
Commit 85f4548 (committed Nov 3, 2022)

deps: upgrade openssl sources to quictls/openssl-3.0.7+quic

This updates all sources in deps/openssl/openssl by:

    $ git clone git@github.com:quictls/openssl.git
    $ cd openssl
    $ git checkout openssl-3.0.7+quic
    $ cd ../node/deps/openssl
    $ rm -rf openssl
    $ cp -R ../../../openssl openssl
    $ rm -rf openssl/.git* openssl/.travis*
    $ git add --all openssl
    $ git commit openssl

CVE-ID: CVE-2022-3602, CVE-2022-3786
PR-URL: #45286

1 parent 43403f5 commit 85f4548

296 files changed: +55895 / -2027 lines


deps/openssl/openssl/CHANGES.md (+158 -1)
@@ -28,12 +28,169 @@ breaking changes, and mappings for the large list of deprecated functions.
2828

2929
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
3030

31-
### Changes between 3.0.5 and 3.0.5+quic [5 Jul 2022]
31+
### Changes between 3.0.7 and 3.0.7+quic [1 Nov 2022]
3232

3333
* Add QUIC API support from BoringSSL.
3434

3535
*Todd Short*
3636

37+
### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
38+
39+
* Fixed two buffer overflows in punycode decoding functions.
40+
41+
A buffer overrun can be triggered in X.509 certificate verification,
42+
specifically in name constraint checking. Note that this occurs after
43+
certificate chain signature verification and requires either a CA to
44+
have signed the malicious certificate or for the application to continue
45+
certificate verification despite failure to construct a path to a trusted
46+
issuer.
47+
48+
In a TLS client, this can be triggered by connecting to a malicious
49+
server. In a TLS server, this can be triggered if the server requests
50+
client authentication and a malicious client connects.
51+
52+
An attacker can craft a malicious email address to overflow
53+
an arbitrary number of bytes containing the `.` character (decimal 46)
54+
on the stack. This buffer overflow could result in a crash (causing a
55+
denial of service).
56+
([CVE-2022-3786])
57+
58+
An attacker can craft a malicious email address to overflow four
59+
attacker-controlled bytes on the stack. This buffer overflow could
60+
result in a crash (causing a denial of service) or potentially remote code
61+
execution depending on stack layout for any given platform/compiler.
62+
([CVE-2022-3602])
63+
64+
*Paul Dale*
65+
66+
* Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
67+
parameters in OpenSSL code.
68+
Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
69+
OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
70+
Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
71+
Using these invalid names may cause algorithms to use slower methods
72+
that ignore the CRT parameters.
73+
74+
*Shane Lontis*
75+
76+
* Fixed a regression introduced in 3.0.6 version raising errors on some stack
77+
operations.
78+
79+
*Tomáš Mráz*
80+
81+
* Fixed a regression introduced in 3.0.6 version not refreshing the certificate
82+
data to be signed before signing the certificate.
83+
84+
*Gibeom Gwon*
85+
86+
* Added RIPEMD160 to the default provider.
87+
88+
*Paul Dale*
89+
90+
* Ensured that the key share group sent or accepted for the key exchange
91+
is allowed for the protocol version.
92+
93+
*Matt Caswell*
94+
95+
### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
96+
97+
* OpenSSL supports creating a custom cipher via the legacy
98+
EVP_CIPHER_meth_new() function and associated function calls. This function
99+
was deprecated in OpenSSL 3.0 and application authors are instead encouraged
100+
to use the new provider mechanism in order to implement custom ciphers.
101+
102+
OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers
103+
passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
104+
EVP_CipherInit_ex2() functions (as well as other similarly named encryption
105+
and decryption initialisation functions). Instead of using the custom cipher
106+
directly it incorrectly tries to fetch an equivalent cipher from the
107+
available providers. An equivalent cipher is found based on the NID passed to
108+
EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a
109+
given cipher. However it is possible for an application to incorrectly pass
110+
NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef
111+
is used in this way the OpenSSL encryption/decryption initialisation function
112+
will match the NULL cipher as being equivalent and will fetch this from the
113+
available providers. This will succeed if the default provider has been
114+
loaded (or if a third party provider has been loaded that offers this
115+
cipher). Using the NULL cipher means that the plaintext is emitted as the
116+
ciphertext.
117+
118+
Applications are only affected by this issue if they call
119+
EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
120+
encryption/decryption initialisation function. Applications that only use
121+
SSL/TLS are not impacted by this issue.
122+
([CVE-2022-3358])
123+
124+
*Matt Caswell*
125+
126+
* Fix LLVM vs Apple LLVM version numbering confusion that caused build failures
127+
on MacOS 10.11
128+
129+
*Richard Levitte*
130+
131+
* Fixed the linux-mips64 Configure target which was missing the
132+
SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
133+
platform.
134+
135+
*Adam Joseph*
136+
137+
* Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a
138+
ticket
139+
140+
*Matt Caswell*
141+
142+
* Correctly handle a retransmitted ClientHello in DTLS
143+
144+
*Matt Caswell*
145+
146+
* Fixed detection of ktls support in cross-compile environment on Linux
147+
148+
*Tomas Mraz*
149+
150+
* Fixed some regressions and test failures when running the 3.0.0 FIPS provider
151+
against 3.0.x
152+
153+
*Paul Dale*
154+
155+
* Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
156+
report correct results in some cases
157+
158+
*Matt Caswell*
159+
160+
* Fix UWP builds by defining VirtualLock
161+
162+
*Charles Milette*
163+
164+
* For known safe primes use the minimum key length according to RFC 7919.
165+
Longer private key sizes unnecessarily raise the cycles needed to compute the
166+
shared secret without any increase of the real security. This fixes a
167+
regression from 1.1.1 where these shorter keys were generated for the known
168+
safe primes.
169+
170+
*Tomas Mraz*
171+
172+
* Added the loongarch64 target
173+
174+
*Shi Pujin*
175+
176+
* Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were
177+
only passed to the FIPS provider and not to the default or legacy provider.
178+
179+
*Juergen Christ*
180+
181+
* Fixed reported performance degradation on aarch64. Restored the
182+
implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
183+
32-bit lane assignment in CTR mode") for 64bit targets only, since it is
184+
reportedly 2-17% slower and the silicon errata only affects 32bit targets.
185+
The new algorithm is still used for 32 bit targets.
186+
187+
*Bernd Edlinger*
188+
189+
* Added a missing header for memcmp that caused compilation failure on some
190+
platforms
191+
192+
*Gregor Jasny*
193+
37194
### Changes between 3.0.4 and 3.0.5 [5 Jul 2022]
38195

39196
* The OpenSSL 3.0.4 release introduced a serious bug in the RSA
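Review bot: the PR description should state which of the two CVE-2022-3602 / CVE-2022-3786 preconditions written into the new 3.0.7 entry apply to Node.js deployments, because the entry itself confines the overflow to name-constraint checking that runs only after chain signature verification and "requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer"; in Node terms the second branch is a TLS client created with `rejectUnauthorized: false`, and the server-side branch ("if the server requests client authentication and a malicious client connects") is a server configured with `requestCert: true`, so the release notes should say so rather than leave consumers to derive it from the vendored text. Two further entries in this hunk change behaviour for Node embedders and deserve a line in Node's own changelog rather than being buried here: "Added RIPEMD160 to the default provider" (digests that previously needed the legacy provider now succeed by default) and "Ensured that the key share group sent or accepted for the key exchange is allowed for the protocol version". Lastly, the replaced header drops the "Changes between 3.0.5 and 3.0.5+quic" entry instead of keeping it beside the 3.0.7+quic one, so the vendored file no longer records when the QUIC API first landed in this tree.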

deps/openssl/openssl/Configurations/10-main.conf (+10 -3)
@@ -797,7 +797,7 @@ my %targets = (
797797
inherit_from => [ "linux-latomic" ],
798798
cflags => add("-mabi=n32"),
799799
cxxflags => add("-mabi=n32"),
800-
bn_ops => "RC4_CHAR",
800+
bn_ops => "RC4_CHAR SIXTY_FOUR_BIT",
801801
asm_arch => 'mips64',
802802
perlasm_scheme => "n32",
803803
multilib => "32",
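Review bot: this bn_ops change is the upstream fix that the 3.0.6 changelog describes as "Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform", but a source drop alone does not change what Node compiles: Node builds OpenSSL through gyp from the generated per-arch files under deps/openssl/config, so the mips64 n32 headers must be regenerated in the companion "update archs files" commit, and the reviewer should check that the regenerated bn_conf.h for that arch actually defines SIXTY_FOUR_BIT before the heap-corruption fix is claimed as landed in Node.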
@@ -818,6 +818,13 @@ my %targets = (
818818
perlasm_scheme => "linux64",
819819
},
820820

821+
# loongarch64 below refers to contemporary LoongArch Architecture
822+
# specifications,
823+
"linux64-loongarch64" => {
824+
inherit_from => [ "linux-generic64"],
825+
perlasm_scheme => "linux64",
826+
},
827+
821828
#### IA-32 targets...
822829
#### These two targets are a bit aged and are to be used on older Linux
823830
#### machines where gcc doesn't understand -m32 and -m64
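Review bot: the new comment is a sentence fragment ("# loongarch64 below refers to contemporary LoongArch Architecture / # specifications,") that ends in a comma with nothing after it; finish or trim it. On substance, the target inherits linux-generic64 and sets perlasm_scheme but no asm_arch, so it builds with no assembly, which is acceptable, but the reviewer should confirm whether Node's configure.py maps any architecture onto "linux64-loongarch64"; if it does not, the target is unused in this tree and the 3.0.6 changelog line "Added the loongarch64 target" must not be read as Node support for that platform.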
@@ -1302,7 +1309,7 @@ my %targets = (
13021309
inherit_from => [ "BASE_Windows" ],
13031310
template => 1,
13041311
CC => "cl",
1305-
CPP => '"$(CC)" /EP /C',
1312+
CPP => '$(CC) /EP /C',
13061313
CFLAGS => "/W3 /wd4090 /nologo",
13071314
coutflag => "/Fo",
13081315
LD => "link",
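Review bot: dropping the double quotes around $(CC) in CPP means a CC value that contains spaces (a full path to cl.exe) is no longer quoted at this use site; if the intent is that CC is already quoted where it is defined, so that the doubled quotes broke the command, the PR description should say so, and otherwise confirm that Node's Windows build, which drives OpenSSL through gyp rather than this VC-common makefile template, only reaches this line via Configure when the archs files are regenerated.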
@@ -1311,7 +1318,7 @@ my %targets = (
13111318
ldpostoutflag => "",
13121319
ld_resp_delim => "\n",
13131320
bin_lflags => "setargv.obj",
1314-
makedepcmd => '"$(CC)" /Zs /showIncludes',
1321+
makedepcmd => '$(CC) /Zs /showIncludes',
13151322
makedep_scheme => 'VC',
13161323
AR => "lib",
13171324
ARFLAGS => "/nologo",
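Review bot: the same unquoting of $(CC) is applied here to makedepcmd, and the two must stay consistent with CPP in the preceding hunk; whichever decision is taken about CC values containing spaces applies to both, and a grep for any remaining '"$(CC)"' occurrences in the Windows templates would show whether these two lines are the complete set.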
