-rw-r--r-- | ACKNOWLEDGEMENTS.md | 1
-rw-r--r-- | AUTHORS.md | 58
-rw-r--r-- | CHANGES.md | 817
-rw-r--r-- | CONTRIBUTING.md | 4
-rw-r--r-- | INSTALL.md | 312
-rw-r--r-- | NEWS.md | 296
-rw-r--r-- | README.md | 58
-rw-r--r-- | SUPPORT.md | 15
-rw-r--r-- | fuzz/README.md | 20
-rw-r--r-- | test/README.ssltest.md | 97
10 files changed, 781 insertions, 897 deletions
diff --git a/ACKNOWLEDGEMENTS.md b/ACKNOWLEDGEMENTS.md index baf7743c8e..dae83457db 100644 --- a/ACKNOWLEDGEMENTS.md +++ b/ACKNOWLEDGEMENTS.md @@ -3,6 +3,5 @@ Acknowlegements Please see our [Thanks!][] page for the current acknowledgements. - [Thanks!]: https://www.openssl.org/community/thanks.html diff --git a/AUTHORS.md b/AUTHORS.md index e9ff5441b9..af72f43b08 100644 --- a/AUTHORS.md +++ b/AUTHORS.md @@ -7,40 +7,38 @@ since in some cases, their employer may be the copyright holder. To see the full list of contributors, see the revision history in source control. - Groups ------ - * OpenSSL Software Services, Inc. - * OpenSSL Software Foundation, Inc. - + * OpenSSL Software Services, Inc. + * OpenSSL Software Foundation, Inc. Individuals ----------- - * Andy Polyakov - * Ben Laurie - * Ben Kaduk - * Bernd Edlinger - * Bodo Möller - * David Benjamin - * Emilia Käsper - * Eric Young - * Geoff Thorpe - * Holger Reif - * Kurt Roeckx - * Lutz Jänicke - * Mark J. Cox - * Matt Caswell - * Matthias St. Pierre - * Nils Larsch - * Paul Dale - * Paul C. Sutton - * Ralf S. Engelschall - * Rich Salz - * Richard Levitte - * Stephen Henson - * Steve Marquess - * Tim Hudson - * Ulf Möller - * Viktor Dukhovni + * Andy Polyakov + * Ben Laurie + * Ben Kaduk + * Bernd Edlinger + * Bodo Möller + * David Benjamin + * Emilia Käsper + * Eric Young + * Geoff Thorpe + * Holger Reif + * Kurt Roeckx + * Lutz Jänicke + * Mark J. Cox + * Matt Caswell + * Matthias St. Pierre + * Nils Larsch + * Paul Dale + * Paul C. Sutton + * Ralf S. Engelschall + * Rich Salz + * Richard Levitte + * Stephen Henson + * Steve Marquess + * Tim Hudson + * Ulf Möller + * Viktor Dukhovni diff --git a/CHANGES.md b/CHANGES.md index 6da7bcde72..2835322bdf 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -7,7 +7,6 @@ pick the appropriate release branch. [log]: https://github.com/openssl/openssl/commits/ - OpenSSL Releases ---------------- 
@@ -22,7 +21,7 @@ OpenSSL Releases OpenSSL 3.0 ----------- -### Changes between 1.1.1 and 3.0 [xx XXX xxxx] ### +### Changes between 1.1.1 and 3.0 [xx XXX xxxx] * Removed FIPS_mode() and FIPS_mode_set(). These functions are legacy API's that are not applicable to the new provider model. Applications should @@ -87,7 +86,6 @@ OpenSSL 3.0 *Matthias St. Pierre* - * The test suite is changed to preserve results of each test recipe. A new directory test-runs/ with subdirectories named like the test recipes are created in the build tree for this purpose. @@ -335,7 +333,7 @@ OpenSSL 3.0 *Paul Dale* - * Corrected the documentation of the return values from the EVP_DigestSign* + * Corrected the documentation of the return values from the `EVP_DigestSign*` set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed. @@ -422,10 +420,10 @@ OpenSSL 3.0 replaced with no-ops. *Rich Salz* - + * Added documentation for the STACK API. OpenSSL only defines the STACK functions where they are used. - + *Rich Salz* * Introduced a new method type and API, OSSL_SERIALIZER, to @@ -589,7 +587,6 @@ OpenSSL 3.0 $ mms /macro=(VF=1) test ! OpenVMS $ nmake VF=1 test # Windows - *Richard Levitte* * For built-in EC curves, ensure an EC_GROUP built from the curve name is @@ -641,7 +638,7 @@ OpenSSL 3.0 when primes for RSA keys are computed. Since we previously always generated primes == 2 (mod 3) for RSA keys, the 2-prime and 3-prime RSA modules were easy to distinguish, since - N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting + `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore fingerprinting 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. This avoids possible fingerprinting of newly generated RSA modules. 
@@ -692,7 +689,7 @@ OpenSSL 3.0 *Paul Dale* - * {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been + * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been deprecated. *Rich Salz* @@ -807,7 +804,7 @@ OpenSSL 3.0 *Paul Dale* * Added newline escaping functionality to a filename when using openssl dgst. - This output format is to replicate the output format found in the '*sum' + This output format is to replicate the output format found in the `*sum` checksum programs. This aims to preserve backward compatibility. *Matt Eaton, Richard Levitte, and Paul Dale* @@ -967,7 +964,7 @@ OpenSSL 3.0 the attacked described in "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway. Details of this attack can be obtained from: - http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf + <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf> *Paul Dale* @@ -988,14 +985,12 @@ OpenSSL 3.0 *Boris Pismenny* - OpenSSL 1.1.1 ------------- -### Changes between 1.1.1e and 1.1.1f [xx XXX xxxx] ### +### Changes between 1.1.1e and 1.1.1f [xx XXX xxxx] - -### Changes between 1.1.1d and 1.1.1e [17 Mar 2020] ### +### Changes between 1.1.1d and 1.1.1e [17 Mar 2020] * Properly detect EOF while reading in libssl. Previously if we hit an EOF while reading in libssl then we would report an error back to the @@ -1039,7 +1034,7 @@ OpenSSL 1.1.1 *Richard Levitte* * Added newline escaping functionality to a filename when using openssl dgst. - This output format is to replicate the output format found in the '*sum' + This output format is to replicate the output format found in the `*sum` checksum programs. This aims to preserve backward compatibility. *Matt Eaton, Richard Levitte, and Paul Dale* 
@@ -1049,7 +1044,7 @@ OpenSSL 1.1.1 *Jon Spillett* -### Changes between 1.1.1c and 1.1.1d [10 Sep 2019] ### +### Changes between 1.1.1c and 1.1.1d [10 Sep 2019] * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the @@ -1154,7 +1149,7 @@ OpenSSL 1.1.1 *Matthias St. Pierre* -### Changes between 1.1.1b and 1.1.1c [28 May 2019] ### +### Changes between 1.1.1b and 1.1.1c [28 May 2019] * Add build tests for C++. These are generated files that only do one thing, to include one public OpenSSL head file each. This tests that @@ -1245,7 +1240,7 @@ OpenSSL 1.1.1 *Paul Yang* -### Changes between 1.1.1a and 1.1.1b [26 Feb 2019] ### +### Changes between 1.1.1a and 1.1.1b [26 Feb 2019] * Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START @@ -1259,7 +1254,7 @@ OpenSSL 1.1.1 *Matt Caswell* -### Changes between 1.1.1 and 1.1.1a [20 Nov 2018] ### +### Changes between 1.1.1 and 1.1.1a [20 Nov 2018] * Timing vulnerability in DSA signature generation @@ -1292,7 +1287,7 @@ OpenSSL 1.1.1 automatically and is fully functional even without additional randomness provided by the application. -### Changes between 1.1.0i and 1.1.1 [11 Sep 2018] ### +### Changes between 1.1.0i and 1.1.1 [11 Sep 2018] * Add a new ClientHello callback. Provides a callback interface that gives the application the ability to adjust the nascent SSL object at the @@ -1562,7 +1557,7 @@ OpenSSL 1.1.1 * Support for TLSv1.3 added. Note that users upgrading from an earlier version of OpenSSL should review their configuration settings to ensure that they are still appropriate for TLSv1.3. For further information see: - https://wiki.openssl.org/index.php/TLS1.3 + <https://wiki.openssl.org/index.php/TLS1.3> *Matt Caswell* 
@@ -1815,7 +1810,7 @@ OpenSSL 1.1.1 * 'openssl passwd' can now produce SHA256 and SHA512 based output, using the algorithm defined in - https://www.akkadia.org/drepper/SHA-crypt.txt + <https://www.akkadia.org/drepper/SHA-crypt.txt> *Richard Levitte* @@ -1835,8 +1830,7 @@ OpenSSL 1.1.1 OpenSSL 1.1.0 ------------- - -### Changes between 1.1.0k and 1.1.0l [10 Sep 2019] ### +### Changes between 1.1.0k and 1.1.0l [10 Sep 2019] * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key @@ -1882,7 +1876,7 @@ OpenSSL 1.1.0 *Richard Levitte* -### Changes between 1.1.0j and 1.1.0k [28 May 2019] ### +### Changes between 1.1.0j and 1.1.0k [28 May 2019] * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It @@ -1945,7 +1939,7 @@ OpenSSL 1.1.0 *Richard Levitte* -### Changes between 1.1.0i and 1.1.0j [20 Nov 2018] ### +### Changes between 1.1.0i and 1.1.0j [20 Nov 2018] * Timing vulnerability in DSA signature generation @@ -1975,7 +1969,7 @@ OpenSSL 1.1.0 *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley* -### Changes between 1.1.0h and 1.1.0i [14 Aug 2018] ### +### Changes between 1.1.0h and 1.1.0i [14 Aug 2018] * Client DoS due to large DH parameter @@ -2060,7 +2054,7 @@ OpenSSL 1.1.0 *Matt Caswell* -### Changes between 1.1.0g and 1.1.0h [27 Mar 2018] ### +### Changes between 1.1.0g and 1.1.0h [27 Mar 2018] * Constructed ASN.1 types with a recursive definition could exceed the stack @@ -2139,7 +2133,7 @@ OpenSSL 1.1.0 *Andy Polyakov* -### Changes between 1.1.0f and 1.1.0g [2 Nov 2017] ### +### Changes between 1.1.0f and 1.1.0g [2 Nov 2017] * bn_sqrx8x_internal carry bug on x86_64 
@@ -2174,7 +2168,7 @@ OpenSSL 1.1.0 *Rich Salz* -### Changes between 1.1.0e and 1.1.0f [25 May 2017] ### +### Changes between 1.1.0e and 1.1.0f [25 May 2017] * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target platform rather than 'mingw'. @@ -2187,7 +2181,7 @@ OpenSSL 1.1.0 *Richard Levitte* -### Changes between 1.1.0d and 1.1.0e [16 Feb 2017] ### +### Changes between 1.1.0d and 1.1.0e [16 Feb 2017] * Encrypt-Then-Mac renegotiation crash @@ -2201,7 +2195,7 @@ OpenSSL 1.1.0 *Matt Caswell* -### Changes between 1.1.0c and 1.1.0d [26 Jan 2017] ### +### Changes between 1.1.0c and 1.1.0d [26 Jan 2017] * Truncated packet could crash via OOB read @@ -2247,11 +2241,11 @@ OpenSSL 1.1.0 *Andy Polyakov* -### Changes between 1.1.0b and 1.1.0c [10 Nov 2016] ### +### Changes between 1.1.0b and 1.1.0c [10 Nov 2016] * ChaCha20/Poly1305 heap-buffer-overflow - TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to + TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS. @@ -2303,7 +2297,7 @@ OpenSSL 1.1.0 *Richard Levitte* -### Changes between 1.1.0a and 1.1.0b [26 Sep 2016] ### +### Changes between 1.1.0a and 1.1.0b [26 Sep 2016] * Fix Use After Free for large message sizes @@ -2321,7 +2315,7 @@ OpenSSL 1.1.0 *Matt Caswell* -### Changes between 1.1.0 and 1.1.0a [22 Sep 2016] ### +### Changes between 1.1.0 and 1.1.0a [22 Sep 2016] * OCSP Status Request extension unbounded memory growth @@ -2400,7 +2394,7 @@ OpenSSL 1.1.0 *Andy Polyakov* -### Changes between 1.0.2h and 1.1.0 [25 Aug 2016] ### +### Changes between 1.0.2h and 1.1.0 [25 Aug 2016] * Windows command-line tool supports UTF-8 opt-in option for arguments and console input. Setting OPENSSL_WIN32_UTF8 environment variable 
@@ -2443,8 +2437,8 @@ OpenSSL 1.1.0 *Joseph Wylie Yandle, Rich Salz* - * The stack and lhash API's were renamed to start with OPENSSL_SK_ - and OPENSSL_LH_, respectively. The old names are available + * The stack and lhash API's were renamed to start with `OPENSSL_SK_` + and `OPENSSL_LH_`, respectively. The old names are available with API compatibility. They new names are now completely documented. *Rich Salz* @@ -2622,12 +2616,12 @@ OpenSSL 1.1.0 *Todd Short* * Changes to the DEFAULT cipherlist: - - Prefer (EC)DHE handshakes over plain RSA. - - Prefer AEAD ciphers over legacy ciphers. - - Prefer ECDSA over RSA when both certificates are available. - - Prefer TLSv1.2 ciphers/PRF. - - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the - default cipherlist. + - Prefer (EC)DHE handshakes over plain RSA. + - Prefer AEAD ciphers over legacy ciphers. + - Prefer ECDSA over RSA when both certificates are available. + - Prefer TLSv1.2 ciphers/PRF. + - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the + default cipherlist. *Emilia Käsper* @@ -2789,8 +2783,8 @@ OpenSSL 1.1.0 * The signature of the session callback configured with SSL_CTX_sess_set_get_cb was changed. The read-only input buffer - was explicitly marked as 'const unsigned char*' instead of - 'unsigned char*'. + was explicitly marked as `const unsigned char*` instead of + `unsigned char*`. *Emilia Käsper* @@ -2822,7 +2816,7 @@ OpenSSL 1.1.0 Makefile. Instead, Configure produces a perl module in configdata.pm which holds most of the config data (in the hash table %config), the target data that comes from the target - configuration in one of the Configurations/*.conf files (in + configuration in one of the `Configurations/*.conf~ files (in %target). *Richard Levitte* 
@@ -2851,7 +2845,7 @@ OpenSSL 1.1.0 * The GOST engine was out of date and therefore it has been removed. An up to date GOST engine is now being maintained in an external repository. - See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains + See: <https://wiki.openssl.org/index.php/Binaries>. Libssl still retains support for GOST ciphersuites (these are only activated if a GOST engine is present). @@ -3205,7 +3199,7 @@ OpenSSL 1.1.0 * Added support for OCB mode. OpenSSL has been granted a patent license compatible with the OpenSSL license for use of OCB. Details are available - at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support + at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support for OCB can be removed by calling config with no-ocb. *Matt Caswell* 
@@ -3244,16 +3238,16 @@ OpenSSL 1.1.0 *Rich Salz* * Clean up OPENSSL_NO_xxx #define's - - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF - - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx - - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC - - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 - - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO - - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY - OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP - OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK - OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY - - Remove MS_STATIC; it's a relic from platforms <32 bits. + - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF + - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx + - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC + - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 + - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO + - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY + OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP + OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK + OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY + - Remove MS_STATIC; it's a relic from platforms <32 bits. *Rich Salz* @@ -3311,7 +3305,7 @@ OpenSSL 1.1.0 * Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: - http://eprint.iacr.org/2014/140 + <http://eprint.iacr.org/2014/140> Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][] @@ -3336,7 +3330,6 @@ OpenSSL 1.1.0 WARNING: EXPERIMENTAL, SUBJECT TO CHANGE. - *Steve Henson* * Add EVP support for key wrapping algorithms, to avoid problems with 
@@ -3542,7 +3535,7 @@ OpenSSL 1.1.0 *Steve Henson* * Initial, experimental EVP support for AES-GCM. AAD can be input by - setting output buffer to NULL. The *Final function must be + setting output buffer to NULL. The `*Final` function must be called although it will not retrieve any additional data. The tag can be set or retrieved with a ctrl. The IV length is by default 12 bytes (96 bits) but can be set to an alternative value. If the IV @@ -3634,7 +3627,7 @@ OpenSSL 1.1.0 OpenSSL 1.0.2 ------------- -### Changes between 1.0.2s and 1.0.2t [10 Sep 2019] ### +### Changes between 1.0.2s and 1.0.2t [10 Sep 2019] * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key @@ -3680,7 +3673,7 @@ OpenSSL 1.0.2 *Richard Levitte* -### Changes between 1.0.2r and 1.0.2s [28 May 2019] ### +### Changes between 1.0.2r and 1.0.2s [28 May 2019] * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It @@ -3699,7 +3692,7 @@ OpenSSL 1.0.2 *Matthias St. Pierre* -### Changes between 1.0.2q and 1.0.2r [26 Feb 2019] ### +### Changes between 1.0.2q and 1.0.2r [26 Feb 2019] * 0-byte record padding oracle @@ -3728,7 +3721,7 @@ OpenSSL 1.0.2 *Richard Levitte* -### Changes between 1.0.2p and 1.0.2q [20 Nov 2018] ### +### Changes between 1.0.2p and 1.0.2q [20 Nov 2018] * Microarchitecture timing vulnerability in ECC scalar multiplication @@ -3761,7 +3754,7 @@ OpenSSL 1.0.2 *Nicola Tuveri* -### Changes between 1.0.2o and 1.0.2p [14 Aug 2018] ### +### Changes between 1.0.2o and 1.0.2p [14 Aug 2018] * Client DoS due to large DH parameter @@ -3828,7 +3821,7 @@ OpenSSL 1.0.2 *Emilia Käsper* -### Changes between 1.0.2n and 1.0.2o [27 Mar 2018] ### +### Changes between 1.0.2n and 1.0.2o [27 Mar 2018] * Constructed ASN.1 types with a recursive definition could exceed the stack 
@@ -3844,7 +3837,7 @@ OpenSSL 1.0.2 *Matt Caswell* -### Changes between 1.0.2m and 1.0.2n [7 Dec 2017] ### +### Changes between 1.0.2m and 1.0.2n [7 Dec 2017] * Read/write after SSL object in error state @@ -3891,7 +3884,7 @@ OpenSSL 1.0.2 *Andy Polyakov* -### Changes between 1.0.2l and 1.0.2m [2 Nov 2017] ### +### Changes between 1.0.2l and 1.0.2m [2 Nov 2017] * bn_sqrx8x_internal carry bug on x86_64 @@ -3926,14 +3919,14 @@ OpenSSL 1.0.2 *Rich Salz* -### Changes between 1.0.2k and 1.0.2l [25 May 2017] ### +### Changes between 1.0.2k and 1.0.2l [25 May 2017] * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target platform rather than 'mingw'. *Richard Levitte* -### Changes between 1.0.2j and 1.0.2k [26 Jan 2017] ### +### Changes between 1.0.2j and 1.0.2k [26 Jan 2017] * Truncated packet could crash via OOB read @@ -3998,7 +3991,7 @@ OpenSSL 1.0.2 *Matt Caswell* -### Changes between 1.0.2i and 1.0.2j [26 Sep 2016] ### +### Changes between 1.0.2i and 1.0.2j [26 Sep 2016] * Missing CRL sanity check @@ -4011,7 +4004,7 @@ OpenSSL 1.0.2 *Matt Caswell* -### Changes between 1.0.2h and 1.0.2i [22 Sep 2016] ### +### Changes between 1.0.2h and 1.0.2i [22 Sep 2016] * OCSP Status Request extension unbounded memory growth @@ -4182,7 +4175,7 @@ OpenSSL 1.0.2 *Stephen Henson* -### Changes between 1.0.2g and 1.0.2h [3 May 2016] ### +### Changes between 1.0.2g and 1.0.2h [3 May 2016] * Prevent padding oracle in AES-NI CBC MAC check @@ -4210,7 +4203,7 @@ OpenSSL 1.0.2 corruption. Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by - the PEM_write_bio* family of functions. These are mainly used within the + the `PEM_write_bio*` family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly 
@@ -4287,7 +4280,7 @@ OpenSSL 1.0.2 *Kurt Roeckx* -### Changes between 1.0.2f and 1.0.2g [1 Mar 2016] ### +### Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not @@ -4372,10 +4365,10 @@ OpenSSL 1.0.2 *Matt Caswell* - * Fix memory issues in BIO_*printf functions + * Fix memory issues in `BIO_*printf` functions The internal |fmtstr| function used in processing a "%s" format string in - the BIO_*printf functions could overflow while calculating the length of a + the `BIO_*printf` functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an @@ -4387,7 +4380,7 @@ OpenSSL 1.0.2 The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data - is passed to the BIO_*printf functions. If applications use these functions + is passed to the `BIO_*printf` functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from @@ -4415,7 +4408,7 @@ OpenSSL 1.0.2 This issue was reported to OpenSSL by Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania with more information at - http://cachebleed.info. + <http://cachebleed.info>. [CVE-2016-0702][] *Andy Polyakov* @@ -4427,7 +4420,8 @@ OpenSSL 1.0.2 *Emilia Käsper* -### Changes between 1.0.2e and 1.0.2f [28 Jan 2016] ### +### Changes between 1.0.2e and 1.0.2f [28 Jan 2016] + * DH small subgroups Historically OpenSSL only ever generated DH parameters based on "safe" 
@@ -4473,7 +4467,7 @@ OpenSSL 1.0.2 *Viktor Dukhovni* -### Changes between 1.0.2d and 1.0.2e [3 Dec 2015] ### +### Changes between 1.0.2d and 1.0.2e [3 Dec 2015] * BN_mod_exp may produce incorrect results on x86_64 @@ -4536,7 +4530,7 @@ OpenSSL 1.0.2 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>* -### Changes between 1.0.2c and 1.0.2d [9 Jul 2015] ### +### Changes between 1.0.2c and 1.0.2d [9 Jul 2015] * Alternate chains certificate forgery @@ -4552,7 +4546,7 @@ OpenSSL 1.0.2 *Matt Caswell* -### Changes between 1.0.2b and 1.0.2c [12 Jun 2015] ### +### Changes between 1.0.2b and 1.0.2c [12 Jun 2015] * Fix HMAC ABI incompatibility. The previous version introduced an ABI incompatibility in the handling of HMAC. The previous ABI has now been @@ -4560,7 +4554,7 @@ OpenSSL 1.0.2 *Matt Caswell* -### Changes between 1.0.2a and 1.0.2b [11 Jun 2015] ### +### Changes between 1.0.2a and 1.0.2b [11 Jun 2015] * Malformed ECParameters causes infinite loop @@ -4639,7 +4633,7 @@ OpenSSL 1.0.2 *Emilia Kasper* -### Changes between 1.0.2 and 1.0.2a [19 Mar 2015] ### +### Changes between 1.0.2 and 1.0.2a [19 Mar 2015] * ClientHello sigalgs DoS fix @@ -4815,7 +4809,7 @@ OpenSSL 1.0.2 *Kurt Roeckx* -### Changes between 1.0.1l and 1.0.2 [22 Jan 2015] ### +### Changes between 1.0.1l and 1.0.2 [22 Jan 2015] * Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. ARMv5 through ARMv8, as opposite to "locking" it to single one. @@ -4966,7 +4960,7 @@ OpenSSL 1.0.2 *Steve Henson* - * SSL_CONF* functions. These provide a common framework for application + * `SSL_CONF*` functions. These provide a common framework for application configuration using configuration files or command lines. *Steve Henson* @@ -5034,7 +5028,6 @@ OpenSSL 1.0.2 Note: if the CERT based stores are not set then the parent SSL_CTX store is used to retain compatibility with existing behaviour. - *Steve Henson* * New function ssl_set_client_disabled to set a ciphersuite disabled 
@@ -5210,11 +5203,10 @@ OpenSSL 1.0.2 X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and X509_CINF_get_signature were reverted post internal team review. - OpenSSL 1.0.1 ------------- -### Changes between 1.0.1t and 1.0.1u [22 Sep 2016] ### +### Changes between 1.0.1t and 1.0.1u [22 Sep 2016] * OCSP Status Request extension unbounded memory growth @@ -5385,7 +5377,7 @@ OpenSSL 1.0.1 *Stephen Henson* -### Changes between 1.0.1s and 1.0.1t [3 May 2016] ### +### Changes between 1.0.1s and 1.0.1t [3 May 2016] * Prevent padding oracle in AES-NI CBC MAC check @@ -5413,7 +5405,7 @@ OpenSSL 1.0.1 corruption. Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by - the PEM_write_bio* family of functions. These are mainly used within the + the `PEM_write_bio*` family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly @@ -5490,7 +5482,7 @@ OpenSSL 1.0.1 *Kurt Roeckx* -### Changes between 1.0.1r and 1.0.1s [1 Mar 2016] ### +### Changes between 1.0.1r and 1.0.1s [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not @@ -5575,10 +5567,10 @@ OpenSSL 1.0.1 *Matt Caswell* - * Fix memory issues in BIO_*printf functions + * Fix memory issues in `BIO_*printf` functions The internal |fmtstr| function used in processing a "%s" format string in - the BIO_*printf functions could overflow while calculating the length of a + the `BIO_*printf` functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an 
@@ -5590,7 +5582,7 @@ OpenSSL 1.0.1 The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data - is passed to the BIO_*printf functions. If applications use these functions + is passed to the `BIO_*printf` functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from @@ -5618,7 +5610,7 @@ OpenSSL 1.0.1 This issue was reported to OpenSSL by Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania with more information at - http://cachebleed.info. + <http://cachebleed.info>. [CVE-2016-0702][] *Andy Polyakov* @@ -5630,7 +5622,7 @@ OpenSSL 1.0.1 *Emilia Käsper* -### Changes between 1.0.1q and 1.0.1r [28 Jan 2016] ### +### Changes between 1.0.1q and 1.0.1r [28 Jan 2016] * Protection for DH small subgroup attacks @@ -5657,7 +5649,7 @@ OpenSSL 1.0.1 *Kurt Roeckx* -### Changes between 1.0.1p and 1.0.1q [3 Dec 2015] ### +### Changes between 1.0.1p and 1.0.1q [3 Dec 2015] * Certificate verify crash with missing PSS parameter @@ -5700,7 +5692,7 @@ OpenSSL 1.0.1 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>* -### Changes between 1.0.1o and 1.0.1p [9 Jul 2015] ### +### Changes between 1.0.1o and 1.0.1p [9 Jul 2015] * Alternate chains certificate forgery 
@@ -5727,12 +5719,13 @@ OpenSSL 1.0.1 *Stephen Henson* -### Changes between 1.0.1n and 1.0.1o [12 Jun 2015] ### +### Changes between 1.0.1n and 1.0.1o [12 Jun 2015] + * Fix HMAC ABI incompatibility. The previous version introduced an ABI incompatibility in the handling of HMAC. The previous ABI has now been restored. -### Changes between 1.0.1m and 1.0.1n [11 Jun 2015] ### +### Changes between 1.0.1m and 1.0.1n [11 Jun 2015] * Malformed ECParameters causes infinite loop @@ -5813,7 +5806,7 @@ OpenSSL 1.0.1 *Kurt Roeckx and Emilia Kasper* -### Changes between 1.0.1l and 1.0.1m [19 Mar 2015] ### +### Changes between 1.0.1l and 1.0.1m [19 Mar 2015] * Segmentation fault in ASN1_TYPE_cmp fix @@ -5897,13 +5890,13 @@ OpenSSL 1.0.1 *Kurt Roeckx* -### Changes between 1.0.1k and 1.0.1l [15 Jan 2015] ### +### Changes between 1.0.1k and 1.0.1l [15 Jan 2015] * Build fixes for the Windows and OpenVMS platforms *Matt Caswell and Richard Levitte* -### Changes between 1.0.1j and 1.0.1k [8 Jan 2015] ### +### Changes between 1.0.1j and 1.0.1k [8 Jan 2015] * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer @@ -6045,7 +6038,7 @@ OpenSSL 1.0.1 *Emilia Käsper* -### Changes between 1.0.1i and 1.0.1j [15 Oct 2014] ### +### Changes between 1.0.1i and 1.0.1j [15 Oct 2014] * SRTP Memory Leak. @@ -6098,10 +6091,9 @@ OpenSSL 1.0.1 Note: this is a precautionary measure and no attacks are currently known. - *Steve Henson* -### Changes between 1.0.1h and 1.0.1i [6 Aug 2014] ### +### Changes between 1.0.1h and 1.0.1i [6 Aug 2014] * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the SRP code can be overrun an internal buffer. Add sanity check that 
@@ -6197,7 +6189,7 @@ OpenSSL 1.0.1 *Bodo Moeller* -### Changes between 1.0.1g and 1.0.1h [5 Jun 2014] ### +### Changes between 1.0.1g and 1.0.1h [5 Jun 2014] * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL @@ -6248,7 +6240,7 @@ OpenSSL 1.0.1 *mancha <mancha1@zoho.com>* -### Changes between 1.0.1f and 1.0.1g [7 Apr 2014] ### +### Changes between 1.0.1f and 1.0.1g [7 Apr 2014] * A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or @@ -6263,7 +6255,7 @@ OpenSSL 1.0.1 * Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: - http://eprint.iacr.org/2014/140 + <http://eprint.iacr.org/2014/140> Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix [CVE-2014-0076][] @@ -6277,10 +6269,9 @@ OpenSSL 1.0.1 less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. - *Adam Langley, Steve Henson* -### Changes between 1.0.1e and 1.0.1f [6 Jan 2014] ### +### Changes between 1.0.1e and 1.0.1f [6 Jan 2014] * Fix for TLS record tampering bug. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception. 
@@ -6302,20 +6293,20 @@ OpenSSL 1.0.1 *Rob Stradling, Adam Langley* -### Changes between 1.0.1d and 1.0.1e [11 Feb 2013] ### +### Changes between 1.0.1d and 1.0.1e [11 Feb 2013] * Correct fix for CVE-2013-0169. The original didn't work on AES-NI supporting platforms or when small records were transferred. *Andy Polyakov, Steve Henson* -### Changes between 1.0.1c and 1.0.1d [5 Feb 2013] ### +### Changes between 1.0.1c and 1.0.1d [5 Feb 2013] * Make the decoding of SSLv3, TLS and DTLS CBC records constant time. This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found - at: http://www.isg.rhul.ac.uk/tls/ + at: <http://www.isg.rhul.ac.uk/tls/> Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London @@ -6346,7 +6337,7 @@ OpenSSL 1.0.1 * Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. - See http://rt.openssl.org/Ticket/Display.html?id=2836. + See <http://rt.opens |
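Review bot: In the CHANGES.md hunk at @@ -2822,7 +2816,7 @@, the added line opens a code span with a backtick but closes it with a tilde: "configuration in one of the `Configurations/*.conf~ files (in". The span is never terminated, so the text that follows is at risk of rendering as code up to the next backtick in the file. Replace the trailing ~ with a backtick so the path is quoted the same way as the other glob patterns this patch escapes (`*sum`, `BIO_*printf`, `PEM_write_bio*`).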
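Review bot: In the CHANGES.md hunk at @@ -641,7 +638,7 @@, only the two expressions on the changed line are wrapped in backticks ("`N = p*q = 1 (mod 3)`" and "`N = p*q*r = 2 (mod 3)`"), while "primes == 2 (mod 3)" and "N mod 3" in the surrounding context lines of the same entry stay bare. The entry now mixes quoted and unquoted modular expressions; quote the remaining two as well so the paragraph reads consistently, since the patch is already reformatting it.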
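Review bot: The CHANGES.md hunk at @@ -5413,7 +5405,7 @@ rewrites the "`PEM_write_bio*` family of functions" line but leaves "primarly" on the context line directly above it. The matching 1.0.2 entry in the hunk at @@ -4210,7 +4203,7 @@ already spells it "primarily". Fix the spelling in the 1.0.1 copy while the paragraph is being touched so the two copies of the entry agree.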
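Review bot: In the CHANGES.md hunk at @@ -2443,8 +2437,8 @@, the two changed lines quote `OPENSSL_SK_` and `OPENSSL_LH_`, but the context line that follows still reads "They new names are now completely documented." That should be "The new names"; since the patch already edits this entry, correct it in the same change.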