OpenSSL CHANGES
_______________
- Changes between 1.0.2d and 1.0.2e [xx XXX xxxx]
+ This is a high-level summary of the most important changes.
+ For a full list of changes, see the git commit log; for example,
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
- *) In DSA_generate_parameters_ex, if the provided seed is too short,
- return an error
- [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
+ Changes between 1.0.2m and 1.0.2n [xx XXX xxxx]
- *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
- from RFC4279, RFC4785, RFC5487, RFC5489.
+ *)
- Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
- original RSA_PSK patch.
- [Steve Henson]
+ Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
- *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
- era flag was never set throughout the codebase (only read). Also removed
- SSL3_FLAGS_POP_BUFFER which was only used if
- SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
- [Matt Caswell]
+ *) bn_sqrx8x_internal carry bug on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+
+ This only affects processors that support the BMI1, BMI2 and ADX extensions
+ like Intel Broadwell (5th generation) and later or AMD Ryzen.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3736)
+ [Andy Polyakov]
+
+ *) Malformed X.509 IPAddressFamily could cause OOB read
+
+ If an X.509 certificate has a malformed IPAddressFamily extension,
+ OpenSSL could do a one-byte buffer overread. The most likely result
+ would be an erroneous display of the certificate in text format.
- *) Changed the default name options in the "ca", "crl", "req" and "x509"
- to be "oneline" instead of "compat".
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3735)
+ [Rich Salz]
+
+ Changes between 1.0.2k and 1.0.2l [25 May 2017]
+
+ *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
[Richard Levitte]
- *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
- not aware of clients that still exhibit this bug, and the workaround
- hasn't been working properly for a while.
- [Emilia Käsper]
+ Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
- *) The return type of BIO_number_read() and BIO_number_written() as well as
- the corresponding num_read and num_write members in the BIO structure has
- changed from unsigned long to uint64_t. On platforms where an unsigned
- long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
- transferred.
- [Matt Caswell]
+ *) Truncated packet could crash via OOB read
- *) Given the pervasive nature of TLS extensions it is inadvisable to run
- OpenSSL without support for them. It also means that maintaining
- the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
- not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
- [Matt Caswell]
+ If one side of an SSL/TLS path is running on a 32-bit host and a specific
+ cipher is being used, then a truncated packet can cause that host to
+ perform an out-of-bounds read, usually resulting in a crash.
- *) Removed support for the two export grade static DH ciphersuites
- EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
- were newly added (along with a number of other static DH ciphersuites) to
- 1.0.2. However the two export ones have *never* worked since they were
- introduced. It seems strange in any case to be adding new export
- ciphersuites, and given "logjam" it also does not seem correct to fix them.
- [Matt Caswell]
+ This issue was reported to OpenSSL by Robert Święcki of Google.
+ (CVE-2017-3731)
+ [Andy Polyakov]
- *) Version negotiation has been rewritten. In particular SSLv23_method(),
- SSLv23_client_method() and SSLv23_server_method() have been deprecated,
- and turned into macros which simply call the new preferred function names
- TLS_method(), TLS_client_method() and TLS_server_method(). All new code
- should use the new names instead. Also as part of this change the ssl23.h
- header file has been removed.
- [Matt Caswell]
+ *) BN_mod_exp may produce incorrect results on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
+ similar to CVE-2015-3193 but must be treated as a separate problem.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3732)
+ [Andy Polyakov]
+
+ *) Montgomery multiplication may produce incorrect results
+
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an input
+ of the attacker's direct choice. Otherwise the bug can manifest itself as
+ transient authentication and key negotiation failures or reproducible
+ erroneous outcome of public-key operations with specially crafted input.
+ Among EC algorithms only Brainpool P-512 curves are affected and one
+ presumably can attack ECDH key negotiation. Impact was not analyzed in
+ detail, because pre-requisites for attack are considered unlikely. Namely
+ multiple clients have to choose the curve in question and the server has to
+ share the private key among them, neither of which is default behaviour.
