-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Ben Herila
committed
Oct 24, 2012
1 parent
de362cd
commit 308a031
Showing
588 changed files
with
72,597 additions
and
53,607 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,48 @@ | |
| OpenSSL CHANGES | ||
| _______________ | ||
|
|
||
| Changes between 1.0.0h and 1.0.0i [19 Apr 2012] | ||
| Changes between 1.0.1b and 1.0.1c [10 May 2012] | ||
|
|
||
| *) Sanity check record length before skipping explicit IV in TLS | ||
| 1.2, 1.1 and DTLS to fix DoS attack. | ||
|
|
||
| Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic | ||
| fuzzing as a service testing platform. | ||
| (CVE-2012-2333) | ||
| [Steve Henson] | ||
|
|
||
| *) Initialise tkeylen properly when encrypting CMS messages. | ||
| Thanks to Solar Designer of Openwall for reporting this issue. | ||
| [Steve Henson] | ||
|
|
||
| *) In FIPS mode don't try to use composite ciphers as they are not | ||
| approved. | ||
| [Steve Henson] | ||
|
|
||
| Changes between 1.0.1a and 1.0.1b [26 Apr 2012] | ||
|
|
||
| *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and | ||
| 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately | ||
| mean any application compiled against OpenSSL 1.0.0 headers setting | ||
| SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng | ||
| TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to | ||
| 0x10000000L Any application which was previously compiled against | ||
| OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 | ||
| will need to be recompiled as a result. Letting be results in | ||
| inability to disable specifically TLS 1.1 and in client context, | ||
| in unlike event, limit maximum offered version to TLS 1.0 [see below]. | ||
| [Steve Henson] | ||
|
|
||
| *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not | ||
| disable just protocol X, but all protocols above X *if* there are | ||
| protocols *below* X still enabled. In more practical terms it means | ||
| that if application wants to disable TLS1.0 in favor of TLS1.1 and | ||
| above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass | ||
| SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to | ||
| client side. | ||
| [Andy Polyakov] | ||
|
|
||
| Changes between 1.0.1 and 1.0.1a [19 Apr 2012] | ||
|
|
||
| *) Check for potentially exploitable overflows in asn1_d2i_read_bio | ||
| BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer | ||
|
|
@@ -13,6 +54,309 @@ | |
| (CVE-2012-2110) | ||
| [Adam Langley (Google), Tavis Ormandy, Google Security Team] | ||
|
|
||
| *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. | ||
| [Adam Langley] | ||
|
|
||
| *) Workarounds for some broken servers that "hang" if a client hello | ||
| record length exceeds 255 bytes. | ||
|
|
||
| 1. Do not use record version number > TLS 1.0 in initial client | ||
| hello: some (but not all) hanging servers will now work. | ||
| 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate | ||
| the number of ciphers sent in the client hello. This should be | ||
| set to an even number, such as 50, for example by passing: | ||
| -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. | ||
| Most broken servers should now work. | ||
| 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable | ||
| TLS 1.2 client support entirely. | ||
| [Steve Henson] | ||
|
|
||
| *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. | ||
| [Andy Polyakov] | ||
|
|
||
| Changes between 1.0.0h and 1.0.1 [14 Mar 2012] | ||
|
|
||
| *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET | ||
| STRING form instead of a DigestInfo. | ||
| [Steve Henson] | ||
|
|
||
| *) The format used for MDC2 RSA signatures is inconsistent between EVP | ||
| and the RSA_sign/RSA_verify functions. This was made more apparent when | ||
| OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular | ||
| those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect | ||
