OpenSSL CHANGES
_______________
- Changes between 1.0.2e and 1.1.0 [xx XXX xxxx]
+ Changes between 1.0.2h and 1.1.0 [xx XXX 2016]
+
+ *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
+ DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
+ off the constant time implementation for RSA, DSA and DH have been made
+ no-ops and deprecated.
+ [Matt Caswell]
+
+ *) Windows RAND implementation was simplified to only get entropy by
+ calling CryptGenRandom(). Various other RAND-related tickets
+ were also closed.
+ [Joseph Wylie Yandle, Rich Salz]
+
+ *) The stack and lhash API's were renamed to start with OPENSSL_SK_
+ and OPENSSL_LH_, respectively. The old names are available
+ with API compatibility. They new names are now completely documented.
+ [Rich Salz]
+
+ *) Unify TYPE_up_ref(obj) methods signature.
+ SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
+ X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
+ int (instead of void) like all others TYPE_up_ref() methods.
+ So now these methods also check the return value of CRYPTO_atomic_add(),
+ and the validity of object reference counter.
+ [fdasilvayy@gmail.com]
+
+ *) With Windows Visual Studio builds, the .pdb files are installed
+ alongside the installed libraries and executables. For a static
+ library installation, ossl_static.pdb is the associate compiler
+ generated .pdb file to be used when linking programs.
+ [Richard Levitte]
+
+ *) Remove openssl.spec. Packaging files belong with the packagers.
+ [Richard Levitte]
+
+ *) Automatic Darwin/OSX configuration has had a refresh, it will now
+ recognise x86_64 architectures automatically. You can still decide
+ to build for a different bitness with the environment variable
+ KERNEL_BITS (can be 32 or 64), for example:
+
+ KERNEL_BITS=32 ./config
+
+ [Richard Levitte]
+
+ *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+ 256 bit AES and HMAC with SHA256.
+ [Steve Henson]
+
+ *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
+ [Andy Polyakov]
+
+ *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
+ [Rich Salz]
+
+ *) To enable users to have their own config files and build file templates,
+ Configure looks in the directory indicated by the environment variable
+ OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
+ directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
+ name and is used as is.
+ [Richard Levitte]
+
+ *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
+ X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
+ X509_CERT_FILE_CTX was removed.
+ [Rich Salz]
+
+ *) "shared" builds are now the default. To create only static libraries use
+ the "no-shared" Configure option.
+ [Matt Caswell]
+
+ *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
+ All of these option have not worked for some while and are fundamental
+ algorithms.
+ [Matt Caswell]
+
+ *) Make various cleanup routines no-ops and mark them as deprecated. Most
+ global cleanup functions are no longer required because they are handled
+ via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
+ Explicitly de-initing can cause problems (e.g. where a library that uses
+ OpenSSL de-inits, but an application is still using it). The affected
+ functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
+ EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
+ RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
+ COMP_zlib_cleanup().
+ [Matt Caswell]
+
+ *) --strict-warnings no longer enables runtime debugging options
+ such as REF_DEBUG. Instead, debug options are automatically
+ enabled with '--debug' builds.
+ [Andy Polyakov, Emilia Käsper]
+
+ *) Made DH and DH_METHOD opaque. The structures for managing DH objects
+ have been moved out of the public header files. New functions for managing
+ these have been added.
+ [Matt Caswell]
+
+ *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
+ objects have been moved out of the public header files. New
+ functions for managing these have been added.
+ [Richard Levitte]
+
+ *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
+ have been moved out of the public header files. New functions for managing
+ these have been added.
+ [Matt Caswell]
+
+ *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
+ moved out of the public header files. New functions for managing these
+ have been added.
+ [Matt Caswell]
+
+ *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
+ [Matt Caswell]
+
+ *) Removed the mk1mf build scripts.
+ [Richard Levitte]
+
+ *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
+ it is always safe to #include a header now.
+ [Rich Salz]
+
+ *) Removed the aged BC-32 config and all its supporting scripts
+ [Richard Levitte]
+
+ *) Removed support for Ultrix, Netware, and OS/2.
