All Versions
126
Latest Version
Avg Release Cycle
101 days
Latest Release
890 days ago

Changelog History
Page 8

  • v1.0.0.l Changes

    June 05, 2014
    • Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers.

    Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. [CVE-2014-0224][]

    KIKUCHI Masashi, Steve Henson

    • Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack.

    Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. [CVE-2014-0221][]

    Imre Rad, Steve Henson

    • Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.

    Thanks to Jüri Aedla for reporting this issue. [CVE-2014-0195][]

    Jüri Aedla, Steve Henson

    • Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack.

    Thanks to Felix Gröbert and Ivan Fratric at Google for discovering this issue. [CVE-2014-3470][]

    Felix Gröbert, Ivan Fratric, Steve Henson

    • Harmonize version and its documentation. -f flag is used to display compilation flags.

    mancha [email protected]

    • Fix eckey_priv_encode so it immediately returns an error upon a failure in i2d_ECPrivateKey.

    mancha [email protected]

    • Fix some double frees. These are not thought to be exploitable.

    mancha [email protected]

    • Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140

    Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][]

    Yuval Yarom and Naomi Benger

  • v1.0.0.k Changes

    January 06, 2014
    • Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. [CVE-2013-6450][]

    Steve Henson

    • Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which avoids preferring ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.

    Rob Stradling, Adam Langley

  • v1.0.0.j Changes

    February 05, 2013
    • Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

    This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/

    Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and Emilia Käsper for the initial patch. [CVE-2013-0169][]

    Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson

    • Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. [CVE-2013-0166][]

    Steve Henson

    • Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836. (This is a backport)

    Rob Stradling [email protected]

    • Fix possible deadlock when decoding public keys.

    Steve Henson

  • v1.0.0.i Changes

    May 10, 2012

    🚀 [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after OpenSSL 1.0.1.]

    • Sanity check record length before skipping explicit IV in DTLS to fix DoS attack.

    Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. [CVE-2012-2333][]

    Steve Henson

    • Initialise tkeylen properly when encrypting CMS messages. Thanks to Solar Designer of Openwall for reporting this issue.

    Steve Henson

  • v1.0.0.h Changes

    March 14, 2012
    • Add compatibility with old MDC2 signatures which use an ASN1 OCTET STRING form instead of a DigestInfo.

    Steve Henson

    • The format used for MDC2 RSA signatures is inconsistent between EVP and the RSA_sign/RSA_verify functions. This was made more apparent when OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect the correct format in RSA_verify so both forms transparently work.

    Steve Henson

    • Some servers which support TLS 1.0 can choke if we initially indicate support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA encrypted premaster secret. As a workaround use the maximum permitted client version in client hello, this should keep such servers happy and still work with previous versions of OpenSSL.

    Steve Henson

    • Add support for TLS/DTLS heartbeats.

    Robin Seggelmann [email protected]

    • Add support for SCTP.

    Robin Seggelmann [email protected]

    • Improved PRNG seeding for VOS.

    Paul Green [email protected]

    • Extensive assembler packs updates, most notably:

      • x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
      • x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
      • x86_64: bit-sliced AES implementation;
      • ARM: NEON support, contemporary platforms optimizations;
      • s390x: z196 support;
      • *: GHASH and GF(2m) multiplication implementations;

    Andy Polyakov

    • Make TLS-SRP code conformant with RFC 5054 API cleanup (removal of unnecessary code)

    Peter Sylvester [email protected]

    • Add TLS key material exporter from RFC 5705.

    Eric Rescorla

    • Add DTLS-SRTP negotiation from RFC 5764.

    Eric Rescorla

    Adam Langley [email protected] and Ben Laurie

    • Add optional 64-bit optimized implementations of elliptic curves NIST-P224, NIST-P256, NIST-P521, with constant-time single point multiplication on typical inputs. Compiler support for the nonstandard type __uint128_t is required to use this (present in gcc 4.4 and later, for 64-bit builds). Code made available under Apache License version 2.0.

    Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command line to include this in your build of OpenSSL, and run "make depend" (or "make update"). This enables the following EC_METHODs:

           EC_GFp_nistp224_method()
           EC_GFp_nistp256_method()
           EC_GFp_nistp521_method()
    

    EC_GROUP_new_by_curve_name() will automatically use these (while EC_GROUP_new_curve_GFp() currently prefers the more flexible implementations).

    Emilia Käsper, Adam Langley, Bodo Moeller (Google)

    • Use type ossl_ssize_t instead of ssize_t which isn't available on all platforms. Move ssize_t definition from e_os.h to the public header file e_os2.h as it now appears in public header file cms.h

    Steve Henson

    • New -sigopt option to the ca, req and x509 utilities. Additional signature parameters can be passed using this option and in particular PSS.

