 OpenSSL CHANGES
 _______________

 Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]

  *) Remove support for all 40 and 56 bit ciphers. This includes all the export
     ciphers, which are no longer supported, and drops support for the ephemeral
     RSA key exchange. The LOW cipher string currently contains no ciphers.
     [Kurt Roeckx]

  *) Make EVP_MD_CTX, EVP_MD and HMAC_CTX opaque. For HMAC_CTX, the
     following constructors and destructors were added:

         HMAC_CTX *HMAC_CTX_new(void);
         void HMAC_CTX_free(HMAC_CTX *ctx);

     For EVP_MD, a complete API to create, fill and destroy such
     methods has been added. See EVP_MD_meth_new(3) for
     documentation.

     Additional changes:
     1) HMAC_CTX_cleanup() and EVP_MD_CTX_cleanup() were removed,
        HMAC_CTX_init() and EVP_MD_CTX_init() should be called instead
        to reinitialise an already created structure. Also,
        HMAC_CTX_init() and EVP_MD_CTX_init() now return 0 for failure
        and 1 for success (they previously had the return type void).
     2) For consistency with the majority of our object creators and
        destructors, EVP_MD_CTX_(create|destroy) were renamed to
        EVP_MD_CTX_(new|free). The old names are retained as macros
        for deprecated builds.
     [Richard Levitte]

  *) Added ASYNC support. Libcrypto now includes the async sub-library to enable
     cryptographic operations to be performed asynchronously as long as an
     asynchronous capable engine is used. See the ASYNC_start_job() man page for
     further details. Libssl has also had this capability integrated with the
     introduction of the new mode SSL_MODE_ASYNC and associated error
     SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
     pages. This work was developed in partnership with Intel Corp.
     [Matt Caswell]

  *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH support is
     always enabled now. If you want to disable the support you should
     exclude it using the list of supported ciphers.
     [Kurt Roeckx]

  *) SSL_{CTX_}set_tmp_ecdh(), which can set 1 EC curve, now internally calls
     SSL_{CTX_}set1_curves(), which can set a list.
     [Kurt Roeckx]

  *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the
     curve you want to support using SSL_{CTX_}set1_curves().
     [Kurt Roeckx]

  *) State machine rewrite. The state machine code has been significantly
     refactored in order to remove much duplication of code and solve issues
     with the old code (see ssl/statem/README for further details). This change
     does have some associated API changes. Notably the SSL_state() function
     has been removed and replaced by SSL_get_state which now returns an
     "OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
     altogether. The previous handshake states defined in ssl.h and ssl3.h have
     also been removed.
     [Matt Caswell]

  *) All instances of the string "ssleay" in the public API were replaced
     with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's).
     Some error codes related to internal RSA_eay API's were renamed.
     [Rich Salz]

  *) The demo files in crypto/threads were moved to demo/threads.
     [Rich Salz]

  *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron and sureware.
     [Matt Caswell]

  *) New ASN.1 embed macro.

     New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
     structure is not allocated: it is part of the parent. That is instead of

         FOO *x;

     it must be:

         FOO x;

     This reduces memory fragmentation and makes it impossible to accidentally
     set a mandatory field to NULL.

     This currently only works for some fields, specifically a SEQUENCE, CHOICE,
     or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
     equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
     SEQUENCE OF.
     [Steve Henson]

  *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
     [Emilia Käsper]

  *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
     in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
     an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
     DES and RC4 ciphersuites.
     [Matt Caswell]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
     This changes the decoding behaviour for some invalid messages,
     though the change is mostly in the more lenient direction, and
     legacy behaviour is preserved as much as possible.
     [Emilia Käsper]
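The EVP_DecodeUpdate entry above (and its twin in the 1.0.2e section) says only that decoding of "some invalid messages" changed. The following added example, which is not OpenSSL code and makes no claim about what EVP_DecodeUpdate itself does, is a small standalone base64 decoder that makes the decisions a decoder has to take on odd input explicit: which bytes are skipped, where padding may appear, and which inputs are rejected outright. The function names and the constructed inputs in main() are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if it is not
 * in the alphabet (this is how non-alphabet bytes are detected). */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Decode in[0..inlen) into out, which must have room for (inlen / 4 + 1) * 3
 * bytes. Returns the number of bytes written, or -1 for malformed input.
 * Decisions on odd input, made explicit:
 *   - CR, LF, space and tab are skipped wherever they appear;
 *   - '=' is only valid after 2 or 3 characters of the final group, at most
 *     two of them, and nothing but whitespace may follow;
 *   - any other byte outside the alphabet is an error;
 *   - a final group without padding is accepted if it has 2 or 3 characters
 *     (a single trailing character can never encode a whole byte).
 */
int b64_decode(const unsigned char *in, size_t inlen, unsigned char *out)
{
    unsigned int acc = 0;   /* up to 24 bits of the current group */
    int nchars = 0;         /* alphabet characters in the current group */
    int npad = 0;           /* '=' characters seen so far */
    size_t outlen = 0;

    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c == '\r' || c == '\n' || c == ' ' || c == '\t')
            continue;
        if (c == '=') {
            if (nchars < 2 || nchars + npad >= 4)
                return -1;          /* padding where it cannot belong */
            npad++;
            continue;
        }
        if (npad > 0)
            return -1;              /* data after padding */
        int v = b64_value(c);
        if (v < 0)
            return -1;              /* byte outside the alphabet */
        acc = (acc << 6) | (unsigned int)v;
        if (++nchars == 4) {
            out[outlen++] = (unsigned char)(acc >> 16);
            out[outlen++] = (unsigned char)(acc >> 8);
            out[outlen++] = (unsigned char)acc;
            acc = 0;
            nchars = 0;
        }
    }
    /* Flush the final partial group (with or without '=' padding). */
    if (nchars == 1)
        return -1;
    if (nchars == 2)
        out[outlen++] = (unsigned char)(acc >> 4);
    if (nchars == 3) {
        out[outlen++] = (unsigned char)(acc >> 10);
        out[outlen++] = (unsigned char)(acc >> 2);
    }
    return (int)outlen;
}

/* Convenience check: 1 if decoding the C string in yields exactly expect. */
int b64_check(const char *in, const char *expect)
{
    unsigned char buf[64];
    size_t inlen = strlen(in);
    if ((inlen / 4 + 1) * 3 > sizeof(buf))
        return 0;
    int n = b64_decode((const unsigned char *)in, inlen, buf);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed inputs: a line-wrapped valid message and two malformed ones. */
    printf("wrapped 'Zm9v\\r\\nYmFy\\r\\n' -> %s\n",
           b64_check("Zm9v\r\nYmFy\r\n", "foobar") ? "foobar" : "rejected");
    printf("'Zm9v=Zg' -> %s\n", b64_check("Zm9v=Zg", "foo") ? "accepted" : "rejected");
    printf("'Zm9*'    -> %s\n", b64_check("Zm9*", "foo") ? "accepted" : "rejected");
    return 0;
}
```

The lenient choices here (skipping whitespace, accepting an unpadded final group) are the kind of behaviour the entry calls "the more lenient direction"; the strict ones (rejecting data after padding and bytes outside the alphabet) are what keeps a decoder from silently producing output for garbage.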

  *) Fix no-stdio build.
     [ David Woodhouse <David.Woodhouse@intel.com> and also
       Ivan Nestlerode <ivan.nestlerode@sonos.com> ]

  *) New testing framework
     The testing framework has been largely rewritten and is now using
     perl and the perl modules Test::Harness and an extended variant of
     Test::More called OpenSSL::Test to do its work. All test scripts in
     test/ have been rewritten into test recipes, and all direct calls to
     executables in test/Makefile have become individual recipes using the
     simplified testing OpenSSL::Test::Simple.

     For documentation on our testing modules, do:

         perldoc test/testlib/OpenSSL/Test/Simple.pm
         perldoc test/testlib/OpenSSL/Test.pm

     [Richard Levitte]

  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     return an error.
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]

  *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
     from RFC4279, RFC4785, RFC5487, RFC5489.

     Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
     original RSA_PSK patch.
     [Steve Henson]

  *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
     era flag was never set throughout the codebase (only read). Also removed
     SSL3_FLAGS_POP_BUFFER which was only used if
     SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
     [Matt Caswell]

  *) Changed the default name options in the "ca", "crl", "req" and "x509"
     commands to be "oneline" instead of "compat".
     [Richard Levitte]

  *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
     not aware of clients that still exhibit this bug, and the workaround
     hasn't been working properly for a while.
     [Emilia Käsper]

  *) The return type of BIO_number_read() and BIO_number_written() as well as
     the corresponding num_read and num_write members in the BIO structure has
     changed from unsigned long to uint64_t. On platforms where an unsigned
     long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
     transferred.
     [Matt Caswell]

  *) Given the pervasive nature of TLS extensions it is inadvisable to run
     OpenSSL without support for them. It also means that maintaining
     the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
     not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
     [Matt Caswell]

  *) Removed support for the two export grade static DH ciphersuites
     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
     were newly added (along with a number of other static DH ciphersuites) to
     1.0.2. However the two export ones have *never* worked since they were
     introduced. It seems strange in any case to be adding new export
     ciphersuites, and given "logjam" it also does not seem correct to fix them.
     [Matt Caswell]

  *) Version negotiation has been rewritten. In particular SSLv23_method(),
     SSLv23_client_method() and SSLv23_server_method() have been deprecated,
     and turned into macros which simply call the new preferred function names
     TLS_method(), TLS_client_method() and TLS_server_method(). All new code
     should use the new names instead. Also as part of this change the ssl23.h
     header file has been removed.
     [Matt Caswell]

  *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
     code and the associated standard is no longer considered fit-for-purpose.
     [Matt Caswell]

  *) RT2547 was closed. When generating a private key, try to make the
     output file readable only by the owner. This behavior change might
     be noticeable when interacting with other software.

  *) Documented all exdata functions. Added CRYPTO_free_ex_index.
     Added a test.
     [Rich Salz]

  *) Added HTTP GET support to the ocsp command.
     [Rich Salz]

  *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
     [Matt Caswell]

  *) Added support for TLS extended master secret from
     draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
     initial patch which was a great help during development.
     [Steve Henson]

  *) All libssl internal structures have been removed from the public header
     files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
     now redundant). Users should not attempt to access internal structures
     directly. Instead they should use the provided API functions.
     [Matt Caswell]

  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
     Access to deprecated functions can be re-enabled by running config with
     "enable-deprecated". In addition applications wishing to use deprecated
     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
     will, by default, disable some transitive includes that previously existed
     in the header files (e.g. ec.h will no longer, by default, include bn.h).
     [Matt Caswell]

  *) Added support for OCB mode. OpenSSL has been granted a patent license
     compatible with the OpenSSL license for use of OCB. Details are available
     at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
     for OCB can be removed by calling config with no-ocb.
     [Matt Caswell]

  *) SSLv2 support has been removed. It still supports receiving an SSLv2
     compatible client hello.
     [Kurt Roeckx]

  *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
     done while fixing the error code for the key-too-small case.
     [Annie Yousar <a.yousar@informatik.hu-berlin.de>]

  *) CA.sh has been removed; use CA.pl instead.
     [Rich Salz]

  *) Removed old DES API.
     [Rich Salz]

  *) Remove various unsupported platforms:
       Sony NEWS4
       BEOS and BEOS_R5
       NeXT
       SUNOS
       MPE/iX
       Sinix/ReliantUNIX RM400
       DGUX
       NCR
       Tandem
       Cray
       16-bit platforms such as WIN16
     [Rich Salz]

  *) Clean up OPENSSL_NO_xxx #define's
       Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
       Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
       OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
       OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
       OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
       Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
         OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
         OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
         OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
       Remove MS_STATIC; it's a relic from platforms <32 bits.
     [Rich Salz]

  *) Cleaned up dead code
       Remove all but one '#ifdef undef' which is to be looked at.
     [Rich Salz]

  *) Clean up calling of xxx_free routines.
       Just like free(), fix most of the xxx_free routines to accept
       NULL. Remove the non-null checks from callers. Save much code.
     [Rich Salz]

  *) Add secure heap for storage of private keys (when possible).
     Add BIO_s_secmem(), CBIGNUM, etc.
     Contributed by Akamai Technologies under our Corporate CLA.
     [Rich Salz]

  *) Experimental support for a new, fast, unbiased prime candidate generator,
     bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
     [Felix Laurie von Massenbach <felix@erbridge.co.uk>]

  *) New output format NSS in the sess_id command line tool. This allows
     exporting the session id and the master key in NSS keylog format.
     [Martin Kaiser <martin@kaiser.cx>]

  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
     [mancha <mancha1@zoho.com>]

  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
     in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.
     [mancha <mancha1@zoho.com>]

  *) Fix some double frees. These are not thought to be exploitable.
     [mancha <mancha1@zoho.com>]

  *) A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.

     Thanks to Neel Mehta of Google Security for discovering this bug and to
     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
     preparing the fix (CVE-2014-0160)
     [Adam Langley, Bodo Moeller]

  *) Fix for the attack described in the paper "Recovering OpenSSL
     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     by Yuval Yarom and Naomi Benger. Details can be obtained from:
     http://eprint.iacr.org/2014/140

     Thanks to Yuval Yarom and Naomi Benger for discovering this
     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
     [Yuval Yarom and Naomi Benger]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
     [Steve Henson]

  *) Experimental encrypt-then-mac support.

     Experimental support for encrypt then mac from
     draft-gutmann-tls-encrypt-then-mac-02.txt

     To enable it set the appropriate extension number (0x42 for the test
     server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42

     For non-compliant peers (i.e. just about everything) this should have no
     effect.

     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.

     [Steve Henson]

  *) Add EVP support for key wrapping algorithms. To avoid problems with
     existing code, the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include test cases.
     [Steve Henson]

  *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
     enveloped data.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) New function ASN1_TIME_diff to calculate the difference between two
     ASN1_TIME structures or one structure and the current time.
     [Steve Henson]

  *) Update fips_test_suite to support multiple command line options. New
     test to induce all self test errors in sequence and check expected
     failures.
     [Steve Henson]

  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
     sign or verify all in one operation.
     [Steve Henson]

  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
     test programs and fips_test_suite. Includes functionality to parse
     the minimal script output of fipsalgest.pl directly.
     [Steve Henson]

  *) Add authorisation parameter to FIPS_module_mode_set().
     [Steve Henson]

  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
     [Steve Henson]

  *) Use separate DRBG fields for internal and external flags. New function
     FIPS_drbg_health_check() to perform on demand health checking. Add
     generation tests to fips_test_suite with reduced health check interval to
     demonstrate periodic health checking. Add "nodh" option to
     fips_test_suite to skip very slow DH test.
     [Steve Henson]

  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
     based on NID.
     [Steve Henson]

  *) More extensive health check for DRBG checking many more failure modes.
     New function FIPS_selftest_drbg_all() to handle every possible DRBG
     combination: call this in fips_test_suite.
     [Steve Henson]

  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
     and POST to handle Dual EC cases.
     [Steve Henson]

  *) Add support for canonical generation of DSA parameter 'g'. See
     FIPS 186-3 A.2.3.

  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
     POST to handle HMAC cases.
     [Steve Henson]

  *) Add functions FIPS_module_version() and FIPS_module_version_text()
     to return numerical and string versions of the FIPS module number.
     [Steve Henson]

  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]
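The entry above describes a contract between a DRBG and its entropy callback without showing either side. The following added example (not OpenSSL code; the function names, the 4-byte source block size and the deterministic counter "source" are assumptions made for illustration) shows both halves: a callback that can only read whole blocks and therefore may overshoot max_len, and a DRBG that keeps at most max_len bytes and wipes the surplus.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SRC_BLOCK 4   /* assumed: the entropy source only yields 4-byte blocks */

/* Hypothetical block-oriented entropy source. Constructed as a counter so the
 * example is deterministic; a real source would be a TRNG or the OS RNG. */
static void source_read_blocks(unsigned char *out, size_t nblocks)
{
    for (size_t i = 0; i < nblocks * SRC_BLOCK; i++)
        out[i] = (unsigned char)(0xA0 + i);
}

/*
 * Entropy callback following the semantics described above: it must deliver
 * at least min_len bytes and is allowed to deliver more than max_len. It
 * fetches the smallest whole number of source blocks covering min_len.
 * Returns the number of bytes written into buf (capacity cap), 0 on failure.
 */
size_t get_entropy(unsigned char *buf, size_t cap, size_t min_len, size_t max_len)
{
    if (min_len == 0 || min_len > max_len)
        return 0;
    size_t nblocks = (min_len + SRC_BLOCK - 1) / SRC_BLOCK;
    size_t need = nblocks * SRC_BLOCK;
    if (need > cap)
        return 0;
    source_read_blocks(buf, nblocks);
    return need;
}

/*
 * DRBG side: request entropy, keep at most max_len bytes and discard the
 * surplus. Returns the number of bytes placed in ent (capacity cap), 0 on
 * failure. The surplus is wiped: it was entropy too, and the callback has
 * already promised that dropping it does not weaken the retained prefix.
 */
size_t drbg_collect(unsigned char *ent, size_t cap, size_t min_len, size_t max_len)
{
    unsigned char tmp[64];
    if (max_len > sizeof(tmp) || cap < max_len)
        return 0;
    size_t got = get_entropy(tmp, sizeof(tmp), min_len, max_len);
    if (got < min_len)
        return 0;
    size_t keep = got > max_len ? max_len : got;
    memcpy(ent, tmp, keep);
    memset(tmp, 0, sizeof(tmp));
    return keep;
}

/* How many bytes the DRBG ends up with for a given request window. */
size_t collect_demo(size_t min_len, size_t max_len)
{
    unsigned char ent[64];
    return drbg_collect(ent, sizeof(ent), min_len, max_len);
}

int main(void)
{
    /* min_len 5, max_len 7: no multiple of 4 lies in [5, 7], so the callback
     * returns 8 bytes and the DRBG keeps 7. */
    printf("requested 5..7, callback gave %zu, kept %zu bytes\n",
           get_entropy((unsigned char[64]){0}, 64, 5, 7), collect_demo(5, 7));
    return 0;
}
```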

  *) Add PRNG security strength checks to RSA, DSA and ECDSA using
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
     [Steve Henson]

  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
     the standard OpenSSL PRNG: set additional data to a date time vector.
     [Steve Henson]

  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]
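The padding the entry above refers to is easy to state and easy to get wrong. The following added example (not OpenSSL code; the function names and the constructed 4-byte secret are the example's own) shows the problem and the fix on a toy width: a big-endian shared secret whose top byte happens to be zero comes out one byte shorter from an unpadded conversion, so a KDF run over it on the two sides can disagree and the length itself reveals something about the value. Left-padding to the byte length of the prime, which is what DH_compute_key_padded() does, restores the fixed width.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * What an unpadded DH computation hands back: the big-endian shared secret
 * with leading zero bytes stripped (as a BIGNUM-to-bytes conversion does).
 * full/plen is the fixed-width value; returns the stripped length written to out.
 */
size_t dh_secret_unpadded(const unsigned char *full, size_t plen, unsigned char *out)
{
    size_t skip = 0;
    while (skip < plen && full[skip] == 0)
        skip++;
    memcpy(out, full + skip, plen - skip);
    return plen - skip;
}

/*
 * Left-pad a stripped secret z/zlen back to the byte length of the prime p.
 * Returns plen on success, 0 if z does not fit. out must hold plen bytes.
 */
size_t dh_pad_secret(const unsigned char *z, size_t zlen, size_t plen, unsigned char *out)
{
    if (zlen > plen)
        return 0;
    memset(out, 0, plen - zlen);
    memcpy(out + (plen - zlen), z, zlen);
    return plen;
}

/* 1 if padding z/zlen to plen bytes yields exactly expect[0..plen). */
int dh_pad_check(const unsigned char *z, size_t zlen, size_t plen, const unsigned char *expect)
{
    unsigned char buf[64];
    if (plen > sizeof(buf) || dh_pad_secret(z, zlen, plen, buf) != plen)
        return 0;
    return memcmp(buf, expect, plen) == 0;
}

/* 1 if strip-then-pad reproduces full/plen exactly (the round trip a
 * padded API guarantees and an unpadded one does not). */
int dh_roundtrip_check(const unsigned char *full, size_t plen)
{
    unsigned char stripped[64], padded[64];
    if (plen > sizeof(stripped))
        return 0;
    size_t zlen = dh_secret_unpadded(full, plen, stripped);
    return dh_pad_check(stripped, zlen, plen, full) && zlen <= plen;
}

int main(void)
{
    /* Constructed 4-byte "prime width" secret whose top two bytes are zero. */
    const unsigned char full[4] = { 0x00, 0x00, 0x01, 0x02 };
    unsigned char stripped[4], padded[4];
    size_t zlen = dh_secret_unpadded(full, sizeof(full), stripped);
    size_t n = dh_pad_secret(stripped, zlen, sizeof(full), padded);
    printf("unpadded length %zu, padded length %zu\n", zlen, n);
    return 0;
}
```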

  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o a FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
     [Steve Henson]

  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key.
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0 finalisation should be performed.
     [Steve Henson]

  *) If a candidate issuer certificate is already part of the constructed
     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

       void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
       void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1). (As per the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.
     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]

  *) New -verify_name option in command line utilities to set verification
     parameters by name.
     [Steve Henson]

  *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
     Add CMAC pkey methods.
     [Steve Henson]

  *) Experimental renegotiation in s_server -www mode. If the client
     browses /reneg the connection is renegotiated. If /renegcert it is
     renegotiated requesting a certificate.
     [Steve Henson]

  *) Add an "external" session cache for debugging purposes to s_server. This
     should help trace issues which normally are only apparent in deployed
     multi-process servers.
     [Steve Henson]

  *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
     return value is ignored. NB. The functions RAND_add(), RAND_seed(),
     BIO_set_cipher() and some obscure PEM functions were changed so they
     can now return an error. The RAND changes required a change to the
     RAND_METHOD structure.
     [Steve Henson]

  *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
     a gcc attribute to warn if the result of a function is ignored. This
     is enabled if DEBUG_UNUSED is set. Add to several functions in evp.h
     whose return value is often ignored.
     [Steve Henson]

 Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites.

     This issue was reported to OpenSSL by Hanno Böck.
     (CVE-2015-3193)
     [Andy Polyakov]

  *) Certificate verify crash with missing PSS parameter

     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and absent mask generation function parameter. Since these
     routines are used to verify certificate signature algorithms this can be
     used to crash any certificate verification operation and exploited in a
     DoS attack. Any application which performs certificate verification is
     vulnerable including OpenSSL clients and servers which enable client
     authentication.

     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
     (CVE-2015-3194)
     [Stephen Henson]

  *) X509_ATTRIBUTE memory leak

     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
     memory. This structure is used by the PKCS#7 and CMS routines so any
     application which reads PKCS#7 or CMS data from untrusted sources is
     affected. SSL/TLS is not affected.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
     libFuzzer.
     (CVE-2015-3195)
     [Stephen Henson]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
     This changes the decoding behaviour for some invalid messages,
     though the change is mostly in the more lenient direction, and
     legacy behaviour is preserved as much as possible.
     [Emilia Käsper]

  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     return an error.
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]

 Changes between 1.0.2c and 1.0.2d [9 Jul 2015]

  *) Alternate chains certificate forgery

     During certificate verification, OpenSSL will attempt to find an
     alternative certificate chain if the first attempt to build such a chain
     fails. An error in the implementation of this logic can mean that an
     attacker could cause certain checks on untrusted certificates to be
     bypassed, such as the CA flag, enabling them to use a valid leaf
     certificate to act as a CA and "issue" an invalid certificate.

     This issue was reported to OpenSSL by Adam Langley/David Benjamin
     (Google/BoringSSL).
     [Matt Caswell]

 Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

  *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
     incompatibility in the handling of HMAC. The previous ABI has now been
     restored.
     [Matt Caswell]

 Changes between 1.0.2a and 1.0.2b [11 Jun 2015]

  *) Malformed ECParameters causes infinite loop

     When processing an ECParameters structure OpenSSL enters an infinite loop
     if the curve specified is over a specially malformed binary polynomial
     field.

     This can be used to perform denial of service against any
     system which processes public keys, certificate requests or
     certificates. This includes TLS clients and TLS servers with
     client authentication enabled.

     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]
|
|
|
|
|
|
|
|
  *) Exploitable out-of-bounds read in X509_cmp_time

     X509_cmp_time does not properly check the length of the ASN1_TIME
     string and can read a few bytes out of bounds. In addition,
     X509_cmp_time accepts an arbitrary number of fractional seconds in the
     time string.

     An attacker can use this to craft malformed certificates and CRLs of
     various sizes and potentially cause a segmentation fault, resulting in
     a DoS on applications that verify certificates or CRLs. TLS clients
     that verify CRLs are affected. TLS clients and servers with client
     authentication enabled may be affected if they use custom verification
     callbacks.

     This issue was reported to OpenSSL by Robert Swiecki (Google), and
     independently by Hanno Böck.
     (CVE-2015-1789)
     [Emilia Käsper]
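As an added example, not OpenSSL's own code (the names asn1_time_wellformed and asn1_time_compare are assumed for illustration, and the profile is the strict RFC 5280 one rather than whatever X509_cmp_time accepts): a length-checked validator and comparator for ASN.1 time strings that rejects the short strings and fractional seconds described above, taking the explicit DER length from the caller instead of reading past the buffer.

```c
#include <ctype.h>
#include <string.h>
/* Added example, not OpenSSL code: length-checked validation and comparison of
 * RFC 5280 ASN.1 time strings. Length comes from the caller (as carried in the
 * DER encoding), never from scanning the buffer for a terminator. */
#define UTC_LEN 13 /* YYMMDDHHMMSSZ */
#define GEN_LEN 15 /* YYYYMMDDHHMMSSZ */
static int two(const unsigned char *p) { return (p[0] - '0') * 10 + p[1] - '0'; }

/* 1 if s is a well-formed UTCTime (generalized == 0) or GeneralizedTime
 * (generalized != 0): exact length, all digits, trailing 'Z', no fractional
 * seconds (RFC 5280 forbids them), fields in range. 0 otherwise. */
int asn1_time_wellformed(const unsigned char *s, size_t len, int generalized)
{
    size_t want = generalized ? GEN_LEN : UTC_LEN;
    if (s == NULL || len != want) /* the check whose absence gave CVE-2015-1789 */
        return 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (!isdigit(s[i]))
            return 0;
    const unsigned char *f = s + (generalized ? 4 : 2); /* MMDDHHMMSS */
    return s[len - 1] == 'Z' && two(f) >= 1 && two(f) <= 12
        && two(f + 2) >= 1 && two(f + 2) <= 31 && two(f + 4) <= 23
        && two(f + 6) <= 59 && two(f + 8) <= 59;
}

/* Writes "YYYYMMDDHHMMSS" into out[14]; UTCTime years 00..49 mean 20xx and
 * 50..99 mean 19xx (RFC 5280). Returns 1 on success, 0 on malformed input. */
static int normalize(const unsigned char *s, size_t len, int gen, char out[14])
{
    if (!asn1_time_wellformed(s, len, gen))
        return 0;
    if (!gen)
        memcpy(out, two(s) < 50 ? "20" : "19", 2);
    memcpy(out + (gen ? 0 : 2), s, gen ? 14 : 12);
    return 1;
}

/* -1, 0 or 1 as a is before, equal to or after b; -2 if either string is
 * malformed, which callers must treat as failure, never as "equal". */
int asn1_time_compare(const unsigned char *a, size_t alen, int agen,
                      const unsigned char *b, size_t blen, int bgen)
{
    char na[14], nb[14];
    if (!normalize(a, alen, agen, na) || !normalize(b, blen, bgen, nb))
        return -2;
    int c = memcmp(na, nb, 14);
    return c < 0 ? -1 : c > 0;
}
```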

  *) PKCS7 crash with missing EnvelopedContent

     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.

     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia Käsper]

  *) CMS verify infinite loop with unknown hash function

     When verifying a signedData message the CMS code can enter an infinite loop
     if presented with an unknown hash function OID. This can be used to perform
     denial of service against any system which verifies signedData messages using
     the CMS code.
     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]

  *) Race condition handling NewSessionTicket

     If a NewSessionTicket is received by a multi-threaded client when attempting to
     reuse a previous ticket then a race condition can occur potentially leading to
     a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]

  *) Only support 256-bit or stronger elliptic curves with the
     'ecdh_auto' setting (server) or by default (client). Of supported
     curves, prefer P-256 (both).
     [Emilia Kasper]

 Changes between 1.0.2 and 1.0.2a [19 Mar 2015]

  *) ClientHello sigalgs DoS fix

     If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
     invalid signature algorithms extension a NULL pointer dereference will
     occur. This can be exploited in a DoS attack against the server.

     This issue was reported to OpenSSL by David Ramos of Stanford
     University.
     (CVE-2015-0291)
     [Stephen Henson and Matt Caswell]

  *) Multiblock corrupted pointer fix

     OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
     feature only applies on 64 bit x86 architecture platforms that support AES
     NI instructions. A defect in the implementation of "multiblock" can cause
     OpenSSL's internal write buffer to become incorrectly set to NULL when
     using non-blocking IO. Typically, when the user application is using a
     socket BIO for writing, this will only result in a failed connection.
     However if some other BIO is used then it is likely that a segmentation
     fault will be triggered, thus enabling a potential DoS attack.

     This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
     (CVE-2015-0290)
     [Matt Caswell]

  *) Segmentation fault in DTLSv1_listen fix

     The DTLSv1_listen function is intended to be stateless and processes the
     initial ClientHello from many peers. It is common for user code to loop
     over the call to DTLSv1_listen until a valid ClientHello is received with
     an associated cookie. A defect in the implementation of DTLSv1_listen means
     that state is preserved in the SSL object from one invocation to the next
     that can lead to a segmentation fault. Errors processing the initial
     ClientHello can trigger this scenario. An example of such an error could be
     that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
     server.

     This issue was reported to OpenSSL by Per Allansson.
     (CVE-2015-0207)
     [Matt Caswell]

  *) Segmentation fault in ASN1_TYPE_cmp fix

     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
     made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
     certificate signature algorithm consistency this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.
     (CVE-2015-0286)
     [Stephen Henson]

  *) Segmentation fault for invalid PSS parameters fix

     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and invalid parameters. Since these routines are used to verify
     certificate signature algorithms this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.

     This issue was reported to OpenSSL by Brian Carpenter.
     (CVE-2015-0208)
     [Stephen Henson]

  *) ASN.1 structure reuse memory corruption fix

     Reusing a structure in ASN.1 parsing may allow an attacker to cause
     memory corruption via an invalid write. Such reuse is and has been
     strongly discouraged and is believed to be rare.

     Applications that parse structures containing CHOICE or ANY DEFINED BY
     components may be affected. Certificate parsing (d2i_X509 and related
     functions) are however not affected. OpenSSL clients and servers are
     not affected.
     (CVE-2015-0287)
     [Stephen Henson]

  *) PKCS7 NULL pointer dereferences fix

     The PKCS#7 parsing code does not handle missing outer ContentInfo
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
     missing content and trigger a NULL pointer dereference on parsing.

     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
     otherwise parse PKCS#7 structures from untrusted sources are
     affected. OpenSSL clients and servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-0289)
     [Emilia Käsper]

  *) DoS via reachable assert in SSLv2 servers fix

     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
     servers that both support SSLv2 and enable export cipher suites by sending
     a specially crafted SSLv2 CLIENT-MASTER-KEY message.

     This issue was discovered by Sean Burford (Google) and Emilia Käsper
     (OpenSSL development team).
     (CVE-2015-0293)
     [Emilia Käsper]

  *) Empty CKE with client auth and DHE fix

     If client auth is used then a server can seg fault in the event of a DHE
     ciphersuite being selected and a zero length ClientKeyExchange message
     being sent by the client. This could be exploited in a DoS attack.
     (CVE-2015-1787)
     [Matt Caswell]

  *) Handshake with unseeded PRNG fix

     Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
     with an unseeded PRNG. The conditions are:
     - The client is on a platform where the PRNG has not been seeded
       automatically, and the user has not seeded manually
     - A protocol specific client method version has been used (i.e. not
       SSL_client_methodv23)
     - A ciphersuite is used that does not require additional random data from
       the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

     If the handshake succeeds then the client random that has been used will
     have been generated from a PRNG with insufficient entropy and therefore the
     output may be predictable.

     For example using the following command with an unseeded openssl will
     succeed on an unpatched platform:

     openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
     (CVE-2015-0285)
     [Matt Caswell]

  *) Use After Free following d2i_ECPrivateKey error fix

     A malformed EC private key file consumed via the d2i_ECPrivateKey function
     could cause a use after free condition. This, in turn, could cause a double
     free in several private key parsing functions (such as d2i_PrivateKey
     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
     for applications that receive EC private keys from untrusted
     sources. This scenario is considered rare.

     This issue was discovered by the BoringSSL project and fixed in their
     commit 517073cd4b.
     (CVE-2015-0209)
     [Matt Caswell]

  *) X509_to_X509_REQ NULL pointer deref fix

     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
     the certificate key is invalid. This function is rarely used in practice.

     This issue was discovered by Brian Carpenter.
     (CVE-2015-0288)
     [Stephen Henson]

  *) Removed the export ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 1.0.1l and 1.0.2 [22 Jan 2015]

  *) Facilitate "universal" ARM builds targeting a range of ARM ISAs, e.g.
     ARMv5 through ARMv8, as opposed to "locking" it to a single one.
     So far those who have to target multiple platforms would compromise
     and argue that a binary targeting say ARMv5 would still execute on
     ARMv8. "Universal" build resolves this compromise by providing
     near-optimal performance even on newer platforms.
     [Andy Polyakov]

  *) Accelerated NIST P-256 elliptic curve implementation for x86_64
     (other platforms pending).
     [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]

  *) Add support for the SignedCertificateTimestampList certificate and
     OCSP response extensions from RFC6962.
     [Rob Stradling]

  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]

  *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
     This covers AES, SHA256/512 and GHASH. "Initial" means that most
     common cases are optimized and there still is room for further
     improvements. Vector Permutation AES for Altivec is also added.
     [Andy Polyakov]

  *) Add support for little-endian ppc64 Linux target.
     [Marcelo Cerri (IBM)]

  *) Initial support for ARMv8 ISA crypto extensions. This covers AES,
     SHA1, SHA256 and GHASH. "Initial" means that most common cases
     are optimized and there still is room for further improvements.
     Both 32- and 64-bit modes are supported.
     [Andy Polyakov, Ard Biesheuvel (Linaro)]

  *) Improved ARMv7 NEON support.
     [Andy Polyakov]

  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]

*) Accelerated modular exponentiation for Intel processors, a.k.a.
|
|
|
|
RSAZ.
|
|