diff options
Diffstat (limited to 'deps/openssl/openssl/CHANGES')
-rw-r--r-- | deps/openssl/openssl/CHANGES | 473 |
1 files changed, 2 insertions, 471 deletions
diff --git a/deps/openssl/openssl/CHANGES b/deps/openssl/openssl/CHANGES index ca82ad295d..03e744a049 100644 --- a/deps/openssl/openssl/CHANGES +++ b/deps/openssl/openssl/CHANGES @@ -2,434 +2,6 @@ OpenSSL CHANGES _______________ - Changes between 1.0.1d and 1.0.1e [11 Feb 2013] - - *) - - Changes between 1.0.1c and 1.0.1d [5 Feb 2013] - - *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. - - This addresses the flaw in CBC record processing discovered by - Nadhem Alfardan and Kenny Paterson. Details of this attack can be found - at: http://www.isg.rhul.ac.uk/tls/ - - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information - Security Group at Royal Holloway, University of London - (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and - Emilia Käsper for the initial patch. - (CVE-2013-0169) - [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] - - *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode - ciphersuites which can be exploited in a denial of service attack. - Thanks go to and to Adam Langley <agl@chromium.org> for discovering - and detecting this bug and to Wolfgang Ettlinger - <wolfgang.ettlinger@gmail.com> for independently discovering this issue. - (CVE-2012-2686) - [Adam Langley] - - *) Return an error when checking OCSP signatures when key is NULL. - This fixes a DoS attack. (CVE-2013-0166) - [Steve Henson] - - *) Make openssl verify return errors. - [Chris Palmer <palmer@google.com> and Ben Laurie] - - *) Call OCSP Stapling callback after ciphersuite has been chosen, so - the right response is stapled. Also change SSL_get_certificate() - so it returns the certificate actually sent. - See http://rt.openssl.org/Ticket/Display.html?id=2836. - [Rob Stradling <rob.stradling@comodo.com>] - - *) Fix possible deadlock when decoding public keys. - [Steve Henson] - - *) Don't use TLS 1.0 record version number in initial client hello - if renegotiating. - [Steve Henson] - - Changes between 1.0.1b and 1.0.1c [10 May 2012] - - *) Sanity check record length before skipping explicit IV in TLS - 1.2, 1.1 and DTLS to fix DoS attack. - - Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic - fuzzing as a service testing platform. - (CVE-2012-2333) - [Steve Henson] - - *) Initialise tkeylen properly when encrypting CMS messages. - Thanks to Solar Designer of Openwall for reporting this issue. - [Steve Henson] - - *) In FIPS mode don't try to use composite ciphers as they are not - approved. - [Steve Henson] - - Changes between 1.0.1a and 1.0.1b [26 Apr 2012] - - *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and - 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately - mean any application compiled against OpenSSL 1.0.0 headers setting - SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng - TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to - 0x10000000L Any application which was previously compiled against - OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 - will need to be recompiled as a result. Letting be results in - inability to disable specifically TLS 1.1 and in client context, - in unlike event, limit maximum offered version to TLS 1.0 [see below]. - [Steve Henson] - - *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not - disable just protocol X, but all protocols above X *if* there are - protocols *below* X still enabled. In more practical terms it means - that if application wants to disable TLS1.0 in favor of TLS1.1 and - above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass - SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to - client side. - [Andy Polyakov] - - Changes between 1.0.1 and 1.0.1a [19 Apr 2012] - - *) Check for potentially exploitable overflows in asn1_d2i_read_bio - BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer - in CRYPTO_realloc_clean. - - Thanks to Tavis Ormandy, Google Security Team, for discovering this - issue and to Adam Langley <agl@chromium.org> for fixing it. - (CVE-2012-2110) - [Adam Langley (Google), Tavis Ormandy, Google Security Team] - - *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. - [Adam Langley] - - *) Workarounds for some broken servers that "hang" if a client hello - record length exceeds 255 bytes. - - 1. Do not use record version number > TLS 1.0 in initial client - hello: some (but not all) hanging servers will now work. - 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate - the number of ciphers sent in the client hello. This should be - set to an even number, such as 50, for example by passing: - -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. - Most broken servers should now work. - 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable - TLS 1.2 client support entirely. - [Steve Henson] - - *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. - [Andy Polyakov] - - Changes between 1.0.0h and 1.0.1 [14 Mar 2012] - - *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET - STRING form instead of a DigestInfo. - [Steve Henson] - - *) The format used for MDC2 RSA signatures is inconsistent between EVP - and the RSA_sign/RSA_verify functions. This was made more apparent when - OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular - those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect - the correct format in RSA_verify so both forms transparently work. - [Steve Henson] - - *) Some servers which support TLS 1.0 can choke if we initially indicate - support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA - encrypted premaster secret. As a workaround use the maximum pemitted - client version in client hello, this should keep such servers happy - and still work with previous versions of OpenSSL. - [Steve Henson] - - *) Add support for TLS/DTLS heartbeats. - [Robin Seggelmann <seggelmann@fh-muenster.de>] - - *) Add support for SCTP. - [Robin Seggelmann <seggelmann@fh-muenster.de>] - - *) Improved PRNG seeding for VOS. - [Paul Green <Paul.Green@stratus.com>] - - *) Extensive assembler packs updates, most notably: - - - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support; - - x86[_64]: SSSE3 support (SHA1, vector-permutation AES); - - x86_64: bit-sliced AES implementation; - - ARM: NEON support, contemporary platforms optimizations; - - s390x: z196 support; - - *: GHASH and GF(2^m) multiplication implementations; - - [Andy Polyakov] - - *) Make TLS-SRP code conformant with RFC 5054 API cleanup - (removal of unnecessary code) - [Peter Sylvester <peter.sylvester@edelweb.fr>] - - *) Add TLS key material exporter from RFC 5705. - [Eric Rescorla] - - *) Add DTLS-SRTP negotiation from RFC 5764. - [Eric Rescorla] - - *) Add Next Protocol Negotiation, - http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be - disabled with a no-npn flag to config or Configure. Code donated - by Google. - [Adam Langley <agl@google.com> and Ben Laurie] - - *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224, - NIST-P256, NIST-P521, with constant-time single point multiplication on - typical inputs. Compiler support for the nonstandard type __uint128_t is - required to use this (present in gcc 4.4 and later, for 64-bit builds). - Code made available under Apache License version 2.0. - - Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command - line to include this in your build of OpenSSL, and run "make depend" (or - "make update"). This enables the following EC_METHODs: - - EC_GFp_nistp224_method() - EC_GFp_nistp256_method() - EC_GFp_nistp521_method() - - EC_GROUP_new_by_curve_name() will automatically use these (while - EC_GROUP_new_curve_GFp() currently prefers the more flexible - implementations). - [Emilia Käsper, Adam Langley, Bodo Moeller (Google)] - - *) Use type ossl_ssize_t instad of ssize_t which isn't available on - all platforms. Move ssize_t definition from e_os.h to the public - header file e_os2.h as it now appears in public header file cms.h - [Steve Henson] - - *) New -sigopt option to the ca, req and x509 utilities. Additional - signature parameters can be passed using this option and in - particular PSS. - [Steve Henson] - - *) Add RSA PSS signing function. This will generate and set the - appropriate AlgorithmIdentifiers for PSS based on those in the - corresponding EVP_MD_CTX structure. No application support yet. - [Steve Henson] - - *) Support for companion algorithm specific ASN1 signing routines. - New function ASN1_item_sign_ctx() signs a pre-initialised - EVP_MD_CTX structure and sets AlgorithmIdentifiers based on - the appropriate parameters. - [Steve Henson] - - *) Add new algorithm specific ASN1 verification initialisation function - to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 - handling will be the same no matter what EVP_PKEY_METHOD is used. - Add a PSS handler to support verification of PSS signatures: checked - against a number of sample certificates. - [Steve Henson] - - *) Add signature printing for PSS. Add PSS OIDs. - [Steve Henson, Martin Kaiser <lists@kaiser.cx>] - - *) Add algorithm specific signature printing. An individual ASN1 method - can now print out signatures instead of the standard hex dump. - - More complex signatures (e.g. PSS) can print out more meaningful - information. Include DSA version that prints out the signature - parameters r, s. - [Steve Henson] - - *) Password based recipient info support for CMS library: implementing - RFC3211. - [Steve Henson] - - *) Split password based encryption into PBES2 and PBKDF2 functions. This - neatly separates the code into cipher and PBE sections and is required - for