+ Even then only clients that chose the curve will be affected.
+
+ This issue was publicly reported as transient failures and was not
+ initially recognized as a security issue. Thanks to Richard Morgan for
+ providing reproducible case.
+ (CVE-2016-7055)
+ [Andy Polyakov]
- *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
- code and the associated standard is no longer considered fit-for-purpose.
+ *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+ or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+ prevent issues where no progress is being made and the peer continually
+ sends unrecognised record types, using up resources processing them.
[Matt Caswell]
- *) RT2547 was closed. When generating a private key, try to make the
- output file readable only by the owner. This behavior change might
- be noticeable when interacting with other software.
+ Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
- *) Added HTTP GET support to the ocsp command.
- [Rich Salz]
+ *) Missing CRL sanity check
+
+ A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+ but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
+ CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
- *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
+ This issue only affects the OpenSSL 1.0.2i
+ (CVE-2016-7052)
[Matt Caswell]
- *) Added support for TLS extended master secret from
- draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
- initial patch which was a great help during development.
- [Steve Henson]
+ Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
- *) All libssl internal structures have been removed from the public header
- files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
- now redundant). Users should not attempt to access internal structures
- directly. Instead they should use the provided API functions.
- [Matt Caswell]
+ *) OCSP Status Request extension unbounded memory growth
- *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
- Access to deprecated functions can be re-enabled by running config with
- "enable-deprecated". In addition applications wishing to use deprecated
- functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
- will, by default, disable some transitive includes that previously existed
- in the header files (e.g. ec.h will no longer, by default, include bn.h)
- [Matt Caswell]
+ A malicious client can send an excessively large OCSP Status Request
+ extension. If that client continually requests renegotiation, sending a
+ large OCSP Status Request extension each time, then there will be unbounded
+ memory growth on the server. This will eventually lead to a Denial Of
+ Service attack through memory exhaustion. Servers with a default
+ configuration are vulnerable even if they do not support OCSP. Builds using
+ the "no-ocsp" build time option are not affected.
- *) Added support for OCB mode. OpenSSL has been granted a patent license
- compatible with the OpenSSL license for use of OCB. Details are available
- at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
- for OCB can be removed by calling config with no-ocb.
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6304)
[Matt Caswell]
- *) SSLv2 support has been removed. It still supports receiving a SSLv2
- compatible client hello.
- [Kurt Roeckx]
-
- *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
- done while fixing the error code for the key-too-small case.
- [Annie Yousar <a.yousar@informatik.hu-berlin.de>]
+ *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
+ HIGH to MEDIUM.
- *) CA.sh has been removmed; use CA.pl instead.
+ This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
+ Leurent (INRIA)
+ (CVE-2016-2183)
[Rich Salz]
- *) Removed old DES API.
- [Rich Salz]
+ *) OOB write in MDC2_Update()
- *) Remove various unsupported platforms:
- Sony NEWS4
- BEOS and BEOS_R5
- NeXT
- SUNOS
- MPE/iX
- Sinix/ReliantUNIX RM400
- DGUX
- NCR
- Tandem
- Cray
- 16-bit platforms such as WIN16
- [Rich Salz]
+ An overflow can occur in MDC2_Update() either if called directly or
+ through the EVP_DigestUpdate() function using MDC2. If an attacker
+ is able to supply very large amounts of input data after a previous
+ call to EVP_EncryptUpdate() with a partial block then a length check
+ can overflow resulting in a heap corruption.
- *) Clean up OPENSSL_NO_xxx #define's
- Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
- Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
- OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
- OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
- OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
- Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
- OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
- OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
- OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
- Remove MS_STATIC; it's a relic from platforms <32 bits.
- [Rich Salz]
+ The amount of data needed is comparable to SIZE_MAX which is impractical
+ on most platforms.
- *) Cleaned up dead code
- Remove all but one '#ifdef undef' which is to be looked at.
- [Rich Salz]
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6303)
+ [Stephen Henson]
- *) Clean up calling of xxx_free routines.
