|
7 | 7 | https://github.com/openssl/openssl/commits/ and pick the appropriate
|
8 | 8 | release branch.
|
9 | 9 |
|
| 10 | + Changes between 1.1.1b and 1.1.1c [28 May 2019] |
| 11 | + |
| 12 | + *) Add build tests for C++. These are generated files that only do one |
| 13 | + thing, to include one public OpenSSL head file each. This tests that |
| 14 | + the public header files can be usefully included in a C++ application. |
| 15 | + |
| 16 | + This test isn't enabled by default. It can be enabled with the option |
| 17 | + 'enable-buildtest-c++'. |
| 18 | + [Richard Levitte] |
| 19 | + |
| 20 | + *) Enable SHA3 pre-hashing for ECDSA and DSA. |
| 21 | + [Patrick Steuer] |
| 22 | + |
| 23 | + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. |
| 24 | + This changes the size when using the genpkey app when no size is given. It |
| 25 | + fixes an omission in earlier changes that changed all RSA, DSA and DH |
| 26 | + generation apps to use 2048 bits by default. |
| 27 | + [Kurt Roeckx] |
| 28 | + |
| 29 | + *) Reorganize the manual pages to consistently have RETURN VALUES, |
| 30 | + EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust |
| 31 | + util/fix-doc-nits accordingly. |
| 32 | + [Paul Yang, Joshua Lock] |
| 33 | + |
| 34 | + *) Add the missing accessor EVP_PKEY_get0_engine() |
| 35 | + [Matt Caswell] |
| 36 | + |
| 37 | + *) Have apps like 's_client' and 's_server' output the signature scheme |
| 38 | + along with other cipher suite parameters when debugging. |
| 39 | + [Lorinczy Zsigmond] |
| 40 | + |
| 41 | + *) Make OPENSSL_config() error agnostic again. |
| 42 | + [Richard Levitte] |
| 43 | + |
| 44 | + *) Do the error handling in RSA decryption constant time. |
| 45 | + [Bernd Edlinger] |
| 46 | + |
| 47 | + *) Prevent over long nonces in ChaCha20-Poly1305. |
| 48 | + |
| 49 | + ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input |
| 50 | + for every encryption operation. RFC 7539 specifies that the nonce value |
| 51 | + (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length |
| 52 | + and front pads the nonce with 0 bytes if it is less than 12 |
| 53 | + bytes. However it also incorrectly allows a nonce to be set of up to 16 |
| 54 | + bytes. In this case only the last 12 bytes are significant and any |
| 55 | + additional leading bytes are ignored. |
| 56 | + |
| 57 | + It is a requirement of using this cipher that nonce values are |
| 58 | + unique. Messages encrypted using a reused nonce value are susceptible to |
| 59 | + serious confidentiality and integrity attacks. If an application changes |
| 60 | + the default nonce length to be longer than 12 bytes and then makes a |
| 61 | + change to the leading bytes of the nonce expecting the new value to be a |
| 62 | + new unique nonce then such an application could inadvertently encrypt |
| 63 | + messages with a reused nonce. |
| 64 | + |
| 65 | + Additionally the ignored bytes in a long nonce are not covered by the |
| 66 | + integrity guarantee of this cipher. Any application that relies on the |
| 67 | + integrity of these ignored leading bytes of a long nonce may be further |
| 68 | + affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, |
| 69 | + is safe because no such use sets such a long nonce value. However user |
| 70 | + applications that use this cipher directly and set a non-default nonce |
| 71 | + length to be longer than 12 bytes may be vulnerable. |
| 72 | + |
| 73 | + This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk |
| 74 | + Greef of Ronomon. |
| 75 | + (CVE-2019-1543) |
| 76 | + [Matt Caswell] |
| 77 | + |
| 78 | + *) Ensure that SM2 only uses SM3 as digest algorithm |
| 79 | + [Paul Yang] |
| 80 | + |
10 | 81 | Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
|
11 | 82 |
|
12 | 83 | *) Added SCA hardening for modular field inversion in EC_GROUP through
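Review bot: the CVE-2019-1543 entry (new lines 47-76) explains the defect and its impact but never states the corrected behaviour, which is what an application developer reading CHANGES needs: say explicitly what now happens when a nonce length greater than 12 bytes is requested for ChaCha20-Poly1305 (whether the call is rejected or the value is truncated), so callers that previously set a non-default length can tell whether their code will start failing after the upgrade. Two smaller points in the same hunk: line 13 has a typo, "to include one public OpenSSL head file each" should read "header file"; and for consistency with the other entries, "*) Add the missing accessor EVP_PKEY_get0_engine()" (line 34) and "*) Ensure that SM2 only uses SM3 as digest algorithm" (line 78) should end with a full stop like the surrounding items.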
|
|