]> git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Oops. Add missing file.

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     [Rob Stradling <rob.stradling@comodo.com>]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]

  *) Don't use TLS 1.0 record version number in initial client hello
     if renegotiating.
     [Steve Henson]

 Changes between 1.0.1b and 1.0.1c [10 May 2012]

  *) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to fix DoS attack.

     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]

  *) In FIPS mode don't try to use composite ciphers as they are not
     approved.
     [Steve Henson]

 Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L. Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Leaving the value as it was
     would make it impossible to disable TLS 1.1 specifically and, in a
     client context, in that unlikely event, would limit the maximum
     offered version to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperability SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if an application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1; one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to the
     client side.
     [Andy Polyakov]
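
     The following C program is an added illustration of the two entries above (it is not code from OpenSSL or from this changelog): first the bit collision between the 1.0.0 SSL_OP_ALL value and the old SSL_OP_NO_TLSv1_1 value, then the client-side rule that SSL_OP_NO_protocolX only takes effect as a contiguous range of versions. The SSL_OP_NO_SSLv2/SSLv3/TLSv1/TLSv1_2 values are assumed to match the 1.0.1 headers, and max_offered_version() is a model of the rule as described here, not OpenSSL's own version-selection code.

```c
#include <stdio.h>

/* SSL_OP_ALL (1.0.0 headers) and both SSL_OP_NO_TLSv1_1 values are the ones
   quoted in the entries above; the other SSL_OP_NO_* bits are assumed to
   match the OpenSSL 1.0.1 headers. */
#define SSL_OP_ALL_1_0_0      0x80000FFFL
#define SSL_OP_NO_TLSv1_1_OLD 0x00000400L  /* 1.0.1/1.0.1a: overlaps SSL_OP_ALL */
#define SSL_OP_NO_TLSv1_1_NEW 0x10000000L  /* 1.0.1b and later */
#define SSL_OP_NO_SSLv2       0x01000000L
#define SSL_OP_NO_SSLv3       0x02000000L
#define SSL_OP_NO_TLSv1       0x04000000L
#define SSL_OP_NO_TLSv1_2     0x08000000L

/* Protocol versions in ascending order. */
enum { SSLv2, SSLv3, TLS1_0, TLS1_1, TLS1_2, NUM_VERSIONS, NONE = -1 };
static const char *names[NUM_VERSIONS] = { "SSLv2", "SSLv3", "TLS1.0", "TLS1.1", "TLS1.2" };

/* Non-zero if an application built against 1.0.0 headers that sets SSL_OP_ALL
   would, with this SSL_OP_NO_TLSv1_1 bit, also disable TLS 1.1 by accident. */
int op_all_disables_tls11(long no_tlsv1_1_bit) {
    return (SSL_OP_ALL_1_0_0 & no_tlsv1_1_bit) != 0;
}

/* Model (not OpenSSL's code) of the client-side rule above: the client offers a
   contiguous run of versions starting at the lowest one still enabled, so
   SSL_OP_NO_X also drops everything above X when something below X is enabled.
   Returns the highest version offered, or NONE if every version is disabled. */
int max_offered_version(long options, long no_tlsv1_1_bit) {
    long no_bits[NUM_VERSIONS] = { SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
                                   no_tlsv1_1_bit, SSL_OP_NO_TLSv1_2 };
    int v = 0, top = NONE;
    while (v < NUM_VERSIONS && (options & no_bits[v])) v++;        /* skip disabled floor */
    while (v < NUM_VERSIONS && !(options & no_bits[v])) top = v++;  /* take the enabled run */
    return top;
}

int main(void) {
    long only_no_tls10 = SSL_OP_NO_TLSv1;
    long no_tls10_and_below = SSL_OP_NO_TLSv1 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SSLv2;
    printf("SSL_OP_ALL + old NO_TLSv1_1 bit disables TLS 1.1: %d\n", op_all_disables_tls11(SSL_OP_NO_TLSv1_1_OLD));
    printf("SSL_OP_ALL + new NO_TLSv1_1 bit disables TLS 1.1: %d\n", op_all_disables_tls11(SSL_OP_NO_TLSv1_1_NEW));
    printf("client with 1.0.0 SSL_OP_ALL (old bit) offers up to %s\n", names[max_offered_version(SSL_OP_ALL_1_0_0, SSL_OP_NO_TLSv1_1_OLD)]);
    printf("SSL_OP_NO_TLSv1 alone offers up to %s\n", names[max_offered_version(only_no_tls10, SSL_OP_NO_TLSv1_1_NEW)]);
    printf("NO_TLSv1|NO_SSLv3|NO_SSLv2 offers up to %s\n", names[max_offered_version(no_tls10_and_below, SSL_OP_NO_TLSv1_1_NEW)]);
    return 0;
}
```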

 Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

  *) Check for potentially exploitable overflows in asn1_d2i_read_bio,
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.

     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]

  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
     [Adam Langley]

  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes.

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
        the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.
     [Steve Henson]

  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
     [Andy Polyakov]

 Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
     STRING form instead of a DigestInfo.
     [Steve Henson]

  *) The format used for MDC2 RSA signatures is inconsistent between EVP
     and the RSA_sign/RSA_verify functions. This was made more apparent when
     OpenSSL used RSA_sign/RSA_verify for some RSA signatures, in particular
     those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
     the correct format in RSA_verify so both forms transparently work.
     [Steve Henson]

  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum permitted
     client version in client hello; this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]

  *) Add support for TLS/DTLS heartbeats.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Add support for SCTP.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Improved PRNG seeding for VOS.
     [Paul Green <Paul.Green@stratus.com>]

  *) Extensive assembler packs updates, most notably:

     - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
     - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
     - x86_64: bit-sliced AES implementation;
     - ARM: NEON support, contemporary platforms optimizations;
     - s390x: z196 support;
     - *: GHASH and GF(2^m) multiplication implementations;

     [Andy Polyakov]

  *) Make TLS-SRP code conformant with RFC 5054 API cleanup
     (removal of unnecessary code)
     [Peter Sylvester <peter.sylvester@edelweb.fr>]

  *) Add TLS key material exporter from RFC 5705.
     [Eric Rescorla]

  *) Add DTLS-SRTP negotiation from RFC 5764.
     [Eric Rescorla]

  *) Add Next Protocol Negotiation,
     http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
     disabled with a no-npn flag to config or Configure. Code donated
     by Google.
     [Adam Langley <agl@google.com> and Ben Laurie]

  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
     NIST-P256, NIST-P521, with constant-time single point multiplication on
     typical inputs. Compiler support for the nonstandard type __uint128_t is
     required to use this (present in gcc 4.4 and later, for 64-bit builds).
     Code made available under Apache License version 2.0.

     Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
     line to include this in your build of OpenSSL, and run "make depend" (or
     "make update"). This enables the following EC_METHODs:

         EC_GFp_nistp224_method()
         EC_GFp_nistp256_method()
         EC_GFp_nistp521_method()

     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).
