-
OpenSSL CHANGES
===============
[log]: https://github.com/openssl/openssl/commits/
-### Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] ###
+OpenSSL Releases
+----------------
+
+ - [OpenSSL 3.0](#openssl-30)
+ - [OpenSSL 1.1.1](#openssl-111)
+ - [OpenSSL 1.1.0](#openssl-110)
+ - [OpenSSL 1.0.2](#openssl-102)
+ - [OpenSSL 1.0.1](#openssl-101)
+ - [OpenSSL 1.0.0](#openssl-100)
+ - [OpenSSL 0.9.x](#openssl-09x)
+
+OpenSSL 3.0
+-----------
+
+### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+
+ * Removed FIPS_mode() and FIPS_mode_set(). These functions are legacy API's
+ that are not applicable to the new provider model. Applications should
+ instead use EVP_default_properties_is_fips_enabled() and
+ EVP_default_properties_enable_fips().
+
+ *Shane Lontis*
+
+ * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
+ EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely
+ used and applications should instead use the
+ L<EC_POINT_set_affine_coordinates(3)> and
+ L<EC_POINT_get_affine_coordinates(3)> functions.
+
+ *Billy Bob Brumley*
+
+ * Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM
+ arrays to be more easily constructed via a series of utility functions.
+ Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
+ the various push functions and finally convert to a passable OSSL_PARAM
+ array using OSSL_PARAM_BLD_to_param().
+
+ *Paul Dale*
+
+ * EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
+ EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
+ internal keys, if they correspond to one of those built in types.
+
+ *Richard Levitte*
+
+ * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
+ contain a provider side internal key.
+
+ *Richard Levitte*
+
+ * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
+ They are old functions that we don't use, and that you could disable with
+ the macro NO_ASN1_OLD. This goes all the way back to OpenSSL 0.9.7.
+
+ *Richard Levitte*
+
+ * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
+ have been converted to Markdown with the goal to produce documents
+ which not only look pretty when viewed online in the browser, but
+ remain well readable inside a plain text editor.
+
+ To achieve this goal, a 'minimalistic' Markdown style has been applied
+ which avoids formatting elements that interfere too much with the
+ reading flow in the text file. For example, it
+
+ * avoids [ATX headings][] and uses [setext headings][] instead
+ (which works for `<h1>` and `<h2>` headings only).
+ * avoids [inline links][] and uses [reference links][] instead.
+ * avoids [fenced code blocks][] and uses [indented code blocks][] instead.
+
+ [ATX headings]: https://github.github.com/gfm/#atx-headings
+ [setext headings]: https://github.github.com/gfm/#setext-headings
+ [inline links]: https://github.github.com/gfm/#inline-link
+ [reference links]: https://github.github.com/gfm/#reference-link
+ [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
+ [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
+
+ *Matthias St. Pierre*
+
+ * The test suite is changed to preserve results of each test recipe.
+ A new directory test-runs/ with subdirectories named like the
+ test recipes are created in the build tree for this purpose.
+
+ *Richard Levitte*
+
+ * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
+ This adds crypto/cmp/, crpyto/crmf/, apps/cmp.c, and test/cmp_*.
+ See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
+
+ *David von Oheimb, Martin Peylo*
+
+ * Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/.
+ The legacy OCSP-focused and only partly documented API is retained.
+ See L<OSSL_CMP_MSG_http_perform(3)> etc. for details.
+
+ *David von Oheimb*
+
+ * All of the low level RSA functions have been deprecated including:
+
+ RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
+ RSA_get_version, RSA_get0_engine, RSA_generate_key_ex,
+ RSA_generate_multi_prime_key, RSA_X931_derive_ex, RSA_X931_generate_key_ex,
+ RSA_check_key, RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt,
+ RSA_public_decrypt, RSA_private_decrypt, RSA_set_default_method,
+ RSA_get_default_method, RSA_null_method, RSA_get_method, RSA_set_method,
+ RSA_PKCS1_OpenSSL, RSA_print_fp, RSA_print, RSA_sign, RSA_verify,
+ RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING, RSA_blinding_on,
+ RSA_blinding_off, RSA_setup_blinding, RSA_padding_add_PKCS1_type_1,
+ RSA_padding_check_PKCS1_type_1, RSA_padding_add_PKCS1_type_2,
+ RSA_padding_check_PKCS1_type_2, PKCS1_MGF1, RSA_padding_add_PKCS1_OAEP,
+ RSA_padding_check_PKCS1_OAEP, RSA_padding_add_PKCS1_OAEP_mgf1,
+ RSA_padding_check_PKCS1_OAEP_mgf1, RSA_padding_add_SSLv23,
+ RSA_padding_check_SSLv23, RSA_padding_add_none, RSA_padding_check_none,
+ RSA_padding_add_X931, RSA_padding_check_X931, RSA_X931_hash_id,
+ RSA_verify_PKCS1_PSS, RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS_mgf1,
+ RSA_padding_add_PKCS1_PSS_mgf1, RSA_set_ex_data, RSA_get_ex_data,
+ RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name,
+ RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags,
+ RSA_meth_get0_app_data, RSA_meth_set0_app_data, RSA_meth_get_pub_enc,
+ RSA_meth_set_pub_enc, RSA_meth_get_pub_dec, RSA_meth_set_pub_dec,
+ RSA_meth_get_priv_enc, RSA_meth_set_priv_enc, RSA_meth_get_priv_dec,
+ RSA_meth_set_priv_dec, RSA_meth_get_mod_exp, RSA_meth_set_mod_exp,
+ RSA_meth_get_bn_mod_exp, RSA_meth_set_bn_mod_exp, RSA_meth_get_init,
+ RSA_meth_set_init, RSA_meth_get_finish, RSA_meth_set_finish,
+ RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify,
+ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen,
+ RSA_meth_get_multi_prime_keygen and RSA_meth_set_multi_prime_keygen.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_PKEY_encrypt_init(3)>,
+ L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and
+ L<EVP_PKEY_decrypt(3)>.
+
+ *Paul Dale*
+
+ * X509 certificates signed using SHA1 are no longer allowed at security
+ level 1 and above.
+ In TLS/SSL the default security level is 1. It can be set either
+ using the cipher string with @SECLEVEL, or calling
+ SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
+ a call to SSL_CTX_use_certificate() will fail if the security level is not
+ lowered first.
+ Outside TLS/SSL, the default security level is -1 (effectively 0). It can
+ be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
+ options of the apps.
+
+ *Kurt Roeckx*
+
+ * The command line utilities dhparam, dsa, gendsa and dsaparam have been
+ modified to use PKEY APIs. These commands are now in maintenance mode
+ and no new features will be added to them.
+
+ *Paul Dale*
+
+ * The command line utility rsautl has been deprecated.
+ Instead use the pkeyutl program.
+
+ *Paul Dale*
+
+ * The command line utilities genrsa and rsa have been modified to use PKEY
+ APIs These commands are now in maintenance mode and no new features will
+ be added to them.
+
+ *Paul Dale*
+
+ * All of the low level DH functions have been deprecated including:
+
+ DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
+ DH_new_method, DH_size, DH_security_bits, DH_get_ex_new_index,
+ DH_set_ex_data, DH_get_ex_data, DH_generate_parameters_ex,
+ DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex,
+ DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key,
+ DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid,
+ DH_KDF_X9_42, DH_get0_engine, DH_meth_new, DH_meth_free, DH_meth_dup,
+ DH_meth_get0_name, DH_meth_set1_name, DH_meth_get_flags, DH_meth_set_flags,
+ DH_meth_get0_app_data, DH_meth_set0_app_data, DH_meth_get_generate_key,
+ DH_meth_set_generate_key, DH_meth_get_compute_key, DH_meth_set_compute_key,
+ DH_meth_get_bn_mod_exp, DH_meth_set_bn_mod_exp, DH_meth_get_init,
+ DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish,
+ DH_meth_get_generate_params and DH_meth_set_generate_params.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_PKEY_derive_init(3)>
+ and L<EVP_PKEY_derive(3)>.
+
+ *Paul Dale*
+
+ * All of the low level DSA functions have been deprecated including:
+
+ DSA_do_sign, DSA_do_verify, DSA_OpenSSL, DSA_set_default_method,
+ DSA_get_default_method, DSA_set_method, DSA_get_method,
+ DSA_new_method, DSA_size, DSA_security_bits, DSA_sign_setup, DSA_sign,
+ DSA_verify, DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data,
+ DSA_generate_parameters_ex, DSA_generate_key, DSA_meth_new, DSA_get0_engine,
+ DSA_meth_free, DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name,
+ DSA_meth_get_flags, DSA_meth_set_flags, DSA_meth_get0_app_data,
+ DSA_meth_set0_app_data, DSA_meth_get_sign, DSA_meth_set_sign,
+ DSA_meth_get_sign_setup, DSA_meth_set_sign_setup, DSA_meth_get_verify,
+ DSA_meth_set_verify, DSA_meth_get_mod_exp, DSA_meth_set_mod_exp,
+ DSA_meth_get_bn_mod_exp, DSA_meth_set_bn_mod_exp, DSA_meth_get_init,
+ DSA_meth_set_init, DSA_meth_get_finish, DSA_meth_set_finish,
+ DSA_meth_get_paramgen, DSA_meth_set_paramgen, DSA_meth_get_keygen and
+ DSA_meth_set_keygen.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_DigestSignInit_ex(3)>,
+ L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
+
+ *Paul Dale*
+
+ * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
+ automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
+ This means that applications don't have to look at the curve NID and
+ `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
+ However, they still can, that EVP_PKEY_set_alias_type() call acts as
+ a no-op when the EVP_PKEY is already of the given type.
+
+ Parameter and key generation is also reworked to make it possible
+ to generate EVP_PKEY_SM2 parameters and keys without having to go
+ through EVP_PKEY_EC generation and then change the EVP_PKEY type.
+ However, code that does the latter will still work as before.
+
+ *Richard Levitte*
+
+ * Deprecated low level ECDH and ECDSA functions. These include:
+
+ ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify,
+ ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and
+ ECDSA_size.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use the EVP_PKEY_derive(3),
+ EVP_DigestSign(3) and EVP_DigestVerify(3) functions.
+
+ *Paul Dale*
+
+ * Deprecated the EC_KEY_METHOD functions. These include:
+
+ EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init,
+ EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
+ EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
+ EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
+ EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and
+ EC_KEY_METHOD_get_verify.
+
+ Instead applications and extension writers should use the OSSL_PROVIDER APIs.
+
+ *Paul Dale*
+
+ * Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
+ and EVP_PKEY_decrypt() instead.
+ Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()
+ and EVP_PKEY_encrypt() instead.
+
+ *Richard Levitte*
+
+ * Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
+ and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed
+ a new formulation to include all the things it can be used for,
+ as well as words of caution.
+
+ *Richard Levitte*
+
+ * The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
+ Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function.
+
+ *Paul Dale*
+
+ * All of the low level HMAC functions have been deprecated including:
+
+ HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free,
+ HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
+ and HMAC_CTX_get_md.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
+ L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ and L<EVP_MAC_final(3)>.
+
+ *Paul Dale*
+
+ * Over two thousand fixes were made to the documentation, including:
+ - Common options (such as -rand/-writerand, TLS version control, etc)
+ were refactored and point to newly-enhanced descriptions in openssl.pod.
+ - Added style conformance for all options (with help from Richard Levitte),
+ documented all reported missing options, added a CI build to check
+ that all options are documented and that no unimplemented options
+ are documented.
+ - Documented some internals, such as all use of environment variables.
+ - Addressed all internal broken L<> references.
+
+ *Rich Salz*
+
+ * All of the low level CMAC functions have been deprecated including:
+
+ CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
+ CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
+ L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ and L<EVP_MAC_final(3)>.
+
+ *Paul Dale*
+
+ * All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
+ SHA384, SHA512 and Whirlpool digest functions have been deprecated.
+ These include:
+
+ MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
+ MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
+ MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
+ RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
+ RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform,
+ SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init,
+ SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init,
+ SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
+ SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init,
+ WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final.
+
+ Use of these low level functions has been informally discouraged
+ for a long time. Applications should use the EVP_DigestInit_ex(3),
+ EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead.
+
+ *Paul Dale*
+
+ * Corrected the documentation of the return values from the `EVP_DigestSign*`
+ set of functions. The documentation mentioned negative values for some
+ errors, but this was never the case, so the mention of negative values
+ was removed.
+
+ Code that followed the documentation and thereby check with something
+ like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.
+
+ *Richard Levitte*
+
+ * All of the low level cipher functions have been deprecated including:
+
+ AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
+ AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
+ AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
+ AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
+ BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
+ BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
+ Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
+ Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
+ Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
+ CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
+ CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
+ DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
+ DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
+ DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
+ DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
+ DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
+ DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
+ DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
+ DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
+ DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
+ DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
+ IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
+ IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
+ RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
+ RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
+ RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
+ RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
+ SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
+ SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
+
+ Use of these low level functions has been informally discouraged for
+ a long time. Applications should use the high level EVP APIs, e.g.
+ EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
+ equivalently named decrypt functions instead.
+
+ *Matt Caswell and Paul Dale*
* Removed include/openssl/opensslconf.h.in and replaced it with
include/openssl/configuration.h.in, which differs in not including
<openssl/macros.h>. A short header include/openssl/opensslconf.h
was added to include both.
-
+
This allows internal hacks where one might need to modify the set
of configured macros, for example this if deprecated symbols are
still supposed to be available internally:
-
+
#include <openssl/configuration.h>
-
+
#undef OPENSSL_NO_DEPRECATED
#define OPENSSL_SUPPRESS_DEPRECATED
-
+
#include <openssl/macros.h>
-
+
This should not be used by applications that use the exported
symbols, as that will lead to linking errors.
+
*Richard Levitte*
-* Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
- used in exponentiation with 512-bit moduli. No EC algorithms are
- affected. Analysis suggests that attacks against 2-prime RSA1024,
- 3-prime RSA1536, and DSA1024 as a result of this defect would be very
- difficult to perform and are not believed likely. Attacks against DH512
- are considered just feasible. However, for an attack the target would
- have to re-use the DH512 private key, which is not recommended anyway.
- Also applications directly using the low level API BN_mod_exp may be
- affected if they use BN_FLG_CONSTTIME.
- (CVE-2019-1551)
- *Andy Polyakov*
+ * Fixed an overflow bug in the x64_64 Montgomery squaring procedure
+ used in exponentiation with 512-bit moduli. No EC algorithms are
+ affected. Analysis suggests that attacks against 2-prime RSA1024,
+ 3-prime RSA1536, and DSA1024 as a result of this defect would be very
+ difficult to perform and are not believed likely. Attacks against DH512
+ are considered just feasible. However, for an attack the target would
+ have to re-use the DH512 private key, which is not recommended anyway.
+ Also applications directly using the low level API BN_mod_exp may be
+ affected if they use BN_FLG_CONSTTIME.
+ [CVE-2019-1551][]
+
+ *Andy Polyakov*
+
+ * Most memory-debug features have been deprecated, and the functionality
+ replaced with no-ops.
+
+ *Rich Salz*
-* Most memory-debug features have been deprecated, and the functionality
- replaced with no-ops.
- *Rich Salz*
+ * Added documentation for the STACK API. OpenSSL only defines the STACK
+ functions where they are used.
-* Most common options (such as -rand/-writerand, TLS version control, etc)
- were refactored and point to newly-enhanced descriptions in openssl.pod
- *Rich Salz*
+ *Rich Salz*
-* Introduced a new method type and API, OSSL_SERIALIZER, to
+ * Introduced a new method type and API, OSSL_SERIALIZER, to
represent generic serializers. An implementation is expected to
be able to serialize an object associated with a given name (such
as an algorithm name for an asymmetric key) into forms given by
$ mms /macro=(VF=1) test ! OpenVMS
$ nmake VF=1 test # Windows
-
*Richard Levitte*
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
- (CVE-2019-1547)
+ [CVE-2019-1547][]
*Billy Bob Brumley*
when primes for RSA keys are computed.
Since we previously always generated primes == 2 (mod 3) for RSA keys,
the 2-prime and 3-prime RSA modules were easy to distinguish, since
- N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
+ `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore fingerprinting
2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
This avoids possible fingerprinting of newly generated RSA modules.
*Paul Dale*
- * {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been
+ * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
deprecated.
*Rich Salz*
*Paul Dale*
* Added newline escaping functionality to a filename when using openssl dgst.
- This output format is to replicate the output format found in the '*sum'
+ This output format is to replicate the output format found in the `*sum`
checksum programs. This aims to preserve backward compatibility.
*Matt Eaton, Richard Levitte, and Paul Dale*
the attacked described in "Efficient Instantiations of Tweakable
Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
Details of this attack can be obtained from:
- http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+ <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf>
*Paul Dale*
*Boris Pismenny*
-### Changes between 1.1.1a and 1.1.1b [xx XXX xxxx] ###
+OpenSSL 1.1.1
+-------------
- * Change the info callback signals for the start and end of a post-handshake
- message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
- and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
- confused by this and assume that a TLSv1.2 renegotiation has started. This
- can break KeyUpdate handling. Instead we no longer signal the start and end
- of a post handshake message exchange (although the messages themselves are
- still signalled). This could break some applications that were expecting
- the old signals. However without this KeyUpdate is not usable for many
- applications.
+### Changes between 1.1.1e and 1.1.1f [xx XXX xxxx]
+
+### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
+
+ * Properly detect EOF while reading in libssl. Previously if we hit an EOF
+ while reading in libssl then we would report an error back to the
+ application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
+ an error to the stack (which means we instead return SSL_ERROR_SSL) and
+ therefore give a hint as to what went wrong.
*Matt Caswell*
-### Changes between 1.1.1 and 1.1.1a [20 Nov 2018] ###
+ * Check that ed25519 and ed448 are allowed by the security level. Previously
+ signature algorithms not using an MD were not being checked that they were
+ allowed by the security level.
- * Timing vulnerability in DSA signature generation
+ *Kurt Roeckx*
- The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
- timing side channel attack. An attacker could use variations in the signing
- algorithm to recover the private key.
+ * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
+ was not quite right. The behaviour was not consistent between resumption
+ and normal handshakes, and also not quite consistent with historical
+ behaviour. The behaviour in various scenarios has been clarified and
+ it has been updated to make it match historical behaviour as closely as
+ possible.
- This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
- (CVE-2018-0734)
+ *Matt Caswell*
- *Paul Dale*
+ * *[VMS only]* The header files that the VMS compilers include automatically,
+ `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas
+ that the C++ compiler doesn't understand. This is a shortcoming in the
+ compiler, but can be worked around with `__cplusplus` guards.
- * Timing vulnerability in ECDSA signature generation
+ C++ applications that use OpenSSL libraries must be compiled using the
+ qualifier `/NAMES=(AS_IS,SHORTENED)` to be able to use all the OpenSSL
+ functions. Otherwise, only functions with symbols of less than 31
+ characters can be used, as the linker will not be able to successfully
+ resolve symbols with longer names.
- The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
- timing side channel attack. An attacker could use variations in the signing
- algorithm to recover the private key.
+ *Richard Levitte*
- This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
- (CVE-2018-0735)
+ * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
+ The presence of this system service is determined at run-time.
- *Paul Dale*
+ *Richard Levitte*
- * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
- if its length exceeds 4096 bytes. The limit has been raised to a buffer size
- of two gigabytes and the error handling improved.
+ * Added newline escaping functionality to a filename when using openssl dgst.
+ This output format is to replicate the output format found in the `*sum`
+ checksum programs. This aims to preserve backward compatibility.
- This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
- categorized as a normal bug, not a security issue, because the DRBG reseeds
- automatically and is fully functional even without additional randomness
- provided by the application.
+ *Matt Eaton, Richard Levitte, and Paul Dale*
-### Changes between 1.1.0i and 1.1.1 [11 Sep 2018] ###
+ * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
+ the first value.
- * Add a new ClientHello callback. Provides a callback interface that gives
- the application the ability to adjust the nascent SSL object at the
- earliest stage of ClientHello processing, immediately after extensions have
- been collected but before they have been processed. In particular, this
- callback can adjust the supported TLS versions in response to the contents
- of the ClientHello
+ *Jon Spillett*
- *Benjamin Kaduk*
+### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
- * Add SM2 base algorithm support.
+ * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
+ number generator (RNG). This was intended to include protection in the
+ event of a fork() system call in order to ensure that the parent and child
+ processes did not share the same RNG state. However this protection was not
+ being used in the default case.
- *Jack Lloyd*
+ A partial mitigation for this issue is that the output from a high
+ precision timer is mixed into the RNG state so the likelihood of a parent
+ and child process sharing state is significantly reduced.
- * s390x assembly pack: add (improved) hardware-support for the following
- cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
- aes-cfb/cfb8, aes-ecb.
+ If an application already calls OPENSSL_init_crypto() explicitly using
+ OPENSSL_INIT_ATFORK then this problem does not occur at all.
+ [CVE-2019-1549][]
- *Patrick Steuer*
+ *Matthias St. Pierre*
- * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
- parameter is no longer accepted, as it leads to a corrupt table. NULL
- pem_str is reserved for alias entries only.
+ * For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
- *Richard Levitte*
+ *Nicola Tuveri*
- * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
- step for prime curves. The new implementation is based on formulae from
- differential addition-and-doubling in homogeneous projective coordinates
- from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
- against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
- and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
- to work in projective coordinates.
+ * Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ [CVE-2019-1547][]
- *Billy Bob Brumley, Nicola Tuveri*
+ *Billy Bob Brumley*
- * Change generating and checking of primes so that the error rate of not
- being prime depends on the intended use based on the size of the input.
- For larger primes this will result in more rounds of Miller-Rabin.
- The maximal error rate for primes with more than 1080 bits is lowered
- to 2^-128.
+ * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [CVE-2019-1563][]
- *Kurt Roeckx, Annie Yousar*
+ *Bernd Edlinger*
- * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ * Early start up entropy quality from the DEVRANDOM seed source has been
+ improved for older Linux systems. The RAND subsystem will wait for
+ /dev/random to be producing output before seeding from /dev/urandom.
+ The seeded state is stored for future library initialisations using
+ a system global shared memory segment. The shared memory identifier
+ can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
+ the desired value. The default identifier is 114.
- *Kurt Roeckx*
+ *Paul Dale*
- * The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
- moving between systems, and to avoid confusion when a Windows build is
- done with mingw vs with MSVC. For POSIX installs, there's still a
- symlink or copy named 'tsget' to avoid that confusion as well.
+ * Correct the extended master secret constant on EBCDIC systems. Without this
+ fix TLS connections between an EBCDIC system and a non-EBCDIC system that
+ negotiate EMS will fail. Unfortunately this also means that TLS connections
+ between EBCDIC systems with this fix, and EBCDIC systems without this
+ fix will fail if they negotiate EMS.
+
+ *Matt Caswell*
+
+ * Use Windows installation paths in the mingw builds
+
+ Mingw isn't a POSIX environment per se, which means that Windows
+ paths should be used for installation.
+ [CVE-2019-1552][]
*Richard Levitte*
- * Revert blinding in ECDSA sign and instead make problematic addition
- length-invariant. Switch even to fixed-length Montgomery multiplication.
+ * Changed DH_check to accept parameters with order q and 2q subgroups.
+ With order 2q subgroups the bit 0 of the private key is not secret
+ but DH_generate_key works around that by clearing bit 0 of the
+ private key for those. This avoids leaking bit 0 of the private key.
- *Andy Polyakov*
+ *Bernd Edlinger*
- * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
- step for binary curves. The new implementation is based on formulae from
- differential addition-and-doubling in mixed Lopez-Dahab projective
- coordinates, modified to independently blind the operands.
+ * Significantly reduce secure memory usage by the randomness pools.
- *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
+ *Paul Dale*
- * Add a scaffold to optionally enhance the Montgomery ladder implementation
- for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
- EC_METHODs to implement their own specialized "ladder step", to take
- advantage of more favorable coordinate systems or more efficient
- differential addition-and-doubling algorithms.
+ * Revert the DEVRANDOM_WAIT feature for Linux systems
- *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
+ The DEVRANDOM_WAIT feature added a select() call to wait for the
+ /dev/random device to become readable before reading from the
+ /dev/urandom device.
- * Modified the random device based seed sources to keep the relevant
- file descriptors open rather than reopening them on each access.
+ It turned out that this change had negative side effects on
+ performance which were not acceptable. After some discussion it
+ was decided to revert this feature and leave it up to the OS
+ resp. the platform maintainer to ensure a proper initialization
+ during early boot time.
+
+ *Matthias St. Pierre*
+
+### Changes between 1.1.1b and 1.1.1c [28 May 2019]
+
+ * Add build tests for C++. These are generated files that only do one
+ thing, to include one public OpenSSL head file each. This tests that
+ the public header files can be usefully included in a C++ application.
+
+ This test isn't enabled by default. It can be enabled with the option
+ 'enable-buildtest-c++'.
+
+ *Richard Levitte*
+
+ * Enable SHA3 pre-hashing for ECDSA and DSA.
+
+ *Patrick Steuer*
+
+ * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+
+ *Kurt Roeckx*
+
+ * Reorganize the manual pages to consistently have RETURN VALUES,
+ EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
+ util/fix-doc-nits accordingly.
+
+ *Paul Yang, Joshua Lock*
+
+ * Add the missing accessor EVP_PKEY_get0_engine()
+
+ *Matt Caswell*
+
+ * Have apps like 's_client' and 's_server' output the signature scheme
+ along with other cipher suite parameters when debugging.
+
+ *Lorinczy Zsigmond*
+
+ * Make OPENSSL_config() error agnostic again.
+
+ *Richard Levitte*
+
+ * Do the error handling in RSA decryption constant time.
+
+ *Bernd Edlinger*
+
+ * Prevent over long nonces in ChaCha20-Poly1305.
+
+ ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
+ for every encryption operation. RFC 7539 specifies that the nonce value
+ (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
+ and front pads the nonce with 0 bytes if it is less than 12
+ bytes. However it also incorrectly allows a nonce to be set of up to 16
+ bytes. In this case only the last 12 bytes are significant and any
+ additional leading bytes are ignored.
+
+ It is a requirement of using this cipher that nonce values are
+ unique. Messages encrypted using a reused nonce value are susceptible to
+ serious confidentiality and integrity attacks. If an application changes
+ the default nonce length to be longer than 12 bytes and then makes a
+ change to the leading bytes of the nonce expecting the new value to be a
+ new unique nonce then such an application could inadvertently encrypt
+ messages with a reused nonce.
+
+ Additionally the ignored bytes in a long nonce are not covered by the
+ integrity guarantee of this cipher. Any application that relies on the
+ integrity of these ignored leading bytes of a long nonce may be further
+ affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
+ is safe because no such use sets such a long nonce value. However user
+ applications that use this cipher directly and set a non-default nonce
+ length to be longer than 12 bytes may be vulnerable.
+
+ This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
+ Greef of Ronomon.
+ [CVE-2019-1543][]
+
+ *Matt Caswell*
+
+ * Add DEVRANDOM_WAIT feature for Linux systems
+
+ On older Linux systems where the getrandom() system call is not available,
+ OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
+ Contrary to getrandom(), the /dev/urandom device will not block during
+ early boot when the kernel CSPRNG has not been seeded yet.
+
+ To mitigate this known weakness, use select() to wait for /dev/random to
+ become readable before reading from /dev/urandom.
+
+ * Ensure that SM2 only uses SM3 as digest algorithm
+
+ *Paul Yang*
+
+### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
+
+ * Change the info callback signals for the start and end of a post-handshake
+ message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
+ and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
+ confused by this and assume that a TLSv1.2 renegotiation has started. This
+ can break KeyUpdate handling. Instead we no longer signal the start and end
+ of a post handshake message exchange (although the messages themselves are
+ still signalled). This could break some applications that were expecting
+ the old signals. However without this KeyUpdate is not usable for many
+ applications.
+
+ *Matt Caswell*
+
+### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
+
+ * Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ [CVE-2018-0734][]
+
+ *Paul Dale*
+
+ * Timing vulnerability in ECDSA signature generation
+
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+ [CVE-2018-0735][]
+
+ *Paul Dale*
+
+ * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
+ if its length exceeds 4096 bytes. The limit has been raised to a buffer size
+ of two gigabytes and the error handling improved.
+
+ This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
+ categorized as a normal bug, not a security issue, because the DRBG reseeds
+ automatically and is fully functional even without additional randomness
+ provided by the application.
+
+### Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
+
+ * Add a new ClientHello callback. Provides a callback interface that gives
+ the application the ability to adjust the nascent SSL object at the
+ earliest stage of ClientHello processing, immediately after extensions have
+ been collected but before they have been processed. In particular, this
+ callback can adjust the supported TLS versions in response to the contents
+ of the ClientHello
+
+ *Benjamin Kaduk*
+
+ * Add SM2 base algorithm support.
+
+ *Jack Lloyd*
+
+ * s390x assembly pack: add (improved) hardware-support for the following
+ cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
+ aes-cfb/cfb8, aes-ecb.
+
+ *Patrick Steuer*
+
+ * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+
+ *Richard Levitte*
+
+ * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for prime curves. The new implementation is based on formulae from
+ differential addition-and-doubling in homogeneous projective coordinates
+ from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
+ against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
+ and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
+ to work in projective coordinates.
+
+ *Billy Bob Brumley, Nicola Tuveri*
+
+ * Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+
+ *Kurt Roeckx, Annie Yousar*
+
+ * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+
+ *Kurt Roeckx*
+
+ * The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
+ moving between systems, and to avoid confusion when a Windows build is
+ done with mingw vs with MSVC. For POSIX installs, there's still a
+ symlink or copy named 'tsget' to avoid that confusion as well.
+
+ *Richard Levitte*
+
+ * Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+
+ *Andy Polyakov*
+
+ * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for binary curves. The new implementation is based on formulae from
+ differential addition-and-doubling in mixed Lopez-Dahab projective
+ coordinates, modified to independently blind the operands.
+
+ *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
+
+ * Add a scaffold to optionally enhance the Montgomery ladder implementation
+ for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
+ EC_METHODs to implement their own specialized "ladder step", to take
+ advantage of more favorable coordinate systems or more efficient
+ differential addition-and-doubling algorithms.
+
+ *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
+
+ * Modified the random device based seed sources to keep the relevant
+ file descriptors open rather than reopening them on each access.
This allows such sources to operate in a chroot() jail without
the associated device nodes being available. This behaviour can be
controlled using RAND_keep_random_devices_open().
* Support for TLSv1.3 added. Note that users upgrading from an earlier
version of OpenSSL should review their configuration settings to ensure
that they are still appropriate for TLSv1.3. For further information see:
- https://wiki.openssl.org/index.php/TLS1.3
+ <https://wiki.openssl.org/index.php/TLS1.3>
*Matt Caswell*
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
- prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ prohibits this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
- record layer, and its removal is unlikely to cause inter-operability
+ record layer, and its removal is unlikely to cause interoperability
issues.
*Matt Caswell*
* 'openssl passwd' can now produce SHA256 and SHA512 based output,
using the algorithm defined in
- https://www.akkadia.org/drepper/SHA-crypt.txt
+ <https://www.akkadia.org/drepper/SHA-crypt.txt>
*Richard Levitte*
*Rich Salz*
+OpenSSL 1.1.0
+-------------
-### Changes between 1.1.0h and 1.1.0i [xx XXX xxxx] ###
+### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
- * Client DoS due to large DH parameter
-
- During key agreement in a TLS handshake using a DH(E) based ciphersuite a
- malicious server can send a very large prime value to the client. This will
- cause the client to spend an unreasonably long period of time generating a
- key for this prime resulting in a hang until the client has finished. This
- could be exploited in a Denial Of Service attack.
+ * For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
- This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
- (CVE-2018-0732)
+ *Nicola Tuveri*
- *Guido Vranken*
+ * Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ [CVE-2019-1547][]
- * Cache timing vulnerability in RSA Key Generation
+ *Billy Bob Brumley*
- The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
- a cache timing side channel attack. An attacker with sufficient access to
- mount cache timing attacks during the RSA key generation process could
- recover the private key.
+ * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [CVE-2019-1563][]
- This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
- Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
- (CVE-2018-0737)
+ *Bernd Edlinger*
- *Billy Brumley*
+ * Use Windows installation paths in the mingw builds
- * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
- parameter is no longer accepted, as it leads to a corrupt table. NULL
- pem_str is reserved for alias entries only.
+ Mingw isn't a POSIX environment per se, which means that Windows
+ paths should be used for installation.
+ [CVE-2019-1552][]
*Richard Levitte*
- * Revert blinding in ECDSA sign and instead make problematic addition
- length-invariant. Switch even to fixed-length Montgomery multiplication.
+### Changes between 1.1.0j and 1.1.0k [28 May 2019]
- *Andy Polyakov*
+ * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
- * Change generating and checking of primes so that the error rate of not
- being prime depends on the intended use based on the size of the input.
- For larger primes this will result in more rounds of Miller-Rabin.
- The maximal error rate for primes with more than 1080 bits is lowered
- to 2^-128.
+ *Kurt Roeckx*
- *Kurt Roeckx, Annie Yousar*
+ * Prevent over long nonces in ChaCha20-Poly1305.
+
+ ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
+ for every encryption operation. RFC 7539 specifies that the nonce value
+ (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
+ and front pads the nonce with 0 bytes if it is less than 12
+ bytes. However it also incorrectly allows a nonce to be set of up to 16
+ bytes. In this case only the last 12 bytes are significant and any
+ additional leading bytes are ignored.
+
+ It is a requirement of using this cipher that nonce values are
+ unique. Messages encrypted using a reused nonce value are susceptible to
+ serious confidentiality and integrity attacks. If an application changes
+ the default nonce length to be longer than 12 bytes and then makes a
+ change to the leading bytes of the nonce expecting the new value to be a
+ new unique nonce then such an application could inadvertently encrypt
+ messages with a reused nonce.
+
+ Additionally the ignored bytes in a long nonce are not covered by the
+ integrity guarantee of this cipher. Any application that relies on the
+ integrity of these ignored leading bytes of a long nonce may be further
+ affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
+ is safe because no such use sets such a long nonce value. However user
+ applications that use this cipher directly and set a non-default nonce
+ length to be longer than 12 bytes may be vulnerable.
+
+ This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
+ Greef of Ronomon.
+ [CVE-2019-1543][]
- * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ *Matt Caswell*
- *Kurt Roeckx*
+ * Added SCA hardening for modular field inversion in EC_GROUP through
+ a new dedicated field_inv() pointer in EC_METHOD.
+ This also addresses a leakage affecting conversions from projective
+ to affine coordinates.
- * Add blinding to ECDSA and DSA signatures to protect against side channel
- attacks discovered by Keegan Ryan (NCC Group).
+ *Billy Bob Brumley, Nicola Tuveri*
- *Matt Caswell*
+ * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
- * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
- now allow empty (zero character) pass phrases.
+ *Bernd Edlinger*
+
+ * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
*Richard Levitte*
- * Certificate time validation (X509_cmp_time) enforces stricter
- compliance with RFC 5280. Fractional seconds and timezone offsets
- are no longer allowed.
+ * Remove the 'dist' target and add a tarball building script. The
+ 'dist' target has fallen out of use, and it shouldn't be
+ necessary to configure just to create a source distribution.
- *Emilia Käsper*
+ *Richard Levitte*
- * Fixed a text canonicalisation bug in CMS
+### Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
- Where a CMS detached signature is used with text content the text goes
- through a canonicalisation process first prior to signing or verifying a
- signature. This process strips trailing space at the end of lines, converts
+ * Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ [CVE-2018-0734][]
+
+ *Paul Dale*
+
+ * Timing vulnerability in ECDSA signature generation
+
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+ [CVE-2018-0735][]
+
+ *Paul Dale*
+
+ * Add coordinate blinding for EC_POINT and implement projective
+ coordinate blinding for generic prime curves as a countermeasure to
+ chosen point SCA attacks.
+
+ *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*
+
+### Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
+
+ * Client DoS due to large DH parameter
+
+ During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+ malicious server can send a very large prime value to the client. This will
+ cause the client to spend an unreasonably long period of time generating a
+ key for this prime resulting in a hang until the client has finished. This
+ could be exploited in a Denial Of Service attack.
+
+ This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+ [CVE-2018-0732][]
+
+ *Guido Vranken*
+
+ * Cache timing vulnerability in RSA Key Generation
+
+ The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+ a cache timing side channel attack. An attacker with sufficient access to
+ mount cache timing attacks during the RSA key generation process could
+ recover the private key.
+
+ This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+ Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+ [CVE-2018-0737][]
+
+ *Billy Brumley*
+
+ * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+
+ *Richard Levitte*
+
+ * Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+
+ *Andy Polyakov*
+
+ * Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+
+ *Kurt Roeckx, Annie Yousar*
+
+ * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+
+ *Kurt Roeckx*
+
+ * Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+
+ *Matt Caswell*
+
+ * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+
+ *Richard Levitte*
+
+ * Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
+
+ *Emilia Käsper*
+
+ * Fixed a text canonicalisation bug in CMS
+
+ Where a CMS detached signature is used with text content the text goes
+ through a canonicalisation process first prior to signing or verifying a
+ signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
*Matt Caswell*
-### Changes between 1.1.0g and 1.1.0h [27 Mar 2018] ###
+### Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
* Constructed ASN.1 types with a recursive definition could exceed the stack
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
- (CVE-2018-0739)
+ [CVE-2018-0739][]
*Matt Caswell*
This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
(IBM).
- (CVE-2018-0733)
+ [CVE-2018-0733][]
*Andy Polyakov*
This issue was reported to OpenSSL by David Benjamin (Google). The issue
was originally found via the OSS-Fuzz project.
- (CVE-2017-3738)
+ [CVE-2017-3738][]
*Andy Polyakov*
-### Changes between 1.1.0f and 1.1.0g [2 Nov 2017] ###
+### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
* bn_sqrx8x_internal carry bug on x86_64
like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- (CVE-2017-3736)
+ [CVE-2017-3736][]
*Andy Polyakov*
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- (CVE-2017-3735)
+ [CVE-2017-3735][]
*Rich Salz*
-### Changes between 1.1.0e and 1.1.0f [25 May 2017] ###
+### Changes between 1.1.0e and 1.1.0f [25 May 2017]
* Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
*Richard Levitte*
-### Changes between 1.1.0d and 1.1.0e [16 Feb 2017] ###
+### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
* Encrypt-Then-Mac renegotiation crash
and servers are affected.
This issue was reported to OpenSSL by Joe Orton (Red Hat).
- (CVE-2017-3733)
+ [CVE-2017-3733][]
*Matt Caswell*
-### Changes between 1.1.0c and 1.1.0d [26 Jan 2017] ###
+### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
* Truncated packet could crash via OOB read
perform an out-of-bounds read, usually resulting in a crash.
This issue was reported to OpenSSL by Robert Święcki of Google.
- (CVE-2017-3731)
+ [CVE-2017-3731][]
*Andy Polyakov*
of Service attack.
This issue was reported to OpenSSL by Guido Vranken.
- (CVE-2017-3730)
+ [CVE-2017-3730][]
*Matt Caswell*
similar to CVE-2015-3193 but must be treated as a separate problem.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- (CVE-2017-3732)
+ [CVE-2017-3732][]
*Andy Polyakov*
-### Changes between 1.1.0b and 1.1.0c [10 Nov 2016] ###
+### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
* ChaCha20/Poly1305 heap-buffer-overflow
- TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
a DoS attack by corrupting larger payloads. This can result in an OpenSSL
crash. This issue is not considered to be exploitable beyond a DoS.
This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
- (CVE-2016-7054)
+ [CVE-2016-7054][]
*Richard Levitte*
affected.
This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
- (CVE-2016-7053)
+ [CVE-2016-7053][]
*Stephen Henson*
This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case.
- (CVE-2016-7055)
+ [CVE-2016-7055][]
*Andy Polyakov*
*Richard Levitte*
-### Changes between 1.1.0a and 1.1.0b [26 Sep 2016] ###
+### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
* Fix Use After Free for large message sizes
This issue only affects OpenSSL 1.1.0a.
This issue was reported to OpenSSL by Robert Święcki.
- (CVE-2016-6309)
+ [CVE-2016-6309][]
*Matt Caswell*
-### Changes between 1.1.0 and 1.1.0a [22 Sep 2016] ###
+### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
* OCSP Status Request extension unbounded memory growth
the "no-ocsp" build time option are not affected.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- (CVE-2016-6304)
+ [CVE-2016-6304][]
*Matt Caswell*
Denial Of Service attack.
This issue was reported to OpenSSL by Alex Gaynor.
- (CVE-2016-6305)
+ [CVE-2016-6305][]
*Matt Caswell*
*Andy Polyakov*
-### Changes between 1.0.2h and 1.1.0 [25 Aug 2016] ###
+### Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
* Windows command-line tool supports UTF-8 opt-in option for arguments
and console input. Setting OPENSSL_WIN32_UTF8 environment variable
*Andy Polyakov*
- * To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
+ * To mitigate the SWEET32 attack [CVE-2016-2183][], 3DES cipher suites
have been disabled by default and removed from DEFAULT, just like RC4.
See the RC4 item below to re-enable both.
*Joseph Wylie Yandle, Rich Salz*
- * The stack and lhash API's were renamed to start with OPENSSL_SK_
- and OPENSSL_LH_, respectively. The old names are available
+ * The stack and lhash API's were renamed to start with `OPENSSL_SK_`
+ and `OPENSSL_LH_`, respectively. The old names are available
with API compatibility. They new names are now completely documented.
*Rich Salz*
*Todd Short*
* Changes to the DEFAULT cipherlist:
- - Prefer (EC)DHE handshakes over plain RSA.
- - Prefer AEAD ciphers over legacy ciphers.
- - Prefer ECDSA over RSA when both certificates are available.
- - Prefer TLSv1.2 ciphers/PRF.
- - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
- default cipherlist.
+ - Prefer (EC)DHE handshakes over plain RSA.
+ - Prefer AEAD ciphers over legacy ciphers.
+ - Prefer ECDSA over RSA when both certificates are available.
+ - Prefer TLSv1.2 ciphers/PRF.
+ - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
+ default cipherlist.
*Emilia Käsper*
* Deprecate SRP_VBASE_get_by_user.
SRP_VBASE_get_by_user had inconsistent memory management behaviour.
- In order to fix an unavoidable memory leak (CVE-2016-0798),
+ In order to fix an unavoidable memory leak [CVE-2016-0798][],
SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
seed, even if the seed is configured.
* The signature of the session callback configured with
SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
- was explicitly marked as 'const unsigned char*' instead of
- 'unsigned char*'.
+ was explicitly marked as `const unsigned char*` instead of
+ `unsigned char*`.
*Emilia Käsper*
Makefile. Instead, Configure produces a perl module in
configdata.pm which holds most of the config data (in the hash
table %config), the target data that comes from the target
- configuration in one of the Configurations/*.conf files (in
+ configuration in one of the `Configurations/*.conf~ files (in
%target).
*Richard Levitte*
* The GOST engine was out of date and therefore it has been removed. An up
to date GOST engine is now being maintained in an external repository.
- See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
+ See: <https://wiki.openssl.org/index.php/Binaries>. Libssl still retains
support for GOST ciphersuites (these are only activated if a GOST engine
is present).
* Added support for OCB mode. OpenSSL has been granted a patent license
compatible with the OpenSSL license for use of OCB. Details are available
- at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
+ at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
for OCB can be removed by calling config with no-ocb.
*Matt Caswell*
*Rich Salz*
* Clean up OPENSSL_NO_xxx #define's
- - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
- - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
- - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
- - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
- - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
- - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
- OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
- OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
- OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
- - Remove MS_STATIC; it's a relic from platforms <32 bits.
+ - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
+ - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
+ - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
+ - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
+ - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
+ - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
+ OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
+ OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
+ OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
+ - Remove MS_STATIC; it's a relic from platforms <32 bits.
*Rich Salz*
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
- preparing the fix (CVE-2014-0160)
+ preparing the fix [CVE-2014-0160][]
*Adam Langley, Bodo Moeller*
* Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
- http://eprint.iacr.org/2014/140
+ <http://eprint.iacr.org/2014/140>
Thanks to Yuval Yarom and Naomi Benger for discovering this
- flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][]
*Yuval Yarom and Naomi Benger*
WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
-
*Steve Henson*
* Add EVP support for key wrapping algorithms, to avoid problems with
*Steve Henson*
* Initial, experimental EVP support for AES-GCM. AAD can be input by
- setting output buffer to NULL. The *Final function must be
+ setting output buffer to NULL. The `*Final` function must be
called although it will not retrieve any additional data. The tag
can be set or retrieved with a ctrl. The IV length is by default 12
bytes (96 bits) but can be set to an alternative value. If the IV
*Steve Henson*
- * New macro __owur for "OpenSSL Warn Unused Result". This makes use of
+ * New macro `__owur` for "OpenSSL Warn Unused Result". This makes use of
a gcc attribute to warn if the result of a function is ignored. This
is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
whose return value is often ignored.
*Rob Percival <robpercival@google.com>*
-### Changes between 1.0.2g and 1.0.2h [3 May 2016] ###
+OpenSSL 1.0.2
+-------------
- * Prevent padding oracle in AES-NI CBC MAC check
-
- A MITM attacker can use a padding oracle attack to decrypt traffic
- when the connection uses an AES CBC cipher and the server support
- AES-NI.
+### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
- This issue was introduced as part of the fix for Lucky 13 padding
- attack (CVE-2013-0169). The padding check was rewritten to be in
- constant time by making sure that always the same bytes are read and
- compared against either the MAC or padding bytes. But it no longer
- checked that there was enough data to have both the MAC and padding
- bytes.
+ * For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
- This issue was reported by Juraj Somorovsky using TLS-Attacker.
- (CVE-2016-2107)
+ *Nicola Tuveri*
- *Kurt Roeckx*
+ * Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ [CVE-2019-1547][]
- * Fix EVP_EncodeUpdate overflow
+ *Billy Bob Brumley*
- An overflow can occur in the EVP_EncodeUpdate() function which is used for
- Base64 encoding of binary data. If an attacker is able to supply very large
- amounts of input data then a length check can overflow resulting in a heap
- corruption.
+ * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [CVE-2019-1563][]
- Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
- the PEM_write_bio* family of functions. These are mainly used within the
- OpenSSL command line applications, so any application which processes data
- from an untrusted source and outputs it as a PEM file should be considered
- vulnerable to this issue. User applications that call these APIs directly
- with large amounts of untrusted data may also be vulnerable.
+ *Bernd Edlinger*
- This issue was reported by Guido Vranken.
- (CVE-2016-2105)
+ * Document issue with installation paths in diverse Windows builds
- *Matt Caswell*
+ '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
+ binaries and run-time config file.
+ [CVE-2019-1552][]
- * Fix EVP_EncryptUpdate overflow
+ *Richard Levitte*
- An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
- is able to supply very large amounts of input data after a previous call to
- EVP_EncryptUpdate() with a partial block then a length check can overflow
- resulting in a heap corruption. Following an analysis of all OpenSSL
- internal usage of the EVP_EncryptUpdate() function all usage is one of two
- forms. The first form is where the EVP_EncryptUpdate() call is known to be
- the first called function after an EVP_EncryptInit(), and therefore that
- specific call must be safe. The second form is where the length passed to
- EVP_EncryptUpdate() can be seen from the code to be some small value and
- therefore there is no possibility of an overflow. Since all instances are
- one of these two forms, it is believed that there can be no overflows in
- internal code due to this problem. It should be noted that
- EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
- Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
- of these calls have also been analysed too and it is believed there are no
- instances in internal usage where an overflow could occur.
+### Changes between 1.0.2r and 1.0.2s [28 May 2019]
- This issue was reported by Guido Vranken.
- (CVE-2016-2106)
+ * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
- *Matt Caswell*
+ *Kurt Roeckx*
- * Prevent ASN.1 BIO excessive memory allocation
+ * Add FIPS support for Android Arm 64-bit
- When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
- a short invalid encoding can cause allocation of large amounts of memory
- potentially consuming excessive resources or exhausting memory.
+ Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
+ Module in Version 2.0.10. For some reason, the corresponding target
+ 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
+ built with FIPS support on Android Arm 64-bit. This omission has been
+ fixed.
- Any application parsing untrusted data through d2i BIO functions is
- affected. The memory based functions such as d2i_X509() are *not* affected.
- Since the memory based functions are used by the TLS library, TLS
- applications are not affected.
+ *Matthias St. Pierre*
- This issue was reported by Brian Carpenter.
- (CVE-2016-2109)
+### Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
- *Stephen Henson*
+ * 0-byte record padding oracle
- * EBCDIC overread
+ If an application encounters a fatal protocol error and then calls
+ SSL_shutdown() twice (once to send a close_notify, and once to receive one)
+ then OpenSSL can respond differently to the calling application if a 0 byte
+ record is received with invalid padding compared to if a 0 byte record is
+ received with an invalid MAC. If the application then behaves differently
+ based on that in a way that is detectable to the remote peer, then this
+ amounts to a padding oracle that could be used to decrypt data.
- ASN1 Strings that are over 1024 bytes can cause an overread in applications
- using the X509_NAME_oneline() function on EBCDIC systems. This could result
- in arbitrary stack data being returned in the buffer.
+ In order for this to be exploitable "non-stitched" ciphersuites must be in
+ use. Stitched ciphersuites are optimised implementations of certain
+ commonly used ciphersuites. Also the application must call SSL_shutdown()
+ twice even if a protocol error has occurred (applications should not do
+ this but some do anyway).
- This issue was reported by Guido Vranken.
- (CVE-2016-2176)
+ This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
+ Aviram, with additional investigation by Steven Collison and Andrew
+ Hourselt. It was reported to OpenSSL on 10th December 2018.
+ [CVE-2019-1559][]
*Matt Caswell*
- * Modify behavior of ALPN to invoke callback after SNI/servername
- callback, such that updates to the SSL_CTX affect ALPN.
+ * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
- *Todd Short*
+ *Richard Levitte*
- * Remove LOW from the DEFAULT cipher list. This removes singles DES from the
- default.
+### Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
- *Kurt Roeckx*
+ * Microarchitecture timing vulnerability in ECC scalar multiplication
- * Only remove the SSLv2 methods with the no-ssl2-method option. When the
- methods are enabled and ssl2 is disabled the methods return NULL.
+ OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
+ shown to be vulnerable to a microarchitecture timing side channel attack.
+ An attacker with sufficient access to mount local timing attacks during
+ ECDSA signature generation could recover the private key.
- *Kurt Roeckx*
+ This issue was reported to OpenSSL on 26th October 2018 by Alejandro
+ Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
+ Nicola Tuveri.
+ [CVE-2018-5407][]
-### Changes between 1.0.2f and 1.0.2g [1 Mar 2016] ###
+ *Billy Brumley*
-* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
- Builds that are not configured with "enable-weak-ssl-ciphers" will not
- provide any "EXPORT" or "LOW" strength ciphers.
+ * Timing vulnerability in DSA signature generation
- *Viktor Dukhovni*
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
-* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
- is by default disabled at build-time. Builds that are not configured with
- "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
- users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
- will need to explicitly call either of:
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ [CVE-2018-0734][]
- SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
- or
- SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+ *Paul Dale*
- as appropriate. Even if either of those is used, or the application
- explicitly uses the version-specific SSLv2_method() or its client and
- server variants, SSLv2 ciphers vulnerable to exhaustive search key
- recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
- ciphers, and SSLv2 56-bit DES are no longer available.
- (CVE-2016-0800)
+ * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
+ Module, accidentally introduced while backporting security fixes from the
+ development branch and hindering the use of ECC in FIPS mode.
- *Viktor Dukhovni*
+ *Nicola Tuveri*
- * Fix a double-free in DSA code
+### Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
- A double free bug was discovered when OpenSSL parses malformed DSA private
- keys and could lead to a DoS attack or memory corruption for applications
- that receive DSA private keys from untrusted sources. This scenario is
- considered rare.
+ * Client DoS due to large DH parameter
- This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
- libFuzzer.
- (CVE-2016-0705)
+ During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+ malicious server can send a very large prime value to the client. This will
+ cause the client to spend an unreasonably long period of time generating a
+ key for this prime resulting in a hang until the client has finished. This
+ could be exploited in a Denial Of Service attack.
- *Stephen Henson*
+ This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+ [CVE-2018-0732][]
- * Disable SRP fake user seed to address a server memory leak.
+ *Guido Vranken*
- Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+ * Cache timing vulnerability in RSA Key Generation
- SRP_VBASE_get_by_user had inconsistent memory management behaviour.
- In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
- was changed to ignore the "fake user" SRP seed, even if the seed
- is configured.
+ The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+ a cache timing side channel attack. An attacker with sufficient access to
+ mount cache timing attacks during the RSA key generation process could
+ recover the private key.
- Users should use SRP_VBASE_get1_by_user instead. Note that in
- SRP_VBASE_get1_by_user, caller must free the returned value. Note
- also that even though configuring the SRP seed attempts to hide
- invalid usernames by continuing the handshake with fake
- credentials, this behaviour is not constant time and no strong
- guarantees are made that the handshake is indistinguishable from
- that of a valid user.
- (CVE-2016-0798)
+ This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+ Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+ [CVE-2018-0737][]
- *Emilia Käsper*
+ *Billy Brumley*
- * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+ * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
- In the BN_hex2bn function the number of hex digits is calculated using an
- int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
- large values of |i| this can result in |bn_expand| not allocating any
- memory because |i * 4| is negative. This can leave the internal BIGNUM data
- field as NULL leading to a subsequent NULL ptr deref. For very large values
- of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
- In this case memory is allocated to the internal BIGNUM data field, but it
- is insufficiently sized leading to heap corruption. A similar issue exists
- in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
- is ever called by user applications with very large untrusted hex/dec data.
- This is anticipated to be a rare occurrence.
+ *Richard Levitte*
- All OpenSSL internal usage of these functions use data that is not expected
- to be untrusted, e.g. config file data or application command line
- arguments. If user developed applications generate config file data based
- on untrusted data then it is possible that this could also lead to security
- consequences. This is also anticipated to be rare.
+ * Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
- This issue was reported to OpenSSL by Guido Vranken.
- (CVE-2016-0797)
+ *Andy Polyakov*
- *Matt Caswell*
+ * Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
- * Fix memory issues in BIO_*printf functions
+ *Kurt Roeckx, Annie Yousar*
- The internal |fmtstr| function used in processing a "%s" format string in
- the BIO_*printf functions could overflow while calculating the length of a
- string and cause an OOB read when printing very long strings.
+ * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
- Additionally the internal |doapr_outch| function can attempt to write to an
- OOB memory location (at an offset from the NULL pointer) in the event of a
- memory allocation failure. In 1.0.2 and below this could be caused where
- the size of a buffer to be allocated is greater than INT_MAX. E.g. this
- could be in processing a very long "%s" format string. Memory leaks can
- also occur.
+ *Kurt Roeckx*
- The first issue may mask the second issue dependent on compiler behaviour.
- These problems could enable attacks where large amounts of untrusted data
- is passed to the BIO_*printf functions. If applications use these functions
- in this way then they could be vulnerable. OpenSSL itself uses these
- functions when printing out human-readable dumps of ASN.1 data. Therefore
- applications that print this data could be vulnerable if the data is from
- untrusted sources. OpenSSL command line applications could also be
- vulnerable where they print out ASN.1 data, or if untrusted data is passed
- as command line arguments.
+ * Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
- Libssl is not considered directly vulnerable. Additionally certificates etc
- received via remote connections via libssl are also unlikely to be able to
- trigger these issues because of message size limits enforced within libssl.
+ *Matt Caswell*
- This issue was reported to OpenSSL Guido Vranken.
- (CVE-2016-0799)
+ * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
- *Matt Caswell*
+ *Richard Levitte*
- * Side channel attack on modular exponentiation
+ * Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
- A side-channel attack was found which makes use of cache-bank conflicts on
- the Intel Sandy-Bridge microarchitecture which could lead to the recovery
- of RSA keys. The ability to exploit this issue is limited as it relies on
- an attacker who has control of code in a thread running on the same
- hyper-threaded core as the victim thread which is performing decryptions.
+ *Emilia Käsper*
- This issue was reported to OpenSSL by Yuval Yarom, The University of
- Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
- Nadia Heninger, University of Pennsylvania with more information at
- http://cachebleed.info.
- (CVE-2016-0702)
+### Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
- *Andy Polyakov*
+ * Constructed ASN.1 types with a recursive definition could exceed the stack
- * Change the req app to generate a 2048-bit RSA/DSA key by default,
- if no keysize is specified with default_bits. This fixes an
- omission in an earlier change that changed all RSA/DSA key generation
- apps to use 2048 bits by default.
+ Constructed ASN.1 types with a recursive definition (such as can be found
+ in PKCS7) could eventually exceed the stack given malicious input with
+ excessive recursion. This could result in a Denial Of Service attack. There
+ are no such structures used within SSL/TLS that come from untrusted sources
+ so this is considered safe.
- *Emilia Käsper*
+ This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
+ project.
+ [CVE-2018-0739][]
-### Changes between 1.0.2e and 1.0.2f [28 Jan 2016] ###
- * DH small subgroups
+ *Matt Caswell*
- Historically OpenSSL only ever generated DH parameters based on "safe"
- primes. More recently (in version 1.0.2) support was provided for
- generating X9.42 style parameter files such as those required for RFC 5114
- support. The primes used in such files may not be "safe". Where an
- application is using DH configured with parameters based on primes that are
- not "safe" then an attacker could use this fact to find a peer's private
- DH exponent. This attack requires that the attacker complete multiple
- handshakes in which the peer uses the same private DH exponent. For example
- this could be used to discover a TLS server's private DH exponent if it's
- reusing the private DH exponent or it's using a static DH ciphersuite.
+### Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
- OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
- TLS. It is not on by default. If the option is not set then the server
- reuses the same private DH exponent for the life of the server process and
- would be vulnerable to this attack. It is believed that many popular
- applications do set this option and would therefore not be at risk.
+ * Read/write after SSL object in error state
- The fix for this issue adds an additional check where a "q" parameter is
- available (as is the case in X9.42 based parameters). This detects the
- only known attack, and is the only possible defense for static DH
- ciphersuites. This could have some performance impact.
+ OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
+ mechanism. The intent was that if a fatal error occurred during a handshake
+ then OpenSSL would move into the error state and would immediately fail if
+ you attempted to continue the handshake. This works as designed for the
+ explicit handshake functions (SSL_do_handshake(), SSL_accept() and
+ SSL_connect()), however due to a bug it does not work correctly if
+ SSL_read() or SSL_write() is called directly. In that scenario, if the
+ handshake fails then a fatal error will be returned in the initial function
+ call. If SSL_read()/SSL_write() is subsequently called by the application
+ for the same SSL object then it will succeed and the data is passed without
+ being decrypted/encrypted directly from the SSL/TLS record layer.
- Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
- default and cannot be disabled. This could have some performance impact.
+ In order to exploit this issue an application bug would have to be present
+ that resulted in a call to SSL_read()/SSL_write() being issued after having
+ already received a fatal error.
- This issue was reported to OpenSSL by Antonio Sanso (Adobe).
- (CVE-2016-0701)
+ This issue was reported to OpenSSL by David Benjamin (Google).
+ [CVE-2017-3737][]
*Matt Caswell*
- * SSLv2 doesn't block disabled ciphers
+ * rsaz_1024_mul_avx2 overflow bug on x86_64
- A malicious client can negotiate SSLv2 ciphers that have been disabled on
- the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
- been disabled, provided that the SSLv2 protocol was not also disabled via
- SSL_OP_NO_SSLv2.
+ There is an overflow bug in the AVX2 Montgomery multiplication procedure
+ used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+ Analysis suggests that attacks against RSA and DSA as a result of this
+ defect would be very difficult to perform and are not believed likely.
+ Attacks against DH1024 are considered just feasible, because most of the
+ work necessary to deduce information about a private key may be performed
+ offline. The amount of resources required for such an attack would be
+ significant. However, for an attack on TLS to be meaningful, the server
+ would have to share the DH1024 private key among multiple clients, which is
+ no longer an option since CVE-2016-0701.
- This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
- and Sebastian Schinzel.
- (CVE-2015-3197)
+ This only affects processors that support the AVX2 but not ADX extensions
+ like Intel Haswell (4th generation).
- *Viktor Dukhovni*
+ This issue was reported to OpenSSL by David Benjamin (Google). The issue
+ was originally found via the OSS-Fuzz project.
+ [CVE-2017-3738][]
+
+ *Andy Polyakov*
-### Changes between 1.0.2d and 1.0.2e [3 Dec 2015] ###
+### Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
- * BN_mod_exp may produce incorrect results on x86_64
+ * bn_sqrx8x_internal carry bug on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
- key that is shared between multiple clients. For example this can occur by
- default in OpenSSL DHE based SSL/TLS ciphersuites.
+ key that is shared between multiple clients.
- This issue was reported to OpenSSL by Hanno Böck.
- (CVE-2015-3193)
+ This only affects processors that support the BMI1, BMI2 and ADX extensions
+ like Intel Broadwell (5th generation) and later or AMD Ryzen.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ [CVE-2017-3736][]
*Andy Polyakov*
- * Certificate verify crash with missing PSS parameter
+ * Malformed X.509 IPAddressFamily could cause OOB read
- The signature verification routines will crash with a NULL pointer
- dereference if presented with an ASN.1 signature using the RSA PSS
- algorithm and absent mask generation function parameter. Since these
- routines are used to verify certificate signature algorithms this can be
- used to crash any certificate verification operation and exploited in a
- DoS attack. Any application which performs certificate verification is
- vulnerable including OpenSSL clients and servers which enable client
- authentication.
+ If an X.509 certificate has a malformed IPAddressFamily extension,
+ OpenSSL could do a one-byte buffer overread. The most likely result
+ would be an erroneous display of the certificate in text format.
- This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
- (CVE-2015-3194)
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ [CVE-2017-3735][]
- *Stephen Henson*
+ *Rich Salz*
- * X509_ATTRIBUTE memory leak
+### Changes between 1.0.2k and 1.0.2l [25 May 2017]
- When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
- memory. This structure is used by the PKCS#7 and CMS routines so any
- application which reads PKCS#7 or CMS data from untrusted sources is
- affected. SSL/TLS is not affected.
+ * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
- This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
- libFuzzer.
- (CVE-2015-3195)
+ *Richard Levitte*
- *Stephen Henson*
+### Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
- * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
- This changes the decoding behaviour for some invalid messages,
- though the change is mostly in the more lenient direction, and
- legacy behaviour is preserved as much as possible.
+ * Truncated packet could crash via OOB read
- *Emilia Käsper*
+ If one side of an SSL/TLS path is running on a 32-bit host and a specific
+ cipher is being used, then a truncated packet can cause that host to
+ perform an out-of-bounds read, usually resulting in a crash.
- * In DSA_generate_parameters_ex, if the provided seed is too short,
- return an error
+ This issue was reported to OpenSSL by Robert Święcki of Google.
+ [CVE-2017-3731][]
- *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
+ *Andy Polyakov*
-### Changes between 1.0.2c and 1.0.2d [9 Jul 2015] ###
+ * BN_mod_exp may produce incorrect results on x86_64
- * Alternate chains certificate forgery
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
+ similar to CVE-2015-3193 but must be treated as a separate problem.
- During certificate verification, OpenSSL will attempt to find an
- alternative certificate chain if the first attempt to build such a chain
- fails. An error in the implementation of this logic can mean that an
- attacker could cause certain checks on untrusted certificates to be
- bypassed, such as the CA flag, enabling them to use a valid leaf
- certificate to act as a CA and "issue" an invalid certificate.
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ [CVE-2017-3732][]
- This issue was reported to OpenSSL by Adam Langley/David Benjamin
- (Google/BoringSSL).
+ *Andy Polyakov*
- *Matt Caswell*
+ * Montgomery multiplication may produce incorrect results
-### Changes between 1.0.2b and 1.0.2c [12 Jun 2015] ###
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an input
+ of the attacker's direct choice. Otherwise the bug can manifest itself as
+ transient authentication and key negotiation failures or reproducible
+ erroneous outcome of public-key operations with specially crafted input.
