 OpenSSL CHANGES
 _______________

 Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]

  *) Have SSL/TLS server implementation tolerate "mismatched" record
     protocol version while receiving ClientHello even if the
     ClientHello is fragmented.  (The server can't insist on the
     particular protocol version it has chosen before the ServerHello
     message has informed the client about his choice.)
     [Bodo Moeller]

  *) Load error codes if they are not already present instead of using a
     static variable. This allows them to be cleanly unloaded and reloaded.
     [Steve Henson]

 Changes between 0.9.7k and 0.9.7l  [28 Sep 2006]

  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service.  (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service.  (CVE-2006-2937)  [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
     (CVE-2006-3738)  [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server.  (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Change ciphersuite string processing so that an explicit
     ciphersuite selects this one ciphersuite (so that "AES256-SHA"
     will no longer include "AES128-SHA"), and any other similar
     ciphersuite (same bitmap) from *other* protocol versions (so that
     "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
     SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
     changes from 0.9.8b and 0.9.8d.
     [Bodo Moeller]

 Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]

  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
     (CVE-2006-4339)  [Ben Laurie and Google Security Team]

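The 0.9.7k entry above concerns how a verifier checks the EMSA-PKCS1-v1_5 encoding of a signature. The following Python is an added illustration, not OpenSSL's code and not the actual fix: it contrasts a lenient parser that stops examining bytes once the DigestInfo matches (the defect class the entry addresses) with the robust approach of rebuilding the single valid encoding and comparing it whole. The message, encoded-message length and the trailing-byte test vector are constructed here; the SHA-256 DigestInfo prefix is the standard one from RFC 8017.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(msg: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 <FF padding> 00 <DigestInfo>."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_strict(em: bytes, msg: bytes, em_len: int) -> bool:
    """Robust check: rebuild the one valid encoding and compare it whole.

    Any deviation (short padding, extra bytes after the hash) fails,
    because the comparison covers every byte of the encoded message.
    """
    if len(em) != em_len:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, em_len))


def verify_lenient(em: bytes, msg: bytes) -> bool:
    """Defective check: parse left to right and stop once the hash matches.

    Bytes following the DigestInfo are never examined, which is the
    gap a verifier must not leave open.
    """
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    expected = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return em[i + 1 : i + 1 + len(expected)] == expected


def constructed_em_with_trailing_bytes(msg: bytes, em_len: int) -> bytes:
    """Constructed test vector: minimal 8-byte padding, then filler after the hash."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    filler = b"\x00" * (em_len - 11 - len(t))
    return b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + filler


if __name__ == "__main__":
    message = b"constructed test message"
    good = emsa_pkcs1_v15_encode(message, 256)
    odd = constructed_em_with_trailing_bytes(message, 256)
    print("well-formed:    strict", verify_strict(good, message, 256),
          "lenient", verify_lenient(good, message))
    print("trailing bytes: strict", verify_strict(odd, message, 256),
          "lenient", verify_lenient(odd, message))
```

The design point is that the verifier never needs a parser at all: the correct encoding for a given message and modulus length is unique, so comparing against it byte for byte rejects every malformed variant without enumerating them.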
  *) Change the Unix randomness entropy gathering to use poll() when
     possible instead of select(), since the latter has some
     undesirable limitations.
     [Darryl Miles via Richard Levitte and Bodo Moeller]

  *) Disable rogue ciphersuites:

      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

     The latter two were purportedly from
     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
     appear there.

     Also deactivate the remaining ciphersuites from
     draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
     unofficial, and the ID has long expired.
     [Bodo Moeller]

  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

 Changes between 0.9.7i and 0.9.7j  [04 May 2006]

  *) Adapt fipsld and the build system to link against the validated FIPS
     module in FIPS mode.
     [Steve Henson]

  *) Fixes for VC++ 2005 build under Windows.
     [Steve Henson]

  *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
     from a Windows bash shell such as MSYS. It is autodetected from the
     "config" script when run from a VC++ environment. Modify standard VC++
     build to use fipscanister.o from the GNU make build.
     [Steve Henson]

 Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]

  *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
     The value now differs depending on if you build for FIPS or not.
     BEWARE!  A program linked with a shared FIPSed libcrypto can't be
     safely run with a non-FIPSed libcrypto, as it may crash because of
     the difference induced by this change.
     [Andy Polyakov]

 Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]

  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
     (part of SSL_OP_ALL).  This option used to disable the
     countermeasure against man-in-the-middle protocol-version
     rollback in the SSL 2.0 server implementation, which is a bad
     idea.  (CVE-2005-2969)

     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
     for Information Security, National Institute of Advanced Industrial
     Science and Technology [AIST], Japan)]

  *) Minimal support for X9.31 signatures and PSS padding modes. This is
     mainly for FIPS compliance and not fully integrated at this stage.
     [Steve Henson]

  *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
     the exponentiation using a fixed-length exponent.  (Otherwise,
     the information leaked through timing could expose the secret key
     after many signatures; cf. Bleichenbacher's attack on DSA with
     biased k.)
     [Bodo Moeller]

  *) Make a new fixed-window mod_exp implementation the default for
     RSA, DSA, and DH private-key operations so that the sequence of
     squares and multiplies and the memory access pattern are
     independent of the particular secret key.  This will mitigate
     cache-timing and potential related attacks.

     BN_mod_exp_mont_consttime() is the new exponentiation implementation,
     and this is automatically used by BN_mod_exp_mont() if the new flag
     BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
     will use this BN flag for private exponents unless the flag
     RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
     DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.

     [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
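
The two preceding 0.9.7h entries (the fixed-length DSA exponent and the fixed-window mod_exp) describe the same idea from two sides: first make the exponent's bit length independent of the secret, then make the exponentiation perform an identical sequence of squarings and multiplications for every exponent of that length. The Python below is an added illustration of both, not OpenSSL's BN_mod_exp_mont_consttime() and not a drop-in for it. The group parameters P, Q and G are a constructed toy (P = 2Q + 1, G = 4 has order Q), chosen only so the identity G^(k + mQ) = G^k mod P can be checked exhaustively; the function names are the author's own.

```python
# Constructed toy DSA-style group (NOT real-world parameters): P = 2Q + 1 with
# Q prime, and G = 4 = 2^2 mod P, which therefore has order exactly Q.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1, "G must have order Q"


def dsa_fixed_length_exponent(k: int, q: int) -> int:
    """Return k + q or k + 2q, whichever has exactly q.bit_length() + 1 bits.

    Because G has order q, G^(k + m*q) == G^k mod p, so the signature is
    unchanged while the exponent's bit length no longer depends on k.
    """
    if not 1 <= k < q:
        raise ValueError("k must lie in [1, q-1]")
    kq = k + q
    if kq.bit_length() <= q.bit_length():
        kq += q
    return kq


def modexp_square_and_multiply(base, exp, mod):
    """Naive left-to-right exponentiation; returns (result, operation trace)."""
    result, ops = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops.append("S")
        if bit == "1":            # data-dependent branch: the trace reveals exp
            result = result * base % mod
            ops.append("M")
    return result, "".join(ops)


def modexp_fixed_window(base, exp, mod, nbits, width=4):
    """Fixed-window exponentiation over an exponent declared to be nbits wide.

    Every window costs exactly `width` squarings and one multiplication
    (by table[0] == 1 when the window is zero), so the S/M sequence is the
    same for every exponent of the declared width.  Note that the table
    index `digit` is still secret-dependent here; the entry above also
    requires the memory access pattern to be key-independent, which this
    sketch does not address.
    """
    if exp.bit_length() > nbits:
        raise ValueError("exponent wider than declared nbits")
    table = [1] * (1 << width)
    for i in range(1, 1 << width):
        table[i] = table[i - 1] * base % mod
    nwindows = -(-nbits // width)          # ceiling division
    mask = (1 << width) - 1
    result, ops = 1, []
    for w in range(nwindows - 1, -1, -1):
        for _ in range(width):
            result = result * result % mod
            ops.append("S")
        digit = (exp >> (w * width)) & mask
        result = result * table[digit] % mod  # unconditional multiply
        ops.append("M")
    return result, "".join(ops)


if __name__ == "__main__":
    nbits = Q.bit_length() + 1
    for k in (1, 5, 700, Q - 1):
        kq = dsa_fixed_length_exponent(k, Q)
        naive = modexp_square_and_multiply(G, k, P)
        fixed = modexp_fixed_window(G, kq, P, nbits)
        print(f"k={k:5d} kq={kq} bits={kq.bit_length()} "
              f"naive trace={naive[1]:<22} fixed trace={fixed[1]} "
              f"equal={naive[0] == fixed[0] == pow(G, k, P)}")
```

Run it and the naive traces differ in both length and pattern from one k to the next, while the fixed-window trace is identical for every k and the results agree with pow(). The same reasoning is why the entry makes the flag a property of the exponent (BN_FLG_EXP_CONSTTIME) rather than of the call site: the private exponent is what must not shape the computation.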

  *) Change the client implementation for SSLv23_method() and
     SSLv23_client_method() so that it uses the SSL 3.0/TLS 1.0
     Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
     (Previously, the SSL 2.0 backwards compatible Client Hello
     message format would be used even with SSL_OP_NO_SSLv2.)
     [Bodo Moeller]

  *) Add support for smime-type MIME parameter in S/MIME messages which some
     clients need.
     [Steve Henson]

  *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
     a threadsafe manner. Modify rsa code to use new function and add calls
     to dsa and dh code (which had race conditions before).
     [Steve Henson]

  *) Include the fixed error library code in the C error file definitions
     instead of fixing them up at runtime. This keeps the error code
     structures constant.
     [Steve Henson]

 Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]

 [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
 OpenSSL 0.9.8.]

  *) Fixes for newer kerberos headers. NB: the casts are needed because
     the 'length' field is signed on one version and unsigned on another
     with no (?) obvious way to tell the difference, without these VC++
     complains. Also the "definition" of FAR (blank) is no longer included
     nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
     some needed definitions.
     [Steve Henson]

  *) Undo Cygwin change.