https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
- Changes between 1.1.1d and 1.1.1e [xx XXX xxxx]
+ Changes between 1.1.1k and 1.1.1l [xx XXX xxxx]
+
+ *)
+
+ Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
+
+ *) Fixed a problem with verifying a certificate chain when using the
+ X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
+ of the certificates present in a certificate chain. It is not set by
+ default.
+
+ Starting from OpenSSL version 1.1.1h a check to disallow certificates in
+ the chain that have explicitly encoded elliptic curve parameters was added
+ as an additional strict check.
+
+ An error in the implementation of this check meant that the result of a
+ previous check to confirm that certificates in the chain are valid CA
+ certificates was overwritten. This effectively bypasses the check
+ that non-CA certificates must not be able to issue other certificates.
+
+ If a "purpose" has been configured then there is a subsequent opportunity
+ for checks that the certificate is a valid CA. All of the named "purpose"
+ values implemented in libcrypto perform this check. Therefore, where
+ a purpose is set the certificate chain will still be rejected even when the
+ strict flag has been used. A purpose is set by default in libssl client and
+ server certificate verification routines, but it can be overridden or
+ removed by an application.
+
+ In order to be affected, an application must explicitly set the
+ X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
+ for the certificate verification or, in the case of TLS client or server
+ applications, override the default purpose.
+ (CVE-2021-3450)
+ [Tomáš Mráz]
+
+ *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+ crafted renegotiation ClientHello message from a client. If a TLSv1.2
+ renegotiation ClientHello omits the signature_algorithms extension (where
+ it was present in the initial ClientHello), but includes a
+ signature_algorithms_cert extension then a NULL pointer dereference will
+ result, leading to a crash and a denial of service attack.
+
+ A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
+ (which is the default configuration). OpenSSL TLS clients are not impacted
+ by this issue.
+ (CVE-2021-3449)
+ [Peter Kästle and Samuel Sapalski]
+
+ Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+ *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
+ create a unique hash value based on the issuer and serial number data
+ contained within an X509 certificate. However it was failing to correctly
+ handle any errors that may occur while parsing the issuer field (which might
+ occur if the issuer field is maliciously constructed). This may subsequently
+ result in a NULL pointer deref and a crash leading to a potential denial of
+ service attack.
+ (CVE-2021-23841)
+ [Matt Caswell]
+
+ *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks. This is considered a
+ bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+ CVE-2021-23839.
+ [Matt Caswell]
+
+ *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+ functions. Previously they could overflow the output length argument in some
+ cases where the input length is close to the maximum permissable length for
+ an integer on the platform. In such cases the return value from the function
+ call would be 1 (indicating success), but the output length value would be
+ negative. This could cause applications to behave incorrectly or crash.
+ (CVE-2021-23840)
+ [Matt Caswell]
+
+ *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
+ implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
+ could be exploited in a side channel attack to recover the password. Since
+ the attack is local host only this is outside of the current OpenSSL
+ threat model and therefore no CVE is assigned.
+
+ Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
+ issue.
+ [Matt Caswell]
+
+ Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
+
+ *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
+ This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
+ If an attacker can control both items being compared then this could lead
+ to a possible denial of service attack. OpenSSL itself uses the
+ GENERAL_NAME_cmp function for two purposes:
+ 1) Comparing CRL distribution point names between an available CRL and a
+ CRL distribution point embedded in an X509 certificate
+ 2) When verifying that a timestamp response token signer matches the
+ timestamp authority name (exposed via the API functions
+ TS_RESP_verify_response and TS_RESP_verify_token)
+ (CVE-2020-1971)
+ [Matt Caswell]
+
+ *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
+ [Stuart Carnie]
+
+ *) The security callback, which can be customised by application code, supports
+ the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
+ in the "other" parameter. In most places this is what is passed. All these
+ places occur server side. However there was one client side call of this
+ security operation and it passed a DH object instead. This is incorrect
+ according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
+ of the other locations. Therefore this client side call has been changed to
+ pass an EVP_PKEY instead.
+ [Matt Caswell]
+
+ *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
+ when validating a certificate path. This check is restored in 1.1.1i.
+ [David von Oheimb]
+
+ Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
+
+ *) Certificates with explicit curve parameters are now disallowed in
+ verification chains if the X509_V_FLAG_X509_STRICT flag is used.
+ [Tomas Mraz]
+
+ *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
+ ignore TLS protocol version bounds when configuring DTLS-based contexts, and
+ conversely, silently ignore DTLS protocol version bounds when configuring
+ TLS-based contexts. The commands can be repeated to set bounds of both
+ types. The same applies with the corresponding "min_protocol" and
+ "max_protocol" command-line switches, in case some application uses both TLS
+ and DTLS.
+
+ SSL_CTX instances that are created for a fixed protocol version (e.g.
+ TLSv1_server_method()) also silently ignore version bounds. Previously
+ attempts to apply bounds to these protocol versions would result in an
+ error. Now only the "version-flexible" SSL_CTX instances are subject to
+ limits in configuration files in command-line options.
+ [Viktor Dukhovni]
+
+ *) Handshake now fails if Extended Master Secret extension is dropped
+ on renegotiation.
+ [Tomas Mraz]
+
+ *) Accidentally, an expired trusted (root) certificate is not anymore rejected
+ when validating a certificate path.
+ [David von Oheimb]
+
+ *) The Oracle Developer Studio compiler will start reporting deprecated APIs
+
+ Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+ *) Fixed segmentation fault in SSL_check_chain()
+ Server or client applications that call the SSL_check_chain() function
+ during or after a TLS 1.3 handshake may crash due to a NULL pointer
+ dereference as a result of incorrect handling of the
+ "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+ or unrecognised signature algorithm is received from the peer. This could
+ be exploited by a malicious peer in a Denial of Service attack.
+ (CVE-2020-1967)
+ [Benjamin Kaduk]
+
+ *) Added AES consttime code for no-asm configurations
+ an optional constant time support for AES was added
+ when building openssl for no-asm.
+ Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+ Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
+ At this time this feature is by default disabled.
+ It will be enabled by default in 3.0.
+ [Bernd Edlinger]
+
+ Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
+
+ *) Revert the change of EOF detection while reading in libssl to avoid
+ regressions in applications depending on the current way of reporting
+ the EOF. As the existing method is not fully accurate the change to
+ reporting the EOF via SSL_ERROR_SSL is kept on the current development
+ branch and will be present in the 3.0 release.
+ [Tomas Mraz]
+
+ *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
+ when primes for RSA keys are computed.
+ Since we previously always generated primes == 2 (mod 3) for RSA keys,
+ the 2-prime and 3-prime RSA modules were easy to distinguish, since
+ N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
+ 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
+ This avoids possible fingerprinting of newly generated RSA modules.
+ [Bernd Edlinger]
+
+ Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
+ *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
+ while reading in libssl then we would report an error back to the
+ application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
+ an error to the stack (which means we instead return SSL_ERROR_SSL) and
+ therefore give a hint as to what went wrong.
+ [Matt Caswell]
+
+ *) Check that ed25519 and ed448 are allowed by the security level. Previously
+ signature algorithms not using an MD were not being checked that they were
+ allowed by the security level.
+ [Kurt Roeckx]
+
+ *) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
+ was not quite right. The behaviour was not consistent between resumption
+ and normal handshakes, and also not quite consistent with historical
+ behaviour. The behaviour in various scenarios has been clarified and
+ it has been updated to make it match historical behaviour as closely as
+ possible.
+ [Matt Caswell]
+
+ *) [VMS only] The header files that the VMS compilers include automatically,
+ __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
+ the C++ compiler doesn't understand. This is a shortcoming in the
+ compiler, but can be worked around with __cplusplus guards.
+
+ C++ applications that use OpenSSL libraries must be compiled using the
+ qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
+ functions. Otherwise, only functions with symbols of less than 31
+ characters can be used, as the linker will not be able to successfully
+ resolve symbols with longer names.
+ [Richard Levitte]
+
+ *) Corrected the documentation of the return values from the EVP_DigestSign*
+ set of functions. The documentation mentioned negative values for some
+ errors, but this was never the case, so the mention of negative values
+ was removed.
+
+ Code that followed the documentation and thereby check with something
+ like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
+ [Richard Levitte]
+
+ *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
+ used in exponentiation with 512-bit moduli. No EC algorithms are
+ affected. Analysis suggests that attacks against 2-prime RSA1024,
+ 3-prime RSA1536, and DSA1024 as a result of this defect would be very
+ difficult to perform and are not believed likely. Attacks against DH512
+ are considered just feasible. However, for an attack the target would
+ have to re-use the DH512 private key, which is not recommended anyway.
+ Also applications directly using the low level API BN_mod_exp may be
+ affected if they use BN_FLG_CONSTTIME.
+ (CVE-2019-1551)
+ [Andy Polyakov]
+
+ *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
+ The presence of this system service is determined at run-time.
+ [Richard Levitte]
*) Added newline escaping functionality to a filename when using openssl dgst.
This output format is to replicate the output format found in the '*sum'
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
- prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ prohibits this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
- record layer, and its removal is unlikely to cause inter-operability
+ record layer, and its removal is unlikely to cause interoperability
issues.
[Matt Caswell]
implementations).
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
- *) Use type ossl_ssize_t instad of ssize_t which isn't available on
+ *) Use type ossl_ssize_t instead of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
*) New OCSP utility. Allows OCSP requests to be generated or
read. The request can be sent to a responder and the output
- parsed, outputed or printed in text form. Not complete yet:
+ parsed, outputted or printed in text form. Not complete yet:
still needs to check the OCSP response validity.
[Steve Henson]
[Andy Polyakov]
*) Modified SSL library such that the verify_callback that has been set
- specificly for an SSL object with SSL_set_verify() is actually being
+ specifically for an SSL object with SSL_set_verify() is actually being
used. Before the change, a verify_callback set with this function was
ignored and the verify_callback() set in the SSL_CTX at the time of
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
as other interfaces in OpenSSL, like the BIO interface.
NCONF_dump_* dump the internal storage of the configuration file,
which is useful for debugging. All other functions take the same
- arguments as the old CONF_* functions wth the exception of the
+ arguments as the old CONF_* functions with the exception of the
first that must be a `CONF *' instead of a `LHASH *'.
- To make it easer to use the new classes with the old CONF_* functions,
+ To make it easier to use the new classes with the old CONF_* functions,
the function CONF_set_default_method is provided.
[Richard Levitte]
than the old method: it now uses a modified version of Ulf's parser to
read the ANSI prototypes in all header files (thus the old K&R definitions
aren't needed for error creation any more) and do a better job of
- translating function codes into names. The old 'ASN1 error code imbedded
+ translating function codes into names. The old 'ASN1 error code embedded
in a comment' is no longer necessary and it doesn't use .err files which
have now been deleted. Also the error code call doesn't have to appear all
on one line (which resulted in some large lines...).
*) Add a useful kludge to allow package maintainers to specify compiler and
other platforms details on the command line without having to patch the
- Configure script everytime: One now can use ``perl Configure
+ Configure script every time: One now can use ``perl Configure
<id>:<details>'', i.e. platform ids are allowed to have details appended
to them (separated by colons). This is treated as there would be a static
pre-configured entry in Configure's %table under key <id> with value
projects / openssl.git / blobdiff