this:
OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
With this change, we claim the namespaces OSSL and OPENSSL in a manner
that can be encoded in C. For the foreseeable future, this will only
affect new modules.
[Richard Levitte and Tim Hudson]
*) Removed BSD cryptodev engine.
[Rich Salz]
*) Add a build target 'build_all_generated', to build all generated files
and only that. This can be used to prepare everything that requires
things like perl for a system that lacks perl and then move everything
to that system and do the rest of the build there.
[Richard Levitte]
*) In the UI interface, make it possible to duplicate the user data. This
can be used by engines that need to retain the data for a longer time
than just the call where this user data is passed.
[Richard Levitte]
*) Ignore the '-named_curve auto' value for compatibility of applications
with OpenSSL 1.0.2.
[Tomas Mraz <tmraz@fedoraproject.org>]
*) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
prohibts this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
record layer, and its removal is unlikely to cause inter-operability
issues.
[Matt Caswell]
*) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
with Z. These are meant to replace LONG and ZLONG and to be size safe.
The use of LONG and ZLONG is discouraged and scheduled for deprecation
in OpenSSL 1.2.0.
[Richard Levitte]
*) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
[Richard Levitte, Andy Polyakov]
*) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
does for RSA, etc.
[Richard Levitte]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
[Richard Levitte]
*) The functions X509_STORE_add_cert and X509_STORE_add_crl return
success if they are asked to add an object which already exists
in the store. This change cascades to other functions which load
certificates and CRLs.
[Paul Dale]
*) x86_64 assembly pack: annotate code with DWARF CFI directives to
facilitate stack unwinding even from assembly subroutines.
[Andy Polyakov]
*) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
[Richard Levitte]
*) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
which is the minimum version we support.
[Richard Levitte]
*) Certificate time validation (X509_cmp_time) enforces stricter
compliance with RFC 5280. Fractional seconds and timezone offsets
are no longer allowed.
[Emilia Käsper]
*) Add support for ARIA
[Paul Dale]
*) s_client will now send the Server Name Indication (SNI) extension by
default unless the new "-noservername" option is used. The server name is
based on the host provided to the "-connect" option unless overridden by
using "-servername".
[Matt Caswell]
*) Add support for SipHash
[Todd Short]
*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
prevent issues where no progress is being made and the peer continually
sends unrecognised record types, using up resources processing them.
[Matt Caswell]
*) 'openssl passwd' can now produce SHA256 and SHA512 based output,
using the algorithm defined in
https://www.akkadia.org/drepper/SHA-crypt.txt
[Richard Levitte]
*) Heartbeat support has been removed; the ABI is changed for now.
[Richard Levitte, Rich Salz]
*) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
[Emilia Käsper]
*) The RSA "null" method, which was partially supported to avoid patent
issues, has been replaced to always returns NULL.
[Rich Salz]
================================
This release includes a number of changes that may affect existing
configurations:
* ssh-keygen(1): write OpenSSH format private keys by default
instead of using OpenSSL's PEM format. The OpenSSH format,
supported in OpenSSH releases since 2014 and described in the
PROTOCOL.key file in the source distribution, offers substantially
better protection against offline password guessing and supports
key comments in private keys. If necessary, it is possible to write
old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments
when generating or updating a key.
* sshd(8): remove internal support for S/Key multiple factor
authentication. S/Key may still be used via PAM or BSD auth.
* ssh(1): remove vestigal support for running ssh(1) as setuid. This
used to be required for hostbased authentication and the (long
gone) rhosts-style authentication, but has not been necessary for
a long time. Attempting to execute ssh as a setuid binary, or with
uid != effective uid will now yield a fatal error at runtime.
* sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar
HostbasedAcceptedKeyTypes options have changed. These now specify
signature algorithms that are accepted for their respective
authentication mechanism, where previously they specified accepted
key types. This distinction matters when using the RSA/SHA2
signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their
certificate counterparts. Configurations that override these
options but omit these algorithm names may cause unexpected
authentication failures (no action is required for configurations
that accept the default for these options).
* sshd(8): the precedence of session environment variables has
changed. ~/.ssh/environment and environment="..." options in
authorized_keys files can no longer override SSH_* variables set
implicitly by sshd.
* ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed.
They will now use DSCP AF21 for interactive traffic and CS1 for
bulk. For a detailed rationale, please see the commit message:
https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284
*) Client DoS due to large DH parameter
During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a
key for this prime resulting in a hang until the client has finished. This
could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
(CVE-2018-0732)
[Guido Vranken]
*) Cache timing vulnerability in RSA Key Generation
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
a cache timing side channel attack. An attacker with sufficient access to
mount cache timing attacks during the RSA key generation process could
recover the private key.
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
(CVE-2018-0737)
[Billy Brumley]
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
parameter is no longer accepted, as it leads to a corrupt table. NULL
pem_str is reserved for alias entries only.
[Richard Levitte]
*) Revert blinding in ECDSA sign and instead make problematic addition
length-invariant. Switch even to fixed-length Montgomery multiplication.
[Andy Polyakov]
*) Change generating and checking of primes so that the error rate of not
being prime depends on the intended use based on the size of the input.
For larger primes this will result in more rounds of Miller-Rabin.
The maximal error rate for primes with more than 1080 bits is lowered
to 2^-128.
[Kurt Roeckx, Annie Yousar]
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
[Kurt Roeckx]
*) Add blinding to ECDSA and DSA signatures to protect against side channel
attacks discovered by Keegan Ryan (NCC Group).
[Matt Caswell]
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
now allow empty (zero character) pass phrases.
[Richard Levitte]
*) Certificate time validation (X509_cmp_time) enforces stricter
compliance with RFC 5280. Fractional seconds and timezone offsets
are no longer allowed.
[Emilia Käsper]
*) Fixed a text canonicalisation bug in CMS
Where a CMS detached signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detached text data signed with an earlier version of
OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
[Matt Caswell]
the most cursory analysis shows that the var ("eg") is not (cannot
be) used unitialialised, just gcc is too dumb to work it out.
In this case, the code could be rewritten easily enough to
appease even gcc, but that would cause unnecessary code churn,
and some minor duplication, so just put up with the nonsense init...
Do not change the signedness bit with a left shift operation.
Cast to unsigned integer to prevent this.
sha2.c:79:16, left shift of 154 by 24 places cannot be represented in type 'int'
Detected with micro-UBSan in the user mode.
Do not change the signedness bit with a left shift operation.
Cast to unsigned integer to prevent this.
pgpsum.c:187:18, left shift of 130 by 24 places cannot be represented in type 'int'
Detected with micro-UBSan in the user mode.
rk_getpwuid_r() returns a pointer pwd->pw_dir to a buffer pwbuf[].
It's not safe to store another a copy of pwd->pw_dir in outter scope and
use it out of the scope where there exists pwbuf[].
This fixes a problem reported by ASan under MKSANITIZER.
Nobody should be using XMSS host keys without an explicit decision,
because they're qualitatively different from all other types of host
keys in that they require keeping state.
This also eliminates a harmless but confusing warning that began
after we stopped generating XMSS keys by default.
what's going on.
We have now become "upstream", and most of the ipsec-tools development is
done in NetBSD's CVS. However, many distributions still take their
tarballs from SourceForge (which is defunct, and not maintained).
programs there; make all Makefiles that use bsd.hostprog.mk include it.
Namely turn off MKREPRO and don't make lint, man pages, info files etc.
Remove the Makefile.inc files that contained these same settings, and
remove the settings from Makefile.host
christos