OpenSSL CHANGES
_______________
- Changes between 1.1.0e and 1.1.0f [xx XXX xxxx]
+ This is a high-level summary of the most important changes.
+ For a full list of changes, see the git commit log; for example,
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
+
+ Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
+
+ *) Fixed a text canonicalisation bug in CMS
+
+ Where a CMS detached signature is used with text content the text goes
+ through a canonicalisation process first prior to signing or verifying a
+ signature. This process strips trailing space at the end of lines, converts
+ line terminators to CRLF and removes additional trailing line terminators
+ at the end of a file. A bug in the canonicalisation process meant that
+ some characters, such as form-feed, were incorrectly treated as whitespace
+ and removed. This is contrary to the specification (RFC5485). This fix
+ could mean that detached text data signed with an earlier version of
+ OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
+ signed with a fixed OpenSSL may fail to verify with an earlier version of
+ OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
+ and use the "-binary" flag (for the "cms" command line application) or set
+ the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
+ [Matt Caswell]
+
+ Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
+
+ *) Constructed ASN.1 types with a recursive definition could exceed the stack
+
+ Constructed ASN.1 types with a recursive definition (such as can be found
+ in PKCS7) could eventually exceed the stack given malicious input with
+ excessive recursion. This could result in a Denial Of Service attack. There
+ are no such structures used within SSL/TLS that come from untrusted sources
+ so this is considered safe.
+
+ This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
+ project.
+ (CVE-2018-0739)
+ [Matt Caswell]
+
+ *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
+
+ Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
+ effectively reduced to only comparing the least significant bit of each
+ byte. This allows an attacker to forge messages that would be considered as
+ authenticated in an amount of tries lower than that guaranteed by the
+ security claims of the scheme. The module can only be compiled by the
+ HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
+
+ This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
+ (IBM).
+ (CVE-2018-0733)
+ [Andy Polyakov]
+
+ *) Add a build target 'build_all_generated', to build all generated files
+ and only that. This can be used to prepare everything that requires
+ things like perl for a system that lacks perl and then move everything
+ to that system and do the rest of the build there.
+ [Richard Levitte]
+
+ *) Backport SSL_OP_NO_RENGOTIATION
+
+ OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
+ (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
+ changes this is no longer possible in 1.1.0. Therefore the new
+ SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
+ 1.1.0 to provide equivalent functionality.
+
+ Note that if an application built against 1.1.0h headers (or above) is run
+ using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
+ accepted but nothing will happen, i.e. renegotiation will not be prevented.
+ [Matt Caswell]
+
+ *) Removed the OS390-Unix config target. It relied on a script that doesn't
+ exist.
+ [Rich Salz]
+
+ *) rsaz_1024_mul_avx2 overflow bug on x86_64
+
+ There is an overflow bug in the AVX2 Montgomery multiplication procedure
+ used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+ Analysis suggests that attacks against RSA and DSA as a result of this
+ defect would be very difficult to perform and are not believed likely.
+ Attacks against DH1024 are considered just feasible, because most of the
+ work necessary to deduce information about a private key may be performed
+ offline. The amount of resources required for such an attack would be
+ significant. However, for an attack on TLS to be meaningful, the server
+ would have to share the DH1024 private key among multiple clients, which is
+ no longer an option since CVE-2016-0701.
+
+ This only affects processors that support the AVX2 but not ADX extensions
+ like Intel Haswell (4th generation).
+
+ This issue was reported to OpenSSL by David Benjamin (Google). The issue
+ was originally found via the OSS-Fuzz project.
+ (CVE-2017-3738)
+ [Andy Polyakov]
+
+ Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
+
+ *) bn_sqrx8x_internal carry bug on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+
+ This only affects processors that support the BMI1, BMI2 and ADX extensions
+ like Intel Broadwell (5th generation) and later or AMD Ryzen.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3736)
+ [Andy Polyakov]
+
+ *) Malformed X.509 IPAddressFamily could cause OOB read
+
+ If an X.509 certificate has a malformed IPAddressFamily extension,
+ OpenSSL could do a one-byte buffer overread. The most likely result
+ would be an erroneous display of the certificate in text format.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3735)
+ [Rich Salz]
+
+ *) Ignore the '-named_curve auto' value for compatibility of applications
+ with OpenSSL 1.0.2.
+ [Tomas Mraz <tmraz@fedoraproject.org>]
+
+ *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
+ [Emilia Käsper]
+
+ Changes between 1.1.0e and 1.1.0f [25 May 2017]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
to work with OPENSSL_NO_SSL_INTERN defined.
[Steve Henson]
- *) Add SRP support.
- [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]
+ *) A long standing patch to add support for SRP from EdelWeb (Peter
+ Sylvester and Christophe Renou) was integrated.
+ [Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
+ <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
+ Ben Laurie]
*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
[Steve Henson]