Skip to content
CHANGES 481 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]
Matt Caswell's avatar
Matt Caswell committed
  *) State machine rewrite. The state machine code has been significantly
     refactored in order to remove much duplication of code and solve issues
     with the old code (see ssl/statem/README for further details). This change
     does have some associated API changes. Notably SSL_get_state/SSL_state now
     returns an "enum HANDSHAKE_STATE" instead of an int. The previous handshake
     states defined in ssl.h and ssl3.h have been redefined to be the nearest
     equivalent HANDSHAKE_STATE value. Not all states have an equivalent value,
     (e.g. SSL_ST_CW_FLUSH). New application code should not use the old
     handshake state values, but should instead use HANDSHAKE_STATE.
     [Matt Caswell]

  *) The demo files in crypto/threads were moved to demo/threads.
     [Rich Salz]

Matt Caswell's avatar
Matt Caswell committed
  *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron and sureware.
     [Matt Caswell]

  *) New ASN.1 embed macro.

     New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
     structure is not allocated: it is part of the parent. That is instead of

     FOO *x;

     it must be:

     FOO x;

     This reduces memory fragmentation and make it impossible to accidentally
     set a mandatory field to NULL.

     This currently only works for some fields specifically a SEQUENCE, CHOICE,
     or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
     equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
     SEQUENCE OF.
     [Steve Henson]

Emilia Kasper's avatar
Emilia Kasper committed
  *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
     [Emilia Käsper]
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed

  *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
     in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
     an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
     DES and RC4 ciphersuites.
     [Matt Caswell]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
     This changes the decoding behaviour for some invalid messages,
     though the change is mostly in the more lenient direction, and
     legacy behaviour is preserved as much as possible.
     [Emilia Käsper]
David Woodhouse's avatar
David Woodhouse committed
  *) Fix no-stdio build.
    [ David Woodhouse <David.Woodhouse@intel.com> and also
      Ivan Nestlerode <ivan.nestlerode@sonos.com> ]
Matt Caswell's avatar
Matt Caswell committed

  *) New testing framework
     The testing framework has been largely rewritten and is now using
     perl and the perl modules Test::Harness and an extended variant of
     Test::More called OpenSSL::Test to do its work.  All test scripts in
     test/ have been rewritten into test recipes, and all direct calls to
     executables in test/Makefile have become individual recipes using the
     simplified testing OpenSSL::Test::Simple.

     For documentation on our testing modules, do:

        perldoc test/testlib/OpenSSL/Test/Simple.pm
        perldoc test/testlib/OpenSSL/Test.pm

     [Richard Levitte]

  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     return an error
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
     from RFC4279, RFC4785, RFC5487, RFC5489.

     Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
     original RSA_PSK patch.
     [Steve Henson]

  *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
     era flag was never set throughout the codebase (only read). Also removed
     SSL3_FLAGS_POP_BUFFER which was only used if
     SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
     [Matt Caswell]

  *) Changed the default name options in the "ca", "crl", "req" and "x509"
     to be "oneline" instead of "compat".
     [Richard Levitte]

  *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
     not aware of clients that still exhibit this bug, and the workaround
     hasn't been working properly for a while.
     [Emilia Käsper]
  *) The return type of BIO_number_read() and BIO_number_written() as well as
     the corresponding num_read and num_write members in the BIO structure has
     changed from unsigned long to uint64_t. On platforms where an unsigned
     long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
     transferred.
     [Matt Caswell]

  *) Given the pervasive nature of TLS extensions it is inadvisable to run
     OpenSSL without support for them. It also means that maintaining
     the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
     not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
     [Matt Caswell]
  *) Removed support for the two export grade static DH ciphersuites
     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
     were newly added (along with a number of other static DH ciphersuites) to
     1.0.2. However the two export ones have *never* worked since they were
     introduced. It seems strange in any case to be adding new export
     ciphersuites, and given "logjam" it also does not seem correct to fix them.
     [Matt Caswell]