- Just like free(), fix most of the xxx_free routines to accept
- NULL. Remove the non-null checks from callers. Save much code.
- [Rich Salz]
+ *) Malformed SHA512 ticket DoS
- *) Add secure heap for storage of private keys (when possible).
- Add BIO_s_secmem(), CBIGNUM, etc.
- Contributed by Akamai Technologies under our Corporate CLA.
- [Rich Salz]
+ If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
+ DoS attack where a malformed ticket will result in an OOB read which will
+ ultimately crash.
- *) Experimental support for a new, fast, unbiased prime candidate generator,
- bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
- [Felix Laurie von Massenbach <felix@erbridge.co.uk>]
+ The use of SHA512 in TLS session tickets is comparatively rare as it requires
+ a custom server callback and ticket lookup mechanism.
- *) New output format NSS in the sess_id command line tool. This allows
- exporting the session id and the master key in NSS keylog format.
- [Martin Kaiser <martin@kaiser.cx>]
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6302)
+ [Stephen Henson]
- *) Harmonize version and its documentation. -f flag is used to display
- compilation flags.
- [mancha <mancha1@zoho.com>]
+ *) OOB write in BN_bn2dec()
- *) Fix eckey_priv_encode so it immediately returns an error upon a failure
- in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.
- [mancha <mancha1@zoho.com>]
+ The function BN_bn2dec() does not check the return value of BN_div_word().
+ This can cause an OOB write if an application uses this function with an
+ overly large BIGNUM. This could be a problem if an overly large certificate
+ or CRL is printed out from an untrusted source. TLS is not affected because
+ record limits will reject an oversized certificate before it is parsed.
- *) Fix some double frees. These are not thought to be exploitable.
- [mancha <mancha1@zoho.com>]
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-2182)
+ [Stephen Henson]
- *) A missing bounds check in the handling of the TLS heartbeat extension
- can be used to reveal up to 64k of memory to a connected client or
- server.
+ *) OOB read in TS_OBJ_print_bio()
- Thanks for Neel Mehta of Google Security for discovering this bug and to
- Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
- preparing the fix (CVE-2014-0160)
- [Adam Langley, Bodo Moeller]
+ The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
+ the total length the OID text representation would use and not the amount
+ of data written. This will result in OOB reads when large OIDs are
+ presented.
- *) Fix for the attack described in the paper "Recovering OpenSSL
- ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
- by Yuval Yarom and Naomi Benger. Details can be obtained from:
- http://eprint.iacr.org/2014/140
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-2180)
+ [Stephen Henson]
- Thanks to Yuval Yarom and Naomi Benger for discovering this
- flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
- [Yuval Yarom and Naomi Benger]
+ *) Pointer arithmetic undefined behaviour
- *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
- this fixes a limitation in previous versions of OpenSSL.
- [Steve Henson]
+ Avoid some undefined pointer arithmetic
- *) Experimental encrypt-then-mac support.
-
- Experimental support for encrypt then mac from
- draft-gutmann-tls-encrypt-then-mac-02.txt
+ A common idiom in the codebase is to check limits in the following manner:
+ "p + len > limit"
- To enable it set the appropriate extension number (0x42 for the test
- server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
-
- For non-compliant peers (i.e. just about everything) this should have no
- effect.
+ Where "p" points to some malloc'd data of SIZE bytes and
+ limit == p + SIZE
- WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
+ "len" here could be from some externally supplied data (e.g. from a TLS
+ message).
- [Steve Henson]
+ The rules of C pointer arithmetic are such that "p + len" is only well
+ defined where len <= SIZE. Therefore the above idiom is actually
+ undefined behaviour.
- *) Add EVP support for key wrapping algorithms, to avoid problems with
- existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
- the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
- algorithms and include tests cases.
- [Steve Henson]
+ For example this could cause problems if some malloc implementation
+ provides an address for "p" such that "p + len" actually overflows for
+ values of len that are too big and therefore p + len < limit.
