X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=41926e9db09b5557173e2e9249317542a20021e4;hp=084ddbdd26bfa9b32a689e03270adefcbff76d7a;hb=317be63875e59efa34be0075eaff3c033ef6969f;hpb=d5b33a518f9833d0550f61656a57f46c48bef926 diff --git a/CHANGES b/CHANGES index 084ddbdd26..41926e9db0 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,204 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] + Changes between 1.0.2f and 1.1.0 [xx XXX xxxx] + + *) Add X25519 support. + Integrate support for X25519 into EC library. This includes support + for public and private key encoding using the format documented in + draft-josefsson-pkix-newcurves-01: specifically X25519 uses the + OID from that draft, encodes public keys using little endian + format in the ECPoint structure and private keys using + little endian form in the privateKey field of the ECPrivateKey + structure. TLS support complies with draft-ietf-tls-rfc4492bis-06 + and uses X25519(29). + + Note: the current version supports key generation, public and + private key encoding and ECDH key agreement using the EC API. + Low level point operations such as EC_POINT_add(), EC_POINT_mul() + are NOT supported. + [Steve Henson] + + *) Deprecate SRP_VBASE_get_by_user. + SRP_VBASE_get_by_user had inconsistent memory management behaviour. + In order to fix an unavoidable memory leak (CVE-2016-0798), + SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP + seed, even if the seed is configured. + + Users should use SRP_VBASE_get1_by_user instead. Note that in + SRP_VBASE_get1_by_user, caller must free the returned value. Note + also that even though configuring the SRP seed attempts to hide + invalid usernames by continuing the handshake with fake + credentials, this behaviour is not constant time and no strong + guarantees are made that the handshake is indistinguishable from + that of a valid user. + [Emilia Käsper] + + *) Configuration change; it's now possible to build dynamic engines + without having to build shared libraries and vice versa. This + only applies to the engines in engines/, those in crypto/engine/ + will always be built into libcrypto (i.e. "static"). + + Building dynamic engines is enabled by default; to disable, use + the configuration option "disable-dynamic-engine". + + The only requirements for building dynamic engines are the + presence of the DSO module and building with position independent + code, so they will also automatically be disabled if configuring + with "disable-dso" or "disable-pic". + + The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE + are also taken away from openssl/opensslconf.h, as they are + irrelevant. + [Richard Levitte] + + *) Configuration change; if there is a known flag to compile + position independent code, it will always be applied on the + libcrypto and libssl object files, and never on the application + object files. This means other libraries that use routines from + libcrypto / libssl can be made into shared libraries regardless + of how OpenSSL was configured. + + If this isn't desirable, the configuration options "disable-pic" + or "no-pic" can be used to disable the use of PIC. This will + also disable building shared libraries and dynamic engines. + [Richard Levitte] + + *) Removed JPAKE code. It was experimental and has no wide use. + [Rich Salz] + + *) The INSTALL_PREFIX Makefile variable has been renamed to + DESTDIR. That makes for less confusion on what this variable + is for. Also, the configuration option --install_prefix is + removed. + [Richard Levitte] + + *) Heartbeat for TLS has been removed and is disabled by default + for DTLS; configure with enable-heartbeats. Code that uses the + old #define's might need to be updated. + [Emilia Käsper, Rich Salz] + + *) Rename REF_CHECK to REF_DEBUG. + [Rich Salz] + + *) New "unified" build system + + The "unified" build system is aimed to be a common system for all + platforms we support. With it comes new support for VMS. + + This system builds supports building in a different directory tree + than the source tree. It produces one Makefile (for unix family + or lookalikes), or one descrip.mms (for VMS). + + The source of information to make the Makefile / descrip.mms is + small files called 'build.info', holding the necessary + information for each directory with source to compile, and a + template in Configurations, like unix-Makefile.tmpl or + descrip.mms.tmpl. + + We rely heavily on the perl module Text::Template. + [Richard Levitte] + + *) Added support for auto-initialisation and de-initialisation of the library. + OpenSSL no longer requires explicit init or deinit routines to be called, + except in certain circumstances. See the OPENSSL_init_crypto() and + OPENSSL_init_ssl() man pages for further information. + [Matt Caswell] + + *) The arguments to the DTLSv1_listen function have changed. Specifically the + "peer" argument is now expected to be a BIO_ADDR object. + + *) Rewrite of BIO networking library. The BIO library lacked consistent + support of IPv6, and adding it required some more extensive + modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types, + which hold all types of addresses and chains of address information. + It also introduces a new API, with functions like BIO_socket, + BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept. + The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram + have been adapted accordingly. + [Richard Levitte] + + *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without + the leading 0-byte. + [Emilia Käsper] + + *) CRIME protection: disable compression by default, even if OpenSSL is + compiled with zlib enabled. Applications can still enable compression + by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by + using the SSL_CONF library to configure compression. + [Emilia Käsper] + + *) The signature of the session callback configured with + SSL_CTX_sess_set_get_cb was changed. The read-only input buffer + was explicitly marked as 'const unsigned char*' instead of + 'unsigned char*'. + [Emilia Käsper] + + *) Always DPURIFY. Remove the use of uninitialized memory in the + RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op. + [Emilia Käsper] + + *) Removed many obsolete configuration items, including + DES_PTR, DES_RISC1, DES_RISC2, DES_INT + MD2_CHAR, MD2_INT, MD2_LONG + BF_PTR, BF_PTR2 + IDEA_SHORT, IDEA_LONG + RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX + [Rich Salz, with advice from Andy Polyakov] + + *) Many BN internals have been moved to an