  *) Version negotiation has been rewritten. In particular SSLv23_method(),
     SSLv23_client_method() and SSLv23_server_method() have been deprecated,
     and turned into macros which simply call the new preferred function names
     TLS_method(), TLS_client_method() and TLS_server_method(). All new code
     should use the new names instead. Also as part of this change the ssl23.h
     header file has been removed.
     [Matt Caswell]

  *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
     code and the associated standard is no longer considered fit-for-purpose.
     [Matt Caswell]
  *) RT2547 was closed.  When generating a private key, try to make the
     output file readable only by the owner.  This behavior change might
     be noticeable when interacting with other software.

  *) Added HTTP GET support to the ocsp command.
     [Rich Salz]

  *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
     [Matt Caswell]
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Added support for TLS extended master secret from
     draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
     initial patch which was a great help during development.
     [Steve Henson]

  *) All libssl internal structures have been removed from the public header
     files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
     now redundant). Users should not attempt to access internal structures
     directly. Instead they should use the provided API functions.
     [Matt Caswell]
Rob Stradling's avatar
Rob Stradling committed

  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
     Access to deprecated functions can be re-enabled by running config with
     "enable-deprecated". In addition applications wishing to use deprecated
     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
     will, by default, disable some transitive includes that previously existed
     in the header files (e.g. ec.h will no longer, by default, include bn.h)
     [Matt Caswell]

Matt Caswell's avatar
Matt Caswell committed
  *) Added support for OCB mode. OpenSSL has been granted a patent license
     compatible with the OpenSSL license for use of OCB. Details are available
     at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
     for OCB can be removed by calling config with no-ocb.
     [Matt Caswell]
  *) SSLv2 support has been removed.  It still supports receiving a SSLv2
     compatible client hello.
     [Kurt Roeckx]

  *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
     done while fixing the error code for the key-too-small case.
     [Annie Yousar <a.yousar@informatik.hu-berlin.de>]

Rich Salz's avatar
Rich Salz committed
  *) CA.sh has been removmed; use CA.pl instead.
     [Rich Salz]

Rich Salz's avatar
Rich Salz committed
  *) Removed old DES API.
     [Rich Salz]

  *) Remove various unsupported platforms:
        Sony NEWS4
        BEOS and BEOS_R5
        NeXT
        SUNOS
        MPE/iX
        Sinix/ReliantUNIX RM400
        DGUX
        NCR
        Tandem
        Cray
        16-bit platforms such as WIN16
  *) Clean up OPENSSL_NO_xxx #define's
        Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
        Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
        OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
        OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
        OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
        Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
        OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
        OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
        OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
        Remove MS_STATIC; it's a relic from platforms <32 bits.
     [Rich Salz]

  *) Cleaned up dead code
        Remove all but one '#ifdef undef' which is to be looked at.
     [Rich Salz]

Rich Salz's avatar
Rich Salz committed
  *) Clean up calling of xxx_free routines.
        Just like free(), fix most of the xxx_free routines to accept
        NULL.  Remove the non-null checks from callers.  Save much code.
     [Rich Salz]

  *) Add secure heap for storage of private keys (when possible).
     Add BIO_s_secmem(), CBIGNUM, etc.
     Contributed by Akamai Technologies under our Corporate CLA.
     [Rich Salz]

Ben Laurie's avatar
Ben Laurie committed
  *) Experimental support for a new, fast, unbiased prime candidate generator,
     bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
     [Felix Laurie von Massenbach <felix@erbridge.co.uk>]

  *) New output format NSS in the sess_id command line tool. This allows
     exporting the session id and the master key in NSS keylog format.
     [Martin Kaiser <martin@kaiser.cx>]

mancha's avatar
mancha committed
  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
     [mancha <mancha1@zoho.com>]

mancha's avatar
mancha committed
  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
     in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
mancha's avatar
mancha committed
     [mancha <mancha1@zoho.com>]

Ben Laurie's avatar
Ben Laurie committed
  *) Fix some double frees. These are not thought to be exploitable.
     [mancha <mancha1@zoho.com>]

  *) A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.