- *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
- enveloped data.
- [Steve Henson]
+ This issue was reported to OpenSSL by Guido Vranken
+ (CVE-2016-2177)
+ [Matt Caswell]
- *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
- MGF1 digest and OAEP label.
- [Steve Henson]
+ *) Constant time flag not preserved in DSA signing
+
+ Operations in the DSA signing algorithm should run in constant time in
+ order to avoid side channel attacks. A flaw in the OpenSSL DSA
+ implementation means that a non-constant time codepath is followed for
+ certain operations. This has been demonstrated through a cache-timing
+ attack to be sufficient for an attacker to recover the private DSA key.
+
+ This issue was reported by César Pereida (Aalto University), Billy Brumley
+ (Tampere University of Technology), and Yuval Yarom (The University of
+ Adelaide and NICTA).
+ (CVE-2016-2178)
+ [César Pereida]
+
+ *) DTLS buffered message DoS
+
+ In a DTLS connection where handshake messages are delivered out-of-order
+ those messages that OpenSSL is not yet ready to process will be buffered
+ for later use. Under certain circumstances, a flaw in the logic means that
+ those messages do not get removed from the buffer even though the handshake
+ has been completed. An attacker could force up to approx. 15 messages to
+ remain in the buffer when they are no longer required. These messages will
+ be cleared when the DTLS connection is closed. The default maximum size for
+ a message is 100k. Therefore the attacker could force an additional 1500k
+ to be consumed per connection. By opening many simulataneous connections an
+ attacker could cause a DoS attack through memory exhaustion.
+
+ This issue was reported to OpenSSL by Quan Luo.
+ (CVE-2016-2179)
+ [Matt Caswell]
- *) Make openssl verify return errors.
- [Chris Palmer <palmer@google.com> and Ben Laurie]
+ *) DTLS replay protection DoS
- *) New function ASN1_TIME_diff to calculate the difference between two
- ASN1_TIME structures or one structure and the current time.
- [Steve Henson]
+ A flaw in the DTLS replay attack protection mechanism means that records
+ that arrive for future epochs update the replay protection "window" before
+ the MAC for the record has been validated. This could be exploited by an
+ attacker by sending a record for the next epoch (which does not have to
+ decrypt or have a valid MAC), with a very large sequence number. This means
+ that all subsequent legitimate packets are dropped causing a denial of
+ service for a specific DTLS connection.
- *) Update fips_test_suite to support multiple command line options. New
- test to induce all self test errors in sequence and check expected
- failures.
- [Steve Henson]
+ This issue was reported to OpenSSL by the OCAP audit team.
+ (CVE-2016-2181)
+ [Matt Caswell]
- *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
- sign or verify all in one operation.
- [Steve Henson]
+ *) Certificate message OOB reads
- *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
- test programs and fips_test_suite. Includes functionality to parse
- the minimal script output of fipsalgest.pl directly.
- [Steve Henson]
+ In OpenSSL 1.0.2 and earlier some missing message length checks can result
+ in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
+ theoretical DoS risk but this has not been observed in practice on common
+ platforms.
- *) Add authorisation parameter to FIPS_module_mode_set().
- [Steve Henson]
+ The messages affected are client certificate, client certificate request
+ and server certificate. As a result the attack can only be performed
+ against a client or a server which enables client authentication.
- *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
- [Steve Henson]
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6306)
+ [Stephen Henson]
- *) Use separate DRBG fields for internal and external flags. New function
- FIPS_drbg_health_check() to perform on demand health checking. Add
- generation tests to fips_test_suite with reduced health check interval to
- demonstrate periodic health checking. Add "nodh" option to
- fips_test_suite to skip very slow DH test.
- [Steve Henson]
+ Changes between 1.0.2g and 1.0.2h [3 May 2016]
- *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
- based on NID.
- [Steve Henson]
+ *) Prevent padding oracle in AES-NI CBC MAC check
- *) More extensive health check for DRBG checking many more failure modes.