internal header file. + [Rich Salz with help from Andy Polyakov] + + *) Configuration and writing out the results from it has changed. + Files such as Makefile include/openssl/opensslconf.h and are now + produced through general templates, such as Makefile.in and + crypto/opensslconf.h.in and some help from the perl module + Text::Template. + + Also, the center of configuration information is no longer + Makefile. Instead, Configure produces a perl module in + configdata.pm which holds most of the config data (in the hash + table %config), the target data that comes from the target + configuration in one of the Configurations/*.conf files (in + %target). + [Richard Levitte] + + *) To clarify their intended purposes, the Configure options + --prefix and --openssldir change their semantics, and become more + straightforward and less interdependent. + + --prefix shall be used exclusively to give the location INSTALLTOP + where programs, scripts, libraries, include files and manuals are + going to be installed. The default is now /usr/local. + + --openssldir shall be used exclusively to give the default + location OPENSSLDIR where certificates, private keys, CRLs are + managed. This is also where the default openssl.cnf gets + installed. + If the directory given with this option is a relative path, the + values of both the --prefix value and the --openssldir value will + be combined to become OPENSSLDIR. + The default for --openssldir is INSTALLTOP/ssl. + + Anyone who uses --openssldir to specify where OpenSSL is to be + installed MUST change to use --prefix instead. + [Richard Levitte] + + *) The GOST engine was out of date and therefore it has been removed. An up + to date GOST engine is now being maintained in an external repository. + See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains + support for GOST ciphersuites (these are only activated if a GOST engine + is present). + [Matt Caswell] + + *) EGD is no longer supported by default; use enable-egd when + configuring. + [Ben Kaduk and Rich Salz] + + *) The distribution now has Makefile.in files, which are used to + create Makefile's when Configure is run. *Configure must be run + before trying to build now.* + [Rich Salz] *) The return value for SSL_CIPHER_description() for error conditions has changed. @@ -142,7 +339,7 @@ [Rich Salz] *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp, - and sureware. + sureware and ubsec. [Matt Caswell, Rich Salz] *) New ASN.1 embed macro. @@ -661,6 +858,50 @@ whose return value is often ignored. [Steve Henson] + Changes between 1.0.2e and 1.0.2f [28 Jan 2016] + *) DH small subgroups + + Historically OpenSSL only ever generated DH parameters based on "safe" + primes. More recently (in version 1.0.2) support was provided for + generating X9.42 style parameter files such as those required for RFC 5114 + support. The primes used in such files may not be "safe". Where an + application is using DH configured with parameters based on primes that are + not "safe" then an attacker could use this fact to find a peer's private + DH exponent. This attack requires that the attacker complete multiple + handshakes in which the peer uses the same private DH exponent. For example + this could be used to discover a TLS server's private DH exponent if it's + reusing the private DH exponent or it's using a static DH ciphersuite. + + OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in + TLS. It is not on by default. If the option is not set then the server + reuses the same private DH exponent for the life of the server process and + would be vulnerable to this attack. It is believed that many popular + applications do set this option and would therefore not be at risk. + + The fix for this issue adds an additional check where a "q" parameter is + available (as is the case in X9.42 based parameters). This detects the + only known attack, and is the only possible defense for static DH + ciphersuites. This could have some performance impact. + + Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by + default and cannot be disabled. This could have some performance impact. + + This issue was reported to OpenSSL by Antonio Sanso (Adobe). + (CVE-2016-0701) + [Matt Caswell] + + *) SSLv2 doesn't block disabled ciphers + + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + + This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram + and Sebastian Schinzel. + (CVE-2015-3197) + [Viktor Dukhovni] + Changes between 1.0.2d and 1.0.2e [3 Dec 2015] *) BN_mod_exp may produce incorrect results on x86_64 @@ -2611,7 +2852,7 @@ *) New option -sigopt to dgst utility. Update dgst to use EVP_Digest{Sign,Verify}*. These two changes make it possible to use - alternative signing paramaters such as X9.31 or PSS in the dgst + alternative signing parameters such as X9.31 or PSS in the dgst utility. [Steve Henson] @@ -3818,7 +4059,7 @@ unofficial, and the ID has long expired. [Bodo Moeller] - *) Fix RSA blinding Heisenbug (problems sometimes occured on + *) Fix RSA blinding Heisenbug (problems sometimes occurred on dual-core machines) and other potential thread-safety issues. [Bodo Moeller] @@ -4833,7 +5074,7 @@ unofficial, and the ID has long expired. [Bodo Moeller] - *) Fix RSA blinding Heisenbug (problems sometimes occured on + *) Fix RSA blinding Heisenbug (problems sometimes occurred on dual-core machines) and other potential thread-safety issues. [Bodo Moeller] @@ -4938,7 +5179,7 @@ *) Added support for proxy certificates according to RFC 3820. Because they may be a security thread to unaware applications, - they must be explicitely allowed in run-time. See + they must be explicitly allowed in run-time. See docs/HOWTO/proxy_certificates.txt for further information. [Richard Levitte] @@ -7515,7 +7756,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't reveal whether illegal block cipher padding was found or a MAC - verification error occured. (Neither SSLerr() codes nor alerts + verification error occurred. (Neither SSLerr() codes nor alerts are directly visible to potential attackers, but the information may leak via logfiles.) @@ -9922,7 +10163,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Bugfix: ssl23_get_client_hello did not work properly when called in state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, - but a retry condition occured while trying to read the rest. + but a retry condition occurred while trying to read the rest. [Bodo Moeller] *) The PKCS7_ENC_CONTENT_new() function was setting the content type as