+ [Rich Salz]
+
+ *) Add support for HKDF.
+ [Alessandro Ghedini]
+
+ *) Add support for blake2b and blake2s
+ [Bill Cox]
+
+ *) Added support for "pipelining". Ciphers that have the
+ EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
+ encryptions/decryptions simultaneously. There are currently no built-in
+ ciphers with this property but the expectation is that engines will be able
+ to offer it to significantly improve throughput. Support has been extended
+ into libssl so that multiple records for a single connection can be
+ processed in one go (for >=TLS 1.1).
+ [Matt Caswell]
+
+ *) Added the AFALG engine. This is an async capable engine which is able to
+ offload work to the Linux kernel. In this initial version it only supports
+ AES128-CBC. The kernel must be version 4.1.0 or greater.
+ [Catriona Lucey]
+
+ *) OpenSSL now uses a new threading API. It is no longer necessary to
+ set locking callbacks to use OpenSSL in a multi-threaded environment. There
+ are two supported threading models: pthreads and windows threads. It is
+ also possible to configure OpenSSL at compile time for "no-threads". The
+ old threading API should no longer be used. The functions have been
+ replaced with "no-op" compatibility macros.
+ [Alessandro Ghedini, Matt Caswell]
+
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ [Todd Short]
+
+ *) Add SSL_CIPHER queries for authentication and key-exchange.
+ [Todd Short]
+
+ *) Changes to the DEFAULT cipherlist:
+ - Prefer (EC)DHE handshakes over plain RSA.
+ - Prefer AEAD ciphers over legacy ciphers.
+ - Prefer ECDSA over RSA when both certificates are available.
+ - Prefer TLSv1.2 ciphers/PRF.
+ - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
+ default cipherlist.
+ [Emilia Käsper]
+
+ *) Change the ECC default curve list to be this, in order: x25519,
+ secp256r1, secp521r1, secp384r1.
+ [Rich Salz]
+
+ *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
+ disabled by default. They can be re-enabled using the
+ enable-weak-ssl-ciphers option to Configure.
+ [Matt Caswell]
+
+ *) If the server has ALPN configured, but supports no protocols that the
+ client advertises, send a fatal "no_application_protocol" alert.
+ This behaviour is SHALL in RFC 7301, though it isn't universally
+ implemented by other servers.
+ [Emilia Käsper]
+
+ *) Add X25519 support.
+ Integrate support for X25519 into EC library. This includes support
+ for public and private key encoding using the format documented in
+ draft-josefsson-pkix-newcurves-01: specifically X25519 uses the
+ OID from that draft, encodes public keys using little endian
+ format in the ECPoint structure and private keys using
+ little endian form in the privateKey field of the ECPrivateKey
+ structure. TLS support complies with draft-ietf-tls-rfc4492bis-06
+ and uses X25519(29).
+
+ Note: the current version supports key generation, public and
+ private key encoding and ECDH key agreement using the EC API.
+ Low level point operations such as EC_POINT_add(), EC_POINT_mul()
+ are NOT supported.
+ [Steve Henson]
+
+ *) Deprecate SRP_VBASE_get_by_user.
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak (CVE-2016-0798),
+ SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
+ seed, even if the seed is configured.
+
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ [Emilia Käsper]
+
+ *) Configuration change; it's now possible to build dynamic engines
+ without having to build shared libraries and vice versa. This
+ only applies to the engines in engines/, those in crypto/engine/
+ will always be built into libcrypto (i.e. "static").
+
+ Building dynamic engines is enabled by default; to disable, use
+ the configuration option "disable-dynamic-engine".
+
+ The only requirements for building dynamic engines are the
+ presence of the DSO module and building with position independent
+ code, so they will also automatically be disabled if configuring
+ with "disable-dso" or "disable-pic".
+
+ The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
+ are also taken away from openssl/opensslconf.h, as they are
+ irrelevant.
+ [Richard Levitte]
+
+ *) Configuration change; if there is a known flag to compile
+ position independent code, it will always be applied on the
+ libcrypto and libssl object files, and never on the application
+ object files. This means other libraries that use routines from
+ libcrypto / libssl can be made into shared libraries regardless
+ of how OpenSSL was configured.
