
Changelog History

  • v0.9.8.f Changes

    October 19, 2007
    • Fix various bugs:
      • Binary incompatibility of ssl_ctx_st structure
      • DTLS interoperation with non-compliant servers
      • Don't call get_session_cb() without proposed session
      • Fix ia64 assembler code

    Andy Polyakov, Steve Henson

  • v0.9.8.e Changes

    October 11, 2007
    • DTLS Handshake overhaul. There were longstanding issues with the OpenSSL DTLS implementation, which made it impossible for an RFC 4347 compliant client to communicate with an OpenSSL server. Unfortunately, just fixing these incompatibilities would "cut off" pre-0.9.8f clients. To allow for a hassle-free upgrade, a post-0.9.8e server keeps tolerating non-RFC-compliant syntax. The opposite is not true: a 0.9.8f client can not communicate with an earlier server. This update even addresses CVE-2007-4995.

    Andy Polyakov

    • Changes to avoid need for function casts in OpenSSL: some compilers (gcc 4.2 and later) reject their use.

    Kurt Roeckx, Peter Hartley, Steve Henson

    • Add RFC4507 support to OpenSSL. This includes the corrections in RFC4507bis. The encrypted ticket format is an encrypted encoded SSL_SESSION structure, that way new session features are automatically supported.

    If a client application caches session in an SSL_SESSION structure support is transparent because tickets are now stored in the encoded SSL_SESSION.

    The SSL_CTX structure automatically generates keys for ticket protection in servers so again support should be possible with no application modification.

    If a client or server wishes to disable RFC4507 support then the option SSL_OP_NO_TICKET can be set.

    Add a TLS extension debugging callback to allow the contents of any client or server extensions to be examined.

    This work was sponsored by Google.

    Steve Henson

    • Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now have new members for a host name. The SSL data structure has an additional member SSL_CTX *initial_ctx so that new sessions can be stored in that context to allow for session resumption, even after the SSL has been switched to a new SSL_CTX in reaction to a client's server_name extension.

    New functions (subject to change):

           SSL_get_servername()
           SSL_get_servername_type()
           SSL_set_SSL_CTX()
    

    New CTRL codes and macros (subject to change):

           SSL_CTRL_SET_TLSEXT_SERVERNAME_CB    - SSL_CTX_set_tlsext_servername_callback()
           SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG   - SSL_CTX_set_tlsext_servername_arg()
           SSL_CTRL_SET_TLSEXT_HOSTNAME         - SSL_set_tlsext_host_name()


    openssl s_client has a new '-servername ...' option.

    openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecognized_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' option.

    Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson

    • Add AES and SSE2 assembly language support to VC++ build.

    Steve Henson

    • Mitigate attack on final subtraction in Montgomery reduction.

    Andy Polyakov

    • Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 (which previously caused an internal error).

    Bodo Moeller

    • Squeeze another 10% out of IGE mode when in != out.

    Ben Laurie

    • AES IGE mode speedup.

    Dean Gaudet (Google)

    • Add the Korean symmetric 128-bit cipher SEED (see http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and add SEED ciphersuites from RFC 4162:

         TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
         TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
         TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
         TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"
      

    To minimize changes between patchlevels in the OpenSSL 0.9.8 series, SEED remains excluded from compilation unless OpenSSL is configured with 'enable-seed'.

    KISA, Bodo Moeller

    • Mitigate branch prediction attacks, which can be practical if a single processor is shared, allowing a spy process to extract information. For detailed background information, see http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures"). The core of the change is new versions BN_div_no_branch() and BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), respectively, which are slower but avoid the security-relevant conditional branches. These are automatically called by BN_div() and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one of the input BIGNUMs. Also, BN_is_bit_set() has been changed to remove a conditional branch.

    BN_FLG_CONSTTIME is the new name for the previous BN_FLG_EXP_CONSTTIME flag, since it now affects more than just modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag in the exponent causes BN_mod_exp_mont() to use the alternative implementation in BN_mod_exp_mont_consttime().) The old name remains as a deprecated alias.

    Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses constant-time implementations for more than just exponentiation. Here too the old name is kept as a deprecated alias.

    BN_BLINDING_new() will now use BN_dup() for the modulus so that the BN_BLINDING structure gets an independent copy of the modulus. This means that the previous BIGNUM *m argument to BN_BLINDING_new() and to BN_BLINDING_create_param() now essentially becomes const BIGNUM *m, although we can't actually change this in the header file before 0.9.9. It allows RSA_setup_blinding() to use BN_with_flags() on the modulus to enable BN_FLG_CONSTTIME.

    Matthew D Wood (Intel Corp)

    • In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single external cache for different purposes). Previously, out-of-context reuse was forbidden only if SSL_VERIFY_PEER was set. This did ensure strict client verification, but meant that, with applications using a single external cache for quite different requirements, clients could circumvent ciphersuite restrictions for a given session ID context by starting a session in a different context.

    Bodo Moeller

    • Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites.

    Bodo Moeller

    • Update the SSL_get_shared_ciphers() fix for CVE-2006-3738, which was not complete and could lead to a possible single byte overflow (CVE-2007-5135).

    Ben Laurie

  • v0.9.8.d Changes

    February 23, 2007
    • Since AES128 and AES256 (and similarly Camellia128 and Camellia256) share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a kludge to work properly if AES128 is available and AES256 isn't (or if Camellia128 is available and Camellia256 isn't).

    Victor Duchovni

    • Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): When a point or a seed is encoded in a BIT STRING, we need to prevent the removal of trailing zero bits to get the proper DER encoding. (By default, crypto/asn1/a_bitstr.c assumes the case of a NamedBitList, for which trailing 0 bits need to be removed.)

    Bodo Moeller
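
The BIT STRING distinction described in the crypto/ec/ec_asn1.c entry above, as an added example that is not OpenSSL's own code: a small Python DER BIT STRING encoder that applies either NamedBitList rules (trailing zero bits removed) or fixed-content rules (every octet kept), run over a constructed point-like value whose last octet is zero. The function and variable names are assumptions of this example.

```python
# Added example, not OpenSSL code: a minimal DER BIT STRING encoder/decoder
# modelling the distinction the ec_asn1.c fix relies on. OpenSSL's a_bitstr.c
# defaults to NamedBitList semantics (drop trailing zero bits); EC points and
# seeds must instead be encoded with every bit kept.

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_bit_string(data: bytes, named_bit_list: bool) -> bytes:
    """Encode data as a DER BIT STRING (tag 0x03).

    named_bit_list=True: NamedBitList rules, trailing zero bits are removed
    and the first content octet records how many bits of the last octet are
    unused. named_bit_list=False: every bit of data is significant (an EC
    point or seed), so nothing is stripped and the unused-bits octet is 0.
    """
    if named_bit_list:
        bits = "".join(f"{b:08b}" for b in data).rstrip("0")
        unused = (-len(bits)) % 8
        bits += "0" * unused
        content = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    else:
        unused = 0
        content = data
    body = bytes([unused]) + content
    return b"\x03" + der_length(len(body)) + body

def decode_bit_string(der: bytes) -> bytes:
    """Return the content octets of a short-form DER BIT STRING with the
    unused-bits octet stripped; rejects anything else (enough for this model)."""
    if len(der) < 3 or der[0] != 0x03 or der[1] >= 0x80:
        raise ValueError("not a short-form DER BIT STRING")
    if len(der) != 2 + der[1]:
        raise ValueError("length mismatch")
    return der[3:]

# Constructed sample standing in for an encoded EC point whose last octet is
# zero; a real point is longer, but the trailing-zero problem is the same.
POINT = b"\x04\x01\x02\x00"

def roundtrip_loses_data(point: bytes) -> bool:
    """True when NamedBitList encoding silently drops octets of the point."""
    return decode_bit_string(encode_bit_string(point, True)) != point
```

Encoding POINT the NamedBitList way yields 03 04 01 04 01 02, three content octets instead of four; the fixed-content encoding keeps all four under a zero unused-bits octet.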

    • Have SSL/TLS server implementation tolerate "mismatched" record protocol version while receiving ClientHello even if the ClientHello is fragmented. (The server can't insist on the particular protocol version it has chosen before the ServerHello message has informed the client about his choice.)

    Bodo Moeller

    • Add RFC 3779 support.

    Rob Austein for ARIN, Ben Laurie

    • Load error codes if they are not already present instead of using a static variable. This allows them to be cleanly unloaded and reloaded. Improve header file function name parsing.

    Steve Henson

    • Extend SMTP and IMAP protocol emulation in s_client to use EHLO or CAPABILITY handshake as required by RFCs.

    Goetz Babin-Ebell

  • v0.9.8.c Changes

    September 28, 2006
    • Introduce limits to prevent malicious keys being able to cause a denial of service (CVE-2006-2940).

    Steve Henson, Bodo Moeller

    • Fix ASN.1 parsing of certain invalid structures that can result in a denial of service (CVE-2006-2937).

    Steve Henson

    • Fix buffer overflow in SSL_get_shared_ciphers() function (CVE-2006-3738).

    Tavis Ormandy and Will Drewry, Google Security Team

    • Fix SSL client code which could crash if connecting to a malicious SSLv2 server (CVE-2006-4343).

    Tavis Ormandy and Will Drewry, Google Security Team

    • Since 0.9.8b, ciphersuite strings naming explicit ciphersuites match only those. Before that, "AES256-SHA" would be interpreted as a pattern and match "AES128-SHA" too (since AES128-SHA got the same strength classification in 0.9.7h) as we currently only have a single AES bit in the ciphersuite description bitmap. That change, however, also applied to ciphersuite strings such as "RC4-MD5" that intentionally matched multiple ciphersuites -- namely, SSL 2.0 ciphersuites in addition to the more common ones from SSL 3.0/TLS 1.0.

    So we change the selection algorithm again: Naming an explicit ciphersuite selects this one ciphersuite, and any other similar ciphersuite (same bitmap) from other protocol versions. Thus, "RC4-MD5" again will properly select both the SSL 2.0 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

    Since SSL 2.0 does not have any ciphersuites for which the 128/256 bit distinction would be relevant, this works for now. The proper fix will be to use different bits for AES128 and AES256, which would have avoided the problems from the beginning; however, bits are scarce, so we can only do this in a new release (not just a patchlevel) when we can change the SSL_CIPHER definition to split the single 'unsigned long mask' bitmap into multiple values to extend the available space.

    Bodo Moeller
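
A model of the three selection rules described in the entry above, as an added example that is not OpenSSL's code: a constructed ciphersuite table in which AES128 and AES256 share one description bit, and a select() function implementing the pre-0.9.8b, 0.9.8b and 0.9.8c behaviours. The suite names come from the entry; the bit assignments, protocol labels and function names are constructed for illustration.

```python
# Added example, not OpenSSL code: a model of how a ciphersuite name is
# resolved against the description bitmap in the three forms the 0.9.8
# changelog describes. Bit values and the table are constructed; real
# SSL_CIPHER masks differ, but AES128/AES256 really did share one bit.
from collections import namedtuple

Suite = namedtuple("Suite", "name proto mask")

# Constructed bit assignments: a single AES bit for both key sizes.
RSA, SHA, MD5, AES, RC4, DES3 = (1 << i for i in range(6))

SUITES = [
    Suite("AES256-SHA",   "TLSv1", RSA | AES | SHA),
    Suite("AES128-SHA",   "TLSv1", RSA | AES | SHA),   # same mask as AES256-SHA
    Suite("DES-CBC3-SHA", "TLSv1", RSA | DES3 | SHA),
    Suite("RC4-MD5",      "TLSv1", RSA | RC4 | MD5),
    Suite("RC4-MD5",      "SSLv2", RSA | RC4 | MD5),   # same name, older protocol
]

def select(rule: str, name: str):
    """Suites a ciphersuite string selects under one of three rules.

    'pre-0.9.8b': the name is turned into a bitmap and every suite with that
                  bitmap matches, so AES256-SHA also pulls in AES128-SHA.
    '0.9.8b':     an explicit name matches only the first suite with that
                  name, so RC4-MD5 loses its SSL 2.0 twin.
    '0.9.8c':     the explicit suite plus any suite with the same bitmap
                  from another protocol version.
    """
    first = next((s for s in SUITES if s.name == name), None)
    if first is None:
        return []
    if rule == "pre-0.9.8b":
        return [s for s in SUITES if s.mask == first.mask]
    if rule == "0.9.8b":
        return [first]
    if rule == "0.9.8c":
        return [first] + [s for s in SUITES
                          if s.mask == first.mask and s.proto != first.proto]
    raise ValueError(f"unknown rule {rule!r}")

def selected_names(rule: str, name: str):
    """(protocol, name) pairs for the suites select() returns."""
    return [(s.proto, s.name) for s in select(rule, name)]
```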

  • v0.9.8.b Changes

    September 05, 2006
    • Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (CVE-2006-4339).

    Ben Laurie and Google Security Team

    • Add AES IGE and biIGE modes.

    Ben Laurie

    • Change the Unix randomness entropy gathering to use poll() when possible instead of select(), since the latter has some undesirable limitations.

    Darryl Miles via Richard Levitte and Bodo Moeller

    • Disable "ECCdraft" ciphersuites more thoroughly. Now special treatment in ssl/ssl_ciph.c makes sure that these ciphersuites cannot be implicitly activated as part of, e.g., the "AES" alias. However, please upgrade to OpenSSL 0.9.9[-dev] for non-experimental use of the ECC ciphersuites to get TLS extension support, which is required for curve and point format negotiation to avoid potential handshake problems.

    Bodo Moeller

    • Disable rogue ciphersuites:

      • SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
      • SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
      • SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

    The latter two were purportedly from draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really appear there.

    Also deactivate the remaining ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as unofficial, and the ID has long expired.

    Bodo Moeller

    • Fix RSA blinding Heisenbug (problems sometimes occurred on dual-core machines) and other potential thread-safety issues.

    Bodo Moeller

    To minimize changes between patchlevels in the OpenSSL 0.9.8 series, Camellia remains excluded from compilation unless OpenSSL is configured with 'enable-camellia'.

    NTT

    • Disable the padding bug check when compression is in use. The padding bug check assumes the first packet is of even length; this is not necessarily true if compression is enabled, and can result in false positives causing handshake failure. The actual bug test is ancient code, so it is hoped that implementations will either have fixed it by now, or that any which still have the bug do not support compression.

    Steve Henson

  • v0.9.8.a Changes

    May 04, 2006
    • When applying a cipher rule, check to see if the string matches an explicit cipher suite, and only match that one cipher suite if it does.

    Steve Henson

    • Link in manifests for VC++ if needed.

    Austin Ziegler

    • Update support for ECC-based TLS ciphersuites according to draft-ietf-tls-ecc-12.txt with proposed changes (but without TLS extensions, which are supported starting with the 0.9.9 branch, not in the OpenSSL 0.9.8 branch).

    Douglas Stebila

    • New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support opaque EVP_CIPHER_CTX handling.

    Steve Henson

    • Fixes and enhancements to zlib compression code. We now only use "zlib1.dll" and use the default __cdecl calling convention on Win32 to conform with the standards mentioned here (http://www.zlib.net/DLL_FAQ.txt). Static zlib linking now works on Windows, and the new --with-zlib-include and --with-zlib-lib options to Configure can be used to supply the location of the headers and library. Gracefully handle the case where the zlib library can't be loaded.

    Steve Henson

    • Several fixes and enhancements to the OID generation code. The old code sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't handle numbers larger than ULONG_MAX, truncated printing and had a non standard OBJ_obj2txt() behaviour.

    Steve Henson

    • Add support for building of engines under engine/ as shared libraries under VC++ build system.

    Steve Henson

    • Corrected the numerous bugs in the Win32 path splitter in DSO. Hopefully, we will not see any false combination of paths any more.

    Richard Levitte

  • v0.9.7.l Changes

    February 23, 2007
    • Cleanse PEM buffers before freeing them since they may contain sensitive data.

    Benjamin Bennett

    • Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites.

    Bodo Moeller

    • Since AES128 and AES256 share a single mask bit in the logic of ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a kludge to work properly if AES128 is available and AES256 isn't.

    Victor Duchovni

    • Expand security boundary to match 1.1.1 module.

    Steve Henson

    • Remove redundant features: hash file source, editing of test vectors. Modify fipsld to use external fips_premain.c signature.

    Steve Henson

    • New perl script mkfipsscr.pl to create shell scripts or batch files to run algorithm test programs.

    Steve Henson

    • Make algorithm test programs more tolerant of whitespace.

    Steve Henson

    • Have SSL/TLS server implementation tolerate "mismatched" record protocol version while receiving ClientHello even if the ClientHello is fragmented. (The server can't insist on the particular protocol version it has chosen before the ServerHello message has informed the client about his choice.)

    Bodo Moeller

    • Load error codes if they are not already present instead of using a static variable. This allows them to be cleanly unloaded and reloaded.

    Steve Henson

  • v0.9.7.k Changes

    September 28, 2006
    • Introduce limits to prevent malicious keys being able to cause a denial of service (CVE-2006-2940).

    Steve Henson, Bodo Moeller

    • Fix ASN.1 parsing of certain invalid structures that can result in a denial of service (CVE-2006-2937).

    Steve Henson

    • Fix buffer overflow in SSL_get_shared_ciphers() function (CVE-2006-3738).

    Tavis Ormandy and Will Drewry, Google Security Team

    • Fix SSL client code which could crash if connecting to a malicious SSLv2 server (CVE-2006-4343).

    Tavis Ormandy and Will Drewry, Google Security Team

    • Change ciphersuite string processing so that an explicit ciphersuite selects this one ciphersuite (so that "AES256-SHA" will no longer include "AES128-SHA"), and any other similar ciphersuite (same bitmap) from other protocol versions (so that "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining changes from 0.9.8b and 0.9.8d.

    Bodo Moeller

  • v0.9.7.j Changes

    September 05, 2006
    • Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (CVE-2006-4339).

    Ben Laurie and Google Security Team

    • Change the Unix randomness entropy gathering to use poll() when possible instead of select(), since the latter has some undesirable limitations.

    Darryl Miles via Richard Levitte and Bodo Moeller

    • Disable rogue ciphersuites:

      • SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
      • SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
      • SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

    The latter two were purportedly from draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really appear there.

    Also deactivate the remaining ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as unofficial, and the ID has long expired.

    Bodo Moeller

    • Fix RSA blinding Heisenbug (problems sometimes occurred on dual-core machines) and other potential thread-safety issues.

    Bodo Moeller

  • v0.9.7.i Changes

    May 04, 2006
    • Adapt fipsld and the build system to link against the validated FIPS module in FIPS mode.

    Steve Henson

    • Fixes for VC++ 2005 build under Windows.

    Steve Henson

    • Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make from a Windows bash shell such as MSYS. It is autodetected from the "config" script when run from a VC++ environment. Modify standard VC++ build to use fipscanister.o from the GNU make build.

    Steve Henson