    Steve Henson

    • Add RSA PSS signing function. This will generate and set the appropriate AlgorithmIdentifiers for PSS based on those in the corresponding EVP_MD_CTX structure. No application support yet.

    Steve Henson

    • Support for companion algorithm specific ASN1 signing routines. New function ASN1_item_sign_ctx() signs a pre-initialised EVP_MD_CTX structure and sets AlgorithmIdentifiers based on the appropriate parameters.

    Steve Henson

    • Add new algorithm specific ASN1 verification initialisation function to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 handling will be the same no matter what EVP_PKEY_METHOD is used. Add a PSS handler to support verification of PSS signatures: checked against a number of sample certificates.

    Steve Henson

    • Add signature printing for PSS. Add PSS OIDs.

    Steve Henson, Martin Kaiser [email protected]

    • Add algorithm specific signature printing. An individual ASN1 method can now print out signatures instead of the standard hex dump.

    More complex signatures (e.g. PSS) can print out more meaningful information. Include DSA version that prints out the signature parameters r, s.

    Steve Henson

    • Password based recipient info support for CMS library: implementing RFC3211.

    Steve Henson

    • Split password based encryption into PBES2 and PBKDF2 functions. This neatly separates the code into cipher and PBE sections and is required for some algorithms that split PBES2 into separate pieces (such as password based CMS).

    Steve Henson

    • Session-handling fixes:
      • Fix handling of connections that are resuming with a session ID, but also support Session Tickets.
      • Fix a bug that suppressed issuing of a new ticket if the client presented a ticket with an expired session.
      • Try to set the ticket lifetime hint to something reasonable.
      • Make tickets shorter by excluding irrelevant information.
      • On the client side, don't ignore renewed tickets.

    Adam Langley, Bodo Moeller (Google)

    • Fix PSK session representation.

    Bodo Moeller

    • Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.

    This work was sponsored by Intel.

    Andy Polyakov

    • Add GCM support to TLS library. Some custom code is needed to split the IV between the fixed (from PRF) and explicit (from TLS record) portions. This adds all GCM ciphersuites supported by RFC5288 and RFC5289. Generalise some AES* cipherstrings to include GCM and add a special AESGCM string for GCM only.

    Steve Henson

    • Expand range of ctrls for AES GCM. Permit setting invocation field on decrypt and retrieval of invocation field only on encrypt.

    Steve Henson

    • Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support. As required by RFC5289 these ciphersuites cannot be used if for versions of TLS earlier than 1.2.

    Steve Henson

    • For FIPS capable OpenSSL interpret a NULL default public key method as unset and return the appropriate default but do not set the default. This means we can return the appropriate method in applications that switch between FIPS and non-FIPS modes.

    Steve Henson

    • Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an ENGINE is used then we cannot handle that in the FIPS module so we keep original code iff non-FIPS operations are allowed.

    Steve Henson

    • Add -attime option to openssl utilities.

    Peter Eckersley [email protected], Ben Laurie and Steve Henson

    • Redirect DSA and DH operations to FIPS module in FIPS mode.

    Steve Henson

    • Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use FIPS EC methods unconditionally for now.

    Steve Henson

    • New build option no-ec2m to disable characteristic 2 code.

    Steve Henson

    • Backport libcrypto audit of return value checking from 1.1.0-dev; not all cases can be covered as some introduce binary incompatibilities.

    Steve Henson

    • Redirect RSA operations to FIPS module including keygen, encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.

    Steve Henson

    • Add similar low level API blocking to ciphers.

    Steve Henson

    • Low level digest APIs are not approved in FIPS mode: any attempt to use these will cause a fatal error. Applications that really want to use them can use the private_* version instead.

    Steve Henson

    • Redirect cipher operations to FIPS module for FIPS builds.

    Steve Henson

    • Redirect digest operations to FIPS module for FIPS builds.

    Steve Henson

    • Update build system to add "fips" flag which will link in fipscanister.o for static and shared library builds embedding a signature if needed.

    Steve Henson

    • Output TLS supported curves in preference order instead of numerical order. This is currently hardcoded for the highest order curves first. This should be configurable so applications can judge speed vs strength.

    Steve Henson

    • Add TLS v1.2 server support for client authentication.

    Steve Henson

    • Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers and enable MD5.

    Steve Henson

    • Functions FIPS_mode_set() and FIPS_mode() which call the underlying FIPS modules versions.

    Steve Henson

    • Add TLS v1.2 client side support for client authentication. Keep cache of handshake records longer as we don't know the hash algorithm to use until after the certificate request message is received.