+
+ If this isn't desirable, the configuration options "disable-pic"
+ or "no-pic" can be used to disable the use of PIC. This will
+ also disable building shared libraries and dynamic engines.
+ [Richard Levitte]
+
+ *) Removed JPAKE code. It was experimental and has no wide use.
+ [Rich Salz]
+
+ *) The INSTALL_PREFIX Makefile variable has been renamed to
+ DESTDIR. That makes for less confusion on what this variable
+ is for. Also, the configuration option --install_prefix is
+ removed.
+ [Richard Levitte]
+
+ *) Heartbeat for TLS has been removed and is disabled by default
+ for DTLS; configure with enable-heartbeats. Code that uses the
+ old #define's might need to be updated.
+ [Emilia Käsper, Rich Salz]
+
+ *) Rename REF_CHECK to REF_DEBUG.
+ [Rich Salz]
+
+ *) New "unified" build system
+
+ The "unified" build system is aimed to be a common system for all
+ platforms we support. With it comes new support for VMS.
+
+ This system builds supports building in a different directory tree
+ than the source tree. It produces one Makefile (for unix family
+ or lookalikes), or one descrip.mms (for VMS).
+
+ The source of information to make the Makefile / descrip.mms is
+ small files called 'build.info', holding the necessary
+ information for each directory with source to compile, and a
+ template in Configurations, like unix-Makefile.tmpl or
+ descrip.mms.tmpl.
+
+ We rely heavily on the perl module Text::Template.
+ [Richard Levitte]
+
+ *) Added support for auto-initialisation and de-initialisation of the library.
+ OpenSSL no longer requires explicit init or deinit routines to be called,
+ except in certain circumstances. See the OPENSSL_init_crypto() and
+ OPENSSL_init_ssl() man pages for further information.
+ [Matt Caswell]
+
+ *) The arguments to the DTLSv1_listen function have changed. Specifically the
+ "peer" argument is now expected to be a BIO_ADDR object.
+
+ *) Rewrite of BIO networking library. The BIO library lacked consistent
+ support of IPv6, and adding it required some more extensive
+ modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
+ which hold all types of addresses and chains of address information.
+ It also introduces a new API, with functions like BIO_socket,
+ BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
+ The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
+ have been adapted accordingly.
+ [Richard Levitte]
+
+ *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+ the leading 0-byte.
+ [Emilia Käsper]
+
+ *) CRIME protection: disable compression by default, even if OpenSSL is
+ compiled with zlib enabled. Applications can still enable compression
+ by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
+ using the SSL_CONF library to configure compression.
+ [Emilia Käsper]
+
+ *) The signature of the session callback configured with
+ SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
+ was explicitly marked as 'const unsigned char*' instead of
+ 'unsigned char*'.
+ [Emilia Käsper]
+
+ *) Always DPURIFY. Remove the use of uninitialized memory in the
+ RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
+ [Emilia Käsper]
+
+ *) Removed many obsolete configuration items, including
+ DES_PTR, DES_RISC1, DES_RISC2, DES_INT
+ MD2_CHAR, MD2_INT, MD2_LONG
+ BF_PTR, BF_PTR2
+ IDEA_SHORT, IDEA_LONG
+ RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
+ [Rich Salz, with advice from Andy Polyakov]
+
+ *) Many BN internals have been moved to an internal header file.
+ [Rich Salz with help from Andy Polyakov]
+
+ *) Configuration and writing out the results from it has changed.
+ Files such as Makefile include/openssl/opensslconf.h and are now
+ produced through general templates, such as Makefile.in and
+ crypto/opensslconf.h.in and some help from the perl module
+ Text::Template.
+
+ Also, the center of configuration information is no longer
+ Makefile. Instead, Configure produces a perl module in
+ configdata.pm which holds most of the config data (in the hash
+ table %config), the target data that comes from the target
+ configuration in one of the Configurations/*.conf files (in
+ %target).
+ [Richard Levitte]
+
+ *) To clarify their intended purposes, the Configure options
+ --prefix and --openssldir change their semantics, and become more
+ straightforward and less interdependent.
