diff options
| author | Tomas Mraz <tomas@openssl.org> | 2023-07-07 09:54:18 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2023-07-14 13:02:27 +0200 |
| commit | 3b9e2c776556e36f68b80bbb116581b7f18ca9ce (patch) | |
| tree | 91304229eab39da41c31b304a47ce942fcacc37f | |
| parent | 76214c4a8f3374b786811fdfeda3d98690f8faf4 (diff) | |
Add CHANGES.md and NEWS.md entries for CVE-2023-2975
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)
(cherry picked from commit 1e398bec538978b9957e69bf9e12b3c626290bea)
| -rw-r--r-- | CHANGES.md | 21 | ||||
| -rw-r--r-- | NEWS.md | 10 |
2 files changed, 27 insertions, 4 deletions
diff --git a/CHANGES.md b/CHANGES.md index 84f35c7dc4..c63551d92a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,26 @@ OpenSSL 3.1 ### Changes between 3.1.1 and 3.1.2 [xx XXX xxxx] + * Do not ignore empty associated data entries with AES-SIV. + + The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`) + with NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated. ([CVE-2023-2975]) + + Thanks to Juerg Wullschleger (Google) for discovering the issue. + + The fix changes the authentication tag value and the ciphertext for + applications that use empty associated data entries with AES-SIV. + To decrypt data encrypted with previous versions of OpenSSL the application + has to skip calls to `EVP_DecryptUpdate()` for empty associated data + entries. + + *Tomas Mraz* + * When building with the `enable-fips` option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will @@ -19776,6 +19796,7 @@ ndif <!-- Links --> +[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 @@ -21,10 +21,11 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [under development] - * When building with the `enable-fips` option and using the resulting - FIPS provider, TLS 1.2 will, by default, mandate the use of an - extended master secret and the Hash and HMAC DRBGs will not operate - with truncated digests. + * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) + * When building with the `enable-fips` option and using the resulting + FIPS provider, TLS 1.2 will, by default, mandate the use of an + extended master secret and the Hash and HMAC DRBGs will not operate + with truncated digests. ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023] @@ -1461,6 +1462,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 |