OpenSSL CHANGES
_______________
- Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
+ Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
+
+ *) SRTP Memory Leak.
+
+ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+ sends a carefully crafted handshake message, to cause OpenSSL to fail
+ to free up to 64k of memory causing a memory leak. This could be
+ exploited in a Denial Of Service attack. This issue affects OpenSSL
+ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
+ whether SRTP is used or configured. Implementations of OpenSSL that
+ have been compiled with OPENSSL_NO_SRTP defined are not affected.
+
+ The fix was developed by the OpenSSL team.
+ (CVE-2014-3513)
+ [OpenSSL team]
+
+ *) Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ (CVE-2014-3567)
+ [Steve Henson]
+
+ *) Build option no-ssl3 is incomplete.
+
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ (CVE-2014-3568)
+ [Akamai and the OpenSSL team]
+
+ *) Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ (CVE-2014-3566)
+ [Adam Langley, Bodo Moeller]
+
+ *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
+ ARMv5 through ARMv8, as opposite to "locking" it to single one.
+ So far those who have to target multiple plaforms would compromise
+ and argue that binary targeting say ARMv5 would still execute on
+ ARMv8. "Universal" build resolves this compromise by providing
+ near-optimal performance even on newer platforms.
+ [Andy Polyakov]
+
+ *) Accelerated NIST P-256 elliptic curve implementation for x86_64
+ (other platforms pending).
+ [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
+
+ *) Add support for the SignedCertificateTimestampList certificate and
+ OCSP response extensions from RFC6962.
+ [Rob Stradling]
+
+ *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+ [Bodo Moeller]
+
+ *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
+ This covers AES, SHA256/512 and GHASH. "Initial" means that most
+ common cases are optimized and there still is room for further
+ improvements. Vector Permutation AES for Altivec is also added.
+ [Andy Polyakov]
+
+ *) Add support for little-endian ppc64 Linux target.
+ [Marcelo Cerri (IBM)]
+
+ *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
+ SHA1, SHA256 and GHASH. "Initial" means that most common cases
+ are optimized and there still is room for further improvements.
+ Both 32- and 64-bit modes are supported.
+ [Andy Polyakov, Ard Biesheuvel (Linaro)]
+
+ *) Improved ARMv7 NEON support.
+ [Andy Polyakov]
+
+ *) Support for SPARC Architecture 2011 crypto extensions, first
+ implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
+ SHA256/512, MD5, GHASH and modular exponentiation.
+ [Andy Polyakov, David Miller]
+
+ *) Accelerated modular exponentiation for Intel processors, a.k.a.
+ RSAZ.
+ [Shay Gueron & Vlad Krasnov (Intel Corp)]
+
+ *) Support for new and upcoming Intel processors, including AVX2,
+ BMI and SHA ISA extensions. This includes additional "stitched"
+ implementations, AESNI-SHA256 and GCM, and multi-buffer support
+ for TLS encrypt.
+
+ This work was sponsored by Intel Corp.
+ [Andy Polyakov]
+
+ *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
+ supports both DTLS 1.2 and 1.0 and should use whatever version the peer
+ supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
+ [Steve Henson]
+
+ *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
+ this fixes a limiation in previous versions of OpenSSL.
+ [Steve Henson]
+
+ *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
+ MGF1 digest and OAEP label.
+ [Steve Henson]
+
+ *) Add EVP support for key wrapping algorithms, to avoid problems with
+ existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
+ the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
+ algorithms and include tests cases.
+ [Steve Henson]
+
+ *) Add functions to allocate and set the fields of an ECDSA_METHOD
+ structure.
+ [Douglas E. Engert, Steve Henson]
+
+ *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
+ difference in days and seconds between two tm or ASN1_TIME structures.
+ [Steve Henson]
+
+ *) Add -rev test option to s_server to just reverse order of characters
+ received by client and send back to server. Also prints an abbreviated
+ summary of the connection parameters.
+ [Steve Henson]
+
+ *) New option -brief for s_client and s_server to print out a brief summary
+ of connection parameters.
+ [Steve Henson]
+
+ *) Add callbacks for arbitrary TLS extensions.
+ [Trevor Perrin <trevp@trevp.net> and Ben Laurie]
+
+ *) New option -crl_download in several openssl utilities to download CRLs
+ from CRLDP extension in certificates.
+ [Steve Henson]
+
+ *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+ [Steve Henson]
+
+ *) New function X509_CRL_diff to generate a delta CRL from the difference
+ of two full CRLs. Add support to "crl" utility.
+ [Steve Henson]
+
+ *) New functions to set lookup_crls function and to retrieve
+ X509_STORE from X509_STORE_CTX.
+ [Steve Henson]
+
+ *) Print out deprecated issuer and subject unique ID fields in
+ certificates.
+ [Steve Henson]
+
+ *) Extend OCSP I/O functions so they can be used for simple general purpose
+ HTTP as well as OCSP. New wrapper function which can be used to download
+ CRLs using the OCSP API.
+ [Steve Henson]
+
+ *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
+ [Steve Henson]
+
+ *) SSL_CONF* functions. These provide a common framework for application
+ configuration using configuration files or command lines.
+ [Steve Henson]
+
+ *) SSL/TLS tracing code. This parses out SSL/TLS records using the
+ message callback and prints the results. Needs compile time option
+ "enable-ssl-trace". New options to s_client and s_server to enable
+ tracing.
+ [Steve Henson]
+
+ *) New ctrl and macro to retrieve supported points extensions.
+ Print out extension in s_server and s_client.
+ [Steve Henson]
+
+ *) New functions to retrieve certificate signature and signature
+ OID NID.
+ [Steve Henson]
+
+ *) Add functions to retrieve and manipulate the raw cipherlist sent by a
+ client to OpenSSL.
+ [Steve Henson]
+
+ *) New Suite B modes for TLS code. These use and enforce the requirements
+ of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
+ only use Suite B curves. The Suite B modes can be set by using the
+ strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
+ [Steve Henson]
+
+ *) New chain verification flags for Suite B levels of security. Check
+ algorithms are acceptable when flags are set in X509_verify_cert.
+ [Steve Henson]
+
+ *) Make tls1_check_chain return a set of flags indicating checks passed
+ by a certificate chain. Add additional tests to handle client
+ certificates: checks for matching certificate type and issuer name
+ comparison.
+ [Steve Henson]
+
+ *) If an attempt is made to use a signature algorithm not in the peer
+ preference list abort the handshake. If client has no suitable
+ signature algorithms in response to a certificate request do not
+ use the certificate.
+ [Steve Henson]
+
+ *) If server EC tmp key is not in client preference list abort handshake.
+ [Steve Henson]
+
+ *) Add support for certificate stores in CERT structure. This makes it
+ possible to have different stores per SSL structure or one store in
+ the parent SSL_CTX. Include distint stores for certificate chain
+ verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
+ to build and store a certificate chain in CERT structure: returing
+ an error if the chain cannot be built: this will allow applications
+ to test if a chain is correctly configured.
+
+ Note: if the CERT based stores are not set then the parent SSL_CTX
+ store is used to retain compatibility with existing behaviour.
+
+ [Steve Henson]
+
+ *) New function ssl_set_client_disabled to set a ciphersuite disabled
+ mask based on the current session, check mask when sending client
+ hello and checking the requested ciphersuite.
+ [Steve Henson]
+
+ *) New ctrls to retrieve and set certificate types in a certificate
+ request message. Print out received values in s_client. If certificate
+ types is not set with custom values set sensible values based on
+ supported signature algorithms.
+ [Steve Henson]
+
+ *) Support for distinct client and server supported signature algorithms.
+ [Steve Henson]
+
+ *) Add certificate callback. If set this is called whenever a certificate
+ is required by client or server. An application can decide which
+ certificate chain to present based on arbitrary criteria: for example
+ supported signature algorithms. Add very simple example to s_server.
+ This fixes many of the problems and restrictions of the existing client
+ certificate callback: for example you can now clear an existing
+ certificate and specify the whole chain.
+ [Steve Henson]
+
+ *) Add new "valid_flags" field to CERT_PKEY structure which determines what
+ the certificate can be used for (if anything). Set valid_flags field
+ in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
+ to have similar checks in it.
+
+ Add new "cert_flags" field to CERT structure and include a "strict mode".
+ This enforces some TLS certificate requirements (such as only permitting
+ certificate signature algorithms contained in the supported algorithms
+ extension) which some implementations ignore: this option should be used
+ with caution as it could cause interoperability issues.
+ [Steve Henson]
+
+ *) Update and tidy signature algorithm extension processing. Work out
+ shared signature algorithms based on preferences and peer algorithms
+ and print them out in s_client and s_server. Abort handshake if no
+ shared signature algorithms.
+ [Steve Henson]
+
+ *) Add new functions to allow customised supported signature algorithms
+ for SSL and SSL_CTX structures. Add options to s_client and s_server
+ to support them.