+
+ --prefix shall be used exclusively to give the location INSTALLTOP
+ where programs, scripts, libraries, include files and manuals are
+ going to be installed. The default is now /usr/local.
+
+ --openssldir shall be used exclusively to give the default
+ location OPENSSLDIR where certificates, private keys, CRLs are
+ managed. This is also where the default openssl.cnf gets
+ installed.
+ If the directory given with this option is a relative path, the
+ values of both the --prefix value and the --openssldir value will
+ be combined to become OPENSSLDIR.
+ The default for --openssldir is INSTALLTOP/ssl.
+
+ Anyone who uses --openssldir to specify where OpenSSL is to be
+ installed MUST change to use --prefix instead.
+ [Richard Levitte]
+
+ *) The GOST engine was out of date and therefore it has been removed. An up
+ to date GOST engine is now being maintained in an external repository.
+ See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
+ support for GOST ciphersuites (these are only activated if a GOST engine
+ is present).
+ [Matt Caswell]
+
+ *) EGD is no longer supported by default; use enable-egd when
+ configuring.
+ [Ben Kaduk and Rich Salz]
+
+ *) The distribution now has Makefile.in files, which are used to
+ create Makefile's when Configure is run. *Configure must be run
+ before trying to build now.*
+ [Rich Salz]
+
+ *) The return value for SSL_CIPHER_description() for error conditions
+ has changed.
+ [Rich Salz]
+
+ *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
+
+ Obtaining and performing DNSSEC validation of TLSA records is
+ the application's responsibility. The application provides
+ the TLSA records of its choice to OpenSSL, and these are then
+ used to authenticate the peer.
+
+ The TLSA records need not even come from DNS. They can, for
+ example, be used to implement local end-entity certificate or
+ trust-anchor "pinning", where the "pin" data takes the form
+ of TLSA records, which can augment or replace verification
+ based on the usual WebPKI public certification authorities.
+ [Viktor Dukhovni]
+
+ *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
+ continues to support deprecated interfaces in default builds.
+ However, applications are strongly advised to compile their
+ source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
+ the declarations of all interfaces deprecated in 0.9.8, 1.0.0
+ or the 1.1.0 releases.
+
+ In environments in which all applications have been ported to
+ not use any deprecated interfaces OpenSSL's Configure script
+ should be used with the --api=1.1.0 option to entirely remove
+ support for the deprecated features from the library and
+ unconditionally disable them in the installed headers.
+ Essentially the same effect can be achieved with the "no-deprecated"
+ argument to Configure, except that this will always restrict
+ the build to just the latest API, rather than a fixed API
+ version.
+
+ As applications are ported to future revisions of the API,
+ they should update their compile-time OPENSSL_API_COMPAT define
+ accordingly, but in most cases should be able to continue to
+ compile with later releases.
+
+ The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
+ 0x10000000L and 0x00908000L, respectively. However those
+ versions did not support the OPENSSL_API_COMPAT feature, and
+ so applications are not typically tested for explicit support
+ of just the undeprecated features of either release.
+ [Viktor Dukhovni]
+
+ *) Add support for setting the minimum and maximum supported protocol.
+ It can bet set via the SSL_set_min_proto_version() and
+ SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
+ MaxProtcol. It's recommended to use the new APIs to disable
+ protocols instead of disabling individual protocols using
+ SSL_set_options() or SSL_CONF's Protocol. This change also
+ removes support for disabling TLS 1.2 in the OpenSSL TLS
+ client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
+ [Kurt Roeckx]
*) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
[Andy Polyakov]
exchange. The LOW ciphers currently doesn't have any ciphers in it.
[Kurt Roeckx]
- *) Make EVP_MD_CTX, EVP_MD and HMAC_CTX opaque. For HMAC_CTX, the
- following constructors and destructors were added:
+ *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
+ opaque. For HMAC_CTX, the following constructors and destructors
+ were added:
HMAC_CTX *HMAC_CTX_new(void);
void HMAC_CTX_free(HMAC_CTX *ctx);
- For EVP_MD, a complete API to create, fill and destroy such
- methods has been added. See EVP_MD_meth_new(3) for
- documentation.