- New function FIPS_selftest_drbg_all() to handle every possible DRBG
- combination: call this in fips_test_suite.
- [Steve Henson]
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ AES-NI.
- *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
- and POST to handle Dual EC cases.
- [Steve Henson]
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack (CVE-2013-0169). The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
- *) Add support for canonical generation of DSA parameter 'g'. See
- FIPS 186-3 A.2.3.
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ (CVE-2016-2107)
+ [Kurt Roeckx]
- *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
- POST to handle HMAC cases.
- [Steve Henson]
+ *) Fix EVP_EncodeUpdate overflow
- *) Add functions FIPS_module_version() and FIPS_module_version_text()
- to return numerical and string versions of the FIPS module number.
- [Steve Henson]
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
- *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
- FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
- outside the validated module in the FIPS capable OpenSSL.
- [Steve Henson]
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ the PEM_write_bio* family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
- *) Minor change to DRBG entropy callback semantics. In some cases
- there is no multiple of the block length between min_len and
- max_len. Allow the callback to return more than max_len bytes
- of entropy but discard any extra: it is the callback's responsibility
- to ensure that the extra data discarded does not impact the
- requested amount of entropy.
- [Steve Henson]
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2105)
+ [Matt Caswell]
- *) Add PRNG security strength checks to RSA, DSA and ECDSA using
- information in FIPS186-3, SP800-57 and SP800-131A.
- [Steve Henson]
+ *) Fix EVP_EncryptUpdate overflow
+
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call to
+ EVP_EncryptUpdate() with a partial block then a length check can overflow
+ resulting in a heap corruption. Following an analysis of all OpenSSL
+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
+ the first called function after an EVP_EncryptInit(), and therefore that
+ specific call must be safe. The second form is where the length passed to
+ EVP_EncryptUpdate() can be seen from the code to be some small value and
+ therefore there is no possibility of an overflow. Since all instances are
+ one of these two forms, it is believed that there can be no overflows in
+ internal code due to this problem. It should be noted that
+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+ of these calls have also been analysed too and it is believed there are no
+ instances in internal usage where an overflow could occur.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2106)
+ [Matt Caswell]
- *) CCM support via EVP. Interface is very similar to GCM case except we
- must supply all data in one chunk (i.e. no update, final) and the
- message length must be supplied if AAD is used. Add algorithm test
- support.
- [Steve Henson]
+ *) Prevent ASN.1 BIO excessive memory allocation
- *) Initial version of POST overhaul. Add POST callback to allow the status
- of POST to be monitored and/or failures induced. Modify fips_test_suite
- to use callback. Always run all selftests even if one fails.
- [Steve Henson]
+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+ a short invalid encoding can casuse allocation of large amounts of memory
+ potentially consuming excessive resources or exhausting memory.
- *) XTS support including algorithm test driver in the fips_gcmtest program.
- Note: this does increase the maximum key length from 32 to 64 bytes but
- there should be no binary compatibility issues as existing applications
- will never use XTS mode.
- [Steve Henson]
+ Any application parsing untrusted data through d2i BIO functions is
+ affected. The memory based functions such as d2i_X509() are *not* affected.
+ Since the memory based functions are used by the TLS library, TLS
+ applications are not affected.
- *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
- to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
- performs algorithm blocking for unapproved PRNG types. Also do not
- set PRNG type in FIPS_mode_set(): leave this to the application.
- Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
- the standard OpenSSL PRNG: set additional data to a date time vector.
- [Steve Henson]
+ This issue was reported by Brian Carpenter.
+ (CVE-2016-2109)
+ [Stephen Henson]
- *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
- This shouldn't present any incompatibility problems because applications
- shouldn't be using these directly and any that are will need to rethink
- anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
- [Steve Henson]
+ *) EBCDIC overread
- *) Extensive self tests and health checking required by SP800-90 DRBG.
- Remove strength parameter from FIPS_drbg_instantiate and always
- instantiate at maximum supported strength.
