OpenSSL 3.4.0

OpenSSL 3.4

Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]

OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:

• Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics
• Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys
• The X25519 and X448 key exchange implementation in the FIPS provider is unapproved and has fips=no property.
• SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before.
• Setting config_diagnostics=1 in the config file will cause errors to be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error in the ssl module configuration.
• An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0.
• Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and SSL_CTX_flush_sessions() functions in favor of their respective _ex functions which are Y2038-safe on platforms with Y2038-safe time_t

This release adds the following new features:

• Support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions
• FIPS indicators support in the FIPS provider and various updates of the FIPS provider required for future FIPS 140-3 validations
• Implementation of RFC 9579 (PBMAC1) in PKCS#12
• An optional additional random seed source RNG JITTER using a statically linked jitterentropy library
• New options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 apps
• Support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
• Support for requesting CRL in CMP
• Support for additional X.509v3 extensions related to Attribute Certificates
• Initial Attribute Certificate (RFC 5755) support
• Possibility to customize ECC groups initialization to use precomputed values to save CPU time and use of this feature by the P-256 implementation

OpenSSL 3.3.1

OpenSSL 3.3.1 is now available, including bug and security fixes: please download and upgrade!

Changes between 3.3.0 and 3.3.1 [4 Jun 2024]

• Fixed potential use after free after SSL_free_buffers() is called.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. ([CVE-2024-4741])

Matt Caswell

• Fixed an issue where checking excessively long DSA keys or parameters may be very slow.

Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason. ([CVE-2024-4603])

Tomáš Mráz

OpenSSL 3.3.0

Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024]

OpenSSL 3.3.0 is a feature release adding significant new functionality to OpenSSL.

This release adds the following new features:

• Support for qlog for tracing QUIC connections has been added

• Added APIs to allow configuring the negotiated idle timeout for QUIC connections, and to allow determining the number of additional streams that can currently be created for a QUIC connection.

• Added APIs to allow disabling implicit QUIC event processing for QUIC SSL objects

• Added APIs to allow querying the size and utilisation of a QUIC stream's write buffer

• New API SSL_write_ex2, which can be used to send an end-of-stream (FIN) condition in an optimised way when using QUIC.

• Limited support for polling of QUIC connection and stream objects in a non-blocking manner.

• Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.

• Added exporter for CMake on Unix and Windows, alongside the pkg-config exporter.

• The BLAKE2s hash algorithm matches BLAKE2b's support for configurable output length.

• The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested

• Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() using time_t which is Y2038 safe on 32 bit systems when 64 bit time is enabled

• Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms config options and the respective calls to SSL[_CTX]_set1_sigalgs() and SSL[_CTX]_set1_client_sigalgs() that start with ? character are ignored and the configuration will still be used.

• Added -set_issuer and -set_subject options to openssl x509 to override the Issuer and Subject when creating a certificate. The -subj option now is an alias for -set_subject.

• Added several new features of CMPv3 defined in RFC 9480 and RFC 9483

• New option SSL_OP_PREFER_NO_DHE_KEX, which allows configuring a TLS1.3 server to prefer session resumption using PSK-only key exchange over PSK with DHE, if both are available.

• New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.

• Added X509_STORE_get1_objects to avoid issues with the existing X509_STORE_get0_objects API in multi-threaded applications.

This release incorporates the following potentially significant or incompatible changes:

• Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100

• Optimized AES-CTR for ARM Neoverse V1 and V2

• Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems similar to M1/M2.

• Various optimizations for cryptographic routines using RISC-V vector crypto extensions

• Added assembly implementation for md5 on loongarch64

• Accept longer context for TLS 1.2 exporters

• The activate and soft_load configuration settings for providers in openssl.cnf have been updated to require a value of [1|yes|true|on] (in lower or UPPER case) to enable the setting. Conversely a value of [0|no|false|off] will disable the setting.

• In openssl speed, changed the default hash function used with hmac from md5 to sha256.

• The -verify option to the openssl crl and openssl req will make the program exit with 1 on failure.

• The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and related functions have been augmented to check for a minimum length of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.

• OPENSSL_sk_push() and sk__push() functions now return 0 instead of -1 if called with a NULL stack argument.

• New limit on HTTP response headers is introduced to HTTP client. The default limit is set to 256 header lines.

This release incorporates the following bug fixes and mitigations:

• The BIO_get_new_index() function can only be called 127 times before it reaches its upper bound of BIO_TYPE_MASK and will now return -1 once its exhausted.

A more detailed list of changes in this release can be found in the CHANGES.md file.

Users interested in using the new QUIC functionality are encouraged to read the README file for QUIC, which provides links to relevant documentation and example code.

As always, bug reports and issues relating to OpenSSL can be filed on our issue tracker.

OpenSSL 3.1.2

OpenSSL 3.1.2 is now available, including bug and security fixes

Changes between 3.1.1 and 3.1.2 [1 Aug 2023]

• Fix excessive time spent checking DH q parameter value.

  The function DH_check() performs various checks on DH parameters. After
  fixing CVE-2023-3446 it was discovered that a large q parameter value can
  also trigger an overly long computation during some of these checks.
  A correct q value, if present, cannot be larger than the modulus p
  parameter, thus it is unnecessary to perform these checks if q is larger
  than p.

  If DH_check() is called with such q parameter value,
  DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
  intensive checks are skipped.

  ([CVE-2023-3817])

  Tomáš Mráz

• Fix DH_check() excessive time with over sized modulus.

  The function DH_check() performs various checks on DH parameters. One of
  those checks confirms that the modulus ("p" parameter) is not too large.
  Trying to use a very large modulus is slow and OpenSSL will not normally use
  a modulus which is over 10,000 bits in length.

  However the DH_check() function checks numerous aspects of the key or
  parameters that have been supplied. Some of those checks use the supplied
  modulus value even if it has already been found to be too large.

  A new limit has been added to DH_check of 32,768 bits. Supplying a
  key/parameters with a modulus over this size will simply cause DH_check() to
  fail.

  ([CVE-2023-3446])

  Matt Caswell

• Do not ignore empty associated data entries with AES-SIV.

  The AES-SIV algorithm allows for authentication of multiple associated
  data entries along with the encryption. To authenticate empty data the
  application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate())
  with NULL pointer as the output buffer and 0 as the input buffer length.
  The AES-SIV implementation in OpenSSL just returns success for such call
  instead of performing the associated data authentication operation.
  The empty data thus will not be authenticated. ([CVE-2023-2975])

  Thanks to Juerg Wullschleger (Google) for discovering the issue.

  The fix changes the authentication tag value and the ciphertext for
  applications that use empty associated data entries with AES-SIV.
  To decrypt data encrypted with previous versions of OpenSSL the application
  has to skip calls to EVP_DecryptUpdate() for empty associated data
  entries.

  Tomáš Mráz

• When building with the enable-fips option and using the resulting
  FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
  master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
  not operate with truncated digests (FIPS 140-3 IG G.R).

  Paul Dale

OpenSSL 1.1.1v

OpenSSL 1.1.1v is now available, including bug and security fixes

Changes between 1.1.1u and 1.1.1v [1 Aug 2023]

• Fix excessive time spent checking DH q parameter value.

  The function DH_check() performs various checks on DH parameters. After
  fixing CVE-2023-3446 it was discovered that a large q parameter value can
  also trigger an overly long computation during some of these checks.
  A correct q value, if present, cannot be larger than the modulus p
  parameter, thus it is unnecessary to perform these checks if q is larger
  than p.

  If DH_check() is called with such q parameter value,
  DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
  intensive checks are skipped.

  (CVE-2023-3817)
  [Tomáš Mráz]

• Fix DH_check() excessive time with over sized modulus

  The function DH_check() performs various checks on DH parameters. One of
  those checks confirms that the modulus ("p" parameter) is not too large.
  Trying to use a very large modulus is slow and OpenSSL will not normally use
  a modulus which is over 10,000 bits in length.

  However the DH_check() function checks numerous aspects of the key or
  parameters that have been supplied. Some of those checks use the supplied
  modulus value even if it has already been found to be too large.

  A new limit has been added to DH_check of 32,768 bits. Supplying a
  key/parameters with a modulus over this size will simply cause DH_check()
  to fail.
  (CVE-2023-3446)
  [Matt Caswell]

OpenSSL 3.1.1

Changes between 3.1.0 and 3.1.1 [30 May 2023]

• Mitigate for the time it takes for OBJ_obj2txt to translate gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier. ([CVE-2023-2650])

To mitigitate this, OBJ_obj2txt() will only translate an OBJECT IDENTIFIER to canonical numeric text form if the size of that OBJECT IDENTIFIER is 586 bytes or less, and fail otherwise.

The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at most 128 sub-identifiers, and that the maximum value that each sub- identifier may have is 2^32-1 (4294967295 decimal).

For each byte of every sub-identifier, only the 7 lower bits are part of the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with these restrictions may occupy is 32 * 128 / 7, which is approximately 586 bytes.

Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5

Richard Levitte

• Multiple algorithm implementation fixes for ARM BE platforms.

  Liu-ErMeng

• Added a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility.

  Paul Dale

• Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. ([CVE-2023-1255])

  Nevine Ebeid

• Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
  The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 3.0.7. The new fix uses existing constant time code paths, and restores the previous performance level while fully eliminating all existing timing side channels.
  The fix was developed by Bernd Edlinger with testing support by Hubert Kario.

  Bernd Edlinger

• Add FIPS provider configuration option to disallow the use of truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
  The option '-no_drbg_truncated_digests' can optionally be supplied to 'openssl fipsinstall'.

  Paul Dale

• Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. ([CVE-2023-0466])

  Tomáš Mráz

• Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. ([CVE-2023-0465])

  Matt Caswell

• Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. ([CVE-2023-0464])

  Paul Dale

OpenSSL 1.1.1u

Changes between 1.1.1t and 1.1.1u [30 May 2023]

• Mitigate for the time it takes for OBJ_obj2txt to translate gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier. (CVE-2023-2650)

To mitigitate this, OBJ_obj2txt() will only translate an OBJECT IDENTIFIER to canonical numeric text form if the size of that OBJECT IDENTIFIER is 586 bytes or less, and fail otherwise.

The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at most 128 sub-identifiers, and that the maximum value that each sub-identifier may have is 2^32-1 (4294967295 decimal).

For each byte of every sub-identifier, only the 7 lower bits are part of the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with these restrictions may occupy is 32 * 128 / 7, which is approximately 586 bytes.

Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5

[Richard Levitte]

• Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).

The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 1.1.1s. The new fix uses existing constant time code paths, and restores the previous performance level while fully eliminating all existing timing side channels.
The fix was developed by Bernd Edlinger with testing support by Hubert Kario.
[Bernd Edlinger]

• Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. (CVE-2023-0466)
  [Tomas Mraz]

• Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. (CVE-2023-0465)
  [Matt Caswell]

• Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. (CVE-2023-0464)
  [Paul Dale]

OpenSSL 3.1.0

Changes between 3.0 and 3.1.0 [14 Mar 2023]

• Add FIPS provider configuration option to enforce the Extended Master Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can optionally be supplied to 'openssl fipsinstall'.
  Shane Lontis

• The FIPS provider includes a few non-approved algorithms for backward compatibility purposes and the "fips=yes" property query must be used for all algorithm fetches to ensure FIPS compliance.
  The algorithms that are included but not approved are Triple DES ECB, Triple DES CBC and EdDSA.
  Paul Dale

• Added support for KMAC in KBKDF.
  Shane Lontis

• RNDR and RNDRRS support in provider functions to provide random number generation for Arm CPUs (aarch64).
  Orr Toledano

• s_client and s_server apps now explicitly say when the TLS version does not include the renegotiation mechanism. This avoids confusion between that scenario versus when the TLS version includes secure renegotiation but the peer lacks support for it.
  Felipe Gasper

• AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
  Tomasz Kantecki, Andrey Matyukov

• The various OBJ_* functions have been made thread safe.
  Paul Dale

• Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA capable processors.
  Sergey Kirillov, Andrey Matyukov (Intel Corp)

• The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining OPENSSL_NO_DEPRECATED_3_1.
  The macro DEFINE_LHASH_OF is now deprecated in favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding type-specific function definitions for these functions regardless of whether OPENSSL_NO_DEPRECATED_3_1 is defined.
  Users of DEFINE_LHASH_OF may start receiving deprecation warnings for these functions regardless of whether they are using them. It is recommended that users transition to the new macro, DEFINE_LHASH_OF_EX.
  Hugo Landau

• When generating safe-prime DH parameters set the recommended private key length equivalent to minimum key lengths as in RFC 7919.
  Tomáš Mráz

• Change the default salt length for PKCS#1 RSASSA-PSS signatures to the maximum size that is smaller or equal to the digest length to comply with FIPS 186-4 section 5. This is implemented by a new option OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX ("auto-digestmax") for the rsa_pss_saltlen parameter, which is now the default. Signature verification is not affected by this change and continues to work as before.
  Clemens Lang

OpenSSL 3.0.8

Changes between 3.0.7 and 3.0.8 [7 Feb 2023]

• Fixed NULL dereference during PKCS7 data verification.

A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. ([CVE-2023-0401])

PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data. Tomáš Mráz

• Fixed X.400 address type confusion in X.509 GeneralName.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. ([CVE-2023-0286])
Hugo Landau

• Fixed NULL dereference validating DSA public key.

An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack.

The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3.
([CVE-2023-0217])
Shane Lontis, Tomáš Mráz

• Fixed Invalid pointer dereference in d2i_PKCS7 functions.

An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data. ([CVE-2023-0216])
Tomáš Mráz

• Fixed Use-after-free following BIO_new_NDEF.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. ([CVE-2023-0215])
Viktor Dukhovni, Matt Caswell

• Fixed Double free after calling PEM_read_bio_ex.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. ([CVE-2022-4450]) Kurt Roeckx, Matt Caswell

• Fixed Timing Oracle in RSA Decryption.

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. ([CVE-2022-4304]) Dmitry Belyavsky, Hubert Kario

• Fixed X.509 Name Constraints Read Buffer Overflow.

A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. The read buffer overrun might result in a crash which could lead to a denial of service attack. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. ([CVE-2022-4203]) Viktor Dukhovni

• Fixed X.509 Policy Constraints Double Locking security issue.

If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. ([CVE-2022-3996]) Paul Dale

• Our provider implementations of OSSL_FUNC_KEYMGMT_EXPORT and OSSL_FUNC_KEYMGMT_GET_PARAMS for EC and SM2 keys now honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set (and default to POINT_CONVERSION_UNCOMPRESSED) when exporting OSSL_PKEY_PARAM_PUB_KEY, instead of unconditionally using POINT_CONVERSION_COMPRESSED as in previous 3.x releases.
  For symmetry, our implementation of EVP_PKEY_ASN1_METHOD->export_to for legacy EC and SM2 keys is also changed similarly to honor the equivalent conversion format flag as specified in the underlying EC_KEY object being exported to a provider, when this function is called through EVP_PKEY_export(). Nicola Tuveri

OpenSSL 1.1.1t

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

• Fixed X.400 address type confusion in X.509 GeneralName.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. (CVE-2023-0286)

This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. [Hugo Landau]

• Fixed Use-after-free following BIO_new_NDEF.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215) [Viktor Dukhovni, Matt Caswell]

• Fixed Double free after calling PEM_read_bio_ex.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. (CVE-2022-4450) [Kurt Roeckx, Matt Caswell]

• Fixed Timing Oracle in RSA Decryption.

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. (CVE-2022-4304) [Dmitry Belyavsky, Hubert Kario]

Full Changelog: 1.1.1s...1.1.1t