     Thanks for Neel Mehta of Google Security for discovering this bug and to
     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
     preparing the fix (CVE-2014-0160)
     [Adam Langley, Bodo Moeller]

  *) Fix for the attack described in the paper "Recovering OpenSSL
     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     by Yuval Yarom and Naomi Benger. Details can be obtained from:
     http://eprint.iacr.org/2014/140

     Thanks to Yuval Yarom and Naomi Benger for discovering this
     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
     [Yuval Yarom and Naomi Benger]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
  *) Experimental encrypt-then-mac support.
    
     Experimental support for encrypt then mac from
     draft-gutmann-tls-encrypt-then-mac-02.txt
     To enable it set the appropriate extension number (0x42 for the test
     server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
     For non-compliant peers (i.e. just about everything) this should have no
     effect.

     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
  *) Add EVP support for key wrapping algorithms, to avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include tests cases.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
     enveloped data.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) New function ASN1_TIME_diff to calculate the difference between two
     ASN1_TIME structures or one structure and the current time.
     [Steve Henson]

  *) Update fips_test_suite to support multiple command line options. New
     test to induce all self test errors in sequence and check expected
     failures.
     [Steve Henson]

  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
     sign or verify all in one operation.
     [Steve Henson]

  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
     test programs and fips_test_suite. Includes functionality to parse
     the minimal script output of fipsalgest.pl directly.
  *) Add authorisation parameter to FIPS_module_mode_set().
     [Steve Henson]

  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
     [Steve Henson]

  *) Use separate DRBG fields for internal and external flags. New function
     FIPS_drbg_health_check() to perform on demand health checking. Add
     generation tests to fips_test_suite with reduced health check interval to 
     demonstrate periodic health checking. Add "nodh" option to
     fips_test_suite to skip very slow DH test.
     [Steve Henson]

  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
     based on NID.
     [Steve Henson]

  *) More extensive health check for DRBG checking many more failure modes.
     New function FIPS_selftest_drbg_all() to handle every possible DRBG
     combination: call this in fips_test_suite.
     [Steve Henson]

  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
     and POST to handle Dual EC cases.
     [Steve Henson]

  *) Add support for canonical generation of DSA parameter 'g'. See 
     FIPS 186-3 A.2.3.

  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
     POST to handle HMAC cases.
     [Steve Henson]

  *) Add functions FIPS_module_version() and FIPS_module_version_text()
     to return numerical and string versions of the FIPS module number.
  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]

  *) Add PRNG security strength checks to RSA, DSA and ECDSA using 
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     the standard OpenSSL PRNG: set additional data to a date time vector.
  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]

  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o and FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key. 
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0 finalisation should be performed.
  *) If a candidate issuer certificate is already part of the constructed
     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

       void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
       void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1).  (As by the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.
     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
  *) New -verify_name option in command line utilities to set verification
     parameters by name.
     [Steve Henson]

  *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
     Add CMAC pkey methods.
     [Steve Henson]

  *) Experimental renegotiation in s_server -www mode. If the client 
     browses /reneg connection is renegotiated. If /renegcert it is
     renegotiated requesting a certificate.
     [Steve Henson]

  *) Add an "external" session cache for debugging purposes to s_server. This
     should help trace issues which normally are only apparent in deployed
     multi-process servers.
     [Steve Henson]

  *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
     return value is ignored. NB. The functions RAND_add(), RAND_seed(),
     BIO_set_cipher() and some obscure PEM functions were changed so they
     can now return an error. The RAND changes required a change to the
     RAND_METHOD structure.
     [Steve Henson]

  *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
     a gcc attribute to warn if the result of a function is ignored. This
     is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
     whose return value is often ignored. 
     [Steve Henson]
 Changes between 1.0.2c and 1.0.2d [9 Jul 2015]

  *) Alternate chains certificate forgery

     During certificate verfification, OpenSSL will attempt to find an
     alternative certificate chain if the first attempt to build such a chain
     fails. An error in the implementation of this logic can mean that an
     attacker could cause certain checks on untrusted certificates to be
     bypassed, such as the CA flag, enabling them to use a valid leaf
     certificate to act as a CA and "issue" an invalid certificate.