+ [Steve Henson]
+
+ *) New function SSL_certs_clear() to delete all references to certificates
+ from an SSL structure. Before this once a certificate had been added
+ it couldn't be removed.
+ [Steve Henson]
+
+ *) Integrate hostname, email address and IP address checking with certificate
+ verification. New verify options supporting checking in opensl utility.
+ [Steve Henson]
+
+ *) Fixes and wildcard matching support to hostname and email checking
+ functions. Add manual page.
+ [Florian Weimer (Red Hat Product Security Team)]
+
+ *) New functions to check a hostname email or IP address against a
+ certificate. Add options x509 utility to print results of checks against
+ a certificate.
+ [Steve Henson]
+
+ *) Fix OCSP checking.
+ [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
+
+ *) Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust (e.g., -addtrust option to the x509
+ utility) or reject.
+ [Steve Henson]
+
+ *) Add -trusted_first option which attempts to find certificates in the
+ trusted store even if an untrusted chain is also supplied.
+ [Steve Henson]
+
+ *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
+ platform support for Linux and Android.
+ [Andy Polyakov]
+
+ *) Support for linux-x32, ILP32 environment in x86_64 framework.
+ [Andy Polyakov]
+
+ *) Experimental multi-implementation support for FIPS capable OpenSSL.
+ When in FIPS mode the approved implementations are used as normal,
+ when not in FIPS mode the internal unapproved versions are used instead.
+ This means that the FIPS capable OpenSSL isn't forced to use the
+ (often lower perfomance) FIPS implementations outside FIPS mode.
+ [Steve Henson]
*) Transparently support X9.42 DH parameters when calling
PEM_read_bio_DHparameters. This means existing applications can handle
certificates.
[Steve Henson]
- Changes between 1.0.1b and 1.0.1c [xx XXX xxxx]
+ *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
+ the certificate.
+ Note: Related 1.0.2-beta specific macros X509_get_cert_info,
+ X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
+ X509_CINF_get_signature were reverted post internal team review.
+
+ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
+
+ *) Build fixes for the Windows and OpenVMS platforms
+ [Matt Caswell and Richard Levitte]
+
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
+ *) Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ (CVE-2015-0204)
+ [Steve Henson]
+
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
+ *) Fix various certificate fingerprint issues.
+
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
+
+ 1. Reject signatures with non zero unused bits.
+
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
+
+ 2. Check certificate algorithm consistency.
+
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
+
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+ 3. Check DSA/ECDSA signatures use DER.
+
+ Reencode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
+
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
+
+ (CVE-2014-8275)
+ [Steve Henson]
+
+ *) Do not resume sessions on the server if the negotiated protocol
+ version does not match the session's version. Resuming with a different
+ version, while not strictly forbidden by the RFC, is of questionable
+ sanity and breaks all known clients.
+ [David Benjamin, Emilia Käsper]
+
+ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+ early CCS messages during renegotiation. (Note that because
+ renegotiation is encrypted, this early CCS was not exploitable.)
+ [Emilia Käsper]
+
+ *) Tighten client-side session ticket handling during renegotiation:
+ ensure that the client only accepts a session ticket if the server sends
+ the extension anew in the ServerHello. Previously, a TLS client would
+ reuse the old extension state and thus accept a session ticket if one was
+ announced in the initial ServerHello.
+
+ Similarly, ensure that the client requires a session ticket if one
+ was advertised in the ServerHello. Previously, a TLS client would
+ ignore a missing NewSessionTicket message.
+ [Emilia Käsper]
+
+ Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
+
+ *) SRTP Memory Leak.
+
+ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+ sends a carefully crafted handshake message, to cause OpenSSL to fail
+ to free up to 64k of memory causing a memory leak. This could be
+ exploited in a Denial Of Service attack. This issue affects OpenSSL
+ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
+ whether SRTP is used or configured. Implementations of OpenSSL that
+ have been compiled with OPENSSL_NO_SRTP defined are not affected.
+
+ The fix was developed by the OpenSSL team.
+ (CVE-2014-3513)
+ [OpenSSL team]
+
+ *) Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ (CVE-2014-3567)
+ [Steve Henson]
+
+ *) Build option no-ssl3 is incomplete.
+
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ (CVE-2014-3568)
+ [Akamai and the OpenSSL team]
+
+ *) Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ (CVE-2014-3566)
+ [Adam Langley, Bodo Moeller]
+
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
+
+ Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
+
+ *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
+ SRP code can be overrun an internal buffer. Add sanity check that
+ g, A, B < N to SRP code.
+
+ Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
+ Group for discovering this issue.
+ (CVE-2014-3512)
+ [Steve Henson]
+
+ *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
+ TLS 1.0 instead of higher protocol versions when the ClientHello message
+ is badly fragmented. This allows a man-in-the-middle attacker to force a
+ downgrade to TLS 1.0 even if both the server and the client support a
+ higher protocol version, by modifying the client's TLS records.
+
+ Thanks to David Benjamin and Adam Langley (Google) for discovering and
+ researching this issue.
+ (CVE-2014-3511)
+ [David Benjamin]
+
+ *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+ to a denial of service attack. A malicious server can crash the client
+ with a null pointer dereference (read) by specifying an anonymous (EC)DH
+ ciphersuite and sending carefully crafted handshake messages.
+
+ Thanks to Felix Gröbert (Google) for discovering and researching this
+ issue.
+ (CVE-2014-3510)
+ [Emilia Käsper]
+
+ *) By sending carefully crafted DTLS packets an attacker could cause openssl
+ to leak memory. This can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3507)
+ [Adam Langley]
+
+ *) An attacker can force openssl to consume large amounts of memory whilst
+ processing DTLS handshake messages. This can be exploited through a
+ Denial of Service attack.
+ Thanks to Adam Langley for discovering and researching this issue.
+ (CVE-2014-3506)
+ [Adam Langley]
+
+ *) An attacker can force an error condition which causes openssl to crash
+ whilst processing DTLS packets due to memory being freed twice. This
+ can be exploited through a Denial of Service attack.
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
+ this issue.
+ (CVE-2014-3505)
+ [Adam Langley]
+
+ *) If a multithreaded client connects to a malicious server using a resumed
+ session and the server sends an ec point format extension it could write
+ up to 255 bytes to freed memory.
+
+ Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
+ issue.
+ (CVE-2014-3509)
+ [Gabor Tyukasz]
+
+ *) A malicious server can crash an OpenSSL client with a null pointer
+ dereference (read) by specifying an SRP ciphersuite even though it was not
+ properly negotiated with the client. This can be exploited through a
+ Denial of Service attack.
+
+ Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
+ discovering and researching this issue.
+ (CVE-2014-5139)
+ [Steve Henson]
+
+ *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
+ X509_name_oneline, X509_name_print_ex et al. to leak some information
+ from the stack. Applications may be affected if they echo pretty printing
+ output to the attacker.
+
+ Thanks to Ivan Fratric (Google) for discovering this issue.
+ (CVE-2014-3508)
+ [Emilia Käsper, and Steve Henson]
+
+ *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+ [Bodo Moeller]
+
+ Changes between 1.0.1i and 1.0.1j [xx XXX xxxx]
+
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
+
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+ *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+ handshake can force the use of weak keying material in OpenSSL
+ SSL/TLS clients and servers.
+
+ Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+ researching this issue. (CVE-2014-0224)
+ [KIKUCHI Masashi, Steve Henson]
+
+ *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+ OpenSSL DTLS client the code can be made to recurse eventually crashing
+ in a DoS attack.
+
+ Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+ (CVE-2014-0221)
+ [Imre Rad, Steve Henson]
+
+ *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+ be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+ client or server. This is potentially exploitable to run arbitrary
+ code on a vulnerable client or server.
+
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
+
+ *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+ are subject to a denial of service attack.
+
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ this issue. (CVE-2014-3470)
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+ *) Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix some double frees. These are not thought to be exploitable.
+ [mancha <mancha1@zoho.com>]
+
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
+ *) A missing bounds check in the handling of the TLS heartbeat extension
+ can be used to reveal up to 64k of memory to a connected client or
+ server.
+
+ Thanks for Neel Mehta of Google Security for discovering this bug and to
+ Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+ preparing the fix (CVE-2014-0160)
+ [Adam Langley, Bodo Moeller]
+
+ *) Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ http://eprint.iacr.org/2014/140
+
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ [Yuval Yarom and Naomi Benger]
+
+ *) TLS pad extension: draft-agl-tls-padding-03
+
+ Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+ TLS client Hello record length value would otherwise be > 255 and
+ less that 512 pad with a dummy extension containing zeroes so it
+ is at least 512 bytes long.
+
+ [Adam Langley, Steve Henson]
+
+ Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
+
+ *) Fix for TLS record tampering bug. A carefully crafted invalid
+ handshake could crash OpenSSL with a NULL pointer exception.
+ Thanks to Anton Johansson for reporting this issues.