+ Among EC algorithms only Brainpool P-512 curves are affected and one
+ presumably can attack ECDH key negotiation. Impact was not analyzed in
+ detail, because pre-requisites for attack are considered unlikely. Namely
+ multiple clients have to choose the curve in question and the server has to
+ share the private key among them, neither of which is default behaviour.
+ Even then only clients that chose the curve will be affected.
- * Fix HMAC ABI incompatibility. The previous version introduced an ABI
- incompatibility in the handling of HMAC. The previous ABI has now been
- restored.
+ This issue was publicly reported as transient failures and was not
+ initially recognized as a security issue. Thanks to Richard Morgan for
+ providing reproducible case.
+ [CVE-2016-7055][]
+
+ *Andy Polyakov*
+
+ * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+ or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+ prevent issues where no progress is being made and the peer continually
+ sends unrecognised record types, using up resources processing them.
*Matt Caswell*
-### Changes between 1.0.2a and 1.0.2b [11 Jun 2015] ###
+### Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
- * Malformed ECParameters causes infinite loop
+ * Missing CRL sanity check
- When processing an ECParameters structure OpenSSL enters an infinite loop
- if the curve specified is over a specially malformed binary polynomial
- field.
+ A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+ but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
+ CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
- This can be used to perform denial of service against any
- system which processes public keys, certificate requests or
- certificates. This includes TLS clients and TLS servers with
- client authentication enabled.
-
- This issue was reported to OpenSSL by Joseph Barr-Pixton.
- (CVE-2015-1788)
+ This issue only affects the OpenSSL 1.0.2i
+ [CVE-2016-7052][]
- *Andy Polyakov*
+ *Matt Caswell*
- * Exploitable out-of-bounds read in X509_cmp_time
+### Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
- X509_cmp_time does not properly check the length of the ASN1_TIME
- string and can read a few bytes out of bounds. In addition,
- X509_cmp_time accepts an arbitrary number of fractional seconds in the
- time string.
+ * OCSP Status Request extension unbounded memory growth
- An attacker can use this to craft malformed certificates and CRLs of
- various sizes and potentially cause a segmentation fault, resulting in
- a DoS on applications that verify certificates or CRLs. TLS clients
- that verify CRLs are affected. TLS clients and servers with client
- authentication enabled may be affected if they use custom verification
- callbacks.
+ A malicious client can send an excessively large OCSP Status Request
+ extension. If that client continually requests renegotiation, sending a
+ large OCSP Status Request extension each time, then there will be unbounded
+ memory growth on the server. This will eventually lead to a Denial Of
+ Service attack through memory exhaustion. Servers with a default
+ configuration are vulnerable even if they do not support OCSP. Builds using
+ the "no-ocsp" build time option are not affected.
- This issue was reported to OpenSSL by Robert Swiecki (Google), and
- independently by Hanno Böck.
- (CVE-2015-1789)
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6304][]
- *Emilia Käsper*
+ *Matt Caswell*
- * PKCS7 crash with missing EnvelopedContent
+ * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
+ HIGH to MEDIUM.
- The PKCS#7 parsing code does not handle missing inner EncryptedContent
- correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
- with missing content and trigger a NULL pointer dereference on parsing.
+ This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
+ Leurent (INRIA)
+ [CVE-2016-2183][]
- Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
- structures from untrusted sources are affected. OpenSSL clients and
- servers are not affected.
+ *Rich Salz*
- This issue was reported to OpenSSL by Michal Zalewski (Google).
- (CVE-2015-1790)
+ * OOB write in MDC2_Update()
- *Emilia Käsper*
+ An overflow can occur in MDC2_Update() either if called directly or
+ through the EVP_DigestUpdate() function using MDC2. If an attacker
+ is able to supply very large amounts of input data after a previous
+ call to EVP_EncryptUpdate() with a partial block then a length check
+ can overflow resulting in a heap corruption.
- * CMS verify infinite loop with unknown hash function
+ The amount of data needed is comparable to SIZE_MAX which is impractical
+ on most platforms.
- When verifying a signedData message the CMS code can enter an infinite loop
- if presented with an unknown hash function OID. This can be used to perform
- denial of service against any system which verifies signedData messages using
- the CMS code.
- This issue was reported to OpenSSL by Johannes Bauer.
- (CVE-2015-1792)
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6303][]
*Stephen Henson*
- * Race condition handling NewSessionTicket
+ * Malformed SHA512 ticket DoS
- If a NewSessionTicket is received by a multi-threaded client when attempting to
- reuse a previous ticket then a race condition can occur potentially leading to
- a double free of the ticket data.
- (CVE-2015-1791)
+ If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
+ DoS attack where a malformed ticket will result in an OOB read which will
+ ultimately crash.
- *Matt Caswell*
+ The use of SHA512 in TLS session tickets is comparatively rare as it requires
+ a custom server callback and ticket lookup mechanism.
- * Only support 256-bit or stronger elliptic curves with the
- 'ecdh_auto' setting (server) or by default (client). Of supported
- curves, prefer P-256 (both).
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6302][]
- *Emilia Kasper*
+ *Stephen Henson*
-### Changes between 1.0.2 and 1.0.2a [19 Mar 2015] ###
+ * OOB write in BN_bn2dec()
- * ClientHello sigalgs DoS fix
+ The function BN_bn2dec() does not check the return value of BN_div_word().
+ This can cause an OOB write if an application uses this function with an
+ overly large BIGNUM. This could be a problem if an overly large certificate
+ or CRL is printed out from an untrusted source. TLS is not affected because
+ record limits will reject an oversized certificate before it is parsed.
- If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
- invalid signature algorithms extension a NULL pointer dereference will
- occur. This can be exploited in a DoS attack against the server.
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-2182][]
- This issue was was reported to OpenSSL by David Ramos of Stanford
- University.
- (CVE-2015-0291)
+ *Stephen Henson*
- *Stephen Henson and Matt Caswell*
+ * OOB read in TS_OBJ_print_bio()
- * Multiblock corrupted pointer fix
+ The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
+ the total length the OID text representation would use and not the amount
+ of data written. This will result in OOB reads when large OIDs are
+ presented.
- OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
- feature only applies on 64 bit x86 architecture platforms that support AES
- NI instructions. A defect in the implementation of "multiblock" can cause
- OpenSSL's internal write buffer to become incorrectly set to NULL when
- using non-blocking IO. Typically, when the user application is using a
- socket BIO for writing, this will only result in a failed connection.
- However if some other BIO is used then it is likely that a segmentation
- fault will be triggered, thus enabling a potential DoS attack.
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-2180][]
- This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
- (CVE-2015-0290)
+ *Stephen Henson*
- *Matt Caswell*
+ * Pointer arithmetic undefined behaviour
- * Segmentation fault in DTLSv1_listen fix
+ Avoid some undefined pointer arithmetic
- The DTLSv1_listen function is intended to be stateless and processes the
- initial ClientHello from many peers. It is common for user code to loop
- over the call to DTLSv1_listen until a valid ClientHello is received with
- an associated cookie. A defect in the implementation of DTLSv1_listen means
- that state is preserved in the SSL object from one invocation to the next
- that can lead to a segmentation fault. Errors processing the initial
- ClientHello can trigger this scenario. An example of such an error could be
- that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
- server.
+ A common idiom in the codebase is to check limits in the following manner:
+ "p + len > limit"
- This issue was reported to OpenSSL by Per Allansson.
- (CVE-2015-0207)
+ Where "p" points to some malloc'd data of SIZE bytes and
+ limit == p + SIZE
- *Matt Caswell*
+ "len" here could be from some externally supplied data (e.g. from a TLS
+ message).
- * Segmentation fault in ASN1_TYPE_cmp fix
+ The rules of C pointer arithmetic are such that "p + len" is only well
+ defined where len <= SIZE. Therefore the above idiom is actually
+ undefined behaviour.
- The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
- made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
- certificate signature algorithm consistency this can be used to crash any
- certificate verification operation and exploited in a DoS attack. Any
- application which performs certificate verification is vulnerable including
- OpenSSL clients and servers which enable client authentication.
- (CVE-2015-0286)
+ For example this could cause problems if some malloc implementation
+ provides an address for "p" such that "p + len" actually overflows for
+ values of len that are too big and therefore p + len < limit.
- *Stephen Henson*
+ This issue was reported to OpenSSL by Guido Vranken
+ [CVE-2016-2177][]
- * Segmentation fault for invalid PSS parameters fix
+ *Matt Caswell*
- The signature verification routines will crash with a NULL pointer
- dereference if presented with an ASN.1 signature using the RSA PSS
- algorithm and invalid parameters. Since these routines are used to verify
- certificate signature algorithms this can be used to crash any
- certificate verification operation and exploited in a DoS attack. Any
- application which performs certificate verification is vulnerable including
- OpenSSL clients and servers which enable client authentication.
+ * Constant time flag not preserved in DSA signing
- This issue was was reported to OpenSSL by Brian Carpenter.
- (CVE-2015-0208)
+ Operations in the DSA signing algorithm should run in constant time in
+ order to avoid side channel attacks. A flaw in the OpenSSL DSA
+ implementation means that a non-constant time codepath is followed for
+ certain operations. This has been demonstrated through a cache-timing
+ attack to be sufficient for an attacker to recover the private DSA key.
- *Stephen Henson*
+ This issue was reported by César Pereida (Aalto University), Billy Brumley
+ (Tampere University of Technology), and Yuval Yarom (The University of
+ Adelaide and NICTA).
+ [CVE-2016-2178][]
- * ASN.1 structure reuse memory corruption fix
+ *César Pereida*
- Reusing a structure in ASN.1 parsing may allow an attacker to cause
- memory corruption via an invalid write. Such reuse is and has been
- strongly discouraged and is believed to be rare.
+ * DTLS buffered message DoS
- Applications that parse structures containing CHOICE or ANY DEFINED BY
- components may be affected. Certificate parsing (d2i_X509 and related
- functions) are however not affected. OpenSSL clients and servers are
- not affected.
- (CVE-2015-0287)
+ In a DTLS connection where handshake messages are delivered out-of-order
+ those messages that OpenSSL is not yet ready to process will be buffered
+ for later use. Under certain circumstances, a flaw in the logic means that
+ those messages do not get removed from the buffer even though the handshake
+ has been completed. An attacker could force up to approx. 15 messages to
+ remain in the buffer when they are no longer required. These messages will
+ be cleared when the DTLS connection is closed. The default maximum size for
+ a message is 100k. Therefore the attacker could force an additional 1500k
+ to be consumed per connection. By opening many simulataneous connections an
+ attacker could cause a DoS attack through memory exhaustion.
- *Stephen Henson*
+ This issue was reported to OpenSSL by Quan Luo.
+ [CVE-2016-2179][]
- * PKCS7 NULL pointer dereferences fix
+ *Matt Caswell*
- The PKCS#7 parsing code does not handle missing outer ContentInfo
- correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
- missing content and trigger a NULL pointer dereference on parsing.
+ * DTLS replay protection DoS
- Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
- otherwise parse PKCS#7 structures from untrusted sources are
- affected. OpenSSL clients and servers are not affected.
+ A flaw in the DTLS replay attack protection mechanism means that records
+ that arrive for future epochs update the replay protection "window" before
+ the MAC for the record has been validated. This could be exploited by an
+ attacker by sending a record for the next epoch (which does not have to
+ decrypt or have a valid MAC), with a very large sequence number. This means
+ that all subsequent legitimate packets are dropped causing a denial of
+ service for a specific DTLS connection.
- This issue was reported to OpenSSL by Michal Zalewski (Google).
- (CVE-2015-0289)
+ This issue was reported to OpenSSL by the OCAP audit team.
+ [CVE-2016-2181][]
- *Emilia Käsper*
+ *Matt Caswell*
- * DoS via reachable assert in SSLv2 servers fix
+ * Certificate message OOB reads
- A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
- servers that both support SSLv2 and enable export cipher suites by sending
- a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+ In OpenSSL 1.0.2 and earlier some missing message length checks can result
+ in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
+ theoretical DoS risk but this has not been observed in practice on common
+ platforms.
- This issue was discovered by Sean Burford (Google) and Emilia Käsper
- (OpenSSL development team).
- (CVE-2015-0293)
+ The messages affected are client certificate, client certificate request
+ and server certificate. As a result the attack can only be performed
+ against a client or a server which enables client authentication.
- *Emilia Käsper*
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6306][]
- * Empty CKE with client auth and DHE fix
+ *Stephen Henson*
- If client auth is used then a server can seg fault in the event of a DHE
- ciphersuite being selected and a zero length ClientKeyExchange message
- being sent by the client. This could be exploited in a DoS attack.
- (CVE-2015-1787)
+### Changes between 1.0.2g and 1.0.2h [3 May 2016]
- *Matt Caswell*
+ * Prevent padding oracle in AES-NI CBC MAC check
- * Handshake with unseeded PRNG fix
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ AES-NI.
- Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
- with an unseeded PRNG. The conditions are:
- - The client is on a platform where the PRNG has not been seeded
- automatically, and the user has not seeded manually
- - A protocol specific client method version has been used (i.e. not
- SSL_client_methodv23)
- - A ciphersuite is used that does not require additional random data from
- the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack [CVE-2013-0169][]. The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
- If the handshake succeeds then the client random that has been used will
- have been generated from a PRNG with insufficient entropy and therefore the
- output may be predictable.
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ [CVE-2016-2107][]
- For example using the following command with an unseeded openssl will
- succeed on an unpatched platform:
+ *Kurt Roeckx*
- openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
- (CVE-2015-0285)
+ * Fix EVP_EncodeUpdate overflow
+
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
+
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
+ the `PEM_write_bio*` family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
+
+ This issue was reported by Guido Vranken.
+ [CVE-2016-2105][]
*Matt Caswell*
- * Use After Free following d2i_ECPrivatekey error fix
+ * Fix EVP_EncryptUpdate overflow
- A malformed EC private key file consumed via the d2i_ECPrivateKey function
- could cause a use after free condition. This, in turn, could cause a double
- free in several private key parsing functions (such as d2i_PrivateKey
- or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
- for applications that receive EC private keys from untrusted
- sources. This scenario is considered rare.
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call to
+ EVP_EncryptUpdate() with a partial block then a length check can overflow
+ resulting in a heap corruption. Following an analysis of all OpenSSL
+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
+ the first called function after an EVP_EncryptInit(), and therefore that
+ specific call must be safe. The second form is where the length passed to
+ EVP_EncryptUpdate() can be seen from the code to be some small value and
+ therefore there is no possibility of an overflow. Since all instances are
+ one of these two forms, it is believed that there can be no overflows in
+ internal code due to this problem. It should be noted that
+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+ of these calls have also been analysed too and it is believed there are no
+ instances in internal usage where an overflow could occur.
- This issue was discovered by the BoringSSL project and fixed in their
- commit 517073cd4b.
- (CVE-2015-0209)
+ This issue was reported by Guido Vranken.
+ [CVE-2016-2106][]
*Matt Caswell*
- * X509_to_X509_REQ NULL pointer deref fix
+ * Prevent ASN.1 BIO excessive memory allocation
- The function X509_to_X509_REQ will crash with a NULL pointer dereference if
- the certificate key is invalid. This function is rarely used in practice.
+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+ a short invalid encoding can cause allocation of large amounts of memory
+ potentially consuming excessive resources or exhausting memory.
- This issue was discovered by Brian Carpenter.
- (CVE-2015-0288)
+ Any application parsing untrusted data through d2i BIO functions is
+ affected. The memory based functions such as d2i_X509() are *not* affected.
+ Since the memory based functions are used by the TLS library, TLS
+ applications are not affected.
+
+ This issue was reported by Brian Carpenter.
+ [CVE-2016-2109][]
*Stephen Henson*
- * Removed the export ciphers from the DEFAULT ciphers
+ * EBCDIC overread
- *Kurt Roeckx*
+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
+ in arbitrary stack data being returned in the buffer.
-### Changes between 1.0.1l and 1.0.2 [22 Jan 2015] ###
+ This issue was reported by Guido Vranken.
+ [CVE-2016-2176][]
- * Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
- ARMv5 through ARMv8, as opposite to "locking" it to single one.
- So far those who have to target multiple platforms would compromise
- and argue that binary targeting say ARMv5 would still execute on
- ARMv8. "Universal" build resolves this compromise by providing
- near-optimal performance even on newer platforms.
+ *Matt Caswell*
- *Andy Polyakov*
+ * Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
- * Accelerated NIST P-256 elliptic curve implementation for x86_64
- (other platforms pending).
+ *Todd Short*
- *Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov*
+ * Remove LOW from the DEFAULT cipher list. This removes singles DES from the
+ default.
- * Add support for the SignedCertificateTimestampList certificate and
- OCSP response extensions from RFC6962.
+ *Kurt Roeckx*
- *Rob Stradling*
+ * Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
- * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
- for corner cases. (Certain input points at infinity could lead to
- bogus results, with non-infinity inputs mapped to infinity too.)
+ *Kurt Roeckx*
- *Bodo Moeller*
+### Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
- * Initial support for PowerISA 2.0.7, first implemented in POWER8.
- This covers AES, SHA256/512 and GHASH. "Initial" means that most
- common cases are optimized and there still is room for further
- improvements. Vector Permutation AES for Altivec is also added.
+* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+ Builds that are not configured with "enable-weak-ssl-ciphers" will not
+ provide any "EXPORT" or "LOW" strength ciphers.
+
+ *Viktor Dukhovni*
+
+* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
+ is by default disabled at build-time. Builds that are not configured with
+ "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
+ users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+ will need to explicitly call either of:
+
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+ or
+ SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+ as appropriate. Even if either of those is used, or the application
+ explicitly uses the version-specific SSLv2_method() or its client and
+ server variants, SSLv2 ciphers vulnerable to exhaustive search key
+ recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
+ ciphers, and SSLv2 56-bit DES are no longer available.
+ [CVE-2016-0800][]
+
+ *Viktor Dukhovni*
+
+ * Fix a double-free in DSA code
+
+ A double free bug was discovered when OpenSSL parses malformed DSA private
+ keys and could lead to a DoS attack or memory corruption for applications
+ that receive DSA private keys from untrusted sources. This scenario is
+ considered rare.
+
+ This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
+ libFuzzer.
+ [CVE-2016-0705][]
+
+ *Stephen Henson*
+
+ * Disable SRP fake user seed to address a server memory leak.
+
+ Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
+ was changed to ignore the "fake user" SRP seed, even if the seed
+ is configured.
+
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ [CVE-2016-0798][]
+
+ *Emilia Käsper*
+
+ * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+
+ In the BN_hex2bn function the number of hex digits is calculated using an
+ int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
+ large values of |i| this can result in |bn_expand| not allocating any
+ memory because |i * 4| is negative. This can leave the internal BIGNUM data
+ field as NULL leading to a subsequent NULL ptr deref. For very large values
+ of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+ In this case memory is allocated to the internal BIGNUM data field, but it
+ is insufficiently sized leading to heap corruption. A similar issue exists
+ in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
+ is ever called by user applications with very large untrusted hex/dec data.
+ This is anticipated to be a rare occurrence.
+
+ All OpenSSL internal usage of these functions use data that is not expected
+ to be untrusted, e.g. config file data or application command line
+ arguments. If user developed applications generate config file data based
+ on untrusted data then it is possible that this could also lead to security
+ consequences. This is also anticipated to be rare.
+
+ This issue was reported to OpenSSL by Guido Vranken.
+ [CVE-2016-0797][]
+
+ *Matt Caswell*
+
+ * Fix memory issues in `BIO_*printf` functions
+
+ The internal |fmtstr| function used in processing a "%s" format string in
+ the `BIO_*printf` functions could overflow while calculating the length of a
+ string and cause an OOB read when printing very long strings.
+
+ Additionally the internal |doapr_outch| function can attempt to write to an
+ OOB memory location (at an offset from the NULL pointer) in the event of a
+ memory allocation failure. In 1.0.2 and below this could be caused where
+ the size of a buffer to be allocated is greater than INT_MAX. E.g. this
+ could be in processing a very long "%s" format string. Memory leaks can
+ also occur.
+
+ The first issue may mask the second issue dependent on compiler behaviour.
+ These problems could enable attacks where large amounts of untrusted data
+ is passed to the `BIO_*printf` functions. If applications use these functions
+ in this way then they could be vulnerable. OpenSSL itself uses these
+ functions when printing out human-readable dumps of ASN.1 data. Therefore
+ applications that print this data could be vulnerable if the data is from
+ untrusted sources. OpenSSL command line applications could also be
+ vulnerable where they print out ASN.1 data, or if untrusted data is passed
+ as command line arguments.
+
+ Libssl is not considered directly vulnerable. Additionally certificates etc
+ received via remote connections via libssl are also unlikely to be able to
+ trigger these issues because of message size limits enforced within libssl.
+
+ This issue was reported to OpenSSL Guido Vranken.
+ [CVE-2016-0799][]
+
+ *Matt Caswell*
+
+ * Side channel attack on modular exponentiation
+
+ A side-channel attack was found which makes use of cache-bank conflicts on
+ the Intel Sandy-Bridge microarchitecture which could lead to the recovery
+ of RSA keys. The ability to exploit this issue is limited as it relies on
+ an attacker who has control of code in a thread running on the same
+ hyper-threaded core as the victim thread which is performing decryptions.
+
+ This issue was reported to OpenSSL by Yuval Yarom, The University of
+ Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
+ Nadia Heninger, University of Pennsylvania with more information at
+ <http://cachebleed.info>.
+ [CVE-2016-0702][]
*Andy Polyakov*
- * Add support for little-endian ppc64 Linux target.
+ * Change the req app to generate a 2048-bit RSA/DSA key by default,
+ if no keysize is specified with default_bits. This fixes an
+ omission in an earlier change that changed all RSA/DSA key generation
+ apps to use 2048 bits by default.
- *Marcelo Cerri (IBM)*
+ *Emilia Käsper*
- * Initial support for AMRv8 ISA crypto extensions. This covers AES,
- SHA1, SHA256 and GHASH. "Initial" means that most common cases
- are optimized and there still is room for further improvements.
- Both 32- and 64-bit modes are supported.
+### Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
- *Andy Polyakov, Ard Biesheuvel (Linaro)*
+ * DH small subgroups
- * Improved ARMv7 NEON support.
+ Historically OpenSSL only ever generated DH parameters based on "safe"
+ primes. More recently (in version 1.0.2) support was provided for
+ generating X9.42 style parameter files such as those required for RFC 5114
+ support. The primes used in such files may not be "safe". Where an
+ application is using DH configured with parameters based on primes that are
+ not "safe" then an attacker could use this fact to find a peer's private
+ DH exponent. This attack requires that the attacker complete multiple
+ handshakes in which the peer uses the same private DH exponent. For example
+ this could be used to discover a TLS server's private DH exponent if it's
+ reusing the private DH exponent or it's using a static DH ciphersuite.
+
+ OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
+ TLS. It is not on by default. If the option is not set then the server
+ reuses the same private DH exponent for the life of the server process and
+ would be vulnerable to this attack. It is believed that many popular
+ applications do set this option and would therefore not be at risk.
+
+ The fix for this issue adds an additional check where a "q" parameter is
+ available (as is the case in X9.42 based parameters). This detects the
+ only known attack, and is the only possible defense for static DH
+ ciphersuites. This could have some performance impact.
+
+ Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
+ default and cannot be disabled. This could have some performance impact.
+
+ This issue was reported to OpenSSL by Antonio Sanso (Adobe).
+ [CVE-2016-0701][]
+
+ *Matt Caswell*
+
+ * SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ and Sebastian Schinzel.
+ [CVE-2015-3197][]
+
+ *Viktor Dukhovni*
+
+### Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
+
+ * BN_mod_exp may produce incorrect results on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites.
+
+ This issue was reported to OpenSSL by Hanno Böck.
+ [CVE-2015-3193][]
*Andy Polyakov*
- * Support for SPARC Architecture 2011 crypto extensions, first
- implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
- SHA256/512, MD5, GHASH and modular exponentiation.
+ * Certificate verify crash with missing PSS parameter
+
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and absent mask generation function parameter. Since these
+ routines are used to verify certificate signature algorithms this can be
+ used to crash any certificate verification operation and exploited in a
+ DoS attack. Any application which performs certificate verification is
+ vulnerable including OpenSSL clients and servers which enable client
+ authentication.
+
+ This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+ [CVE-2015-3194][]
+
+ *Stephen Henson*
+
+ * X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ [CVE-2015-3195][]
+
+ *Stephen Henson*
+
+ * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+ This changes the decoding behaviour for some invalid messages,
+ though the change is mostly in the more lenient direction, and
+ legacy behaviour is preserved as much as possible.
+
+ *Emilia Käsper*
+
+ * In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+
+ *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
+
+### Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
+
+ * Alternate chains certificate forgery
+
+ During certificate verification, OpenSSL will attempt to find an
+ alternative certificate chain if the first attempt to build such a chain
+ fails. An error in the implementation of this logic can mean that an
+ attacker could cause certain checks on untrusted certificates to be
+ bypassed, such as the CA flag, enabling them to use a valid leaf
+ certificate to act as a CA and "issue" an invalid certificate.
+
+ This issue was reported to OpenSSL by Adam Langley/David Benjamin
+ (Google/BoringSSL).
+
+ *Matt Caswell*
+
+### Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
+
+ * Fix HMAC ABI incompatibility. The previous version introduced an ABI
+ incompatibility in the handling of HMAC. The previous ABI has now been
+ restored.
+
+ *Matt Caswell*
+
+### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
+
+ * Malformed ECParameters causes infinite loop
+
+ When processing an ECParameters structure OpenSSL enters an infinite loop
+ if the curve specified is over a specially malformed binary polynomial
+ field.
+
+ This can be used to perform denial of service against any
+ system which processes public keys, certificate requests or
+ certificates. This includes TLS clients and TLS servers with
+ client authentication enabled.
+
+ This issue was reported to OpenSSL by Joseph Barr-Pixton.
+ [CVE-2015-1788][]
+
+ *Andy Polyakov*
+
+ * Exploitable out-of-bounds read in X509_cmp_time
+
+ X509_cmp_time does not properly check the length of the ASN1_TIME
+ string and can read a few bytes out of bounds. In addition,
+ X509_cmp_time accepts an arbitrary number of fractional seconds in the
+ time string.
+
+ An attacker can use this to craft malformed certificates and CRLs of
+ various sizes and potentially cause a segmentation fault, resulting in
+ a DoS on applications that verify certificates or CRLs. TLS clients
+ that verify CRLs are affected. TLS clients and servers with client
+ authentication enabled may be affected if they use custom verification
+ callbacks.
+
+ This issue was reported to OpenSSL by Robert Swiecki (Google), and
+ independently by Hanno Böck.
+ [CVE-2015-1789][]
+
+ *Emilia Käsper*
+
+ * PKCS7 crash with missing EnvelopedContent
+
+ The PKCS#7 parsing code does not handle missing inner EncryptedContent
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+ with missing content and trigger a NULL pointer dereference on parsing.
+
+ Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+ structures from untrusted sources are affected. OpenSSL clients and
+ servers are not affected.
+
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ [CVE-2015-1790][]
+
+ *Emilia Käsper*
+
+ * CMS verify infinite loop with unknown hash function
+
+ When verifying a signedData message the CMS code can enter an infinite loop
+ if presented with an unknown hash function OID. This can be used to perform
+ denial of service against any system which verifies signedData messages using
+ the CMS code.
+ This issue was reported to OpenSSL by Johannes Bauer.
+ [CVE-2015-1792][]
+
+ *Stephen Henson*
+
+ * Race condition handling NewSessionTicket
+
+ If a NewSessionTicket is received by a multi-threaded client when attempting to
+ reuse a previous ticket then a race condition can occur potentially leading to
+ a double free of the ticket data.
+ [CVE-2015-1791][]
+
+ *Matt Caswell*
+
+ * Only support 256-bit or stronger elliptic curves with the
+ 'ecdh_auto' setting (server) or by default (client). Of supported
+ curves, prefer P-256 (both).
+
+ *Emilia Kasper*
+
+### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
+
+ * ClientHello sigalgs DoS fix
+
+ If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
+ invalid signature algorithms extension a NULL pointer dereference will
+ occur. This can be exploited in a DoS attack against the server.
+
+ This issue was was reported to OpenSSL by David Ramos of Stanford
+ University.
+ [CVE-2015-0291][]
+
+ *Stephen Henson and Matt Caswell*
+
+ * Multiblock corrupted pointer fix
+
+ OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
+ feature only applies on 64 bit x86 architecture platforms that support AES
+ NI instructions. A defect in the implementation of "multiblock" can cause
+ OpenSSL's internal write buffer to become incorrectly set to NULL when
+ using non-blocking IO. Typically, when the user application is using a
+ socket BIO for writing, this will only result in a failed connection.
+ However if some other BIO is used then it is likely that a segmentation
+ fault will be triggered, thus enabling a potential DoS attack.
+
+ This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
+ [CVE-2015-0290][]
+
+ *Matt Caswell*
+
+ * Segmentation fault in DTLSv1_listen fix
+
+ The DTLSv1_listen function is intended to be stateless and processes the
+ initial ClientHello from many peers. It is common for user code to loop
+ over the call to DTLSv1_listen until a valid ClientHello is received with
+ an associated cookie. A defect in the implementation of DTLSv1_listen means
+ that state is preserved in the SSL object from one invocation to the next
+ that can lead to a segmentation fault. Errors processing the initial
+ ClientHello can trigger this scenario. An example of such an error could be
+ that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
+ server.
+
+ This issue was reported to OpenSSL by Per Allansson.
+ [CVE-2015-0207][]
+
+ *Matt Caswell*
+
+ * Segmentation fault in ASN1_TYPE_cmp fix
+
+ The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+ made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+ certificate signature algorithm consistency this can be used to crash any
+ certificate verification operation and exploited in a DoS attack. Any
+ application which performs certificate verification is vulnerable including
+ OpenSSL clients and servers which enable client authentication.
+ [CVE-2015-0286][]
+
+ *Stephen Henson*
+
+ * Segmentation fault for invalid PSS parameters fix
+
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and invalid parameters. Since these routines are used to verify
+ certificate signature algorithms this can be used to crash any
+ certificate verification operation and exploited in a DoS attack. Any
+ application which performs certificate verification is vulnerable including
+ OpenSSL clients and servers which enable client authentication.
+
+ This issue was was reported to OpenSSL by Brian Carpenter.
+ [CVE-2015-0208][]
+
+ *Stephen Henson*
+
+ * ASN.1 structure reuse memory corruption fix
+
+ Reusing a structure in ASN.1 parsing may allow an attacker to cause
+ memory corruption via an invalid write. Such reuse is and has been
+ strongly discouraged and is believed to be rare.
+
+ Applications that parse structures containing CHOICE or ANY DEFINED BY
+ components may be affected. Certificate parsing (d2i_X509 and related
+ functions) are however not affected. OpenSSL clients and servers are
+ not affected.
+ [CVE-2015-0287][]
+
+ *Stephen Henson*
+
+ * PKCS7 NULL pointer dereferences fix
+
+ The PKCS#7 parsing code does not handle missing outer ContentInfo
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+ missing content and trigger a NULL pointer dereference on parsing.
+
+ Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+ otherwise parse PKCS#7 structures from untrusted sources are
+ affected. OpenSSL clients and servers are not affected.
+
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ [CVE-2015-0289][]
+
+ *Emilia Käsper*
+
+ * DoS via reachable assert in SSLv2 servers fix
+
+ A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+ servers that both support SSLv2 and enable export cipher suites by sending
+ a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+
+ This issue was discovered by Sean Burford (Google) and Emilia Käsper
+ (OpenSSL development team).
+ [CVE-2015-0293][]
+
+ *Emilia Käsper*
+
+ * Empty CKE with client auth and DHE fix
+
+ If client auth is used then a server can seg fault in the event of a DHE
+ ciphersuite being selected and a zero length ClientKeyExchange message
+ being sent by the client. This could be exploited in a DoS attack.
