Skip to content
CHANGES 524 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 1.1.0a and 1.1.1 [xx XXX xxxx]
  *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
     using the algorithm defined in
     https://www.akkadia.org/drepper/SHA-crypt.txt
     [Richard Levitte]

 Changes between 1.1.0a and 1.1.0b [26 Sep 2016]

  *) Fix Use After Free for large message sizes

     The patch applied to address CVE-2016-6307 resulted in an issue where if a
     message larger than approx 16k is received then the underlying buffer to
     store the incoming message is reallocated and moved. Unfortunately a
     dangling pointer to the old location is left which results in an attempt to
     write to the previously freed location. This is likely to result in a
     crash, however it could potentially lead to execution of arbitrary code.

     This issue only affects OpenSSL 1.1.0a.

     This issue was reported to OpenSSL by Robert Święcki.
     (CVE-2016-6309)
     [Matt Caswell]

 Changes between 1.1.0 and 1.1.0a [22 Sep 2016]

  *) OCSP Status Request extension unbounded memory growth

     A malicious client can send an excessively large OCSP Status Request
     extension. If that client continually requests renegotiation, sending a
     large OCSP Status Request extension each time, then there will be unbounded
     memory growth on the server. This will eventually lead to a Denial Of
     Service attack through memory exhaustion. Servers with a default
     configuration are vulnerable even if they do not support OCSP. Builds using
     the "no-ocsp" build time option are not affected.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6304)
     [Matt Caswell]

  *) SSL_peek() hang on empty record

     OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
     sends an empty record. This could be exploited by a malicious peer in a
     Denial Of Service attack.

     This issue was reported to OpenSSL by Alex Gaynor.
     (CVE-2016-6305)
     [Matt Caswell]

  *) Excessive allocation of memory in tls_get_message_header() and
     dtls1_preprocess_fragment()

     A (D)TLS message includes 3 bytes for its length in the header for the
     message. This would allow for messages up to 16Mb in length. Messages of
     this length are excessive and OpenSSL includes a check to ensure that a
     peer is sending reasonably sized messages in order to avoid too much memory
     being consumed to service a connection. A flaw in the logic of version
     1.1.0 means that memory for the message is allocated too early, prior to
     the excessive message length check. Due to way memory is allocated in
     OpenSSL this could mean an attacker could force up to 21Mb to be allocated
     to service a connection. This could lead to a Denial of Service through
     memory exhaustion. However, the excessive message length check still takes
     place, and this would cause the connection to immediately fail. Assuming
     that the application calls SSL_free() on the failed conneciton in a timely
     manner then the 21Mb of allocated memory will then be immediately freed
     again. Therefore the excessive memory allocation will be transitory in
     nature. This then means that there is only a security impact if:

     1) The application does not call SSL_free() in a timely manner in the event
     that the connection fails
     or
     2) The application is working in a constrained environment where there is
     very little free memory
     or
     3) The attacker initiates multiple connection attempts such that there are
     multiple connections in a state where memory has been allocated for the
     connection; SSL_free() has not yet been called; and there is insufficient
     memory to service the multiple requests.

     Except in the instance of (1) above any Denial Of Service is likely to be
     transitory because as soon as the connection fails the memory is
     subsequently freed again in the SSL_free() call. However there is an
     increased risk during this period of application crashes due to the lack of
     memory - which would then mean a more serious Denial of Service.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6307 and CVE-2016-6308)
     [Matt Caswell]

  *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
     had to be removed. Primary reason is that vendor assembler can't
     assemble our modules with -KPIC flag. As result it, assembly
     support, was not even available as option. But its lack means
     lack of side-channel resistant code, which is incompatible with
     security by todays standards. Fortunately gcc is readily available
     prepackaged option, which we firmly point at...
     [Andy Polyakov]

 Changes between 1.0.2h and 1.1.0  [25 Aug 2016]
  *) Windows command-line tool supports UTF-8 opt-in option for arguments
     and console input. Setting OPENSSL_WIN32_UTF8 environment variable
     (to any value) allows Windows user to access PKCS#12 file generated
     with Windows CryptoAPI and protected with non-ASCII password, as well
     as files generated under UTF-8 locale on Linux also protected with
     non-ASCII password.
     [Andy Polyakov]

  *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
     have been disabled by default and removed from DEFAULT, just like RC4.
     See the RC4 item below to re-enable both.
  *) The method for finding the storage location for the Windows RAND seed file
     has changed. First we check %RANDFILE%. If that is not set then we check
     the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
     all else fails we fall back to C:\.
  *) The EVP_EncryptUpdate() function has had its return type changed from void
     to int. A return of 0 indicates and error while a return of 1 indicates
     success.
     [Matt Caswell]

  *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
     DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
     off the constant time implementation for RSA, DSA and DH have been made
     no-ops and deprecated.
     [Matt Caswell]

Rich Salz's avatar
Rich Salz committed
  *) Windows RAND implementation was simplified to only get entropy by
     calling CryptGenRandom(). Various other RAND-related tickets
     were also closed.
     [Joseph Wylie Yandle, Rich Salz]

  *) The stack and lhash API's were renamed to start with OPENSSL_SK_
     and OPENSSL_LH_, respectively.  The old names are available
     with API compatibility.  They new names are now completely documented.
     [Rich Salz]

  *) Unify TYPE_up_ref(obj) methods signature.
     SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
     X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
     int (instead of void) like all others TYPE_up_ref() methods.
     So now these methods also check the return value of CRYPTO_atomic_add(),
     and the validity of object reference counter.
     [fdasilvayy@gmail.com]
  *) With Windows Visual Studio builds, the .pdb files are installed
     alongside the installed libraries and executables.  For a static
     library installation, ossl_static.pdb is the associate compiler
     generated .pdb file to be used when linking programs.
     [Richard Levitte]

Richard Levitte's avatar
Richard Levitte committed
  *) Remove openssl.spec.  Packaging files belong with the packagers.
     [Richard Levitte]

  *) Automatic Darwin/OSX configuration has had a refresh, it will now
     recognise x86_64 architectures automatically.  You can still decide
     to build for a different bitness with the environment variable
     KERNEL_BITS (can be 32 or 64), for example:

         KERNEL_BITS=32 ./config

     [Richard Levitte]

  *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
     256 bit AES and HMAC with SHA256.
     [Steve Henson]

Andy Polyakov's avatar
Andy Polyakov committed
  *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
     [Andy Polyakov]

Rich Salz's avatar
Rich Salz committed
  *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
Rich Salz's avatar
Rich Salz committed
     [Rich Salz]
  *) To enable users to have their own config files and build file templates,
     Configure looks in the directory indicated by the environment variable
     OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
     directory.  On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
     name and is used as is.
     [Richard Levitte]

  *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
     X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
     X509_CERT_FILE_CTX was removed.
     [Rich Salz]

  *) "shared" builds are now the default. To create only static libraries use
     the "no-shared" Configure option.
     [Matt Caswell]

  *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
Loading full blame...