+ (CVE-2013-4353)
+
+ *) Keep original DTLS digest and encryption contexts in retransmission
+ structures so we can use the previous session parameters if they need
+ to be resent. (CVE-2013-6450)
+ [Steve Henson]
+
+ *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+ [Rob Stradling, Adam Langley]
+
+ Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
+
+ *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
+ supporting platforms or when small records were transferred.
+ [Andy Polyakov, Steve Henson]
+
+ Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
+ ciphersuites which can be exploited in a denial of service attack.
+ Thanks go to and to Adam Langley <agl@chromium.org> for discovering
+ and detecting this bug and to Wolfgang Ettlinger
+ <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
+ (CVE-2012-2686)
+ [Adam Langley]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Make openssl verify return errors.
+ [Chris Palmer <palmer@google.com> and Ben Laurie]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ [Rob Stradling <rob.stradling@comodo.com>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ *) Don't use TLS 1.0 record version number in initial client hello
+ if renegotiating.
+ [Steve Henson]
+
+ Changes between 1.0.1b and 1.0.1c [10 May 2012]
*) Sanity check record length before skipping explicit IV in TLS
- 1.2, 1.1 and DTLS to avoid DoS attack.
+ 1.2, 1.1 and DTLS to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
[Adam Langley]
*) Workarounds for some broken servers that "hang" if a client hello
- record length exceeds 255 bytes:
-
+ record length exceeds 255 bytes.
+
1. Do not use record version number > TLS 1.0 in initial client
hello: some (but not all) hanging servers will now work.
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
- the number of ciphers sent in the client hello. This should be
+ the number of ciphers sent in the client hello. This should be
set to an even number, such as 50, for example by passing:
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
Most broken servers should now work.
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
- TLS 1.2 client support entirely.
+ TLS 1.2 client support entirely.
[Steve Henson]
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
Add command line options to s_client/s_server.
[Steve Henson]
+ Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling@comodo.com>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ Changes between 1.0.0i and 1.0.0j [10 May 2012]
+
+ [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
+ OpenSSL 1.0.1.]
+
+ *) Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ (CVE-2012-2333)
+ [Steve Henson]
+
+ *) Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
+ [Steve Henson]
+
+ Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
+
+ *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
+
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ (CVE-2012-2110)
+ [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
*) Change 'Configure' script to enable Camellia by default.
[NTT]
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+ This addresses the flaw in CBC record processing discovered by
+ Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+ at: http://www.isg.rhul.ac.uk/tls/
+
+ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+ Security Group at Royal Holloway, University of London
+ (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+ Emilia Käsper for the initial patch.
+ (CVE-2013-0169)
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
+ *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+ the right response is stapled. Also change SSL_get_certificate()
+ so it returns the certificate actually sent.
+ See http://rt.openssl.org/Ticket/Display.html?id=2836.
+ (This is a backport)
+ [Rob Stradling <rob.stradling@comodo.com>]
+
+ *) Fix possible deadlock when decoding public keys.
+ [Steve Henson]
+
+ Changes between 0.9.8w and 0.9.8x [10 May 2012]
+
+ *) Sanity check record length before skipping explicit IV in DTLS
+ to fix DoS attack.
+
+ Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+ fuzzing as a service testing platform.
+ (CVE-2012-2333)
+ [Steve Henson]
+
+ *) Initialise tkeylen properly when encrypting CMS messages.
+ Thanks to Solar Designer of Openwall for reporting this issue.
+ [Steve Henson]
+
+ Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
+
+ *) The fix for CVE-2012-2110 did not take into account that the
+ 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+ int in OpenSSL 0.9.8, making it still vulnerable. Fix by
+ rejecting negative len parameter. (CVE-2012-2131)
+ [Tomas Hoger <thoger@redhat.com>]
+
+ Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
+
+ *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+ BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+ in CRYPTO_realloc_clean.
+
+ Thanks to Tavis Ormandy, Google Security Team, for discovering this
+ issue and to Adam Langley <agl@chromium.org> for fixing it.
+ (CVE-2012-2110)
+ [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
+
+ *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+ in CMS and PKCS7 code. When RSA decryption fails use a random key for
+ content decryption and always return the same error. Note: this attack
+ needs on average 2^20 messages so it only affects automated senders. The
+ old behaviour can be reenabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+ an MMA defence is not necessary.
+ Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+ this issue. (CVE-2012-0884)
+ [Steve Henson]
+
+ *) Fix CVE-2011-4619: make sure we really are receiving a
+ client hello before rejecting multiple SGC restarts. Thanks to
+ Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+ [Steve Henson]
+
Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
[Antonio Martin]
-
+
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
projects / openssl.git / blobdiff