     This issue was reported to OpenSSL by Adam Langley/David Benjamin
     (Google/BoringSSL).
     [Matt Caswell]

 Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

  *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
     incompatibility in the handling of HMAC. The previous ABI has now been
     restored.
     [Matt Caswell]

 Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
Matt Caswell's avatar
Matt Caswell committed
  *) Malformed ECParameters causes infinite loop

     When processing an ECParameters structure OpenSSL enters an infinite loop
     if the curve specified is over a specially malformed binary polynomial
     field.

     This can be used to perform denial of service against any
     system which processes public keys, certificate requests or
     certificates.  This includes TLS clients and TLS servers with
     client authentication enabled.

     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]

  *) Exploitable out-of-bounds read in X509_cmp_time

     X509_cmp_time does not properly check the length of the ASN1_TIME
     string and can read a few bytes out of bounds. In addition,
     X509_cmp_time accepts an arbitrary number of fractional seconds in the
     time string.

     An attacker can use this to craft malformed certificates and CRLs of
     various sizes and potentially cause a segmentation fault, resulting in
     a DoS on applications that verify certificates or CRLs. TLS clients
     that verify CRLs are affected. TLS clients and servers with client
     authentication enabled may be affected if they use custom verification
     callbacks.

     This issue was reported to OpenSSL by Robert Swiecki (Google), and
     independently by Hanno Böck.
Matt Caswell's avatar
Matt Caswell committed
     (CVE-2015-1789)
     [Emilia Käsper]
Matt Caswell's avatar
Matt Caswell committed

  *) PKCS7 crash with missing EnvelopedContent

     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.

     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia Käsper]
Matt Caswell's avatar
Matt Caswell committed

  *) CMS verify infinite loop with unknown hash function

     When verifying a signedData message the CMS code can enter an infinite loop
     if presented with an unknown hash function OID. This can be used to perform
     denial of service against any system which verifies signedData messages using
     the CMS code.
     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]

  *) Race condition handling NewSessionTicket

     If a NewSessionTicket is received by a multi-threaded client when attempting to
     reuse a previous ticket then a race condition can occur potentially leading to
     a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]

  *) Only support 256-bit or stronger elliptic curves with the
     'ecdh_auto' setting (server) or by default (client). Of supported
     curves, prefer P-256 (both).
     [Emilia Kasper]

 Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
Matt Caswell's avatar
Matt Caswell committed

  *) ClientHello sigalgs DoS fix

     If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
     invalid signature algorithms extension a NULL pointer dereference will
     occur. This can be exploited in a DoS attack against the server.

     This issue was was reported to OpenSSL by David Ramos of Stanford
     University.
     (CVE-2015-0291)
     [Stephen Henson and Matt Caswell]

  *) Multiblock corrupted pointer fix

     OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
     feature only applies on 64 bit x86 architecture platforms that support AES
     NI instructions. A defect in the implementation of "multiblock" can cause
     OpenSSL's internal write buffer to become incorrectly set to NULL when
     using non-blocking IO. Typically, when the user application is using a
     socket BIO for writing, this will only result in a failed connection.
     However if some other BIO is used then it is likely that a segmentation
     fault will be triggered, thus enabling a potential DoS attack.

     This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
     (CVE-2015-0290)
     [Matt Caswell]

  *) Segmentation fault in DTLSv1_listen fix

     The DTLSv1_listen function is intended to be stateless and processes the
     initial ClientHello from many peers. It is common for user code to loop
     over the call to DTLSv1_listen until a valid ClientHello is received with
     an associated cookie. A defect in the implementation of DTLSv1_listen means
     that state is preserved in the SSL object from one invocation to the next
     that can lead to a segmentation fault. Errors processing the initial
     ClientHello can trigger this scenario. An example of such an error could be
     that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
     server.

