X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=b71b8503eae70acec15d2e9c00044be3e6b07ac3;hp=4f8fff514364fae61ccd289c53789d21badb7050;hb=b59147070021ef2838e47c5c29331f6816b73f65;hpb=502bed22a940598bad27555d2b5c5c27a1f2edf1 diff --git a/CHANGES b/CHANGES index 4f8fff5143..b71b8503ea 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,242 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2f and 1.1.0 [xx XXX xxxx] + Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] + + *) --strict-warnings no longer enables runtime debugging options + such as REF_DEBUG. Instead, debug options are automatically + enabled with '--debug' builds. + [Andy Polyakov, Emilia Käsper] + + *) Made DH and DH_METHOD opaque. The structures for managing DH objects + have been moved out of the public header files. New functions for managing + these have been added. + [Matt Caswell] + + *) Made RSA and RSA_METHOD opaque. The structures for managing RSA + objects have been moved out of the public header files. New + functions for managing these have been added. + [Richard Levitte] + + *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects + have been moved out of the public header files. New functions for managing + these have been added. + [Matt Caswell] + + *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been + moved out of the public header files. New functions for managing these + have been added. + [Matt Caswell] + + *) Removed no-rijndael as a config option. Rijndael is an old name for AES. + [Matt Caswell] + + *) Removed the mk1mf build scripts. + [Richard Levitte] + + *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so + it is always safe to #include a header now. + [Rich Salz] + + *) Removed the aged BC-32 config and all its supporting scripts + [Richard Levitte] + + *) Removed support for Ultrix, Netware, and OS/2. + [Rich Salz] + + *) Add support for HKDF. + [Alessandro Ghedini] + + *) Add support for blake2b and blake2s + [Bill Cox] + + *) Added support for "pipelining". Ciphers that have the + EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple + encryptions/decryptions simultaneously. There are currently no built-in + ciphers with this property but the expectation is that engines will be able + to offer it to significantly improve throughput. Support has been extended + into libssl so that multiple records for a single connection can be + processed in one go (for >=TLS 1.1). + [Matt Caswell] + + *) Added the AFALG engine. This is an async capable engine which is able to + offload work to the Linux kernel. In this initial version it only supports + AES128-CBC. The kernel must be version 4.1.0 or greater. + [Catriona Lucey] + + *) OpenSSL now uses a new threading API. It is no longer necessary to + set locking callbacks to use OpenSSL in a multi-threaded environment. There + are two supported threading models: pthreads and windows threads. It is + also possible to configure OpenSSL at compile time for "no-threads". The + old threading API should no longer be used. The functions have been + replaced with "no-op" compatibility macros. + [Alessandro Ghedini, Matt Caswell] + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Add SSL_CIPHER queries for authentication and key-exchange. + [Todd Short] + + *) Changes to the DEFAULT cipherlist: + - Prefer (EC)DHE handshakes over plain RSA. + - Prefer AEAD ciphers over legacy ciphers. + - Prefer ECDSA over RSA when both certificates are available. + - Prefer TLSv1.2 ciphers/PRF. + - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the + default cipherlist. + [Emilia Käsper] + + *) Change the ECC default curve list to be this, in order: x25519, + secp256r1, secp521r1, secp384r1. + [Rich Salz] + + *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are + disabled by default. They can be re-enabled using the + enable-weak-ssl-ciphers option to Configure. + [Matt Caswell] + + *) If the server has ALPN configured, but supports no protocols that the + client advertises, send a fatal "no_application_protocol" alert. + This behaviour is SHALL in RFC 7301, though it isn't universally + implemented by other servers. + [Emilia Käsper] + + *) Add X25519 support. + Integrate support for X25519 into EC library. This includes support + for public and private key encoding using the format documented in + draft-josefsson-pkix-newcurves-01: specifically X25519 uses the + OID from that draft, encodes public keys using little endian + format in the ECPoint structure and private keys using + little endian form in the privateKey field of the ECPrivateKey + structure. TLS support complies with draft-ietf-tls-rfc4492bis-06 + and uses X25519(29). + + Note: the current version supports key generation, public and + private key encoding and ECDH