X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=2cb84d4507cb0e4784f928d3542dc89b90bd8ad7;hb=5c9261aa07d197a94380e6f5d0e0b9f855924bc4;hp=ff77c1b4b7b9011e5824882831db3a110e30492e;hpb=37857e9b5258da148e5d3699b6acdf8787417eb2;p=oweals%2Fopenssl.git

diff --git a/CHANGES b/CHANGES
index ff77c1b4b7..2cb84d4507 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,131 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
- Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]
+ Changes between 1.1.1c and 1.1.1d [xx XXX xxxx]
+
+  *) Correct the extended master secret constant on EBCDIC systems. Without this
+     fix TLS connections between an EBCDIC system and a non-EBCDIC system that
+     negotiate EMS will fail. Unfortunately this also means that TLS connections
+     between EBCDIC systems with this fix, and EBCDIC systems without this
+     fix will fail if they negotiate EMS.
+     [Matt Caswell]
+
+  *) Use Windows installation paths in the mingw builds
+
+     Mingw isn't a POSIX environment per se, which means that Windows
+     paths should be used for installation.
+     (CVE-2019-1552)
+     [Richard Levitte]
+
+  *) Changed DH parameters to generate the order q subgroup instead of 2q.
+     Previously generated DH parameters are still accepted by DH_check
+     but DH_generate_key works around that by clearing bit 0 of the
+     private key for those. This avoids leaking bit 0 of the private key.
+     [Bernd Edlinger]
+
+  *) Significantly reduce secure memory usage by the randomness pools.
+     [Paul Dale]
+
+  *) Revert the DEVRANDOM_WAIT feature for Linux systems
+
+     The DEVRANDOM_WAIT feature added a select() call to wait for the
+     /dev/random device to become readable before reading from the
+     /dev/urandom device.
+
+     It turned out that this change had negative side effects on
+     performance which were not acceptable. After some discussion it
+     was decided to revert this feature and leave it up to the OS
+     resp. the platform maintainer to ensure a proper initialization
+     during early boot time.
+
+ Changes between 1.1.1b and 1.1.1c [28 May 2019]
+
+  *) Add build tests for C++.  These are generated files that only do one
+     thing, to include one public OpenSSL head file each.  This tests that
+     the public header files can be usefully included in a C++ application.
+
+     This test isn't enabled by default.  It can be enabled with the option
+     'enable-buildtest-c++'.
+     [Richard Levitte]
+
+  *) Enable SHA3 pre-hashing for ECDSA and DSA.
+     [Patrick Steuer]
+
+  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+     This changes the size when using the genpkey app when no size is given. It
+     fixes an omission in earlier changes that changed all RSA, DSA and DH
+     generation apps to use 2048 bits by default.
+     [Kurt Roeckx]
+
+  *) Reorganize the manual pages to consistently have RETURN VALUES,
+     EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
+     util/fix-doc-nits accordingly.
+     [Paul Yang, Joshua Lock]
+
+  *) Add the missing accessor EVP_PKEY_get0_engine()
+     [Matt Caswell]
+
+  *) Have apps like 's_client' and 's_server' output the signature scheme
+     along with other cipher suite parameters when debugging.
+     [Lorinczy Zsigmond]
+
+  *) Make OPENSSL_config() error agnostic again.
+     [Richard Levitte]
+
+  *) Do the error handling in RSA decryption constant time.
+     [Bernd Edlinger]
+
+  *) Prevent over long nonces in ChaCha20-Poly1305.
+
+     ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
+     for every encryption operation. RFC 7539 specifies that the nonce value
+     (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
+     and front pads the nonce with 0 bytes if it is less than 12
+     bytes. However it also incorrectly allows a nonce to be set of up to 16
+     bytes. In this case only the last 12 bytes are significant and any
+     additional leading bytes are ignored.
+
+     It is a requirement of using this cipher that nonce values are
+     unique. Messages encrypted using a reused nonce value are susceptible to
+     serious confidentiality and integrity attacks. If an application changes
+     the default nonce length to be longer than 12 bytes and then makes a
+     change to the leading bytes of the nonce expecting the new value to be a
+     new unique nonce then such an application could inadvertently encrypt
+     messages with a reused nonce.
+
+     Additionally the ignored bytes in a long nonce are not covered by the
+     integrity guarantee of this cipher. Any application that relies on the
+     integrity of these ignored leading bytes of a long nonce may be further
+     affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
+     is safe because no such use sets such a long nonce value. However user
+     applications that use this cipher directly and set a non-default nonce
+     length to be longer than 12 bytes may be vulnerable.
+
+     This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
+     Greef of Ronomon.
+     (CVE-2019-1543)
+     [Matt Caswell]
+
+  *) Add DEVRANDOM_WAIT feature for Linux systems
+
+     On older Linux systems where the getrandom() system call is not available,
+     OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
+     Contrary to getrandom(), the /dev/urandom device will not block during
+     early boot when the kernel CSPRNG has not been seeded yet.
+
+     To mitigate this known weakness, use select() to wait for /dev/random to
+     become readable before reading from /dev/urandom.
+
+  *) Ensure that SM2 only uses SM3 as digest algorithm
+     [Paul Yang]
+
+ Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
+
+  *) Added SCA hardening for modular field inversion in EC_GROUP through
+     a new dedicated field_inv() pointer in EC_METHOD.
+     This also addresses a leakage affecting conversions from projective
+     to affine coordinates.
+     [Billy Bob Brumley, Nicola Tuveri]
 
   *) Change the info callback signals for the start and end of a post-handshake
      message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
@@ -245,7 +369,7 @@
         SSL_set_ciphersuites()
      [Matt Caswell]
 
-  *) Memory allocation failures consistenly add an error to the error
+  *) Memory allocation failures consistently add an error to the error
      stack.
      [Rich Salz]
 
@@ -6783,7 +6907,7 @@
      reason texts, thereby removing some of the footprint that may not
      be interesting if those errors aren't displayed anyway.
 
-     NOTE: it's still possible for any application or module to have it's
+     NOTE: it's still possible for any application or module to have its
      own set of error texts inserted.  The routines are there, just not
      used by default when no-err is given.
      [Richard Levitte]
@@ -8749,7 +8873,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
 
   *) New function OPENSSL_cleanse(), which is used to cleanse a section of
-     memory from it's contents.  This is done with a counter that will
+     memory from its contents.  This is done with a counter that will
      place alternating values in each byte.  This can be used to solve
      two issues: 1) the removal of calls to memset() by highly optimizing
      compilers, and 2) cleansing with other values than 0, since those can