     This issue was reported to OpenSSL by Per Allansson.
     (CVE-2015-0207)
     [Matt Caswell]

  *) Segmentation fault in ASN1_TYPE_cmp fix

     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
     made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
     certificate signature algorithm consistency this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.
     (CVE-2015-0286)
     [Stephen Henson]

  *) Segmentation fault for invalid PSS parameters fix

     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and invalid parameters. Since these routines are used to verify
     certificate signature algorithms this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.

     This issue was was reported to OpenSSL by Brian Carpenter.
     (CVE-2015-0208)
     [Stephen Henson]

  *) ASN.1 structure reuse memory corruption fix

     Reusing a structure in ASN.1 parsing may allow an attacker to cause
     memory corruption via an invalid write. Such reuse is and has been
     strongly discouraged and is believed to be rare.

     Applications that parse structures containing CHOICE or ANY DEFINED BY
     components may be affected. Certificate parsing (d2i_X509 and related
     functions) are however not affected. OpenSSL clients and servers are
     not affected.
     (CVE-2015-0287)
     [Stephen Henson]

  *) PKCS7 NULL pointer dereferences fix

     The PKCS#7 parsing code does not handle missing outer ContentInfo
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
     missing content and trigger a NULL pointer dereference on parsing.

     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
     otherwise parse PKCS#7 structures from untrusted sources are
     affected. OpenSSL clients and servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-0289)
     [Emilia Käsper]
Matt Caswell's avatar
Matt Caswell committed

  *) DoS via reachable assert in SSLv2 servers fix

     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
     servers that both support SSLv2 and enable export cipher suites by sending
     a specially crafted SSLv2 CLIENT-MASTER-KEY message.

     This issue was discovered by Sean Burford (Google) and Emilia Käsper
Matt Caswell's avatar
Matt Caswell committed
     (OpenSSL development team).
     (CVE-2015-0293)
     [Emilia Käsper]
Matt Caswell's avatar
Matt Caswell committed

  *) Empty CKE with client auth and DHE fix

     If client auth is used then a server can seg fault in the event of a DHE
     ciphersuite being selected and a zero length ClientKeyExchange message
     being sent by the client. This could be exploited in a DoS attack.
     (CVE-2015-1787)
     [Matt Caswell]

  *) Handshake with unseeded PRNG fix

     Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
     with an unseeded PRNG. The conditions are:
     - The client is on a platform where the PRNG has not been seeded
     automatically, and the user has not seeded manually
     - A protocol specific client method version has been used (i.e. not
     SSL_client_methodv23)
     - A ciphersuite is used that does not require additional random data from
     the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

     If the handshake succeeds then the client random that has been used will
     have been generated from a PRNG with insufficient entropy and therefore the
     output may be predictable.

     For example using the following command with an unseeded openssl will
     succeed on an unpatched platform:

     openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
     (CVE-2015-0285)
     [Matt Caswell]

  *) Use After Free following d2i_ECPrivatekey error fix

     A malformed EC private key file consumed via the d2i_ECPrivateKey function
     could cause a use after free condition. This, in turn, could cause a double
     free in several private key parsing functions (such as d2i_PrivateKey
     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
     for applications that receive EC private keys from untrusted
     sources. This scenario is considered rare.

     This issue was discovered by the BoringSSL project and fixed in their
     commit 517073cd4b.
     (CVE-2015-0209)
     [Matt Caswell]

  *) X509_to_X509_REQ NULL pointer deref fix

     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
     the certificate key is invalid. This function is rarely used in practice.