key agreement using the EC API. + Low level point operations such as EC_POINT_add(), EC_POINT_mul() + are NOT supported. + [Steve Henson] + + *) Deprecate SRP_VBASE_get_by_user. + SRP_VBASE_get_by_user had inconsistent memory management behaviour. + In order to fix an unavoidable memory leak (CVE-2016-0798), + SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP + seed, even if the seed is configured. + + Users should use SRP_VBASE_get1_by_user instead. Note that in + SRP_VBASE_get1_by_user, caller must free the returned value. Note + also that even though configuring the SRP seed attempts to hide + invalid usernames by continuing the handshake with fake + credentials, this behaviour is not constant time and no strong + guarantees are made that the handshake is indistinguishable from + that of a valid user. + [Emilia Käsper] + + *) Configuration change; it's now possible to build dynamic engines + without having to build shared libraries and vice versa. This + only applies to the engines in engines/, those in crypto/engine/ + will always be built into libcrypto (i.e. "static"). + + Building dynamic engines is enabled by default; to disable, use + the configuration option "disable-dynamic-engine". + + The only requirements for building dynamic engines are the + presence of the DSO module and building with position independent + code, so they will also automatically be disabled if configuring + with "disable-dso" or "disable-pic". + + The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE + are also taken away from openssl/opensslconf.h, as they are + irrelevant. + [Richard Levitte] + + *) Configuration change; if there is a known flag to compile + position independent code, it will always be applied on the + libcrypto and libssl object files, and never on the application + object files. This means other libraries that use routines from + libcrypto / libssl can be made into shared libraries regardless + of how OpenSSL was configured. + + If this isn't desirable, the configuration options "disable-pic" + or "no-pic" can be used to disable the use of PIC. This will + also disable building shared libraries and dynamic engines. + [Richard Levitte] + + *) Removed JPAKE code. It was experimental and has no wide use. + [Rich Salz] + + *) The INSTALL_PREFIX Makefile variable has been renamed to + DESTDIR. That makes for less confusion on what this variable + is for. Also, the configuration option --install_prefix is + removed. + [Richard Levitte] + + *) Heartbeat for TLS has been removed and is disabled by default + for DTLS; configure with enable-heartbeats. Code that uses the + old #define's might need to be updated. + [Emilia Käsper, Rich Salz] + + *) Rename REF_CHECK to REF_DEBUG. + [Rich Salz] + + *) New "unified" build system + + The "unified" build system is aimed to be a common system for all + platforms we support. With it comes new support for VMS. + + This system builds supports building in a different directory tree + than the source tree. It produces one Makefile (for unix family + or lookalikes), or one descrip.mms (for VMS). + + The source of information to make the Makefile / descrip.mms is + small files called 'build.info', holding the necessary + information for each directory with source to compile, and a + template in Configurations, like unix-Makefile.tmpl or + descrip.mms.tmpl. + + We rely heavily on the perl module Text::Template. + [Richard Levitte] + + *) Added support for auto-initialisation and de-initialisation of the library. + OpenSSL no longer requires explicit init or deinit routines to be called, + except in certain circumstances. See the OPENSSL_init_crypto() and + OPENSSL_init_ssl() man pages for further information. + [Matt Caswell] + + *) The arguments to the DTLSv1_listen function have changed. Specifically the + "peer" argument is now expected to be a BIO_ADDR object. + + *) Rewrite of BIO networking library. The BIO library lacked consistent + support of IPv6, and adding it required some more extensive + modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types, + which hold all types of addresses and chains of address information. + It also introduces a new API, with functions like BIO_socket, + BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept. + The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram + have been adapted accordingly. + [Richard Levitte] + + *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without + the leading 0-byte. + [Emilia Käsper] + + *) CRIME protection: disable compression by default, even if OpenSSL is + compiled with zlib enabled. Applications can still enable compression + by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by + using the SSL_CONF library to configure compression. + [Emilia