- [Steve Henson]
+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
+ in arbitrary stack data being returned in the buffer.
- *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
- [Steve Henson]
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2176)
+ [Matt Caswell]
- *) New algorithm test program fips_dhvs to handle DH primitives only testing.
- [Steve Henson]
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ [Todd Short]
- *) New function DH_compute_key_padded() to compute a DH key and pad with
- leading zeroes if needed: this complies with SP800-56A et al.
- [Steve Henson]
+ *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
+ default.
+ [Kurt Roeckx]
- *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
- anything, incomplete, subject to change and largely untested at present.
- [Steve Henson]
+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
- *) Modify fipscanisteronly build option to only build the necessary object
- files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
- [Steve Henson]
+ Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
+
+ * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+ Builds that are not configured with "enable-weak-ssl-ciphers" will not
+ provide any "EXPORT" or "LOW" strength ciphers.
+ [Viktor Dukhovni]
+
+ * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
+ is by default disabled at build-time. Builds that are not configured with
+ "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
+ users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+ will need to explicitly call either of:
+
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+ or
+ SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+ as appropriate. Even if either of those is used, or the application
+ explicitly uses the version-specific SSLv2_method() or its client and
+ server variants, SSLv2 ciphers vulnerable to exhaustive search key
+ recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
+ ciphers, and SSLv2 56-bit DES are no longer available.
+ (CVE-2016-0800)
+ [Viktor Dukhovni]
+
+ *) Fix a double-free in DSA code
+
+ A double free bug was discovered when OpenSSL parses malformed DSA private
+ keys and could lead to a DoS attack or memory corruption for applications
+ that receive DSA private keys from untrusted sources. This scenario is
+ considered rare.
+
+ This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2016-0705)
+ [Stephen Henson]
- *) Add experimental option FIPSSYMS to give all symbols in
- fipscanister.o and FIPS or fips prefix. This will avoid
- conflicts with future versions of OpenSSL. Add perl script
- util/fipsas.pl to preprocess assembly language source files
- and rename any affected symbols.
- [Steve Henson]
+ *) Disable SRP fake user seed to address a server memory leak.
- *) Add selftest checks and algorithm block of non-fips algorithms in
- FIPS mode. Remove DES2 from selftests.
- [Steve Henson]
+ Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
- *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
- return internal method without any ENGINE dependencies. Add new
- tiny fips sign and verify functions.
- [Steve Henson]
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
+ was changed to ignore the "fake user" SRP seed, even if the seed
+ is configured.
- *) New build option no-ec2m to disable characteristic 2 code.
- [Steve Henson]
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ (CVE-2016-0798)
+ [Emilia Käsper]
- *) New build option "fipscanisteronly". This only builds fipscanister.o
- and (currently) associated fips utilities. Uses the file Makefile.fips
- instead of Makefile.org as the prototype.
- [Steve Henson]
+ *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+
+ In the BN_hex2bn function the number of hex digits is calculated using an
+ int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
+ large values of |i| this can result in |bn_expand| not allocating any
+ memory because |i * 4| is negative. This can leave the internal BIGNUM data
+ field as NULL leading to a subsequent NULL ptr deref. For very large values
+ of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+ In this case memory is allocated to the internal BIGNUM data field, but it
+ is insufficiently sized leading to heap corruption. A similar issue exists
+ in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
+ is ever called by user applications with very large untrusted hex/dec data.
+ This is anticipated to be a rare occurrence.
+
+ All OpenSSL internal usage of these functions use data that is not expected
+ to be untrusted, e.g. config file data or application command line
+ arguments. If user developed applications generate config file data based
+ on untrusted data then it is possible that this could also lead to security
+ consequences. This is also anticipated to be rare.
+
+ This issue was reported to OpenSSL by Guido Vranken.
+ (CVE-2016-0797)
+ [Matt Caswell]
- *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
- Update fips_gcmtest to use IV generator.
