Commit | Line | Data |
---|---|---|
81a6c781 | 1 | |
f1c236f8 | 2 | OpenSSL CHANGES |
651d0aff RE | 3 | _______________ |
651d0aff RE | 4 | |
d08d0c12 | 5 | Changes between 0.9.7l and 0.9.7m [23 Feb 2007] |
6b131d9c | 6 | |
9a3a58e1 DSH | 7 | *) Cleanse PEM buffers before freeing them since they may contain |
9a3a58e1 DSH | 8 | sensitive data. |
9a3a58e1 DSH | 9 | [Benjamin Bennett <ben@psc.edu>] |
9a3a58e1 DSH | 10 | |
3bd95a14 BM | 11 | *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that |
3bd95a14 BM | 12 | a ciphersuite string such as "DEFAULT:RSA" cannot enable |
3bd95a14 BM | 13 | authentication-only ciphersuites. |
3bd95a14 BM | 14 | [Bodo Moeller] |
3bd95a14 BM | 15 | |
d875a212 BM | 16 | *) Since AES128 and AES256 share a single mask bit in the logic of |
d875a212 BM | 17 | ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a |
d875a212 BM | 18 | kludge to work properly if AES128 is available and AES256 isn't. |
d875a212 BM | 19 | [Victor Duchovni] |
d875a212 BM | 20 | |
eee04c54 DSH | 21 | *) Expand security boundary to match 1.1.1 module. |
eee04c54 DSH | 22 | [Steve Henson] |
eee04c54 DSH | 23 | |
18051aa8 DSH | 24 | *) Remove redundant features: hash file source, editing of test vectors; |
18051aa8 DSH | 25 | modify fipsld to use external fips_premain.c signature. |
18051aa8 DSH | 26 | [Steve Henson] |
18051aa8 DSH | 27 | |
d107905b DSH | 28 | *) New perl script mkfipsscr.pl to create shell scripts or batch files to |
d107905b DSH | 29 | run algorithm test programs. |
d107905b DSH | 30 | [Steve Henson] |
d107905b DSH | 31 | |
7c4dd3fe DSH | 32 | *) Make algorithm test programs more tolerant of whitespace. |
7c4dd3fe DSH | 33 | [Steve Henson] |
7c4dd3fe DSH | 34 | |
9dc705a2 BM | 35 | *) Have SSL/TLS server implementation tolerate "mismatched" record |
9dc705a2 BM | 36 | protocol version while receiving ClientHello even if the |
9dc705a2 BM | 37 | ClientHello is fragmented. (The server can't insist on the |
9dc705a2 BM | 38 | particular protocol version it has chosen before the ServerHello |
9dc705a2 BM | 39 | message has informed the client about its choice.) |
9dc705a2 BM | 40 | [Bodo Moeller] |
9dc705a2 BM | 41 | |
f6cdaa96 DSH | 42 | *) Load error codes if they are not already present instead of using a |
f6cdaa96 DSH | 43 | static variable. This allows them to be cleanly unloaded and reloaded. |
f6cdaa96 DSH | 44 | [Steve Henson] |
f6cdaa96 DSH | 45 | |
c830c1a2 | 46 | Changes between 0.9.7k and 0.9.7l [28 Sep 2006] |
60bee5d4 | 47 | |
b2139664 MC | 48 | *) Introduce limits to prevent malicious keys being able to |
b2139664 MC | 49 | cause a denial of service. (CVE-2006-2940) |
b2139664 MC | 50 | [Steve Henson, Bodo Moeller] |
b2139664 MC | 51 | |
b2139664 MC | 52 | *) Fix ASN.1 parsing of certain invalid structures that can result |
b2139664 MC | 53 | in a denial of service. (CVE-2006-2937) [Steve Henson] |
b2139664 MC | 54 | |
b2139664 MC | 55 | *) Fix buffer overflow in SSL_get_shared_ciphers() function. |
b2139664 MC | 56 | (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] |
b2139664 MC | 57 | |
b2139664 MC | 58 | *) Fix SSL client code which could crash if connecting to a |
b2139664 MC | 59 | malicious SSLv2 server. (CVE-2006-4343) |
b2139664 MC | 60 | [Tavis Ormandy and Will Drewry, Google Security Team] |
b2139664 MC | 61 | |
ea43804b BM | 62 | *) Change ciphersuite string processing so that an explicit |
ea43804b BM | 63 | ciphersuite selects this one ciphersuite (so that "AES256-SHA" |
ea43804b BM | 64 | will no longer include "AES128-SHA"), and any other similar |
ea43804b BM | 65 | ciphersuite (same bitmap) from *other* protocol versions (so that |
ea43804b BM | 66 | "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the |
ea43804b BM | 67 | SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining |
ea43804b BM | 68 | changes from 0.9.8b and 0.9.8d. |
ea43804b BM | 69 | [Bodo Moeller] |
ea43804b BM | 70 | |
975a7a48 | 71 | Changes between 0.9.7j and 0.9.7k [05 Sep 2006] |
a6fb8a82 | 72 | |
ffa04072 MC | 73 | *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher |
ffa04072 MC | 74 | (CVE-2006-4339) [Ben Laurie and Google Security Team] |
ffa04072 MC | 75 | |
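The entry for CVE-2006-4339 above names the attack but not the check it hinges on: a PKCS #1 v1.5 verifier must require the DigestInfo to be the last thing in the decoded block. The following is an added example in Python, not OpenSSL's code. It shows a lax verifier that stops checking after the DigestInfo, the strict verifier that compares the whole encoded block, and the e = 3 forgery (Bleichenbacher, 2006) that only the lax one accepts. The 2048-bit modulus is a constructed stand-in rather than a real RSA key, the SHA-256 DigestInfo prefix is the standard RFC 3447 value, and all function names are local to this example.

```python
import hashlib

# DER encoding of the DigestInfo header for SHA-256 (RFC 3447, section 9.2,
# note 1); the 32-byte hash value follows it.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3        # small public exponent: the precondition for this forgery
K = 256      # modulus size in bytes (a 2048-bit key)


def os2ip(b):
    return int.from_bytes(b, "big")


def i2osp(x, length):
    return x.to_bytes(length, "big")


def constructed_modulus(k=K):
    """Deterministic 2048-bit odd number standing in for an RSA public
    modulus.  Constructed for this example, NOT a real key: the forgery
    never wraps modulo n, so any n with s**3 < n behaves the same."""
    raw = b"".join(hashlib.sha256(b"constructed-modulus-%d" % i).digest()
                   for i in range(k // 32))
    return os2ip(raw) | (1 << (8 * k - 1)) | 1


def icbrt_ceil(x):
    """Smallest integer s with s**3 >= x (integer Newton iteration)."""
    s = 1 << ((x.bit_length() + 2) // 3)      # starts above the true root
    while True:
        t = (2 * s + x // (s * s)) // 3
        if t >= s:
            break
        s = t
    while s ** 3 < x:
        s += 1
    while s > 1 and (s - 1) ** 3 >= x:
        s -= 1
    return s


def emsa_pkcs1_v15_encode(msg, k=K):
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_lax(n, e, msg, sig, k=K):
    """Pre-fix shape of check: walk past the padding, compare the
    DigestInfo found there, and ignore whatever follows it."""
    em = i2osp(pow(os2ip(sig), e, n), k)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= k or em[i] != 0x00:      # need >= 8 padding bytes
        return False
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t       # trailing bytes unchecked: the bug


def verify_strict(n, e, msg, sig, k=K):
    """The fix: the DigestInfo must end exactly at the end of the block,
    which is easiest to enforce by comparing the whole expected EM."""
    em = i2osp(pow(os2ip(sig), e, n), k)
    return em == emsa_pkcs1_v15_encode(msg, k)


def forge_signature_e3(msg, k=K):
    """Bleichenbacher's 2006 forgery: put a minimally padded DigestInfo at
    the top of the block, leave the rest as don't-care bytes, and take the
    integer cube root.  s**3 reproduces the top bytes exactly because the
    rounding error of the root fits inside the don't-care region.  No
    private key is involved."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    target = os2ip(prefix + b"\x00" * (k - len(prefix)))
    return i2osp(icbrt_ceil(target), k)


def demo(msg=b"constructed message: pay 1000 to mallory"):
    n = constructed_modulus()
    sig = forge_signature_e3(msg)
    return {"lax_accepts": verify_lax(n, E, msg, sig),
            "strict_accepts": verify_strict(n, E, msg, sig)}


if __name__ == "__main__":
    print(demo())   # {'lax_accepts': True, 'strict_accepts': False}
```

The forgery works only because the lax check lets 194 bytes of the block go uninspected; with 2 + 8 + 1 + 51 bytes of controlled prefix the cube root's rounding error (about 2^1360) never reaches them. Any verifier that tolerates trailing data after the DigestInfo, or a shorter-than-expected padding string, is in the same position regardless of the hash used.

Commit | Line | Data |
---|---|---|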
bdd00f8c RL | 76 | *) Change the Unix randomness entropy gathering to use poll() when |
bdd00f8c RL | 77 | possible instead of select(), since the latter has some |
bdd00f8c RL | 78 | undesirable limitations. |
81edd235 | 79 | [Darryl Miles via Richard Levitte and Bodo Moeller] |
bdd00f8c | 80 | |
c098e8b6 BM | 81 | *) Disable rogue ciphersuites: |
c098e8b6 BM | 82 | |
c098e8b6 BM | 83 | - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") |
c098e8b6 BM | 84 | - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") |
c098e8b6 BM | 85 | - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") |
c098e8b6 BM | 86 | |
c098e8b6 BM | 87 | The latter two were purportedly from |
c098e8b6 BM | 88 | draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really |
c098e8b6 BM | 89 | appear there. |
c098e8b6 BM | 90 | |
c098e8b6 BM | 91 | Also deactivate the remaining ciphersuites from |
c098e8b6 BM | 92 | draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as |
c098e8b6 BM | 93 | unofficial, and the ID has long expired. |
c098e8b6 BM | 94 | [Bodo Moeller] |
c098e8b6 BM | 95 | |
019a63f9 BM | 96 | *) Fix RSA blinding Heisenbug (problems sometimes occurred on |
019a63f9 BM | 97 | dual-core machines) and other potential thread-safety issues. |
019a63f9 BM | 98 | [Bodo Moeller] |
a6fb8a82 | 99 | |
d26d2361 | 100 | Changes between 0.9.7i and 0.9.7j [04 May 2006] |
2f4d5c65 | 101 | |
309d74c8 DSH | 102 | *) Adapt fipsld and the build system to link against the validated FIPS |
309d74c8 DSH | 103 | module in FIPS mode. |
309d74c8 DSH | 104 | [Steve Henson] |
309d74c8 DSH | 105 | |
309d74c8 DSH | 106 | *) Fixes for VC++ 2005 build under Windows. |
309d74c8 DSH | 107 | [Steve Henson] |
309d74c8 DSH | 108 | |
a5319427 DSH | 109 | *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make |
a5319427 DSH | 110 | from a Windows bash shell such as MSYS. It is autodetected from the |
a5319427 DSH | 111 | "config" script when run from a VC++ environment. Modify standard VC++ |
a5319427 DSH | 112 | build to use fipscanister.o from the GNU make build. |
a5319427 DSH | 113 | [Steve Henson] |
a5319427 DSH | 114 | |
deab8d93 RL | 115 | Changes between 0.9.7h and 0.9.7i [14 Oct 2005] |
deab8d93 RL | 116 | |
deab8d93 RL | 117 | *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS. |
deab8d93 RL | 118 | The value now differs depending on whether you build for FIPS or not. |
deab8d93 RL | 119 | BEWARE! A program linked with a shared FIPSed libcrypto can't be |
deab8d93 RL | 120 | safely run with a non-FIPSed libcrypto, as it may crash because of |
deab8d93 RL | 121 | the difference induced by this change. |
deab8d93 RL | 122 | [Andy Polyakov] |
49a305e7 | 123 | |
a40916cb MC | 124 | Changes between 0.9.7g and 0.9.7h [11 Oct 2005] |
a40916cb MC | 125 | |
a40916cb MC | 126 | *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING |
a40916cb MC | 127 | (part of SSL_OP_ALL). This option used to disable the |
a40916cb MC | 128 | countermeasure against man-in-the-middle protocol-version |
a40916cb MC | 129 | rollback in the SSL 2.0 server implementation, which is a bad |
7606bb65 | 130 | idea. (CVE-2005-2969) |
a40916cb MC | 131 | |
a40916cb MC | 132 | [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center |
a40916cb MC | 133 | for Information Security, National Institute of Advanced Industrial |
a40916cb MC | 134 | Science and Technology [AIST], Japan)] |
d060fc9f | 135 | |
0c7b0671 | 136 | *) Minimal support for X9.31 signatures and PSS padding modes. This is |
e96fad9d | 137 | mainly for FIPS compliance and not fully integrated at this stage. |
0c7b0671 DSH | 138 | [Steve Henson] |
0c7b0671 DSH | 139 | |
44a28774 BM | 140 | *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform |
44a28774 BM | 141 | the exponentiation using a fixed-length exponent. (Otherwise, |
44a28774 BM | 142 | the information leaked through timing could expose the secret key |
44a28774 BM | 143 | after many signatures; cf. Bleichenbacher's attack on DSA with |
44a28774 BM | 144 | biased k.) |
44a28774 BM | 145 | [Bodo Moeller] |
44a28774 BM | 146 | |
ecb1445c | 147 | *) Make a new fixed-window mod_exp implementation the default for |
fd86c390 BM | 148 | RSA, DSA, and DH private-key operations so that the sequence of |
fd86c390 BM | 149 | squares and multiplies and the memory access pattern are |
fd86c390 BM | 150 | independent of the particular secret key. This will mitigate |
fd86c390 BM | 151 | cache-timing and potential related attacks. |
ecb1445c BM | 152 | |
ecb1445c BM | 153 | BN_mod_exp_mont_consttime() is the new exponentiation implementation, |
ecb1445c BM | 154 | and this is automatically used by BN_mod_exp_mont() if the new flag |
ecb1445c BM | 155 | BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH |
ecb1445c BM | 156 | will use this BN flag for private exponents unless the flag |
ecb1445c BM | 157 | RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or |
ecb1445c BM | 158 | DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. |
ecb1445c BM | 159 | |
ecb1445c BM | 160 | [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller] |
ecb1445c BM | 161 | |
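The two entries above (the fixed-length DSA exponent, and the fixed-window exponentiation now used for RSA, DSA and DH private-key operations) both remove key-dependent structure from the exponentiation. As an added example, not OpenSSL's implementation, the Python below contrasts the operation trace of textbook square-and-multiply with that of a fixed-window routine run over a fixed bit count, and shows the usual k + q / k + 2q padding that gives a DSA per-signature exponent a constant length. Python integers are not constant-time, so what this demonstrates is the shape of the computation (which operations run, in what order, which table slots are touched), not its timing. The toy group (p = 23, q = 11, g = 4) and the modulus 1000003 are constructed values; function names are local to this example.

```python
def modexp_square_and_multiply(base, exp, mod, trace):
    """Textbook left-to-right binary exponentiation.  The multiply runs only
    for 1 bits, so the operation sequence (and with it timing and cache
    footprint) depends on the exponent's length and Hamming weight."""
    r = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        r = r * r % mod
        trace.append("S")
        if (exp >> i) & 1:
            r = r * base % mod
            trace.append("M")
    return r


def modexp_fixed_window(base, exp, mod, nbits, trace, w=4):
    """Fixed-window (2**w-ary) exponentiation over a fixed number of bits
    `nbits` (the caller's bound on the exponent, e.g. the modulus size).
    Every window does w squarings and exactly one multiplication, even for
    an all-zero window, and the precomputed table is scanned in full so the
    access pattern does not depend on the window value.  This is the idea
    behind BN_mod_exp_mont_consttime(); the real code also lays the table
    out to defeat cache-line attacks, which this toy does not show."""
    table = [1]
    for _ in range(1, 1 << w):
        table.append(table[-1] * base % mod)
    r = 1
    for j in range((nbits + w - 1) // w - 1, -1, -1):
        for _ in range(w):
            r = r * r % mod
            trace.append("S")
        idx = (exp >> (j * w)) & ((1 << w) - 1)
        chosen = 0
        for i, entry in enumerate(table):           # touch every slot
            mask = -int(i == idx)                   # 0 or -1 (all ones)
            chosen = (chosen & ~mask) | (entry & mask)
        r = r * chosen % mod                        # dummy multiply by 1 for idx == 0
        trace.append("M")
    return r


def trace_naive(exp, base=3, mod=1000003):
    t = []
    modexp_square_and_multiply(base, exp, mod, t)
    return "".join(t)


def trace_fixed(exp, nbits=16, base=3, mod=1000003):
    t = []
    modexp_fixed_window(base, exp, mod, nbits, t)
    return "".join(t)


def dsa_fixed_length_k(k, q):
    """Fixed-length per-signature exponent for DSA: add q once, and once
    more if that did not lengthen it.  Because g has order q, g**k' == g**k
    (mod p), but bit_length(k') is always bit_length(q) + 1, so even a naive
    loop no longer reveals how long k was."""
    kk = k + q
    if kk.bit_length() <= q.bit_length():
        kk += q
    return kk


if __name__ == "__main__":
    # Two 16-bit exponents of very different Hamming weight.
    print(trace_naive(0x8001))
    print(trace_naive(0xFFFF))
    print(trace_fixed(0x8001) == trace_fixed(0xFFFF) == trace_fixed(0x5))
    # Constructed toy DSA group: p = 23, q = 11, g = 4 (order 11).
    print([dsa_fixed_length_k(k, 11).bit_length() for k in range(1, 11)])
```

The naive traces differ in both length and pattern; the fixed-window traces are identical for every exponent below the bound, including ones with leading zero windows. The same property is what the BN_FLG_EXP_CONSTTIME flag asks for, which is why the entry lists the per-algorithm flags that opt out of it.

Commit | Line | Data |
---|---|---|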
00c1c6cb BM | 162 | *) Change the client implementation for SSLv23_method() and |
00c1c6cb BM | 163 | SSLv23_client_method() so that it uses the SSL 3.0/TLS 1.0 |
00c1c6cb BM | 164 | Client Hello message format if the SSL_OP_NO_SSLv2 option is set. |
00c1c6cb BM | 165 | (Previously, the SSL 2.0 backwards compatible Client Hello |
00c1c6cb BM | 166 | message format would be used even with SSL_OP_NO_SSLv2.) |
00c1c6cb BM | 167 | [Bodo Moeller] |
00c1c6cb BM | 168 | |
73f3c281 DSH | 169 | *) Add support for smime-type MIME parameter in S/MIME messages which some |
73f3c281 DSH | 170 | clients need. |
73f3c281 DSH | 171 | [Steve Henson] |
73f3c281 DSH | 172 | |
4ed56cba DSH | 173 | *) New function BN_MONT_CTX_set_locked() to set Montgomery parameters in |
4ed56cba DSH | 174 | a threadsafe manner. Modify rsa code to use new function and add calls |
4ed56cba DSH | 175 | to dsa and dh code (which had race conditions before). |
4ed56cba DSH | 176 | [Steve Henson] |
4ed56cba DSH | 177 | |
96534114 DSH | 178 | *) Include the fixed error library code in the C error file definitions |
96534114 DSH | 179 | instead of fixing them up at runtime. This keeps the error code |
96534114 DSH | 180 | structures constant. |
96534114 DSH | 181 | [Steve Henson] |
d060fc9f | 182 | |
22e5a793 | 183 | Changes between 0.9.7f and 0.9.7g [11 Apr 2005] |
da26bcb5 | 184 | |
a40916cb MC | 185 | [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after |
a40916cb MC | 186 | OpenSSL 0.9.8.] |
a40916cb MC | 187 | |
c710c7b3 DSH | 188 | *) Fixes for newer Kerberos headers. NB: the casts are needed because |
c710c7b3 DSH | 189 | the 'length' field is signed on one version and unsigned on another |
c710c7b3 DSH | 190 | with no (?) obvious way to tell the difference; without these, VC++ |
c710c7b3 DSH | 191 | complains. Also the "definition" of FAR (blank) is no longer included, |
c710c7b3 DSH | 192 | nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up |
c710c7b3 DSH | 193 | some needed definitions. |
c710c7b3 DSH | 194 | [Steve Henson] |
c710c7b3 DSH | 195 | |
4cf8f936 UM | 196 | *) Undo Cygwin change. |
4cf8f936 UM | 197 | |