Käsper] + + *) The signature of the session callback configured with + SSL_CTX_sess_set_get_cb was changed. The read-only input buffer + was explicitly marked as 'const unsigned char*' instead of + 'unsigned char*'. + [Emilia Käsper] + + *) Always DPURIFY. Remove the use of uninitialized memory in the + RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op. + [Emilia Käsper] *) Removed many obsolete configuration items, including DES_PTR, DES_RISC1, DES_RISC2, DES_INT @@ -12,6 +247,9 @@ RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX [Rich Salz, with advice from Andy Polyakov] + *) Many BN internals have been moved to an internal header file. + [Rich Salz with help from Andy Polyakov] + *) Configuration and writing out the results from it has changed. Files such as Makefile include/openssl/opensslconf.h and are now produced through general templates, such as Makefile.in and @@ -201,7 +439,7 @@ [Rich Salz] *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp, - and sureware. + sureware and ubsec. [Matt Caswell, Rich Salz] *) New ASN.1 embed macro. @@ -720,6 +958,143 @@ whose return value is often ignored. [Steve Henson] + *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. + These allow SCTs (signed certificate timestamps) to be requested and + validated when establishing a connection. + [Rob Percival ] + + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] + + * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. + Builds that are not configured with "enable-weak-ssl-ciphers" will not + provide any "EXPORT" or "LOW" strength ciphers. + [Viktor Dukhovni] + + * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 + is by default disabled at build-time. Builds that are not configured with + "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, + users who want to negotiate SSLv2 via the version-flexible SSLv23_method() + will need to explicitly call either of: + + SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); + or + SSL_clear_options(ssl, SSL_OP_NO_SSLv2); + + as appropriate. Even if either of those is used, or the application + explicitly uses the version-specific SSLv2_method() or its client and + server variants, SSLv2 ciphers vulnerable to exhaustive search key + recovery have been removed. Specifically, the SSLv2 40-bit EXPORT + ciphers, and SSLv2 56-bit DES are no longer available. + (CVE-2016-0800) + [Viktor Dukhovni] + + *) Fix a double-free in DSA code + + A double free bug was discovered when OpenSSL parses malformed DSA private + keys and could lead to a DoS attack or memory corruption for applications + that receive DSA private keys from untrusted sources. This scenario is + considered rare. + + This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using + libFuzzer. + (CVE-2016-0705) + [Stephen Henson] + + *) Disable SRP fake user seed to address a server memory leak. + + Add a new method SRP_VBASE_get1_by_user that handles the seed properly. + + SRP_VBASE_get_by_user had inconsistent memory management behaviour. + In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user + was changed to ignore the "fake user" SRP seed, even if the seed + is configured. + + Users should use SRP_VBASE_get1_by_user instead. Note that in + SRP_VBASE_get1_by_user, caller must free the returned value. Note + also that even though configuring the SRP seed attempts to hide + invalid usernames by continuing the handshake with fake + credentials, this behaviour is not constant time and no strong + guarantees are made that the handshake is indistinguishable from + that of a valid user. + (CVE-2016-0798) + [Emilia Käsper] + + *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption + + In the BN_hex2bn function the number of hex digits is calculated using an + int value |i|. Later |bn_expand| is called with a value of |i * 4|. For + large values of |i| this can result in |bn_expand| not allocating any + memory because |i * 4| is negative. This can leave the internal BIGNUM data + field as NULL leading to a subsequent NULL ptr deref. For very large values + of |i|, the calculation |i * 4| could be a positive value smaller than |i|. + In this case memory is allocated to the internal BIGNUM data field, but it + is insufficiently sized leading to heap corruption. A similar issue exists + in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn + is ever called by user applications with very large untrusted hex/dec data. + This is anticipated to be a rare occurrence. + + All OpenSSL internal usage of these functions use data that is not expected + to be untrusted, e.g. config file data or application command line + arguments. If user developed applications generate config file data based + on untrusted data then it is possible that this could also lead