+ For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
+ destroy such methods has been added. See EVP_MD_meth_new(3) and
+ EVP_CIPHER_meth_new(3) for documentation.
Additional changes:
- 1) HMAC_CTX_cleanup() and EVP_MD_CTX_cleanup() were removed,
- HMAC_CTX_init() and EVP_MD_CTX_init() should be called instead
- to reinitialise and already created structure. Also,
- HMAC_CTX_init() and EVP_MD_CTX_init() now return 0 for failure
- and 1 for success (they previously had the return type void).
+ 1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
+ HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
+ EVP_MD_CTX_reset() should be called instead to reinitialise
+ an already created structure.
2) For consistency with the majority of our object creators and
destructors, EVP_MD_CTX_(create|destroy) were renamed to
EVP_MD_CTX_(new|free). The old names are retained as macros
[Rich Salz]
*) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
- and sureware.
+ sureware and ubsec.
[Matt Caswell, Rich Salz]
*) New ASN.1 embed macro.
[Richard Levitte]
+ *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
+ are used; the latter aborts on memory leaks (usually checked on exit).
+ Some undocumented "set malloc, etc., hooks" functions were removed
+ and others were changed. All are now documented.
+ [Rich Salz]
+
*) In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
whose return value is often ignored.
[Steve Henson]
+ *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
+ These allow SCTs (signed certificate timestamps) to be requested and
+ validated when establishing a connection.
+ [Rob Percival <robpercival@google.com>]
+
+ Changes between 1.0.2g and 1.0.2h [3 May 2016]
+
+ *) Prevent padding oracle in AES-NI CBC MAC check
+
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ AES-NI.
+
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack (CVE-2013-0169). The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
+
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ (CVE-2016-2107)
+ [Kurt Roeckx]
+
+ *) Fix EVP_EncodeUpdate overflow
+
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
+
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
+ the PEM_write_bio* family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2105)
+ [Matt Caswell]
+
+ *) Fix EVP_EncryptUpdate overflow
+
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call to
+ EVP_EncryptUpdate() with a partial block then a length check can overflow
+ resulting in a heap corruption. Following an analysis of all OpenSSL
+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
+ the first called function after an EVP_EncryptInit(), and therefore that
+ specific call must be safe. The second form is where the length passed to
+ EVP_EncryptUpdate() can be seen from the code to be some small value and
+ therefore there is no possibility of an overflow. Since all instances are
+ one of these two forms, it is believed that there can be no overflows in
+ internal code due to this problem. It should be noted that
+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+ of these calls have also been analysed too and it is believed there are no
+ instances in internal usage where an overflow could occur.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2106)
+ [Matt Caswell]
+
+ *) Prevent ASN.1 BIO excessive memory allocation
+
+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+ a short invalid encoding can cause allocation of large amounts of memory
+ potentially consuming excessive resources or exhausting memory.
+
+ Any application parsing untrusted data through d2i BIO functions is
+ affected. The memory based functions such as d2i_X509() are *not* affected.
+ Since the memory based functions are used by the TLS library, TLS
+ applications are not affected.
+
+ This issue was reported by Brian Carpenter.
+ (CVE-2016-2109)
+ [Stephen Henson]
+
+ *) EBCDIC overread
+
+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
+ in arbitrary stack data being returned in the buffer.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2176)
+ [Matt Caswell]
+
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ [Todd Short]
+
+ *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
+ default.
+ [Kurt Roeckx]
+
+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
+
+ Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
+
+ * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+ Builds that are not configured with "enable-weak-ssl-ciphers" will not
+ provide any "EXPORT" or "LOW" strength ciphers.
+ [Viktor Dukhovni]
+
+ * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
+ is by default disabled at build-time. Builds that are not configured with
+ "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
+ users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+ will need to explicitly call either of:
+
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+ or
+ SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+
+ as appropriate. Even if either of those is used, or the application
+ explicitly uses the version-specific SSLv2_method() or its client and
+ server variants, SSLv2 ciphers vulnerable to exhaustive search key
+ recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
+ ciphers, and SSLv2 56-bit DES are no longer available.
+ (CVE-2016-0800)
+ [Viktor Dukhovni]
+
+ *) Fix a double-free in DSA code
+
+ A double free bug was discovered when OpenSSL parses malformed DSA private
+ keys and could lead to a DoS attack or memory corruption for applications
+ that receive DSA private keys from untrusted sources. This scenario is
+ considered rare.
+
+ This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2016-0705)
+ [Stephen Henson]
+
+ *) Disable SRP fake user seed to address a server memory leak.
+
+ Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
+ was changed to ignore the "fake user" SRP seed, even if the seed
+ is configured.
+
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ (CVE-2016-0798)
+ [Emilia Käsper]
+
+ *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+
+ In the BN_hex2bn function the number of hex digits is calculated using an
+ int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
+ large values of |i| this can result in |bn_expand| not allocating any
+ memory because |i * 4| is negative. This can leave the internal BIGNUM data
+ field as NULL leading to a subsequent NULL ptr deref. For very large values
+ of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+ In this case memory is allocated to the internal BIGNUM data field, but it
+ is insufficiently sized leading to heap corruption. A similar issue exists
+ in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
+ is ever called by user applications with very large untrusted hex/dec data.
+ This is anticipated to be a rare occurrence.
+
+ All OpenSSL internal usage of these functions use data that is not expected
+ to be untrusted, e.g. config file data or application command line
+ arguments. If user developed applications generate config file data based
+ on untrusted data then it is possible that this could also lead to security
+ consequences. This is also anticipated to be rare.
+
+ This issue was reported to OpenSSL by Guido Vranken.
+ (CVE-2016-0797)
+ [Matt Caswell]
+
+ *) Fix memory issues in BIO_*printf functions
+
+ The internal |fmtstr| function used in processing a "%s" format string in
+ the BIO_*printf functions could overflow while calculating the length of a
+ string and cause an OOB read when printing very long strings.
+
+ Additionally the internal |doapr_outch| function can attempt to write to an
+ OOB memory location (at an offset from the NULL pointer) in the event of a
+ memory allocation failure. In 1.0.2 and below this could be caused where
+ the size of a buffer to be allocated is greater than INT_MAX. E.g. this
+ could be in processing a very long "%s" format string. Memory leaks can
+ also occur.
+
+ The first issue may mask the second issue dependent on compiler behaviour.
+ These problems could enable attacks where large amounts of untrusted data
+ is passed to the BIO_*printf functions. If applications use these functions
+ in this way then they could be vulnerable. OpenSSL itself uses these
+ functions when printing out human-readable dumps of ASN.1 data. Therefore
+ applications that print this data could be vulnerable if the data is from
+ untrusted sources. OpenSSL command line applications could also be
+ vulnerable where they print out ASN.1 data, or if untrusted data is passed
+ as command line arguments.
+
+ Libssl is not considered directly vulnerable. Additionally certificates etc
+ received via remote connections via libssl are also unlikely to be able to
+ trigger these issues because of message size limits enforced within libssl.
+
+ This issue was reported to OpenSSL Guido Vranken.
+ (CVE-2016-0799)
+ [Matt Caswell]
+
+ *) Side channel attack on modular exponentiation
+
+ A side-channel attack was found which makes use of cache-bank conflicts on
+ the Intel Sandy-Bridge microarchitecture which could lead to the recovery
+ of RSA keys. The ability to exploit this issue is limited as it relies on
+ an attacker who has control of code in a thread running on the same
+ hyper-threaded core as the victim thread which is performing decryptions.
+
+ This issue was reported to OpenSSL by Yuval Yarom, The University of
+ Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
+ Nadia Heninger, University of Pennsylvania with more information at
+ http://cachebleed.info.
+ (CVE-2016-0702)
+ [Andy Polyakov]
+
+ *) Change the req app to generate a 2048-bit RSA/DSA key by default,
+ if no keysize is specified with default_bits. This fixes an
+ omission in an earlier change that changed all RSA/DSA key generation
+ apps to use 2048 bits by default.
