generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
f2adbd85ddb86e508efe84a85fb7a01aad4ea47a
openssl/apps
History
Emilia Kasper 380f18ed5f CVE-2016-0798: avoid memory leak in SRP 
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-25 15:42:48 +01:00
..
demoCA
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
demoSRP
Missing SRP files.
2011-03-16 11:50:33 +00:00
app_rand.c
Add a no-egd option to disable EGD-related code
2016-01-14 13:02:51 -05:00
apps.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
apps.h
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
asn1pars.c
argv was set but unused
2016-02-20 14:53:53 +01:00
build.info
Rethink the uplink / applink story
2016-02-19 11:06:54 +01:00
ca-cert.srl
Update test server certificate in apps/server.pem (it was expired).
2000-10-16 22:56:10 +00:00
ca-key.pem
Fix verify(1) to report failure when verification fails
2016-01-13 17:55:17 -05:00
ca-req.pem
Fix verify(1) to report failure when verification fails
2016-01-13 17:55:17 -05:00
ca.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
CA.pl.in
Fix some issues near recent chomp changes.
2016-02-13 02:54:48 -05:00
cert.pem
Import of old SSLeay release: SSLeay 0.9.0b
1998-12-21 10:56:39 +00:00
ciphers.c
Support disabling any or all TLS or DTLS versions
2016-01-19 09:57:15 -05:00
client.pem
Replace expired test server and client certificates with new ones.
2011-12-08 14:44:05 +00:00
cms.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
crl2p7.c
argv was set but unused
2016-02-20 14:53:53 +01:00
crl.c
argv was set but unused
2016-02-20 14:53:53 +01:00
dgst.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
dh1024.pem
Include SKIP DH parameters with OpenSSL.
2000-08-02 09:04:44 +00:00
dh2048.pem
Include SKIP DH parameters with OpenSSL.
2000-08-02 09:04:44 +00:00
dh4096.pem
Include SKIP DH parameters with OpenSSL.
2000-08-02 09:04:44 +00:00
dhparam.c
Use NON_EMPTY_TRANSLATION_UNIT, consistently.
2016-02-09 20:13:29 -05:00
dsa512.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
dsa1024.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
dsa-ca.pem
Fix verify(1) to report failure when verification fails
2016-01-13 17:55:17 -05:00
dsa-pca.pem
Fix verify(1) to report failure when verification fails
2016-01-13 17:55:17 -05:00
dsa.c
argv was set but unused
2016-02-20 14:53:53 +01:00
dsap.pem
Import of old SSLeay release: SSLeay 0.9.0b
1998-12-21 10:56:39 +00:00
dsaparam.c
Use NON_EMPTY_TRANSLATION_UNIT, consistently.
2016-02-09 20:13:29 -05:00
ec.c
argv was set but unused
2016-02-20 14:53:53 +01:00
ecparam.c
argv was set but unused
2016-02-20 14:53:53 +01:00
enc.c
GH681: More command help cleanup
2016-02-18 12:24:44 -05:00
engine.c
Use NON_EMPTY_TRANSLATION_UNIT, consistently.
2016-02-09 20:13:29 -05:00
errstr.c
Fix errstr error code parsing
2016-02-11 08:53:11 +00:00
gendsa.c
Use NON_EMPTY_TRANSLATION_UNIT, consistently.
2016-02-09 20:13:29 -05:00
genpkey.c
argv was set but unused
2016-02-20 14:53:53 +01:00
genrsa.c
Use NON_EMPTY_TRANSLATION_UNIT, consistently.
2016-02-09 20:13:29 -05:00
Makefile.in
Rethink the uplink / applink story
2016-02-19 11:06:54 +01:00
nseq.c
argv was set but unused
2016-02-20 14:53:53 +01:00
ocsp.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
openssl-vms.cnf
Remove outdated legacy crypto options
2016-01-27 19:05:50 -05:00
openssl.c
Remove JPAKE
2016-02-17 09:46:10 -05:00
openssl.cnf
Use better defaults for TSA.
2015-11-20 13:40:53 +00:00
opt.c
Deprecate the -issuer_checks debugging option
2016-02-10 12:34:06 -05:00
passwd.c
Rename some BUF_xxx to OPENSSL_xxx
2015-12-16 16:14:49 -05:00
pca-cert.srl
Update test server certificate in apps/server.pem (it was expired).
2000-10-16 22:56:10 +00:00
pca-key.pem
Fix verify(1) to report failure when verification fails
2016-01-13 17:55:17 -05:00
pca-req.pem
Fix verify(1) to report failure when verification fails
2016-01-13 17:55:17 -05:00
pkcs7.c
argv was set but unused
2016-02-20 14:53:53 +01:00
pkcs8.c
argv was set but unused
2016-02-20 14:53:53 +01:00
pkcs12.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
pkey.c
argv was set but unused
2016-02-20 14:53:53 +01:00
pkeyparam.c
argv was set but unused
2016-02-20 14:53:53 +01:00
pkeyutl.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
prime.c
Fix "primarility" typo
2015-11-21 14:37:24 +01:00
privkey.pem
PR: 1644
2009-09-06 15:49:46 +00:00
progs.h
make generate
2016-02-12 04:42:22 +01:00
progs.pl
Generate progs.h from a bunch of files instead of internal knowledge
2016-02-12 04:42:22 +01:00
rand.c
RT4227: Range-check in apps.
2016-01-12 01:00:31 -05:00
rehash.c
Rename some BUF_xxx to OPENSSL_xxx
2015-12-16 16:14:49 -05:00
req.c
GH480: Don't break statements with CPP stuff.
2016-02-24 16:11:39 -05:00
req.pem
Import of old SSLeay release: SSLeay 0.9.0b
1998-12-21 10:56:39 +00:00
rsa8192.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
rsa.c
argv was set but unused
2016-02-20 14:53:53 +01:00
rsautl.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
s512-key.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
s512-req.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
s1024key.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
s1024req.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
s_apps.h
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
s_cb.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
s_client.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
s_server.c
CVE-2016-0798: avoid memory leak in SRP
2016-02-25 15:42:48 +01:00
s_socket.c
Fix typo, reformat comment.
2016-02-24 14:23:21 -05:00
s_time.c
argv was set but unused
2016-02-20 14:53:53 +01:00
server2.pem
Replace expired test server and client certificates with new ones.
2011-12-08 14:44:05 +00:00
server.pem
Replace expired test server and client certificates with new ones.
2011-12-08 14:44:05 +00:00
server.srl
Import of old SSLeay release: SSLeay 0.9.0b
1998-12-21 10:56:39 +00:00
sess_id.c
argv was set but unused
2016-02-20 14:53:53 +01:00
smime.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
speed.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
spkac.c
argv was set but unused
2016-02-20 14:53:53 +01:00
srp.c
Use NON_EMPTY_TRANSLATION_UNIT, consistently.
2016-02-09 20:13:29 -05:00
testCA.pem
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
testdsa.h
Big apps cleanup (option-parsing, etc)
2015-04-24 15:26:15 -04:00
testrsa.h
Remove /* foo.c */ comments
2016-01-26 16:40:43 -05:00
timeouts.h
Remove /* foo.c */ comments
2016-01-26 16:40:43 -05:00
ts.c
argv was set but unused
2016-02-20 14:53:53 +01:00
tsget
PR: 2031
2009-09-07 17:57:18 +00:00
verify.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00
version.c
typo
2016-02-10 19:04:08 +00:00
vms_decc_init.c
Fix some missing or faulty header file inclusions
2015-12-30 14:54:29 +01:00
winrand.c
Big apps cleanup (option-parsing, etc)
2015-04-24 15:26:15 -04:00
x509.c
Remove unused parameters from internal functions
2016-02-22 13:39:44 -05:00