| the correct format in RSA_verify so both forms transparently work. | ||
| [Steve Henson] | ||
|
|
||
| *) Some servers which support TLS 1.0 can choke if we initially indicate | ||
| support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA | ||
| encrypted premaster secret. As a workaround use the maximum pemitted | ||
| client version in client hello, this should keep such servers happy | ||
| and still work with previous versions of OpenSSL. | ||
| [Steve Henson] | ||
|
|
||
| *) Add support for TLS/DTLS heartbeats. | ||
| [Robin Seggelmann <[email protected]>] | ||
|
|
||
| *) Add support for SCTP. | ||
| [Robin Seggelmann <[email protected]>] | ||
|
|
||
| *) Improved PRNG seeding for VOS. | ||
| [Paul Green <[email protected]>] | ||
|
|
||
| *) Extensive assembler packs updates, most notably: | ||
|
|
||
| - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support; | ||
| - x86[_64]: SSSE3 support (SHA1, vector-permutation AES); | ||
| - x86_64: bit-sliced AES implementation; | ||
| - ARM: NEON support, contemporary platforms optimizations; | ||
| - s390x: z196 support; | ||
| - *: GHASH and GF(2^m) multiplication implementations; | ||
|
|
||
| [Andy Polyakov] | ||
|
|
||
| *) Make TLS-SRP code conformant with RFC 5054 API cleanup | ||
| (removal of unnecessary code) | ||
| [Peter Sylvester <[email protected]>] | ||
|
|
||
| *) Add TLS key material exporter from RFC 5705. | ||
| [Eric Rescorla] | ||
|
|
||
| *) Add DTLS-SRTP negotiation from RFC 5764. | ||
| [Eric Rescorla] | ||
|
|
||
| *) Add Next Protocol Negotiation, | ||
| http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be | ||
| disabled with a no-npn flag to config or Configure. Code donated | ||
| by Google. | ||
| [Adam Langley <[email protected]> and Ben Laurie] | ||
|
|
||
| *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224, | ||
| NIST-P256, NIST-P521, with constant-time single point multiplication on | ||
| typical inputs. Compiler support for the nonstandard type __uint128_t is | ||
| required to use this (present in gcc 4.4 and later, for 64-bit builds). | ||
| Code made available under Apache License version 2.0. | ||
|
|
||
| Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command | ||
| line to include this in your build of OpenSSL, and run "make depend" (or | ||
| "make update"). This enables the following EC_METHODs: | ||
|
|
||
| EC_GFp_nistp224_method() | ||
| EC_GFp_nistp256_method() | ||
| EC_GFp_nistp521_method() | ||
|
|
||
| EC_GROUP_new_by_curve_name() will automatically use these (while | ||
| EC_GROUP_new_curve_GFp() currently prefers the more flexible | ||
| implementations). | ||
| [Emilia K�sper, Adam Langley, Bodo Moeller (Google)] | ||
|
|
||
| *) Use type ossl_ssize_t instad of ssize_t which isn't available on | ||
| all platforms. Move ssize_t definition from e_os.h to the public | ||
| header file e_os2.h as it now appears in public header file cms.h | ||
| [Steve Henson] | ||
|
|
||
| *) New -sigopt option to the ca, req and x509 utilities. Additional | ||
| signature parameters can be passed using this option and in | ||
| particular PSS. | ||
| [Steve Henson] | ||
|
|
||
| *) Add RSA PSS signing function. This will generate and set the | ||
| appropriate AlgorithmIdentifiers for PSS based on those in the | ||
| corresponding EVP_MD_CTX structure. No application support yet. | ||
| [Steve Henson] | ||
|
|
||
| *) Support for companion algorithm specific ASN1 signing routines. | ||
| New function ASN1_item_sign_ctx() signs a pre-initialised | ||
| EVP_MD_CTX structure and sets AlgorithmIdentifiers based on | ||
| the appropriate parameters. | ||
| [Steve Henson] | ||
|
|
||
| *) Add new algorithm specific ASN1 verification initialisation function | ||
| to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 | ||
| handling will be the same no matter what EVP_PKEY_METHOD is used. | ||
| Add a PSS handler to support verification of PSS signatures: checked | ||
| against a number of sample certificates. | ||
