X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=c2a23d1082e5b3248f52d590293a8ede8b1a80c4;hp=45d7596ac18088cd53a271a6a95c168b95db7ae0;hb=2102c53caa616353cdf2c507f9216bf865932816;hpb=038bec784e528ce273169f178c35991fbc3bea92 diff --git a/CHANGES b/CHANGES index 45d7596ac1..c2a23d1082 100644 --- a/CHANGES +++ b/CHANGES @@ -2,39 +2,60 @@ OpenSSL CHANGES _______________ - Changes between 1.0.1f and 1.0.2 [xx XXX xxxx] + Changes between 1.0.1h and 1.0.2 [xx XXX xxxx] - *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): - this fixes a limiation in previous versions of OpenSSL. - [Steve Henson] + *) Add support for the SignedCertificateTimestampList certificate and + OCSP response extensions from RFC6962. + [Rob Stradling] - *) TLS pad extension: draft-agl-tls-padding-02 + *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) + for corner cases. (Certain input points at infinity could lead to + bogus results, with non-infinity inputs mapped to infinity too.) + [Bodo Moeller] - Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the - TLS client Hello record length value would otherwise be > 255 and - less that 512 pad with a dummy extension containing zeroes so it - is at least 512 bytes long. + *) Initial support for PowerISA 2.0.7, first implemented in POWER8. + This covers AES, SHA256/512 and GHASH. "Initial" means that most + common cases are optimized and there still is room for further + improvements. Vector Permutation AES for Altivec is also added. + [Andy Polyakov] - To enable it use an unused extension number (for example chrome uses - 35655) using: + *) Add support for little-endian ppc64 Linux target. + [Marcelo Cerri (IBM)] - e.g. -DTLSEXT_TYPE_padding=35655 + *) Initial support for AMRv8 ISA crypto extensions. This covers AES, + SHA1, SHA256 and GHASH. "Initial" means that most common cases + are optimized and there still is room for further improvements. + Both 32- and 64-bit modes are supported. + [Andy Polyakov, Ard Biesheuvel (Linaro)] - Since the extension is ignored the actual number doesn't matter as long - as it doesn't clash with any existing extension. + *) Improved ARMv7 NEON support. + [Andy Polyakov] - This will be updated when the extension gets an official number. + *) Support for SPARC Architecture 2011 crypto extensions, first + implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, + SHA256/512, MD5, GHASH and modular exponentiation. + [Andy Polyakov, David Miller] - [Adam Langley, Steve Henson] + *) Accelerated modular exponentiation for Intel processors, a.k.a. + RSAZ. + [Shay Gueron (Intel Corp)] + + *) Support for new and upcoming Intel processors, including AVX2, + BMI and SHA ISA extensions. This includes additional "stitched" + implementations, AESNI-SHA256 and GCM, and multi-buffer support + for TLS encrypt. + + This work was sponsored by Intel Corp. + [Andy Polyakov] + + *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): + this fixes a limiation in previous versions of OpenSSL. + [Steve Henson] *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, MGF1 digest and OAEP label. [Steve Henson] - *) Add callbacks supporting generation and retrieval of supplemental - data entries. - [Scott Deboy , Trevor Perrin and Ben Laurie] - *) Add EVP support for key wrapping algorithms, to avoid problems with existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap @@ -45,14 +66,6 @@ structure. [Douglas E. Engert, Steve Henson] - *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which - avoids preferring ECDHE-ECDSA ciphers when the client appears to be - Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for - several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug - is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing - 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. - [Rob Stradling, Adam Langley] - *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the difference in days and seconds between two tm or ASN1_TIME structures. [Steve Henson] @@ -241,9 +254,6 @@ *) Support for linux-x32, ILP32 environment in x86_64 framework. [Andy Polyakov] - *) RFC 5878 (TLS Authorization Extensions) support. - [Emilia Kasper, Adam Langley, Ben Laurie (Google)] - *) Experimental multi-implementation support for FIPS capable OpenSSL. When in FIPS mode the approved implementations are used as normal, when not in FIPS mode the internal unapproved versions are used instead. @@ -299,6 +309,79 @@ certificates. [Steve Henson] + Changes between 1.0.1g and 1.0.1h [5 Jun 2014] + + *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. + + Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and + researching this issue. (CVE-2014-0224) + [KIKUCHI Masashi, Steve Henson] + + *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an + OpenSSL DTLS client the code can be made to recurse eventually crashing + in a DoS attack. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + (CVE-2014-0221) + [Imre Rad, Steve Henson] + + *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can + be triggered by sending invalid DTLS fragments to an OpenSSL DTLS + client or server. This is potentially exploitable to run arbitrary + code on a vulnerable client or server. + + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] + + *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites + are subject to a denial of service attack. + + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + this issue. (CVE-2014-3470) + [Felix Gröbert, Ivan Fratric, Steve Henson] + + *) Harmonize version and its documentation. -f flag is used to display + compilation flags. + [mancha ] + + *) Fix eckey_priv_encode so it immediately returns an error upon a failure + in i2d_ECPrivateKey. + [mancha ] + + *) Fix some double frees. These are not thought to be exploitable. + [mancha ] + + Changes between 1.0.1f and 1.0.1g [7 Apr 2014] + + *) A missing bounds check in the handling of the TLS heartbeat extension + can be used to reveal up to 64k of memory to a connected client or + server. + + Thanks for Neel Mehta of Google Security for discovering this bug and to + Adam Langley and Bodo Moeller for + preparing the fix (CVE-2014-0160) + [Adam Langley, Bodo Moeller] + + *) Fix for the attack described in the paper "Recovering OpenSSL + ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" + by Yuval Yarom and Naomi Benger. Details can be obtained from: + http://eprint.iacr.org/2014/140 + + Thanks to Yuval Yarom and Naomi Benger for discovering this + flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) + [Yuval Yarom and Naomi Benger] + + *) TLS pad extension: draft-agl-tls-padding-03 + + Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the + TLS client Hello record length value would otherwise be > 255 and + less that 512 pad with a dummy extension containing zeroes so it + is at least 512 bytes long. + + [Adam Langley, Steve Henson] + Changes between 1.0.1e and 1.0.1f [6 Jan 2014] *) Fix for TLS record tampering bug. A carefully crafted invalid