+ [CVE-2015-1787][]
+
+ *Matt Caswell*
+
+ * Handshake with unseeded PRNG fix
+
+ Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
+ with an unseeded PRNG. The conditions are:
+ - The client is on a platform where the PRNG has not been seeded
+ automatically, and the user has not seeded manually
+ - A protocol specific client method version has been used (i.e. not
+ SSL_client_methodv23)
+ - A ciphersuite is used that does not require additional random data from
+ the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
+
+ If the handshake succeeds then the client random that has been used will
+ have been generated from a PRNG with insufficient entropy and therefore the
+ output may be predictable.
+
+ For example using the following command with an unseeded openssl will
+ succeed on an unpatched platform:
+
+ openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
+ [CVE-2015-0285][]
+
+ *Matt Caswell*
+
+ * Use After Free following d2i_ECPrivatekey error fix
+
+ A malformed EC private key file consumed via the d2i_ECPrivateKey function
+ could cause a use after free condition. This, in turn, could cause a double
+ free in several private key parsing functions (such as d2i_PrivateKey
+ or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+ for applications that receive EC private keys from untrusted
+ sources. This scenario is considered rare.
+
+ This issue was discovered by the BoringSSL project and fixed in their
+ commit 517073cd4b.
+ [CVE-2015-0209][]
+
+ *Matt Caswell*
+
+ * X509_to_X509_REQ NULL pointer deref fix
+
+ The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+ the certificate key is invalid. This function is rarely used in practice.
+
+ This issue was discovered by Brian Carpenter.
+ [CVE-2015-0288][]
+
+ *Stephen Henson*
+
+ * Removed the export ciphers from the DEFAULT ciphers
+
+ *Kurt Roeckx*
+
+### Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
+
+ * Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
+ ARMv5 through ARMv8, as opposite to "locking" it to single one.
+ So far those who have to target multiple platforms would compromise
+ and argue that binary targeting say ARMv5 would still execute on
+ ARMv8. "Universal" build resolves this compromise by providing
+ near-optimal performance even on newer platforms.
+
+ *Andy Polyakov*
+
+ * Accelerated NIST P-256 elliptic curve implementation for x86_64
+ (other platforms pending).
+
+ *Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov*
+
+ * Add support for the SignedCertificateTimestampList certificate and
+ OCSP response extensions from RFC6962.
+
+ *Rob Stradling*
+
+ * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+
+ *Bodo Moeller*
+
+ * Initial support for PowerISA 2.0.7, first implemented in POWER8.
+ This covers AES, SHA256/512 and GHASH. "Initial" means that most
+ common cases are optimized and there still is room for further
+ improvements. Vector Permutation AES for Altivec is also added.
+
+ *Andy Polyakov*
+
+ * Add support for little-endian ppc64 Linux target.
+
+ *Marcelo Cerri (IBM)*
+
+ * Initial support for AMRv8 ISA crypto extensions. This covers AES,
+ SHA1, SHA256 and GHASH. "Initial" means that most common cases
+ are optimized and there still is room for further improvements.
+ Both 32- and 64-bit modes are supported.
+
+ *Andy Polyakov, Ard Biesheuvel (Linaro)*
+
+ * Improved ARMv7 NEON support.
+
+ *Andy Polyakov*
+
+ * Support for SPARC Architecture 2011 crypto extensions, first
+ implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
+ SHA256/512, MD5, GHASH and modular exponentiation.
+
+ *Andy Polyakov, David Miller*
+
+ * Accelerated modular exponentiation for Intel processors, a.k.a.
+ RSAZ.
+
+ *Shay Gueron & Vlad Krasnov (Intel Corp)*
+
+ * Support for new and upcoming Intel processors, including AVX2,
+ BMI and SHA ISA extensions. This includes additional "stitched"
+ implementations, AESNI-SHA256 and GCM, and multi-buffer support
+ for TLS encrypt.
+
+ This work was sponsored by Intel Corp.
+
+ *Andy Polyakov*
+
+ * Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
+ supports both DTLS 1.2 and 1.0 and should use whatever version the peer
+ supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
+
+ *Steve Henson*
+
+ * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
+ this fixes a limitation in previous versions of OpenSSL.
+
+ *Steve Henson*
+
+ * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
+ MGF1 digest and OAEP label.
+
+ *Steve Henson*
+
+ * Add EVP support for key wrapping algorithms, to avoid problems with
+ existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
+ the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
+ algorithms and include tests cases.
+
+ *Steve Henson*
+
+ * Add functions to allocate and set the fields of an ECDSA_METHOD
+ structure.
+
+ *Douglas E. Engert, Steve Henson*
+
+ * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
+ difference in days and seconds between two tm or ASN1_TIME structures.
+
+ *Steve Henson*
+
+ * Add -rev test option to s_server to just reverse order of characters
+ received by client and send back to server. Also prints an abbreviated
+ summary of the connection parameters.
+
+ *Steve Henson*
+
+ * New option -brief for s_client and s_server to print out a brief summary
+ of connection parameters.
+
+ *Steve Henson*
+
+ * Add callbacks for arbitrary TLS extensions.
+
+ *Trevor Perrin <trevp@trevp.net> and Ben Laurie*
+
+ * New option -crl_download in several openssl utilities to download CRLs
+ from CRLDP extension in certificates.
+
+ *Steve Henson*
+
+ * New options -CRL and -CRLform for s_client and s_server for CRLs.
+
+ *Steve Henson*
+
+ * New function X509_CRL_diff to generate a delta CRL from the difference
+ of two full CRLs. Add support to "crl" utility.
+
+ *Steve Henson*
+
+ * New functions to set lookup_crls function and to retrieve
+ X509_STORE from X509_STORE_CTX.
+
+ *Steve Henson*
+
+ * Print out deprecated issuer and subject unique ID fields in
+ certificates.
+
+ *Steve Henson*
+
+ * Extend OCSP I/O functions so they can be used for simple general purpose
+ HTTP as well as OCSP. New wrapper function which can be used to download
+ CRLs using the OCSP API.
+
+ *Steve Henson*
+
+ * Delegate command line handling in s_client/s_server to SSL_CONF APIs.
+
+ *Steve Henson*
+
+ * `SSL_CONF*` functions. These provide a common framework for application
+ configuration using configuration files or command lines.
+
+ *Steve Henson*
+
+ * SSL/TLS tracing code. This parses out SSL/TLS records using the
+ message callback and prints the results. Needs compile time option
+ "enable-ssl-trace". New options to s_client and s_server to enable
+ tracing.
+
+ *Steve Henson*
+
+ * New ctrl and macro to retrieve supported points extensions.
+ Print out extension in s_server and s_client.
+
+ *Steve Henson*
+
+ * New functions to retrieve certificate signature and signature
+ OID NID.
+
+ *Steve Henson*
+
+ * Add functions to retrieve and manipulate the raw cipherlist sent by a
+ client to OpenSSL.
+
+ *Steve Henson*
+
+ * New Suite B modes for TLS code. These use and enforce the requirements
+ of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
+ only use Suite B curves. The Suite B modes can be set by using the
+ strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
+
+ *Steve Henson*
+
+ * New chain verification flags for Suite B levels of security. Check
+ algorithms are acceptable when flags are set in X509_verify_cert.
+
+ *Steve Henson*
+
+ * Make tls1_check_chain return a set of flags indicating checks passed
+ by a certificate chain. Add additional tests to handle client
+ certificates: checks for matching certificate type and issuer name
+ comparison.
+
+ *Steve Henson*
+
+ * If an attempt is made to use a signature algorithm not in the peer
+ preference list abort the handshake. If client has no suitable
+ signature algorithms in response to a certificate request do not
+ use the certificate.
+
+ *Steve Henson*
+
+ * If server EC tmp key is not in client preference list abort handshake.
+
+ *Steve Henson*
+
+ * Add support for certificate stores in CERT structure. This makes it
+ possible to have different stores per SSL structure or one store in
+ the parent SSL_CTX. Include distinct stores for certificate chain
+ verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
+ to build and store a certificate chain in CERT structure: returning
+ an error if the chain cannot be built: this will allow applications
+ to test if a chain is correctly configured.
+
+ Note: if the CERT based stores are not set then the parent SSL_CTX
+ store is used to retain compatibility with existing behaviour.
+
+ *Steve Henson*
+
+ * New function ssl_set_client_disabled to set a ciphersuite disabled
+ mask based on the current session, check mask when sending client
+ hello and checking the requested ciphersuite.
+
+ *Steve Henson*
+
+ * New ctrls to retrieve and set certificate types in a certificate
+ request message. Print out received values in s_client. If certificate
+ types is not set with custom values set sensible values based on
+ supported signature algorithms.
+
+ *Steve Henson*
+
+ * Support for distinct client and server supported signature algorithms.
+
+ *Steve Henson*
+
+ * Add certificate callback. If set this is called whenever a certificate
+ is required by client or server. An application can decide which
+ certificate chain to present based on arbitrary criteria: for example
+ supported signature algorithms. Add very simple example to s_server.
+ This fixes many of the problems and restrictions of the existing client
+ certificate callback: for example you can now clear an existing
+ certificate and specify the whole chain.
+
+ *Steve Henson*
+
+ * Add new "valid_flags" field to CERT_PKEY structure which determines what
+ the certificate can be used for (if anything). Set valid_flags field
+ in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
+ to have similar checks in it.
+
+ Add new "cert_flags" field to CERT structure and include a "strict mode".
+ This enforces some TLS certificate requirements (such as only permitting
+ certificate signature algorithms contained in the supported algorithms
+ extension) which some implementations ignore: this option should be used
+ with caution as it could cause interoperability issues.
+
+ *Steve Henson*
+
+ * Update and tidy signature algorithm extension processing. Work out
+ shared signature algorithms based on preferences and peer algorithms
+ and print them out in s_client and s_server. Abort handshake if no
+ shared signature algorithms.
+
+ *Steve Henson*
+
+ * Add new functions to allow customised supported signature algorithms
+ for SSL and SSL_CTX structures. Add options to s_client and s_server
+ to support them.
+
+ *Steve Henson*
+
+ * New function SSL_certs_clear() to delete all references to certificates
+ from an SSL structure. Before this once a certificate had been added
+ it couldn't be removed.
+
+ *Steve Henson*
+
+ * Integrate hostname, email address and IP address checking with certificate
+ verification. New verify options supporting checking in openssl utility.
+
+ *Steve Henson*
+
+ * Fixes and wildcard matching support to hostname and email checking
+ functions. Add manual page.
+
+ *Florian Weimer (Red Hat Product Security Team)*
+
+ * New functions to check a hostname email or IP address against a
+ certificate. Add options x509 utility to print results of checks against
+ a certificate.
+
+ *Steve Henson*
+
+ * Fix OCSP checking.
+
+ *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*
+
+ * Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust (e.g., -addtrust option to the x509
+ utility) or reject.
+
+ *Steve Henson*
+
+ * Add -trusted_first option which attempts to find certificates in the
+ trusted store even if an untrusted chain is also supplied.
+
+ *Steve Henson*
+
+ * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
+ platform support for Linux and Android.
+
+ *Andy Polyakov*
+
+ * Support for linux-x32, ILP32 environment in x86_64 framework.
+
+ *Andy Polyakov*
+
+ * Experimental multi-implementation support for FIPS capable OpenSSL.
+ When in FIPS mode the approved implementations are used as normal,
+ when not in FIPS mode the internal unapproved versions are used instead.
+ This means that the FIPS capable OpenSSL isn't forced to use the
+ (often lower performance) FIPS implementations outside FIPS mode.
+
+ *Steve Henson*
+
+ * Transparently support X9.42 DH parameters when calling
+ PEM_read_bio_DHparameters. This means existing applications can handle
+ the new parameter format automatically.
+
+ *Steve Henson*
+
+ * Initial experimental support for X9.42 DH parameter format: mainly
+ to support use of 'q' parameter for RFC5114 parameters.
+
+ *Steve Henson*
+
+ * Add DH parameters from RFC5114 including test data to dhtest.
+
+ *Steve Henson*
+
+ * Support for automatic EC temporary key parameter selection. If enabled
+ the most preferred EC parameters are automatically used instead of
+ hardcoded fixed parameters. Now a server just has to call:
+ SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
+ support ECDH and use the most appropriate parameters.
+
+ *Steve Henson*
+
+ * Enhance and tidy EC curve and point format TLS extension code. Use
+ static structures instead of allocation if default values are used.
+ New ctrls to set curves we wish to support and to retrieve shared curves.
+ Print out shared curves in s_server. New options to s_server and s_client
+ to set list of supported curves.
+
+ *Steve Henson*
+
+ * New ctrls to retrieve supported signature algorithms and
+ supported curve values as an array of NIDs. Extend openssl utility
+ to print out received values.
+
+ *Steve Henson*
+
+ * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
+ between NIDs and the more common NIST names such as "P-256". Enhance
+ ecparam utility and ECC method to recognise the NIST names for curves.
+
+ *Steve Henson*
+
+ * Enhance SSL/TLS certificate chain handling to support different
+ chains for each certificate instead of one chain in the parent SSL_CTX.
+
+ *Steve Henson*
+
+ * Support for fixed DH ciphersuite client authentication: where both
+ server and client use DH certificates with common parameters.
+
+ *Steve Henson*
+
+ * Support for fixed DH ciphersuites: those requiring DH server
+ certificates.
+
+ *Steve Henson*
+
+ * New function i2d_re_X509_tbs for re-encoding the TBS portion of
+ the certificate.
+ Note: Related 1.0.2-beta specific macros X509_get_cert_info,
+ X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
+ X509_CINF_get_signature were reverted post internal team review.
+
+OpenSSL 1.0.1
+-------------
+
+### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]
+
+ * OCSP Status Request extension unbounded memory growth
+
+ A malicious client can send an excessively large OCSP Status Request
+ extension. If that client continually requests renegotiation, sending a
+ large OCSP Status Request extension each time, then there will be unbounded
+ memory growth on the server. This will eventually lead to a Denial Of
+ Service attack through memory exhaustion. Servers with a default
+ configuration are vulnerable even if they do not support OCSP. Builds using
+ the "no-ocsp" build time option are not affected.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6304][]
+
+ *Matt Caswell*
+
+ * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
+ HIGH to MEDIUM.
+
+ This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
+ Leurent (INRIA)
+ [CVE-2016-2183][]
+
+ *Rich Salz*
+
+ * OOB write in MDC2_Update()
+
+ An overflow can occur in MDC2_Update() either if called directly or
+ through the EVP_DigestUpdate() function using MDC2. If an attacker
+ is able to supply very large amounts of input data after a previous
+ call to EVP_EncryptUpdate() with a partial block then a length check
+ can overflow resulting in a heap corruption.
+
+ The amount of data needed is comparable to SIZE_MAX which is impractical
+ on most platforms.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6303][]
+
+ *Stephen Henson*
+
+ * Malformed SHA512 ticket DoS
+
+ If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
+ DoS attack where a malformed ticket will result in an OOB read which will
+ ultimately crash.
+
+ The use of SHA512 in TLS session tickets is comparatively rare as it requires
+ a custom server callback and ticket lookup mechanism.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6302][]
+
+ *Stephen Henson*
+
+ * OOB write in BN_bn2dec()
+
+ The function BN_bn2dec() does not check the return value of BN_div_word().
+ This can cause an OOB write if an application uses this function with an
+ overly large BIGNUM. This could be a problem if an overly large certificate
+ or CRL is printed out from an untrusted source. TLS is not affected because
+ record limits will reject an oversized certificate before it is parsed.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-2182][]
+
+ *Stephen Henson*
+
+ * OOB read in TS_OBJ_print_bio()
+
+ The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
+ the total length the OID text representation would use and not the amount
+ of data written. This will result in OOB reads when large OIDs are
+ presented.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-2180][]
+
+ *Stephen Henson*
+
+ * Pointer arithmetic undefined behaviour
+
+ Avoid some undefined pointer arithmetic
+
+ A common idiom in the codebase is to check limits in the following manner:
+ "p + len > limit"
+
+ Where "p" points to some malloc'd data of SIZE bytes and
+ limit == p + SIZE
+
+ "len" here could be from some externally supplied data (e.g. from a TLS
+ message).
+
+ The rules of C pointer arithmetic are such that "p + len" is only well
+ defined where len <= SIZE. Therefore the above idiom is actually
+ undefined behaviour.
+
+ For example this could cause problems if some malloc implementation
+ provides an address for "p" such that "p + len" actually overflows for
+ values of len that are too big and therefore p + len < limit.
+
+ This issue was reported to OpenSSL by Guido Vranken
+ [CVE-2016-2177][]
+
+ *Matt Caswell*
+
+ * Constant time flag not preserved in DSA signing
+
+ Operations in the DSA signing algorithm should run in constant time in
+ order to avoid side channel attacks. A flaw in the OpenSSL DSA
+ implementation means that a non-constant time codepath is followed for
+ certain operations. This has been demonstrated through a cache-timing
+ attack to be sufficient for an attacker to recover the private DSA key.
+
+ This issue was reported by César Pereida (Aalto University), Billy Brumley
+ (Tampere University of Technology), and Yuval Yarom (The University of
+ Adelaide and NICTA).
+ [CVE-2016-2178][]
+
+ *César Pereida*
+
+ * DTLS buffered message DoS
+
+ In a DTLS connection where handshake messages are delivered out-of-order
+ those messages that OpenSSL is not yet ready to process will be buffered
+ for later use. Under certain circumstances, a flaw in the logic means that
+ those messages do not get removed from the buffer even though the handshake
+ has been completed. An attacker could force up to approx. 15 messages to
+ remain in the buffer when they are no longer required. These messages will
+ be cleared when the DTLS connection is closed. The default maximum size for
+ a message is 100k. Therefore the attacker could force an additional 1500k
+ to be consumed per connection. By opening many simulataneous connections an
+ attacker could cause a DoS attack through memory exhaustion.
+
+ This issue was reported to OpenSSL by Quan Luo.
+ [CVE-2016-2179][]
+
+ *Matt Caswell*
+
+ * DTLS replay protection DoS
+
+ A flaw in the DTLS replay attack protection mechanism means that records
+ that arrive for future epochs update the replay protection "window" before
+ the MAC for the record has been validated. This could be exploited by an
+ attacker by sending a record for the next epoch (which does not have to
+ decrypt or have a valid MAC), with a very large sequence number. This means
+ that all subsequent legitimate packets are dropped causing a denial of
+ service for a specific DTLS connection.
+
+ This issue was reported to OpenSSL by the OCAP audit team.
+ [CVE-2016-2181][]
+
+ *Matt Caswell*
+
+ * Certificate message OOB reads
+
+ In OpenSSL 1.0.2 and earlier some missing message length checks can result
+ in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
+ theoretical DoS risk but this has not been observed in practice on common
+ platforms.
+
+ The messages affected are client certificate, client certificate request
+ and server certificate. As a result the attack can only be performed
+ against a client or a server which enables client authentication.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ [CVE-2016-6306][]
+
+ *Stephen Henson*
+
+### Changes between 1.0.1s and 1.0.1t [3 May 2016]
+
+ * Prevent padding oracle in AES-NI CBC MAC check
+
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ AES-NI.
+
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack [CVE-2013-0169][]. The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
+
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ [CVE-2016-2107][]
+
+ *Kurt Roeckx*
+
+ * Fix EVP_EncodeUpdate overflow
+
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
+
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ the `PEM_write_bio*` family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
+
+ This issue was reported by Guido Vranken.
+ [CVE-2016-2105][]
+
+ *Matt Caswell*
+
+ * Fix EVP_EncryptUpdate overflow
+
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call to
+ EVP_EncryptUpdate() with a partial block then a length check can overflow
+ resulting in a heap corruption. Following an analysis of all OpenSSL
+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
+ the first called function after an EVP_EncryptInit(), and therefore that
+ specific call must be safe. The second form is where the length passed to
+ EVP_EncryptUpdate() can be seen from the code to be some small value and
+ therefore there is no possibility of an overflow. Since all instances are
+ one of these two forms, it is believed that there can be no overflows in
+ internal code due to this problem. It should be noted that
+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+ of these calls have also been analysed too and it is believed there are no
+ instances in internal usage where an overflow could occur.
+
+ This issue was reported by Guido Vranken.
+ [CVE-2016-2106][]
+
+ *Matt Caswell*
+
+ * Prevent ASN.1 BIO excessive memory allocation
+
+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+ a short invalid encoding can casuse allocation of large amounts of memory
+ potentially consuming excessive resources or exhausting memory.
+
+ Any application parsing untrusted data through d2i BIO functions is
+ affected. The memory based functions such as d2i_X509() are *not* affected.
+ Since the memory based functions are used by the TLS library, TLS
+ applications are not affected.
+
+ This issue was reported by Brian Carpenter.
+ [CVE-2016-2109][]
+
+ *Stephen Henson*
+
+ * EBCDIC overread
+
+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
+ in arbitrary stack data being returned in the buffer.
+
+ This issue was reported by Guido Vranken.
+ [CVE-2016-2176][]
+
+ *Matt Caswell*
+
+ * Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+
+ *Todd Short*
+
+ * Remove LOW from the DEFAULT cipher list. This removes singles DES from the
+ default.
+
+ *Kurt Roeckx*
+
+ * Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+
+ *Kurt Roeckx*
+
+### Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
+
+* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+ Builds that are not configured with "enable-weak-ssl-ciphers" will not
+ provide any "EXPORT" or "LOW" strength ciphers.
+
+ *Viktor Dukhovni*
+
+* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
+ is by default disabled at build-time. Builds that are not configured with
+ "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
+ users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+ will need to explicitly call either of:
+
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+ or
+ SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+ as appropriate. Even if either of those is used, or the application
+ explicitly uses the version-specific SSLv2_method() or its client and
+ server variants, SSLv2 ciphers vulnerable to exhaustive search key
+ recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
+ ciphers, and SSLv2 56-bit DES are no longer available.
+ [CVE-2016-0800][]
+
+ *Viktor Dukhovni*
+
+ * Fix a double-free in DSA code
+
+ A double free bug was discovered when OpenSSL parses malformed DSA private
+ keys and could lead to a DoS attack or memory corruption for applications
+ that receive DSA private keys from untrusted sources. This scenario is
+ considered rare.
+
+ This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
+ libFuzzer.
+ [CVE-2016-0705][]
+
+ *Stephen Henson*
+
+ * Disable SRP fake user seed to address a server memory leak.
+
+ Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
+ was changed to ignore the "fake user" SRP seed, even if the seed
+ is configured.
+
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ [CVE-2016-0798][]
+
+ *Emilia Käsper*
+
+ * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+
+ In the BN_hex2bn function the number of hex digits is calculated using an
+ int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
+ large values of |i| this can result in |bn_expand| not allocating any
+ memory because |i * 4| is negative. This can leave the internal BIGNUM data
+ field as NULL leading to a subsequent NULL ptr deref. For very large values
+ of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+ In this case memory is allocated to the internal BIGNUM data field, but it
+ is insufficiently sized leading to heap corruption. A similar issue exists
+ in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
+ is ever called by user applications with very large untrusted hex/dec data.
+ This is anticipated to be a rare occurrence.
+
+ All OpenSSL internal usage of these functions use data that is not expected
+ to be untrusted, e.g. config file data or application command line
+ arguments. If user developed applications generate config file data based
+ on untrusted data then it is possible that this could also lead to security
+ consequences. This is also anticipated to be rare.
+
+ This issue was reported to OpenSSL by Guido Vranken.
+ [CVE-2016-0797][]
+
+ *Matt Caswell*
+
+ * Fix memory issues in `BIO_*printf` functions
+
+ The internal |fmtstr| function used in processing a "%s" format string in
+ the `BIO_*printf` functions could overflow while calculating the length of a
+ string and cause an OOB read when printing very long strings.
+
+ Additionally the internal |doapr_outch| function can attempt to write to an
+ OOB memory location (at an offset from the NULL pointer) in the event of a
+ memory allocation failure. In 1.0.2 and below this could be caused where
+ the size of a buffer to be allocated is greater than INT_MAX. E.g. this
+ could be in processing a very long "%s" format string. Memory leaks can
+ also occur.
+
+ The first issue may mask the second issue dependent on compiler behaviour.
+ These problems could enable attacks where large amounts of untrusted data
+ is passed to the `BIO_*printf` functions. If applications use these functions
+ in this way then they could be vulnerable. OpenSSL itself uses these
+ functions when printing out human-readable dumps of ASN.1 data. Therefore
+ applications that print this data could be vulnerable if the data is from
+ untrusted sources. OpenSSL command line applications could also be
+ vulnerable where they print out ASN.1 data, or if untrusted data is passed
+ as command line arguments.
+
+ Libssl is not considered directly vulnerable. Additionally certificates etc
+ received via remote connections via libssl are also unlikely to be able to
+ trigger these issues because of message size limits enforced within libssl.
+
+ This issue was reported to OpenSSL Guido Vranken.
+ [CVE-2016-0799][]
+
+ *Matt Caswell*
+
+ * Side channel attack on modular exponentiation
+
+ A side-channel attack was found which makes use of cache-bank conflicts on
+ the Intel Sandy-Bridge microarchitecture which could lead to the recovery
+ of RSA keys. The ability to exploit this issue is limited as it relies on
+ an attacker who has control of code in a thread running on the same
+ hyper-threaded core as the victim thread which is performing decryptions.
+
+ This issue was reported to OpenSSL by Yuval Yarom, The University of
+ Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
+ Nadia Heninger, University of Pennsylvania with more information at
+ <http://cachebleed.info>.
+ [CVE-2016-0702][]
+
+ *Andy Polyakov*
+
+ * Change the req app to generate a 2048-bit RSA/DSA key by default,
+ if no keysize is specified with default_bits. This fixes an
+ omission in an earlier change that changed all RSA/DSA key generation
+ apps to use 2048 bits by default.
+
+ *Emilia Käsper*
+
+### Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
+
+ * Protection for DH small subgroup attacks
+
+ As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+ switched on by default and cannot be disabled. This could have some
+ performance impact.
+
+ *Matt Caswell*
+
+ * SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ and Sebastian Schinzel.
+ [CVE-2015-3197][]
+
+ *Viktor Dukhovni*
+
+ * Reject DH handshakes with parameters shorter than 1024 bits.
+
+ *Kurt Roeckx*
+
+### Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
+
+ * Certificate verify crash with missing PSS parameter
+
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and absent mask generation function parameter. Since these
+ routines are used to verify certificate signature algorithms this can be
+ used to crash any certificate verification operation and exploited in a
+ DoS attack. Any application which performs certificate verification is
+ vulnerable including OpenSSL clients and servers which enable client
+ authentication.
+
+ This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+ [CVE-2015-3194][]
+
+ *Stephen Henson*
+
+ * X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ [CVE-2015-3195][]
+
+ *Stephen Henson*
+
+ * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+ This changes the decoding behaviour for some invalid messages,
+ though the change is mostly in the more lenient direction, and
+ legacy behaviour is preserved as much as possible.
+
+ *Emilia Käsper*
+
+ * In DSA_generate_parameters_ex, if the provided seed is too short,
+ use a random seed, as already documented.
+
+ *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
+
+### Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
+
+ * Alternate chains certificate forgery
+
+ During certificate verfification, OpenSSL will attempt to find an
+ alternative certificate chain if the first attempt to build such a chain
+ fails. An error in the implementation of this logic can mean that an
+ attacker could cause certain checks on untrusted certificates to be
+ bypassed, such as the CA flag, enabling them to use a valid leaf
+ certificate to act as a CA and "issue" an invalid certificate.
+
+ This issue was reported to OpenSSL by Adam Langley/David Benjamin
+ (Google/BoringSSL).
+ [CVE-2015-1793][]
+
+ *Matt Caswell*
+
+ * Race condition handling PSK identify hint
+
+ If PSK identity hints are received by a multi-threaded client then
+ the values are wrongly updated in the parent SSL_CTX structure. This can
+ result in a race condition potentially leading to a double free of the
+ identify hint data.
+ [CVE-2015-3196][]
+
+ *Stephen Henson*
+
+### Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
+
+ * Fix HMAC ABI incompatibility. The previous version introduced an ABI
+ incompatibility in the handling of HMAC. The previous ABI has now been
+ restored.
+
+### Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
+
+ * Malformed ECParameters causes infinite loop
+
+ When processing an ECParameters structure OpenSSL enters an infinite loop
+ if the curve specified is over a specially malformed binary polynomial
+ field.
+
+ This can be used to perform denial of service against any
+ system which processes public keys, certificate requests or
+ certificates. This includes TLS clients and TLS servers with
+ client authentication enabled.
+
+ This issue was reported to OpenSSL by Joseph Barr-Pixton.
+ [CVE-2015-1788][]
+
+ *Andy Polyakov*
+
+ * Exploitable out-of-bounds read in X509_cmp_time
+
+ X509_cmp_time does not properly check the length of the ASN1_TIME
+ string and can read a few bytes out of bounds. In addition,
+ X509_cmp_time accepts an arbitrary number of fractional seconds in the
+ time string.
+
+ An attacker can use this to craft malformed certificates and CRLs of
+ various sizes and potentially cause a segmentation fault, resulting in
+ a DoS on applications that verify certificates or CRLs. TLS clients
+ that verify CRLs are affected. TLS clients and servers with client
+ authentication enabled may be affected if they use custom verification
+ callbacks.
+
+ This issue was reported to OpenSSL by Robert Swiecki (Google), and
+ independently by Hanno Böck.
+ [CVE-2015-1789][]
+
+ *Emilia Käsper*
+
+ * PKCS7 crash with missing EnvelopedContent
+
+ The PKCS#7 parsing code does not handle missing inner EncryptedContent
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+ with missing content and trigger a NULL pointer dereference on parsing.
+
+ Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+ structures from untrusted sources are affected. OpenSSL clients and
+ servers are not affected.
+
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ [CVE-2015-1790][]
+
+ *Emilia Käsper*
+
+ * CMS verify infinite loop with unknown hash function
+
+ When verifying a signedData message the CMS code can enter an infinite loop
+ if presented with an unknown hash function OID. This can be used to perform
+ denial of service against any system which verifies signedData messages using
+ the CMS code.
+ This issue was reported to OpenSSL by Johannes Bauer.
+ [CVE-2015-1792][]
+
+ *Stephen Henson*
+
+ * Race condition handling NewSessionTicket
+
+ If a NewSessionTicket is received by a multi-threaded client when attempting to
+ reuse a previous ticket then a race condition can occur potentially leading to
+ a double free of the ticket data.
+ [CVE-2015-1791][]
+
+ *Matt Caswell*
+
+ * Reject DH handshakes with parameters shorter than 768 bits.
+
+ *Kurt Roeckx and Emilia Kasper*
+
+ * dhparam: generate 2048-bit parameters by default.
+
+ *Kurt Roeckx and Emilia Kasper*
+
+### Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
+
+ * Segmentation fault in ASN1_TYPE_cmp fix
+
+ The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+ made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+ certificate signature algorithm consistency this can be used to crash any
+ certificate verification operation and exploited in a DoS attack. Any
+ application which performs certificate verification is vulnerable including
+ OpenSSL clients and servers which enable client authentication.
+ [CVE-2015-0286][]
+
+ *Stephen Henson*
+
+ * ASN.1 structure reuse memory corruption fix
+
+ Reusing a structure in ASN.1 parsing may allow an attacker to cause
+ memory corruption via an invalid write. Such reuse is and has been
+ strongly discouraged and is believed to be rare.
+
+ Applications that parse structures containing CHOICE or ANY DEFINED BY
+ components may be affected. Certificate parsing (d2i_X509 and related
+ functions) are however not affected. OpenSSL clients and servers are
+ not affected.
+ [CVE-2015-0287][]
+
+ *Stephen Henson*
+
+ * PKCS7 NULL pointer dereferences fix
+
+ The PKCS#7 parsing code does not handle missing outer ContentInfo
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+ missing content and trigger a NULL pointer dereference on parsing.
+
+ Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+ otherwise parse PKCS#7 structures from untrusted sources are
+ affected. OpenSSL clients and servers are not affected.
+
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ [CVE-2015-0289][]
+
+ *Emilia Käsper*
+
+ * DoS via reachable assert in SSLv2 servers fix
+
+ A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+ servers that both support SSLv2 and enable export cipher suites by sending
+ a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+
+ This issue was discovered by Sean Burford (Google) and Emilia Käsper
+ (OpenSSL development team).
