X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=e8bc44225c3417aa28efa2669e502b3cde538eed;hp=0c25e0bac96589575dde9c2c7a75de81d2e84e95;hb=ed03c46134b1ebfcbee937c74e7f4517893be1fd;hpb=2ab9687479c10c4c4ebfdfcf6d068fe581bd44e4 diff --git a/CHANGES b/CHANGES index 0c25e0bac9..e8bc44225c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,156 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] + Changes between 1.0.2f and 1.1.0 [xx XXX xxxx] + + *) Rewrite of BIO networking library. The BIO library lacked consistent + support of IPv6, and adding it required some more extensive + modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types, + which hold all types of addresses and chains of address information. + It also introduces a new API, with functions like BIO_socket, + BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept. + The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram + have been adapted accordingly. + [Richard Levitte] + + *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without + the leading 0-byte. + [Emilia Käsper] + + *) CRIME protection: disable compression by default, even if OpenSSL is + compiled with zlib enabled. Applications can still enable compression + by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by + using the SSL_CONF library to configure compression. + [Emilia Käsper] + + *) The signature of the session callback configured with + SSL_CTX_sess_set_get_cb was changed. The read-only input buffer + was explicitly marked as 'const unsigned char*' instead of + 'unsigned char*'. + [Emilia Käsper] + + *) Always DPURIFY. Remove the use of uninitialized memory in the + RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op. + [Emilia Käsper] + + *) Removed many obsolete configuration items, including + DES_PTR, DES_RISC1, DES_RISC2, DES_INT + MD2_CHAR, MD2_INT, MD2_LONG + BF_PTR, BF_PTR2 + IDEA_SHORT, IDEA_LONG + RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX + [Rich Salz, with advice from Andy Polyakov] + + *) Many BN internals have been moved to an internal header file. + [Rich Salz with help from Andy Polyakov] + + *) Configuration and writing out the results from it has changed. + Files such as Makefile include/openssl/opensslconf.h and are now + produced through general templates, such as Makefile.in and + crypto/opensslconf.h.in and some help from the perl module + Text::Template. + + Also, the center of configuration information is no longer + Makefile. Instead, Configure produces a perl module in + configdata.pm which holds most of the config data (in the hash + table %config), the target data that comes from the target + configuration in one of the Configurations/*.conf files (in + %target). + [Richard Levitte] + + *) To clarify their intended purposes, the Configure options + --prefix and --openssldir change their semantics, and become more + straightforward and less interdependent. + + --prefix shall be used exclusively to give the location INSTALLTOP + where programs, scripts, libraries, include files and manuals are + going to be installed. The default is now /usr/local. + + --openssldir shall be used exclusively to give the default + location OPENSSLDIR where certificates, private keys, CRLs are + managed. This is also where the default openssl.cnf gets + installed. + If the directory given with this option is a relative path, the + values of both the --prefix value and the --openssldir value will + be combined to become OPENSSLDIR. + The default for --openssldir is INSTALLTOP/ssl. + + Anyone who uses --openssldir to specify where OpenSSL is to be + installed MUST change to use --prefix instead. + [Richard Levitte] + + *) The GOST engine was out of date and therefore it has been removed. An up + to date GOST engine is now being maintained in an external repository. + See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains + support for GOST ciphersuites (these are only activated if a GOST engine + is present). + [Matt Caswell] + + *) EGD is no longer supported by default; use enable-egd when + configuring. + [Ben Kaduk and Rich Salz] + + *) The distribution now has Makefile.in files, which are used to + create Makefile's when Configure is run. *Configure must be run + before trying to build now.* + [Rich Salz] + + *) The return value for SSL_CIPHER_description() for error conditions + has changed. + [Rich Salz] + + *) Support for RFC6698/RFC7671 DANE TLSA peer authentication. + + Obtaining and performing DNSSEC validation of TLSA records is + the application's responsibility. The application provides + the TLSA records of its choice to OpenSSL, and these are then + used to authenticate the peer. + + The TLSA records need not even come from DNS. They can, for + example, be used to implement local end-entity certificate or + trust-anchor "pinning", where the "pin" data takes the form + of TLSA records, which can augment or replace verification + based on the usual WebPKI public certification authorities. + [Viktor Dukhovni] + + *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL + continues to support deprecated interfaces in default builds. + However, applications are strongly advised to compile their + source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides + the declarations of all interfaces deprecated in 0.9.8, 1.0.0 + or the 1.1.0 releases. + + In environments in which all applications have been ported to + not use any deprecated interfaces OpenSSL's Configure script + should be used with the --api=1.1.0 option to entirely remove + support for the deprecated features from the library and + unconditionally disable them in the installed headers. + Essentially the same effect can be achieved with the "no-deprecated" + argument to Configure, except that this will always restrict + the build to just the latest API, rather than a fixed API + version. + + As applications are ported to future revisions of the API, + they should update their compile-time OPENSSL_API_COMPAT define + accordingly, but in most cases should be able to continue to + compile with later releases. + + The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are + 0x10000000L and 0x00908000L, respectively. However those + versions did not support the OPENSSL_API_COMPAT feature, and + so applications are not typically tested for explicit support + of just the undeprecated features of either release. + [Viktor Dukhovni] + + *) Add support for setting the minimum and maximum supported protocol. + It can bet set via the SSL_set_min_proto_version() and + SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and + MaxProtcol. It's recommended to use the new APIs to disable + protocols instead of disabling individual protocols using + SSL_set_options() or SSL_CONF's Protocol. This change also + removes support for disabling TLS 1.2 in the OpenSSL TLS + client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT. + [Kurt Roeckx] *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl. [Andy Polyakov] @@ -21,22 +170,22 @@ exchange. The LOW ciphers currently doesn't have any ciphers in it. [Kurt Roeckx] - *) Make EVP_MD_CTX, EVP_MD and HMAC_CTX opaque. For HMAC_CTX, the - following constructors and destructors were added: + *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX + opaque. For HMAC_CTX, the following constructors and destructors + were added: HMAC_CTX *HMAC_CTX_new(void); void HMAC_CTX_free(HMAC_CTX *ctx); - For EVP_MD, a complete API to create, fill and destroy such - methods has been added. See EVP_MD_meth_new(3) for - documentation. + For EVP_MD and EVP_CIPHER, complete APIs to create, fill and + destroy such methods has been added. See EVP_MD_meth_new(3) and + EVP_CIPHER_meth_new(3) for documentation. Additional changes: - 1) HMAC_CTX_cleanup() and EVP_MD_CTX_cleanup() were removed, - HMAC_CTX_init() and EVP_MD_CTX_init() should be called instead - to reinitialise and already created structure. Also, - HMAC_CTX_init() and EVP_MD_CTX_init() now return 0 for failure - and 1 for success (they previously had the return type void). + 1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and + HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and + EVP_MD_CTX_reset() should be called instead to reinitialise + an already created structure. 2) For consistency with the majority of our object creators and destructors, EVP_MD_CTX_(create|destroy) were renamed to EVP_MD_CTX_(new|free). The old names are retained as macros @@ -142,6 +291,12 @@ [Richard Levitte] + *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT + are used; the latter aborts on memory leaks (usually checked on exit). + Some undocumented "set malloc, etc., hooks" functions were removed + and others were changed. All are now documented. + [Rich Salz] + *) In DSA_generate_parameters_ex, if the provided seed is too short, return an error [Rich Salz and Ismo Puustinen ] @@ -598,6 +753,50 @@ whose return value is often ignored. [Steve Henson] + Changes between 1.0.2e and 1.0.2f [28 Jan 2016] + *) DH small subgroups + + Historically OpenSSL only ever generated DH parameters based on "safe" + primes. More recently (in version 1.0.2) support was provided for + generating X9.42 style parameter files such as those required for RFC 5114 + support. The primes used in such files may not be "safe". Where an + application is using DH configured with parameters based on primes that are + not "safe" then an attacker could use this fact to find a peer's private + DH exponent. This attack requires that the attacker complete multiple + handshakes in which the peer uses the same private DH exponent. For example + this could be used to discover a TLS server's private DH exponent if it's + reusing the private DH exponent or it's using a static DH ciphersuite. + + OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in + TLS. It is not on by default. If the option is not set then the server + reuses the same private DH exponent for the life of the server process and + would be vulnerable to this attack. It is believed that many popular + applications do set this option and would therefore not be at risk. + + The fix for this issue adds an additional check where a "q" parameter is + available (as is the case in X9.42 based parameters). This detects the + only known attack, and is the only possible defense for static DH + ciphersuites. This could have some performance impact. + + Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by + default and cannot be disabled. This could have some performance impact. + + This issue was reported to OpenSSL by Antonio Sanso (Adobe). + (CVE-2016-0701) + [Matt Caswell] + + *) SSLv2 doesn't block disabled ciphers + + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + + This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram + and Sebastian Schinzel. + (CVE-2015-3197) + [Viktor Dukhovni] + Changes between 1.0.2d and 1.0.2e [3 Dec 2015] *) BN_mod_exp may produce incorrect results on x86_64