Skip to content
CHANGES 561 KiB
Newer Older
 OpenSSL CHANGES
 This is a high-level summary of the most important changes.
 For a full list of changes, see the git commit log; for example,
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.

Matt Caswell's avatar
Matt Caswell committed
 Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]

  *) Added SCA hardening for modular field inversion in EC_GROUP through
     a new dedicated field_inv() pointer in EC_METHOD.
     This also addresses a leakage affecting conversions from projective
     to affine coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

  *) Change the info callback signals for the start and end of a post-handshake
     message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
     and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
     confused by this and assume that a TLSv1.2 renegotiation has started. This
     can break KeyUpdate handling. Instead we no longer signal the start and end
     of a post handshake message exchange (although the messages themselves are
     still signalled). This could break some applications that were expecting
     the old signals. However without this KeyUpdate is not usable for many
     applications.
     [Matt Caswell]

  *) Fix a bug in the computation of the endpoint-pair shared secret used
     by DTLS over SCTP. This breaks interoperability with older versions
     of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
     switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
     interoperability with such broken implementations. However, enabling
     this switch breaks interoperability with correct implementations.

  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
     re-used X509_PUBKEY object if the second PUBKEY is malformed.
     [Bernd Edlinger]

  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
     [Richard Levitte]

  *) Remove the 'dist' target and add a tarball building script.  The
     'dist' target has fallen out of use, and it shouldn't be
     necessary to configure just to create a source distribution.
     [Richard Levitte]
Matt Caswell's avatar
Matt Caswell committed
 Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
  *) Timing vulnerability in DSA signature generation

     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
     (CVE-2018-0734)
     [Paul Dale]

  *) Timing vulnerability in ECDSA signature generation

     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
     (CVE-2018-0735)
     [Paul Dale]

  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
     are retained for backwards compatibility.
     [Antoine Salon]

  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
     of two gigabytes and the error handling improved.

     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
     categorized as a normal bug, not a security issue, because the DRBG reseeds
     automatically and is fully functional even without additional randomness
     provided by the application.

Matt Caswell's avatar
Matt Caswell committed
 Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
  *) Add a new ClientHello callback. Provides a callback interface that gives
     the application the ability to adjust the nascent SSL object at the
     earliest stage of ClientHello processing, immediately after extensions have
     been collected but before they have been processed. In particular, this
     callback can adjust the supported TLS versions in response to the contents
     of the ClientHello
     [Benjamin Kaduk]

  *) Add SM2 base algorithm support.
     [Jack Lloyd]

  *) s390x assembly pack: add (improved) hardware-support for the following
     cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
     aes-cfb/cfb8, aes-ecb.
     [Patrick Steuer]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

Billy Brumley's avatar
Billy Brumley committed
  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for prime curves. The new implementation is based on formulae from
     differential addition-and-doubling in homogeneous projective coordinates
     from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
     against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
     and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
     to work in projective coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
     moving between systems, and to avoid confusion when a Windows build is
     done with mingw vs with MSVC.  For POSIX installs, there's still a
     symlink or copy named 'tsget' to avoid that confusion as well.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
Billy Brumley's avatar
Billy Brumley committed
     step for binary curves. The new implementation is based on formulae from
     differential addition-and-doubling in mixed Lopez-Dahab projective
     coordinates, modified to independently blind the operands.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Add a scaffold to optionally enhance the Montgomery ladder implementation
     for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
     EC_METHODs to implement their own specialized "ladder step", to take
     advantage of more favorable coordinate systems or more efficient
     differential addition-and-doubling algorithms.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Modified the random device based seed sources to keep the relevant
     file descriptors open rather than reopening them on each access.
     This allows such sources to operate in a chroot() jail without
     the associated device nodes being available. This behaviour can be
     controlled using RAND_keep_random_devices_open().
     [Paul Dale]

  *) Numerous side-channel attack mitigations have been applied. This may have
     performance impacts for some algorithms for the benefit of improved
     security. Specific changes are noted in this change log by their respective
     authors.
     [Matt Caswell]

  *) AIX shared library support overhaul. Switch to AIX "natural" way of
     handling shared libraries, which means collecting shared objects of
     different versions and bitnesses in one common archive. This allows to
     mitigate conflict between 1.0 and 1.1 side-by-side installations. It
     doesn't affect the way 3rd party applications are linked, only how
     multi-version installation is managed.
     [Andy Polyakov]

Nicola Tuveri's avatar
Nicola Tuveri committed
  *) Make ec_group_do_inverse_ord() more robust and available to other
     EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
     mitigations are applied to the fallback BN_mod_inverse().
     When using this function rather than BN_mod_inverse() directly, new
     EC cryptosystem implementations are then safer-by-default.
     [Billy Bob Brumley]

  *) Add coordinate blinding for EC_POINT and implement projective
     coordinate blinding for generic prime curves as a countermeasure to
     chosen point SCA attacks.
     [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) Enforce checking in the pkeyutl command line app to ensure that the input
     length does not exceed the maximum supported digest length when performing
     a sign, verify or verifyrecover operation.
     [Matt Caswell]
  *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
     I/O in combination with something like select() or poll() will hang. This
     can be turned off again using SSL_CTX_clear_mode().
     Many applications do not properly handle non-application data records, and
     TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
     around the problems in those applications, but can also break some.
     It's recommended to read the manpages about SSL_read(), SSL_write(),
     SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
     SSL_CTX_set_read_ahead() again.
     [Kurt Roeckx]
Loading full blame...