OpenSSL CHANGES
_______________
- Changes between 1.0.x and 1.1.0 [xx XXX xxxx]
+ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
- *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
- avoids preferring ECDHE-ECDSA ciphers when the client appears to be
- Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
- several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
- is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
- 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
- [Rob Stradling, Adam Langley]
+ *) Experimental support for a new, fast, unbiased prime candidate generator,
+ bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
+ [Felix Laurie von Massenbach <felix@erbridge.co.uk>]
+
+ *) New output format NSS in the sess_id command line tool. This allows
+ exporting the session id and the master key in NSS keylog format.
+ [Martin Kaiser <martin@kaiser.cx>]
+
+ *) Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix some double frees. These are not thought to be exploitable.
+ [mancha <mancha1@zoho.com>]
+
+ *) A missing bounds check in the handling of the TLS heartbeat extension
+ can be used to reveal up to 64k of memory to a connected client or
+ server.
+
+ Thanks for Neel Mehta of Google Security for discovering this bug and to
+ Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+ preparing the fix (CVE-2014-0160)
+ [Adam Langley, Bodo Moeller]
+
+ *) Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ http://eprint.iacr.org/2014/140
+
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ [Yuval Yarom and Naomi Benger]
+
+ *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
+ this fixes a limiation in previous versions of OpenSSL.
+ [Steve Henson]
*) Experimental encrypt-then-mac support.
Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt
- To enable it set the appropriate extension number (0x10 for the test
- server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10
+ To enable it set the appropriate extension number (0x42 for the test
+ server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
For non-compliant peers (i.e. just about everything) this should have no
effect.
WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
- NOTE: unfortunately the test server value (0x10) clashes with the draft
- ALPN extension. Until this is resolved the only way to check against the
- test server is to temporarily change the ALPN extension value (ugh!).
-
[Steve Henson]
- *) Add callbacks supporting generation and retrieval of supplemental
- data entries.
- [Scott Deboy <sdeboy@apache.org>, Trevor Perrin and Ben Laurie]
-
*) Add EVP support for key wrapping algorithms, to avoid problems with
existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
security.
[Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
- *) Initial experimental support for explicitly trusted non-root CAs.
- OpenSSL still tries to build a complete chain to a root but if an
- intermediate CA has a trust setting included that is used. The first
- setting is used: whether to trust or reject.
- [Steve Henson]
-
*) New -verify_name option in command line utilities to set verification
parameters by name.
[Steve Henson]
Changes between 1.0.1e and 1.0.2 [xx XXX xxxx]
+ *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+ for corner cases. (Certain input points at infinity could lead to
+ bogus results, with non-infinity inputs mapped to infinity too.)
+ [Bodo Moeller]
+
+ *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
+ This covers AES, SHA256/512 and GHASH. "Initial" means that most
+ common cases are optimized and there still is room for further
+ improvements. Vector Permutation AES for Altivec is also added.
+ [Andy Polyakov]
+
+ *) Add support for little-endian ppc64 Linux target.
+ [Marcelo Cerri (IBM)]
+
+ *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
+ SHA1, SHA256 and GHASH. "Initial" means that most common cases
+ are optimized and there still is room for further improvements.
+ Both 32- and 64-bit modes are supported.
+ [Andy Polyakov, Ard Biesheuvel (Linaro)]
+
+ *) Improved ARMv7 NEON support.
+ [Andy Polyakov]
+
+ *) Support for SPARC Architecture 2011 crypto extensions, first
+ implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
+ SHA256/512, MD5, GHASH and modular exponentiation.
+ [Andy Polyakov, David Miller]
+
+ *) Accelerated modular exponentiation for Intel processors, a.k.a.
+ RSAZ.
+ [Shay Gueron (Intel Corp)]
+
+ *) Support for new and upcoming Intel processors, including AVX2,
+ BMI and SHA ISA extensions. This includes additional "stitched"
+ implementations, AESNI-SHA256 and GCM, and multi-buffer support
+ for TLS encrypt.
+
+ This work was sponsored by Intel Corp.
+ [Andy Polyakov]
+
+ *) Keep original DTLS digest and encryption contexts in retransmission
+ structures so we can use the previous session parameters if they need
+ to be resent. (CVE-2013-6450)
+ [Steve Henson]
+
+ *) TLS pad extension: draft-agl-tls-padding-03
+
+ Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+ TLS client Hello record length value would otherwise be > 255 and
+ less that 512 pad with a dummy extension containing zeroes so it
+ is at least 512 bytes long.
+
+ [Adam Langley, Steve Henson]
+
+ *) Add functions to allocate and set the fields of an ECDSA_METHOD
+ structure.
+ [Douglas E. Engert, Steve Henson]
+
+ *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+ avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+ Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
+ several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
+ is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+ 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+ [Rob Stradling, Adam Langley]
+
*) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
difference in days and seconds between two tm or ASN1_TIME structures.
[Steve Henson]
*) Fix OCSP checking.
[Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
- *) Backport support for partial chain verification: if an intermediate
- certificate is explicitly trusted (using -addtrust option to x509
- utility for example) the verification is sucessful even if the chain
- is not complete.
- The OCSP checking fix depends on this backport.
- [Steve Henson and Rob Stradling <rob.stradling@comodo.com>]
+ *) Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust (e.g., -addtrust option to the x509
+ utility) or reject.
+ [Steve Henson]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
*) Support for linux-x32, ILP32 environment in x86_64 framework.
[Andy Polyakov]
- *) RFC 5878 (TLS Authorization Extensions) support.
- [Emilia Kasper, Adam Langley, Ben Laurie (Google)]
-
*) Experimental multi-implementation support for FIPS capable OpenSSL.
When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]
+ *) Return an error when checking OCSP signatures when key is NULL.
+ This fixes a DoS attack. (CVE-2013-0166)
+ [Steve Henson]
+
*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
projects / thirdparty / openssl.git / blobdiff