 OpenSSL CHANGES
 _______________

 Changes between 1.0.2 and 1.0.2a [xx XXX xxxx]

  *) Removed the export ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 1.0.1l and 1.0.2 [22 Jan 2015]

  *) SRTP Memory Leak.

     A flaw in the DTLS SRTP extension parsing code allows an attacker, who
     sends a carefully crafted handshake message, to cause OpenSSL to fail
     to free up to 64k of memory causing a memory leak. This could be
     exploited in a Denial of Service attack. This issue affects OpenSSL
     1.0.1 server implementations for both SSL/TLS and DTLS regardless of
     whether SRTP is used or configured. Implementations of OpenSSL that
     have been compiled with OPENSSL_NO_SRTP defined are not affected.

     The fix was developed by the OpenSSL team.
     (CVE-2014-3513)
     [OpenSSL team]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
     integrity of that ticket is first verified. In the event of a session
     ticket integrity check failing, OpenSSL will fail to free memory
     causing a memory leak. By sending a large number of invalid session
     tickets an attacker could exploit this issue in a Denial of Service
     attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers
     could accept and complete an SSL 3.0 handshake, and clients could be
     configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.
     Client applications doing fallback retries should call
     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

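     The server-side rule that TLS_FALLBACK_SCSV (RFC 7507) adds, shown as an
     added Python example rather than OpenSSL's own code: a client that has
     been forced to retry at a lower version appends the signalling cipher
     suite 0x5600, and a server that supports something higher than the
     ClientHello's client_version answers with a fatal inappropriate_fallback
     alert instead of completing the downgraded handshake. The ClientHello
     encoder, the filler cipher suite 0x002f and the simulate_fallback()
     harness are constructed here for illustration and are not part of OpenSSL.

```python
"""Server-side TLS_FALLBACK_SCSV handling (RFC 7507) on a minimal ClientHello.

Added example in Python, not OpenSSL's code. The ClientHello encoder, the
filler cipher suite 0x002f and the simulate_fallback() harness are constructed
for illustration.
"""
import os
import struct

TLS_FALLBACK_SCSV = b"\x56\x00"      # cipher suite value reserved by RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86    # fatal alert the server sends (RFC 7507)

TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303
AES128_SHA = b"\x00\x2f"             # TLS_RSA_WITH_AES_128_CBC_SHA, as filler


def build_client_hello(client_version, cipher_suites, send_fallback_scsv=False):
    """Encode a minimal ClientHello handshake message (no extensions).

    Appending the SCSV to the cipher list is what SSL_MODE_SEND_FALLBACK_SCSV
    makes OpenSSL do on a fallback retry; here it is done by hand.
    """
    suites = b"".join(cipher_suites)
    if send_fallback_scsv:
        suites += TLS_FALLBACK_SCSV
    body = struct.pack("!H", client_version)
    body += os.urandom(32)                         # ClientHello.random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # compression_methods: null
    return b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello


def parse_client_hello(msg):
    """Return (client_version, [cipher suite values]) from a ClientHello."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 39:         # 39 = smallest possible body
        raise ValueError("truncated handshake message")
    (version,) = struct.unpack("!H", body[:2])
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("bad cipher_suites length")
    return version, [raw[i:i + 2] for i in range(0, suites_len, 2)]


def server_decide(server_max_version, client_hello):
    """RFC 7507 section 3: if the hello carries the SCSV and client_version is
    below the highest version this server supports, the client is falling
    back unnecessarily (or is being forced to by an attacker): send the fatal
    inappropriate_fallback alert. Otherwise negotiate as usual."""
    version, suites = parse_client_hello(client_hello)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max_version))


def simulate_fallback(client_versions, server_max_version, send_scsv,
                      attacker_blocks_first):
    """Client tries versions highest first, retrying one step lower whenever a
    connection fails. `attacker_blocks_first` models an active attacker who
    drops the first attempt to force the downgrade dance. Returns the
    negotiated version, or 'aborted' when the SCSV check fires."""
    for i, version in enumerate(client_versions):
        if attacker_blocks_first and i == 0:
            continue                               # reset: client retries lower
        hello = build_client_hello(version, [AES128_SHA],
                                   send_fallback_scsv=(send_scsv and i > 0))
        kind, value = server_decide(server_max_version, hello)
        return "aborted" if kind == "alert" else value
    return "failed"
```

     Two caveats follow from the rule. A server that genuinely tops out at the
     client's fallback version negotiates normally, so the check does not
     break old servers; and the SCSV belongs only on the retry connection, so
     an application that sets SSL_MODE_SEND_FALLBACK_SCSV on its first attempt
     at a deliberately low version will be refused by any server that supports
     something newer.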
  *) Facilitate "universal" ARM builds targeting a range of ARM ISAs, e.g.
     ARMv5 through ARMv8, as opposed to "locking" it to a single one.
     So far those who have to target multiple platforms would compromise
     and argue that a binary targeting say ARMv5 would still execute on
     ARMv8. "Universal" build resolves this compromise by providing
     near-optimal performance even on newer platforms.
     [Andy Polyakov]

  *) Accelerated NIST P-256 elliptic curve implementation for x86_64
     (other platforms pending).
     [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]

  *) Add support for the SignedCertificateTimestampList certificate and
     OCSP response extensions from RFC6962.
     [Rob Stradling]

  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]

  *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
     This covers AES, SHA256/512 and GHASH. "Initial" means that most
     common cases are optimized and there still is room for further
     improvements. Vector Permutation AES for Altivec is also added.
     [Andy Polyakov]

  *) Add support for little-endian ppc64 Linux target.
     [Marcelo Cerri (IBM)]

  *) Initial support for ARMv8 ISA crypto extensions. This covers AES,
     SHA1, SHA256 and GHASH. "Initial" means that most common cases
     are optimized and there still is room for further improvements.
     Both 32- and 64-bit modes are supported.
     [Andy Polyakov, Ard Biesheuvel (Linaro)]

  *) Improved ARMv7 NEON support.
     [Andy Polyakov]

  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]

  *) Accelerated modular exponentiation for Intel processors, a.k.a.
     RSAZ.
     [Shay Gueron & Vlad Krasnov (Intel Corp)]

  *) Support for new and upcoming Intel processors, including AVX2,
     BMI and SHA ISA extensions. This includes additional "stitched"
     implementations, AESNI-SHA256 and GCM, and multi-buffer support
     for TLS encrypt.

     This work was sponsored by Intel Corp.
     [Andy Polyakov]

  *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
     supports both DTLS 1.2 and 1.0 and should use whatever version the peer
     supports, and DTLSv1_2_*_method() which supports DTLS 1.2 only.
     [Steve Henson]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Add EVP support for key wrapping algorithms. To avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include test cases.
     [Steve Henson]

  *) Add functions to allocate and set the fields of an ECDSA_METHOD
     structure.
     [Douglas E. Engert, Steve Henson]

  *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
     difference in days and seconds between two tm or ASN1_TIME structures.
     [Steve Henson]

  *) Add -rev test option to s_server to just reverse the order of characters
     received from the client and send them back to the client. Also prints an
     abbreviated summary of the connection parameters.
     [Steve Henson]

  *) New option -brief for s_client and s_server to print out a brief summary
     of connection parameters.
     [Steve Henson]

  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

  *) New option -crl_download in several openssl utilities to download CRLs
     from CRLDP extension in certificates.
     [Steve Henson]

  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]

  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to "crl" utility.
     [Steve Henson]

  *) New functions to set lookup_crls function and to retrieve
     X509_STORE from X509_STORE_CTX.
     [Steve Henson]

  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]

  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]

  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
     [Steve Henson]

  *) SSL_CONF* functions. These provide a common framework for application
     configuration using configuration files or command lines.
     [Steve Henson]

  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]

  *) New ctrl and macro to retrieve supported points extensions.
     Print out extension in s_server and s_client.
     [Steve Henson]

  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]

  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]

  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]

  *) New chain verification flags for Suite B levels of security. Check
     algorithms are acceptable when flags are set in X509_verify_cert.
     [Steve Henson]

  *) Make tls1_check_chain return a set of flags indicating checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]

  *) If an attempt is made to use a signature algorithm not in the peer
     preference list abort the handshake. If the client has no suitable
     signature algorithms in response to a certificate request do not
     use the certificate.
     [Steve Henson]

  *) If server EC tmp key is not in client preference list abort handshake.
     [Steve Henson]

  *) Add support for certificate stores in CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distinct stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in CERT structure, returning
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.

     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.

     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session, check mask when sending client
     hello and checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types are not set with custom values, set sensible values based on
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]

  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort handshake if no
     shared signature algorithms.
     [Steve Henson]

  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]

  *) New function SSL_certs_clear() to delete all references to certificates
     from an SSL structure. Before this, once a certificate had been added
     it couldn't be removed.
     [Steve Henson]

  *) Integrate hostname, email address and IP address checking with certificate
     verification. New verify options supporting checking in openssl utility.
     [Steve Henson]

  *) Fixes and wildcard matching support to hostname and email checking
     functions. Add manual page.
     [Florian Weimer (Red Hat Product Security Team)]

  *) New functions to check a hostname, email or IP address against a
     certificate. Add options to the x509 utility to print results of checks
     against a certificate.
     [Steve Henson]

  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]

  *) Initial experimental support for explicitly trusted non-root CAs.
     OpenSSL still tries to build a complete chain to a root but if an
     intermediate CA has a trust setting included that is used. The first
     setting is used: whether to trust (e.g., -addtrust option to the x509
     utility) or reject.
     [Steve Henson]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]

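     The hostname and wildcard checking entries above describe what the new
     X509_check_host-style verification has to get right; the following is an
     added Python example (not OpenSSL's implementation) of the RFC 6125 style
     rules in a deliberately strict form: the wildcard may only be the whole
     leftmost label, it stands for exactly one label, it never matches across a
     dot, a pattern such as "*.com" is refused outright, and the subject CN is
     consulted only when the certificate has no dNSName SAN. Partial wildcards
     ("f*.example.com") are rejected here, which is stricter than OpenSSL's
     default flags. The SAN lists and hostnames are constructed.

```python
"""Conservative matching of a hostname against certificate dNSName entries.

Added example, not OpenSSL's X509_check_host: RFC 6125 style wildcard rules
in their strict form (no partial wildcards, no '*.com').
"""


def _labels(name):
    """Lower-case, drop one trailing dot, split into labels; reject empties."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if "" in labels:
        raise ValueError("empty label in %r" % name)
    return labels


def is_valid_dns_pattern(pattern):
    """A reference identifier from the certificate may contain at most one
    '*', and only as the whole leftmost label with at least two labels
    after it."""
    labels = _labels(pattern)
    if "*" not in pattern:
        return True
    if pattern.count("*") != 1 or labels[0] != "*":
        return False            # 'f*.example.com' and 'a.*.b' are rejected
    return len(labels) >= 3     # '*.com' would match every .com host


def match_dns_name(hostname, pattern):
    """True when `hostname` matches the certificate name `pattern`."""
    if "*" in hostname:
        raise ValueError("wildcards are not allowed in the presented hostname")
    host = _labels(hostname)
    if not is_valid_dns_pattern(pattern):
        return False
    pat = _labels(pattern)
    if pat[0] != "*":
        return host == pat
    # The wildcard stands for exactly one non-empty label: it never matches
    # across a dot and never matches zero labels, so '*.example.com' matches
    # neither 'example.com' nor 'a.b.example.com'.
    return len(host) == len(pat) and host[1:] == pat[1:]


def check_host(hostname, san_dns_names, subject_cn=None):
    """Return the certificate name that matched, or None.

    The subject CN is a fallback used only when the certificate carries no
    dNSName SAN at all; once SANs are present the CN is ignored.
    """
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [subject_cn] if subject_cn else []
    for name in candidates:
        try:
            if match_dns_name(hostname, name):
                return name
        except ValueError:
            continue            # malformed entry: skip it, never match it
    return None
```

     Email and IP address identifiers need their own comparison (exact match
     on the local part, byte-wise comparison of the iPAddress octets) and are
     not covered by this matcher.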
  *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
     platform support for Linux and Android.
     [Andy Polyakov]

  *) Support for linux-x32, ILP32 environment in x86_64 framework.
     [Andy Polyakov]

  *) Experimental multi-implementation support for FIPS capable OpenSSL.
     When in FIPS mode the approved implementations are used as normal,
     when not in FIPS mode the internal unapproved versions are used instead.
     This means that the FIPS capable OpenSSL isn't forced to use the
     (often lower performance) FIPS implementations outside FIPS mode.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparameters. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of 'q' parameter for RFC5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

  *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
     the certificate.
     Note: Related 1.0.2-beta specific macros X509_get_cert_info,
     X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
     X509_CINF_get_signature were reverted post internal team review.

 Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]

 Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
     INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.

     The session ID context is typically set from the parent SSL_CTX,
     and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non-zero unused bits.

     If the BIT STRING containing the signature has non-zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Re-encode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

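     Checks 1 and 3 of the fingerprint fix, as an added stand-alone Python
     example rather than OpenSSL's code: a strict DER reader that rejects
     BER lengths, re-encodes the Dss-Sig-Value SEQUENCE { r, s } and compares
     it byte for byte with what was received, so trailing garbage, a
     non-minimal INTEGER (leading zero) or a negative value all fail, and a
     BIT STRING wrapper with non-zero unused bits is refused before the
     signature is even looked at. Every attacker-controlled byte outside the
     TBS that survives these checks is exactly the one canonical encoding, so
     the certificate's fingerprint can no longer be varied without touching
     the signed portion. The sample signature bytes are constructed.

```python
"""Strict DER checks for certificate signatures, in the spirit of fixes 1 and 3
above. Added example, not OpenSSL's code; all sample bytes are constructed."""


def _encode_len(n):
    """DER definite length: short form below 0x80, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos):
    """Read one tag/length/value at buf[pos]; return (tag, value, next_pos).
    Indefinite and non-minimal lengths are BER, not DER, and are rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        if buf[pos] == 0:
            raise ValueError("length has a leading zero byte (not DER)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length (not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def decode_der_integer(value):
    """DER INTEGER contents: non-empty, with no redundant leading 0x00/0xFF."""
    if not value:
        raise ValueError("empty INTEGER")
    if len(value) > 1 and ((value[0] == 0x00 and value[1] < 0x80) or
                           (value[0] == 0xFF and value[1] >= 0x80)):
        raise ValueError("INTEGER has a redundant leading byte")
    return int.from_bytes(value, "big", signed=True)


def encode_der_integer(n):
    """Minimal two's-complement DER INTEGER."""
    size = 1
    while True:
        try:
            body = n.to_bytes(size, "big", signed=True)
            break
        except OverflowError:
            size += 1
    return b"\x02" + _encode_len(len(body)) + body


def signature_from_bit_string(value):
    """Fix 1: the signatureValue BIT STRING must declare zero unused bits.
    `value` is the BIT STRING contents (first octet = unused-bit count)."""
    if not value or value[0] != 0:
        raise ValueError("signature BIT STRING has non-zero unused bits")
    return value[1:]


def parse_dsa_sig_value(sig):
    """Fix 3: parse Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } and
    require that re-encoding (r, s) reproduces `sig` byte for byte. This
    rejects trailing garbage, BER lengths and non-minimal INTEGERs."""
    tag, seq, end = _read_tlv(sig, 0)
    if tag != 0x30 or end != len(sig):
        raise ValueError("not a single SEQUENCE (garbage after signature?)")
    t1, v1, p = _read_tlv(seq, 0)
    t2, v2, p = _read_tlv(seq, p)
    if t1 != 0x02 or t2 != 0x02 or p != len(seq):
        raise ValueError("SEQUENCE is not exactly two INTEGERs")
    r, s = decode_der_integer(v1), decode_der_integer(v2)
    if r <= 0 or s <= 0:
        # A negative value re-encodes identically, so the comparison below
        # would not catch it; DSA/ECDSA require 0 < r, s anyway.
        raise ValueError("r and s must be positive")
    inner = encode_der_integer(r) + encode_der_integer(s)
    if b"\x30" + _encode_len(len(inner)) + inner != sig:
        raise ValueError("signature is not canonical DER")
    return r, s


def is_strict_der_sig(sig):
    """Boolean wrapper: True only for a canonical DER Dss-Sig-Value."""
    try:
        parse_dsa_sig_value(sig)
        return True
    except ValueError:
        return False


def has_zero_unused_bits(bit_string_value):
    """Boolean wrapper around the fix 1 check."""
    try:
        signature_from_bit_string(bit_string_value)
        return True
    except ValueError:
        return False
```

     Check 2 (AlgorithmIdentifier in the TBS equal to the outer signature
     algorithm) is a plain comparison of two already-parsed structures and is
     left out here. Note that, as the entry warns, enforcing these rules turns
     some previously accepted but non-DER certificates into verification
     failures; that is the intended trade-off.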
  *) Do not resume sessions on the server if the negotiated protocol
     version does not match the session's version. Resuming with a different
     version, while not strictly forbidden by the RFC, is of questionable
     sanity and breaks all known clients.