some algorithms that split PBES2 into separate pieces (such as - password based CMS). - [Steve Henson] - - *) Session-handling fixes: - - Fix handling of connections that are resuming with a session ID, - but also support Session Tickets. - - Fix a bug that suppressed issuing of a new ticket if the client - presented a ticket with an expired session. - - Try to set the ticket lifetime hint to something reasonable. - - Make tickets shorter by excluding irrelevant information. - - On the client side, don't ignore renewed tickets. - [Adam Langley, Bodo Moeller (Google)] - - *) Fix PSK session representation. - [Bodo Moeller] - - *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. - - This work was sponsored by Intel. - [Andy Polyakov] - - *) Add GCM support to TLS library. Some custom code is needed to split - the IV between the fixed (from PRF) and explicit (from TLS record) - portions. This adds all GCM ciphersuites supported by RFC5288 and - RFC5289. Generalise some AES* cipherstrings to inlclude GCM and - add a special AESGCM string for GCM only. - [Steve Henson] - - *) Expand range of ctrls for AES GCM. Permit setting invocation - field on decrypt and retrieval of invocation field only on encrypt. - [Steve Henson] - - *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support. - As required by RFC5289 these ciphersuites cannot be used if for - versions of TLS earlier than 1.2. - [Steve Henson] - - *) For FIPS capable OpenSSL interpret a NULL default public key method - as unset and return the appopriate default but do *not* set the default. - This means we can return the appopriate method in applications that - swicth between FIPS and non-FIPS modes. - [Steve Henson] - - *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an - ENGINE is used then we cannot handle that in the FIPS module so we - keep original code iff non-FIPS operations are allowed. - [Steve Henson] - - *) Add -attime option to openssl utilities. - [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson] - - *) Redirect DSA and DH operations to FIPS module in FIPS mode. - [Steve Henson] - - *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use - FIPS EC methods unconditionally for now. - [Steve Henson] - - *) New build option no-ec2m to disable characteristic 2 code. - [Steve Henson] - - *) Backport libcrypto audit of return value checking from 1.1.0-dev; not - all cases can be covered as some introduce binary incompatibilities. - [Steve Henson] - - *) Redirect RSA operations to FIPS module including keygen, - encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods. - [Steve Henson] - - *) Add similar low level API blocking to ciphers. - [Steve Henson] - - *) Low level digest APIs are not approved in FIPS mode: any attempt - to use these will cause a fatal error. Applications that *really* want - to use them can use the private_* version instead. - [Steve Henson] - - *) Redirect cipher operations to FIPS module for FIPS builds. - [Steve Henson] - - *) Redirect digest operations to FIPS module for FIPS builds. - [Steve Henson] - - *) Update build system to add "fips" flag which will link in fipscanister.o - for static and shared library builds embedding a signature if needed. - [Steve Henson] - - *) Output TLS supported curves in preference order instead of numerical - order. This is currently hardcoded for the highest order curves first. - This should be configurable so applications can judge speed vs strength. - [Steve Henson] - - *) Add TLS v1.2 server support for client authentication. - [Steve Henson] - - *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers - and enable MD5. - [Steve Henson] - - *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying - FIPS modules versions. - [Steve Henson] - - *) Add TLS v1.2 client side support for client authentication. Keep cache - of handshake records longer as we don't know the hash algorithm to use - until after the certificate request message is received. - [Steve Henson] - - *) Initial TLS v1.2 client support. Add a default signature algorithms - extension including all the algorithms we support. Parse new signature - format in client key exchange. Relax some ECC signing restrictions for - TLS v1.2 as indicated in RFC5246. - [Steve Henson] - - *) Add server support for TLS v1.2 signature algorithms extension. Switch - to new signature format when needed using client digest preference. - All server ciphersuites should now work correctly in TLS v1.2. No client - support yet and no support for client certificates. - [Steve Henson] - - *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch - to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based - ciphersuites. At present only RSA key exchange ciphersuites work with - TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete - SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods - and version checking. - [Steve Henson] - - *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled - with this defined it will not be affected by any changes to ssl internal - structures. Add several utility functions to allow openssl application - to work with OPENSSL_NO_SSL_INTERN defined. - [Steve Henson] - - *) Add SRP support. - [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie] - - *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. - [Steve Henson] - - *) Permit abbreviated handshakes when renegotiating using the function - SSL_renegotiate_abbreviated(). - [Robin Seggelmann <seggelmann@fh-muenster.de>] - - *) Add call to ENGINE_register_all_complete() to - ENGINE_load_builtin_engines(), so some implementations get used - automatically instead of needing explicit application support. - [Steve Henson] - - *) Add support for TLS key exporter as described in RFC5705. - [Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson] - - *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only - a few changes are required: - - Add SSL_OP_NO_TLSv1_1 flag. - Add TLSv1_1 methods. - Update version checking logic to handle version 1.1. - Add explicit IV handling (ported from DTLS code). - Add command line options to s_client/s_server. - [Steve Henson] - - Changes between 1.0.0g and 1.0.0h [12 Mar 2012] - - *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness - in CMS and PKCS7 code. When RSA decryption fails use a random key for - content decryption and always return the same error. Note: this attack - needs on average 2^20 messages so it only affects automated senders. The - old behaviour can be reenabled in the CMS code by setting the - CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where - an MMA defence is not necessary. - Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering - this issue. (CVE-2012-0884) - [Steve Henson] - - *) Fix CVE-2011-4619: make sure we really are receiving a - client hello before rejecting multiple SGC restarts. Thanks to - Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. - [Steve Henson] - - Changes between 1.0.0f and 1.0.0g [18 Jan 2012] - - *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. - Thanks to Antonio Martin, Enterprise Secure Access Research and - Development, Cisco Systems, Inc. for discovering this bug and - preparing a fix. (CVE-2012-0050) - [Antonio Martin] - Changes between 1.0.0e and 1.0.0f [4 Jan 2012] *) Nadhem Alfardan and Kenny Paterson have discovered an extension @@ -450,9 +22,7 @@ (CVE-2011-4576) [Adam Langley (Google)] - *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George - Kadianakis <desnacked@gmail.com> for discovering this issue and - Adam Langley for preparing the fix. (CVE-2011-4619) + *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) [Adam Langley (Google)] *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027) @@ -1393,47 +963,8 @@ *) Change 'Configure' script to enable Camellia by default. [NTT] - - Changes between 0.9.8s and 0.9.8t [18 Jan 2012] - - *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. - Thanks to Antonio Martin, Enterprise Secure Access Research and - Development, Cisco Systems, Inc. for discovering this bug and - preparing a fix. (CVE-2012-0050) - [Antonio Martin] - Changes between 0.9.8r and 0.9.8s [4 Jan 2012] - - *) Nadhem Alfardan and Kenny Paterson have discovered an extension - of the Vaudenay padding oracle attack on CBC mode encryption - which enables an efficient plaintext recovery attack against - the OpenSSL implementation of DTLS. Their attack exploits timing - differences arising during decryption processing. A research - paper describing this attack can be found at: - http://www.isg.rhul.ac.uk/~kp/dtls.pdf - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information - Security Group at Royal Holloway, University of London - (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann - <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> - for preparing the fix. (CVE-2011-4108) - [Robin Seggelmann, Michael Tuexen] - - *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) - [Ben Laurie, Kasper <ekasper@google.com>] - - *) Clear bytes used for block padding of SSL 3.0 records. - (CVE-2011-4576) - [Adam Langley (Google)] - - *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George - Kadianakis <desnacked@gmail.com> for discovering this issue and - Adam Langley for preparing the fix. (CVE-2011-4619) - [Adam Langley (Google)] - - *) Prevent malformed RFC3779 data triggering an assertion failure. - Thanks to Andrew Chi, BBN Technologies, for discovering the flaw - and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) - [Rob Austein <sra@hactrn.net>] + Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] *) Fix ssl_ciph.c set-up race. [Adam Langley (Google)] |