|
7 | 7 | https://github.com/openssl/openssl/commits/ and pick the appropriate
|
8 | 8 | release branch.
|
9 | 9 |
|
| 10 | + Changes between 1.1.0h and 1.1.0i [14 Aug 2018] |
| 11 | + |
| 12 | + *) Client DoS due to large DH parameter |
| 13 | + |
| 14 | + During key agreement in a TLS handshake using a DH(E) based ciphersuite a |
| 15 | + malicious server can send a very large prime value to the client. This will |
| 16 | + cause the client to spend an unreasonably long period of time generating a |
| 17 | + key for this prime resulting in a hang until the client has finished. This |
| 18 | + could be exploited in a Denial Of Service attack. |
| 19 | + |
| 20 | + This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken |
| 21 | + (CVE-2018-0732) |
| 22 | + [Guido Vranken] |
| 23 | + |
| 24 | + *) Cache timing vulnerability in RSA Key Generation |
| 25 | + |
| 26 | + The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to |
| 27 | + a cache timing side channel attack. An attacker with sufficient access to |
| 28 | + mount cache timing attacks during the RSA key generation process could |
| 29 | + recover the private key. |
| 30 | + |
| 31 | + This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera |
| 32 | + Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. |
| 33 | + (CVE-2018-0737) |
| 34 | + [Billy Brumley] |
| 35 | + |
| 36 | + *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str |
| 37 | + parameter is no longer accepted, as it leads to a corrupt table. NULL |
| 38 | + pem_str is reserved for alias entries only. |
| 39 | + [Richard Levitte] |
| 40 | + |
| 41 | + *) Revert blinding in ECDSA sign and instead make problematic addition |
| 42 | + length-invariant. Switch even to fixed-length Montgomery multiplication. |
| 43 | + [Andy Polyakov] |
| 44 | + |
| 45 | + *) Change generating and checking of primes so that the error rate of not |
| 46 | + being prime depends on the intended use based on the size of the input. |
| 47 | + For larger primes this will result in more rounds of Miller-Rabin. |
| 48 | + The maximal error rate for primes with more than 1080 bits is lowered |
| 49 | + to 2^-128. |
| 50 | + [Kurt Roeckx, Annie Yousar] |
| 51 | + |
| 52 | + *) Increase the number of Miller-Rabin rounds for DSA key generating to 64. |
| 53 | + [Kurt Roeckx] |
| 54 | + |
| 55 | + *) Add blinding to ECDSA and DSA signatures to protect against side channel |
| 56 | + attacks discovered by Keegan Ryan (NCC Group). |
| 57 | + [Matt Caswell] |
| 58 | + |
| 59 | + *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we |
| 60 | + now allow empty (zero character) pass phrases. |
| 61 | + [Richard Levitte] |
| 62 | + |
| 63 | + *) Certificate time validation (X509_cmp_time) enforces stricter |
| 64 | + compliance with RFC 5280. Fractional seconds and timezone offsets |
| 65 | + are no longer allowed. |
| 66 | + [Emilia Käsper] |
| 67 | + |
| 68 | + *) Fixed a text canonicalisation bug in CMS |
| 69 | + |
| 70 | + Where a CMS detached signature is used with text content the text goes |
| 71 | + through a canonicalisation process first prior to signing or verifying a |
| 72 | + signature. This process strips trailing space at the end of lines, converts |
| 73 | + line terminators to CRLF and removes additional trailing line terminators |
| 74 | + at the end of a file. A bug in the canonicalisation process meant that |
| 75 | + some characters, such as form-feed, were incorrectly treated as whitespace |
| 76 | + and removed. This is contrary to the specification (RFC5485). This fix |
| 77 | + could mean that detached text data signed with an earlier version of |
| 78 | + OpenSSL 1.1.0 may fail to verify using the fixed version, or text data |
| 79 | + signed with a fixed OpenSSL may fail to verify with an earlier version of |
| 80 | + OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data |
| 81 | + and use the "-binary" flag (for the "cms" command line application) or set |
| 82 | + the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). |
| 83 | + [Matt Caswell] |
| 84 | + |
10 | 85 | Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
|
11 | 86 |
|
12 | 87 | *) Constructed ASN.1 types with a recursive definition could exceed the stack
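Review bot: the CVE-2018-0732 entry in the new 1.1.0i block describes the symptom (the client spends an unreasonably long time generating a key for a very large server-supplied DH prime) but says nothing about the mitigation, so a reader cannot tell whether the client now rejects primes above some size or merely bounds the work, nor what error a handshake against such a server now produces; state the limit that was applied and the resulting failure mode so users with legitimately large DH groups know what to expect. Also the two CVE attributions are punctuated inconsistently: `(CVE-2018-0732)` follows the reporter's name with no full stop, while the next entry closes with `Tapia.` before `(CVE-2018-0737)`; pick one form for both.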
|
|
1144 | 1219 | [Steve Henson]
|
1145 | 1220 |
|
1146 | 1221 | *) Experimental encrypt-then-mac support.
|
1147 |
| - |
| 1222 | + |
1148 | 1223 | Experimental support for encrypt then mac from
|
1149 | 1224 | draft-gutmann-tls-encrypt-then-mac-02.txt
|
1150 | 1225 |
|
1151 | 1226 | To enable it set the appropriate extension number (0x42 for the test
|
1152 | 1227 | server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
|
1153 |
| - |
| 1228 | + |
1154 | 1229 | For non-compliant peers (i.e. just about everything) this should have no
|
1155 | 1230 | effect.
|
1156 | 1231 |
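Review bot: the removed and added lines under "Experimental encrypt-then-mac support" render identically, so this hunk (and the similar single-line hunks further down the file) is a trailing-whitespace strip on historical entries, not a 1.1.0i change; mixing whitespace-only edits to old entries into the release-notes commit makes the substantive additions harder to review and they should be split into their own commit, or at least called out in the commit message.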
|
|
1201 | 1276 |
|
1202 | 1277 | *) Use separate DRBG fields for internal and external flags. New function
|
1203 | 1278 | FIPS_drbg_health_check() to perform on demand health checking. Add
|
1204 |
| - generation tests to fips_test_suite with reduced health check interval to |
| 1279 | + generation tests to fips_test_suite with reduced health check interval to |
1205 | 1280 | demonstrate periodic health checking. Add "nodh" option to
|
1206 | 1281 | fips_test_suite to skip very slow DH test.
|
1207 | 1282 | [Steve Henson]
|
|
1215 | 1290 | combination: call this in fips_test_suite.
|
1216 | 1291 | [Steve Henson]
|
1217 | 1292 |
|
1218 |
| - *) Add support for canonical generation of DSA parameter 'g'. See |
| 1293 | + *) Add support for canonical generation of DSA parameter 'g'. See |
1219 | 1294 | FIPS 186-3 A.2.3.
|
1220 | 1295 |
|
1221 | 1296 | *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
|
|
1239 | 1314 | requested amount of entropy.
|
1240 | 1315 | [Steve Henson]
|
1241 | 1316 |
|
1242 |
| - *) Add PRNG security strength checks to RSA, DSA and ECDSA using |
| 1317 | + *) Add PRNG security strength checks to RSA, DSA and ECDSA using |
1243 | 1318 | information in FIPS186-3, SP800-57 and SP800-131A.
|
1244 | 1319 | [Steve Henson]
|
1245 | 1320 |
|
|
1331 | 1406 | can be set or retrieved with a ctrl. The IV length is by default 12
|
1332 | 1407 | bytes (96 bits) but can be set to an alternative value. If the IV
|
1333 | 1408 | length exceeds the maximum IV length (currently 16 bytes) it cannot be
|
1334 |
| - set before the key. |
| 1409 | + set before the key. |
1335 | 1410 | [Steve Henson]
|
1336 | 1411 |
|
1337 | 1412 | *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
|
|
1374 | 1449 | Add CMAC pkey methods.
|
1375 | 1450 | [Steve Henson]
|
1376 | 1451 |
|
1377 |
| - *) Experimental renegotiation in s_server -www mode. If the client |
| 1452 | + *) Experimental renegotiation in s_server -www mode. If the client |
1378 | 1453 | browses /reneg connection is renegotiated. If /renegcert it is
|
1379 | 1454 | renegotiated requesting a certificate.
|
1380 | 1455 | [Steve Henson]
|
|
1394 | 1469 | *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
|
1395 | 1470 | a gcc attribute to warn if the result of a function is ignored. This
|
1396 | 1471 | is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
|
1397 |
| - whose return value is often ignored. |
| 1472 | + whose return value is often ignored. |
1398 | 1473 | [Steve Henson]
|
1399 | 1474 |
|
1400 | 1475 | *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
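Review bot: since this hunk already touches the `__owur` entry for whitespace, the adjacent context line "This is enable if DEBUG_UNUSED is set" has a typo and should read "This is enabled if DEBUG_UNUSED is set."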
|
|
3628 | 3703 |
|
3629 | 3704 | *) New option -sigopt to dgst utility. Update dgst to use
|
3630 | 3705 | EVP_Digest{Sign,Verify}*. These two changes make it possible to use
|
3631 |
| - alternative signing parameters such as X9.31 or PSS in the dgst |
| 3706 | + alternative signing parameters such as X9.31 or PSS in the dgst |
3632 | 3707 | utility.
|
3633 | 3708 | [Steve Henson]
|
3634 | 3709 |
|
@@ -12379,7 +12454,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
|
12379 | 12454 | *) Fixed sk_insert which never worked properly.
|
12380 | 12455 | [Steve Henson]
|
12381 | 12456 |
|
12382 |
| - *) Fix ASN1 macros so they can handle indefinite length constructed |
| 12457 | + *) Fix ASN1 macros so they can handle indefinite length constructed |
12383 | 12458 | EXPLICIT tags. Some non standard certificates use these: they can now
|
12384 | 12459 | be read in.
|
12385 | 12460 | [Steve Henson]
|
|