| [Steve Henson] | ||
|
|
||
| *) Add signature printing for PSS. Add PSS OIDs. | ||
| [Steve Henson, Martin Kaiser <[email protected]>] | ||
|
|
||
| *) Add algorithm specific signature printing. An individual ASN1 method | ||
| can now print out signatures instead of the standard hex dump. | ||
|
|
||
| More complex signatures (e.g. PSS) can print out more meaningful | ||
| information. Include DSA version that prints out the signature | ||
| parameters r, s. | ||
| [Steve Henson] | ||
|
|
||
| *) Password based recipient info support for CMS library: implementing | ||
| RFC3211. | ||
| [Steve Henson] | ||
|
|
||
| *) Split password based encryption into PBES2 and PBKDF2 functions. This | ||
| neatly separates the code into cipher and PBE sections and is required | ||
| for some algorithms that split PBES2 into separate pieces (such as | ||
| password based CMS). | ||
| [Steve Henson] | ||
|
|
||
| *) Session-handling fixes: | ||
| - Fix handling of connections that are resuming with a session ID, | ||
| but also support Session Tickets. | ||
| - Fix a bug that suppressed issuing of a new ticket if the client | ||
| presented a ticket with an expired session. | ||
| - Try to set the ticket lifetime hint to something reasonable. | ||
| - Make tickets shorter by excluding irrelevant information. | ||
| - On the client side, don't ignore renewed tickets. | ||
| [Adam Langley, Bodo Moeller (Google)] | ||
|
|
||
| *) Fix PSK session representation. | ||
| [Bodo Moeller] | ||
|
|
||
| *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. | ||
|
|
||
| This work was sponsored by Intel. | ||
| [Andy Polyakov] | ||
|
|
||
| *) Add GCM support to TLS library. Some custom code is needed to split | ||
| the IV between the fixed (from PRF) and explicit (from TLS record) | ||
| portions. This adds all GCM ciphersuites supported by RFC5288 and | ||
| RFC5289. Generalise some AES* cipherstrings to inlclude GCM and | ||
| add a special AESGCM string for GCM only. | ||
| [Steve Henson] | ||
|
|
||
| *) Expand range of ctrls for AES GCM. Permit setting invocation | ||
| field on decrypt and retrieval of invocation field only on encrypt. | ||
| [Steve Henson] | ||
|
|
||
| *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support. | ||
| As required by RFC5289 these ciphersuites cannot be used if for | ||
| versions of TLS earlier than 1.2. | ||
| [Steve Henson] | ||
|
|
||
| *) For FIPS capable OpenSSL interpret a NULL default public key method | ||
| as unset and return the appopriate default but do *not* set the default. | ||
| This means we can return the appopriate method in applications that | ||
| swicth between FIPS and non-FIPS modes. | ||
| [Steve Henson] | ||
|
|
||
| *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an | ||
| ENGINE is used then we cannot handle that in the FIPS module so we | ||
| keep original code iff non-FIPS operations are allowed. | ||
| [Steve Henson] | ||
|
|
||
| *) Add -attime option to openssl utilities. | ||
| [Peter Eckersley <[email protected]>, Ben Laurie and Steve Henson] | ||
|
|
||
| *) Redirect DSA and DH operations to FIPS module in FIPS mode. | ||
| [Steve Henson] | ||
|
|
||
| *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use | ||
| FIPS EC methods unconditionally for now. | ||
| [Steve Henson] | ||
|
|
||
| *) New build option no-ec2m to disable characteristic 2 code. | ||
| [Steve Henson] | ||
|
|
||
| *) Backport libcrypto audit of return value checking from 1.1.0-dev; not | ||
| all cases can be covered as some introduce binary incompatibilities. | ||
| [Steve Henson] | ||
|
|
||
| *) Redirect RSA operations to FIPS module including keygen, | ||
| encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods. | ||
| [Steve Henson] | ||
|
|
||
| *) Add similar low level API blocking to ciphers. | ||
| [Steve Henson] | ||
|
|
||
| *) Low level digest APIs are not approved in FIPS mode: any attempt | ||