+ [CVE-2015-0293][]
+
+ *Emilia Käsper*
+
+ * Use After Free following d2i_ECPrivatekey error fix
+
+ A malformed EC private key file consumed via the d2i_ECPrivateKey function
+ could cause a use after free condition. This, in turn, could cause a double
+ free in several private key parsing functions (such as d2i_PrivateKey
+ or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+ for applications that receive EC private keys from untrusted
+ sources. This scenario is considered rare.
+
+ This issue was discovered by the BoringSSL project and fixed in their
+ commit 517073cd4b.
+ [CVE-2015-0209][]
+
+ *Matt Caswell*
+
+ * X509_to_X509_REQ NULL pointer deref fix
+
+ The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+ the certificate key is invalid. This function is rarely used in practice.
+
+ This issue was discovered by Brian Carpenter.
+ [CVE-2015-0288][]
+
+ *Stephen Henson*
+
+ * Removed the export ciphers from the DEFAULT ciphers
+
+ *Kurt Roeckx*
+
+### Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
+
+ * Build fixes for the Windows and OpenVMS platforms
+
+ *Matt Caswell and Richard Levitte*
+
+### Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+ * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+ message can cause a segmentation fault in OpenSSL due to a NULL pointer
+ dereference. This could lead to a Denial Of Service attack. Thanks to
+ Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+ [CVE-2014-3571][]
+
+ *Steve Henson*
+
+ * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+ dtls1_buffer_record function under certain conditions. In particular this
+ could occur if an attacker sent repeated DTLS records with the same
+ sequence number but for the next epoch. The memory leak could be exploited
+ by an attacker in a Denial of Service attack through memory exhaustion.
+ Thanks to Chris Mueller for reporting this issue.
+ [CVE-2015-0206][]
+
+ *Matt Caswell*
+
+ * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+ method would be set to NULL which could later result in a NULL pointer
+ dereference. Thanks to Frank Schmirler for reporting this issue.
+ [CVE-2014-3569][]
+
+ *Kurt Roeckx*
+
+ * Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ [CVE-2014-3572][]
+
+ *Steve Henson*
+
+ * Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ [CVE-2015-0204][]
+
+ *Steve Henson*
+
+ * Fixed issue where DH client certificates are accepted without verification.
+ An OpenSSL server will accept a DH certificate for client authentication
+ without the certificate verify message. This effectively allows a client to
+ authenticate without the use of a private key. This only affects servers
+ which trust a client certificate authority which issues certificates
+ containing DH keys: these are extremely rare and hardly ever encountered.
+ Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+ this issue.
+ [CVE-2015-0205][]
+
+ *Steve Henson*
+
+ * Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+
+ *Adam Langley*
+
+ * Fix various certificate fingerprint issues.
+
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
+
+ 1. Reject signatures with non zero unused bits.
+
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
+
+ 2. Check certificate algorithm consistency.
+
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
+
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+ 3. Check DSA/ECDSA signatures use DER.
+
+ Re-encode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
+
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
- *Andy Polyakov, David Miller*
+ [CVE-2014-8275][]
- * Accelerated modular exponentiation for Intel processors, a.k.a.
- RSAZ.
+ *Steve Henson*
- *Shay Gueron & Vlad Krasnov (Intel Corp)*
+ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ [CVE-2014-3570][]
- * Support for new and upcoming Intel processors, including AVX2,
- BMI and SHA ISA extensions. This includes additional "stitched"
- implementations, AESNI-SHA256 and GCM, and multi-buffer support
- for TLS encrypt.
+ *Andy Polyakov*
- This work was sponsored by Intel Corp.
+ *) Do not resume sessions on the server if the negotiated protocol
+ version does not match the session's version. Resuming with a different
+ version, while not strictly forbidden by the RFC, is of questionable
+ sanity and breaks all known clients.
- *Andy Polyakov*
+ *David Benjamin, Emilia Käsper*
- * Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
- supports both DTLS 1.2 and 1.0 and should use whatever version the peer
- supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
+ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+ early CCS messages during renegotiation. (Note that because
+ renegotiation is encrypted, this early CCS was not exploitable.)
- *Steve Henson*
+ *Emilia Käsper*
- * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
- this fixes a limitation in previous versions of OpenSSL.
+ *) Tighten client-side session ticket handling during renegotiation:
+ ensure that the client only accepts a session ticket if the server sends
+ the extension anew in the ServerHello. Previously, a TLS client would
+ reuse the old extension state and thus accept a session ticket if one was
+ announced in the initial ServerHello.
- *Steve Henson*
+ Similarly, ensure that the client requires a session ticket if one
+ was advertised in the ServerHello. Previously, a TLS client would
+ ignore a missing NewSessionTicket message.
- * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
- MGF1 digest and OAEP label.
+ *Emilia Käsper*
- *Steve Henson*
+### Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
- * Add EVP support for key wrapping algorithms, to avoid problems with
- existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
- the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
- algorithms and include tests cases.
+ * SRTP Memory Leak.
- *Steve Henson*
+ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+ sends a carefully crafted handshake message, to cause OpenSSL to fail
+ to free up to 64k of memory causing a memory leak. This could be
+ exploited in a Denial Of Service attack. This issue affects OpenSSL
+ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
+ whether SRTP is used or configured. Implementations of OpenSSL that
+ have been compiled with OPENSSL_NO_SRTP defined are not affected.
- * Add functions to allocate and set the fields of an ECDSA_METHOD
- structure.
+ The fix was developed by the OpenSSL team.
+ [CVE-2014-3513][]
- *Douglas E. Engert, Steve Henson*
+ *OpenSSL team*
- * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
- difference in days and seconds between two tm or ASN1_TIME structures.
+ * Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ [CVE-2014-3567][]
*Steve Henson*
- * Add -rev test option to s_server to just reverse order of characters
- received by client and send back to server. Also prints an abbreviated
- summary of the connection parameters.
+ * Build option no-ssl3 is incomplete.
- *Steve Henson*
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ [CVE-2014-3568][]
- * New option -brief for s_client and s_server to print out a brief summary
- of connection parameters.
+ *Akamai and the OpenSSL team*
- *Steve Henson*
+ * Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ [CVE-2014-3566][]
- * Add callbacks for arbitrary TLS extensions.
+ *Adam Langley, Bodo Moeller*
- *Trevor Perrin <trevp@trevp.net> and Ben Laurie*
+ * Add additional DigestInfo checks.
- * New option -crl_download in several openssl utilities to download CRLs
- from CRLDP extension in certificates.
+ Re-encode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
*Steve Henson*
- * New options -CRL and -CRLform for s_client and s_server for CRLs.
+### Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
- *Steve Henson*
+ * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
+ SRP code can be overrun an internal buffer. Add sanity check that
+ g, A, B < N to SRP code.
- * New function X509_CRL_diff to generate a delta CRL from the difference
- of two full CRLs. Add support to "crl" utility.
+ Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
+ Group for discovering this issue.
+ [CVE-2014-3512][]
*Steve Henson*
- * New functions to set lookup_crls function and to retrieve
- X509_STORE from X509_STORE_CTX.
+ * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
+ TLS 1.0 instead of higher protocol versions when the ClientHello message
+ is badly fragmented. This allows a man-in-the-middle attacker to force a
+ downgrade to TLS 1.0 even if both the server and the client support a
+ higher protocol version, by modifying the client's TLS records.
- *Steve Henson*
+ Thanks to David Benjamin and Adam Langley (Google) for discovering and
+ researching this issue.
+ [CVE-2014-3511][]
- * Print out deprecated issuer and subject unique ID fields in
- certificates.
+ *David Benjamin*
- *Steve Henson*
+ * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
- * Extend OCSP I/O functions so they can be used for simple general purpose
- HTTP as well as OCSP. New wrapper function which can be used to download
- CRLs using the OCSP API.
+ Thanks to Felix Gröbert (Google) for discovering and researching this
+ issue.
+ [CVE-2014-3510][]
- *Steve Henson*
+ *Emilia Käsper*
- * Delegate command line handling in s_client/s_server to SSL_CONF APIs.
+ * By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ [CVE-2014-3507][]
- *Steve Henson*
+ *Adam Langley*
- * SSL_CONF* functions. These provide a common framework for application
- configuration using configuration files or command lines.
+ * An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ [CVE-2014-3506][]
- *Steve Henson*
+ *Adam Langley*
- * SSL/TLS tracing code. This parses out SSL/TLS records using the
- message callback and prints the results. Needs compile time option
- "enable-ssl-trace". New options to s_client and s_server to enable
- tracing.
+ * An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
+ this issue.
+ [CVE-2014-3505][]
- *Steve Henson*
+ *Adam Langley*
- * New ctrl and macro to retrieve supported points extensions.
- Print out extension in s_server and s_client.
+ * If a multithreaded client connects to a malicious server using a resumed
+ session and the server sends an ec point format extension it could write
+ up to 255 bytes to freed memory.
- *Steve Henson*
+ Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
+ issue.
+ [CVE-2014-3509][]
- * New functions to retrieve certificate signature and signature
- OID NID.
+ *Gabor Tyukasz*
- *Steve Henson*
+ * A malicious server can crash an OpenSSL client with a null pointer
+ dereference (read) by specifying an SRP ciphersuite even though it was not
+ properly negotiated with the client. This can be exploited through a
+ Denial of Service attack.
- * Add functions to retrieve and manipulate the raw cipherlist sent by a
- client to OpenSSL.
+ Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
+ discovering and researching this issue.
+ [CVE-2014-5139][]
*Steve Henson*
- * New Suite B modes for TLS code. These use and enforce the requirements
- of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
- only use Suite B curves. The Suite B modes can be set by using the
- strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
+ * A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
- *Steve Henson*
+ Thanks to Ivan Fratric (Google) for discovering this issue.
+ [CVE-2014-3508][]
- * New chain verification flags for Suite B levels of security. Check
- algorithms are acceptable when flags are set in X509_verify_cert.
+ *Emilia Käsper, and Steve Henson*
- *Steve Henson*
+ * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
- * Make tls1_check_chain return a set of flags indicating checks passed
- by a certificate chain. Add additional tests to handle client
- certificates: checks for matching certificate type and issuer name
- comparison.
+ *Bodo Moeller*
- *Steve Henson*
+### Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
- * If an attempt is made to use a signature algorithm not in the peer
- preference list abort the handshake. If client has no suitable
- signature algorithms in response to a certificate request do not
- use the certificate.
+ * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
- *Steve Henson*
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. [CVE-2014-0224][]
- * If server EC tmp key is not in client preference list abort handshake.
+ *KIKUCHI Masashi, Steve Henson*
- *Steve Henson*
+ * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
- * Add support for certificate stores in CERT structure. This makes it
- possible to have different stores per SSL structure or one store in
- the parent SSL_CTX. Include distinct stores for certificate chain
- verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
- to build and store a certificate chain in CERT structure: returning
- an error if the chain cannot be built: this will allow applications
- to test if a chain is correctly configured.
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ [CVE-2014-0221][]
- Note: if the CERT based stores are not set then the parent SSL_CTX
- store is used to retain compatibility with existing behaviour.
+ *Imre Rad, Steve Henson*
+ * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
- *Steve Henson*
+ Thanks to Jüri Aedla for reporting this issue. [CVE-2014-0195][]
- * New function ssl_set_client_disabled to set a ciphersuite disabled
- mask based on the current session, check mask when sending client
- hello and checking the requested ciphersuite.
+ *Jüri Aedla, Steve Henson*
- *Steve Henson*
+ * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
- * New ctrls to retrieve and set certificate types in a certificate
- request message. Print out received values in s_client. If certificate
- types is not set with custom values set sensible values based on
- supported signature algorithms.
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. [CVE-2014-3470][]
- *Steve Henson*
+ *Felix Gröbert, Ivan Fratric, Steve Henson*
- * Support for distinct client and server supported signature algorithms.
+ * Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
- *Steve Henson*
+ *mancha <mancha1@zoho.com>*
+
+ * Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey.
- * Add certificate callback. If set this is called whenever a certificate
- is required by client or server. An application can decide which
- certificate chain to present based on arbitrary criteria: for example
- supported signature algorithms. Add very simple example to s_server.
- This fixes many of the problems and restrictions of the existing client
- certificate callback: for example you can now clear an existing
- certificate and specify the whole chain.
+ *mancha <mancha1@zoho.com>*
- *Steve Henson*
+ * Fix some double frees. These are not thought to be exploitable.
- * Add new "valid_flags" field to CERT_PKEY structure which determines what
- the certificate can be used for (if anything). Set valid_flags field
- in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
- to have similar checks in it.
+ *mancha <mancha1@zoho.com>*
- Add new "cert_flags" field to CERT structure and include a "strict mode".
- This enforces some TLS certificate requirements (such as only permitting
- certificate signature algorithms contained in the supported algorithms
- extension) which some implementations ignore: this option should be used
- with caution as it could cause interoperability issues.
+### Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
- *Steve Henson*
+ * A missing bounds check in the handling of the TLS heartbeat extension
+ can be used to reveal up to 64k of memory to a connected client or
+ server.
- * Update and tidy signature algorithm extension processing. Work out
- shared signature algorithms based on preferences and peer algorithms
- and print them out in s_client and s_server. Abort handshake if no
- shared signature algorithms.
+ Thanks for Neel Mehta of Google Security for discovering this bug and to
+ Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+ preparing the fix [CVE-2014-0160][]
- *Steve Henson*
+ *Adam Langley, Bodo Moeller*
- * Add new functions to allow customised supported signature algorithms
- for SSL and SSL_CTX structures. Add options to s_client and s_server
- to support them.
+ * Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ <http://eprint.iacr.org/2014/140>
- *Steve Henson*
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][]
- * New function SSL_certs_clear() to delete all references to certificates
- from an SSL structure. Before this once a certificate had been added
- it couldn't be removed.
+ *Yuval Yarom and Naomi Benger*
- *Steve Henson*
+ * TLS pad extension: draft-agl-tls-padding-03
- * Integrate hostname, email address and IP address checking with certificate
- verification. New verify options supporting checking in openssl utility.
+ Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+ TLS client Hello record length value would otherwise be > 255 and
+ less that 512 pad with a dummy extension containing zeroes so it
+ is at least 512 bytes long.
- *Steve Henson*
+ *Adam Langley, Steve Henson*
- * Fixes and wildcard matching support to hostname and email checking
- functions. Add manual page.
+### Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
- *Florian Weimer (Red Hat Product Security Team)*
+ * Fix for TLS record tampering bug. A carefully crafted invalid
+ handshake could crash OpenSSL with a NULL pointer exception.
+ Thanks to Anton Johansson for reporting this issues.
+ [CVE-2013-4353][]
- * New functions to check a hostname email or IP address against a
- certificate. Add options x509 utility to print results of checks against
- a certificate.
+ * Keep original DTLS digest and encryption contexts in retransmission
+ structures so we can use the previous session parameters if they need
+ to be resent. [CVE-2013-6450][]
*Steve Henson*
- * Fix OCSP checking.
+ * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
- *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*
+ *Rob Stradling, Adam Langley*
- * Initial experimental support for explicitly trusted non-root CAs.
- OpenSSL still tries to build a complete chain to a root but if an
- intermediate CA has a trust setting included that is used. The first
- setting is used: whether to trust (e.g., -addtrust option to the x509
- utility) or reject.
+### Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
- *Steve Henson*
+ * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
+ supporting platforms or when small records were transferred.
- * Add -trusted_first option which attempts to find certificates in the
- trusted store even if an untrusted chain is also supplied.
+ *Andy Polyakov, Steve Henson*
- *Steve Henson*
+### Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
- * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
- platform support for Linux and Android.
+ * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
- *Andy Polyakov*
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: <http://www.isg.rhul.ac.uk/tls/>
- * Support for linux-x32, ILP32 environment in x86_64 framework.
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ [CVE-2013-0169][]
- *Andy Polyakov*
+ *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
- * Experimental multi-implementation support for FIPS capable OpenSSL.
- When in FIPS mode the approved implementations are used as normal,
- when not in FIPS mode the internal unapproved versions are used instead.
- This means that the FIPS capable OpenSSL isn't forced to use the
- (often lower performance) FIPS implementations outside FIPS mode.
+ * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
+ ciphersuites which can be exploited in a denial of service attack.
+ Thanks go to and to Adam Langley <agl@chromium.org> for discovering
+ and detecting this bug and to Wolfgang Ettlinger
+ <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
+ [CVE-2012-2686][]
- *Steve Henson*
+ *Adam Langley*
- * Transparently support X9.42 DH parameters when calling
- PEM_read_bio_DHparameters. This means existing applications can handle
- the new parameter format automatically.
+ * Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. [CVE-2013-0166][]
*Steve Henson*
- * Initial experimental support for X9.42 DH parameter format: mainly
- to support use of 'q' parameter for RFC5114 parameters.
+ * Make openssl verify return errors.
- *Steve Henson*
+ *Chris Palmer <palmer@google.com> and Ben Laurie*
- * Add DH parameters from RFC5114 including test data to dhtest.
+ * Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
- *Steve Henson*
+ *Rob Stradling <rob.stradling@comodo.com>*
- * Support for automatic EC temporary key parameter selection. If enabled
- the most preferred EC parameters are automatically used instead of
- hardcoded fixed parameters. Now a server just has to call:
- SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
- support ECDH and use the most appropriate parameters.
+ * Fix possible deadlock when decoding public keys.
*Steve Henson*
- * Enhance and tidy EC curve and point format TLS extension code. Use
- static structures instead of allocation if default values are used.
- New ctrls to set curves we wish to support and to retrieve shared curves.
- Print out shared curves in s_server. New options to s_server and s_client
- to set list of supported curves.
+ * Don't use TLS 1.0 record version number in initial client hello
+ if renegotiating.
*Steve Henson*
- * New ctrls to retrieve supported signature algorithms and
- supported curve values as an array of NIDs. Extend openssl utility
- to print out received values.
+### Changes between 1.0.1b and 1.0.1c [10 May 2012]
- *Steve Henson*
+ * Sanity check record length before skipping explicit IV in TLS
+ 1.2, 1.1 and DTLS to fix DoS attack.
- * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
- between NIDs and the more common NIST names such as "P-256". Enhance
- ecparam utility and ECC method to recognise the NIST names for curves.
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ [CVE-2012-2333][]
*Steve Henson*
- * Enhance SSL/TLS certificate chain handling to support different
- chains for each certificate instead of one chain in the parent SSL_CTX.
+ * Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
*Steve Henson*
- * Support for fixed DH ciphersuite client authentication: where both
- server and client use DH certificates with common parameters.
+ * In FIPS mode don't try to use composite ciphers as they are not
+ approved.
*Steve Henson*
- * Support for fixed DH ciphersuites: those requiring DH server
- certificates.
+### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
+
+ * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
+ 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
+ mean any application compiled against OpenSSL 1.0.0 headers setting
+ SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
+ TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
+ 0x10000000L Any application which was previously compiled against
+ OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
+ will need to be recompiled as a result. Letting be results in
+ inability to disable specifically TLS 1.1 and in client context,
+ in unlike event, limit maximum offered version to TLS 1.0 [see below].
*Steve Henson*
- * New function i2d_re_X509_tbs for re-encoding the TBS portion of
- the certificate.
- Note: Related 1.0.2-beta specific macros X509_get_cert_info,
- X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
- X509_CINF_get_signature were reverted post internal team review.
+ * In order to ensure interoperability SSL_OP_NO_protocolX does not
+ disable just protocol X, but all protocols above X *if* there are
+ protocols *below* X still enabled. In more practical terms it means
+ that if application wants to disable TLS1.0 in favor of TLS1.1 and
+ above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
+ SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
+ client side.
-### Changes between 1.0.1k and 1.0.1l [15 Jan 2015] ###
+ *Andy Polyakov*
- * Build fixes for the Windows and OpenVMS platforms
+### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
- *Matt Caswell and Richard Levitte*
+ * Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
-### Changes between 1.0.1j and 1.0.1k [8 Jan 2015] ###
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ [CVE-2012-2110][]
- * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
- message can cause a segmentation fault in OpenSSL due to a NULL pointer
- dereference. This could lead to a Denial Of Service attack. Thanks to
- Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
- (CVE-2014-3571)
+ *Adam Langley (Google), Tavis Ormandy, Google Security Team*
- *Steve Henson*
+ * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
- * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
- dtls1_buffer_record function under certain conditions. In particular this
- could occur if an attacker sent repeated DTLS records with the same
- sequence number but for the next epoch. The memory leak could be exploited
- by an attacker in a Denial of Service attack through memory exhaustion.
- Thanks to Chris Mueller for reporting this issue.
- (CVE-2015-0206)
+ *Adam Langley*
- *Matt Caswell*
+ * Workarounds for some broken servers that "hang" if a client hello
+ record length exceeds 255 bytes.
- * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
- built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
- method would be set to NULL which could later result in a NULL pointer
- dereference. Thanks to Frank Schmirler for reporting this issue.
- (CVE-2014-3569)
+ 1. Do not use record version number > TLS 1.0 in initial client
+ hello: some (but not all) hanging servers will now work.
+ 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
+ the number of ciphers sent in the client hello. This should be
+ set to an even number, such as 50, for example by passing:
+ -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
+ Most broken servers should now work.
+ 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
+ TLS 1.2 client support entirely.
- *Kurt Roeckx*
+ *Steve Henson*
- * Abort handshake if server key exchange message is omitted for ephemeral
- ECDH ciphersuites.
+ * Fix SEGV in Vector Permutation AES module observed in OpenSSH.
- Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
- reporting this issue.
- (CVE-2014-3572)
+ *Andy Polyakov*
+
+### Changes between 1.0.0h and 1.0.1 [14 Mar 2012]
+
+ * Add compatibility with old MDC2 signatures which use an ASN1 OCTET
+ STRING form instead of a DigestInfo.
*Steve Henson*
- * Remove non-export ephemeral RSA code on client and server. This code
- violated the TLS standard by allowing the use of temporary RSA keys in
- non-export ciphersuites and could be used by a server to effectively
- downgrade the RSA key length used to a value smaller than the server
- certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
- INRIA or reporting this issue.
- (CVE-2015-0204)
+ * The format used for MDC2 RSA signatures is inconsistent between EVP
+ and the RSA_sign/RSA_verify functions. This was made more apparent when
+ OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
+ those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
+ the correct format in RSA_verify so both forms transparently work.
*Steve Henson*
- * Fixed issue where DH client certificates are accepted without verification.
- An OpenSSL server will accept a DH certificate for client authentication
- without the certificate verify message. This effectively allows a client to
- authenticate without the use of a private key. This only affects servers
- which trust a client certificate authority which issues certificates
- containing DH keys: these are extremely rare and hardly ever encountered.
- Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
- this issue.
- (CVE-2015-0205)
+ * Some servers which support TLS 1.0 can choke if we initially indicate
+ support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
+ encrypted premaster secret. As a workaround use the maximum permitted
+ client version in client hello, this should keep such servers happy
+ and still work with previous versions of OpenSSL.
*Steve Henson*
- * Ensure that the session ID context of an SSL is updated when its
- SSL_CTX is updated via SSL_set_SSL_CTX.
-
- The session ID context is typically set from the parent SSL_CTX,
- and can vary with the CTX.
+ * Add support for TLS/DTLS heartbeats.
- *Adam Langley*
+ *Robin Seggelmann <seggelmann@fh-muenster.de>*
- * Fix various certificate fingerprint issues.
+ * Add support for SCTP.
- By using non-DER or invalid encodings outside the signed portion of a
- certificate the fingerprint can be changed without breaking the signature.
- Although no details of the signed portion of the certificate can be changed
- this can cause problems with some applications: e.g. those using the
- certificate fingerprint for blacklists.
+ *Robin Seggelmann <seggelmann@fh-muenster.de>*
- 1. Reject signatures with non zero unused bits.
+ * Improved PRNG seeding for VOS.
- If the BIT STRING containing the signature has non zero unused bits reject
- the signature. All current signature algorithms require zero unused bits.
+ *Paul Green <Paul.Green@stratus.com>*
- 2. Check certificate algorithm consistency.
+ * Extensive assembler packs updates, most notably:
- Check the AlgorithmIdentifier inside TBS matches the one in the
- certificate signature. NB: this will result in signature failure
- errors for some broken certificates.
+ - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
+ - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
+ - x86_64: bit-sliced AES implementation;
+ - ARM: NEON support, contemporary platforms optimizations;
+ - s390x: z196 support;
+ - `*`: GHASH and GF(2^m) multiplication implementations;
- Thanks to Konrad Kraszewski from Google for reporting this issue.
+ *Andy Polyakov*
- 3. Check DSA/ECDSA signatures use DER.
+ * Make TLS-SRP code conformant with RFC 5054 API cleanup
+ (removal of unnecessary code)
- Re-encode DSA/ECDSA signatures and compare with the original received
- signature. Return an error if there is a mismatch.
+ *Peter Sylvester <peter.sylvester@edelweb.fr>*
- This will reject various cases including garbage after signature
- (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
- program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
- (negative or with leading zeroes).
+ * Add TLS key material exporter from RFC 5705.
- Further analysis was conducted and fixes were developed by Stephen Henson
- of the OpenSSL core team.
+ *Eric Rescorla*
- (CVE-2014-8275)
+ * Add DTLS-SRTP negotiation from RFC 5764.
- *Steve Henson*
+ *Eric Rescorla*
- *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
- results on some platforms, including x86_64. This bug occurs at random
- with a very low probability, and is not known to be exploitable in any
- way, though its exact impact is difficult to determine. Thanks to Pieter
- Wuille (Blockstream) who reported this issue and also suggested an initial
- fix. Further analysis was conducted by the OpenSSL development team and
- Adam Langley of Google. The final fix was developed by Andy Polyakov of
- the OpenSSL core team.
- (CVE-2014-3570)
+ * Add Next Protocol Negotiation,
+ <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
+ disabled with a no-npn flag to config or Configure. Code donated
+ by Google.
- *Andy Polyakov*
+ *Adam Langley <agl@google.com> and Ben Laurie*
- *) Do not resume sessions on the server if the negotiated protocol
- version does not match the session's version. Resuming with a different
- version, while not strictly forbidden by the RFC, is of questionable
- sanity and breaks all known clients.
+ * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
+ NIST-P256, NIST-P521, with constant-time single point multiplication on
+ typical inputs. Compiler support for the nonstandard type `__uint128_t` is
+ required to use this (present in gcc 4.4 and later, for 64-bit builds).
+ Code made available under Apache License version 2.0.
- *David Benjamin, Emilia Käsper*
+ Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
+ line to include this in your build of OpenSSL, and run "make depend" (or
+ "make update"). This enables the following EC_METHODs:
- *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
- early CCS messages during renegotiation. (Note that because
- renegotiation is encrypted, this early CCS was not exploitable.)
+ EC_GFp_nistp224_method()
+ EC_GFp_nistp256_method()
+ EC_GFp_nistp521_method()
- *Emilia Käsper*
+ EC_GROUP_new_by_curve_name() will automatically use these (while
+ EC_GROUP_new_curve_GFp() currently prefers the more flexible
+ implementations).
- *) Tighten client-side session ticket handling during renegotiation:
- ensure that the client only accepts a session ticket if the server sends
- the extension anew in the ServerHello. Previously, a TLS client would
- reuse the old extension state and thus accept a session ticket if one was
- announced in the initial ServerHello.
+ *Emilia Käsper, Adam Langley, Bodo Moeller (Google)*
- Similarly, ensure that the client requires a session ticket if one
- was advertised in the ServerHello. Previously, a TLS client would
- ignore a missing NewSessionTicket message.
+ * Use type ossl_ssize_t instead of ssize_t which isn't available on
+ all platforms. Move ssize_t definition from e_os.h to the public
+ header file e_os2.h as it now appears in public header file cms.h
- *Emilia Käsper*
+ *Steve Henson*
-### Changes between 1.0.1i and 1.0.1j [15 Oct 2014] ###
+ * New -sigopt option to the ca, req and x509 utilities. Additional
+ signature parameters can be passed using this option and in
+ particular PSS.
- * SRTP Memory Leak.
+ *Steve Henson*
- A flaw in the DTLS SRTP extension parsing code allows an attacker, who
- sends a carefully crafted handshake message, to cause OpenSSL to fail
- to free up to 64k of memory causing a memory leak. This could be
- exploited in a Denial Of Service attack. This issue affects OpenSSL
- 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
- whether SRTP is used or configured. Implementations of OpenSSL that
- have been compiled with OPENSSL_NO_SRTP defined are not affected.
+ * Add RSA PSS signing function. This will generate and set the
+ appropriate AlgorithmIdentifiers for PSS based on those in the
+ corresponding EVP_MD_CTX structure. No application support yet.
- The fix was developed by the OpenSSL team.
- (CVE-2014-3513)
+ *Steve Henson*
- *OpenSSL team*
+ * Support for companion algorithm specific ASN1 signing routines.
+ New function ASN1_item_sign_ctx() signs a pre-initialised
+ EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
+ the appropriate parameters.
- * Session Ticket Memory Leak.
+ *Steve Henson*
- When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
- integrity of that ticket is first verified. In the event of a session
- ticket integrity check failing, OpenSSL will fail to free memory
- causing a memory leak. By sending a large number of invalid session
- tickets an attacker could exploit this issue in a Denial Of Service
- attack.
- (CVE-2014-3567)
+ * Add new algorithm specific ASN1 verification initialisation function
+ to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
+ handling will be the same no matter what EVP_PKEY_METHOD is used.
+ Add a PSS handler to support verification of PSS signatures: checked
+ against a number of sample certificates.
*Steve Henson*
- * Build option no-ssl3 is incomplete.
-
- When OpenSSL is configured with "no-ssl3" as a build option, servers
- could accept and complete a SSL 3.0 handshake, and clients could be
- configured to send them.
- (CVE-2014-3568)
+ * Add signature printing for PSS. Add PSS OIDs.
- *Akamai and the OpenSSL team*
+ *Steve Henson, Martin Kaiser <lists@kaiser.cx>*
- * Add support for TLS_FALLBACK_SCSV.
- Client applications doing fallback retries should call
- SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
- (CVE-2014-3566)
+ * Add algorithm specific signature printing. An individual ASN1 method
+ can now print out signatures instead of the standard hex dump.
- *Adam Langley, Bodo Moeller*
+ More complex signatures (e.g. PSS) can print out more meaningful
+ information. Include DSA version that prints out the signature
+ parameters r, s.
- * Add additional DigestInfo checks.
+ *Steve Henson*
- Re-encode DigestInto in DER and check against the original when
- verifying RSA signature: this will reject any improperly encoded
- DigestInfo structures.
+ * Password based recipient info support for CMS library: implementing
+ RFC3211.
- Note: this is a precautionary measure and no attacks are currently known.
+ *Steve Henson*
+ * Split password based encryption into PBES2 and PBKDF2 functions. This
+ neatly separates the code into cipher and PBE sections and is required
+ for some algorithms that split PBES2 into separate pieces (such as
+ password based CMS).
*Steve Henson*
-### Changes between 1.0.1h and 1.0.1i [6 Aug 2014] ###
+ * Session-handling fixes:
+ - Fix handling of connections that are resuming with a session ID,
+ but also support Session Tickets.
+ - Fix a bug that suppressed issuing of a new ticket if the client
+ presented a ticket with an expired session.
+ - Try to set the ticket lifetime hint to something reasonable.
+ - Make tickets shorter by excluding irrelevant information.
+ - On the client side, don't ignore renewed tickets.
+
+ *Adam Langley, Bodo Moeller (Google)*
- * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
- SRP code can be overrun an internal buffer. Add sanity check that
- g, A, B < N to SRP code.
+ * Fix PSK session representation.
- Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
- Group for discovering this issue.
- (CVE-2014-3512)
+ *Bodo Moeller*
+
+ * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
+
+ This work was sponsored by Intel.
+
+ *Andy Polyakov*
+
+ * Add GCM support to TLS library. Some custom code is needed to split
+ the IV between the fixed (from PRF) and explicit (from TLS record)
+ portions. This adds all GCM ciphersuites supported by RFC5288 and
+ RFC5289. Generalise some `AES*` cipherstrings to include GCM and
+ add a special AESGCM string for GCM only.