- [Steve Henson]
+ *) Fix memory issues in BIO_*printf functions
+
+ The internal |fmtstr| function used in processing a "%s" format string in
+ the BIO_*printf functions could overflow while calculating the length of a
+ string and cause an OOB read when printing very long strings.
+
+ Additionally the internal |doapr_outch| function can attempt to write to an
+ OOB memory location (at an offset from the NULL pointer) in the event of a
+ memory allocation failure. In 1.0.2 and below this could be caused where
+ the size of a buffer to be allocated is greater than INT_MAX. E.g. this
+ could be in processing a very long "%s" format string. Memory leaks can
+ also occur.
+
+ The first issue may mask the second issue dependent on compiler behaviour.
+ These problems could enable attacks where large amounts of untrusted data
+ is passed to the BIO_*printf functions. If applications use these functions
+ in this way then they could be vulnerable. OpenSSL itself uses these
+ functions when printing out human-readable dumps of ASN.1 data. Therefore
+ applications that print this data could be vulnerable if the data is from
+ untrusted sources. OpenSSL command line applications could also be
+ vulnerable where they print out ASN.1 data, or if untrusted data is passed
+ as command line arguments.
+
+ Libssl is not considered directly vulnerable. Additionally certificates etc
+ received via remote connections via libssl are also unlikely to be able to
+ trigger these issues because of message size limits enforced within libssl.
+
+ This issue was reported to OpenSSL Guido Vranken.
+ (CVE-2016-0799)
+ [Matt Caswell]
- *) Initial, experimental EVP support for AES-GCM. AAD can be input by
- setting output buffer to NULL. The *Final function must be
- called although it will not retrieve any additional data. The tag
- can be set or retrieved with a ctrl. The IV length is by default 12
- bytes (96 bits) but can be set to an alternative value. If the IV
- length exceeds the maximum IV length (currently 16 bytes) it cannot be
- set before the key.
- [Steve Henson]
+ *) Side channel attack on modular exponentiation
- *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
- underlying do_cipher function handles all cipher semantics itself
- including padding and finalisation. This is useful if (for example)
- an ENGINE cipher handles block padding itself. The behaviour of
- do_cipher is subtly changed if this flag is set: the return value
- is the number of characters written to the output buffer (zero is
- no longer an error code) or a negative error code. Also if the
- input buffer is NULL and length 0 finalisation should be performed.
- [Steve Henson]
+ A side-channel attack was found which makes use of cache-bank conflicts on
+ the Intel Sandy-Bridge microarchitecture which could lead to the recovery
+ of RSA keys. The ability to exploit this issue is limited as it relies on
+ an attacker who has control of code in a thread running on the same
+ hyper-threaded core as the victim thread which is performing decryptions.
- *) If a candidate issuer certificate is already part of the constructed
- path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
- [Steve Henson]
+ This issue was reported to OpenSSL by Yuval Yarom, The University of
+ Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
+ Nadia Heninger, University of Pennsylvania with more information at
+ http://cachebleed.info.
+ (CVE-2016-0702)
+ [Andy Polyakov]
- *) Improve forward-security support: add functions
+ *) Change the req app to generate a 2048-bit RSA/DSA key by default,
+ if no keysize is specified with default_bits. This fixes an
+ omission in an earlier change that changed all RSA/DSA key generation
+ apps to use 2048 bits by default.
+ [Emilia Käsper]
- void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
- void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
+ Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
+
+ *) DH small subgroups
+
+ Historically OpenSSL only ever generated DH parameters based on "safe"
+ primes. More recently (in version 1.0.2) support was provided for
+ generating X9.42 style parameter files such as those required for RFC 5114
+ support. The primes used in such files may not be "safe". Where an
+ application is using DH configured with parameters based on primes that are
+ not "safe" then an attacker could use this fact to find a peer's private
+ DH exponent. This attack requires that the attacker complete multiple
+ handshakes in which the peer uses the same private DH exponent. For example
+ this could be used to discover a TLS server's private DH exponent if it's
+ reusing the private DH exponent or it's using a static DH ciphersuite.