+ [Emilia Käsper]
+
+ Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
+ *) DH small subgroups
+
+ Historically OpenSSL only ever generated DH parameters based on "safe"
+ primes. More recently (in version 1.0.2) support was provided for
+ generating X9.42 style parameter files such as those required for RFC 5114
+ support. The primes used in such files may not be "safe". Where an
+ application is using DH configured with parameters based on primes that are
+ not "safe" then an attacker could use this fact to find a peer's private
+ DH exponent. This attack requires that the attacker complete multiple
+ handshakes in which the peer uses the same private DH exponent. For example
+ this could be used to discover a TLS server's private DH exponent if it's
+ reusing the private DH exponent or it's using a static DH ciphersuite.
+
+ OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
+ TLS. It is not on by default. If the option is not set then the server
+ reuses the same private DH exponent for the life of the server process and
+ would be vulnerable to this attack. It is believed that many popular
+ applications do set this option and would therefore not be at risk.
+
+ The fix for this issue adds an additional check where a "q" parameter is
+ available (as is the case in X9.42 based parameters). This detects the
+ only known attack, and is the only possible defense for static DH
+ ciphersuites. This could have some performance impact.
+
+ Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
+ default and cannot be disabled. This could have some performance impact.
+
+ This issue was reported to OpenSSL by Antonio Sanso (Adobe).
+ (CVE-2016-0701)
+ [Matt Caswell]
+
+ *) SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ and Sebastian Schinzel.
+ (CVE-2015-3197)
+ [Viktor Dukhovni]
+
Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
*) BN_mod_exp may produce incorrect results on x86_64
*) Alternate chains certificate forgery
- During certificate verfification, OpenSSL will attempt to find an
+ During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
*) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
ARMv5 through ARMv8, as opposite to "locking" it to single one.
- So far those who have to target multiple plaforms would compromise
+ So far those who have to target multiple platforms would compromise
and argue that binary targeting say ARMv5 would still execute on
ARMv8. "Universal" build resolves this compromise by providing
near-optimal performance even on newer platforms.
[Steve Henson]
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
- this fixes a limiation in previous versions of OpenSSL.
+ this fixes a limitation in previous versions of OpenSSL.
[Steve Henson]
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
*) Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
- the parent SSL_CTX. Include distint stores for certificate chain
+ the parent SSL_CTX. Include distinct stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
[Steve Henson]
*) Integrate hostname, email address and IP address checking with certificate
- verification. New verify options supporting checking in opensl utility.
+ verification. New verify options supporting checking in openssl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
*) New option -sigopt to dgst utility. Update dgst to use
EVP_Digest{Sign,Verify}*. These two changes make it possible to use
- alternative signing paramaters such as X9.31 or PSS in the dgst
+ alternative signing parameters such as X9.31 or PSS in the dgst
utility.
[Steve Henson]
unofficial, and the ID has long expired.
[Bodo Moeller]
- *) Fix RSA blinding Heisenbug (problems sometimes occured on
+ *) Fix RSA blinding Heisenbug (problems sometimes occurred on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]
unofficial, and the ID has long expired.
[Bodo Moeller]
- *) Fix RSA blinding Heisenbug (problems sometimes occured on
+ *) Fix RSA blinding Heisenbug (problems sometimes occurred on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]
*) Added support for proxy certificates according to RFC 3820.
Because they may be a security thread to unaware applications,
- they must be explicitely allowed in run-time. See
+ they must be explicitly allowed in run-time. See
docs/HOWTO/proxy_certificates.txt for further information.
[Richard Levitte]
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
reveal whether illegal block cipher padding was found or a MAC
- verification error occured. (Neither SSLerr() codes nor alerts
+ verification error occurred. (Neither SSLerr() codes nor alerts
are directly visible to potential attackers, but the information
may leak via logfiles.)
*) Bugfix: ssl23_get_client_hello did not work properly when called in
state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
- but a retry condition occured while trying to read the rest.
+ but a retry condition occurred while trying to read the rest.
[Bodo Moeller]
*) The PKCS7_ENC_CONTENT_new() function was setting the content type as