*Steve Henson*
- * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
- TLS 1.0 instead of higher protocol versions when the ClientHello message
- is badly fragmented. This allows a man-in-the-middle attacker to force a
- downgrade to TLS 1.0 even if both the server and the client support a
- higher protocol version, by modifying the client's TLS records.
+ * Expand range of ctrls for AES GCM. Permit setting invocation
+ field on decrypt and retrieval of invocation field only on encrypt.
- Thanks to David Benjamin and Adam Langley (Google) for discovering and
- researching this issue.
- (CVE-2014-3511)
+ *Steve Henson*
- *David Benjamin*
+ * Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
+ As required by RFC5289 these ciphersuites cannot be used if for
+ versions of TLS earlier than 1.2.
- * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
- to a denial of service attack. A malicious server can crash the client
- with a null pointer dereference (read) by specifying an anonymous (EC)DH
- ciphersuite and sending carefully crafted handshake messages.
+ *Steve Henson*
- Thanks to Felix Gröbert (Google) for discovering and researching this
- issue.
- (CVE-2014-3510)
+ * For FIPS capable OpenSSL interpret a NULL default public key method
+ as unset and return the appropriate default but do *not* set the default.
+ This means we can return the appropriate method in applications that
+ switch between FIPS and non-FIPS modes.
- *Emilia Käsper*
+ *Steve Henson*
- * By sending carefully crafted DTLS packets an attacker could cause openssl
- to leak memory. This can be exploited through a Denial of Service attack.
- Thanks to Adam Langley for discovering and researching this issue.
- (CVE-2014-3507)
+ * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
+ ENGINE is used then we cannot handle that in the FIPS module so we
+ keep original code iff non-FIPS operations are allowed.
- *Adam Langley*
+ *Steve Henson*
- * An attacker can force openssl to consume large amounts of memory whilst
- processing DTLS handshake messages. This can be exploited through a
- Denial of Service attack.
- Thanks to Adam Langley for discovering and researching this issue.
- (CVE-2014-3506)
+ * Add -attime option to openssl utilities.
- *Adam Langley*
+ *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*
- * An attacker can force an error condition which causes openssl to crash
- whilst processing DTLS packets due to memory being freed twice. This
- can be exploited through a Denial of Service attack.
- Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
- this issue.
- (CVE-2014-3505)
+ * Redirect DSA and DH operations to FIPS module in FIPS mode.
- *Adam Langley*
+ *Steve Henson*
- * If a multithreaded client connects to a malicious server using a resumed
- session and the server sends an ec point format extension it could write
- up to 255 bytes to freed memory.
+ * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
+ FIPS EC methods unconditionally for now.
- Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
- issue.
- (CVE-2014-3509)
+ *Steve Henson*
- *Gabor Tyukasz*
+ * New build option no-ec2m to disable characteristic 2 code.
- * A malicious server can crash an OpenSSL client with a null pointer
- dereference (read) by specifying an SRP ciphersuite even though it was not
- properly negotiated with the client. This can be exploited through a
- Denial of Service attack.
+ *Steve Henson*
- Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
- discovering and researching this issue.
- (CVE-2014-5139)
+ * Backport libcrypto audit of return value checking from 1.1.0-dev; not
+ all cases can be covered as some introduce binary incompatibilities.
*Steve Henson*
- * A flaw in OBJ_obj2txt may cause pretty printing functions such as
- X509_name_oneline, X509_name_print_ex et al. to leak some information
- from the stack. Applications may be affected if they echo pretty printing
- output to the attacker.
-
- Thanks to Ivan Fratric (Google) for discovering this issue.
- (CVE-2014-3508)
-
- *Emilia Käsper, and Steve Henson*
+ * Redirect RSA operations to FIPS module including keygen,
+ encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
- * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
- for corner cases. (Certain input points at infinity could lead to
- bogus results, with non-infinity inputs mapped to infinity too.)
+ *Steve Henson*
- *Bodo Moeller*
+ * Add similar low level API blocking to ciphers.
-### Changes between 1.0.1g and 1.0.1h [5 Jun 2014] ###
+ *Steve Henson*
- * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
- handshake can force the use of weak keying material in OpenSSL
- SSL/TLS clients and servers.
+ * Low level digest APIs are not approved in FIPS mode: any attempt
+ to use these will cause a fatal error. Applications that *really* want
+ to use them can use the `private_*` version instead.
- Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
- researching this issue. (CVE-2014-0224)
+ *Steve Henson*
- *KIKUCHI Masashi, Steve Henson*
+ * Redirect cipher operations to FIPS module for FIPS builds.
- * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
- OpenSSL DTLS client the code can be made to recurse eventually crashing
- in a DoS attack.
+ *Steve Henson*
- Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
- (CVE-2014-0221)
+ * Redirect digest operations to FIPS module for FIPS builds.
- *Imre Rad, Steve Henson*
+ *Steve Henson*
- * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
- be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
- client or server. This is potentially exploitable to run arbitrary
- code on a vulnerable client or server.
+ * Update build system to add "fips" flag which will link in fipscanister.o
+ for static and shared library builds embedding a signature if needed.
- Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ *Steve Henson*
- *Jüri Aedla, Steve Henson*
+ * Output TLS supported curves in preference order instead of numerical
+ order. This is currently hardcoded for the highest order curves first.
+ This should be configurable so applications can judge speed vs strength.
- * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
- are subject to a denial of service attack.
+ *Steve Henson*
- Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
- this issue. (CVE-2014-3470)
+ * Add TLS v1.2 server support for client authentication.
- *Felix Gröbert, Ivan Fratric, Steve Henson*
+ *Steve Henson*
- * Harmonize version and its documentation. -f flag is used to display
- compilation flags.
+ * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
+ and enable MD5.
- *mancha <mancha1@zoho.com>*
+ *Steve Henson*
- * Fix eckey_priv_encode so it immediately returns an error upon a failure
- in i2d_ECPrivateKey.
+ * Functions FIPS_mode_set() and FIPS_mode() which call the underlying
+ FIPS modules versions.
- *mancha <mancha1@zoho.com>*
+ *Steve Henson*
- * Fix some double frees. These are not thought to be exploitable.
+ * Add TLS v1.2 client side support for client authentication. Keep cache
+ of handshake records longer as we don't know the hash algorithm to use
+ until after the certificate request message is received.
- *mancha <mancha1@zoho.com>*
+ *Steve Henson*
-### Changes between 1.0.1f and 1.0.1g [7 Apr 2014] ###
+ * Initial TLS v1.2 client support. Add a default signature algorithms
+ extension including all the algorithms we support. Parse new signature
+ format in client key exchange. Relax some ECC signing restrictions for
+ TLS v1.2 as indicated in RFC5246.
- * A missing bounds check in the handling of the TLS heartbeat extension
- can be used to reveal up to 64k of memory to a connected client or
- server.
+ *Steve Henson*
- Thanks for Neel Mehta of Google Security for discovering this bug and to
- Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
- preparing the fix (CVE-2014-0160)
+ * Add server support for TLS v1.2 signature algorithms extension. Switch
+ to new signature format when needed using client digest preference.
+ All server ciphersuites should now work correctly in TLS v1.2. No client
+ support yet and no support for client certificates.
- *Adam Langley, Bodo Moeller*
+ *Steve Henson*
- * Fix for the attack described in the paper "Recovering OpenSSL
- ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
- by Yuval Yarom and Naomi Benger. Details can be obtained from:
- http://eprint.iacr.org/2014/140
+ * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
+ to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
+ ciphersuites. At present only RSA key exchange ciphersuites work with
+ TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
+ SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
+ and version checking.
- Thanks to Yuval Yarom and Naomi Benger for discovering this
- flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ *Steve Henson*
- *Yuval Yarom and Naomi Benger*
+ * New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
+ with this defined it will not be affected by any changes to ssl internal
+ structures. Add several utility functions to allow openssl application
+ to work with OPENSSL_NO_SSL_INTERN defined.
- * TLS pad extension: draft-agl-tls-padding-03
+ *Steve Henson*
- Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
- TLS client Hello record length value would otherwise be > 255 and
- less that 512 pad with a dummy extension containing zeroes so it
- is at least 512 bytes long.
+ * A long standing patch to add support for SRP from EdelWeb (Peter
+ Sylvester and Christophe Renou) was integrated.
+ *Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
+ <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
+ Ben Laurie*
+ * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
- *Adam Langley, Steve Henson*
+ *Steve Henson*
-### Changes between 1.0.1e and 1.0.1f [6 Jan 2014] ###
+ * Permit abbreviated handshakes when renegotiating using the function
+ SSL_renegotiate_abbreviated().
- * Fix for TLS record tampering bug. A carefully crafted invalid
- handshake could crash OpenSSL with a NULL pointer exception.
- Thanks to Anton Johansson for reporting this issues.
- (CVE-2013-4353)
+ *Robin Seggelmann <seggelmann@fh-muenster.de>*
- * Keep original DTLS digest and encryption contexts in retransmission
- structures so we can use the previous session parameters if they need
- to be resent. (CVE-2013-6450)
+ * Add call to ENGINE_register_all_complete() to
+ ENGINE_load_builtin_engines(), so some implementations get used
+ automatically instead of needing explicit application support.
*Steve Henson*
- * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
- avoids preferring ECDHE-ECDSA ciphers when the client appears to be
- Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
- several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
- is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
- 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+ * Add support for TLS key exporter as described in RFC5705.
- *Rob Stradling, Adam Langley*
+ *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
-### Changes between 1.0.1d and 1.0.1e [11 Feb 2013] ###
+ * Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
+ a few changes are required:
- * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
- supporting platforms or when small records were transferred.
+ Add SSL_OP_NO_TLSv1_1 flag.
+ Add TLSv1_1 methods.
+ Update version checking logic to handle version 1.1.
+ Add explicit IV handling (ported from DTLS code).
+ Add command line options to s_client/s_server.
- *Andy Polyakov, Steve Henson*
+ *Steve Henson*
-### Changes between 1.0.1c and 1.0.1d [5 Feb 2013] ###
+OpenSSL 1.0.0
+-------------
- * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+### Changes between 1.0.0s and 1.0.0t [3 Dec 2015]
- This addresses the flaw in CBC record processing discovered by
- Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
- at: http://www.isg.rhul.ac.uk/tls/
+ * X509_ATTRIBUTE memory leak
- Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
- Security Group at Royal Holloway, University of London
- (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
- Emilia Käsper for the initial patch.
- (CVE-2013-0169)
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
- *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ [CVE-2015-3195][]
- * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
- ciphersuites which can be exploited in a denial of service attack.
- Thanks go to and to Adam Langley <agl@chromium.org> for discovering
- and detecting this bug and to Wolfgang Ettlinger
- <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
- (CVE-2012-2686)
+ *Stephen Henson*
- *Adam Langley*
+ * Race condition handling PSK identify hint
- * Return an error when checking OCSP signatures when key is NULL.
- This fixes a DoS attack. (CVE-2013-0166)
+ If PSK identity hints are received by a multi-threaded client then
+ the values are wrongly updated in the parent SSL_CTX structure. This can
+ result in a race condition potentially leading to a double free of the
+ identify hint data.
+ [CVE-2015-3196][]
- *Steve Henson*
+ *Stephen Henson*
- * Make openssl verify return errors.
+### Changes between 1.0.0r and 1.0.0s [11 Jun 2015]
- *Chris Palmer <palmer@google.com> and Ben Laurie*
+ * Malformed ECParameters causes infinite loop
- * Call OCSP Stapling callback after ciphersuite has been chosen, so
- the right response is stapled. Also change SSL_get_certificate()
- so it returns the certificate actually sent.
- See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ When processing an ECParameters structure OpenSSL enters an infinite loop
+ if the curve specified is over a specially malformed binary polynomial
+ field.
- *Rob Stradling <rob.stradling@comodo.com>*
+ This can be used to perform denial of service against any
+ system which processes public keys, certificate requests or
+ certificates. This includes TLS clients and TLS servers with
+ client authentication enabled.
- * Fix possible deadlock when decoding public keys.
+ This issue was reported to OpenSSL by Joseph Barr-Pixton.
+ [CVE-2015-1788][]
- *Steve Henson*
+ *Andy Polyakov*
- * Don't use TLS 1.0 record version number in initial client hello
- if renegotiating.
+ * Exploitable out-of-bounds read in X509_cmp_time
- *Steve Henson*
+ X509_cmp_time does not properly check the length of the ASN1_TIME
+ string and can read a few bytes out of bounds. In addition,
+ X509_cmp_time accepts an arbitrary number of fractional seconds in the
+ time string.
-### Changes between 1.0.1b and 1.0.1c [10 May 2012] ###
+ An attacker can use this to craft malformed certificates and CRLs of
+ various sizes and potentially cause a segmentation fault, resulting in
+ a DoS on applications that verify certificates or CRLs. TLS clients
+ that verify CRLs are affected. TLS clients and servers with client
+ authentication enabled may be affected if they use custom verification
+ callbacks.
- * Sanity check record length before skipping explicit IV in TLS
- 1.2, 1.1 and DTLS to fix DoS attack.
+ This issue was reported to OpenSSL by Robert Swiecki (Google), and
+ independently by Hanno Böck.
+ [CVE-2015-1789][]
- Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
- fuzzing as a service testing platform.
- (CVE-2012-2333)
+ *Emilia Käsper*
- *Steve Henson*
+ * PKCS7 crash with missing EnvelopedContent
- * Initialise tkeylen properly when encrypting CMS messages.
- Thanks to Solar Designer of Openwall for reporting this issue.
+ The PKCS#7 parsing code does not handle missing inner EncryptedContent
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
+ with missing content and trigger a NULL pointer dereference on parsing.
- *Steve Henson*
+ Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
+ structures from untrusted sources are affected. OpenSSL clients and
+ servers are not affected.
- * In FIPS mode don't try to use composite ciphers as they are not
- approved.
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ [CVE-2015-1790][]
- *Steve Henson*
+ *Emilia Käsper*
-### Changes between 1.0.1a and 1.0.1b [26 Apr 2012] ###
+ * CMS verify infinite loop with unknown hash function
- * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
- 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
- mean any application compiled against OpenSSL 1.0.0 headers setting
- SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
- TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
- 0x10000000L Any application which was previously compiled against
- OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
- will need to be recompiled as a result. Letting be results in
- inability to disable specifically TLS 1.1 and in client context,
- in unlike event, limit maximum offered version to TLS 1.0 [see below].
+ When verifying a signedData message the CMS code can enter an infinite loop
+ if presented with an unknown hash function OID. This can be used to perform
+ denial of service against any system which verifies signedData messages using
+ the CMS code.
+ This issue was reported to OpenSSL by Johannes Bauer.
+ [CVE-2015-1792][]
- *Steve Henson*
+ *Stephen Henson*
- * In order to ensure interoperability SSL_OP_NO_protocolX does not
- disable just protocol X, but all protocols above X *if* there are
- protocols *below* X still enabled. In more practical terms it means
- that if application wants to disable TLS1.0 in favor of TLS1.1 and
- above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
- SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
- client side.
+ * Race condition handling NewSessionTicket
+
+ If a NewSessionTicket is received by a multi-threaded client when attempting to
+ reuse a previous ticket then a race condition can occur potentially leading to
+ a double free of the ticket data.
+ [CVE-2015-1791][]
- *Andy Polyakov*
+ *Matt Caswell*
-### Changes between 1.0.1 and 1.0.1a [19 Apr 2012] ###
+### Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
- * Check for potentially exploitable overflows in asn1_d2i_read_bio
- BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
- in CRYPTO_realloc_clean.
+ * Segmentation fault in ASN1_TYPE_cmp fix
- Thanks to Tavis Ormandy, Google Security Team, for discovering this
- issue and to Adam Langley <agl@chromium.org> for fixing it.
- (CVE-2012-2110)
+ The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+ made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+ certificate signature algorithm consistency this can be used to crash any
+ certificate verification operation and exploited in a DoS attack. Any
+ application which performs certificate verification is vulnerable including
+ OpenSSL clients and servers which enable client authentication.
+ [CVE-2015-0286][]
- *Adam Langley (Google), Tavis Ormandy, Google Security Team*
+ *Stephen Henson*
- * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
+ * ASN.1 structure reuse memory corruption fix
- *Adam Langley*
+ Reusing a structure in ASN.1 parsing may allow an attacker to cause
+ memory corruption via an invalid write. Such reuse is and has been
+ strongly discouraged and is believed to be rare.
- * Workarounds for some broken servers that "hang" if a client hello
- record length exceeds 255 bytes.
+ Applications that parse structures containing CHOICE or ANY DEFINED BY
+ components may be affected. Certificate parsing (d2i_X509 and related
+ functions) are however not affected. OpenSSL clients and servers are
+ not affected.
+ [CVE-2015-0287][]
- 1. Do not use record version number > TLS 1.0 in initial client
- hello: some (but not all) hanging servers will now work.
- 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
- the number of ciphers sent in the client hello. This should be
- set to an even number, such as 50, for example by passing:
- -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
- Most broken servers should now work.
- 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
- TLS 1.2 client support entirely.
+ *Stephen Henson*
- *Steve Henson*
+ * PKCS7 NULL pointer dereferences fix
- * Fix SEGV in Vector Permutation AES module observed in OpenSSH.
+ The PKCS#7 parsing code does not handle missing outer ContentInfo
+ correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+ missing content and trigger a NULL pointer dereference on parsing.
- *Andy Polyakov*
+ Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+ otherwise parse PKCS#7 structures from untrusted sources are
+ affected. OpenSSL clients and servers are not affected.
-### Changes between 1.0.0h and 1.0.1 [14 Mar 2012] ###
+ This issue was reported to OpenSSL by Michal Zalewski (Google).
+ [CVE-2015-0289][]
- * Add compatibility with old MDC2 signatures which use an ASN1 OCTET
- STRING form instead of a DigestInfo.
+ *Emilia Käsper*
- *Steve Henson*
+ * DoS via reachable assert in SSLv2 servers fix
- * The format used for MDC2 RSA signatures is inconsistent between EVP
- and the RSA_sign/RSA_verify functions. This was made more apparent when
- OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
- those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
- the correct format in RSA_verify so both forms transparently work.
+ A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+ servers that both support SSLv2 and enable export cipher suites by sending
+ a specially crafted SSLv2 CLIENT-MASTER-KEY message.
- *Steve Henson*
+ This issue was discovered by Sean Burford (Google) and Emilia Käsper
+ (OpenSSL development team).
+ [CVE-2015-0293][]
- * Some servers which support TLS 1.0 can choke if we initially indicate
- support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
- encrypted premaster secret. As a workaround use the maximum permitted
- client version in client hello, this should keep such servers happy
- and still work with previous versions of OpenSSL.
+ *Emilia Käsper*
- *Steve Henson*
+ * Use After Free following d2i_ECPrivatekey error fix
- * Add support for TLS/DTLS heartbeats.
+ A malformed EC private key file consumed via the d2i_ECPrivateKey function
+ could cause a use after free condition. This, in turn, could cause a double
+ free in several private key parsing functions (such as d2i_PrivateKey
+ or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+ for applications that receive EC private keys from untrusted
+ sources. This scenario is considered rare.
- *Robin Seggelmann <seggelmann@fh-muenster.de>*
+ This issue was discovered by the BoringSSL project and fixed in their
+ commit 517073cd4b.
+ [CVE-2015-0209][]
- * Add support for SCTP.
+ *Matt Caswell*
- *Robin Seggelmann <seggelmann@fh-muenster.de>*
+ * X509_to_X509_REQ NULL pointer deref fix
- * Improved PRNG seeding for VOS.
+ The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+ the certificate key is invalid. This function is rarely used in practice.
- *Paul Green <Paul.Green@stratus.com>*
+ This issue was discovered by Brian Carpenter.
+ [CVE-2015-0288][]
- * Extensive assembler packs updates, most notably:
+ *Stephen Henson*
- - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
- - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
- - x86_64: bit-sliced AES implementation;
- - ARM: NEON support, contemporary platforms optimizations;
- - s390x: z196 support;
- - *: GHASH and GF(2^m) multiplication implementations;
+ * Removed the export ciphers from the DEFAULT ciphers
- *Andy Polyakov*
+ *Kurt Roeckx*
- * Make TLS-SRP code conformant with RFC 5054 API cleanup
- (removal of unnecessary code)
+### Changes between 1.0.0p and 1.0.0q [15 Jan 2015]
- *Peter Sylvester <peter.sylvester@edelweb.fr>*
+ * Build fixes for the Windows and OpenVMS platforms
- * Add TLS key material exporter from RFC 5705.
+ *Matt Caswell and Richard Levitte*
- *Eric Rescorla*
+### Changes between 1.0.0o and 1.0.0p [8 Jan 2015]
- * Add DTLS-SRTP negotiation from RFC 5764.
+ * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+ message can cause a segmentation fault in OpenSSL due to a NULL pointer
+ dereference. This could lead to a Denial Of Service attack. Thanks to
+ Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+ [CVE-2014-3571][]
- *Eric Rescorla*
+ *Steve Henson*
- * Add Next Protocol Negotiation,
- http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
- disabled with a no-npn flag to config or Configure. Code donated
- by Google.
+ * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+ dtls1_buffer_record function under certain conditions. In particular this
+ could occur if an attacker sent repeated DTLS records with the same
+ sequence number but for the next epoch. The memory leak could be exploited
+ by an attacker in a Denial of Service attack through memory exhaustion.
+ Thanks to Chris Mueller for reporting this issue.
+ [CVE-2015-0206][]
- *Adam Langley <agl@google.com> and Ben Laurie*
+ *Matt Caswell*
- * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
- NIST-P256, NIST-P521, with constant-time single point multiplication on
- typical inputs. Compiler support for the nonstandard type __uint128_t is
- required to use this (present in gcc 4.4 and later, for 64-bit builds).
- Code made available under Apache License version 2.0.
+ * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+ method would be set to NULL which could later result in a NULL pointer
+ dereference. Thanks to Frank Schmirler for reporting this issue.
+ [CVE-2014-3569][]
- Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
- line to include this in your build of OpenSSL, and run "make depend" (or
- "make update"). This enables the following EC_METHODs:
+ *Kurt Roeckx*
- EC_GFp_nistp224_method()
- EC_GFp_nistp256_method()
- EC_GFp_nistp521_method()
+ * Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
- EC_GROUP_new_by_curve_name() will automatically use these (while
- EC_GROUP_new_curve_GFp() currently prefers the more flexible
- implementations).
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ [CVE-2014-3572][]
- *Emilia Käsper, Adam Langley, Bodo Moeller (Google)*
+ *Steve Henson*
- * Use type ossl_ssize_t instad of ssize_t which isn't available on
- all platforms. Move ssize_t definition from e_os.h to the public
- header file e_os2.h as it now appears in public header file cms.h
+ * Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ [CVE-2015-0204][]
*Steve Henson*
- * New -sigopt option to the ca, req and x509 utilities. Additional
- signature parameters can be passed using this option and in
- particular PSS.
+ * Fixed issue where DH client certificates are accepted without verification.
+ An OpenSSL server will accept a DH certificate for client authentication
+ without the certificate verify message. This effectively allows a client to
+ authenticate without the use of a private key. This only affects servers
+ which trust a client certificate authority which issues certificates
+ containing DH keys: these are extremely rare and hardly ever encountered.
+ Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+ this issue.
+ [CVE-2015-0205][]
*Steve Henson*
- * Add RSA PSS signing function. This will generate and set the
- appropriate AlgorithmIdentifiers for PSS based on those in the
- corresponding EVP_MD_CTX structure. No application support yet.
+ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ [CVE-2014-3570][]
- *Steve Henson*
+ *Andy Polyakov*
- * Support for companion algorithm specific ASN1 signing routines.
- New function ASN1_item_sign_ctx() signs a pre-initialised
- EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
- the appropriate parameters.
+ *) Fix various certificate fingerprint issues.
- *Steve Henson*
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
- * Add new algorithm specific ASN1 verification initialisation function
- to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
- handling will be the same no matter what EVP_PKEY_METHOD is used.
- Add a PSS handler to support verification of PSS signatures: checked
- against a number of sample certificates.
+ 1. Reject signatures with non zero unused bits.
- *Steve Henson*
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
- * Add signature printing for PSS. Add PSS OIDs.
+ 2. Check certificate algorithm consistency.
- *Steve Henson, Martin Kaiser <lists@kaiser.cx>*
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
- * Add algorithm specific signature printing. An individual ASN1 method
- can now print out signatures instead of the standard hex dump.
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
- More complex signatures (e.g. PSS) can print out more meaningful
- information. Include DSA version that prints out the signature
- parameters r, s.
+ 3. Check DSA/ECDSA signatures use DER.
- *Steve Henson*
+ Reencode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
- * Password based recipient info support for CMS library: implementing
- RFC3211.
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
+
+ [CVE-2014-8275][]
*Steve Henson*
- * Split password based encryption into PBES2 and PBKDF2 functions. This
- neatly separates the code into cipher and PBE sections and is required
- for some algorithms that split PBES2 into separate pieces (such as
- password based CMS).
+### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]
+
+ * Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ [CVE-2014-3567][]
*Steve Henson*
- * Session-handling fixes:
- - Fix handling of connections that are resuming with a session ID,
- but also support Session Tickets.
- - Fix a bug that suppressed issuing of a new ticket if the client
- presented a ticket with an expired session.
- - Try to set the ticket lifetime hint to something reasonable.
- - Make tickets shorter by excluding irrelevant information.
- - On the client side, don't ignore renewed tickets.
+ * Build option no-ssl3 is incomplete.
- *Adam Langley, Bodo Moeller (Google)*
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ [CVE-2014-3568][]
+
+ *Akamai and the OpenSSL team*
+
+ * Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ [CVE-2014-3566][]
+
+ *Adam Langley, Bodo Moeller*
- * Fix PSK session representation.
+ * Add additional DigestInfo checks.
- *Bodo Moeller*
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
- * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
+ Note: this is a precautionary measure and no attacks are currently known.
- This work was sponsored by Intel.
+ *Steve Henson*
- *Andy Polyakov*
+### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]
- * Add GCM support to TLS library. Some custom code is needed to split
- the IV between the fixed (from PRF) and explicit (from TLS record)
- portions. This adds all GCM ciphersuites supported by RFC5288 and
- RFC5289. Generalise some AES* cipherstrings to include GCM and
- add a special AESGCM string for GCM only.
+ * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
- *Steve Henson*
+ Thanks to Felix Gröbert (Google) for discovering and researching this
+ issue.
+ [CVE-2014-3510][]
- * Expand range of ctrls for AES GCM. Permit setting invocation
- field on decrypt and retrieval of invocation field only on encrypt.
+ *Emilia Käsper*
- *Steve Henson*
+ * By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ [CVE-2014-3507][]
- * Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
- As required by RFC5289 these ciphersuites cannot be used if for
- versions of TLS earlier than 1.2.
+ *Adam Langley*
- *Steve Henson*
+ * An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ [CVE-2014-3506][]
- * For FIPS capable OpenSSL interpret a NULL default public key method
- as unset and return the appropriate default but do *not* set the default.
- This means we can return the appropriate method in applications that
- switch between FIPS and non-FIPS modes.
+ *Adam Langley*
- *Steve Henson*
+ * An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
+ this issue.
+ [CVE-2014-3505][]
- * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
- ENGINE is used then we cannot handle that in the FIPS module so we
- keep original code iff non-FIPS operations are allowed.
+ *Adam Langley*
- *Steve Henson*
+ * If a multithreaded client connects to a malicious server using a resumed
+ session and the server sends an ec point format extension it could write
+ up to 255 bytes to freed memory.
- * Add -attime option to openssl utilities.
+ Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
+ issue.
+ [CVE-2014-3509][]
- *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*
+ *Gabor Tyukasz*
- * Redirect DSA and DH operations to FIPS module in FIPS mode.
+ * A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
- *Steve Henson*
+ Thanks to Ivan Fratric (Google) for discovering this issue.
+ [CVE-2014-3508][]
- * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
- FIPS EC methods unconditionally for now.
+ *Emilia Käsper, and Steve Henson*
- *Steve Henson*
+ * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
- * New build option no-ec2m to disable characteristic 2 code.
+ *Bodo Moeller*
- *Steve Henson*
+### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]
- * Backport libcrypto audit of return value checking from 1.1.0-dev; not
- all cases can be covered as some introduce binary incompatibilities.
+ * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
- *Steve Henson*
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. [CVE-2014-0224][]
- * Redirect RSA operations to FIPS module including keygen,
- encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
+ *KIKUCHI Masashi, Steve Henson*
- *Steve Henson*
+ * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
- * Add similar low level API blocking to ciphers.
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ [CVE-2014-0221][]
- *Steve Henson*
+ *Imre Rad, Steve Henson*
- * Low level digest APIs are not approved in FIPS mode: any attempt
- to use these will cause a fatal error. Applications that *really* want
- to use them can use the private_* version instead.
+ * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
- *Steve Henson*
+ Thanks to Jüri Aedla for reporting this issue. [CVE-2014-0195][]
- * Redirect cipher operations to FIPS module for FIPS builds.
+ *Jüri Aedla, Steve Henson*
- *Steve Henson*
+ * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
- * Redirect digest operations to FIPS module for FIPS builds.
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. [CVE-2014-3470][]
- *Steve Henson*
+ *Felix Gröbert, Ivan Fratric, Steve Henson*
- * Update build system to add "fips" flag which will link in fipscanister.o
- for static and shared library builds embedding a signature if needed.
+ * Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
- *Steve Henson*
+ *mancha <mancha1@zoho.com>*
- * Output TLS supported curves in preference order instead of numerical
- order. This is currently hardcoded for the highest order curves first.
- This should be configurable so applications can judge speed vs strength.
+ * Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey.
- *Steve Henson*
+ *mancha <mancha1@zoho.com>*
- * Add TLS v1.2 server support for client authentication.
+ * Fix some double frees. These are not thought to be exploitable.
- *Steve Henson*
+ *mancha <mancha1@zoho.com>*
- * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
- and enable MD5.
+ * Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ <http://eprint.iacr.org/2014/140>
- *Steve Henson*
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][]
- * Functions FIPS_mode_set() and FIPS_mode() which call the underlying
- FIPS modules versions.
+ *Yuval Yarom and Naomi Benger*
- *Steve Henson*
+### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]
- * Add TLS v1.2 client side support for client authentication. Keep cache
- of handshake records longer as we don't know the hash algorithm to use
- until after the certificate request message is received.
+ * Keep original DTLS digest and encryption contexts in retransmission
+ structures so we can use the previous session parameters if they need
+ to be resent. [CVE-2013-6450][]
*Steve Henson*
- * Initial TLS v1.2 client support. Add a default signature algorithms
- extension including all the algorithms we support. Parse new signature
- format in client key exchange. Relax some ECC signing restrictions for
- TLS v1.2 as indicated in RFC5246.
+ * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
- *Steve Henson*
+ *Rob Stradling, Adam Langley*
- * Add server support for TLS v1.2 signature algorithms extension. Switch
- to new signature format when needed using client digest preference.
- All server ciphersuites should now work correctly in TLS v1.2. No client
- support yet and no support for client certificates.
+### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
- *Steve Henson*
+ * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
- * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
- to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
- ciphersuites. At present only RSA key exchange ciphersuites work with
- TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
- SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
- and version checking.
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: <http://www.isg.rhul.ac.uk/tls/>
- *Steve Henson*
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ [CVE-2013-0169][]
- * New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
- with this defined it will not be affected by any changes to ssl internal
- structures. Add several utility functions to allow openssl application
- to work with OPENSSL_NO_SSL_INTERN defined.
+ *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
+
+ * Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. [CVE-2013-0166][]
*Steve Henson*
- * A long standing patch to add support for SRP from EdelWeb (Peter
- Sylvester and Christophe Renou) was integrated.
- *Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
- <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
- Ben Laurie*
+ * Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
+ (This is a backport)
- * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
+ *Rob Stradling <rob.stradling@comodo.com>*
+
+ * Fix possible deadlock when decoding public keys.
*Steve Henson*
- * Permit abbreviated handshakes when renegotiating using the function
- SSL_renegotiate_abbreviated().
+### Changes between 1.0.0i and 1.0.0j [10 May 2012]
- *Robin Seggelmann <seggelmann@fh-muenster.de>*
+[NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
+OpenSSL 1.0.1.]
- * Add call to ENGINE_register_all_complete() to
- ENGINE_load_builtin_engines(), so some implementations get used
- automatically instead of needing explicit application support.
+ * Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ [CVE-2012-2333][]
*Steve Henson*
- * Add support for TLS key exporter as described in RFC5705.
+ * Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
- *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
+ *Steve Henson*
- * Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
- a few changes are required:
+### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
- Add SSL_OP_NO_TLSv1_1 flag.
- Add TLSv1_1 methods.
- Update version checking logic to handle version 1.1.
- Add explicit IV handling (ported from DTLS code).
- Add command line options to s_client/s_server.
+ * Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
- *Steve Henson*
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ [CVE-2012-2110][]
+
+ *Adam Langley (Google), Tavis Ormandy, Google Security Team*
-### Changes between 1.0.0g and 1.0.0h [12 Mar 2012] ###
+### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
* Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
in CMS and PKCS7 code. When RSA decryption fails use a random key for
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
an MMA defence is not necessary.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
- this issue. (CVE-2012-0884)
+ this issue. [CVE-2012-0884][]
*Steve Henson*
*Steve Henson*
-### Changes between 1.0.0f and 1.0.0g [18 Jan 2012] ###
+### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
* Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
- preparing a fix. (CVE-2012-0050)
+ preparing a fix. [CVE-2012-0050][]
*Antonio Martin*
-### Changes between 1.0.0e and 1.0.0f [4 Jan 2012] ###
+### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
* Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
- http://www.isg.rhul.ac.uk/~kp/dtls.pdf
+ <http://www.isg.rhul.ac.uk/~kp/dtls.pdf>
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
- for preparing the fix. (CVE-2011-4108)
+ for preparing the fix. [CVE-2011-4108][]
*Robin Seggelmann, Michael Tuexen*
* Clear bytes used for block padding of SSL 3.0 records.
- (CVE-2011-4576)
+ [CVE-2011-4576][]
*Adam Langley (Google)*
* Only allow one SGC handshake restart for SSL/TLS. Thanks to George
Kadianakis <desnacked@gmail.com> for discovering this issue and
- Adam Langley for preparing the fix. (CVE-2011-4619)
+ Adam Langley for preparing the fix. [CVE-2011-4619][]
*Adam Langley (Google)*
- * Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
+ * Check parameters are not NULL in GOST ENGINE. [CVE-2012-0027][]
*Andrey Kulikov <amdeich@gmail.com>*
* Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
- and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
+ and Rob Austein <sra@hactrn.net> for fixing it. [CVE-2011-4577][]
*Rob Austein <sra@hactrn.net>*
*Emilia Käsper (Google)*
* Fix the BIO_f_buffer() implementation (which was mixing different
- interpretations of the '..._len' fields).
+ interpretations of the `..._len` fields).
*Adam Langley (Google)*
*Bob Buckholz (Google)*
-### Changes between 1.0.0d and 1.0.0e [6 Sep 2011] ###
+### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
* Fix bug where CRLs with nextUpdate in the past are sometimes accepted
- by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+ by initialising X509_STORE_CTX properly. [CVE-2011-3207][]
*Kaspar Brand <ossl@velox.ch>*
* Fix SSL memory handling for (EC)DH ciphersuites, in particular
- for multi-threaded use of ECDH. (CVE-2011-3210)
+ for multi-threaded use of ECDH. [CVE-2011-3210][]
*Adam Langley (Google)*
* Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
-
- http://eprint.iacr.org/2011/232.pdf
-
+ <http://eprint.iacr.org/2011/232.pdf>
*Billy Bob Brumley and Nicola Tuveri*
-### Changes between 1.0.0c and 1.0.0d [8 Feb 2011] ###
+### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
* Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
*Steve Henson*
-### Changes between 1.0.0b and 1.0.0c [2 Dec 2010] ###
+### Changes between 1.0.0b and 1.0.0c [2 Dec 2010]
* Disable code workaround for ancient and obsolete Netscape browsers
and servers: an attacker can use it in a ciphersuite downgrade attack.
*Ben Laurie*
-### Changes between 1.0.0a and 1.0.0b [16 Nov 2010] ###
+### Changes between 1.0.0a and 1.0.0b [16 Nov 2010]
* Fix extension code to avoid race conditions which can result in a buffer
overrun vulnerability: resumed sessions must not be modified as they can
*Steve Henson*
-### Changes between 1.0.0 and 1.0.0a [01 Jun 2010] ###
+### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
* Check return value of int_rsa_verify in pkey_rsa_verifyrecover
- (CVE-2010-1633)
+ [CVE-2010-1633][]
*Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
-### Changes between 0.9.8n and 1.0.0 [29 Mar 2010] ###
+### Changes between 0.9.8n and 1.0.0 [29 Mar 2010]
* Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
context. The operation can be customised via the ctrl mechanism in
* Add "missing" function EVP_MD_flags() (without this the only way to
retrieve a digest flags is by accessing the structure directly. Update
- EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
+ `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
or cipher is registered as in the "from" argument. Print out all
registered digests in the dgst usage message instead of manually
attempting to work them out.
and this works for ENGINE based algorithms too.
-
*Steve Henson*
* Update Gost ENGINE to support parameter files.
* New function OPENSSL_gmtime_adj() to add a specific number of days and
seconds to a tm structure directly, instead of going through OS
specific date routines. This avoids any issues with OS routines such
- as the year 2038 bug. New *_adj() functions for ASN1 time structures
+ as the year 2038 bug. New `*_adj()` functions for ASN1 time structures
and X509_time_adj_ex() to cover the extended range. The existing
X509_time_adj() is still usable and will no longer have any date issues.
SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
for applications that need to enforce opaque PRF input.
-
*Bodo Moeller*
* Update ssl code to support digests other than SHA1+MD5 for handshake
MAC.
-
*Victor B. Wagner <vitus@cryptocom.ru>*
* Add RFC4507 support to OpenSSL. This includes the corrections in
*Steve Henson*
* Experimental support for use of HMAC via EVP_PKEY interface. This
- allows HMAC to be handled via the EVP_DigestSign*() interface. The
+ allows HMAC to be handled via the `EVP_DigestSign*()` interface. The
EVP_PKEY "key" in this case is the HMAC key, potentially allowing
ENGINE support for HMAC keys which are unextractable. New -mac and
-macopt options to dgst utility.
*Steve Henson*
* New option -sigopt to dgst utility. Update dgst to use
- EVP_Digest{Sign,Verify}*. These two changes make it possible to use
+ `EVP_Digest{Sign,Verify}*`. These two changes make it possible to use
alternative signing parameters such as X9.31 or PSS in the dgst
utility.
AECDH - anonymous ECDH
EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
-
*Bodo Moeller*
* Add additional S/MIME capabilities for AES and GOST ciphers if supported.
*Steve Henson*
- * New functions EVP_Digest{Sign,Verify)*. These are enhanced versions of
- EVP_{Sign,Verify}* which allow an application to customise the signature
+ * New functions `EVP_Digest{Sign,Verify)*`. These are enhanced versions of
+ `EVP_{Sign,Verify}*` which allow an application to customise the signature
process.
*Steve Henson*
*Steve Henson*
* Add functions for main EVP_PKEY_method operations. The undocumented
- functions EVP_PKEY_{encrypt,decrypt} have been renamed to
- EVP_PKEY_{encrypt,decrypt}_old.
+ functions `EVP_PKEY_{encrypt,decrypt}` have been renamed to
+ `EVP_PKEY_{encrypt,decrypt}_old`.
*Steve Henson*
SSL_get_psk_identity
SSL_use_psk_identity_hint
-
*Mika Kousa and Pasi Eronen of Nokia Corporation*
* Add RFC 3161 compliant time stamp request creation, response generation
* Add initial support for TLS extensions, specifically for the server_name
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
have new members for a host name. The SSL data structure has an
- additional member SSL_CTX *initial_ctx so that new sessions can be
+ additional member `SSL_CTX *initial_ctx` so that new sessions can be
stored in that context to allow for session resumption, even after the
SSL has been switched to a new SSL_CTX in reaction to a client's
server_name extension.
default is a warning; it becomes fatal with the '-servername_fatal'
option.
-
*Peter Sylvester, Remy Allais, Christophe Renou*
* Whirlpool hash implementation is added.
*NTT*
-### Changes between 0.9.8m and 0.9.8n [24 Mar 2010] ###
+OpenSSL 0.9.x
+-------------
+
+### Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
* When rejecting SSL/TLS records due to an incorrect version number, never
update s->server with a new major version number. As of
- OpenSSL 0.9.8f if 'short' is longer than 16 bits,
the previous behavior could result in a read attempt at NULL when
receiving specific incorrect SSL/TLS records once record payload
- protection is active. (CVE-2010-0740)
+ protection is active. [CVE-2010-0740][]
*Bodo Moeller, Adam Langley <agl@chromium.org>*
*Tomas Hoger <thoger@redhat.com>*
-### Changes between 0.9.8l and 0.9.8m [25 Feb 2010] ###
+### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
- * Always check bn_wexpand() return values for failure. (CVE-2009-3245)
+ * Always check bn_wexpand() return values for failure. [CVE-2009-3245][]
*Martin Olsson, Neel Mehta*
left. Additionally every future message was buffered, even if the
sequence number made no sense and would be part of another handshake.
So only messages with sequence numbers less than 10 in advance will be
- buffered. (CVE-2009-1378)
+ buffered. [CVE-2009-1378][]
*Robin Seggelmann, discovered by Daniel Mentz*
a DOS attack with sending records with future epochs until there is no
memory left. This patch adds the pqueue_size() function to determine
the size of a buffer and limits the record buffer to 100 entries.
- (CVE-2009-1377)
+ [CVE-2009-1377][]
*Robin Seggelmann, discovered by Daniel Mentz*
* Keep a copy of frag->msg_header.frag_len so it can be used after the
- parent structure is freed. (CVE-2009-1379)
+ parent structure is freed. [CVE-2009-1379][]
*Daniel Mentz*
*Darryl Miles <darryl-mailinglists@netbauds.net>*
- * Add 2.5.4.* OIDs
+ * Add `2.5.4.*` OIDs
*Ilya O. <vrghost@gmail.com>*
-### Changes between 0.9.8k and 0.9.8l [5 Nov 2009] ###
+### Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
* Disable renegotiation completely - this fixes a severe security
- problem (CVE-2009-3555) at the cost of breaking all
+ problem [CVE-2009-3555][] at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
*Ben Laurie*
-### Changes between 0.9.8j and 0.9.8k [25 Mar 2009] ###
+### Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
* Don't set val to NULL when freeing up structures, it is freed up by
- underlying code. If sizeof(void *) > sizeof(long) this can result in
- zeroing past the valid field. (CVE-2009-0789)
+ underlying code. If `sizeof(void *) > sizeof(long)` this can result in
+ zeroing past the valid field. [CVE-2009-0789][]
*Paolo Ganci <Paolo.Ganci@AdNovum.CH>*
* Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
- appear to verify correctly. (CVE-2009-0591)
+ appear to verify correctly. [CVE-2009-0591][]
*Ivan Nestlerode <inestlerode@us.ibm.com>*
* Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
- a legal length. (CVE-2009-0590)
+ a legal length. [CVE-2009-0590][]
*Steve Henson*
*Ben Laurie*
-### Changes between 0.9.8i and 0.9.8j [07 Jan 2009] ###
+### Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
* Properly check EVP_VerifyFinal() and similar return values
- (CVE-2008-5077).
+ [CVE-2008-5077][].
*Ben Laurie, Bodo Moeller, Google Security Team*
*Bodo Moeller*
-### Changes between 0.9.8h and 0.9.8i [15 Sep 2008] ###
+### Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
* Fix NULL pointer dereference if a DTLS server received
- ChangeCipherSpec as first record (CVE-2009-1386).
+ ChangeCipherSpec as first record [CVE-2009-1386][].
*PR #1679*
* Fix a state transition in s3_srvr.c and d1_srvr.c
- (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
+ (was using SSL3_ST_CW_CLNT_HELLO_B, should be `..._ST_SW_SRVR_...`).
*Nagendra Modadugu*
So now fix this for real by retiring the MONT_HELPER macro
in crypto/rsa/rsa_eay.c.
-
*Bodo Moeller; problem pointed out by Marius Schilder*
* Various precautionary measures:
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
builds.
-
*Neel Mehta, Bodo Moeller*
* Allow engines to be "soft loaded" - i.e. optionally don't die if
*Steve Henson*
-### Changes between 0.9.8g and 0.9.8h [28 May 2008] ###
+### Changes between 0.9.8g and 0.9.8h [28 May 2008]
* Fix flaw if 'Server Key exchange message' is omitted from a TLS
handshake which could lead to a client crash as found using the
- Codenomicon TLS test suite (CVE-2008-1672)
+ Codenomicon TLS test suite [CVE-2008-1672][]
*Steve Henson, Mark Cox*
* Fix double free in TLS server name extensions which could lead to
- a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
+ a remote crash found by Codenomicon TLS test suite [CVE-2008-0891][]
*Joe Orton*
anyway, in this constellation we activate additional code
backported from 0.9.9-dev for further performance improvements,
namely BN_from_montgomery_word. (To enable this otherwise,
- e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
-
+ e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
*Andy Polyakov (backport partially by Bodo Moeller)*
*Steve Henson*
-### Changes between 0.9.8f and 0.9.8g [19 Oct 2007] ###
+### Changes between 0.9.8f and 0.9.8g [19 Oct 2007]
* Fix various bugs:
+ Binary incompatibility of ssl_ctx_st structure
*Andy Polyakov, Steve Henson*
-### Changes between 0.9.8e and 0.9.8f [11 Oct 2007] ###
+### Changes between 0.9.8e and 0.9.8f [11 Oct 2007]
* DTLS Handshake overhaul. There were longstanding issues with
OpenSSL DTLS implementation, which were making it impossible for
* Add initial support for TLS extensions, specifically for the server_name
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
have new members for a host name. The SSL data structure has an
- additional member SSL_CTX *initial_ctx so that new sessions can be
+ additional member `SSL_CTX *initial_ctx` so that new sessions can be
stored in that context to allow for session resumption, even after the
SSL has been switched to a new SSL_CTX in reaction to a client's
server_name extension.
default is a warning; it becomes fatal with the '-servername_fatal'
option.
-
*Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson*
* Add AES and SSE2 assembly language support to VC++ build.
*Dean Gaudet (Google)*
* Add the Korean symmetric 128-bit cipher SEED (see
- http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
+ <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and
add SEED ciphersuites from RFC 4162:
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
* Mitigate branch prediction attacks, which can be practical if a
single processor is shared, allowing a spy process to extract
information. For detailed background information, see
- http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
+ <http://eprint.iacr.org/2007/039> (O. Aciicmez, S. Gueron,
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
and Necessary Software Countermeasures"). The core of the change
are new versions BN_div_no_branch() and
BN_BLINDING_new() will now use BN_dup() for the modulus so that
the BN_BLINDING structure gets an independent copy of the
- modulus. This means that the previous "BIGNUM *m" argument to
+ modulus. This means that the previous `BIGNUM *m` argument to
BN_BLINDING_new() and to BN_BLINDING_create_param() now
- essentially becomes "const BIGNUM *m", although we can't actually
+ essentially becomes `const BIGNUM *m`, although we can't actually
change this in the header file before 0.9.9. It allows
RSA_setup_blinding() to use BN_with_flags() on the modulus to
enable BN_FLG_CONSTTIME.
-
*Matthew D Wood (Intel Corp)*
* In the SSL/TLS server implementation, be strict about session ID
* Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
not complete and could lead to a possible single byte overflow
- (CVE-2007-5135) [Ben Laurie]
+ [CVE-2007-5135][] [Ben Laurie]
-### Changes between 0.9.8d and 0.9.8e [23 Feb 2007] ###
+### Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
* Since AES128 and AES256 (and similarly Camellia128 and
Camellia256) share a single mask bit in the logic of
*Goetz Babin-Ebell*
-### Changes between 0.9.8c and 0.9.8d [28 Sep 2006] ###
+### Changes between 0.9.8c and 0.9.8d [28 Sep 2006]
* Introduce limits to prevent malicious keys being able to
- cause a denial of service. (CVE-2006-2940)
+ cause a denial of service. [CVE-2006-2940][]
*Steve Henson, Bodo Moeller*
* Fix ASN.1 parsing of certain invalid structures that can result
- in a denial of service. (CVE-2006-2937) [Steve Henson]
+ in a denial of service. [CVE-2006-2937][] [Steve Henson]
* Fix buffer overflow in SSL_get_shared_ciphers() function.
- (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
+ [CVE-2006-3738][] [Tavis Ormandy and Will Drewry, Google Security Team]
* Fix SSL client code which could crash if connecting to a
- malicious SSLv2 server. (CVE-2006-4343)
+ malicious SSLv2 server. [CVE-2006-4343][]
*Tavis Ormandy and Will Drewry, Google Security Team*
definition to split the single 'unsigned long mask' bitmap into
multiple values to extend the available space.
-
*Bodo Moeller*
-### Changes between 0.9.8b and 0.9.8c [05 Sep 2006] ###
+### Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
* Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
- (CVE-2006-4339) [Ben Laurie and Google Security Team]
+ [CVE-2006-4339][] [Ben Laurie and Google Security Team]
* Add AES IGE and biIGE modes.
* Disable rogue ciphersuites:
- - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
- - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
- - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+ - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+ - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+ - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
The latter two were purportedly from
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
* Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
versions), which is now available for royalty-free use
- (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
+ (see <http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html>).
Also, add Camellia TLS ciphersuites from RFC 4132.
To minimize changes between patchlevels in the OpenSSL 0.9.8
*Steve Henson*
-### Changes between 0.9.8a and 0.9.8b [04 May 2006] ###
+### Changes between 0.9.8a and 0.9.8b [04 May 2006]
* When applying a cipher rule check to see if string match is an explicit
cipher suite and only match that one cipher suite if it is.
*Steve Henson*
* Fixes and enhancements to zlib compression code. We now only use
- "zlib1.dll" and use the default __cdecl calling convention on Win32
+ "zlib1.dll" and use the default `__cdecl` calling convention on Win32
to conform with the standards mentioned here:
- http://www.zlib.net/DLL_FAQ.txt
+ <http://www.zlib.net/DLL_FAQ.txt>
Static zlib linking now works on Windows and the new --with-zlib-include
--with-zlib-lib options to Configure can be used to supply the location
of the headers and library. Gracefully handle case where zlib library
*Richard Levitte*
-### Changes between 0.9.8 and 0.9.8a [11 Oct 2005] ###
+### Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
* Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
- idea. (CVE-2005-2969)
+ idea. [CVE-2005-2969][]
*Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
- Science and Technology [AIST*, Japan)]
+ Science and Technology [AIST], Japan)*
* Add two function to clear and return the verify parameter flags.
*Steve Henson*
-### Changes between 0.9.7h and 0.9.8 [05 Jul 2005] ###
+### Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]
fee for non-commercial use. As before, "no-idea" can be used to
avoid this algorithm.)
-
*Bodo Moeller*
* Add processing of proxy certificates (see RFC 3820). This work was
The blank line is mandatory.
-
*Steve Henson*
* New arguments -certform, -keyform and -pass for s_client and s_server
*Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov*
- * Deprecate BN_[get|set]_params() functions (they were ignored internally).
+ * Deprecate `BN_[get|set]_params()` functions (they were ignored internally).
*Geoff Thorpe*
to clean up those corresponding objects before destroying the hash table
(and losing the object pointers). So some over-zealous constifications in
LHASH have been relaxed so that lh_insert() does not take (nor store) the
- objects as "const" and the lh_doall[_arg] callback wrappers are not
+ objects as "const" and the `lh_doall[_arg]` callback wrappers are not
prototyped to have "const" restrictions on the object pointers they are
given (and so aren't required to cast them away any more).
* The tmdiff.h API was so ugly and minimal that our own timing utility
(speed) prefers to use its own implementation. The two implementations
haven't been consolidated as yet (volunteers?) but the tmdiff API has had
- its object type properly exposed (MS_TM) instead of casting to/from "char
- *". This may still change yet if someone realises MS_TM and "ms_time_***"
+ its object type properly exposed (MS_TM) instead of casting to/from
+ `char *`. This may still change yet if someone realises MS_TM and
+ `ms_time_***`
aren't necessarily the greatest nomenclatures - but this is what was used
internally to the implementation so I've used that for now.
* Change the "progress" mechanism used in key-generation and
primality testing to functions that take a new BN_GENCB pointer in
- place of callback/argument pairs. The new API functions have "_ex"
+ place of callback/argument pairs. The new API functions have `_ex`
postfixes and the older functions are reimplemented as wrappers for
the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
declarations of the old functions to help (graceful) attempts to
* Add named elliptic curves over binary fields from X9.62, SECG,
and WAP/WTLS; add OIDs that were still missing.
- *Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)*
+ *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
* Extend the EC library for elliptic curves over binary fields
(new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
As binary polynomials are represented as BIGNUMs, various members
of the EC_GROUP and EC_POINT data structures can be shared
between the implementations for prime fields and binary fields;
- the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
- are essentially identical to their ..._GFp counterparts.
- (For simplicity, the '..._GFp' prefix has been dropped from
+ the above `..._GF2m functions` (except for EX_GROUP_new_curve_GF2m)
+ are essentially identical to their `..._GFp` counterparts.
+ (For simplicity, the `..._GFp` prefix has been dropped from
various internal method names.)
An internal 'field_div' method (similar to 'field_mul' and
'field_sqr') has been added; this is used only for binary fields.
- *Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)*
+ *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
* Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
through methods ('mul', 'precompute_mult').
and 'ec_wNAF_precomputed_mult') remain the default if these
methods are undefined.
- *Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)*
+ *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
* New function EC_GROUP_get_degree, which is defined through
EC_METHOD. For curves over prime fields, this returns the bit
length of the modulus.
- *Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)*
+ *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
* New functions EC_GROUP_dup, EC_POINT_dup.
(These simply call ..._new and ..._copy).
- *Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)*
+ *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
* Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
Polynomials are represented as BIGNUMs (where the sign bit is not
if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
copyright notice in crypto/bn/bn_gf2m.c before enabling it).
- *Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)*
+ *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
* Add new error code 'ERR_R_DISABLED' that can be used when some
functionality is disabled at compile-time.
*Richard Levitte*
-### Changes between 0.9.7l and 0.9.7m [23 Feb 2007] ###
+### Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
* Cleanse PEM buffers before freeing them since they may contain
sensitive data.
*Steve Henson*
-### Changes between 0.9.7k and 0.9.7l [28 Sep 2006] ###
+### Changes between 0.9.7k and 0.9.7l [28 Sep 2006]
* Introduce limits to prevent malicious keys being able to
- cause a denial of service. (CVE-2006-2940)
+ cause a denial of service. [CVE-2006-2940][]
*Steve Henson, Bodo Moeller*
* Fix ASN.1 parsing of certain invalid structures that can result
- in a denial of service. (CVE-2006-2937) [Steve Henson]
+ in a denial of service. [CVE-2006-2937][] [Steve Henson]
* Fix buffer overflow in SSL_get_shared_ciphers() function.
- (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
+ [CVE-2006-3738][] [Tavis Ormandy and Will Drewry, Google Security Team]
* Fix SSL client code which could crash if connecting to a
- malicious SSLv2 server. (CVE-2006-4343)
+ malicious SSLv2 server. [CVE-2006-4343][]
*Tavis Ormandy and Will Drewry, Google Security Team*
*Bodo Moeller*
-### Changes between 0.9.7j and 0.9.7k [05 Sep 2006] ###
+### Changes between 0.9.7j and 0.9.7k [05 Sep 2006]
* Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
- (CVE-2006-4339) [Ben Laurie and Google Security Team]
+ [CVE-2006-4339][] [Ben Laurie and Google Security Team]
* Change the Unix randomness entropy gathering to use poll() when
possible instead of select(), since the latter has some
* Disable rogue ciphersuites:
- - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
- - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
- - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+ - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+ - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+ - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
The latter two were purportedly from
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
*Bodo Moeller*
-### Changes between 0.9.7i and 0.9.7j [04 May 2006] ###
+### Changes between 0.9.7i and 0.9.7j [04 May 2006]
* Adapt fipsld and the build system to link against the validated FIPS
module in FIPS mode.
*Steve Henson*
-### Changes between 0.9.7h and 0.9.7i [14 Oct 2005] ###
+### Changes between 0.9.7h and 0.9.7i [14 Oct 2005]
* Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
The value now differs depending on if you build for FIPS or not.
*Andy Polyakov*
-### Changes between 0.9.7g and 0.9.7h [11 Oct 2005] ###
+### Changes between 0.9.7g and 0.9.7h [11 Oct 2005]
* Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
- idea. (CVE-2005-2969)
+ idea. [CVE-2005-2969][]
*Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
- Science and Technology [AIST*, Japan)]
+ Science and Technology [AIST, Japan)]*
* Minimal support for X9.31 signatures and PSS padding modes. This is
mainly for FIPS compliance and not fully integrated at this stage.
RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
-
*Matthew D Wood (Intel Corp), with some changes by Bodo Moeller*
* Change the client implementation for SSLv23_method() and
*Steve Henson*
-### Changes between 0.9.7f and 0.9.7g [11 Apr 2005] ###
+### Changes between 0.9.7f and 0.9.7g [11 Apr 2005]
[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]
*Richard Levitte*
-### Changes between 0.9.7e and 0.9.7f [22 Mar 2005] ###
+### Changes between 0.9.7e and 0.9.7f [22 Mar 2005]
* Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
server and client random values. Previously
side effect always do the following basic checks on extensions,
not just when there's an associated purpose to the check:
- - if there is an unhandled critical extension (unless the user
- has chosen to ignore this fault)
- - if the path length has been exceeded (if one is set at all)
- - that certain extensions fit the associated purpose (if one has
- been given)
+ - if there is an unhandled critical extension (unless the user
+ has chosen to ignore this fault)
+ - if the path length has been exceeded (if one is set at all)
+ - that certain extensions fit the associated purpose (if one has
+ been given)
*Richard Levitte*
-### Changes between 0.9.7d and 0.9.7e [25 Oct 2004] ###
+### Changes between 0.9.7d and 0.9.7e [25 Oct 2004]
* Avoid a race condition when CRLs are checked in a multi threaded
environment. This would happen due to the reordering of the revoked
*Steve Henson*
-### Changes between 0.9.7c and 0.9.7d [17 Mar 2004] ###
+### Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
* Fix null-pointer assignment in do_change_cipher_spec() revealed
- by using the Codenomicon TLS Test Tool (CVE-2004-0079)
+ by using the Codenomicon TLS Test Tool [CVE-2004-0079][]
*Joe Orton, Steve Henson*
* Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
- (CVE-2004-0112)
+ [CVE-2004-0112][]
*Joe Orton, Steve Henson*
*Steve Henson*
-### Changes between 0.9.7b and 0.9.7c [30 Sep 2003] ###
+### Changes between 0.9.7b and 0.9.7c [30 Sep 2003]
* Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CVE-2003-0543 and CVE-2003-0544).
- Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
+ Free up ASN1_TYPE correctly if ANY type is invalid [CVE-2003-0545][].
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
-
*Steve Henson*
* New -ignore_err option in ocsp application to stop the server
*Steve Henson*
-### Changes between 0.9.7a and 0.9.7b [10 Apr 2003] ###
+### Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
* Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
*Ulf Moeller*
-### Changes between 0.9.7 and 0.9.7a [19 Feb 2003] ###
+### Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
* In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
- between bad padding and a MAC verification error. (CVE-2003-0078)
+ between bad padding and a MAC verification error. [CVE-2003-0078][]
*Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
*Richard Levitte & Kris Kennaway <kris@obsecurity.org>*
-### Changes between 0.9.6h and 0.9.7 [31 Dec 2002] ###
+### Changes between 0.9.6h and 0.9.7 [31 Dec 2002]
[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
OpenSSL 0.9.7.]
Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized master key in Kerberos-enabled versions.
- (CVE-2002-0657)
+ [CVE-2002-0657][]
*Ben Laurie (CHATS)*
* Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
allows existing EVP_CIPHER_CTX structures to be reused after
- calling EVP_*Final(). This behaviour is used by encryption
+ calling `EVP_*Final()`. This behaviour is used by encryption
BIOs and some applications. This has the side effect that
applications must explicitly clean up cipher contexts with
EVP_CIPHER_CTX_cleanup() or they will leak memory.
*Massimiliano Pala madwolf@openca.org*
- * Change all functions with names starting with des_ to be starting
- with DES_ instead. Add wrappers that are compatible with libdes,
- but are named _ossl_old_des_*. Finally, add macros that map the
- des_* symbols to the corresponding _ossl_old_des_* if libdes
+ * Change all functions with names starting with `des_` to be starting
+ with `DES_` instead. Add wrappers that are compatible with libdes,
+ but are named `_ossl_old_des_*`. Finally, add macros that map the
+ `des_*` symbols to the corresponding `_ossl_old_des_*` if libdes
compatibility is desired. If OpenSSL 0.9.6c compatibility is
- desired, the des_* symbols will be mapped to DES_*, with one
+ desired, the `des_*` symbols will be mapped to `DES_*`, with one
exception.
Since we provide two compatibility mappings, the user needs to
won't work.
NOTE: This is a major break of an old API into a new one. Software
- authors are encouraged to switch to the DES_ style functions. Some
+ authors are encouraged to switch to the `DES_` style functions. Some
time in the future, des_old.h and the libdes compatibility functions
will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
default), and then completely removed.
deal more passive and at run-time, operations deal directly with
RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
dereferencing through an ENGINE pointer any more. Also, the ENGINE
- functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
+ functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
they were not being used by the framework as there is no concept of a
BIGNUM_METHOD and they could not be generalised to the new
'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
*Steve Henson*
* Change mkdef.pl to sort symbols that get the same entry number,
- and make sure the automatically generated functions ERR_load_*
+ and make sure the automatically generated functions `ERR_load_*`
become part of libeay.num as well.
*Richard Levitte*
*Steve Henson*
* Make maximum certificate chain size accepted from the peer application
- settable (SSL*_get/set_max_cert_list()), as proposed by
+ settable (`SSL*_get/set_max_cert_list()`), as proposed by
"Douglas E. Engert" <deengert@anl.gov>.
*Lutz Jaenicke*
*Geoff Thorpe*
- * Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
+ * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
reference counts. This performs normal REF_PRINT/REF_CHECK macros on
the operation, and provides a more encapsulated way for external code
(crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
EVP_DigestFinal(&md, out, NULL);
EVP_MD_CTX_cleanup(&md); /* new function call */
-
*Ben Laurie*
* Make DES key schedule conform to the usual scheme, as well as
*Ben Laurie*
- * Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
- correct _ecb suffix.
+ * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
+ correct `_ecb suffix`.
*Ben Laurie*
*Richard Levitte*
* Changes to Kerberos SSL for RFC 2712 compliance:
- 1. Implemented real KerberosWrapper, instead of just using
- KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
- 2. Implemented optional authenticator field of KerberosWrapper.
+ 1. Implemented real KerberosWrapper, instead of just using
+ KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
+ 2. Implemented optional authenticator field of KerberosWrapper.
Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
and authenticator structs; see crypto/krb5/.
Generalized Kerberos calls to support multiple Kerberos libraries.
- *Vern Staats <staatsvr@asc.hpc.mil>,
- Jeffrey Altman <jaltman@columbia.edu>
- via Richard Levitte*
+ *Vern Staats <staatsvr@asc.hpc.mil>, Jeffrey Altman <jaltman@columbia.edu>
+ via Richard Levitte*
* Cause 'openssl speed' to use fully hard-coded DSA keys as it
already does with RSA. testdsa.h now has 'priv_key/pub_key'
*Bodo Moeller*
- * Modify EVP_Digest*() routines so they now return values. Although the
+ * Modify `EVP_Digest*()` routines so they now return values. Although the
internal software routines can never fail additional hardware versions
might.
* Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
- with "OPENSSL_" to avoid conflicts with other packages and by making
+ with `OPENSSL_` to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.