+
+ OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
+ TLS. It is not on by default. If the option is not set then the server
+ reuses the same private DH exponent for the life of the server process and
+ would be vulnerable to this attack. It is believed that many popular
+ applications do set this option and would therefore not be at risk.
+
+ The fix for this issue adds an additional check where a "q" parameter is
+ available (as is the case in X9.42 based parameters). This detects the
+ only known attack, and is the only possible defense for static DH
+ ciphersuites. This could have some performance impact.
+
+ Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
+ default and cannot be disabled. This could have some performance impact.
+
+ This issue was reported to OpenSSL by Antonio Sanso (Adobe).
+ (CVE-2016-0701)
+ [Matt Caswell]
- for use by SSL/TLS servers; the callback function will be called whenever a
- new session is created, and gets to decide whether the session may be
- cached to make it resumable (return 0) or not (return 1). (As by the
- SSL/TLS protocol specifications, the session_id sent by the server will be
- empty to indicate that the session is not resumable; also, the server will
- not generate RFC 4507 (RFC 5077) session tickets.)
+ *) SSLv2 doesn't block disabled ciphers
- A simple reasonable callback implementation is to return is_forward_secure.
- This parameter will be set to 1 or 0 depending on the ciphersuite selected
- by the SSL/TLS server library, indicating whether it can provide forward
- security.
- [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
- *) New -verify_name option in command line utilities to set verification
- parameters by name.
- [Steve Henson]
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ and Sebastian Schinzel.
+ (CVE-2015-3197)
+ [Viktor Dukhovni]
- *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
- Add CMAC pkey methods.
- [Steve Henson]
+ *) Reject DH handshakes with parameters shorter than 1024 bits.
+ [Kurt Roeckx]
- *) Experimental renegotiation in s_server -www mode. If the client
- browses /reneg connection is renegotiated. If /renegcert it is
- renegotiated requesting a certificate.
- [Steve Henson]
+ Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
+
+ *) BN_mod_exp may produce incorrect results on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites.
+
+ This issue was reported to OpenSSL by Hanno Böck.
+ (CVE-2015-3193)
+ [Andy Polyakov]
- *) Add an "external" session cache for debugging purposes to s_server. This
- should help trace issues which normally are only apparent in deployed
- multi-process servers.
- [Steve Henson]
+ *) Certificate verify crash with missing PSS parameter
- *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
- return value is ignored. NB. The functions RAND_add(), RAND_seed(),
- BIO_set_cipher() and some obscure PEM functions were changed so they
- can now return an error. The RAND changes required a change to the
- RAND_METHOD structure.
- [Steve Henson]
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and absent mask generation function parameter. Since these
+ routines are used to verify certificate signature algorithms this can be
+ used to crash any certificate verification operation and exploited in a
+ DoS attack. Any application which performs certificate verification is
+ vulnerable including OpenSSL clients and servers which enable client
+ authentication.
+
+ This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+ (CVE-2015-3194)
+ [Stephen Henson]
- *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
- a gcc attribute to warn if the result of a function is ignored. This
- is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
- whose return value is often ignored.
- [Steve Henson]
->>>>>>> f00a10b... GH367: Fix dsa keygen for too-short seed
+ *) X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2015-3195)
+ [Stephen Henson]
+
+ *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+ This changes the decoding behaviour for some invalid messages,
+ though the change is mostly in the more lenient direction, and
+ legacy behaviour is preserved as much as possible.
+ [Emilia Käsper]
+
+ *) In DSA_generate_parameters_ex, if the provided seed is too short,
+ use a random seed, as already documented.
+ [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
+ (CVE-2015-1793)
[Matt Caswell]
+ *) Race condition handling PSK identify hint
+
+ If PSK identity hints are received by a multi-threaded client then
+ the values are wrongly updated in the parent SSL_CTX structure. This can
+ result in a race condition potentially leading to a double free of the
+ identify hint data.
+ (CVE-2015-3196)
+ [Stephen Henson]
+
Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI