OpenSSL CHANGES
===============

This is a high-level summary of the most important changes.
For a full list of changes, see the [git commit log][log] and
pick the appropriate release branch.

  [log]: https://github.com/openssl/openssl/commits/

OpenSSL Releases
----------------

 - [OpenSSL 3.1](#openssl-31)
 - [OpenSSL 3.0](#openssl-30)
 - [OpenSSL 1.1.1](#openssl-111)
 - [OpenSSL 1.1.0](#openssl-110)
 - [OpenSSL 1.0.2](#openssl-102)
 - [OpenSSL 1.0.1](#openssl-101)
 - [OpenSSL 1.0.0](#openssl-100)
 - [OpenSSL 0.9.x](#openssl-09x)

OpenSSL 3.1
-----------

### Changes between 3.0 and 3.1 [xx XXX xxxx]

 * Major refactor of the libssl record layer.

   *Matt Caswell*

 * Added a new BIO_s_dgram_mem() to read/write datagrams to memory.

   *Matt Caswell*

 * Add a MAC salt length option for the pkcs12 command.

   *Xinping Chen*

 * Add more SRTP protection profiles from RFC 8723 and RFC 8269.

   *Kijin Kim*

 * Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.

   *Daiki Ueno, John Baldwin and Dmitry Podgorny*

 * Add support for TCP Fast Open (RFC 7413) to macOS, Linux, and FreeBSD where
   supported and enabled.

   *Todd Short*

 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
   to the list of ciphersuites providing Perfect Forward Secrecy as
   required by SECLEVEL >= 3.

   *Dmitry Belyavskiy, Nicola Tuveri*

 * Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.
   The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the
   SSL_get0_iana_groups() function-like macro, retrieves the list of
   supported groups sent by the peer.
   The function SSL_client_hello_get_extension_order() populates
   a caller-supplied array with the list of extension types present in the
   ClientHello, in order of appearance.

   *Phus Lu*

 * Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
   to make it possible to use empty passphrase strings.

   *Darshan Sen*

 * RNDR and RNDRRS support in provider functions to provide
   random number generation for Arm CPUs (aarch64).

   *Orr Toledano*

 * s_client and s_server apps now explicitly say when the TLS version
   does not include the renegotiation mechanism. This avoids confusion
   between that scenario and the one where the TLS version includes secure
   renegotiation but the peer lacks support for it.

   *Felipe Gasper*

 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.

   *Tomasz Kantecki, Andrey Matyukov*

 * The default SSL/TLS security level has been changed from 1 to 2. RSA,
   DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
   of 160 bits and above and less than 224 bits were previously accepted by
   default but are now no longer allowed. By default TLS compression was
   already disabled in previous OpenSSL versions. At security level 2 it cannot
   be enabled.

   *Matt Caswell*

 * The SSL_CTX_set_cipher_list family of functions now accepts ciphers using
   their IANA standard names.

   *Erik Lax*

 * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
   will need to load the legacy crypto provider.

   *Paul Dale*

 * The various OBJ_* functions have been made thread safe.

   *Paul Dale*

 * CCM8 cipher suites in TLS have been downgraded to security level zero
   because they use a short authentication tag which lowers their strength.

   *Paul Dale*

 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
   by default.

   *Dmitry Belyavskiy*

 * Parallel dual-prime 1536/2048-bit modular exponentiation for
   AVX512_IFMA capable processors.

   *Sergey Kirillov, Andrey Matyukov (Intel Corp)*

 * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`,
   `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`,
   `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
   marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
   `OPENSSL_NO_DEPRECATED_3_1`.

   The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro
   `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
   definitions for these functions regardless of whether
   `OPENSSL_NO_DEPRECATED_3_1` is defined.

   Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these
   functions regardless of whether they are using them. It is recommended that
   users transition to the new macro, `DEFINE_LHASH_OF_EX`.

   *Hugo Landau*

 * When generating safe-prime DH parameters, set the recommended private key
   length equivalent to the minimum key lengths as in RFC 7919.

   *Tomáš Mráz*

 * Fix and extend certificate handling and the apps `x509`, `verify` etc.,
   such as adding a trace facility for debugging certificate chain building.

   *David von Oheimb*

 * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app,
   in particular supporting requests for central key generation, generalized
   polling, and various types of genm/genp exchanges defined in CMP Updates.

   *David von Oheimb*

 * Fixes and extensions to the HTTP client and to the HTTP server in `apps/`,
   such as correcting the TLS and proxy support and adding tracing for debugging.

   *David von Oheimb*

 * Extended the CMS API for handling `CMS_SignedData` and `CMS_EnvelopedData`.

   *David von Oheimb*

 * Fixed and extended `util/check-format.pl` for checking adherence to the
   coding style <https://www.openssl.org/policies/technical/coding-style.html>.
   The checks are now more complete and yield fewer false positives.

   *David von Oheimb*

OpenSSL 3.0
-----------

For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries
listed here are only a brief description.
The migration guide contains more detailed information related to new features,
breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.3 and 3.0.4 [21 June 2022]

 * In addition to the c_rehash shell command injection identified in
   CVE-2022-1292, further bugs where the c_rehash script does not
   properly sanitise shell metacharacters to prevent command injection have been
   fixed.

   When CVE-2022-1292 was fixed it was not discovered that there
   are other places in the script where the file names of certificates
   being hashed were possibly passed to a command executed through the shell.

   This script is distributed by some operating systems in a manner where
   it is automatically executed. On such operating systems, an attacker
   could execute arbitrary commands with the privileges of the script.

   Use of the c_rehash script is considered obsolete and should be replaced
   by the OpenSSL rehash command line tool.
   (CVE-2022-2068)

   *Daniel Fiala, Tomáš Mráz*

 * Case insensitive string comparison no longer uses locales. It has instead
   been directly implemented.

   *Paul Dale*

### Changes between 3.0.2 and 3.0.3 [3 May 2022]

 * Case insensitive string comparison is reimplemented via new locale-agnostic
   comparison functions OPENSSL_str[n]casecmp, always using the POSIX locale for
   comparison. The previous implementation had problems when the Turkish locale
   was used.

   *Dmitry Belyavskiy*

 * Fixed a bug in the c_rehash script which was not properly sanitising shell
   metacharacters to prevent command injection. This script is distributed by
   some operating systems in a manner where it is automatically executed. On
   such operating systems, an attacker could execute arbitrary commands with the
   privileges of the script.

   Use of the c_rehash script is considered obsolete and should be replaced
   by the OpenSSL rehash command line tool.
   (CVE-2022-1292)

   *Tomáš Mráz*

 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
   certificate on an OCSP response. The bug caused the function, in the case
   where the (non-default) flag OCSP_NOCHECKS is used, to return a positive
   response (meaning a successful verification) even in the case where the
   response signing certificate fails to verify.

   It is anticipated that most users of `OCSP_basic_verify` will not use the
   OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return
   a negative value (indicating a fatal error) in the case of a certificate
   verification failure. The normal expected return value in this case would be
   0.

   This issue also impacts the command line OpenSSL "ocsp" application. When
   verifying an OCSP response with the "-no_cert_checks" option the command line
   application will report that the verification is successful even though it
   has in fact failed. In this case the incorrect successful response will also
   be accompanied by error messages showing the failure and contradicting the
   apparently successful result.
   (CVE-2022-1343)

   *Matt Caswell*

 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
   AAD data as the MAC key. This made the MAC key trivially predictable.

   An attacker could exploit this issue by performing a man-in-the-middle attack
   to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such
   that the modified data would still pass the MAC integrity check.

   Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
   endpoint will always be rejected by the recipient and the connection will
   fail at that point. Many application protocols require data to be sent from
   the client to the server first. Therefore, in such a case, only an OpenSSL
   3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.

   If both endpoints are OpenSSL 3.0 then the attacker could modify data being
   sent in both directions. In this case both clients and servers could be
   affected, regardless of the application protocol.

   Note that in the absence of an attacker this bug means that an OpenSSL 3.0
   endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
   the handshake when using this ciphersuite.

   The confidentiality of data is not impacted by this issue, i.e. an attacker
   cannot decrypt data that has been encrypted using this ciphersuite; they can
   only modify it.

   In order for this attack to work both endpoints must legitimately negotiate
   the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
   OpenSSL 3.0, and is not available within the default provider or the default
   ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been
   negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the
   following must have occurred:

   1) OpenSSL must have been compiled with the (non-default) compile time option
      enable-weak-ssl-ciphers

   2) OpenSSL must have had the legacy provider explicitly loaded (either
      through application code or via configuration)

   3) The ciphersuite must have been explicitly added to the ciphersuite list

   4) The libssl security level must have been set to 0 (default is 1)

   5) A version of SSL/TLS below TLSv1.3 must have been negotiated

   6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
      others that both endpoints have in common
   (CVE-2022-1434)

   *Matt Caswell*

 * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
   occupied by the removed hash table entries.

   This function is used when decoding certificates or keys. If a long lived
   process periodically decodes certificates or keys its memory usage will
   expand without bounds and the process might be terminated by the operating
   system causing a denial of service. Also traversing the empty hash table
   entries will take increasingly more time.

   Typically such long lived processes might be TLS clients or TLS servers
   configured to accept client certificate authentication.
   (CVE-2022-1473)

   *Hugo Landau, Aliaksei Levin*

 * The functions `OPENSSL_LH_stats` and `OPENSSL_LH_stats_bio` now only report
   the `num_items`, `num_nodes` and `num_alloc_nodes` statistics. All other
   statistics are no longer supported. For compatibility, these statistics are
   still listed in the output but are now always reported as zero.

   *Hugo Landau*

### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]

 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
   for non-prime moduli.
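The loop bound whose absence the BN_mod_sqrt() entry above describes, shown on a small integer Tonelli-Shanks square root. This is an added illustration written for this page, not OpenSSL's BN_mod_sqrt() code; the function names and the 64-bit arithmetic are assumptions of the example. Every search is bounded and the candidate root is verified before it is returned, so a composite modulus such as 85 = 5 * 17 (where 16 = 4^2 is a square) produces a failure result instead of an endless loop.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code: a bounded Tonelli-Shanks square root
 * modulo an odd prime p, using 64-bit arithmetic (p < 2^63). */

typedef unsigned __int128 u128;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((u128)a * b) % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    base %= m;
    while (exp != 0) {
        if (exp & 1)
            r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Returns a square root of a modulo p, or -1 if none was found. Every loop is
 * bounded, so an untrusted (possibly composite) p cannot make it spin, and the
 * candidate is verified before it is returned. */
int64_t mod_sqrt(uint64_t a, uint64_t p)
{
    if (p < 3 || (p & 1) == 0 || p >= ((uint64_t)1 << 63))
        return -1;                      /* even or out-of-range moduli unsupported */
    a %= p;
    if (a == 0)
        return 0;
    /* Euler's criterion: a^((p-1)/2) == 1 for a quadratic residue mod a prime. */
    if (powmod(a, (p - 1) / 2, p) != 1)
        return -1;

    /* p - 1 = q * 2^s with q odd. */
    uint64_t q = p - 1;
    unsigned s = 0;
    while ((q & 1) == 0) {
        q >>= 1;
        s++;
    }

    /* Find a quadratic non-residue z. For a prime p each try succeeds with
     * probability 1/2; the cap keeps a composite p from turning this into a
     * scan of the whole range. */
    uint64_t z = 2;
    unsigned tries = 0;
    while (powmod(z, (p - 1) / 2, p) != p - 1) {
        if (++tries >= 128 || ++z >= p)
            return -1;
    }

    unsigned m = s;
    uint64_t c = powmod(z, q, p);
    uint64_t t = powmod(a, q, p);
    uint64_t r = powmod(a, (q + 1) / 2, p);

    while (t != 1) {
        /* Least i with t^(2^i) == 1. For a prime p it always satisfies
         * 0 < i < m; without the i >= m check this is where a non-prime
         * modulus can make the search run forever. */
        unsigned i = 0;
        uint64_t tt = t;
        while (tt != 1) {
            tt = mulmod(tt, tt, p);
            if (++i >= m)
                return -1;
        }
        uint64_t b = c;                 /* b = c^(2^(m-i-1)) */
        for (unsigned j = 0; j + i + 1 < m; j++)
            b = mulmod(b, b, p);
        m = i;
        c = mulmod(b, b, p);
        t = mulmod(t, c, p);
        r = mulmod(r, b, p);
    }
    /* Never trust the algebra on an untrusted modulus: check r^2 == a. */
    return mulmod(r, r, p) == a ? (int64_t)r : -1;
}

int main(void)
{
    printf("sqrt(10) mod 13 = %lld\n", (long long)mod_sqrt(10, 13));  /* 7 */
    printf("sqrt(2) mod 17  = %lld\n", (long long)mod_sqrt(2, 17));   /* 6 */
    printf("sqrt(16) mod 85 = %lld\n", (long long)mod_sqrt(16, 85));  /* -1 */
    return 0;
}
```

For 16 mod 85 the bounded inner search is what terminates the call: the invariant the algorithm relies on only holds for a prime modulus, so the function reports failure rather than looping.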
331 332 Internally this function is used when parsing certificates that contain 333 elliptic curve public keys in compressed form or explicit elliptic curve 334 parameters with a base point encoded in compressed form. 335 336 It is possible to trigger the infinite loop by crafting a certificate that 337 has invalid explicit curve parameters. 338 339 Since certificate parsing happens prior to verification of the certificate 340 signature, any process that parses an externally supplied certificate may thus 341 be subject to a denial of service attack. The infinite loop can also be 342 reached when parsing crafted private keys as they can contain explicit 343 elliptic curve parameters. 344 345 Thus vulnerable situations include: 346 347 - TLS clients consuming server certificates 348 - TLS servers consuming client certificates 349 - Hosting providers taking certificates or private keys from customers 350 - Certificate authorities parsing certification requests from subscribers 351 - Anything else which parses ASN.1 elliptic curve parameters 352 353 Also any other applications that use the BN_mod_sqrt() where the attacker 354 can control the parameter values are vulnerable to this DoS issue. 355 ([CVE-2022-0778]) 356 357 *Tomáš Mráz* 358 359 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) 360 to the list of ciphersuites providing Perfect Forward Secrecy as 361 required by SECLEVEL >= 3. 362 363 *Dmitry Belyavskiy, Nicola Tuveri* 364 365 * Made the AES constant time code for no-asm configurations 366 optional due to the resulting 95% performance degradation. 367 The AES constant time code can be enabled, for no assembly 368 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME 369 370 *Paul Dale* 371 372 * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty 373 passphrase strings. 374 375 *Darshan Sen* 376 377 * The negative return value handling of the certificate verification callback 378 was reverted. 
The replacement is to set the verification retry state with 379 the SSL_set_retry_verify() function. 380 381 *Tomáš Mráz* 382 383### Changes between 3.0.0 and 3.0.1 [14 Dec 2021] 384 385 * Fixed invalid handling of X509_verify_cert() internal errors in libssl 386 Internally libssl in OpenSSL calls X509_verify_cert() on the client side to 387 verify a certificate supplied by a server. That function may return a 388 negative return value to indicate an internal error (for example out of 389 memory). Such a negative return value is mishandled by OpenSSL and will cause 390 an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate 391 success and a subsequent call to SSL_get_error() to return the value 392 SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be 393 returned by OpenSSL if the application has previously called 394 SSL_CTX_set_cert_verify_callback(). Since most applications do not do this 395 the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be 396 totally unexpected and applications may not behave correctly as a result. The 397 exact behaviour will depend on the application but it could result in 398 crashes, infinite loops or other similar incorrect responses. 399 400 This issue is made more serious in combination with a separate bug in OpenSSL 401 3.0 that will cause X509_verify_cert() to indicate an internal error when 402 processing a certificate chain. This will occur where a certificate does not 403 include the Subject Alternative Name extension but where a Certificate 404 Authority has enforced name constraints. This issue can occur even with valid 405 chains. 406 ([CVE-2021-4044]) 407 408 *Matt Caswell* 409 410 * Corrected a few file name and file reference bugs in the build, 411 installation and setup scripts, which lead to installation verification 412 failures. Slightly enhanced the installation verification script. 
413 414 *Richard Levitte* 415 416 * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private 417 keys. 418 419 *Richard Levitte* 420 421 * Fixed PVK encoder to properly query for the passphrase. 422 423 *Tomáš Mráz* 424 425 * Multiple fixes in the OSSL_HTTP API functions. 426 427 *David von Oheimb* 428 429 * Allow sign extension in OSSL_PARAM_allocate_from_text() for the 430 OSSL_PARAM_INTEGER data type and return error on negative numbers 431 used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make 432 OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers. 433 434 *Richard Levitte* 435 436 * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex. 437 438 *Tomáš Mráz* 439 440 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD. 441 442 *Allan Jude* 443 444 * Multiple threading fixes. 445 446 *Matt Caswell* 447 448 * Added NULL digest implementation to keep compatibility with 1.1.1 version. 449 450 *Tomáš Mráz* 451 452 * Allow fetching an operation from the provider that owns an unexportable key 453 as a fallback if that is still allowed by the property query. 454 455 *Richard Levitte* 456 457### Changes between 1.1.1 and 3.0.0 [7 Sep 2021] 458 459 * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now 460 deprecated. 461 462 *Matt Caswell* 463 464 * The `OPENSSL_s390xcap` environment variable can be used to set bits in the 465 S390X capability vector to zero. This simplifies testing of different code 466 paths on S390X architecture. 467 468 *Patrick Steuer* 469 470 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed 471 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from 472 SP 800-38D". The communication will fail at this point. 473 474 *Paul Dale* 475 476 * The EC_GROUP_clear_free() function is deprecated as there is nothing 477 confidential in EC_GROUP data. 
478 479 *Nicola Tuveri* 480 481 * The byte order mark (BOM) character is ignored if encountered at the 482 beginning of a PEM-formatted file. 483 484 *Dmitry Belyavskiy* 485 486 * Added CMS support for the Russian GOST algorithms. 487 488 *Dmitry Belyavskiy* 489 490 * Due to move of the implementation of cryptographic operations 491 to the providers, validation of various operation parameters can 492 be postponed until the actual operation is executed where previously 493 it happened immediately when an operation parameter was set. 494 495 For example when setting an unsupported curve with 496 EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not 497 fail but later keygen operations with the EVP_PKEY_CTX will fail. 498 499 *OpenSSL team members and many third party contributors* 500 501 * The EVP_get_cipherbyname() function will return NULL for algorithms such as 502 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were 503 previously only accessible via low level interfaces. Use EVP_CIPHER_fetch() 504 instead to retrieve these algorithms from a provider. 505 506 *Shane Lontis* 507 508 * On build targets where the multilib postfix is set in the build 509 configuration the libdir directory was changing based on whether 510 the lib directory with the multilib postfix exists on the system 511 or not. This unpredictable behavior was removed and eventual 512 multilib postfix is now always added to the default libdir. Use 513 `--libdir=lib` to override the libdir if adding the postfix is 514 undesirable. 515 516 *Jan Lána* 517 518 * The triple DES key wrap functionality now conforms to RFC 3217 but is 519 no longer interoperable with OpenSSL 1.1.1. 520 521 *Paul Dale* 522 523 * The ERR_GET_FUNC() function was removed. With the loss of meaningful 524 function codes, this function can only cause problems for calling 525 applications. 526 527 *Paul Dale* 528 529 * Add a configurable flag to output date formats as ISO 8601. 
Does not 530 change the default date format. 531 532 *William Edmisten* 533 534 * Version of MSVC earlier than 1300 could get link warnings, which could 535 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set. 536 Support for this flag has been removed. 537 538 *Rich Salz* 539 540 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG, 541 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for 542 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG 543 Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set 544 also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency. 545 546 *Rich Salz* 547 548 * The signatures of the functions to get and set options on SSL and 549 SSL_CTX objects changed from "unsigned long" to "uint64_t" type. 550 Some source code changes may be required. 551 552 *Rich Salz* 553 554 * The public definitions of conf_method_st and conf_st have been 555 deprecated. They will be made opaque in a future release. 556 557 *Rich Salz and Tomáš Mráz* 558 559 * Client-initiated renegotiation is disabled by default. To allow it, use 560 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION 561 flag, or the "ClientRenegotiation" config parameter as appropriate. 562 563 *Rich Salz* 564 565 * Add "abspath" and "includedir" pragma's to config files, to prevent, 566 or modify relative pathname inclusion. 567 568 *Rich Salz* 569 570 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2 571 validated. Please consult the README-FIPS and 572 README-PROVIDERS files, as well as the migration guide. 573 574 *OpenSSL team members and many third party contributors* 575 576 * For the key types DH and DHX the allowed settable parameters are now different. 577 578 *Shane Lontis* 579 580 * The openssl commands that read keys, certificates, and CRLs now 581 automatically detect the PEM or DER format of the input files. 
582 583 *David von Oheimb, Richard Levitte, and Tomáš Mráz* 584 585 * Added enhanced PKCS#12 APIs which accept a library context. 586 587 *Jon Spillett* 588 589 * The default manual page suffix ($MANSUFFIX) has been changed to "ossl" 590 591 *Matt Caswell* 592 593 * Added support for Kernel TLS (KTLS). 594 595 *Boris Pismenny, John Baldwin and Andrew Gallatin* 596 597 * Support for RFC 5746 secure renegotiation is now required by default for 598 SSL or TLS connections to succeed. 599 600 *Benjamin Kaduk* 601 602 * The signature of the `copy` functional parameter of the 603 EVP_PKEY_meth_set_copy() function has changed so its `src` argument is 604 now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly 605 the signature of the `pub_decode` functional parameter of the 606 EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is 607 now `const X509_PUBKEY *` instead of `X509_PUBKEY *`. 608 609 *David von Oheimb* 610 611 * The error return values from some control calls (ctrl) have changed. 612 613 *Paul Dale* 614 615 * A public key check is now performed during EVP_PKEY_derive_set_peer(). 616 617 *Shane Lontis* 618 619 * Many functions in the EVP_ namespace that are getters of values from 620 implementations or contexts were renamed to include get or get0 in their 621 names. Old names are provided as macro aliases for compatibility and 622 are not deprecated. 623 624 *Tomáš Mráz* 625 626 * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, 627 EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, 628 EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations 629 are deprecated. 630 631 *Tomáš Mráz* 632 633 * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for 634 more key types. 635 636 * The output from the command line applications may have minor 637 changes. 638 639 *Paul Dale* 640 641 * The output from numerous "printing" may have minor changes. 
642 643 *David von Oheimb* 644 645 * Windows thread synchronization uses read/write primitives (SRWLock) when 646 supported by the OS, otherwise CriticalSection continues to be used. 647 648 *Vincent Drake* 649 650 * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to 651 work on read only BIO source/sinks that do not support these functions. 652 This allows piping or redirection of a file BIO using stdin to be buffered 653 into memory. This is used internally in OSSL_DECODER_from_bio(). 654 655 *Shane Lontis* 656 657 * OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1 658 this function would return one of the values OSSL_STORE_INFO_NAME, 659 OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or 660 OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported 661 as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now 662 reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications 663 using this function should be amended to handle the changed return value. 664 665 *Richard Levitte* 666 667 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) 668 for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. 669 As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. 670 Correct the semantics of checking the validation chain in case ESSCertID{,v2} 671 contains more than one certificate identifier: This means that all 672 certificates referenced there MUST be part of the validation chain. 673 674 *David von Oheimb* 675 676 * The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4, 677 RC5, DESX and DES have been moved to the legacy provider. 678 679 *Matt Caswell* 680 681 * The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and 682 RIPEMD-160 have been moved to the legacy provider. 
683 684 *Matt Caswell* 685 686 * The deprecated function EVP_PKEY_get0() now returns NULL being called for a 687 provided key. 688 689 *Dmitry Belyavskiy* 690 691 * The deprecated functions EVP_PKEY_get0_RSA(), 692 EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(), 693 EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as 694 well as the similarly named "get1" functions behave differently in 695 OpenSSL 3.0. 696 697 *Matt Caswell* 698 699 * A number of functions handling low-level keys or engines were deprecated 700 including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(), 701 EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and 702 EVP_PKEY_get0_siphash(). 703 704 *Matt Caswell* 705 706 * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into 707 the legacy crypto provider as an EVP_KDF. Applications requiring this KDF 708 will need to load the legacy crypto provider. This includes these PBE 709 algorithms which use this KDF: 710 - NID_pbeWithMD2AndDES_CBC 711 - NID_pbeWithMD5AndDES_CBC 712 - NID_pbeWithSHA1AndRC2_CBC 713 - NID_pbeWithMD2AndRC2_CBC 714 - NID_pbeWithMD5AndRC2_CBC 715 - NID_pbeWithSHA1AndDES_CBC 716 717 *Jon Spillett* 718 719 * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and 720 BIO_debug_callback() functions. 721 722 *Tomáš Mráz* 723 724 * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and 725 EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions. 726 727 *Tomáš Mráz* 728 729 * The RAND_METHOD APIs have been deprecated. 730 731 *Paul Dale* 732 733 * The SRP APIs have been deprecated. 734 735 *Matt Caswell* 736 737 * Add a compile time option to prevent the caching of provider fetched 738 algorithms. This is enabled by including the no-cached-fetch option 739 at configuration time. 740 741 *Paul Dale* 742 743 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration 744 count of PKCS12_DEFAULT_ITER. 
745 746 *Tomáš Mráz and Sahana Prasad* 747 748 * The openssl speed command does not use low-level API calls anymore. 749 750 *Tomáš Mráz* 751 752 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA 753 capable processors. 754 755 *Ilya Albrekht, Sergey Kirillov, Andrey Matyukov (Intel Corp)* 756 757 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. 758 759 *Matt Caswell* 760 761 * Implemented support for fully "pluggable" TLSv1.3 groups. This means that 762 providers may supply their own group implementations (using either the "key 763 exchange" or the "key encapsulation" methods) which will automatically be 764 detected and used by libssl. 765 766 *Matt Caswell, Nicola Tuveri* 767 768 * The undocumented function X509_certificate_type() has been deprecated; 769 770 *Rich Salz* 771 772 * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range(). 773 774 *Tomáš Mráz* 775 776 * Removed RSA padding mode for SSLv23 (which was only used for 777 SSLv2). This includes the functions RSA_padding_check_SSLv23() and 778 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated 779 `rsautl` command. 780 781 *Rich Salz* 782 783 * Deprecated the obsolete X9.31 RSA key generation related functions. 784 785 * While a callback function set via `SSL_CTX_set_cert_verify_callback()` 786 is not allowed to return a value > 1, this is no more taken as failure. 787 788 *Viktor Dukhovni and David von Oheimb* 789 790 * Deprecated the obsolete X9.31 RSA key generation related functions 791 BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and 792 BN_X931_generate_prime_ex(). 793 794 *Tomáš Mráz* 795 796 * The default key generation method for the regular 2-prime RSA keys was 797 changed to the FIPS 186-4 B.3.6 method. 798 799 *Shane Lontis* 800 801 * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions. 802 803 *Kurt Roeckx* 804 805 * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn(). 
806 807 *Rich Salz* 808 809 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and 810 replaced with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*(). 811 812 *Rich Salz, Richard Levitte, and David von Oheimb* 813 814 * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`. 815 816 *David von Oheimb* 817 818 * Deprecated `OCSP_parse_url()`. 819 820 *David von Oheimb* 821 822 * Validation of SM2 keys has been separated from the validation of regular EC 823 keys. 824 825 *Nicola Tuveri* 826 827 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck` 828 switches: a validation failure triggers an early exit, returning a failure 829 exit status to the parent process. 830 831 *Nicola Tuveri* 832 833 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() 834 to ignore unknown ciphers. 835 836 *Otto Hollmann* 837 838 * The `-cipher-commands` and `-digest-commands` options 839 of the command line utility `list` have been deprecated. 840 Instead use the `-cipher-algorithms` and `-digest-algorithms` options. 841 842 *Dmitry Belyavskiy* 843 844 * Added convenience functions for generating asymmetric key pairs: 845 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)> 846 and macros for the most common cases: <EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>. 847 848 *David von Oheimb* 849 850 * All of the low level EC_KEY functions have been deprecated. 851 852 *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz* 853 854 * Deprecated all the libcrypto and libssl error string loading 855 functions. 856 857 *Richard Levitte* 858 859 * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as 860 well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been 861 deprecated. 862 863 *Matt Caswell* 864 865 * The `-crypt` option to the `passwd` command line tool has been removed. 
   *Paul Dale*

 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
   was removed.

   *Rich Salz*

 * Add support for AES Key Wrap inverse ciphers to the EVP layer.

   *Shane Lontis*

 * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
   EVP_PKEY_get1_tls_encodedpoint().

   *Matt Caswell*

 * The security callback, which can be customised by application code, supports
   the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter
   was incorrectly passing a DH object. It now passes an EVP_PKEY in all cases.

   *Matt Caswell*

 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
   interface. Their functionality remains unchanged.

   *Jordan Montgomery*

 * Added new option for 'openssl list', '-providers', which will display the
   list of loaded providers, their names, version and status. It optionally
   displays their gettable parameters.

   *Paul Dale*

 * Removed EVP_PKEY_set_alias_type().

   *Richard Levitte*

 * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
   `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.

   *Jeremy Walch*

 * Changed all "STACK" functions to be macros instead of inline functions. Macro
   parameters are still checked for type safety at compile time via helper
   inline functions.

   *Matt Caswell*

 * Remove the RAND_DRBG API.

   *Paul Dale and Matthias St. Pierre*

 * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
   as well as actual hostnames.

   *David Woodhouse*

 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
   conversely, silently ignore DTLS protocol version bounds when configuring
   TLS-based contexts.
   The commands can be repeated to set bounds of both
   types. The same applies with the corresponding "min_protocol" and
   "max_protocol" command-line switches, in case some application uses both TLS
   and DTLS.

   SSL_CTX instances that are created for a fixed protocol version (e.g.
   `TLSv1_server_method()`) also silently ignore version bounds. Previously
   attempts to apply bounds to these protocol versions would result in an
   error. Now only the "version-flexible" SSL_CTX instances are subject to
   limits in configuration files or command-line options.

   *Viktor Dukhovni*

 * Deprecated the `ENGINE` API. Engines should be replaced with providers
   going forward.

   *Paul Dale*

 * Reworked the recorded ERR codes to make better space for system errors.
   To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
   given code is a system error (true) or an OpenSSL error (false).

   *Richard Levitte*

 * Reworked the test perl framework to better allow parallel testing.

   *Nicola Tuveri and David von Oheimb*

 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
   AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.

   *Shane Lontis*

 * 'Configure' has been changed to figure out the configuration target if
   none is given on the command line. Consequently, the 'config' script is
   now only a mere wrapper. All documentation is changed to only mention
   'Configure'.

   *Rich Salz and Richard Levitte*

 * Added a library context `OSSL_LIB_CTX` that applications as well as
   other libraries can use to form a separate context within which
   libcrypto operations are performed.

   *Richard Levitte*

 * Added various `_ex` functions to the OpenSSL API that support using
   a non-default `OSSL_LIB_CTX`.
   *OpenSSL team*

 * Handshake now fails if Extended Master Secret extension is dropped
   on renegotiation.

   *Tomáš Mráz*

 * Dropped interactive mode from the `openssl` program.

   *Richard Levitte*

 * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.

   *David von Oheimb and Shane Lontis*

 * Deprecated `EC_METHOD_get_field_type()`.

   *Billy Bob Brumley*

 * Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
   EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method(),
   EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().

   *Billy Bob Brumley*

 * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().

   *Billy Bob Brumley*

 * Add CAdES-BES signature verification support, mostly derived
   from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.

   *Filipe Raimundo da Silva*

 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.

   *Antonio Iacono*

 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
   parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).

   *Jakub Zelenka*

 * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().

   *Billy Bob Brumley*

 * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
   EC_KEY_precompute_mult().

   *Billy Bob Brumley*

 * Deprecated EC_POINTs_mul().

   *Billy Bob Brumley*

 * Removed FIPS_mode() and FIPS_mode_set().

   *Shane Lontis*

 * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.

   *Dmitry Belyavskiy*

 * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
   EC_POINT_get_Jprojective_coordinates_GFp().

   *Billy Bob Brumley*

 * Added OSSL_PARAM_BLD to the public interface.
   This allows OSSL_PARAM
   arrays to be more easily constructed via a series of utility functions.
   Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
   the various push functions and finally convert to a passable OSSL_PARAM
   array using OSSL_PARAM_BLD_to_param().

   *Paul Dale*

 * The security strength of SHA1 and MD5 based signatures in TLS has been
   reduced.

   *Kurt Roeckx*

 * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
   contain a provider side internal key.

   *Richard Levitte*

 * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.

   *Richard Levitte*

 * Project text documents not yet having a proper file name extension
   (`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to
   `*.md` as far as reasonable, else `*.txt`, for better use with file managers.

   *David von Oheimb*

 * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
   have been converted to Markdown with the goal to produce documents
   which not only look pretty when viewed online in the browser, but
   remain well readable inside a plain text editor.

   To achieve this goal, a 'minimalistic' Markdown style has been applied
   which avoids formatting elements that interfere too much with the
   reading flow in the text file. For example, it

   * avoids [ATX headings][] and uses [setext headings][] instead
     (which works for `<h1>` and `<h2>` headings only).
   * avoids [inline links][] and uses [reference links][] instead.
   * avoids [fenced code blocks][] and uses [indented code blocks][] instead.
   [ATX headings]: https://github.github.com/gfm/#atx-headings
   [setext headings]: https://github.github.com/gfm/#setext-headings
   [inline links]: https://github.github.com/gfm/#inline-link
   [reference links]: https://github.github.com/gfm/#reference-link
   [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
   [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks

   *Matthias St. Pierre*

 * The test suite is changed to preserve results of each test recipe.
   A new directory test-runs/ with subdirectories named like the
   test recipes is created in the build tree for this purpose.

   *Richard Levitte*

 * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211, RFC 6712).
   This adds `crypto/cmp/`, `crypto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
   See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.

   *David von Oheimb, Martin Peylo*

 * Generalized the HTTP client code from `crypto/ocsp/` into `crypto/http/`.
   It supports arbitrary request and response content types, GET redirection,
   TLS, connections via HTTP(S) proxies, connections and exchange via
   user-defined BIOs (allowing implicit connections), persistent connections,
   and timeout checks. See L<OSSL_HTTP_transfer(3)> etc. for details.
   The legacy OCSP-focused (and only partly documented) API
   is retained for backward compatibility, while most of it is deprecated.

   *David von Oheimb*

 * Added `util/check-format.pl`, a tool for checking adherence to the
   OpenSSL coding style <https://www.openssl.org/policies/codingstyle.html>.
   The checks performed are incomplete and yield some false positives.
   Still the tool should be useful for detecting most typical glitches.
   *David von Oheimb*

 * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
   If domain name resolution yields multiple IP addresses all of them are tried
   after `connect()` failures.

   *David von Oheimb*

 * All of the low level RSA functions have been deprecated.

   *Paul Dale*

 * X509 certificates signed using SHA1 are no longer allowed at security
   level 1 and above.

   *Kurt Roeckx*

 * The command line utilities dhparam, dsa, gendsa and dsaparam have been
   modified to use PKEY APIs. These commands are now in maintenance mode
   and no new features will be added to them.

   *Paul Dale*

 * The command line utility rsautl has been deprecated.

   *Paul Dale*

 * The command line utilities genrsa and rsa have been modified to use PKEY
   APIs. They now write PKCS#8 keys by default. These commands are now in
   maintenance mode and no new features will be added to them.

   *Paul Dale*

 * All of the low level DH functions have been deprecated.

   *Paul Dale and Matt Caswell*

 * All of the low level DSA functions have been deprecated.

   *Paul Dale*

 * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
   automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.

   *Richard Levitte*

 * Deprecated low level ECDH and ECDSA functions.

   *Paul Dale*

 * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().

   *Richard Levitte*

 * Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits()
   and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed
   a new formulation to include all the things it can be used for,
   as well as words of caution.

   *Richard Levitte*

 * The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
   *Paul Dale*

 * All of the low level HMAC functions have been deprecated.

   *Paul Dale and David von Oheimb*

 * Over two thousand fixes were made to the documentation, including:
   - Common options (such as -rand/-writerand, TLS version control, etc)
     were refactored and point to newly-enhanced descriptions in openssl.pod.
   - Added style conformance for all options (with help from Richard Levitte),
     documented all reported missing options, added a CI build to check
     that all options are documented and that no unimplemented options
     are documented.
   - Documented some internals, such as all use of environment variables.
   - Addressed all internal broken L<> references.

   *Rich Salz*

 * All of the low level CMAC functions have been deprecated.

   *Paul Dale*

 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
   functions have been deprecated.

   *Paul Dale and David von Oheimb*

 * Corrected the documentation of the return values from the `EVP_DigestSign*`
   set of functions. The documentation mentioned negative values for some
   errors, but this was never the case, so the mention of negative values
   was removed.

   Code that followed the documentation and thereby checks with something
   like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.

   *Richard Levitte*

 * All of the low level cipher functions have been deprecated.

   *Matt Caswell and Paul Dale*

 * Removed include/openssl/opensslconf.h.in and replaced it with
   include/openssl/configuration.h.in, which differs in not including
   <openssl/macros.h>. A short header include/openssl/opensslconf.h
   was added to include both.
   This allows internal hacks where one might need to modify the set
   of configured macros, for example like this if deprecated symbols are
   still supposed to be available internally:

       #include <openssl/configuration.h>

       #undef OPENSSL_NO_DEPRECATED
       #define OPENSSL_SUPPRESS_DEPRECATED

       #include <openssl/macros.h>

   This should not be used by applications that use the exported
   symbols, as that will lead to linking errors.

   *Richard Levitte*

 * Fixed an overflow bug in the x86_64 Montgomery squaring procedure
   used in exponentiation with 512-bit moduli. No EC algorithms are
   affected. Analysis suggests that attacks against 2-prime RSA1024,
   3-prime RSA1536, and DSA1024 as a result of this defect would be very
   difficult to perform and are not believed likely. Attacks against DH512
   are considered just feasible. However, for an attack the target would
   have to re-use the DH512 private key, which is not recommended anyway.
   Also applications directly using the low-level API BN_mod_exp may be
   affected if they use BN_FLG_CONSTTIME.
   ([CVE-2019-1551])

   *Andy Polyakov*

 * Most memory-debug features have been deprecated, and the functionality
   replaced with no-ops.

   *Rich Salz*

 * Added documentation for the STACK API.

   *Rich Salz*

 * Introduced a new method type and API, OSSL_ENCODER, to represent
   generic encoders. These do the same sort of job that PEM writers
   and i2d functions do, but with support for methods supplied by
   providers, and the possibility for providers to support other
   formats as well.

   *Richard Levitte*

 * Introduced a new method type and API, OSSL_DECODER, to represent
   generic decoders.
   These do the same sort of job that PEM readers
   and d2i functions do, but with support for methods supplied by
   providers, and the possibility for providers to support other
   formats as well.

   *Richard Levitte*

 * Added a .pragma directive to the syntax of configuration files, to
   allow varying behavior in a supported and predictable manner.
   Currently added pragma:

       .pragma dollarid:on

   This allows dollar signs to be a keyword character unless it's
   followed by an opening brace or parenthesis. This is useful for
   platforms where dollar signs are commonly used in names, such as
   volume names and system directory names on VMS.

   *Richard Levitte*

 * Added functionality to create an EVP_PKEY from user data.

   *Richard Levitte*

 * Change the interpretation of the '--api' configuration option to
   mean that this is a desired API compatibility level with no
   further meaning. The previous interpretation, that this would
   also mean to remove all deprecated symbols up to and including
   the given version, now requires that 'no-deprecated' is also used
   in the configuration.

   When building applications, the desired API compatibility level
   can be set with the OPENSSL_API_COMPAT macro like before. For
   API compatibility versions below 3.0, the old style numerical
   value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
   For version 3.0 and on, the value is expected to be the decimal
   value calculated from the major and minor version like this:

       MAJOR * 10000 + MINOR * 100

   Examples:

       -DOPENSSL_API_COMPAT=30000             For 3.0
       -DOPENSSL_API_COMPAT=30200             For 3.2

   To hide declarations that are deprecated up to and including the
   given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
   given when building the application as well.
   *Richard Levitte*

 * Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
   access to certificate and CRL stores via URIs and OSSL_STORE
   loaders.

   This adds the following functions:

   - X509_LOOKUP_store()
   - X509_STORE_load_file()
   - X509_STORE_load_path()
   - X509_STORE_load_store()
   - SSL_add_store_cert_subjects_to_stack()
   - SSL_CTX_set_default_verify_store()
   - SSL_CTX_load_verify_file()
   - SSL_CTX_load_verify_dir()
   - SSL_CTX_load_verify_store()

   *Richard Levitte*

 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
   The presence of this system service is determined at run-time.

   *Richard Levitte*

 * Added functionality to create an EVP_PKEY context based on data
   for methods from providers. This takes an algorithm name and a
   property query string and simply stores them, with the intent
   that any operation that uses this context will use those strings
   to fetch the needed methods implicitly, thereby making the port
   of applications written for pre-3.0 OpenSSL easier.

   *Richard Levitte*

 * The undocumented function NCONF_WIN32() has been deprecated; for
   conversion details see the HISTORY section of doc/man5/config.pod.

   *Rich Salz*

 * Introduced the new functions EVP_DigestSignInit_ex() and
   EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
   EVP_DigestVerifyUpdate() have been converted to functions. See the man
   pages for further details.

   *Matt Caswell*

 * Over two thousand fixes were made to the documentation, including:
   adding missing command flags, better style conformance, documentation
   of internals, etc.

   *Rich Salz, Richard Levitte*

 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
   X25519, X448, Ed25519 and Ed448.
   *Patrick Steuer*

 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
   the first value.

   *Jon Spillett*

 * Deprecated the public definition of `ERR_STATE` as well as the function
   `ERR_get_state()`. This is done in preparation of making `ERR_STATE` an
   opaque type.

   *Richard Levitte*

 * Added ERR functionality to give callers access to the stored function
   names that have replaced the older function code based functions.

   New functions are ERR_peek_error_func(), ERR_peek_last_error_func(),
   ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(),
   ERR_peek_error_all() and ERR_peek_last_error_all().

   Deprecated ERR functions ERR_get_error_line(), ERR_get_error_line_data(),
   ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
   ERR_func_error_string().

   *Richard Levitte*

 * Extended testing to be verbose for failing tests only. The make variables
   VERBOSE_FAILURE or VF can be used to enable this:

       $ make VF=1 test                   # Unix
       $ mms /macro=(VF=1) test           ! OpenVMS
       $ nmake VF=1 test                  # Windows

   *Richard Levitte*

 * Added the `-copy_extensions` option to the `x509` command for use with
   `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
   all extensions in the request are copied to the certificate or vice versa.

   *David von Oheimb*, *Kirill Stefanenkov <kirill_stefanenkov@rambler.ru>*

 * Added the `-copy_extensions` option to the `req` command for use with
   `-x509`. When given with the `copy` or `copyall` argument,
   all extensions in the certification request are copied to the certificate.
   *David von Oheimb*

 * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
   they generate are by default RFC 5280 compliant in the following sense:
   There is a subjectKeyIdentifier extension with a hash value of the public key
   and for not self-signed certs there is an authorityKeyIdentifier extension
   with a keyIdentifier field or issuer information identifying the signing key.
   This is done unless some configuration overrides the new default behavior,
   such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.

   *David von Oheimb*

 * Added several checks to `X509_verify_cert()` according to requirements in
   RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set
   (which may be done by using the CLI option `-x509_strict`):
   * The basicConstraints of CA certificates must be marked critical.
   * CA certificates must explicitly include the keyUsage extension.
   * If a pathlenConstraint is given the key usage keyCertSign must be allowed.
   * The issuer name of any certificate must not be empty.
   * The subject name of CA certs, certs with keyUsage crlSign,
     and certs without subjectAlternativeName must not be empty.
   * If a subjectAlternativeName extension is given it must not be empty.
   * The signatureAlgorithm field and the cert signature must be consistent.
   * Any given authorityKeyIdentifier and any given subjectKeyIdentifier
     must not be marked critical.
   * The authorityKeyIdentifier must be given for X.509v3 certs
     unless they are self-signed.
   * The subjectKeyIdentifier must be given for all X.509v3 CA certs.

   *David von Oheimb*

 * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys
   with explicit curve parameters (specifiedCurve) as required by RFC 5480.
   *Tomáš Mráz*

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple, if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext. If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a work around for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.

   *Bernd Edlinger*

 * Early start up entropy quality from the DEVRANDOM seed source has been
   improved for older Linux systems.
   The RAND subsystem will wait for
   /dev/random to be producing output before seeding from /dev/urandom.
   The seeded state is stored for future library initialisations using
   a system global shared memory segment. The shared memory identifier
   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
   the desired value. The default identifier is 114.

   *Paul Dale*

 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
   when primes for RSA keys are computed.
   Since we previously always generated primes == 2 (mod 3) for RSA keys,
   the 2-prime and 3-prime RSA moduli were easy to distinguish, since
   `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore fingerprinting
   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
   This avoids possible fingerprinting of newly generated RSA moduli.

   *Bernd Edlinger*

 * Correct the extended master secret constant on EBCDIC systems. Without this
   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
   negotiate EMS will fail. Unfortunately this also means that TLS connections
   between EBCDIC systems with this fix, and EBCDIC systems without this
   fix will fail if they negotiate EMS.

   *Matt Caswell*

 * Changed the library initialisation so that the config file is now loaded
   by default. This was already the case for libssl. It now occurs for both
   libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
   `OPENSSL_init_crypto()` to suppress automatic loading of a config file.

   *Matt Caswell*

 * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
   where the former acts as a replacement for `ERR_put_error()`, and the
   latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`.
   `ERR_raise_data()` adds more flexibility by taking a format string and
   an arbitrary number of arguments following it, to be processed with
   `BIO_snprintf()`.

   *Richard Levitte*

 * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used
   to check if a named provider is loaded and available. When called, it
   will also activate all fallback providers if such are still present.

   *Richard Levitte*

 * Enforce a minimum DH modulus size of 512 bits.

   *Bernd Edlinger*

 * Changed DH parameters to generate the order q subgroup instead of 2q.
   Previously generated DH parameters are still accepted by DH_check
   but DH_generate_key works around that by clearing bit 0 of the
   private key for those. This avoids leaking bit 0 of the private key.

   *Bernd Edlinger*

 * Significantly reduce secure memory usage by the randomness pools.

   *Paul Dale*

 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
   deprecated.

   *Rich Salz*

 * A new type, EVP_KEYEXCH, has been introduced to represent key exchange
   algorithms. An implementation of a key exchange algorithm can be obtained
   by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
   used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
   the older EVP_PKEY_derive_init() function. See the man pages for the new
   functions for further details.

   *Matt Caswell*

 * The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.

   *Matt Caswell*

 * Removed the function names from error messages and deprecated the
   xxx_F_xxx define's.

   *Richard Levitte*

 * Removed NextStep support and the macro OPENSSL_UNISTD.

   *Rich Salz*

 * Removed DES_check_key.
   Also removed OPENSSL_IMPLEMENT_GLOBAL,
   OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
   Also removed "export var as function" capability; we do not export
   variables, only functions.

   *Rich Salz*

 * RC5_32_set_key has been changed to return an int type, with 0 indicating
   an error and 1 indicating success. In previous versions of OpenSSL this
   was a void type. If a key was set longer than the maximum possible this
   would crash.

   *Matt Caswell*

 * Support SM2 signing and verification schemes with X509 certificate.

   *Paul Yang*

 * Use SHA256 as the default digest for TS query in the `ts` app.

   *Tomáš Mráz*

 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.

   *Shane Lontis*

 * Default cipher lists/suites are now available via a function, the
   #defines are deprecated.

   *Todd Short*

 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
   VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
   for Windows Store apps easier. Also, the "no-uplink" option has been added.

   *Kenji Mouri*

 * Join the directories crypto/x509 and crypto/x509v3.

   *Richard Levitte*

 * Added command 'openssl kdf' that uses the EVP_KDF API.

   *Shane Lontis*

 * Added command 'openssl mac' that uses the EVP_MAC API.

   *Shane Lontis*

 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
   as default directories. Also added the command 'openssl info'
   for scripting purposes.

   *Richard Levitte*

 * The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
   deprecated.

   *Matt Caswell*

 * Add prediction resistance to the DRBG reseeding process.

   *Paul Dale*

 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
   mandated by IEEE Std 1619-2018.
   *Paul Dale*

 * Added newline escaping functionality to a filename when using openssl dgst.
   This output format is to replicate the output format found in the `*sum`
   checksum programs. This aims to preserve backward compatibility.

   *Matt Eaton, Richard Levitte, and Paul Dale*

 * Removed the heartbeat message in DTLS feature, as it has very
   little usage and doesn't seem to fulfill a valuable purpose.
   The configuration option is now deprecated.

   *Richard Levitte*

 * Changed the output of 'openssl {digestname} < file' to display the
   digest name in its output.

   *Richard Levitte*

 * Added a new generic trace API which provides support for enabling
   instrumentation through trace output.

   *Richard Levitte & Matthias St. Pierre*

 * Added build tests for C++. These are generated files that only do one
   thing, to include one public OpenSSL header file each. This tests that
   the public header files can be usefully included in a C++ application.

   This test isn't enabled by default. It can be enabled with the option
   'enable-buildtest-c++'.

   *Richard Levitte*

 * Added KB KDF (EVP_KDF_KB) to EVP_KDF.

   *Robbie Harwood*

 * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.

   *Simo Sorce*

 * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.

   *Shane Lontis*

 * Added KMAC to EVP_MAC.

   *Shane Lontis*

 * Added property based algorithm implementation selection framework to
   the core.

   *Paul Dale*

 * Added SCA hardening for modular field inversion in EC_GROUP through
   a new dedicated field_inv() pointer in EC_METHOD.
   This also addresses a leakage affecting conversions from projective
   to affine coordinates.
1716 1717 *Billy Bob Brumley, Nicola Tuveri* 1718 1719 * Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF 1720 implementations. This includes an EVP_PKEY to EVP_KDF bridge for 1721 those algorithms that were already supported through the EVP_PKEY API 1722 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2 1723 and scrypt are now wrappers that call EVP_KDF. 1724 1725 *David Makepeace* 1726 1727 * Build devcrypto engine as a dynamic engine. 1728 1729 *Eneas U de Queiroz* 1730 1731 * Add keyed BLAKE2 to EVP_MAC. 1732 1733 *Antoine Salon* 1734 1735 * Fix a bug in the computation of the endpoint-pair shared secret used 1736 by DTLS over SCTP. This breaks interoperability with older versions 1737 of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime 1738 switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling 1739 interoperability with such broken implementations. However, enabling 1740 this switch breaks interoperability with correct implementations. 1741 1742 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a 1743 re-used X509_PUBKEY object if the second PUBKEY is malformed. 1744 1745 *Bernd Edlinger* 1746 1747 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). 1748 1749 *Richard Levitte* 1750 1751 * Changed the license to the Apache License v2.0. 1752 1753 *Richard Levitte* 1754 1755 * Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH. 1756 1757 - Major releases (indicated by incrementing the MAJOR release number) 1758 may introduce incompatible API/ABI changes. 1759 - Minor releases (indicated by incrementing the MINOR release number) 1760 may introduce new features but retain API/ABI compatibility. 1761 - Patch releases (indicated by incrementing the PATCH number) 1762 are intended for bug fixes and other improvements of existing 1763 features only (like improving performance or adding documentation) 1764 and retain API/ABI compatibility. 
   *Richard Levitte*

 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.

   *Todd Short*

 * Remove the 'dist' target and add a tarball building script. The
   'dist' target has fallen out of use, and it shouldn't be
   necessary to configure just to create a source distribution.

   *Richard Levitte*

 * Recreate the OS390-Unix config target. It no longer relies on a
   special script like it did for OpenSSL pre-1.1.0.

   *Richard Levitte*

 * Instead of having the source directories listed in Configure, add
   a 'build.info' keyword SUBDIRS to indicate what sub-directories to
   look into.

   *Richard Levitte*

 * Add GMAC to EVP_MAC.

   *Paul Dale*

 * Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.

   *Richard Levitte*

 * Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
   implementations. This includes a generic EVP_PKEY to EVP_MAC bridge,
   to facilitate the continued use of MACs through raw private keys in
   functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.

   *Richard Levitte*

 * Deprecate ECDH_KDF_X9_62().

   *Antoine Salon*

 * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
   the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
   are retained for backwards compatibility.

   *Antoine Salon*

 * AES-XTS mode now enforces that its two keys are different to mitigate
   the attack described in "Efficient Instantiations of Tweakable
   Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
   Details of this attack can be obtained from:
   <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf>

   *Paul Dale*

 * Rename the object files, i.e. give them other names than in previous
   versions.
Their names now include the name of the final product, as 1824 well as its type mnemonic (bin, lib, shlib). 1825 1826 *Richard Levitte* 1827 1828 * Added new option for 'openssl list', '-objects', which will display the 1829 list of built in objects, i.e. OIDs with names. 1830 1831 *Richard Levitte* 1832 1833 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`, 1834 allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to 1835 be set explicitly. 1836 1837 *Chris Novakovic* 1838 1839 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path 1840 improves application performance by removing data copies and providing 1841 applications with zero-copy system calls such as sendfile and splice. 1842 1843 *Boris Pismenny* 1844 1845 * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. 1846 1847 *Martin Elshuber* 1848 1849 * `PKCS12_parse` now maintains the order of the parsed certificates 1850 when outputting them via `*ca` (rather than reversing it). 1851 1852 *David von Oheimb* 1853 1854 * Deprecated pthread fork support methods. 1855 1856 *Randall S. Becker* 1857 1858 * Added support for FFDHE key exchange in TLS 1.3. 1859 1860 *Raja Ashok* 1861 1862 * Added a new concept for OpenSSL plugability: providers. This 1863 functionality is designed to replace the ENGINE API and ENGINE 1864 implementations, and to be much more dynamic, allowing provider 1865 authors to introduce new algorithms among other things, as long as 1866 there's an API that supports the algorithm type. 1867 1868 With this concept comes a new core API for interaction between 1869 libcrypto and provider implementations. Public libcrypto functions 1870 that want to use providers do so through this core API. 
1871 1872 The main documentation for this core API is found in 1873 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn 1874 refer to other manuals describing the API specific for supported 1875 algorithm types (also called operations). 1876 1877 *The OpenSSL team* 1878 1879OpenSSL 1.1.1 1880------------- 1881 1882### Changes between 1.1.1m and 1.1.1n [xx XXX xxxx] 1883 1884### Changes between 1.1.1l and 1.1.1m [14 Dec 2021] 1885 1886 * Avoid loading of a dynamic engine twice. 1887 1888 *Bernd Edlinger* 1889 1890 * Prioritise DANE TLSA issuer certs over peer certs 1891 1892 *Viktor Dukhovni* 1893 1894 * Fixed random API for MacOS prior to 10.12 1895 1896 These MacOS versions don't support the CommonCrypto APIs 1897 1898 *Lenny Primak* 1899 1900### Changes between 1.1.1k and 1.1.1l [24 Aug 2021] 1901 1902 * Fixed an SM2 Decryption Buffer Overflow. 1903 1904 In order to decrypt SM2 encrypted data an application is expected to 1905 call the API function EVP_PKEY_decrypt(). Typically an application will 1906 call this function twice. The first time, on entry, the "out" parameter 1907 can be NULL and, on exit, the "outlen" parameter is populated with the 1908 buffer size required to hold the decrypted plaintext. The application 1909 can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() 1910 again, but this time passing a non-NULL value for the "out" parameter. 1911 1912 A bug in the implementation of the SM2 decryption code means that the 1913 calculation of the buffer size required to hold the plaintext returned 1914 by the first call to EVP_PKEY_decrypt() can be smaller than the actual 1915 size required by the second call. This can lead to a buffer overflow 1916 when EVP_PKEY_decrypt() is called by the application a second time with 1917 a buffer that is too small. 
   A malicious attacker who is able to present SM2 content for decryption to
   an application could cause attacker chosen data to overflow the buffer
   by up to a maximum of 62 bytes altering the contents of other data held
   after the buffer, possibly changing application behaviour or causing
   the application to crash. The location of the buffer is application
   dependent but is typically heap allocated.
   ([CVE-2021-3711])

   *Matt Caswell*

 * Fixed various read buffer overruns processing ASN.1 strings

   ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
   structure which contains a buffer holding the string data and a field
   holding the buffer length. This contrasts with normal C strings which
   are represented as a buffer for the string data which is terminated
   with a NUL (0) byte.

   Although not a strict requirement, ASN.1 strings that are parsed using
   OpenSSL's own "d2i" functions (and other similar parsing functions) as
   well as any string whose value has been set with the ASN1_STRING_set()
   function will additionally NUL terminate the byte array in the
   ASN1_STRING structure.

   However, it is possible for applications to directly construct valid
   ASN1_STRING structures which do not NUL terminate the byte array by
   directly setting the "data" and "length" fields in the ASN1_STRING
   structure. This can also happen by using the ASN1_STRING_set0() function.

   Numerous OpenSSL functions that print ASN.1 data have been found to
   assume that the ASN1_STRING byte array will be NUL terminated, even
   though this is not guaranteed for strings that have been directly
   constructed.
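The following is an added example, not OpenSSL code, illustrating the printing problem described in this entry. It uses a ctypes mock of the two ASN1_STRING fields that matter here (`length` and `data`; the real struct layout is not reproduced) and compares a printer that trusts a NUL terminator with one bounded by the length field. The neighbouring bytes and the secret they contain are constructed for the demo.

```python
import ctypes

# Hypothetical stand-in for the two ASN1_STRING fields the entry talks about
# ("length" and "data"); this is not OpenSSL's real struct layout.
class MockAsn1String(ctypes.Structure):
    _fields_ = [("length", ctypes.c_int),
                ("data", ctypes.POINTER(ctypes.c_ubyte))]


def make_string(buf, length: int) -> MockAsn1String:
    """Point a string at buf with an explicit length, the way an application can
    by writing the fields directly (or via ASN1_STRING_set0), with no NUL added."""
    return MockAsn1String(length, ctypes.cast(buf, ctypes.POINTER(ctypes.c_ubyte)))


def print_fragile(s: MockAsn1String) -> bytes:
    """What the affected printers effectively did: scan data for a NUL and ignore
    s.length. ctypes.string_at() without a size is a strlen() on the raw pointer."""
    return ctypes.string_at(s.data)


def print_bounded(s: MockAsn1String) -> bytes:
    """Hardened form: read exactly s.length bytes and never look past them."""
    if s.length < 0:
        raise ValueError("negative ASN1_STRING length")
    return ctypes.string_at(s.data, s.length)


# Constructed demo input: the 3-byte value "abc" is followed immediately by
# unrelated bytes standing in for whatever sits next in memory. The buffer is
# NUL-terminated at its very end only so the demo itself stays memory-safe.
_NEIGHBOUR = b"abc" + b"SECRET-KEY-MATERIAL" + b"\0"
_BUF = ctypes.create_string_buffer(_NEIGHBOUR, len(_NEIGHBOUR))
DEMO = make_string(_BUF, 3)


def over_read_bytes(s: MockAsn1String = DEMO) -> int:
    """Bytes beyond the declared length that the fragile printer discloses."""
    return len(print_fragile(s)) - s.length
```

The bounded printer returns `b"abc"`; the fragile one keeps reading until it happens to meet a zero byte, which is exactly how private memory ends up in printed output or, when no zero byte is nearby, in a crash.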
Where an application requests an ASN.1 structure to be 1952 printed, and where that ASN.1 structure contains ASN1_STRINGs that have 1953 been directly constructed by the application without NUL terminating 1954 the "data" field, then a read buffer overrun can occur. 1955 1956 The same thing can also occur during name constraints processing 1957 of certificates (for example if a certificate has been directly 1958 constructed by the application instead of loading it via the OpenSSL 1959 parsing functions, and the certificate contains non NUL terminated 1960 ASN1_STRING structures). It can also occur in the X509_get1_email(), 1961 X509_REQ_get1_email() and X509_get1_ocsp() functions. 1962 1963 If a malicious actor can cause an application to directly construct an 1964 ASN1_STRING and then process it through one of the affected OpenSSL 1965 functions then this issue could be hit. This might result in a crash 1966 (causing a Denial of Service attack). It could also result in the 1967 disclosure of private memory contents (such as private keys, or 1968 sensitive plaintext). 1969 ([CVE-2021-3712]) 1970 1971 *Matt Caswell* 1972 1973### Changes between 1.1.1j and 1.1.1k [25 Mar 2021] 1974 1975 * Fixed a problem with verifying a certificate chain when using the 1976 X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of 1977 the certificates present in a certificate chain. It is not set by default. 1978 1979 Starting from OpenSSL version 1.1.1h a check to disallow certificates in 1980 the chain that have explicitly encoded elliptic curve parameters was added 1981 as an additional strict check. 1982 1983 An error in the implementation of this check meant that the result of a 1984 previous check to confirm that certificates in the chain are valid CA 1985 certificates was overwritten. This effectively bypasses the check 1986 that non-CA certificates must not be able to issue other certificates. 
1987 1988 If a "purpose" has been configured then there is a subsequent opportunity 1989 for checks that the certificate is a valid CA. All of the named "purpose" 1990 values implemented in libcrypto perform this check. Therefore, where 1991 a purpose is set the certificate chain will still be rejected even when the 1992 strict flag has been used. A purpose is set by default in libssl client and 1993 server certificate verification routines, but it can be overridden or 1994 removed by an application. 1995 1996 In order to be affected, an application must explicitly set the 1997 X509_V_FLAG_X509_STRICT verification flag and either not set a purpose 1998 for the certificate verification or, in the case of TLS client or server 1999 applications, override the default purpose. 2000 ([CVE-2021-3450]) 2001 2002 *Tomáš Mráz* 2003 2004 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously 2005 crafted renegotiation ClientHello message from a client. If a TLSv1.2 2006 renegotiation ClientHello omits the signature_algorithms extension (where it 2007 was present in the initial ClientHello), but includes a 2008 signature_algorithms_cert extension then a NULL pointer dereference will 2009 result, leading to a crash and a denial of service attack. 2010 2011 A server is only vulnerable if it has TLSv1.2 and renegotiation enabled 2012 (which is the default configuration). OpenSSL TLS clients are not impacted by 2013 this issue. 2014 ([CVE-2021-3449]) 2015 2016 *Peter Kästle and Samuel Sapalski* 2017 2018### Changes between 1.1.1i and 1.1.1j [16 Feb 2021] 2019 2020 * Fixed the X509_issuer_and_serial_hash() function. It attempts to 2021 create a unique hash value based on the issuer and serial number data 2022 contained within an X509 certificate. However it was failing to correctly 2023 handle any errors that may occur while parsing the issuer field (which might 2024 occur if the issuer field is maliciously constructed). 
   This may subsequently
   result in a NULL pointer deref and a crash leading to a potential denial of
   service attack.
   ([CVE-2021-23841])

   *Matt Caswell*

 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
   padding mode to correctly check for rollback attacks. This is considered a
   bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
   CVE-2021-23839.

   *Matt Caswell*

 * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
   functions. Previously they could overflow the output length argument in some
   cases where the input length is close to the maximum permissible length for
   an integer on the platform. In such cases the return value from the function
   call would be 1 (indicating success), but the output length value would be
   negative. This could cause applications to behave incorrectly or crash.
   ([CVE-2021-23840])

   *Matt Caswell*

 * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
   implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
   could be exploited in a side channel attack to recover the password. Since
   the attack is local host only this is outside of the current OpenSSL
   threat model and therefore no CVE is assigned.

   Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
   issue.

   *Matt Caswell*

### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]

 * Fixed NULL pointer deref in the GENERAL_NAME_cmp function
   This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
   If an attacker can control both items being compared then this could lead
   to a possible denial of service attack.
   OpenSSL itself uses the
   GENERAL_NAME_cmp function for two purposes:
   1) Comparing CRL distribution point names between an available CRL and a
      CRL distribution point embedded in an X509 certificate
   2) When verifying that a timestamp response token signer matches the
      timestamp authority name (exposed via the API functions
      TS_RESP_verify_response and TS_RESP_verify_token)
   ([CVE-2020-1971])

   *Matt Caswell*

### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

 * Certificates with explicit curve parameters are now disallowed in
   verification chains if the X509_V_FLAG_X509_STRICT flag is used.

   *Tomáš Mráz*

 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
   conversely, silently ignore DTLS protocol version bounds when configuring
   TLS-based contexts. The commands can be repeated to set bounds of both
   types. The same applies with the corresponding "min_protocol" and
   "max_protocol" command-line switches, in case some application uses both TLS
   and DTLS.

   SSL_CTX instances that are created for a fixed protocol version (e.g.
   TLSv1_server_method()) also silently ignore version bounds. Previously
   attempts to apply bounds to these protocol versions would result in an
   error. Now only the "version-flexible" SSL_CTX instances are subject to
   limits in configuration files and command-line options.

   *Viktor Dukhovni*

 * Handshake now fails if Extended Master Secret extension is dropped
   on renegotiation.
   *Tomáš Mráz*

 * The Oracle Developer Studio compiler will start reporting deprecated APIs

### Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

 * Fixed segmentation fault in SSL_check_chain()
   Server or client applications that call the SSL_check_chain() function
   during or after a TLS 1.3 handshake may crash due to a NULL pointer
   dereference as a result of incorrect handling of the
   "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
   or unrecognised signature algorithm is received from the peer. This could
   be exploited by a malicious peer in a Denial of Service attack.
   ([CVE-2020-1967])

   *Benjamin Kaduk*

 * Added AES consttime code for no-asm configurations
   Optional constant time support for AES was added
   when building openssl for no-asm.
   Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
   Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
   At this time this feature is by default disabled.
   It will be enabled by default in 3.0.

   *Bernd Edlinger*

### Changes between 1.1.1e and 1.1.1f [31 Mar 2020]

 * Revert the change of EOF detection while reading in libssl to avoid
   regressions in applications depending on the current way of reporting
   the EOF. As the existing method is not fully accurate the change to
   reporting the EOF via SSL_ERROR_SSL is kept on the current development
   branch and will be present in the 3.0 release.

   *Tomáš Mráz*

 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
   when primes for RSA keys are computed.
   Since we previously always generated primes == 2 (mod 3) for RSA keys,
   the 2-prime and 3-prime RSA moduli were easy to distinguish, since
   N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
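As an added example (not OpenSSL code), the fingerprint described in this entry, run against a toy model of the two prime-generation policies. The old policy is modelled as rejecting any candidate p whose p-1 shares a factor with the primes 3..17863, which forces p == 2 (mod 3); the new policy drops that rejection. Primes are 96 bits so the demo runs in well under a second; the Miller-Rabin routine is a plain textbook version and the RNG seed is arbitrary.

```python
import math
import random


def _odd_primes_up_to(limit: int) -> list:
    """Simple sieve; returns the odd primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\0\0"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(3, limit + 1, 2) if sieve[i]]


# One gcd() against this product tells us whether p-1 has any factor in 3..17863.
_SMALL_PRIME_PRODUCT = math.prod(_odd_primes_up_to(17863))


def is_probable_prime(n: int, rounds: int, rng: random.Random) -> bool:
    """Miller-Rabin with `rounds` random bases (textbook version, demo only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, old_policy: bool, rng: random.Random) -> int:
    """old_policy=True models the pre-1.1.1f behaviour: reject p when p-1 has a
    prime factor in 3..17863 (so in particular p == 2 mod 3)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if old_policy and math.gcd(p - 1, _SMALL_PRIME_PRODUCT) != 1:
            continue
        if is_probable_prime(p, 16, rng):
            return p


def make_modulus(num_primes: int, bits: int, old_policy: bool, rng: random.Random) -> int:
    n = 1
    for _ in range(num_primes):
        n *= gen_prime(bits, old_policy, rng)
    return n


def guess_prime_count(n: int) -> int:
    """The fingerprint: with every prime == 2 (mod 3), N = p*q == 1 and
    N = p*q*r == 2 (mod 3). Returns the guess, or 0 for the impossible N == 0."""
    return {1: 2, 2: 3}.get(n % 3, 0)


def fingerprint_accuracy(trials: int, old_policy: bool, rng: random.Random) -> float:
    """Fraction of moduli (alternating 2-prime and 3-prime) whose prime count
    the N mod 3 fingerprint guesses correctly."""
    correct = 0
    for i in range(trials):
        k = 2 if i % 2 == 0 else 3
        correct += guess_prime_count(make_modulus(k, 96, old_policy, rng)) == k
    return correct / trials
```

Under the old policy the guess is right every time; once p may be 1 (mod 3) as well, N mod 3 carries no information about the number of primes.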
   The revised generation avoids possible fingerprinting of newly generated
   RSA moduli.

   *Bernd Edlinger*

### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]

 * Properly detect EOF while reading in libssl. Previously if we hit an EOF
   while reading in libssl then we would report an error back to the
   application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
   an error to the stack (which means we instead return SSL_ERROR_SSL) and
   therefore give a hint as to what went wrong.

   *Matt Caswell*

 * Check that ed25519 and ed448 are allowed by the security level. Previously
   signature algorithms not using an MD were not being checked that they were
   allowed by the security level.

   *Kurt Roeckx*

 * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
   was not quite right. The behaviour was not consistent between resumption
   and normal handshakes, and also not quite consistent with historical
   behaviour. The behaviour in various scenarios has been clarified and
   it has been updated to make it match historical behaviour as closely as
   possible.

   *Matt Caswell*

 * *[VMS only]* The header files that the VMS compilers include automatically,
   `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas
   that the C++ compiler doesn't understand. This is a shortcoming in the
   compiler, but can be worked around with `__cplusplus` guards.

   C++ applications that use OpenSSL libraries must be compiled using the
   qualifier `/NAMES=(AS_IS,SHORTENED)` to be able to use all the OpenSSL
   functions. Otherwise, only functions with symbols of less than 31
   characters can be used, as the linker will not be able to successfully
   resolve symbols with longer names.

   *Richard Levitte*

 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
   The presence of this system service is determined at run-time.

   *Richard Levitte*

 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
   the first value.

   *Jon Spillett*

### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]

 * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
   number generator (RNG). This was intended to include protection in the
   event of a fork() system call in order to ensure that the parent and child
   processes did not share the same RNG state. However this protection was not
   being used in the default case.

   A partial mitigation for this issue is that the output from a high
   precision timer is mixed into the RNG state so the likelihood of a parent
   and child process sharing state is significantly reduced.

   If an application already calls OPENSSL_init_crypto() explicitly using
   OPENSSL_INIT_ATFORK then this problem does not occur at all.
   ([CVE-2019-1549])

   *Matthias St. Pierre*

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple, if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext. If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a work around for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.
   ([CVE-2019-1563])

   *Bernd Edlinger*

 * Early start up entropy quality from the DEVRANDOM seed source has been
   improved for older Linux systems. The RAND subsystem will wait for
   /dev/random to be producing output before seeding from /dev/urandom.
   The seeded state is stored for future library initialisations using
   a system global shared memory segment. The shared memory identifier
   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
   the desired value. The default identifier is 114.

   *Paul Dale*

 * Correct the extended master secret constant on EBCDIC systems. Without this
   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
   negotiate EMS will fail. Unfortunately this also means that TLS connections
   between EBCDIC systems with this fix, and EBCDIC systems without this
   fix will fail if they negotiate EMS.
   *Matt Caswell*

 * Use Windows installation paths in the mingw builds

   Mingw isn't a POSIX environment per se, which means that Windows
   paths should be used for installation.
   ([CVE-2019-1552])

   *Richard Levitte*

 * Changed DH_check to accept parameters with order q and 2q subgroups.
   With order 2q subgroups the bit 0 of the private key is not secret
   but DH_generate_key works around that by clearing bit 0 of the
   private key for those. This avoids leaking bit 0 of the private key.

   *Bernd Edlinger*

 * Significantly reduce secure memory usage by the randomness pools.

   *Paul Dale*

 * Revert the DEVRANDOM_WAIT feature for Linux systems

   The DEVRANDOM_WAIT feature added a select() call to wait for the
   /dev/random device to become readable before reading from the
   /dev/urandom device.

   It turned out that this change had negative side effects on
   performance which were not acceptable. After some discussion it
   was decided to revert this feature and leave it up to the OS
   resp. the platform maintainer to ensure a proper initialization
   during early boot time.

   *Matthias St. Pierre*

### Changes between 1.1.1b and 1.1.1c [28 May 2019]

 * Add build tests for C++. These are generated files that only do one
   thing, to include one public OpenSSL header file each. This tests that
   the public header files can be usefully included in a C++ application.

   This test isn't enabled by default. It can be enabled with the option
   'enable-buildtest-c++'.

   *Richard Levitte*

 * Enable SHA3 pre-hashing for ECDSA and DSA.

   *Patrick Steuer*

 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
   This changes the size when using the `genpkey` command when no size is given.
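The DH_check entry above says that with an order-2q subgroup bit 0 of the private key is not secret. The following added example (not OpenSSL code) shows why, using a constructed toy safe prime p = 2q + 1 = 1019: with a generator of order 2q, Euler's criterion on the public key y = g^x reveals the parity of x, and clearing bit 0 as DH_generate_key now does makes that leak worthless. The same code shows that an order-q generator never leaks.

```python
import random


def is_small_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


# Constructed demo parameters: a safe prime p = 2q + 1 (tiny on purpose;
# the arithmetic is identical at real sizes).
P = 1019
Q = (P - 1) // 2
assert is_small_prime(P) and is_small_prime(Q)


def legendre(a: int, p: int) -> int:
    """Euler's criterion: 1 if a is a quadratic residue mod p, p-1 if not."""
    return pow(a, (p - 1) // 2, p)


def order_2q_generator(p: int) -> int:
    """Smallest non-residue; its order is 2q rather than q (g^q == -1)."""
    return next(g for g in range(2, p) if legendre(g, p) == p - 1)


def order_q_generator(p: int) -> int:
    """A residue other than 1 generates the order-q subgroup."""
    return next(g for g in range(2, p) if legendre(g, p) == 1)


def private_key(q: int, rng: random.Random, clear_low_bit: bool) -> int:
    """Exponent in [2, 2q). clear_low_bit models DH_generate_key's workaround."""
    x = rng.randrange(2, 2 * q)
    return x & ~1 if clear_low_bit else x


def leaked_low_bit(y: int, p: int) -> int:
    """Computable from the public key alone: with an order-2q generator,
    y = g^x is a residue exactly when x is even."""
    return 0 if legendre(y, p) == 1 else 1


def oracle_hits(g: int, p: int, q: int, rng: random.Random,
                clear_low_bit: bool, trials: int = 200) -> dict:
    """Generate `trials` key pairs and count how often the public-key oracle
    equals the real low bit, and how many keys actually had the bit set."""
    matches = odd_keys = 0
    for _ in range(trials):
        x = private_key(q, rng, clear_low_bit)
        y = pow(g, x, p)
        matches += leaked_low_bit(y, p) == (x & 1)
        odd_keys += x & 1
    return {"trials": trials, "matches": matches, "odd_keys": odd_keys}
```

With the order-2q generator and no workaround the oracle is right for every key, i.e. one bit of x is public; after clearing bit 0 the oracle still "matches", but only because it predicts a value that is fixed and known in advance. With an order-q generator every y is a residue, so the oracle learns nothing either way.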
   That change to the default size fixes an omission in earlier changes that
   changed all RSA, DSA and DH generation commands to use 2048 bits by default.

   *Kurt Roeckx*

 * Reorganize the manual pages to consistently have RETURN VALUES,
   EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
   util/fix-doc-nits accordingly.

   *Paul Yang, Joshua Lock*

 * Add the missing accessor EVP_PKEY_get0_engine()

   *Matt Caswell*

 * Have commands like `s_client` and `s_server` output the signature scheme
   along with other cipher suite parameters when debugging.

   *Lorinczy Zsigmond*

 * Make OPENSSL_config() error agnostic again.

   *Richard Levitte*

 * Do the error handling in RSA decryption constant time.

   *Bernd Edlinger*

 * Prevent over long nonces in ChaCha20-Poly1305.

   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
   for every encryption operation. RFC 7539 specifies that the nonce value
   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
   and front pads the nonce with 0 bytes if it is less than 12
   bytes. However it also incorrectly allowed a nonce of up to 16 bytes to be
   set. In this case only the last 12 bytes are significant and any
   additional leading bytes are ignored.

   It is a requirement of using this cipher that nonce values are
   unique. Messages encrypted using a reused nonce value are susceptible to
   serious confidentiality and integrity attacks. If an application changes
   the default nonce length to be longer than 12 bytes and then makes a
   change to the leading bytes of the nonce expecting the new value to be a
   new unique nonce then such an application could inadvertently encrypt
   messages with a reused nonce.

   Additionally the ignored bytes in a long nonce are not covered by the
   integrity guarantee of this cipher.
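The following added example (not OpenSSL code) models the nonce handling this entry describes, before and after the fix, and runs a constructed application pattern against it: a 16-byte nonce whose only varying part is a 4-byte message counter in the leading bytes. The `NonceReuseDetector` and the counter layout are assumptions made for the demo.

```python
IV_LEN = 12           # RFC 7539 nonce size in bytes
OLD_MAX_IV_LEN = 16   # what the pre-fix code accepted via the IV-length control


def effective_nonce_before_fix(nonce: bytes) -> bytes:
    """Model of the pre-fix behaviour: lengths up to 16 accepted, shorter nonces
    front-padded with zero bytes, and for longer ones only the last 12 bytes used."""
    if not 1 <= len(nonce) <= OLD_MAX_IV_LEN:
        raise ValueError("nonce length out of range")
    return nonce[-IV_LEN:].rjust(IV_LEN, b"\0")


def check_nonce_after_fix(nonce: bytes) -> bytes:
    """Post-fix rule: anything longer than 12 bytes is rejected outright."""
    if not 1 <= len(nonce) <= IV_LEN:
        raise ValueError("ChaCha20-Poly1305 nonce must be 1..12 bytes")
    return nonce.rjust(IV_LEN, b"\0")


def rejects_after_fix(nonce: bytes) -> bool:
    try:
        check_nonce_after_fix(nonce)
    except ValueError:
        return True
    return False


class NonceReuseDetector:
    """Tracks the nonces the cipher actually consumed (demo helper)."""

    def __init__(self) -> None:
        self.seen = set()

    def record(self, effective: bytes) -> bool:
        """Return True if this effective nonce was already used under this key."""
        if effective in self.seen:
            return True
        self.seen.add(effective)
        return False


def counter_nonces_16(count: int, fixed: bytes) -> list:
    """Constructed application pattern: 16-byte nonce = 4-byte big-endian
    message counter || 12 fixed bytes. Every nonce is distinct as bytes."""
    assert len(fixed) == IV_LEN
    return [i.to_bytes(4, "big") + fixed for i in range(count)]


def collisions_before_fix(nonces: list) -> int:
    """How many of the given nonces the pre-fix cipher would actually reuse."""
    det = NonceReuseDetector()
    return sum(det.record(effective_nonce_before_fix(n)) for n in nonces)
```

Five byte-distinct 16-byte nonces collapse to a single effective nonce under the old rule, so four of the five messages are encrypted under a reused nonce; the fixed rule refuses all of them and forces the application to put its counter inside the 12 bytes that the cipher really uses (and that its tag really covers).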
Any application that relies on the 2366 integrity of these ignored leading bytes of a long nonce may be further 2367 affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, 2368 is safe because no such use sets such a long nonce value. However user 2369 applications that use this cipher directly and set a non-default nonce 2370 length to be longer than 12 bytes may be vulnerable. 2371 2372 This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk 2373 Greef of Ronomon. 2374 ([CVE-2019-1543]) 2375 2376 *Matt Caswell* 2377 2378 * Add DEVRANDOM_WAIT feature for Linux systems 2379 2380 On older Linux systems where the getrandom() system call is not available, 2381 OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG. 2382 Contrary to getrandom(), the /dev/urandom device will not block during 2383 early boot when the kernel CSPRNG has not been seeded yet. 2384 2385 To mitigate this known weakness, use select() to wait for /dev/random to 2386 become readable before reading from /dev/urandom. 2387 2388 * Ensure that SM2 only uses SM3 as digest algorithm 2389 2390 *Paul Yang* 2391 2392### Changes between 1.1.1a and 1.1.1b [26 Feb 2019] 2393 2394 * Change the info callback signals for the start and end of a post-handshake 2395 message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START 2396 and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get 2397 confused by this and assume that a TLSv1.2 renegotiation has started. This 2398 can break KeyUpdate handling. Instead we no longer signal the start and end 2399 of a post handshake message exchange (although the messages themselves are 2400 still signalled). This could break some applications that were expecting 2401 the old signals. However without this KeyUpdate is not usable for many 2402 applications. 
2403 2404 *Matt Caswell* 2405 2406### Changes between 1.1.1 and 1.1.1a [20 Nov 2018] 2407 2408 * Timing vulnerability in DSA signature generation 2409 2410 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a 2411 timing side channel attack. An attacker could use variations in the signing 2412 algorithm to recover the private key. 2413 2414 This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. 2415 ([CVE-2018-0734]) 2416 2417 *Paul Dale* 2418 2419 * Timing vulnerability in ECDSA signature generation 2420 2421 The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a 2422 timing side channel attack. An attacker could use variations in the signing 2423 algorithm to recover the private key. 2424 2425 This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. 2426 ([CVE-2018-0735]) 2427 2428 *Paul Dale* 2429 2430 * Fixed the issue that RAND_add()/RAND_seed() silently discards random input 2431 if its length exceeds 4096 bytes. The limit has been raised to a buffer size 2432 of two gigabytes and the error handling improved. 2433 2434 This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been 2435 categorized as a normal bug, not a security issue, because the DRBG reseeds 2436 automatically and is fully functional even without additional randomness 2437 provided by the application. 2438 2439### Changes between 1.1.0i and 1.1.1 [11 Sep 2018] 2440 2441 * Add a new ClientHello callback. Provides a callback interface that gives 2442 the application the ability to adjust the nascent SSL object at the 2443 earliest stage of ClientHello processing, immediately after extensions have 2444 been collected but before they have been processed. In particular, this 2445 callback can adjust the supported TLS versions in response to the contents 2446 of the ClientHello 2447 2448 *Benjamin Kaduk* 2449 2450 * Add SM2 base algorithm support. 

   *Jack Lloyd*

 * s390x assembly pack: add (improved) hardware support for the following
   cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
   aes-cfb/cfb8, aes-ecb.

   *Patrick Steuer*

 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
   parameter is no longer accepted, as it leads to a corrupt table. NULL
   pem_str is reserved for alias entries only.

   *Richard Levitte*

 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
   step for prime curves. The new implementation is based on formulae from
   differential addition-and-doubling in homogeneous projective coordinates
   from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
   against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
   and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
   to work in projective coordinates.

   *Billy Bob Brumley, Nicola Tuveri*

 * Change generating and checking of primes so that the error rate of not
   being prime depends on the intended use based on the size of the input.
   For larger primes this will result in more rounds of Miller-Rabin.
   The maximal error rate for primes with more than 1080 bits is lowered
   to 2^-128.

   *Kurt Roeckx, Annie Yousar*

 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.

   *Kurt Roeckx*

 * The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
   moving between systems, and to avoid confusion when a Windows build is
   done with mingw vs with MSVC. For POSIX installs, there's still a
   symlink or copy named 'tsget' to avoid that confusion as well.

   *Richard Levitte*

 * Revert blinding in ECDSA sign and instead make problematic addition
   length-invariant. Switch even to fixed-length Montgomery multiplication.

   *Andy Polyakov*

 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
   step for binary curves. The new implementation is based on formulae from
   differential addition-and-doubling in mixed Lopez-Dahab projective
   coordinates, modified to independently blind the operands.

   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*

 * Add a scaffold to optionally enhance the Montgomery ladder implementation
   for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
   EC_METHODs to implement their own specialized "ladder step", to take
   advantage of more favorable coordinate systems or more efficient
   differential addition-and-doubling algorithms.

   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*

 * Modified the random device based seed sources to keep the relevant
   file descriptors open rather than reopening them on each access.
   This allows such sources to operate in a chroot() jail without
   the associated device nodes being available. This behaviour can be
   controlled using RAND_keep_random_devices_open().

   *Paul Dale*

 * Numerous side-channel attack mitigations have been applied. This may have
   performance impacts for some algorithms for the benefit of improved
   security. Specific changes are noted in this change log by their respective
   authors.

   *Matt Caswell*

 * AIX shared library support overhaul. Switch to AIX "natural" way of
   handling shared libraries, which means collecting shared objects of
   different versions and bitnesses in one common archive. This makes it
   possible to mitigate conflicts between 1.0 and 1.1 side-by-side
   installations. It doesn't affect the way 3rd party applications are
   linked, only how multi-version installation is managed.

   *Andy Polyakov*

 * Make ec_group_do_inverse_ord() more robust and available to other
   EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
   mitigations are applied to the fallback BN_mod_inverse().
   When using this function rather than BN_mod_inverse() directly, new
   EC cryptosystem implementations are then safer-by-default.

   *Billy Bob Brumley*

 * Add coordinate blinding for EC_POINT and implement projective
   coordinate blinding for generic prime curves as a countermeasure to
   chosen point SCA attacks.

   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*

 * Add blinding to ECDSA and DSA signatures to protect against side channel
   attacks discovered by Keegan Ryan (NCC Group).

   *Matt Caswell*

 * Enforce checking in the `pkeyutl` command to ensure that the input
   length does not exceed the maximum supported digest length when performing
   a sign, verify or verifyrecover operation.

   *Matt Caswell*

 * SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
   I/O in combination with something like select() or poll() will hang. This
   can be turned off again using SSL_CTX_clear_mode().
   Many applications do not properly handle non-application data records, and
   TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
   around the problems in those applications, but can also break some.
   It's recommended to read the manpages about SSL_read(), SSL_write(),
   SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
   SSL_CTX_set_read_ahead() again.

   *Kurt Roeckx*

 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
   now allow empty (zero character) pass phrases.

   *Richard Levitte*

 * Apply blinding to binary field modular inversion and remove patent
   pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.

   *Billy Bob Brumley*

 * Deprecate ec2_mult.c and unify scalar multiplication code paths for
   binary and prime elliptic curves.

   *Billy Bob Brumley*

 * Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
   constant time fixed point multiplication.

   *Billy Bob Brumley*

 * Revise elliptic curve scalar multiplication with timing attack
   defenses: ec_wNAF_mul redirects to a constant time implementation
   when computing fixed point and variable point multiplication (which
   in OpenSSL are mostly used with secret scalars in keygen, sign,
   ECDH derive operations).

   *Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
   Sohaib ul Hassan*

 * Updated CONTRIBUTING

   *Rich Salz*

 * Updated DRBG / RAND to request nonce and additional low entropy
   randomness from the system.

   *Matthias St. Pierre*

 * Updated 'openssl rehash' to use OpenSSL consistent default.

   *Richard Levitte*

 * Moved the load of the ssl_conf module to libcrypto, which helps
   loading engines that libssl uses before libssl is initialised.

   *Matt Caswell*

 * Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA

   *Matt Caswell*

 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.

   *Ingo Schwarze, Rich Salz*

 * Added output of accepting IP address and port for 'openssl s_server'

   *Richard Levitte*

 * Added a new API for TLSv1.3 ciphersuites:
      SSL_CTX_set_ciphersuites()
      SSL_set_ciphersuites()

   *Matt Caswell*

 * Memory allocation failures consistently add an error to the error
   stack.

   *Rich Salz*

 * Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
   in libcrypto when run as setuid/setgid.

   *Bernd Edlinger*

 * Load any config file by default when libssl is used.

   *Matt Caswell*

 * Added new public header file <openssl/rand_drbg.h> and documentation
   for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.

   *Matthias St. Pierre*

 * QNX support removed (cannot find contributors to get their approval
   for the license change).

   *Rich Salz*

 * TLSv1.3 replay protection for early data has been implemented. See the
   SSL_read_early_data() man page for further details.

   *Matt Caswell*

 * Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
   configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
   below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
   In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
   would otherwise inadvertently disable all TLSv1.3 ciphersuites the
   configuration has been separated out. See the ciphers man page or the
   SSL_CTX_set_ciphersuites() man page for more information.

   *Matt Caswell*

 * On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
   in responder mode now supports the new "-multi" option, which
   spawns the specified number of child processes to handle OCSP
   requests. The "-timeout" option now also limits the OCSP
   responder's patience to wait to receive the full client request
   on a newly accepted connection. Child processes are respawned
   as needed, and the CA index file is automatically reloaded
   when changed. This makes it possible to run the "ocsp" responder
   as a long-running service, making the OpenSSL CA somewhat more
   feature-complete. In this mode, most diagnostic messages logged
   after entering the event loop are logged via syslog(3) rather than
   written to stderr.

   *Viktor Dukhovni*

 * Added support for X448 and Ed448. Heavily based on original work by
   Mike Hamburg.

   *Matt Caswell*

 * Extend OSSL_STORE with capabilities to search and to narrow the set of
   objects loaded. This adds the functions OSSL_STORE_expect() and
   OSSL_STORE_find() as well as needed tools to construct searches and
   get the search data out of them.

   *Richard Levitte*

 * Support for TLSv1.3 added. Note that users upgrading from an earlier
   version of OpenSSL should review their configuration settings to ensure
   that they are still appropriate for TLSv1.3. For further information see:
   <https://wiki.openssl.org/index.php/TLS1.3>

   *Matt Caswell*

 * Grand redesign of the OpenSSL random generator

   The default RAND method now utilizes an AES-CTR DRBG according to
   NIST standard SP 800-90Ar1. The new random generator is essentially
   a port of the default random generator from the OpenSSL FIPS 2.0
   object module. It is a hybrid deterministic random bit generator
   using an AES-CTR bit stream, which seeds and reseeds itself
   automatically using trusted system entropy sources.

   Some of its new features are:
   - Support for multiple DRBG instances with seed chaining.
   - The default RAND method makes use of a DRBG.
   - There is a public and private DRBG instance.
   - The DRBG instances are fork-safe.
   - Keep all global DRBG instances on the secure heap if it is enabled.
   - The public and private DRBG instances are per thread for lock-free
     operation.

   *Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre*

 * Changed Configure so it only says what it does and doesn't dump
   so much data. Instead, ./configdata.pm should be used as a script
   to display all sorts of configuration data.

   *Richard Levitte*

 * Added processing of "make variables" to Configure.

   *Richard Levitte*

 * Added SHA512/224 and SHA512/256 algorithm support.

   *Paul Dale*

 * The last traces of Netware support, first removed in 1.1.0, have
   now been removed.

   *Rich Salz*

 * Get rid of Makefile.shared, and in the process, make the processing
   of certain files (rc.obj, or the .def/.map/.opt files produced from
   the ordinal files) more visible and hopefully easier to trace and
   debug (or make silent).

   *Richard Levitte*

 * Make it possible to have environment variable assignments as
   arguments to config / Configure.

   *Richard Levitte*

 * Add multi-prime RSA (RFC 8017) support.

   *Paul Yang*

 * Add SM3 implemented according to GB/T 32905-2016
   *Jack Lloyd <jack.lloyd@ribose.com>,*
   *Ronald Tse <ronald.tse@ribose.com>,*
   *Erick Borsboom <erick.borsboom@ribose.com>*

 * Add 'Maximum Fragment Length' TLS extension negotiation and support
   as documented in RFC6066.
   Based on a patch from Tomasz Moń

   *Filipe Raimundo da Silva*

 * Add SM4 implemented according to GB/T 32907-2016.
   *Jack Lloyd <jack.lloyd@ribose.com>,*
   *Ronald Tse <ronald.tse@ribose.com>,*
   *Erick Borsboom <erick.borsboom@ribose.com>*

 * Reimplement -newreq-nodes and ERR_error_string_n; the
   original author does not agree with the license change.

   *Rich Salz*

 * Add ARIA AEAD TLS support.

   *Jon Spillett*

 * Some macro definitions to support VS6 have been removed. Visual
   Studio 6 has not worked since 1.1.0.

   *Rich Salz*

 * Add ERR_clear_last_mark(), to allow callers to clear the last mark
   without clearing the errors.

   *Richard Levitte*

 * Add "atfork" functions. If building on a system without
   pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
   requirements. The RAND facility now uses/requires this.

   *Rich Salz*

 * Add SHA3.

   *Andy Polyakov*

 * The UI API becomes a permanent and integral part of libcrypto, i.e.
   not possible to disable entirely. However, it's still possible to
   disable the console reading UI method, UI_OpenSSL() (use UI_null()
   as a fallback).

   To disable, configure with 'no-ui-console'. 'no-ui' is still
   possible to use as an alias. Check at compile time with the
   macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still
   possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.

   *Richard Levitte*

 * Add a STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other
   objects. The main API is loosely based on a few stdio functions,
   and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
   OSSL_STORE_error and OSSL_STORE_close.
   The implementation uses backends called "loaders" to implement arbitrary
   URI schemes. There is one built in "loader" for the 'file' scheme.

   *Richard Levitte*

 * Add devcrypto engine. This has been implemented against cryptodev-linux,
   then adjusted to work on FreeBSD 8.4 as well.
   Enable by configuring with 'enable-devcryptoeng'. This is done by default
   on BSD implementations, as cryptodev.h is assumed to exist on all of them.

   *Richard Levitte*

 * Module names can be prefixed with OSSL_ or OPENSSL_. This affects
   util/mkerr.pl, which is adapted to allow those prefixes, leading to
   error code calls like this:

       OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);

   With this change, we claim the namespaces OSSL and OPENSSL in a manner
   that can be encoded in C. For the foreseeable future, this will only
   affect new modules.

   *Richard Levitte and Tim Hudson*

 * Removed BSD cryptodev engine.

   *Rich Salz*

 * Add a build target 'build_all_generated', to build all generated files
   and only that. This can be used to prepare everything that requires
   things like perl for a system that lacks perl and then move everything
   to that system and do the rest of the build there.

   *Richard Levitte*

 * In the UI interface, make it possible to duplicate the user data. This
   can be used by engines that need to retain the data for a longer time
   than just the call where this user data is passed.

   *Richard Levitte*

 * Ignore the '-named_curve auto' value for compatibility of applications
   with OpenSSL 1.0.2.

   *Tomáš Mráz <tmraz@fedoraproject.org>*

 * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
   bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
   alerts across multiple records (some of which could be empty). In practice
   it makes no sense to send an empty alert record, or to fragment one. TLSv1.3
   prohibits this altogether and other libraries (BoringSSL, NSS) do not
   support this at all. Supporting it adds significant complexity to the
   record layer, and its removal is unlikely to cause interoperability
   issues.

   *Matt Caswell*

 * Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
   with Z. These are meant to replace LONG and ZLONG and to be size safe.
   The use of LONG and ZLONG is discouraged and scheduled for deprecation
   in OpenSSL 1.2.0.

   *Richard Levitte*

 * Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
   'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.

   *Richard Levitte, Andy Polyakov*

 * Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
   does for RSA, etc.

   *Richard Levitte*

 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
   platform rather than 'mingw'.

   *Richard Levitte*

 * The functions X509_STORE_add_cert and X509_STORE_add_crl return
   success if they are asked to add an object which already exists
   in the store. This change cascades to other functions which load
   certificates and CRLs.

   *Paul Dale*

 * x86_64 assembly pack: annotate code with DWARF CFI directives to
   facilitate stack unwinding even from assembly subroutines.

   *Andy Polyakov*

 * Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
   Also remove OPENSSL_GLOBAL entirely, as it became a no-op.

   *Richard Levitte*

 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
   which is the minimum version we support.

   *Richard Levitte*

 * Certificate time validation (X509_cmp_time) enforces stricter
   compliance with RFC 5280. Fractional seconds and timezone offsets
   are no longer allowed.

   *Emilia Käsper*

 * Add support for ARIA

   *Paul Dale*

 * s_client will now send the Server Name Indication (SNI) extension by
   default unless the new "-noservername" option is used. The server name is
   based on the host provided to the "-connect" option unless overridden by
   using "-servername".

   *Matt Caswell*

 * Add support for SipHash

   *Todd Short*

 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
   prevent issues where no progress is being made and the peer continually
   sends unrecognised record types, using up resources processing them.

   *Matt Caswell*

 * 'openssl passwd' can now produce SHA256 and SHA512 based output,
   using the algorithm defined in
   <https://www.akkadia.org/drepper/SHA-crypt.txt>

   *Richard Levitte*

 * Heartbeat support has been removed; the ABI is changed for now.

   *Richard Levitte, Rich Salz*

 * Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.

   *Emilia Käsper*

 * The RSA "null" method, which was partially supported to avoid patent
   issues, has been replaced by one that always returns NULL.

   *Rich Salz*

OpenSSL 1.1.0
-------------

### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext.
   If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a workaround for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.
   ([CVE-2019-1563])

   *Bernd Edlinger*

 * Use Windows installation paths in the mingw builds

   Mingw isn't a POSIX environment per se, which means that Windows
   paths should be used for installation.
   ([CVE-2019-1552])

   *Richard Levitte*

### Changes between 1.1.0j and 1.1.0k [28 May 2019]

 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
   This changes the size when using the `genpkey` command when no size is given.
   It fixes an omission in earlier changes that changed all RSA, DSA and DH
   generation commands to use 2048 bits by default.

   *Kurt Roeckx*

 * Prevent over long nonces in ChaCha20-Poly1305.

   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
   for every encryption operation. RFC 7539 specifies that the nonce value
   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
   and front pads the nonce with 0 bytes if it is less than 12
   bytes. However it also incorrectly allows a nonce to be set of up to 16
   bytes. In this case only the last 12 bytes are significant and any
   additional leading bytes are ignored.

   It is a requirement of using this cipher that nonce values are
   unique.
   Messages encrypted using a reused nonce value are susceptible to
   serious confidentiality and integrity attacks. If an application changes
   the default nonce length to be longer than 12 bytes and then makes a
   change to the leading bytes of the nonce expecting the new value to be a
   new unique nonce then such an application could inadvertently encrypt
   messages with a reused nonce.

   Additionally the ignored bytes in a long nonce are not covered by the
   integrity guarantee of this cipher. Any application that relies on the
   integrity of these ignored leading bytes of a long nonce may be further
   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
   is safe because no such use sets such a long nonce value. However user
   applications that use this cipher directly and set a non-default nonce
   length to be longer than 12 bytes may be vulnerable.

   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
   Greef of Ronomon.
   ([CVE-2019-1543])

   *Matt Caswell*

 * Added SCA hardening for modular field inversion in EC_GROUP through
   a new dedicated field_inv() pointer in EC_METHOD.
   This also addresses a leakage affecting conversions from projective
   to affine coordinates.

   *Billy Bob Brumley, Nicola Tuveri*

 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
   re-used X509_PUBKEY object if the second PUBKEY is malformed.

   *Bernd Edlinger*

 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().

   *Richard Levitte*

 * Remove the 'dist' target and add a tarball building script. The
   'dist' target has fallen out of use, and it shouldn't be
   necessary to configure just to create a source distribution.

   *Richard Levitte*

### Changes between 1.1.0i and 1.1.0j [20 Nov 2018]

 * Timing vulnerability in DSA signature generation

   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use variations in the signing
   algorithm to recover the private key.

   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
   ([CVE-2018-0734])

   *Paul Dale*

 * Timing vulnerability in ECDSA signature generation

   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use variations in the signing
   algorithm to recover the private key.

   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
   ([CVE-2018-0735])

   *Paul Dale*

 * Add coordinate blinding for EC_POINT and implement projective
   coordinate blinding for generic prime curves as a countermeasure to
   chosen point SCA attacks.

   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*

### Changes between 1.1.0h and 1.1.0i [14 Aug 2018]

 * Client DoS due to large DH parameter

   During key agreement in a TLS handshake using a DH(E) based ciphersuite a
   malicious server can send a very large prime value to the client. This will
   cause the client to spend an unreasonably long period of time generating a
   key for this prime resulting in a hang until the client has finished. This
   could be exploited in a Denial Of Service attack.

   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken.
   ([CVE-2018-0732])

   *Guido Vranken*

 * Cache timing vulnerability in RSA Key Generation

   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
   a cache timing side channel attack.
   An attacker with sufficient access to
   mount cache timing attacks during the RSA key generation process could
   recover the private key.

   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
   ([CVE-2018-0737])

   *Billy Brumley*

 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
   parameter is no longer accepted, as it leads to a corrupt table. NULL
   pem_str is reserved for alias entries only.

   *Richard Levitte*

 * Revert blinding in ECDSA sign and instead make problematic addition
   length-invariant. Switch even to fixed-length Montgomery multiplication.

   *Andy Polyakov*

 * Change generating and checking of primes so that the error rate of not
   being prime depends on the intended use based on the size of the input.
   For larger primes this will result in more rounds of Miller-Rabin.
   The maximal error rate for primes with more than 1080 bits is lowered
   to 2^-128.

   *Kurt Roeckx, Annie Yousar*

 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.

   *Kurt Roeckx*

 * Add blinding to ECDSA and DSA signatures to protect against side channel
   attacks discovered by Keegan Ryan (NCC Group).

   *Matt Caswell*

 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
   now allow empty (zero character) pass phrases.

   *Richard Levitte*

 * Certificate time validation (X509_cmp_time) enforces stricter
   compliance with RFC 5280. Fractional seconds and timezone offsets
   are no longer allowed.

   *Emilia Käsper*

 * Fixed a text canonicalisation bug in CMS

   Where a CMS detached signature is used with text content the text goes
   through a canonicalisation process first prior to signing or verifying a
   signature.
   This process strips trailing space at the end of lines, converts
   line terminators to CRLF and removes additional trailing line terminators
   at the end of a file. A bug in the canonicalisation process meant that
   some characters, such as form-feed, were incorrectly treated as whitespace
   and removed. This is contrary to the specification (RFC5485). This fix
   could mean that detached text data signed with an earlier version of
   OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
   signed with a fixed OpenSSL may fail to verify with an earlier version of
   OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
   and use the "-binary" flag (for the "cms" command line application) or set
   the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).

   *Matt Caswell*

### Changes between 1.1.0g and 1.1.0h [27 Mar 2018]

 * Constructed ASN.1 types with a recursive definition could exceed the stack

   Constructed ASN.1 types with a recursive definition (such as can be found
   in PKCS7) could eventually exceed the stack given malicious input with
   excessive recursion. This could result in a Denial Of Service attack. There
   are no such structures used within SSL/TLS that come from untrusted sources
   so this is considered safe.

   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
   project.
   ([CVE-2018-0739])

   *Matt Caswell*

 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC

   Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
   effectively reduced to only comparing the least significant bit of each
   byte. This allows an attacker to forge messages that would be considered as
   authenticated in an amount of tries lower than that guaranteed by the
   security claims of the scheme.
   The module can only be compiled by the
   HP-UX assembler, so that only HP-UX PA-RISC targets are affected.

   This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
   (IBM).
   ([CVE-2018-0733])

   *Andy Polyakov*

 * Add a build target 'build_all_generated', to build all generated files
   and only that. This can be used to prepare everything that requires
   things like perl for a system that lacks perl and then move everything
   to that system and do the rest of the build there.

   *Richard Levitte*

 * Backport SSL_OP_NO_RENEGOTIATION

   OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
   (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
   changes this is no longer possible in 1.1.0. Therefore the new
   SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
   1.1.0 to provide equivalent functionality.

   Note that if an application built against 1.1.0h headers (or above) is run
   using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
   accepted but nothing will happen, i.e. renegotiation will not be prevented.

   *Matt Caswell*

 * Removed the OS390-Unix config target. It relied on a script that doesn't
   exist.

   *Rich Salz*

 * rsaz_1024_mul_avx2 overflow bug on x86_64

   There is an overflow bug in the AVX2 Montgomery multiplication procedure
   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
   Analysis suggests that attacks against RSA and DSA as a result of this
   defect would be very difficult to perform and are not believed likely.
   Attacks against DH1024 are considered just feasible, because most of the
   work necessary to deduce information about a private key may be performed
   offline. The amount of resources required for such an attack would be
   significant.
   However, for an attack on TLS to be meaningful, the server
   would have to share the DH1024 private key among multiple clients, which is
   no longer an option since CVE-2016-0701.

   This only affects processors that support the AVX2 but not ADX extensions
   like Intel Haswell (4th generation).

   This issue was reported to OpenSSL by David Benjamin (Google). The issue
   was originally found via the OSS-Fuzz project.
   ([CVE-2017-3738])

   *Andy Polyakov*

### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]

 * bn_sqrx8x_internal carry bug on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients.

   This only affects processors that support the BMI1, BMI2 and ADX extensions
   like Intel Broadwell (5th generation) and later or AMD Ryzen.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3736])

   *Andy Polyakov*

 * Malformed X.509 IPAddressFamily could cause OOB read

   If an X.509 certificate has a malformed IPAddressFamily extension,
   OpenSSL could do a one-byte buffer overread. The most likely result
   would be an erroneous display of the certificate in text format.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3735])

   *Rich Salz*

### Changes between 1.1.0e and 1.1.0f [25 May 2017]

 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
   platform rather than 'mingw'.

   *Richard Levitte*

 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
   which is the minimum version we support.

   *Richard Levitte*

### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]

 * Encrypt-Then-Mac renegotiation crash

   During a renegotiation handshake if the Encrypt-Then-Mac extension is
   negotiated where it was not in the original handshake (or vice-versa) then
   this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
   and servers are affected.

   This issue was reported to OpenSSL by Joe Orton (Red Hat).
   ([CVE-2017-3733])

   *Matt Caswell*

### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]

 * Truncated packet could crash via OOB read

   If one side of an SSL/TLS path is running on a 32-bit host and a specific
   cipher is being used, then a truncated packet can cause that host to
   perform an out-of-bounds read, usually resulting in a crash.

   This issue was reported to OpenSSL by Robert Święcki of Google.
   ([CVE-2017-3731])

   *Andy Polyakov*

 * Bad (EC)DHE parameters cause a client crash

   If a malicious server supplies bad parameters for a DHE or ECDHE key
   exchange then this can result in the client attempting to dereference a
   NULL pointer leading to a client crash. This could be exploited in a Denial
   of Service attack.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2017-3730])

   *Matt Caswell*

 * BN_mod_exp may produce incorrect results on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients. For example this can occur by
   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
   similar to CVE-2015-3193 but must be treated as a separate problem.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3732])

   *Andy Polyakov*

### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]

 * ChaCha20/Poly1305 heap-buffer-overflow

   TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
   a DoS attack by corrupting larger payloads. This can result in an OpenSSL
   crash. This issue is not considered to be exploitable beyond a DoS.

   This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
   ([CVE-2016-7054])

   *Richard Levitte*

 * CMS Null dereference

   Applications parsing invalid CMS structures can crash with a NULL pointer
   dereference.
   This is caused by a bug in the handling of the ASN.1 CHOICE
   type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
   structure callback if an attempt is made to free certain invalid encodings.
   Only CHOICE structures using a callback which do not handle NULL value are
   affected.

   This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
   ([CVE-2016-7053])

   *Stephen Henson*

 * Montgomery multiplication may produce incorrect results

   There is a carry propagating bug in the Broadwell-specific Montgomery
   multiplication procedure that handles input lengths divisible by, but
   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
   and DH private keys are impossible. This is because the subroutine in
   question is not used in operations with the private key itself and an input
   of the attacker's direct choice. Otherwise the bug can manifest itself as
   transient authentication and key negotiation failures or reproducible
   erroneous outcome of public-key operations with specially crafted input.
   Among EC algorithms only Brainpool P-512 curves are affected and one
   presumably can attack ECDH key negotiation. Impact was not analyzed in
   detail, because pre-requisites for attack are considered unlikely. Namely
   multiple clients have to choose the curve in question and the server has to
   share the private key among them, neither of which is default behaviour.
   Even then only clients that chose the curve will be affected.

   This issue was publicly reported as transient failures and was not
   initially recognized as a security issue. Thanks to Richard Morgan for
   providing a reproducible case.
   ([CVE-2016-7055])

   *Andy Polyakov*

 * Removed automatic addition of RPATH in shared libraries and executables,
   as this was a remainder from OpenSSL 1.0.x and isn't needed any more.

   *Richard Levitte*

### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]

 * Fix Use After Free for large message sizes

   The patch applied to address CVE-2016-6307 resulted in an issue where if a
   message larger than approx 16k is received then the underlying buffer to
   store the incoming message is reallocated and moved. Unfortunately a
   dangling pointer to the old location is left which results in an attempt to
   write to the previously freed location. This is likely to result in a
   crash, however it could potentially lead to execution of arbitrary code.

   This issue only affects OpenSSL 1.1.0a.

   This issue was reported to OpenSSL by Robert Święcki.
   ([CVE-2016-6309])

   *Matt Caswell*

### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP. Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * SSL_peek() hang on empty record

   OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
   sends an empty record. This could be exploited by a malicious peer in a
   Denial Of Service attack.

   This issue was reported to OpenSSL by Alex Gaynor.
   ([CVE-2016-6305])

   *Matt Caswell*

 * Excessive allocation of memory in tls_get_message_header() and
   dtls1_preprocess_fragment()

   A (D)TLS message includes 3 bytes for its length in the header for the
   message. This would allow for messages up to 16Mb in length. Messages of
   this length are excessive and OpenSSL includes a check to ensure that a
   peer is sending reasonably sized messages in order to avoid too much memory
   being consumed to service a connection. A flaw in the logic of version
   1.1.0 means that memory for the message is allocated too early, prior to
   the excessive message length check. Due to the way memory is allocated in
   OpenSSL this could mean an attacker could force up to 21Mb to be allocated
   to service a connection. This could lead to a Denial of Service through
   memory exhaustion. However, the excessive message length check still takes
   place, and this would cause the connection to immediately fail. Assuming
   that the application calls SSL_free() on the failed connection in a timely
   manner then the 21Mb of allocated memory will then be immediately freed
   again. Therefore the excessive memory allocation will be transitory in
   nature. This then means that there is only a security impact if:

   1) The application does not call SSL_free() in a timely manner in the event
      that the connection fails
   or
   2) The application is working in a constrained environment where there is
      very little free memory
   or
   3) The attacker initiates multiple connection attempts such that there are
      multiple connections in a state where memory has been allocated for the
      connection; SSL_free() has not yet been called; and there is insufficient
      memory to service the multiple requests.

   Except in the instance of (1) above any Denial Of Service is likely to be
   transitory because as soon as the connection fails the memory is
   subsequently freed again in the SSL_free() call. However there is an
   increased risk during this period of application crashes due to the lack of
   memory - which would then mean a more serious Denial of Service.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   (CVE-2016-6307 and CVE-2016-6308)

   *Matt Caswell*

 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
   had to be removed. The primary reason is that the vendor assembler can't
   assemble our modules with the -KPIC flag. As a result, assembly
   support was not even available as an option. But its lack means
   lack of side-channel resistant code, which is incompatible with
   security by today's standards. Fortunately gcc is a readily available
   prepackaged option, which we firmly point at...

   *Andy Polyakov*

### Changes between 1.0.2h and 1.1.0 [25 Aug 2016]

 * Windows command-line tool supports UTF-8 opt-in option for arguments
   and console input. Setting the OPENSSL_WIN32_UTF8 environment variable
   (to any value) allows Windows users to access PKCS#12 files generated
   with Windows CryptoAPI and protected with non-ASCII passwords, as well
   as files generated under a UTF-8 locale on Linux also protected with
   non-ASCII passwords.

   *Andy Polyakov*

 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
   have been disabled by default and removed from DEFAULT, just like RC4.
   See the RC4 item below to re-enable both.

   *Rich Salz*

 * The method for finding the storage location for the Windows RAND seed file
   has changed. First we check %RANDFILE%. If that is not set then we check
   the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order.
   If all else fails we fall back to C:\.

   *Matt Caswell*

 * The EVP_EncryptUpdate() function has had its return type changed from void
   to int. A return of 0 indicates an error while a return of 1 indicates
   success.

   *Matt Caswell*

 * The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
   DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
   off the constant time implementation for RSA, DSA and DH have been made
   no-ops and deprecated.

   *Matt Caswell*

 * Windows RAND implementation was simplified to only get entropy by
   calling CryptGenRandom(). Various other RAND-related tickets
   were also closed.

   *Joseph Wylie Yandle, Rich Salz*

 * The stack and lhash APIs were renamed to start with `OPENSSL_SK_`
   and `OPENSSL_LH_`, respectively. The old names are available
   with API compatibility. The new names are now completely documented.

   *Rich Salz*

 * Unify TYPE_up_ref(obj) methods signature.
   SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
   X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
   int (instead of void) like all other TYPE_up_ref() methods.
   So now these methods also check the return value of CRYPTO_atomic_add(),
   and the validity of the object reference counter.

   *fdasilvayy@gmail.com*

 * With Windows Visual Studio builds, the .pdb files are installed
   alongside the installed libraries and executables. For a static
   library installation, ossl_static.pdb is the associated compiler
   generated .pdb file to be used when linking programs.

   *Richard Levitte*

 * Remove openssl.spec. Packaging files belong with the packagers.

   *Richard Levitte*

 * Automatic Darwin/OSX configuration has had a refresh; it will now
   recognise x86_64 architectures automatically.
   You can still decide
   to build for a different bitness with the environment variable
   KERNEL_BITS (can be 32 or 64), for example:

       KERNEL_BITS=32 ./config

   *Richard Levitte*

 * Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
   256 bit AES and HMAC with SHA256.

   *Steve Henson*

 * Remove support for MIPS o32 ABI on IRIX (and IRIX only).

   *Andy Polyakov*

 * Triple-DES ciphers have been moved from HIGH to MEDIUM.

   *Rich Salz*

 * To enable users to have their own config files and build file templates,
   Configure looks in the directory indicated by the environment variable
   OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
   directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
   name and is used as is.

   *Richard Levitte*

 * The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
   X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
   X509_CERT_FILE_CTX was removed.

   *Rich Salz*

 * "shared" builds are now the default. To create only static libraries use
   the "no-shared" Configure option.

   *Matt Caswell*

 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
   These options have not worked for some time, and the algorithms they
   cover are fundamental.

   *Matt Caswell*

 * Make various cleanup routines no-ops and mark them as deprecated. Most
   global cleanup functions are no longer required because they are handled
   via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
   Explicitly de-initing can cause problems (e.g. where a library that uses
   OpenSSL de-inits, but an application is still using it).
   The affected
   functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
   EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
   RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
   COMP_zlib_cleanup().

   *Matt Caswell*

 * --strict-warnings no longer enables runtime debugging options
   such as REF_DEBUG. Instead, debug options are automatically
   enabled with '--debug' builds.

   *Andy Polyakov, Emilia Käsper*

 * Made DH and DH_METHOD opaque. The structures for managing DH objects
   have been moved out of the public header files. New functions for managing
   these have been added.

   *Matt Caswell*

 * Made RSA and RSA_METHOD opaque. The structures for managing RSA
   objects have been moved out of the public header files. New
   functions for managing these have been added.

   *Richard Levitte*

 * Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
   have been moved out of the public header files. New functions for managing
   these have been added.

   *Matt Caswell*

 * Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
   moved out of the public header files. New functions for managing these
   have been added.

   *Matt Caswell*

 * Removed no-rijndael as a config option. Rijndael is an old name for AES.

   *Matt Caswell*

 * Removed the mk1mf build scripts.

   *Richard Levitte*

 * Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
   it is always safe to #include a header now.

   *Rich Salz*

 * Removed the aged BC-32 config and all its supporting scripts

   *Richard Levitte*

 * Removed support for Ultrix, Netware, and OS/2.

   *Rich Salz*

 * Add support for HKDF.

   *Alessandro Ghedini*

 * Add support for blake2b and blake2s

   *Bill Cox*

 * Added support for "pipelining". Ciphers that have the
   EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
   encryptions/decryptions simultaneously. There are currently no built-in
   ciphers with this property but the expectation is that engines will be able
   to offer it to significantly improve throughput. Support has been extended
   into libssl so that multiple records for a single connection can be
   processed in one go (for >=TLS 1.1).

   *Matt Caswell*

 * Added the AFALG engine. This is an async capable engine which is able to
   offload work to the Linux kernel. In this initial version it only supports
   AES128-CBC. The kernel must be version 4.1.0 or greater.

   *Catriona Lucey*

 * OpenSSL now uses a new threading API. It is no longer necessary to
   set locking callbacks to use OpenSSL in a multi-threaded environment. There
   are two supported threading models: pthreads and windows threads. It is
   also possible to configure OpenSSL at compile time for "no-threads". The
   old threading API should no longer be used. The functions have been
   replaced with "no-op" compatibility macros.

   *Alessandro Ghedini, Matt Caswell*

 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.

   *Todd Short*

 * Add SSL_CIPHER queries for authentication and key-exchange.

   *Todd Short*

 * Changes to the DEFAULT cipherlist:
   - Prefer (EC)DHE handshakes over plain RSA.
   - Prefer AEAD ciphers over legacy ciphers.
   - Prefer ECDSA over RSA when both certificates are available.
   - Prefer TLSv1.2 ciphers/PRF.
   - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
     default cipherlist.

   *Emilia Käsper*

 * Change the ECC default curve list to be this, in order: x25519,
   secp256r1, secp521r1, secp384r1.

   *Rich Salz*

 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
   disabled by default. They can be re-enabled using the
   enable-weak-ssl-ciphers option to Configure.

   *Matt Caswell*

 * If the server has ALPN configured, but supports no protocols that the
   client advertises, send a fatal "no_application_protocol" alert.
   This behaviour is SHALL in RFC 7301, though it isn't universally
   implemented by other servers.

   *Emilia Käsper*

 * Add X25519 support.
   Add ASN.1 and EVP_PKEY methods for X25519. This includes support
   for public and private key encoding using the format documented in
   draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
   key generation and key derivation.

   TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
   X25519(29).

   *Steve Henson*

 * Deprecate SRP_VBASE_get_by_user.
   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
   In order to fix an unavoidable memory leak ([CVE-2016-0798]),
   SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
   seed, even if the seed is configured.

   Users should use SRP_VBASE_get1_by_user instead. Note that in
   SRP_VBASE_get1_by_user, the caller must free the returned value. Note
   also that even though configuring the SRP seed attempts to hide
   invalid usernames by continuing the handshake with fake
   credentials, this behaviour is not constant time and no strong
   guarantees are made that the handshake is indistinguishable from
   that of a valid user.

   *Emilia Käsper*

 * Configuration change; it's now possible to build dynamic engines
   without having to build shared libraries and vice versa.
   This
   only applies to the engines in `engines/`, those in `crypto/engine/`
   will always be built into libcrypto (i.e. "static").

   Building dynamic engines is enabled by default; to disable, use
   the configuration option "disable-dynamic-engine".

   The only requirements for building dynamic engines are the
   presence of the DSO module and building with position independent
   code, so they will also automatically be disabled if configuring
   with "disable-dso" or "disable-pic".

   The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
   are also taken away from openssl/opensslconf.h, as they are
   irrelevant.

   *Richard Levitte*

 * Configuration change; if there is a known flag to compile
   position independent code, it will always be applied on the
   libcrypto and libssl object files, and never on the application
   object files. This means other libraries that use routines from
   libcrypto / libssl can be made into shared libraries regardless
   of how OpenSSL was configured.

   If this isn't desirable, the configuration options "disable-pic"
   or "no-pic" can be used to disable the use of PIC. This will
   also disable building shared libraries and dynamic engines.

   *Richard Levitte*

 * Removed JPAKE code. It was experimental and has no wide use.

   *Rich Salz*

 * The INSTALL_PREFIX Makefile variable has been renamed to
   DESTDIR. That makes for less confusion on what this variable
   is for. Also, the configuration option --install_prefix is
   removed.

   *Richard Levitte*

 * Heartbeat for TLS has been removed and is disabled by default
   for DTLS; configure with enable-heartbeats. Code that uses the
   old #define's might need to be updated.

   *Emilia Käsper, Rich Salz*

 * Rename REF_CHECK to REF_DEBUG.

   *Rich Salz*

 * New "unified" build system

   The "unified" build system is aimed to be a common system for all
   platforms we support. With it comes new support for VMS.

   This system supports building in a different directory tree
   than the source tree. It produces one Makefile (for unix family
   or lookalikes), or one descrip.mms (for VMS).

   The source of information to make the Makefile / descrip.mms is
   small files called 'build.info', holding the necessary
   information for each directory with source to compile, and a
   template in Configurations, like unix-Makefile.tmpl or
   descrip.mms.tmpl.

   With this change, the library names were also renamed on Windows
   and on VMS. They now have names that are closer to the standard
   on Unix, and include the major version number, and in certain
   cases, the architecture they are built for. See "Notes on shared
   libraries" in INSTALL.

   We rely heavily on the perl module Text::Template.

   *Richard Levitte*

 * Added support for auto-initialisation and de-initialisation of the library.
   OpenSSL no longer requires explicit init or deinit routines to be called,
   except in certain circumstances. See the OPENSSL_init_crypto() and
   OPENSSL_init_ssl() man pages for further information.

   *Matt Caswell*

 * The arguments to the DTLSv1_listen function have changed. Specifically the
   "peer" argument is now expected to be a BIO_ADDR object.

 * Rewrite of BIO networking library. The BIO library lacked consistent
   support of IPv6, and adding it required some more extensive
   modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
   which hold all types of addresses and chains of address information.
   It also introduces a new API, with functions like BIO_socket,
   BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
   The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
   have been adapted accordingly.

   *Richard Levitte*

 * RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
   the leading 0-byte.

   *Emilia Käsper*

 * CRIME protection: disable compression by default, even if OpenSSL is
   compiled with zlib enabled. Applications can still enable compression
   by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
   using the SSL_CONF library to configure compression.

   *Emilia Käsper*

 * The signature of the session callback configured with
   SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
   was explicitly marked as `const unsigned char*` instead of
   `unsigned char*`.

   *Emilia Käsper*

 * Always DPURIFY. Remove the use of uninitialized memory in the
   RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.

   *Emilia Käsper*

 * Removed many obsolete configuration items, including
   DES_PTR, DES_RISC1, DES_RISC2, DES_INT
   MD2_CHAR, MD2_INT, MD2_LONG
   BF_PTR, BF_PTR2
   IDEA_SHORT, IDEA_LONG
   RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX

   *Rich Salz, with advice from Andy Polyakov*

 * Many BN internals have been moved to an internal header file.

   *Rich Salz with help from Andy Polyakov*

 * Configuration and writing out the results from it has changed.
   Files such as Makefile and include/openssl/opensslconf.h are now
   produced through general templates, such as Makefile.in and
   crypto/opensslconf.h.in and some help from the perl module
   Text::Template.

   Also, the center of configuration information is no longer
   Makefile.
   Instead, Configure produces a perl module in
   configdata.pm which holds most of the config data (in the hash
   table %config), and the target data that comes from the target
   configuration in one of the `Configurations/*.conf` files (in
   %target).

   *Richard Levitte*

 * To clarify their intended purposes, the Configure options
   --prefix and --openssldir change their semantics, and become more
   straightforward and less interdependent.

   --prefix shall be used exclusively to give the location INSTALLTOP
   where programs, scripts, libraries, include files and manuals are
   going to be installed. The default is now /usr/local.

   --openssldir shall be used exclusively to give the default
   location OPENSSLDIR where certificates, private keys, CRLs are
   managed. This is also where the default openssl.cnf gets
   installed.
   If the directory given with this option is a relative path, the
   values of both the --prefix value and the --openssldir value will
   be combined to become OPENSSLDIR.
   The default for --openssldir is INSTALLTOP/ssl.

   Anyone who uses --openssldir to specify where OpenSSL is to be
   installed MUST change to use --prefix instead.

   *Richard Levitte*

 * The GOST engine was out of date and therefore it has been removed. An up
   to date GOST engine is now being maintained in an external repository.
   See: <https://wiki.openssl.org/index.php/Binaries>. Libssl still retains
   support for GOST ciphersuites (these are only activated if a GOST engine
   is present).

   *Matt Caswell*

 * EGD is no longer supported by default; use enable-egd when
   configuring.

   *Ben Kaduk and Rich Salz*

 * The distribution now has Makefile.in files, which are used to
   create Makefiles when Configure is run.
   *Configure must be run
   before trying to build now.*

   *Rich Salz*

 * The return value for SSL_CIPHER_description() for error conditions
   has changed.

   *Rich Salz*

 * Support for RFC6698/RFC7671 DANE TLSA peer authentication.

   Obtaining and performing DNSSEC validation of TLSA records is
   the application's responsibility. The application provides
   the TLSA records of its choice to OpenSSL, and these are then
   used to authenticate the peer.

   The TLSA records need not even come from DNS. They can, for
   example, be used to implement local end-entity certificate or
   trust-anchor "pinning", where the "pin" data takes the form
   of TLSA records, which can augment or replace verification
   based on the usual WebPKI public certification authorities.

   *Viktor Dukhovni*

 * Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
   continues to support deprecated interfaces in default builds.
   However, applications are strongly advised to compile their
   source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
   the declarations of all interfaces deprecated in 0.9.8, 1.0.0
   or the 1.1.0 releases.

   In environments in which all applications have been ported to
   not use any deprecated interfaces OpenSSL's Configure script
   should be used with the --api=1.1.0 option to entirely remove
   support for the deprecated features from the library and
   unconditionally disable them in the installed headers.
   Essentially the same effect can be achieved with the "no-deprecated"
   argument to Configure, except that this will always restrict
   the build to just the latest API, rather than a fixed API
   version.
   As applications are ported to future revisions of the API,
   they should update their compile-time OPENSSL_API_COMPAT define
   accordingly, but in most cases should be able to continue to
   compile with later releases.

   The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
   0x10000000L and 0x00908000L, respectively.  However those
   versions did not support the OPENSSL_API_COMPAT feature, and
   so applications are not typically tested for explicit support
   of just the undeprecated features of either release.

   *Viktor Dukhovni*

 * Add support for setting the minimum and maximum supported protocol.
   It can be set via the SSL_set_min_proto_version() and
   SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
   MaxProtocol.  It's recommended to use the new APIs to disable
   protocols instead of disabling individual protocols using
   SSL_set_options() or SSL_CONF's Protocol.  This change also
   removes support for disabling TLS 1.2 in the OpenSSL TLS
   client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.

   *Kurt Roeckx*

 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl.

   *Andy Polyakov*

 * New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
   and integrates ECDSA and ECDH functionality into EC. Implementations can
   now redirect key generation and no longer need to convert to or from
   ECDSA_SIG format.

   Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
   include the ec.h header file instead.

   *Steve Henson*

 * Remove support for all 40 and 56 bit ciphers.  This includes all the export
   ciphers, which are no longer supported, and drops support for the ephemeral
   RSA key exchange. The LOW cipher group currently doesn't contain any
   ciphers.
   *Kurt Roeckx*

 * Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
   opaque.  For HMAC_CTX, the following constructors and destructors
   were added:

       HMAC_CTX *HMAC_CTX_new(void);
       void HMAC_CTX_free(HMAC_CTX *ctx);

   For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
   destroy such methods have been added.  See EVP_MD_meth_new(3) and
   EVP_CIPHER_meth_new(3) for documentation.

   Additional changes:
   1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
      `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
      `EVP_MD_CTX_reset()` should be called instead to reinitialise
      an already created structure.
   2) For consistency with the majority of our object creators and
      destructors, `EVP_MD_CTX_(create|destroy)` were renamed to
      `EVP_MD_CTX_(new|free)`.  The old names are retained as macros
      for deprecated builds.

   *Richard Levitte*

 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
   cryptographic operations to be performed asynchronously as long as an
   asynchronous capable engine is used. See the ASYNC_start_job() man page for
   further details. Libssl has also had this capability integrated with the
   introduction of the new mode SSL_MODE_ASYNC and associated error
   SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
   pages. This work was developed in partnership with Intel Corp.

   *Matt Caswell*

 * SSL_{CTX_}set_ecdh_auto() has been removed and ECDH support is
   always enabled now. If you want to disable the support you should
   exclude it using the list of supported ciphers. This also means that the
   "-no_ecdhe" option has been removed from s_server.

   *Kurt Roeckx*

 * SSL_{CTX_}set_tmp_ecdh(), which can set 1 EC curve, now internally calls
   SSL_{CTX_}set1_curves(), which can set a list.
   *Kurt Roeckx*

 * Remove support for SSL_{CTX_}set_tmp_ecdh_callback().  You should set the
   curve you want to support using SSL_{CTX_}set1_curves().

   *Kurt Roeckx*

 * State machine rewrite. The state machine code has been significantly
   refactored in order to remove much duplication of code and solve issues
   with the old code (see [ssl/statem/README.md](ssl/statem/README.md) for
   further details). This change does have some associated API changes.
   Notably the SSL_state() function has been removed and replaced by
   SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
   SSL_set_state() has been removed altogether. The previous handshake states
   defined in ssl.h and ssl3.h have also been removed.

   *Matt Caswell*

 * All instances of the string "ssleay" in the public API were replaced
   with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's).
   Some error codes related to internal RSA_eay API's were renamed.

   *Rich Salz*

 * The demo files in crypto/threads were moved to demo/threads.

   *Rich Salz*

 * Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
   sureware and ubsec.

   *Matt Caswell, Rich Salz*

 * New ASN.1 embed macro.

   New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
   structure is not allocated: it is part of the parent. That is instead of

           FOO *x;

   it must be:

           FOO x;

   This reduces memory fragmentation and makes it impossible to accidentally
   set a mandatory field to NULL.

   This currently only works for some fields, specifically a SEQUENCE, CHOICE,
   or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
   equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
   SEQUENCE OF.
   *Steve Henson*

 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.

   *Emilia Käsper*

 * Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
   in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
   an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
   DES and RC4 ciphersuites.

   *Matt Caswell*

 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
   This changes the decoding behaviour for some invalid messages,
   though the change is mostly in the more lenient direction, and
   legacy behaviour is preserved as much as possible.

   *Emilia Käsper*

 * Fix no-stdio build.
   *David Woodhouse <David.Woodhouse@intel.com> and also*
   *Ivan Nestlerode <ivan.nestlerode@sonos.com>*

 * New testing framework
   The testing framework has been largely rewritten and is now using
   perl and the perl modules Test::Harness and an extended variant of
   Test::More called OpenSSL::Test to do its work.  All test scripts in
   test/ have been rewritten into test recipes, and all direct calls to
   executables in test/Makefile have become individual recipes using the
   simplified testing OpenSSL::Test::Simple.

   For documentation on our testing modules, do:

       perldoc test/testlib/OpenSSL/Test/Simple.pm
       perldoc test/testlib/OpenSSL/Test.pm

   *Richard Levitte*

 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
   are used; the latter aborts on memory leaks (usually checked on exit).
   Some undocumented "set malloc, etc., hooks" functions were removed
   and others were changed.  All are now documented.
   *Rich Salz*

 * In DSA_generate_parameters_ex, if the provided seed is too short,
   return an error.

   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*

 * Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
   from RFC4279, RFC4785, RFC5487, RFC5489.

   Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
   original RSA_PSK patch.

   *Steve Henson*

 * Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
   era flag was never set throughout the codebase (only read). Also removed
   SSL3_FLAGS_POP_BUFFER which was only used if
   SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.

   *Matt Caswell*

 * Changed the default name options in the "ca", "crl", "req" and "x509"
   commands to be "oneline" instead of "compat".

   *Richard Levitte*

 * Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
   not aware of clients that still exhibit this bug, and the workaround
   hasn't been working properly for a while.

   *Emilia Käsper*

 * The return type of BIO_number_read() and BIO_number_written() as well as
   the corresponding num_read and num_write members in the BIO structure has
   changed from unsigned long to uint64_t. On platforms where an unsigned
   long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
   transferred.

   *Matt Caswell*

 * Given the pervasive nature of TLS extensions it is inadvisable to run
   OpenSSL without support for them. It also means that maintaining
   the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
   not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.

   *Matt Caswell*

 * Removed support for the two export grade static DH ciphersuites
   EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA.
   These two ciphersuites
   were newly added (along with a number of other static DH ciphersuites) to
   1.0.2. However the two export ones have *never* worked since they were
   introduced. It seems strange in any case to be adding new export
   ciphersuites, and given "logjam" it also does not seem correct to fix them.

   *Matt Caswell*

 * Version negotiation has been rewritten. In particular SSLv23_method(),
   SSLv23_client_method() and SSLv23_server_method() have been deprecated,
   and turned into macros which simply call the new preferred function names
   TLS_method(), TLS_client_method() and TLS_server_method(). All new code
   should use the new names instead. Also as part of this change the ssl23.h
   header file has been removed.

   *Matt Caswell*

 * Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
   code and the associated standard is no longer considered fit-for-purpose.

   *Matt Caswell*

 * RT2547 was closed.  When generating a private key, try to make the
   output file readable only by the owner.  This behavior change might
   be noticeable when interacting with other software.

 * Documented all exdata functions.  Added CRYPTO_free_ex_index.
   Added a test.

   *Rich Salz*

 * Added HTTP GET support to the ocsp command.

   *Rich Salz*

 * Changed default digest for the dgst and enc commands from MD5 to
   sha256.

   *Rich Salz*

 * RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.

   *Matt Caswell*

 * Added support for TLS extended master secret from
   draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
   initial patch which was a great help during development.
   *Steve Henson*

 * All libssl internal structures have been removed from the public header
   files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
   now redundant). Users should not attempt to access internal structures
   directly. Instead they should use the provided API functions.

   *Matt Caswell*

 * config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
   Access to deprecated functions can be re-enabled by running config with
   "enable-deprecated". In addition applications wishing to use deprecated
   functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
   will, by default, disable some transitive includes that previously existed
   in the header files (e.g. ec.h will no longer, by default, include bn.h).

   *Matt Caswell*

 * Added support for OCB mode. OpenSSL has been granted a patent license
   compatible with the OpenSSL license for use of OCB. Details are available
   at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
   for OCB can be removed by calling config with no-ocb.

   *Matt Caswell*

 * SSLv2 support has been removed.  It still supports receiving an SSLv2
   compatible client hello.

   *Kurt Roeckx*

 * Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
   done while fixing the error code for the key-too-small case.

   *Annie Yousar <a.yousar@informatik.hu-berlin.de>*

 * CA.sh has been removed; use CA.pl instead.

   *Rich Salz*

 * Removed old DES API.
   *Rich Salz*

 * Remove various unsupported platforms:
      Sony NEWS4
      BEOS and BEOS_R5
      NeXT
      SUNOS
      MPE/iX
      Sinix/ReliantUNIX RM400
      DGUX
      NCR
      Tandem
      Cray
      16-bit platforms such as WIN16

   *Rich Salz*

 * Clean up OPENSSL_NO_xxx #define's
   - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
   - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
   - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
   - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
   - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
   - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
     OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
     OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
     OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
   - Remove MS_STATIC; it's a relic from platforms <32 bits.

   *Rich Salz*

 * Cleaned up dead code
   Remove all but one '#ifdef undef' which is to be looked at.

   *Rich Salz*

 * Clean up calling of xxx_free routines.
   Just like free(), fix most of the xxx_free routines to accept
   NULL.  Remove the non-null checks from callers.  Save much code.

   *Rich Salz*

 * Add secure heap for storage of private keys (when possible).
   Add BIO_s_secmem(), CBIGNUM, etc.
   Contributed by Akamai Technologies under our Corporate CLA.

   *Rich Salz*

 * Experimental support for a new, fast, unbiased prime candidate generator,
   bn_probable_prime_dh_coprime(). Not currently used by any prime generator.

   *Felix Laurie von Massenbach <felix@erbridge.co.uk>*

 * New output format NSS in the sess_id command line tool. This allows
   exporting the session id and the master key in NSS keylog format.

   *Martin Kaiser <martin@kaiser.cx>*

 * Harmonize version and its documentation.
   The -f flag is used to display compilation flags.

   *mancha <mancha1@zoho.com>*

 * Fix eckey_priv_encode so it immediately returns an error upon a failure
   in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.

   *mancha <mancha1@zoho.com>*

 * Fix some double frees. These are not thought to be exploitable.

   *mancha <mancha1@zoho.com>*

 * A missing bounds check in the handling of the TLS heartbeat extension
   can be used to reveal up to 64k of memory to a connected client or
   server.

   Thanks to Neel Mehta of Google Security for discovering this bug and to
   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
   preparing the fix ([CVE-2014-0160])

   *Adam Langley, Bodo Moeller*

 * Fix for the attack described in the paper "Recovering OpenSSL
   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   by Yuval Yarom and Naomi Benger. Details can be obtained from:
   <http://eprint.iacr.org/2014/140>

   Thanks to Yuval Yarom and Naomi Benger for discovering this
   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])

   *Yuval Yarom and Naomi Benger*

 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
   this fixes a limitation in previous versions of OpenSSL.

   *Steve Henson*

 * Experimental encrypt-then-mac support.

   Experimental support for encrypt then mac from
   draft-gutmann-tls-encrypt-then-mac-02.txt

   To enable it set the appropriate extension number (0x42 for the test
   server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42

   For non-compliant peers (i.e. just about everything) this should have no
   effect.

   WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
   *Steve Henson*

 * Add EVP support for key wrapping algorithms. To avoid problems with
   existing code, the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
   algorithms and include test cases.

   *Steve Henson*

 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
   enveloped data.

   *Steve Henson*

 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
   MGF1 digest and OAEP label.

   *Steve Henson*

 * Make openssl verify return errors.

   *Chris Palmer <palmer@google.com> and Ben Laurie*

 * New function ASN1_TIME_diff to calculate the difference between two
   ASN1_TIME structures or one structure and the current time.

   *Steve Henson*

 * Update fips_test_suite to support multiple command line options. New
   test to induce all self test errors in sequence and check expected
   failures.

   *Steve Henson*

 * Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
   sign or verify all in one operation.

   *Steve Henson*

 * Add fips_algvs: a multicall fips utility incorporating all the algorithm
   test programs and fips_test_suite. Includes functionality to parse
   the minimal script output of fipsalgest.pl directly.

   *Steve Henson*

 * Add authorisation parameter to FIPS_module_mode_set().

   *Steve Henson*

 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.

   *Steve Henson*

 * Use separate DRBG fields for internal and external flags. New function
   FIPS_drbg_health_check() to perform on demand health checking. Add
   generation tests to fips_test_suite with reduced health check interval to
   demonstrate periodic health checking. Add "nodh" option to
   fips_test_suite to skip very slow DH test.
   *Steve Henson*

 * New function FIPS_get_cipherbynid() to look up FIPS supported ciphers
   based on NID.

   *Steve Henson*

 * More extensive health check for DRBG checking many more failure modes.
   New function FIPS_selftest_drbg_all() to handle every possible DRBG
   combination: call this in fips_test_suite.

   *Steve Henson*

 * Add support for canonical generation of DSA parameter 'g'. See
   FIPS 186-3 A.2.3.

 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
   POST to handle HMAC cases.

   *Steve Henson*

 * Add functions FIPS_module_version() and FIPS_module_version_text()
   to return numerical and string versions of the FIPS module number.

   *Steve Henson*

 * Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
   FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
   outside the validated module in the FIPS capable OpenSSL.

   *Steve Henson*

 * Minor change to DRBG entropy callback semantics. In some cases
   there is no multiple of the block length between min_len and
   max_len. Allow the callback to return more than max_len bytes
   of entropy but discard any extra: it is the callback's responsibility
   to ensure that the extra data discarded does not impact the
   requested amount of entropy.

   *Steve Henson*

 * Add PRNG security strength checks to RSA, DSA and ECDSA using
   information in FIPS186-3, SP800-57 and SP800-131A.

   *Steve Henson*

 * CCM support via EVP. Interface is very similar to GCM case except we
   must supply all data in one chunk (i.e. no update, final) and the
   message length must be supplied if AAD is used. Add algorithm test
   support.

   *Steve Henson*

 * Initial version of POST overhaul. Add POST callback to allow the status
   of POST to be monitored and/or failures induced.
   Modify fips_test_suite
   to use callback. Always run all selftests even if one fails.

   *Steve Henson*

 * XTS support including algorithm test driver in the fips_gcmtest program.
   Note: this does increase the maximum key length from 32 to 64 bytes but
   there should be no binary compatibility issues as existing applications
   will never use XTS mode.

   *Steve Henson*

 * Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
   on OpenSSL RAND code and replace with a tiny FIPS RAND API which also
   performs algorithm blocking for unapproved PRNG types. Also do not
   set PRNG type in FIPS_mode_set(): leave this to the application.
   Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
   the standard OpenSSL PRNG: set additional data to a date time vector.

   *Steve Henson*

 * Rename old X9.31 PRNG functions of the form `FIPS_rand*` to `FIPS_x931*`.
   This shouldn't present any incompatibility problems because applications
   shouldn't be using these directly and any that are will need to rethink
   anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.

   *Steve Henson*

 * Extensive self tests and health checking required by SP800-90 DRBG.
   Remove strength parameter from FIPS_drbg_instantiate and always
   instantiate at maximum supported strength.

   *Steve Henson*

 * Add ECDH code to fips module and fips_ecdhvs for primitives only testing.

   *Steve Henson*

 * New algorithm test program fips_dhvs to handle DH primitives only testing.

   *Steve Henson*

 * New function DH_compute_key_padded() to compute a DH key and pad with
   leading zeroes if needed: this complies with SP800-56A et al.

   *Steve Henson*

 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
   anything, incomplete, subject to change and largely untested at present.
   *Steve Henson*

 * Modify fipscanisteronly build option to only build the necessary object
   files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.

   *Steve Henson*

 * Add experimental option FIPSSYMS to give all symbols in
   fipscanister.o a FIPS or fips prefix. This will avoid
   conflicts with future versions of OpenSSL. Add perl script
   util/fipsas.pl to preprocess assembly language source files
   and rename any affected symbols.

   *Steve Henson*

 * Add selftest checks and algorithm blocking of non-fips algorithms in
   FIPS mode. Remove DES2 from selftests.

   *Steve Henson*

 * Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
   return internal method without any ENGINE dependencies. Add new
   tiny fips sign and verify functions.

   *Steve Henson*

 * New build option no-ec2m to disable characteristic 2 code.

   *Steve Henson*

 * New build option "fipscanisteronly". This only builds fipscanister.o
   and (currently) associated fips utilities. Uses the file Makefile.fips
   instead of Makefile.org as the prototype.

   *Steve Henson*

 * Add some FIPS mode restrictions to GCM. Add internal IV generator.
   Update fips_gcmtest to use IV generator.

   *Steve Henson*

 * Initial, experimental EVP support for AES-GCM. AAD can be input by
   setting output buffer to NULL. The `*Final` function must be
   called although it will not retrieve any additional data. The tag
   can be set or retrieved with a ctrl. The IV length is by default 12
   bytes (96 bits) but can be set to an alternative value. If the IV
   length exceeds the maximum IV length (currently 16 bytes) it cannot be
   set before the key.

   *Steve Henson*

 * New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER.
   This means the
   underlying do_cipher function handles all cipher semantics itself
   including padding and finalisation. This is useful if (for example)
   an ENGINE cipher handles block padding itself. The behaviour of
   do_cipher is subtly changed if this flag is set: the return value
   is the number of characters written to the output buffer (zero is
   no longer an error code) or a negative error code. Also if the
   input buffer is NULL and length 0 finalisation should be performed.

   *Steve Henson*

 * If a candidate issuer certificate is already part of the constructed
   path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.

   *Steve Henson*

 * Improve forward-security support: add functions

       void SSL_CTX_set_not_resumable_session_callback(
                SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
       void SSL_set_not_resumable_session_callback(
                SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

   for use by SSL/TLS servers; the callback function will be called whenever a
   new session is created, and gets to decide whether the session may be
   cached to make it resumable (return 0) or not (return 1).  (As by the
   SSL/TLS protocol specifications, the session_id sent by the server will be
   empty to indicate that the session is not resumable; also, the server will
   not generate RFC 4507 (RFC 5077) session tickets.)

   A simple reasonable callback implementation is to return is_forward_secure.
   This parameter will be set to 1 or 0 depending on the ciphersuite selected
   by the SSL/TLS server library, indicating whether it can provide forward
   security.

   *Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)*

 * New -verify_name option in command line utilities to set verification
   parameters by name.

   *Steve Henson*

 * Initial CMAC implementation.
   WARNING: EXPERIMENTAL, API MAY CHANGE.
   Add CMAC pkey methods.

   *Steve Henson*

 * Experimental renegotiation in s_server -www mode. If the client
   browses /reneg, the connection is renegotiated. If /renegcert, it is
   renegotiated requesting a certificate.

   *Steve Henson*

 * Add an "external" session cache for debugging purposes to s_server. This
   should help trace issues which normally are only apparent in deployed
   multi-process servers.

   *Steve Henson*

 * Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
   return value is ignored. NB. The functions RAND_add(), RAND_seed(),
   BIO_set_cipher() and some obscure PEM functions were changed so they
   can now return an error. The RAND changes required a change to the
   RAND_METHOD structure.

   *Steve Henson*

 * New macro `__owur` for "OpenSSL Warn Unused Result". This makes use of
   a gcc attribute to warn if the result of a function is ignored. This
   is enabled if DEBUG_UNUSED is set. Add to several functions in evp.h
   whose return value is often ignored.

   *Steve Henson*

 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
   These allow SCTs (signed certificate timestamps) to be requested and
   validated when establishing a connection.

   *Rob Percival <robpercival@google.com>*

OpenSSL 1.0.2
-------------

### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   The attack is simple: the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is a chosen ciphertext. If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a work around for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.
   ([CVE-2019-1563])

   *Bernd Edlinger*

 * Document issue with installation paths in diverse Windows builds

   '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
   binaries and run-time config file.
   ([CVE-2019-1552])

   *Richard Levitte*

### Changes between 1.0.2r and 1.0.2s [28 May 2019]

 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
   This changes the size when using the `genpkey` command when no size is given.
   It fixes an omission in earlier changes that changed all RSA, DSA and DH
   generation commands to use 2048 bits by default.

   *Kurt Roeckx*

 * Add FIPS support for Android Arm 64-bit

   Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
   Module in Version 2.0.10. For some reason, the corresponding target
   'android64-aarch64' was missing from OpenSSL 1.0.2, whence it could not be
   built with FIPS support on Android Arm 64-bit. This omission has been
   fixed.

   *Matthias St. Pierre*

### Changes between 1.0.2q and 1.0.2r [26 Feb 2019]

 * 0-byte record padding oracle

   If an application encounters a fatal protocol error and then calls
   SSL_shutdown() twice (once to send a close_notify, and once to receive one)
   then OpenSSL can respond differently to the calling application if a 0 byte
   record is received with invalid padding compared to if a 0 byte record is
   received with an invalid MAC. If the application then behaves differently
   based on that in a way that is detectable to the remote peer, then this
   amounts to a padding oracle that could be used to decrypt data.

   In order for this to be exploitable "non-stitched" ciphersuites must be in
   use. Stitched ciphersuites are optimised implementations of certain
   commonly used ciphersuites. Also the application must call SSL_shutdown()
   twice even if a protocol error has occurred (applications should not do
   this but some do anyway).

   This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
   Aviram, with additional investigation by Steven Collison and Andrew
   Hourselt. It was reported to OpenSSL on 10th December 2018.
   ([CVE-2019-1559])

   *Matt Caswell*

 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
4870 4871 *Richard Levitte* 4872 4873### Changes between 1.0.2p and 1.0.2q [20 Nov 2018] 4874 4875 * Microarchitecture timing vulnerability in ECC scalar multiplication 4876 4877 OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been 4878 shown to be vulnerable to a microarchitecture timing side channel attack. 4879 An attacker with sufficient access to mount local timing attacks during 4880 ECDSA signature generation could recover the private key. 4881 4882 This issue was reported to OpenSSL on 26th October 2018 by Alejandro 4883 Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and 4884 Nicola Tuveri. 4885 ([CVE-2018-5407]) 4886 4887 *Billy Brumley* 4888 4889 * Timing vulnerability in DSA signature generation 4890 4891 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a 4892 timing side channel attack. An attacker could use variations in the signing 4893 algorithm to recover the private key. 4894 4895 This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. 4896 ([CVE-2018-0734]) 4897 4898 *Paul Dale* 4899 4900 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object 4901 Module, accidentally introduced while backporting security fixes from the 4902 development branch and hindering the use of ECC in FIPS mode. 4903 4904 *Nicola Tuveri* 4905 4906### Changes between 1.0.2o and 1.0.2p [14 Aug 2018] 4907 4908 * Client DoS due to large DH parameter 4909 4910 During key agreement in a TLS handshake using a DH(E) based ciphersuite a 4911 malicious server can send a very large prime value to the client. This will 4912 cause the client to spend an unreasonably long period of time generating a 4913 key for this prime resulting in a hang until the client has finished. This 4914 could be exploited in a Denial Of Service attack. 
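   The kind of cheap size check a client can apply to the server's DH
   parameters before any key generation is attempted, as an added example
   (not OpenSSL's own code): the 10000-bit cap is the one OpenSSL applies as
   OPENSSL_DH_MAX_MODULUS_BITS, while the TLS 1.2 ServerDHParams wire layout
   (dh_p, dh_g, dh_Ys as 2-byte length-prefixed vectors), the helper names and
   the constructed test message are assumptions of this example.

```c
/* Added example, not OpenSSL code: bound the size of a server-supplied DH
 * modulus before any key generation is attempted, so an oversized prime is
 * rejected cheaply instead of causing a hang. The message layout assumed is
 * the TLS 1.2 ServerDHParams: dh_p, dh_g and dh_Ys, each sent as a 2-byte
 * big-endian length followed by that many bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The cap OpenSSL uses for DH moduli (OPENSSL_DH_MAX_MODULUS_BITS). */
#define DH_MAX_MODULUS_BITS 10000

/* Number of significant bits in a big-endian byte string (0 if all zero). */
size_t be_bit_length(const uint8_t *buf, size_t len)
{
    size_t i = 0, bits;
    uint8_t top;

    while (i < len && buf[i] == 0)
        i++;
    if (i == len)
        return 0;
    bits = (len - i - 1) * 8;
    for (top = buf[i]; top != 0; top >>= 1)
        bits++;
    return bits;
}

/* Parse one <1..2^16-1> vector at *pos; returns 0 on truncation or a
 * zero-length vector. Only forms pointers inside msg. */
static int read_vector(const uint8_t *msg, size_t msglen, size_t *pos,
                       const uint8_t **out, size_t *outlen)
{
    size_t n;

    if (msglen - *pos < 2)
        return 0;
    n = ((size_t)msg[*pos] << 8) | msg[*pos + 1];
    *pos += 2;
    if (n == 0 || n > msglen - *pos)
        return 0;
    *out = msg + *pos;
    *outlen = n;
    *pos += n;
    return 1;
}

/* Returns the bit length of dh_p when the parameters may be used, or 0 when
 * the message is malformed or dh_p exceeds the cap. */
size_t check_server_dh_params(const uint8_t *msg, size_t msglen)
{
    size_t pos = 0, plen, glen, yslen, bits;
    const uint8_t *p, *g, *ys;

    if (!read_vector(msg, msglen, &pos, &p, &plen)
        || !read_vector(msg, msglen, &pos, &g, &glen)
        || !read_vector(msg, msglen, &pos, &ys, &yslen))
        return 0;
    bits = be_bit_length(p, plen);
    if (bits == 0 || bits > DH_MAX_MODULUS_BITS)
        return 0;
    return bits;
}

/* Constructed test message: a p of pbytes bytes with top byte 0x80 (bit
 * length pbytes * 8), g = 2, Ys = 5. Returns the encoded length, 0 on error. */
size_t build_params(uint8_t *buf, size_t buflen, size_t pbytes)
{
    size_t pos = 0;

    if (pbytes == 0 || pbytes > 0xFFFF || buflen < pbytes + 8)
        return 0;
    buf[pos++] = (uint8_t)(pbytes >> 8);
    buf[pos++] = (uint8_t)pbytes;
    memset(buf + pos, 0xFF, pbytes);
    buf[pos] = 0x80;
    pos += pbytes;
    buf[pos++] = 0; buf[pos++] = 1; buf[pos++] = 2;  /* dh_g  = 2 */
    buf[pos++] = 0; buf[pos++] = 1; buf[pos++] = 5;  /* dh_Ys = 5 */
    return pos;
}

int main(void)
{
    uint8_t buf[2048];
    size_t n = build_params(buf, sizeof buf, 256);   /* 2048-bit p */

    printf("2048-bit p: %zu bits accepted\n", check_server_dh_params(buf, n));
    n = build_params(buf, sizeof buf, 1251);          /* 10008-bit p */
    printf("10008-bit p: %zu (0 = rejected)\n", check_server_dh_params(buf, n));
    return 0;
}
```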
   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken.
   ([CVE-2018-0732])

   *Guido Vranken*

 * Cache timing vulnerability in RSA Key Generation

   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
   a cache timing side channel attack. An attacker with sufficient access to
   mount cache timing attacks during the RSA key generation process could
   recover the private key.

   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
   ([CVE-2018-0737])

   *Billy Brumley*

 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
   parameter is no longer accepted, as it leads to a corrupt table. NULL
   pem_str is reserved for alias entries only.

   *Richard Levitte*

 * Revert blinding in ECDSA sign and instead make problematic addition
   length-invariant. Switch even to fixed-length Montgomery multiplication.

   *Andy Polyakov*

 * Change generating and checking of primes so that the error rate of not
   being prime depends on the intended use based on the size of the input.
   For larger primes this will result in more rounds of Miller-Rabin.
   The maximal error rate for primes with more than 1080 bits is lowered
   to 2^-128.

   *Kurt Roeckx, Annie Yousar*

 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.

   *Kurt Roeckx*

 * Add blinding to ECDSA and DSA signatures to protect against side channel
   attacks discovered by Keegan Ryan (NCC Group).

   *Matt Caswell*

 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
   now allow empty (zero character) pass phrases.

   *Richard Levitte*

 * Certificate time validation (X509_cmp_time) enforces stricter
   compliance with RFC 5280. Fractional seconds and timezone offsets
   are no longer allowed.

   *Emilia Käsper*

### Changes between 1.0.2n and 1.0.2o [27 Mar 2018]

 * Constructed ASN.1 types with a recursive definition could exceed the stack

   Constructed ASN.1 types with a recursive definition (such as can be found
   in PKCS7) could eventually exceed the stack given malicious input with
   excessive recursion. This could result in a Denial Of Service attack. There
   are no such structures used within SSL/TLS that come from untrusted sources
   so this is considered safe.

   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
   project.
   ([CVE-2018-0739])

   *Matt Caswell*

### Changes between 1.0.2m and 1.0.2n [7 Dec 2017]

 * Read/write after SSL object in error state

   OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
   mechanism. The intent was that if a fatal error occurred during a handshake
   then OpenSSL would move into the error state and would immediately fail if
   you attempted to continue the handshake. This works as designed for the
   explicit handshake functions (SSL_do_handshake(), SSL_accept() and
   SSL_connect()), however due to a bug it does not work correctly if
   SSL_read() or SSL_write() is called directly. In that scenario, if the
   handshake fails then a fatal error will be returned in the initial function
   call. If SSL_read()/SSL_write() is subsequently called by the application
   for the same SSL object then it will succeed and the data is passed without
   being decrypted/encrypted directly from the SSL/TLS record layer.

   In order to exploit this issue an application bug would have to be present
   that resulted in a call to SSL_read()/SSL_write() being issued after having
   already received a fatal error.

   This issue was reported to OpenSSL by David Benjamin (Google).
   ([CVE-2017-3737])

   *Matt Caswell*

 * rsaz_1024_mul_avx2 overflow bug on x86_64

   There is an overflow bug in the AVX2 Montgomery multiplication procedure
   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
   Analysis suggests that attacks against RSA and DSA as a result of this
   defect would be very difficult to perform and are not believed likely.
   Attacks against DH1024 are considered just feasible, because most of the
   work necessary to deduce information about a private key may be performed
   offline. The amount of resources required for such an attack would be
   significant. However, for an attack on TLS to be meaningful, the server
   would have to share the DH1024 private key among multiple clients, which is
   no longer an option since CVE-2016-0701.

   This only affects processors that support the AVX2 but not ADX extensions
   like Intel Haswell (4th generation).

   This issue was reported to OpenSSL by David Benjamin (Google). The issue
   was originally found via the OSS-Fuzz project.
   ([CVE-2017-3738])

   *Andy Polyakov*

### Changes between 1.0.2l and 1.0.2m [2 Nov 2017]

 * bn_sqrx8x_internal carry bug on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients.

   This only affects processors that support the BMI1, BMI2 and ADX extensions
   like Intel Broadwell (5th generation) and later or AMD Ryzen.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3736])

   *Andy Polyakov*

 * Malformed X.509 IPAddressFamily could cause OOB read

   If an X.509 certificate has a malformed IPAddressFamily extension,
   OpenSSL could do a one-byte buffer overread. The most likely result
   would be an erroneous display of the certificate in text format.

   This issue was reported to OpenSSL by the OSS-Fuzz project.

   *Rich Salz*

### Changes between 1.0.2k and 1.0.2l [25 May 2017]

 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
   platform rather than 'mingw'.

   *Richard Levitte*

### Changes between 1.0.2j and 1.0.2k [26 Jan 2017]

 * Truncated packet could crash via OOB read

   If one side of an SSL/TLS path is running on a 32-bit host and a specific
   cipher is being used, then a truncated packet can cause that host to
   perform an out-of-bounds read, usually resulting in a crash.

   This issue was reported to OpenSSL by Robert Święcki of Google.
   ([CVE-2017-3731])

   *Andy Polyakov*

 * BN_mod_exp may produce incorrect results on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients. For example this can occur by
   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
   similar to CVE-2015-3193 but must be treated as a separate problem.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3732])

   *Andy Polyakov*

 * Montgomery multiplication may produce incorrect results

   There is a carry propagating bug in the Broadwell-specific Montgomery
   multiplication procedure that handles input lengths divisible by, but
   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
   and DH private keys are impossible. This is because the subroutine in
   question is not used in operations with the private key itself and an input
   of the attacker's direct choice. Otherwise the bug can manifest itself as
   transient authentication and key negotiation failures or reproducible
   erroneous outcome of public-key operations with specially crafted input.
   Among EC algorithms only Brainpool P-512 curves are affected and one
   presumably can attack ECDH key negotiation. Impact was not analyzed in
   detail, because the prerequisites for an attack are considered unlikely.
   Namely, multiple clients have to choose the curve in question and the
   server has to share the private key among them, neither of which is
   default behaviour. Even then only clients that chose the curve will be
   affected.
   This issue was publicly reported as transient failures and was not
   initially recognized as a security issue. Thanks to Richard Morgan for
   providing a reproducible case.
   ([CVE-2016-7055])

   *Andy Polyakov*

 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
   prevent issues where no progress is being made and the peer continually
   sends unrecognised record types, using up resources processing them.

   *Matt Caswell*

### Changes between 1.0.2i and 1.0.2j [26 Sep 2016]

 * Missing CRL sanity check

   A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
   but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
   CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

   This issue only affects OpenSSL 1.0.2i.
   ([CVE-2016-7052])

   *Matt Caswell*

### Changes between 1.0.2h and 1.0.2i [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP. Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
   HIGH to MEDIUM.

   This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
   Leurent (INRIA).
   ([CVE-2016-2183])

   *Rich Salz*

 * OOB write in MDC2_Update()

   An overflow can occur in MDC2_Update() either if called directly or
   through the EVP_DigestUpdate() function using MDC2. If an attacker
   is able to supply very large amounts of input data after a previous
   call to EVP_EncryptUpdate() with a partial block then a length check
   can overflow resulting in a heap corruption.

   The amount of data needed is comparable to SIZE_MAX which is impractical
   on most platforms.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6303])

   *Stephen Henson*

 * Malformed SHA512 ticket DoS

   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
   DoS attack where a malformed ticket will result in an OOB read which will
   ultimately crash.

   The use of SHA512 in TLS session tickets is comparatively rare as it requires
   a custom server callback and ticket lookup mechanism.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6302])

   *Stephen Henson*

 * OOB write in BN_bn2dec()

   The function BN_bn2dec() does not check the return value of BN_div_word().
   This can cause an OOB write if an application uses this function with an
   overly large BIGNUM. This could be a problem if an overly large certificate
   or CRL is printed out from an untrusted source. TLS is not affected because
   record limits will reject an oversized certificate before it is parsed.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2182])

   *Stephen Henson*

 * OOB read in TS_OBJ_print_bio()

   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
   the total length the OID text representation would use and not the amount
   of data written. This will result in OOB reads when large OIDs are
   presented.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2180])

   *Stephen Henson*

 * Pointer arithmetic undefined behaviour

   Avoid some undefined pointer arithmetic

   A common idiom in the codebase is to check limits in the following manner:
   "p + len > limit"

   Where "p" points to some malloc'd data of SIZE bytes and
   limit == p + SIZE

   "len" here could be from some externally supplied data (e.g. from a TLS
   message).

   The rules of C pointer arithmetic are such that "p + len" is only well
   defined where len <= SIZE. Therefore the above idiom is actually
   undefined behaviour.

   For example this could cause problems if some malloc implementation
   provides an address for "p" such that "p + len" actually overflows for
   values of len that are too big and therefore p + len < limit.

   This issue was reported to OpenSSL by Guido Vranken
   ([CVE-2016-2177])

   *Matt Caswell*

 * Constant time flag not preserved in DSA signing

   Operations in the DSA signing algorithm should run in constant time in
   order to avoid side channel attacks. A flaw in the OpenSSL DSA
   implementation means that a non-constant time codepath is followed for
   certain operations. This has been demonstrated through a cache-timing
   attack to be sufficient for an attacker to recover the private DSA key.
   This issue was reported by César Pereida (Aalto University), Billy Brumley
   (Tampere University of Technology), and Yuval Yarom (The University of
   Adelaide and NICTA).
   ([CVE-2016-2178])

   *César Pereida*

 * DTLS buffered message DoS

   In a DTLS connection where handshake messages are delivered out-of-order
   those messages that OpenSSL is not yet ready to process will be buffered
   for later use. Under certain circumstances, a flaw in the logic means that
   those messages do not get removed from the buffer even though the handshake
   has been completed. An attacker could force up to approx. 15 messages to
   remain in the buffer when they are no longer required. These messages will
   be cleared when the DTLS connection is closed. The default maximum size for
   a message is 100k. Therefore the attacker could force an additional 1500k
   to be consumed per connection. By opening many simultaneous connections an
   attacker could cause a DoS attack through memory exhaustion.

   This issue was reported to OpenSSL by Quan Luo.
   ([CVE-2016-2179])

   *Matt Caswell*

 * DTLS replay protection DoS

   A flaw in the DTLS replay attack protection mechanism means that records
   that arrive for future epochs update the replay protection "window" before
   the MAC for the record has been validated. This could be exploited by an
   attacker by sending a record for the next epoch (which does not have to
   decrypt or have a valid MAC), with a very large sequence number. This means
   that all subsequent legitimate packets are dropped causing a denial of
   service for a specific DTLS connection.

   This issue was reported to OpenSSL by the OCAP audit team.
   ([CVE-2016-2181])

   *Matt Caswell*

 * Certificate message OOB reads

   In OpenSSL 1.0.2 and earlier some missing message length checks can result
   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
   theoretical DoS risk but this has not been observed in practice on common
   platforms.

   The messages affected are client certificate, client certificate request
   and server certificate. As a result the attack can only be performed
   against a client or a server which enables client authentication.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6306])

   *Stephen Henson*

### Changes between 1.0.2g and 1.0.2h [3 May 2016]

 * Prevent padding oracle in AES-NI CBC MAC check

   A MITM attacker can use a padding oracle attack to decrypt traffic
   when the connection uses an AES CBC cipher and the server supports
   AES-NI.

   This issue was introduced as part of the fix for the Lucky 13 padding
   attack ([CVE-2013-0169]). The padding check was rewritten to be in
   constant time by making sure that the same bytes are always read and
   compared against either the MAC or padding bytes. But it no longer
   checked that there was enough data to have both the MAC and padding
   bytes.

   This issue was reported by Juraj Somorovsky using TLS-Attacker.

   *Kurt Roeckx*

 * Fix EVP_EncodeUpdate overflow

   An overflow can occur in the EVP_EncodeUpdate() function which is used for
   Base64 encoding of binary data. If an attacker is able to supply very large
   amounts of input data then a length check can overflow resulting in a heap
   corruption.

   Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
   the `PEM_write_bio*` family of functions. These are mainly used within the
   OpenSSL command line applications, so any application which processes data
   from an untrusted source and outputs it as a PEM file should be considered
   vulnerable to this issue. User applications that call these APIs directly
   with large amounts of untrusted data may also be vulnerable.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2105])

   *Matt Caswell*

 * Fix EVP_EncryptUpdate overflow

   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
   is able to supply very large amounts of input data after a previous call to
   EVP_EncryptUpdate() with a partial block then a length check can overflow
   resulting in a heap corruption. Following an analysis of all OpenSSL
   internal usage of the EVP_EncryptUpdate() function all usage is one of two
   forms. The first form is where the EVP_EncryptUpdate() call is known to be
   the first called function after an EVP_EncryptInit(), and therefore that
   specific call must be safe. The second form is where the length passed to
   EVP_EncryptUpdate() can be seen from the code to be some small value and
   therefore there is no possibility of an overflow. Since all instances are
   one of these two forms, it is believed that there can be no overflows in
   internal code due to this problem. It should be noted that
   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
   of these calls have also been analysed and it is believed there are no
   instances in internal usage where an overflow could occur.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2106])

   *Matt Caswell*

 * Prevent ASN.1 BIO excessive memory allocation

   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
   a short invalid encoding can cause allocation of large amounts of memory
   potentially consuming excessive resources or exhausting memory.

   Any application parsing untrusted data through d2i BIO functions is
   affected. The memory based functions such as d2i_X509() are *not* affected.
   Since the memory based functions are used by the TLS library, TLS
   applications are not affected.

   This issue was reported by Brian Carpenter.
   ([CVE-2016-2109])

   *Stephen Henson*

 * EBCDIC overread

   ASN1 Strings that are over 1024 bytes can cause an overread in applications
   using the X509_NAME_oneline() function on EBCDIC systems. This could result
   in arbitrary stack data being returned in the buffer.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2176])

   *Matt Caswell*

 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.

   *Todd Short*

 * Remove LOW from the DEFAULT cipher list. This removes single DES from the
   default.

   *Kurt Roeckx*

 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
   methods are enabled and ssl2 is disabled the methods return NULL.

   *Kurt Roeckx*

### Changes between 1.0.2f and 1.0.2g [1 Mar 2016]

 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
   Builds that are not configured with "enable-weak-ssl-ciphers" will not
   provide any "EXPORT" or "LOW" strength ciphers.

   *Viktor Dukhovni*

 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
   is by default disabled at build-time. Builds that are not configured with
   "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
   users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
   will need to explicitly call either of:

       SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
       SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

   as appropriate. Even if either of those is used, or the application
   explicitly uses the version-specific SSLv2_method() or its client and
   server variants, SSLv2 ciphers vulnerable to exhaustive search key
   recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
   ciphers, and SSLv2 56-bit DES are no longer available.
   ([CVE-2016-0800])

   *Viktor Dukhovni*

 * Fix a double-free in DSA code

   A double free bug was discovered when OpenSSL parses malformed DSA private
   keys and could lead to a DoS attack or memory corruption for applications
   that receive DSA private keys from untrusted sources. This scenario is
   considered rare.

   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
   libFuzzer.
   ([CVE-2016-0705])

   *Stephen Henson*

 * Disable SRP fake user seed to address a server memory leak.

   Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
   In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
   was changed to ignore the "fake user" SRP seed, even if the seed
   is configured.

   Users should use SRP_VBASE_get1_by_user instead. Note that in
   SRP_VBASE_get1_by_user, the caller must free the returned value. Note
   also that even though configuring the SRP seed attempts to hide
   invalid usernames by continuing the handshake with fake
   credentials, this behaviour is not constant time and no strong
   guarantees are made that the handshake is indistinguishable from
   that of a valid user.
   ([CVE-2016-0798])

   *Emilia Käsper*

 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption

   In the BN_hex2bn function the number of hex digits is calculated using an
   int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
   large values of `i` this can result in `bn_expand` not allocating any
   memory because `i * 4` is negative. This can leave the internal BIGNUM data
   field as NULL leading to a subsequent NULL ptr deref. For very large values
   of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
   In this case memory is allocated to the internal BIGNUM data field, but it
   is insufficiently sized leading to heap corruption. A similar issue exists
   in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
   is ever called by user applications with very large untrusted hex/dec data.
   This is anticipated to be a rare occurrence.

   All OpenSSL internal usage of these functions use data that is not expected
   to be untrusted, e.g. config file data or application command line
   arguments. If user developed applications generate config file data based
   on untrusted data then it is possible that this could also lead to security
   consequences. This is also anticipated to be rare.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2016-0797])

   *Matt Caswell*

 * Fix memory issues in `BIO_*printf` functions

   The internal `fmtstr` function used in processing a "%s" format string in
   the `BIO_*printf` functions could overflow while calculating the length of a
   string and cause an OOB read when printing very long strings.

   Additionally the internal `doapr_outch` function can attempt to write to an
   OOB memory location (at an offset from the NULL pointer) in the event of a
   memory allocation failure. In 1.0.2 and below this could be caused where
   the size of a buffer to be allocated is greater than INT_MAX. E.g. this
   could be in processing a very long "%s" format string. Memory leaks can
   also occur.

   The first issue may mask the second issue dependent on compiler behaviour.
   These problems could enable attacks where large amounts of untrusted data
   is passed to the `BIO_*printf` functions. If applications use these functions
   in this way then they could be vulnerable. OpenSSL itself uses these
   functions when printing out human-readable dumps of ASN.1 data. Therefore
   applications that print this data could be vulnerable if the data is from
   untrusted sources. OpenSSL command line applications could also be
   vulnerable where they print out ASN.1 data, or if untrusted data is passed
   as command line arguments.

   Libssl is not considered directly vulnerable. Additionally certificates etc.
   received via remote connections via libssl are also unlikely to be able to
   trigger these issues because of message size limits enforced within libssl.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2016-0799])

   *Matt Caswell*

 * Side channel attack on modular exponentiation

   A side-channel attack was found which makes use of cache-bank conflicts on
   the Intel Sandy-Bridge microarchitecture which could lead to the recovery
   of RSA keys. The ability to exploit this issue is limited as it relies on
   an attacker who has control of code in a thread running on the same
   hyper-threaded core as the victim thread which is performing decryptions.

   This issue was reported to OpenSSL by Yuval Yarom, The University of
   Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
   Nadia Heninger, University of Pennsylvania with more information at
   <http://cachebleed.info>.
   ([CVE-2016-0702])

   *Andy Polyakov*

 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
   if no keysize is specified with default_bits. This fixes an
   omission in an earlier change that changed all RSA/DSA key generation
   commands to use 2048 bits by default.

   *Emilia Käsper*

### Changes between 1.0.2e and 1.0.2f [28 Jan 2016]

 * DH small subgroups

   Historically OpenSSL only ever generated DH parameters based on "safe"
   primes. More recently (in version 1.0.2) support was provided for
   generating X9.42 style parameter files such as those required for RFC 5114
   support. The primes used in such files may not be "safe". Where an
   application is using DH configured with parameters based on primes that are
   not "safe" then an attacker could use this fact to find a peer's private
   DH exponent. This attack requires that the attacker complete multiple
   handshakes in which the peer uses the same private DH exponent. For example
   this could be used to discover a TLS server's private DH exponent if it's
   reusing the private DH exponent or it's using a static DH ciphersuite.
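   The public-value check that defends against this attack where a subgroup
   order q is known (the additional check the fix for this issue adds for
   X9.42 parameters), as an added example on toy 64-bit numbers rather than
   OpenSSL's own bignum code: a peer value y is accepted only if 1 < y < p-1
   and y^q mod p == 1. The parameters p = 67, q = 11, g = 64 and the helper
   names are constructed for this example; 67 - 1 = 2 * 3 * 11, so 67 is not a
   safe prime and carries small subgroups of order 2 and 3.

```c
/* Added example, not OpenSSL code: the DH public-value check that defeats the
 * small-subgroup attack when a subgroup order q is known (X9.42 parameters).
 * Toy 64-bit arithmetic keeps it self-contained; a real implementation does
 * the same with bignums. Constructed parameters: p = 67 = 6 * 11 + 1 is not a
 * safe prime (p - 1 = 2 * 3 * 11), q = 11, and g = 64 generates the order-11
 * subgroup. The element 37 has order 3 and must be rejected. */
#include <stdint.h>
#include <stdio.h>

#define TOY_P 67u
#define TOY_Q 11u
#define TOY_G 64u

/* (a * b) mod m without overflow; the toy restricts m < 2^32. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (a * b) % m;
}

/* Square-and-multiply modular exponentiation (not constant time; the toy
 * is about the membership check, not side channels). */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1 % m;

    base %= m;
    while (exp != 0) {
        if (exp & 1)
            result = mulmod(result, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return result;
}

/* Returns 1 if y is acceptable for parameters (p, q): it must avoid the
 * trivial values and lie in the order-q subgroup, i.e. y^q mod p == 1. */
int dh_check_pub_key(uint64_t p, uint64_t q, uint64_t y)
{
    if (p >= (1ULL << 32) || q == 0)
        return 0;               /* outside the toy's arithmetic range */
    if (y <= 1 || y >= p - 1)
        return 0;               /* 0, 1 and p-1 sit in subgroups of order 1 or 2 */
    return modpow(y, q, p) == 1;
}

/* Our side of the agreement: shared secret from the peer's y and our private
 * exponent x. With a small-subgroup y this takes only a handful of values,
 * which is what leaks x modulo the small order across repeated handshakes. */
uint64_t dh_shared_secret(uint64_t p, uint64_t y, uint64_t x)
{
    return modpow(y, x, p);
}

int main(void)
{
    uint64_t x, honest = modpow(TOY_G, 5, TOY_P); /* a legitimate y = g^5 */

    printf("y=%llu in subgroup: %d\n", (unsigned long long)honest,
           dh_check_pub_key(TOY_P, TOY_Q, honest));
    printf("y=37 (order 3) in subgroup: %d\n",
           dh_check_pub_key(TOY_P, TOY_Q, 37));
    /* Without the check, the secret derived from y=37 repeats with period 3. */
    for (x = 1; x <= 6; x++)
        printf("x=%llu -> secret %llu\n", (unsigned long long)x,
               (unsigned long long)dh_shared_secret(TOY_P, 37, x));
    return 0;
}
```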
5584 5585 OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in 5586 TLS. It is not on by default. If the option is not set then the server 5587 reuses the same private DH exponent for the life of the server process and 5588 would be vulnerable to this attack. It is believed that many popular 5589 applications do set this option and would therefore not be at risk. 5590 5591 The fix for this issue adds an additional check where a "q" parameter is 5592 available (as is the case in X9.42 based parameters). This detects the 5593 only known attack, and is the only possible defense for static DH 5594 ciphersuites. This could have some performance impact. 5595 5596 Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by 5597 default and cannot be disabled. This could have some performance impact. 5598 5599 This issue was reported to OpenSSL by Antonio Sanso (Adobe). 5600 ([CVE-2016-0701]) 5601 5602 *Matt Caswell* 5603 5604 * SSLv2 doesn't block disabled ciphers 5605 5606 A malicious client can negotiate SSLv2 ciphers that have been disabled on 5607 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have 5608 been disabled, provided that the SSLv2 protocol was not also disabled via 5609 SSL_OP_NO_SSLv2. 5610 5611 This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram 5612 and Sebastian Schinzel. 5613 ([CVE-2015-3197]) 5614 5615 *Viktor Dukhovni* 5616 5617### Changes between 1.0.2d and 1.0.2e [3 Dec 2015] 5618 5619 * BN_mod_exp may produce incorrect results on x86_64 5620 5621 There is a carry propagating bug in the x86_64 Montgomery squaring 5622 procedure. No EC algorithms are affected. Analysis suggests that attacks 5623 against RSA and DSA as a result of this defect would be very difficult to 5624 perform and are not believed likely. 
   Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients. For example this can occur by
   default in OpenSSL DHE based SSL/TLS ciphersuites.

   This issue was reported to OpenSSL by Hanno Böck.
   ([CVE-2015-3193])

   *Andy Polyakov*

 * Certificate verify crash with missing PSS parameter

   The signature verification routines will crash with a NULL pointer
   dereference if presented with an ASN.1 signature using the RSA PSS
   algorithm and absent mask generation function parameter. Since these
   routines are used to verify certificate signature algorithms this can be
   used to crash any certificate verification operation and exploited in a
   DoS attack. Any application which performs certificate verification is
   vulnerable including OpenSSL clients and servers which enable client
   authentication.

   This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
   ([CVE-2015-3194])

   *Stephen Henson*

 * X509_ATTRIBUTE memory leak

   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
   memory. This structure is used by the PKCS#7 and CMS routines so any
   application which reads PKCS#7 or CMS data from untrusted sources is
   affected. SSL/TLS is not affected.

   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
   libFuzzer.
   ([CVE-2015-3195])

   *Stephen Henson*

 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
   This changes the decoding behaviour for some invalid messages,
   though the change is mostly in the more lenient direction, and
   legacy behaviour is preserved as much as possible.

   *Emilia Käsper*

 * In DSA_generate_parameters_ex, if the provided seed is too short,
   return an error.

   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*

### Changes between 1.0.2c and 1.0.2d [9 Jul 2015]

 * Alternate chains certificate forgery

   During certificate verification, OpenSSL will attempt to find an
   alternative certificate chain if the first attempt to build such a chain
   fails. An error in the implementation of this logic can mean that an
   attacker could cause certain checks on untrusted certificates to be
   bypassed, such as the CA flag, enabling them to use a valid leaf
   certificate to act as a CA and "issue" an invalid certificate.

   This issue was reported to OpenSSL by Adam Langley/David Benjamin
   (Google/BoringSSL).

   *Matt Caswell*

### Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
   incompatibility in the handling of HMAC. The previous ABI has now been
   restored.

   *Matt Caswell*

### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]

 * Malformed ECParameters causes infinite loop

   When processing an ECParameters structure OpenSSL enters an infinite loop
   if the curve specified is over a specially malformed binary polynomial
   field.

   This can be used to perform denial of service against any
   system which processes public keys, certificate requests or
   certificates. This includes TLS clients and TLS servers with
   client authentication enabled.
   This issue was reported to OpenSSL by Joseph Barr-Pixton.
   ([CVE-2015-1788])

   *Andy Polyakov*

 * Exploitable out-of-bounds read in X509_cmp_time

   X509_cmp_time does not properly check the length of the ASN1_TIME
   string and can read a few bytes out of bounds. In addition,
   X509_cmp_time accepts an arbitrary number of fractional seconds in the
   time string.

   An attacker can use this to craft malformed certificates and CRLs of
   various sizes and potentially cause a segmentation fault, resulting in
   a DoS on applications that verify certificates or CRLs. TLS clients
   that verify CRLs are affected. TLS clients and servers with client
   authentication enabled may be affected if they use custom verification
   callbacks.

   This issue was reported to OpenSSL by Robert Swiecki (Google), and
   independently by Hanno Böck.
   ([CVE-2015-1789])

   *Emilia Käsper*

 * PKCS7 crash with missing EnvelopedContent

   The PKCS#7 parsing code does not handle missing inner EncryptedContent
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
   with missing content and trigger a NULL pointer dereference on parsing.

   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
   structures from untrusted sources are affected. OpenSSL clients and
   servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-1790])

   *Emilia Käsper*

 * CMS verify infinite loop with unknown hash function

   When verifying a signedData message the CMS code can enter an infinite loop
   if presented with an unknown hash function OID. This can be used to perform
   denial of service against any system which verifies signedData messages using
   the CMS code.

   This issue was reported to OpenSSL by Johannes Bauer.
   ([CVE-2015-1792])

   *Stephen Henson*

 * Race condition handling NewSessionTicket

   If a NewSessionTicket is received by a multi-threaded client when attempting to
   reuse a previous ticket then a race condition can occur potentially leading to
   a double free of the ticket data.
   ([CVE-2015-1791])

   *Matt Caswell*

 * Only support 256-bit or stronger elliptic curves with the
   'ecdh_auto' setting (server) or by default (client). Of supported
   curves, prefer P-256 (both).

   *Emilia Käsper*

### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]

 * ClientHello sigalgs DoS fix

   If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
   invalid signature algorithms extension a NULL pointer dereference will
   occur. This can be exploited in a DoS attack against the server.

   This issue was reported to OpenSSL by David Ramos of Stanford
   University.
   ([CVE-2015-0291])

   *Stephen Henson and Matt Caswell*

 * Multiblock corrupted pointer fix

   OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
   feature only applies on 64 bit x86 architecture platforms that support AES
   NI instructions. A defect in the implementation of "multiblock" can cause
   OpenSSL's internal write buffer to become incorrectly set to NULL when
   using non-blocking IO. Typically, when the user application is using a
   socket BIO for writing, this will only result in a failed connection.
   However if some other BIO is used then it is likely that a segmentation
   fault will be triggered, thus enabling a potential DoS attack.

   This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
   ([CVE-2015-0290])

   *Matt Caswell*

 * Segmentation fault in DTLSv1_listen fix

   The DTLSv1_listen function is intended to be stateless and processes the
   initial ClientHello from many peers. It is common for user code to loop
   over the call to DTLSv1_listen until a valid ClientHello is received with
   an associated cookie. A defect in the implementation of DTLSv1_listen means
   that state is preserved in the SSL object from one invocation to the next
   that can lead to a segmentation fault. Errors processing the initial
   ClientHello can trigger this scenario. An example of such an error could be
   that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
   server.

   This issue was reported to OpenSSL by Per Allansson.
   ([CVE-2015-0207])

   *Matt Caswell*

 * Segmentation fault in ASN1_TYPE_cmp fix

   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
   certificate signature algorithm consistency this can be used to crash any
   certificate verification operation and exploited in a DoS attack. Any
   application which performs certificate verification is vulnerable including
   OpenSSL clients and servers which enable client authentication.
   ([CVE-2015-0286])

   *Stephen Henson*

 * Segmentation fault for invalid PSS parameters fix

   The signature verification routines will crash with a NULL pointer
   dereference if presented with an ASN.1 signature using the RSA PSS
   algorithm and invalid parameters. Since these routines are used to verify
   certificate signature algorithms this can be used to crash any
   certificate verification operation and exploited in a DoS attack.
   Any application which performs certificate verification is vulnerable
   including OpenSSL clients and servers which enable client authentication.

   This issue was reported to OpenSSL by Brian Carpenter.
   ([CVE-2015-0208])

   *Stephen Henson*

 * ASN.1 structure reuse memory corruption fix

   Reusing a structure in ASN.1 parsing may allow an attacker to cause
   memory corruption via an invalid write. Such reuse is and has been
   strongly discouraged and is believed to be rare.

   Applications that parse structures containing CHOICE or ANY DEFINED BY
   components may be affected. Certificate parsing (d2i_X509 and related
   functions) is however not affected. OpenSSL clients and servers are
   not affected.
   ([CVE-2015-0287])

   *Stephen Henson*

 * PKCS7 NULL pointer dereferences fix

   The PKCS#7 parsing code does not handle missing outer ContentInfo
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
   missing content and trigger a NULL pointer dereference on parsing.

   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
   otherwise parse PKCS#7 structures from untrusted sources are
   affected. OpenSSL clients and servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-0289])

   *Emilia Käsper*

 * DoS via reachable assert in SSLv2 servers fix

   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
   servers that both support SSLv2 and enable export cipher suites by sending
   a specially crafted SSLv2 CLIENT-MASTER-KEY message.

   This issue was discovered by Sean Burford (Google) and Emilia Käsper
   (OpenSSL development team).
   ([CVE-2015-0293])

   *Emilia Käsper*

 * Empty CKE with client auth and DHE fix

   If client auth is used then a server can seg fault in the event of a DHE
   ciphersuite being selected and a zero length ClientKeyExchange message
   being sent by the client. This could be exploited in a DoS attack.
   ([CVE-2015-1787])

   *Matt Caswell*

 * Handshake with unseeded PRNG fix

   Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
   with an unseeded PRNG. The conditions are:
   - The client is on a platform where the PRNG has not been seeded
     automatically, and the user has not seeded manually
   - A protocol specific client method version has been used (i.e. not
     SSL_client_methodv23)
   - A ciphersuite is used that does not require additional random data from
     the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

   If the handshake succeeds then the client random that has been used will
   have been generated from a PRNG with insufficient entropy and therefore the
   output may be predictable.

   For example using the following command with an unseeded openssl will
   succeed on an unpatched platform:

       openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA

   ([CVE-2015-0285])

   *Matt Caswell*

 * Use After Free following d2i_ECPrivatekey error fix

   A malformed EC private key file consumed via the d2i_ECPrivateKey function
   could cause a use after free condition. This, in turn, could cause a double
   free in several private key parsing functions (such as d2i_PrivateKey
   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
   for applications that receive EC private keys from untrusted
   sources. This scenario is considered rare.

   This issue was discovered by the BoringSSL project and fixed in their
   commit 517073cd4b.
   ([CVE-2015-0209])

   *Matt Caswell*

 * X509_to_X509_REQ NULL pointer deref fix

   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
   the certificate key is invalid. This function is rarely used in practice.

   This issue was discovered by Brian Carpenter.
   ([CVE-2015-0288])

   *Stephen Henson*

 * Removed the export ciphers from the DEFAULT ciphers

   *Kurt Roeckx*

### Changes between 1.0.1l and 1.0.2 [22 Jan 2015]

 * Facilitate "universal" ARM builds targeting a range of ARM ISAs, e.g.
   ARMv5 through ARMv8, as opposed to "locking" it to a single one.
   So far those who have to target multiple platforms would compromise
   and argue that a binary targeting say ARMv5 would still execute on
   ARMv8. "Universal" build resolves this compromise by providing
   near-optimal performance even on newer platforms.

   *Andy Polyakov*

 * Accelerated NIST P-256 elliptic curve implementation for x86_64
   (other platforms pending).

   *Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov*

 * Add support for the SignedCertificateTimestampList certificate and
   OCSP response extensions from RFC6962.

   *Rob Stradling*

 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)

   *Bodo Moeller*

 * Initial support for PowerISA 2.0.7, first implemented in POWER8.
   This covers AES, SHA256/512 and GHASH. "Initial" means that most
   common cases are optimized and there still is room for further
   improvements. Vector Permutation AES for Altivec is also added.

   *Andy Polyakov*

 * Add support for little-endian ppc64 Linux target.

   *Marcelo Cerri (IBM)*

 * Initial support for ARMv8 ISA crypto extensions.
   This covers AES,
   SHA1, SHA256 and GHASH. "Initial" means that most common cases
   are optimized and there still is room for further improvements.
   Both 32- and 64-bit modes are supported.

   *Andy Polyakov, Ard Biesheuvel (Linaro)*

 * Improved ARMv7 NEON support.

   *Andy Polyakov*

 * Support for SPARC Architecture 2011 crypto extensions, first
   implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
   SHA256/512, MD5, GHASH and modular exponentiation.

   *Andy Polyakov, David Miller*

 * Accelerated modular exponentiation for Intel processors, a.k.a.
   RSAZ.

   *Shay Gueron & Vlad Krasnov (Intel Corp)*

 * Support for new and upcoming Intel processors, including AVX2,
   BMI and SHA ISA extensions. This includes additional "stitched"
   implementations, AESNI-SHA256 and GCM, and multi-buffer support
   for TLS encrypt.

   This work was sponsored by Intel Corp.

   *Andy Polyakov*

 * Support for DTLS 1.2. This adds two sets of DTLS methods: `DTLS_*_method()`
   supports both DTLS 1.2 and 1.0 and should use whatever version the peer
   supports and `DTLSv1_2_*_method()` which supports DTLS 1.2 only.

   *Steve Henson*

 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
   this fixes a limitation in previous versions of OpenSSL.

   *Steve Henson*

 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
   MGF1 digest and OAEP label.

   *Steve Henson*

 * Add EVP support for key wrapping algorithms. To avoid problems with
   existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
   algorithms and include test cases.

   *Steve Henson*

 * Add functions to allocate and set the fields of an ECDSA_METHOD
   structure.

   *Douglas E. Engert, Steve Henson*

 * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
   difference in days and seconds between two tm or ASN1_TIME structures.

   *Steve Henson*

 * Add -rev test option to s_server to just reverse order of characters
   received by client and send back to server. Also prints an abbreviated
   summary of the connection parameters.

   *Steve Henson*

 * New option -brief for s_client and s_server to print out a brief summary
   of connection parameters.

   *Steve Henson*

 * Add callbacks for arbitrary TLS extensions.

   *Trevor Perrin <trevp@trevp.net> and Ben Laurie*

 * New option -crl_download in several openssl utilities to download CRLs
   from CRLDP extension in certificates.

   *Steve Henson*

 * New options -CRL and -CRLform for s_client and s_server for CRLs.

   *Steve Henson*

 * New function X509_CRL_diff to generate a delta CRL from the difference
   of two full CRLs. Add support to "crl" utility.

   *Steve Henson*

 * New functions to set lookup_crls function and to retrieve
   X509_STORE from X509_STORE_CTX.

   *Steve Henson*

 * Print out deprecated issuer and subject unique ID fields in
   certificates.

   *Steve Henson*

 * Extend OCSP I/O functions so they can be used for simple general purpose
   HTTP as well as OCSP. New wrapper function which can be used to download
   CRLs using the OCSP API.

   *Steve Henson*

 * Delegate command line handling in s_client/s_server to SSL_CONF APIs.

   *Steve Henson*

 * `SSL_CONF*` functions. These provide a common framework for application
   configuration using configuration files or command lines.

   *Steve Henson*

 * SSL/TLS tracing code. This parses out SSL/TLS records using the
   message callback and prints the results.
   Needs compile time option
   "enable-ssl-trace". New options to s_client and s_server to enable
   tracing.

   *Steve Henson*

 * New ctrl and macro to retrieve supported points extensions.
   Print out extension in s_server and s_client.

   *Steve Henson*

 * New functions to retrieve certificate signature and signature
   OID NID.

   *Steve Henson*

 * Add functions to retrieve and manipulate the raw cipherlist sent by a
   client to OpenSSL.

   *Steve Henson*

 * New Suite B modes for TLS code. These use and enforce the requirements
   of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
   only use Suite B curves. The Suite B modes can be set by using the
   strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.

   *Steve Henson*

 * New chain verification flags for Suite B levels of security. Check
   algorithms are acceptable when flags are set in X509_verify_cert.

   *Steve Henson*

 * Make tls1_check_chain return a set of flags indicating checks passed
   by a certificate chain. Add additional tests to handle client
   certificates: checks for matching certificate type and issuer name
   comparison.

   *Steve Henson*

 * If an attempt is made to use a signature algorithm not in the peer
   preference list abort the handshake. If client has no suitable
   signature algorithms in response to a certificate request do not
   use the certificate.

   *Steve Henson*

 * If server EC tmp key is not in client preference list abort handshake.

   *Steve Henson*

 * Add support for certificate stores in CERT structure. This makes it
   possible to have different stores per SSL structure or one store in
   the parent SSL_CTX. Include distinct stores for certificate chain
   verification and chain building.
   New ctrl SSL_CTRL_BUILD_CERT_CHAIN
   to build and store a certificate chain in CERT structure: returning
   an error if the chain cannot be built: this will allow applications
   to test if a chain is correctly configured.

   Note: if the CERT based stores are not set then the parent SSL_CTX
   store is used to retain compatibility with existing behaviour.

   *Steve Henson*

 * New function ssl_set_client_disabled to set a ciphersuite disabled
   mask based on the current session, check mask when sending client
   hello and checking the requested ciphersuite.

   *Steve Henson*

 * New ctrls to retrieve and set certificate types in a certificate
   request message. Print out received values in s_client. If certificate
   types is not set with custom values set sensible values based on
   supported signature algorithms.

   *Steve Henson*

 * Support for distinct client and server supported signature algorithms.

   *Steve Henson*

 * Add certificate callback. If set this is called whenever a certificate
   is required by client or server. An application can decide which
   certificate chain to present based on arbitrary criteria: for example
   supported signature algorithms. Add very simple example to s_server.
   This fixes many of the problems and restrictions of the existing client
   certificate callback: for example you can now clear an existing
   certificate and specify the whole chain.

   *Steve Henson*

 * Add new "valid_flags" field to CERT_PKEY structure which determines what
   the certificate can be used for (if anything). Set valid_flags field
   in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
   to have similar checks in it.

   Add new "cert_flags" field to CERT structure and include a "strict mode".
   This enforces some TLS certificate requirements (such as only permitting
   certificate signature algorithms contained in the supported algorithms
   extension) which some implementations ignore: this option should be used
   with caution as it could cause interoperability issues.

   *Steve Henson*

 * Update and tidy signature algorithm extension processing. Work out
   shared signature algorithms based on preferences and peer algorithms
   and print them out in s_client and s_server. Abort handshake if no
   shared signature algorithms.

   *Steve Henson*

 * Add new functions to allow customised supported signature algorithms
   for SSL and SSL_CTX structures. Add options to s_client and s_server
   to support them.

   *Steve Henson*

 * New function SSL_certs_clear() to delete all references to certificates
   from an SSL structure. Before this once a certificate had been added
   it couldn't be removed.

   *Steve Henson*

 * Integrate hostname, email address and IP address checking with certificate
   verification. New verify options supporting checking in openssl utility.

   *Steve Henson*

 * Fixes and wildcard matching support to hostname and email checking
   functions. Add manual page.

   *Florian Weimer (Red Hat Product Security Team)*

 * New functions to check a hostname, email or IP address against a
   certificate. Add options to the x509 utility to print results of checks
   against a certificate.

   *Steve Henson*

 * Fix OCSP checking.

   *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*

 * Initial experimental support for explicitly trusted non-root CAs.
   OpenSSL still tries to build a complete chain to a root but if an
   intermediate CA has a trust setting included that is used. The first
   setting is used: whether to trust (e.g., -addtrust option to the x509
   utility) or reject.
   *Steve Henson*

 * Add -trusted_first option which attempts to find certificates in the
   trusted store even if an untrusted chain is also supplied.

   *Steve Henson*

 * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
   platform support for Linux and Android.

   *Andy Polyakov*

 * Support for linux-x32, ILP32 environment in x86_64 framework.

   *Andy Polyakov*

 * Experimental multi-implementation support for FIPS capable OpenSSL.
   When in FIPS mode the approved implementations are used as normal,
   when not in FIPS mode the internal unapproved versions are used instead.
   This means that the FIPS capable OpenSSL isn't forced to use the
   (often lower performance) FIPS implementations outside FIPS mode.

   *Steve Henson*

 * Transparently support X9.42 DH parameters when calling
   PEM_read_bio_DHparameters. This means existing applications can handle
   the new parameter format automatically.

   *Steve Henson*

 * Initial experimental support for X9.42 DH parameter format: mainly
   to support use of 'q' parameter for RFC5114 parameters.

   *Steve Henson*

 * Add DH parameters from RFC5114 including test data to dhtest.

   *Steve Henson*

 * Support for automatic EC temporary key parameter selection. If enabled
   the most preferred EC parameters are automatically used instead of
   hardcoded fixed parameters. Now a server just has to call:
   SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
   support ECDH and use the most appropriate parameters.

   *Steve Henson*

 * Enhance and tidy EC curve and point format TLS extension code. Use
   static structures instead of allocation if default values are used.
   New ctrls to set curves we wish to support and to retrieve shared curves.
   Print out shared curves in s_server.
   New options to s_server and s_client
   to set list of supported curves.

   *Steve Henson*

 * New ctrls to retrieve supported signature algorithms and
   supported curve values as an array of NIDs. Extend openssl utility
   to print out received values.

   *Steve Henson*

 * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
   between NIDs and the more common NIST names such as "P-256". Enhance
   ecparam utility and ECC method to recognise the NIST names for curves.

   *Steve Henson*

 * Enhance SSL/TLS certificate chain handling to support different
   chains for each certificate instead of one chain in the parent SSL_CTX.

   *Steve Henson*

 * Support for fixed DH ciphersuite client authentication: where both
   server and client use DH certificates with common parameters.

   *Steve Henson*

 * Support for fixed DH ciphersuites: those requiring DH server
   certificates.

   *Steve Henson*

 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
   the certificate.
   Note: Related 1.0.2-beta specific macros X509_get_cert_info,
   X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
   X509_CINF_get_signature were reverted post internal team review.

OpenSSL 1.0.1
-------------

### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP.
   Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
   HIGH to MEDIUM.

   This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
   Leurent (INRIA)
   ([CVE-2016-2183])

   *Rich Salz*

 * OOB write in MDC2_Update()

   An overflow can occur in MDC2_Update() either if called directly or
   through the EVP_DigestUpdate() function using MDC2. If an attacker
   is able to supply very large amounts of input data after a previous
   call to EVP_EncryptUpdate() with a partial block then a length check
   can overflow resulting in a heap corruption.

   The amount of data needed is comparable to SIZE_MAX which is impractical
   on most platforms.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6303])

   *Stephen Henson*

 * Malformed SHA512 ticket DoS

   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
   DoS attack where a malformed ticket will result in an OOB read which will
   ultimately crash.

   The use of SHA512 in TLS session tickets is comparatively rare as it requires
   a custom server callback and ticket lookup mechanism.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6302])

   *Stephen Henson*

 * OOB write in BN_bn2dec()

   The function BN_bn2dec() does not check the return value of BN_div_word().
   This can cause an OOB write if an application uses this function with an
   overly large BIGNUM. This could be a problem if an overly large certificate
   or CRL is printed out from an untrusted source.
   TLS is not affected because
   record limits will reject an oversized certificate before it is parsed.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2182])

   *Stephen Henson*

 * OOB read in TS_OBJ_print_bio()

   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
   the total length the OID text representation would use and not the amount
   of data written. This will result in OOB reads when large OIDs are
   presented.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2180])

   *Stephen Henson*

 * Pointer arithmetic undefined behaviour

   Avoid some undefined pointer arithmetic

   A common idiom in the codebase is to check limits in the following manner:
   "p + len > limit"

   Where "p" points to some malloc'd data of SIZE bytes and
   limit == p + SIZE

   "len" here could be from some externally supplied data (e.g. from a TLS
   message).

   The rules of C pointer arithmetic are such that "p + len" is only well
   defined where len <= SIZE. Therefore the above idiom is actually
   undefined behaviour.

   For example this could cause problems if some malloc implementation
   provides an address for "p" such that "p + len" actually overflows for
   values of len that are too big and therefore p + len < limit.

   This issue was reported to OpenSSL by Guido Vranken
   ([CVE-2016-2177])

   *Matt Caswell*

 * Constant time flag not preserved in DSA signing

   Operations in the DSA signing algorithm should run in constant time in
   order to avoid side channel attacks. A flaw in the OpenSSL DSA
   implementation means that a non-constant time codepath is followed for
   certain operations.
   This has been demonstrated through a cache-timing
   attack to be sufficient for an attacker to recover the private DSA key.

   This issue was reported by César Pereida (Aalto University), Billy Brumley
   (Tampere University of Technology), and Yuval Yarom (The University of
   Adelaide and NICTA).
   ([CVE-2016-2178])

   *César Pereida*

 * DTLS buffered message DoS

   In a DTLS connection where handshake messages are delivered out-of-order
   those messages that OpenSSL is not yet ready to process will be buffered
   for later use. Under certain circumstances, a flaw in the logic means that
   those messages do not get removed from the buffer even though the handshake
   has been completed. An attacker could force up to approx. 15 messages to
   remain in the buffer when they are no longer required. These messages will
   be cleared when the DTLS connection is closed. The default maximum size for
   a message is 100k. Therefore the attacker could force an additional 1500k
   to be consumed per connection. By opening many simultaneous connections an
   attacker could cause a DoS attack through memory exhaustion.

   This issue was reported to OpenSSL by Quan Luo.
   ([CVE-2016-2179])

   *Matt Caswell*

 * DTLS replay protection DoS

   A flaw in the DTLS replay attack protection mechanism means that records
   that arrive for future epochs update the replay protection "window" before
   the MAC for the record has been validated. This could be exploited by an
   attacker by sending a record for the next epoch (which does not have to
   decrypt or have a valid MAC), with a very large sequence number. This means
   that all subsequent legitimate packets are dropped causing a denial of
   service for a specific DTLS connection.

   This issue was reported to OpenSSL by the OCAP audit team.
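
   The window discipline that this fix restores, as an added example in C
   rather than OpenSSL's own code: a 64-bit anti-replay sliding window of the
   kind DTLS uses, with the read-only freshness check separated from the window
   update so that the update runs only after the record's MAC has verified.
   The MAC is stood in for by a constructed tag byte (an assumption for the
   example, not a real MAC), and `rw_receive_buggy` reproduces the ordering
   described above: one forged far-future record slides the window past every
   legitimate packet that follows. All names here are invented for the example.

```c
/* Added example, not OpenSSL code: DTLS-style anti-replay window that is
 * advanced only after authentication, beside the advisory's buggy ordering. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW_BITS 64
#define GOOD_TAG 0xA5          /* constructed stand-in for a valid MAC tag */

typedef struct {
    uint64_t top;              /* highest authenticated sequence number seen */
    uint64_t bitmap;           /* bit i set => sequence (top - i) already received */
    bool primed;               /* false until the first authenticated record */
} replay_window;

typedef struct { uint64_t seq; uint8_t tag; } record;

void rw_init(replay_window *w) { memset(w, 0, sizeof *w); }

/* Read-only check; safe to run before the MAC has been verified. */
bool rw_is_fresh(const replay_window *w, uint64_t seq)
{
    if (!w->primed || seq > w->top) return true;       /* ahead of the window */
    uint64_t diff = w->top - seq;
    if (diff >= WINDOW_BITS) return false;             /* fell off the window */
    return (w->bitmap & ((uint64_t)1 << diff)) == 0;   /* duplicate? */
}

/* Advance the window.  Call ONLY for records whose MAC has verified. */
void rw_mark(replay_window *w, uint64_t seq)
{
    if (!w->primed) { w->primed = true; w->top = seq; w->bitmap = 1; return; }
    if (seq > w->top) {
        uint64_t shift = seq - w->top;
        w->bitmap = shift >= WINDOW_BITS ? 0 : w->bitmap << shift;
        w->bitmap |= 1;
        w->top = seq;
    } else if (w->top - seq < WINDOW_BITS) {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
}

/* Correct order: check window, authenticate, then mark. */
bool rw_receive(replay_window *w, const record *r)
{
    if (!rw_is_fresh(w, r->seq)) return false;         /* replay: drop */
    if (r->tag != GOOD_TAG) return false;              /* forged: drop, window untouched */
    rw_mark(w, r->seq);
    return true;
}

/* Buggy order from the advisory: the window moves before the MAC check. */
bool rw_receive_buggy(replay_window *w, const record *r)
{
    if (!rw_is_fresh(w, r->seq)) return false;
    rw_mark(w, r->seq);                                /* too early */
    return r->tag == GOOD_TAG;
}

/* Constructed traffic: three good records, a forged record with a huge
 * sequence number and bad tag, then two more good records.  Returns how many
 * of the five legitimate records the given receive path accepted. */
int run_scenario(bool (*rx)(replay_window *, const record *))
{
    static const record traffic[] = {
        {1, GOOD_TAG}, {2, GOOD_TAG}, {3, GOOD_TAG},
        {(uint64_t)1 << 40, 0x00},
        {4, GOOD_TAG}, {5, GOOD_TAG},
    };
    replay_window w;
    int accepted = 0;
    rw_init(&w);
    for (size_t i = 0; i < sizeof traffic / sizeof traffic[0]; i++)
        if (rx(&w, &traffic[i]) && traffic[i].tag == GOOD_TAG) accepted++;
    return accepted;
}

/* Duplicate detection and window eviction on their own. */
bool replay_checks(void)
{
    replay_window w;
    rw_init(&w);
    rw_mark(&w, 10);
    rw_mark(&w, 12);
    bool ok = !rw_is_fresh(&w, 10) && rw_is_fresh(&w, 11)
           && !rw_is_fresh(&w, 12) && rw_is_fresh(&w, 13);
    rw_mark(&w, 200);                                  /* slides 11 out of the window */
    return ok && !rw_is_fresh(&w, 11);
}

int main(void)
{
    printf("fixed order: %d of 5 legitimate records accepted\n", run_scenario(rw_receive));
    printf("buggy order: %d of 5 legitimate records accepted\n", run_scenario(rw_receive_buggy));
    return replay_checks() ? 0 : 1;
}
```

   `run_scenario()` feeds the same constructed traffic through each receive
   path: the fixed path accepts all five legitimate records, while the buggy
   path accepts only the three that arrive before the forgery, because the
   unauthenticated record has moved the window's top to 2^40 and every later
   genuine sequence number now falls outside it.
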
   ([CVE-2016-2181])

   *Matt Caswell*

 * Certificate message OOB reads

   In OpenSSL 1.0.2 and earlier some missing message length checks can result
   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
   theoretical DoS risk but this has not been observed in practice on common
   platforms.

   The messages affected are client certificate, client certificate request
   and server certificate. As a result the attack can only be performed
   against a client or a server which enables client authentication.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6306])

   *Stephen Henson*

### Changes between 1.0.1s and 1.0.1t [3 May 2016]

 * Prevent padding oracle in AES-NI CBC MAC check

   A MITM attacker can use a padding oracle attack to decrypt traffic
   when the connection uses an AES CBC cipher and the server supports
   AES-NI.

   This issue was introduced as part of the fix for the Lucky 13 padding
   attack ([CVE-2013-0169]). The padding check was rewritten to be in
   constant time by making sure that the same bytes are always read and
   compared against either the MAC or padding bytes. But it no longer
   checked that there was enough data to have both the MAC and padding
   bytes.

   This issue was reported by Juraj Somorovsky using TLS-Attacker.
   ([CVE-2016-2107])

   *Kurt Roeckx*

 * Fix EVP_EncodeUpdate overflow

   An overflow can occur in the EVP_EncodeUpdate() function which is used for
   Base64 encoding of binary data. If an attacker is able to supply very large
   amounts of input data then a length check can overflow resulting in a heap
   corruption.

   Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
   the `PEM_write_bio*` family of functions.
   These are mainly used within the
   OpenSSL command line applications, so any application which processes data
   from an untrusted source and outputs it as a PEM file should be considered
   vulnerable to this issue. User applications that call these APIs directly
   with large amounts of untrusted data may also be vulnerable.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2105])

   *Matt Caswell*

 * Fix EVP_EncryptUpdate overflow

   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
   is able to supply very large amounts of input data after a previous call to
   EVP_EncryptUpdate() with a partial block then a length check can overflow
   resulting in a heap corruption. Following an analysis of all OpenSSL
   internal usage of the EVP_EncryptUpdate() function all usage is one of two
   forms. The first form is where the EVP_EncryptUpdate() call is known to be
   the first called function after an EVP_EncryptInit(), and therefore that
   specific call must be safe. The second form is where the length passed to
   EVP_EncryptUpdate() can be seen from the code to be some small value and
   therefore there is no possibility of an overflow. Since all instances are
   one of these two forms, it is believed that there can be no overflows in
   internal code due to this problem. It should be noted that
   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
   of these calls have also been analysed and it is believed there are no
   instances in internal usage where an overflow could occur.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2106])

   *Matt Caswell*

 * Prevent ASN.1 BIO excessive memory allocation

   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
   a short invalid encoding can cause allocation of large amounts of memory
   potentially consuming excessive resources or exhausting memory.

   Any application parsing untrusted data through d2i BIO functions is
   affected. The memory based functions such as d2i_X509() are *not* affected.
   Since the memory based functions are used by the TLS library, TLS
   applications are not affected.

   This issue was reported by Brian Carpenter.
   ([CVE-2016-2109])

   *Stephen Henson*

 * EBCDIC overread

   ASN1 Strings that are over 1024 bytes can cause an overread in applications
   using the X509_NAME_oneline() function on EBCDIC systems. This could result
   in arbitrary stack data being returned in the buffer.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2176])

   *Matt Caswell*

 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.

   *Todd Short*

 * Remove LOW from the DEFAULT cipher list. This removes single DES from the
   default.

   *Kurt Roeckx*

 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
   methods are enabled and ssl2 is disabled the methods return NULL.

   *Kurt Roeckx*

### Changes between 1.0.1r and 1.0.1s [1 Mar 2016]

 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
   Builds that are not configured with "enable-weak-ssl-ciphers" will not
   provide any "EXPORT" or "LOW" strength ciphers.

   *Viktor Dukhovni*

 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
   is by default disabled at build-time.
   Builds that are not configured with
   "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
   users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
   will need to explicitly call either of:

       SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
       SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

   as appropriate. Even if either of those is used, or the application
   explicitly uses the version-specific SSLv2_method() or its client and
   server variants, SSLv2 ciphers vulnerable to exhaustive search key
   recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
   ciphers, and SSLv2 56-bit DES are no longer available.
   ([CVE-2016-0800])

   *Viktor Dukhovni*

 * Fix a double-free in DSA code

   A double free bug was discovered when OpenSSL parses malformed DSA private
   keys and could lead to a DoS attack or memory corruption for applications
   that receive DSA private keys from untrusted sources. This scenario is
   considered rare.

   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
   libFuzzer.
   ([CVE-2016-0705])

   *Stephen Henson*

 * Disable SRP fake user seed to address a server memory leak.

   Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
   In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
   was changed to ignore the "fake user" SRP seed, even if the seed
   is configured.

   Users should use SRP_VBASE_get1_by_user instead. Note that in
   SRP_VBASE_get1_by_user, the caller must free the returned value.
   Note
   also that even though configuring the SRP seed attempts to hide
   invalid usernames by continuing the handshake with fake
   credentials, this behaviour is not constant time and no strong
   guarantees are made that the handshake is indistinguishable from
   that of a valid user.
   ([CVE-2016-0798])

   *Emilia Käsper*

 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption

   In the BN_hex2bn function the number of hex digits is calculated using an
   int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
   large values of `i` this can result in `bn_expand` not allocating any
   memory because `i * 4` is negative. This can leave the internal BIGNUM data
   field as NULL leading to a subsequent NULL ptr deref. For very large values
   of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
   In this case memory is allocated to the internal BIGNUM data field, but it
   is insufficiently sized leading to heap corruption. A similar issue exists
   in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
   is ever called by user applications with very large untrusted hex/dec data.
   This is anticipated to be a rare occurrence.

   All OpenSSL internal usage of these functions uses data that is not expected
   to be untrusted, e.g. config file data or application command line
   arguments. If user developed applications generate config file data based
   on untrusted data then it is possible that this could also lead to security
   consequences. This is also anticipated to be rare.

   This issue was reported to OpenSSL by Guido Vranken.
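
   The three kinds of length check discussed in this and the preceding
   entries (the `p + len > limit` idiom of CVE-2016-2177, the `used + inl`
   style checks behind the EVP_EncodeUpdate/EVP_EncryptUpdate overflows, and
   the `i * 4` computation in BN_hex2bn), each rewritten in a form that can
   neither overflow nor form an out-of-range pointer. This is an added
   illustration in C, not OpenSSL code; the function names and the 2-byte
   length-prefixed test vectors are constructed for the example.

```c
/* Added example, not OpenSSL code: overflow-free bounds and size checks. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* (1) The idiom from the CVE-2016-2177 entry.  Forming p + len is undefined
 * once len exceeds the bytes left in the object; kept only for contrast and
 * never called with a hostile len here. */
bool in_bounds_unsafe(const unsigned char *p, size_t len, const unsigned char *limit)
{
    return p + len <= limit;
}

/* Safe form: compare lengths, never build the out-of-range pointer.
 * Requires p <= limit with both pointing into the same buffer. */
bool in_bounds(const unsigned char *p, size_t len, const unsigned char *limit)
{
    return len <= (size_t)(limit - p);
}

/* (2) Appending inl bytes to a buffer of known capacity (the shape of the
 * EVP_EncodeUpdate/EVP_EncryptUpdate length checks).  "used + inl <= capacity"
 * can wrap; "inl <= capacity - used" cannot once used <= capacity is known. */
bool room_for(size_t used, size_t capacity, size_t inl)
{
    return used <= capacity && inl <= capacity - used;
}

/* (3) The BN_hex2bn "i * 4" step, done in size_t with an explicit bound so the
 * value handed to an int-taking allocator can neither go negative nor wrap.
 * Returns the bit count, or -1 when n_digits * 4 would not fit in an int. */
long hex_bits_or_neg(size_t n_digits)
{
    if (n_digits > (size_t)INT_MAX / 4) return -1;
    return (long)(n_digits * 4);
}

/* (1) in use: a TLS-style 2-byte big-endian length prefix followed by that
 * many bytes.  Returns the payload length, or -1 if the declared length
 * overruns the buffer. */
long read_u16_vector(const unsigned char *p, const unsigned char *limit,
                     const unsigned char **payload)
{
    if (!in_bounds(p, 2, limit)) return -1;
    size_t len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (!in_bounds(p, len, limit)) return -1;
    *payload = p;
    return (long)len;
}

long vec_len(const unsigned char *buf, size_t n)
{
    const unsigned char *payload;
    return read_u16_vector(buf, buf + n, &payload);
}

/* Constructed inputs: a well-formed 3-byte vector, one whose prefix claims
 * 65535 bytes, and one that claims 4 bytes but carries only 3. */
const unsigned char sample_vec[] = {0x00, 0x03, 'a', 'b', 'c'};
const unsigned char huge_vec[]   = {0xff, 0xff, 'a'};
const unsigned char short_vec[]  = {0x00, 0x04, 'a', 'b', 'c'};

int main(void)
{
    printf("sample_vec -> %ld\n", vec_len(sample_vec, sizeof sample_vec));   /* 3  */
    printf("huge_vec   -> %ld\n", vec_len(huge_vec, sizeof huge_vec));       /* -1 */
    printf("short_vec  -> %ld\n", vec_len(short_vec, sizeof short_vec));     /* -1 */
    printf("hex bits for SIZE_MAX digits -> %ld\n", hex_bits_or_neg(SIZE_MAX)); /* -1 */
    return 0;
}
```

   The pattern in all three is the same: subtract the known-smaller quantity
   from the known-larger one, and compare the attacker-controlled length
   against that remainder, so the untrusted value is never an operand of an
   addition, multiplication or pointer offset that could wrap.
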
   ([CVE-2016-0797])

   *Matt Caswell*

 * Fix memory issues in `BIO_*printf` functions

   The internal `fmtstr` function used in processing a "%s" format string in
   the `BIO_*printf` functions could overflow while calculating the length of a
   string and cause an OOB read when printing very long strings.

   Additionally the internal `doapr_outch` function can attempt to write to an
   OOB memory location (at an offset from the NULL pointer) in the event of a
   memory allocation failure. In 1.0.2 and below this could be caused where
   the size of a buffer to be allocated is greater than INT_MAX. E.g. this
   could be in processing a very long "%s" format string. Memory leaks can
   also occur.

   The first issue may mask the second issue dependent on compiler behaviour.
   These problems could enable attacks where large amounts of untrusted data
   are passed to the `BIO_*printf` functions. If applications use these functions
   in this way then they could be vulnerable. OpenSSL itself uses these
   functions when printing out human-readable dumps of ASN.1 data. Therefore
   applications that print this data could be vulnerable if the data is from
   untrusted sources. OpenSSL command line applications could also be
   vulnerable where they print out ASN.1 data, or if untrusted data is passed
   as command line arguments.

   Libssl is not considered directly vulnerable. Additionally certificates etc
   received via remote connections via libssl are also unlikely to be able to
   trigger these issues because of message size limits enforced within libssl.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2016-0799])

   *Matt Caswell*

 * Side channel attack on modular exponentiation

   A side-channel attack was found which makes use of cache-bank conflicts on
   the Intel Sandy-Bridge microarchitecture which could lead to the recovery
   of RSA keys. The ability to exploit this issue is limited as it relies on
   an attacker who has control of code in a thread running on the same
   hyper-threaded core as the victim thread which is performing decryptions.

   This issue was reported to OpenSSL by Yuval Yarom, The University of
   Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
   Nadia Heninger, University of Pennsylvania with more information at
   <http://cachebleed.info>.
   ([CVE-2016-0702])

   *Andy Polyakov*

 * Change the req command to generate a 2048-bit RSA/DSA key by default,
   if no keysize is specified with default_bits. This fixes an
   omission in an earlier change that changed all RSA/DSA key generation
   commands to use 2048 bits by default.

   *Emilia Käsper*

### Changes between 1.0.1q and 1.0.1r [28 Jan 2016]

 * Protection for DH small subgroup attacks

   As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
   switched on by default and cannot be disabled. This could have some
   performance impact.

   *Matt Caswell*

 * SSLv2 doesn't block disabled ciphers

   A malicious client can negotiate SSLv2 ciphers that have been disabled on
   the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
   been disabled, provided that the SSLv2 protocol was not also disabled via
   SSL_OP_NO_SSLv2.

   This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
   and Sebastian Schinzel.
   ([CVE-2015-3197])

   *Viktor Dukhovni*

 * Reject DH handshakes with parameters shorter than 1024 bits.

   *Kurt Roeckx*

### Changes between 1.0.1p and 1.0.1q [3 Dec 2015]

 * Certificate verify crash with missing PSS parameter

   The signature verification routines will crash with a NULL pointer
   dereference if presented with an ASN.1 signature using the RSA PSS
   algorithm and absent mask generation function parameter. Since these
   routines are used to verify certificate signature algorithms this can be
   used to crash any certificate verification operation and exploited in a
   DoS attack. Any application which performs certificate verification is
   vulnerable including OpenSSL clients and servers which enable client
   authentication.

   This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
   ([CVE-2015-3194])

   *Stephen Henson*

 * X509_ATTRIBUTE memory leak

   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
   memory. This structure is used by the PKCS#7 and CMS routines so any
   application which reads PKCS#7 or CMS data from untrusted sources is
   affected. SSL/TLS is not affected.

   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
   libFuzzer.
   ([CVE-2015-3195])

   *Stephen Henson*

 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
   This changes the decoding behaviour for some invalid messages,
   though the change is mostly in the more lenient direction, and
   legacy behaviour is preserved as much as possible.

   *Emilia Käsper*

 * In DSA_generate_parameters_ex, if the provided seed is too short,
   use a random seed, as already documented.

   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*

### Changes between 1.0.1o and 1.0.1p [9 Jul 2015]

 * Alternate chains certificate forgery

   During certificate verification, OpenSSL will attempt to find an
   alternative certificate chain if the first attempt to build such a chain
   fails. An error in the implementation of this logic can mean that an
   attacker could cause certain checks on untrusted certificates to be
   bypassed, such as the CA flag, enabling them to use a valid leaf
   certificate to act as a CA and "issue" an invalid certificate.

   This issue was reported to OpenSSL by Adam Langley/David Benjamin
   (Google/BoringSSL).
   ([CVE-2015-1793])

   *Matt Caswell*

 * Race condition handling PSK identity hint

   If PSK identity hints are received by a multi-threaded client then
   the values are wrongly updated in the parent SSL_CTX structure. This can
   result in a race condition potentially leading to a double free of the
   identity hint data.
   ([CVE-2015-3196])

   *Stephen Henson*

### Changes between 1.0.1n and 1.0.1o [12 Jun 2015]

 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
   incompatibility in the handling of HMAC. The previous ABI has now been
   restored.

### Changes between 1.0.1m and 1.0.1n [11 Jun 2015]

 * Malformed ECParameters causes infinite loop

   When processing an ECParameters structure OpenSSL enters an infinite loop
   if the curve specified is over a specially malformed binary polynomial
   field.

   This can be used to perform denial of service against any
   system which processes public keys, certificate requests or
   certificates. This includes TLS clients and TLS servers with
   client authentication enabled.

   This issue was reported to OpenSSL by Joseph Barr-Pixton.
   ([CVE-2015-1788])

   *Andy Polyakov*

 * Exploitable out-of-bounds read in X509_cmp_time

   X509_cmp_time does not properly check the length of the ASN1_TIME
   string and can read a few bytes out of bounds. In addition,
   X509_cmp_time accepts an arbitrary number of fractional seconds in the
   time string.

   An attacker can use this to craft malformed certificates and CRLs of
   various sizes and potentially cause a segmentation fault, resulting in
   a DoS on applications that verify certificates or CRLs. TLS clients
   that verify CRLs are affected. TLS clients and servers with client
   authentication enabled may be affected if they use custom verification
   callbacks.

   This issue was reported to OpenSSL by Robert Swiecki (Google), and
   independently by Hanno Böck.
   ([CVE-2015-1789])

   *Emilia Käsper*

 * PKCS7 crash with missing EnvelopedContent

   The PKCS#7 parsing code does not handle missing inner EncryptedContent
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
   with missing content and trigger a NULL pointer dereference on parsing.

   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
   structures from untrusted sources are affected. OpenSSL clients and
   servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-1790])

   *Emilia Käsper*

 * CMS verify infinite loop with unknown hash function

   When verifying a signedData message the CMS code can enter an infinite loop
   if presented with an unknown hash function OID. This can be used to perform
   denial of service against any system which verifies signedData messages using
   the CMS code.

   This issue was reported to OpenSSL by Johannes Bauer.
   ([CVE-2015-1792])

   *Stephen Henson*

 * Race condition handling NewSessionTicket

   If a NewSessionTicket is received by a multi-threaded client when attempting to
   reuse a previous ticket then a race condition can occur potentially leading to
   a double free of the ticket data.
   ([CVE-2015-1791])

   *Matt Caswell*

 * Reject DH handshakes with parameters shorter than 768 bits.

   *Kurt Roeckx and Emilia Kasper*

 * dhparam: generate 2048-bit parameters by default.

   *Kurt Roeckx and Emilia Kasper*

### Changes between 1.0.1l and 1.0.1m [19 Mar 2015]

 * Segmentation fault in ASN1_TYPE_cmp fix

   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
   certificate signature algorithm consistency this can be used to crash any
   certificate verification operation and exploited in a DoS attack. Any
   application which performs certificate verification is vulnerable including
   OpenSSL clients and servers which enable client authentication.
   ([CVE-2015-0286])

   *Stephen Henson*

 * ASN.1 structure reuse memory corruption fix

   Reusing a structure in ASN.1 parsing may allow an attacker to cause
   memory corruption via an invalid write. Such reuse is and has been
   strongly discouraged and is believed to be rare.

   Applications that parse structures containing CHOICE or ANY DEFINED BY
   components may be affected. Certificate parsing (d2i_X509 and related
   functions) are however not affected. OpenSSL clients and servers are
   not affected.
   ([CVE-2015-0287])

   *Stephen Henson*

 * PKCS7 NULL pointer dereferences fix

   The PKCS#7 parsing code does not handle missing outer ContentInfo
   correctly.
   An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
   missing content and trigger a NULL pointer dereference on parsing.

   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
   otherwise parse PKCS#7 structures from untrusted sources are
   affected. OpenSSL clients and servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-0289])

   *Emilia Käsper*

 * DoS via reachable assert in SSLv2 servers fix

   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
   servers that both support SSLv2 and enable export cipher suites by sending
   a specially crafted SSLv2 CLIENT-MASTER-KEY message.

   This issue was discovered by Sean Burford (Google) and Emilia Käsper
   (OpenSSL development team).
   ([CVE-2015-0293])

   *Emilia Käsper*

 * Use After Free following d2i_ECPrivateKey error fix

   A malformed EC private key file consumed via the d2i_ECPrivateKey function
   could cause a use after free condition. This, in turn, could cause a double
   free in several private key parsing functions (such as d2i_PrivateKey
   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
   for applications that receive EC private keys from untrusted
   sources. This scenario is considered rare.

   This issue was discovered by the BoringSSL project and fixed in their
   commit 517073cd4b.
   ([CVE-2015-0209])

   *Matt Caswell*

 * X509_to_X509_REQ NULL pointer deref fix

   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
   the certificate key is invalid. This function is rarely used in practice.

   This issue was discovered by Brian Carpenter.
   ([CVE-2015-0288])

   *Stephen Henson*

 * Removed the export ciphers from the DEFAULT ciphers

   *Kurt Roeckx*

### Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

 * Build fixes for the Windows and OpenVMS platforms

   *Matt Caswell and Richard Levitte*

### Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
   message can cause a segmentation fault in OpenSSL due to a NULL pointer
   dereference. This could lead to a Denial Of Service attack. Thanks to
   Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
   ([CVE-2014-3571])

   *Steve Henson*

 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
   dtls1_buffer_record function under certain conditions. In particular this
   could occur if an attacker sent repeated DTLS records with the same
   sequence number but for the next epoch. The memory leak could be exploited
   by an attacker in a Denial of Service attack through memory exhaustion.
   Thanks to Chris Mueller for reporting this issue.
   ([CVE-2015-0206])

   *Matt Caswell*

 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
   method would be set to NULL which could later result in a NULL pointer
   dereference. Thanks to Frank Schmirler for reporting this issue.
   ([CVE-2014-3569])

   *Kurt Roeckx*

 * Abort handshake if server key exchange message is omitted for ephemeral
   ECDH ciphersuites.

   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
   reporting this issue.
   ([CVE-2014-3572])

   *Steve Henson*

 * Remove non-export ephemeral RSA code on client and server.
   This code
   violated the TLS standard by allowing the use of temporary RSA keys in
   non-export ciphersuites and could be used by a server to effectively
   downgrade the RSA key length used to a value smaller than the server
   certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
   INRIA for reporting this issue.
   ([CVE-2015-0204])

   *Steve Henson*

 * Fixed issue where DH client certificates are accepted without verification.
   An OpenSSL server will accept a DH certificate for client authentication
   without the certificate verify message. This effectively allows a client to
   authenticate without the use of a private key. This only affects servers
   which trust a client certificate authority which issues certificates
   containing DH keys: these are extremely rare and hardly ever encountered.
   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
   this issue.
   ([CVE-2015-0205])

   *Steve Henson*

 * Ensure that the session ID context of an SSL is updated when its
   SSL_CTX is updated via SSL_set_SSL_CTX.

   The session ID context is typically set from the parent SSL_CTX,
   and can vary with the CTX.

   *Adam Langley*

 * Fix various certificate fingerprint issues.

   By using non-DER or invalid encodings outside the signed portion of a
   certificate the fingerprint can be changed without breaking the signature.
   Although no details of the signed portion of the certificate can be changed
   this can cause problems with some applications: e.g. those using the
   certificate fingerprint for blacklists.

   1. Reject signatures with non zero unused bits.

   If the BIT STRING containing the signature has non zero unused bits reject
   the signature. All current signature algorithms require zero unused bits.

   2. Check certificate algorithm consistency.

   Check the AlgorithmIdentifier inside TBS matches the one in the
   certificate signature. NB: this will result in signature failure
   errors for some broken certificates.

   Thanks to Konrad Kraszewski from Google for reporting this issue.

   3. Check DSA/ECDSA signatures use DER.

   Re-encode DSA/ECDSA signatures and compare with the original received
   signature. Return an error if there is a mismatch.

   This will reject various cases including garbage after signature
   (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
   program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
   (negative or with leading zeroes).

   Further analysis was conducted and fixes were developed by Stephen Henson
   of the OpenSSL core team.

   ([CVE-2014-8275])

   *Steve Henson*

 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
   results on some platforms, including x86_64. This bug occurs at random
   with a very low probability, and is not known to be exploitable in any
   way, though its exact impact is difficult to determine. Thanks to Pieter
   Wuille (Blockstream) who reported this issue and also suggested an initial
   fix. Further analysis was conducted by the OpenSSL development team and
   Adam Langley of Google. The final fix was developed by Andy Polyakov of
   the OpenSSL core team.
   ([CVE-2014-3570])

   *Andy Polyakov*

 * Do not resume sessions on the server if the negotiated protocol
   version does not match the session's version. Resuming with a different
   version, while not strictly forbidden by the RFC, is of questionable
   sanity and breaks all known clients.

   *David Benjamin, Emilia Käsper*

 * Tighten handling of the ChangeCipherSpec (CCS) message: reject
   early CCS messages during renegotiation.
   (Note that because
   renegotiation is encrypted, this early CCS was not exploitable.)

   *Emilia Käsper*

 * Tighten client-side session ticket handling during renegotiation:
   ensure that the client only accepts a session ticket if the server sends
   the extension anew in the ServerHello. Previously, a TLS client would
   reuse the old extension state and thus accept a session ticket if one was
   announced in the initial ServerHello.

   Similarly, ensure that the client requires a session ticket if one
   was advertised in the ServerHello. Previously, a TLS client would
   ignore a missing NewSessionTicket message.

   *Emilia Käsper*

### Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

 * SRTP Memory Leak.

   A flaw in the DTLS SRTP extension parsing code allows an attacker, who
   sends a carefully crafted handshake message, to cause OpenSSL to fail
   to free up to 64k of memory causing a memory leak. This could be
   exploited in a Denial Of Service attack. This issue affects OpenSSL
   1.0.1 server implementations for both SSL/TLS and DTLS regardless of
   whether SRTP is used or configured. Implementations of OpenSSL that
   have been compiled with OPENSSL_NO_SRTP defined are not affected.

   The fix was developed by the OpenSSL team.
   ([CVE-2014-3513])

   *OpenSSL team*

 * Session Ticket Memory Leak.

   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   integrity of that ticket is first verified. In the event of a session
   ticket integrity check failing, OpenSSL will fail to free memory
   causing a memory leak. By sending a large number of invalid session
   tickets an attacker could exploit this issue in a Denial Of Service
   attack.
   ([CVE-2014-3567])

   *Steve Henson*

 * Build option no-ssl3 is incomplete.

   When OpenSSL is configured with "no-ssl3" as a build option, servers
   could accept and complete an SSL 3.0 handshake, and clients could be
   configured to send them.
   ([CVE-2014-3568])

   *Akamai and the OpenSSL team*

 * Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call
   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   ([CVE-2014-3566])

   *Adam Langley, Bodo Moeller*

 * Add additional DigestInfo checks.

   Re-encode DigestInfo in DER and check against the original when
   verifying RSA signature: this will reject any improperly encoded
   DigestInfo structures.

   Note: this is a precautionary measure and no attacks are currently known.

   *Steve Henson*

### Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

 * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
   SRP code can overrun an internal buffer. Add sanity check that
   g, A, B < N to SRP code.

   Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
   Group for discovering this issue.
   ([CVE-2014-3512])

   *Steve Henson*

 * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
   TLS 1.0 instead of higher protocol versions when the ClientHello message
   is badly fragmented. This allows a man-in-the-middle attacker to force a
   downgrade to TLS 1.0 even if both the server and the client support a
   higher protocol version, by modifying the client's TLS records.

   Thanks to David Benjamin and Adam Langley (Google) for discovering and
   researching this issue.
   ([CVE-2014-3511])

   *David Benjamin*

 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   to a denial of service attack.
A malicious server can crash the client 7269 with a null pointer dereference (read) by specifying an anonymous (EC)DH 7270 ciphersuite and sending carefully crafted handshake messages. 7271 7272 Thanks to Felix Gröbert (Google) for discovering and researching this 7273 issue. 7274 ([CVE-2014-3510]) 7275 7276 *Emilia Käsper* 7277 7278 * By sending carefully crafted DTLS packets an attacker could cause openssl 7279 to leak memory. This can be exploited through a Denial of Service attack. 7280 Thanks to Adam Langley for discovering and researching this issue. 7281 ([CVE-2014-3507]) 7282 7283 *Adam Langley* 7284 7285 * An attacker can force openssl to consume large amounts of memory whilst 7286 processing DTLS handshake messages. This can be exploited through a 7287 Denial of Service attack. 7288 Thanks to Adam Langley for discovering and researching this issue. 7289 ([CVE-2014-3506]) 7290 7291 *Adam Langley* 7292 7293 * An attacker can force an error condition which causes openssl to crash 7294 whilst processing DTLS packets due to memory being freed twice. This 7295 can be exploited through a Denial of Service attack. 7296 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching 7297 this issue. 7298 ([CVE-2014-3505]) 7299 7300 *Adam Langley* 7301 7302 * If a multithreaded client connects to a malicious server using a resumed 7303 session and the server sends an ec point format extension it could write 7304 up to 255 bytes to freed memory. 7305 7306 Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this 7307 issue. 7308 ([CVE-2014-3509]) 7309 7310 *Gabor Tyukasz* 7311 7312 * A malicious server can crash an OpenSSL client with a null pointer 7313 dereference (read) by specifying an SRP ciphersuite even though it was not 7314 properly negotiated with the client. This can be exploited through a 7315 Denial of Service attack. 
7316 7317 Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for 7318 discovering and researching this issue. 7319 ([CVE-2014-5139]) 7320 7321 *Steve Henson* 7322 7323 * A flaw in OBJ_obj2txt may cause pretty printing functions such as 7324 X509_name_oneline, X509_name_print_ex et al. to leak some information 7325 from the stack. Applications may be affected if they echo pretty printing 7326 output to the attacker. 7327 7328 Thanks to Ivan Fratric (Google) for discovering this issue. 7329 ([CVE-2014-3508]) 7330 7331 *Emilia Käsper, and Steve Henson* 7332 7333 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) 7334 for corner cases. (Certain input points at infinity could lead to 7335 bogus results, with non-infinity inputs mapped to infinity too.) 7336 7337 *Bodo Moeller* 7338 7339### Changes between 1.0.1g and 1.0.1h [5 Jun 2014] 7340 7341 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted 7342 handshake can force the use of weak keying material in OpenSSL 7343 SSL/TLS clients and servers. 7344 7345 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and 7346 researching this issue. ([CVE-2014-0224]) 7347 7348 *KIKUCHI Masashi, Steve Henson* 7349 7350 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an 7351 OpenSSL DTLS client the code can be made to recurse eventually crashing 7352 in a DoS attack. 7353 7354 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. 7355 ([CVE-2014-0221]) 7356 7357 *Imre Rad, Steve Henson* 7358 7359 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can 7360 be triggered by sending invalid DTLS fragments to an OpenSSL DTLS 7361 client or server. This is potentially exploitable to run arbitrary 7362 code on a vulnerable client or server. 7363 7364 Thanks to Jüri Aedla for reporting this issue. 
([CVE-2014-0195]) 7365 7366 *Jüri Aedla, Steve Henson* 7367 7368 * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites 7369 are subject to a denial of service attack. 7370 7371 Thanks to Felix Gröbert and Ivan Fratric at Google for discovering 7372 this issue. ([CVE-2014-3470]) 7373 7374 *Felix Gröbert, Ivan Fratric, Steve Henson* 7375 7376 * Harmonize version and its documentation. -f flag is used to display 7377 compilation flags. 7378 7379 *mancha <mancha1@zoho.com>* 7380 7381 * Fix eckey_priv_encode so it immediately returns an error upon a failure 7382 in i2d_ECPrivateKey. 7383 7384 *mancha <mancha1@zoho.com>* 7385 7386 * Fix some double frees. These are not thought to be exploitable. 7387 7388 *mancha <mancha1@zoho.com>* 7389 7390### Changes between 1.0.1f and 1.0.1g [7 Apr 2014] 7391 7392 * A missing bounds check in the handling of the TLS heartbeat extension 7393 can be used to reveal up to 64k of memory to a connected client or 7394 server. 7395 7396 Thanks for Neel Mehta of Google Security for discovering this bug and to 7397 Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for 7398 preparing the fix ([CVE-2014-0160]) 7399 7400 *Adam Langley, Bodo Moeller* 7401 7402 * Fix for the attack described in the paper "Recovering OpenSSL 7403 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" 7404 by Yuval Yarom and Naomi Benger. Details can be obtained from: 7405 <http://eprint.iacr.org/2014/140> 7406 7407 Thanks to Yuval Yarom and Naomi Benger for discovering this 7408 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076]) 7409 7410 *Yuval Yarom and Naomi Benger* 7411 7412 * TLS pad extension: draft-agl-tls-padding-03 7413 7414 Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the 7415 TLS client Hello record length value would otherwise be > 255 and 7416 less that 512 pad with a dummy extension containing zeroes so it 7417 is at least 512 bytes long. 
7418 7419 *Adam Langley, Steve Henson* 7420 7421### Changes between 1.0.1e and 1.0.1f [6 Jan 2014] 7422 7423 * Fix for TLS record tampering bug. A carefully crafted invalid 7424 handshake could crash OpenSSL with a NULL pointer exception. 7425 Thanks to Anton Johansson for reporting this issues. 7426 ([CVE-2013-4353]) 7427 7428 * Keep original DTLS digest and encryption contexts in retransmission 7429 structures so we can use the previous session parameters if they need 7430 to be resent. ([CVE-2013-6450]) 7431 7432 *Steve Henson* 7433 7434 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which 7435 avoids preferring ECDHE-ECDSA ciphers when the client appears to be 7436 Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for 7437 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug 7438 is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 7439 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. 7440 7441 *Rob Stradling, Adam Langley* 7442 7443### Changes between 1.0.1d and 1.0.1e [11 Feb 2013] 7444 7445 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI 7446 supporting platforms or when small records were transferred. 7447 7448 *Andy Polyakov, Steve Henson* 7449 7450### Changes between 1.0.1c and 1.0.1d [5 Feb 2013] 7451 7452 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time. 7453 7454 This addresses the flaw in CBC record processing discovered by 7455 Nadhem Alfardan and Kenny Paterson. Details of this attack can be found 7456 at: <http://www.isg.rhul.ac.uk/tls/> 7457 7458 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information 7459 Security Group at Royal Holloway, University of London 7460 (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and 7461 Emilia Käsper for the initial patch. 
7462 ([CVE-2013-0169]) 7463 7464 *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson* 7465 7466 * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode 7467 ciphersuites which can be exploited in a denial of service attack. 7468 Thanks go to and to Adam Langley <agl@chromium.org> for discovering 7469 and detecting this bug and to Wolfgang Ettlinger 7470 <wolfgang.ettlinger@gmail.com> for independently discovering this issue. 7471 ([CVE-2012-2686]) 7472 7473 *Adam Langley* 7474 7475 * Return an error when checking OCSP signatures when key is NULL. 7476 This fixes a DoS attack. ([CVE-2013-0166]) 7477 7478 *Steve Henson* 7479 7480 * Make openssl verify return errors. 7481 7482 *Chris Palmer <palmer@google.com> and Ben Laurie* 7483 7484 * Call OCSP Stapling callback after ciphersuite has been chosen, so 7485 the right response is stapled. Also change SSL_get_certificate() 7486 so it returns the certificate actually sent. 7487 See <http://rt.openssl.org/Ticket/Display.html?id=2836>. 7488 7489 *Rob Stradling <rob.stradling@comodo.com>* 7490 7491 * Fix possible deadlock when decoding public keys. 7492 7493 *Steve Henson* 7494 7495 * Don't use TLS 1.0 record version number in initial client hello 7496 if renegotiating. 7497 7498 *Steve Henson* 7499 7500### Changes between 1.0.1b and 1.0.1c [10 May 2012] 7501 7502 * Sanity check record length before skipping explicit IV in TLS 7503 1.2, 1.1 and DTLS to fix DoS attack. 7504 7505 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic 7506 fuzzing as a service testing platform. 7507 ([CVE-2012-2333]) 7508 7509 *Steve Henson* 7510 7511 * Initialise tkeylen properly when encrypting CMS messages. 7512 Thanks to Solar Designer of Openwall for reporting this issue. 7513 7514 *Steve Henson* 7515 7516 * In FIPS mode don't try to use composite ciphers as they are not 7517 approved. 
7518 7519 *Steve Henson* 7520 7521### Changes between 1.0.1a and 1.0.1b [26 Apr 2012] 7522 7523 * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and 7524 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately 7525 mean any application compiled against OpenSSL 1.0.0 headers setting 7526 SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling 7527 TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to 7528 0x10000000L Any application which was previously compiled against 7529 OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 7530 will need to be recompiled as a result. Letting be results in 7531 inability to disable specifically TLS 1.1 and in client context, 7532 in unlike event, limit maximum offered version to TLS 1.0 [see below]. 7533 7534 *Steve Henson* 7535 7536 * In order to ensure interoperability SSL_OP_NO_protocolX does not 7537 disable just protocol X, but all protocols above X *if* there are 7538 protocols *below* X still enabled. In more practical terms it means 7539 that if application wants to disable TLS1.0 in favor of TLS1.1 and 7540 above, it's not sufficient to pass `SSL_OP_NO_TLSv1`, one has to pass 7541 `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`. This applies to 7542 client side. 7543 7544 *Andy Polyakov* 7545 7546### Changes between 1.0.1 and 1.0.1a [19 Apr 2012] 7547 7548 * Check for potentially exploitable overflows in asn1_d2i_read_bio 7549 BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer 7550 in CRYPTO_realloc_clean. 7551 7552 Thanks to Tavis Ormandy, Google Security Team, for discovering this 7553 issue and to Adam Langley <agl@chromium.org> for fixing it. 7554 ([CVE-2012-2110]) 7555 7556 *Adam Langley (Google), Tavis Ormandy, Google Security Team* 7557 7558 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. 
7559 7560 *Adam Langley* 7561 7562 * Workarounds for some broken servers that "hang" if a client hello 7563 record length exceeds 255 bytes. 7564 7565 1. Do not use record version number > TLS 1.0 in initial client 7566 hello: some (but not all) hanging servers will now work. 7567 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate 7568 the number of ciphers sent in the client hello. This should be 7569 set to an even number, such as 50, for example by passing: 7570 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. 7571 Most broken servers should now work. 7572 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable 7573 TLS 1.2 client support entirely. 7574 7575 *Steve Henson* 7576 7577 * Fix SEGV in Vector Permutation AES module observed in OpenSSH. 7578 7579 *Andy Polyakov* 7580 7581### Changes between 1.0.0h and 1.0.1 [14 Mar 2012] 7582 7583 * Add compatibility with old MDC2 signatures which use an ASN1 OCTET 7584 STRING form instead of a DigestInfo. 7585 7586 *Steve Henson* 7587 7588 * The format used for MDC2 RSA signatures is inconsistent between EVP 7589 and the RSA_sign/RSA_verify functions. This was made more apparent when 7590 OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular 7591 those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect 7592 the correct format in RSA_verify so both forms transparently work. 7593 7594 *Steve Henson* 7595 7596 * Some servers which support TLS 1.0 can choke if we initially indicate 7597 support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA 7598 encrypted premaster secret. As a workaround use the maximum permitted 7599 client version in client hello, this should keep such servers happy 7600 and still work with previous versions of OpenSSL. 7601 7602 *Steve Henson* 7603 7604 * Add support for TLS/DTLS heartbeats. 7605 7606 *Robin Seggelmann <seggelmann@fh-muenster.de>* 7607 7608 * Add support for SCTP. 
7609 7610 *Robin Seggelmann <seggelmann@fh-muenster.de>* 7611 7612 * Improved PRNG seeding for VOS. 7613 7614 *Paul Green <Paul.Green@stratus.com>* 7615 7616 * Extensive assembler packs updates, most notably: 7617 7618 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support; 7619 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES); 7620 - x86_64: bit-sliced AES implementation; 7621 - ARM: NEON support, contemporary platforms optimizations; 7622 - s390x: z196 support; 7623 - `*`: GHASH and GF(2^m) multiplication implementations; 7624 7625 *Andy Polyakov* 7626 7627 * Make TLS-SRP code conformant with RFC 5054 API cleanup 7628 (removal of unnecessary code) 7629 7630 *Peter Sylvester <peter.sylvester@edelweb.fr>* 7631 7632 * Add TLS key material exporter from RFC 5705. 7633 7634 *Eric Rescorla* 7635 7636 * Add DTLS-SRTP negotiation from RFC 5764. 7637 7638 *Eric Rescorla* 7639 7640 * Add Next Protocol Negotiation, 7641 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be 7642 disabled with a no-npn flag to config or Configure. Code donated 7643 by Google. 7644 7645 *Adam Langley <agl@google.com> and Ben Laurie* 7646 7647 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224, 7648 NIST-P256, NIST-P521, with constant-time single point multiplication on 7649 typical inputs. Compiler support for the nonstandard type `__uint128_t` is 7650 required to use this (present in gcc 4.4 and later, for 64-bit builds). 7651 Code made available under Apache License version 2.0. 7652 7653 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command 7654 line to include this in your build of OpenSSL, and run "make depend" (or 7655 "make update"). This enables the following EC_METHODs: 7656 7657 EC_GFp_nistp224_method() 7658 EC_GFp_nistp256_method() 7659 EC_GFp_nistp521_method() 7660 7661 EC_GROUP_new_by_curve_name() will automatically use these (while 7662 EC_GROUP_new_curve_GFp() currently prefers the more flexible 7663 implementations). 
7664 7665 *Emilia Käsper, Adam Langley, Bodo Moeller (Google)* 7666 7667 * Use type ossl_ssize_t instead of ssize_t which isn't available on 7668 all platforms. Move ssize_t definition from e_os.h to the public 7669 header file e_os2.h as it now appears in public header file cms.h 7670 7671 *Steve Henson* 7672 7673 * New -sigopt option to the ca, req and x509 utilities. Additional 7674 signature parameters can be passed using this option and in 7675 particular PSS. 7676 7677 *Steve Henson* 7678 7679 * Add RSA PSS signing function. This will generate and set the 7680 appropriate AlgorithmIdentifiers for PSS based on those in the 7681 corresponding EVP_MD_CTX structure. No application support yet. 7682 7683 *Steve Henson* 7684 7685 * Support for companion algorithm specific ASN1 signing routines. 7686 New function ASN1_item_sign_ctx() signs a pre-initialised 7687 EVP_MD_CTX structure and sets AlgorithmIdentifiers based on 7688 the appropriate parameters. 7689 7690 *Steve Henson* 7691 7692 * Add new algorithm specific ASN1 verification initialisation function 7693 to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 7694 handling will be the same no matter what EVP_PKEY_METHOD is used. 7695 Add a PSS handler to support verification of PSS signatures: checked 7696 against a number of sample certificates. 7697 7698 *Steve Henson* 7699 7700 * Add signature printing for PSS. Add PSS OIDs. 7701 7702 *Steve Henson, Martin Kaiser <lists@kaiser.cx>* 7703 7704 * Add algorithm specific signature printing. An individual ASN1 method 7705 can now print out signatures instead of the standard hex dump. 7706 7707 More complex signatures (e.g. PSS) can print out more meaningful 7708 information. Include DSA version that prints out the signature 7709 parameters r, s. 7710 7711 *Steve Henson* 7712 7713 * Password based recipient info support for CMS library: implementing 7714 RFC3211. 
7715 7716 *Steve Henson* 7717 7718 * Split password based encryption into PBES2 and PBKDF2 functions. This 7719 neatly separates the code into cipher and PBE sections and is required 7720 for some algorithms that split PBES2 into separate pieces (such as 7721 password based CMS). 7722 7723 *Steve Henson* 7724 7725 * Session-handling fixes: 7726 - Fix handling of connections that are resuming with a session ID, 7727 but also support Session Tickets. 7728 - Fix a bug that suppressed issuing of a new ticket if the client 7729 presented a ticket with an expired session. 7730 - Try to set the ticket lifetime hint to something reasonable. 7731 - Make tickets shorter by excluding irrelevant information. 7732 - On the client side, don't ignore renewed tickets. 7733 7734 *Adam Langley, Bodo Moeller (Google)* 7735 7736 * Fix PSK session representation. 7737 7738 *Bodo Moeller* 7739 7740 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. 7741 7742 This work was sponsored by Intel. 7743 7744 *Andy Polyakov* 7745 7746 * Add GCM support to TLS library. Some custom code is needed to split 7747 the IV between the fixed (from PRF) and explicit (from TLS record) 7748 portions. This adds all GCM ciphersuites supported by RFC5288 and 7749 RFC5289. Generalise some `AES*` cipherstrings to include GCM and 7750 add a special AESGCM string for GCM only. 7751 7752 *Steve Henson* 7753 7754 * Expand range of ctrls for AES GCM. Permit setting invocation 7755 field on decrypt and retrieval of invocation field only on encrypt. 7756 7757 *Steve Henson* 7758 7759 * Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support. 7760 As required by RFC5289 these ciphersuites cannot be used if for 7761 versions of TLS earlier than 1.2. 7762 7763 *Steve Henson* 7764 7765 * For FIPS capable OpenSSL interpret a NULL default public key method 7766 as unset and return the appropriate default but do *not* set the default. 
7767 This means we can return the appropriate method in applications that 7768 switch between FIPS and non-FIPS modes. 7769 7770 *Steve Henson* 7771 7772 * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an 7773 ENGINE is used then we cannot handle that in the FIPS module so we 7774 keep original code iff non-FIPS operations are allowed. 7775 7776 *Steve Henson* 7777 7778 * Add -attime option to openssl utilities. 7779 7780 *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson* 7781 7782 * Redirect DSA and DH operations to FIPS module in FIPS mode. 7783 7784 *Steve Henson* 7785 7786 * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use 7787 FIPS EC methods unconditionally for now. 7788 7789 *Steve Henson* 7790 7791 * New build option no-ec2m to disable characteristic 2 code. 7792 7793 *Steve Henson* 7794 7795 * Backport libcrypto audit of return value checking from 1.1.0-dev; not 7796 all cases can be covered as some introduce binary incompatibilities. 7797 7798 *Steve Henson* 7799 7800 * Redirect RSA operations to FIPS module including keygen, 7801 encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods. 7802 7803 *Steve Henson* 7804 7805 * Add similar low-level API blocking to ciphers. 7806 7807 *Steve Henson* 7808 7809 * low-level digest APIs are not approved in FIPS mode: any attempt 7810 to use these will cause a fatal error. Applications that *really* want 7811 to use them can use the `private_*` version instead. 7812 7813 *Steve Henson* 7814 7815 * Redirect cipher operations to FIPS module for FIPS builds. 7816 7817 *Steve Henson* 7818 7819 * Redirect digest operations to FIPS module for FIPS builds. 7820 7821 *Steve Henson* 7822 7823 * Update build system to add "fips" flag which will link in fipscanister.o 7824 for static and shared library builds embedding a signature if needed. 7825 7826 *Steve Henson* 7827 7828 * Output TLS supported curves in preference order instead of numerical 7829 order. 
This is currently hardcoded for the highest order curves first. 7830 This should be configurable so applications can judge speed vs strength. 7831 7832 *Steve Henson* 7833 7834 * Add TLS v1.2 server support for client authentication. 7835 7836 *Steve Henson* 7837 7838 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers 7839 and enable MD5. 7840 7841 *Steve Henson* 7842 7843 * Functions FIPS_mode_set() and FIPS_mode() which call the underlying 7844 FIPS modules versions. 7845 7846 *Steve Henson* 7847 7848 * Add TLS v1.2 client side support for client authentication. Keep cache 7849 of handshake records longer as we don't know the hash algorithm to use 7850 until after the certificate request message is received. 7851 7852 *Steve Henson* 7853 7854 * Initial TLS v1.2 client support. Add a default signature algorithms 7855 extension including all the algorithms we support. Parse new signature 7856 format in client key exchange. Relax some ECC signing restrictions for 7857 TLS v1.2 as indicated in RFC5246. 7858 7859 *Steve Henson* 7860 7861 * Add server support for TLS v1.2 signature algorithms extension. Switch 7862 to new signature format when needed using client digest preference. 7863 All server ciphersuites should now work correctly in TLS v1.2. No client 7864 support yet and no support for client certificates. 7865 7866 *Steve Henson* 7867 7868 * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch 7869 to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based 7870 ciphersuites. At present only RSA key exchange ciphersuites work with 7871 TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete 7872 SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods 7873 and version checking. 7874 7875 *Steve Henson* 7876 7877 * New option OPENSSL_NO_SSL_INTERN. If an application can be compiled 7878 with this defined it will not be affected by any changes to ssl internal 7879 structures. 
Add several utility functions to allow openssl application 7880 to work with OPENSSL_NO_SSL_INTERN defined. 7881 7882 *Steve Henson* 7883 7884 * A long standing patch to add support for SRP from EdelWeb (Peter 7885 Sylvester and Christophe Renou) was integrated. 7886 *Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester 7887 <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and 7888 Ben Laurie* 7889 7890 * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. 7891 7892 *Steve Henson* 7893 7894 * Permit abbreviated handshakes when renegotiating using the function 7895 SSL_renegotiate_abbreviated(). 7896 7897 *Robin Seggelmann <seggelmann@fh-muenster.de>* 7898 7899 * Add call to ENGINE_register_all_complete() to 7900 ENGINE_load_builtin_engines(), so some implementations get used 7901 automatically instead of needing explicit application support. 7902 7903 *Steve Henson* 7904 7905 * Add support for TLS key exporter as described in RFC5705. 7906 7907 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson* 7908 7909 * Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only 7910 a few changes are required: 7911 7912 Add SSL_OP_NO_TLSv1_1 flag. 7913 Add TLSv1_1 methods. 7914 Update version checking logic to handle version 1.1. 7915 Add explicit IV handling (ported from DTLS code). 7916 Add command line options to s_client/s_server. 7917 7918 *Steve Henson* 7919 7920OpenSSL 1.0.0 7921------------- 7922 7923### Changes between 1.0.0s and 1.0.0t [3 Dec 2015] 7924 7925 * X509_ATTRIBUTE memory leak 7926 7927 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak 7928 memory. This structure is used by the PKCS#7 and CMS routines so any 7929 application which reads PKCS#7 or CMS data from untrusted sources is 7930 affected. SSL/TLS is not affected. 7931 7932 This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using 7933 libFuzzer. 
7934 ([CVE-2015-3195]) 7935 7936 *Stephen Henson* 7937 7938 * Race condition handling PSK identify hint 7939 7940 If PSK identity hints are received by a multi-threaded client then 7941 the values are wrongly updated in the parent SSL_CTX structure. This can 7942 result in a race condition potentially leading to a double free of the 7943 identify hint data. 7944 ([CVE-2015-3196]) 7945 7946 *Stephen Henson* 7947 7948### Changes between 1.0.0r and 1.0.0s [11 Jun 2015] 7949 7950 * Malformed ECParameters causes infinite loop 7951 7952 When processing an ECParameters structure OpenSSL enters an infinite loop 7953 if the curve specified is over a specially malformed binary polynomial 7954 field. 7955 7956 This can be used to perform denial of service against any 7957 system which processes public keys, certificate requests or 7958 certificates. This includes TLS clients and TLS servers with 7959 client authentication enabled. 7960 7961 This issue was reported to OpenSSL by Joseph Barr-Pixton. 7962 ([CVE-2015-1788]) 7963 7964 *Andy Polyakov* 7965 7966 * Exploitable out-of-bounds read in X509_cmp_time 7967 7968 X509_cmp_time does not properly check the length of the ASN1_TIME 7969 string and can read a few bytes out of bounds. In addition, 7970 X509_cmp_time accepts an arbitrary number of fractional seconds in the 7971 time string. 7972 7973 An attacker can use this to craft malformed certificates and CRLs of 7974 various sizes and potentially cause a segmentation fault, resulting in 7975 a DoS on applications that verify certificates or CRLs. TLS clients 7976 that verify CRLs are affected. TLS clients and servers with client 7977 authentication enabled may be affected if they use custom verification 7978 callbacks. 7979 7980 This issue was reported to OpenSSL by Robert Swiecki (Google), and 7981 independently by Hanno Böck. 
7982 ([CVE-2015-1789]) 7983 7984 *Emilia Käsper* 7985 7986 * PKCS7 crash with missing EnvelopedContent 7987 7988 The PKCS#7 parsing code does not handle missing inner EncryptedContent 7989 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs 7990 with missing content and trigger a NULL pointer dereference on parsing. 7991 7992 Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 7993 structures from untrusted sources are affected. OpenSSL clients and 7994 servers are not affected. 7995 7996 This issue was reported to OpenSSL by Michal Zalewski (Google). 7997 ([CVE-2015-1790]) 7998 7999 *Emilia Käsper* 8000 8001 * CMS verify infinite loop with unknown hash function 8002 8003 When verifying a signedData message the CMS code can enter an infinite loop 8004 if presented with an unknown hash function OID. This can be used to perform 8005 denial of service against any system which verifies signedData messages using 8006 the CMS code. 8007 This issue was reported to OpenSSL by Johannes Bauer. 8008 ([CVE-2015-1792]) 8009 8010 *Stephen Henson* 8011 8012 * Race condition handling NewSessionTicket 8013 8014 If a NewSessionTicket is received by a multi-threaded client when attempting to 8015 reuse a previous ticket then a race condition can occur potentially leading to 8016 a double free of the ticket data. 8017 ([CVE-2015-1791]) 8018 8019 *Matt Caswell* 8020 8021### Changes between 1.0.0q and 1.0.0r [19 Mar 2015] 8022 8023 * Segmentation fault in ASN1_TYPE_cmp fix 8024 8025 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is 8026 made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check 8027 certificate signature algorithm consistency this can be used to crash any 8028 certificate verification operation and exploited in a DoS attack. Any 8029 application which performs certificate verification is vulnerable including 8030 OpenSSL clients and servers which enable client authentication. 
8031 ([CVE-2015-0286]) 8032 8033 *Stephen Henson* 8034 8035 * ASN.1 structure reuse memory corruption fix 8036 8037 Reusing a structure in ASN.1 parsing may allow an attacker to cause 8038 memory corruption via an invalid write. Such reuse is and has been 8039 strongly discouraged and is believed to be rare. 8040 8041 Applications that parse structures containing CHOICE or ANY DEFINED BY 8042 components may be affected. Certificate parsing (d2i_X509 and related 8043 functions) are however not affected. OpenSSL clients and servers are 8044 not affected. 8045 ([CVE-2015-0287]) 8046 8047 *Stephen Henson* 8048 8049 * PKCS7 NULL pointer dereferences fix 8050 8051 The PKCS#7 parsing code does not handle missing outer ContentInfo 8052 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with 8053 missing content and trigger a NULL pointer dereference on parsing. 8054 8055 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or 8056 otherwise parse PKCS#7 structures from untrusted sources are 8057 affected. OpenSSL clients and servers are not affected. 8058 8059 This issue was reported to OpenSSL by Michal Zalewski (Google). 8060 ([CVE-2015-0289]) 8061 8062 *Emilia Käsper* 8063 8064 * DoS via reachable assert in SSLv2 servers fix 8065 8066 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in 8067 servers that both support SSLv2 and enable export cipher suites by sending 8068 a specially crafted SSLv2 CLIENT-MASTER-KEY message. 8069 8070 This issue was discovered by Sean Burford (Google) and Emilia Käsper 8071 (OpenSSL development team). 8072 ([CVE-2015-0293]) 8073 8074 *Emilia Käsper* 8075 8076 * Use After Free following d2i_ECPrivatekey error fix 8077 8078 A malformed EC private key file consumed via the d2i_ECPrivateKey function 8079 could cause a use after free condition. 
This, in turn, could cause a double 8080 free in several private key parsing functions (such as d2i_PrivateKey 8081 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption 8082 for applications that receive EC private keys from untrusted 8083 sources. This scenario is considered rare. 8084 8085 This issue was discovered by the BoringSSL project and fixed in their 8086 commit 517073cd4b. 8087 ([CVE-2015-0209]) 8088 8089 *Matt Caswell* 8090 8091 * X509_to_X509_REQ NULL pointer deref fix 8092 8093 The function X509_to_X509_REQ will crash with a NULL pointer dereference if 8094 the certificate key is invalid. This function is rarely used in practice. 8095 8096 This issue was discovered by Brian Carpenter. 8097 ([CVE-2015-0288]) 8098 8099 *Stephen Henson* 8100 8101 * Removed the export ciphers from the DEFAULT ciphers 8102 8103 *Kurt Roeckx* 8104 8105### Changes between 1.0.0p and 1.0.0q [15 Jan 2015] 8106 8107 * Build fixes for the Windows and OpenVMS platforms 8108 8109 *Matt Caswell and Richard Levitte* 8110 8111### Changes between 1.0.0o and 1.0.0p [8 Jan 2015] 8112 8113 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS 8114 message can cause a segmentation fault in OpenSSL due to a NULL pointer 8115 dereference. This could lead to a Denial Of Service attack. Thanks to 8116 Markus Stenberg of Cisco Systems, Inc. for reporting this issue. 8117 ([CVE-2014-3571]) 8118 8119 *Steve Henson* 8120 8121 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the 8122 dtls1_buffer_record function under certain conditions. In particular this 8123 could occur if an attacker sent repeated DTLS records with the same 8124 sequence number but for the next epoch. The memory leak could be exploited 8125 by an attacker in a Denial of Service attack through memory exhaustion. 8126 Thanks to Chris Mueller for reporting this issue. 
   ([CVE-2015-0206])

   *Matt Caswell*

 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
   built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
   method would be set to NULL which could later result in a NULL pointer
   dereference. Thanks to Frank Schmirler for reporting this issue.
   ([CVE-2014-3569])

   *Kurt Roeckx*

 * Abort handshake if server key exchange message is omitted for ephemeral
   ECDH ciphersuites.

   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
   reporting this issue.
   ([CVE-2014-3572])

   *Steve Henson*

 * Remove non-export ephemeral RSA code on client and server. This code
   violated the TLS standard by allowing the use of temporary RSA keys in
   non-export ciphersuites and could be used by a server to effectively
   downgrade the RSA key length used to a value smaller than the server
   certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
   INRIA for reporting this issue.
   ([CVE-2015-0204])

   *Steve Henson*

 * Fixed issue where DH client certificates are accepted without verification.
   An OpenSSL server will accept a DH certificate for client authentication
   without the certificate verify message. This effectively allows a client to
   authenticate without the use of a private key. This only affects servers
   which trust a client certificate authority which issues certificates
   containing DH keys: these are extremely rare and hardly ever encountered.
   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
   this issue.
   ([CVE-2015-0205])

   *Steve Henson*

 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
   results on some platforms, including x86_64.
   This bug occurs at random
   with a very low probability, and is not known to be exploitable in any
   way, though its exact impact is difficult to determine. Thanks to Pieter
   Wuille (Blockstream) who reported this issue and also suggested an initial
   fix. Further analysis was conducted by the OpenSSL development team and
   Adam Langley of Google. The final fix was developed by Andy Polyakov of
   the OpenSSL core team.
   ([CVE-2014-3570])

   *Andy Polyakov*

 * Fix various certificate fingerprint issues.

   By using non-DER or invalid encodings outside the signed portion of a
   certificate the fingerprint can be changed without breaking the signature.
   Although no details of the signed portion of the certificate can be changed
   this can cause problems with some applications: e.g. those using the
   certificate fingerprint for blacklists.

   1. Reject signatures with non zero unused bits.

      If the BIT STRING containing the signature has non zero unused bits reject
      the signature. All current signature algorithms require zero unused bits.

   2. Check certificate algorithm consistency.

      Check the AlgorithmIdentifier inside TBS matches the one in the
      certificate signature. NB: this will result in signature failure
      errors for some broken certificates.

      Thanks to Konrad Kraszewski from Google for reporting this issue.

   3. Check DSA/ECDSA signatures use DER.

      Reencode DSA/ECDSA signatures and compare with the original received
      signature. Return an error if there is a mismatch.

      This will reject various cases including garbage after signature
      (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
      program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
      (negative or with leading zeroes).
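The unused-bits check of point 1 and the re-encode-and-compare check of point 3, as an added Python example written for this page (stdlib only; it is illustrative code, not OpenSSL's implementation, and the sample signature bytes are constructed, not real signatures):

```python
# Added example, not OpenSSL's code: (1) a signature BIT STRING must have zero
# unused bits; (3) a DSA/ECDSA signature is decoded, re-encoded as canonical
# DER and must match the received bytes exactly. Pure Python 3, stdlib only.


class DERError(ValueError):
    """Input is not the structure we expect (or not its canonical encoding)."""


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value element at buf[pos]; return (tag, content, end).

    Long-form and non-minimal lengths are accepted on purpose: the check parses
    lenient encodings, re-encodes canonically and then notices the difference.
    """
    if pos + 2 > len(buf):
        raise DERError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise DERError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise DERError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """Canonical DER INTEGER of a non-negative value: shortest two's complement."""
    if value < 0:
        raise DERError("negative INTEGER is invalid in a DSA/ECDSA signature")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def parse_dsa_like_signature(sig: bytes):
    """Leniently decode SEQUENCE { r INTEGER, s INTEGER }; return (r, s, end)."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DERError("signature is not a SEQUENCE")
    tag_r, r_bytes, pos = _read_tlv(body, 0)
    tag_s, s_bytes, pos = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(body):
        raise DERError("expected exactly two INTEGERs")
    return (int.from_bytes(r_bytes, "big", signed=True),
            int.from_bytes(s_bytes, "big", signed=True), end)


def signature_is_strict_der(sig: bytes) -> bool:
    """Point 3 of the entry: decode, re-encode canonically, compare bytes."""
    try:
        r, s, _end = parse_dsa_like_signature(sig)
        return der_sequence(der_integer(r), der_integer(s)) == sig
    except DERError:  # unparseable, or a negative r or s
        return False


def signature_from_bitstring(bitstring: bytes) -> bytes:
    """Point 1 of the entry: unwrap a BIT STRING, requiring zero unused bits."""
    tag, content, end = _read_tlv(bitstring, 0)
    if tag != 0x03 or end != len(bitstring) or not content:
        raise DERError("not a single BIT STRING")
    if content[0] != 0:
        raise DERError("signature BIT STRING has %d unused bits" % content[0])
    return content[1:]


# Constructed samples (not real signatures): r = 0x7f, s = 0x80 in every case.
CANONICAL_SIG = bytes.fromhex("3007 02017f 02020080")
SAMPLES = {
    "canonical DER": CANONICAL_SIG,
    "trailing garbage": CANONICAL_SIG + b"\x00",
    "leading zero in r": bytes.fromhex("3008 0202007f 02020080"),
    "negative s": bytes.fromhex("3006 02017f 020180"),
    "BER long-form length": bytes.fromhex("308107 02017f 02020080"),
}


def check_samples() -> dict:
    """Apply the strict check to SAMPLES; only the canonical one is accepted."""
    return {name: signature_is_strict_der(sig) for name, sig in SAMPLES.items()}
```

Every rejected sample decodes to the same (r, s) pair as the canonical one, so a verifier that only checked the arithmetic would accept all of them; the point of the check is that a fingerprint is a hash of the certificate bytes, so exactly one encoding of the signature may be accepted.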

   Further analysis was conducted and fixes were developed by Stephen Henson
   of the OpenSSL core team.

   ([CVE-2014-8275])

   *Steve Henson*

### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]

 * Session Ticket Memory Leak.

   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   integrity of that ticket is first verified. In the event of a session
   ticket integrity check failing, OpenSSL will fail to free memory
   causing a memory leak. By sending a large number of invalid session
   tickets an attacker could exploit this issue in a Denial Of Service
   attack.
   ([CVE-2014-3567])

   *Steve Henson*

 * Build option no-ssl3 is incomplete.

   When OpenSSL is configured with "no-ssl3" as a build option, servers
   could accept and complete a SSL 3.0 handshake, and clients could be
   configured to send them.
   ([CVE-2014-3568])

   *Akamai and the OpenSSL team*

 * Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call
   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   ([CVE-2014-3566])

   *Adam Langley, Bodo Moeller*

 * Add additional DigestInfo checks.

   Reencode DigestInfo in DER and check against the original when
   verifying RSA signature: this will reject any improperly encoded
   DigestInfo structures.

   Note: this is a precautionary measure and no attacks are currently known.

   *Steve Henson*

### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]

 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   to a denial of service attack. A malicious server can crash the client
   with a null pointer dereference (read) by specifying an anonymous (EC)DH
   ciphersuite and sending carefully crafted handshake messages.

   Thanks to Felix Gröbert (Google) for discovering and researching this
   issue.
   ([CVE-2014-3510])

   *Emilia Käsper*

 * By sending carefully crafted DTLS packets an attacker could cause openssl
   to leak memory. This can be exploited through a Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3507])

   *Adam Langley*

 * An attacker can force openssl to consume large amounts of memory whilst
   processing DTLS handshake messages. This can be exploited through a
   Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3506])

   *Adam Langley*

 * An attacker can force an error condition which causes openssl to crash
   whilst processing DTLS packets due to memory being freed twice. This
   can be exploited through a Denial of Service attack.
   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
   this issue.
   ([CVE-2014-3505])

   *Adam Langley*

 * If a multithreaded client connects to a malicious server using a resumed
   session and the server sends an ec point format extension it could write
   up to 255 bytes to freed memory.

   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
   issue.
   ([CVE-2014-3509])

   *Gabor Tyukasz*

 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
   X509_name_oneline, X509_name_print_ex et al. to leak some information
   from the stack. Applications may be affected if they echo pretty printing
   output to the attacker.

   Thanks to Ivan Fratric (Google) for discovering this issue.
   ([CVE-2014-3508])

   *Emilia Käsper, and Steve Henson*

 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)

   *Bodo Moeller*

### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]

 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
   handshake can force the use of weak keying material in OpenSSL
   SSL/TLS clients and servers.

   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
   researching this issue. ([CVE-2014-0224])

   *KIKUCHI Masashi, Steve Henson*

 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
   OpenSSL DTLS client the code can be made to recurse eventually crashing
   in a DoS attack.

   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
   ([CVE-2014-0221])

   *Imre Rad, Steve Henson*

 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
   client or server. This is potentially exploitable to run arbitrary
   code on a vulnerable client or server.

   Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])

   *Jüri Aedla, Steve Henson*

 * Fix bug in TLS code where clients enabling anonymous ECDH ciphersuites
   are subject to a denial of service attack.

   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
   this issue. ([CVE-2014-3470])

   *Felix Gröbert, Ivan Fratric, Steve Henson*

 * Harmonize version and its documentation. -f flag is used to display
   compilation flags.

   *mancha <mancha1@zoho.com>*

 * Fix eckey_priv_encode so it immediately returns an error upon a failure
   in i2d_ECPrivateKey.

   *mancha <mancha1@zoho.com>*

 * Fix some double frees. These are not thought to be exploitable.

   *mancha <mancha1@zoho.com>*

 * Fix for the attack described in the paper "Recovering OpenSSL
   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   by Yuval Yarom and Naomi Benger.
   Details can be obtained from:
   <http://eprint.iacr.org/2014/140>

   Thanks to Yuval Yarom and Naomi Benger for discovering this
   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])

   *Yuval Yarom and Naomi Benger*

### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]

 * Keep original DTLS digest and encryption contexts in retransmission
   structures so we can use the previous session parameters if they need
   to be resent. ([CVE-2013-6450])

   *Steve Henson*

 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
   Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
   several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.

   *Rob Stradling, Adam Langley*

### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]

 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

   This addresses the flaw in CBC record processing discovered by
   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
   at: <http://www.isg.rhul.ac.uk/tls/>

   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
   Emilia Käsper for the initial patch.
   ([CVE-2013-0169])

   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*

 * Return an error when checking OCSP signatures when key is NULL.
   This fixes a DoS attack. ([CVE-2013-0166])

   *Steve Henson*

 * Call OCSP Stapling callback after ciphersuite has been chosen, so
   the right response is stapled.
   Also change SSL_get_certificate()
   so it returns the certificate actually sent.
   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
   (This is a backport)

   *Rob Stradling <rob.stradling@comodo.com>*

 * Fix possible deadlock when decoding public keys.

   *Steve Henson*

### Changes between 1.0.0i and 1.0.0j [10 May 2012]

[NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
OpenSSL 1.0.1.]

 * Sanity check record length before skipping explicit IV in DTLS
   to fix DoS attack.

   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
   fuzzing as a service testing platform.
   ([CVE-2012-2333])

   *Steve Henson*

 * Initialise tkeylen properly when encrypting CMS messages.
   Thanks to Solar Designer of Openwall for reporting this issue.

   *Steve Henson*

### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]

 * Check for potentially exploitable overflows in asn1_d2i_read_bio
   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
   in CRYPTO_realloc_clean.

   Thanks to Tavis Ormandy, Google Security Team, for discovering this
   issue and to Adam Langley <agl@chromium.org> for fixing it.
   ([CVE-2012-2110])

   *Adam Langley (Google), Tavis Ormandy, Google Security Team*

### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]

 * Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
   in CMS and PKCS7 code. When RSA decryption fails use a random key for
   content decryption and always return the same error. Note: this attack
   needs on average 2^20 messages so it only affects automated senders. The
   old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
   an MMA defence is not necessary.
   Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
   this issue. ([CVE-2012-0884])

   *Steve Henson*

 * Fix CVE-2011-4619: make sure we really are receiving a
   client hello before rejecting multiple SGC restarts. Thanks to
   Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.

   *Steve Henson*

### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]

 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
   Thanks to Antonio Martin, Enterprise Secure Access Research and
   Development, Cisco Systems, Inc. for discovering this bug and
   preparing a fix. ([CVE-2012-0050])

   *Antonio Martin*

### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]

 * Nadhem Alfardan and Kenny Paterson have discovered an extension
   of the Vaudenay padding oracle attack on CBC mode encryption
   which enables an efficient plaintext recovery attack against
   the OpenSSL implementation of DTLS. Their attack exploits timing
   differences arising during decryption processing. A research
   paper describing this attack can be found at:
   <http://www.isg.rhul.ac.uk/~kp/dtls.pdf>
   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
   <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
   for preparing the fix. ([CVE-2011-4108])

   *Robin Seggelmann, Michael Tuexen*

 * Clear bytes used for block padding of SSL 3.0 records.
   ([CVE-2011-4576])

   *Adam Langley (Google)*

 * Only allow one SGC handshake restart for SSL/TLS. Thanks to George
   Kadianakis <desnacked@gmail.com> for discovering this issue and
   Adam Langley for preparing the fix. ([CVE-2011-4619])

   *Adam Langley (Google)*

 * Check parameters are not NULL in GOST ENGINE.
   ([CVE-2012-0027])

   *Andrey Kulikov <amdeich@gmail.com>*

 * Prevent malformed RFC3779 data triggering an assertion failure.
   Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
   and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])

   *Rob Austein <sra@hactrn.net>*

 * Improved PRNG seeding for VOS.

   *Paul Green <Paul.Green@stratus.com>*

 * Fix ssl_ciph.c set-up race.

   *Adam Langley (Google)*

 * Fix spurious failures in ecdsatest.c.

   *Emilia Käsper (Google)*

 * Fix the BIO_f_buffer() implementation (which was mixing different
   interpretations of the `..._len` fields).

   *Adam Langley (Google)*

 * Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
   BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
   threads won't reuse the same blinding coefficients.

   This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
   lock to call BN_BLINDING_invert_ex, and avoids one use of
   BN_BLINDING_update for each BN_BLINDING structure (previously,
   the last update always remained unused).

   *Emilia Käsper (Google)*

 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.

   *Bob Buckholz (Google)*

### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]

 * Fix bug where CRLs with nextUpdate in the past are sometimes accepted
   by initialising X509_STORE_CTX properly. ([CVE-2011-3207])

   *Kaspar Brand <ossl@velox.ch>*

 * Fix SSL memory handling for (EC)DH ciphersuites, in particular
   for multi-threaded use of ECDH. ([CVE-2011-3210])

   *Adam Langley (Google)*

 * Fix x509_name_ex_d2i memory leak on bad inputs.

   *Bodo Moeller*

 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
   signature public key algorithm by using OID xref utilities instead.
   Before this, some ECC ciphersuites could only be used with SHA1.

   *Steve Henson*

 * Add protection against ECDSA timing attacks as mentioned in the paper
   by Billy Bob Brumley and Nicola Tuveri, see:
   <http://eprint.iacr.org/2011/232.pdf>

   *Billy Bob Brumley and Nicola Tuveri*

### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014

   *Neel Mehta, Adam Langley, Bodo Moeller (Google)*

 * Fix bug in string printing code: if *any* escaping is enabled we must
   escape the escape character (backslash) or the resulting string is
   ambiguous.

   *Steve Henson*

### Changes between 1.0.0b and 1.0.0c [2 Dec 2010]

 * Disable code workaround for ancient and obsolete Netscape browsers
   and servers: an attacker can use it in a ciphersuite downgrade attack.
   Thanks to Martin Rex for discovering this bug. CVE-2010-4180

   *Steve Henson*

 * Fixed J-PAKE implementation error, originally discovered by
   Sebastien Martini, further info and confirmation from Stefan
   Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252

   *Ben Laurie*

### Changes between 1.0.0a and 1.0.0b [16 Nov 2010]

 * Fix extension code to avoid race conditions which can result in a buffer
   overrun vulnerability: resumed sessions must not be modified as they can
   be shared by multiple threads. CVE-2010-3864

   *Steve Henson*

 * Fix WIN32 build system to correctly link an ENGINE directory into
   a DLL.

   *Steve Henson*

### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]

 * Check return value of int_rsa_verify in pkey_rsa_verifyrecover
   ([CVE-2010-1633])

   *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*

### Changes between 0.9.8n and 1.0.0 [29 Mar 2010]

 * Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
   context. The operation can be customised via the ctrl mechanism in
   case ENGINEs want to include additional functionality.

   *Steve Henson*

 * Tolerate yet another broken PKCS#8 key format: private key value negative.

   *Steve Henson*

 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
   output hashes compatible with older versions of OpenSSL.

   *Willy Weisz <weisz@vcpc.univie.ac.at>*

 * Fix compression algorithm handling: if resuming a session use the
   compression algorithm of the resumed session instead of determining
   it from client hello again. Don't allow server to change algorithm.

   *Steve Henson*

 * Add load_crls() function to commands tidying load_certs() too. Add option
   to verify utility to allow additional CRLs to be included.

   *Steve Henson*

 * Update OCSP request code to permit adding custom headers to the request:
   some responders need this.

   *Steve Henson*

 * The function EVP_PKEY_sign() returns <=0 on error: check return code
   correctly.

   *Julia Lawall <julia@diku.dk>*

 * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
   needlessly dereferenced structures, used obsolete functions and
   didn't handle all updated verify codes correctly.

   *Steve Henson*

 * Disable MD2 in the default configuration.

   *Steve Henson*

 * In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
   indicate the initial BIO being pushed or popped. This makes it possible
   to determine whether the BIO is the one explicitly called or as a result
   of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
   it handles reference counts correctly and doesn't zero out the I/O bio
   when it is not being explicitly popped. WARNING: applications which
   included workarounds for the old buggy behaviour will need to be modified
   or they could free up already freed BIOs.

   *Steve Henson*

 * Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
   renaming to all platforms (within the 0.9.8 branch, this was
   done conditionally on Netware platforms to avoid a name clash).

   *Guenter <lists@gknw.net>*

 * Add ECDHE and PSK support to DTLS.

   *Michael Tuexen <tuexen@fh-muenster.de>*

 * Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
   be used on C++.

   *Steve Henson*

 * Add "missing" function EVP_MD_flags() (without this the only way to
   retrieve a digest's flags is by accessing the structure directly). Update
   `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
   or cipher is registered as in the "from" argument. Print out all
   registered digests in the dgst usage message instead of manually
   attempting to work them out.

   *Steve Henson*

 * If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
   this allows the use of compression and extensions. Change default cipher
   string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
   by default unless an application cipher string requests it.

   *Steve Henson*

 * Alter match criteria in PKCS12_parse().
   It used to try to use local
   key ids to find matching certificates and keys but some PKCS#12 files
   don't follow the (somewhat unwritten) rules and this strategy fails.
   Now just gather all certificates together and the first private key
   then look for the first certificate that matches the key.

   *Steve Henson*

 * Support use of registered digest and cipher names for dgst and cipher
   commands instead of having to add each one as a special case. So now
   you can do:

       openssl sha256 foo

   as well as:

       openssl dgst -sha256 foo

   and this works for ENGINE based algorithms too.

   *Steve Henson*

 * Update Gost ENGINE to support parameter files.

   *Victor B. Wagner <vitus@cryptocom.ru>*

 * Support GeneralizedTime in ca utility.

   *Oliver Martin <oliver@volatilevoid.net>, Steve Henson*

 * Enhance the hash format used for certificate directory links. The new
   form uses the canonical encoding (meaning equivalent names will work
   even if they aren't identical) and uses SHA1 instead of MD5. This form
   is incompatible with the older format and as a result c_rehash should
   be used to rebuild symbolic links.

   *Steve Henson*

 * Make PKCS#8 the default write format for private keys, replacing the
   traditional format. This form is standardised, more secure and doesn't
   include an implicit MD5 dependency.

   *Steve Henson*

 * Add a $gcc_devteam_warn option to Configure. The idea is that any code
   committed to OpenSSL should pass this lot as a minimum.

   *Steve Henson*

 * Add session ticket override functionality for use by EAP-FAST.

   *Jouni Malinen <j@w1.fi>*

 * Modify HMAC functions to return a value. Since these can be implemented
   in an ENGINE errors can occur.

   *Steve Henson*

 * Type-checked OBJ_bsearch_ex.

   *Ben Laurie*

 * Type-checked OBJ_bsearch. Also some constification necessitated
   by type-checking. Still to come: TXT_DB, bsearch(?),
   OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
   CONF_VALUE.

   *Ben Laurie*

 * New function OPENSSL_gmtime_adj() to add a specific number of days and
   seconds to a tm structure directly, instead of going through OS
   specific date routines. This avoids any issues with OS routines such
   as the year 2038 bug. New `*_adj()` functions for ASN1 time structures
   and X509_time_adj_ex() to cover the extended range. The existing
   X509_time_adj() is still usable and will no longer have any date issues.

   *Steve Henson*

 * Delta CRL support. New use deltas option which will attempt to locate
   and search any appropriate delta CRLs available.

   This work was sponsored by Google.

   *Steve Henson*

 * Support for CRLs partitioned by reason code. Reorganise CRL processing
   code and add additional score elements. Validate alternate CRL paths
   as part of the CRL checking and indicate a new error "CRL path validation
   error" in this case. Applications wanting additional details can use
   the verify callback and check the new "parent" field. If this is not
   NULL CRL path validation is taking place. Existing applications won't
   see this because it requires extended CRL support which is off by
   default.

   This work was sponsored by Google.

   *Steve Henson*

 * Support for freshest CRL extension.

   This work was sponsored by Google.

   *Steve Henson*

 * Initial indirect CRL support. Currently only supported in the CRLs
   passed directly and not via lookup. Process certificate issuer
   CRL entry extension and lookup CRL entries by both issuer name
   and serial number. Check and process CRL issuer entry in IDP extension.

   This work was sponsored by Google.

   *Steve Henson*

 * Add support for distinct certificate and CRL paths. The CRL issuer
   certificate is validated separately in this case. Only enabled if
   an extended CRL support flag is set: this flag will enable additional
   CRL functionality in future.

   This work was sponsored by Google.

   *Steve Henson*

 * Add support for policy mappings extension.

   This work was sponsored by Google.

   *Steve Henson*

 * Fixes to pathlength constraint, self issued certificate handling,
   policy processing to align with RFC3280 and PKITS tests.

   This work was sponsored by Google.

   *Steve Henson*

 * Support for name constraints certificate extension. DN, email, DNS
   and URI types are currently supported.

   This work was sponsored by Google.

   *Steve Henson*

 * To cater for systems that provide a pointer-based thread ID rather
   than numeric, deprecate the current numeric thread ID mechanism and
   replace it with a structure and associated callback type. This
   mechanism allows a numeric "hash" to be extracted from a thread ID in
   either case, and on platforms where pointers are larger than 'long',
   mixing is done to help ensure the numeric 'hash' is usable even if it
   can't be guaranteed unique. The default mechanism is to use "&errno"
   as a pointer-based thread ID to distinguish between threads.

   Applications that want to provide their own thread IDs should now use
   CRYPTO_THREADID_set_callback() to register a callback that will call
   either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().

   Note that ERR_remove_state() is now deprecated, because it is tied
   to the assumption that thread IDs are numeric. ERR_remove_state(0)
   to free the current thread's error state should be replaced by
   ERR_remove_thread_state(NULL).

   (This new approach replaces the functions CRYPTO_set_idptr_callback(),
   CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
   OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
   application was previously providing a numeric thread callback that
   was inappropriate for distinguishing threads, then uniqueness might
   have been obtained with &errno that happened immediately in the
   intermediate development versions of OpenSSL; this is no longer the
   case, the numeric thread callback will now override the automatic use
   of &errno.)

   *Geoff Thorpe, with help from Bodo Moeller*

 * Initial support for different CRL issuing certificates. This covers a
   simple case where the self issued certificates in the chain exist and
   the real CRL issuer is higher in the existing chain.

   This work was sponsored by Google.

   *Steve Henson*

 * Removed effectively defunct crypto/store from the build.

   *Ben Laurie*

 * Revamp of STACK to provide stronger type-checking. Still to come:
   TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
   ASN1_STRING, CONF_VALUE.

   *Ben Laurie*

 * Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
   RAM on SSL connections. This option can save about 34k per idle SSL.

   *Nick Mathewson*

 * Revamp of LHASH to provide stronger type-checking. Still to come:
   STACK, TXT_DB, bsearch, qsort.

   *Ben Laurie*

 * Initial support for Cryptographic Message Syntax (aka CMS) based
   on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
   support for data, signedData, compressedData, digestedData and
   encryptedData, envelopedData types included. Scripts to check against
   RFC4134 examples draft and interop and consistency checks of many
   content types and variants.

   *Steve Henson*

 * Add options to enc utility to support use of zlib compression BIO.

   *Steve Henson*

 * Extend mk1mf to support importing of options and assembly language
   files from Configure script, currently only included in VC-WIN32.
   The assembly language rules can now optionally generate the source
   files from the associated perl scripts.

   *Steve Henson*

 * Implement remaining functionality needed to support GOST ciphersuites.
   Interop testing has been performed using CryptoPro implementations.

   *Victor B. Wagner <vitus@cryptocom.ru>*

 * s390x assembler pack.

   *Andy Polyakov*

 * ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
   "family."

   *Andy Polyakov*

 * Implement Opaque PRF Input TLS extension as specified in
   draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
   official specification yet and no extension type assignment by
   IANA exists, this extension (for now) will have to be explicitly
   enabled when building OpenSSL by providing the extension number
   to use. For example, specify an option

       -DTLSEXT_TYPE_opaque_prf_input=0x9527

   to the "config" or "Configure" script to enable the extension,
   assuming extension number 0x9527 (which is a completely arbitrary
   and unofficial assignment based on the MD5 hash of the Internet
   Draft). Note that by doing so, you potentially lose
   interoperability with other TLS implementations since these might
   be using the same extension number for other purposes.

   SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
   opaque PRF input value to use in the handshake. This will create
   an internal copy of the length-'len' string at 'src', and will
   return non-zero for success.

   To get more control and flexibility, provide a callback function
   by using

       SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
       SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)

   where

       int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
       void *arg;

   Callback function 'cb' will be called in handshakes, and is
   expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
   Argument 'arg' is for application purposes (the value as given to
   SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
   be provided to the callback function). The callback function
   has to return non-zero to report success: usually 1 to use opaque
   PRF input just if possible, or 2 to enforce use of the opaque PRF
   input. In the latter case, the library will abort the handshake
   if opaque PRF input is not successfully negotiated.

   Arguments 'peerinput' and 'len' given to the callback function
   will always be NULL and 0 in the case of a client. A server will
   see the client's opaque PRF input through these variables if
   available (NULL and 0 otherwise). Note that if the server
   provides an opaque PRF input, the length must be the same as the
   length of the client's opaque PRF input.

   Note that the callback function will only be called when creating
   a new session (session resumption can resume whatever was
   previously negotiated), and will not be called in SSL 2.0
   handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
   SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
   for applications that need to enforce opaque PRF input.

   *Bodo Moeller*

 * Update ssl code to support digests other than SHA1+MD5 for handshake
   MAC.

   *Victor B. Wagner <vitus@cryptocom.ru>*

 * Add RFC4507 support to OpenSSL. This includes the corrections in
   RFC4507bis.
   The encrypted ticket format is an encrypted encoded
   SSL_SESSION structure; that way new session features are automatically
   supported.

   If a client application caches sessions in an SSL_SESSION structure,
   support is transparent because tickets are now stored in the encoded
   SSL_SESSION.

   The SSL_CTX structure automatically generates keys for ticket
   protection in servers so again support should be possible
   with no application modification.

   If a client or server wishes to disable RFC4507 support then the option
   SSL_OP_NO_TICKET can be set.

   Add a TLS extension debugging callback to allow the contents of any client
   or server extensions to be examined.

   This work was sponsored by Google.

   *Steve Henson*

 * Final changes to avoid use of pointer pointer casts in OpenSSL.
   OpenSSL should now compile cleanly on gcc 4.2.

   *Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson*

 * Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
   support including streaming MAC support: this is required for GOST
   ciphersuite support.

   *Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson*

 * Add option -stream to use PKCS#7 streaming in smime utility. New
   functions i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
   to output in BER and PEM format.

   *Steve Henson*

 * Experimental support for use of HMAC via EVP_PKEY interface. This
   allows HMAC to be handled via the `EVP_DigestSign*()` interface. The
   EVP_PKEY "key" in this case is the HMAC key, potentially allowing
   ENGINE support for HMAC keys which are unextractable. New -mac and
   -macopt options to dgst utility.

   *Steve Henson*

 * New option -sigopt to dgst utility. Update dgst to use
   `EVP_Digest{Sign,Verify}*`.
   These two changes make it possible to use
   alternative signing parameters such as X9.31 or PSS in the dgst
   utility.

   *Steve Henson*

 * Change ssl_cipher_apply_rule(), the internal function that does
   the work each time a ciphersuite string requests enabling
   ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar"), or
   removing ("!foo+bar") a class of ciphersuites: Now it maintains
   the order of disabled ciphersuites such that those ciphersuites
   that most recently went from enabled to disabled not only stay
   in order with respect to each other, but also have higher priority
   than other disabled ciphersuites the next time ciphersuites are
   enabled again.

   This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
   the same ciphersuites as with "HIGH" alone, but in a specific
   order where the PSK ciphersuites come first (since they are the
   most recently disabled ciphersuites when "HIGH" is parsed).

   Also, change ssl_create_cipher_list() (using this new
   functionality) such that between otherwise identical
   ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
   the default order.

   *Bodo Moeller*

 * Change ssl_create_cipher_list() so that it automatically
   arranges the ciphersuites in reasonable order before starting
   to process the rule string. Thus, the definition for "DEFAULT"
   (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
   remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`.
   This makes it much easier to arrive at a reasonable default order
   in applications for which anonymous ciphers are OK (meaning
   that you can't actually use DEFAULT).
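A toy model of the rule-ordering semantics described in the two entries above (the "PSK:-PSK:HIGH" behaviour of ssl_cipher_apply_rule() and the "DEFAULT" rewrite), added here as an example and not OpenSSL code: it replays "HIGH", "PSK:-PSK:HIGH", "DEFAULT" and the difference between "-" and "!" over a constructed eight-suite table with made-up attributes, and it does not model "@STRENGTH" sorting.

```python
from dataclasses import dataclass, replace


@dataclass
class Suite:
    """One ciphersuite with the attributes the aliases below select on."""
    name: str
    kx: str        # key exchange: RSA, DHE, ECDHE or PSK
    auth: str      # authentication: RSA, PSK or NULL (anonymous)
    enc: str       # bulk cipher, "NULL" for no encryption
    strength: str  # HIGH, MEDIUM or NULL
    active: bool = False


# Hypothetical table in the "reasonable order" the library imposes before
# rules are applied (constructed sample, not OpenSSL's real table).
SUITES = [
    Suite("ECDHE-RSA-AES256-SHA", "ECDHE", "RSA", "AES256", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "DHE", "RSA", "AES256", "HIGH"),
    Suite("AES256-SHA", "RSA", "RSA", "AES256", "HIGH"),
    Suite("PSK-AES256-CBC-SHA", "PSK", "PSK", "AES256", "HIGH"),
    Suite("PSK-AES128-CBC-SHA", "PSK", "PSK", "AES128", "HIGH"),
    Suite("ADH-AES256-SHA", "DHE", "NULL", "AES256", "HIGH"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", "MEDIUM"),
    Suite("NULL-SHA", "RSA", "RSA", "NULL", "NULL"),
]

# Alias -> predicate; "foo+bar" inside a rule means both must hold.
ALIASES = {
    "ALL": lambda s: s.enc != "NULL",
    "HIGH": lambda s: s.strength == "HIGH",
    "MEDIUM": lambda s: s.strength == "MEDIUM",
    "PSK": lambda s: s.kx == "PSK",
    "kRSA": lambda s: s.kx == "RSA",
    "aNULL": lambda s: s.auth == "NULL",
    "eNULL": lambda s: s.enc == "NULL",
    "RC4": lambda s: s.enc == "RC4",
}
# "DEFAULT" is itself just a rule string, as the second entry describes.
DEFAULT = "ALL:!aNULL:!eNULL"


def _split(lst, pred):
    """Stable partition of lst into (matching, non-matching)."""
    hit, miss = [], []
    for s in lst:
        (hit if pred(s) else miss).append(s)
    return hit, miss


def apply_rule(lst, rule):
    """Apply one colon-separated rule to the working list.

    The working list holds every suite (killed ones excepted) with an
    active flag; the cipher list is the active suites in list order.
    Modelled on the entry's description of ssl_cipher_apply_rule():
      foo   enable:  inactive matches move to the tail and become active
      +foo  move:    active matches move to the tail
      -foo  disable: active matches move to the HEAD, order kept, inactive
      !foo  remove:  matches are deleted and can never be re-enabled
    """
    op, body = "enable", rule
    if rule[:1] in ("+", "-", "!"):
        op = {"+": "move", "-": "disable", "!": "remove"}[rule[0]]
        body = rule[1:]
    try:
        preds = [ALIASES[a] for a in body.split("+")]
    except KeyError as e:
        raise ValueError("unknown alias %s in rule %r" % (e, rule))

    def match(s):
        return all(p(s) for p in preds)

    if op == "enable":
        hit, miss = _split(lst, lambda s: match(s) and not s.active)
        for s in hit:
            s.active = True
        return miss + hit
    if op == "move":
        hit, miss = _split(lst, lambda s: match(s) and s.active)
        return miss + hit
    if op == "disable":
        hit, miss = _split(lst, lambda s: match(s) and s.active)
        for s in hit:
            s.active = False
        return hit + miss          # most recently disabled now lead the list
    _, miss = _split(lst, match)   # remove
    return miss


def cipher_list(rule_string, table=SUITES):
    """Return the enabled suite names, in order, for a cipher string."""
    lst = [replace(s, active=False) for s in table]
    for rule in rule_string.split(":"):
        expanded = DEFAULT if rule == "DEFAULT" else rule
        for r in expanded.split(":"):
            lst = apply_rule(lst, r)
    return [s.name for s in lst if s.active]


if __name__ == "__main__":
    for rs in ("HIGH", "PSK:-PSK:HIGH", "DEFAULT",
               "ALL:!aNULL:aNULL", "ALL:-aNULL:aNULL"):
        print("%-18s -> %s" % (rs, ":".join(cipher_list(rs))))
```

The real library's ordering for any of these strings can be listed with `openssl ciphers -v 'PSK:-PSK:HIGH'`.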

   *Bodo Moeller; suggested by Victor Duchovni*

 * Split the SSL/TLS algorithm mask (as used for ciphersuite string
   processing) into multiple integers instead of setting
   "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
   "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
   (These masks as well as the individual bit definitions are hidden
   away into the non-exported interface ssl/ssl_locl.h, so this
   change to the definition of the SSL_CIPHER structure shouldn't
   affect applications.) This gives us more bits for each of these
   categories, so there is no longer a need to coagulate AES128 and
   AES256 into a single algorithm bit, and to coagulate Camellia128
   and Camellia256 into a single algorithm bit, which has led to all
   kinds of kludges.

   Thus, among other things, the kludge introduced in 0.9.7m and
   0.9.8e for masking out AES256 independently of AES128 or masking
   out Camellia256 independently of AES256 is not needed here in 0.9.9.

   With the change, we also introduce new ciphersuite aliases that
   so far were missing: "AES128", "AES256", "CAMELLIA128", and
   "CAMELLIA256".

   *Bodo Moeller*

 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
   Use the leftmost N bytes of the signature input if the input is
   larger than the prime q (with N being the size in bytes of q).

   *Nils Larsch*

 * Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
   it yet and it is largely untested.

   *Steve Henson*

 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.

   *Nils Larsch*

 * Initial incomplete changes to avoid need for function casts in OpenSSL;
   some compilers (gcc 4.2 and later) reject their use. Safestack is
   reimplemented. Update ASN1 to avoid use of legacy functions.

   *Steve Henson*

 * Win32/64 targets are linked with Winsock2.

   *Andy Polyakov*

 * Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
   to external functions. This can be used to increase CRL handling
   efficiency especially when CRLs are very large by (for example) storing
   the CRL revoked certificates in a database.

   *Steve Henson*

 * Overhaul of by_dir code. Add support for dynamic loading of CRLs so
   new CRLs added to a directory can be used. New command line option
   -verify_return_error to s_client and s_server. This causes real errors
   to be returned by the verify callback instead of carrying on no matter
   what. This reflects the way a "real world" verify callback would behave.

   *Steve Henson*

 * GOST engine, supporting several GOST algorithms and public key formats.
   Kindly donated by Cryptocom.

   *Cryptocom*

 * Partial support for Issuing Distribution Point CRL extension. CRLs
   partitioned by DP are handled but no indirect CRL or reason partitioning
   (yet). Complete overhaul of CRL handling: now the most suitable CRL is
   selected via a scoring technique which handles IDP and AKID in CRLs.

   *Steve Henson*

 * New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
   will ultimately be used for all verify operations: this will remove the
   X509_STORE dependency on certificate verification and allow alternative
   lookup methods. X509_STORE based implementations of these two callbacks.

   *Steve Henson*

 * Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
   Modify get_crl() to find a valid (unexpired) CRL if possible.

   *Steve Henson*

 * New function X509_CRL_match() to check if two CRLs are identical.
   Normally
   this would be called X509_CRL_cmp() but that name is already used by
   a function that just compares CRL issuer names. Cache several CRL
   extensions in X509_CRL structure and cache CRLDP in X509.

   *Steve Henson*

 * Store a "canonical" representation of X509_NAME structure (ASN1 Name);
   this maps equivalent X509_NAME structures into a consistent structure.
   Name comparison can then be performed rapidly using memcmp().

   *Steve Henson*

 * Non-blocking OCSP request processing. Add -timeout option to ocsp
   utility.

   *Steve Henson*

 * Allow digests to supply their own micalg string for S/MIME type using
   the ctrl EVP_MD_CTRL_MICALG.

   *Steve Henson*

 * During PKCS7 signing pass the PKCS7 SignerInfo structure to the
   EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
   ctrl. It can then customise the structure before and/or after signing
   if necessary.

   *Steve Henson*

 * New function OBJ_add_sigid() to allow application defined signature OIDs
   to be added to OpenSSL's internal tables. New function OBJ_sigid_free()
   to free up any added signature OIDs.

   *Steve Henson*

 * New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
   EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
   digest and cipher tables. New options added to openssl utility:
   list-message-digest-algorithms and list-cipher-algorithms.

   *Steve Henson*

 * Change the array representation of binary polynomials: the list
   of degrees of non-zero coefficients is now terminated with -1.
   Previously it was terminated with 0, which was also part of the
   value; thus, the array representation was not applicable to
   polynomials where t^0 has coefficient zero. This change makes
   the array representation useful in a more general context.

   *Douglas Stebila*

 * Various modifications and fixes to SSL/TLS cipher string
   handling. For ECC, the code now distinguishes between fixed ECDH
   with RSA certificates on the one hand and with ECDSA certificates
   on the other hand, since these are separate ciphersuites. The
   unused code for Fortezza ciphersuites has been removed.

   For consistency with EDH, ephemeral ECDH is now called "EECDH"
   (not "ECDHE"). For consistency with the code for DH
   certificates, use of ECDH certificates is now considered ECDH
   authentication, not RSA or ECDSA authentication (the latter is
   merely the CA's signing algorithm and not actively used in the
   protocol).

   The temporary ciphersuite alias "ECCdraft" is no longer
   available, and ECC ciphersuites are no longer excluded from "ALL"
   and "DEFAULT". The following aliases now exist for RFC 4492
   ciphersuites, most of these by analogy with the DH case:

       kECDHr - ECDH cert, signed with RSA
       kECDHe - ECDH cert, signed with ECDSA
       kECDH  - ECDH cert (signed with either RSA or ECDSA)
       kEECDH - ephemeral ECDH
       ECDH   - ECDH cert or ephemeral ECDH

       aECDH  - ECDH cert
       aECDSA - ECDSA cert
       ECDSA  - ECDSA cert

       AECDH  - anonymous ECDH
       EECDH  - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")

   *Bodo Moeller*

 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
   Use correct micalg parameters depending on digest(s) in signed message.

   *Steve Henson*

 * Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
   an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.

   *Steve Henson*

 * Initial engine support for EVP_PKEY_METHOD. New functions to permit
   an engine to register a method. Add ENGINE lookups for methods and
   functional reference processing.

   *Steve Henson*

 * New functions `EVP_Digest{Sign,Verify}*`. These are enhanced versions of
   `EVP_{Sign,Verify}*` which allow an application to customise the signature
   process.

   *Steve Henson*

 * New -resign option to smime utility. This adds one or more signers
   to an existing PKCS#7 signedData structure. Also -md option to use an
   alternative message digest algorithm for signing.

   *Steve Henson*

 * Tidy up PKCS#7 routines and add new functions to make it easier to
   create PKCS7 structures containing multiple signers. Update smime
   application to support multiple signers.

   *Steve Henson*

 * New -macalg option to pkcs12 utility to allow setting of an alternative
   digest MAC.

   *Steve Henson*

 * Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
   Reorganize PBE internals to lookup from a static table using NIDs,
   add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl,
   EVP_CTRL_PBE_PRF_NID: this allows a cipher to specify an alternative
   PRF which will be automatically used with PBES2.

   *Steve Henson*

 * Replace the algorithm specific calls to generate keys in "req" with the
   new API.

   *Steve Henson*

 * Update PKCS#7 enveloped data routines to use new API. This is now
   supported by any public key method supporting the encrypt operation. A
   ctrl is added to allow the public key algorithm to examine or modify
   the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
   a no-op.

   *Steve Henson*

 * Add a ctrl to asn1 method to allow a public key algorithm to express
   a default digest type to use. In most cases this will be SHA1 but some
   algorithms (such as GOST) need to specify an alternative digest.
   The
   return value indicates how strong the preference is: 1 means optional and
   2 is mandatory (that is, it is the only supported type). Modify
   ASN1_item_sign() to accept a NULL digest argument to indicate it should
   use the default md. Update openssl utilities to use the default digest
   type for signing if it is not explicitly indicated.

   *Steve Henson*

 * Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
   EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
   signing method from the key type. This effectively removes the link
   between digests and public key types.

   *Steve Henson*

 * Add an OID cross reference table and utility functions. Its purpose is to
   translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
   rsaEncryption. This will allow some of the algorithm specific hackery
   needed to use the correct OID to be removed.

   *Steve Henson*

 * Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
   structures for PKCS7_sign(). They are now set up by the relevant public
   key ASN1 method.

   *Steve Henson*

 * Add provisional EC pkey method with support for ECDSA and ECDH.

   *Steve Henson*

 * Add support for key derivation (agreement) in the API, DH method and
   pkeyutl.

   *Steve Henson*

 * Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
   public and private key formats. As a side effect these add additional
   command line functionality not previously available: DSA signatures can be
   generated and verified using pkeyutl and DH key support and generation in
   pkey, genpkey.

   *Steve Henson*

 * BeOS support.

   *Oliver Tappe <zooey@hirschkaefer.de>*

 * New make target "install_html_docs" installs HTML renditions of the
   manual pages.

   *Oliver Tappe <zooey@hirschkaefer.de>*

 * New utility "genpkey": this is analogous to "genrsa" etc except it can
   generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
   support key and parameter generation and add initial key generation
   functionality for RSA.

   *Steve Henson*

 * Add functions for main EVP_PKEY_method operations. The undocumented
   functions `EVP_PKEY_{encrypt,decrypt}` have been renamed to
   `EVP_PKEY_{encrypt,decrypt}_old`.

   *Steve Henson*

 * Initial definitions for EVP_PKEY_METHOD. This will be a high level public
   key API, doesn't do much yet.

   *Steve Henson*

 * New function EVP_PKEY_asn1_get0_info() to retrieve information about
   public key algorithms. New option to openssl utility:
   "list-public-key-algorithms" to print out info.

   *Steve Henson*

 * Implement the Supported Elliptic Curves Extension for
   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.

   *Douglas Stebila*

 * Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
   EVP_CIPHER structures to avoid later problems in EVP_cleanup().

   *Steve Henson*

 * New utilities pkey and pkeyparam. These are similar to algorithm specific
   utilities such as rsa, dsa, dsaparam etc except they process any key
   type.

   *Steve Henson*

 * Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
   functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
   EVP_PKEY_print_param() to print public key data from an EVP_PKEY
   structure.

   *Steve Henson*

 * Initial support for pluggable public key ASN1.
   De-spaghettify the public key ASN1 handling. Move public and private
   key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
   algorithm specific handling to a single module within the relevant
   algorithm directory.
   Add functions to allow (near) opaque processing
   of public and private key structures.

   *Steve Henson*

 * Implement the Supported Point Formats Extension for
   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.

   *Douglas Stebila*

 * Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
   for the psk identity [hint] and the psk callback functions to the
   SSL_SESSION, SSL and SSL_CTX structure.

   New ciphersuites:
       PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
       PSK-AES256-CBC-SHA

   New functions:
       SSL_CTX_use_psk_identity_hint
       SSL_get_psk_identity_hint
       SSL_get_psk_identity
       SSL_use_psk_identity_hint

   *Mika Kousa and Pasi Eronen of Nokia Corporation*

 * Add RFC 3161 compliant time stamp request creation, response generation
   and response verification functionality.

   *Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project*

 * Add initial support for TLS extensions, specifically for the server_name
   extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
   have new members for a host name. The SSL data structure has an
   additional member `SSL_CTX *initial_ctx` so that new sessions can be
   stored in that context to allow for session resumption, even after the
   SSL has been switched to a new SSL_CTX in reaction to a client's
   server_name extension.

   New functions (subject to change):

       SSL_get_servername()
       SSL_get_servername_type()
       SSL_set_SSL_CTX()

   New CTRL codes and macros (subject to change):

       SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
       - SSL_CTX_set_tlsext_servername_callback()
       SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
       - SSL_CTX_set_tlsext_servername_arg()
       SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

   openssl s_client has a new '-servername ...' option.

   openssl s_server has new options '-servername_host ...', '-cert2 ...',
   '-key2 ...', '-servername_fatal' (subject to change). This allows
   testing the HostName extension for a specific single host name ('-cert'
   and '-key' remain fallbacks for handshakes without HostName
   negotiation). If the unrecognized_name alert has to be sent, this by
   default is a warning; it becomes fatal with the '-servername_fatal'
   option.

   *Peter Sylvester, Remy Allais, Christophe Renou*

 * Whirlpool hash implementation is added.

   *Andy Polyakov*

 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
   bn(64,32). Because of instruction set limitations it doesn't have
   any negative impact on performance. This was done mostly in order
   to make it possible to share assembler modules, such as bn_mul_mont
   implementations, between 32- and 64-bit builds without hassle.

   *Andy Polyakov*

 * Move code previously exiled into file crypto/ec/ec2_smpt.c
   to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
   macro.

   *Bodo Moeller*

 * New candidate for BIGNUM assembler implementation, bn_mul_mont,
   dedicated Montgomery multiplication procedure, is introduced.
   BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
   "64-bit" performance on certain 32-bit targets.

   *Andy Polyakov*

 * New option SSL_OP_NO_COMP to disable use of compression selectively
   in SSL structures. New SSL ctrl to set maximum send fragment size.
   Save memory by setting the I/O buffer sizes dynamically instead of
   using the maximum available value.

   *Steve Henson*

 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
   in addition to the text details.

   *Bodo Moeller*

 * Very, very preliminary EXPERIMENTAL support for printing of general
   ASN1 structures.
   This currently produces rather ugly output and doesn't
   handle several customised structures at all.

   *Steve Henson*

 * Integrated support for PVK file format and some related formats such
   as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
   these in the 'rsa' and 'dsa' utilities.

   *Steve Henson*

 * Support for PKCS#1 RSAPublicKey format on rsa utility command line.

   *Steve Henson*

 * Remove the ancient ASN1_METHOD code. This was only ever used in one
   place for the (very old) "NETSCAPE" format certificates which are now
   handled using new ASN1 code equivalents.

   *Steve Henson*

 * Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
   pointer and make the SSL_METHOD parameter in SSL_CTX_new,
   SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.

   *Nils Larsch*

 * Modify CRL distribution points extension code to print out previously
   unsupported fields. Enhance extension setting code to allow setting of
   all fields.

   *Steve Henson*

 * Add print and set support for Issuing Distribution Point CRL extension.

   *Steve Henson*

 * Change 'Configure' script to enable Camellia by default.

   *NTT*

OpenSSL 0.9.x
-------------

### Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

 * When rejecting SSL/TLS records due to an incorrect version number, never
   update s->server with a new major version number. As of
   - OpenSSL 0.9.8m if 'short' is a 16-bit type,
   - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
   the previous behavior could result in a read attempt at NULL when
   receiving specific incorrect SSL/TLS records once record payload
   protection is active.
   ([CVE-2010-0740])

   *Bodo Moeller, Adam Langley <agl@chromium.org>*

 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
   could be crashed if the relevant tables were not present (e.g. chrooted).

   *Tomas Hoger <thoger@redhat.com>*

### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]

 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])

   *Martin Olsson, Neel Mehta*

 * Fix X509_STORE locking: Every 'objs' access requires a lock (to
   accommodate for stack sorting, always a write lock!).

   *Bodo Moeller*

 * On some versions of WIN32 Heap32Next is very slow. This can cause
   excessive delays in the RAND_poll(): over a minute. As a workaround
   include a time check in the inner Heap32Next loop too.

   *Steve Henson*

 * The code that handled flushing of data in SSL/TLS originally used the
   BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
   the problem outlined in PR#1949. The fix suggested there however can
   trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
   of Apache). So instead simplify the code to flush unconditionally.
   This should be fine since flushing with no data to flush is a no-op.

   *Steve Henson*

 * Handle TLS versions 2.0 and later properly and correctly use the
   highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
   off, ancient servers have a habit of sticking around for a while...

   *Steve Henson*

 * Modify compression code so it frees up structures without using the
   ex_data callbacks. This works around a problem where some applications
   call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
   restarting) then use compression (e.g. SSL with compression) later.
   This results in significant per-connection memory leaks and
   has caused some security issues including CVE-2008-1678 and
   CVE-2009-4355.

   *Steve Henson*

 * Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
   change when encrypting or decrypting.

   *Bodo Moeller*

 * Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
   connect and renegotiate with servers which do not support RI.
   Until RI is more widely deployed this option is enabled by default.

   *Steve Henson*

 * Add "missing" ssl ctrls to clear options and mode.

   *Steve Henson*

 * If client attempts to renegotiate and doesn't support RI respond with
   a no_renegotiation alert as required by RFC5746. Some renegotiating
   TLS clients will continue a connection gracefully when they receive
   the alert. Unfortunately OpenSSL mishandled this alert and would hang
   waiting for a server hello which it will never receive. Now we treat a
   received no_renegotiation alert as a fatal error. This is because
   applications requesting a renegotiation might well expect it to succeed
   and would have no code in place to handle the server denying it so the
   only safe thing to do is to terminate the connection.

   *Steve Henson*

 * Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
   peer supports secure renegotiation and 0 otherwise. Print out peer
   renegotiation support in s_client/s_server.

   *Steve Henson*

 * Replace the highly broken and deprecated SPKAC certification method with
   the updated NID creation version. This should correctly handle UTF8.

   *Steve Henson*

 * Implement RFC5746. Re-enable renegotiation but require the extension
   as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
   turns out to be a bad idea.
   It has been replaced by
   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
   SSL_CTX_set_options(). This is really not recommended unless you
   know what you are doing.

   *Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson*

 * Fixes to stateless session resumption handling. Use initial_ctx when
   issuing and attempting to decrypt tickets in case it has changed during
   servername handling. Use a non-zero length session ID when attempting
   stateless session resumption: this makes it possible to determine if
   a resumption has occurred immediately after receiving server hello
   (several places in OpenSSL subtly assume this) instead of later in
   the handshake.

   *Steve Henson*

 * The functions ENGINE_ctrl(), OPENSSL_isservice(),
   CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error;
   fixes for a few places where the return code is not checked
   correctly.

   *Julia Lawall <julia@diku.dk>*

 * Add --strict-warnings option to Configure script to include devteam
   warnings in other configurations.

   *Steve Henson*

 * Add support for --libdir option and LIBDIR variable in makefiles. This
   makes it possible to install openssl libraries in locations which
   have names other than "lib", for example "/usr/lib64" which some
   systems need.

   *Steve Henson, based on patch from Jeremy Utley*

 * Don't allow the use of leading 0x80 in OIDs. This is a violation of
   X690 8.9.12 and can produce some misleading textual output of OIDs.

   *Steve Henson, reported by Dan Kaminsky*

 * Delete MD2 from algorithm tables. This follows the recommendation in
   several standards that it is not used in new applications due to
   several cryptographic weaknesses. For binary compatibility reasons
   the MD2 API is still compiled in by default.

   *Steve Henson*

 * Add compression id to `{d2i,i2d}_SSL_SESSION` so it is correctly saved
   and restored.

   *Steve Henson*

 * Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
   OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
   clash.

   *Guenter <lists@gknw.net>*

 * Fix the server certificate chain building code to use X509_verify_cert();
   it used to have an ad-hoc builder which was unable to cope with anything
   other than a simple chain.

   *David Woodhouse <dwmw2@infradead.org>, Steve Henson*

 * Don't check self signed certificate signatures in X509_verify_cert()
   by default (a flag can override this): it just wastes time without
   adding any security. As a useful side effect self signed root CAs
   with non-FIPS digests are now usable in FIPS mode.

   *Steve Henson*

 * In dtls1_process_out_of_seq_message() the check if the current message
   is already buffered was missing. Memory was allocated for every new
   message, allowing an attacker to perform a denial of service attack
   by sending out of seq handshake messages until there is no memory
   left. Additionally every future message was buffered, even if the
   sequence number made no sense and would be part of another handshake.
   So only messages with sequence numbers less than 10 in advance will be
   buffered. ([CVE-2009-1378])

   *Robin Seggelmann, discovered by Daniel Mentz*

 * Records are buffered if they arrive with a future epoch to be
   processed after finishing the corresponding handshake. There is
   currently no limitation to this buffer allowing an attacker to perform
   a DOS attack by sending records with future epochs until there is no
   memory left. This patch adds the pqueue_size() function to determine
   the size of a buffer and limits the record buffer to 100 entries.
   ([CVE-2009-1377])

   *Robin Seggelmann, discovered by Daniel Mentz*

 * Keep a copy of frag->msg_header.frag_len so it can be used after the
   parent structure is freed. ([CVE-2009-1379])

   *Daniel Mentz*

 * Handle non-blocking I/O properly in SSL_shutdown() call.

   *Darryl Miles <darryl-mailinglists@netbauds.net>*

 * Add `2.5.4.*` OIDs

   *Ilya O. <vrghost@gmail.com>*

### Changes between 0.9.8k and 0.9.8l [5 Nov 2009]

 * Disable renegotiation completely - this fixes a severe security
   problem ([CVE-2009-3555]) at the cost of breaking all
   renegotiation. Renegotiation can be re-enabled by setting
   SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
   run-time. This is really not recommended unless you know what
   you're doing.

   *Ben Laurie*

### Changes between 0.9.8j and 0.9.8k [25 Mar 2009]

 * Don't set val to NULL when freeing up structures; it is freed up by
   underlying code. If `sizeof(void *) > sizeof(long)` this can result in
   zeroing past the valid field. ([CVE-2009-0789])

   *Paolo Ganci <Paolo.Ganci@AdNovum.CH>*

 * Fix bug where return value of CMS_SignerInfo_verify_content() was not
   checked correctly. This would allow some invalid signed attributes to
   appear to verify correctly. ([CVE-2009-0591])

   *Ivan Nestlerode <inestlerode@us.ibm.com>*

 * Reject UniversalString and BMPString types with invalid lengths. This
   prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
   a legal length. ([CVE-2009-0590])

   *Steve Henson*

 * Set S/MIME signing as the default purpose rather than setting it
   unconditionally. This allows applications to override it at the store
   level.

   *Steve Henson*

 * Permit restricted recursion of ASN1 strings. This is needed in practice
   to handle some structures.

   *Steve Henson*

 * Improve efficiency of mem_gets: don't search whole buffer each time
   for a '\n'.

   *Jeremy Shapiro <jnshapir@us.ibm.com>*

 * New -hex option for openssl rand.

   *Matthieu Herrb*

 * Print out UTF8String and NumericString when parsing ASN1.

   *Steve Henson*

 * Support NumericString type for name components.

   *Steve Henson*

 * Allow CC in the environment to override the automatically chosen
   compiler. Note that nothing is done to ensure flags work with the
   chosen compiler.

   *Ben Laurie*

### Changes between 0.9.8i and 0.9.8j [07 Jan 2009]

 * Properly check EVP_VerifyFinal() and similar return values
   ([CVE-2008-5077]).

   *Ben Laurie, Bodo Moeller, Google Security Team*

 * Enable TLS extensions by default.

   *Ben Laurie*

 * Allow the CHIL engine to be loaded, whether the application is
   multithreaded or not. (This does not release the developer from the
   obligation to set up the dynamic locking callbacks.)

   *Sander Temme <sander@temme.net>*

 * Use correct exit code if there is an error in dgst command.

   *Steve Henson; problem pointed out by Roland Dirlewanger*

 * Tweak Configure so that you need to say "experimental-jpake" to enable
   JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.

   *Bodo Moeller*

 * Add experimental JPAKE support, including demo authentication in
   s_client and s_server.

   *Ben Laurie*

 * Set the comparison function in v3_addr_canonize().

   *Rob Austein <sra@hactrn.net>*

 * Add support for XMPP STARTTLS in s_client.

   *Philip Paeps <philip@freebsd.org>*

 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
   to ensure that even with this option, only ciphersuites in the
   server's preference list will be accepted. (Note that the option
   applies only when resuming a session, so the earlier behavior was
   just about the algorithm choice for symmetric cryptography.)

   *Bodo Moeller*

### Changes between 0.9.8h and 0.9.8i [15 Sep 2008]

 * Fix NULL pointer dereference if a DTLS server received
   ChangeCipherSpec as first record ([CVE-2009-1386]).

   *PR #1679*

 * Fix a state transition in s3_srvr.c and d1_srvr.c
   (was using SSL3_ST_CW_CLNT_HELLO_B, should be `..._ST_SW_SRVR_...`).

   *Nagendra Modadugu*

 * The fix in 0.9.8c that supposedly got rid of unsafe
   double-checked locking was incomplete for RSA blinding,
   addressing just one layer of what turns out to have been
   doubly unsafe triple-checked locking.

   So now fix this for real by retiring the MONT_HELPER macro
   in crypto/rsa/rsa_eay.c.

   *Bodo Moeller; problem pointed out by Marius Schilder*

 * Various precautionary measures:

   - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).

   - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
     (NB: This would require knowledge of the secret session ticket key
     to exploit, in which case you'd be SOL either way.)

   - Change bn_nist.c so that it will properly handle input BIGNUMs
     outside the expected range.

   - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
     builds.

   *Neel Mehta, Bodo Moeller*

 * Allow engines to be "soft loaded" - i.e. optionally don't die if
   the load fails. Useful for distros.

   *Ben Laurie and the FreeBSD team*

 * Add support for Local Machine Keyset attribute in PKCS#12 files.

   *Steve Henson*

 * Fix BN_GF2m_mod_arr() top-bit cleanup code.

   *Huang Ying*

 * Expand ENGINE to support engine supplied SSL client certificate functions.

   This work was sponsored by Logica.

   *Steve Henson*

 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
   keystores. Support for SSL/TLS client authentication too.
   Not compiled unless enable-capieng is specified to Configure.

   This work was sponsored by Logica.

   *Steve Henson*

 * Fix bug in X509_ATTRIBUTE creation: don't set attribute using
   ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
   attribute creation routines such as certificate requests and PKCS#12
   files.

   *Steve Henson*

### Changes between 0.9.8g and 0.9.8h [28 May 2008]

 * Fix flaw if 'Server Key exchange message' is omitted from a TLS
   handshake which could lead to a client crash as found using the
   Codenomicon TLS test suite ([CVE-2008-1672]).

   *Steve Henson, Mark Cox*

 * Fix double free in TLS server name extensions which could lead to
   a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891]).

   *Joe Orton*

 * Clear error queue in SSL_CTX_use_certificate_chain_file()

   Clear the error queue to ensure that error entries left from
   older function calls do not interfere with the correct operation.

   *Lutz Jaenicke, Erik de Castro Lopo*

 * Remove root CA certificates of commercial CAs:

   The OpenSSL project does not recommend any specific CA and does not
   have any policy with respect to including or excluding any CA.
   Therefore it does not make any sense to ship an arbitrary selection
   of root CA certificates with the OpenSSL software.

   *Lutz Jaenicke*

 * RSA OAEP patches to fix two separate invalid memory reads.
   The first one involves inputs when 'lzero' is greater than
   'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
   before the beginning of 'from'). The second one involves inputs where
   the 'db' section contains nothing but zeroes (there is a one-byte
   invalid read after the end of 'db').

   *Ivan Nestlerode <inestlerode@us.ibm.com>*

 * Partial backport from 0.9.9-dev:

   Introduce bn_mul_mont (dedicated Montgomery multiplication
   procedure) as a candidate for BIGNUM assembler implementation.
   While 0.9.9-dev uses assembler for various architectures, only
   x86_64 is available by default here in the 0.9.8 branch, and
   32-bit x86 is available through a compile-time setting.

   To try the 32-bit x86 assembler implementation, use Configure
   option "enable-montasm" (which exists only for this backport).

   As "enable-montasm" for 32-bit x86 disclaims code stability
   anyway, in this constellation we activate additional code
   backported from 0.9.9-dev for further performance improvements,
   namely BN_from_montgomery_word. (To enable this otherwise,
   e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)

   *Andy Polyakov (backport partially by Bodo Moeller)*

 * Add TLS session ticket callback. This allows an application to set
   TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
   values. This is useful for key rollover, for example where several key
   sets may exist with different names.

   *Steve Henson*

 * Reverse ENGINE-internal logic for caching default ENGINE handles.
   This was broken until now in 0.9.8 releases, such that the only way
   a registered ENGINE could be used (assuming it initialises
   successfully on the host) was to explicitly set it as the default
   for the relevant algorithms.
   This is in contradiction with 0.9.7
   behaviour and the documentation. With this fix, when an ENGINE is
   registered into a given algorithm's table of implementations, the
   'uptodate' flag is reset so that auto-discovery will be used next
   time a new context for that algorithm attempts to select an
   implementation.

   *Ian Lister (tweaked by Geoff Thorpe)*

 * Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
   implementation in the following ways:

   Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
   hard coded.

   Lack of BER streaming support means one pass streaming processing is
   only supported if data is detached: setting the streaming flag is
   ignored for embedded content.

   CMS support is disabled by default and must be explicitly enabled
   with the enable-cms configuration option.

   *Steve Henson*

 * Update the GMP engine glue to do direct copies between BIGNUM and
   mpz_t when openssl and GMP use the same limb size. Otherwise the
   existing "conversion via a text string export" trick is still used.

   *Paul Sheer <paulsheer@gmail.com>*

 * Zlib compression BIO. This is a filter BIO which compresses and
   uncompresses any data passed through it.

   *Steve Henson*

 * Add AES_wrap_key() and AES_unwrap_key() functions to implement
   RFC3394 compatible AES key wrapping.

   *Steve Henson*

 * Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
   sets string data without copying. X509_ALGOR_set0() and
   X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
   data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
   from an X509_ATTRIBUTE structure optionally checking it occurs only
   once. ASN1_TYPE_set1(): sets an ASN1_TYPE structure, copying the
   supplied data.

   *Steve Henson*

 * Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
   to get the expected BN_FLG_CONSTTIME behavior.

   *Bodo Moeller (Google)*

 * Netware support:

   - fixed wrong usage of ioctlsocket() when built for LIBC BSD sockets
   - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
   - added some more tests to do_tests.pl
   - fixed RunningProcess usage so that it works with newer LIBC NDKs too
   - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
   - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
     netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
   - various changes to netware.pl to enable gcc-cross builds on Win32
     platform
   - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
   - various changes to fix missing prototype warnings
   - fixed x86nasm.pl to create correct asm files for NASM COFF output
   - added AES, WHIRLPOOL and CPUID assembler code to build files
   - added missing AES assembler make rules to mk1mf.pl
   - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply

   *Guenter Knauf <eflash@gmx.net>*

 * Implement certificate status request TLS extension defined in RFC3546.
   A client can set the appropriate parameters and receive the encoded
   OCSP response via a callback. A server can query the supplied parameters
   and set the encoded OCSP response in the callback. Add simplified examples
   to s_client and s_server.

   *Steve Henson*

### Changes between 0.9.8f and 0.9.8g [19 Oct 2007]

 * Fix various bugs:
   + Binary incompatibility of ssl_ctx_st structure
   + DTLS interoperation with non-compliant servers
   + Don't call get_session_cb() without proposed session
   + Fix ia64 assembler code

   *Andy Polyakov, Steve Henson*

### Changes between 0.9.8e and 0.9.8f [11 Oct 2007]

 * DTLS Handshake overhaul. There were longstanding issues with the
   OpenSSL DTLS implementation, which made it impossible for an
   RFC 4347 compliant client to communicate with an OpenSSL server.
   Unfortunately just fixing these incompatibilities would "cut off"
   pre-0.9.8f clients. To allow for a hassle-free upgrade, the post-0.9.8e
   server keeps tolerating non-RFC-compliant syntax. The opposite is
   not true: a 0.9.8f client cannot communicate with an earlier server.
   This update even addresses CVE-2007-4995.

   *Andy Polyakov*

 * Changes to avoid need for function casts in OpenSSL: some compilers
   (gcc 4.2 and later) reject their use.

   *Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
   Steve Henson*

 * Add RFC4507 support to OpenSSL. This includes the corrections in
   RFC4507bis. The encrypted ticket format is an encrypted encoded
   SSL_SESSION structure, that way new session features are automatically
   supported.

   If a client application caches sessions in an SSL_SESSION structure,
   support is transparent because tickets are now stored in the encoded
   SSL_SESSION.

   The SSL_CTX structure automatically generates keys for ticket
   protection in servers so again support should be possible
   with no application modification.

   If a client or server wishes to disable RFC4507 support then the option
   SSL_OP_NO_TICKET can be set.

   Add a TLS extension debugging callback to allow the contents of any client
   or server extensions to be examined.

   This work was sponsored by Google.

   *Steve Henson*

 * Add initial support for TLS extensions, specifically for the server_name
   extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
   have new members for a host name. The SSL data structure has an
   additional member `SSL_CTX *initial_ctx` so that new sessions can be
   stored in that context to allow for session resumption, even after the
   SSL has been switched to a new SSL_CTX in reaction to a client's
   server_name extension.

   New functions (subject to change):

       SSL_get_servername()
       SSL_get_servername_type()
       SSL_set_SSL_CTX()

   New CTRL codes and macros (subject to change):

       SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                   - SSL_CTX_set_tlsext_servername_callback()
       SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                   - SSL_CTX_set_tlsext_servername_arg()
       SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

   openssl s_client has a new '-servername ...' option.

   openssl s_server has new options '-servername_host ...', '-cert2 ...',
   '-key2 ...', '-servername_fatal' (subject to change). This allows
   testing the HostName extension for a specific single host name ('-cert'
   and '-key' remain fallbacks for handshakes without HostName
   negotiation). If the unrecognized_name alert has to be sent, this by
   default is a warning; it becomes fatal with the '-servername_fatal'
   option.

   *Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson*

 * Add AES and SSE2 assembly language support to VC++ build.

   *Steve Henson*

 * Mitigate attack on final subtraction in Montgomery reduction.

   *Andy Polyakov*

 * Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
   (which previously caused an internal error).

   *Bodo Moeller*

 * Squeeze another 10% out of IGE mode when in != out.

   *Ben Laurie*

 * AES IGE mode speedup.

   *Dean Gaudet (Google)*

 * Add the Korean symmetric 128-bit cipher SEED (see
   <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and
   add SEED ciphersuites from RFC 4162:

       TLS_RSA_WITH_SEED_CBC_SHA      = "SEED-SHA"
       TLS_DHE_DSS_WITH_SEED_CBC_SHA  = "DHE-DSS-SEED-SHA"
       TLS_DHE_RSA_WITH_SEED_CBC_SHA  = "DHE-RSA-SEED-SHA"
       TLS_DH_anon_WITH_SEED_CBC_SHA  = "ADH-SEED-SHA"

   To minimize changes between patchlevels in the OpenSSL 0.9.8
   series, SEED remains excluded from compilation unless OpenSSL
   is configured with 'enable-seed'.

   *KISA, Bodo Moeller*

 * Mitigate branch prediction attacks, which can be practical if a
   single processor is shared, allowing a spy process to extract
   information. For detailed background information, see
   <http://eprint.iacr.org/2007/039> (O. Aciicmez, S. Gueron,
   J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
   and Necessary Software Countermeasures"). The core of the change
   is the new versions BN_div_no_branch() and
   BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
   respectively, which are slower, but avoid the security-relevant
   conditional branches. These are automatically called by BN_div()
   and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
   of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
   remove a conditional branch.

   BN_FLG_CONSTTIME is the new name for the previous
   BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
   modular exponentiation.
   (Since OpenSSL 0.9.7h, setting this flag
   in the exponent causes BN_mod_exp_mont() to use the alternative
   implementation in BN_mod_exp_mont_consttime().) The old name
   remains as a deprecated alias.

   Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
   RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
   constant-time implementations for more than just exponentiation.
   Here too the old name is kept as a deprecated alias.

   BN_BLINDING_new() will now use BN_dup() for the modulus so that
   the BN_BLINDING structure gets an independent copy of the
   modulus. This means that the previous `BIGNUM *m` argument to
   BN_BLINDING_new() and to BN_BLINDING_create_param() now
   essentially becomes `const BIGNUM *m`, although we can't actually
   change this in the header file before 0.9.9. It allows
   RSA_setup_blinding() to use BN_with_flags() on the modulus to
   enable BN_FLG_CONSTTIME.

   *Matthew D Wood (Intel Corp)*

 * In the SSL/TLS server implementation, be strict about session ID
   context matching (which matters if an application uses a single
   external cache for different purposes). Previously,
   out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
   set. This did ensure strict client verification, but meant that,
   with applications using a single external cache for quite
   different requirements, clients could circumvent ciphersuite
   restrictions for a given session ID context by starting a session
   in a different context.

   *Bodo Moeller*

 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
   a ciphersuite string such as "DEFAULT:RSA" cannot enable
   authentication-only ciphersuites.

   *Bodo Moeller*

 * Update the SSL_get_shared_ciphers() fix for CVE-2006-3738, which was
   not complete and could lead to a possible single byte overflow
   ([CVE-2007-5135]). [Ben Laurie]

### Changes between 0.9.8d and 0.9.8e [23 Feb 2007]

 * Since AES128 and AES256 (and similarly Camellia128 and
   Camellia256) share a single mask bit in the logic of
   ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   kludge to work properly if AES128 is available and AES256 isn't
   (or if Camellia128 is available and Camellia256 isn't).

   *Victor Duchovni*

 * Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
   (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
   When a point or a seed is encoded in a BIT STRING, we need to
   prevent the removal of trailing zero bits to get the proper DER
   encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
   of a NamedBitList, for which trailing 0 bits need to be removed.)

   *Bodo Moeller*

 * Have SSL/TLS server implementation tolerate "mismatched" record
   protocol version while receiving ClientHello even if the
   ClientHello is fragmented. (The server can't insist on the
   particular protocol version it has chosen before the ServerHello
   message has informed the client about its choice.)

   *Bodo Moeller*

 * Add RFC 3779 support.

   *Rob Austein for ARIN, Ben Laurie*

 * Load error codes if they are not already present instead of using a
   static variable. This allows them to be cleanly unloaded and reloaded.
   Improve header file function name parsing.

   *Steve Henson*

 * Extend SMTP and IMAP protocol emulation in s_client to use EHLO
   or CAPABILITY handshake as required by RFCs.

   *Goetz Babin-Ebell*

### Changes between 0.9.8c and 0.9.8d [28 Sep 2006]

 * Introduce limits to prevent malicious keys being able to
   cause a denial of service. ([CVE-2006-2940])

   *Steve Henson, Bodo Moeller*

 * Fix ASN.1 parsing of certain invalid structures that can result
   in a denial of service. ([CVE-2006-2937]) [Steve Henson]

 * Fix buffer overflow in SSL_get_shared_ciphers() function.
   ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]

 * Fix SSL client code which could crash if connecting to a
   malicious SSLv2 server. ([CVE-2006-4343])

   *Tavis Ormandy and Will Drewry, Google Security Team*

 * Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
   match only those. Before that, "AES256-SHA" would be interpreted
   as a pattern and match "AES128-SHA" too (since AES128-SHA got
   the same strength classification in 0.9.7h) as we currently only
   have a single AES bit in the ciphersuite description bitmap.
   That change, however, also applied to ciphersuite strings such as
   "RC4-MD5" that intentionally matched multiple ciphersuites --
   namely, SSL 2.0 ciphersuites in addition to the more common ones
   from SSL 3.0/TLS 1.0.

   So we change the selection algorithm again: Naming an explicit
   ciphersuite selects this one ciphersuite, and any other similar
   ciphersuite (same bitmap) from *other* protocol versions.
   Thus, "RC4-MD5" again will properly select both the SSL 2.0
   ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

   Since SSL 2.0 does not have any ciphersuites for which the
   128/256 bit distinction would be relevant, this works for now.
   The proper fix will be to use different bits for AES128 and
   AES256, which would have avoided the problems from the beginning;
   however, bits are scarce, so we can only do this in a new release
   (not just a patchlevel) when we can change the SSL_CIPHER
   definition to split the single 'unsigned long mask' bitmap into
   multiple values to extend the available space.

   *Bodo Moeller*

### Changes between 0.9.8b and 0.9.8c [05 Sep 2006]

 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
   ([CVE-2006-4339]) [Ben Laurie and Google Security Team]

 * Add AES IGE and biIGE modes.

   *Ben Laurie*

 * Change the Unix randomness entropy gathering to use poll() when
   possible instead of select(), since the latter has some
   undesirable limitations.

   *Darryl Miles via Richard Levitte and Bodo Moeller*

 * Disable "ECCdraft" ciphersuites more thoroughly. Now special
   treatment in ssl/ssl_ciph.c makes sure that these ciphersuites
   cannot be implicitly activated as part of, e.g., the "AES" alias.
   However, please upgrade to OpenSSL 0.9.9[-dev] for
   non-experimental use of the ECC ciphersuites to get TLS extension
   support, which is required for curve and point format negotiation
   to avoid potential handshake problems.

   *Bodo Moeller*

 * Disable rogue ciphersuites:

   - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
   - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
   - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

   The latter two were purportedly from
   draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
   appear there.

   Also deactivate the remaining ciphersuites from
   draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
   unofficial, and the ID has long expired.

   *Bodo Moeller*

 * Fix RSA blinding Heisenbug (problems sometimes occurred on
   dual-core machines) and other potential thread-safety issues.

   *Bodo Moeller*

 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
   versions), which is now available for royalty-free use
   (see <http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html>).
   Also, add Camellia TLS ciphersuites from RFC 4132.

   To minimize changes between patchlevels in the OpenSSL 0.9.8
   series, Camellia remains excluded from compilation unless OpenSSL
   is configured with 'enable-camellia'.

   *NTT*

 * Disable the padding bug check when compression is in use. The padding
   bug check assumes the first packet is of even length; this is not
   necessarily true if compression is enabled and can result in false
   positives causing handshake failure. The actual bug test is ancient
   code so it is hoped that implementations will either have fixed it by
   now or any which still have the bug do not support compression.

   *Steve Henson*

### Changes between 0.9.8a and 0.9.8b [04 May 2006]

 * When applying a cipher rule, check whether the string matches an
   explicit cipher suite and, if it does, match only that one cipher suite.

   *Steve Henson*

 * Link in manifests for VC++ if needed.

   *Austin Ziegler <halostatue@gmail.com>*

 * Update support for ECC-based TLS ciphersuites according to
   draft-ietf-tls-ecc-12.txt with proposed changes (but without
   TLS extensions, which are supported starting with the 0.9.9
   branch, not in the OpenSSL 0.9.8 branch).

   *Douglas Stebila*

 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
   opaque EVP_CIPHER_CTX handling.

   *Steve Henson*

 * Fixes and enhancements to zlib compression code.
   We now only use
   "zlib1.dll" and use the default `__cdecl` calling convention on Win32
   to conform with the standards mentioned here:
   <http://www.zlib.net/DLL_FAQ.txt>
   Static zlib linking now works on Windows and the new --with-zlib-include
   --with-zlib-lib options to Configure can be used to supply the location
   of the headers and library. Gracefully handle the case where the zlib
   library can't be loaded.

   *Steve Henson*

 * Several fixes and enhancements to the OID generation code. The old code
   sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
   handle numbers larger than ULONG_MAX, truncated printing and had a
   non standard OBJ_obj2txt() behaviour.

   *Steve Henson*

 * Add support for building of engines under engine/ as shared libraries
   under VC++ build system.

   *Steve Henson*

 * Corrected the numerous bugs in the Win32 path splitter in DSO.
   Hopefully, we will not see any false combination of paths any more.

   *Richard Levitte*

### Changes between 0.9.8 and 0.9.8a [11 Oct 2005]

 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
   (part of SSL_OP_ALL). This option used to disable the
   countermeasure against man-in-the-middle protocol-version
   rollback in the SSL 2.0 server implementation, which is a bad
   idea. ([CVE-2005-2969])

   *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
   for Information Security, National Institute of Advanced Industrial
   Science and Technology [AIST], Japan)*

 * Add two functions to clear and return the verify parameter flags.

   *Steve Henson*

 * Keep cipherlists sorted in the source instead of sorting them at
   runtime, thus removing the need for a lock.

   *Nils Larsch*

 * Avoid some small subgroup attacks in Diffie-Hellman.

   *Nick Mathewson and Ben Laurie*

 * Add functions for well-known primes.

   *Nick Mathewson*

 * Extended Windows CE support.

   *Satoshi Nakamura and Andy Polyakov*

 * Initialize SSL_METHOD structures at compile time instead of during
   runtime, thus removing the need for a lock.

   *Steve Henson*

 * Make PKCS7_decrypt() work even if no certificate is supplied by
   attempting to decrypt each encrypted key in turn. Add support to
   smime utility.

   *Steve Henson*

### Changes between 0.9.7h and 0.9.8 [05 Jul 2005]

[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]

 * Add libcrypto.pc and libssl.pc for those who feel they need them.

   *Richard Levitte*

 * Change CA.sh and CA.pl so they don't bundle the CSR and the private
   key into the same file any more.

   *Richard Levitte*

 * Add initial support for Win64, both IA64 and AMD64/x64 flavors.

   *Andy Polyakov*

 * Add -utf8 command line and config file option to 'ca'.

   *Stefan <stf@udoma.org>*

 * Removed the macro des_crypt(), as it seems to conflict with some
   libraries. Use DES_crypt().

   *Richard Levitte*

 * Correct naming of the 'chil' and '4758cca' ENGINEs. This
   involves renaming the source and generated shared-libs for
   both. The engines will accept the corrected or legacy ids
   ('ncipher' and '4758_cca' respectively) when binding. NB,
   this only applies when building 'shared'.

   *Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe*

 * Add attribute functions to EVP_PKEY structure. Modify
   PKCS12_create() to recognize a CSP name attribute and
   use it. Make -CSP option work again in pkcs12 utility.
   *Steve Henson*

 * Add new functionality to the bn blinding code:
   - automatic re-creation of the BN_BLINDING parameters after
     a fixed number of uses (currently 32)
   - add new function for parameter creation
   - introduce flags to control the update behaviour of the
     BN_BLINDING parameters
   - hide BN_BLINDING structure
   Add a second BN_BLINDING slot to the RSA structure to improve
   performance when a single RSA object is shared among several
   threads.

   *Nils Larsch*

 * Add support for DTLS.

   *Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie*

 * Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
   to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()

   *Walter Goulet*

 * Remove buggy and incomplete DH cert support from
   ssl/ssl_rsa.c and ssl/s3_both.c

   *Nils Larsch*

 * Use SHA-1 instead of MD5 as the default digest algorithm for
   the `apps/openssl` commands.

   *Nils Larsch*

 * Compile clean with "-Wall -Wmissing-prototypes
   -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
   DEBUG_SAFESTACK must also be set.

   *Ben Laurie*

 * Change ./Configure so that certain algorithms can be disabled by default.
   The new counterpiece to "no-xxx" is "enable-xxx".

   The patented RC5 and MDC2 algorithms will now be disabled unless
   "enable-rc5" and "enable-mdc2", respectively, are specified.

   (IDEA remains enabled despite being patented. This is because IDEA
   is frequently required for interoperability, and there is no license
   fee for non-commercial use. As before, "no-idea" can be used to
   avoid this algorithm.)

   *Bodo Moeller*

 * Add processing of proxy certificates (see RFC 3820).
   This work was sponsored by KTH (The Royal Institute of Technology in
   Stockholm) and EGEE (Enabling Grids for E-science in Europe).

   *Richard Levitte*

 * RC4 performance overhaul on modern architectures/implementations, such
   as Intel P4, IA-64 and AMD64.

   *Andy Polyakov*

 * New utility extract-section.pl. This can be used to specify an alternative
   section number in a pod file instead of having to treat each file as
   a separate case in Makefile. This can be done by adding two lines to the
   pod file:

       =for comment openssl_section:XXX

   The blank line is mandatory.

   *Steve Henson*

 * New arguments -certform, -keyform and -pass for s_client and s_server
   to allow alternative format key and certificate files and passphrase
   sources.

   *Steve Henson*

 * New structure X509_VERIFY_PARAM which combines current verify parameters,
   update associated structures and add various utility functions.

   Add new policy related verify parameters, include policy checking in
   standard verify code. Enhance 'smime' application with extra parameters
   to support policy checking and print out.

   *Steve Henson*

 * Add a new engine to support VIA PadLock ACE extensions in the VIA C3
   Nehemiah processors. These extensions support AES encryption in hardware
   as well as RNG (though RNG support is currently disabled).

   *Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov*

 * Deprecate `BN_[get|set]_params()` functions (they were ignored internally).

   *Geoff Thorpe*

 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.

   *Andy Polyakov and a number of other people*

 * Improved PowerPC platform support. Most notably BIGNUM assembler
   implementation contributed by IBM.
   *Suresh Chari, Peter Waltenberg, Andy Polyakov*

 * The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
   exponent rather than 'unsigned long'. There is a corresponding change to
   the new 'rsa_keygen' element of the RSA_METHOD structure.

   *Jelte Jansen, Geoff Thorpe*

 * Functionality for creating the initial serial number file is now
   moved from CA.pl to the 'ca' utility with a new option -create_serial.

   (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
   number file to 1, which is bound to cause problems. To avoid
   the problems while respecting compatibility between different 0.9.7
   patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
   CA.pl for serial number initialization. With the new release 0.9.8,
   we can fix the problem directly in the 'ca' utility.)

   *Steve Henson*

 * Reduced header interdependencies by declaring more opaque objects in
   ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
   give fewer recursive includes, which could break lazy source code - so
   this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
   developers should define this symbol when building and using openssl to
   ensure they track the recommended behaviour, interfaces, [etc], but
   backwards-compatible behaviour prevails when this isn't defined.

   *Geoff Thorpe*

 * New function X509_POLICY_NODE_print() which prints out policy nodes.

   *Steve Henson*

 * Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
   This will generate a random key of the appropriate length based on the
   cipher context. The EVP_CIPHER can provide its own random key generation
   routine to support keys of a specific form. This is used in the des and
   3des routines to generate a key of the correct parity.
   Update S/MIME code to use new functions and hence generate correct
   parity DES keys. Add EVP_CHECK_DES_KEY #define to return an error if
   the key is not valid (weak or incorrect parity).

   *Steve Henson*

 * Add a local set of CRLs that can be used by X509_verify_cert() as well
   as looking them up. This is useful when the verified structure may contain
   CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
   present unless the new PKCS7_NO_CRL flag is asserted.

   *Steve Henson*

 * Extend ASN1 oid configuration module. It now additionally accepts the
   syntax:

       shortName = some long name, 1.2.3.4

   *Steve Henson*

 * Reimplemented the BN_CTX implementation. There is now no more static
   limitation on the number of variables it can handle nor the depth of the
   "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
   information can now expand as required, and rather than having a single
   static array of bignums, BN_CTX now uses a linked-list of such arrays
   allowing it to expand on demand whilst maintaining the usefulness of
   BN_CTX's "bundling".

   *Geoff Thorpe*

 * Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
   to allow all RSA operations to function using a single BN_CTX.

   *Geoff Thorpe*

 * Preliminary support for certificate policy evaluation and checking. This
   is initially intended to pass the tests outlined in "Conformance Testing
   of Relying Party Client Certificate Path Processing Logic" v1.07.

   *Steve Henson*

 * bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
   remained unused and not that useful. A variety of other little bignum
   tweaks and fixes have also been made continuing on from the audit (see
   below).
   *Geoff Thorpe*

 * Constify all or almost all d2i, c2i, s2i and r2i functions, along with
   associated ASN1, EVP and SSL functions and old ASN1 macros.

   *Richard Levitte*

 * BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
   and this should never fail. So the return value from the use of
   BN_set_word() (which can fail due to needless expansion) is now deprecated;
   if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.

   *Geoff Thorpe*

 * BN_CTX_get() should return zero-valued bignums, providing the same
   initialised value as BN_new().

   *Geoff Thorpe, suggested by Ulf Möller*

 * Support for inhibitAnyPolicy certificate extension.

   *Steve Henson*

 * An audit of the BIGNUM code is underway, for which debugging code is
   enabled when BN_DEBUG is defined. This makes stricter enforcements on what
   is considered valid when processing BIGNUMs, and causes execution to
   assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
   further steps are taken to deliberately pollute unused data in BIGNUM
   structures to try and expose faulty code further on. For now, openssl will
   (in its default mode of operation) continue to tolerate the inconsistent
   forms that it has tolerated in the past, but authors and packagers should
   consider trying openssl and their own applications when compiled with
   these debugging symbols defined. It will help highlight potential bugs in
   their own code, and will improve the test coverage for OpenSSL itself. At
   some point, these tighter rules will become openssl's default to improve
   maintainability, though the assert()s and other overheads will remain only
   in debugging configurations. See bn.h for more details.
   *Geoff Thorpe, Nils Larsch, Ulf Möller*

 * BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
   that can only be obtained through BN_CTX_new() (which implicitly
   initialises it). The presence of this function only made it possible
   to overwrite an existing structure (and cause memory leaks).

   *Geoff Thorpe*

 * Because of the callback-based approach for implementing LHASH as a
   template type, lh_insert() adds opaque objects to hash-tables and
   lh_doall() or lh_doall_arg() are typically used with a destructor callback
   to clean up those corresponding objects before destroying the hash table
   (and losing the object pointers). So some over-zealous constifications in
   LHASH have been relaxed so that lh_insert() does not take (nor store) the
   objects as "const" and the `lh_doall[_arg]` callback wrappers are not
   prototyped to have "const" restrictions on the object pointers they are
   given (and so aren't required to cast them away any more).

   *Geoff Thorpe*

 * The tmdiff.h API was so ugly and minimal that our own timing utility
   (speed) prefers to use its own implementation. The two implementations
   haven't been consolidated as yet (volunteers?) but the tmdiff API has had
   its object type properly exposed (MS_TM) instead of casting to/from
   `char *`. This may still change yet if someone realises MS_TM and
   `ms_time_***` aren't necessarily the greatest nomenclatures - but this is
   what was used internally to the implementation so I've used that for now.

   *Geoff Thorpe*

 * Ensure that deprecated functions do not get compiled when
   OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
   the self-tests were still using deprecated key-generation functions so
   these have been updated also.
   *Geoff Thorpe*

 * Reorganise PKCS#7 code to separate the digest location functionality
   into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
   New function PKCS7_set_digest() to set the digest type for PKCS#7
   digestedData type. Add additional code to correctly generate the
   digestedData type and add support for this type in PKCS7 initialization
   functions.

   *Steve Henson*

 * New function PKCS7_set0_type_other(), which initializes a PKCS7
   structure of type "other".

   *Steve Henson*

 * Fix prime generation loop in crypto/bn/bn_prime.pl by making
   sure the loop does correctly stop and breaking ("division by zero")
   modulus operations are not performed. The (pre-generated) prime
   table crypto/bn/bn_prime.h was already correct, but it could not be
   re-generated on some platforms because of the "division by zero"
   situation in the script.

   *Ralf S. Engelschall*

 * Update support for ECC-based TLS ciphersuites according to
   draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
   SHA-1 now is only used for "small" curves (where the
   representation of a field element takes up to 24 bytes); for
   larger curves, the field element resulting from ECDH is directly
   used as premaster secret.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
   curve secp160r1 to the tests.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Add the possibility to load symbols globally with DSO.

   *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*

 * Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
   control of the error stack.

   *Richard Levitte*

 * Add support for STORE in ENGINE.
   *Richard Levitte*

 * Add the STORE type. The intention is to provide a common interface
   to certificate and key stores, be they simple file-based stores, or
   HSM-type store, or LDAP stores, or...
   NOTE: The code is currently UNTESTED and isn't really used anywhere.

   *Richard Levitte*

 * Add a generic structure called OPENSSL_ITEM. This can be used to
   pass a list of arguments to any function as well as provide a way
   for a function to pass data back to the caller.

   *Richard Levitte*

 * Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup()
   works like BUF_strdup() but can be used to duplicate a portion of
   a string. The copy gets NUL-terminated. BUF_memdup() duplicates
   a memory area.

   *Richard Levitte*

 * Add the function sk_find_ex() which works like sk_find(), but will
   return an index to an element even if an exact match couldn't be
   found. The index is guaranteed to point at the element where the
   searched-for key would be inserted to preserve sorting order.

   *Richard Levitte*

 * Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
   takes an extra flags argument for optional functionality. Currently,
   the following flags are defined:

      OBJ_BSEARCH_VALUE_ON_NOMATCH
      This one gets OBJ_bsearch_ex() to return a pointer to the first
      element where the comparing function returns a negative or zero
      number.

      OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
      This one gets OBJ_bsearch_ex() to return a pointer to the first
      element where the comparing function returns zero. This is useful
      if there are more than one element where the comparing function
      returns zero.
   *Richard Levitte*

 * Make it possible to create self-signed certificates with 'openssl ca'
   in such a way that the self-signed certificate becomes part of the
   CA database and uses the same mechanisms for serial number generation
   as all other certificate signing. The new flag '-selfsign' enables
   this functionality. Adapt CA.sh and CA.pl.in.

   *Richard Levitte*

 * Add functionality to check the public key of a certificate request
   against a given private key. This is useful to check that a certificate
   request can be signed by that key (self-signing).

   *Richard Levitte*

 * Make it possible to have multiple active certificates with the same
   subject in the CA index file. This is done only if the keyword
   'unique_subject' is set to 'no' in the main CA section (default
   if 'CA_default') of the configuration file. The value is saved
   with the database itself in a separate index attribute file,
   named like the index file with '.attr' appended to the name.

   *Richard Levitte*

 * Generate multi-valued AVAs using '+' notation in config files for
   req and dirName.

   *Steve Henson*

 * Support for nameConstraints certificate extension.

   *Steve Henson*

 * Support for policyConstraints certificate extension.

   *Steve Henson*

 * Support for policyMappings certificate extension.

   *Steve Henson*

 * Make sure the default DSA_METHOD implementation only uses its
   dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
   and change its own handlers to be NULL so as to remove unnecessary
   indirection. This lets alternative implementations fallback to the
   default implementation more easily.

   *Geoff Thorpe*

 * Support for directoryName in GeneralName related extensions
   in config files.
   *Steve Henson*

 * Make it possible to link applications using Makefile.shared.
   Make that possible even when linking against static libraries!

   *Richard Levitte*

 * Support for single pass processing for S/MIME signing. This now
   means that S/MIME signing can be done from a pipe, in addition
   cleartext signing (multipart/signed type) is effectively streaming
   and the signed data does not need to be all held in memory.

   This is done with a new flag PKCS7_STREAM. When this flag is set
   PKCS7_sign() only initializes the PKCS7 structure and the actual signing
   is done after the data is output (and digests calculated) in
   SMIME_write_PKCS7().

   *Steve Henson*

 * Add full support for -rpath/-R, both in shared libraries and
   applications, at least on the platforms where it's known how
   to do it.

   *Richard Levitte*

 * In crypto/ec/ec_mult.c, implement fast point multiplication with
   precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
   will now compute a table of multiples of the generator that
   makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
   faster (notably in the case of a single point multiplication,
   scalar * generator).

   *Nils Larsch, Bodo Moeller*

 * IPv6 support for certificate extensions. The various extensions
   which use the IP:a.b.c.d can now take IPv6 addresses using the
   formats of RFC1884 2.2 . IPv6 addresses are now also displayed
   correctly.

   *Steve Henson*

 * Added an ENGINE that implements RSA by performing private key
   exponentiations with the GMP library. The conversions to and from
   GMP's mpz_t format aren't optimised nor are any montgomery forms
   cached, and on x86 it appears OpenSSL's own performance has caught up.
   However there are likely to be other architectures where GMP could
   provide a boost. This ENGINE is not built in by default, but it can be
   specified at Configure time and should be accompanied by the necessary
   linker additions, eg;

       ./config -DOPENSSL_USE_GMP -lgmp

   *Geoff Thorpe*

 * "openssl engine" will not display ENGINE/DSO load failure errors when
   testing availability of engines with "-t" - the old behaviour is
   produced by increasing the feature's verbosity with "-tt".

   *Geoff Thorpe*

 * ECDSA routines: under certain error conditions uninitialized BN objects
   could be freed. Solution: make sure initialization is performed early
   enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
   via PR#459)

   *Lutz Jaenicke*

 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
   and DH_METHOD (eg. by ENGINE implementations) to override the normal
   software implementations. For DSA and DH, parameter generation can
   also be overridden by providing the appropriate method callbacks.

   *Geoff Thorpe*

 * Change the "progress" mechanism used in key-generation and
   primality testing to functions that take a new BN_GENCB pointer in
   place of callback/argument pairs. The new API functions have `_ex`
   postfixes and the older functions are reimplemented as wrappers for
   the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
   declarations of the old functions to help (graceful) attempts to
   migrate to the new functions. Also, the new key-generation API
   functions operate on a caller-supplied key-structure and return
   success/failure rather than returning a key or NULL - this is to
   help make "keygen" another member function of RSA_METHOD etc.
   Example for using the new callback interface:

       int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
       void *my_arg = ...;
       BN_GENCB my_cb;

       BN_GENCB_set(&my_cb, my_callback, my_arg);

       return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &my_cb);
       /* For the meaning of a, b in calls to my_callback(), see the
        * documentation of the function that calls the callback.
        * cb will point to my_cb; my_arg can be retrieved as cb->arg.
        * my_callback should return 1 if it wants BN_is_prime_ex()
        * to continue, or 0 to stop.
        */

   *Geoff Thorpe*

 * Change the ZLIB compression method to be stateful, and make it
   available to TLS with the number defined in
   draft-ietf-tls-compression-04.txt.

   *Richard Levitte*

 * Add the ASN.1 structures and functions for CertificatePair, which
   is defined as follows (according to X.509_4thEditionDraftV6.pdf):

       CertificatePair ::= SEQUENCE {
          forward  [0] Certificate OPTIONAL,
          reverse  [1] Certificate OPTIONAL,
          -- at least one of the pair shall be present -- }

   Also implement the PEM functions to read and write certificate
   pairs, and defined the PEM tag as "CERTIFICATE PAIR".

   This needed to be defined, mostly for the sake of the LDAP
   attribute crossCertificatePair, but may prove useful elsewhere as
   well.

   *Richard Levitte*

 * Make it possible to inhibit symlinking of shared libraries in
   Makefile.shared, for Cygwin's sake.

   *Richard Levitte*

 * Extend the BIGNUM API by creating a function

       void BN_set_negative(BIGNUM *a, int neg);

   and a macro that behaves like

       int BN_is_negative(const BIGNUM *a);

   to avoid the need to access 'a->neg' directly in applications.
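The CertificatePair structure defined a few entries above, as an added example that is not OpenSSL's ASN.1 template code: a minimal DER encoder and decoder for it, with the "CERTIFICATE PAIR" PEM wrapper. It assumes EXPLICIT tagging for `[0]` and `[1]` (the X.509 module's tagging default; this is the example's assumption, not something the entry states), enforces the "at least one of the pair" constraint, and rejects elements out of order, duplicates, trailing bytes and non-minimal DER lengths. The two "certificates" are constructed stand-in SEQUENCEs, not real X.509 certificates, so the parser does not inspect their contents beyond confirming that each explicit tag wraps exactly one SEQUENCE. The attribution line after the block belongs to the changelog entry above, not to this example.

```python
"""
Added example (not OpenSSL's ASN.1 template code): DER codec for
    CertificatePair ::= SEQUENCE {
        forward [0] Certificate OPTIONAL,
        reverse [1] Certificate OPTIONAL }   -- at least one present
with EXPLICIT context tags (assumed, matching the X.509 module's tagging
default), plus the "CERTIFICATE PAIR" PEM wrapper.  The "certificates" are
constructed stand-in SEQUENCEs, not real X.509 certificates.
"""
import base64
import textwrap
from typing import Optional, Tuple


def der_len(n: int) -> bytes:
    """Minimal DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at pos -> (tag, content, end); rejects non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        lbytes = buf[pos:pos + nbytes]
        if nbytes == 0 or nbytes > 4 or len(lbytes) != nbytes:
            raise ValueError("bad or indefinite length")
        length = int.from_bytes(lbytes, "big")
        if lbytes[0] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:end], end


def check_certificate(cert: bytes) -> None:
    """The explicit tag must wrap exactly one SEQUENCE (the Certificate)."""
    tag, _, end = read_tlv(cert, 0)
    if tag != 0x30 or end != len(cert):
        raise ValueError("explicit tag does not wrap exactly one SEQUENCE")


def encode_certificate_pair(forward: Optional[bytes], reverse: Optional[bytes]) -> bytes:
    if forward is None and reverse is None:
        raise ValueError("at least one of forward/reverse must be present")
    content = b""
    if forward is not None:
        content += der_tlv(0xA0, forward)   # [0] EXPLICIT: constructed, context 0
    if reverse is not None:
        content += der_tlv(0xA1, reverse)   # [1] EXPLICIT: constructed, context 1
    return der_tlv(0x30, content)           # SEQUENCE


def decode_certificate_pair(der: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    tag, content, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificatePair must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after CertificatePair")
    forward = reverse = None
    pos = 0
    if pos < len(content) and content[pos] == 0xA0:
        _, forward, pos = read_tlv(content, pos)
        check_certificate(forward)
    if pos < len(content) and content[pos] == 0xA1:
        _, reverse, pos = read_tlv(content, pos)
        check_certificate(reverse)
    if pos != len(content):      # wrong order, duplicates, or unknown tags
        raise ValueError("unexpected element in CertificatePair")
    if forward is None and reverse is None:
        raise ValueError("CertificatePair with neither member present")
    return forward, reverse


def rejects(der: bytes) -> bool:
    """True if the decoder refuses the input (used to exercise the checks)."""
    try:
        decode_certificate_pair(der)
    except ValueError:
        return True
    return False


def pem_certificate_pair(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE PAIR-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE PAIR-----\n")


# Constructed stand-ins: SEQUENCE { INTEGER 1 } and SEQUENCE { INTEGER 2 }.
FORWARD = der_tlv(0x30, der_tlv(0x02, b"\x01"))
REVERSE = der_tlv(0x30, der_tlv(0x02, b"\x02"))
```

The strictness in `read_tlv` and `decode_certificate_pair` is the point of a DER (rather than BER) parser: two different byte strings must never decode to the same structure, which is what lets a signature or fingerprint over the encoding stand for the structure itself.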
   *Nils Larsch*

 * Implement fast modular reduction for pseudo-Mersenne primes
   used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
   EC_GROUP_new_curve_GFp() will now automatically use this
   if applicable.

   *Nils Larsch <nla@trustcenter.de>*

 * Add new lock type (CRYPTO_LOCK_BN).

   *Bodo Moeller*

 * Change the ENGINE framework to automatically load engines
   dynamically from specific directories unless they could be
   found to already be built in or loaded. Move all the
   current engines except for the cryptodev one to a new
   directory engines/.
   The engines in engines/ are built as shared libraries if
   the "shared" option was given to ./Configure or ./config.
   Otherwise, they are inserted in libcrypto.a.
   /usr/local/ssl/engines is the default directory for dynamic
   engines, but that can be overridden at configure time through
   the usual use of --prefix and/or --openssldir, and at run
   time with the environment variable OPENSSL_ENGINES.

   *Geoff Thorpe and Richard Levitte*

 * Add Makefile.shared, a helper makefile to build shared
   libraries. Adapt Makefile.org.

   *Richard Levitte*

 * Add version info to Win32 DLLs.

   *Peter 'Luna' Runestig <peter@runestig.com>*

 * Add new 'medium level' PKCS#12 API. Certificates and keys
   can be added using this API to create arbitrary PKCS#12
   files while avoiding the low-level API.

   New options to PKCS12_create(), key or cert can be NULL and
   will then be omitted from the output file. The encryption
   algorithm NIDs can be set to -1 for no encryption, the mac
   iteration count can be set to 0 to omit the mac.

   Enhance pkcs12 utility by making the -nokeys and -nocerts
   options work when creating a PKCS#12 file.
   New option -nomac to omit the mac, NONE can be set for an encryption
   algorithm. New code is modified to use the enhanced PKCS12_create()
   instead of the low-level API.

   *Steve Henson*

 * Extend ASN1 encoder to support indefinite length constructed
   encoding. This can output sequence tags and octet strings in
   this form. Modify pk7_asn1.c to support indefinite length
   encoding. This is experimental and needs additional code to
   be useful, such as an ASN1 bio and some enhanced streaming
   PKCS#7 code.

   Extend template encode functionality so that tagging is passed
   down to the template encoder.

   *Steve Henson*

 * Let 'openssl req' fail if an argument to '-newkey' is not
   recognized instead of using RSA as a default.

   *Bodo Moeller*

 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
   As these are not official, they are not included in "ALL";
   the "ECCdraft" ciphersuite group alias can be used to select them.

   *Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)*

 * Add ECDH engine support.

   *Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add ECDH in new directory crypto/ecdh/.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Let BN_rand_range() abort with an error after 100 iterations
   without success (which indicates a broken PRNG).

   *Bodo Moeller*

 * Change BN_mod_sqrt() so that it verifies that the input value
   is really the square of the return value. (Previously,
   BN_mod_sqrt would show GIGO behaviour.)

   *Bodo Moeller*

 * Add named elliptic curves over binary fields from X9.62, SECG,
   and WAP/WTLS; add OIDs that were still missing.
   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Extend the EC library for elliptic curves over binary fields
   (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
   New EC_METHOD:

       EC_GF2m_simple_method

   New API functions:

       EC_GROUP_new_curve_GF2m
       EC_GROUP_set_curve_GF2m
       EC_GROUP_get_curve_GF2m
       EC_POINT_set_affine_coordinates_GF2m
       EC_POINT_get_affine_coordinates_GF2m
       EC_POINT_set_compressed_coordinates_GF2m

   Point compression for binary fields is disabled by default for
   patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
   enable it).

   As binary polynomials are represented as BIGNUMs, various members
   of the EC_GROUP and EC_POINT data structures can be shared
   between the implementations for prime fields and binary fields;
   the above `..._GF2m` functions (except for EC_GROUP_new_curve_GF2m)
   are essentially identical to their `..._GFp` counterparts.
   (For simplicity, the `..._GFp` prefix has been dropped from
   various internal method names.)

   An internal 'field_div' method (similar to 'field_mul' and
   'field_sqr') has been added; this is used only for binary fields.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
   through methods ('mul', 'precompute_mult').

   The generic implementations (now internally called 'ec_wNAF_mul'
   and 'ec_wNAF_precomputed_mult') remain the default if these
   methods are undefined.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * New function EC_GROUP_get_degree, which is defined through
   EC_METHOD. For curves over prime fields, this returns the bit
   length of the modulus.
   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * New functions EC_GROUP_dup, EC_POINT_dup.
   (These simply call ..._new and ..._copy).

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
   Polynomials are represented as BIGNUMs (where the sign bit is not
   used) in the following functions [macros]:

       BN_GF2m_add
       BN_GF2m_sub        [= BN_GF2m_add]
       BN_GF2m_mod        [wrapper for BN_GF2m_mod_arr]
       BN_GF2m_mod_mul    [wrapper for BN_GF2m_mod_mul_arr]
       BN_GF2m_mod_sqr    [wrapper for BN_GF2m_mod_sqr_arr]
       BN_GF2m_mod_inv
       BN_GF2m_mod_exp    [wrapper for BN_GF2m_mod_exp_arr]
       BN_GF2m_mod_sqrt   [wrapper for BN_GF2m_mod_sqrt_arr]
       BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr]
       BN_GF2m_cmp        [= BN_ucmp]

   (Note that only the 'mod' functions are actually for fields GF(2^m).
   BN_GF2m_add() is a misnomer, but this is for the sake of consistency.)

   For some functions, the irreducible polynomial defining a
   field can be given as an 'unsigned int[]' with strictly
   decreasing elements giving the indices of those bits that are set;
   i.e., p[] represents the polynomial

       f(t) = t^p[0] + t^p[1] + ... + t^p[k]

   where

       p[0] > p[1] > ... > p[k] = 0.
   This applies to the following functions:

       BN_GF2m_mod_arr
       BN_GF2m_mod_mul_arr
       BN_GF2m_mod_sqr_arr
       BN_GF2m_mod_inv_arr    [wrapper for BN_GF2m_mod_inv]
       BN_GF2m_mod_div_arr    [wrapper for BN_GF2m_mod_div]
       BN_GF2m_mod_exp_arr
       BN_GF2m_mod_sqrt_arr
       BN_GF2m_mod_solve_quad_arr
       BN_GF2m_poly2arr
       BN_GF2m_arr2poly

   Conversion can be performed by the following functions:

       BN_GF2m_poly2arr
       BN_GF2m_arr2poly

   bntest.c has additional tests for binary polynomial arithmetic.

   Two implementations for BN_GF2m_mod_div() are available.
   The default algorithm simply uses BN_GF2m_mod_inv() and
   BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
   if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
   copyright notice in crypto/bn/bn_gf2m.c before enabling it).

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add new error code 'ERR_R_DISABLED' that can be used when some
   functionality is disabled at compile-time.

   *Douglas Stebila <douglas.stebila@sun.com>*

 * Change default behaviour of 'openssl asn1parse' so that more
   information is visible when viewing, e.g., a certificate:

   Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
   mode the content of non-printable OCTET STRINGs is output in a
   style similar to INTEGERs, but with '[HEX DUMP]' prepended to
   avoid the appearance of a printable string.
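The BN_GF2m_* binary-field functions listed two entries above, as an added example that is not OpenSSL's crypto/bn/bn_gf2m.c: the same arithmetic in Python, with a polynomial over GF(2) held as an int (bit i is the coefficient of t^i) and the irreducible given as the strictly decreasing index array p[] that the `*_arr` functions take. The function names mirror the OpenSSL ones but are this example's own; inversion uses the extended Euclidean algorithm over GF(2)[t], division is the default inverse-then-multiply strategy, and square root uses a^(2^(m-1)). The field exercised is GF(2^163) with the SEC 2 reduction polynomial t^163 + t^7 + t^6 + t^3 + 1, and GF(2^3) with t^3 + t + 1 where a result can be checked by hand. The attribution line after the block belongs to the asn1parse entry above, not to this example.

```python
"""
Added example (not OpenSSL's crypto/bn/bn_gf2m.c): GF(2^m) arithmetic with
the BN_GF2m_* conventions.  A polynomial over GF(2) is an int (bit i = the
coefficient of t^i); the irreducible polynomial is a strictly decreasing list
of set-bit indices ending in 0, as for the *_arr functions.
"""
from typing import List


def gf2m_poly2arr(f: int) -> List[int]:
    """int polynomial -> decreasing index array (cf. BN_GF2m_poly2arr)."""
    return [i for i in range(f.bit_length() - 1, -1, -1) if (f >> i) & 1]


def gf2m_arr2poly(p: List[int]) -> int:
    """Decreasing index array -> int polynomial (cf. BN_GF2m_arr2poly)."""
    if not p or p[-1] != 0 or any(x <= y for x, y in zip(p, p[1:])):
        raise ValueError("p must be strictly decreasing and end with 0")
    return sum(1 << i for i in p)


def gf2m_add(a: int, b: int) -> int:
    """Addition (and subtraction) in characteristic 2 is XOR."""
    return a ^ b


def gf2m_mod_arr(a: int, p: List[int]) -> int:
    """Reduce a modulo f(t) = t^p[0] + ... + t^p[k] (cf. BN_GF2m_mod_arr)."""
    m = p[0]
    while a.bit_length() - 1 >= m:
        d = a.bit_length() - 1
        # Subtract t^(d-m) * f(t): clears bit d and folds in the low terms of f.
        for i in p:
            a ^= 1 << (d - m + i)
    return a


def gf2m_mod_mul_arr(a: int, b: int, p: List[int]) -> int:
    """Carry-less schoolbook product followed by reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return gf2m_mod_arr(r, p)


def gf2m_mod_sqr_arr(a: int, p: List[int]) -> int:
    return gf2m_mod_mul_arr(a, a, p)


def gf2m_mod_exp_arr(a: int, e: int, p: List[int]) -> int:
    """Square-and-multiply; a^(2^m - 1) == 1 for every non-zero a."""
    r, a = 1, gf2m_mod_arr(a, p)
    while e:
        if e & 1:
            r = gf2m_mod_mul_arr(r, a, p)
        a = gf2m_mod_sqr_arr(a, p)
        e >>= 1
    return r


def gf2m_mod_inv_arr(a: int, p: List[int]) -> int:
    """Extended Euclid over GF(2)[t]; raises for a == 0 (cf. BN_GF2m_mod_inv)."""
    f = gf2m_arr2poly(p)
    u = gf2m_mod_arr(a, p)
    if u == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^m)")
    v, g1, g2 = f, 1, 0          # invariant: g1*a == u and g2*a == v (mod f)
    while u != 1 and v != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return gf2m_mod_arr(g1 if u == 1 else g2, p)


def gf2m_mod_div_arr(a: int, b: int, p: List[int]) -> int:
    """a / b via inversion, the default BN_GF2m_mod_div strategy."""
    return gf2m_mod_mul_arr(a, gf2m_mod_inv_arr(b, p), p)


def gf2m_mod_sqrt_arr(a: int, p: List[int]) -> int:
    """sqrt(a) = a^(2^(m-1)): squaring is a bijection of GF(2^m)."""
    r = gf2m_mod_arr(a, p)
    for _ in range(p[0] - 1):
        r = gf2m_mod_sqr_arr(r, p)
    return r


# GF(2^163) with the SEC 2 reduction polynomial t^163 + t^7 + t^6 + t^3 + 1,
# and GF(2^3) with t^3 + t + 1, small enough to verify by hand.
P163 = [163, 7, 6, 3, 0]
P3 = [3, 1, 0]
```

In GF(2^3) with f = t^3 + t + 1: t * t^2 = t^3 = t + 1, so `gf2m_mod_mul_arr(0b010, 0b100, P3)` is 0b011, and t^-1 = t^2 + 1 because t(t^2 + 1) = t^3 + t = 1. Note that this schoolbook code, like the changelog's own description of the default division strategy, is written for clarity, not constant time; the branch on each bit of `b` is the kind of data-dependent control flow a side-channel-hardened implementation avoids.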
   *Nils Larsch <nla@trustcenter.de>*

 * Add 'asn1_flag' and 'asn1_form' members to EC_GROUP with access
   functions

       EC_GROUP_set_asn1_flag()
       EC_GROUP_get_asn1_flag()
       EC_GROUP_set_point_conversion_form()
       EC_GROUP_get_point_conversion_form()

   These control ASN1 encoding details:
   - Curves (i.e., groups) are encoded explicitly unless asn1_flag
     has been set to OPENSSL_EC_NAMED_CURVE.
   - Points are encoded in uncompressed form by default; options for
     asn1_form are as for point2oct, namely

         POINT_CONVERSION_COMPRESSED
         POINT_CONVERSION_UNCOMPRESSED
         POINT_CONVERSION_HYBRID

   Also add 'seed' and 'seed_len' members to EC_GROUP with access
   functions

       EC_GROUP_set_seed()
       EC_GROUP_get0_seed()
       EC_GROUP_get_seed_len()

   This is used only for ASN1 purposes (so far).

   *Nils Larsch <nla@trustcenter.de>*

 * Add 'field_type' member to EC_METHOD, which holds the NID
   of the appropriate field type OID. The new function
   EC_METHOD_get_field_type() returns this value.

   *Nils Larsch <nla@trustcenter.de>*

 * Add functions

       EC_POINT_point2bn()
       EC_POINT_bn2point()
       EC_POINT_point2hex()
       EC_POINT_hex2point()

   providing useful interfaces to EC_POINT_point2oct() and
   EC_POINT_oct2point().

   *Nils Larsch <nla@trustcenter.de>*

 * Change internals of the EC library so that the functions

       EC_GROUP_set_generator()
       EC_GROUP_get_generator()
       EC_GROUP_get_order()
       EC_GROUP_get_cofactor()

   are implemented directly in crypto/ec/ec_lib.c and not dispatched
   to methods, which would lead to unnecessary code duplication when
   adding different types of curves.
11427 11428 *Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller* 11429 11430 * Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM 11431 arithmetic, and such that modified wNAFs are generated 11432 (which avoid length expansion in many cases). 11433 11434 *Bodo Moeller* 11435 11436 * Add a function EC_GROUP_check_discriminant() (defined via 11437 EC_METHOD) that verifies that the curve discriminant is non-zero. 11438 11439 Add a function EC_GROUP_check() that makes some sanity tests 11440 on a EC_GROUP, its generator and order. This includes 11441 EC_GROUP_check_discriminant(). 11442 11443 *Nils Larsch <nla@trustcenter.de>* 11444 11445 * Add ECDSA in new directory crypto/ecdsa/. 11446 11447 Add applications 'openssl ecparam' and 'openssl ecdsa' 11448 (these are based on 'openssl dsaparam' and 'openssl dsa'). 11449 11450 ECDSA support is also included in various other files across the 11451 library. Most notably, 11452 - 'openssl req' now has a '-newkey ecdsa:file' option; 11453 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA; 11454 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and 11455 d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make 11456 them suitable for ECDSA where domain parameters must be 11457 extracted before the specific public key; 11458 - ECDSA engine support has been added. 11459 11460 *Nils Larsch <nla@trustcenter.de>* 11461 11462 * Include some named elliptic curves, and add OIDs from X9.62, 11463 SECG, and WAP/WTLS. Each curve can be obtained from the new 11464 function 11465 EC_GROUP_new_by_curve_name(), 11466 and the list of available named curves can be obtained with 11467 EC_get_builtin_curves(). 
11468 Also add a 'curve_name' member to EC_GROUP objects, which can be 11469 accessed via 11470 EC_GROUP_set_curve_name() 11471 EC_GROUP_get_curve_name() 11472 11473 *Nils Larsch <larsch@trustcenter.de, Bodo Moeller* 11474 11475 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there 11476 was actually never needed) and in BN_mul(). The removal in BN_mul() 11477 required a small change in bn_mul_part_recursive() and the addition 11478 of the functions bn_cmp_part_words(), bn_sub_part_words() and 11479 bn_add_part_words(), which do the same thing as bn_cmp_words(), 11480 bn_sub_words() and bn_add_words() except they take arrays with 11481 differing sizes. 11482 11483 *Richard Levitte* 11484 11485### Changes between 0.9.7l and 0.9.7m [23 Feb 2007] 11486 11487 * Cleanse PEM buffers before freeing them since they may contain 11488 sensitive data. 11489 11490 *Benjamin Bennett <ben@psc.edu>* 11491 11492 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that 11493 a ciphersuite string such as "DEFAULT:RSA" cannot enable 11494 authentication-only ciphersuites. 11495 11496 *Bodo Moeller* 11497 11498 * Since AES128 and AES256 share a single mask bit in the logic of 11499 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a 11500 kludge to work properly if AES128 is available and AES256 isn't. 11501 11502 *Victor Duchovni* 11503 11504 * Expand security boundary to match 1.1.1 module. 11505 11506 *Steve Henson* 11507 11508 * Remove redundant features: hash file source, editing of test vectors 11509 modify fipsld to use external fips_premain.c signature. 11510 11511 *Steve Henson* 11512 11513 * New perl script mkfipsscr.pl to create shell scripts or batch files to 11514 run algorithm test programs. 11515 11516 *Steve Henson* 11517 11518 * Make algorithm test programs more tolerant of whitespace. 
11519 11520 *Steve Henson* 11521 11522 * Have SSL/TLS server implementation tolerate "mismatched" record 11523 protocol version while receiving ClientHello even if the 11524 ClientHello is fragmented. (The server can't insist on the 11525 particular protocol version it has chosen before the ServerHello 11526 message has informed the client about his choice.) 11527 11528 *Bodo Moeller* 11529 11530 * Load error codes if they are not already present instead of using a 11531 static variable. This allows them to be cleanly unloaded and reloaded. 11532 11533 *Steve Henson* 11534 11535### Changes between 0.9.7k and 0.9.7l [28 Sep 2006] 11536 11537 * Introduce limits to prevent malicious keys being able to 11538 cause a denial of service. ([CVE-2006-2940]) 11539 11540 *Steve Henson, Bodo Moeller* 11541 11542 * Fix ASN.1 parsing of certain invalid structures that can result 11543 in a denial of service. ([CVE-2006-2937]) [Steve Henson] 11544 11545 * Fix buffer overflow in SSL_get_shared_ciphers() function. 11546 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team] 11547 11548 * Fix SSL client code which could crash if connecting to a 11549 malicious SSLv2 server. ([CVE-2006-4343]) 11550 11551 *Tavis Ormandy and Will Drewry, Google Security Team* 11552 11553 * Change ciphersuite string processing so that an explicit 11554 ciphersuite selects this one ciphersuite (so that "AES256-SHA" 11555 will no longer include "AES128-SHA"), and any other similar 11556 ciphersuite (same bitmap) from *other* protocol versions (so that 11557 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the 11558 SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining 11559 changes from 0.9.8b and 0.9.8d. 
11560 11561 *Bodo Moeller* 11562 11563### Changes between 0.9.7j and 0.9.7k [05 Sep 2006] 11564 11565 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher 11566 ([CVE-2006-4339]) [Ben Laurie and Google Security Team] 11567 11568 * Change the Unix randomness entropy gathering to use poll() when 11569 possible instead of select(), since the latter has some 11570 undesirable limitations. 11571 11572 *Darryl Miles via Richard Levitte and Bodo Moeller* 11573 11574 * Disable rogue ciphersuites: 11575 11576 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") 11577 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") 11578 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") 11579 11580 The latter two were purportedly from 11581 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really 11582 appear there. 11583 11584 Also deactivate the remaining ciphersuites from 11585 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as 11586 unofficial, and the ID has long expired. 11587 11588 *Bodo Moeller* 11589 11590 * Fix RSA blinding Heisenbug (problems sometimes occurred on 11591 dual-core machines) and other potential thread-safety issues. 11592 11593 *Bodo Moeller* 11594 11595### Changes between 0.9.7i and 0.9.7j [04 May 2006] 11596 11597 * Adapt fipsld and the build system to link against the validated FIPS 11598 module in FIPS mode. 11599 11600 *Steve Henson* 11601 11602 * Fixes for VC++ 2005 build under Windows. 11603 11604 *Steve Henson* 11605 11606 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make 11607 from a Windows bash shell such as MSYS. It is autodetected from the 11608 "config" script when run from a VC++ environment. Modify standard VC++ 11609 build to use fipscanister.o from the GNU make build. 11610 11611 *Steve Henson* 11612 11613### Changes between 0.9.7h and 0.9.7i [14 Oct 2005] 11614 11615 * Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS. 11616 The value now differs depending on if you build for FIPS or not. 
11617 BEWARE! A program linked with a shared FIPSed libcrypto can't be 11618 safely run with a non-FIPSed libcrypto, as it may crash because of 11619 the difference induced by this change. 11620 11621 *Andy Polyakov* 11622 11623### Changes between 0.9.7g and 0.9.7h [11 Oct 2005] 11624 11625 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING 11626 (part of SSL_OP_ALL). This option used to disable the 11627 countermeasure against man-in-the-middle protocol-version 11628 rollback in the SSL 2.0 server implementation, which is a bad 11629 idea. ([CVE-2005-2969]) 11630 11631 *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center 11632 for Information Security, National Institute of Advanced Industrial 11633 Science and Technology [AIST, Japan)]* 11634 11635 * Minimal support for X9.31 signatures and PSS padding modes. This is 11636 mainly for FIPS compliance and not fully integrated at this stage. 11637 11638 *Steve Henson* 11639 11640 * For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform 11641 the exponentiation using a fixed-length exponent. (Otherwise, 11642 the information leaked through timing could expose the secret key 11643 after many signatures; cf. Bleichenbacher's attack on DSA with 11644 biased k.) 11645 11646 *Bodo Moeller* 11647 11648 * Make a new fixed-window mod_exp implementation the default for 11649 RSA, DSA, and DH private-key operations so that the sequence of 11650 squares and multiplies and the memory access pattern are 11651 independent of the particular secret key. This will mitigate 11652 cache-timing and potential related attacks. 11653 11654 BN_mod_exp_mont_consttime() is the new exponentiation implementation, 11655 and this is automatically used by BN_mod_exp_mont() if the new flag 11656 BN_FLG_EXP_CONSTTIME is set for the exponent. 
RSA, DSA, and DH 11657 will use this BN flag for private exponents unless the flag 11658 RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or 11659 DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. 11660 11661 *Matthew D Wood (Intel Corp), with some changes by Bodo Moeller* 11662 11663 * Change the client implementation for SSLv23_method() and 11664 SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0 11665 Client Hello message format if the SSL_OP_NO_SSLv2 option is set. 11666 (Previously, the SSL 2.0 backwards compatible Client Hello 11667 message format would be used even with SSL_OP_NO_SSLv2.) 11668 11669 *Bodo Moeller* 11670 11671 * Add support for smime-type MIME parameter in S/MIME messages which some 11672 clients need. 11673 11674 *Steve Henson* 11675 11676 * New function BN_MONT_CTX_set_locked() to set montgomery parameters in 11677 a threadsafe manner. Modify rsa code to use new function and add calls 11678 to dsa and dh code (which had race conditions before). 11679 11680 *Steve Henson* 11681 11682 * Include the fixed error library code in the C error file definitions 11683 instead of fixing them up at runtime. This keeps the error code 11684 structures constant. 11685 11686 *Steve Henson* 11687 11688### Changes between 0.9.7f and 0.9.7g [11 Apr 2005] 11689 11690[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after 11691OpenSSL 0.9.8.] 11692 11693 * Fixes for newer kerberos headers. NB: the casts are needed because 11694 the 'length' field is signed on one version and unsigned on another 11695 with no (?) obvious way to tell the difference, without these VC++ 11696 complains. Also the "definition" of FAR (blank) is no longer included 11697 nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up 11698 some needed definitions. 11699 11700 *Steve Henson* 11701 11702 * Undo Cygwin change. 11703 11704 *Ulf Möller* 11705 11706 * Added support for proxy certificates according to RFC 3820. 
11707 Because they may be a security thread to unaware applications, 11708 they must be explicitly allowed in run-time. See 11709 docs/HOWTO/proxy_certificates.txt for further information. 11710 11711 *Richard Levitte* 11712 11713### Changes between 0.9.7e and 0.9.7f [22 Mar 2005] 11714 11715 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating 11716 server and client random values. Previously 11717 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in 11718 less random data when sizeof(time_t) > 4 (some 64 bit platforms). 11719 11720 This change has negligible security impact because: 11721 11722 1. Server and client random values still have 24 bytes of pseudo random 11723 data. 11724 11725 2. Server and client random values are sent in the clear in the initial 11726 handshake. 11727 11728 3. The master secret is derived using the premaster secret (48 bytes in 11729 size for static RSA ciphersuites) as well as client server and random 11730 values. 11731 11732 The OpenSSL team would like to thank the UK NISCC for bringing this issue 11733 to our attention. 11734 11735 *Stephen Henson, reported by UK NISCC* 11736 11737 * Use Windows randomness collection on Cygwin. 11738 11739 *Ulf Möller* 11740 11741 * Fix hang in EGD/PRNGD query when communication socket is closed 11742 prematurely by EGD/PRNGD. 11743 11744 *Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014* 11745 11746 * Prompt for pass phrases when appropriate for PKCS12 input format. 11747 11748 *Steve Henson* 11749 11750 * Back-port of selected performance improvements from development 11751 branch, as well as improved support for PowerPC platforms. 11752 11753 *Andy Polyakov* 11754 11755 * Add lots of checks for memory allocation failure, error codes to indicate 11756 failure and freeing up memory if a failure occurs. 11757 11758 *Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson* 11759 11760 * Add new -passin argument to dgst. 
11761 11762 *Steve Henson* 11763 11764 * Perform some character comparisons of different types in X509_NAME_cmp: 11765 this is needed for some certificates that re-encode DNs into UTF8Strings 11766 (in violation of RFC3280) and can't or won't issue name rollover 11767 certificates. 11768 11769 *Steve Henson* 11770 11771 * Make an explicit check during certificate validation to see that 11772 the CA setting in each certificate on the chain is correct. As a 11773 side effect always do the following basic checks on extensions, 11774 not just when there's an associated purpose to the check: 11775 11776 - if there is an unhandled critical extension (unless the user 11777 has chosen to ignore this fault) 11778 - if the path length has been exceeded (if one is set at all) 11779 - that certain extensions fit the associated purpose (if one has 11780 been given) 11781 11782 *Richard Levitte* 11783 11784### Changes between 0.9.7d and 0.9.7e [25 Oct 2004] 11785 11786 * Avoid a race condition when CRLs are checked in a multi threaded 11787 environment. This would happen due to the reordering of the revoked 11788 entries during signature checking and serial number lookup. Now the 11789 encoding is cached and the serial number sort performed under a lock. 11790 Add new STACK function sk_is_sorted(). 11791 11792 *Steve Henson* 11793 11794 * Add Delta CRL to the extension code. 11795 11796 *Steve Henson* 11797 11798 * Various fixes to s3_pkt.c so alerts are sent properly. 11799 11800 *David Holmes <d.holmes@f5.com>* 11801 11802 * Reduce the chances of duplicate issuer name and serial numbers (in 11803 violation of RFC3280) using the OpenSSL certificate creation utilities. 11804 This is done by creating a random 64 bit value for the initial serial 11805 number when a serial number file is created or when a self signed 11806 certificate is created using 'openssl req -x509'. 
The initial serial 11807 number file is created using 'openssl x509 -next_serial' in CA.pl 11808 rather than being initialized to 1. 11809 11810 *Steve Henson* 11811 11812### Changes between 0.9.7c and 0.9.7d [17 Mar 2004] 11813 11814 * Fix null-pointer assignment in do_change_cipher_spec() revealed 11815 by using the Codenomicon TLS Test Tool ([CVE-2004-0079]) 11816 11817 *Joe Orton, Steve Henson* 11818 11819 * Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites 11820 ([CVE-2004-0112]) 11821 11822 *Joe Orton, Steve Henson* 11823 11824 * Make it possible to have multiple active certificates with the same 11825 subject in the CA index file. This is done only if the keyword 11826 'unique_subject' is set to 'no' in the main CA section (default 11827 if 'CA_default') of the configuration file. The value is saved 11828 with the database itself in a separate index attribute file, 11829 named like the index file with '.attr' appended to the name. 11830 11831 *Richard Levitte* 11832 11833 * X509 verify fixes. Disable broken certificate workarounds when 11834 X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if 11835 keyUsage extension present. Don't accept CRLs with unhandled critical 11836 extensions: since verify currently doesn't process CRL extensions this 11837 rejects a CRL with *any* critical extensions. Add new verify error codes 11838 for these cases. 11839 11840 *Steve Henson* 11841 11842 * When creating an OCSP nonce use an OCTET STRING inside the extnValue. 11843 A clarification of RFC2560 will require the use of OCTET STRINGs and 11844 some implementations cannot handle the current raw format. Since OpenSSL 11845 copies and compares OCSP nonces as opaque blobs without any attempt at 11846 parsing them this should not create any compatibility issues. 11847 11848 *Steve Henson* 11849 11850 * New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when 11851 calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). 
Without 11852 this HMAC (and other) operations are several times slower than OpenSSL 11853 < 0.9.7. 11854 11855 *Steve Henson* 11856 11857 * Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). 11858 11859 *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>* 11860 11861 * Use the correct content when signing type "other". 11862 11863 *Steve Henson* 11864 11865### Changes between 0.9.7b and 0.9.7c [30 Sep 2003] 11866 11867 * Fix various bugs revealed by running the NISCC test suite: 11868 11869 Stop out of bounds reads in the ASN1 code when presented with 11870 invalid tags (CVE-2003-0543 and CVE-2003-0544). 11871 11872 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]). 11873 11874 If verify callback ignores invalid public key errors don't try to check 11875 certificate signature with the NULL public key. 11876 11877 *Steve Henson* 11878 11879 * New -ignore_err option in ocsp application to stop the server 11880 exiting on the first error in a request. 11881 11882 *Steve Henson* 11883 11884 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate 11885 if the server requested one: as stated in TLS 1.0 and SSL 3.0 11886 specifications. 11887 11888 *Steve Henson* 11889 11890 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional 11891 extra data after the compression methods not only for TLS 1.0 11892 but also for SSL 3.0 (as required by the specification). 11893 11894 *Bodo Moeller; problem pointed out by Matthias Loepfe* 11895 11896 * Change X509_certificate_type() to mark the key as exported/exportable 11897 when it's 512 *bits* long, not 512 bytes. 11898 11899 *Richard Levitte* 11900 11901 * Change AES_cbc_encrypt() so it outputs exact multiple of 11902 blocks during encryption. 11903 11904 *Richard Levitte* 11905 11906 * Various fixes to base64 BIO and non blocking I/O. On write 11907 flushes were not handled properly if the BIO retried. On read 11908 data was not being buffered properly and had various logic bugs. 
11909 This also affects blocking I/O when the data being decoded is a 11910 certain size. 11911 11912 *Steve Henson* 11913 11914 * Various S/MIME bugfixes and compatibility changes: 11915 output correct application/pkcs7 MIME type if 11916 PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. 11917 Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening 11918 of files as .eml work). Correctly handle very long lines in MIME 11919 parser. 11920 11921 *Steve Henson* 11922 11923### Changes between 0.9.7a and 0.9.7b [10 Apr 2003] 11924 11925 * Countermeasure against the Klima-Pokorny-Rosa extension of 11926 Bleichbacher's attack on PKCS #1 v1.5 padding: treat 11927 a protocol version number mismatch like a decryption error 11928 in ssl3_get_client_key_exchange (ssl/s3_srvr.c). 11929 11930 *Bodo Moeller* 11931 11932 * Turn on RSA blinding by default in the default implementation 11933 to avoid a timing attack. Applications that don't want it can call 11934 RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. 11935 They would be ill-advised to do so in most cases. 11936 11937 *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller* 11938 11939 * Change RSA blinding code so that it works when the PRNG is not 11940 seeded (in this case, the secret RSA exponent is abused as 11941 an unpredictable seed -- if it is not unpredictable, there 11942 is no point in blinding anyway). Make RSA blinding thread-safe 11943 by remembering the creator's thread ID in rsa->blinding and 11944 having all other threads use local one-time blinding factors 11945 (this requires more computation than sharing rsa->blinding, but 11946 avoids excessive locking; and if an RSA object is not shared 11947 between threads, blinding will still be very fast). 11948 11949 *Bodo Moeller* 11950 11951 * Fixed a typo bug that would cause ENGINE_set_default() to set an 11952 ENGINE as defaults for all supported algorithms irrespective of 11953 the 'flags' parameter. 
'flags' is now honoured, so applications 11954 should make sure they are passing it correctly. 11955 11956 *Geoff Thorpe* 11957 11958 * Target "mingw" now allows native Windows code to be generated in 11959 the Cygwin environment as well as with the MinGW compiler. 11960 11961 *Ulf Moeller* 11962 11963### Changes between 0.9.7 and 0.9.7a [19 Feb 2003] 11964 11965 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked 11966 via timing by performing a MAC computation even if incorrect 11967 block cipher padding has been found. This is a countermeasure 11968 against active attacks where the attacker has to distinguish 11969 between bad padding and a MAC verification error. ([CVE-2003-0078]) 11970 11971 *Bodo Moeller; problem pointed out by Brice Canvel (EPFL), 11972 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and 11973 Martin Vuagnoux (EPFL, Ilion)* 11974 11975 * Make the no-err option work as intended. The intention with no-err 11976 is not to have the whole error stack handling routines removed from 11977 libcrypto, it's only intended to remove all the function name and 11978 reason texts, thereby removing some of the footprint that may not 11979 be interesting if those errors aren't displayed anyway. 11980 11981 NOTE: it's still possible for any application or module to have its 11982 own set of error texts inserted. The routines are there, just not 11983 used by default when no-err is given. 11984 11985 *Richard Levitte* 11986 11987 * Add support for FreeBSD on IA64. 11988 11989 *dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454* 11990 11991 * Adjust DES_cbc_cksum() so it returns the same value as the MIT 11992 Kerberos function mit_des_cbc_cksum(). Before this change, 11993 the value returned by DES_cbc_cksum() was like the one from 11994 mit_des_cbc_cksum(), except the bytes were swapped. 11995 11996 *Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte* 11997 11998 * Allow an application to disable the automatic SSL chain building. 
11999 Before this a rather primitive chain build was always performed in 12000 ssl3_output_cert_chain(): an application had no way to send the 12001 correct chain if the automatic operation produced an incorrect result. 12002 12003 Now the chain builder is disabled if either: 12004 12005 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). 12006 12007 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. 12008 12009 The reasoning behind this is that an application would not want the 12010 auto chain building to take place if extra chain certificates are 12011 present and it might also want a means of sending no additional 12012 certificates (for example the chain has two certificates and the 12013 root is omitted). 12014 12015 *Steve Henson* 12016 12017 * Add the possibility to build without the ENGINE framework. 12018 12019 *Steven Reddie <smr@essemer.com.au> via Richard Levitte* 12020 12021 * Under Win32 gmtime() can return NULL: check return value in 12022 OPENSSL_gmtime(). Add error code for case where gmtime() fails. 12023 12024 *Steve Henson* 12025 12026 * DSA routines: under certain error conditions uninitialized BN objects 12027 could be freed. Solution: make sure initialization is performed early 12028 enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>, 12029 Nils Larsch <nla@trustcenter.de> via PR#459) 12030 12031 *Lutz Jaenicke* 12032 12033 * Another fix for SSLv2 session ID handling: the session ID was incorrectly 12034 checked on reconnect on the client side, therefore session resumption 12035 could still fail with a "ssl session id is different" error. This 12036 behaviour is masked when SSL_OP_ALL is used due to 12037 SSL_OP_MICROSOFT_SESS_ID_BUG being set. 12038 Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as 12039 followup to PR #377. 
12040 12041 *Lutz Jaenicke* 12042 12043 * IA-32 assembler support enhancements: unified ELF targets, support 12044 for SCO/Caldera platforms, fix for Cygwin shared build. 12045 12046 *Andy Polyakov* 12047 12048 * Add support for FreeBSD on sparc64. As a consequence, support for 12049 FreeBSD on non-x86 processors is separate from x86 processors on 12050 the config script, much like the NetBSD support. 12051 12052 *Richard Levitte & Kris Kennaway <kris@obsecurity.org>* 12053 12054### Changes between 0.9.6h and 0.9.7 [31 Dec 2002] 12055 12056[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after 12057OpenSSL 0.9.7.] 12058 12059 * Fix session ID handling in SSLv2 client code: the SERVER FINISHED 12060 code (06) was taken as the first octet of the session ID and the last 12061 octet was ignored consequently. As a result SSLv2 client side session 12062 caching could not have worked due to the session ID mismatch between 12063 client and server. 12064 Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as 12065 PR #377. 12066 12067 *Lutz Jaenicke* 12068 12069 * Change the declaration of needed Kerberos libraries to use EX_LIBS 12070 instead of the special (and badly supported) LIBKRB5. LIBKRB5 is 12071 removed entirely. 12072 12073 *Richard Levitte* 12074 12075 * The hw_ncipher.c engine requires dynamic locks. Unfortunately, it 12076 seems that in spite of existing for more than a year, many application 12077 author have done nothing to provide the necessary callbacks, which 12078 means that this particular engine will not work properly anywhere. 12079 This is a very unfortunate situation which forces us, in the name 12080 of usability, to give the hw_ncipher.c a static lock, which is part 12081 of libcrypto. 12082 NOTE: This is for the 0.9.7 series ONLY. This hack will never 12083 appear in 0.9.8 or later. 
We EXPECT application authors to have 12084 dealt properly with this when 0.9.8 is released (unless we actually 12085 make such changes in the libcrypto locking code that changes will 12086 have to be made anyway). 12087 12088 *Richard Levitte* 12089 12090 * In asn1_d2i_read_bio() repeatedly call BIO_read() until all content 12091 octets have been read, EOF or an error occurs. Without this change 12092 some truncated ASN1 structures will not produce an error. 12093 12094 *Steve Henson* 12095 12096 * Disable Heimdal support, since it hasn't been fully implemented. 12097 Still give the possibility to force the use of Heimdal, but with 12098 warnings and a request that patches get sent to openssl-dev. 12099 12100 *Richard Levitte* 12101 12102 * Add the VC-CE target, introduce the WINCE sysname, and add 12103 INSTALL.WCE and appropriate conditionals to make it build. 12104 12105 *Steven Reddie <smr@essemer.com.au> via Richard Levitte* 12106 12107 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and 12108 cygssl-x.y.z.dll, where x, y and z are the major, minor and 12109 edit numbers of the version. 12110 12111 *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte* 12112 12113 * Introduce safe string copy and catenation functions 12114 (BUF_strlcpy() and BUF_strlcat()). 12115 12116 *Ben Laurie (CHATS) and Richard Levitte* 12117 12118 * Avoid using fixed-size buffers for one-line DNs. 12119 12120 *Ben Laurie (CHATS)* 12121 12122 * Add BUF_MEM_grow_clean() to avoid information leakage when 12123 resizing buffers containing secrets, and use where appropriate. 12124 12125 *Ben Laurie (CHATS)* 12126 12127 * Avoid using fixed size buffers for configuration file location. 12128 12129 *Ben Laurie (CHATS)* 12130 12131 * Avoid filename truncation for various CA files. 12132 12133 *Ben Laurie (CHATS)* 12134 12135 * Use sizeof in preference to magic numbers. 12136 12137 *Ben Laurie (CHATS)* 12138 12139 * Avoid filename truncation in cert requests. 
12140 12141 *Ben Laurie (CHATS)* 12142 12143 * Add assertions to check for (supposedly impossible) buffer 12144 overflows. 12145 12146 *Ben Laurie (CHATS)* 12147 12148 * Don't cache truncated DNS entries in the local cache (this could 12149 potentially lead to a spoofing attack). 12150 12151 *Ben Laurie (CHATS)* 12152 12153 * Fix various buffers to be large enough for hex/decimal 12154 representations in a platform independent manner. 12155 12156 *Ben Laurie (CHATS)* 12157 12158 * Add CRYPTO_realloc_clean() to avoid information leakage when 12159 resizing buffers containing secrets, and use where appropriate. 12160 12161 *Ben Laurie (CHATS)* 12162 12163 * Add BIO_indent() to avoid much slightly worrying code to do 12164 indents. 12165 12166 *Ben Laurie (CHATS)* 12167 12168 * Convert sprintf()/BIO_puts() to BIO_printf(). 12169 12170 *Ben Laurie (CHATS)* 12171 12172 * buffer_gets() could terminate with the buffer only half 12173 full. Fixed. 12174 12175 *Ben Laurie (CHATS)* 12176 12177 * Add assertions to prevent user-supplied crypto functions from 12178 overflowing internal buffers by having large block sizes, etc. 12179 12180 *Ben Laurie (CHATS)* 12181 12182 * New OPENSSL_assert() macro (similar to assert(), but enabled 12183 unconditionally). 12184 12185 *Ben Laurie (CHATS)* 12186 12187 * Eliminate unused copy of key in RC4. 12188 12189 *Ben Laurie (CHATS)* 12190 12191 * Eliminate unused and incorrectly sized buffers for IV in pem.h. 12192 12193 *Ben Laurie (CHATS)* 12194 12195 * Fix off-by-one error in EGD path. 12196 12197 *Ben Laurie (CHATS)* 12198 12199 * If RANDFILE path is too long, ignore instead of truncating. 12200 12201 *Ben Laurie (CHATS)* 12202 12203 * Eliminate unused and incorrectly sized X.509 structure 12204 CBCParameter. 12205 12206 *Ben Laurie (CHATS)* 12207 12208 * Eliminate unused and dangerous function knumber(). 12209 12210 *Ben Laurie (CHATS)* 12211 12212 * Eliminate unused and dangerous structure, KSSL_ERR. 
12213 12214 *Ben Laurie (CHATS)* 12215 12216 * Protect against overlong session ID context length in an encoded 12217 session object. Since these are local, this does not appear to be 12218 exploitable. 12219 12220 *Ben Laurie (CHATS)* 12221 12222 * Change from security patch (see 0.9.6e below) that did not affect 12223 the 0.9.6 release series: 12224 12225 Remote buffer overflow in SSL3 protocol - an attacker could 12226 supply an oversized master key in Kerberos-enabled versions. 12227 ([CVE-2002-0657]) 12228 12229 *Ben Laurie (CHATS)* 12230 12231 * Change the SSL kerb5 codes to match RFC 2712. 12232 12233 *Richard Levitte* 12234 12235 * Make -nameopt work fully for req and add -reqopt switch. 12236 12237 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson* 12238 12239 * The "block size" for block ciphers in CFB and OFB mode should be 1. 12240 12241 *Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>* 12242 12243 * Make sure tests can be performed even if the corresponding algorithms 12244 have been removed entirely. This was also the last step to make 12245 OpenSSL compilable with DJGPP under all reasonable conditions. 12246 12247 *Richard Levitte, Doug Kaufman <dkaufman@rahul.net>* 12248 12249 * Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT 12250 to allow version independent disabling of normally unselected ciphers, 12251 which may be activated as a side-effect of selecting a single cipher. 12252 12253 (E.g., cipher list string "RSA" enables ciphersuites that are left 12254 out of "ALL" because they do not provide symmetric encryption. 12255 "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) 12256 12257 *Lutz Jaenicke, Bodo Moeller* 12258 12259 * Add appropriate support for separate platform-dependent build 12260 directories. 
   The recommended way to make a platform-dependent
   build directory is the following (tested on Linux), maybe with
   some local tweaks:

       # Place yourself outside of the OpenSSL source tree.  In
       # this example, the environment variable OPENSSL_SOURCE
       # is assumed to contain the absolute OpenSSL source directory.
       mkdir -p objtree/"$(uname -s)-$(uname -r)-$(uname -m)"
       cd objtree/"$(uname -s)-$(uname -r)-$(uname -m)"
       # Mirror the source tree as symlinks; quoting keeps paths
       # containing spaces intact.
       (cd "$OPENSSL_SOURCE"; find . -type f) | while read -r F; do
           mkdir -p "$(dirname "$F")"
           ln -s "$OPENSSL_SOURCE/$F" "$F"
       done

   To be absolutely sure not to disturb the source tree, a "make clean"
   is a good thing. If it isn't successful, don't worry about it,
   it probably means the source directory is very clean.

   *Richard Levitte*

 * Make sure any ENGINE control commands make local copies of string
   pointers passed to them whenever necessary. Otherwise it is possible
   the caller may have overwritten (or deallocated) the original string
   data when a later ENGINE operation tries to use the stored values.

   *Götz Babin-Ebell <babinebell@trustcenter.de>*

 * Improve diagnostics in file reading and command-line digests.

   *Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>*

 * Add AES modes CFB and OFB to the object database. Correct an
   error in AES-CFB decryption.

   *Richard Levitte*

 * Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c; this
   allows existing EVP_CIPHER_CTX structures to be reused after
   calling `EVP_*Final()`. This behaviour is used by encryption
   BIOs and some applications. This has the side effect that
   applications must explicitly clean up cipher contexts with
   EVP_CIPHER_CTX_cleanup() or they will leak memory.

   *Steve Henson*

 * Check the values of dna and dnb in bn_mul_recursive before calling
   bn_mul_comba (a non zero value means the a or b arrays do not contain
   n2 elements) and fall back to bn_mul_normal if either is not zero.

   *Steve Henson*

 * Fix escaping of non-ASCII characters when using the -subj option
   of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)

   *Lutz Jaenicke*

 * Make object definitions compliant to LDAP (RFC2256): SN is the short
   form for "surname", serialNumber has no short form.
   Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
   therefore remove "mail" short name for "internet 7".
   The OID for unique identifiers in X509 certificates is
   x500UniqueIdentifier, not uniqueIdentifier.
   Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)

   *Lutz Jaenicke*

 * Add an "init" command to the ENGINE config module and auto initialize
   ENGINEs. Without any "init" command the ENGINE will be initialized
   after all ctrl commands have been executed on it. If init=1 the
   ENGINE is initialized at that point (ctrls before that point are run
   on the uninitialized ENGINE and after on the initialized one). If
   init=0 then the ENGINE will not be initialized at all.

   *Steve Henson*

 * Fix the 'app_verify_callback' interface so that the user-defined
   argument is actually passed to the callback: In the
   SSL_CTX_set_cert_verify_callback() prototype, the callback
   declaration has been changed from

       int (*cb)()

   into

       int (*cb)(X509_STORE_CTX *, void *);

   in ssl_verify_cert_chain (ssl/ssl_cert.c), the call

       i = s->ctx->app_verify_callback(&ctx)

   has been changed into

       i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);

   To update applications using SSL_CTX_set_cert_verify_callback(),
   a dummy argument can be added to their callback functions.

   *D. K. Smetters <smetters@parc.xerox.com>*

 * Added the '4758cca' ENGINE to support IBM 4758 cards.

   *Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe*

 * Add an OPENSSL_LOAD_CONF define which will cause
   OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
   This allows older applications to transparently support certain
   OpenSSL features, such as crypto acceleration and dynamic ENGINE loading.
   Two new functions, OPENSSL_add_all_algorithms_noconf() which will never
   load the config file and OPENSSL_add_all_algorithms_conf() which will
   always load it, have also been added.

   *Steve Henson*

 * Add the OFB, CFB and CTR modes (all with 128 bit feedback) to AES.
   Adjust NIDs and EVP layer.

   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*

 * Config modules support in openssl utility.

   Most commands now load modules from the config file,
   though in a few (such as version) this isn't done
   because it couldn't be used for anything.

   In the case of ca and req the config file used is
   the same as the utility itself: that is, the -config
   command line option can be used to specify an
   alternative file.

   *Steve Henson*

 * Move default behaviour from OPENSSL_config(). If appname is NULL,
   use "openssl_conf"; if filename is NULL, use the default openssl
   config file.

   *Steve Henson*

 * Add an argument to OPENSSL_config() to allow the use of an alternative
   config section name. Add a new flag to tolerate a missing config file
   and move code to CONF_modules_load_file().

   *Steve Henson*

 * Support for crypto accelerator cards from Accelerated Encryption
   Processing, www.aep.ie. (Use engine 'aep')
   The support was copied from 0.9.6c [engine] and adapted/corrected
   to work with the new engine framework.

   *AEP Inc. and Richard Levitte*

 * Support for SureWare crypto accelerator cards from Baltimore
   Technologies. (Use engine 'sureware')
   The support was copied from 0.9.6c [engine] and adapted
   to work with the new engine framework.

   *Richard Levitte*

 * Make the CHIL engine fork-safe (as defined by nCipher) and actually
   make the newer ENGINE framework commands for the CHIL engine work.

   *Toomas Kiisk <vix@cyber.ee> and Richard Levitte*

 * Make it possible to produce shared libraries on ReliantUNIX.

   *Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte*

 * Add the configuration target debug-linux-ppro.
   Make 'openssl rsa' use the general key loading routines
   implemented in `apps.c`, and make those routines able to
   handle the key format FORMAT_NETSCAPE and the variant
   FORMAT_IISSGC.

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Fix a crash bug and a logic bug in hwcrhk_load_pubkey().

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Add -keyform to rsautl, and document -engine.

   *Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>*

 * Change BIO_new_file (crypto/bio/bss_file.c) to use the new
   BIO_R_NO_SUCH_FILE error code rather than the generic
   ERR_R_SYS_LIB error code if fopen() fails with ENOENT.

   *Ben Laurie*

 * Add new functions

       ERR_peek_last_error
       ERR_peek_last_error_line
       ERR_peek_last_error_line_data
   These are similar to

       ERR_peek_error
       ERR_peek_error_line
       ERR_peek_error_line_data

   but report on the latest error recorded rather than the first one
   still in the error queue.

   *Ben Laurie, Bodo Moeller*

 * default_algorithms option in ENGINE config module. This allows things
   like:

       default_algorithms = ALL
       default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS

   *Steve Henson*

 * Preliminary ENGINE config module.

   *Steve Henson*

 * New experimental application configuration code.

   *Steve Henson*

 * Change the AES code to follow the same name structure as all other
   symmetric ciphers, and behave the same way. Move everything to
   the directory crypto/aes, thereby obsoleting crypto/rijndael.

   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*

 * SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.

   *Ben Laurie and Theo de Raadt*

 * Add option to output public keys in req command.

   *Massimiliano Pala madwolf@openca.org*

 * Use wNAFs in EC_POINTs_mul() for improved efficiency
   (up to about 10% better than before for P-192 and P-224).

   *Bodo Moeller*

 * New functions/macros

       SSL_CTX_set_msg_callback(ctx, cb)
       SSL_CTX_set_msg_callback_arg(ctx, arg)
       SSL_set_msg_callback(ssl, cb)
       SSL_set_msg_callback_arg(ssl, arg)

   to request calling a callback function

       void cb(int write_p, int version, int content_type,
               const void *buf, size_t len, SSL *ssl, void *arg)

   whenever a protocol message has been completely received
   (write_p == 0) or sent (write_p == 1). Here 'version' is the
   protocol version according to which the SSL library interprets
   the current protocol message (SSL2_VERSION, SSL3_VERSION, or
   TLS1_VERSION).
   'content_type' is 0 in the case of SSL 2.0, or
   the content type as defined in the SSL 3.0/TLS 1.0 protocol
   specification (change_cipher_spec(20), alert(21), handshake(22)).
   'buf' and 'len' point to the actual message, 'ssl' to the
   SSL object, and 'arg' is the application-defined value set by
   SSL[_CTX]_set_msg_callback_arg().

   'openssl s_client' and 'openssl s_server' have new '-msg' options
   to enable a callback that displays all protocol messages.

   *Bodo Moeller*

 * Change the shared library support so shared libraries are built as
   soon as the corresponding static library is finished, and thereby get
   openssl and the test programs linked against the shared library.
   This still only happens when the keyword "shared" has been given to
   the configuration scripts.

   NOTE: shared library support is still an experimental thing, and
   backward binary compatibility is still not guaranteed.

   *"Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte*

 * Add support for Subject Information Access extension.

   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*

 * Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
   additional bytes when new memory had to be allocated, not just
   when reusing an existing buffer.

   *Bodo Moeller*

 * New command line and configuration option 'utf8' for the req command.
   This allows field values to be specified as UTF8 strings.

   *Steve Henson*

 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
   runs for the former and machine-readable output for the latter.

   *Ben Laurie*

 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
   of the e-mail address in the DN (i.e., it will go into a certificate
   extension only).
   The new configuration file option 'email_in_dn = no'
   has the same effect.

   *Massimiliano Pala madwolf@openca.org*

 * Change all functions with names starting with `des_` to be starting
   with `DES_` instead. Add wrappers that are compatible with libdes,
   but are named `_ossl_old_des_*`. Finally, add macros that map the
   `des_*` symbols to the corresponding `_ossl_old_des_*` if libdes
   compatibility is desired. If OpenSSL 0.9.6c compatibility is
   desired, the `des_*` symbols will be mapped to `DES_*`, with one
   exception.

   Since we provide two compatibility mappings, the user needs to
   define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
   compatibility is desired. The default (i.e., when that macro
   isn't defined) is OpenSSL 0.9.6c compatibility.

   There are also macros that enable and disable the support of old
   des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
   and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
   are defined, the default will apply: to support the old des routines.

   In either case, one must include openssl/des.h to get the correct
   definitions. Do not try to just include openssl/des_old.h, that
   won't work.

   NOTE: This is a major break of an old API into a new one. Software
   authors are encouraged to switch to the `DES_` style functions. Some
   time in the future, des_old.h and the libdes compatibility functions
   will be disabled (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
   default), and then completely removed.

   *Richard Levitte*

 * Test for certificates which contain unsupported critical extensions.
   If such a certificate is found during a verify operation it is
   rejected by default: this behaviour can be overridden by either
   handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
   by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
   X509_supported_extension() has also been added which returns 1 if a
   particular extension is supported.

   *Steve Henson*

 * Modify the behaviour of EVP cipher functions in a similar way to digests
   to retain compatibility with existing code.

   *Steve Henson*

 * Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
   compatibility with existing code. In particular the 'ctx' parameter does
   not have to be initialized before the call to EVP_DigestInit() and
   it is tidied up after a call to EVP_DigestFinal(). New function
   EVP_DigestFinal_ex() does not tidy up the ctx. Similarly, function
   EVP_MD_CTX_copy() is changed to not require the destination to be
   initialized and valid, and the new function EVP_MD_CTX_copy_ex() is
   added which requires the destination to be valid.

   Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
   EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().

   *Steve Henson*

 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
   so that complete 'Handshake' protocol structures are kept in memory
   instead of overwriting 'msg_type' and 'length' with 'body' data.

   *Bodo Moeller*

 * Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.

   *Massimo Santin via Richard Levitte*

 * Major restructuring to the underlying ENGINE code. This includes
   reduction of linker bloat, separation of pure "ENGINE" manipulation
   (initialisation, etc) from functionality dealing with implementations
   of specific crypto interfaces.
   This change also introduces integrated
   support for symmetric ciphers and digest implementations - so ENGINEs
   can now accelerate these by providing EVP_CIPHER and EVP_MD
   implementations of their own. This is detailed in
   [crypto/engine/README.md](crypto/engine/README.md)
   as it couldn't be adequately described here. However, there are a few
   API changes worth noting - some RSA, DSA, DH, and RAND functions that
   were changed in the original introduction of ENGINE code have now
   reverted back - the hooking from this code to ENGINE is now a good
   deal more passive and at run-time, operations deal directly with
   RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
   dereferencing through an ENGINE pointer any more. Also, the ENGINE
   functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
   they were not being used by the framework as there is no concept of a
   BIGNUM_METHOD and they could not be generalised to the new
   'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
   ENGINE_cpy() has been removed as it cannot be consistently defined in
   the new code.

   *Geoff Thorpe*

 * Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.

   *Steve Henson*

 * Change mkdef.pl to sort symbols that get the same entry number,
   and make sure the automatically generated functions `ERR_load_*`
   become part of libeay.num as well.

   *Richard Levitte*

 * New function SSL_renegotiate_pending(). This returns true once
   renegotiation has been requested (either SSL_renegotiate() call
   or HelloRequest/ClientHello received from the peer) and becomes
   false once a handshake has been completed.
   (For servers, SSL_renegotiate() followed by SSL_do_handshake()
   sends a HelloRequest, but does not ensure that a handshake takes
   place.
   SSL_renegotiate_pending() is useful for checking if the
   client has followed the request.)

   *Bodo Moeller*

 * New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
   By default, clients may request session resumption even during
   renegotiation (if session ID contexts permit); with this option,
   session resumption is possible only in the first handshake.

   SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes
   more bits available for options that should not be part of
   SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).

   *Bodo Moeller*

 * Add some demos for certificate and certificate request creation.

   *Steve Henson*

 * Make maximum certificate chain size accepted from the peer application
   settable (`SSL*_get/set_max_cert_list()`), as proposed by
   "Douglas E. Engert" <deengert@anl.gov>.

   *Lutz Jaenicke*

 * Add support for shared libraries for Unixware-7
   (Boyd Lynn Gerber <gerberb@zenez.com>).

   *Lutz Jaenicke*

 * Add a "destroy" handler to ENGINEs that allows structural cleanup to
   be done prior to destruction. Use this to unload error strings from
   ENGINEs that load their own error strings. NB: This adds two new API
   functions to "get" and "set" this destroy handler in an ENGINE.

   *Geoff Thorpe*

 * Alter all existing ENGINE implementations (except "openssl" and
   "openbsd") to dynamically instantiate their own error strings. This
   makes them more flexible to be built both as statically-linked ENGINEs
   and self-contained shared-libraries loadable via the "dynamic" ENGINE.
   Also, add stub code to each that makes building them as self-contained
   shared-libraries easier (see [README-Engine.md](README-Engine.md)).

   *Geoff Thorpe*

 * Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
   implementations into applications that are completely implemented in
   self-contained shared-libraries. The "dynamic" ENGINE exposes control
   commands that can be used to configure what shared-library to load and
   to control aspects of the way it is handled. Also, made an update to
   the [README-Engine.md](README-Engine.md) file
   that brings its information up-to-date and
   provides some information and instructions on the "dynamic" ENGINE
   (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).

   *Geoff Thorpe*

 * Make it possible to unload ranges of ERR strings with a new
   "ERR_unload_strings" function.

   *Geoff Thorpe*

 * Add a copy() function to EVP_MD.

   *Ben Laurie*

 * Make EVP_MD routines take a context pointer instead of just the
   md_data void pointer.

   *Ben Laurie*

 * Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
   that the digest can only process a single chunk of data
   (typically because it is provided by a piece of
   hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
   is only going to provide a single chunk of data, and hence the
   framework needn't accumulate the data for oneshot drivers.

   *Ben Laurie*

 * As with "ERR", make it possible to replace the underlying "ex_data"
   functions. This change also alters the storage and management of global
   ex_data state - it's now all inside ex_data.c and all "class" code (eg.
   RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
   index counters.
   The API functions that use this state have been changed
   to take a "class_index" rather than pointers to the class's local STACK
   and counter, and there is now an API function to dynamically create new
   classes. This centralisation allows us to (a) plug a lot of the
   thread-safety problems that existed, and (b) makes it possible to clean
   up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
   such data would previously have always leaked in application code and
   workarounds were in place to make the memory debugging turn a blind eye
   to it. Application code that doesn't use this new function will still
   leak as before, but their memory debugging output will announce it now
   rather than letting it slide.

   Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
   induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
   has a return value to indicate success or failure.

   *Geoff Thorpe*

 * Make it possible to replace the underlying "ERR" functions such that the
   global state (2 LHASH tables and 2 locks) is only used by the "default"
   implementation. This change also adds two functions to "get" and "set"
   the implementation prior to it being automatically set the first time
   any other ERR function takes place. Ie. an application can call "get",
   pass the return value to a module it has just loaded, and that module
   can call its own "set" function using that value. This means the
   module's "ERR" operations will use (and modify) the error state in the
   application and not in its own statically linked copy of OpenSSL code.

   *Geoff Thorpe*

 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
   reference counts.
   This performs the normal REF_PRINT/REF_CHECK macros on
   the operation, and provides a more encapsulated way for external code
   (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
   to use these functions rather than manually incrementing the counts.

   Also rename the "DSO_up()" function to the more descriptive "DSO_up_ref()".

   *Geoff Thorpe*

 * Add EVP test program.

   *Ben Laurie*

 * Add symmetric cipher support to ENGINE. Expect the API to change!

   *Ben Laurie*

 * New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name(),
   X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
   X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
   These allow a CRL to be built without having to access X509_CRL fields
   directly. Modify 'ca' application to use new functions.

   *Steve Henson*

 * Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
   bug workarounds. Rollback attack detection is a security feature.
   The problem will only arise on OpenSSL servers when TLSv1 is not
   available (sslv3_server_method() or SSL_OP_NO_TLSv1).
   Software authors not wanting to support TLSv1 will have special reasons
   for their choice and can explicitly enable this option.

   *Bodo Moeller, Lutz Jaenicke*

 * Rationalise EVP so it can be extended: don't include a union of
   cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
   (similar to those existing for EVP_CIPHER_CTX).
   Usage example:

       EVP_MD_CTX md;

       EVP_MD_CTX_init(&md);             /* new function call */
       EVP_DigestInit(&md, EVP_sha1());
       EVP_DigestUpdate(&md, in, len);
       EVP_DigestFinal(&md, out, NULL);
       EVP_MD_CTX_cleanup(&md);          /* new function call */

   *Ben Laurie*

 * Make DES key schedule conform to the usual scheme, as well as
   correcting its structure. This means that calls to DES functions
   now have to pass a pointer to a des_key_schedule instead of a
   plain des_key_schedule (which was actually always a pointer
   anyway): E.g.,

       des_key_schedule ks;

       des_set_key_checked(..., &ks);
       des_ncbc_encrypt(..., &ks, ...);

   (Note that a later change renames 'des_...' into 'DES_...'.)

   *Ben Laurie*

 * Initial reduction of linker bloat: the use of some functions, such as
   PEM, causes large amounts of unused functions to be linked in due to
   poor organisation. For example pem_all.c contains every PEM function,
   which has a knock-on effect of linking in large amounts of (unused)
   ASN1 code. Grouping together similar functions and splitting unrelated
   functions prevents this.

   *Steve Henson*

 * Cleanup of EVP macros.

   *Ben Laurie*

 * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
   correct `_ecb` suffix.

   *Ben Laurie*

 * Add initial OCSP responder support to ocsp application. The
   revocation information is handled using the text based index
   used by the ca application. The responder can either handle
   requests generated internally, supplied in files (for example
   via a CGI script) or using an internal minimal server.

   *Steve Henson*

 * Add configuration choices to get zlib compression for TLS.

   *Richard Levitte*

 * Changes to Kerberos SSL for RFC 2712 compliance:
   1. Implemented real KerberosWrapper, instead of just using
      KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
   2. Implemented optional authenticator field of KerberosWrapper.

   Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
   and authenticator structs; see crypto/krb5/.

   Generalized Kerberos calls to support multiple Kerberos libraries.

   *Vern Staats <staatsvr@asc.hpc.mil>, Jeffrey Altman <jaltman@columbia.edu>
   via Richard Levitte*

 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
   already does with RSA. testdsa.h now has 'priv_key/pub_key'
   values for each of the key sizes rather than having just
   parameters (and 'speed' generating keys each time).

   *Geoff Thorpe*

 * Speed up EVP routines.

   Before:

       crypt
       pe       8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
       s-cbc   4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
       s-cbc   4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
       s-cbc   4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
       crypt
       s-cbc   3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
       s-cbc   3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
       s-cbc   3483.72k     5067.62k     5504.60k     5708.01k     5724.80k

   After:

       crypt
       s-cbc   4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
       crypt
       s-cbc   3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

   *Ben Laurie*

 * Added the OS2-EMX target.

   *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*

 * Rewrite commands to use `NCONF` routines instead of the old `CONF`.
   New functions to support `NCONF` routines in extension code.
   New function `CONF_set_nconf()`
   to allow functions which take an `NCONF` to also handle the old `LHASH`
   structure: this means that the old `CONF` compatible routines can be
   retained (in particular w.r.t. extensions) without having to duplicate the
   code.
   New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack.

   *Steve Henson*

 * Enhance the general user interface with mechanisms for inner control
   and with possibilities to have yes/no kind of prompts.

   *Richard Levitte*

 * Change all calls to low-level digest routines in the library and
   applications to use EVP. Add missing calls to HMAC_cleanup() and
   don't assume HMAC_CTX can be copied using memcpy().

   *Verdon Walker <VWalker@novell.com>, Steve Henson*

 * Add the possibility to control engines through control names but with
   arbitrary arguments instead of just a string.
   Change the key loaders to take a UI_METHOD instead of a callback
   function pointer. NOTE: this breaks binary compatibility with earlier
   versions of OpenSSL [engine].
   Adapt the nCipher code for these new conditions and add a card insertion
   callback.

   *Richard Levitte*

 * Enhance the general user interface with mechanisms to better support
   dialog box interfaces, application-defined prompts, the possibility
   to use defaults (for example default passwords from somewhere else)
   and interrupts/cancellations.

   *Richard Levitte*

 * Tidy up PKCS#12 attribute handling. Add support for the CSP name
   attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.

   *Steve Henson*

 * Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
   tidy up some unnecessarily weird code in 'sk_new()').

   *Geoff, reported by Diego Tartara <dtartara@novamens.com>*

 * Change the key loading routines for ENGINEs to use the same kind of
   callback (pem_password_cb) as all other routines that need this
   kind of callback.

   *Richard Levitte*

 * Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
   256 bit (=32 byte) keys.
   Of course seeding with more entropy bytes
   than this minimum value is recommended.

   *Lutz Jaenicke*

 * New random seeder for OpenVMS, using the system process statistics
   that are easily reachable.

   *Richard Levitte*

 * Windows apparently can't transparently handle global
   variables defined in DLLs. Initialisations such as:

       const ASN1_ITEM *it = &ASN1_INTEGER_it;

   won't compile. This is used by any applications that need to
   declare their own ASN1 modules. This was fixed by adding the option
   EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
   needed for static libraries under Win32.

   *Steve Henson*

 * New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
   setting of purpose and trust fields. New X509_STORE trust and
   purpose functions and tidy up setting in other SSL functions.

   *Steve Henson*

 * Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
   structure. These are inherited by X509_STORE_CTX when it is
   initialised. This allows various defaults to be set in the
   X509_STORE structure (such as flags for CRL checking and custom
   purpose or trust settings) for functions which only use X509_STORE_CTX
   internally such as S/MIME.

   Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
   trust settings if they are not set in X509_STORE. This allows X509_STORE
   purposes and trust (in S/MIME for example) to override any set by default.

   Add command line options for CRL checking to smime, s_client and s_server
   applications.

   *Steve Henson*

 * Initial CRL based revocation checking.
If the CRL checking flag(s) 13015 are set then the CRL is looked up in the X509_STORE structure and 13016 its validity and signature checked, then if the certificate is found 13017 in the CRL the verify fails with a revoked error. 13018 13019 Various new CRL related callbacks added to X509_STORE_CTX structure. 13020 13021 Command line options added to 'verify' application to support this. 13022 13023 This needs some additional work, such as being able to handle multiple 13024 CRLs with different times, extension based lookup (rather than just 13025 by subject name) and ultimately more complete V2 CRL extension 13026 handling. 13027 13028 *Steve Henson* 13029 13030 * Add a general user interface API (crypto/ui/). This is designed 13031 to replace things like des_read_password and friends (backward 13032 compatibility functions using this new API are provided). 13033 The purpose is to remove prompting functions from the DES code 13034 section as well as provide for prompting through dialog boxes in 13035 a window system and the like. 13036 13037 *Richard Levitte* 13038 13039 * Add "ex_data" support to ENGINE so implementations can add state at a 13040 per-structure level rather than having to store it globally. 13041 13042 *Geoff* 13043 13044 * Make it possible for ENGINE structures to be copied when retrieved by 13045 ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY. 13046 This causes the "original" ENGINE structure to act like a template, 13047 analogous to the RSA vs. RSA_METHOD type of separation. Because of this 13048 operational state can be localised to each ENGINE structure, despite the 13049 fact they all share the same "methods". New ENGINE structures returned in 13050 this case have no functional references and the return value is the single 13051 structural reference. This matches the single structural reference returned 13052 by ENGINE_by_id() normally, when it is incremented on the pre-existing 13053 ENGINE structure. 
13054 13055 *Geoff* 13056 13057 * Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this 13058 needs to match any other type at all we need to manually clear the 13059 tag cache. 13060 13061 *Steve Henson* 13062 13063 * Changes to the "openssl engine" utility to include; 13064 - verbosity levels ('-v', '-vv', and '-vvv') that provide information 13065 about an ENGINE's available control commands. 13066 - executing control commands from command line arguments using the 13067 '-pre' and '-post' switches. '-post' is only used if '-t' is 13068 specified and the ENGINE is successfully initialised. The syntax for 13069 the individual commands are colon-separated, for example; 13070 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so 13071 13072 *Geoff* 13073 13074 * New dynamic control command support for ENGINEs. ENGINEs can now 13075 declare their own commands (numbers), names (strings), descriptions, 13076 and input types for run-time discovery by calling applications. A 13077 subset of these commands are implicitly classed as "executable" 13078 depending on their input type, and only these can be invoked through 13079 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this 13080 can be based on user input, config files, etc). The distinction is 13081 that "executable" commands cannot return anything other than a boolean 13082 result and can only support numeric or string input, whereas some 13083 discoverable commands may only be for direct use through 13084 ENGINE_ctrl(), eg. supporting the exchange of binary data, function 13085 pointers, or other custom uses. The "executable" commands are to 13086 support parameterisations of ENGINE behaviour that can be 13087 unambiguously defined by ENGINEs and used consistently across any 13088 OpenSSL-based application. 
Commands have been added to all the 13089 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow 13090 control over shared-library paths without source code alterations. 13091 13092 *Geoff* 13093 13094 * Changed all ENGINE implementations to dynamically allocate their 13095 ENGINEs rather than declaring them statically. Apart from this being 13096 necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, 13097 this also allows the implementations to compile without using the 13098 internal engine_int.h header. 13099 13100 *Geoff* 13101 13102 * Minor adjustment to "rand" code. RAND_get_rand_method() now returns a 13103 'const' value. Any code that should be able to modify a RAND_METHOD 13104 should already have non-const pointers to it (ie. they should only 13105 modify their own ones). 13106 13107 *Geoff* 13108 13109 * Made a variety of little tweaks to the ENGINE code. 13110 - "atalla" and "ubsec" string definitions were moved from header files 13111 to C code. "nuron" string definitions were placed in variables 13112 rather than hard-coded - allowing parameterisation of these values 13113 later on via ctrl() commands. 13114 - Removed unused "#if 0"'d code. 13115 - Fixed engine list iteration code so it uses ENGINE_free() to release 13116 structural references. 13117 - Constified the RAND_METHOD element of ENGINE structures. 13118 - Constified various get/set functions as appropriate and added 13119 missing functions (including a catch-all ENGINE_cpy that duplicates 13120 all ENGINE values onto a new ENGINE except reference counts/state). 13121 - Removed NULL parameter checks in get/set functions. Setting a method 13122 or function to NULL is a way of cancelling out a previously set 13123 value. Passing a NULL ENGINE parameter is just plain stupid anyway 13124 and doesn't justify the extra error symbols and code. 13125 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for 13126 flags from engine_int.h to engine.h. 
13127 - Changed prototypes for ENGINE handler functions (init(), finish(), 13128 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. 13129 13130 *Geoff* 13131 13132 * Implement binary inversion algorithm for BN_mod_inverse in addition 13133 to the algorithm using long division. The binary algorithm can be 13134 used only if the modulus is odd. On 32-bit systems, it is faster 13135 only for relatively small moduli (roughly 20-30% for 128-bit moduli, 13136 roughly 5-15% for 256-bit moduli), so we use it only for moduli 13137 up to 450 bits. In 64-bit environments, the binary algorithm 13138 appears to be advantageous for much longer moduli; here we use it 13139 for moduli up to 2048 bits. 13140 13141 *Bodo Moeller* 13142 13143 * Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code 13144 could not support the combine flag in choice fields. 13145 13146 *Steve Henson* 13147 13148 * Add a 'copy_extensions' option to the 'ca' utility. This copies 13149 extensions from a certificate request to the certificate. 13150 13151 *Steve Henson* 13152 13153 * Allow multiple 'certopt' and 'nameopt' options to be separated 13154 by commas. Add 'namopt' and 'certopt' options to the 'ca' config 13155 file: this allows the display of the certificate about to be 13156 signed to be customised, to allow certain fields to be included 13157 or excluded and extension details. The old system didn't display 13158 multicharacter strings properly, omitted fields not in the policy 13159 and couldn't display additional details such as extensions. 13160 13161 *Steve Henson* 13162 13163 * Function EC_POINTs_mul for multiple scalar multiplication 13164 of an arbitrary number of elliptic curve points 13165 \sum scalars[i]*points[i], 13166 optionally including the generator defined for the EC_GROUP: 13167 scalar*generator + \sum scalars[i]*points[i]. 
13168 13169 EC_POINT_mul is a simple wrapper function for the typical case 13170 that the point list has just one item (besides the optional 13171 generator). 13172 13173 *Bodo Moeller* 13174 13175 * First EC_METHODs for curves over GF(p): 13176 13177 EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr 13178 operations and provides various method functions that can also 13179 operate with faster implementations of modular arithmetic. 13180 13181 EC_GFp_mont_method() reuses most functions that are part of 13182 EC_GFp_simple_method, but uses Montgomery arithmetic. 13183 13184 *Bodo Moeller; point addition and point doubling 13185 implementation directly derived from source code provided by 13186 Lenka Fibikova <fibikova@exp-math.uni-essen.de>* 13187 13188 * Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, 13189 crypto/ec/ec_lib.c): 13190 13191 Curves are EC_GROUP objects (with an optional group generator) 13192 based on EC_METHODs that are built into the library. 13193 13194 Points are EC_POINT objects based on EC_GROUP objects. 13195 13196 Most of the framework would be able to handle curves over arbitrary 13197 finite fields, but as there are no obvious types for fields other 13198 than GF(p), some functions are limited to that for now. 13199 13200 *Bodo Moeller* 13201 13202 * Add the -HTTP option to s_server. It is similar to -WWW, but requires 13203 that the file contains a complete HTTP response. 13204 13205 *Richard Levitte* 13206 13207 * Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl 13208 change the def and num file printf format specifier from "%-40sXXX" 13209 to "%-39s XXX". The latter will always guarantee a space after the 13210 field while the former will cause them to run together if the field 13211 is 40 of more characters long. 
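   As an added example (not OpenSSL's code), the EC_POINTs_mul formula from the
   entry above, scalar*generator + \sum scalars[i]*points[i], worked on a
   constructed toy curve over GF(97), with the odd-modulus binary inversion
   that the BN_mod_inverse entry describes standing in for BN_mod_inverse();
   the names ecpt, ecgrp, TOY and all function names are assumptions.

```c
/* Added example, not OpenSSL code: scalar*G + sum scalars[i]*points[i]
 * (the EC_POINTs_mul() formula) on a constructed toy curve
 * y^2 = x^3 + 2x + 3 over GF(97), generator (3,6) of order 5, using the
 * odd-modulus binary inversion algorithm in place of BN_mod_inverse().
 * Affine coordinates, small p (< 2^20 keeps int64 products safe),
 * no constant-time properties: illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int64_t x, y; int inf; } ecpt;    /* inf != 0: point at infinity */
typedef struct { int64_t p, a, b; ecpt g; } ecgrp; /* constructed stand-in for EC_GROUP */

static int64_t md(int64_t v, int64_t p) { v %= p; return v < 0 ? v + p : v; }

/* Binary extended-Euclid inverse. Only valid for odd p, exactly the
 * restriction the changelog states for the binary BN_mod_inverse() path.
 * Returns -1 when p is even or a is not invertible mod p. */
int64_t inv_mod_odd(int64_t a, int64_t p) {
    if (p <= 0 || (p & 1) == 0) return -1;
    int64_t u = md(a, p), v = p, x1 = 1, x2 = 0;   /* invariants: x1*a = u, x2*a = v */
    if (u == 0) return -1;
    while (u != 1 && v != 1) {
        while (u && (u & 1) == 0) { u >>= 1; x1 = (x1 & 1) ? (x1 + p) >> 1 : x1 >> 1; }
        while (v && (v & 1) == 0) { v >>= 1; x2 = (x2 & 1) ? (x2 + p) >> 1 : x2 >> 1; }
        if (u == 0 || v == 0) return -1;           /* gcd(a, p) > 1 */
        if (u >= v) { u -= v; x1 = md(x1 - x2, p); }
        else        { v -= u; x2 = md(x2 - x1, p); }
    }
    return u == 1 ? md(x1, p) : md(x2, p);
}

static ecpt pt_inf(void) { ecpt o = {0, 0, 1}; return o; }

int ec_on_curve(const ecgrp *g, ecpt P) {
    if (P.inf) return 1;
    int64_t lhs = md(P.y * P.y, g->p);
    int64_t rhs = md(md(P.x * P.x, g->p) * P.x + g->a * P.x + g->b, g->p);
    return lhs == rhs;
}

/* Affine point addition (covers doubling and P + (-P)), the work that
 * EC_GFp_simple_method() does with BN_mod_mul()/BN_mod_inverse(). */
ecpt ec_add(const ecgrp *g, ecpt P, ecpt Q) {
    if (P.inf) return Q;
    if (Q.inf) return P;
    int64_t p = g->p, lam;
    if (P.x == Q.x) {
        if (md(P.y + Q.y, p) == 0) return pt_inf();  /* Q == -P */
        lam = md(md(3 * P.x * P.x + g->a, p) * inv_mod_odd(md(2 * P.y, p), p), p);
    } else {
        lam = md(md(Q.y - P.y, p) * inv_mod_odd(md(Q.x - P.x, p), p), p);
    }
    ecpt R = {0, 0, 0};
    R.x = md(lam * lam - P.x - Q.x, p);
    R.y = md(lam * (P.x - R.x) - P.y, p);
    return R;
}

/* Double-and-add scalar multiplication, k >= 0 (the EC_POINT_mul case). */
ecpt ec_mul(const ecgrp *g, int64_t k, ecpt P) {
    ecpt R = pt_inf();
    for (; k > 0; k >>= 1) {
        if (k & 1) R = ec_add(g, R, P);
        P = ec_add(g, P, P);
    }
    return R;
}

/* The EC_POINTs_mul() shape: scalar*generator (when use_gen is set) plus
 * the sum over scalars[i]*points[i]. */
ecpt ec_points_mul(const ecgrp *g, int use_gen, int64_t scalar,
                   size_t n, const int64_t *scalars, const ecpt *points) {
    ecpt R = use_gen ? ec_mul(g, scalar, g->g) : pt_inf();
    for (size_t i = 0; i < n; i++)
        R = ec_add(g, R, ec_mul(g, scalars[i], points[i]));
    return R;
}

/* Constructed toy group: y^2 = x^3 + 2x + 3 mod 97, generator G = (3,6). */
const ecgrp TOY = {97, 2, 3, {3, 6, 0}};

int main(void) {
    ecpt g2 = ec_mul(&TOY, 2, TOY.g);                        /* 2G = (80,10) */
    int64_t one = 1, three = 3;
    ecpt g3 = ec_points_mul(&TOY, 1, 1, 1, &one, &g2);       /* G + 2G = (80,87) */
    ecpt g5 = ec_points_mul(&TOY, 1, 2, 1, &three, &TOY.g);  /* 2G + 3G = O */
    printf("2G=(%lld,%lld) 3G=(%lld,%lld) 5G at infinity: %d, 3G on curve: %d\n",
           (long long)g2.x, (long long)g2.y, (long long)g3.x, (long long)g3.y,
           g5.inf, ec_on_curve(&TOY, g3));
    return 0;
}
```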

   *Steve Henson*

 * Constify the cipher and digest 'method' functions and structures
   and modify related functions to take constant EVP_MD and EVP_CIPHER
   pointers.

   *Steve Henson*

 * Hide BN_CTX structure details in bn_lcl.h instead of publishing them
   in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32.

   *Bodo Moeller*

 * Modify `EVP_Digest*()` routines so they now return values. Although the
   internal software routines can never fail, additional hardware versions
   might.

   *Steve Henson*

 * Clean up crypto/err/err.h and change some error codes to avoid conflicts:

   Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
   (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.

   ASN1 error codes
           ERR_R_NESTED_ASN1_ERROR
           ...
           ERR_R_MISSING_ASN1_EOS
   were 4 .. 9, conflicting with
           ERR_LIB_RSA (= ERR_R_RSA_LIB)
           ...
           ERR_LIB_PEM (= ERR_R_PEM_LIB).
   They are now 58 .. 63 (i.e., just below ERR_R_FATAL).

   Add new error code 'ERR_R_INTERNAL_ERROR'.

   *Bodo Moeller*

 * Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
   suffices.

   *Bodo Moeller*

 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
   sets the subject name for a new request or supersedes the
   subject name in a given request. Formats that can be parsed are
           'CN=Some Name, OU=myOU, C=IT'
   and
           'CN=Some Name/OU=myOU/C=IT'.

   Add options '-batch' and '-verbose' to 'openssl req'.

   *Massimiliano Pala <madwolf@hackmasters.net>*

 * Introduce the possibility to access global variables through
   functions on platforms where that's the best way to handle exporting
   global variables in shared libraries. To enable this functionality,
   one must configure with "EXPORT_VAR_AS_FN" or define the C macro
   "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
   is normally done by Configure or something similar).

   To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
   in the source file (foo.c) like this:

           OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
           OPENSSL_IMPLEMENT_GLOBAL(double,bar);

   To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
   and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:

           OPENSSL_DECLARE_GLOBAL(int,foo);
           #define foo OPENSSL_GLOBAL_REF(foo)
           OPENSSL_DECLARE_GLOBAL(double,bar);
           #define bar OPENSSL_GLOBAL_REF(bar)

   The #defines are very important, and therefore so is including the
   header file everywhere where the defined globals are used.

   The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
   of ASN.1 items, but that structure is a bit different.

   The largest change is in util/mkdef.pl which has been enhanced with
   better and easier to understand logic to choose which symbols should
   go into the Windows .def files as well as a number of fixes and code
   cleanup (among others, algorithm keywords are now sorted
   lexicographically to avoid constant rewrites).

   *Richard Levitte*

 * In BN_div() keep a copy of the sign of 'num' before writing the
   result to 'rm' because if rm==num the value will be overwritten
   and produce the wrong result if 'num' is negative: this caused
   problems with BN_mod() and BN_nnmod().

   *Steve Henson*

 * Function OCSP_request_verify(). This checks the signature on an
   OCSP request and verifies the signer certificate. The signer
   certificate is just checked for a generic purpose and OCSP request
   trust settings.
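   As an added example (not code from OpenSSL or this changelog), the
   acceptance rule that the OCSP_check_validity() entry below describes,
   written on plain time_t values: thisUpdate and nextUpdate are accepted
   when they fall within a tolerated skew of the current time, and the age
   of the response can optionally be bounded. The function and parameter
   names are assumptions.

```c
/* Added example, not OpenSSL code: the time-window rule described for
 * OCSP_check_validity(), on plain time_t values. Requiring exactly
 * thisUpdate <= now <= nextUpdate rejects fresh responses whenever the
 * responder's or client's clock is slightly off, so both bounds are
 * relaxed by a skew allowance, and the response age can be capped. */
#include <stdio.h>
#include <time.h>

/* thisupd/nextupd: the response's thisUpdate/nextUpdate; nextupd == 0
 * means the optional nextUpdate field is absent. skew: tolerated clock
 * inaccuracy in seconds (the -validity_period idea). maxage: maximum
 * accepted age of thisUpdate in seconds, or -1 to skip the age check
 * (the -status_age idea). Returns 1 if acceptable, 0 otherwise, and
 * stores a short reason in *why for logging. */
int ocsp_window_ok(time_t now, time_t thisupd, time_t nextupd,
                   long skew, long maxage, const char **why) {
    if (thisupd > now + skew) {
        *why = "thisUpdate lies too far in the future";
        return 0;
    }
    if (maxage >= 0 && now - thisupd > maxage) {
        *why = "response older than the permitted age";
        return 0;
    }
    if (nextupd != 0) {
        if (nextupd < now - skew) {
            *why = "nextUpdate has passed";
            return 0;
        }
        if (nextupd < thisupd) {
            *why = "nextUpdate precedes thisUpdate";
            return 0;
        }
    }
    *why = "ok";
    return 1;
}

int main(void) {
    /* Constructed timestamps: a responder whose clock runs two minutes
     * ahead of the client, issuing responses valid for one hour. */
    time_t now = 1700000000;
    time_t thisupd = now + 120, nextupd = now + 120 + 3600;
    const char *why;
    int strict = ocsp_window_ok(now, thisupd, nextupd, 0, -1, &why);
    printf("skew 0s:   %s (%s)\n", strict ? "accept" : "reject", why);
    int lenient = ocsp_window_ok(now, thisupd, nextupd, 300, -1, &why);
    printf("skew 300s: %s (%s)\n", lenient ? "accept" : "reject", why);
    int stale = ocsp_window_ok(now, now - 7200, 0, 300, 3600, &why);
    printf("age check: %s (%s)\n", stale ? "accept" : "reject", why);
    return 0;
}
```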
13313 13314 *Steve Henson* 13315 13316 * Add OCSP_check_validity() function to check the validity of OCSP 13317 responses. OCSP responses are prepared in real time and may only 13318 be a few seconds old. Simply checking that the current time lies 13319 between thisUpdate and nextUpdate max reject otherwise valid responses 13320 caused by either OCSP responder or client clock inaccuracy. Instead 13321 we allow thisUpdate and nextUpdate to fall within a certain period of 13322 the current time. The age of the response can also optionally be 13323 checked. Two new options -validity_period and -status_age added to 13324 ocsp utility. 13325 13326 *Steve Henson* 13327 13328 * If signature or public key algorithm is unrecognized print out its 13329 OID rather that just UNKNOWN. 13330 13331 *Steve Henson* 13332 13333 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and 13334 OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate 13335 ID to be generated from the issuer certificate alone which can then be 13336 passed to OCSP_id_issuer_cmp(). 13337 13338 *Steve Henson* 13339 13340 * New compilation option ASN1_ITEM_FUNCTIONS. This causes the new 13341 ASN1 modules to export functions returning ASN1_ITEM pointers 13342 instead of the ASN1_ITEM structures themselves. This adds several 13343 new macros which allow the underlying ASN1 function/structure to 13344 be accessed transparently. As a result code should not use ASN1_ITEM 13345 references directly (such as &X509_it) but instead use the relevant 13346 macros (such as ASN1_ITEM_rptr(X509)). This option is to allow 13347 use of the new ASN1 code on platforms where exporting structures 13348 is problematical (for example in shared libraries) but exporting 13349 functions returning pointers to structures is not. 13350 13351 *Steve Henson* 13352 13353 * Add support for overriding the generation of SSL/TLS session IDs. 13354 These callbacks can be registered either in an SSL_CTX or per SSL. 
13355 The purpose of this is to allow applications to control, if they wish, 13356 the arbitrary values chosen for use as session IDs, particularly as it 13357 can be useful for session caching in multiple-server environments. A 13358 command-line switch for testing this (and any client code that wishes 13359 to use such a feature) has been added to "s_server". 13360 13361 *Geoff Thorpe, Lutz Jaenicke* 13362 13363 * Modify mkdef.pl to recognise and parse preprocessor conditionals 13364 of the form `#if defined(...) || defined(...) || ...` and 13365 `#if !defined(...) && !defined(...) && ...`. This also avoids 13366 the growing number of special cases it was previously handling. 13367 13368 *Richard Levitte* 13369 13370 * Make all configuration macros available for application by making 13371 sure they are available in opensslconf.h, by giving them names starting 13372 with `OPENSSL_` to avoid conflicts with other packages and by making 13373 sure e_os2.h will cover all platform-specific cases together with 13374 opensslconf.h. 13375 Additionally, it is now possible to define configuration/platform- 13376 specific names (called "system identities"). In the C code, these 13377 are prefixed with `OPENSSL_SYSNAME_`. e_os2.h will create another 13378 macro with the name beginning with `OPENSSL_SYS_`, which is determined 13379 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on 13380 what is available. 13381 13382 *Richard Levitte* 13383 13384 * New option -set_serial to 'req' and 'x509' this allows the serial 13385 number to use to be specified on the command line. Previously self 13386 signed certificates were hard coded with serial number 0 and the 13387 CA options of 'x509' had to use a serial number in a file which was 13388 auto incremented. 13389 13390 *Steve Henson* 13391 13392 * New options to 'ca' utility to support V2 CRL entry extensions. 13393 Currently CRL reason, invalidity date and hold instruction are 13394 supported. 
Add new CRL extensions to V3 code and some new objects. 13395 13396 *Steve Henson* 13397 13398 * New function EVP_CIPHER_CTX_set_padding() this is used to 13399 disable standard block padding (aka PKCS#5 padding) in the EVP 13400 API, which was previously mandatory. This means that the data is 13401 not padded in any way and so the total length much be a multiple 13402 of the block size, otherwise an error occurs. 13403 13404 *Steve Henson* 13405 13406 * Initial (incomplete) OCSP SSL support. 13407 13408 *Steve Henson* 13409 13410 * New function OCSP_parse_url(). This splits up a URL into its host, 13411 port and path components: primarily to parse OCSP URLs. New -url 13412 option to ocsp utility. 13413 13414 *Steve Henson* 13415 13416 * New nonce behavior. The return value of OCSP_check_nonce() now 13417 reflects the various checks performed. Applications can decide 13418 whether to tolerate certain situations such as an absent nonce 13419 in a response when one was present in a request: the ocsp application 13420 just prints out a warning. New function OCSP_add1_basic_nonce() 13421 this is to allow responders to include a nonce in a response even if 13422 the request is nonce-less. 13423 13424 *Steve Henson* 13425 13426 * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are 13427 skipped when using openssl x509 multiple times on a single input file, 13428 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`. 13429 13430 *Bodo Moeller* 13431 13432 * Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() 13433 set string type: to handle setting ASN1_TIME structures. Fix ca 13434 utility to correctly initialize revocation date of CRLs. 13435 13436 *Steve Henson* 13437 13438 * New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override 13439 the clients preferred ciphersuites and rather use its own preferences. 
13440 Should help to work around M$ SGC (Server Gated Cryptography) bug in 13441 Internet Explorer by ensuring unchanged hash method during stepup. 13442 (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) 13443 13444 *Lutz Jaenicke* 13445 13446 * Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael 13447 to aes and add a new 'exist' option to print out symbols that don't 13448 appear to exist. 13449 13450 *Steve Henson* 13451 13452 * Additional options to ocsp utility to allow flags to be set and 13453 additional certificates supplied. 13454 13455 *Steve Henson* 13456 13457 * Add the option -VAfile to 'openssl ocsp', so the user can give the 13458 OCSP client a number of certificate to only verify the response 13459 signature against. 13460 13461 *Richard Levitte* 13462 13463 * Update Rijndael code to version 3.0 and change EVP AES ciphers to 13464 handle the new API. Currently only ECB, CBC modes supported. Add new 13465 AES OIDs. 13466 13467 Add TLS AES ciphersuites as described in RFC3268, "Advanced 13468 Encryption Standard (AES) Ciphersuites for Transport Layer 13469 Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were 13470 not enabled by default and were not part of the "ALL" ciphersuite 13471 alias because they were not yet official; they could be 13472 explicitly requested by specifying the "AESdraft" ciphersuite 13473 group alias. In the final release of OpenSSL 0.9.7, the group 13474 alias is called "AES" and is part of "ALL".) 13475 13476 *Ben Laurie, Steve Henson, Bodo Moeller* 13477 13478 * New function OCSP_copy_nonce() to copy nonce value (if present) from 13479 request to response. 13480 13481 *Steve Henson* 13482 13483 * Functions for OCSP responders. OCSP_request_onereq_count(), 13484 OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info() 13485 extract information from a certificate request. OCSP_response_create() 13486 creates a response and optionally adds a basic response structure. 
13487 OCSP_basic_add1_status() adds a complete single response to a basic 13488 response and returns the OCSP_SINGLERESP structure just added (to allow 13489 extensions to be included for example). OCSP_basic_add1_cert() adds a 13490 certificate to a basic response and OCSP_basic_sign() signs a basic 13491 response with various flags. New helper functions ASN1_TIME_check() 13492 (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime() 13493 (converts ASN1_TIME to GeneralizedTime). 13494 13495 *Steve Henson* 13496 13497 * Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() 13498 in a single operation. X509_get0_pubkey_bitstr() extracts the public_key 13499 structure from a certificate. X509_pubkey_digest() digests the public_key 13500 contents: this is used in various key identifiers. 13501 13502 *Steve Henson* 13503 13504 * Make sk_sort() tolerate a NULL argument. 13505 13506 *Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>* 13507 13508 * New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates 13509 passed by the function are trusted implicitly. If any of them signed the 13510 response then it is assumed to be valid and is not verified. 13511 13512 *Steve Henson* 13513 13514 * In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT 13515 to data. This was previously part of the PKCS7 ASN1 code. This 13516 was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. 13517 *Steve Henson, reported by Kenneth R. Robinette 13518 <support@securenetterm.com>* 13519 13520 * Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 13521 routines: without these tracing memory leaks is very painful. 13522 Fix leaks in PKCS12 and PKCS7 routines. 13523 13524 *Steve Henson* 13525 13526 * Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). 
13527 Previously it initialised the 'type' argument to V_ASN1_UTCTIME which 13528 effectively meant GeneralizedTime would never be used. Now it 13529 is initialised to -1 but X509_time_adj() now has to check the value 13530 and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or 13531 V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime. 13532 *Steve Henson, reported by Kenneth R. Robinette 13533 <support@securenetterm.com>* 13534 13535 * Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously 13536 result in a zero length in the ASN1_INTEGER structure which was 13537 not consistent with the structure when d2i_ASN1_INTEGER() was used 13538 and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() 13539 to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() 13540 where it did not print out a minus for negative ASN1_INTEGER. 13541 13542 *Steve Henson* 13543 13544 * Add summary printout to ocsp utility. The various functions which 13545 convert status values to strings have been renamed to: 13546 OCSP_response_status_str(), OCSP_cert_status_str() and 13547 OCSP_crl_reason_str() and are no longer static. New options 13548 to verify nonce values and to disable verification. OCSP response 13549 printout format cleaned up. 13550 13551 *Steve Henson* 13552 13553 * Add additional OCSP certificate checks. These are those specified 13554 in RFC2560. This consists of two separate checks: the CA of the 13555 certificate being checked must either be the OCSP signer certificate 13556 or the issuer of the OCSP signer certificate. In the latter case the 13557 OCSP signer certificate must contain the OCSP signing extended key 13558 usage. This check is performed by attempting to match the OCSP 13559 signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash 13560 in the OCSP_CERTID structures of the response. 
13561 13562 *Steve Henson* 13563 13564 * Initial OCSP certificate verification added to OCSP_basic_verify() 13565 and related routines. This uses the standard OpenSSL certificate 13566 verify routines to perform initial checks (just CA validity) and 13567 to obtain the certificate chain. Then additional checks will be 13568 performed on the chain. Currently the root CA is checked to see 13569 if it is explicitly trusted for OCSP signing. This is used to set 13570 a root CA as a global signing root: that is any certificate that 13571 chains to that CA is an acceptable OCSP signing certificate. 13572 13573 *Steve Henson* 13574 13575 * New '-extfile ...' option to 'openssl ca' for reading X.509v3 13576 extensions from a separate configuration file. 13577 As when reading extensions from the main configuration file, 13578 the '-extensions ...' option may be used for specifying the 13579 section to use. 13580 13581 *Massimiliano Pala <madwolf@comune.modena.it>* 13582 13583 * New OCSP utility. Allows OCSP requests to be generated or 13584 read. The request can be sent to a responder and the output 13585 parsed, outputted or printed in text form. Not complete yet: 13586 still needs to check the OCSP response validity. 13587 13588 *Steve Henson* 13589 13590 * New subcommands for 'openssl ca': 13591 `openssl ca -status <serial>` prints the status of the cert with 13592 the given serial number (according to the index file). 13593 `openssl ca -updatedb` updates the expiry status of certificates 13594 in the index file. 13595 13596 *Massimiliano Pala <madwolf@comune.modena.it>* 13597 13598 * New '-newreq-nodes' command option to CA.pl. This is like 13599 '-newreq', but calls 'openssl req' with the '-nodes' option 13600 so that the resulting key is not encrypted. 13601 13602 *Damien Miller <djm@mindrot.org>* 13603 13604 * New configuration for the GNU Hurd. 
13605 13606 *Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte* 13607 13608 * Initial code to implement OCSP basic response verify. This 13609 is currently incomplete. Currently just finds the signer's 13610 certificate and verifies the signature on the response. 13611 13612 *Steve Henson* 13613 13614 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in 13615 value of OPENSSLDIR. This is available via the new '-d' option 13616 to 'openssl version', and is also included in 'openssl version -a'. 13617 13618 *Bodo Moeller* 13619 13620 * Allowing defining memory allocation callbacks that will be given 13621 file name and line number information in additional arguments 13622 (a `const char*` and an int). The basic functionality remains, as 13623 well as the original possibility to just replace malloc(), 13624 realloc() and free() by functions that do not know about these 13625 additional arguments. To register and find out the current 13626 settings for extended allocation functions, the following 13627 functions are provided: 13628 13629 CRYPTO_set_mem_ex_functions 13630 CRYPTO_set_locked_mem_ex_functions 13631 CRYPTO_get_mem_ex_functions 13632 CRYPTO_get_locked_mem_ex_functions 13633 13634 These work the same way as CRYPTO_set_mem_functions and friends. 13635 `CRYPTO_get_[locked_]mem_functions` now writes 0 where such an 13636 extended allocation function is enabled. 13637 Similarly, `CRYPTO_get_[locked_]mem_ex_functions` writes 0 where 13638 a conventional allocation function is enabled. 13639 13640 *Richard Levitte, Bodo Moeller* 13641 13642 * Finish off removing the remaining LHASH function pointer casts. 13643 There should no longer be any prototype-casting required when using 13644 the LHASH abstraction, and any casts that remain are "bugs". See 13645 the callback types and macros at the head of lhash.h for details 13646 (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example). 
13647 13648 *Geoff Thorpe* 13649 13650 * Add automatic query of EGD sockets in RAND_poll() for the unix variant. 13651 If /dev/[u]random devices are not available or do not return enough 13652 entropy, EGD style sockets (served by EGD or PRNGD) will automatically 13653 be queried. 13654 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and 13655 /etc/entropy will be queried once each in this sequence, querying stops 13656 when enough entropy was collected without querying more sockets. 13657 13658 *Lutz Jaenicke* 13659 13660 * Change the Unix RAND_poll() variant to be able to poll several 13661 random devices, as specified by DEVRANDOM, until a sufficient amount 13662 of data has been collected. We spend at most 10 ms on each file 13663 (select timeout) and read in non-blocking mode. DEVRANDOM now 13664 defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom" 13665 (previously it was just the string "/dev/urandom"), so on typical 13666 platforms the 10 ms delay will never occur. 13667 Also separate out the Unix variant to its own file, rand_unix.c. 13668 For VMS, there's a currently-empty rand_vms.c. 13669 13670 *Richard Levitte* 13671 13672 * Move OCSP client related routines to ocsp_cl.c. These 13673 provide utility functions which an application needing 13674 to issue a request to an OCSP responder and analyse the 13675 response will typically need: as opposed to those which an 13676 OCSP responder itself would need which will be added later. 13677 13678 OCSP_request_sign() signs an OCSP request with an API similar 13679 to PKCS7_sign(). OCSP_response_status() returns status of OCSP 13680 response. OCSP_response_get1_basic() extracts basic response 13681 from response. OCSP_resp_find_status(): finds and extracts status 13682 information from an OCSP_CERTID structure (which will be created 13683 when the request structure is built). 
These are built from lower 13684 level functions which work on OCSP_SINGLERESP structures but 13685 won't normally be used unless the application wishes to examine 13686 extensions in the OCSP response for example. 13687 13688 Replace nonce routines with a pair of functions. 13689 OCSP_request_add1_nonce() adds a nonce value and optionally 13690 generates a random value. OCSP_check_nonce() checks the 13691 validity of the nonce in an OCSP response. 13692 13693 *Steve Henson* 13694 13695 * Change function OCSP_request_add() to OCSP_request_add0_id(). 13696 This doesn't copy the supplied OCSP_CERTID and avoids the 13697 need to free up the newly created id. Change return type 13698 to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. 13699 This can then be used to add extensions to the request. 13700 Deleted OCSP_request_new(), since most of its functionality 13701 is now in OCSP_REQUEST_new() (and the case insensitive name 13702 clash) apart from the ability to set the request name which 13703 will be added elsewhere. 13704 13705 *Steve Henson* 13706 13707 * Update OCSP API. Remove obsolete extensions argument from 13708 various functions. Extensions are now handled using the new 13709 OCSP extension code. New simple OCSP HTTP function which 13710 can be used to send requests and parse the response. 13711 13712 *Steve Henson* 13713 13714 * Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new 13715 ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN 13716 uses the special reorder version of SET OF to sort the attributes 13717 and reorder them to match the encoded order. This resolves a long 13718 standing problem: a verify on a PKCS7 structure just after signing 13719 it used to fail because the attribute order did not match the 13720 encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: 13721 it uses the received order. This is necessary to tolerate some broken 13722 software that does not order SET OF. 
   This is handled by encoding
   as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
   to produce the required SET OF.

 *Steve Henson*

 * Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
   OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
   files to get correct declarations of the ASN.1 item variables.

 *Richard Levitte*

 * Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
   PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
   asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
   NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
   New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
   ASN1_ITEM and no wrapper functions.

 *Steve Henson*

 * New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
   replace the old function pointer based I/O routines. Change most of
   the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.

 *Steve Henson*

 * Enhance mkdef.pl to be more accepting about spacing in C preprocessor
   lines, recognize more "algorithms" that can be deselected, and make
   it complain about algorithm deselection that isn't recognised.

 *Richard Levitte*

 * New ASN1 functions to handle dup, sign, verify, digest, pack and
   unpack operations in terms of ASN1_ITEM. Modify existing wrappers
   to use new functions. Add NO_ASN1_OLD which can be set to remove
   some old style ASN1 functions: this can be used to determine if old
   code will still work when these eventually go away.

 *Steve Henson*

 * New extension functions for OCSP structures; these follow the
   same conventions as certificates and CRLs.

 *Steve Henson*

 * New function X509V3_add1_i2d(). This automatically encodes and
   adds an extension.
   Its behaviour can be customised with various
   flags to append, replace or delete. Various wrappers added for
   certificates and CRLs.

 *Steve Henson*

 * Fix to avoid calling the underlying ASN1 print routine when
   an extension cannot be parsed. Correct a typo in the
   OCSP_SERVICELOC extension. Tidy up print OCSP format.

 *Steve Henson*

 * Make mkdef.pl parse some of the ASN1 macros and add appropriate
   entries for variables.

 *Steve Henson*

 * Add functionality to `apps/openssl.c` for detecting locking
   problems: As the program is single-threaded, all we have
   to do is register a locking callback using an array for
   storing which locks are currently held by the program.

 *Bodo Moeller*

 * Use a lock around the call to CRYPTO_get_ex_new_index() in
   SSL_get_ex_data_X509_STORE_idx(), which is used in
   ssl_verify_cert_chain() and thus can be called at any time
   during TLS/SSL handshakes so that thread-safety is essential.
   Unfortunately, the ex_data design is not at all suited
   for multi-threaded use, so it probably should be abolished.

 *Bodo Moeller*

 * Added Broadcom "ubsec" ENGINE to OpenSSL.

 *Broadcom, tweaked and integrated by Geoff Thorpe*

 * Move common extension printing code to new function
   X509V3_print_extensions(). Reorganise OCSP print routines and
   implement some needed OCSP ASN1 functions. Add OCSP extensions.

 *Steve Henson*

 * New function X509_signature_print() to remove duplication in some
   print routines.

 *Steve Henson*

 * Add a special meaning when SET OF and SEQUENCE OF flags are both
   set (this was treated exactly the same as SET OF previously). This
   is used to reorder the STACK representing the structure to match the
   encoding.
   This will be used to get round a problem where a PKCS7
   structure which was signed could not be verified because the STACK
   order did not reflect the encoded order.

 *Steve Henson*

 * Reimplement the OCSP ASN1 module using the new code.

 *Steve Henson*

 * Update the X509V3 code to permit the use of an ASN1_ITEM structure
   for its ASN1 operations. The old style function pointers still exist
   for now but they will eventually go away.

 *Steve Henson*

 * Merge in replacement ASN1 code from the ASN1 branch. This almost
   completely replaces the old ASN1 functionality with a table driven
   encoder and decoder which interprets an ASN1_ITEM structure describing
   the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
   largely maintained. Almost all of the old asn1_mac.h macro based ASN1
   has also been converted to the new form.

 *Steve Henson*

 * Change BN_mod_exp_recp so that negative moduli are tolerated
   (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
   so that BN_mod_exp_mont and BN_mod_exp_mont_word work
   for negative moduli.

 *Bodo Moeller*

 * Fix BN_uadd and BN_usub: Always return non-negative results instead
   of not touching the result's sign bit.

 *Bodo Moeller*

 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
   set.

 *Bodo Moeller*

 * Changed the LHASH code to use prototypes for callbacks, and created
   macros to declare and implement thin (optionally static) functions
   that provide type-safety and avoid function pointer casting for the
   type-specific callbacks.

 *Geoff Thorpe*

 * Added Kerberos Cipher Suites to be used with TLS, as written in
   RFC 2712.

 *Vern Staats <staatsvr@asc.hpc.mil>,
 Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte*

 * Reformat the FAQ so the different questions and answers can be divided
   in sections depending on the subject.

 *Richard Levitte*

 * Have the zlib compression code load ZLIB.DLL dynamically under
   Windows.

 *Richard Levitte*

 * New function BN_mod_sqrt for computing square roots modulo a prime
   (using the probabilistic Tonelli-Shanks algorithm unless
   p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
   be handled deterministically).

 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*

 * Make BN_mod_inverse faster by explicitly handling small quotients
   in the Euclid loop. (Speed gain about 20% for small moduli [256 or
   512 bits], about 30% for larger ones [1024 or 2048 bits].)

 *Bodo Moeller*

 * New function BN_kronecker.

 *Bodo Moeller*

 * Fix BN_gcd so that it works on negative inputs; the result is
   positive unless both parameters are zero.
   Previously something reasonably close to an infinite loop was
   possible because numbers could be growing instead of shrinking
   in the implementation of Euclid's algorithm.

 *Bodo Moeller*

 * Fix BN_is_word() and BN_is_one() macros to take into account the
   sign of the number in question.

   Fix BN_is_word(a,w) to work correctly for w == 0.

   The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
   because it tests whether the absolute value of 'a' equals 'w'.
   Note that BN_abs_is_word does *not* handle w == 0 reliably;
   it exists mostly for use in the implementations of BN_is_zero(),
   BN_is_one(), and BN_is_word().

 *Bodo Moeller*

 * New function BN_swap.

 *Bodo Moeller*

 * Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
   the exponentiation functions are more likely to produce reasonable
   results on negative inputs.

 *Bodo Moeller*

 * Change BN_mod_mul so that the result is always non-negative.
   Previously, it could be negative if one of the factors was negative;
   I don't think anyone really wanted that behaviour.

 *Bodo Moeller*

 * Move `BN_mod_...` functions into new file `crypto/bn/bn_mod.c`
   (except for exponentiation, which stays in `crypto/bn/bn_exp.c`,
   and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
   and add new functions:

           BN_nnmod
           BN_mod_sqr
           BN_mod_add
           BN_mod_add_quick
           BN_mod_sub
           BN_mod_sub_quick
           BN_mod_lshift1
           BN_mod_lshift1_quick
           BN_mod_lshift
           BN_mod_lshift_quick

   These functions always generate non-negative results.

   `BN_nnmod` otherwise is like `BN_mod` (if `BN_mod` computes a remainder `r`
   such that `-|m| < r < 0`, `BN_nnmod` will output `r + |m|` instead).

   `BN_mod_XXX_quick(r, a, [b,] m)` generates the same result as
   `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and `b`]
   be reduced modulo `m`.

 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*

<!--
 The following entry accidentally appeared in the CHANGES file
 distributed with OpenSSL 0.9.7. The modifications described in
 it do *not* apply to OpenSSL 0.9.7.

 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   was actually never needed) and in BN_mul().
   The removal in BN_mul()
   required a small change in bn_mul_part_recursive() and the addition
   of the functions bn_cmp_part_words(), bn_sub_part_words() and
   bn_add_part_words(), which do the same thing as bn_cmp_words(),
   bn_sub_words() and bn_add_words() except they take arrays with
   differing sizes.

 *Richard Levitte*
-->

 * In 'openssl passwd', verify passwords read from the terminal
   unless the '-salt' option is used (which usually means that
   verification would just waste the user's time since the resulting
   hash is going to be compared with some given password hash)
   or the new '-noverify' option is used.

   This is an incompatible change, but it does not affect
   non-interactive use of 'openssl passwd' (passwords on the command
   line, '-stdin' option, '-in ...' option) and thus should not
   cause any problems.

 *Bodo Moeller*

 * Remove all references to RSAref, since there's no more need for it.

 *Richard Levitte*

 * Make DSO load along a path given through an environment variable
   (SHLIB_PATH) with shl_load().

 *Richard Levitte*

 * Constify the ENGINE code as a result of BIGNUM constification.
   Also constify the RSA code and most things related to it. In a
   few places, most notably in the depth of the ASN.1 code, ugly
   casts back to non-const were required (to be solved at a later
   time).

 *Richard Levitte*

 * Make it so the openssl application has all engines loaded by default.

 *Richard Levitte*

 * Constify the BIGNUM routines a little more.

 *Richard Levitte*

 * Add the following functions:

           ENGINE_load_cswift()
           ENGINE_load_chil()
           ENGINE_load_atalla()
           ENGINE_load_nuron()
           ENGINE_load_builtin_engines()

   That way, an application can itself choose if external engines that
   are built-in in OpenSSL shall ever be used or not. The benefit is
   that applications won't have to be linked with libdl or other dso
   libraries unless it's really needed.

   Changed 'openssl engine' to load all engines on demand.
   Changed the engine header files to avoid the duplication of some
   declarations (they differed!).

 *Richard Levitte*

 * 'openssl engine' can now list capabilities.

 *Richard Levitte*

 * Better error reporting in 'openssl engine'.

 *Richard Levitte*

 * Never call load_dh_param(NULL) in s_server.

 *Bodo Moeller*

 * Add engine application. It can currently list engines by name and
   identity, and test if they are actually available.

 *Richard Levitte*

 * Improve RPM specification file by forcing symbolic linking and making
   sure the installed documentation is also owned by root.root.

 *Damien Miller <djm@mindrot.org>*

 * Give the OpenSSL applications more possibilities to make use of
   keys (public as well as private) handled by engines.

 *Richard Levitte*

 * Add OCSP code that comes from CertCo.

 *Richard Levitte*

 * Add VMS support for the Rijndael code.

 *Richard Levitte*

 * Added untested support for Nuron crypto accelerator.

 *Ben Laurie*

 * Add support for external cryptographic devices. This code was
   previously distributed separately as the "engine" branch.

 *Geoff Thorpe, Richard Levitte*

 * Rework the filename-translation in the DSO code.
   It is now possible to
   have far greater control over how a "name" is turned into a filename
   depending on the operating environment and any oddities about the
   different shared library filenames on each system.

 *Geoff Thorpe*

 * Support threads on FreeBSD-elf in Configure.

 *Richard Levitte*

 * Fix for SHA1 assembly problem with MASM: it produces
   warnings about corrupt line number information when assembling
   with debugging information. This is caused by the overlapping
   of two sections.

 *Bernd Matthes <mainbug@celocom.de>, Steve Henson*

 * NCONF changes.
   NCONF_get_number() has no error checking at all. As a replacement,
   NCONF_get_number_e() is defined (`_e` for "error checking") and is
   promoted strongly. The old NCONF_get_number is kept around for
   binary backward compatibility.
   Make it possible for methods to load from something other than a BIO,
   by providing a function pointer that is given a name instead of a BIO.
   For example, this could be used to load configuration data from an
   LDAP server.

 *Richard Levitte*

 * Fix for non blocking accept BIOs. Added new I/O special reason
   BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
   with non blocking I/O was not possible because no retry code was
   implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
   this case.

 *Steve Henson*

 * Added the beginnings of Rijndael support.

 *Ben Laurie*

 * Fix for bug in DirectoryString mask setting. Add support for
   X509_NAME_print_ex() in 'req' and X509_print_ex() function
   to allow certificate printing to be more controllable, additional
   'certopt' option to 'x509' to allow new printing options to be
   set.

 *Steve Henson*

 * Clean old EAY MD5 hack from e_os.h.

 *Richard Levitte*

### Changes between 0.9.6l and 0.9.6m [17 Mar 2004]

 * Fix null-pointer assignment in do_change_cipher_spec() revealed
   by using the Codenomicon TLS Test Tool ([CVE-2004-0079])

 *Joe Orton, Steve Henson*

### Changes between 0.9.6k and 0.9.6l [04 Nov 2003]

 * Fix additional bug revealed by the NISCC test suite:

   Stop bug triggering large recursion when presented with
   certain ASN.1 tags ([CVE-2003-0851])

 *Steve Henson*

### Changes between 0.9.6j and 0.9.6k [30 Sep 2003]

 * Fix various bugs revealed by running the NISCC test suite:

   Stop out of bounds reads in the ASN1 code when presented with
   invalid tags (CVE-2003-0543 and CVE-2003-0544).

   If the verify callback ignores invalid public key errors, don't try to check
   the certificate signature with the NULL public key.

 *Steve Henson*

 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   if the server requested one: as stated in TLS 1.0 and SSL 3.0
   specifications.

 *Steve Henson*

 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   extra data after the compression methods not only for TLS 1.0
   but also for SSL 3.0 (as required by the specification).

 *Bodo Moeller; problem pointed out by Matthias Loepfe*

 * Change X509_certificate_type() to mark the key as exported/exportable
   when it's 512 *bits* long, not 512 bytes.

 *Richard Levitte*

### Changes between 0.9.6i and 0.9.6j [10 Apr 2003]

 * Countermeasure against the Klima-Pokorny-Rosa extension of
   Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
   a protocol version number mismatch like a decryption error
   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).

 *Bodo Moeller*

 * Turn on RSA blinding by default in the default implementation
   to avoid a timing attack. Applications that don't want it can call
   RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
   They would be ill-advised to do so in most cases.

 *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller*

 * Change RSA blinding code so that it works when the PRNG is not
   seeded (in this case, the secret RSA exponent is abused as
   an unpredictable seed -- if it is not unpredictable, there
   is no point in blinding anyway). Make RSA blinding thread-safe
   by remembering the creator's thread ID in rsa->blinding and
   having all other threads use local one-time blinding factors
   (this requires more computation than sharing rsa->blinding, but
   avoids excessive locking; and if an RSA object is not shared
   between threads, blinding will still be very fast).

 *Bodo Moeller*

### Changes between 0.9.6h and 0.9.6i [19 Feb 2003]

 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
   via timing by performing a MAC computation even if incorrect
   block cipher padding has been found. This is a countermeasure
   against active attacks where the attacker has to distinguish
   between bad padding and a MAC verification error. ([CVE-2003-0078])

 *Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
 Martin Vuagnoux (EPFL, Ilion)*

### Changes between 0.9.6g and 0.9.6h [5 Dec 2002]

 * New function OPENSSL_cleanse(), which is used to cleanse a section of
   memory from its contents. This is done with a counter that will
   place alternating values in each byte.
   This can be used to solve
   two issues: 1) the removal of calls to memset() by highly optimizing
   compilers, and 2) cleansing with other values than 0, since those can
   be read through on certain media, for example a swap space on disk.

 *Geoff Thorpe*

 * Bugfix: client side session caching did not work with external caching,
   because the session->cipher setting was not restored when reloading
   from the external cache. This problem was masked when
   SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
   (Found by Steve Haslam <steve@araqnid.ddts.net>.)

 *Lutz Jaenicke*

 * Fix client_certificate (ssl/s2_clnt.c): The permissible total
   length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.

 *Zeev Lieber <zeev-l@yahoo.com>*

 * Undo an undocumented change introduced in 0.9.6e which caused
   repeated calls to OpenSSL_add_all_ciphers() and
   OpenSSL_add_all_digests() to be ignored, even after calling
   EVP_cleanup().

 *Richard Levitte*

 * Change the default configuration reader to deal with the last line not
   being properly terminated.

 *Richard Levitte*

 * Change X509_NAME_cmp() so it applies the special rules on handling
   DN values that are of type PrintableString, as well as RDNs of type
   emailAddress where the value has the type ia5String.

 *stefank@valicert.com via Richard Levitte*

 * Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
   the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
   doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
   the bitwise-OR of the two for use by the majority of applications
   wanting this behaviour, and update the docs.
   The documented
   behaviour and actual behaviour were inconsistent and had been
   changing anyway, so this is more a bug-fix than a behavioural
   change.

 *Geoff Thorpe, diagnosed by Nadav Har'El*

 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
   (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).

 *Bodo Moeller*

 * Fix initialization code race conditions in
   SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
   SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
   SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
   TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
   ssl2_get_cipher_by_char(),
   ssl3_get_cipher_by_char().

 *Patrick McCormick <patrick@tellme.com>, Bodo Moeller*

 * Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
   the cached sessions are flushed, as the remove_cb() might use ex_data
   contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
   (see [openssl.org #212]).

 *Geoff Thorpe, Lutz Jaenicke*

 * Fix typo in OBJ_txt2obj which incorrectly passed the content
   length, instead of the encoding length, to d2i_ASN1_OBJECT.

 *Steve Henson*

### Changes between 0.9.6f and 0.9.6g [9 Aug 2002]

 * [In 0.9.6g-engine release:]
   Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use `_stdcall`).

 *Lynn Gazis <lgazis@rainbow.com>*

### Changes between 0.9.6e and 0.9.6f [8 Aug 2002]

 * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
   and fix the header length calculation.

 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
 Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*

 * Use proper error handling instead of 'assertions' in buffer
   overflow checks added in 0.9.6e.
   This prevents DoS (the
   assertions could call abort()).

 *Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*

### Changes between 0.9.6d and 0.9.6e [30 Jul 2002]

 * Add various sanity checks to asn1_get_length() to reject
   the ASN1 length bytes if they exceed sizeof(long), will appear
   negative or the content length exceeds the length of the
   supplied buffer.

 *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*

 * Fix cipher selection routines: ciphers without encryption had no flags
   for the cipher strength set and were therefore not handled correctly
   by the selection routines (PR #130).

 *Lutz Jaenicke*

 * Fix EVP_dsa_sha macro.

 *Nils Larsch*

 * New option
   SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
   for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
   that was added in OpenSSL 0.9.6d.

   As the countermeasure turned out to be incompatible with some
   broken SSL implementations, the new option is part of SSL_OP_ALL.
   SSL_OP_ALL is usually employed when compatibility with weird SSL
   implementations is desired (e.g. '-bugs' option to 's_client' and
   's_server'), so the new option is automatically set in many
   applications.

 *Bodo Moeller*

 * Changes in security patch:

   Changes marked "(CHATS)" were sponsored by the Defense Advanced
   Research Projects Agency (DARPA) and Air Force Research Laboratory,
   Air Force Materiel Command, USAF, under agreement number
   F30602-01-2-0537.

   * Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer.
     ([CVE-2002-0659])

   *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*

   * Assertions for various potential buffer overflows, not known to
     happen in practice.

   *Ben Laurie (CHATS)*

   * Various temporary buffers to hold ASCII versions of integers were
     too small for 64 bit platforms. ([CVE-2002-0655])

   *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*

   * Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized session ID to a client. ([CVE-2002-0656])

   *Ben Laurie (CHATS)*

   * Remote buffer overflow in SSL2 protocol - an attacker could
     supply an oversized client master key. ([CVE-2002-0656])

   *Ben Laurie (CHATS)*

### Changes between 0.9.6c and 0.9.6d [9 May 2002]

 * Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
   encoded as NULL) with id-dsa-with-sha1.

 *Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller*

 * Check various `X509_...()` return values in `apps/req.c`.

 *Nils Larsch <nla@trustcenter.de>*

 * Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
   an end-of-file condition would erroneously be flagged when the CRLF
   was just at the end of a processed block. The bug was discovered when
   processing data through a buffering memory BIO handing the data to a
   BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
   <ptsekov@syntrex.com> and Nedelcho Stanev.

 *Lutz Jaenicke*

 * Implement a countermeasure against a vulnerability recently found
   in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
   before application data chunks to avoid the use of known IVs
   with data potentially chosen by the attacker.

 *Bodo Moeller*

 * Fix length checks in ssl3_get_client_hello().

 *Bodo Moeller*

 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
   to prevent ssl3_read_internal() from incorrectly assuming that
   ssl3_read_bytes() found application data while handshake
   processing was enabled when in fact s->s3->in_read_app_data was
   merely automatically cleared during the initial handshake.

 *Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>*

 * Fix object definitions for Private and Enterprise: they were not
   recognized in their shortname (=lowercase) representation. Extend
   obj_dat.pl to issue an error when using undefined keywords instead
   of silently ignoring the problem (Svenning Sorensen
   <sss@sss.dnsalias.net>).

 *Lutz Jaenicke*

 * Fix DH_generate_parameters() so that it works for 'non-standard'
   generators, i.e. generators other than 2 and 5. (Previously, the
   code did not properly initialise the 'add' and 'rem' values to
   BN_generate_prime().)

   In the new general case, we do not insist that 'generator' is
   actually a primitive root: This requirement is rather pointless;
   a generator of the order-q subgroup is just as good, if not
   better.

 *Bodo Moeller*

 * Map new X509 verification errors to alerts. Discovered and submitted by
   Tom Wu <tom@arcot.com>.

 *Lutz Jaenicke*

 * Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
   returning non-zero before the data has been completely received
   when using non-blocking I/O.

 *Bodo Moeller; problem pointed out by John Hughes*

 * Some of the ciphers missed the strength entry (SSL_LOW etc).

 *Ben Laurie, Lutz Jaenicke*

 * Fix bug in SSL_clear(): bad sessions were not removed (found by
   Yoram Zahavi <YoramZ@gilian.com>).

 *Lutz Jaenicke*

 * Add information about CygWin 1.3 and on, and preserve proper
   configuration for the versions before that.

 *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*

 * Make removal from session cache (SSL_CTX_remove_session()) more robust:
   check whether we deal with a copy of a session and do not delete from
   the cache in this case. Problem reported by "Izhar Shoshani Levi"
   <izhar@checkpoint.com>.

 *Lutz Jaenicke*

 * Do not store session data into the internal session cache, if it
   is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
   flag is set). Proposed by Aslam <aslam@funk.com>.

 *Lutz Jaenicke*

 * Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
   value is 0.

 *Richard Levitte*

 * [In 0.9.6d-engine release:]
   Fix a crashbug and a logic bug in hwcrhk_load_pubkey().

 *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Add the configuration target linux-s390x.

 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*

 * The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
   ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
   variable as an indication that a ClientHello message has been
   received. As the flag value will be lost between multiple
   invocations of ssl3_accept when using non-blocking I/O, the
   function may not be aware that a handshake has actually taken
   place, thus preventing a new session from being added to the
   session cache.

   To avoid this problem, we now set s->new_session to 2 instead of
   using a local variable.

 *Lutz Jaenicke, Bodo Moeller*

 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
   if the SSL_R_LENGTH_MISMATCH error is detected.

 *Geoff Thorpe, Bodo Moeller*

 * New 'shared_ldflag' column in Configure platform table.

 *Richard Levitte*

 * Fix EVP_CIPHER_mode macro.

 *"Dan S. Camper" <dan@bti.net>*

 * Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
   type, we must throw them away by setting rr->length to 0.

 *D P Chang <dpc@qualys.com>*

### Changes between 0.9.6b and 0.9.6c [21 Dec 2001]

 * Fix BN_rand_range bug pointed out by Dominikus Scherkl
   <Dominikus.Scherkl@biodata.com>. (The previous implementation
   worked incorrectly for those cases where range = `10..._2` and
   `3*range` is two bits longer than range.)

 *Bodo Moeller*

 * Only add signing time to PKCS7 structures if it is not already
   present.

 *Steve Henson*

 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
   OBJ_ld_ce should be OBJ_id_ce.
   Also some ip-pda OIDs in crypto/objects/objects.txt were
   incorrect (cf. RFC 3039).

 *Matt Cooper, Frederic Giudicelli, Bodo Moeller*

 * Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
   returns early because it has nothing to do.

 *Andy Schneider <andy.schneider@bjss.co.uk>*

 * [In 0.9.6c-engine release:]
   Fix mutex callback return values in crypto/engine/hw_ncipher.c.

 *Andy Schneider <andy.schneider@bjss.co.uk>*

 * [In 0.9.6c-engine release:]
   Add support for Cryptographic Appliance's keyserver technology.
   (Use engine 'keyclient')

 *Cryptographic Appliances and Geoff Thorpe*

 * Add a configuration entry for OS/390 Unix. The C compiler 'c89'
   is called via tools/c89.sh because arguments have to be
   rearranged (all '-L' options must appear before the first object
   modules).
14571 14572 *Richard Shapiro <rshapiro@abinitio.com>* 14573 14574 * [In 0.9.6c-engine release:] 14575 Add support for Broadcom crypto accelerator cards, backported 14576 from 0.9.7. 14577 14578 *Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox* 14579 14580 * [In 0.9.6c-engine release:] 14581 Add support for SureWare crypto accelerator cards from 14582 Baltimore Technologies. (Use engine 'sureware') 14583 14584 *Baltimore Technologies and Mark Cox* 14585 14586 * [In 0.9.6c-engine release:] 14587 Add support for crypto accelerator cards from Accelerated 14588 Encryption Processing, www.aep.ie. (Use engine 'aep') 14589 14590 *AEP Inc. and Mark Cox* 14591 14592 * Add a configuration entry for gcc on UnixWare. 14593 14594 *Gary Benson <gbenson@redhat.com>* 14595 14596 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake 14597 messages are stored in a single piece (fixed-length part and 14598 variable-length part combined) and fix various bugs found on the way. 14599 14600 *Bodo Moeller* 14601 14602 * Disable caching in BIO_gethostbyname(), directly use gethostbyname() 14603 instead. BIO_gethostbyname() does not know what timeouts are 14604 appropriate, so entries would stay in cache even when they have 14605 become invalid. 14606 *Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>* 14607 14608 * Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when 14609 faced with a pathologically small ClientHello fragment that does 14610 not contain client_version: Instead of aborting with an error, 14611 simply choose the highest available protocol version (i.e., 14612 TLS 1.0 unless it is disabled). In practice, ClientHello 14613 messages are never sent like this, but this change gives us 14614 strictly correct behaviour at least for TLS. 
14615 14616 *Bodo Moeller* 14617 14618 * Fix SSL handshake functions and SSL_clear() such that SSL_clear() 14619 never resets s->method to s->ctx->method when called from within 14620 one of the SSL handshake functions. 14621 14622 *Bodo Moeller; problem pointed out by Niko Baric* 14623 14624 * In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert 14625 (sent using the client's version number) if client_version is 14626 smaller than the protocol version in use. Also change 14627 ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if 14628 the client demanded SSL 3.0 but only TLS 1.0 is enabled; then 14629 the client will at least see that alert. 14630 14631 *Bodo Moeller* 14632 14633 * Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation 14634 correctly. 14635 14636 *Bodo Moeller* 14637 14638 * Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a 14639 client receives HelloRequest while in a handshake. 14640 14641 *Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>* 14642 14643 * Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C 14644 should end in 'break', not 'goto end' which circumvents various 14645 cleanups done in state SSL_ST_OK. But session related stuff 14646 must be disabled for SSL_ST_OK in the case that we just sent a 14647 HelloRequest. 14648 14649 Also avoid some overhead by not calling ssl_init_wbio_buffer() 14650 before just sending a HelloRequest. 14651 14652 *Bodo Moeller, Eric Rescorla <ekr@rtfm.com>* 14653 14654 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't 14655 reveal whether illegal block cipher padding was found or a MAC 14656 verification error occurred. (Neither SSLerr() codes nor alerts 14657 are directly visible to potential attackers, but the information 14658 may leak via logfiles.) 
14659 14660 Similar changes are not required for the SSL 2.0 implementation 14661 because the number of padding bytes is sent in clear for SSL 2.0, 14662 and the extra bytes are just ignored. However ssl/s2_pkt.c 14663 failed to verify that the purported number of padding bytes is in 14664 the legal range. 14665 14666 *Bodo Moeller* 14667 14668 * Add OpenUNIX-8 support including shared libraries 14669 (Boyd Lynn Gerber <gerberb@zenez.com>). 14670 14671 *Lutz Jaenicke* 14672 14673 * Improve RSA_padding_check_PKCS1_OAEP() check again to avoid 14674 'wristwatch attack' using huge encoding parameters (cf. 14675 James H. Manger's CRYPTO 2001 paper). Note that the 14676 RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use 14677 encoding parameters and hence was not vulnerable. 14678 14679 *Bodo Moeller* 14680 14681 * BN_sqr() bug fix. 14682 14683 *Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>* 14684 14685 * Rabin-Miller test analyses assume uniformly distributed witnesses, 14686 so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() 14687 followed by modular reduction. 14688 14689 *Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>* 14690 14691 * Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() 14692 equivalent based on BN_pseudo_rand() instead of BN_rand(). 14693 14694 *Bodo Moeller* 14695 14696 * s3_srvr.c: allow sending of large client certificate lists (> 16 kB). 14697 This function was broken, as the check for a new client hello message 14698 to handle SGC did not allow these large messages. 14699 (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.) 14700 14701 *Lutz Jaenicke* 14702 14703 * Add alert descriptions for TLSv1 to `SSL_alert_desc_string[_long]()`. 14704 14705 *Lutz Jaenicke* 14706 14707 * Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() 14708 for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>). 
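
The point of the s3_enc.c/t1_enc.c entry above (a bad-padding failure must not be reported differently from a MAC failure), together with a check that the decrypted record length is a multiple of the cipher block size, illustrated by an added Python model that is not OpenSSL's code; the record layout, the HMAC-SHA1 record MAC over a constructed key and the function names are this example's assumptions.

```python
import hashlib
import hmac

# Added example (not OpenSSL code): a simplified model of checking a
# decrypted SSL 3.0/TLS 1.0 block-cipher record laid out as
#     content || MAC(content) || padding bytes || padding_length
# leaky_check() reports padding and MAC failures differently and skips
# the MAC when the padding is bad; uniform_check() always computes the
# MAC and reports one error for every failure.  Names are hypothetical.

BLOCK_SIZE = 8                                        # e.g. a 3DES-CBC suite
MAC_LEN = hashlib.sha1().digest_size                  # 20 for HMAC-SHA1
BAD_RECORD = "decryption failed or bad record mac"    # single shared error


def compute_mac(mac_key, seq, content):
    # Simplified record MAC over the sequence number and content; the
    # real MAC also covers record type, version and length.
    return hmac.new(mac_key, seq.to_bytes(8, "big") + content,
                    hashlib.sha1).digest()


def build_record(mac_key, seq, content):
    """Constructed 'decrypted' record with TLS 1.0-style padding."""
    body = content + compute_mac(mac_key, seq, content)
    padlen = BLOCK_SIZE - (len(body) + 1) % BLOCK_SIZE
    return body + bytes([padlen]) * (padlen + 1)


def leaky_check(mac_key, seq, record):
    """'Before' behaviour: distinct errors, MAC skipped on bad padding."""
    if not record or len(record) % BLOCK_SIZE:
        return None, "bad record length"
    padlen = record[-1]
    if padlen + 1 + MAC_LEN > len(record):
        return None, "bad padding"
    if any(b != padlen for b in record[-(padlen + 1):]):
        return None, "bad padding"          # MAC is never computed here
    content_end = len(record) - 1 - padlen - MAC_LEN
    content = record[:content_end]
    if compute_mac(mac_key, seq, content) != record[content_end:-(padlen + 1)]:
        return None, "bad record mac"
    return content, None


def uniform_check(mac_key, seq, record):
    """'After' behaviour: the record must be block-aligned, the padding is
    validated, the MAC is always computed, and every failure collapses
    into the same error."""
    if not record or len(record) % BLOCK_SIZE:
        return None, BAD_RECORD
    padlen = record[-1]
    pad_ok = padlen + 1 + MAC_LEN <= len(record)
    # An out-of-range padding length is clamped to 0 so that the MAC is
    # still checked over some bytes instead of returning early.
    eff = padlen if pad_ok else 0
    for b in record[-(eff + 1):]:
        pad_ok = pad_ok and b == padlen
    content_end = max(0, len(record) - 1 - eff - MAC_LEN)
    content = record[:content_end]
    received = record[content_end:content_end + MAC_LEN]
    mac_ok = hmac.compare_digest(compute_mac(mac_key, seq, content), received)
    if not (pad_ok and mac_ok):
        return None, BAD_RECORD
    return content, None
```

This equalises only the error that is reported and logged; it does not make the time taken by the two checks uniform.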
 * Rework the configuration and shared library support for Tru64 Unix.
   The configuration part makes use of modern compiler features and
   still retains old compiler behavior for those that run older versions
   of the OS. The shared library support part includes a variant that
   uses the RPATH feature, and is available through the special
   configuration target "alpha-cc-rpath", which will never be selected
   automatically.

   *Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte*

 * In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
   with the same message size as in ssl3_get_certificate_request().
   Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
   messages might inadvertently be rejected as too long.

   *Petr Lampa <lampa@fee.vutbr.cz>*

 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).

   *Andy Polyakov*

 * Modified SSL library such that the verify_callback that has been set
   specifically for an SSL object with SSL_set_verify() is actually being
   used. Before the change, a verify_callback set with this function was
   ignored and the verify_callback() set in the SSL_CTX at the time of
   the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
   to allow the necessary settings.

   *Lutz Jaenicke*

 * Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
   explicitly to NULL, as at least on Solaris 8 this seems not always to be
   done automatically (in contradiction to the requirements of the C
   standard). This made problems when used from OpenSSH.

   *Lutz Jaenicke*

 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
   dh->length and always used

           BN_rand_range(priv_key, dh->p).

   BN_rand_range() is not necessary for Diffie-Hellman, and this
   specific range makes Diffie-Hellman unnecessarily inefficient if
   dh->length (recommended exponent length) is much smaller than the
   length of dh->p. We could use BN_rand_range() if the order of
   the subgroup was stored in the DH structure, but we only have
   dh->length.

   So switch back to

           BN_rand(priv_key, l, ...)

   where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
   otherwise.

   *Bodo Moeller*

 * In

           RSA_eay_public_encrypt
           RSA_eay_private_decrypt
           RSA_eay_private_encrypt (signing)
           RSA_eay_public_decrypt (signature verification)

   (default implementations for RSA_public_encrypt,
   RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
   always reject numbers >= n.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
   to synchronize access to 'locking_thread'. This is necessary on
   systems where access to 'locking_thread' (an 'unsigned long'
   variable) is not atomic.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
   *before* setting the 'crypto_lock_rand' flag. The previous code had
   a race condition if 0 is a valid thread ID.

   *Travis Vitek <vitek@roguewave.com>*

 * Add support for shared libraries under Irix.

   *Albert Chin-A-Young <china@thewrittenword.com>*

 * Add configuration option to build on Linux on both big-endian and
   little-endian MIPS.

   *Ralf Baechle <ralf@uni-koblenz.de>*

 * Add the possibility to create shared libraries on HP-UX.

   *Richard Levitte*

### Changes between 0.9.6a and 0.9.6b [9 Jul 2001]

 * Change ssleay_rand_bytes (crypto/rand/md_rand.c)
   to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
   Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
   PRNG state recovery was possible based on the output of
   one PRNG request appropriately sized to gain knowledge on
   'md' followed by enough consecutive 1-byte PRNG requests
   to traverse all of 'state'.

   1. When updating 'md_local' (the current thread's copy of 'md')
      during PRNG output generation, hash all of the previous
      'md_local' value, not just the half used for PRNG output.

   2. Make the number of bytes from 'state' included into the hash
      independent from the number of PRNG bytes requested.

   The first measure alone would be sufficient to avoid
   Markku-Juhani's attack. (Actually it had never occurred
   to me that the half of 'md_local' used for chaining was the
   half from which PRNG output bytes were taken -- I had always
   assumed that the secret half would be used.) The second
   measure makes sure that additional data from 'state' is never
   mixed into 'md_local' in small portions; this heuristically
   further strengthens the PRNG.

   *Bodo Moeller*

 * Fix crypto/bn/asm/mips3.s.

   *Andy Polyakov*

 * When only the key is given to "enc", the IV is undefined. Print out
   an error message in this case.

   *Lutz Jaenicke*

 * Handle special case when X509_NAME is empty in X509 printing routines.

   *Steve Henson*

 * In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
   positive and less than q.

   *Bodo Moeller*

 * Don't change `*pointer` in CRYPTO_add_lock() if add_lock_callback is
   used: it isn't thread safe and the add_lock_callback should handle
   that itself.

   *Paul Rose <Paul.Rose@bridge.com>*

 * Verify that incoming data obeys the block size in
   ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).

   *Bodo Moeller*

 * Fix OAEP check.

   *Ulf Möller, Bodo Möller*

 * The countermeasure against Bleichenbacher's attack on PKCS #1 v1.5
   RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
   when fixing the server behaviour for backwards-compatible 'client
   hello' messages. (Note that the attack is impractical against
   SSL 3.0 and TLS 1.0 anyway because length and version checking
   means that the probability of guessing a valid ciphertext is
   around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
   paper.)

   Before 0.9.5, the countermeasure (hide the error by generating a
   random 'decryption result') did not work properly because
   ERR_clear_error() was missing, meaning that SSL_get_error() would
   detect the supposedly ignored error.

   Both problems are now fixed.

   *Bodo Moeller*

 * In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
   (previously it was 1024).

   *Bodo Moeller*

 * Fix for compatibility mode trust settings: ignore trust settings
   unless some valid trust or reject settings are present.

   *Steve Henson*

 * Fix for blowfish EVP: it's a variable length cipher.

   *Steve Henson*

 * Fix various bugs related to DSA S/MIME verification. Handle missing
   parameters in DSA public key structures and return an error in the
   DSA routines if parameters are absent.

   *Steve Henson*

 * In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
   in the current directory if neither $RANDFILE nor $HOME was set.
   RAND_file_name() in 0.9.6a returned NULL in this case. This has
   caused some confusion to Windows users who haven't defined $HOME.
   Thus RAND_file_name() is changed again: e_os.h can define a
   DEFAULT_HOME, which will be used if $HOME is not set.
   For Windows, we use "C:"; on other platforms, we still require
   environment variables.

 * Move 'if (!initialized) RAND_poll()' into regions protected by
   CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
   having multiple threads call RAND_poll() concurrently.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
   combination of a flag and a thread ID variable.
   Otherwise while one thread is in ssleay_rand_bytes (which sets the
   flag), *other* threads can enter ssleay_add_bytes without obeying
   the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
   that they do not hold after the first thread unsets add_do_not_lock).

   *Bodo Moeller*

 * Change bctest again: '-x' expressions are not available in all
   versions of 'test'.

   *Bodo Moeller*

### Changes between 0.9.6 and 0.9.6a [5 Apr 2001]

 * Fix a couple of memory leaks in PKCS7_dataDecode()

   *Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>*

 * Change Configure and Makefiles to provide EXE_EXT, which will contain
   the default extension for executables, if any. Also, make the perl
   scripts that use symlink() to test if it really exists and use "cp"
   if it doesn't. All this made OpenSSL compilable and installable in
   CygWin.

   *Richard Levitte*

 * Fix for asn1_GetSequence() for indefinite length constructed data.
   If the SEQUENCE length is indefinite just set c->slen to the total
   amount of data available.

   *Steve Henson, reported by shige@FreeBSD.org*

   *This change does not apply to 0.9.7.*

 * Change bctest to avoid here-documents inside command substitution
   (workaround for FreeBSD /bin/sh bug).
   For compatibility with Ultrix, avoid shell functions (introduced
   in the bctest version that searches along $PATH).

   *Bodo Moeller*

 * Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
   with des_encrypt() defined on some operating systems, like Solaris
   and UnixWare.

   *Richard Levitte*

 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
   On the Importance of Eliminating Errors in Cryptographic
   Computations, J. Cryptology 14 (2001) 2, 101-119,
   <http://theory.stanford.edu/~dabo/papers/faults.ps.gz>).

   *Ulf Moeller*

 * MIPS assembler BIGNUM division bug fix.

   *Andy Polyakov*

 * Disabled incorrect Alpha assembler code.

   *Richard Levitte*

 * Fix PKCS#7 decode routines so they correctly update the length
   after reading an EOC for the EXPLICIT tag.

   *Steve Henson*

   *This change does not apply to 0.9.7.*

 * Fix bug in PKCS#12 key generation routines. This was triggered
   if a 3DES key was generated with a 0 initial byte. Include
   PKCS12_BROKEN_KEYGEN compilation option to retain the old
   (but broken) behaviour.

   *Steve Henson*

 * Enhance bctest to search for a working bc along $PATH and print
   it when found.

   *Tim Rice <tim@multitalents.net> via Richard Levitte*

 * Fix memory leaks in err.c: free err_data string if necessary;
   don't write to the wrong index in ERR_set_error_data.

   *Bodo Moeller*

 * Implement ssl23_peek (analogous to ssl23_read), which previously
   did not exist.

   *Bodo Moeller*

 * Replace rdtsc with `_emit` statements for VC++ version 5.

   *Jeremy Cooper <jeremy@baymoo.org>*

 * Make it possible to reuse SSLv2 sessions.

   *Richard Levitte*

 * In copy_email() check for >= 0 as a return value for
   X509_NAME_get_index_by_NID() since 0 is a valid index.

   *Steve Henson, reported by Massimiliano Pala <madwolf@opensca.org>*

 * Avoid coredump with unsupported or invalid public keys by checking if
   X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
   PKCS7_verify() fails with non detached data.

   *Steve Henson*

 * Don't use getenv in library functions when run as setuid/setgid.
   New function OPENSSL_issetugid().

   *Ulf Moeller*

 * Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
   due to incorrect handling of multi-threading:

   1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().

   2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().

   3. Count how many times MemCheck_off() has been called so that
      nested use can be treated correctly. This also avoids
      inband-signalling in the previous code (which relied on the
      assumption that thread ID 0 is impossible).

   *Bodo Moeller*

 * Add "-rand" option also to s_client and s_server.

   *Lutz Jaenicke*

 * Fix CPU detection on Irix 6.x.

   *Kurt Hockenbury <khockenb@stevens-tech.edu> and
   "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*

 * Fix X509_NAME bug which produced incorrect encoding if X509_NAME
   was empty.

   *Steve Henson*

   *This change does not apply to 0.9.7.*

 * Use the cached encoding of an X509_NAME structure rather than
   copying it. This is apparently the reason for the libsafe "errors"
   but the code is actually correct.

   *Steve Henson*

 * Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
   Bleichenbacher's DSA attack.
   Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
   to be set and top=0 forces the highest bit to be set; top=-1 is new
   and leaves the highest bit random.

   *Ulf Moeller, Bodo Moeller*

 * In the `NCONF_...`-based implementations for `CONF_...` queries
   (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
   a temporary CONF structure with the data component set to NULL
   (which gives segmentation faults in lh_retrieve).
   Instead, use NULL for the CONF pointer in CONF_get_string and
   CONF_get_number (which may use environment variables) and directly
   return NULL from CONF_get_section.

   *Bodo Moeller*

 * Fix potential buffer overrun for EBCDIC.

   *Ulf Moeller*

 * Tolerate nonRepudiation as being valid for S/MIME signing and certSign
   keyUsage if basicConstraints absent for a CA.

   *Steve Henson*

 * Make SMIME_write_PKCS7() write mail header values with a format that
   is more generally accepted (no spaces before the semicolon), since
   some programs can't parse those values properly otherwise. Also make
   sure BIO's that break lines after each write do not create invalid
   headers.

   *Richard Levitte*

 * Make the CRL encoding routines work with empty SEQUENCE OF. The
   macros previously used would not encode an empty SEQUENCE OF
   and break the signature.

   *Steve Henson*

   *This change does not apply to 0.9.7.*
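
The BN_rand 'top' semantics and BN_rand_range() from this section's entry above, the 0.9.6c BN_rand_range fix (the page's `range = 10..._2` case, which this model splits into `100..._2`, where an (n+1)-bit draw below `3*range` reduces uniformly, and `101..._2`, which needs plain rejection sampling), and the 0.9.6c DH exponent-length choice, as an added Python model that is not OpenSSL's code; the helper names, the injectable `rand_bytes` source and the top=0/bottom=0 arguments in the DH call are this example's assumptions.

```python
import secrets
from collections import Counter

# Added example (not OpenSSL code): simplified models of BN_rand() and
# BN_rand_range() with the 'top' semantics described in the changelog,
# plus the DH private-exponent length rule.  `rand_bytes` is injectable
# so the range reduction can be checked exhaustively and deterministically.


def bn_rand(bits, top, bottom, rand_bytes=secrets.token_bytes):
    """Random integer of `bits` bits.

    top == 1: the two highest bits are set; top == 0: the highest bit is
    set; top == -1: the highest bit is left random.  bottom != 0 forces odd.
    """
    if bits <= 0:
        return 0
    if top not in (-1, 0, 1):
        raise ValueError("top must be 1, 0 or -1")
    r = int.from_bytes(rand_bytes((bits + 7) // 8), "big") & ((1 << bits) - 1)
    if top >= 0:
        r |= 1 << (bits - 1)
    if top == 1 and bits >= 2:
        r |= 1 << (bits - 2)
    if bottom:
        r |= 1
    return r


def _is_100_case(range_):
    # range = 100..._2 (at least three bits, top three bits 100):
    # 3*range is then exactly one bit longer than range.
    n = range_.bit_length()
    return n >= 3 and (range_ >> (n - 3)) == 0b100


def rand_range_draw_bits(range_):
    """Bits drawn per attempt: n+1 for the 100..._2 case, else n."""
    return range_.bit_length() + (1 if _is_100_case(range_) else 0)


def _rand_range_once(range_, candidate):
    """One reduction step on a fresh draw; None means 'draw again'."""
    if _is_100_case(range_):
        # Candidate has n+1 bits.  Below 3*range the intervals [0,range),
        # [range,2range), [2range,3range) are all complete, so candidate
        # mod range is uniform; larger candidates are rejected.  When
        # 3*range were two bits longer than range (the 101..._2 case),
        # the third interval would be truncated and the result skewed.
        return candidate % range_ if candidate < 3 * range_ else None
    # range = 11..._2 or 101..._2: plain rejection sampling on n bits.
    return candidate if candidate < range_ else None


def bn_rand_range(range_, rand_bytes=secrets.token_bytes):
    """Uniform r with 0 <= r < range_ (e.g. DSA's per-signature k with
    range q), without forcing top bits the way BN_rand with top >= 0 does."""
    if range_ <= 0:
        raise ValueError("range must be positive")
    if range_ == 1:
        return 0
    bits = rand_range_draw_bits(range_)
    while True:
        r = _rand_range_once(range_, bn_rand(bits, -1, 0, rand_bytes))
        if r is not None:
            return r


def range_outcomes(range_):
    """Map every possible draw to its outcome (None = retry).  Uniform
    sampling means each value in [0, range) is hit equally often."""
    bits = rand_range_draw_bits(range_)
    return Counter(_rand_range_once(range_, v) for v in range(1 << bits))


def dh_private_key(p, length=0, rand_bytes=secrets.token_bytes):
    """0.9.6c DH rule: an exponent of dh->length bits when set, otherwise
    BN_num_bits(p)-1 bits, drawn with BN_rand rather than
    BN_rand_range(priv_key, p).  top=0, bottom=0 is this model's assumption."""
    l = length if length else p.bit_length() - 1
    return bn_rand(l, 0, 0, rand_bytes)


def fixed_source(value):
    """Deterministic stand-in for rand_bytes (constructed, for checks)."""
    def rand_bytes(nbytes):
        return value.to_bytes(nbytes, "big")
    return rand_bytes
```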
 * Zero the premaster secret after deriving the master secret in
   DH ciphersuites.

   *Steve Henson*

 * Add some EVP_add_digest_alias registrations (as found in
   OpenSSL_add_all_digests()) to SSL_library_init()
   aka OpenSSL_add_ssl_algorithms(). This provides improved
   compatibility with peers using X.509 certificates
   with unconventional AlgorithmIdentifier OIDs.

   *Bodo Moeller*

 * Fix for Irix with NO_ASM.

   *"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*

 * ./config script fixes.

   *Ulf Moeller, Richard Levitte*

 * Fix 'openssl passwd -1'.

   *Bodo Moeller*

 * Change PKCS12_key_gen_asc() so it can cope with non null
   terminated strings whose length is passed in the passlen
   parameter, for example from PEM callbacks. This was done
   by adding an extra length parameter to asc2uni().

   *Steve Henson, reported by <oddissey@samsung.co.kr>*

 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
   call failed, free the DSA structure.

   *Bodo Moeller*

 * Fix to uni2asc() to cope with zero length Unicode strings.
   These are present in some PKCS#12 files.

   *Steve Henson*

 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
   Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
   when writing a 32767 byte record.

   *Bodo Moeller; problem reported by Eric Day <eday@concentric.net>*

 * In `RSA_eay_public_{en,ed}crypt` and RSA_eay_mod_exp (rsa_eay.c),
   obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.

   (RSA objects have a reference count access to which is protected
   by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
   so they are meant to be shared between threads.)

   *Bodo Moeller, Geoff Thorpe; original patch submitted by
   "Reddie, Steven" <Steven.Reddie@ca.com>*

 * Fix a deadlock in CRYPTO_mem_leaks().

   *Bodo Moeller*

 * Use better test patterns in bntest.

   *Ulf Möller*

 * rand_win.c fix for Borland C.

   *Ulf Möller*

 * BN_rshift bugfix for n == 0.

   *Bodo Moeller*

 * Add a 'bctest' script that checks for some known 'bc' bugs
   so that 'make test' does not abort just because 'bc' is broken.

   *Bodo Moeller*

 * Store verify_result within SSL_SESSION also for client side to
   avoid potential security hole. (Re-used sessions on the client side
   always resulted in verify_result==X509_V_OK, not using the original
   result of the server certificate verification.)

   *Lutz Jaenicke*

 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
   SSL3_RT_APPLICATION_DATA, return 0.
   Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.

   *Bodo Moeller*

 * Fix SSL_peek:
   Both ssl2_peek and ssl3_peek, which were totally broken in earlier
   releases, have been re-implemented by renaming the previous
   implementations of ssl2_read and ssl3_read to ssl2_read_internal
   and ssl3_read_internal, respectively, and adding 'peek' parameters
   to them. The new ssl[23]_{read,peek} functions are calls to
   ssl[23]_read_internal with the 'peek' flag set appropriately.
   A 'peek' parameter has also been added to ssl3_read_bytes, which
   does the actual work for ssl3_read_internal.

   *Bodo Moeller*

 * Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
   the method-specific "init()" handler. Also clean up ex_data after
   calling the method-specific "finish()" handler. Previously, this was
   happening the other way round.

   *Geoff Thorpe*

 * Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
   The previous value, 12, was not always sufficient for BN_mod_exp().

   *Bodo Moeller*

 * Make sure that shared libraries get the internal name engine with
   the full version number and not just 0. This should mark the
   shared libraries as not backward compatible. Of course, this should
   be changed again when we can guarantee backward binary compatibility.

   *Richard Levitte*

 * Fix typo in get_cert_by_subject() in by_dir.c

   *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*

 * Rework the system to generate shared libraries:

   - Make note of the expected extension for the shared libraries and
     if there is a need for symbolic links from for example libcrypto.so.0
     to libcrypto.so.0.9.7. There is extended info in Configure for
     that.

   - Make as few rebuilds of the shared libraries as possible.

   - Still avoid linking the OpenSSL programs with the shared libraries.

   - When installing, install the shared libraries separately from the
     static ones.

   *Richard Levitte*

 * Fix SSL_CTX_set_read_ahead macro to actually use its argument.

   Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
   and not in SSL_clear because the latter is also used by the
   accept/connect functions; previously, the settings made by
   SSL_set_read_ahead would be lost during the handshake.

   *Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>*

 * Correct util/mkdef.pl to be selective about disabled algorithms.
   Previously, it would create entries for disabled algorithms no
   matter what.

   *Richard Levitte*

 * Added several new manual pages for SSL_* functions.

   *Lutz Jaenicke*

### Changes between 0.9.5a and 0.9.6 [24 Sep 2000]

 * In ssl23_get_client_hello, generate an error message when faced
   with an initial SSL 3.0/TLS record that is too small to contain the
   first two bytes of the ClientHello message, i.e. client_version.
   (Note that this is a pathologic case that probably has never happened
   in real life.) The previous approach was to use the version number
   from the record header as a substitute; but our protocol choice
   should not depend on that one because it is not authenticated
   by the Finished messages.

   *Bodo Moeller*

 * More robust randomness gathering functions for Windows.

   *Jeffrey Altman <jaltman@columbia.edu>*

 * For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
   not set then we don't setup the error code for issuer check errors
   to avoid possibly overwriting other errors which the callback does
   handle. If an application does set the flag then we assume it knows
   what it is doing and can handle the new informational codes
   appropriately.

   *Steve Henson*

 * Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
   a general "ANY" type, as such it should be able to decode anything
   including tagged types. However it didn't check the class so it would
   wrongly interpret tagged types in the same way as their universal
   counterpart and unknown types were just rejected. Changed so that the
   tagged and unknown types are handled in the same way as a SEQUENCE:
   that is the encoding is stored intact. There is also a new type
   "V_ASN1_OTHER" which is used when the class is not universal, in this
   case we have no idea what the actual type is so we just lump them all
   together.

   *Steve Henson*

 * On VMS, stdout may very well lead to a file that is written to
   in a record-oriented fashion. That means that every write() will
   write a separate record, which will be read separately by the
   programs trying to read from it. This can be very confusing.

   The solution is to put a BIO filter in the way that will buffer
   text until a linefeed is reached, and then write everything a
   line at a time, so every record written will be an actual line,
   not chunks of lines and not (usually doesn't happen, but I've
   seen it once) several lines in one record. BIO_f_linebuffer() is
   the answer.

   Currently, it's a VMS-only method, because that's where it has
   been tested well enough.

   *Richard Levitte*

 * Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
   it can return incorrect results.
   (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
   but it was in 0.9.6-beta[12].)

   *Bodo Moeller*

 * Disable the check for content being present when verifying detached
   signatures in pk7_smime.c. Some versions of Netscape (wrongly)
   include zero length content when signing messages.

   *Steve Henson*

 * New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
   BIO_ctrl (for BIO pairs).

   *Bodo Möller*

 * Add DSO method for VMS.

   *Richard Levitte*

 * Bug fix: Montgomery multiplication could produce results with the
   wrong sign.

   *Ulf Möller*

 * Add RPM specification openssl.spec and modify it to build three
   packages. The default package contains applications, application
   documentation and run-time libraries. The devel package contains
   include files, static libraries and function documentation. The
   doc package contains the contents of the doc directory. The original
   openssl.spec was provided by Damien Miller <djm@mindrot.org>.

   *Richard Levitte*

 * Add a large number of documentation files for many SSL routines.

   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*

 * Add a configuration entry for Sony News 4.

   *NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>*

 * Don't set the two most significant bits to one when generating a
   random number < q in the DSA library.

   *Ulf Möller*

 * New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
   behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
   the underlying transport is blocking) if a handshake took place.
   (The default behaviour is needed by applications such as s_client
   and s_server that use select() to determine when to use SSL_read;
   but for applications that know in advance when to expect data, it
   just makes things more complicated.)

   *Bodo Moeller*

 * Add RAND_egd_bytes(), which gives control over the number of bytes read
   from EGD.

   *Ben Laurie*

 * Add a few more EBCDIC conditionals that make `req` and `x509`
   work better on such systems.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*

 * Add two demo programs for PKCS12_parse() and PKCS12_create().
   Update PKCS12_parse() so it copies the friendlyName and the
   keyid to the certificates aux info.

   *Steve Henson*

 * Fix bug in PKCS7_verify() which caused an infinite loop
   if there was more than one signature.

   *Sven Uszpelkat <su@celocom.de>*

 * Major change in util/mkdef.pl to include extra information
   about each symbol, as well as presenting variables as well
   as functions. This change means that there's no more need
   to rebuild the .num files when some algorithms are excluded.

   *Richard Levitte*

 * Allow the verify time to be set by an application,
   rather than always using the current time.

   *Steve Henson*

 * Phase 2 verify code reorganisation. The certificate
   verify code now looks up an issuer certificate by a
   number of criteria: subject name, authority key id
   and key usage. It also verifies self signed certificates
   by the same criteria. The main comparison function is
   X509_check_issued() which performs these checks.

   A lot of changes were necessary in order to support this
   without completely rewriting the lookup code.

   Authority and subject key identifier are now cached.

   The LHASH 'certs' in X509_STORE has now been replaced
   by a STACK_OF(X509_OBJECT). This is mainly because an
   LHASH can't store or retrieve multiple objects with
   the same hash value.

   As a result various functions (which were all internal
   use only) have changed to handle the new X509_STORE
   structure. This will break anything that messed round
   with X509_STORE internally.

   The function X509_STORE_add_cert() now checks for an
   exact match, rather than just subject name.

   The X509_STORE API doesn't directly support the retrieval
   of multiple certificates matching a given criteria, however
   this can be worked round by performing a lookup first
   (which will fill the cache with candidate certificates)
   and then examining the cache for matches. This is probably
   the best we can do without throwing out X509_LOOKUP
   entirely (maybe later...).

   The X509_VERIFY_CTX structure has been enhanced considerably.

   All certificate lookup operations now go via a get_issuer()
   callback. Although this currently uses an X509_STORE it
   can be replaced by custom lookups. This is a simple way
   to bypass the X509_STORE hackery necessary to make this
   work and makes it possible to use more efficient techniques
   in future. A very simple version which uses a simple
   STACK for its trusted certificate store is also provided
   using X509_STORE_CTX_trusted_stack().

   The verify_cb() and verify() callbacks now have equivalents
   in the X509_STORE_CTX structure.

   X509_STORE_CTX also has a 'flags' field which can be used
   to customise the verify behaviour.

   *Steve Henson*

 * Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
   excludes S/MIME capabilities.

   *Steve Henson*

 * When a certificate request is read in keep a copy of the
   original encoding of the signed data and use it when outputting
   again. Signatures then use the original encoding rather than
   a decoded, encoded version which may cause problems if the
   request is improperly encoded.

   *Steve Henson*

 * For consistency with other BIO_puts implementations, call
   buffer_write(b, ...) directly in buffer_puts instead of calling
   BIO_write(b, ...).

   In BIO_puts, increment b->num_write as in BIO_write.
15497 15498 *Peter.Sylvester@EdelWeb.fr* 15499 15500 * Fix BN_mul_word for the case where the word is 0. (We have to use 15501 BN_zero, we may not return a BIGNUM with an array consisting of 15502 words set to zero.) 15503 15504 *Bodo Moeller* 15505 15506 * Avoid calling abort() from within the library when problems are 15507 detected, except if preprocessor symbols have been defined 15508 (such as REF_CHECK, BN_DEBUG etc.). 15509 15510 *Bodo Moeller* 15511 15512 * New openssl application 'rsautl'. This utility can be 15513 used for low-level RSA operations. DER public key 15514 BIO/fp routines also added. 15515 15516 *Steve Henson* 15517 15518 * New Configure entry and patches for compiling on QNX 4. 15519 15520 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>* 15521 15522 * A demo state-machine implementation was sponsored by 15523 Nuron (<http://www.nuron.com/>) and is now available in 15524 demos/state_machine. 15525 15526 *Ben Laurie* 15527 15528 * New options added to the 'dgst' utility for signature 15529 generation and verification. 15530 15531 *Steve Henson* 15532 15533 * Unrecognized PKCS#7 content types are now handled via a 15534 catch all ASN1_TYPE structure. This allows unsupported 15535 types to be stored as a "blob" and an application can 15536 encode and decode it manually. 15537 15538 *Steve Henson* 15539 15540 * Fix various signed/unsigned issues to make a_strex.c 15541 compile under VC++. 15542 15543 *Oscar Jacobsson <oscar.jacobsson@celocom.com>* 15544 15545 * ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct 15546 length if passed a buffer. ASN1_INTEGER_to_BN failed 15547 if passed a NULL BN and its argument was negative. 15548 15549 *Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>* 15550 15551 * Modification to PKCS#7 encoding routines to output definite 15552 length encoding. Since currently the whole structures are in 15553 memory there's not real point in using indefinite length 15554 constructed encoding. 
However if OpenSSL is compiled with 15555 the flag PKCS7_INDEFINITE_ENCODING the old form is used. 15556 15557 *Steve Henson* 15558 15559 * Added BIO_vprintf() and BIO_vsnprintf(). 15560 15561 *Richard Levitte* 15562 15563 * Added more prefixes to parse for in the strings written 15564 through a logging bio, to cover all the levels that are available 15565 through syslog. The prefixes are now: 15566 15567 PANIC, EMERG, EMR => LOG_EMERG 15568 ALERT, ALR => LOG_ALERT 15569 CRIT, CRI => LOG_CRIT 15570 ERROR, ERR => LOG_ERR 15571 WARNING, WARN, WAR => LOG_WARNING 15572 NOTICE, NOTE, NOT => LOG_NOTICE 15573 INFO, INF => LOG_INFO 15574 DEBUG, DBG => LOG_DEBUG 15575 15576 and as before, if none of those prefixes are present at the 15577 beginning of the string, LOG_ERR is chosen. 15578 15579 On Win32, the `LOG_*` levels are mapped according to this: 15580 15581 LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE 15582 LOG_WARNING => EVENTLOG_WARNING_TYPE 15583 LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE 15584 15585 *Richard Levitte* 15586 15587 * Made it possible to reconfigure with just the configuration 15588 argument "reconf" or "reconfigure". The command line arguments 15589 are stored in Makefile.ssl in the variable CONFIGURE_ARGS, 15590 and are retrieved from there when reconfiguring. 15591 15592 *Richard Levitte* 15593 15594 * MD4 implemented. 15595 15596 *Assar Westerlund <assar@sics.se>, Richard Levitte* 15597 15598 * Add the arguments -CAfile and -CApath to the pkcs12 utility. 15599 15600 *Richard Levitte* 15601 15602 * The obj_dat.pl script was messing up the sorting of object 15603 names. The reason was that it compared the quoted version 15604 of strings as a result "OCSP" > "OCSP Signing" because 15605 " > SPACE. Changed script to store unquoted versions of 15606 names and add quotes on output. 
It was also omitting some 15607 names from the lookup table if they were given a default 15608 value (that is if SN is missing it is given the same 15609 value as LN and vice versa), these are now added on the 15610 grounds that if an object has a name we should be able to 15611 look it up. Finally added warning output when duplicate 15612 short or long names are found. 15613 15614 *Steve Henson* 15615 15616 * Changes needed for Tandem NSK. 15617 15618 *Scott Uroff <scott@xypro.com>* 15619 15620 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in 15621 RSA_padding_check_SSLv23(), special padding was never detected 15622 and thus the SSL 3.0/TLS 1.0 countermeasure against protocol 15623 version rollback attacks was not effective. 15624 15625 In s23_clnt.c, don't use special rollback-attack detection padding 15626 (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the 15627 client; similarly, in s23_srvr.c, don't do the rollback check if 15628 SSL 2.0 is the only protocol enabled in the server. 15629 15630 *Bodo Moeller* 15631 15632 * Make it possible to get hexdumps of unprintable data with 'openssl 15633 asn1parse'. By implication, the functions ASN1_parse_dump() and 15634 BIO_dump_indent() are added. 15635 15636 *Richard Levitte* 15637 15638 * New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() 15639 these print out strings and name structures based on various 15640 flags including RFC2253 support and proper handling of 15641 multibyte characters. Added options to the 'x509' utility 15642 to allow the various flags to be set. 15643 15644 *Steve Henson* 15645 15646 * Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. 15647 Also change the functions X509_cmp_current_time() and 15648 X509_gmtime_adj() work with an ASN1_TIME structure, 15649 this will enable certificates using GeneralizedTime in validity 15650 dates to be checked. 
15651 15652 *Steve Henson* 15653 15654 * Make the NEG_PUBKEY_BUG code (which tolerates invalid 15655 negative public key encodings) on by default, 15656 NO_NEG_PUBKEY_BUG can be set to disable it. 15657 15658 *Steve Henson* 15659 15660 * New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT 15661 content octets. An i2c_ASN1_OBJECT is unnecessary because 15662 the encoding can be trivially obtained from the structure. 15663 15664 *Steve Henson* 15665 15666 * crypto/err.c locking bugfix: Use write locks (`CRYPTO_w_[un]lock`), 15667 not read locks (`CRYPTO_r_[un]lock`). 15668 15669 *Bodo Moeller* 15670 15671 * A first attempt at creating official support for shared 15672 libraries through configuration. I've kept it so the 15673 default is static libraries only, and the OpenSSL programs 15674 are always statically linked for now, but there are 15675 preparations for dynamic linking in place. 15676 This has been tested on Linux and Tru64. 15677 15678 *Richard Levitte* 15679 15680 * Randomness polling function for Win9x, as described in: 15681 Peter Gutmann, Software Generation of Practically Strong 15682 Random Numbers. 15683 15684 *Ulf Möller* 15685 15686 * Fix so PRNG is seeded in req if using an already existing 15687 DSA key. 15688 15689 *Steve Henson* 15690 15691 * New options to smime application. -inform and -outform 15692 allow alternative formats for the S/MIME message including 15693 PEM and DER. The -content option allows the content to be 15694 specified separately. This should allow things like Netscape 15695 form signing output easier to verify. 15696 15697 *Steve Henson* 15698 15699 * Fix the ASN1 encoding of tags using the 'long form'. 15700 15701 *Steve Henson* 15702 15703 * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT 15704 STRING types. These convert content octets to and from the 15705 underlying type. The actual tag and length octets are 15706 already assumed to have been read in and checked. 
These 15707 are needed because all other string types have virtually 15708 identical handling apart from the tag. By having versions 15709 of the ASN1 functions that just operate on content octets 15710 IMPLICIT tagging can be handled properly. It also allows 15711 the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED 15712 and ASN1_INTEGER are identical apart from the tag. 15713 15714 *Steve Henson* 15715 15716 * Change the handling of OID objects as follows: 15717 15718 - New object identifiers are inserted in objects.txt, following 15719 the syntax given in [crypto/objects/README.md](crypto/objects/README.md). 15720 - objects.pl is used to process obj_mac.num and create a new 15721 obj_mac.h. 15722 - obj_dat.pl is used to create a new obj_dat.h, using the data in 15723 obj_mac.h. 15724 15725 This is currently kind of a hack, and the perl code in objects.pl 15726 isn't very elegant, but it works as I intended. The simplest way 15727 to check that it worked correctly is to look in obj_dat.h and 15728 check the array nid_objs and make sure the objects haven't moved 15729 around (this is important!). Additions are OK, as well as 15730 consistent name changes. 15731 15732 *Richard Levitte* 15733 15734 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). 15735 15736 *Bodo Moeller* 15737 15738 * Addition of the command line parameter '-rand file' to 'openssl req'. 15739 The given file adds to whatever has already been seeded into the 15740 random pool through the RANDFILE configuration file option or 15741 environment variable, or the default random state file. 15742 15743 *Richard Levitte* 15744 15745 * mkstack.pl now sorts each macro group into lexical order. 15746 Previously the output order depended on the order the files 15747 appeared in the directory, resulting in needless rewriting 15748 of safestack.h . 15749 15750 *Steve Henson* 15751 15752 * Patches to make OpenSSL compile under Win32 again. 
Mostly 15753 work arounds for the VC++ problem that it treats func() as 15754 func(void). Also stripped out the parts of mkdef.pl that 15755 added extra typesafe functions: these no longer exist. 15756 15757 *Steve Henson* 15758 15759 * Reorganisation of the stack code. The macros are now all 15760 collected in safestack.h . Each macro is defined in terms of 15761 a "stack macro" of the form `SKM_<name>(type, a, b)`. The 15762 DEBUG_SAFESTACK is now handled in terms of function casts, 15763 this has the advantage of retaining type safety without the 15764 use of additional functions. If DEBUG_SAFESTACK is not defined 15765 then the non typesafe macros are used instead. Also modified the 15766 mkstack.pl script to handle the new form. Needs testing to see 15767 if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK 15768 the default if no major problems. Similar behaviour for ASN1_SET_OF 15769 and PKCS12_STACK_OF. 15770 15771 *Steve Henson* 15772 15773 * When some versions of IIS use the 'NET' form of private key the 15774 key derivation algorithm is different. Normally MD5(password) is 15775 used as a 128 bit RC4 key. In the modified case 15776 MD5(MD5(password) + "SGCKEYSALT") is used instead. Added some 15777 new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same 15778 as the old Netscape_RSA functions except they have an additional 15779 'sgckey' parameter which uses the modified algorithm. Also added 15780 an -sgckey command line option to the rsa utility. Thanks to 15781 Adrian Peck <bertie@ncipher.com> for posting details of the modified 15782 algorithm to openssl-dev. 15783 15784 *Steve Henson* 15785 15786 * The evp_local.h macros were using 'c.##kname' which resulted in 15787 invalid expansion on some systems (SCO 5.0.5 for example). 15788 Corrected to 'c.kname'. 
15789 15790 *Phillip Porch <root@theporch.com>* 15791 15792 * New X509_get1_email() and X509_REQ_get1_email() functions that return 15793 a STACK of email addresses from a certificate or request, these look 15794 in the subject name and the subject alternative name extensions and 15795 omit any duplicate addresses. 15796 15797 *Steve Henson* 15798 15799 * Re-implement BN_mod_exp2_mont using independent (and larger) windows. 15800 This makes DSA verification about 2 % faster. 15801 15802 *Bodo Moeller* 15803 15804 * Increase maximum window size in `BN_mod_exp_...` to 6 bits instead of 5 15805 (meaning that now 2^5 values will be precomputed, which is only 4 KB 15806 plus overhead for 1024 bit moduli). 15807 This makes exponentiations about 0.5 % faster for 1024 bit 15808 exponents (as measured by "openssl speed rsa2048"). 15809 15810 *Bodo Moeller* 15811 15812 * Rename memory handling macros to avoid conflicts with other 15813 software: 15814 Malloc => OPENSSL_malloc 15815 Malloc_locked => OPENSSL_malloc_locked 15816 Realloc => OPENSSL_realloc 15817 Free => OPENSSL_free 15818 15819 *Richard Levitte* 15820 15821 * New function BN_mod_exp_mont_word for small bases (roughly 15% 15822 faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange). 15823 15824 *Bodo Moeller* 15825 15826 * CygWin32 support. 15827 15828 *John Jarvie <jjarvie@newsguy.com>* 15829 15830 * The type-safe stack code has been rejigged. It is now only compiled 15831 in when OpenSSL is configured with the DEBUG_SAFESTACK option and 15832 by default all type-specific stack functions are "#define"d back to 15833 standard stack functions. This results in more streamlined output 15834 but retains the type-safety checking possibilities of the original 15835 approach. 15836 15837 *Geoff Thorpe* 15838 15839 * The STACK code has been cleaned up, and certain type declarations 15840 that didn't make a lot of sense have been brought in line. 
This has 15841 also involved a cleanup of sorts in safestack.h to more correctly 15842 map type-safe stack functions onto their plain stack counterparts. 15843 This work has also resulted in a variety of "const"ifications of 15844 lots of the code, especially `_cmp` operations which should normally 15845 be prototyped with "const" parameters anyway. 15846 15847 *Geoff Thorpe* 15848 15849 * When generating bytes for the first time in md_rand.c, 'stir the pool' 15850 by seeding with STATE_SIZE dummy bytes (with zero entropy count). 15851 (The PRNG state consists of two parts, the large pool 'state' and 'md', 15852 where all of 'md' is used each time the PRNG is used, but 'state' 15853 is used only indexed by a cyclic counter. As entropy may not be 15854 well distributed from the beginning, 'md' is important as a 15855 chaining variable. However, the output function chains only half 15856 of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains 15857 all of 'md', and seeding with STATE_SIZE dummy bytes will result 15858 in all of 'state' being rewritten, with the new values depending 15859 on virtually all of 'md'. This overcomes the 80 bit limitation.) 15860 15861 *Bodo Moeller* 15862 15863 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when 15864 the handshake is continued after ssl_verify_cert_chain(); 15865 otherwise, if SSL_VERIFY_NONE is set, remaining error codes 15866 can lead to 'unexplainable' connection aborts later. 15867 15868 *Bodo Moeller; problem tracked down by Lutz Jaenicke* 15869 15870 * Major EVP API cipher revision. 15871 Add hooks for extra EVP features. This allows various cipher 15872 parameters to be set in the EVP interface. Support added for variable 15873 key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and 15874 setting of RC2 and RC5 parameters. 15875 15876 Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length 15877 ciphers. 
15878 15879 Remove lots of duplicated code from the EVP library. For example *every* 15880 cipher init() function handles the 'iv' in the same way according to the 15881 cipher mode. They also all do nothing if the 'key' parameter is NULL and 15882 for CFB and OFB modes they zero ctx->num. 15883 15884 New functionality allows removal of S/MIME code RC2 hack. 15885 15886 Most of the routines have the same form and so can be declared in terms 15887 of macros. 15888 15889 By shifting this to the top level EVP_CipherInit() it can be removed from 15890 all individual ciphers. If the cipher wants to handle IVs or keys 15891 differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT 15892 flags. 15893 15894 Change lots of functions like EVP_EncryptUpdate() to now return a 15895 value: although software versions of the algorithms cannot fail 15896 any installed hardware versions can. 15897 15898 *Steve Henson* 15899 15900 * Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if 15901 this option is set, tolerate broken clients that send the negotiated 15902 protocol version number instead of the requested protocol version 15903 number. 15904 15905 *Bodo Moeller* 15906 15907 * Call dh_tmp_cb (set by `..._TMP_DH_CB`) with correct 'is_export' flag; 15908 i.e. non-zero for export ciphersuites, zero otherwise. 15909 Previous versions had this flag inverted, inconsistent with 15910 rsa_tmp_cb (..._TMP_RSA_CB). 15911 15912 *Bodo Moeller; problem reported by Amit Chopra* 15913 15914 * Add missing DSA library text string. Work around for some IIS 15915 key files with invalid SEQUENCE encoding. 15916 15917 *Steve Henson* 15918 15919 * Add a document (doc/standards.txt) that list all kinds of standards 15920 and so on that are implemented in OpenSSL. 15921 15922 *Richard Levitte* 15923 15924 * Enhance c_rehash script. Old version would mishandle certificates 15925 with the same subject name hash and wouldn't handle CRLs at all. 
15926 Added -fingerprint option to crl utility, to support new c_rehash 15927 features. 15928 15929 *Steve Henson* 15930 15931 * Eliminate non-ANSI declarations in crypto.h and stack.h. 15932 15933 *Ulf Möller* 15934 15935 * Fix for SSL server purpose checking. Server checking was 15936 rejecting certificates which had extended key usage present 15937 but no ssl client purpose. 15938 15939 *Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>* 15940 15941 * Make PKCS#12 code work with no password. The PKCS#12 spec 15942 is a little unclear about how a blank password is handled. 15943 Since the password in encoded as a BMPString with terminating 15944 double NULL a zero length password would end up as just the 15945 double NULL. However no password at all is different and is 15946 handled differently in the PKCS#12 key generation code. NS 15947 treats a blank password as zero length. MSIE treats it as no 15948 password on export: but it will try both on import. We now do 15949 the same: PKCS12_parse() tries zero length and no password if 15950 the password is set to "" or NULL (NULL is now a valid password: 15951 it wasn't before) as does the pkcs12 application. 15952 15953 *Steve Henson* 15954 15955 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use 15956 perror when PEM_read_bio_X509_REQ fails, the error message must 15957 be obtained from the error queue. 15958 15959 *Bodo Moeller* 15960 15961 * Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing 15962 it in ERR_remove_state if appropriate, and change ERR_get_state 15963 accordingly to avoid race conditions (this is necessary because 15964 thread_hash is no longer constant once set). 15965 15966 *Bodo Moeller* 15967 15968 * Bugfix for linux-elf makefile.one. 15969 15970 *Ulf Möller* 15971 15972 * RSA_get_default_method() will now cause a default 15973 RSA_METHOD to be chosen if one doesn't exist already. 
15974 Previously this was only set during a call to RSA_new() 15975 or RSA_new_method(NULL) meaning it was possible for 15976 RSA_get_default_method() to return NULL. 15977 15978 *Geoff Thorpe* 15979 15980 * Added native name translation to the existing DSO code 15981 that will convert (if the flag to do so is set) filenames 15982 that are sufficiently small and have no path information 15983 into a canonical native form. Eg. "blah" converted to 15984 "libblah.so" or "blah.dll" etc. 15985 15986 *Geoff Thorpe* 15987 15988 * New function ERR_error_string_n(e, buf, len) which is like 15989 ERR_error_string(e, buf), but writes at most 'len' bytes 15990 including the 0 terminator. For ERR_error_string_n, 'buf' 15991 may not be NULL. 15992 15993 *Damien Miller <djm@mindrot.org>, Bodo Moeller* 15994 15995 * CONF library reworked to become more general. A new CONF 15996 configuration file reader "class" is implemented as well as a 15997 new functions (`NCONF_*`, for "New CONF") to handle it. The now 15998 old `CONF_*` functions are still there, but are reimplemented to 15999 work in terms of the new functions. Also, a set of functions 16000 to handle the internal storage of the configuration data is 16001 provided to make it easier to write new configuration file 16002 reader "classes" (I can definitely see something reading a 16003 configuration file in XML format, for example), called `_CONF_*`, 16004 or "the configuration storage API"... 16005 16006 The new configuration file reading functions are: 16007 16008 NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio, 16009 NCONF_get_section, NCONF_get_string, NCONF_get_numbre 16010 16011 NCONF_default, NCONF_WIN32 16012 16013 NCONF_dump_fp, NCONF_dump_bio 16014 16015 NCONF_default and NCONF_WIN32 are method (or "class") choosers, 16016 NCONF_new creates a new CONF object. This works in the same way 16017 as other interfaces in OpenSSL, like the BIO interface. 
16018 `NCONF_dump_*` dump the internal storage of the configuration file, 16019 which is useful for debugging. All other functions take the same 16020 arguments as the old `CONF_*` functions with the exception of the 16021 first that must be a `CONF *` instead of a `LHASH *`. 16022 16023 To make it easier to use the new classes with the old `CONF_*` functions, 16024 the function CONF_set_default_method is provided. 16025 16026 *Richard Levitte* 16027 16028 * Add '-tls1' option to 'openssl ciphers', which was already 16029 mentioned in the documentation but had not been implemented. 16030 (This option is not yet really useful because even the additional 16031 experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.) 16032 16033 *Bodo Moeller* 16034 16035 * Initial DSO code added into libcrypto for letting OpenSSL (and 16036 OpenSSL-based applications) load shared libraries and bind to 16037 them in a portable way. 16038 16039 *Geoff Thorpe, with contributions from Richard Levitte* 16040 16041### Changes between 0.9.5 and 0.9.5a [1 Apr 2000] 16042 16043 * Make sure _lrotl and _lrotr are only used with MSVC. 16044 16045 * Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status 16046 (the default implementation of RAND_status). 16047 16048 * Rename openssl x509 option '-crlext', which was added in 0.9.5, 16049 to '-clrext' (= clear extensions), as intended and documented. 16050 *Bodo Moeller; inconsistency pointed out by Michael Attili 16051 <attili@amaxo.com>* 16052 16053 * Fix for HMAC. It wasn't zeroing the rest of the block if the key length 16054 was larger than the MD block size. 16055 16056 *Steve Henson, pointed out by Yost William <YostW@tce.com>* 16057 16058 * Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument 16059 fix a leak when the ca argument was passed as NULL. 
Stop X509_PUBKEY_set() 16060 using the passed key: if the passed key was a private key the result 16061 of X509_print(), for example, would be to print out all the private key 16062 components. 16063 16064 *Steve Henson* 16065 16066 * des_quad_cksum() byte order bug fix. 16067 *Ulf Möller, using the problem description in krb4-0.9.7, where 16068 the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>* 16069 16070 * Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly 16071 discouraged. 16072 16073 *Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>* 16074 16075 * For easily testing in shell scripts whether some command 16076 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX' 16077 returns with exit code 0 iff no command of the given name is available. 16078 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases, 16079 the output goes to stdout and nothing is printed to stderr. 16080 Additional arguments are always ignored. 16081 16082 Since for each cipher there is a command of the same name, 16083 the 'no-cipher' compilation switches can be tested this way. 16084 16085 ('openssl no-XXX' is not able to detect pseudo-commands such 16086 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.) 16087 16088 *Bodo Moeller* 16089 16090 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration. 16091 16092 *Bodo Moeller* 16093 16094 * For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE 16095 is set; it will be thrown away anyway because each handshake creates 16096 its own key. 16097 ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition 16098 to parameters -- in previous versions (since OpenSSL 0.9.3) the 16099 'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning 16100 you effectively got SSL_OP_SINGLE_DH_USE when using this macro. 
   *Bodo Moeller*

 * New s_client option -ign_eof: EOF at stdin is ignored, and
   'Q' and 'R' lose their special meanings (quit/renegotiate).
   This is part of what -quiet does; unlike -quiet, -ign_eof
   does not suppress any output.

   *Richard Levitte*

 * Add compatibility options to the purpose and trust code. The
   purpose X509_PURPOSE_ANY is "any purpose" which automatically
   accepts a certificate or CA; this was the previous behaviour,
   with all the associated security issues.

   X509_TRUST_COMPAT is the old trust behaviour: only and
   automatically trust self signed roots in the certificate store. A
   new trust setting X509_TRUST_DEFAULT is used to specify that
   a purpose has no associated trust setting and it should instead
   use the value in the default purpose.

   *Steve Henson*

 * Fix the PKCS#8 DSA private key code so it decodes keys again
   and fix a memory leak.

   *Steve Henson*

 * In util/mkerr.pl (which implements 'make errors'), preserve
   reason strings from the previous version of the .c file, as
   the default to have only downcase letters (and digits) in
   automatically generated reason codes is not always appropriate.

   *Bodo Moeller*

 * In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
   using strerror. Previously, ERR_reason_error_string() returned
   library names as reason strings for SYSerr; but SYSerr is a special
   case where small numbers are errno values, not library numbers.

   *Bodo Moeller*

 * Add '-dsaparam' option to 'openssl dhparam' application. This
   converts DSA parameters into DH parameters. (When creating parameters,
   DSA_generate_parameters is used.)

   *Bodo Moeller*

 * Include 'length' (recommended exponent length) in C code generated
   by 'openssl dhparam -C'.

   *Bodo Moeller*

 * The second argument to set_label in perlasm was already being used
   so couldn't be used as a "file scope" flag. Moved to third argument
   which was free.

   *Steve Henson*

 * In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
   instead of RAND_bytes for encryption IVs and salts.

   *Bodo Moeller*

 * Include RAND_status() into RAND_METHOD instead of implementing
   it only for md_rand.c. Otherwise replacing the PRNG by calling
   RAND_set_rand_method would be impossible.

   *Bodo Moeller*

 * Don't let DSA_generate_key() enter an infinite loop if the random
   number generation fails.

   *Bodo Moeller*

 * New 'rand' application for creating pseudo-random output.

   *Bodo Moeller*

 * Added configuration support for Linux/IA64

   *Rolf Haberrecker <rolf@suse.de>*

 * Assembler module support for Mingw32.

   *Ulf Möller*

 * Shared library support for HPUX (in shlib/).

   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*

 * Shared library support for Solaris gcc.

   *Lutz Behnke <behnke@trustcenter.de>*

### Changes between 0.9.4 and 0.9.5 [28 Feb 2000]

 * PKCS7_encrypt() was adding text MIME headers twice because they
   were added manually and by SMIME_crlf_copy().

   *Steve Henson*

 * In bntest.c don't call BN_rand with zero bits argument.

   *Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>*

 * BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
   case was implemented. This caused BN_div_recp() to fail occasionally.

   *Ulf Möller*

 * Add an optional second argument to the set_label() in the perl
   assembly language builder. If this argument exists and is set
   to 1 it signals that the assembler should use a symbol whose
   scope is the entire file, not just the current function. This
   is needed with MASM which uses the format label:: for this scope.

   *Steve Henson, pointed out by Peter Runestig <peter@runestig.com>*

 * Change the ASN1 types so they are typedefs by default. Before
   almost all types were #define'd to ASN1_STRING which was causing
   STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
   for example.

   *Steve Henson*

 * Change names of new functions to the new get1/get0 naming
   convention: After 'get1', the caller owns a reference count
   and has to call `..._free`; 'get0' returns a pointer to some
   data structure without incrementing reference counters.
   (Some of the existing 'get' functions increment a reference
   counter, some don't.)
   Similarly, 'set1' and 'add1' functions increase reference
   counters or duplicate objects.

   *Steve Henson*

 * Allow for the possibility of temp RSA key generation failure:
   the code used to assume it always worked and crashed on failure.

   *Steve Henson*

 * Fix potential buffer overrun problem in BIO_printf().

   *Ulf Möller, using public domain code by Patrick Powell; problem
   pointed out by David Sacerdote <das33@cornell.edu>*

 * Support EGD <http://www.lothar.com/tech/crypto/>. New functions
   RAND_egd() and RAND_status(). In the command line application,
   the EGD socket can be specified like a seed file using RANDFILE
   or -rand.

   *Ulf Möller*

 * Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
   Some CAs (e.g. Verisign) distribute certificates in this form.

   *Steve Henson*

 * Remove the SSL_ALLOW_ADH compile option and set the default cipher
   list to exclude them. This means that no special compilation option
   is needed to use anonymous DH: it just needs to be included in the
   cipher list.

   *Steve Henson*

 * Change the EVP_MD_CTX_type macro so its meaning is consistent with
   EVP_MD_type. The old functionality is available in a new macro called
   EVP_MD_md(). Change code that uses it and update docs.

   *Steve Henson*

 * `..._ctrl` functions now have corresponding `..._callback_ctrl` functions
   where the `void *` argument is replaced by a function pointer argument.
   Previously `void *` was abused to point to functions, which works on
   many platforms, but is not correct. As these functions are usually
   called by macros defined in OpenSSL header files, most source code
   should work without changes.

   *Richard Levitte*

 * `<openssl/opensslconf.h>` (which is created by Configure) now contains
   sections with information on -D... compiler switches used for
   compiling the library so that applications can see them. To enable
   one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
   must be defined. E.g.,

       #define OPENSSL_ALGORITHM_DEFINES
       #include <openssl/opensslconf.h>

   defines all pertinent `NO_<algo>` symbols, such as NO_IDEA, NO_RSA, etc.

   *Richard Levitte, Ulf and Bodo Möller*

 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
   record layer.

   *Bodo Moeller*

 * Change the 'other' type in certificate aux info to a STACK_OF
   X509_ALGOR. Although not an AlgorithmIdentifier as such it has
   the required ASN1 format: arbitrary types determined by an OID.

   *Steve Henson*

 * Add some PEM_write_X509_REQ_NEW() functions and a command line
   argument to 'req'. This is not because the function is newer or
   better than others; it just uses the word 'NEW' in the certificate
   request header lines. Some software needs this.

   *Steve Henson*

 * Reorganise password command line arguments: now passwords can be
   obtained from various sources. Delete the PEM_cb function and make
   it the default behaviour: i.e. if the callback is NULL and the
   usrdata argument is not NULL interpret it as a null terminated pass
   phrase. If usrdata and the callback are NULL then the pass phrase
   is prompted for as usual.

   *Steve Henson*

 * Add support for the Compaq Atalla crypto accelerator. If it is installed,
   the support is automatically enabled. The resulting binaries will
   autodetect the card and use it if present.

   *Ben Laurie and Compaq Inc.*

 * Work around for Netscape hang bug. This sends certificate request
   and server done in one record. Since this is perfectly legal in the
   SSL/TLS protocol it isn't a "bug" option and is on by default. See
   the bugs/SSLv3 entry for more info.

   *Steve Henson*

 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.

   *Andy Polyakov*

 * Add -rand argument to smime and pkcs12 applications and read/write
   of seed file.

   *Steve Henson*

 * New 'passwd' tool for crypt(3) and apr1 password hashes.

   *Bodo Moeller*

 * Add command line password options to the remaining applications.

   *Steve Henson*

 * Bug fix for BN_div_recp() for numerators with an even number of
   bits.

   *Ulf Möller*

 * More tests in bntest.c, and changed test_bn output.

   *Ulf Möller*

 * ./config recognizes MacOS X now.

   *Andy Polyakov*

 * Bug fix for BN_div() when the first words of num and divisor are
   equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.

   *Ulf Möller*

 * Add support for various broken PKCS#8 formats, and command line
   options to produce them.

   *Steve Henson*

 * New functions BN_CTX_start(), BN_CTX_get() and BN_CTX_end() to
   get temporary BIGNUMs from a BN_CTX.

   *Ulf Möller*

 * Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
   for p == 0.

   *Ulf Möller*

 * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
   include a #define from the old name to the new. The original intent
   was that statically linked binaries could for example just call
   SSLeay_add_all_ciphers() to just add ciphers to the table and not
   link with digests. This never worked because SSLeay_add_all_digests()
   and SSLeay_add_all_ciphers() were in the same source file so calling
   one would link with the other. They are now in separate source files.

   *Steve Henson*

 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.

   *Steve Henson*

 * Use a less unusual form of the Miller-Rabin primality test (it used
   a binary algorithm for exponentiation integrated into the Miller-Rabin
   loop; our standard modexp algorithms are faster).

   *Bodo Moeller*

 * Support for the EBCDIC character set completed.

   *Martin Kraemer <Martin.Kraemer@Mch.SNI.De>*

 * Source code cleanups: use const where appropriate, eliminate casts,
   use `void *` instead of `char *` in lhash.

   *Ulf Möller*

 * Bugfix: ssl3_send_server_key_exchange was not restartable
   (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
   this the server could overwrite ephemeral keys that the client
   has already seen).

   *Bodo Moeller*

 * Turn DSA_is_prime into a macro that calls BN_is_prime,
   using 50 iterations of the Rabin-Miller test.

   DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
   iterations of the Rabin-Miller test as required by the appendix
   to FIPS PUB 186[-1]) instead of DSA_is_prime.
   As BN_is_prime_fasttest includes trial division, DSA parameter
   generation becomes much faster.

   This implies a change for the callback functions in DSA_is_prime
   and DSA_generate_parameters: The callback function is called once
   for each positive witness in the Rabin-Miller test, not just
   occasionally in the inner loop; and the parameters to the
   callback function now provide an iteration count for the outer
   loop rather than for the current invocation of the inner loop.
   DSA_generate_parameters additionally can call the callback
   function with an 'iteration count' of -1, meaning that a
   candidate has passed the trial division test (when q is generated
   from an application-provided seed, trial division is skipped).

   *Bodo Moeller*

 * New function BN_is_prime_fasttest that optionally does trial
   division before starting the Rabin-Miller test and has
   an additional BN_CTX * argument (whereas BN_is_prime always
   has to allocate at least one BN_CTX).
   'callback(1, -1, cb_arg)' is called when a number has passed the
   trial division stage.

   *Bodo Moeller*

 * Fix for bug in CRL encoding. The validity dates weren't being handled
   as ASN1_TIME.
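As an added illustration (not OpenSSL's code) of the BN_is_prime_fasttest entry above: trial division first, then Rabin-Miller with the callback protocol the entry describes, using the size-dependent iteration counts quoted later in this section (3 for 1024-bit, 6 for 512-bit, 12 for 256-bit). The 27-round fallback for smaller candidates and the small-prime table are this example's own assumptions.

```python
import random

# Trial-division table: a constructed subset of small primes (OpenSSL's
# bn_prime.h carries a much larger table).
SMALL_PRIMES = [p for p in range(2, 2000)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def prime_checks_for_size(bits):
    """Rabin-Miller iteration count by candidate size.

    Only the three values quoted in this section are reproduced (3 for
    1024-bit, 6 for 512-bit, 12 for 256-bit candidates); the 27-round
    fallback for smaller candidates is this example's own conservative
    assumption, not the full BN_prime_checks_for_size table."""
    if bits >= 1024:
        return 3
    if bits >= 512:
        return 6
    if bits >= 256:
        return 12
    return 27


def is_prime_fasttest(n, checks=None, do_trial_division=True,
                      callback=None, seed=None):
    """Model of BN_is_prime_fasttest (example code, not OpenSSL's).

    checks=None plays the role of BN_prime_checks: the count is taken from
    the bit length. callback(1, -1) is invoked once the candidate survives
    trial division and callback(1, i) after each passed witness, matching
    the (int, int) arguments described in the changelog entry. 'seed' only
    makes the witness choice reproducible for testing."""
    rng = random.Random(seed)
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    if checks is None:
        checks = prime_checks_for_size(n.bit_length())
    if do_trial_division:
        for p in SMALL_PRIMES:
            if n == p:
                return True
            if n % p == 0:
                return False
        if callback:
            callback(1, -1)                   # passed the trial division stage
    # Write n - 1 = 2^s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for i in range(checks):
        a = rng.randrange(2, n - 1)           # random witness candidate
        x = pow(a, d, n)
        if x != 1 and x != n - 1:
            for _ in range(s - 1):
                x = x * x % n
                if x == n - 1:
                    break
            else:
                return False                  # a is a witness: n is composite
        if callback:
            callback(1, i)                    # positive witness number i
    return True
```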
16451 16452 *Steve Henson* 16453 16454 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file. 16455 16456 *Steve Henson* 16457 16458 * New function BN_pseudo_rand(). 16459 16460 *Ulf Möller* 16461 16462 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) 16463 bignum version of BN_from_montgomery() with the working code from 16464 SSLeay 0.9.0 (the word based version is faster anyway), and clean up 16465 the comments. 16466 16467 *Ulf Möller* 16468 16469 * Avoid a race condition in s2_clnt.c (function get_server_hello) that 16470 made it impossible to use the same SSL_SESSION data structure in 16471 SSL2 clients in multiple threads. 16472 16473 *Bodo Moeller* 16474 16475 * The return value of RAND_load_file() no longer counts bytes obtained 16476 by stat(). RAND_load_file(..., -1) is new and uses the complete file 16477 to seed the PRNG (previously an explicit byte count was required). 16478 16479 *Ulf Möller, Bodo Möller* 16480 16481 * Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes 16482 used `char *` instead of `void *` and had casts all over the place. 16483 16484 *Steve Henson* 16485 16486 * Make BN_generate_prime() return NULL on error if ret!=NULL. 16487 16488 *Ulf Möller* 16489 16490 * Retain source code compatibility for BN_prime_checks macro: 16491 BN_is_prime(..., BN_prime_checks, ...) now uses 16492 BN_prime_checks_for_size to determine the appropriate number of 16493 Rabin-Miller iterations. 16494 16495 *Ulf Möller* 16496 16497 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to 16498 DH_CHECK_P_NOT_SAFE_PRIME. 16499 (Check if this is true? OpenPGP calls them "strong".) 16500 16501 *Ulf Möller* 16502 16503 * Merge the functionality of "dh" and "gendh" programs into a new program 16504 "dhparam". The old programs are retained for now but will handle DH keys 16505 (instead of parameters) in future. 
16506 16507 *Steve Henson* 16508 16509 * Make the ciphers, s_server and s_client programs check the return values 16510 when a new cipher list is set. 16511 16512 *Steve Henson* 16513 16514 * Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit 16515 ciphers. Before when the 56bit ciphers were enabled the sorting was 16516 wrong. 16517 16518 The syntax for the cipher sorting has been extended to support sorting by 16519 cipher-strength (using the strength_bits hard coded in the tables). 16520 The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`). 16521 16522 Fix a bug in the cipher-command parser: when supplying a cipher command 16523 string with an "undefined" symbol (neither command nor alphanumeric 16524 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now 16525 an error is flagged. 16526 16527 Due to the strength-sorting extension, the code of the 16528 ssl_create_cipher_list() function was completely rearranged. I hope that 16529 the readability was also increased :-) 16530 16531 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>* 16532 16533 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1 16534 for the first serial number and places 2 in the serial number file. This 16535 avoids problems when the root CA is created with serial number zero and 16536 the first user certificate has the same issuer name and serial number 16537 as the root CA. 16538 16539 *Steve Henson* 16540 16541 * Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses 16542 the new code. Add documentation for this stuff. 16543 16544 *Steve Henson* 16545 16546 * Changes to X509_ATTRIBUTE utilities. These have been renamed from 16547 `X509_*()` to `X509at_*()` on the grounds that they don't handle X509 16548 structures and behave in an analogous way to the X509v3 functions: 16549 they shouldn't be called directly but wrapper functions should be used 16550 instead. 
16551 16552 So we also now have some wrapper functions that call the X509at functions 16553 when passed certificate requests. (TO DO: similar things can be done with 16554 PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other 16555 things. Some of these need some d2i or i2d and print functionality 16556 because they handle more complex structures.) 16557 16558 *Steve Henson* 16559 16560 * Add missing #ifndefs that caused missing symbols when building libssl 16561 as a shared library without RSA. Use #ifndef NO_SSL2 instead of 16562 NO_RSA in `ssl/s2*.c`. 16563 16564 *Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller* 16565 16566 * Precautions against using the PRNG uninitialized: RAND_bytes() now 16567 has a return value which indicates the quality of the random data 16568 (1 = ok, 0 = not seeded). Also an error is recorded on the thread's 16569 error queue. New function RAND_pseudo_bytes() generates output that is 16570 guaranteed to be unique but not unpredictable. RAND_add is like 16571 RAND_seed, but takes an extra argument for an entropy estimate 16572 (RAND_seed always assumes full entropy). 16573 16574 *Ulf Möller* 16575 16576 * Do more iterations of Rabin-Miller probable prime test (specifically, 16577 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes 16578 instead of only 2 for all lengths; see BN_prime_checks_for_size definition 16579 in crypto/bn/bn_prime.c for the complete table). This guarantees a 16580 false-positive rate of at most 2^-80 for random input. 16581 16582 *Bodo Moeller* 16583 16584 * Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. 16585 16586 *Bodo Moeller* 16587 16588 * New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain 16589 in the 0.9.5 release), this returns the chain 16590 from an X509_CTX structure with a dup of the stack and all 16591 the X509 reference counts upped: so the stack will exist 16592 after X509_CTX_cleanup() has been called. 
Modify pkcs12.c 16593 to use this. 16594 16595 Also make SSL_SESSION_print() print out the verify return 16596 code. 16597 16598 *Steve Henson* 16599 16600 * Add manpage for the pkcs12 command. Also change the default 16601 behaviour so MAC iteration counts are used unless the new 16602 -nomaciter option is used. This improves file security and 16603 only older versions of MSIE (4.0 for example) need it. 16604 16605 *Steve Henson* 16606 16607 * Honor the no-xxx Configure options when creating .DEF files. 16608 16609 *Ulf Möller* 16610 16611 * Add PKCS#10 attributes to field table: challengePassword, 16612 unstructuredName and unstructuredAddress. These are taken from 16613 draft PKCS#9 v2.0 but are compatible with v1.2 provided no 16614 international characters are used. 16615 16616 More changes to X509_ATTRIBUTE code: allow the setting of types 16617 based on strings. Remove the 'loc' parameter when adding 16618 attributes because these will be a SET OF encoding which is sorted 16619 in ASN1 order. 16620 16621 *Steve Henson* 16622 16623 * Initial changes to the 'req' utility to allow request generation 16624 automation. This will allow an application to just generate a template 16625 file containing all the field values and have req construct the 16626 request. 16627 16628 Initial support for X509_ATTRIBUTE handling. Stacks of these are 16629 used all over the place including certificate requests and PKCS#7 16630 structures. They are currently handled manually where necessary with 16631 some primitive wrappers for PKCS#7. The new functions behave in a 16632 manner analogous to the X509 extension functions: they allow 16633 attributes to be looked up by NID and added. 16634 16635 Later something similar to the X509V3 code would be desirable to 16636 automatically handle the encoding, decoding and printing of the 16637 more complex types. The string types like challengePassword can 16638 be handled by the string table functions. 
16639 16640 Also modified the multi byte string table handling. Now there is 16641 a 'global mask' which masks out certain types. The table itself 16642 can use the flag STABLE_NO_MASK to ignore the mask setting: this 16643 is useful when for example there is only one permissible type 16644 (as in countryName) and using the mask might result in no valid 16645 types at all. 16646 16647 *Steve Henson* 16648 16649 * Clean up 'Finished' handling, and add functions SSL_get_finished and 16650 SSL_get_peer_finished to allow applications to obtain the latest 16651 Finished messages sent to the peer or expected from the peer, 16652 respectively. (SSL_get_peer_finished is usually the Finished message 16653 actually received from the peer, otherwise the protocol will be aborted.) 16654 16655 As the Finished message are message digests of the complete handshake 16656 (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can 16657 be used for external authentication procedures when the authentication 16658 provided by SSL/TLS is not desired or is not enough. 16659 16660 *Bodo Moeller* 16661 16662 * Enhanced support for Alpha Linux is added. Now ./config checks if 16663 the host supports BWX extension and if Compaq C is present on the 16664 $PATH. Just exploiting of the BWX extension results in 20-30% 16665 performance kick for some algorithms, e.g. DES and RC4 to mention 16666 a couple. Compaq C in turn generates ~20% faster code for MD5 and 16667 SHA1. 16668 16669 *Andy Polyakov* 16670 16671 * Add support for MS "fast SGC". This is arguably a violation of the 16672 SSL3/TLS protocol. Netscape SGC does two handshakes: the first with 16673 weak crypto and after checking the certificate is SGC a second one 16674 with strong crypto. MS SGC stops the first handshake after receiving 16675 the server certificate message and sends a second client hello. 
Since 16676 a server will typically do all the time consuming operations before 16677 expecting any further messages from the client (server key exchange 16678 is the most expensive) there is little difference between the two. 16679 16680 To get OpenSSL to support MS SGC we have to permit a second client 16681 hello message after we have sent server done. In addition we have to 16682 reset the MAC if we do get this second client hello. 16683 16684 *Steve Henson* 16685 16686 * Add a function 'd2i_AutoPrivateKey()' this will automatically decide 16687 if a DER encoded private key is RSA or DSA traditional format. Changed 16688 d2i_PrivateKey_bio() to use it. This is only needed for the "traditional" 16689 format DER encoded private key. Newer code should use PKCS#8 format which 16690 has the key type encoded in the ASN1 structure. Added DER private key 16691 support to pkcs8 application. 16692 16693 *Steve Henson* 16694 16695 * SSL 3/TLS 1 servers now don't request certificates when an anonymous 16696 ciphersuites has been selected (as required by the SSL 3/TLS 1 16697 specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT 16698 is set, we interpret this as a request to violate the specification 16699 (the worst that can happen is a handshake failure, and 'correct' 16700 behaviour would result in a handshake failure anyway). 16701 16702 *Bodo Moeller* 16703 16704 * In SSL_CTX_add_session, take into account that there might be multiple 16705 SSL_SESSION structures with the same session ID (e.g. when two threads 16706 concurrently obtain them from an external cache). 16707 The internal cache can handle only one SSL_SESSION with a given ID, 16708 so if there's a conflict, we now throw out the old one to achieve 16709 consistency. 16710 16711 *Bodo Moeller* 16712 16713 * Add OIDs for idea and blowfish in CBC mode. This will allow both 16714 to be used in PKCS#5 v2.0 and S/MIME. 
Also add checking to 16715 some routines that use cipher OIDs: some ciphers do not have OIDs 16716 defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for 16717 example. 16718 16719 *Steve Henson* 16720 16721 * Simplify the trust setting structure and code. Now we just have 16722 two sequences of OIDs for trusted and rejected settings. These will 16723 typically have values the same as the extended key usage extension 16724 and any application specific purposes. 16725 16726 The trust checking code now has a default behaviour: it will just 16727 check for an object with the same NID as the passed id. Functions can 16728 be provided to override either the default behaviour or the behaviour 16729 for a given id. SSL client, server and email already have functions 16730 in place for compatibility: they check the NID and also return "trusted" 16731 if the certificate is self signed. 16732 16733 *Steve Henson* 16734 16735 * Add d2i,i2d bio/fp functions for PrivateKey: these convert the 16736 traditional format into an EVP_PKEY structure. 16737 16738 *Steve Henson* 16739 16740 * Add a password callback function PEM_cb() which either prompts for 16741 a password if usr_data is NULL or otherwise assumes it is a null 16742 terminated password. Allow passwords to be passed on command line 16743 environment or config files in a few more utilities. 16744 16745 *Steve Henson* 16746 16747 * Add a bunch of DER and PEM functions to handle PKCS#8 format private 16748 keys. Add some short names for PKCS#8 PBE algorithms and allow them 16749 to be specified on the command line for the pkcs8 and pkcs12 utilities. 16750 Update documentation. 16751 16752 *Steve Henson* 16753 16754 * Support for ASN1 "NULL" type. This could be handled before by using 16755 ASN1_TYPE but there wasn't any function that would try to read a NULL 16756 and produce an error if it couldn't. 
For compatibility we also have 16757 ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and 16758 don't allocate anything because they don't need to. 16759 16760 *Steve Henson* 16761 16762 * Initial support for MacOS is now provided. Examine INSTALL.MacOS 16763 for details. 16764 16765 *Andy Polyakov, Roy Woods <roy@centicsystems.ca>* 16766 16767 * Rebuild of the memory allocation routines used by OpenSSL code and 16768 possibly others as well. The purpose is to make an interface that 16769 provide hooks so anyone can build a separate set of allocation and 16770 deallocation routines to be used by OpenSSL, for example memory 16771 pool implementations, or something else, which was previously hard 16772 since Malloc(), Realloc() and Free() were defined as macros having 16773 the values malloc, realloc and free, respectively (except for Win32 16774 compilations). The same is provided for memory debugging code. 16775 OpenSSL already comes with functionality to find memory leaks, but 16776 this gives people a chance to debug other memory problems. 16777 16778 With these changes, a new set of functions and macros have appeared: 16779 16780 CRYPTO_set_mem_debug_functions() [F] 16781 CRYPTO_get_mem_debug_functions() [F] 16782 CRYPTO_dbg_set_options() [F] 16783 CRYPTO_dbg_get_options() [F] 16784 CRYPTO_malloc_debug_init() [M] 16785 16786 The memory debug functions are NULL by default, unless the library 16787 is compiled with CRYPTO_MDEBUG or friends is defined. If someone 16788 wants to debug memory anyway, CRYPTO_malloc_debug_init() (which 16789 gives the standard debugging functions that come with OpenSSL) or 16790 CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions 16791 provided by the library user) must be used. 
When the standard 16792 debugging functions are used, CRYPTO_dbg_set_options can be used to 16793 request additional information: 16794 CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting 16795 the CRYPTO_MDEBUG_xxx macro when compiling the library. 16796 16797 Also, things like CRYPTO_set_mem_functions will always give the 16798 expected result (the new set of functions is used for allocation 16799 and deallocation) at all times, regardless of platform and compiler 16800 options. 16801 16802 To finish it up, some functions that were never use in any other 16803 way than through macros have a new API and new semantic: 16804 16805 CRYPTO_dbg_malloc() 16806 CRYPTO_dbg_realloc() 16807 CRYPTO_dbg_free() 16808 16809 All macros of value have retained their old syntax. 16810 16811 *Richard Levitte and Bodo Moeller* 16812 16813 * Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the 16814 ordering of SMIMECapabilities wasn't in "strength order" and there 16815 was a missing NULL in the AlgorithmIdentifier for the SHA1 signature 16816 algorithm. 16817 16818 *Steve Henson* 16819 16820 * Some ASN1 types with illegal zero length encoding (INTEGER, 16821 ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. 16822 16823 *Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson* 16824 16825 * Merge in my S/MIME library for OpenSSL. This provides a simple 16826 S/MIME API on top of the PKCS#7 code, a MIME parser (with enough 16827 functionality to handle multipart/signed properly) and a utility 16828 called 'smime' to call all this stuff. This is based on code I 16829 originally wrote for Celo who have kindly allowed it to be 16830 included in OpenSSL. 16831 16832 *Steve Henson* 16833 16834 * Add variants des_set_key_checked and des_set_key_unchecked of 16835 des_set_key (aka des_key_sched). 
Global variable des_check_key 16836 decides which of these is called by des_set_key; this way 16837 des_check_key behaves as it always did, but applications and 16838 the library itself, which was buggy for des_check_key == 1, 16839 have a cleaner way to pick the version they need. 16840 16841 *Bodo Moeller* 16842 16843 * New function PKCS12_newpass() which changes the password of a 16844 PKCS12 structure. 16845 16846 *Steve Henson* 16847 16848 * Modify X509_TRUST and X509_PURPOSE so it also uses a static and 16849 dynamic mix. In both cases the ids can be used as an index into the 16850 table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() 16851 functions so they accept a list of the field values and the 16852 application doesn't need to directly manipulate the X509_TRUST 16853 structure. 16854 16855 *Steve Henson* 16856 16857 * Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't 16858 need initialising. 16859 16860 *Steve Henson* 16861 16862 * Modify the way the V3 extension code looks up extensions. This now 16863 works in a similar way to the object code: we have some "standard" 16864 extensions in a static table which is searched with OBJ_bsearch() 16865 and the application can add dynamic ones if needed. The file 16866 crypto/x509v3/ext_dat.h now has the info: this file needs to be 16867 updated whenever a new extension is added to the core code and kept 16868 in ext_nid order. There is a simple program 'tabtest.c' which checks 16869 this. New extensions are not added too often so this file can readily 16870 be maintained manually. 16871 16872 There are two big advantages in doing things this way. The extensions 16873 can be looked up immediately and no longer need to be "added" using 16874 X509V3_add_standard_extensions(): this function now does nothing. 16875 Side note: I get *lots* of email saying the extension code doesn't 16876 work because people forget to call this function. 
   Also no dynamic allocation is done unless new extensions are added:
   so if we don't add custom extensions there is no need to call
   X509V3_EXT_cleanup().

   *Steve Henson*

 * Modify enc utility's salting as follows: make salting the default. Add a
   magic header, so unsalted files fail gracefully instead of just decrypting
   to garbage. This is because not salting is a big security hole, so people
   should be discouraged from doing it.

   *Ben Laurie*

 * Fixes and enhancements to the 'x509' utility. It allowed a message
   digest to be passed on the command line but it only used this
   parameter when signing a certificate. Modified so all relevant
   operations are affected by the digest parameter including the
   -fingerprint and -x509toreq options. Also -x509toreq choked if a
   DSA key was used because it didn't fix the digest.

   *Steve Henson*

 * Initial certificate chain verify code. Currently tests the untrusted
   certificates for consistency with the verify purpose (which is set
   when the X509_STORE_CTX structure is set up) and checks the pathlength.

   There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
   this is because it will reject chains with invalid extensions whereas
   every previous version of OpenSSL and SSLeay made no checks at all.

   Trust code: checks the root CA for the relevant trust settings. Trust
   settings have an initial value consistent with the verify purpose: e.g.
   if the verify purpose is for SSL client use it expects the CA to be
   trusted for SSL client use. However the default value can be changed to
   permit custom trust settings: one example of this would be to only trust
   certificates from a specific "secure" set of CAs.

   Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
   which should be used for version portability: especially since the
   verify structure is likely to change more often now.

   SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
   to set them. If not set then assume SSL clients will verify SSL servers
   and vice versa.

   Two new options to the verify program: -untrusted allows a set of
   untrusted certificates to be passed in and -purpose which sets the
   intended purpose of the certificate. If a purpose is set then the
   new chain verify code is used to check extension consistency.

   *Steve Henson*

 * Support for the authority information access extension.

   *Steve Henson*

 * Modify RSA and DSA PEM read routines to transparently handle
   PKCS#8 format private keys. New `*_PUBKEY_*` functions that handle
   public keys in a format compatible with certificate
   SubjectPublicKeyInfo structures. Unfortunately there were already
   functions called `*_PublicKey_*` which used various odd formats so
   these are retained for compatibility: however the DSA variants were
   never in a public release so they have been deleted. Changed dsa/rsa
   utilities to handle the new format: note no releases ever handled public
   keys so we should be OK.

   The primary motivation for this change is to avoid the same fiasco
   that dogs private keys: there are several incompatible private key
   formats some of which are standard and some OpenSSL specific and
   require various evil hacks to allow partial transparent handling and
   even then it doesn't work with DER formats. Given the option anything
   other than PKCS#8 should be dumped: but the other formats have to
   stay in the name of compatibility.

   With public keys and the benefit of hindsight one standard format
   is used which works with EVP_PKEY, RSA or DSA structures: though
   it clearly returns an error if you try to read the wrong kind of key.

   Added a -pubkey option to the 'x509' utility to output the public key.
   Also rename the `EVP_PKEY_get_*()` to `EVP_PKEY_rget_*()`
   (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add
   `EVP_PKEY_rset_*()` functions (renamed to `EVP_PKEY_set1_*()`)
   that do the same as the `EVP_PKEY_assign_*()` except they up the
   reference count of the added key (they don't "swallow" the
   supplied key).

   *Steve Henson*

 * Fixes to crypto/x509/by_file.c: the code to read in certificates and
   CRLs would fail if the file contained no certificates or no CRLs:
   added a new function to read in both types and return the number
   read: this means that if none are read it will be an error. The
   DER versions of the certificate and CRL reader would always fail
   because it isn't possible to mix certificates and CRLs in DER format
   without choking one or the other routine. Changed this to just read
   a certificate: this is the best we can do. Also modified the code
   in `apps/verify.c` to take notice of return codes: it was previously
   attempting to read in certificates from NULL pointers and ignoring
   any errors: this is one reason why the cert and CRL reader seemed
   to work. It doesn't check return codes from the default certificate
   routines: these may well fail if the certificates aren't installed.

   *Steve Henson*

 * Code to support otherName option in GeneralName.

   *Steve Henson*

 * First update to verify code. Change the verify utility
   so it warns if it is passed a self signed certificate:
   for consistency with the normal behaviour. X509_verify
   has been modified so it will now verify a self signed
   certificate if *exactly* the same certificate appears
   in the store: it was previously impossible to trust a
   single self signed certificate. This means that:
           openssl verify ss.pem
   now gives a warning about a self signed certificate but
           openssl verify -CAfile ss.pem ss.pem
   is OK.

   *Steve Henson*

 * For servers, store verify_result in SSL_SESSION data structure
   (and add it to external session representation).
   This is needed when client certificate verification fails,
   but an application-provided verification callback (set by
   SSL_CTX_set_cert_verify_callback) allows accepting the session
   anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
   but returns 1): When the session is reused, we have to set
   ssl->verify_result to the appropriate error code to avoid
   security holes.

   *Bodo Moeller, problem pointed out by Lutz Jaenicke*

 * Fix a bug in the new PKCS#7 code: it didn't consider the
   case in PKCS7_dataInit() where the signed PKCS7 structure
   didn't contain any existing data because it was being created.

   *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*

 * Add a salt to the key derivation routines in enc.c. This
   forms the first 8 bytes of the encrypted file. Also add a
   -S option to allow a salt to be input on the command line.

   *Steve Henson*

 * New function X509_cmp(). Oddly enough there wasn't a function
   to compare two certificates. We do this by working out the SHA1
   hash and comparing that. X509_cmp() will be needed by the trust
   code.

   *Steve Henson*

 * SSL_get1_session() is like SSL_get_session(), but increments
   the reference count in the SSL_SESSION returned.
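   Added example, not code from the changelog or from OpenSSL itself, illustrating the two enc entries above (salt as the first bytes of the file, a magic header so unsalted input fails instead of decrypting to garbage). It assumes the layout OpenSSL enc uses, an 8-byte magic string "Salted__" followed by an 8-byte salt (the magic string is not quoted on this page), and an EVP_BytesToKey-style derivation with MD5 and one iteration, the enc defaults of that era.

```python
# Added example (not OpenSSL code): the salted container layout 'enc' writes
# and the key derivation the salt feeds, modelled in Python.
# Assumptions: magic b"Salted__" + 8-byte salt, then ciphertext; KDF is the
# EVP_BytesToKey construction with MD5 and count 1.
import hashlib
import os
from typing import Optional, Tuple

MAGIC = b"Salted__"   # assumed magic header, 8 bytes
SALT_LEN = 8          # the salt occupies the next 8 bytes


def bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                 digest: str = "md5", count: int = 1) -> Tuple[bytes, bytes]:
    """EVP_BytesToKey-style KDF: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt);
    D_1||D_2||... is cut into key and IV. The salt makes the output unique
    per file, so a table precomputed from passwords alone is useless."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        block = prev + password + salt
        for _ in range(count):
            block = hashlib.new(digest, block).digest()
        material += block
        prev = block
    return material[:key_len], material[key_len:key_len + iv_len]


def make_header(salt: Optional[bytes] = None) -> bytes:
    """Header of a salted file: magic + salt (random unless supplied, as -S does)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    return MAGIC + salt


def split_header(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, body) or raise. This is the graceful failure the magic
    header buys: without it an unsalted or corrupt file would be keyed from
    whatever its first bytes happen to be and decrypt to garbage."""
    if len(blob) < len(MAGIC) + SALT_LEN:
        raise ValueError("input too short to hold a salted header")
    if blob[:len(MAGIC)] != MAGIC:
        raise ValueError("no salt header: refusing to treat input as salted")
    return blob[len(MAGIC):len(MAGIC) + SALT_LEN], blob[len(MAGIC) + SALT_LEN:]


def derive_for_file(password: bytes, blob: bytes, key_len: int = 32,
                    iv_len: int = 16) -> Tuple[bytes, bytes, bytes]:
    """Parse a salted blob and derive (key, iv, body) for it."""
    salt, body = split_header(blob)
    key, iv = bytes_to_key(password, salt, key_len, iv_len)
    return key, iv, body


if __name__ == "__main__":
    # Constructed sample: a salted container with a placeholder body.
    salt = bytes(range(8))
    blob = make_header(salt) + b"<ciphertext bytes would follow>"
    key, iv, body = derive_for_file(b"correct horse", blob)
    print("salt", salt.hex(), "key", key.hex(), "iv", iv.hex())
    key2, _ = bytes_to_key(b"correct horse", bytes(8), 32, 16)
    print("same password, other salt, keys differ:", key != key2)
    try:
        split_header(b"not salted at all, just raw bytes....")
    except ValueError as err:
        print("rejected:", err)
```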

   *Geoff Thorpe <geoff@eu.c2.net>*

 * Fix for 'req': it was adding a null to request attributes.
   Also change the X509_LOOKUP and X509_INFO code to handle
   certificate auxiliary information.

   *Steve Henson*

 * Add support for 40 and 64 bit RC2 and RC4 algorithms: document
   the 'enc' command.

   *Steve Henson*

 * Add the possibility to add extra information to the memory leak
   detecting output, to form tracebacks, showing from where each
   allocation was originated: CRYPTO_push_info("constant string") adds
   the string plus current file name and line number to a per-thread
   stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
   is like calling CRYPTO_pop_info() until the stack is empty.
   Also updated memory leak detection code to be multi-thread-safe.

   *Richard Levitte*

 * Add options -text and -noout to pkcs7 utility and delete the
   encryption options which never did anything. Update docs.

   *Steve Henson*

 * Add options to some of the utilities to allow the pass phrase
   to be included on either the command line (not recommended on
   OSes like Unix) or read from the environment. Update the
   manpages and fix a few bugs.

   *Steve Henson*

 * Add a few manpages for some of the openssl commands.

   *Steve Henson*

 * Fix the -revoke option in ca. It was freeing up memory twice,
   leaking and not finding already revoked certificates.

   *Steve Henson*

 * Extensive changes to support certificate auxiliary information.
   This involves the use of X509_CERT_AUX structure and X509_AUX
   functions. An X509_AUX function such as PEM_read_X509_AUX()
   can still read in a certificate file in the usual way but it
   will also read in any additional "auxiliary information". By
   doing things this way a fair degree of compatibility can be
   retained: existing certificates can have this information added
   using the new 'x509' options.

   Current auxiliary information includes an "alias" and some trust
   settings. The trust settings will ultimately be used in enhanced
   certificate chain verification routines: currently a certificate
   can only be trusted if it is self signed and then it is trusted
   for all purposes.

   *Steve Henson*

 * Fix assembler for Alpha (tested only on DEC OSF not Linux or `*BSD`).
   The problem was that one of the replacement routines had not been working
   since SSLeay releases. For now the offending routine has been replaced
   with non-optimised assembler. Even so, this now gives around 95%
   performance improvement for 1024 bit RSA signs.

   *Mark Cox*

 * Hack to fix PKCS#7 decryption when used with some unorthodox RC2
   handling. Most clients have the effective key size in bits equal to
   the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
   A few however don't do this and instead use the size of the decrypted key
   to determine the RC2 key length and the AlgorithmIdentifier to determine
   the effective key length. In this case the effective key length can still
   be 40 bits but the key length can be 168 bits for example. This is fixed
   by manually forcing an RC2 key into the EVP_PKEY structure because the
   EVP code can't currently handle unusual RC2 key sizes: it always assumes
   the key length and effective key length are equal.

   *Steve Henson*

 * Add a bunch of functions that should simplify the creation of
   X509_NAME structures. Now you should be able to do:
           X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
   and have it automatically work out the correct field type and fill in
   the structures. The more adventurous can try:
           X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
   and it will (hopefully) work out the correct multibyte encoding.

   *Steve Henson*

 * Change the 'req' utility to use the new field handling and multibyte
   copy routines. Before the DN field creation was handled in an ad hoc
   way in req, ca, and x509 which was rather broken and didn't support
   BMPStrings or UTF8Strings. Since some software doesn't implement
   BMPStrings or UTF8Strings yet, they can be enabled using the config file
   using the dirstring_type option. See the new comment in the default
   openssl.cnf for more info.

   *Steve Henson*

 * Make crypto/rand/md_rand.c more robust:
   - Assure unique random numbers after fork().
   - Make sure that concurrent threads access the global counter and
     md serializably so that we never lose entropy in them
     or use exactly the same state in multiple threads.
     Access to the large state is not always serializable because
     the additional locking could be a performance killer, and
     md should be large enough anyway.

   *Bodo Moeller*

 * New file `apps/app_rand.c` with commonly needed functionality
   for handling the random seed file.

   Use the random seed file in some applications that previously did not:
           ca,
           dsaparam -genkey (which also ignored its '-rand' option),
           s_client,
           s_server,
           x509 (when signing).
   Except on systems with /dev/urandom, it is crucial to have a random
   seed file at least for key creation, DSA signing, and for DH exchanges;
   for RSA signatures we could do without one.

   gendh and gendsa (unlike genrsa) used to read only the first byte
   of each file listed in the '-rand' option. The function as previously
   found in genrsa is now in app_rand.c and is used by all programs
   that support '-rand'.

   *Bodo Moeller*

 * In RAND_write_file, use mode 0600 for creating files;
   don't just chmod when it may be too late.

   *Bodo Moeller*

 * Report an error from X509_STORE_load_locations
   when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.

   *Bill Perry*

 * New function ASN1_mbstring_copy(): this copies a string in either
   ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
   into an ASN1_STRING type. A mask of permissible types is passed
   and it chooses the "minimal" type to use or an error if no type
   is suitable.

   *Steve Henson*

 * Add function equivalents to the various macros in asn1.h. The old
   macros are retained with an `M_` prefix. Code inside the library can
   use the `M_` macros. External code (including the openssl utility)
   should *NOT* use them, in order to be "shared library friendly".

   *Steve Henson*

 * Add various functions that can check a certificate's extensions
   to see if it is usable for various purposes such as SSL client,
   server or S/MIME and CAs of these types. This is currently
   VERY EXPERIMENTAL but will ultimately be used for certificate chain
   verification. Also added a -purpose flag to x509 utility to
   print out all the purposes.

   *Steve Henson*

 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated
   functions.

   *Steve Henson*

 * New `X509V3_{X509,CRL,REVOKED}_get_d2i()` functions. These will search
   for, obtain and decode an extension and obtain its critical flag.
   This allows all the necessary extension code to be handled in a
   single function call.

   *Steve Henson*

 * RC4 tune-up featuring 30-40% performance improvement on most RISC
   platforms. See crypto/rc4/rc4_enc.c for further details.

   *Andy Polyakov*

 * New -noout option to asn1parse. This causes no output to be produced:
   its main use is when combined with -strparse and -out to extract data
   from a file (which may not be in ASN.1 format).

   *Steve Henson*

 * Fix for pkcs12 program. It was hashing an invalid certificate pointer
   when producing the local key id.

   *Richard Levitte <levitte@stacken.kth.se>*

 * New option -dhparam in s_server. This allows a DH parameter file to be
   stated explicitly. If it is not stated then it tries the first server
   certificate file. The previous behaviour hard coded the filename
   "server.pem".

   *Steve Henson*

 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
   a public key to be input or output. For example:
           openssl rsa -in key.pem -pubout -out pubkey.pem
   Also added necessary DSA public key functions to handle this.

   *Steve Henson*

 * Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
   in the message. This was handled by allowing
   X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.

   *Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>*

 * Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
   to the end of the strings whereas this didn't. This would cause problems
   if strings read with d2i_ASN1_bytes() were later modified.

   *Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>*

 * Fix for base64 decode bug. When a base64 bio reads only one line of
   data and it contains EOF it will end up returning an error. This is
   caused by input 46 bytes long. The cause is due to the way base64
   BIOs find the start of base64 encoded data. They do this by trying a
   trial decode on each line until they find one that works. When they
   do a flag is set and it starts again knowing it can pass all the
   data directly through the decoder. Unfortunately it doesn't reset
   the context it uses. This means that if EOF is reached an attempt
   is made to pass two EOFs through the context and this causes the
   resulting error. This can also cause other problems as well. As is
   usual with these problems it takes *ages* to find and the fix is
   trivial: move one line.

   *Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer)*

 * Ugly workaround to get s_client and s_server working under Windows. The
   old code wouldn't work because it needed to select() on sockets and the
   tty (for keypresses and to see if data could be written). Win32 only
   supports select() on sockets so we select() with a 1s timeout on the
   sockets and then see if any characters are waiting to be read, if none
   are present then we retry, we also assume we can always write data to
   the tty. This isn't nice because the code then blocks until we've
   received a complete line of data and it is effectively polling the
   keyboard at 1s intervals: however it's quite a bit better than not
   working at all :-) A dedicated Windows application might handle this
   with an event loop for example.

   *Steve Henson*

 * Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
   and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
   will be called when RSA_sign() and RSA_verify() are used. This is useful
   if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
   For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
   should *not* be used: RSA_sign() and RSA_verify() must be used instead.
   This necessitated the support of an extra signature type NID_md5_sha1
   for SSL signatures and modifications to the SSL library to use it instead
   of calling RSA_public_decrypt() and RSA_private_encrypt().

   *Steve Henson*

 * Add new -verify -CAfile and -CApath options to the crl program, these
   will look up a CRL issuer's certificate and verify the signature in a
   similar way to the verify program. Tidy up the crl program so it
   no longer accesses structures directly. Make the ASN1 CRL parsing a bit
   less strict. It will now permit CRL extensions even if it is not
   a V2 CRL: this will allow it to tolerate some broken CRLs.

   *Steve Henson*

 * Initialize all non-automatic variables each time one of the openssl
   sub-programs is started (this is necessary as they may be started
   multiple times from the "OpenSSL>" prompt).

   *Lennart Bang, Bodo Moeller*

 * Preliminary compilation option RSA_NULL which disables RSA crypto without
   removing all other RSA functionality (this is what NO_RSA does). This
   is so (for example) those in the US can disable those operations covered
   by the RSA patent while allowing storage and parsing of RSA keys and RSA
   key generation.

   *Steve Henson*

 * Non-copying interface to BIO pairs.
   (still largely untested)

   *Bodo Moeller*

 * New function ASN1_tag2str() to convert an ASN1 tag to a descriptive
   ASCII string. This was handled independently in various places before.

   *Steve Henson*

 * New functions UTF8_getc() and UTF8_putc() that parse and generate
   UTF8 strings a character at a time.
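   Added example, not code from the changelog or from OpenSSL, modelling the "minimal type" choice that ASN1_mbstring_copy() makes when X509_NAME_add_entry_by_txt() is handed an MBSTRING_ASC or MBSTRING_UTF8 value (see the X509_NAME and ASN1_mbstring_copy() entries above). The mask flag values and the Latin-1 reading of T61String are this example's own simplifications, not the library's constants.

```python
# Added example (not OpenSSL code): pick the narrowest ASN.1 string type a
# DN value fits in, given a mask of permitted types, then serialize it.
# Flag values and the Latin-1 treatment of T61String are simplifications.
from enum import IntFlag
from typing import Tuple


class StrType(IntFlag):
    PRINTABLE = 1
    IA5 = 2
    T61 = 4
    BMP = 8
    UNIVERSAL = 16
    UTF8 = 32


# X.520 DirectoryString choices, the types a DN attribute such as CN may use.
DIRSTRING = (StrType.PRINTABLE | StrType.T61 | StrType.BMP
             | StrType.UNIVERSAL | StrType.UTF8)
# PKCS#9 emailAddress is IA5String only.
IA5_ONLY = StrType.IA5

PRINTABLE_SET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                    "0123456789 '()+,-./:=?")


def choose_type(text: str, mask: StrType) -> StrType:
    """Narrowest permitted type that can carry every character, tried in the
    order PrintableString, IA5String, T61String, BMPString, UniversalString,
    UTF8String; raise when the mask rules every fitting type out."""
    cps = [ord(c) for c in text]
    if mask & StrType.PRINTABLE and all(c in PRINTABLE_SET for c in text):
        return StrType.PRINTABLE
    if mask & StrType.IA5 and all(cp < 0x80 for cp in cps):
        return StrType.IA5
    if mask & StrType.T61 and all(cp < 0x100 for cp in cps):
        return StrType.T61
    if mask & StrType.BMP and all(cp < 0x10000 for cp in cps):
        return StrType.BMP
    if mask & StrType.UNIVERSAL:
        return StrType.UNIVERSAL
    if mask & StrType.UTF8:
        return StrType.UTF8
    raise ValueError(f"no permitted string type can represent {text!r}")


def encode_value(text: str, stype: StrType) -> bytes:
    """Payload bytes of the ASN1_STRING for the chosen type (no tag/length)."""
    if stype in (StrType.PRINTABLE, StrType.IA5, StrType.T61):
        return text.encode("latin-1")      # one byte per character
    if stype == StrType.BMP:
        return text.encode("utf-16-be")    # two bytes per character
    if stype == StrType.UNIVERSAL:
        return text.encode("utf-32-be")    # four bytes per character
    return text.encode("utf-8")


def mbstring_copy(text: str, mask: StrType) -> Tuple[StrType, bytes]:
    """What the library call returns conceptually: (type, encoded value)."""
    stype = choose_type(text, mask)
    return stype, encode_value(text, stype)


if __name__ == "__main__":
    for value, mask in (("Steve", DIRSTRING), ("Müller", DIRSTRING),
                        ("東京", DIRSTRING), ("steve@example.test", IA5_ONLY)):
        stype, raw = mbstring_copy(value, mask)
        print(f"{value!r:22} -> {stype.name:10} {raw.hex()}")
```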

   *Steve Henson*

 * Use client_version from client hello to select the protocol
   (s23_srvr.c) and for RSA client key exchange verification
   (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.

   *Bodo Moeller*

 * Add various utility functions to handle SPKACs, these were previously
   handled by poking round in the structure internals. Added new function
   NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
   print, verify and generate SPKACs. Based on an original idea from
   Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.

   *Steve Henson*

 * RIPEMD160 is operational on all platforms and is back in 'make test'.

   *Andy Polyakov*

 * Allow the config file extension section to be overwritten on the
   command line. Based on an original idea from Massimiliano Pala
   <madwolf@comune.modena.it>. The new option is called -extensions
   and can be applied to ca, req and x509. Also -reqexts to override
   the request extensions in req and -crlexts to override the crl extensions
   in ca.

   *Steve Henson*

 * Add new feature to the SPKAC handling in ca. Now you can include
   the same field multiple times by preceding it by "XXXX." for example:
           1.OU="Unit name 1"
           2.OU="Unit name 2"
   this is the same syntax as used in the req config file.

   *Steve Henson*

 * Allow certificate extensions to be added to certificate requests. These
   are specified in a 'req_extensions' option of the req section of the
   config file. They can be printed out with the -text option to req but
   are otherwise ignored at present.

   *Steve Henson*

 * Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
   data read consists of only the final block it would not be decrypted because
   EVP_CipherUpdate() would correctly report zero bytes had been decrypted.
   A misplaced 'break' also meant the decrypted final block might not be
   copied until the next read.

   *Steve Henson*

 * Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
   a few extra parameters to the DH structure: these will be useful if
   for example we want the value of 'q' or implement X9.42 DH.

   *Steve Henson*

 * Initial support for DSA_METHOD. This is based on the RSA_METHOD and
   provides hooks that allow the default DSA functions or functions on a
   "per key" basis to be replaced. This allows hardware acceleration and
   hardware key storage to be handled without major modification to the
   library. Also added low-level modexp hooks and CRYPTO_EX structure and
   associated functions.

   *Steve Henson*

 * Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
   as "read only": it can't be written to and the buffer it points to will
   not be freed. Reading from a read only BIO is much more efficient than
   a normal memory BIO. This was added because there are several times when
   an area of memory needs to be read from a BIO. The previous method was
   to create a memory BIO and write the data to it, this results in two
   copies of the data and an O(n^2) reading algorithm. There is a new
   function BIO_new_mem_buf() which creates a read only memory BIO from
   an area of memory. Also modified the PKCS#7 routines to use read only
   memory BIOs.

   *Steve Henson*

 * Bugfix: ssl23_get_client_hello did not work properly when called in
   state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
   a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
   but a retry condition occurred while trying to read the rest.

   *Bodo Moeller*

 * The PKCS7_ENC_CONTENT_new() function was setting the content type as
   NID_pkcs7_encrypted by default: this was wrong since this should almost
   always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
   the encrypted data type: this is a more sensible place to put it and it
   allows the PKCS#12 code to be tidied up that duplicated this
   functionality.

   *Steve Henson*

 * Changed obj_dat.pl script so it takes its input and output files on
   the command line. This should avoid shell escape redirection problems
   under Win32.

   *Steve Henson*

 * Initial support for certificate extension requests, these are included
   in things like Xenroll certificate requests. Included functions to allow
   extensions to be obtained and added.

   *Steve Henson*

 * -crlf option to s_client and s_server for sending newlines as
   CRLF (as required by many protocols).

   *Bodo Moeller*

### Changes between 0.9.3a and 0.9.4 [09 Aug 1999]

 * Install libRSAglue.a when OpenSSL is built with RSAref.

   *Ralf S. Engelschall*

 * A few more `#ifndef NO_FP_API / #endif` pairs for consistency.

   *Andrija Antonijevic <TheAntony2@bigfoot.com>*

 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
   program.

   *Steve Henson*

 * New function DSA_dup_DH, which duplicates DSA parameters/keys as
   DH parameters/keys (q is lost during that conversion, but the resulting
   DH parameters contain its length).

   For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
   much faster than DH_generate_parameters (which creates parameters
   where `p = 2*q + 1`), and also the smaller q makes DH computations
   much more efficient (160-bit exponentiation instead of 1024-bit
   exponentiation); so this provides a convenient way to support DHE
   ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
   utter importance to use
           SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
   or
           SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
   when such DH parameters are used, because otherwise small subgroup
   attacks may become possible!

   *Bodo Moeller*

 * Avoid memory leak in i2d_DHparams.

   *Bodo Moeller*

 * Allow the -k option to be used more than once in the enc program:
   this allows the same encrypted message to be read by multiple recipients.

   *Steve Henson*

 * New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
   an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
   it will always use the numerical form of the OID, even if it has a short
   or long name.

   *Steve Henson*

 * Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
   method only got called if p,q,dmp1,dmq1,iqmp components were present,
   otherwise bn_mod_exp was called. In the case of hardware keys for example
   no private key components need be present and it might store extra data
   in the RSA structure, which cannot be accessed from bn_mod_exp.
   By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
   private key operations.

   *Steve Henson*

 * Added support for SPARC Linux.
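   Added example, not code from the changelog or from OpenSSL, for the DSA_dup_DH entry above: with toy-size constructed numbers it shows why DSA-style parameters (p - 1 = q * h with a large cofactor h, unlike the safe prime p = 2q + 1 that DH_generate_parameters makes) leave the receiver needing a subgroup check on the peer's public value, and why SSL_OP_SINGLE_DH_USE matters. The parameter set p = 67, q = 11, g = 64 is constructed for illustration only.

```python
# Added example (not OpenSSL code): parameter-shape and peer-value checks for
# DH over DSA-style parameters, with constructed toy-size numbers.

def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def multiplicative_order(y: int, p: int) -> int:
    """Smallest k > 0 with y^k == 1 (mod p); brute force, toy p only."""
    acc, k = y % p, 1
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k


def check_dh_params(p: int, q: int, g: int) -> int:
    """Validate the shape and return the cofactor h = (p-1)/q: p and q prime,
    q | p-1, and g a generator of the order-q subgroup (g^q == 1, g != 1).
    h == 2 means a safe prime; a large h is the DSA-style case."""
    if not (is_prime(p) and is_prime(q) and (p - 1) % q == 0):
        raise ValueError("p, q must be prime with q dividing p-1")
    if g <= 1 or pow(g, q, p) != 1:
        raise ValueError("g is not a generator of the order-q subgroup")
    return (p - 1) // q


def peer_value_acceptable(y: int, p: int, q: int) -> bool:
    """Check to apply to a received public value before computing y^x mod p.
    The range test 1 < y < p-1 suffices for a safe prime, where every value
    in range has order q; with a DSA-style p the cofactor carries small
    factors, so y^q == 1 (mod p) must be tested to reject small-order y."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def secret_candidates(y: int, p: int) -> int:
    """Number of distinct values y^x mod p can take over all x, i.e. the order
    of y. A small-order y squeezes the shared secret into a tiny set, and
    each such handshake against a fixed x reveals x modulo that order; a
    fresh x per connection (SSL_OP_SINGLE_DH_USE) stops that accumulating."""
    return multiplicative_order(y, p)


# Constructed toy parameters: p = 67, q = 11, cofactor 6 = 2 * 3, g = 64.
P, Q, G = 67, 11, 64

if __name__ == "__main__":
    h = check_dh_params(P, Q, G)
    print("cofactor", h, "safe prime:", h == 2)
    honest = pow(G, 5, P)   # a genuine public value g^x
    small = 37              # constructed: order-3 element, passes the range test
    for y in (honest, small, P - 1):
        print(y, "acceptable:", peer_value_acceptable(y, P, Q),
              "secret candidates:", secret_candidates(y, P))
```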

   *Andy Polyakov*

 * pem_password_cb function type incompatibly changed from
           typedef int pem_password_cb(char *buf, int size, int rwflag);
   to
           ....(char *buf, int size, int rwflag, void *userdata);
   so that applications can pass data to their callbacks:
   The `PEM[_ASN1]_{read,write}...` functions and macros now take an
   additional void * argument, which is just handed through whenever
   the password callback is called.

   *Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller*

   New function SSL_CTX_set_default_passwd_cb_userdata.

   Compatibility note: As many C implementations push function arguments
   onto the stack in reverse order, the new library version is likely to
   interoperate with programs that have been compiled with the old
   pem_password_cb definition (PEM_whatever takes some data that
   happens to be on the stack as its last argument, and the callback
   just ignores this garbage); but there is no guarantee whatsoever that
   this will work.

 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
   (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
   problems not only on Windows, but also on some Unix platforms.
   To avoid problematic command lines, these definitions are now in an
   auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
   for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).

   *Bodo Moeller*

 * MIPS III/IV assembler module is reimplemented.

   *Andy Polyakov*

 * More DES library cleanups: remove references to srand/rand and
   delete an unused file.

   *Ulf Möller*

 * Add support for the free Netwide assembler (NASM) under Win32,
   since not many people have MASM (ml) and it can be hard to obtain.
   This is currently experimental but it seems to work OK and pass all
   the tests. Check out INSTALL.W32 for info.

   *Steve Henson*

 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
   without temporary keys kept an extra copy of the server key,
   and connections with temporary keys did not free everything in case
   of an error.

   *Bodo Moeller*

 * New function RSA_check_key and new openssl rsa option -check
   for verifying the consistency of RSA keys.

   *Ulf Moeller, Bodo Moeller*

 * Various changes to make Win32 compile work:
   1. Casts to avoid "loss of data" warnings in p5_crpt2.c
   2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
      comparison" warnings.
   3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.

   *Steve Henson*

 * Add a debugging option to PKCS#5 v2 key generation function: when
   you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
   derived keys are printed to stderr.

   *Steve Henson*

 * Copy the flags in ASN1_STRING_dup().

   *Roman E. Pavlov <pre@mo.msk.ru>*

 * The x509 application mishandled signing requests containing DSA
   keys when the signing key was also DSA and the parameters didn't match.

   It was supposed to omit the parameters when they matched the signing key:
   the verifying software was then supposed to automatically use the CA's
   parameters if they were absent from the end user certificate.

   Omitting parameters is no longer recommended. The test was also
   the wrong way round! This was probably due to unusual behaviour in
   EVP_cmp_parameters() which returns 1 if the parameters match.
   This meant that parameters were omitted when they *didn't* match and
   the certificate was useless. Certificates signed with 'ca' didn't have
   this bug.

   *Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>*

 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
   The interface is as follows:
   Applications can use
           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
   "off" is now the default.
   The library internally uses
           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
   to disable memory-checking temporarily.

   Some inconsistent states that previously were possible (and were
   even the default) are now avoided.

   -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
   with each memory chunk allocated; this is occasionally more helpful
   than just having a counter.

   -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.

   -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
   extensions.

   *Bodo Moeller*

 * Introduce "mode" for SSL structures (with defaults in SSL_CTX),
   which largely parallels "options", but is for changing API behaviour,
   whereas "options" are about protocol behaviour.
   Initial "mode" flags are:

   SSL_MODE_ENABLE_PARTIAL_WRITE        Allow SSL_write to report success when
                                        a single record has been written.
   SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER  Don't insist that SSL_write
                                        retries use the same buffer location.
                                        (But all of the contents must be
                                        copied!)

   *Bodo Moeller*

 * Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
   worked.

 * Fix problems with no-hmac etc.

   *Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>*

 * New functions RSA_get_default_method(), RSA_set_method() and
   RSA_get_method(). These allow replacement of RSA_METHODs without having
   to mess around with the internals of an RSA structure.

   *Steve Henson*

 * Fix memory leaks in DSA_do_sign and DSA_is_prime.
   Also really enable memory leak checks in openssl.c and in some
   test programs.

   *Chad C. Mulligan, Bodo Moeller*

 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
   up the length of negative integers. This has now been simplified to just
   store the length when it is first determined and use it later, rather
   than trying to keep track of where data is copied and updating it to
   point to the end.

   *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*

 * Add a new function PKCS7_signatureVerify. This allows the verification
   of a PKCS#7 signature but with the signing certificate passed to the
   function itself. This contrasts with PKCS7_dataVerify which assumes the
   certificate is present in the PKCS#7 structure. This isn't always the
   case: certificates can be omitted from a PKCS#7 structure and be
   distributed by "out of band" means (such as a certificate database).

   *Steve Henson*

 * Complete the `PEM_*` macros with DECLARE_PEM versions to replace the
   function prototypes in pem.h, also change util/mkdef.pl to add the
   necessary function names.

   *Steve Henson*

 * mk1mf.pl (used by Windows builds) did not properly read the
   options set by Configure in the top level Makefile, and Configure
   was not even able to write more than one option correctly.
   Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.

   *Bodo Moeller*

 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
   file to be loaded from a BIO or FILE pointer. The BIO version will
   for example allow memory BIOs to contain config info.

   *Steve Henson*

 * New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
   Whoever hopes to achieve shared-library compatibility across versions
   must use this, not the compile-time macro.
   (Exercise 0.9.4: Which is the minimum library version required by
   such programs?)
   Note: All this applies only to multi-threaded programs, others don't
   need locks.

   *Bodo Moeller*

 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
   through a BIO pair triggered the default case, i.e.
   SSLerr(...,SSL_R_UNKNOWN_STATE).

   *Bodo Moeller*

 * New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
   can use the SSL library even if none of the specific BIOs is
   appropriate.

   *Bodo Moeller*

 * Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
   for the encoded length.

   *Jeon KyoungHo <khjeon@sds.samsung.co.kr>*

 * Add initial documentation of the X509V3 functions.

   *Steve Henson*

 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
   PEM_write_bio_PKCS8PrivateKey() that are equivalent to
   PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
   secure PKCS#8 private key format with a high iteration count.

   *Steve Henson*

 * Fix determination of Perl interpreter: A perl or perl5
   *directory* in $PATH was also accepted as the interpreter.

   *Ralf S. Engelschall*

 * Fix demos/sign/sign.c: well there wasn't anything strictly speaking
   wrong with it but it was very old and did things like calling
   PEM_ASN1_read() directly and used MD5 for the hash not to mention some
   unusual formatting.

   *Steve Henson*

 * Fix demos/selfsign.c: it used obsolete and deleted functions, changed
   to use the new extension code.

   *Steve Henson*

 * Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
   with macros. This should make it easier to change their form, add extra
   arguments etc. Fix a few PEM prototypes which didn't have cipher as a
   constant.

   *Steve Henson*

 * Add to configuration table a new entry that can specify an alternative
   name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
   according to Mark Crispin <MRC@Panda.COM>.

   *Bodo Moeller*

 * DES CBC did not update the IV. Weird.

   *Ben Laurie*

   des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
   Changing the behaviour of the former might break existing programs --
   where IV updating is needed, des_ncbc_encrypt can be used.

 * When bntest is run from "make test" it drives bc to check its
   calculations, as well as internally checking them. If an internal check
   fails, it needs to cause bc to give a non-zero result or make test carries
   on without noticing the failure. Fixed.

   *Ben Laurie*

 * DES library cleanups.

   *Ulf Möller*

 * Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
   used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
   ciphers. NOTE: although the key derivation function has been verified
   against some published test vectors it has not been extensively tested
   yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
   of v2.0.

   *Steve Henson*

 * Instead of "mkdir -p", which is not fully portable, use new
   Perl script "util/mkdir-p.pl".

   *Bodo Moeller*

 * Rewrite the way password based encryption (PBE) is handled. It used to
   assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
   structure.
This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms 17798 but doesn't apply to PKCS#5 v2.0 where it can be something else. Now 17799 the 'parameter' field of the AlgorithmIdentifier is passed to the 17800 underlying key generation function so it must do its own ASN1 parsing. 17801 This has also changed the EVP_PBE_CipherInit() function which now has a 17802 'parameter' argument instead of literal salt and iteration count values 17803 and the function EVP_PBE_ALGOR_CipherInit() has been deleted. 17804 17805 *Steve Henson* 17806 17807 * Support for PKCS#5 v1.5 compatible password based encryption algorithms 17808 and PKCS#8 functionality. New 'pkcs8' application linked to openssl. 17809 Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE 17810 KEY" because this clashed with PKCS#8 unencrypted string. Since this 17811 value was just used as a "magic string" and not used directly its 17812 value doesn't matter. 17813 17814 *Steve Henson* 17815 17816 * Introduce some semblance of const correctness to BN. Shame C doesn't 17817 support mutable. 17818 17819 *Ben Laurie* 17820 17821 * "linux-sparc64" configuration (ultrapenguin). 17822 17823 *Ray Miller <ray.miller@oucs.ox.ac.uk>* 17824 "linux-sparc" configuration. 17825 17826 *Christian Forster <fo@hawo.stw.uni-erlangen.de>* 17827 17828 * config now generates no-xxx options for missing ciphers. 17829 17830 *Ulf Möller* 17831 17832 * Support the EBCDIC character set (work in progress). 17833 File ebcdic.c not yet included because it has a different license. 17834 17835 *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>* 17836 17837 * Support BS2000/OSD-POSIX. 17838 17839 *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>* 17840 17841 * Make callbacks for key generation use `void *` instead of `char *`. 17842 17843 *Ben Laurie* 17844 17845 * Make S/MIME samples compile (not yet tested). 17846 17847 *Ben Laurie* 17848 17849 * Additional typesafe stacks. 
17850 17851 *Ben Laurie* 17852 17853 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x). 17854 17855 *Bodo Moeller* 17856 17857### Changes between 0.9.3 and 0.9.3a [29 May 1999] 17858 17859 * New configuration variant "sco5-gcc". 17860 17861 * Updated some demos. 17862 17863 *Sean O Riordain, Wade Scholine* 17864 17865 * Add missing BIO_free at exit of pkcs12 application. 17866 17867 *Wu Zhigang* 17868 17869 * Fix memory leak in conf.c. 17870 17871 *Steve Henson* 17872 17873 * Updates for Win32 to assembler version of MD5. 17874 17875 *Steve Henson* 17876 17877 * Set #! path to perl in `apps/der_chop` to where we found it 17878 instead of using a fixed path. 17879 17880 *Bodo Moeller* 17881 17882 * SHA library changes for irix64-mips4-cc. 17883 17884 *Andy Polyakov* 17885 17886 * Improvements for VMS support. 17887 17888 *Richard Levitte* 17889 17890### Changes between 0.9.2b and 0.9.3 [24 May 1999] 17891 17892 * Bignum library bug fix. IRIX 6 passes "make test" now! 17893 This also avoids the problems with SC4.2 and unpatched SC5. 17894 17895 *Andy Polyakov <appro@fy.chalmers.se>* 17896 17897 * New functions sk_num, sk_value and sk_set to replace the previous macros. 17898 These are required because of the typesafe stack would otherwise break 17899 existing code. If old code used a structure member which used to be STACK 17900 and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with 17901 sk_num or sk_value it would produce an error because the num, data members 17902 are not present in STACK_OF. Now it just produces a warning. sk_set 17903 replaces the old method of assigning a value to sk_value 17904 (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code 17905 that does this will no longer work (and should use sk_set instead) but 17906 this could be regarded as a "questionable" behaviour anyway. 17907 17908 *Steve Henson* 17909 17910 * Fix most of the other PKCS#7 bugs. 
The "experimental" code can now 17911 correctly handle encrypted S/MIME data. 17912 17913 *Steve Henson* 17914 17915 * Change type of various DES function arguments from des_cblock 17916 (which means, in function argument declarations, pointer to char) 17917 to des_cblock * (meaning pointer to array with 8 char elements), 17918 which allows the compiler to do more typechecking; it was like 17919 that back in SSLeay, but with lots of ugly casts. 17920 17921 Introduce new type const_des_cblock. 17922 17923 *Bodo Moeller* 17924 17925 * Reorganise the PKCS#7 library and get rid of some of the more obvious 17926 problems: find RecipientInfo structure that matches recipient certificate 17927 and initialise the ASN1 structures properly based on passed cipher. 17928 17929 *Steve Henson* 17930 17931 * Belatedly make the BN tests actually check the results. 17932 17933 *Ben Laurie* 17934 17935 * Fix the encoding and decoding of negative ASN1 INTEGERS and conversion 17936 to and from BNs: it was completely broken. New compilation option 17937 NEG_PUBKEY_BUG to allow for some broken certificates that encode public 17938 key elements as negative integers. 17939 17940 *Steve Henson* 17941 17942 * Reorganize and speed up MD5. 17943 17944 *Andy Polyakov <appro@fy.chalmers.se>* 17945 17946 * VMS support. 17947 17948 *Richard Levitte <richard@levitte.org>* 17949 17950 * New option -out to asn1parse to allow the parsed structure to be 17951 output to a file. This is most useful when combined with the -strparse 17952 option to examine the output of things like OCTET STRINGS. 17953 17954 *Steve Henson* 17955 17956 * Make SSL library a little more fool-proof by not requiring any longer 17957 that `SSL_set_{accept,connect}_state` be called before 17958 `SSL_{accept,connect}` may be used (`SSL_set_..._state` is omitted 17959 in many applications because usually everything *appeared* to work as 17960 intended anyway -- now it really works as intended). 
17961 17962 *Bodo Moeller* 17963 17964 * Move openssl.cnf out of lib/. 17965 17966 *Ulf Möller* 17967 17968 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall 17969 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes 17970 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+ 17971 17972 *Ralf S. Engelschall* 17973 17974 * Various fixes to the EVP and PKCS#7 code. It may now be able to 17975 handle PKCS#7 enveloped data properly. 17976 17977 *Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve* 17978 17979 * Create a duplicate of the SSL_CTX's CERT in SSL_new instead of 17980 copying pointers. The cert_st handling is changed by this in 17981 various ways (and thus what used to be known as ctx->default_cert 17982 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert` 17983 any longer when s->cert does not give us what we need). 17984 ssl_cert_instantiate becomes obsolete by this change. 17985 As soon as we've got the new code right (possibly it already is?), 17986 we have solved a couple of bugs of the earlier code where s->cert 17987 was used as if it could not have been shared with other SSL structures. 17988 17989 Note that using the SSL API in certain dirty ways now will result 17990 in different behaviour than observed with earlier library versions: 17991 Changing settings for an `SSL_CTX *ctx` after having done s = SSL_new(ctx) 17992 does not influence s as it used to. 17993 17994 In order to clean up things more thoroughly, inside SSL_SESSION 17995 we don't use CERT any longer, but a new structure SESS_CERT 17996 that holds per-session data (if available); currently, this is 17997 the peer's certificate chain and, for clients, the server's certificate 17998 and temporary key. CERT holds only those values that can have 17999 meaningful defaults in an SSL_CTX. 
18000 18001 *Bodo Moeller* 18002 18003 * New function X509V3_EXT_i2d() to create an X509_EXTENSION structure 18004 from the internal representation. Various PKCS#7 fixes: remove some 18005 evil casts and set the enc_dig_alg field properly based on the signing 18006 key type. 18007 18008 *Steve Henson* 18009 18010 * Allow PKCS#12 password to be set from the command line or the 18011 environment. Let 'ca' get its config file name from the environment 18012 variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req' 18013 and 'x509'). 18014 18015 *Steve Henson* 18016 18017 * Allow certificate policies extension to use an IA5STRING for the 18018 organization field. This is contrary to the PKIX definition but 18019 VeriSign uses it and IE5 only recognises this form. Document 'x509' 18020 extension option. 18021 18022 *Steve Henson* 18023 18024 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic, 18025 without disallowing inline assembler and the like for non-pedantic builds. 18026 18027 *Ben Laurie* 18028 18029 * Support Borland C++ builder. 18030 18031 *Janez Jere <jj@void.si>, modified by Ulf Möller* 18032 18033 * Support Mingw32. 18034 18035 *Ulf Möller* 18036 18037 * SHA-1 cleanups and performance enhancements. 18038 18039 *Andy Polyakov <appro@fy.chalmers.se>* 18040 18041 * Sparc v8plus assembler for the bignum library. 18042 18043 *Andy Polyakov <appro@fy.chalmers.se>* 18044 18045 * Accept any -xxx and +xxx compiler options in Configure. 18046 18047 *Ulf Möller* 18048 18049 * Update HPUX configuration. 18050 18051 *Anonymous* 18052 18053 * Add missing `sk_<type>_unshift()` function to safestack.h 18054 18055 *Ralf S. Engelschall* 18056 18057 * New function SSL_CTX_use_certificate_chain_file that sets the 18058 "extra_cert"s in addition to the certificate. (This makes sense 18059 only for "PEM" format files, as chains as a whole are not 18060 DER-encoded.) 18061 18062 *Bodo Moeller* 18063 18064 * Support verify_depth from the SSL API. 
18065 x509_vfy.c had what can be considered an off-by-one-error: 18066 Its depth (which was not part of the external interface) 18067 was actually counting the number of certificates in a chain; 18068 now it really counts the depth. 18069 18070 *Bodo Moeller* 18071 18072 * Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used 18073 instead of X509err, which often resulted in confusing error 18074 messages since the error codes are not globally unique 18075 (e.g. an alleged error in ssl3_accept when a certificate 18076 didn't match the private key). 18077 18078 * New function SSL_CTX_set_session_id_context that allows to set a default 18079 value (so that you don't need SSL_set_session_id_context for each 18080 connection using the SSL_CTX). 18081 18082 *Bodo Moeller* 18083 18084 * OAEP decoding bug fix. 18085 18086 *Ulf Möller* 18087 18088 * Support INSTALL_PREFIX for package builders, as proposed by 18089 David Harris. 18090 18091 *Bodo Moeller* 18092 18093 * New Configure options "threads" and "no-threads". For systems 18094 where the proper compiler options are known (currently Solaris 18095 and Linux), "threads" is the default. 18096 18097 *Bodo Moeller* 18098 18099 * New script util/mklink.pl as a faster substitute for util/mklink.sh. 18100 18101 *Bodo Moeller* 18102 18103 * Install various scripts to $(OPENSSLDIR)/misc, not to 18104 $(INSTALLTOP)/bin -- they shouldn't clutter directories 18105 such as /usr/local/bin. 18106 18107 *Bodo Moeller* 18108 18109 * "make linux-shared" to build shared libraries. 18110 18111 *Niels Poppe <niels@netbox.org>* 18112 18113 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...). 18114 18115 *Ulf Möller* 18116 18117 * Add the PKCS#12 API documentation to openssl.txt. Preliminary support for 18118 extension adding in x509 utility. 18119 18120 *Steve Henson* 18121 18122 * Remove NOPROTO sections and error code comments. 
18123 18124 *Ulf Möller* 18125 18126 * Partial rewrite of the DEF file generator to now parse the ANSI 18127 prototypes. 18128 18129 *Steve Henson* 18130 18131 * New Configure options --prefix=DIR and --openssldir=DIR. 18132 18133 *Ulf Möller* 18134 18135 * Complete rewrite of the error code script(s). It is all now handled 18136 by one script at the top level which handles error code gathering, 18137 header rewriting and C source file generation. It should be much better 18138 than the old method: it now uses a modified version of Ulf's parser to 18139 read the ANSI prototypes in all header files (thus the old K&R definitions 18140 aren't needed for error creation any more) and do a better job of 18141 translating function codes into names. The old 'ASN1 error code embedded 18142 in a comment' is no longer necessary and it doesn't use .err files which 18143 have now been deleted. Also the error code call doesn't have to appear all 18144 on one line (which resulted in some large lines...). 18145 18146 *Steve Henson* 18147 18148 * Change #include filenames from `<foo.h>` to `<openssl/foo.h>`. 18149 18150 *Bodo Moeller* 18151 18152 * Change behaviour of ssl2_read when facing length-0 packets: Don't return 18153 0 (which usually indicates a closed connection), but continue reading. 18154 18155 *Bodo Moeller* 18156 18157 * Fix some race conditions. 18158 18159 *Bodo Moeller* 18160 18161 * Add support for CRL distribution points extension. Add Certificate 18162 Policies and CRL distribution points documentation. 18163 18164 *Steve Henson* 18165 18166 * Move the autogenerated header file parts to crypto/opensslconf.h. 18167 18168 *Ulf Möller* 18169 18170 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of 18171 8 of keying material. Merlin has also confirmed interop with this fix 18172 between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0. 18173 18174 *Merlin Hughes <merlin@baltimore.ie>* 18175 18176 * Fix lots of warnings. 
18177 18178 *Richard Levitte <levitte@stacken.kth.se>* 18179 18180 * In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if 18181 the directory spec didn't end with a LIST_SEPARATOR_CHAR. 18182 18183 *Richard Levitte <levitte@stacken.kth.se>* 18184 18185 * Fix problems with sizeof(long) == 8. 18186 18187 *Andy Polyakov <appro@fy.chalmers.se>* 18188 18189 * Change functions to ANSI C. 18190 18191 *Ulf Möller* 18192 18193 * Fix typos in error codes. 18194 18195 *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller* 18196 18197 * Remove defunct assembler files from Configure. 18198 18199 *Ulf Möller* 18200 18201 * SPARC v8 assembler BIGNUM implementation. 18202 18203 *Andy Polyakov <appro@fy.chalmers.se>* 18204 18205 * Support for Certificate Policies extension: both print and set. 18206 Various additions to support the r2i method this uses. 18207 18208 *Steve Henson* 18209 18210 * A lot of constification, and fix a bug in X509_NAME_oneline() that could 18211 return a const string when you are expecting an allocated buffer. 18212 18213 *Ben Laurie* 18214 18215 * Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE 18216 types DirectoryString and DisplayText. 18217 18218 *Steve Henson* 18219 18220 * Add code to allow r2i extensions to access the configuration database, 18221 add an LHASH database driver and add several ctx helper functions. 18222 18223 *Steve Henson* 18224 18225 * Fix an evil bug in bn_expand2() which caused various BN functions to 18226 fail when they extended the size of a BIGNUM. 18227 18228 *Steve Henson* 18229 18230 * Various utility functions to handle SXNet extension. Modify mkdef.pl to 18231 support typesafe stack. 18232 18233 *Steve Henson* 18234 18235 * Fix typo in SSL_[gs]et_options(). 18236 18237 *Nils Frostberg <nils@medcom.se>* 18238 18239 * Delete various functions and files that belonged to the (now obsolete) 18240 old X509V3 handling code. 
18241 18242 *Steve Henson* 18243 18244 * New Configure option "rsaref". 18245 18246 *Ulf Möller* 18247 18248 * Don't auto-generate pem.h. 18249 18250 *Bodo Moeller* 18251 18252 * Introduce type-safe ASN.1 SETs. 18253 18254 *Ben Laurie* 18255 18256 * Convert various additional casted stacks to type-safe STACK_OF() variants. 18257 18258 *Ben Laurie, Ralf S. Engelschall, Steve Henson* 18259 18260 * Introduce type-safe STACKs. This will almost certainly break lots of code 18261 that links with OpenSSL (well at least cause lots of warnings), but fear 18262 not: the conversion is trivial, and it eliminates loads of evil casts. A 18263 few STACKed things have been converted already. Feel free to convert more. 18264 In the fullness of time, I'll do away with the STACK type altogether. 18265 18266 *Ben Laurie* 18267 18268 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate 18269 specified in `<certfile>` by updating the entry in the index.txt file. 18270 This way one no longer has to edit the index.txt file manually for 18271 revoking a certificate. The -revoke option does the gory details now. 18272 18273 *Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall* 18274 18275 * Fix `openssl crl -noout -text` combination where `-noout` killed the 18276 `-text` option at all and this way the `-noout -text` combination was 18277 inconsistent in `openssl crl` with the friends in `openssl x509|rsa|dsa`. 18278 18279 *Ralf S. Engelschall* 18280 18281 * Make sure a corresponding plain text error message exists for the 18282 X509_V_ERR_CERT_REVOKED/23 error number which can occur when a 18283 verify callback function determined that a certificate was revoked. 18284 18285 *Ralf S. Engelschall* 18286 18287 * Bugfix: In test/testenc, don't test `openssl <cipher>` for 18288 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test 18289 all available ciphers including rc5, which was forgotten until now. 
18290 In order to let the testing shell script know which algorithms 18291 are available, a new (up to now undocumented) command 18292 `openssl list-cipher-commands` is used. 18293 18294 *Bodo Moeller* 18295 18296 * Bugfix: s_client occasionally would sleep in select() when 18297 it should have checked SSL_pending() first. 18298 18299 *Bodo Moeller* 18300 18301 * New functions DSA_do_sign and DSA_do_verify to provide access to 18302 the raw DSA values prior to ASN.1 encoding. 18303 18304 *Ulf Möller* 18305 18306 * Tweaks to Configure 18307 18308 *Niels Poppe <niels@netbox.org>* 18309 18310 * Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, 18311 yet... 18312 18313 *Steve Henson* 18314 18315 * New variables $(RANLIB) and $(PERL) in the Makefiles. 18316 18317 *Ulf Möller* 18318 18319 * New config option to avoid instructions that are illegal on the 80386. 18320 The default code is faster, but requires at least a 486. 18321 18322 *Ulf Möller* 18323 18324 * Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and 18325 SSL2_SERVER_VERSION (not used at all) macros, which are now the 18326 same as SSL2_VERSION anyway. 18327 18328 *Bodo Moeller* 18329 18330 * New "-showcerts" option for s_client. 18331 18332 *Bodo Moeller* 18333 18334 * Still more PKCS#12 integration. Add pkcs12 application to openssl 18335 application. Various cleanups and fixes. 18336 18337 *Steve Henson* 18338 18339 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and 18340 modify error routines to work internally. Add error codes and PBE init 18341 to library startup routines. 18342 18343 *Steve Henson* 18344 18345 * Further PKCS#12 integration. Added password based encryption, PKCS#8 and 18346 packing functions to asn1 and evp. Changed function names and error 18347 codes along the way. 18348 18349 *Steve Henson* 18350 18351 * PKCS12 integration: and so it begins... First of several patches to 18352 slowly integrate PKCS#12 functionality into OpenSSL. 
Add PKCS#12 18353 objects to objects.h 18354 18355 *Steve Henson* 18356 18357 * Add a new 'indent' option to some X509V3 extension code. Initial ASN1 18358 and display support for Thawte strong extranet extension. 18359 18360 *Steve Henson* 18361 18362 * Add LinuxPPC support. 18363 18364 *Jeff Dubrule <igor@pobox.org>* 18365 18366 * Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to 18367 bn_div_words in alpha.s. 18368 18369 *Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie* 18370 18371 * Make sure the RSA OAEP test is skipped under -DRSAref because 18372 OAEP isn't supported when OpenSSL is built with RSAref. 18373 18374 *Ulf Moeller <ulf@fitug.de>* 18375 18376 * Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h 18377 so they no longer are missing under -DNOPROTO. 18378 18379 *Soren S. Jorvang <soren@t.dk>* 18380 18381### Changes between 0.9.1c and 0.9.2b [22 Mar 1999] 18382 18383 * Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still 18384 doesn't work when the session is reused. Coming soon! 18385 18386 *Ben Laurie* 18387 18388 * Fix a security hole, that allows sessions to be reused in the wrong 18389 context thus bypassing client cert protection! All software that uses 18390 client certs and session caches in multiple contexts NEEDS PATCHING to 18391 allow session reuse! A fuller solution is in the works. 18392 18393 *Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)* 18394 18395 * Some more source tree cleanups (removed obsolete files 18396 crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed 18397 permission on "config" script to be executable) and a fix for the INSTALL 18398 document. 18399 18400 *Ulf Moeller <ulf@fitug.de>* 18401 18402 * Remove some legacy and erroneous uses of malloc, free instead of 18403 Malloc, Free. 18404 18405 *Lennart Bang <lob@netstream.se>, with minor changes by Steve* 18406 18407 * Make rsa_oaep_test return non-zero on error. 
18408 18409 *Ulf Moeller <ulf@fitug.de>* 18410 18411 * Add support for native Solaris shared libraries. Configure 18412 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice 18413 if someone would make that last step automatic. 18414 18415 *Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>* 18416 18417 * ctx_size was not built with the right compiler during "make links". Fixed. 18418 18419 *Ben Laurie* 18420 18421 * Change the meaning of 'ALL' in the cipher list. It now means "everything 18422 except NULL ciphers". This means the default cipher list will no longer 18423 enable NULL ciphers. They need to be specifically enabled e.g. with 18424 the string "DEFAULT:eNULL". 18425 18426 *Steve Henson* 18427 18428 * Fix to RSA private encryption routines: if p < q then it would 18429 occasionally produce an invalid result. This will only happen with 18430 externally generated keys because OpenSSL (and SSLeay) ensure p > q. 18431 18432 *Steve Henson* 18433 18434 * Be less restrictive and allow also `perl util/perlpath.pl 18435 /path/to/bin/perl` in addition to `perl util/perlpath.pl /path/to/bin`, 18436 because this way one can also use an interpreter named `perl5` (which is 18437 usually the name of Perl 5.xxx on platforms where an Perl 4.x is still 18438 installed as `perl`). 18439 18440 *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>* 18441 18442 * Let util/clean-depend.pl work also with older Perl 5.00x versions. 18443 18444 *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>* 18445 18446 * Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add 18447 advapi32.lib to Win32 build and change the pem test comparison 18448 to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the 18449 suggestion). Fix misplaced ASNI prototypes and declarations in evp.h 18450 and crypto/des/ede_cbcm_enc.c. 18451 18452 *Steve Henson* 18453 18454 * DES quad checksum was broken on big-endian architectures. Fixed. 
18455 18456 *Ben Laurie* 18457 18458 * Comment out two functions in bio.h that aren't implemented. Fix up the 18459 Win32 test batch file so it (might) work again. The Win32 test batch file 18460 is horrible: I feel ill.... 18461 18462 *Steve Henson* 18463 18464 * Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected 18465 in e_os.h. Audit of header files to check ANSI and non ANSI 18466 sections: 10 functions were absent from non ANSI section and not exported 18467 from Windows DLLs. Fixed up libeay.num for new functions. 18468 18469 *Steve Henson* 18470 18471 * Make `openssl version` output lines consistent. 18472 18473 *Ralf S. Engelschall* 18474 18475 * Fix Win32 symbol export lists for BIO functions: Added 18476 BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data 18477 to ms/libeay{16,32}.def. 18478 18479 *Ralf S. Engelschall* 18480 18481 * Second round of fixing the OpenSSL perl/ stuff. It now at least compiled 18482 fine under Unix and passes some trivial tests I've now added. But the 18483 whole stuff is horribly incomplete, so a README.1ST with a disclaimer was 18484 added to make sure no one expects that this stuff really works in the 18485 OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources 18486 up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and 18487 openssl_bio.xs. 18488 18489 *Ralf S. Engelschall* 18490 18491 * Fix the generation of two part addresses in perl. 18492 18493 *Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie* 18494 18495 * Add config entry for Linux on MIPS. 18496 18497 *John Tobey <jtobey@channel1.com>* 18498 18499 * Make links whenever Configure is run, unless we are on Windoze. 18500 18501 *Ben Laurie* 18502 18503 * Permit extensions to be added to CRLs using crl_section in openssl.cnf. 18504 Currently only issuerAltName and AuthorityKeyIdentifier make any sense 18505 in CRLs. 
   *Steve Henson*

 * Add a useful kludge to allow package maintainers to specify compiler and
   other platform details on the command line without having to patch the
   Configure script every time: One can now use
   `perl Configure <id>:<details>`,
   i.e. platform ids are allowed to have details appended
   to them (separated by colons). This is treated as if there were a static
   pre-configured entry in Configure's %table under key `<id>` with value
   `<details>` and `perl Configure <id>` is called. So, when you want to
   perform a quick test-compile under FreeBSD 3.1 with pgcc and without
   assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
   now, which overrides the FreeBSD-elf entry on-the-fly.

   *Ralf S. Engelschall*

 * Disable new TLS1 ciphersuites by default: they aren't official yet.

   *Ben Laurie*

 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
   on the `perl Configure ...` command line. This way one can compile
   OpenSSL libraries with Position Independent Code (PIC) which is needed
   for linking it into DSOs.

   *Ralf S. Engelschall*

 * Remarkably, export ciphers were totally broken and no-one had noticed!
   Fixed.

   *Ben Laurie*

 * Cleaned up the LICENSE document: The official contact for any license
   questions now is the OpenSSL core team under openssl-core@openssl.org.
   And add a paragraph about the dual-license situation to make sure people
   recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
   to the OpenSSL toolkit.

   *Ralf S. Engelschall*

 * General source tree makefile cleanups: Made `making xxx in yyy...`
   display consistent in the source tree and replaced `/bin/rm` by `rm`.
   Additionally cleaned up the `make links` target: Remove unnecessary
   semicolons, subsequent redundant removes, inline point.sh into mklink.sh
   to speed processing and no longer clutter the display with confusing
   stuff. Instead only the actually done links are displayed.

   *Ralf S. Engelschall*

 * Permit null encryption ciphersuites, used for authentication only. It used
   to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
   It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
   encryption.

   *Ben Laurie*

 * Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
   signed attributes when verifying signatures (this would break them),
   the detached data encoding was wrong and public keys obtained using
   X509_get_pubkey() weren't freed.

   *Steve Henson*

 * Add text documentation for the BUFFER functions. Also added a work around
   to a Win95 console bug. This was triggered by the password read stuff: the
   last character typed gets carried over to the next fread(). If you were
   generating a new cert request using 'req' for example then the last
   character of the passphrase would be CR which would then enter the first
   field as blank.

   *Steve Henson*

 * Added the new 'Includes OpenSSL Cryptography Software' button as
   doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
   button and can be used by applications based on OpenSSL to show the
   relationship to the OpenSSL project.

   *Ralf S. Engelschall*

 * Remove confusing variables in function signatures in files
   ssl/ssl_lib.c and ssl/ssl.h.

   *Lennart Bong <lob@kulthea.stacken.kth.se>*

 * Don't install bss_file.c under PREFIX/include/

   *Lennart Bong <lob@kulthea.stacken.kth.se>*

 * Get the Win32 compile working again. Modify mkdef.pl so it can handle
   functions that return function pointers and has support for NT specific
   stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
   #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
   unsigned to signed types: this was killing the Win32 compile.

   *Steve Henson*

 * Add new certificate file to stack functions,
   SSL_add_dir_cert_subjects_to_stack() and
   SSL_add_file_cert_subjects_to_stack(). These largely supplant
   SSL_load_client_CA_file(), and can be used to add multiple certs easily
   to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
   This means that Apache-SSL and similar packages don't have to mess around
   to add as many CAs as they want to the preferred list.

   *Ben Laurie*

 * Experiment with doxygen documentation. Currently only partially applied to
   ssl/ssl_lib.c.
   See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with
   openssl.doxy as the configuration file.

   *Ben Laurie*

 * Get rid of remaining C++-style comments which strict C compilers hate.

   *Ralf S. Engelschall, pointed out by Carlos Amengual*

 * Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
   compiled in by default: it has problems with large keys.

   *Steve Henson*

 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
   DH private keys and/or callback functions which directly correspond to
   their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
   is needed for applications which have to configure certificates on a
   per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
   (e.g. s_server).
   For the RSA certificate situation it makes no difference, but
   for the DSA certificate situation this fixes the "no shared cipher"
   problem where the OpenSSL cipher selection procedure failed because the
   temporary keys were not overtaken from the context and the API provided
   no way to reconfigure them.
   The new functions now let applications reconfigure the stuff and they
   are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
   SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
   non-public-API function ssl_cert_instantiate() is used as a helper
   function and also to reduce code redundancy inside ssl_rsa.c.

   *Ralf S. Engelschall*

 * Move s_server -dcert and -dkey options out of the undocumented feature
   area because they are useful for the DSA situation and should be
   recognized by the users.

   *Ralf S. Engelschall*

 * Fix the cipher decision scheme for export ciphers: the export bits are
   *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
   SSL_EXP_MASK. So, the original variable has to be used instead of the
   already masked variable.

   *Richard Levitte <levitte@stacken.kth.se>*

 * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c

   *Richard Levitte <levitte@stacken.kth.se>*

 * Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
   from `int` to `unsigned int` because it is a length and initialized by
   EVP_DigestFinal() which expects an `unsigned int *`.

   *Richard Levitte <levitte@stacken.kth.se>*

 * Don't hard-code path to Perl interpreter on shebang line of Configure
   script. Instead use the usual Shell->Perl transition trick.

   *Ralf S. Engelschall*

 * Make `openssl x509 -noout -modulus` functional also for DSA certificates
   (in addition to RSA certificates) to match the behaviour of `openssl dsa
   -noout -modulus` as it's already the case for `openssl rsa -noout
   -modulus`. For RSA the -modulus is the real "modulus" while for DSA
   currently the public key is printed (a decision which was already done by
   `openssl dsa -modulus` in the past) which serves a similar purpose.
   Additionally the NO_RSA no longer completely removes the whole -modulus
   option; it now only avoids using the RSA stuff. Same applies to NO_DSA
   now, too.

   *Ralf S. Engelschall*

 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
   BIO. See the source (crypto/evp/bio_ok.c) for more info.

   *Arne Ansper <arne@ats.cyber.ee>*

 * Dump the old yucky req code that tried (and failed) to allow raw OIDs
   to be added. Now both 'req' and 'ca' can use new objects defined in the
   config file.

   *Steve Henson*

 * Add cool BIO that does syslog (or event log on NT).

   *Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie*

 * Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
   TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
   TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
   Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.

   *Ben Laurie*

 * Add preliminary config info for new extension code.

   *Steve Henson*

 * Make RSA_NO_PADDING really use no padding.

   *Ulf Moeller <ulf@fitug.de>*

 * Generate errors when private/public key check is done.

   *Ben Laurie*

 * Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
   for some CRL extensions and new objects added.

   *Steve Henson*

 * Really fix the ASN1 IMPLICIT bug this time... Partial support for private
   key usage extension and fuller support for authority key id.

   *Steve Henson*

 * Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
   padding method for RSA, which is recommended for new applications in PKCS
   #1 v2.0 (RFC 2437, October 1998).
   OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
   foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
   against Bleichenbacher's attack on RSA.

   *Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
   Ben Laurie*

 * Updates to the new SSL compression code

   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Fix so that the version number in the master secret, when passed
   via RSA, checks that if TLS was proposed, but we roll back to SSLv3
   (because the server will not accept higher), that the version number
   is 0x03,0x01, not 0x03,0x00

   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory
   leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes
   in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`.

   *Steve Henson*

 * Support for RAW extensions where an arbitrary extension can be
   created by including its DER encoding. See `apps/openssl.cnf` for
   an example.

   *Steve Henson*

 * Make sure latest Perl versions don't interpret some generated C array
   code as Perl array code in the crypto/err/err_genc.pl script.

   *Lars Weber <3weber@informatik.uni-hamburg.de>*

 * Modify ms/do_ms.bat to not generate assembly language makefiles since
   not many people have the assembler. Various Win32 compilation fixes and
   update to the INSTALL.W32 file with (hopefully) more accurate Win32
   build instructions.

   *Steve Henson*

 * Modify configure script 'Configure' to automatically create crypto/date.h
   file under Win32 and also build pem.h from pem.org. New script
   util/mkfiles.pl to create the MINFO file on environments that can't do a
   'make files': perl util/mkfiles.pl >MINFO should work.

   *Steve Henson*

 * Major rework of DES function declarations, in the pursuit of correctness
   and purity. As a result, many evil casts evaporated, and some weirdness,
   too. You may find this causes warnings in your code. Zapping your evil
   casts will probably fix them. Mostly.

   *Ben Laurie*

 * Fix for a typo in asn1.h. Bug fix to object creation script
   obj_dat.pl. It considered a zero in an object definition to mean
   "end of object": none of the objects in objects.h have any zeros
   so it wasn't spotted.

   *Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>*

 * Add support for Triple DES Cipher Block Chaining with Output Feedback
   Masking (CBCM). In the absence of test vectors, the best I have been able
   to do is check that the decrypt undoes the encrypt, so far. Send me test
   vectors if you have them.

   *Ben Laurie*

 * Correct calculation of key length for export ciphers (too much space was
   allocated for null ciphers). This has not been tested!

   *Ben Laurie*

 * Modifications to the mkdef.pl for Win32 DEF file creation. The usage
   message is now correct (it understands "crypto" and "ssl" on its
   command line). There is also now an "update" option.
   This will update
   the util/ssleay.num and util/libeay.num files with any new functions.
   If you do a:
       perl util/mkdef.pl crypto ssl update
   it will update them.

   *Steve Henson*

 * Overhauled the Perl interface:
   - ported BN stuff to OpenSSL's different BN library
   - made the perl/ source tree CVS-aware
   - renamed the package from SSLeay to OpenSSL (the files still contain
     their history because I've copied them in the repository)
   - removed obsolete files (the test scripts will be replaced
     by better Test::Harness variants in the future)

   *Ralf S. Engelschall*

 * First cut for a very conservative source tree cleanup:
   1. merge various obsolete readme texts into doc/ssleay.txt
      where we collect the old documents and readme texts.
   2. remove the first part of files where I'm already sure that we no
      longer need them because of three reasons: either they are just temporary
      files which were left by Eric or they are preserved original files where
      I've verified that the diff is also available in the CVS via "cvs diff
      -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
      the crypto/md/ stuff).

   *Ralf S. Engelschall*

 * More extension code. Incomplete support for subject and issuer alt
   name, issuer and authority key id. Change the i2v function parameters
   and add an extra 'crl' parameter in the X509V3_CTX structure: guess
   what that's for :-) Fix to ASN1 macro which messed up
   IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.

   *Steve Henson*

 * Preliminary support for ENUMERATED type. This is largely copied from the
   INTEGER code.

   *Steve Henson*

 * Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.

   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Make sure `make rehash` target really finds the `openssl` program.

   *Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*

 * Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
   like to hear about it if this slows down other processors.

   *Ben Laurie*

 * Add CygWin32 platform information to Configure script.

   *Alan Batie <batie@aahz.jf.intel.com>*

 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`

   *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*

 * New program nseq to manipulate netscape certificate sequences

   *Steve Henson*

 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
   few typos.

   *Steve Henson*

 * Fixes to BN code. Previously the default was to define BN_RECURSION
   but the BN code had some problems that would cause failures when
   doing certificate verification and some other functions.

   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Add ASN1 and PEM code to support netscape certificate sequences.

   *Steve Henson*

 * Add several PKIX and private extended key usage OIDs.

   *Steve Henson*

 * Modify the 'ca' program to handle the new extension code. Modify
   openssl.cnf for new extension format, add comments.

   *Steve Henson*

 * More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
   and add a sample to openssl.cnf so req -x509 now adds appropriate
   CA extensions.

   *Steve Henson*

 * Continued X509 V3 changes. Add to other makefiles, integrate with the
   error code, add initial support to X509_print() and x509 application.
   *Steve Henson*

 * Take a deep breath and start adding X509 V3 extension support code. Add
   files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
   stuff is currently isolated and isn't even compiled yet.

   *Steve Henson*

 * Continuing patches for GeneralizedTime. Fix up certificate and CRL
   ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
   Removed the versions check from X509 routines when loading extensions:
   this allows certain broken certificates that don't set the version
   properly to be processed.

   *Steve Henson*

 * Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
   Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
   can still be regenerated with "make depend".

   *Ben Laurie*

 * Spelling mistake in C version of CAST-128.

   *Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>*

 * Changes to the error generation code. The perl script err-code.pl
   now reads in the old error codes and retains the old numbers, only
   adding new ones if necessary. It also only changes the .err files if new
   codes are added. The makefiles have been modified to only insert errors
   when needed (to avoid needlessly modifying header files). This is done
   by only inserting errors if the .err file is newer than the auto generated
   C file. To rebuild all the error codes from scratch (the old behaviour)
   either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
   or delete all the .err files.

   *Steve Henson*

 * CAST-128 was incorrectly implemented for short keys. The C version has
   been fixed, but is untested. The assembler versions are also fixed, but
   new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
   to regenerate it if needed.

   *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
   Hagino <itojun@kame.net>*

 * File was opened incorrectly in randfile.c.

   *Ulf Möller <ulf@fitug.de>*

 * Beginning of support for GeneralizedTime. d2i, i2d, check and print
   functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
   GeneralizedTime. ASN1_TIME is the proper type used in certificates et
   al: it's just almost always a UTCTime. Note this patch adds new error
   codes so do a "make errors" if there are problems.

   *Steve Henson*

 * Correct Linux 1 recognition in config.

   *Ulf Möller <ulf@fitug.de>*

 * Remove pointless MD5 hash when using DSA keys in ca.

   *Anonymous <nobody@replay.com>*

 * Generate an error if given an empty string as a cert directory. Also
   generate an error if handed NULL (previously returned 0 to indicate an
   error, but didn't set one).

   *Ben Laurie, reported by Anonymous <nobody@replay.com>*

 * Add prototypes to SSL methods. Make SSL_write's buffer const, at last.

   *Ben Laurie*

 * Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
   parameters. This was causing a warning which killed off the Win32 compile.

   *Steve Henson*

 * Remove C++ style comments from crypto/bn/bn_local.h.

   *Neil Costigan <neil.costigan@celocom.com>*

 * The function OBJ_txt2nid was broken. It was supposed to return a nid
   based on a text string, looking up short and long names and finally
   "dot" format. The "dot" format stuff didn't work. Added new function
   OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
   OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
   OID is not part of the table.

   *Steve Henson*

 * Add prototypes to X509 lookup/verify methods, fixing a bug in
   X509_LOOKUP_by_alias().

   *Ben Laurie*

 * Sort openssl functions by name.

   *Ben Laurie*

 * Get the `gendsa` command working and add it to the `list` command. Remove
   encryption from sample DSA keys (in case anyone is interested the password
   was "1234").

   *Steve Henson*

 * Make *all* `*_free` functions accept a NULL pointer.

   *Frans Heymans <fheymans@isaserver.be>*

 * If a DH key is generated in s3_srvr.c, don't blow it by trying to use
   NULL pointers.

   *Anonymous <nobody@replay.com>*

 * s_server should send the CAfile as acceptable CAs, not its own cert.

   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*

 * Don't blow it for numeric `-newkey` arguments to `apps/req`.

   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*

 * Temp key "for export" tests were wrong in s3_srvr.c.

   *Anonymous <nobody@replay.com>*

 * Add prototype for temp key callback functions
   SSL_CTX_set_tmp_{rsa,dh}_callback().

   *Ben Laurie*

 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
   DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().

   *Steve Henson*

 * X509_name_add_entry() freed the wrong thing after an error.

   *Arne Ansper <arne@ats.cyber.ee>*

 * rsa_eay.c would attempt to free a NULL context.

   *Arne Ansper <arne@ats.cyber.ee>*

 * BIO_s_socket() had a broken should_retry() on Windoze.

   *Arne Ansper <arne@ats.cyber.ee>*

 * BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.

   *Arne Ansper <arne@ats.cyber.ee>*

 * Make sure the already existing X509_STORE->depth variable is initialized
   in X509_STORE_new(), but document the fact that this variable is still
   unused in the certificate verification process.

   *Ralf S. Engelschall*

 * Fix the various library and `apps/` files to free up pkeys obtained from
   X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.

   *Steve Henson*

 * Fix reference counting in X509_PUBKEY_get(). This makes
   demos/maurice/example2.c work, amongst others, probably.

   *Steve Henson and Ben Laurie*

 * First cut of a cleanup for `apps/`. First the `ssleay` program is now named
   `openssl` and second, the shortcut symlinks for the `openssl <command>`
   are no longer created. This way we have a single and consistent command
   line interface `openssl <command>`, similar to `cvs <command>`.

   *Ralf S. Engelschall, Paul Sutton and Ben Laurie*

 * ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
   BIT STRING wrapper always have zero unused bits.

   *Steve Henson*

 * Add CA.pl, perl version of CA.sh, add extended key usage OID.

   *Steve Henson*

 * Make the top-level INSTALL documentation easier to understand.

   *Paul Sutton*

 * Makefiles updated to exit if an error occurs in a sub-directory
   make (including if user presses ^C)

   *Paul Sutton*

 * Make Montgomery context stuff explicit in RSA data structure.

   *Ben Laurie*

 * Fix build order of pem and err to allow for generated pem.h.

   *Ben Laurie*

 * Fix renumbering bug in X509_NAME_delete_entry().

   *Ben Laurie*

 * Enhanced the err-ins.pl script so it makes the error library number
   global and can add a library name. This is needed for external ASN1 and
   other error libraries.

   *Steve Henson*

 * Fixed sk_insert which never worked properly.

   *Steve Henson*

 * Fix ASN1 macros so they can handle indefinite length constructed
   EXPLICIT tags. Some non standard certificates use these: they can now
   be read in.

   *Steve Henson*

 * Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
   into a single doc/ssleay.txt bundle. This way the information is still
   preserved but no longer messes up this directory. Now it's new room for
   the new set of documentation files.

   *Ralf S. Engelschall*

 * SETs were incorrectly DER encoded. This was a major pain, because they
   shared code with SEQUENCEs, which aren't coded the same. This means that
   almost everything to do with SETs or SEQUENCEs has either changed name or
   number of arguments.

   *Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>*

 * Fix test data to work with the above.

   *Ben Laurie*

 * Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
   was already fixed by Eric for 0.9.1 it seems.

   *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*

 * Autodetect FreeBSD3.

   *Ben Laurie*

 * Fix various bugs in Configure. This affects the following platforms:
       nextstep
       ncr-scde
       unixware-2.0
       unixware-2.0-pentium
       sco5-cc.

   *Ben Laurie*

 * Eliminate generated files from CVS. Reorder tests to regenerate files
   before they are needed.

   *Ben Laurie*

 * Generate Makefile.ssl from Makefile.org (to keep CVS happy).
   *Ben Laurie*

### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]

 * Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
   changed SSLeay to OpenSSL in version strings.

   *Ralf S. Engelschall*

 * Some fixups to the top-level documents.

   *Paul Sutton*

 * Fixed the nasty bug where rsaref.h was not found under compile-time
   because the symlink to include/ was missing.

   *Ralf S. Engelschall*

 * Incorporated the popular no-RSA/DSA-only patches
   which allow compiling an RSA-free SSLeay.

   *Andrew Cooke / Interrader Ldt., Ralf S. Engelschall*

 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
   when "ssleay" is still not found.

   *Ralf S. Engelschall*

 * Added more platforms to Configure: Cray T3E, HPUX 11.

   *Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>*

 * Updated the README file.

   *Ralf S. Engelschall*

 * Added various .cvsignore files in the CVS repository subdirs
   to make a "cvs update" really silent.

   *Ralf S. Engelschall*

 * Recompiled the error-definition header files and added
   missing symbols to the Win32 linker tables.

   *Ralf S. Engelschall*

 * Cleaned up the top-level documents;
   o new files: CHANGES and LICENSE
   o merged VERSION, HISTORY* and README* files into a CHANGES.SSLeay
   o merged COPYRIGHT into LICENSE
   o removed obsolete TODO file
   o renamed MICROSOFT to INSTALL.W32

   *Ralf S. Engelschall*

 * Removed dummy files from the 0.9.1b source tree:
   crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
   crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
   crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
   crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
   util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f

   *Ralf S. Engelschall*

 * Added various platform portability fixes.

   *Mark J. Cox*

 * The Genesis of the OpenSSL project:
   We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
   Young and Tim J. Hudson created while they were working for C2Net until
   summer 1998.

   *The OpenSSL Project*

### Changes between 0.9.0b and 0.9.1b [not released]

 * Updated a few CA certificates under certs/

   *Eric A. Young*

 * Changed some BIGNUM api stuff.

   *Eric A. Young*

 * Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
   DGUX x86, Linux Alpha, etc.

   *Eric A. Young*

 * New COMP library [crypto/comp/] for SSL Record Layer Compression:
   RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
   available).

   *Eric A. Young*

 * Add -strparse option to asn1pars program which parses nested
   binary structures

   *Dr Stephen Henson <shenson@bigfoot.com>*

 * Added "oid_file" to ssleay.cnf for "ca" and "req" programs.

   *Eric A. Young*

 * DSA fix for "ca" program.

   *Eric A. Young*

 * Added "-genkey" option to "dsaparam" program.

   *Eric A. Young*

 * Added RIPE MD160 (rmd160) message digest.

   *Eric A. Young*

 * Added -a (all) option to "ssleay version" command.

   *Eric A. Young*

 * Added PLATFORM define which is the id given to Configure.

   *Eric A. Young*

 * Added MemCheck_XXXX functions to crypto/mem.c for memory checking.

   *Eric A. Young*

 * Extended the ASN.1 parser routines.

   *Eric A. Young*

 * Extended BIO routines to support REUSEADDR, seek, tell, etc.

   *Eric A. Young*

 * Added a BN_CTX to the BN library.

   *Eric A. Young*

 * Fixed the weak key values in DES library

   *Eric A. Young*

 * Changed API in EVP library for cipher aliases.

   *Eric A. Young*

 * Added support for RC2/64bit cipher.

   *Eric A. Young*

 * Converted the lhash library to the crypto/mem.c functions.

   *Eric A. Young*

 * Added more recognized ASN.1 object ids.

   *Eric A. Young*

 * Added more RSA padding checks for SSL/TLS.

   *Eric A. Young*

 * Added BIO proxy/filter functionality.

   *Eric A. Young*

 * Added extra_certs to SSL_CTX which can be used to
   send extra CA certificates to the client in the CA cert chain sending
   process. It can be configured with SSL_CTX_add_extra_chain_cert().

   *Eric A. Young*

 * Now Fortezza is denied in the authentication phase because
   this key exchange mechanism is not supported by SSLeay at all.

   *Eric A. Young*

 * Additional PKCS1 checks.

   *Eric A. Young*

 * Support the string "TLSv1" for all TLS v1 ciphers.

   *Eric A. Young*

 * Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
   ex_data index of the SSL context in the X509_STORE_CTX ex_data.

   *Eric A. Young*

 * Fixed a few memory leaks.

   *Eric A. Young*

 * Fixed various code and comment typos.

   *Eric A. Young*

 * A minor bug in ssl/s3_clnt.c where there would always be 4 zero
   bytes sent in the client random.

   *Edward Bishop <ebishop@spyglass.com>*
https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566 19479[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513 19480[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512 19481[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511 19482[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510 19483[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509 19484[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508 19485[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507 19486[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506 19487[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505 19488[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470 19489[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224 19490[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221 19491[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195 19492[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160 19493[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076 19494[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450 19495[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353 19496[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169 19497[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166 19498[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686 19499[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333 19500[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110 19501[CVE-2012-0884]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884 19502[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050 19503[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027 19504[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619 19505[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577 19506[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576 19507[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109 19508[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108 19509[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210 19510[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207 19511[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014 19512[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252 19513[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180 19514[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864 19515[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633 19516[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740 19517[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433 19518[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355 19519[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555 19520[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245 19521[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386 19522[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379 19523[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378 19524[CVE-2009-1377]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377 19525[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789 19526[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591 19527[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590 19528[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077 19529[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678 19530[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672 19531[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891 19532[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135 19533[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995 19534[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343 19535[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339 19536[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738 19537[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940 19538[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937 19539[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969 19540[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112 19541[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079 19542[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851 19543[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545 19544[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544 19545[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543 19546[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078 19547[CVE-2002-0659]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659 19548[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657 19549[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656 19550[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655 19551
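The client random defect in that s3_clnt.c entry is visible on the wire, so a defender can check captured ClientHellos for it. The following Python is an added example, not OpenSSL's code: it parses a minimal ClientHello record (constructed inline, not a real capture), extracts the 32-byte random and flags a run of fixed zero bytes.

```python
# Added example (not OpenSSL code): pull the 32-byte random out of a TLS
# ClientHello record and flag a run of zero bytes, the symptom the s3_clnt.c
# entry describes. Only the fields up to the random are parsed.

def client_random(record: bytes) -> bytes:
    """Return the 32-byte random from a ClientHello record; raise on bad input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # body layout: client_version (2) | random (32) | session_id | ...
    if len(body) < 34:
        raise ValueError("truncated ClientHello")
    return body[2:34]

def longest_zero_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x00 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best

def random_looks_fixed(random32: bytes, min_run: int = 4) -> bool:
    """Heuristic: a properly random 32-byte value almost never contains four
    consecutive zero bytes (roughly 29 * 2**-32), so such a run points at a
    generator that is writing fixed bytes."""
    return longest_zero_run(random32) >= min_run

def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    body = (b"\x03\x03" + random32         # client_version, random
            + b"\x00"                       # empty session_id
            + b"\x00\x02\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                   # null compression only
            + b"\x00\x00")                  # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    good = bytes(range(1, 33))                       # constructed, no zero bytes
    bad = b"\x00\x00\x00\x00" + bytes(range(1, 29))  # constructed, 4 fixed zeros
    for label, rnd in (("good", good), ("bad", bad)):
        r = client_random(build_client_hello(rnd))
        print(label, r.hex(), "suspicious" if random_looks_fixed(r) else "ok")
```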