     This issue was discovered by Brian Carpenter.
     (CVE-2015-0288)
     [Stephen Henson]

  *) Removed the export ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
  *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
     ARMv5 through ARMv8, as opposite to "locking" it to single one.
     So far those who have to target multiple plaforms would compromise
     and argue that binary targeting say ARMv5 would still execute on
     ARMv8. "Universal" build resolves this compromise by providing
     near-optimal performance even on newer platforms.
     [Andy Polyakov]

  *) Accelerated NIST P-256 elliptic curve implementation for x86_64
     (other platforms pending).
Andy Polyakov's avatar
Andy Polyakov committed
     [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
  *) Add support for the SignedCertificateTimestampList certificate and
     OCSP response extensions from RFC6962.
     [Rob Stradling]

  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]

  *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
     This covers AES, SHA256/512 and GHASH. "Initial" means that most
     common cases are optimized and there still is room for further
     improvements. Vector Permutation AES for Altivec is also added.
     [Andy Polyakov]

  *) Add support for little-endian ppc64 Linux target.
     [Marcelo Cerri (IBM)]

  *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
     SHA1, SHA256 and GHASH. "Initial" means that most common cases
     are optimized and there still is room for further improvements.
     Both 32- and 64-bit modes are supported.
     [Andy Polyakov, Ard Biesheuvel (Linaro)]

  *) Improved ARMv7 NEON support.
     [Andy Polyakov]

  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]

  *) Accelerated modular exponentiation for Intel processors, a.k.a.
     RSAZ.
Andy Polyakov's avatar
Andy Polyakov committed
     [Shay Gueron & Vlad Krasnov (Intel Corp)]

  *) Support for new and upcoming Intel processors, including AVX2,
     BMI and SHA ISA extensions. This includes additional "stitched"
     implementations, AESNI-SHA256 and GCM, and multi-buffer support
     for TLS encrypt.

     This work was sponsored by Intel Corp.
     [Andy Polyakov]

  *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
     supports both DTLS 1.2 and 1.0 and should use whatever version the peer
     supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
     [Steve Henson]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limiation in previous versions of OpenSSL.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Add EVP support for key wrapping algorithms, to avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include tests cases.
     [Steve Henson]
  *) Add functions to allocate and set the fields of an ECDSA_METHOD
     structure.
     [Douglas E. Engert, Steve Henson]

  *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
     difference in days and seconds between two tm or ASN1_TIME structures.
     [Steve Henson]

  *) Add -rev test option to s_server to just reverse order of characters
     received by client and send back to server. Also prints an abbreviated
     summary of the connection parameters.
     [Steve Henson]

  *) New option -brief for s_client and s_server to print out a brief summary
     of connection parameters.
     [Steve Henson]

  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

  *) New option -crl_download in several openssl utilities to download CRLs
     from CRLDP extension in certificates.
     [Steve Henson]

  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]

  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to "crl" utility.
     [Steve Henson]

  *) New functions to set lookup_crls function and to retrieve
     X509_STORE from X509_STORE_CTX.
     [Steve Henson]

  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]

  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]

  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
     [Steve Henson]

  *) SSL_CONF* functions. These provide a common framework for application
     configuration using configuration files or command lines.
     [Steve Henson]

  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]

  *) New ctrl and macro to retrieve supported points extensions.
     Print out extension in s_server and s_client.
     [Steve Henson]

  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]

  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]

  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]

  *) New chain verification flags for Suite B levels of security. Check
     algorithms are acceptable when flags are set in X509_verify_cert.
     [Steve Henson]

  *) Make tls1_check_chain return a set of flags indicating checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]

  *) If an attempt is made to use a signature algorithm not in the peer
     preference list abort the handshake. If client has no suitable
     signature algorithms in response to a certificate request do not
     use the certificate.
     [Steve Henson]

  *) If server EC tmp key is not in client preference list abort handshake.
     [Steve Henson]

  *) Add support for certificate stores in CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distint stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in CERT structure: returing
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.

     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.

     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session, check mask when sending client
     hello and checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types is not set with custom values set sensible values based on
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field 
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]