    Steve Henson

    • Initial TLS v1.2 client support. Add a default signature algorithms extension including all the algorithms we support. Parse new signature format in client key exchange. Relax some ECC signing restrictions for TLS v1.2 as indicated in RFC5246.

    Steve Henson

    • Add server support for TLS v1.2 signature algorithms extension. Switch to new signature format when needed using client digest preference. All server ciphersuites should now work correctly in TLS v1.2. No client support yet and no support for client certificates.

    Steve Henson

    • Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based ciphersuites. At present only RSA key exchange ciphersuites work with TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods and version checking.

    Steve Henson

    • New option OPENSSL_NO_SSL_INTERN. If an application can be compiled with this defined it will not be affected by any changes to ssl internal structures. Add several utility functions to allow openssl application to work with OPENSSL_NO_SSL_INTERN defined.

    Steve Henson

    • A long standing patch to add support for SRP from EdelWeb (Peter Sylvester and Christophe Renou) was integrated. Christophe Renou [email protected], Peter Sylvester [email protected], Tom Wu [email protected], and Ben Laurie

    • Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.

    Steve Henson

    • Permit abbreviated handshakes when renegotiating using the function SSL_renegotiate_abbreviated().

    Robin Seggelmann [email protected]

    • Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(), so some implementations get used automatically instead of needing explicit application support.

    Steve Henson

    • Add support for TLS key exporter as described in RFC5705.

    Robin Seggelmann [email protected], Steve Henson

    • Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only a few changes are required:

      Add SSL_OP_NO_TLSv1_1 flag. Add TLSv1_1 methods. Update version checking logic to handle version 1.1. Add explicit IV handling (ported from DTLS code). Add command line options to s_client/s_server.

    Steve Henson

    OpenSSL 1.0.0

  • v1.0.0.g Changes

    March 12, 2012
    • Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness in CMS and PKCS7 code. When RSA decryption fails use a random key for content decryption and always return the same error. Note: this attack needs on average 220 messages so it only affects automated senders. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where an MMA defence is not necessary. Thanks to Ivan Nestlerode [email protected] for discovering this issue. [CVE-2012-0884][]

    Steve Henson

    • Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to Ivan Nestlerode [email protected] for discovering this bug.

    Steve Henson

  • v1.0.0.f Changes

    January 18, 2012
    • Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. [CVE-2012-0050][]

    Antonio Martin

  • v1.0.0.e Changes

    January 04, 2012
    • Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can be found at: http://www.isg.rhul.ac.uk/~kp/dtls.pdf Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann [email protected] and Michael Tuexen [email protected] for preparing the fix. [CVE-2011-4108][]

    Robin Seggelmann, Michael Tuexen

    • Clear bytes used for block padding of SSL 3.0 records. [CVE-2011-4576][]

    Adam Langley (Google)

    • Only allow one SGC handshake restart for SSL/TLS. Thanks to George Kadianakis [email protected] for discovering this issue and Adam Langley for preparing the fix. [CVE-2011-4619][]

    Adam Langley (Google)

    • Check parameters are not NULL in GOST ENGINE. [CVE-2012-0027][]

    Andrey Kulikov [email protected]

    • Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein [email protected] for fixing it. [CVE-2011-4577][]

    Rob Austein [email protected]

    • Improved PRNG seeding for VOS.

    Paul Green [email protected]

    • Fix ssl_ciph.c set-up race.

    Adam Langley (Google)

    • Fix spurious failures in ecdsatest.c.

    Emilia Käsper (Google)

    • Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields).

    Adam Langley (Google)

    • Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent threads won't reuse the same blinding coefficients.

    This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused).

    Emilia Käsper (Google)

    • In ssl3_clear, preserve s3->init_extra along with s3->rbuf.

    Bob Buckholz (Google)

  • v1.0.0.d Changes

    September 06, 2011
    • Fix bug where CRLs with nextUpdate in the past are sometimes accepted by initialising X509_STORE_CTX properly. [CVE-2011-3207][]

    Kaspar Brand [email protected]

    • Fix SSL memory handling for (EC)DH ciphersuites, in particular for multi-threaded use of ECDH. [CVE-2011-3210][]

    Adam Langley (Google)

    • Fix x509_name_ex_d2i memory leak on bad inputs.

    Bodo Moeller

    • Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check signature public key algorithm by using OID xref utilities instead. Before this you could only use some ECC ciphersuites with SHA1 only.

    Steve Henson

    Billy Bob Brumley and Nicola Tuveri

  • v1.0.0.c Changes

    February 08, 2011
    • Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014

    Neel Mehta, Adam Langley, Bodo Moeller (Google)

    • Fix bug in string printing code: if any escaping is enabled we must escape the escape character (backslash) or the resulting string is ambiguous.

    Steve Henson