| to use these will cause a fatal error. Applications that *really* want | ||
| to use them can use the private_* version instead. | ||
| [Steve Henson] | ||
|
|
||
| *) Redirect cipher operations to FIPS module for FIPS builds. | ||
| [Steve Henson] | ||
|
|
||
| *) Redirect digest operations to FIPS module for FIPS builds. | ||
| [Steve Henson] | ||
|
|
||
| *) Update build system to add "fips" flag which will link in fipscanister.o | ||
| for static and shared library builds embedding a signature if needed. | ||
| [Steve Henson] | ||
|
|
||
| *) Output TLS supported curves in preference order instead of numerical | ||
| order. This is currently hardcoded for the highest order curves first. | ||
| This should be configurable so applications can judge speed vs strength. | ||
| [Steve Henson] | ||
|
|
||
| *) Add TLS v1.2 server support for client authentication. | ||
| [Steve Henson] | ||
|
|
||
| *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers | ||
| and enable MD5. | ||
| [Steve Henson] | ||
|
|
||
| *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying | ||
| FIPS modules versions. | ||
| [Steve Henson] | ||
|
|
||
| *) Add TLS v1.2 client side support for client authentication. Keep cache | ||
| of handshake records longer as we don't know the hash algorithm to use | ||
| until after the certificate request message is received. | ||
| [Steve Henson] | ||
|
|
||
| *) Initial TLS v1.2 client support. Add a default signature algorithms | ||
| extension including all the algorithms we support. Parse new signature | ||
| format in client key exchange. Relax some ECC signing restrictions for | ||
| TLS v1.2 as indicated in RFC5246. | ||
| [Steve Henson] | ||
|
|
||
| *) Add server support for TLS v1.2 signature algorithms extension. Switch | ||
| to new signature format when needed using client digest preference. | ||
| All server ciphersuites should now work correctly in TLS v1.2. No client | ||
| support yet and no support for client certificates. | ||
| [Steve Henson] | ||
|
|
||
| *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch | ||
| to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based | ||
| ciphersuites. At present only RSA key exchange ciphersuites work with | ||
| TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete | ||
| SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods | ||
| and version checking. | ||
| [Steve Henson] | ||
|
|
||
| *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled | ||
| with this defined it will not be affected by any changes to ssl internal | ||
| structures. Add several utility functions to allow openssl application | ||
| to work with OPENSSL_NO_SSL_INTERN defined. | ||
| [Steve Henson] | ||
|
|
||
| *) Add SRP support. | ||
| [Tom Wu <[email protected]> and Ben Laurie] | ||
|
|
||
| *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. | ||
| [Steve Henson] | ||
|
|
||
| *) Permit abbreviated handshakes when renegotiating using the function | ||
| SSL_renegotiate_abbreviated(). | ||
| [Robin Seggelmann <[email protected]>] | ||
|
|
||
| *) Add call to ENGINE_register_all_complete() to | ||
| ENGINE_load_builtin_engines(), so some implementations get used | ||
| automatically instead of needing explicit application support. | ||
| [Steve Henson] | ||
|
|
||
| *) Add support for TLS key exporter as described in RFC5705. | ||
| [Robin Seggelmann <[email protected]>, Steve Henson] | ||
|
|
||
| *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only | ||
| a few changes are required: | ||
|
|
||
| Add SSL_OP_NO_TLSv1_1 flag. | ||
| Add TLSv1_1 methods. | ||
| Update version checking logic to handle version 1.1. | ||
| Add explicit IV handling (ported from DTLS code). | ||
| Add command line options to s_client/s_server. | ||
| [Steve Henson] | ||
|
|
||
| Changes between 1.0.0g and 1.0.0h [12 Mar 2012] | ||
|
|
||
| *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness | ||
|
|
||
Oops, something went wrong.