diff options
| author | Tomas Mraz <tomas@openssl.org> | 2023-07-07 09:54:18 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2023-07-14 13:01:05 +0200 |
| commit | 1e398bec538978b9957e69bf9e12b3c626290bea (patch) | |
| tree | 7282e6e1b92824935b29224de681ad9ad4134b5d | |
| parent | 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc (diff) | |
| download | openssl-1e398bec538978b9957e69bf9e12b3c626290bea.tar.gz | |
Add CHANGES.md and NEWS.md entries for CVE-2023-2975
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21384)
| -rw-r--r-- | CHANGES.md | 21 | ||||
| -rw-r--r-- | NEWS.md | 10 |
2 files changed, 27 insertions, 4 deletions
diff --git a/CHANGES.md b/CHANGES.md index 9c9c259da5..9320b7bb46 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -286,6 +286,26 @@ OpenSSL 3.1 ### Changes between 3.1.1 and 3.1.2 [xx XXX xxxx] + * Do not ignore empty associated data entries with AES-SIV. + + The AES-SIV algorithm allows for authentication of multiple associated + data entries along with the encryption. To authenticate empty data the + application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`) + with NULL pointer as the output buffer and 0 as the input buffer length. + The AES-SIV implementation in OpenSSL just returns success for such call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated. ([CVE-2023-2975]) + + Thanks to Juerg Wullschleger (Google) for discovering the issue. + + The fix changes the authentication tag value and the ciphertext for + applications that use empty associated data entries with AES-SIV. + To decrypt data encrypted with previous versions of OpenSSL the application + has to skip calls to `EVP_DecryptUpdate()` for empty associated data + entries. + + *Tomas Mraz* + * When building with the `enable-fips` option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will @@ -20011,6 +20031,7 @@ ndif <!-- Links --> +[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 @@ -39,10 +39,11 @@ OpenSSL 3.1 ### Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [under development] - * When building with the `enable-fips` option and using the resulting - FIPS provider, TLS 1.2 will, by default, mandate the use of an - extended master secret and the Hash and HMAC DRBGs will not operate - with truncated digests. + * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) + * When building with the `enable-fips` option and using the resulting + FIPS provider, TLS 1.2 will, by default, mandate the use of an + extended master secret and the Hash and HMAC DRBGs will not operate + with truncated digests. ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023] @@ -1479,6 +1480,7 @@ OpenSSL 0.9.x <!-- Links --> +[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975 [CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255 [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 |