From a40398a15ea9c218f4a6db8fef2b925ca4d39451 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 14 Mar 2022 16:39:43 +0000 Subject: [PATCH] Update CHANGES/NEWS for new release Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell --- CHANGES.md | 43 ++++++++++++++++++++++++++++++++++++++++++- NEWS.md | 5 +++++ 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index eb6174966f..a343db2d50 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -114,7 +114,43 @@ breaking changes, and mappings for the large list of deprecated functions. [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod -### Changes between 3.0.1 and 3.0.2 [xx XXX xxxx] +### Changes between 3.0.1 and 3.0.2 [15 mar 2022] + + * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever + for non-prime moduli. + + Internally this function is used when parsing certificates that contain + elliptic curve public keys in compressed form or explicit elliptic curve + parameters with a base point encoded in compressed form. + + It is possible to trigger the infinite loop by crafting a certificate that + has invalid explicit curve parameters. + + Since certificate parsing happens prior to verification of the certificate + signature, any process that parses an externally supplied certificate may thus + be subject to a denial of service attack. The infinite loop can also be + reached when parsing crafted private keys as they can contain explicit + elliptic curve parameters. + + Thus vulnerable situations include: + + - TLS clients consuming server certificates + - TLS servers consuming client certificates + - Hosting providers taking certificates or private keys from customers + - Certificate authorities parsing certification requests from subscribers + - Anything else which parses ASN.1 elliptic curve parameters + + Also any other applications that use the BN_mod_sqrt() where the attacker + can control the parameter values are vulnerable to this DoS issue. + ([CVE-2022-0778]) + + *Tomáš Mráz* + + * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) + to the list of ciphersuites providing Perfect Forward Secrecy as + required by SECLEVEL >= 3. + + *Dmitry Belyavskiy, Nicola Tuveri* * Made the AES constant time code for no-asm configurations optional due to the resulting 95% performance degradation. 
@@ -123,6 +159,11 @@ breaking changes, and mappings for the large list of deprecated functions. *Paul Dale* + * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty + passphrase strings. + + *Darshan Sen* + * The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify() function. diff --git a/NEWS.md b/NEWS.md index 9129f1c9f4..99e8c715d3 100644 --- a/NEWS.md +++ b/NEWS.md @@ -29,6 +29,11 @@ OpenSSL 3.1 OpenSSL 3.0 ----------- +### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 + + * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever + for non-prime moduli ([CVE-2022-0778]) + ### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 * Fixed invalid handling of X509_verify_cert() internal errors in libssl
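Review bot: in the first CHANGES.md hunk, `([CVE-2022-0778])` is a markdown reference-style link, but the hunk adds no matching `[CVE-2022-0778]: <url>` definition; CHANGES.md resolves such references through definitions like the visible `[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod`, so confirm a definition exists further down the file or the brackets will render literally. Also, the new heading `### Changes between 3.0.1 and 3.0.2 [15 mar 2022]` replaces the `[xx XXX xxxx]` template with a lowercase month; the template's `XXX` implies the capitalised form, so `[15 Mar 2022]` would match the file's convention. Minor wording: "Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values" reads better without "the" before the function name.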
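Review bot: the second CHANGES.md hunk's entry "Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty passphrase strings" does not say what the function did before with an empty passphrase (failed, or wrote the key unencrypted), so a reader cannot tell whether existing callers will see a behaviour change; one extra clause describing the previous behaviour would make the compatibility impact clear.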
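Review bot: the NEWS.md hunk uses the same `([CVE-2022-0778])` reference-style link as CHANGES.md, and nothing in this hunk adds a `[CVE-2022-0778]:` definition to NEWS.md either; since the two files keep separate link definitions, check that NEWS.md gets its own or the reference renders as plain brackets there.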