Additionally, it is now possible to define configuration/platform-
specific names (called "system identities"). In the C code, these
- are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another
- macro with the name beginning with "OPENSSL_SYS_", which is determined
- from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
+ are prefixed with `OPENSSL_SYSNAME_`. e_os2.h will create another
+ macro with the name beginning with `OPENSSL_SYS_`, which is determined
+ from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
what is available.
*Richard Levitte*
* Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
skipped when using openssl x509 multiple times on a single input file,
- e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
+ e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
*Bodo Moeller*
* New OCSP utility. Allows OCSP requests to be generated or
read. The request can be sent to a responder and the output
- parsed, outputed or printed in text form. Not complete yet:
+ parsed, outputted or printed in text form. Not complete yet:
still needs to check the OCSP response validity.
*Steve Henson*
* New subcommands for 'openssl ca':
- 'openssl ca -status <serial>' prints the status of the cert with
+ `openssl ca -status <serial>` prints the status of the cert with
the given serial number (according to the index file).
- 'openssl ca -updatedb' updates the expiry status of certificates
+ `openssl ca -updatedb` updates the expiry status of certificates
in the index file.
*Massimiliano Pala <madwolf@comune.modena.it>*
* Allowing defining memory allocation callbacks that will be given
file name and line number information in additional arguments
- (a const char* and an int). The basic functionality remains, as
+ (a `const char*` and an int). The basic functionality remains, as
well as the original possibility to just replace malloc(),
realloc() and free() by functions that do not know about these
additional arguments. To register and find out the current
CRYPTO_get_locked_mem_ex_functions
These work the same way as CRYPTO_set_mem_functions and friends.
- CRYPTO_get_[locked_]mem_functions now writes 0 where such an
+ `CRYPTO_get_[locked_]mem_functions` now writes 0 where such an
extended allocation function is enabled.
- Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
+ Similarly, `CRYPTO_get_[locked_]mem_ex_functions` writes 0 where
a conventional allocation function is enabled.
*Richard Levitte, Bodo Moeller*
* New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
replace the old function pointer based I/O routines. Change most of
- the *_d2i_bio() and *_d2i_fp() functions to use these.
+ the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.
*Steve Henson*
* Added Kerberos Cipher Suites to be used with TLS, as written in
RFC 2712.
*Veers Staats <staatsvr@asc.hpc.mil>,
- Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte*
+ Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte*
* Reformat the FAQ so the different questions and answers can be divided
in sections depending on the subject.
*Bodo Moeller*
- * Move BN_mod_... functions into new file crypto/bn/bn_mod.c
+ * Move `BN_mod_...` functions into new file crypto/bn/bn_mod.c
(except for exponentiation, which stays in crypto/bn/bn_exp.c,
and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
and add new functions:
* NCONF changes.
NCONF_get_number() has no error checking at all. As a replacement,
- NCONF_get_number_e() is defined (_e for "error checking") and is
+ NCONF_get_number_e() is defined (`_e` for "error checking") and is
promoted strongly. The old NCONF_get_number is kept around for
binary backward compatibility.
Make it possible for methods to load from something other than a BIO,
*Richard Levitte*
-### Changes between 0.9.6l and 0.9.6m [17 Mar 2004] ###
+### Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
* Fix null-pointer assignment in do_change_cipher_spec() revealed
- by using the Codenomicon TLS Test Tool (CVE-2004-0079)
+ by using the Codenomicon TLS Test Tool [CVE-2004-0079][]
*Joe Orton, Steve Henson*
-### Changes between 0.9.6k and 0.9.6l [04 Nov 2003] ###
+### Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
* Fix additional bug revealed by the NISCC test suite:
Stop bug triggering large recursion when presented with
- certain ASN.1 tags (CVE-2003-0851)
+ certain ASN.1 tags [CVE-2003-0851][]
*Steve Henson*
-### Changes between 0.9.6j and 0.9.6k [30 Sep 2003] ###
+### Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
* Fix various bugs revealed by running the NISCC test suite:
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
-
*Steve Henson*
* In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
*Richard Levitte*
-### Changes between 0.9.6i and 0.9.6j [10 Apr 2003] ###
+### Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
* Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
*Bodo Moeller*
-### Changes between 0.9.6h and 0.9.6i [19 Feb 2003] ###
+### Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
* In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
- between bad padding and a MAC verification error. (CVE-2003-0078)
+ between bad padding and a MAC verification error. [CVE-2003-0078][]
*Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Martin Vuagnoux (EPFL, Ilion)*
-### Changes between 0.9.6g and 0.9.6h [5 Dec 2002] ###
+### Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
* New function OPENSSL_cleanse(), which is used to cleanse a section of
memory from its contents. This is done with a counter that will
*Steve Henson*
-### Changes between 0.9.6f and 0.9.6g [9 Aug 2002] ###
+### Changes between 0.9.6f and 0.9.6g [9 Aug 2002]
* [In 0.9.6g-engine release:]
- Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
+ Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use `_stdcall`).
*Lynn Gazis <lgazis@rainbow.com>*
-### Changes between 0.9.6e and 0.9.6f [8 Aug 2002] ###
+### Changes between 0.9.6e and 0.9.6f [8 Aug 2002]
* Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
and get fix the header length calculation.
*Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
- Alon Kantor <alonk@checkpoint.com> (and others),
- Steve Henson*
+ Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*
* Use proper error handling instead of 'assertions' in buffer
overflow checks added in 0.9.6e. This prevents DoS (the
*Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*
-### Changes between 0.9.6d and 0.9.6e [30 Jul 2002] ###
+### Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
* Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
* Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
negative or the content length exceeds the length of the
- supplied buffer. (CVE-2002-0659)
+ supplied buffer. [CVE-2002-0659][]
*Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*
*Ben Laurie (CHATS)*
* Various temporary buffers to hold ASCII versions of integers were
- too small for 64 bit platforms. (CVE-2002-0655)
- *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
+ too small for 64 bit platforms. [CVE-2002-0655][]
+ *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
* Remote buffer overflow in SSL3 protocol - an attacker could
- supply an oversized session ID to a client. (CVE-2002-0656)
+ supply an oversized session ID to a client. [CVE-2002-0656][]
- [Ben Laurie (CHATS)*
+ *Ben Laurie (CHATS)*
* Remote buffer overflow in SSL2 protocol - an attacker could
- supply an oversized client master key. (CVE-2002-0656)
+ supply an oversized client master key. [CVE-2002-0656][]
*Ben Laurie (CHATS)*
-### Changes between 0.9.6c and 0.9.6d [9 May 2002] ###
+### Changes between 0.9.6c and 0.9.6d [9 May 2002]
* Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
encoded as NULL) with id-dsa-with-sha1.
*Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller*
- * Check various X509_...() return values in apps/req.c.
+ * Check various `X509_...()` return values in apps/req.c.
*Nils Larsch <nla@trustcenter.de>*
*D P Chang <dpc@qualys.com>*
-### Changes between 0.9.6b and 0.9.6c [21 dec 2001] ###
+### Changes between 0.9.6b and 0.9.6c [21 dec 2001]
* Fix BN_rand_range bug pointed out by Dominikus Scherkl
<Dominikus.Scherkl@biodata.com>. (The previous implementation
- worked incorrectly for those cases where range = 10..._2 and
- 3*range is two bits longer than range.)
+ worked incorrectly for those cases where range = `10..._2` and
+ `3*range` is two bits longer than range.)
*Bodo Moeller*
instead. BIO_gethostbyname() does not know what timeouts are
appropriate, so entries would stay in cache even when they have
become invalid.
- *Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
+ *Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>*
* Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
faced with a pathologically small ClientHello fragment that does
messages are never sent like this, but this change gives us
strictly correct behaviour at least for TLS.
- [Bodo Moeller*
+ *Bodo Moeller*
* Fix SSL handshake functions and SSL_clear() such that SSL_clear()
never resets s->method to s->ctx->method when called from within
*Lutz Jaenicke*
- * Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
+ * Add alert descriptions for TLSv1 to `SSL_alert_desc_string[_long]()`.
*Lutz Jaenicke*
*Andy Polyakov*
* Modified SSL library such that the verify_callback that has been set
- specificly for an SSL object with SSL_set_verify() is actually being
+ specifically for an SSL object with SSL_set_verify() is actually being
used. Before the change, a verify_callback set with this function was
ignored and the verify_callback() set in the SSL_CTX at the time of
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
*Richard Levitte*
-### Changes between 0.9.6a and 0.9.6b [9 Jul 2001] ###
+### Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
* Change ssleay_rand_bytes (crypto/rand/md_rand.c)
to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
*Bodo Moeller*
- * Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
+ * Don't change `*pointer` in CRYPTO_add_lock() is add_lock_callback is
used: it isn't thread safe and the add_lock_callback should handle
that itself.
*Bodo Moeller*
-### Changes between 0.9.6 and 0.9.6a [5 Apr 2001] ###
+### Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
* Fix a couple of memory leaks in PKCS7_dataDecode()
* Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
On the Importance of Eliminating Errors in Cryptographic
Computations, J. Cryptology 14 (2001) 2, 101-119,
- http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
+ <http://theory.stanford.edu/~dabo/papers/faults.ps.gz>).
*Ulf Moeller*
*Bodo Moeller*
- * Replace rdtsc with _emit statements for VC++ version 5.
+ * Replace rdtsc with `_emit` statements for VC++ version 5.
*Jeremy Cooper <jeremy@baymoo.org>*
* Fix CPU detection on Irix 6.x.
*Kurt Hockenbury <khockenb@stevens-tech.edu> and
- "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*
+ "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*
* Fix X509_NAME bug which produced incorrect encoding if X509_NAME
was empty.
*Ulf Moeller, Bodo Moeller*
- * In the NCONF_...-based implementations for CONF_... queries
+ * In the `NCONF_...`-based implementations for `CONF_...` queries
(crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
a temporary CONF structure with the data component set to NULL
(which gives segmentation faults in lh_retrieve).
*Bodo Moeller; problem reported by Eric Day <eday@concentric.net>*
- * In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
- obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
+ * In `RSA_eay_public_{en,ed}crypt` and RSA_eay_mod_exp (rsa_eay.c),
+ obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
(RSA objects have a reference count access to which is protected
by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
*Lutz Jaenicke*
-### Changes between 0.9.5a and 0.9.6 [24 Sep 2000] ###
+### Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
* In ssl23_get_client_hello, generate an error message when faced
with an initial SSL 3.0/TLS record that is too small to contain the
*Ben Laurie*
- * Add a few more EBCDIC conditionals that make `req' and `x509'
+ * Add a few more EBCDIC conditionals that make `req` and `x509`
work better on such systems.
*Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
*Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
* A demo state-machine implementation was sponsored by
- Nuron (http://www.nuron.com/) and is now available in
+ Nuron (<http://www.nuron.com/>) and is now available in
demos/state_machine.
*Ben Laurie*
and as before, if none of those prefixes are present at the
beginning of the string, LOG_ERR is chosen.
- On Win32, the LOG_* levels are mapped according to this:
+ On Win32, the `LOG_*` levels are mapped according to this:
LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
LOG_WARNING => EVENTLOG_WARNING_TYPE
LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE
-
*Richard Levitte*
* Made it possible to reconfigure with just the configuration
*Steve Henson*
- * crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
- not read locks (CRYPTO_r_[un]lock).
+ * crypto/err.c locking bugfix: Use write locks (`CRYPTO_w_[un]lock`),
+ not read locks (`CRYPTO_r_[un]lock`).
*Bodo Moeller*
*Steve Henson*
- * New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
+ * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT
STRING types. These convert content octets to and from the
underlying type. The actual tag and length octets are
already assumed to have been read in and checked. These
* Reorganisation of the stack code. The macros are now all
collected in safestack.h . Each macro is defined in terms of
- a "stack macro" of the form SKM_<name>(type, a, b). The
+ a "stack macro" of the form `SKM_<name>(type, a, b)`. The
DEBUG_SAFESTACK is now handled in terms of function casts,
this has the advantage of retaining type safety without the
use of additional functions. If DEBUG_SAFESTACK is not defined
*Bodo Moeller*
- * Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
+ * Increase maximum window size in `BN_mod_exp_...` to 6 bits instead of 5
(meaning that now 2^5 values will be precomputed, which is only 4 KB
plus overhead for 1024 bit moduli).
This makes exponentiations about 0.5 % faster for 1024 bit
also involved a cleanup of sorts in safestack.h to more correctly
map type-safe stack functions onto their plain stack counterparts.
This work has also resulted in a variety of "const"ifications of
- lots of the code, especially "_cmp" operations which should normally
+ lots of the code, especially `_cmp` operations which should normally
be prototyped with "const" parameters anyway.
*Geoff Thorpe*
*Bodo Moeller*
- * Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
+ * Call dh_tmp_cb (set by `..._TMP_DH_CB`) with correct 'is_export' flag;
i.e. non-zero for export ciphersuites, zero otherwise.
Previous versions had this flag inverted, inconsistent with
rsa_tmp_cb (..._TMP_RSA_CB).
* CONF library reworked to become more general. A new CONF
configuration file reader "class" is implemented as well as a
- new functions (NCONF_*, for "New CONF") to handle it. The now
- old CONF_* functions are still there, but are reimplemented to
+ new functions (`NCONF_*`, for "New CONF") to handle it. The now
+ old `CONF_*` functions are still there, but are reimplemented to
work in terms of the new functions. Also, a set of functions
to handle the internal storage of the configuration data is
provided to make it easier to write new configuration file
reader "classes" (I can definitely see something reading a
- configuration file in XML format, for example), called _CONF_*,
+ configuration file in XML format, for example), called `_CONF_*`,
or "the configuration storage API"...
The new configuration file reading functions are:
NCONF_default and NCONF_WIN32 are method (or "class") choosers,
NCONF_new creates a new CONF object. This works in the same way
as other interfaces in OpenSSL, like the BIO interface.
- NCONF_dump_* dump the internal storage of the configuration file,
+ `NCONF_dump_*` dump the internal storage of the configuration file,
which is useful for debugging. All other functions take the same
- arguments as the old CONF_* functions wth the exception of the
- first that must be a `CONF *' instead of a `LHASH *'.
+ arguments as the old `CONF_*` functions with the exception of the
+ first that must be a `CONF *` instead of a `LHASH *`.
- To make it easer to use the new classes with the old CONF_* functions,
+ To make it easier to use the new classes with the old `CONF_*` functions,
the function CONF_set_default_method is provided.
*Richard Levitte*
*Geoff Thorpe, with contributions from Richard Levitte*
-### Changes between 0.9.5 and 0.9.5a [1 Apr 2000] ###
+### Changes between 0.9.5 and 0.9.5a [1 Apr 2000]
* Make sure _lrotl and _lrotr are only used with MSVC.
* des_quad_cksum() byte order bug fix.
*Ulf Möller, using the problem description in krb4-0.9.7, where
- the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>*
+ the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>*
* Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
discouraged.
*Lutz Behnke <behnke@trustcenter.de>*
-### Changes between 0.9.4 and 0.9.5 [28 Feb 2000] ###
+### Changes between 0.9.4 and 0.9.5 [28 Feb 2000]
* PKCS7_encrypt() was adding text MIME headers twice because they
were added manually and by SMIME_crlf_copy().
* Change names of new functions to the new get1/get0 naming
convention: After 'get1', the caller owns a reference count
- and has to call ..._free; 'get0' returns a pointer to some
+ and has to call `..._free`; 'get0' returns a pointer to some
data structure without incrementing reference counters.
(Some of the existing 'get' functions increment a reference
counter, some don't.)
* Fix potential buffer overrun problem in BIO_printf().
*Ulf Möller, using public domain code by Patrick Powell; problem
- pointed out by David Sacerdote <das33@cornell.edu>*
+ pointed out by David Sacerdote <das33@cornell.edu>*
* Support EGD <http://www.lothar.com/tech/crypto/>. New functions
RAND_egd() and RAND_status(). In the command line application,
*Steve Henson*
- * ..._ctrl functions now have corresponding ..._callback_ctrl functions
- where the 'void *' argument is replaced by a function pointer argument.
- Previously 'void *' was abused to point to functions, which works on
+ * `..._ctrl` functions now have corresponding `..._callback_ctrl` functions
+ where the `void *` argument is replaced by a function pointer argument.
+ Previously `void *` was abused to point to functions, which works on
many platforms, but is not correct. As these functions are usually
called by macros defined in OpenSSL header files, most source code
should work without changes.
*Richard Levitte*
- * <openssl/opensslconf.h> (which is created by Configure) now contains
+ * `<openssl/opensslconf.h>` (which is created by Configure) now contains
sections with information on -D... compiler switches used for
compiling the library so that applications can see them. To enable
- one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
+ one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
must be defined. E.g.,
#define OPENSSL_ALGORITHM_DEFINES
#include <openssl/opensslconf.h>
- defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
+ defines all pertinent `NO_<algo>` symbols, such as NO_IDEA, NO_RSA, etc.
*Richard Levitte, Ulf and Bodo Möller*
*Andy Polyakov*
* Bug fix for BN_div() when the first words of num and divisor are
- equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
+ equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
*Ulf Möller*
*Ulf Möller*
- * Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
+ * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
include a #define from the old name to the new. The original intent
was that statically linked binaries could for example just call
SSLeay_add_all_ciphers() to just add ciphers to the table and not
*Martin Kraemer <Martin.Kraemer@Mch.SNI.De>*
* Source code cleanups: use const where appropriate, eliminate casts,
- use void * instead of char * in lhash.
+ use `void *` instead of `char *` in lhash.
*Ulf Möller*
*Ulf Möller, Bodo Möller*
* Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
- used (char *) instead of (void *) and had casts all over the place.
+ used `char *` instead of `void *` and had casts all over the place.
*Steve Henson*
*Steve Henson*
* Changes to X509_ATTRIBUTE utilities. These have been renamed from
- X509_*() to X509at_*() on the grounds that they don't handle X509
+ `X509_*()` to `X509at_*()` on the grounds that they don't handle X509
structures and behave in an analogous way to the X509v3 functions:
they shouldn't be called directly but wrapper functions should be used
instead.
* Add missing #ifndefs that caused missing symbols when building libssl
as a shared library without RSA. Use #ifndef NO_SSL2 instead of
- NO_RSA in ssl/s2*.c.
+ NO_RSA in `ssl/s2*.c`.
*Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller*
There are two big advantages in doing things this way. The extensions
can be looked up immediately and no longer need to be "added" using
X509V3_add_standard_extensions(): this function now does nothing.
- *Side note: I get *lots* of email saying the extension code doesn't
- work because people forget to call this function*
+ Side note: I get *lots* of email saying the extension code doesn't
+ work because people forget to call this function.
Also no dynamic allocation is done unless new extensions are added:
so if we don't add custom extensions there is no need to call
X509V3_EXT_cleanup().
it clearly returns an error if you try to read the wrong kind of key.
Added a -pubkey option to the 'x509' utility to output the public key.
- Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*()
- (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add
- EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*())
- that do the same as the EVP_PKEY_assign_*() except they up the
+ Also rename the `EVP_PKEY_get_*()` to `EVP_PKEY_rget_*()`
+ (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add
+ `EVP_PKEY_rset_*()` functions (renamed to `EVP_PKEY_set1_*()`)
+ that do the same as the `EVP_PKEY_assign_*()` except they up the
reference count of the added key (they don't "swallow" the
supplied key).
*Steve Henson*
- * Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).
+ * Fix assembler for Alpha (tested only on DEC OSF not Linux or `*BSD`).
The problem was that one of the replacement routines had not been working
since SSLeay releases. For now the offending routine has been replaced
with non-optimised assembler. Even so, this now gives around 95%
*Steve Henson*
* Add function equivalents to the various macros in asn1.h. The old
- macros are retained with an M_ prefix. Code inside the library can
- use the M_ macros. External code (including the openssl utility)
+ macros are retained with an `M_` prefix. Code inside the library can
+ use the `M_` macros. External code (including the openssl utility)
should *NOT* in order to be "shared library friendly".
*Steve Henson*
*Steve Henson*
- * New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search
+ * New `X509V3_{X509,CRL,REVOKED}_get_d2i()` functions. These will search
for, obtain and decode and extension and obtain its critical flag.
This allows all the necessary extension code to be handled in a
single function call.
usual with these problems it takes *ages* to find and the fix is
trivial: move one line.
- *Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) *
+ *Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer)*
* Ugly workaround to get s_client and s_server working under Windows. The
old code wouldn't work because it needed to select() on sockets and the
*Bodo Moeller*
-### Changes between 0.9.3a and 0.9.4 [09 Aug 1999] ###
+### Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
* Install libRSAglue.a when OpenSSL is built with RSAref.
*Ralf S. Engelschall*
- * A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
+ * A few more `#ifndef NO_FP_API / #endif` pairs for consistency.
*Andrija Antonijevic <TheAntony2@bigfoot.com>*
For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
much faster than DH_generate_parameters (which creates parameters
- where p = 2*q + 1), and also the smaller q makes DH computations
+ where `p = 2*q + 1`), and also the smaller q makes DH computations
much more efficient (160-bit exponentiation instead of 1024-bit
exponentiation); so this provides a convenient way to support DHE
ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
to
....(char *buf, int size, int rwflag, void *userdata);
so that applications can pass data to their callbacks:
- The PEM[_ASN1]_{read,write}... functions and macros now take an
+ The `PEM[_ASN1]_{read,write}...` functions and macros now take an
additional void * argument, which is just handed through whenever
the password callback is called.
1. Casts to avoid "loss of data" warnings in p5_crpt2.c
2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
comparison" warnings.
- 3. Add sk_<TYPE>_sort to DEF file generator and do make update.
+ 3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.
*Steve Henson*
store the length when it is first determined and use it later, rather
than trying to keep track of where data is copied and updating it to
point to the end.
- *Steve Henson, reported by Brien Wheeler
- <bwheeler@authentica-security.com>*
+ *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
* Add a new function PKCS7_signatureVerify. This allows the verification
of a PKCS#7 signature but with the signing certificate passed to the
*Steve Henson*
- * Complete the PEM_* macros with DECLARE_PEM versions to replace the
+ * Complete the `PEM_*` macros with DECLARE_PEM versions to replace the
function prototypes in pem.h, also change util/mkdef.pl to add the
necessary function names.
*Steve Henson*
* Fix determination of Perl interpreter: A perl or perl5
- _directory_ in $PATH was also accepted as the interpreter.
+ *directory* in $PATH was also accepted as the interpreter.
*Ralf S. Engelschall*
*Bodo Moeller*
-f 0
* DES CBC did not update the IV. Weird.
*Ben Laurie*
*Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
- * Make callbacks for key generation use void * instead of char *.
+ * Make callbacks for key generation use `void *` instead of `char *`.
*Ben Laurie*
*Bodo Moeller*
-
-### Changes between 0.9.3 and 0.9.3a [29 May 1999] ###
+### Changes between 0.9.3 and 0.9.3a [29 May 1999]
* New configuration variant "sco5-gcc".
*Richard Levitte*
-
-### Changes between 0.9.2b and 0.9.3 [24 May 1999] ###
+### Changes between 0.9.2b and 0.9.3 [24 May 1999]
* Bignum library bug fix. IRIX 6 passes "make test" now!
This also avoids the problems with SC4.2 and unpatched SC5.
*Steve Henson*
* Make SSL library a little more fool-proof by not requiring any longer
- that SSL_set_{accept,connect}_state be called before
- SSL_{accept,connect} may be used (SSL_set_..._state is omitted
+ that `SSL_set_{accept,connect}_state` be called before
+ `SSL_{accept,connect}` may be used (`SSL_set_..._state` is omitted
in many applications because usually everything *appeared* to work as
intended anyway -- now it really works as intended).
*Ulf Möller*
- * Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
+ * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
- -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+
+ -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
*Ralf S. Engelschall*
* Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
copying pointers. The cert_st handling is changed by this in
various ways (and thus what used to be known as ctx->default_cert
- is now called ctx->cert, since we don't resort to s->ctx->[default_]cert
+ is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
any longer when s->cert does not give us what we need).
ssl_cert_instantiate becomes obsolete by this change.
As soon as we've got the new code right (possibly it already is?),
Note that using the SSL API in certain dirty ways now will result
in different behaviour than observed with earlier library versions:
- Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
+ Changing settings for an `SSL_CTX *ctx` after having done s = SSL_new(ctx)
does not influence s as it used to.
In order to clean up things more thoroughly, inside SSL_SESSION
*Anonymous*
- * Add missing sk_<type>_unshift() function to safestack.h
+ * Add missing `sk_<type>_unshift()` function to safestack.h
*Ralf S. Engelschall*
*Niels Poppe <niels@netbox.org>*
- * New Configure option no-<cipher> (rsa, idea, rc5, ...).
+ * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
*Ulf Möller*
than the old method: it now uses a modified version of Ulf's parser to
read the ANSI prototypes in all header files (thus the old K&R definitions
aren't needed for error creation any more) and do a better job of
- translating function codes into names. The old 'ASN1 error code imbedded
+ translating function codes into names. The old 'ASN1 error code embedded
in a comment' is no longer necessary and it doesn't use .err files which
have now been deleted. Also the error code call doesn't have to appear all
on one line (which resulted in some large lines...).
*Steve Henson*
- * Change #include filenames from <foo.h> to <openssl/foo.h>.
+ * Change #include filenames from `<foo.h>` to `<openssl/foo.h>`.
*Bodo Moeller*
*Ben Laurie*
- * Add `openssl ca -revoke <certfile>' facility which revokes a certificate
- specified in <certfile> by updating the entry in the index.txt file.
+ * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
+ specified in `<certfile>` by updating the entry in the index.txt file.
This way one no longer has to edit the index.txt file manually for
revoking a certificate. The -revoke option does the gory details now.
*Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall*
- * Fix `openssl crl -noout -text' combination where `-noout' killed the
- `-text' option at all and this way the `-noout -text' combination was
- inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'.
+ * Fix `openssl crl -noout -text` combination where `-noout` killed the
+ `-text` option at all and this way the `-noout -text` combination was
+ inconsistent in `openssl crl` with the friends in `openssl x509|rsa|dsa`.
*Ralf S. Engelschall*
*Ralf S. Engelschall*
- * Bugfix: In test/testenc, don't test "openssl <cipher>" for
+ * Bugfix: In test/testenc, don't test `openssl <cipher>` for
ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
all available ciphers including rc5, which was forgotten until now.
In order to let the testing shell script know which algorithms
are available, a new (up to now undocumented) command
- "openssl list-cipher-commands" is used.
+ `openssl list-cipher-commands` is used.
*Bodo Moeller*
*Soren S. Jorvang <soren@t.dk>*
-
-### Changes between 0.9.1c and 0.9.2b [22 Mar 1999] ###
+### Changes between 0.9.1c and 0.9.2b [22 Mar 1999]
* Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
doesn't work when the session is reused. Coming soon!
* Add a useful kludge to allow package maintainers to specify compiler and
other platforms details on the command line without having to patch the
- Configure script everytime: One now can use ``perl Configure
- <id>:<details>'', i.e. platform ids are allowed to have details appended
+ Configure script every time: One now can use
+ `perl Configure <id>:<details>`,
+ i.e. platform ids are allowed to have details appended
to them (separated by colons). This is treated as there would be a static
- pre-configured entry in Configure's %table under key <id> with value
- <details> and ``perl Configure <id>'' is called. So, when you want to
+ pre-configured entry in Configure's %table under key `<id>` with value
+ `<details>` and `perl Configure <id>` is called. So, when you want to
perform a quick test-compile under FreeBSD 3.1 with pgcc and without
- assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"''
+ assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
now, which overrides the FreeBSD-elf entry on-the-fly.
*Ralf S. Engelschall*
*Steve Henson*
- * Added the new `Includes OpenSSL Cryptography Software' button as
+ * Added the new 'Includes OpenSSL Cryptography Software' button as
doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
button and can be used by applications based on OpenSSL to show the
relationship to the OpenSSL project.
* Experiment with doxygen documentation. Currently only partially applied to
ssl/ssl_lib.c.
- See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with
+ See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with
openssl.doxy as the configuration file.
*Ben Laurie*
*Richard Levitte <levitte@stacken.kth.se>*
- * Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c
+ * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c
*Richard Levitte <levitte@stacken.kth.se>*
* Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
- from `int' to `unsigned int' because it's a length and initialized by
- EVP_DigestFinal() which expects an `unsigned int *'.
+ from `int` to `unsigned int` because it is a length and initialized by
+ EVP_DigestFinal() which expects an `unsigned int *`.
*Richard Levitte <levitte@stacken.kth.se>*
foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
against Bleichbacher's attack on RSA.
*Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
- Ben Laurie*
+ Ben Laurie*
* Updates to the new SSL compression code
*Steve Henson*
- * Overhauled the Perl interface (perl/*):
+ * Overhauled the Perl interface:
- ported BN stuff to OpenSSL's different BN library
- made the perl/ source tree CVS-aware
- renamed the package from SSLeay to OpenSSL (the files still contain
*Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
- * Make sure `make rehash' target really finds the `openssl' program.
+ * Make sure `make rehash` target really finds the `openssl` program.
*Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
*Alan Batie <batie@aahz.jf.intel.com>*
- * Fixed ms/32all.bat script: `no_asm' -> `no-asm'
+ * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
*Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
*Steve Henson*
- * Make _all_ *_free functions accept a NULL pointer.
+ * Make *all* `*_free` functions accept a NULL pointer.
*Frans Heymans <fheymans@isaserver.be>*
*Steve Henson and Ben Laurie*
- * First cut of a cleanup for apps/. First the `ssleay' program is now named
- `openssl' and second, the shortcut symlinks for the `openssl <command>'
+ * First cut of a cleanup for apps/. First the `ssleay` program is now named
+ `openssl` and second, the shortcut symlinks for the `openssl <command>`
are no longer created. This way we have a single and consistent command
- line interface `openssl <command>', similar to `cvs <command>'.
+ line interface `openssl <command>`, similar to `cvs <command>`.
*Ralf S. Engelschall, Paul Sutton and Ben Laurie*
*Ben Laurie*
-
-### Changes between 0.9.1b and 0.9.1c [23-Dec-1998] ###
+### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
* Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
changed SSLeay to OpenSSL in version strings.
*Andrew Cooke / Interrader Ldt., Ralf S. Engelschall*
- * Fixed nasty rehash problem under `make -f Makefile.ssl links'
+ * Fixed nasty rehash problem under `make -f Makefile.ssl links`
when "ssleay" is still not found.
*Ralf S. Engelschall*
*The OpenSSL Project*
-
-### Changes between 0.9.0b and 0.9.1b [not released] ###
+### Changes between 0.9.0b and 0.9.1b [not released]
* Updated a few CA certificates under certs/
bytes sent in the client random.
*Edward Bishop <ebishop@spyglass.com>*
+
+<!-- Links -->
+
+[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
+[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
+[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
+[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
+[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
+[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
+[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
+[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
+[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
+[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
+[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
+[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
+[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
+[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
+[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
+[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
+[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
+[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
+[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
+[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
+[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
+[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
+[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
+[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
+[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
+[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
+[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
+[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
+[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
+[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
+[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
+[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
+[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
+[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
+[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
+[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
+[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
+[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
+[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
+[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
+[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
+[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
+[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
+[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
+[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
+[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
+[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
+[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
+[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
+[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
+[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
+[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
+[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
+[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
+[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
+[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
+[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
+[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
+[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
+[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
+[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
+[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
+[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
+[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
+[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
+[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
+[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
+[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
+[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
+[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
+[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
+[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
+[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
+[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
+[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
+[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
+[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
+[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
+[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
+[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
+[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
+[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
+[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
+[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
+[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
+[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
+[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
+[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
+[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
+[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
+[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
+[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
+[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
+[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
+[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
+[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
+[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
+[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
+[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
+[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
+[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
+[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
+[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
+[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
+[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
+[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
+[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
+[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
+[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
+[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
+[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
+[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
+[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
+[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
+[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
+[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
+[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
+[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
+[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
+[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
+[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
+[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
+[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
+[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
+[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
+[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
+[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
+[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
+[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
+[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
+[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
+[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
+[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
+[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
+[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
+[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
+[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
+[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
+[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
+[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
+[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
+[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
+[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
+[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
+[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
+[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
+[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
+[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
+[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
+[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
+[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
+[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
+[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
+[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
+[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
+[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
+[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
+[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
+[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
+[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
projects / openssl.git / blobdiff