X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=1853586c37f21862198b22c6ab39a38fe1cd2a46;hp=797c02118c11938899035b19b58ce9ae72034c1c;hb=280b1f1ad12131defcd986676a8fc9717aaa601b;hpb=a4339ea3ba045b7da038148f0d48ce25f2996971 diff --git a/CHANGES b/CHANGES index 797c02118c..1853586c37 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,43 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + *) Experimental support for a new, fast, unbiased prime candidate generator, + bn_probable_prime_dh_coprime(). Not currently used by any prime generator. + [Felix Laurie von Massenbach ] + + *) New output format NSS in the sess_id command line tool. This allows + exporting the session id and the master key in NSS keylog format. + [Martin Kaiser ] + + *) Harmonize version and its documentation. -f flag is used to display + compilation flags. + [mancha ] + + *) Fix eckey_priv_encode so it immediately returns an error upon a failure + in i2d_ECPrivateKey. + [mancha ] + + *) Fix some double frees. These are not thought to be exploitable. + [mancha ] + + *) A missing bounds check in the handling of the TLS heartbeat extension + can be used to reveal up to 64k of memory to a connected client or + server. + + Thanks for Neel Mehta of Google Security for discovering this bug and to + Adam Langley and Bodo Moeller for + preparing the fix (CVE-2014-0160) + [Adam Langley, Bodo Moeller] + + *) Fix for the attack described in the paper "Recovering OpenSSL + ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" + by Yuval Yarom and Naomi Benger. Details can be obtained from: + http://eprint.iacr.org/2014/140 + + Thanks to Yuval Yarom and Naomi Benger for discovering this + flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) + [Yuval Yarom and Naomi Benger] + *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): this fixes a limiation in previous versions of OpenSSL. [Steve Henson] @@ -23,10 +60,6 @@ [Steve Henson] - *) Add callbacks supporting generation and retrieval of supplemental - data entries. - [Scott Deboy , Trevor Perrin and Ben Laurie] - *) Add EVP support for key wrapping algorithms, to avoid problems with existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap @@ -275,44 +308,66 @@ whose return value is often ignored. [Steve Henson] - Changes between 1.0.1e and 1.0.2 [xx XXX xxxx] + Changes between 1.0.1h and 1.0.2 [xx XXX xxxx] - *) Keep original DTLS digest and encryption contexts in retransmission - structures so we can use the previous session parameters if they need - to be resent. (CVE-2013-6450) - [Steve Henson] + *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) + for corner cases. (Certain input points at infinity could lead to + bogus results, with non-infinity inputs mapped to infinity too.) + [Bodo Moeller] - *) TLS pad extension: draft-agl-tls-padding-02 + *) Initial support for PowerISA 2.0.7, first implemented in POWER8. + This covers AES, SHA256/512 and GHASH. "Initial" means that most + common cases are optimized and there still is room for further + improvements. Vector Permutation AES for Altivec is also added. + [Andy Polyakov] - Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the - TLS client Hello record length value would otherwise be > 255 and - less that 512 pad with a dummy extension containing zeroes so it - is at least 512 bytes long. + *) Add support for little-endian ppc64 Linux target. + [Marcelo Cerri (IBM)] - To enable it use an unused extension number (for example chrome uses - 35655) using: + *) Initial support for AMRv8 ISA crypto extensions. This covers AES, + SHA1, SHA256 and GHASH. "Initial" means that most common cases + are optimized and there still is room for further improvements. + Both 32- and 64-bit modes are supported. + [Andy Polyakov, Ard Biesheuvel (Linaro)] - e.g. -DTLSEXT_TYPE_padding=35655 + *) Improved ARMv7 NEON support. + [Andy Polyakov] - Since the extension is ignored the actual number doesn't matter as long - as it doesn't clash with any existing extension. + *) Support for SPARC Architecture 2011 crypto extensions, first + implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, + SHA256/512, MD5, GHASH and modular exponentiation. + [Andy Polyakov, David Miller] - This will be updated when the extension gets an official number. + *) Accelerated modular exponentiation for Intel processors, a.k.a. + RSAZ. + [Shay Gueron (Intel Corp)] - [Adam Langley, Steve Henson] + *) Support for new and upcoming Intel processors, including AVX2, + BMI and SHA ISA extensions. This includes additional "stitched" + implementations, AESNI-SHA256 and GCM, and multi-buffer support + for TLS encrypt. + + This work was sponsored by Intel Corp. + [Andy Polyakov] + + *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): + this fixes a limiation in previous versions of OpenSSL. + [Steve Henson] + + *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, + MGF1 digest and OAEP label. + [Steve Henson] + + *) Add EVP support for key wrapping algorithms, to avoid problems with + existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in + the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap + algorithms and include tests cases. + [Steve Henson] *) Add functions to allocate and set the fields of an ECDSA_METHOD structure. [Douglas E. Engert, Steve Henson] - *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which - avoids preferring ECDHE-ECDSA ciphers when the client appears to be - Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for - several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug - is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing - 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. - [Rob Stradling, Adam Langley] - *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the difference in days and seconds between two tm or ASN1_TIME structures. [Steve Henson] @@ -501,9 +556,6 @@ *) Support for linux-x32, ILP32 environment in x86_64 framework. [Andy Polyakov] - *) RFC 5878 (TLS Authorization Extensions) support. - [Emilia Kasper, Adam Langley, Ben Laurie (Google)] - *) Experimental multi-implementation support for FIPS capable OpenSSL. When in FIPS mode the approved implementations are used as normal, when not in FIPS mode the internal unapproved versions are used instead. @@ -559,6 +611,99 @@ certificates. [Steve Henson] + Changes between 1.0.1g and 1.0.1h [5 Jun 2014] + + *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. + + Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and + researching this issue. (CVE-2014-0224) + [KIKUCHI Masashi, Steve Henson] + + *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an + OpenSSL DTLS client the code can be made to recurse eventually crashing + in a DoS attack. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + (CVE-2014-0221) + [Imre Rad, Steve Henson] + + *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can + be triggered by sending invalid DTLS fragments to an OpenSSL DTLS + client or server. This is potentially exploitable to run arbitrary + code on a vulnerable client or server. + + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] + + *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites + are subject to a denial of service attack. + + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + this issue. (CVE-2014-3470) + [Felix Gröbert, Ivan Fratric, Steve Henson] + + *) Harmonize version and its documentation. -f flag is used to display + compilation flags. + [mancha ] + + *) Fix eckey_priv_encode so it immediately returns an error upon a failure + in i2d_ECPrivateKey. + [mancha ] + + *) Fix some double frees. These are not thought to be exploitable. + [mancha ] + + Changes between 1.0.1f and 1.0.1g [7 Apr 2014] + + *) A missing bounds check in the handling of the TLS heartbeat extension + can be used to reveal up to 64k of memory to a connected client or + server. + + Thanks for Neel Mehta of Google Security for discovering this bug and to + Adam Langley and Bodo Moeller for + preparing the fix (CVE-2014-0160) + [Adam Langley, Bodo Moeller] + + *) Fix for the attack described in the paper "Recovering OpenSSL + ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" + by Yuval Yarom and Naomi Benger. Details can be obtained from: + http://eprint.iacr.org/2014/140 + + Thanks to Yuval Yarom and Naomi Benger for discovering this + flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) + [Yuval Yarom and Naomi Benger] + + *) TLS pad extension: draft-agl-tls-padding-03 + + Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the + TLS client Hello record length value would otherwise be > 255 and + less that 512 pad with a dummy extension containing zeroes so it + is at least 512 bytes long. + + [Adam Langley, Steve Henson] + + Changes between 1.0.1e and 1.0.1f [6 Jan 2014] + + *) Fix for TLS record tampering bug. A carefully crafted invalid + handshake could crash OpenSSL with a NULL pointer exception. + Thanks to Anton Johansson for reporting this issues. + (CVE-2013-4353) + + *) Keep original DTLS digest and encryption contexts in retransmission + structures so we can use the previous session parameters if they need + to be resent. (CVE-2013-6450) + [Steve Henson] + + *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which + avoids preferring ECDHE-ECDSA ciphers when the client appears to be + Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for + several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug + is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing + 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. + [Rob Stradling, Adam Langley] + Changes between 1.0.1d and 1.0.1e [11 Feb 2013] *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI