Loading CHANGES +115 −15 Original line number Diff line number Diff line Loading @@ -308,7 +308,7 @@ whose return value is often ignored. [Steve Henson] Changes between 1.0.1e and 1.0.2 [xx XXX xxxx] Changes between 1.0.1h and 1.0.2 [xx XXX xxxx] *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to Loading Loading @@ -350,19 +350,30 @@ This work was sponsored by Intel Corp. [Andy Polyakov] *) Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. (CVE-2013-6450) [Steve Henson] *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha <mancha1@zoho.com>] *) TLS pad extension: draft-agl-tls-padding-03 *) Fix eckey_priv_encode so it immediately returns an error upon a failure in i2d_ECPrivateKey. [mancha <mancha1@zoho.com>] Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. *) Fix some double frees. These are not thought to be exploitable. [mancha <mancha1@zoho.com>] [Adam Langley, Steve Henson] *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): this fixes a limiation in previous versions of OpenSSL. [Steve Henson] *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, MGF1 digest and OAEP label. [Steve Henson] *) Add EVP support for key wrapping algorithms, to avoid problems with existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap algorithms and include tests cases. [Steve Henson] *) Add functions to allocate and set the fields of an ECDSA_METHOD structure. Loading Loading @@ -619,6 +630,99 @@ certificates. [Steve Henson] Changes between 1.0.1g and 1.0.1h [5 Jun 2014] *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. (CVE-2014-0224) [KIKUCHI Masashi, Steve Henson] *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. (CVE-2014-0221) [Imre Rad, Steve Henson] *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) [Jüri Aedla, Steve Henson] *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. Thanks to Felix Gröbert and Ivan Fratric at Google for discovering this issue. (CVE-2014-3470) [Felix Gröbert, Ivan Fratric, Steve Henson] *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha <mancha1@zoho.com>] *) Fix eckey_priv_encode so it immediately returns an error upon a failure in i2d_ECPrivateKey. [mancha <mancha1@zoho.com>] *) Fix some double frees. These are not thought to be exploitable. [mancha <mancha1@zoho.com>] Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson] Changes between 1.0.1e and 1.0.1f [6 Jan 2014] *) Fix for TLS record tampering bug. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception. Thanks to Anton Johansson for reporting this issues. (CVE-2013-4353) *) Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. (CVE-2013-6450) [Steve Henson] *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which avoids preferring ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. [Rob Stradling, Adam Langley] Changes between 1.0.1d and 1.0.1e [11 Feb 2013] *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI Loading Loading @@ -2089,10 +2193,6 @@ This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] *) Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] *) Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. Loading Loading
CHANGES +115 −15 Original line number Diff line number Diff line Loading @@ -308,7 +308,7 @@ whose return value is often ignored. [Steve Henson] Changes between 1.0.1e and 1.0.2 [xx XXX xxxx] Changes between 1.0.1h and 1.0.2 [xx XXX xxxx] *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to Loading Loading @@ -350,19 +350,30 @@ This work was sponsored by Intel Corp. [Andy Polyakov] *) Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. (CVE-2013-6450) [Steve Henson] *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha <mancha1@zoho.com>] *) TLS pad extension: draft-agl-tls-padding-03 *) Fix eckey_priv_encode so it immediately returns an error upon a failure in i2d_ECPrivateKey. [mancha <mancha1@zoho.com>] Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. *) Fix some double frees. These are not thought to be exploitable. [mancha <mancha1@zoho.com>] [Adam Langley, Steve Henson] *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): this fixes a limiation in previous versions of OpenSSL. [Steve Henson] *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, MGF1 digest and OAEP label. [Steve Henson] *) Add EVP support for key wrapping algorithms, to avoid problems with existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap algorithms and include tests cases. [Steve Henson] *) Add functions to allocate and set the fields of an ECDSA_METHOD structure. Loading Loading @@ -619,6 +630,99 @@ certificates. [Steve Henson] Changes between 1.0.1g and 1.0.1h [5 Jun 2014] *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. (CVE-2014-0224) [KIKUCHI Masashi, Steve Henson] *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. (CVE-2014-0221) [Imre Rad, Steve Henson] *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) [Jüri Aedla, Steve Henson] *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. Thanks to Felix Gröbert and Ivan Fratric at Google for discovering this issue. (CVE-2014-3470) [Felix Gröbert, Ivan Fratric, Steve Henson] *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha <mancha1@zoho.com>] *) Fix eckey_priv_encode so it immediately returns an error upon a failure in i2d_ECPrivateKey. [mancha <mancha1@zoho.com>] *) Fix some double frees. These are not thought to be exploitable. [mancha <mancha1@zoho.com>] Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson] Changes between 1.0.1e and 1.0.1f [6 Jan 2014] *) Fix for TLS record tampering bug. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception. Thanks to Anton Johansson for reporting this issues. (CVE-2013-4353) *) Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. (CVE-2013-6450) [Steve Henson] *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which avoids preferring ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. [Rob Stradling, Adam Langley] Changes between 1.0.1d and 1.0.1e [11 Feb 2013] *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI Loading Loading @@ -2089,10 +2193,6 @@ This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] *) Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] *) Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. Loading
