Releases: philyuchkoff/openssl-RPM-Builder

OpenSSL 1.1.1o

14 May 06:42
2640865

Changes between 1.1.1n and 1.1.1o [3 May 2022]

Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed.
On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-1292)
[Tomáš Mráz]

OpenSSL 3.0.2

17 Mar 16:06
5f22aa0

Changes between 3.0.1 and 3.0.2 [15 Mar 2022]

Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

  • TLS clients consuming server certificates
  • TLS servers consuming client certificates
  • Hosting providers taking certificates or private keys from customers
  • Certificate authorities parsing certification requests from subscribers
  • Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. (CVE-2022-0778)

Tomáš Mráz

Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3.

Dmitry Belyavskiy, Nicola Tuveri

Made the AES constant time code for no-asm configurations optional due to the resulting 95% performance degradation. The AES constant time code can be enabled, for no assembly builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME

Paul Dale

Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty passphrase strings.

Darshan Sen

The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify() function.

Tomáš Mráz

OpenSSL 1.1.1n

17 Mar 15:59
785e3e7

Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

  - TLS clients consuming server certificates
  - TLS servers consuming client certificates
  - Hosting providers taking certificates or private keys from customers
  - Certificate authorities parsing certification requests from subscribers
  - Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. (CVE-2022-0778) [Tomáš Mráz]
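The failure mode in the BN_mod_sqrt() entries for 3.0.2 and 1.1.1n, illustrated with an added example (not OpenSSL's code and not part of these release notes): a Tonelli-Shanks modular square root on moduli below 2^32 whose inner search is capped by the exponent e, so a non-prime modulus produces an error return instead of an unbounded loop. The names mod_sqrt, mulmod and powmod are made up for this illustration.

```c
#include <stdint.h>

/* (a * b) mod p; p < 2^32 is enforced below, so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t p) { return (a * b) % p; }

static uint64_t powmod(uint64_t b, uint64_t n, uint64_t p) {
    uint64_t r = 1;
    for (b %= p; n; n >>= 1, b = mulmod(b, b, p))
        if (n & 1) r = mulmod(r, b, p);
    return r;
}

/* Tonelli-Shanks square root of a modulo p (illustrative, not OpenSSL's BN code).
 * Returns 0 and stores a root in *root, or -1 when no root is found:
 * a is not a square, or p is not an odd prime below 2^32. */
int mod_sqrt(uint64_t a, uint64_t p, uint64_t *root) {
    if (p < 3 || (p & 1) == 0 || (p >> 32) != 0) return -1;
    a %= p;
    if (a == 0) { *root = 0; return 0; }
    uint64_t q = p - 1, y = 0;
    unsigned e = 0;
    while ((q & 1) == 0) { q >>= 1; e++; }        /* p - 1 = 2^e * q, q odd */

    /* Bounded search for a non-residue; a composite p may have none. */
    for (uint64_t c = 2; c < p; c++)
        if (powmod(c, (p - 1) / 2, p) == p - 1) { y = powmod(c, q, p); break; }
    if (y == 0) return -1;

    uint64_t x = powmod(a, (q + 1) / 2, p);
    uint64_t b = powmod(a, q, p);
    while (b != 1) {
        /* Find the smallest i, 0 < i < e, with b^(2^i) == 1. For prime p and
         * square a it always exists; otherwise stop at e instead of spinning. */
        unsigned i = 1;
        uint64_t t = mulmod(b, b, p);
        for (; i < e && t != 1; i++) t = mulmod(t, t, p);
        if (i >= e) return -1;
        uint64_t g = y;
        for (unsigned j = 0; j + i + 1 < e; j++) g = mulmod(g, g, p);
        x = mulmod(x, g, p);
        y = mulmod(g, g, p);
        b = mulmod(b, y, p);
        e = i;                                    /* e strictly decreases */
    }
    if (mulmod(x, x, p) != a) return -1;          /* final check of the result */
    *root = x;
    return 0;
}
```

Because e shrinks on every pass of the outer loop and the inner search never runs past e, the function terminates for any modulus, prime or not.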

Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. [Dmitry Belyavskiy, Nicola Tuveri]

OpenSSL 3.0.1

02 Jan 12:20
5b5e92b

Changes between 3.0.0 and 3.0.1 [14 Dec 2021]

  • Fixed invalid handling of X509_verify_cert() internal errors in libssl. Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this, the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. (CVE-2021-4044)

  • Corrected a few file name and file reference bugs in the build, installation and setup scripts, which lead to installation verification failures. Slightly enhanced the installation verification script.
  • Fixed EVP_PKEY_eq() to make it possible to use it with strictly private keys.
  • Fixed PVK encoder to properly query for the passphrase.
  • Multiple fixes in the OSSL_HTTP API functions.
  • Allow sign extension in OSSL_PARAM_allocate_from_text() for the OSSL_PARAM_INTEGER data type and return error on negative numbers used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.
  • Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.
  • Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.
  • Multiple threading fixes.
  • Added NULL digest implementation to keep compatibility with 1.1.1 version.
  • Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.

OpenSSL 1.1.1m

02 Jan 12:04
39fa29a

Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

  • Avoid loading of a dynamic engine twice
  • Fixed building on Debian with kfreebsd kernels
  • Prioritise DANE TLSA issuer certs over peer certs
  • Fixed random API for MacOS prior to 10.12

OpenSSL 3.0.0

08 Sep 13:58
0f9bdf5

OpenSSL 1.1.1l

25 Aug 13:45
161f7d0

Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]

  • Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
  • Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712)

OpenSSL 1.1.1k

26 Mar 17:35
1a54b4c

Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]

  • Fixed a problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
  • Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client (CVE-2021-3449)

OpenSSL 1.1.1j

27 Feb 11:05
765a4a0

Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]

  • Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-2384)
  • Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
  • Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-2384)
  • Fixed SRP_Calc_client_key so that it runs in constant time