to security + consequences. This is also anticipated to be rare. + + This issue was reported to OpenSSL by Guido Vranken. + (CVE-2016-0797) + [Matt Caswell] + + *) Fix memory issues in BIO_*printf functions + + The internal |fmtstr| function used in processing a "%s" format string in + the BIO_*printf functions could overflow while calculating the length of a + string and cause an OOB read when printing very long strings. + + Additionally the internal |doapr_outch| function can attempt to write to an + OOB memory location (at an offset from the NULL pointer) in the event of a + memory allocation failure. In 1.0.2 and below this could be caused where + the size of a buffer to be allocated is greater than INT_MAX. E.g. this + could be in processing a very long "%s" format string. Memory leaks can + also occur. + + The first issue may mask the second issue dependent on compiler behaviour. + These problems could enable attacks where large amounts of untrusted data + is passed to the BIO_*printf functions. If applications use these functions + in this way then they could be vulnerable. OpenSSL itself uses these + functions when printing out human-readable dumps of ASN.1 data. Therefore + applications that print this data could be vulnerable if the data is from + untrusted sources. OpenSSL command line applications could also be + vulnerable where they print out ASN.1 data, or if untrusted data is passed + as command line arguments. + + Libssl is not considered directly vulnerable. Additionally certificates etc + received via remote connections via libssl are also unlikely to be able to + trigger these issues because of message size limits enforced within libssl. + + This issue was reported to OpenSSL Guido Vranken. + (CVE-2016-0799) + [Matt Caswell] + + *) Side channel attack on modular exponentiation + + A side-channel attack was found which makes use of cache-bank conflicts on + the Intel Sandy-Bridge microarchitecture which could lead to the recovery + of RSA keys. The ability to exploit this issue is limited as it relies on + an attacker who has control of code in a thread running on the same + hyper-threaded core as the victim thread which is performing decryptions. + + This issue was reported to OpenSSL by Yuval Yarom, The University of + Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and + Nadia Heninger, University of Pennsylvania with more information at + http://cachebleed.info. + (CVE-2016-0702) + [Andy Polyakov] + + *) Change the req app to generate a 2048-bit RSA/DSA key by default, + if no keysize is specified with default_bits. This fixes an + omission in an earlier change that changed all RSA/DSA key generation + apps to use 2048 bits by default. + [Emilia Käsper] + Changes between 1.0.2e and 1.0.2f [28 Jan 2016] *) DH small subgroups @@ -2714,7 +3089,7 @@ *) New option -sigopt to dgst utility. Update dgst to use EVP_Digest{Sign,Verify}*. These two changes make it possible to use - alternative signing paramaters such as X9.31 or PSS in the dgst + alternative signing parameters such as X9.31 or PSS in the dgst utility. [Steve Henson] @@ -3921,7 +4296,7 @@ unofficial, and the ID has long expired. [Bodo Moeller] - *) Fix RSA blinding Heisenbug (problems sometimes occured on + *) Fix RSA blinding Heisenbug (problems sometimes occurred on dual-core machines) and other potential thread-safety issues. [Bodo Moeller] @@ -4936,7 +5311,7 @@ unofficial, and the ID has long expired. [Bodo Moeller] - *) Fix RSA blinding Heisenbug (problems sometimes occured on + *) Fix RSA blinding Heisenbug (problems sometimes occurred on dual-core machines) and other potential thread-safety issues. [Bodo Moeller] @@ -5041,7 +5416,7 @@ *) Added support for proxy certificates according to RFC 3820. Because they may be a security thread to unaware applications, - they must be explicitely allowed in run-time. See + they must be explicitly allowed in run-time. See docs/HOWTO/proxy_certificates.txt for further information. [Richard Levitte] @@ -7618,7 +7993,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't reveal whether illegal block cipher padding was found or a MAC - verification error occured. (Neither SSLerr() codes nor alerts + verification error occurred. (Neither SSLerr() codes nor alerts are directly visible to potential attackers, but the information may leak via logfiles.) @@ -10025,7 +10400,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Bugfix: ssl23_get_client_hello did not work properly when called in state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, - but a retry condition occured while trying to read the rest. + but a retry condition occurred while trying to read the rest. [Bodo Moeller] *) The PKCS7_ENC_CONTENT_new() function was setting the content type as