diff options
author | Tomas Mraz <tomas@openssl.org> | 2023-07-07 09:54:18 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-07-14 13:02:27 +0200 |
commit | 3b9e2c776556e36f68b80bbb116581b7f18ca9ce (patch) | |
tree | 91304229eab39da41c31b304a47ce942fcacc37f /CHANGES.md | |
parent | 76214c4a8f3374b786811fdfeda3d98690f8faf4 (diff) |
Add CHANGES.md and NEWS.md entries for CVE-2023-2975
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)
(cherry picked from commit 1e398bec538978b9957e69bf9e12b3c626290bea)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- | CHANGES.md | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md index 84f35c7dc4..c63551d92a 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,6 +24,26 @@ OpenSSL 3.1 ### Changes between 3.1.1 and 3.1.2 [xx XXX xxxx] + * Do not ignore empty associated data entries with AES-SIV. + + The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`) + with NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated. ([CVE-2023-2975]) + + Thanks to Juerg Wullschleger (Google) for discovering the issue. + + The fix changes the authentication tag value and the ciphertext for + applications that use empty associated data entries with AES-SIV. + To decrypt data encrypted with previous versions of OpenSSL the application + has to skip calls to `EVP_DecryptUpdate()` for empty associated data + entries. + + *Tomas Mraz* + * When building with the `enable-fips` option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will @@ -19776,6 +19796,7 @@ ndif <!-- Links --> +[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 |