OpenSSL CHANGES
===============

This is a detailed breakdown of significant changes. For a high-level overview
of changes in each release, see [NEWS.md](./NEWS.md).

For a full list of changes, see the [git commit log][log] and pick the
appropriate release branch.

 [log]: https://github.com/openssl/openssl/commits/

OpenSSL Releases
----------------

 - [OpenSSL 3.5](#openssl-35)
 - [OpenSSL 3.4](#openssl-34)
 - [OpenSSL 3.3](#openssl-33)
 - [OpenSSL 3.2](#openssl-32)
 - [OpenSSL 3.1](#openssl-31)
 - [OpenSSL 3.0](#openssl-30)
 - [OpenSSL 1.1.1](#openssl-111)
 - [OpenSSL 1.1.0](#openssl-110)
 - [OpenSSL 1.0.2](#openssl-102)
 - [OpenSSL 1.0.1](#openssl-101)
 - [OpenSSL 1.0.0](#openssl-100)
 - [OpenSSL 0.9.x](#openssl-09x)

OpenSSL 3.5
-----------

### Changes between 3.4 and 3.5 [xx XXX xxxx]

 * All the BIO_meth_get_*() functions allowing reuse of the internal OpenSSL
   BIO method implementations were deprecated. The reuse is unsafe due to
   dependency on the code of the internal methods not changing.

   *Tomáš Mráz*

 * Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list().
   SSL_CTX_set1_groups_list() now supports the DEFAULT keyword which sets the
   available groups to the default selection. The '-' prefix allows the calling
   application to remove a group from the selection.

   *Frederik Wedel-Heinen*

 * Updated the default encryption cipher for the `req`, `cms`, and `smime` applications
   from `des-ede3-cbc` to `aes-256-cbc`.

   AES-256 provides a stronger 256-bit key encryption than legacy 3DES.

   *Aditya*

 * Enhanced PKCS#7 inner contents verification.
   In the PKCS7_verify() function, the BIO *indata parameter refers to the
   signed data if the content is detached from p7. Otherwise, indata should be
   NULL, and then the signed data must be in p7.

   The previous OpenSSL implementation only supported MIME inner content
   [RFC 5652, section 5.2].

   The added functionality now enables support for PKCS#7 inner content
   [RFC 2315, section 7].

   *Małgorzata Olszówka*

 * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
   longer required) when using `-digest` or when signing or verifying with an
   Ed25519 or Ed448 key.
   The `-digest` and `-rawin` options may only be given with `-sign` or `-verify`.

   *David von Oheimb*

 * Optionally allow the FIPS provider to use the `JITTER` entropy source.
   Note that using this option will require the resulting FIPS provider
   to undergo entropy source validation [ESV] by the [CMVP]; without this
   the FIPS provider will not be FIPS compliant. Enable this using the
   configuration option `enable-fips-jitter`.

   *Paul Dale*

OpenSSL 3.4
-----------

### Changes between 3.3 and 3.4 [xx XXX xxxx]

 * For the FIPS provider only, replaced the primary DRBG with a continuous
   health check module. This also removes the now forbidden DRBG chaining.

   *Paul Dale*

 * Improved base64 BIO correctness and error reporting.

   *Viktor Dukhovni*

 * Added support for directly fetched composite signature algorithms such as
   RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
   EVP_PKEY_verify and EVP_PKEY_verify_recover groups.

   *Richard Levitte*

 * XOF Digest API improvements

   EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to
   EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE
   have an output size that is not fixed, so calling EVP_MD_get_size() is not
   sufficient. The existing macros now point to the new function
   EVP_MD_CTX_get_size_ex() which will retrieve the "size" for a XOF digest,
   otherwise it falls back to calling EVP_MD_get_size(). Note that the SHAKE
   implementation did not have a context getter previously, so the "size" will
   only be able to be retrieved with new providers.

   Also added an EVP_xof() helper.

   *Shane Lontis*

 * Added FIPS indicators to the FIPS provider.

   FIPS 140-3 requires indicators to be used if the FIPS provider allows
   non-approved algorithms. An algorithm is approved if it passes all
   required checks such as minimum key size. By default an error will
   occur if any check fails. For backwards compatibility individual
   algorithms may override the checks by using either an option in the
   FIPS configuration OR in code using an algorithm context setter.
   Overriding the check means that the algorithm is not FIPS compliant.
   OSSL_INDICATOR_set_callback() can be called to register a callback
   to log unapproved algorithms. At the end of any algorithm operation
   the approved status can be queried using an algorithm context getter.
   FIPS provider configuration options are set using 'openssl fipsinstall'.

   Note that new FIPS 140-3 restrictions have been enforced; for example,
   RSA encryption using PKCS1 padding is no longer approved.
   Documentation related to the changes can be found on the [fips_module(7)]
   manual page.

   [fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators

   *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*

 * Added support for hardware acceleration for HMAC on S390x architecture.

   *Ingo Franzki*

 * Added debuginfo Makefile target for unix platforms to produce
   a separate DWARF info file from the corresponding shared libs.

   *Neil Horman*

 * Added support for encapsulation and decapsulation operations in the
   pkeyutl command.

   *Dmitry Belyavskiy*

 * Added implementation of RFC 9579 (PBMAC1) in PKCS#12.

   *Dmitry Belyavskiy*

 * Add a new random seed source RNG `JITTER` using a statically linked
   jitterentropy library.

   *Dimitri John Ledkov*

 * Added a feature to retrieve configured TLS signature algorithms,
   e.g., via the openssl list command.

   *Michael Baentsch*

 * Deprecated TS_VERIFY_CTX_set_* functions and added replacement
   TS_VERIFY_CTX_set0_* functions with improved semantics.

   *Tobias Erbsland*

 * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that
   what were formerly build time locations can now be defined at run time
   with registry keys. See NOTES-WINDOWS.md.

   *Neil Horman*

 * Added options `-not_before` and `-not_after` for explicitly setting the
   start and end dates of certificates created with the `req` and `x509`
   commands. Added the same options also to the `ca` command as aliases for
   the `-startdate` and `-enddate` options.

   *Stephan Wurm*

 * The X25519 and X448 key exchange implementation in the FIPS provider
   is unapproved and has the `fips=no` property.

   *Tomáš Mráz*

 * SHAKE-128 and SHAKE-256 implementations have no default digest length
   anymore. That means these algorithms cannot be used with
   EVP_DigestFinal/_ex() unless the `xoflen` param is set before.

   This change was necessary because the preexisting default lengths were
   half the size necessary for full collision resistance supported by these
   algorithms.

   *Tomáš Mráz*

 * Setting `config_diagnostics=1` in the config file will cause errors to
   be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
   in the ssl module configuration.

   *Tomáš Mráz*

 * An empty renegotiate extension will be used in TLS client hellos instead
   of the empty renegotiation SCSV, for all connections with a minimum TLS
   version > 1.0.

   *Tim Perry*

 * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
   TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.

   This work was sponsored by Siemens AG.

   *Rajeev Ranjan*

 * Added support for requesting a CRL in CMP.

   This work was sponsored by Siemens AG.

   *Rajeev Ranjan*

 * Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints,
   userNotice, acceptablePrivilegePolicies, acceptableCertPolicies,
   subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints,
   holderNameConstraints and targetingInformation X.509v3 extensions.

   *Jonathan M. Wilbur*

 * Added Attribute Certificate (RFC 5755) support. Attribute
   Certificates can be created, parsed, modified and printed via the
   public API. There is no command-line tool support at this time.

   *Damian Hobson-Garcia*

 * Added support to build Position Independent Executables (PIE). The
   configuration option `enable-pie` configures the cflag '-fPIE' and ldflag
   '-pie' to support Address Space Layout Randomization (ASLR) in the openssl
   executable, and removes reliance on external toolchain configurations.

   *Craig Lorentzen*

 * SSL_SESSION_get_time()/SSL_SESSION_set_time()/SSL_CTX_flush_sessions() have
   been deprecated in favour of their respective ..._ex() replacement functions
   which are Y2038-safe.

   *Alexander Kanavin*

 * ECC groups may now customize their initialization to save CPU by using
   precomputed values. This is used by the P-256 implementation.

   *Watson Ladd*

OpenSSL 3.3
-----------

### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]

 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
   curve parameters.

   Use of the low-level GF(2^m) elliptic curve APIs with untrusted
   explicit values for the field polynomial can lead to out-of-bounds memory
   reads or writes.
   Applications working with "exotic" explicit binary (GF(2^m)) curve
   parameters, that make it possible to represent invalid field polynomials
   with a zero constant term, via the above or similar APIs, may terminate
   abruptly as a result of reading or writing outside of array bounds. Remote
   code execution cannot easily be ruled out.

   ([CVE-2024-9143])

   *Viktor Dukhovni*

### Changes between 3.3.1 and 3.3.2 [3 Sep 2024]

 * Fixed possible denial of service in X.509 name checks.

   Applications performing certificate name checks (e.g., TLS clients checking
   server certificates) may attempt to read an invalid memory address when
   comparing the expected name with an `otherName` subject alternative name of
   an X.509 certificate. This may result in an exception that terminates the
   application program.

   ([CVE-2024-6119])

   *Viktor Dukhovni*

 * Fixed possible buffer overread in SSL_select_next_proto().

   Calling the OpenSSL API function SSL_select_next_proto with an empty
   supported client protocols buffer may cause a crash or memory contents
   to be sent to the peer.

   ([CVE-2024-5535])

   *Matt Caswell*

### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]

 * Fixed potential use after free after SSL_free_buffers() is called.

   The SSL_free_buffers function is used to free the internal OpenSSL
   buffer used when processing an incoming record from the network.
   The call is only expected to succeed if the buffer is not currently
   in use. However, two scenarios have been identified where the buffer
   is freed even when still in use.

   The first scenario occurs where a record header has been received
   from the network and processed by OpenSSL, but the full record body
   has not yet arrived. In this case calling SSL_free_buffers will succeed
   even though a record has only been partially processed and the buffer
   is still in use.

   The second scenario occurs where a full record containing application
   data has been received and processed by OpenSSL but the application has
   only read part of this data. Again a call to SSL_free_buffers will
   succeed even though the buffer is still in use.

   ([CVE-2024-4741])

   *Matt Caswell*

 * Fixed an issue where checking excessively long DSA keys or parameters may
   be very slow.

   Applications that use the functions EVP_PKEY_param_check() or
   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
   experience long delays. Where the key or parameters that are being checked
   have been obtained from an untrusted source this may lead to a Denial of
   Service.

   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
   reason.

   ([CVE-2024-4603])

   *Tomáš Mráz*

 * Improved EC/DSA nonce generation routines to avoid bias and timing
   side channel leaks.

   Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
   and Hubert Kario from Red Hat for reporting the issues.

   *Tomáš Mráz and Paul Dale*

### Changes between 3.2 and 3.3.0 [9 Apr 2024]

 * The `-verify` option to the `openssl crl` and `openssl req` commands now
   makes the program exit with 1 on failure.

   *Vladimír Kotal*

 * The BIO_get_new_index() function can only be called 127 times before it
   reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
   error of -1 once it is exhausted. Users may need to reserve using this
   function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE
   or BIO_get_new_index() can be used to supply a type to BIO_meth_new().

   *Shane Lontis*

 * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
   using time_t which is Y2038 safe on 32 bit systems when 64 bit time
   is enabled (e.g. via setting the glibc macro _TIME_BITS=64).

   *Ijtaba Hussain*

 * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
   related functions have been augmented to check for a minimum length of
   the input string, in accordance with ITU-T X.690 sections 11.7 and 11.8.

   *Job Snijders*

 * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
   config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
   SSL[_CTX]_set1_client_sigalgs() that start with the `?` character are
   ignored and the configuration will still be used.

   Similarly unknown entries that start with the `?` character in a TLS
   Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
   and the configuration will still be used.

   In both cases if the resulting list is empty, an error is returned.

   *Tomáš Mráz*

 * The EVP_PKEY_fromdata function has been augmented to allow for the derivation
   of CRT (Chinese Remainder Theorem) parameters when requested. See the
   OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.

   *Neil Horman*

 * The activate and soft_load configuration settings for providers in
   openssl.cnf have been updated to require a value of [1|yes|true|on]
   (in lower or UPPER case) to enable the setting. Conversely a value
   of [0|no|false|off] will disable the setting. All other values, or the
   omission of a value for these settings, will result in an error.

   *Neil Horman*

 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
   override the Issuer and Subject when creating a certificate. The `-subj`
   option is now an alias for `-set_subject`.

   *Job Snijders, George Michaelson*

 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
   if called with a NULL stack argument.

   *Tomáš Mráz*

 * In `openssl speed`, changed the default hash function used with `hmac` from
   `md5` to `sha256`.

   *James Muir*

 * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483:
   - `certProfile` request message header and respective `-profile` CLI option
   - support for delayed delivery of all types of response messages

   *David von Oheimb*

 * The build of exporters (such as `.pc` files for pkg-config) has been cleaned
   up to be less hard coded in the build file templates, and to allow easier
   addition of more exporters. With that, an exporter for CMake is also
   added.

   *Richard Levitte*

 * The BLAKE2s hash algorithm matches BLAKE2b's support
   for configurable output length.

   *Ahelenia Ziemiańska*

 * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
   server to prefer session resumption using PSK-only key exchange over PSK
   with DHE, if both are available.

   *Markus Minichmayr, Tapkey GmbH*

 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
   condition in an optimised way when using QUIC.

   *Hugo Landau*

 * New atexit configuration switch, which controls whether OPENSSL_cleanup
   is registered when libcrypto is unloaded. This is turned off on NonStop
   configurations because of loader differences on that platform compared to
   Linux.

   *Randall S. Becker*

 * Support for qlog for tracing QUIC connections has been added.

   The qlog output from OpenSSL currently uses a pre-standard draft version of
   qlog. The output from OpenSSL will change in incompatible ways in future
   releases, and is not subject to any format stability or compatibility
   guarantees at this time.
   This functionality can be
   disabled with the build-time option `no-unstable-qlog`. See the
   openssl-qlog(7) manpage for details.

   *Hugo Landau*

 * Added APIs to allow configuring the negotiated idle timeout for QUIC
   connections, and to allow determining the number of additional streams
   that can currently be created for a QUIC connection.

   *Hugo Landau*

 * Added APIs to allow disabling implicit QUIC event processing for
   QUIC SSL objects, allowing applications to control when event handling
   occurs. Refer to the SSL_get_value_uint(3) manpage for details.

   *Hugo Landau*

 * Limited support for polling of QUIC connection and stream objects in a
   non-blocking manner. Refer to the SSL_poll(3) manpage for details.

   *Hugo Landau*

 * Added APIs to allow querying the size and utilisation of a QUIC stream's
   write buffer. Refer to the SSL_get_value_uint(3) manpage for details.

   *Hugo Landau*

 * A new limit on HTTP response headers has been introduced in the HTTP
   client. The default limit is set to 256 header lines. If the limit is
   exceeded, response processing stops with the error
   HTTP_R_RESPONSE_TOO_MANY_HDRLINES. The application may call
   OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3) to change the default.
   Setting the value to 0 disables the limit.

   *Alexandr Nedvedicky*

 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100.

   *Tom Cosgrove*

 * Added X509_STORE_get1_objects to avoid issues with the existing
   X509_STORE_get0_objects API in multi-threaded applications. Refer to the
   documentation for details.

   *David Benjamin*

 * Added assembly implementation for md5 on loongarch64.

   *Min Zhou*

 * Optimized AES-CTR for ARM Neoverse V1 and V2.

   *Fisher Yu*

 * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
   similar to M1/M2.

   *Tom Cosgrove*

 * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
   times with different output sizes.

   *Shane Lontis, Holger Dengler*

 * Various optimizations for cryptographic routines using RISC-V vector crypto
   extensions.

   *Christoph Müllner, Charalampos Mitrodimas, Ard Biesheuvel, Phoebe Chen,
   Jerry Shih*

 * Accept longer context for TLS 1.2 exporters.

   While RFC 5705 implies that the maximum length of a context for exporters is
   65535 bytes, since the length is encoded as a uint16, the previous
   implementation enforced a much smaller limit of less than 1024 bytes. This
   restriction has been removed.

   *Daiki Ueno*

OpenSSL 3.2
-----------

### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]

 * Fixed an issue where some non-default TLS server configurations can cause
   unbounded memory growth when processing TLSv1.3 sessions. An attacker may
   exploit certain server configurations to trigger unbounded memory growth that
   would lead to a Denial of Service.

   This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
   is being used (but not if early_data is also configured and the default
   anti-replay protection is in use). In this case, under certain conditions,
   the session cache can get into an incorrect state and it will fail to flush
   properly as it fills. The session cache will continue to grow in an unbounded
   manner. A malicious client could deliberately create the scenario for this
   failure to force a Denial of Service. It may also happen by accident in
   normal operation.

   ([CVE-2024-2511])

   *Matt Caswell*

 * Fixed bug where SSL_export_keying_material() could not be used with QUIC
   connections.
   (#23560)

   *Hugo Landau*

### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]

 * A file in PKCS12 format can contain certificates and keys and may come from
   an untrusted source. The PKCS12 specification allows certain fields to be
   NULL, but OpenSSL did not correctly check for this case. A fix has been
   applied to prevent a NULL pointer dereference that results in OpenSSL
   crashing. If an application processes PKCS12 files from an untrusted source
   using the OpenSSL APIs then that application will be vulnerable to this
   issue prior to this fix.

   OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
   PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
   and PKCS12_newpass().

   We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
   function is related to writing data we do not consider it security
   significant.

   ([CVE-2024-0727])

   *Matt Caswell*

 * When the function EVP_PKEY_public_check() is called on RSA public keys,
   a computation is done to confirm that the RSA modulus, n, is composite.
   For valid RSA keys, n is a product of two or more large primes and this
   computation completes quickly. However, if n is an overly large prime,
   then this computation would take a long time.

   An application that calls EVP_PKEY_public_check() and supplies an RSA key
   obtained from an untrusted source could be vulnerable to a Denial of Service
   attack.

   The function EVP_PKEY_public_check() is not called from other OpenSSL
   functions; however, it is called from the OpenSSL pkey command line
   application. For that reason that application is also vulnerable if used
   with the "-pubin" and "-check" options on untrusted data.

   To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
   now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.

   ([CVE-2023-6237])

   *Tomáš Mráz*

 * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
   have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
   rather than SM2.

   *Richard Levitte*

 * The POLY1305 MAC (message authentication code) implementation in OpenSSL
   for PowerPC CPUs saves the contents of vector registers in a different
   order than they are restored. Thus the contents of some of these vector
   registers are corrupted when returning to the caller. The vulnerable code is
   used only on newer PowerPC processors supporting the PowerISA 2.07
   instructions.

   The consequences of this kind of internal application state corruption can
   be various - from no consequences, if the calling application does not
   depend on the contents of non-volatile XMM registers at all, to the worst
   consequences, where the attacker could get complete control of the
   application process. However unless the compiler uses the vector registers
   for storing pointers, the most likely consequence, if any, would be an
   incorrect result of some application dependent calculations or a crash
   leading to a denial of service.

   ([CVE-2023-6129])

   *Rohan McLure*

 * Disable building the QUIC server utility when OpenSSL is configured with
   `no-apps`.

   *Vitalii Koshura*

### Changes between 3.1 and 3.2.0 [23 Nov 2023]

 * Fix excessive time spent in DH check / generation with large Q parameter
   value.

   Applications that use the function DH_generate_key() to generate an
   X9.42 DH key may experience long delays. Likewise, applications that use
   DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
   to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
   Where the key or parameters that are being checked have been obtained from
   an untrusted source this may lead to a Denial of Service.

   ([CVE-2023-5678])

   *Richard Levitte*

 * The BLAKE2b hash algorithm supports a configurable output length
   by setting the "size" parameter.

   *Čestmír Kalina and Tomáš Mráz*

 * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES.

   *Evgeny Karpov*

 * Added a function to delete objects from store by URI - OSSL_STORE_delete()
   and the corresponding provider-storemgmt API function
   OSSL_FUNC_store_delete().

   *Dmitry Belyavskiy*

 * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
   a passphrase callback when opening a store.

   *Simo Sorce*

 * Changed the default salt length used by PBES2 KDFs (PBKDF2 and scrypt)
   from 8 bytes to 16 bytes.
   The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and
   recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2
   requires a salt length of 128 bits. This affects OpenSSL command line
   applications such as "genrsa" and "pkcs8" and APIs such as
   PEM_write_bio_PrivateKey() that are reliant on the default value.
   The additional command line option 'saltlen' has been added to the
   OpenSSL command line applications "pkcs8" and "enc" to allow the
   salt length to be set to a non-default value.

   *Shane Lontis*

 * Changed the default value of the `ess_cert_id_alg` configuration
   option which is used to calculate the TSA's public key certificate
   identifier. The default algorithm is updated to be sha256 instead
   of sha1.

   *Małgorzata Olszówka*

 * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed
   table for point multiplication of the base point, which increases the size of
   libcrypto from 4.4 MB to 4.9 MB. A new configure option `no-sm2-precomp` has
   been added to disable the precomputed table.

   *Xu Yizhou*

 * Added client side support for QUIC.

   *Hugo Landau, Matt Caswell, Paul Dale, Tomáš Mráz, Richard Levitte*

 * Added multiple tutorials on the OpenSSL library and in particular
   on writing various clients (using TLS and QUIC protocols) with libssl.

   *Matt Caswell*

 * Added secp384r1 implementation using Solinas' reduction to improve
   speed of the NIST P-384 elliptic curve. To enable the implementation
   the build option `enable-ec_nistp_64_gcc_128` must be used.

   *Rohan McLure*

 * Improved RFC7468 compliance of the asn1parse command.

   *Matthias St. Pierre*

 * Added SHA256/192 algorithm support.

   *Fergus Dall*

 * Added support for securely getting root CA certificate update in
   CMP.

   *David von Oheimb*

 * Reduced contention on global write locks by using more read locks where
   appropriate.

   *Matt Caswell*

 * Improved performance of OSSL_PARAM lookups in performance critical
   provider functions.

   *Paul Dale*

 * Added the SSL_get0_group_name() function to provide access to the
   name of the group used for the TLS key exchange.

   *Alex Bozarth*

 * Provide a new configure option `no-http` that can be used to disable the
   HTTP support. Provide new configure options `no-apps` and `no-docs` to
   disable building the openssl command line application and the documentation.

   *Vladimír Kotal*

 * Provide a new configure option `no-ecx` that can be used to disable the
   X25519, X448, and EdDSA support.

   *Yi Li*

 * When multiple OSSL_KDF_PARAM_INFO parameters are passed to
   the EVP_KDF_CTX_set_params() function they are now concatenated not just
   for the HKDF algorithm but also for the SSKDF and X9.63 KDF algorithms.

   *Paul Dale*

 * Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get
   the provider context as a parameter.

   *Ingo Franzki*

 * TLS round-trip time calculation was added by a Brigham Young University
   Capstone team partnering with Sandia National Laboratories. A new function
   in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
   value.

   *Jairus Christensen*

 * Added the "-quic" option to s_client to enable connectivity to QUIC servers.
   QUIC requires the use of ALPN, so this must be specified via the "-alpn"
   option. Use of the "advanced" s_client command mode via the "-adv" option
   is recommended.

   *Matt Caswell*

 * Added an "advanced" command mode to s_client. Use this with the "-adv"
   option. The old "basic" command mode recognises certain letters that must
   always appear at the start of a line and cannot be escaped. The advanced
   command mode enables commands to be entered anywhere and there is an
   escaping mechanism. After starting s_client with "-adv" type "{help}"
   to show a list of available commands.

   *Matt Caswell*

 * Add Raw Public Key (RFC7250) support. Authentication is supported
   by matching keys against either local policy (TLSA records synthesised
   from the expected keys) or DANE (TLSA records obtained by the
   application from DNS). TLSA records will also match the same key in
   the server certificate, should RPK use not happen to be negotiated.

   *Todd Short*

 * Added support for modular exponentiation and CRT offloading for the
   S390x architecture.

   *Juergen Christ*

 * Added further assembler code for the RISC-V architecture.

   *Christoph Müllner*

 * Added EC_GROUP_to_params() which creates an OSSL_PARAM array
   from a given EC_GROUP.

   *Oliver Mihatsch*

 * Improved support for non-default library contexts and property queries
   when parsing PKCS#12 files.

   *Shane Lontis*

 * Implemented support for all five instances of EdDSA from RFC8032:
   Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
   Streaming is not yet supported for the HashEdDSA variants
   (Ed25519ph and Ed448ph).

   *James Muir*

 * Added SM4 optimization for ARM processors using ASIMD and AES HW
   instructions.

   *Xu Yizhou*

 * Implemented SM4-XTS support.

   *Xu Yizhou*

 * Added platform-agnostic OSSL_sleep() function.

   *Richard Levitte*

 * Implemented deterministic ECDSA signatures (RFC6979) support.

   *Shane Lontis*

 * Implemented AES-GCM-SIV (RFC8452) support.

   *Todd Short*

 * Added support for pluggable (provider-based) TLS signature algorithms.
   This enables TLS 1.3 authentication operations with algorithms embedded
   in providers not included by default in OpenSSL. In combination with
   the already available pluggable KEM and X.509 support, this enables
   for example suitable providers to deliver post-quantum or quantum-safe
   cryptography to OpenSSL users.

   *Michael Baentsch*

 * Added support for pluggable (provider-based) CMS signature algorithms.
   This enables CMS sign and verify operations with algorithms embedded
   in providers not included by default in OpenSSL.

   *Michael Baentsch*

 * Added support for Hybrid Public Key Encryption (HPKE) as defined
   in RFC9180. HPKE is required for TLS Encrypted ClientHello (ECH),
   Messaging Layer Security (MLS) and other IETF specifications.
   HPKE can also be used by other applications that require
   encrypting "to" an ECDH public key. External APIs are defined in
   include/openssl/hpke.h and documented in doc/man3/OSSL_HPKE_CTX_new.pod

   *Stephen Farrell*

 * Implemented HPKE DHKEM support in providers used by HPKE (RFC9180)
   API.

   *Shane Lontis*

 * Add support for certificate compression (RFC8879), including
   library support for Brotli and Zstandard compression.

   *Todd Short*

 * Add the ability to add custom attributes to PKCS12 files. Add a new API
   PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows
   for a user specified callback and optional argument.
   Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be
   added to the existing STACK_OF attrs.

   *Graham Woodward*

 * Major refactor of the libssl record layer.

   *Matt Caswell*

 * Add a mac salt length option for the pkcs12 command.

   *Xinping Chen*

 * Add more SRTP protection profiles from RFC8723 and RFC8269.

   *Kijin Kim*

 * Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.

   *Daiki Ueno, John Baldwin and Dmitry Podgorny*

 * Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where
   supported and enabled.

   *Todd Short*

 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
   to the list of ciphersuites providing Perfect Forward Secrecy as
   required by SECLEVEL >= 3.

   *Dmitry Belyavskiy, Nicola Tuveri*

 * Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.
   The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the
   SSL_get0_iana_groups() function-like macro, retrieves the list of
   supported groups sent by the peer.
   The function SSL_client_hello_get_extension_order() populates
   a caller-supplied array with the list of extension types present in the
   ClientHello, in order of appearance.

   *Phus Lu*

 * Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
   to make it possible to use empty passphrase strings.

   *Darshan Sen*

 * The PKCS12_parse() function now supports MAC-less PKCS12 files.

   *Daniel Fiala*

 * Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
   to change functions used for allocating the memory of asynchronous call stack.

   *Arran Cudbard-Bell*

 * Added support for signed BIGNUMs in the OSSL_PARAM APIs.

   *Richard Levitte*

 * A failure exit code is returned when using the openssl x509 command to check
   certificate attributes and the checks fail.

   *Rami Khaldi*

 * The default SSL/TLS security level has been changed from 1 to 2. RSA,
   DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
   of 160 bits and above and less than 224 bits were previously accepted by
   default but are now no longer allowed. By default TLS compression was
   already disabled in previous OpenSSL versions. At security level 2 it cannot
   be enabled.

   *Matt Caswell*

 * The SSL_CTX_set_cipher_list family functions now accept ciphers using their
   IANA standard names.

   *Erik Lax*

 * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
   will need to load the legacy crypto provider.

   *Paul Dale*

 * CCM8 cipher suites in TLS have been downgraded to security level zero
   because they use a short authentication tag which lowers their strength.

   *Paul Dale*

 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
   by default. Also spaces surrounding `=` in DN output are removed.

   *Dmitry Belyavskiy*

 * Add X.509 certificate codeSigning purpose and related checks on key usage and
   extended key usage of the leaf certificate according to the CA/Browser Forum.

   *Lutz Jänicke*

 * The `x509`, `ca`, and `req` commands now produce X.509 v3 certificates.
   The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
   `X509_sign()` and `X509_sign_ctx()` make sure that the certificate has
   X.509 version 3 if the certificate information includes X.509 extensions.

   *David von Oheimb*

 * Fix and extend certificate handling and the commands `x509`, `verify` etc.
   such as adding a trace facility for debugging certificate chain building.

   *David von Oheimb*

 * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app
   in particular supporting requests for central key generation, generalized
   polling, and various types of genm/genp exchanges defined in CMP Updates.

   *David von Oheimb*

 * Fixes and extensions to the HTTP client and to the HTTP server in `apps/`
   like correcting the TLS and proxy support and adding tracing for debugging.

   *David von Oheimb*

 * Extended the CMS API for handling `CMS_SignedData` and `CMS_EnvelopedData`.

   *David von Oheimb*

 * `CMS_add0_cert()` and `CMS_add1_cert()` no longer throw an error if
   a certificate to be added is already present. `CMS_sign_ex()` and
   `CMS_sign()` now ignore any duplicate certificates in their `certs` argument
   and no longer throw an error for them.

   *David von Oheimb*

 * Fixed and extended `util/check-format.pl` for checking adherence to the
   coding style <https://www.openssl.org/policies/technical/coding-style.html>.
   The checks are meanwhile more complete and yield fewer false positives.

   *David von Oheimb*

 * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
   BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
   calls. They can be used as the transport BIOs for QUIC.

   *Hugo Landau, Matt Caswell and Tomáš Mráz*

 * Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
   sending and receiving multiple messages in a single call.
   An implementation is provided for BIO_dgram. For further details, see
   BIO_sendmmsg(3).

   *Hugo Landau*

 * Support for loading root certificates from the Windows certificate store
   has been added. The support is in the form of a store which recognises the
   URI string of `org.openssl.winstore://`. This URI scheme currently takes no
   arguments. This store is built by default and can be disabled using the new
   compile-time option `no-winstore`. This store is not currently used by
   default and must be loaded explicitly using the above store URI. It is
   expected to be loaded by default in the future.

   *Hugo Landau*

 * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some Linux
   kernel versions that support KTLS have a known bug in CCM processing. That
   has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
   and all releases since 5.16. KTLS with CCM ciphersuites should be only used
   on these releases.

   *Tianjia Zhang*

 * Added `-ktls` option to `s_server` and `s_client` commands to enable the
   KTLS support.

   *Tianjia Zhang*

 * Zerocopy KTLS sendfile() support on Linux.

   *Maxim Mikityanskiy*

 * The OBJ_ calls are now thread safe using a global lock.

   *Paul Dale*

 * New parameter `-digest` for openssl cms command allowing signing
   pre-computed digests and new CMS API functions supporting that
   functionality.

   *Viktor Söderqvist*

 * OPENSSL_malloc() and other allocation functions now raise errors on
   allocation failures. The callers do not need to explicitly raise errors
   unless they want to for tracing purposes.

   *David von Oheimb*

 * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
   decryption as a protection against Bleichenbacher-like attacks.
   The RSA decryption API will now return a randomly generated deterministic
   message instead of an error in case it detects an error when checking
   padding during PKCS#1 v1.5 decryption. This is a general protection against
   issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
   disabled by calling
   `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")`
   on the RSA decryption context.

   *Hubert Kario*

 * Added support for Brainpool curves in TLS-1.3.

   *Bernd Edlinger and Matt Caswell*

 * Added OpenBSD specific build targets.

   *David Carlier*

 * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
   a basic thread pool implementation for select platforms.

   *Čestmír Kalina*

OpenSSL 3.1
-----------

### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]

 * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
   EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
   that alter the key or IV length ([CVE-2023-5363]).

   *Paul Dale*

### Changes between 3.1.2 and 3.1.3 [19 Sep 2023]

 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.

   The POLY1305 MAC (message authentication code) implementation in OpenSSL
   does not save the contents of non-volatile XMM registers on Windows 64
   platform when calculating the MAC of data larger than 64 bytes. Before
   returning to the caller all the XMM registers are set to zero rather than
   restoring their previous content. The vulnerable code is used only on newer
   x86_64 processors supporting the AVX512-IFMA instructions.

   The consequences of this kind of internal application state corruption can
   vary - from no consequences, if the calling application does not
   depend on the contents of non-volatile XMM registers at all, to the worst
   consequences, where the attacker could get complete control of the
   application process. However given the contents of the registers are just
   zeroized so the attacker cannot put arbitrary values inside, the most likely
   consequence, if any, would be an incorrect result of some application
   dependent calculations or a crash leading to a denial of service.

   ([CVE-2023-4807])

   *Bernd Edlinger*

### Changes between 3.1.1 and 3.1.2 [1 Aug 2023]

 * Fix excessive time spent checking DH q parameter value.

   The function DH_check() performs various checks on DH parameters. After
   fixing CVE-2023-3446 it was discovered that a large q parameter value can
   also trigger an overly long computation during some of these checks.
   A correct q value, if present, cannot be larger than the modulus p
   parameter, thus it is unnecessary to perform these checks if q is larger
   than p.

   If DH_check() is called with such q parameter value,
   DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
   intensive checks are skipped.

   ([CVE-2023-3817])

   *Tomáš Mráz*

 * Fix DH_check() excessive time with oversized modulus.

   The function DH_check() performs various checks on DH parameters. One of
   those checks confirms that the modulus ("p" parameter) is not too large.
   Trying to use a very large modulus is slow and OpenSSL will not normally use
   a modulus which is over 10,000 bits in length.

   However the DH_check() function checks numerous aspects of the key or
   parameters that have been supplied.
   Some of those checks use the supplied
   modulus value even if it has already been found to be too large.

   A new limit has been added to DH_check of 32,768 bits. Supplying a
   key/parameters with a modulus over this size will simply cause DH_check() to
   fail.

   ([CVE-2023-3446])

   *Matt Caswell*

 * Do not ignore empty associated data entries with AES-SIV.

   The AES-SIV algorithm allows for authentication of multiple associated
   data entries along with the encryption. To authenticate empty data the
   application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
   with NULL pointer as the output buffer and 0 as the input buffer length.
   The AES-SIV implementation in OpenSSL just returns success for such call
   instead of performing the associated data authentication operation.
   The empty data thus will not be authenticated. ([CVE-2023-2975])

   Thanks to Juerg Wullschleger (Google) for discovering the issue.

   The fix changes the authentication tag value and the ciphertext for
   applications that use empty associated data entries with AES-SIV.
   To decrypt data encrypted with previous versions of OpenSSL the application
   has to skip calls to `EVP_DecryptUpdate()` for empty associated data
   entries.

   *Tomáš Mráz*

 * When building with the `enable-fips` option and using the resulting
   FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
   master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
   not operate with truncated digests (FIPS 140-3 IG G.R).

   *Paul Dale*

### Changes between 3.1.0 and 3.1.1 [30 May 2023]

 * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
   OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

   OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
   numeric text form.
   For gigantic sub-identifiers, this would take a very
   long time, the time complexity being O(n^2) where n is the size of that
   sub-identifier. ([CVE-2023-2650])

   To mitigate this, `OBJ_obj2txt()` will only translate an OBJECT
   IDENTIFIER to canonical numeric text form if the size of that OBJECT
   IDENTIFIER is 586 bytes or less, and fail otherwise.

   The basis for this restriction is [RFC 2578 (STD 58), section 3.5],
   "OBJECT IDENTIFIER values", which stipulates that OBJECT IDENTIFIERS may
   have at most 128 sub-identifiers, and that the maximum value that each
   sub-identifier may have is 2^32-1 (4294967295 decimal).

   For each byte of every sub-identifier, only the 7 lower bits are part of
   the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
   these restrictions may occupy is 32 * 128 / 7, which is approximately 586
   bytes.

   *Richard Levitte*

 * Multiple algorithm implementation fixes for ARM BE platforms.

   *Liu-ErMeng*

 * Added a -pedantic option to fipsinstall that adjusts the various
   settings to ensure strict FIPS compliance rather than backwards
   compatibility.

   *Paul Dale*

 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
   happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
   trigger a crash of an application using AES-XTS decryption if the memory
   just after the buffer being decrypted is not mapped.
   Thanks to Anton Romanov (Amazon) for discovering the issue.
   ([CVE-2023-1255])

   *Nevine Ebeid*

 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
   The previous fix for this timing side channel turned out to cause
   a severe 2-3x performance regression in the typical use case
   compared to 3.0.7.
   The new fix uses existing constant time
   code paths, and restores the previous performance level while
   fully eliminating all existing timing side channels.
   The fix was developed by Bernd Edlinger with testing support
   by Hubert Kario.

   *Bernd Edlinger*

 * Add FIPS provider configuration option to disallow the use of
   truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
   The option '-no_drbg_truncated_digests' can optionally be
   supplied to 'openssl fipsinstall'.

   *Paul Dale*

 * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
   that it does not enable policy checking. Thanks to David Benjamin for
   discovering this issue.
   ([CVE-2023-0466])

   *Tomáš Mráz*

 * Fixed an issue where invalid certificate policies in leaf certificates are
   silently ignored by OpenSSL and other certificate policy checks are skipped
   for that certificate. A malicious CA could use this to deliberately assert
   invalid certificate policies in order to circumvent policy checking on the
   certificate altogether.
   ([CVE-2023-0465])

   *Matt Caswell*

 * Limited the number of nodes created in a policy tree to mitigate
   against CVE-2023-0464. The default limit is set to 1000 nodes, which
   should be sufficient for most installations. If required, the limit
   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
   time define to a desired maximum number of nodes or zero to allow
   unlimited growth.
   ([CVE-2023-0464])

   *Paul Dale*

### Changes between 3.0 and 3.1.0 [14 Mar 2023]

 * Add FIPS provider configuration option to enforce the
   Extended Master Secret (EMS) check during the TLS1_PRF KDF.
   The option '-ems_check' can optionally be supplied to
   'openssl fipsinstall'.

   *Shane Lontis*

 * The FIPS provider includes a few non-approved algorithms for
   backward compatibility purposes and the "fips=yes" property query
   must be used for all algorithm fetches to ensure FIPS compliance.

   The algorithms that are included but not approved are Triple DES ECB,
   Triple DES CBC and EdDSA.

   *Paul Dale*

 * Added support for KMAC in KBKDF.

   *Shane Lontis*

 * RNDR and RNDRRS support in provider functions to provide
   random number generation for Arm CPUs (aarch64).

   *Orr Toledano*

 * `s_client` and `s_server` commands now explicitly say when the TLS version
   does not include the renegotiation mechanism. This avoids confusion
   between that scenario versus when the TLS version includes secure
   renegotiation but the peer lacks support for it.

   *Felipe Gasper*

 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.

   *Tomasz Kantecki, Andrey Matyukov*

 * The various OBJ_* functions have been made thread safe.

   *Paul Dale*

 * Parallel dual-prime 1536/2048-bit modular exponentiation for
   AVX512_IFMA capable processors.

   *Sergey Kirillov, Andrey Matyukov (Intel Corp)*

 * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`,
   `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`,
   `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
   marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
   `OPENSSL_NO_DEPRECATED_3_1`.

   The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro
   `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
   definitions for these functions regardless of whether
   `OPENSSL_NO_DEPRECATED_3_1` is defined.

   Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these
   functions regardless of whether they are using them.
   It is recommended that
   users transition to the new macro, `DEFINE_LHASH_OF_EX`.

   *Hugo Landau*

 * When generating safe-prime DH parameters set the recommended private key
   length equivalent to minimum key lengths as in RFC 7919.

   *Tomáš Mráz*

 * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
   maximum size that is smaller or equal to the digest length to comply with
   FIPS 186-4 section 5. This is implemented by a new option
   `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
   `rsa_pss_saltlen` parameter, which is now the default. Signature
   verification is not affected by this change and continues to work as before.

   *Clemens Lang*

OpenSSL 3.0
-----------

For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries
listed here are only a brief description.
The migration guide contains more detailed information related to new features,
breaking changes, and mappings for the large list of deprecated functions.

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]

 * Fixed NULL dereference during PKCS7 data verification.

   A NULL pointer can be dereferenced when signatures are being
   verified on PKCS7 signed or signedAndEnveloped data. In case the hash
   algorithm used for the signature is known to the OpenSSL library but
   the implementation of the hash algorithm is not available the digest
   initialization will fail. There is a missing check for the return
   value from the initialization function which later leads to invalid
   usage of the digest API most likely leading to a crash.
   ([CVE-2023-0401])

   PKCS7 data is processed by the SMIME library calls and also by the
   time stamp (TS) library calls.
   The TLS implementation in OpenSSL does
   not call these functions however third party applications would be
   affected if they call these functions to verify signatures on untrusted
   data.

   *Tomáš Mráz*

 * Fixed X.400 address type confusion in X.509 GeneralName.

   There is a type confusion vulnerability relating to X.400 address processing
   inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
   but the public structure definition for GENERAL_NAME incorrectly specified
   the type of the x400Address field as ASN1_TYPE. This field is subsequently
   interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
   than an ASN1_STRING.

   When CRL checking is enabled (i.e. the application sets the
   X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
   pass arbitrary pointers to a memcmp call, enabling them to read memory
   contents or enact a denial of service.
   ([CVE-2023-0286])

   *Hugo Landau*

 * Fixed NULL dereference validating DSA public key.

   An invalid pointer dereference on read can be triggered when an
   application tries to check a malformed DSA public key by the
   EVP_PKEY_public_check() function. This will most likely lead
   to an application crash. This function can be called on public
   keys supplied from untrusted sources which could allow an attacker
   to cause a denial of service attack.

   The TLS implementation in OpenSSL does not call this function
   but applications might call the function if there are additional
   security requirements imposed by standards such as FIPS 140-3.
   ([CVE-2023-0217])

   *Shane Lontis, Tomáš Mráz*

 * Fixed Invalid pointer dereference in d2i_PKCS7 functions.

   An invalid pointer dereference on read can be triggered when an
   application tries to load malformed PKCS7 data with the
   d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

   The result of the dereference is an application crash which could
   lead to a denial of service attack. The TLS implementation in OpenSSL
   does not call this function however third party applications might
   call these functions on untrusted data.
   ([CVE-2023-0216])

   *Tomáš Mráz*

 * Fixed Use-after-free following BIO_new_NDEF.

   The public API function BIO_new_NDEF is a helper function used for
   streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
   to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
   be called directly by end user applications.

   The function receives a BIO from the caller, prepends a new BIO_f_asn1
   filter BIO onto the front of it to form a BIO chain, and then returns
   the new head of the BIO chain to the caller. Under certain conditions,
   for example if a CMS recipient public key is invalid, the new filter BIO
   is freed and the function returns a NULL result indicating a failure.
   However, in this case, the BIO chain is not properly cleaned up and the
   BIO passed by the caller still retains internal pointers to the previously
   freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
   then a use-after-free will occur. This will most likely result in a crash.
   ([CVE-2023-0215])

   *Viktor Dukhovni, Matt Caswell*

 * Fixed Double free after calling PEM_read_bio_ex.

   The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
   decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
   data.
   If the function succeeds then the "name_out", "header" and "data"
   arguments are populated with pointers to buffers containing the relevant
   decoded data. The caller is responsible for freeing those buffers. It is
   possible to construct a PEM file that results in 0 bytes of payload data.
   In this case PEM_read_bio_ex() will return a failure code but will populate
   the header argument with a pointer to a buffer that has already been freed.
   If the caller also frees this buffer then a double free will occur. This
   will most likely lead to a crash.

   The functions PEM_read_bio() and PEM_read() are simple wrappers around
   PEM_read_bio_ex() and therefore these functions are also directly affected.

   These functions are also called indirectly by a number of other OpenSSL
   functions including PEM_X509_INFO_read_bio_ex() and
   SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
   internal uses of these functions are not vulnerable because the caller does
   not free the header argument if PEM_read_bio_ex() returns a failure code.
   ([CVE-2022-4450])

   *Kurt Roeckx, Matt Caswell*

 * Fixed Timing Oracle in RSA Decryption.

   A timing based side channel exists in the OpenSSL RSA Decryption
   implementation which could be sufficient to recover a plaintext across
   a network in a Bleichenbacher style attack. To achieve a successful
   decryption an attacker would have to be able to send a very large number
   of trial messages for decryption. The vulnerability affects all RSA padding
   modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
   ([CVE-2022-4304])

   *Dmitry Belyavsky, Hubert Kario*

 * Fixed X.509 Name Constraints Read Buffer Overflow.

   A read buffer overrun can be triggered in X.509 certificate verification,
   specifically in name constraint checking.
   The read buffer overrun might
   result in a crash which could lead to a denial of service attack.
   In a TLS client, this can be triggered by connecting to a malicious
   server. In a TLS server, this can be triggered if the server requests
   client authentication and a malicious client connects.
   ([CVE-2022-4203])

   *Viktor Dukhovni*

 * Fixed X.509 Policy Constraints Double Locking security issue.

   If an X.509 certificate contains a malformed policy constraint and
   policy processing is enabled, then a write lock will be taken twice
   recursively. On some operating systems (most widely: Windows) this
   results in a denial of service when the affected process hangs. Policy
   processing being enabled on a publicly facing server is not considered
   to be a common setup.
   ([CVE-2022-3996])

   *Paul Dale*

 * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
   `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
   `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
   default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting
   `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using
   `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases.
   For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
   for legacy EC and SM2 keys is also changed similarly to honor the
   equivalent conversion format flag as specified in the underlying
   `EC_KEY` object being exported to a provider, when this function is
   called through `EVP_PKEY_export()`.

   *Nicola Tuveri*

### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]

 * Fixed two buffer overflows in punycode decoding functions.

   A buffer overrun can be triggered in X.509 certificate verification,
   specifically in name constraint checking.
   Note that this occurs after
   certificate chain signature verification and requires either a CA to
   have signed the malicious certificate or for the application to continue
   certificate verification despite failure to construct a path to a trusted
   issuer.

   In a TLS client, this can be triggered by connecting to a malicious
   server. In a TLS server, this can be triggered if the server requests
   client authentication and a malicious client connects.

   An attacker can craft a malicious email address to overflow
   an arbitrary number of bytes containing the `.` character (decimal 46)
   on the stack. This buffer overflow could result in a crash (causing a
   denial of service).
   ([CVE-2022-3786])

   An attacker can craft a malicious email address to overflow four
   attacker-controlled bytes on the stack. This buffer overflow could
   result in a crash (causing a denial of service) or potentially remote code
   execution depending on stack layout for any given platform/compiler.
   ([CVE-2022-3602])

   *Paul Dale*

 * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
   parameters in OpenSSL code.
   Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
   OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
   Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
   Using these invalid names may cause algorithms to use slower methods
   that ignore the CRT parameters.

   *Shane Lontis*

 * Fixed a regression introduced in 3.0.6 version raising errors on some stack
   operations.

   *Tomáš Mráz*

 * Fixed a regression introduced in 3.0.6 version not refreshing the certificate
   data to be signed before signing the certificate.

   *Gibeom Gwon*

 * Added RIPEMD160 to the default provider.

   *Paul Dale*

 * Ensured that the key share group sent or accepted for the key exchange
   is allowed for the protocol version.

   *Matt Caswell*

### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]

 * OpenSSL supports creating a custom cipher via the legacy
   EVP_CIPHER_meth_new() function and associated function calls. This function
   was deprecated in OpenSSL 3.0 and application authors are instead encouraged
   to use the new provider mechanism in order to implement custom ciphers.

   OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers
   passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
   EVP_CipherInit_ex2() functions (as well as other similarly named encryption
   and decryption initialisation functions). Instead of using the custom cipher
   directly it incorrectly tries to fetch an equivalent cipher from the
   available providers. An equivalent cipher is found based on the NID passed to
   EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a
   given cipher. However it is possible for an application to incorrectly pass
   NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef
   is used in this way the OpenSSL encryption/decryption initialisation function
   will match the NULL cipher as being equivalent and will fetch this from the
   available providers. This will succeed if the default provider has been
   loaded (or if a third party provider has been loaded that offers this
   cipher). Using the NULL cipher means that the plaintext is emitted as the
   ciphertext.

   Applications are only affected by this issue if they call
   EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
   encryption/decryption initialisation function. Applications that only use
   SSL/TLS are not impacted by this issue.
   ([CVE-2022-3358])

   *Matt Caswell*

 * Fix LLVM vs Apple LLVM version numbering confusion that caused build failures
   on MacOS 10.11

   *Richard Levitte*

 * Fixed the linux-mips64 Configure target which was missing the
   SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
   platform.

   *Adam Joseph*

 * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a
   ticket

   *Matt Caswell*

 * Correctly handle a retransmitted ClientHello in DTLS

   *Matt Caswell*

 * Fixed detection of ktls support in a cross-compile environment on Linux

   *Tomas Mraz*

 * Fixed some regressions and test failures when running the 3.0.0 FIPS provider
   against 3.0.x

   *Paul Dale*

 * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
   report correct results in some cases

   *Matt Caswell*

 * Fix UWP builds by defining VirtualLock

   *Charles Milette*

 * For known safe primes use the minimum key length according to RFC 7919.
   Longer private key sizes unnecessarily raise the cycles needed to compute the
   shared secret without any increase of the real security. This fixes a
   regression from 1.1.1 where these shorter keys were generated for the known
   safe primes.

   *Tomas Mraz*

 * Added the loongarch64 target

   *Shi Pujin*

 * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were
   only passed to the FIPS provider and not to the default or legacy provider.

   *Juergen Christ*

 * Fixed reported performance degradation on aarch64. Restored the
   implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
   32-bit lane assignment in CTR mode") for 64bit targets only, since it is
   reportedly 2-17% slower and the silicon errata only affects 32bit targets.
   The new algorithm is still used for 32 bit targets.

   *Bernd Edlinger*

 * Added a missing header for memcmp that caused compilation failure on some
   platforms

   *Gregor Jasny*

### Changes between 3.0.4 and 3.0.5 [5 Jul 2022]

 * The OpenSSL 3.0.4 release introduced a serious bug in the RSA
   implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
   This issue makes the RSA implementation with 2048 bit private keys
   incorrect on such machines and memory corruption will happen during
   the computation. As a consequence of the memory corruption an attacker
   may be able to trigger a remote code execution on the machine performing
   the computation.

   SSL/TLS servers or other servers using 2048 bit RSA private keys running
   on machines supporting AVX512IFMA instructions of the X86_64 architecture
   are affected by this issue.
   ([CVE-2022-2274])

   *Xi Ruoyao*

 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
   implementation would not encrypt the entirety of the data under some
   circumstances. This could reveal sixteen bytes of data that was
   preexisting in the memory that wasn't written. In the special case of
   "in place" encryption, sixteen bytes of the plaintext would be revealed.

   Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
   they are both unaffected.
   ([CVE-2022-2097])

   *Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño*

### Changes between 3.0.3 and 3.0.4 [21 Jun 2022]

 * In addition to the c_rehash shell command injection identified in
   CVE-2022-1292, further bugs where the c_rehash script does not
   properly sanitise shell metacharacters to prevent command injection have been
   fixed.

   When CVE-2022-1292 was fixed it was not discovered that there
   are other places in the script where the file names of certificates
   being hashed were possibly passed to a command executed through the shell.

   This script is distributed by some operating systems in a manner where
   it is automatically executed. On such operating systems, an attacker
   could execute arbitrary commands with the privileges of the script.

   Use of the c_rehash script is considered obsolete and should be replaced
   by the OpenSSL rehash command line tool.
   (CVE-2022-2068)

   *Daniel Fiala, Tomáš Mráz*

 * Case insensitive string comparison no longer uses locales. It has instead
   been directly implemented.

   *Paul Dale*

### Changes between 3.0.2 and 3.0.3 [3 May 2022]

 * Case insensitive string comparison is reimplemented via new locale-agnostic
   comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
   comparison. The previous implementation had problems when the Turkish locale
   was used.

   *Dmitry Belyavskiy*

 * Fixed a bug in the c_rehash script which was not properly sanitising shell
   metacharacters to prevent command injection. This script is distributed by
   some operating systems in a manner where it is automatically executed. On
   such operating systems, an attacker could execute arbitrary commands with the
   privileges of the script.

   Use of the c_rehash script is considered obsolete and should be replaced
   by the OpenSSL rehash command line tool.
   (CVE-2022-1292)

   *Tomáš Mráz*

 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
   certificate on an OCSP response.
   When the (non-default) flag OCSP_NOCHECKS is used, the bug caused the
   function to return a positive response (meaning a successful verification)
   even in the case where the response signing certificate fails to verify.

   It is anticipated that most users of `OCSP_basic_verify` will not use the
   OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return
   a negative value (indicating a fatal error) in the case of a certificate
   verification failure. The normal expected return value in this case would be
   0.

   This issue also impacts the command line OpenSSL "ocsp" application. When
   verifying an ocsp response with the "-no_cert_checks" option the command line
   application will report that the verification is successful even though it
   has in fact failed. In this case the incorrect successful response will also
   be accompanied by error messages showing the failure and contradicting the
   apparently successful result.
   ([CVE-2022-1343])

   *Matt Caswell*

 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
   AAD data as the MAC key. This made the MAC key trivially predictable.

   An attacker could exploit this issue by performing a man-in-the-middle attack
   to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such
   that the modified data would still pass the MAC integrity check.

   Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
   endpoint will always be rejected by the recipient and the connection will
   fail at that point. Many application protocols require data to be sent from
   the client to the server first. Therefore, in such a case, only an OpenSSL
   3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.

   If both endpoints are OpenSSL 3.0 then the attacker could modify data being
   sent in both directions.
   In this case both clients and servers could be
   affected, regardless of the application protocol.

   Note that in the absence of an attacker this bug means that an OpenSSL 3.0
   endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
   the handshake when using this ciphersuite.

   The confidentiality of data is not impacted by this issue, i.e. an attacker
   cannot decrypt data that has been encrypted using this ciphersuite - they can
   only modify it.

   In order for this attack to work both endpoints must legitimately negotiate
   the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
   OpenSSL 3.0, and is not available within the default provider or the default
   ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been
   negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the
   following must have occurred:

   1) OpenSSL must have been compiled with the (non-default) compile time option
      enable-weak-ssl-ciphers

   2) OpenSSL must have had the legacy provider explicitly loaded (either
      through application code or via configuration)

   3) The ciphersuite must have been explicitly added to the ciphersuite list

   4) The libssl security level must have been set to 0 (default is 1)

   5) A version of SSL/TLS below TLSv1.3 must have been negotiated

   6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
      others that both endpoints have in common
   (CVE-2022-1434)

   *Matt Caswell*

 * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
   occupied by the removed hash table entries.

   This function is used when decoding certificates or keys.
   If a long lived
   process periodically decodes certificates or keys its memory usage will
   expand without bounds and the process might be terminated by the operating
   system causing a denial of service. Also traversing the empty hash table
   entries will take increasingly more time.

   Typically such long lived processes might be TLS clients or TLS servers
   configured to accept client certificate authentication.
   (CVE-2022-1473)

   *Hugo Landau, Aliaksei Levin*

 * The functions `OPENSSL_LH_stats` and `OPENSSL_LH_stats_bio` now only report
   the `num_items`, `num_nodes` and `num_alloc_nodes` statistics. All other
   statistics are no longer supported. For compatibility, these statistics are
   still listed in the output but are now always reported as zero.

   *Hugo Landau*

### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]

 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
   for non-prime moduli.

   Internally this function is used when parsing certificates that contain
   elliptic curve public keys in compressed form or explicit elliptic curve
   parameters with a base point encoded in compressed form.

   It is possible to trigger the infinite loop by crafting a certificate that
   has invalid explicit curve parameters.

   Since certificate parsing happens prior to verification of the certificate
   signature, any process that parses an externally supplied certificate may thus
   be subject to a denial of service attack. The infinite loop can also be
   reached when parsing crafted private keys as they can contain explicit
   elliptic curve parameters.
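   The loop-termination problem in this entry can be illustrated without
   OpenSSL. The following is an added example written for this section, not
   OpenSSL's BN_mod_sqrt() code: a Tonelli-Shanks square root over 64-bit
   integers in which every search loop carries an explicit bound and the
   candidate root is verified by squaring, so a modulus that is not prime
   makes the function fail instead of spinning. The function names
   (`mod_sqrt`, `mod_sqrt_or_neg1`) and the sample moduli are this example's
   own, not values from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/* Overflow-free modular multiplication for moduli below 2^64. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t p)
{
    return (uint64_t)(((unsigned __int128)a * b) % p);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t p)
{
    uint64_t r = 1 % p;
    base %= p;
    while (exp > 0) {
        if (exp & 1)
            r = mulmod(r, base, p);
        base = mulmod(base, base, p);
        exp >>= 1;
    }
    return r;
}

/*
 * Tonelli-Shanks square root modulo p (example code, not OpenSSL's).
 * Returns 1 and stores a root in *out, or 0 if no root was found.
 * Correct only when p is an odd prime; for any other p it still terminates,
 * because every search loop is bounded and the result is verified.
 */
int mod_sqrt(uint64_t a, uint64_t p, uint64_t *out)
{
    uint64_t q, z, c, t, r = 0;
    unsigned s, m;

    if (p < 2)
        return 0;
    a %= p;
    if (a == 0 || p == 2) {
        *out = a;
        return 1;
    }
    if (p % 2 == 0)
        return 0;
    /* Euler's criterion: a must be a quadratic residue. */
    if (powmod(a, (p - 1) / 2, p) != 1)
        return 0;

    /* Write p - 1 = q * 2^s with q odd. */
    q = p - 1;
    s = 0;
    while ((q & 1) == 0) {
        q >>= 1;
        s++;
    }

    if (s == 1) {
        /* p = 3 (mod 4): closed form. */
        r = powmod(a, (p + 1) / 4, p);
    } else {
        /* Find a non-residue z. Bounded: a composite p may have none. */
        for (z = 2; z < p; z++)
            if (powmod(z, (p - 1) / 2, p) == p - 1)
                break;
        if (z == p)
            return 0;

        m = s;
        c = powmod(z, q, p);
        t = powmod(a, q, p);
        r = powmod(a, (q + 1) / 2, p);

        while (t != 1) {
            /* Least i with t^(2^i) == 1. For a prime modulus 0 < i < m
             * always holds; exceeding the bound means p is not prime, so
             * stop here instead of looping forever. */
            unsigned i = 0, j;
            uint64_t tt = t, b;

            while (tt != 1) {
                if (++i >= m)
                    return 0;
                tt = mulmod(tt, tt, p);
            }
            b = c;
            for (j = 0; j < m - i - 1; j++)
                b = mulmod(b, b, p);
            m = i;
            c = mulmod(b, b, p);
            t = mulmod(t, c, p);
            r = mulmod(r, b, p);
        }
    }

    /* Never return a root that has not been checked. */
    if (mulmod(r, r, p) != a)
        return 0;
    *out = r;
    return 1;
}

/* Convenience wrapper: the root, or -1 when mod_sqrt() reports failure. */
int64_t mod_sqrt_or_neg1(uint64_t a, uint64_t p)
{
    uint64_t r = 0;
    return mod_sqrt(a, p, &r) ? (int64_t)r : -1;
}

int main(void)
{
    printf("sqrt(10) mod 13 -> %lld\n", (long long)mod_sqrt_or_neg1(10, 13));
    printf("sqrt(16) mod 85 (composite) -> %lld\n", (long long)mod_sqrt_or_neg1(16, 85));
    return 0;
}
```

   With the prime modulus 13 the call returns 7, a root of 10. With the
   constructed composite modulus 85 and input 16, the inner search exceeds
   its bound on the second pass and the function returns failure rather than
   looping, which is the behaviour a parser of untrusted curve parameters
   needs.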

   Thus vulnerable situations include:

   - TLS clients consuming server certificates
   - TLS servers consuming client certificates
   - Hosting providers taking certificates or private keys from customers
   - Certificate authorities parsing certification requests from subscribers
   - Anything else which parses ASN.1 elliptic curve parameters

   Any other application that uses BN_mod_sqrt() where the attacker can
   control the parameter values is also vulnerable to this DoS issue.
   ([CVE-2022-0778])

   *Tomáš Mráz*

 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
   to the list of ciphersuites providing Perfect Forward Secrecy as
   required by SECLEVEL >= 3.

   *Dmitry Belyavskiy, Nicola Tuveri*

 * Made the AES constant time code for no-asm configurations
   optional due to the resulting 95% performance degradation.
   The AES constant time code can be enabled, for no assembly
   builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME

   *Paul Dale*

 * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty
   passphrase strings.

   *Darshan Sen*

 * The negative return value handling of the certificate verification callback
   was reverted. The replacement is to set the verification retry state with
   the SSL_set_retry_verify() function.

   *Tomáš Mráz*

### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]

 * Fixed invalid handling of X509_verify_cert() internal errors in libssl.
   Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
   verify a certificate supplied by a server. That function may return a
   negative return value to indicate an internal error (for example out of
   memory).
   Such a negative return value is mishandled by OpenSSL and will cause
   an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
   success and a subsequent call to SSL_get_error() to return the value
   SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
   returned by OpenSSL if the application has previously called
   SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
   the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
   totally unexpected and applications may not behave correctly as a result. The
   exact behaviour will depend on the application but it could result in
   crashes, infinite loops or other similar incorrect responses.

   This issue is made more serious in combination with a separate bug in OpenSSL
   3.0 that will cause X509_verify_cert() to indicate an internal error when
   processing a certificate chain. This will occur where a certificate does not
   include the Subject Alternative Name extension but where a Certificate
   Authority has enforced name constraints. This issue can occur even with valid
   chains.
   ([CVE-2021-4044])

   *Matt Caswell*

 * Corrected a few file name and file reference bugs in the build,
   installation and setup scripts, which led to installation verification
   failures. Slightly enhanced the installation verification script.

   *Richard Levitte*

 * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private
   keys.

   *Richard Levitte*

 * Fixed PVK encoder to properly query for the passphrase.

   *Tomáš Mráz*

 * Multiple fixes in the OSSL_HTTP API functions.

   *David von Oheimb*

 * Allow sign extension in OSSL_PARAM_allocate_from_text() for the
   OSSL_PARAM_INTEGER data type and return error on negative numbers
   used with the OSSL_PARAM_UNSIGNED_INTEGER data type.
   Make
   OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.

   *Richard Levitte*

 * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.

   *Tomáš Mráz*

 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.

   *Allan Jude*

 * Multiple threading fixes.

   *Matt Caswell*

 * Added NULL digest implementation to keep compatibility with version 1.1.1.

   *Tomáš Mráz*

 * Allow fetching an operation from the provider that owns an unexportable key
   as a fallback if that is still allowed by the property query.

   *Richard Levitte*

### Changes between 1.1.1 and 3.0.0 [7 Sep 2021]

 * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
   deprecated.

   *Matt Caswell*

 * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
   S390X capability vector to zero. This simplifies testing of different code
   paths on S390X architecture.

   *Patrick Steuer*

 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
   as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
   SP 800-38D". The communication will fail at this point.

   *Paul Dale*

 * The EC_GROUP_clear_free() function is deprecated as there is nothing
   confidential in EC_GROUP data.

   *Nicola Tuveri*

 * The byte order mark (BOM) character is ignored if encountered at the
   beginning of a PEM-formatted file.

   *Dmitry Belyavskiy*

 * Added CMS support for the Russian GOST algorithms.

   *Dmitry Belyavskiy*

 * Due to the move of the implementation of cryptographic operations
   to the providers, validation of various operation parameters can
   be postponed until the actual operation is executed where previously
   it happened immediately when an operation parameter was set.

   For example when setting an unsupported curve with
   EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not
   fail but later keygen operations with the EVP_PKEY_CTX will fail.

   *OpenSSL team members and many third party contributors*

 * The EVP_get_cipherbyname() function will return NULL for algorithms such as
   "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
   previously only accessible via low-level interfaces. Use EVP_CIPHER_fetch()
   instead to retrieve these algorithms from a provider.

   *Shane Lontis*

 * On build targets where the multilib postfix is set in the build
   configuration the libdir directory was changing based on whether
   the lib directory with the multilib postfix exists on the system
   or not. This unpredictable behavior was removed and the multilib
   postfix, if any, is now always added to the default libdir. Use
   `--libdir=lib` to override the libdir if adding the postfix is
   undesirable.

   *Jan Lána*

 * The triple DES key wrap functionality now conforms to RFC 3217 but is
   no longer interoperable with OpenSSL 1.1.1.

   *Paul Dale*

 * The ERR_GET_FUNC() function was removed. With the loss of meaningful
   function codes, this function can only cause problems for calling
   applications.

   *Paul Dale*

 * Add a configurable flag to output date formats as ISO 8601. Does not
   change the default date format.

   *William Edmisten*

 * Versions of MSVC earlier than 1300 could get link warnings, which could
   be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
   Support for this flag has been removed.

   *Rich Salz*

 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
   -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
   printing reference counts.
   Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG.
   Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
   also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.

   *Rich Salz*

 * The signatures of the functions to get and set options on SSL and
   SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
   Some source code changes may be required.

   *Rich Salz*

 * The public definitions of conf_method_st and conf_st have been
   deprecated. They will be made opaque in a future release.

   *Rich Salz and Tomáš Mráz*

 * Client-initiated renegotiation is disabled by default. To allow it, use
   the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
   flag, or the "ClientRenegotiation" config parameter as appropriate.

   *Rich Salz*

 * Add "abspath" and "includedir" pragmas to config files, to prevent
   or modify relative pathname inclusion.

   *Rich Salz*

 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
   validated. Please consult the README-FIPS and
   README-PROVIDERS files, as well as the migration guide.

   *OpenSSL team members and many third party contributors*

 * For the key types DH and DHX the allowed settable parameters are now different.

   *Shane Lontis*

 * The openssl commands that read keys, certificates, and CRLs now
   automatically detect the PEM or DER format of the input files.

   *David von Oheimb, Richard Levitte, and Tomáš Mráz*

 * Added enhanced PKCS#12 APIs which accept a library context.

   *Jon Spillett*

 * The default manual page suffix ($MANSUFFIX) has been changed to "ossl".

   *Matt Caswell*

 * Added support for Kernel TLS (KTLS).

   *Boris Pismenny, John Baldwin and Andrew Gallatin*

 * Support for RFC 5746 secure renegotiation is now required by default for
   SSL or TLS connections to succeed.

   *Benjamin Kaduk*

 * The signature of the `copy` functional parameter of the
   EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
   now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
   the signature of the `pub_decode` functional parameter of the
   EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
   now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.

   *David von Oheimb*

 * The error return values from some control calls (ctrl) have changed.

   *Paul Dale*

 * A public key check is now performed during EVP_PKEY_derive_set_peer().

   *Shane Lontis*

 * Many functions in the EVP_ namespace that are getters of values from
   implementations or contexts were renamed to include get or get0 in their
   names. Old names are provided as macro aliases for compatibility and
   are not deprecated.

   *Tomáš Mráz*

 * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
   EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
   EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
   are deprecated.

   *Tomáš Mráz*

 * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
   more key types.

 * The output from the command line applications may have minor
   changes.

   *Paul Dale*

 * The output from numerous "printing" functions may have minor changes.

   *David von Oheimb*

 * Windows thread synchronization uses read/write primitives (SRWLock) when
   supported by the OS, otherwise CriticalSection continues to be used.

   *Vincent Drake*

 * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to
   work on read only BIO source/sinks that do not support these functions.
   This allows piping or redirection of a file BIO using stdin to be buffered
   into memory. This is used internally in OSSL_DECODER_from_bio().

   *Shane Lontis*

 * OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1
   this function would return one of the values OSSL_STORE_INFO_NAME,
   OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or
   OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported
   as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now
   reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications
   using this function should be amended to handle the changed return value.

   *Richard Levitte*

 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
   for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
   As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
   Correct the semantics of checking the validation chain in case ESSCertID{,v2}
   contains more than one certificate identifier: This means that all
   certificates referenced there MUST be part of the validation chain.

   *David von Oheimb*

 * The implementations of older EVP ciphers related to CAST, IDEA, SEED, RC2,
   RC4, RC5, DESX and DES have been moved to the legacy provider.

   *Matt Caswell*

 * The implementations of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
   RIPEMD-160 have been moved to the legacy provider.

   *Matt Caswell*

 * The deprecated function EVP_PKEY_get0() now returns NULL when called for a
   provided key.

   *Dmitry Belyavskiy*

 * The deprecated functions EVP_PKEY_get0_RSA(),
   EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(),
   EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as
   well as the similarly named "get1" functions behave differently in
   OpenSSL 3.0.

   *Matt Caswell*

 * A number of functions handling low-level keys or engines were deprecated
   including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(),
   EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
   EVP_PKEY_get0_siphash().

   *Matt Caswell*

 * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into
   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
   will need to load the legacy crypto provider. This includes these PBE
   algorithms which use this KDF:
   - NID_pbeWithMD2AndDES_CBC
   - NID_pbeWithMD5AndDES_CBC
   - NID_pbeWithSHA1AndRC2_CBC
   - NID_pbeWithMD2AndRC2_CBC
   - NID_pbeWithMD5AndRC2_CBC
   - NID_pbeWithSHA1AndDES_CBC

   *Jon Spillett*

 * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and
   BIO_debug_callback() functions.

   *Tomáš Mráz*

 * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
   EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.

   *Tomáš Mráz*

 * The RAND_METHOD APIs have been deprecated.

   *Paul Dale*

 * The SRP APIs have been deprecated.

   *Matt Caswell*

 * Add a compile time option to prevent the caching of provider fetched
   algorithms. This is enabled by including the no-cached-fetch option
   at configuration time.

   *Paul Dale*

 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
   count of PKCS12_DEFAULT_ITER.

   *Tomáš Mráz and Sahana Prasad*

 * The openssl speed command does not use low-level API calls anymore.

   *Tomáš Mráz*

 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
   capable processors.

   *Ilya Albrekht, Sergey Kirillov, Andrey Matyukov (Intel Corp)*

 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.

   *Matt Caswell*

 * Implemented support for fully "pluggable" TLSv1.3 groups. This means that
   providers may supply their own group implementations (using either the "key
   exchange" or the "key encapsulation" methods) which will automatically be
   detected and used by libssl.

   *Matt Caswell, Nicola Tuveri*

 * The undocumented function X509_certificate_type() has been deprecated.

   *Rich Salz*

 * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().

   *Tomáš Mráz*

 * Removed RSA padding mode for SSLv23 (which was only used for
   SSLv2). This includes the functions RSA_padding_check_SSLv23() and
   RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
   `rsautl` command.

   *Rich Salz*

 * Deprecated the obsolete X9.31 RSA key generation related functions.

 * While a callback function set via `SSL_CTX_set_cert_verify_callback()`
   is not allowed to return a value > 1, this is no longer taken as failure.

   *Viktor Dukhovni and David von Oheimb*

 * Deprecated the obsolete X9.31 RSA key generation related functions
   BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
   BN_X931_generate_prime_ex().

   *Tomáš Mráz*

 * The default key generation method for the regular 2-prime RSA keys was
   changed to the FIPS 186-4 B.3.6 method.

   *Shane Lontis*

 * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.

   *Kurt Roeckx*

 * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().

   *Rich Salz*

 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and
   replaced them with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().

   *Rich Salz, Richard Levitte, and David von Oheimb*

 * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.

   *David von Oheimb*

 * Deprecated `OCSP_parse_url()`.

   *David von Oheimb*

 * Validation of SM2 keys has been separated from the validation of regular EC
   keys.

   *Nicola Tuveri*

 * The behavior of the `pkey` command has changed when using the `-check` or
   `-pubcheck` switches: a validation failure triggers an early exit, returning
   a failure exit status to the parent process.

   *Nicola Tuveri*

 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
   to ignore unknown ciphers.

   *Otto Hollmann*

 * The `-cipher-commands` and `-digest-commands` options
   of the command line utility `list` have been deprecated.
   Instead use the `-cipher-algorithms` and `-digest-algorithms` options.

   *Dmitry Belyavskiy*

 * Added convenience functions for generating asymmetric key pairs:
   The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
   and macros for the most common cases: L<EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.

   *David von Oheimb*

 * All of the low-level EC_KEY functions have been deprecated.

   *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*

 * Deprecated all the libcrypto and libssl error string loading
   functions.

   *Richard Levitte*

 * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
   well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
   deprecated.

   *Matt Caswell*

 * The `-crypt` option to the `passwd` command line tool has been removed.

   *Paul Dale*

 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
   was removed.

   *Rich Salz*

 * Add support for AES Key Wrap inverse ciphers to the EVP layer.

   *Shane Lontis*

 * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
   EVP_PKEY_get1_tls_encodedpoint().

   *Matt Caswell*

 * The security callback, which can be customised by application code, supports
   the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter
   was incorrectly passing a DH object. It now passes an EVP_PKEY in all cases.

   *Matt Caswell*

 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
   interface. Their functionality remains unchanged.

   *Jordan Montgomery*

 * Added new option for 'openssl list', '-providers', which will display the
   list of loaded providers, their names, version and status. It optionally
   displays their gettable parameters.

   *Paul Dale*

 * Removed EVP_PKEY_set_alias_type().

   *Richard Levitte*

 * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
   `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.

   *Jeremy Walch*

 * Changed all "STACK" functions to be macros instead of inline functions. Macro
   parameters are still checked for type safety at compile time via helper
   inline functions.

   *Matt Caswell*

 * Remove the RAND_DRBG API.

   *Paul Dale and Matthias St. Pierre*

 * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
   as well as actual hostnames.

 *David Woodhouse*

 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
   conversely, silently ignore DTLS protocol version bounds when configuring
   TLS-based contexts. The commands can be repeated to set bounds of both
   types. The same applies with the corresponding "min_protocol" and
   "max_protocol" command-line switches, in case some application uses both TLS
   and DTLS.

   SSL_CTX instances that are created for a fixed protocol version (e.g.
   `TLSv1_server_method()`) also silently ignore version bounds. Previously
   attempts to apply bounds to these protocol versions would result in an
   error. Now only the "version-flexible" SSL_CTX instances are subject to
   limits in configuration files and command-line options.

 *Viktor Dukhovni*

 * Deprecated the `ENGINE` API. Engines should be replaced with providers
   going forward.

 *Paul Dale*

 * Reworked the recorded ERR codes to make better space for system errors.
   To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
   given code is a system error (true) or an OpenSSL error (false).

 *Richard Levitte*

 * Reworked the test perl framework to better allow parallel testing.

 *Nicola Tuveri and David von Oheimb*

 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
   AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.

 *Shane Lontis*

 * 'Configure' has been changed to figure out the configuration target if
   none is given on the command line. Consequently, the 'config' script is
   now only a mere wrapper. All documentation is changed to only mention
   'Configure'.

 *Rich Salz and Richard Levitte*

 * Added a library context `OSSL_LIB_CTX` that applications as well as
   other libraries can use to form a separate context within which
   libcrypto operations are performed.

 *Richard Levitte*

 * Added various `_ex` functions to the OpenSSL API that support using
   a non-default `OSSL_LIB_CTX`.

 *OpenSSL team*

 * Handshake now fails if the Extended Master Secret extension is dropped
   on renegotiation.

 *Tomáš Mráz*

 * Dropped interactive mode from the `openssl` program.

 *Richard Levitte*

 * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.

 *David von Oheimb and Shane Lontis*

 * Deprecated `EC_METHOD_get_field_type()`.

 *Billy Bob Brumley*

 * Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
   EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method(),
   EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().

 *Billy Bob Brumley*

 * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().

 *Billy Bob Brumley*

 * Add CAdES-BES signature verification support, mostly derived
   from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.

 *Filipe Raimundo da Silva*

 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.

 *Antonio Iacono*

 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
   parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).

 *Jakub Zelenka*

 * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().

 *Billy Bob Brumley*

 * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
   EC_KEY_precompute_mult().

 *Billy Bob Brumley*

 * Deprecated EC_POINTs_mul().

 *Billy Bob Brumley*

 * Removed FIPS_mode() and FIPS_mode_set().

 *Shane Lontis*

 * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.

 *Dmitry Belyavskiy*

 * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
   EC_POINT_get_Jprojective_coordinates_GFp().

 *Billy Bob Brumley*

 * Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM
   arrays to be more easily constructed via a series of utility functions.
   Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
   the various push functions and finally convert to a passable OSSL_PARAM
   array using OSSL_PARAM_BLD_to_param().

 *Paul Dale*

 * The security strength of SHA1 and MD5 based signatures in TLS has been
   reduced.

 *Kurt Roeckx*

 * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
   contain a provider side internal key.

 *Richard Levitte*

 * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.

 *Richard Levitte*

 * Project text documents not yet having a proper file name extension
   (`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to
   `*.md` as far as reasonable, else `*.txt`, for better use with file managers.

 *David von Oheimb*

 * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
   have been converted to Markdown with the goal to produce documents
   which not only look pretty when viewed online in the browser, but
   remain well readable inside a plain text editor.

   To achieve this goal, a 'minimalistic' Markdown style has been applied
   which avoids formatting elements that interfere too much with the
   reading flow in the text file.
   For example, it

   * avoids [ATX headings][] and uses [setext headings][] instead
     (which works for `<h1>` and `<h2>` headings only).
   * avoids [inline links][] and uses [reference links][] instead.
   * avoids [fenced code blocks][] and uses [indented code blocks][] instead.

   [ATX headings]: https://github.github.com/gfm/#atx-headings
   [setext headings]: https://github.github.com/gfm/#setext-headings
   [inline links]: https://github.github.com/gfm/#inline-link
   [reference links]: https://github.github.com/gfm/#reference-link
   [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
   [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks

 *Matthias St. Pierre*

 * The test suite is changed to preserve results of each test recipe.
   A new directory test-runs/ with subdirectories named like the
   test recipes is created in the build tree for this purpose.

 *Richard Levitte*

 * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211, RFC 6712).
   This adds `crypto/cmp/`, `crypto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
   See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.

 *David von Oheimb, Martin Peylo*

 * Generalized the HTTP client code from `crypto/ocsp/` into `crypto/http/`.
   It supports arbitrary request and response content types, GET redirection,
   TLS, connections via HTTP(S) proxies, connections and exchange via
   user-defined BIOs (allowing implicit connections), persistent connections,
   and timeout checks. See L<OSSL_HTTP_transfer(3)> etc. for details.
   The legacy OCSP-focused (and only partly documented) API
   is retained for backward compatibility, while most of it is deprecated.

 *David von Oheimb*

 * Added `util/check-format.pl`, a tool for checking adherence to the
   OpenSSL coding style <https://www.openssl.org/policies/codingstyle.html>.
   The checks performed are incomplete and yield some false positives.
   Still the tool should be useful for detecting most typical glitches.

 *David von Oheimb*

 * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
   If domain name resolution yields multiple IP addresses all of them are tried
   after `connect()` failures.

 *David von Oheimb*

 * All of the low-level RSA functions have been deprecated.

 *Paul Dale*

 * X509 certificates signed using SHA1 are no longer allowed at security
   level 1 and above.

 *Kurt Roeckx*

 * The command line utilities dhparam, dsa, gendsa and dsaparam have been
   modified to use PKEY APIs. These commands are now in maintenance mode
   and no new features will be added to them.

 *Paul Dale*

 * The command line utility rsautl has been deprecated.

 *Paul Dale*

 * The command line utilities genrsa and rsa have been modified to use PKEY
   APIs. They now write PKCS#8 keys by default. These commands are now in
   maintenance mode and no new features will be added to them.

 *Paul Dale*

 * All of the low-level DH functions have been deprecated.

 *Paul Dale and Matt Caswell*

 * All of the low-level DSA functions have been deprecated.

 *Paul Dale*

 * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
   automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.

 *Richard Levitte*

 * Deprecated low-level ECDH and ECDSA functions.

 *Paul Dale*

 * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().

 *Richard Levitte*

 * Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits()
   and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed
   a new formulation to include all the things it can be used for,
   as well as words of caution.

 *Richard Levitte*

 * The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.

 *Paul Dale*

 * All of the low-level HMAC functions have been deprecated.

 *Paul Dale and David von Oheimb*

 * Over two thousand fixes were made to the documentation, including:
   - Common options (such as -rand/-writerand, TLS version control, etc.)
     were refactored and point to newly-enhanced descriptions in openssl.pod.
   - Added style conformance for all options (with help from Richard Levitte),
     documented all reported missing options, added a CI build to check
     that all options are documented and that no unimplemented options
     are documented.
   - Documented some internals, such as all use of environment variables.
   - Addressed all internal broken L<> references.

 *Rich Salz*

 * All of the low-level CMAC functions have been deprecated.

 *Paul Dale*

 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
   functions have been deprecated.

 *Paul Dale and David von Oheimb*

 * Corrected the documentation of the return values from the `EVP_DigestSign*`
   set of functions. The documentation mentioned negative values for some
   errors, but this was never the case, so the mention of negative values
   was removed.

   Code that followed the documentation and thereby checks with something
   like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.

 *Richard Levitte*

 * All of the low-level cipher functions have been deprecated.

 *Matt Caswell and Paul Dale*

 * Removed include/openssl/opensslconf.h.in and replaced it with
   include/openssl/configuration.h.in, which differs in not including
   <openssl/macros.h>. A short header include/openssl/opensslconf.h
   was added to include both.

   This allows internal hacks where one might need to modify the set
   of configured macros, for example this if deprecated symbols are
   still supposed to be available internally:

       #include <openssl/configuration.h>

       #undef OPENSSL_NO_DEPRECATED
       #define OPENSSL_SUPPRESS_DEPRECATED

       #include <openssl/macros.h>

   This should not be used by applications that use the exported
   symbols, as that will lead to linking errors.

 *Richard Levitte*

 * Fixed an overflow bug in the x86_64 Montgomery squaring procedure
   used in exponentiation with 512-bit moduli. No EC algorithms are
   affected. Analysis suggests that attacks against 2-prime RSA1024,
   3-prime RSA1536, and DSA1024 as a result of this defect would be very
   difficult to perform and are not believed likely. Attacks against DH512
   are considered just feasible. However, for an attack the target would
   have to reuse the DH512 private key, which is not recommended anyway.
   Also applications directly using the low-level API BN_mod_exp may be
   affected if they use BN_FLG_CONSTTIME.
   ([CVE-2019-1551])

 *Andy Polyakov*

 * Most memory-debug features have been deprecated, and the functionality
   replaced with no-ops.

 *Rich Salz*

 * Added documentation for the STACK API.

 *Rich Salz*

 * Introduced a new method type and API, OSSL_ENCODER, to represent
   generic encoders. These do the same sort of job that PEM writers
   and i2d functions do, but with support for methods supplied by
   providers, and the possibility for providers to support other
   formats as well.

 *Richard Levitte*

 * Introduced a new method type and API, OSSL_DECODER, to represent
   generic decoders.
   These do the same sort of job that PEM readers
   and d2i functions do, but with support for methods supplied by
   providers, and the possibility for providers to support other
   formats as well.

 *Richard Levitte*

 * Added a .pragma directive to the syntax of configuration files, to
   allow varying behavior in a supported and predictable manner.
   Currently added pragma:

       .pragma dollarid:on

   This allows dollar signs to be a keyword character unless it's
   followed by an opening brace or parenthesis. This is useful for
   platforms where dollar signs are commonly used in names, such as
   volume names and system directory names on VMS.

 *Richard Levitte*

 * Added functionality to create an EVP_PKEY from user data.

 *Richard Levitte*

 * Changed the interpretation of the '--api' configuration option to
   mean that this is a desired API compatibility level with no
   further meaning. The previous interpretation, that this would
   also mean to remove all deprecated symbols up to and including
   the given version, now requires that 'no-deprecated' is also used
   in the configuration.

   When building applications, the desired API compatibility level
   can be set with the OPENSSL_API_COMPAT macro like before. For
   API compatibility versions below 3.0, the old style numerical
   value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
   For version 3.0 and on, the value is expected to be the decimal
   value calculated from the major and minor version like this:

       MAJOR * 10000 + MINOR * 100

   Examples:

       -DOPENSSL_API_COMPAT=30000             For 3.0
       -DOPENSSL_API_COMPAT=30200             For 3.2

   To hide declarations that are deprecated up to and including the
   given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
   given when building the application as well.

 *Richard Levitte*

 * Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
   access to certificate and CRL stores via URIs and OSSL_STORE
   loaders.

   This adds the following functions:

   - X509_LOOKUP_store()
   - X509_STORE_load_file()
   - X509_STORE_load_path()
   - X509_STORE_load_store()
   - SSL_add_store_cert_subjects_to_stack()
   - SSL_CTX_set_default_verify_store()
   - SSL_CTX_load_verify_file()
   - SSL_CTX_load_verify_dir()
   - SSL_CTX_load_verify_store()

 *Richard Levitte*

 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
   The presence of this system service is determined at run-time.

 *Richard Levitte*

 * Added functionality to create an EVP_PKEY context based on data
   for methods from providers. This takes an algorithm name and a
   property query string and simply stores them, with the intent
   that any operation that uses this context will use those strings
   to fetch the needed methods implicitly, thereby making the port
   of applications written for pre-3.0 OpenSSL easier.

 *Richard Levitte*

 * The undocumented function NCONF_WIN32() has been deprecated; for
   conversion details see the HISTORY section of doc/man5/config.pod.

 *Rich Salz*

 * Introduced the new functions EVP_DigestSignInit_ex() and
   EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
   EVP_DigestVerifyUpdate() have been converted to functions. See the man
   pages for further details.

 *Matt Caswell*

 * Over two thousand fixes were made to the documentation, including:
   adding missing command flags, better style conformance, documentation
   of internals, etc.

 *Rich Salz, Richard Levitte*

 * s390x assembly pack: add hardware support for P-256, P-384, P-521,
   X25519, X448, Ed25519 and Ed448.

 *Patrick Steuer*

 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
   the first value.

 *Jon Spillett*

 * Deprecated the public definition of `ERR_STATE` as well as the function
   `ERR_get_state()`. This is done in preparation of making `ERR_STATE` an
   opaque type.

 *Richard Levitte*

 * Added ERR functionality to give callers access to the stored function
   names that have replaced the older function code based functions.

   New functions are ERR_peek_error_func(), ERR_peek_last_error_func(),
   ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(),
   ERR_peek_error_all() and ERR_peek_last_error_all().

   Deprecated ERR functions: ERR_get_error_line(), ERR_get_error_line_data(),
   ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
   ERR_func_error_string().

 *Richard Levitte*

 * Extended testing to be verbose for failing tests only. The make variables
   VERBOSE_FAILURE or VF can be used to enable this:

       $ make VF=1 test                   # Unix
       $ mms /macro=(VF=1) test           ! OpenVMS
       $ nmake VF=1 test                  # Windows

 *Richard Levitte*

 * Added the `-copy_extensions` option to the `x509` command for use with
   `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
   all extensions in the request are copied to the certificate or vice versa.

 *David von Oheimb*, *Kirill Stefanenkov <kirill_stefanenkov@rambler.ru>*

 * Added the `-copy_extensions` option to the `req` command for use with
   `-x509`. When given with the `copy` or `copyall` argument,
   all extensions in the certification request are copied to the certificate.

 *David von Oheimb*

 * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
   they generate are by default RFC 5280 compliant in the following sense:
   There is a subjectKeyIdentifier extension with a hash value of the public key
   and for non-self-signed certs there is an authorityKeyIdentifier extension
   with a keyIdentifier field or issuer information identifying the signing key.
   This is done unless some configuration overrides the new default behavior,
   such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.

 *David von Oheimb*

 * Added several checks to `X509_verify_cert()` according to requirements in
   RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set
   (which may be done by using the CLI option `-x509_strict`):
   * The basicConstraints of CA certificates must be marked critical.
   * CA certificates must explicitly include the keyUsage extension.
   * If a pathlenConstraint is given the key usage keyCertSign must be allowed.
   * The issuer name of any certificate must not be empty.
   * The subject name of CA certs, certs with keyUsage crlSign,
     and certs without subjectAlternativeName must not be empty.
   * If a subjectAlternativeName extension is given it must not be empty.
   * The signatureAlgorithm field and the cert signature must be consistent.
   * Any given authorityKeyIdentifier and any given subjectKeyIdentifier
     must not be marked critical.
   * The authorityKeyIdentifier must be given for X.509v3 certs
     unless they are self-signed.
   * The subjectKeyIdentifier must be given for all X.509v3 CA certs.

 *David von Oheimb*

 * Certificate verification using `X509_verify_cert()` now rejects EC keys
   with explicit curve parameters (specifiedCurve) as required by RFC 5480.

 *Tomáš Mráz*

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

 *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

 *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   The attack is simple: the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext. If the second
   recipientInfo decrypts to a well-formed PKCS #1 v1.5 plaintext, the correct
   encryption key is replaced by garbage and the message cannot be
   decoded; if instead the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack. The difference in
   outcome is the oracle.
   As a workaround for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag; doing so reopens the oracle, so the flag is
   for debugging only.

 *Bernd Edlinger*

 * Early start up entropy quality from the DEVRANDOM seed source has been
   improved for older Linux systems.
   The RAND subsystem will wait for
   /dev/random to be producing output before seeding from /dev/urandom.
   The seeded state is stored for future library initialisations using
   a system global shared memory segment. The shared memory identifier
   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
   the desired value. The default identifier is 114.

 *Paul Dale*

 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
   when primes for RSA keys are computed.
   Since we previously always generated primes == 2 (mod 3) for RSA keys,
   the 2-prime and 3-prime RSA moduli were easy to distinguish, since
   `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore, fingerprinting
   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
   This avoids possible fingerprinting of newly generated RSA moduli.

 *Bernd Edlinger*

 * Correct the extended master secret constant on EBCDIC systems. Without this
   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
   negotiate EMS will fail. Unfortunately this also means that TLS connections
   between EBCDIC systems with this fix, and EBCDIC systems without this
   fix will fail if they negotiate EMS.

 *Matt Caswell*

 * Changed the library initialisation so that the config file is now loaded
   by default. This was already the case for libssl. It now occurs for both
   libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
   `OPENSSL_init_crypto()` to suppress automatic loading of a config file.

 *Matt Caswell*

 * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
   where the former acts as a replacement for `ERR_put_error()`, and the
   latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`.
   `ERR_raise_data()` adds more flexibility by taking a format string and
   an arbitrary number of arguments following it, to be processed with
   `BIO_snprintf()`.

 *Richard Levitte*

 * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used
   to check if a named provider is loaded and available. When called, it
   will also activate all fallback providers if such are still present.

 *Richard Levitte*

 * Enforce a minimum DH modulus size of 512 bits.

 *Bernd Edlinger*

 * Changed DH parameters to generate the order q subgroup instead of 2q.
   Previously generated DH parameters are still accepted by DH_check
   but DH_generate_key works around that by clearing bit 0 of the
   private key for those. This avoids leaking bit 0 of the private key
   (with a generator of order 2q, whether the public value g^x is a
   quadratic residue reveals whether x is even, which anyone can test).

 *Bernd Edlinger*

 * Significantly reduce secure memory usage by the randomness pools.

 *Paul Dale*

 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
   deprecated.

 *Rich Salz*

 * A new type, EVP_KEYEXCH, has been introduced to represent key exchange
   algorithms. An implementation of a key exchange algorithm can be obtained
   by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
   used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
   the older EVP_PKEY_derive_init() function. See the man pages for the new
   functions for further details.

 *Matt Caswell*

 * The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.

 *Matt Caswell*

 * Removed the function names from error messages and deprecated the
   xxx_F_xxx define's.

 *Richard Levitte*

 * Removed NextStep support and the macro OPENSSL_UNISTD.

 *Rich Salz*

 * Removed DES_check_key.
   Also removed OPENSSL_IMPLEMENT_GLOBAL,
   OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
   Also removed "export var as function" capability; we do not export
   variables, only functions.

 *Rich Salz*

 * RC5_32_set_key has been changed to return an int type, with 0 indicating
   an error and 1 indicating success. In previous versions of OpenSSL this
   was a void type. If a key was set longer than the maximum possible this
   would crash.

 *Matt Caswell*

 * Support SM2 signing and verification schemes with X509 certificate.

 *Paul Yang*

 * Use SHA256 as the default digest for TS query in the `ts` app.

 *Tomáš Mráz*

 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.

 *Shane Lontis*

 * Default cipher lists/suites are now available via a function, the
   #defines are deprecated.

 *Todd Short*

 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
   VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
   for Windows Store apps easier. Also, the "no-uplink" option has been added.

 *Kenji Mouri*

 * Join the directories crypto/x509 and crypto/x509v3.

 *Richard Levitte*

 * Added command 'openssl kdf' that uses the EVP_KDF API.

 *Shane Lontis*

 * Added command 'openssl mac' that uses the EVP_MAC API.

 *Shane Lontis*

 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
   as default directories. Also added the command 'openssl info'
   for scripting purposes.

 *Richard Levitte*

 * The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
   deprecated.

 *Matt Caswell*

 * Add prediction resistance to the DRBG reseeding process.

 *Paul Dale*

 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
   mandated by IEEE Std 1619-2018.
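   The `BN_generate_prime_ex` entry above describes why N mod 3 used to
   identify 2-prime versus 3-prime RSA keys. The following is an added example
   written for this page, not OpenSSL code: it computes N mod 3 directly from
   the big-endian modulus bytes (using 256 == 1 mod 3, so no bignum library is
   needed) and applies the old-keygen fingerprint rule. The moduli are
   constructed from tiny primes purely for illustration; `new_two_prime` uses a
   prime that is 1 (mod 3), which the old generator never produced, to show
   that the fingerprint says nothing about keys from the revised generator.

```c
/*
 * Added example, not OpenSSL code: fingerprinting RSA moduli by N mod 3.
 *
 * The old generator avoided small factors in p-1, so every RSA prime was
 * == 2 (mod 3).  Hence N = p*q == 1 (mod 3) for 2-prime keys and
 * N = p*q*r == 2 (mod 3) for 3-prime keys: the residue leaked the prime count.
 */
#include <stddef.h>
#include <stdio.h>

/* Residue mod 3 of a big-endian unsigned integer given as bytes. */
int modulus_mod3(const unsigned char *n, size_t len)
{
    unsigned int acc = 0;
    size_t i;

    /* 256 == 1 (mod 3), so N mod 3 equals the byte sum mod 3;
     * reduce on every step so acc never overflows. */
    for (i = 0; i < len; i++)
        acc = (acc + n[i]) % 3;
    return (int)acc;
}

/*
 * Apply the fingerprint rule that held for keys from the old generator.
 * Returns 2 ("looks 2-prime"), 3 ("looks 3-prime"), or 0 when 3 divides N,
 * which is never a valid RSA modulus.  For keys from the revised generator
 * the residue is 1 or 2 independently of the prime count, so the answer is
 * meaningless there (see new_two_prime below).
 */
int guess_prime_count_old_keygen(const unsigned char *n, size_t len)
{
    switch (modulus_mod3(n, len)) {
    case 1:
        return 2;   /* 2 * 2 == 4 == 1 (mod 3) */
    case 2:
        return 3;   /* 2 * 2 * 2 == 8 == 2 (mod 3) */
    default:
        return 0;   /* 3 | N: not an RSA modulus at all */
    }
}

/* Constructed sample moduli (toy-sized; real keys are 2048+ bits). */
static const unsigned char two_prime[]     = { 0xBB };        /* 11 * 17 = 187 */
static const unsigned char three_prime[]   = { 0x10, 0xCD };  /* 11 * 17 * 23 = 4301 */
static const unsigned char new_two_prime[] = { 0x4D };        /* 7 * 11 = 77, 7 == 1 (mod 3) */
static const unsigned char n256[]          = { 0x01, 0x00 };  /* 256: multi-byte check */

int main(void)
{
    printf("old 2-prime   N mod 3 = %d -> guessed %d primes\n",
           modulus_mod3(two_prime, sizeof two_prime),
           guess_prime_count_old_keygen(two_prime, sizeof two_prime));
    printf("old 3-prime   N mod 3 = %d -> guessed %d primes\n",
           modulus_mod3(three_prime, sizeof three_prime),
           guess_prime_count_old_keygen(three_prime, sizeof three_prime));
    printf("new 2-prime   N mod 3 = %d -> guessed %d primes (wrong: rule no longer applies)\n",
           modulus_mod3(new_two_prime, sizeof new_two_prime),
           guess_prime_count_old_keygen(new_two_prime, sizeof new_two_prime));
    printf("256           N mod 3 = %d\n", modulus_mod3(n256, sizeof n256));
    return 0;
}
```

   To try it on a real key, feed `modulus_mod3()` the raw big-endian modulus
   bytes (for example the output of `openssl rsa -modulus -noout`, hex-decoded).
   A residue of 0 means the input is not an RSA modulus.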
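   The DH parameters entry above (order-q subgroup instead of 2q, and
   DH_generate_key clearing bit 0 of the private key for old parameters) states
   the leak without showing it. The following is an added example written for
   this page, not OpenSSL code and not using the BN/DH API: in a safe-prime
   group p = 2q + 1, a generator of order 2q is a quadratic non-residue, so the
   public value y = g^x is a residue exactly when x is even, and Euler's
   criterion y^q mod p lets any observer read that bit. A generator of the
   order-q subgroup is itself a residue, so y^q == 1 for every x and nothing is
   revealed. The group p = 23, q = 11 with g = 5 (order 22) and g = 2 (order 11)
   is a constructed toy instance so the arithmetic fits in 64 bits.

```c
/*
 * Added example, not OpenSSL code: bit-0 leak from an order-2q DH generator.
 * Toy parameters (p = 23); the modpow below only handles moduli < 2^32.
 */
#include <stdint.h>
#include <stdio.h>

/* b^e mod m for m < 2^32, so that each product fits in uint64_t. */
uint64_t modpow(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;

    b %= m;
    while (e > 0) {
        if (e & 1)
            r = (r * b) % m;
        b = (b * b) % m;
        e >>= 1;
    }
    return r;
}

/*
 * DH_check-style generator test for a safe-prime group p = 2q + 1.
 * Returns 1 if g generates the order-q subgroup (g^q == 1, the new default),
 * 0 if g has order 2q (g^q == p - 1, the old parameters), -1 otherwise.
 */
int generator_subgroup_check(uint64_t p, uint64_t q, uint64_t g)
{
    uint64_t t;

    if (q == 0 || p != 2 * q + 1 || g <= 1 || g >= p - 1)
        return -1;
    t = modpow(g, q, p);
    if (t == 1)
        return 1;
    if (t == p - 1)
        return 0;
    return -1;
}

/*
 * What a passive observer learns about the private key x from the public
 * value y = g^x: 0 (x even) or 1 (x odd) when g has order 2q, and -1 when
 * g lies in the order-q subgroup and nothing leaks.
 */
int leaked_low_bit(uint64_t p, uint64_t q, uint64_t g, uint64_t y)
{
    if (generator_subgroup_check(p, q, g) != 0)
        return -1;
    /* Euler's criterion: y^q == 1 iff y is a quadratic residue iff x is even. */
    return modpow(y, q, p) == 1 ? 0 : 1;
}

/* The workaround for old parameters: force x even so y is always a residue. */
uint64_t workaround_private_key(uint64_t x)
{
    return x & ~(uint64_t)1;
}

int main(void)
{
    const uint64_t p = 23, q = 11;      /* constructed toy safe-prime group */
    const uint64_t g_old = 5;           /* order 22: quadratic non-residue */
    const uint64_t g_new = 2;           /* order 11: 2 == 5^2 (mod 23) */
    uint64_t x;

    for (x = 1; x < 2 * q; x++) {
        uint64_t y_old = modpow(g_old, x, p), y_new = modpow(g_new, x, p);

        printf("x=%2llu  g=5: y=%2llu leaks bit %2d   g=2: y=%2llu leaks bit %2d\n",
               (unsigned long long)x, (unsigned long long)y_old,
               leaked_low_bit(p, q, g_old, y_old),
               (unsigned long long)y_new, leaked_low_bit(p, q, g_new, y_new));
    }
    printf("workaround: x=7 -> x=%llu, y=%llu leaks bit %d\n",
           (unsigned long long)workaround_private_key(7),
           (unsigned long long)modpow(g_old, workaround_private_key(7), p),
           leaked_low_bit(p, q, g_old, modpow(g_old, workaround_private_key(7), p)));
    return 0;
}
```

   The same `g^q mod p` test is what you would run on inherited DH parameter
   files before deciding whether they still need the bit-clearing workaround;
   with the new parameters the check returns 1 and the leak does not exist.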

 *Paul Dale*

 * Added newline escaping functionality to a filename when using openssl dgst.
   This output format is to replicate the output format found in the `*sum`
   checksum programs. This aims to preserve backward compatibility.

 *Matt Eaton, Richard Levitte, and Paul Dale*

 * Removed the heartbeat message in DTLS feature, as it has very
   little usage and doesn't seem to fulfill a valuable purpose.
   The configuration option is now deprecated.

 *Richard Levitte*

 * Changed the output of 'openssl {digestname} < file' to display the
   digest name in its output.

 *Richard Levitte*

 * Added a new generic trace API which provides support for enabling
   instrumentation through trace output.

 *Richard Levitte & Matthias St. Pierre*

 * Added build tests for C++. These are generated files that only do one
   thing, to include one public OpenSSL header file each. This tests that
   the public header files can be usefully included in a C++ application.

   This test isn't enabled by default. It can be enabled with the option
   'enable-buildtest-c++'.

 *Richard Levitte*

 * Added KB KDF (EVP_KDF_KB) to EVP_KDF.

 *Robbie Harwood*

 * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.

 *Simo Sorce*

 * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.

 *Shane Lontis*

 * Added KMAC to EVP_MAC.

 *Shane Lontis*

 * Added property based algorithm implementation selection framework to
   the core.

 *Paul Dale*

 * Added SCA hardening for modular field inversion in EC_GROUP through
   a new dedicated field_inv() pointer in EC_METHOD.
   This also addresses a leakage affecting conversions from projective
   to affine coordinates.

 *Billy Bob Brumley, Nicola Tuveri*

 * Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
   implementations. This includes an EVP_PKEY to EVP_KDF bridge for
   those algorithms that were already supported through the EVP_PKEY API
   (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
   and scrypt are now wrappers that call EVP_KDF.

 *David Makepeace*

 * Build devcrypto engine as a dynamic engine.

 *Eneas U de Queiroz*

 * Add keyed BLAKE2 to EVP_MAC.

 *Antoine Salon*

 * Fix a bug in the computation of the endpoint-pair shared secret used
   by DTLS over SCTP. This breaks interoperability with older versions
   of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
   switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
   interoperability with such broken implementations. However, enabling
   this switch breaks interoperability with correct implementations.

 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
   reused X509_PUBKEY object if the second PUBKEY is malformed.

 *Bernd Edlinger*

 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().

 *Richard Levitte*

 * Changed the license to the Apache License v2.0.

 *Richard Levitte*

 * Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.

   - Major releases (indicated by incrementing the MAJOR release number)
     may introduce incompatible API/ABI changes.
   - Minor releases (indicated by incrementing the MINOR release number)
     may introduce new features but retain API/ABI compatibility.
   - Patch releases (indicated by incrementing the PATCH number)
     are intended for bug fixes and other improvements of existing
     features only (like improving performance or adding documentation)
     and retain API/ABI compatibility.
   *Richard Levitte*

 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.

   *Todd Short*

 * Remove the 'dist' target and add a tarball building script. The
   'dist' target has fallen out of use, and it shouldn't be
   necessary to configure just to create a source distribution.

   *Richard Levitte*

 * Recreate the OS390-Unix config target. It no longer relies on a
   special script like it did for OpenSSL pre-1.1.0.

   *Richard Levitte*

 * Instead of having the source directories listed in Configure, add
   a 'build.info' keyword SUBDIRS to indicate what sub-directories to
   look into.

   *Richard Levitte*

 * Add GMAC to EVP_MAC.

   *Paul Dale*

 * Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.

   *Richard Levitte*

 * Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
   implementations. This includes a generic EVP_PKEY to EVP_MAC bridge,
   to facilitate the continued use of MACs through raw private keys in
   functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.

   *Richard Levitte*

 * Deprecate ECDH_KDF_X9_62().

   *Antoine Salon*

 * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
   the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
   are retained for backwards compatibility.

   *Antoine Salon*

 * AES-XTS mode now enforces that its two keys are different to mitigate
   the attack described in "Efficient Instantiations of Tweakable
   Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
   Details of this attack can be obtained from:
   <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf>

   *Paul Dale*

 * Rename the object files, i.e. give them other names than in previous
   versions.
   Their names now include the name of the final product, as
   well as its type mnemonic (bin, lib, shlib).

   *Richard Levitte*

 * Added new option for 'openssl list', '-objects', which will display the
   list of built-in objects, i.e. OIDs with names.

   *Richard Levitte*

 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
   allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
   be set explicitly.

   *Chris Novakovic*

 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
   improves application performance by removing data copies and providing
   applications with zero-copy system calls such as sendfile and splice.

   *Boris Pismenny*

 * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.

   *Martin Elshuber*

 * `PKCS12_parse` now maintains the order of the parsed certificates
   when outputting them via `*ca` (rather than reversing it).

   *David von Oheimb*

 * Deprecated pthread fork support methods.

   *Randall S. Becker*

 * Added support for FFDHE key exchange in TLS 1.3.

   *Raja Ashok*

 * Added a new concept for OpenSSL pluggability: providers. This
   functionality is designed to replace the ENGINE API and ENGINE
   implementations, and to be much more dynamic, allowing provider
   authors to introduce new algorithms among other things, as long as
   there's an API that supports the algorithm type.

   With this concept comes a new core API for interaction between
   libcrypto and provider implementations. Public libcrypto functions
   that want to use providers do so through this core API.
   The main documentation for this core API is found in
   doc/man7/provider.pod and doc/man7/provider-base.pod, and they in turn
   refer to other manuals describing the API specific to the supported
   algorithm types (also called operations).

   *The OpenSSL team*

OpenSSL 1.1.1
-------------

### Changes between 1.1.1m and 1.1.1n [xx XXX xxxx]

### Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

 * Avoid loading of a dynamic engine twice.

   *Bernd Edlinger*

 * Prioritise DANE TLSA issuer certs over peer certs.

   *Viktor Dukhovni*

 * Fixed random API for MacOS prior to 10.12.

   These MacOS versions don't support the CommonCrypto APIs.

   *Lenny Primak*

### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

 * Fixed an SM2 Decryption Buffer Overflow.

   In order to decrypt SM2 encrypted data an application is expected to
   call the API function EVP_PKEY_decrypt(). Typically an application will
   call this function twice. The first time, on entry, the "out" parameter
   can be NULL and, on exit, the "outlen" parameter is populated with the
   buffer size required to hold the decrypted plaintext. The application
   can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
   again, but this time passing a non-NULL value for the "out" parameter.

   A bug in the implementation of the SM2 decryption code means that the
   calculation of the buffer size required to hold the plaintext returned
   by the first call to EVP_PKEY_decrypt() can be smaller than the actual
   size required by the second call. This can lead to a buffer overflow
   when EVP_PKEY_decrypt() is called by the application a second time with
   a buffer that is too small.
   A malicious attacker who is able to present SM2 content for decryption to
   an application could cause attacker-chosen data to overflow the buffer
   by up to a maximum of 62 bytes, altering the contents of other data held
   after the buffer, possibly changing application behaviour or causing
   the application to crash. The location of the buffer is application
   dependent but is typically heap allocated.
   ([CVE-2021-3711])

   *Matt Caswell*

 * Fixed various read buffer overruns processing ASN.1 strings.

   ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
   structure which contains a buffer holding the string data and a field
   holding the buffer length. This contrasts with normal C strings which
   are represented as a buffer for the string data which is terminated
   with a NUL (0) byte.

   Although not a strict requirement, ASN.1 strings that are parsed using
   OpenSSL's own "d2i" functions (and other similar parsing functions) as
   well as any string whose value has been set with the ASN1_STRING_set()
   function will additionally NUL terminate the byte array in the
   ASN1_STRING structure.

   However, it is possible for applications to directly construct valid
   ASN1_STRING structures which do not NUL terminate the byte array by
   directly setting the "data" and "length" fields in the ASN1_STRING
   structure. This can also happen by using the ASN1_STRING_set0() function.

   Numerous OpenSSL functions that print ASN.1 data have been found to
   assume that the ASN1_STRING byte array will be NUL terminated, even
   though this is not guaranteed for strings that have been directly
   constructed.
   Where an application requests an ASN.1 structure to be
   printed, and where that ASN.1 structure contains ASN1_STRINGs that have
   been directly constructed by the application without NUL terminating
   the "data" field, then a read buffer overrun can occur.

   The same thing can also occur during name constraints processing
   of certificates (for example if a certificate has been directly
   constructed by the application instead of loading it via the OpenSSL
   parsing functions, and the certificate contains non-NUL-terminated
   ASN1_STRING structures). It can also occur in the X509_get1_email(),
   X509_REQ_get1_email() and X509_get1_ocsp() functions.

   If a malicious actor can cause an application to directly construct an
   ASN1_STRING and then process it through one of the affected OpenSSL
   functions then this issue could be hit. This might result in a crash
   (causing a Denial of Service attack). It could also result in the
   disclosure of private memory contents (such as private keys, or
   sensitive plaintext).
   ([CVE-2021-3712])

   *Matt Caswell*

### Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

 * Fixed a problem with verifying a certificate chain when using the
   X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of
   the certificates present in a certificate chain. It is not set by default.

   Starting from OpenSSL version 1.1.1h a check to disallow certificates in
   the chain that have explicitly encoded elliptic curve parameters was added
   as an additional strict check.

   An error in the implementation of this check meant that the result of a
   previous check to confirm that certificates in the chain are valid CA
   certificates was overwritten. This effectively bypasses the check
   that non-CA certificates must not be able to issue other certificates.
   If a "purpose" has been configured then there is a subsequent opportunity
   for checks that the certificate is a valid CA. All of the named "purpose"
   values implemented in libcrypto perform this check. Therefore, where
   a purpose is set the certificate chain will still be rejected even when the
   strict flag has been used. A purpose is set by default in libssl client and
   server certificate verification routines, but it can be overridden or
   removed by an application.

   In order to be affected, an application must explicitly set the
   X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
   for the certificate verification or, in the case of TLS client or server
   applications, override the default purpose.
   ([CVE-2021-3450])

   *Tomáš Mráz*

 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client. If a TLSv1.2
   renegotiation ClientHello omits the signature_algorithms extension (where it
   was present in the initial ClientHello), but includes a
   signature_algorithms_cert extension then a NULL pointer dereference will
   result, leading to a crash and a denial of service attack.

   A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
   (which is the default configuration). OpenSSL TLS clients are not impacted by
   this issue.
   ([CVE-2021-3449])

   *Peter Kästle and Samuel Sapalski*

### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

 * Fixed the X509_issuer_and_serial_hash() function. It attempts to
   create a unique hash value based on the issuer and serial number data
   contained within an X509 certificate. However, it was failing to correctly
   handle any errors that may occur while parsing the issuer field (which might
   occur if the issuer field is maliciously constructed).
   This may subsequently
   result in a NULL pointer deref and a crash leading to a potential denial of
   service attack.
   ([CVE-2021-23841])

   *Matt Caswell*

 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
   padding mode to correctly check for rollback attacks. This is considered a
   bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
   CVE-2021-23839.

   *Matt Caswell*

 * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
   functions. Previously they could overflow the output length argument in some
   cases where the input length is close to the maximum permissible length for
   an integer on the platform. In such cases the return value from the function
   call would be 1 (indicating success), but the output length value would be
   negative. This could cause applications to behave incorrectly or crash.
   ([CVE-2021-23840])

   *Matt Caswell*

 * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
   implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
   could be exploited in a side channel attack to recover the password. Since
   the attack is local host only this is outside of the current OpenSSL
   threat model and therefore no CVE is assigned.

   Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
   issue.

   *Matt Caswell*

### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]

 * Fixed NULL pointer deref in the GENERAL_NAME_cmp function.
   This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
   If an attacker can control both items being compared then this could lead
   to a possible denial of service attack.
   OpenSSL itself uses the
   GENERAL_NAME_cmp function for two purposes:
   1) Comparing CRL distribution point names between an available CRL and a
      CRL distribution point embedded in an X509 certificate
   2) When verifying that a timestamp response token signer matches the
      timestamp authority name (exposed via the API functions
      TS_RESP_verify_response and TS_RESP_verify_token)
   ([CVE-2020-1971])

   *Matt Caswell*

### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

 * Certificates with explicit curve parameters are now disallowed in
   verification chains if the X509_V_FLAG_X509_STRICT flag is used.

   *Tomáš Mráz*

 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
   conversely, silently ignore DTLS protocol version bounds when configuring
   TLS-based contexts. The commands can be repeated to set bounds of both
   types. The same applies with the corresponding "min_protocol" and
   "max_protocol" command-line switches, in case some application uses both TLS
   and DTLS.

   SSL_CTX instances that are created for a fixed protocol version (e.g.
   TLSv1_server_method()) also silently ignore version bounds. Previously
   attempts to apply bounds to these protocol versions would result in an
   error. Now only the "version-flexible" SSL_CTX instances are subject to
   limits in configuration files and command-line options.

   *Viktor Dukhovni*

 * Handshake now fails if Extended Master Secret extension is dropped
   on renegotiation.
   *Tomáš Mráz*

 * The Oracle Developer Studio compiler will start reporting deprecated APIs

### Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

 * Fixed segmentation fault in SSL_check_chain().
   Server or client applications that call the SSL_check_chain() function
   during or after a TLS 1.3 handshake may crash due to a NULL pointer
   dereference as a result of incorrect handling of the
   "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
   or unrecognised signature algorithm is received from the peer. This could
   be exploited by a malicious peer in a Denial of Service attack.
   ([CVE-2020-1967])

   *Benjamin Kaduk*

 * Added AES consttime code for no-asm configurations.
   Optional constant-time support for AES was added
   when building openssl for no-asm.
   Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
   Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
   At this time this feature is disabled by default.
   It will be enabled by default in 3.0.

   *Bernd Edlinger*

### Changes between 1.1.1e and 1.1.1f [31 Mar 2020]

 * Revert the change of EOF detection while reading in libssl to avoid
   regressions in applications depending on the current way of reporting
   the EOF. As the existing method is not fully accurate the change to
   reporting the EOF via SSL_ERROR_SSL is kept on the current development
   branch and will be present in the 3.0 release.

   *Tomáš Mráz*

 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
   when primes for RSA keys are computed.
   Since we previously always generated primes == 2 (mod 3) for RSA keys,
   the 2-prime and 3-prime RSA moduli were easy to distinguish, since
   N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore, fingerprinting
   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
   This avoids possible fingerprinting of newly generated RSA moduli.

   *Bernd Edlinger*

### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]

 * Properly detect EOF while reading in libssl. Previously if we hit an EOF
   while reading in libssl then we would report an error back to the
   application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
   an error to the stack (which means we instead return SSL_ERROR_SSL) and
   therefore give a hint as to what went wrong.

   *Matt Caswell*

 * Check that ed25519 and ed448 are allowed by the security level. Previously
   signature algorithms not using an MD were not being checked for being
   allowed by the security level.

   *Kurt Roeckx*

 * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
   was not quite right. The behaviour was not consistent between resumption
   and normal handshakes, and also not quite consistent with historical
   behaviour. The behaviour in various scenarios has been clarified and
   it has been updated to make it match historical behaviour as closely as
   possible.

   *Matt Caswell*

 * *[VMS only]* The header files that the VMS compilers include automatically,
   `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas
   that the C++ compiler doesn't understand. This is a shortcoming in the
   compiler, but can be worked around with `__cplusplus` guards.

   C++ applications that use OpenSSL libraries must be compiled using the
   qualifier `/NAMES=(AS_IS,SHORTENED)` to be able to use all the OpenSSL
   functions. Otherwise, only functions with symbols of less than 31
   characters can be used, as the linker will not be able to successfully
   resolve symbols with longer names.

   *Richard Levitte*

 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
   The presence of this system service is determined at run-time.

   *Richard Levitte*

 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
   the first value.

   *Jon Spillett*

### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]

 * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
   number generator (RNG). This was intended to include protection in the
   event of a fork() system call in order to ensure that the parent and child
   processes did not share the same RNG state. However, this protection was not
   being used in the default case.

   A partial mitigation for this issue is that the output from a high
   precision timer is mixed into the RNG state so the likelihood of a parent
   and child process sharing state is significantly reduced.

   If an application already calls OPENSSL_init_crypto() explicitly using
   OPENSSL_INIT_ATFORK then this problem does not occur at all.
   ([CVE-2019-1549])

   *Matthias St. Pierre*

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple, if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext. If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a workaround for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.
   ([CVE-2019-1563])

   *Bernd Edlinger*

 * Early start-up entropy quality from the DEVRANDOM seed source has been
   improved for older Linux systems. The RAND subsystem will wait for
   /dev/random to be producing output before seeding from /dev/urandom.
   The seeded state is stored for future library initialisations using
   a system global shared memory segment. The shared memory identifier
   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
   the desired value. The default identifier is 114.

   *Paul Dale*

 * Correct the extended master secret constant on EBCDIC systems. Without this
   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
   negotiate EMS will fail. Unfortunately this also means that TLS connections
   between EBCDIC systems with this fix, and EBCDIC systems without this
   fix will fail if they negotiate EMS.
   *Matt Caswell*

 * Use Windows installation paths in the mingw builds.

   Mingw isn't a POSIX environment per se, which means that Windows
   paths should be used for installation.
   ([CVE-2019-1552])

   *Richard Levitte*

 * Changed DH_check to accept parameters with order q and 2q subgroups.
   With order 2q subgroups the bit 0 of the private key is not secret
   but DH_generate_key works around that by clearing bit 0 of the
   private key for those. This avoids leaking bit 0 of the private key.

   *Bernd Edlinger*

 * Significantly reduce secure memory usage by the randomness pools.

   *Paul Dale*

 * Revert the DEVRANDOM_WAIT feature for Linux systems.

   The DEVRANDOM_WAIT feature added a select() call to wait for the
   /dev/random device to become readable before reading from the
   /dev/urandom device.

   It turned out that this change had negative side effects on
   performance which were not acceptable. After some discussion it
   was decided to revert this feature and leave it up to the OS
   or the platform maintainer to ensure a proper initialization
   during early boot time.

   *Matthias St. Pierre*

### Changes between 1.1.1b and 1.1.1c [28 May 2019]

 * Add build tests for C++. These are generated files that only do one
   thing, to include one public OpenSSL header file each. This tests that
   the public header files can be usefully included in a C++ application.

   This test isn't enabled by default. It can be enabled with the option
   'enable-buildtest-c++'.

   *Richard Levitte*

 * Enable SHA3 pre-hashing for ECDSA and DSA.

   *Patrick Steuer*

 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
   This changes the size when using the `genpkey` command when no size is given.
   It fixes an omission in earlier changes that changed all RSA, DSA and DH
   generation commands to use 2048 bits by default.

   *Kurt Roeckx*

 * Reorganize the manual pages to consistently have RETURN VALUES,
   EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
   util/fix-doc-nits accordingly.

   *Paul Yang, Joshua Lock*

 * Add the missing accessor EVP_PKEY_get0_engine().

   *Matt Caswell*

 * Have commands like `s_client` and `s_server` output the signature scheme
   along with other cipher suite parameters when debugging.

   *Lorinczy Zsigmond*

 * Make OPENSSL_config() error agnostic again.

   *Richard Levitte*

 * Do the error handling in RSA decryption constant time.

   *Bernd Edlinger*

 * Prevent over-long nonces in ChaCha20-Poly1305.

   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
   for every encryption operation. RFC 7539 specifies that the nonce value
   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
   and front-pads the nonce with 0 bytes if it is less than 12
   bytes. However it also incorrectly allows a nonce to be set of up to 16
   bytes. In this case only the last 12 bytes are significant and any
   additional leading bytes are ignored.

   It is a requirement of using this cipher that nonce values are
   unique. Messages encrypted using a reused nonce value are susceptible to
   serious confidentiality and integrity attacks. If an application changes
   the default nonce length to be longer than 12 bytes and then makes a
   change to the leading bytes of the nonce expecting the new value to be a
   new unique nonce then such an application could inadvertently encrypt
   messages with a reused nonce.

   Additionally the ignored bytes in a long nonce are not covered by the
   integrity guarantee of this cipher.
   Any application that relies on the
   integrity of these ignored leading bytes of a long nonce may be further
   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
   is safe because no such use sets such a long nonce value. However user
   applications that use this cipher directly and set a non-default nonce
   length to be longer than 12 bytes may be vulnerable.

   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
   Greef of Ronomon.
   ([CVE-2019-1543])

   *Matt Caswell*

 * Add DEVRANDOM_WAIT feature for Linux systems.

   On older Linux systems where the getrandom() system call is not available,
   OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
   Contrary to getrandom(), the /dev/urandom device will not block during
   early boot when the kernel CSPRNG has not been seeded yet.

   To mitigate this known weakness, use select() to wait for /dev/random to
   become readable before reading from /dev/urandom.

 * Ensure that SM2 only uses SM3 as digest algorithm.

   *Paul Yang*

### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]

 * Change the info callback signals for the start and end of a post-handshake
   message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
   and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
   confused by this and assume that a TLSv1.2 renegotiation has started. This
   can break KeyUpdate handling. Instead we no longer signal the start and end
   of a post-handshake message exchange (although the messages themselves are
   still signalled). This could break some applications that were expecting
   the old signals. However without this KeyUpdate is not usable for many
   applications.
   *Matt Caswell*

### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]

 * Timing vulnerability in DSA signature generation.

   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use timing variations in the
   signing algorithm to recover the private key.

   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
   ([CVE-2018-0734])

   *Paul Dale*

 * Timing vulnerability in ECDSA signature generation.

   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use timing variations in the
   signing algorithm to recover the private key.

   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
   ([CVE-2018-0735])

   *Paul Dale*

 * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
   if its length exceeds 4096 bytes. The limit has been raised to a buffer size
   of two gigabytes and the error handling improved.

   This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
   categorized as a normal bug, not a security issue, because the DRBG reseeds
   automatically and is fully functional even without additional randomness
   provided by the application.

### Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

 * Add a new ClientHello callback. Provides a callback interface that gives
   the application the ability to adjust the nascent SSL object at the
   earliest stage of ClientHello processing, immediately after extensions have
   been collected but before they have been processed. In particular, this
   callback can adjust the supported TLS versions in response to the contents
   of the ClientHello.

   *Benjamin Kaduk*

 * Add SM2 base algorithm support.
   *Jack Lloyd*

 * s390x assembly pack: add (improved) hardware support for the following
   cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
   aes-cfb/cfb8, aes-ecb.

   *Patrick Steuer*

 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
   parameter is no longer accepted, as it leads to a corrupt table. NULL
   pem_str is reserved for alias entries only.

   *Richard Levitte*

 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
   step for prime curves. The new implementation is based on formulae from
   differential addition-and-doubling in homogeneous projective coordinates
   from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
   against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
   and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
   to work in projective coordinates.

   *Billy Bob Brumley, Nicola Tuveri*

 * Change generating and checking of primes so that the error rate of not
   being prime depends on the intended use based on the size of the input.
   For larger primes this will result in more rounds of Miller-Rabin.
   The maximal error rate for primes with more than 1080 bits is lowered
   to 2^-128.

   *Kurt Roeckx, Annie Yousar*

 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.

   *Kurt Roeckx*

 * The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
   moving between systems, and to avoid confusion when a Windows build is
   done with mingw vs with MSVC. For POSIX installs, there's still a
   symlink or copy named 'tsget' to avoid that confusion as well.

   *Richard Levitte*

 * Revert blinding in ECDSA sign and instead make problematic addition
   length-invariant. Switch even to fixed-length Montgomery multiplication.
4045 4046 *Andy Polyakov* 4047 4048 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder 4049 step for binary curves. The new implementation is based on formulae from 4050 differential addition-and-doubling in mixed Lopez-Dahab projective 4051 coordinates, modified to independently blind the operands. 4052 4053 *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri* 4054 4055 * Add a scaffold to optionally enhance the Montgomery ladder implementation 4056 for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing 4057 EC_METHODs to implement their own specialized "ladder step", to take 4058 advantage of more favorable coordinate systems or more efficient 4059 differential addition-and-doubling algorithms. 4060 4061 *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri* 4062 4063 * Modified the random device based seed sources to keep the relevant 4064 file descriptors open rather than reopening them on each access. 4065 This allows such sources to operate in a chroot() jail without 4066 the associated device nodes being available. This behaviour can be 4067 controlled using RAND_keep_random_devices_open(). 4068 4069 *Paul Dale* 4070 4071 * Numerous side-channel attack mitigations have been applied. This may have 4072 performance impacts for some algorithms for the benefit of improved 4073 security. Specific changes are noted in this change log by their respective 4074 authors. 4075 4076 *Matt Caswell* 4077 4078 * AIX shared library support overhaul. Switch to AIX "natural" way of 4079 handling shared libraries, which means collecting shared objects of 4080 different versions and bitnesses in one common archive. This allows to 4081 mitigate conflict between 1.0 and 1.1 side-by-side installations. It 4082 doesn't affect the way 3rd party applications are linked, only how 4083 multi-version installation is managed. 
4084 4085 *Andy Polyakov* 4086 4087 * Make ec_group_do_inverse_ord() more robust and available to other 4088 EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA 4089 mitigations are applied to the fallback BN_mod_inverse(). 4090 When using this function rather than BN_mod_inverse() directly, new 4091 EC cryptosystem implementations are then safer-by-default. 4092 4093 *Billy Bob Brumley* 4094 4095 * Add coordinate blinding for EC_POINT and implement projective 4096 coordinate blinding for generic prime curves as a countermeasure to 4097 chosen point SCA attacks. 4098 4099 *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley* 4100 4101 * Add blinding to ECDSA and DSA signatures to protect against side channel 4102 attacks discovered by Keegan Ryan (NCC Group). 4103 4104 *Matt Caswell* 4105 4106 * Enforce checking in the `pkeyutl` command to ensure that the input 4107 length does not exceed the maximum supported digest length when performing 4108 a sign, verify or verifyrecover operation. 4109 4110 *Matt Caswell* 4111 4112 * SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking 4113 I/O in combination with something like select() or poll() will hang. This 4114 can be turned off again using SSL_CTX_clear_mode(). 4115 Many applications do not properly handle non-application data records, and 4116 TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works 4117 around the problems in those applications, but can also break some. 4118 It's recommended to read the manpages about SSL_read(), SSL_write(), 4119 SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and 4120 SSL_CTX_set_read_ahead() again. 4121 4122 *Kurt Roeckx* 4123 4124 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we 4125 now allow empty (zero character) pass phrases. 4126 4127 *Richard Levitte* 4128 4129 * Apply blinding to binary field modular inversion and remove patent 4130 pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation. 
4131 4132 *Billy Bob Brumley* 4133 4134 * Deprecate ec2_mult.c and unify scalar multiplication code paths for 4135 binary and prime elliptic curves. 4136 4137 *Billy Bob Brumley* 4138 4139 * Remove ECDSA nonce padding: EC_POINT_mul is now responsible for 4140 constant time fixed point multiplication. 4141 4142 *Billy Bob Brumley* 4143 4144 * Revise elliptic curve scalar multiplication with timing attack 4145 defenses: ec_wNAF_mul redirects to a constant time implementation 4146 when computing fixed point and variable point multiplication (which 4147 in OpenSSL are mostly used with secret scalars in keygen, sign, 4148 ECDH derive operations). 4149 *Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García, 4150 Sohaib ul Hassan* 4151 4152 * Updated CONTRIBUTING 4153 4154 *Rich Salz* 4155 4156 * Updated DRBG / RAND to request nonce and additional low entropy 4157 randomness from the system. 4158 4159 *Matthias St. Pierre* 4160 4161 * Updated 'openssl rehash' to use OpenSSL consistent default. 4162 4163 *Richard Levitte* 4164 4165 * Moved the load of the ssl_conf module to libcrypto, which helps 4166 loading engines that libssl uses before libssl is initialised. 4167 4168 *Matt Caswell* 4169 4170 * Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA 4171 4172 *Matt Caswell* 4173 4174 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases. 4175 4176 *Ingo Schwarze, Rich Salz* 4177 4178 * Added output of accepting IP address and port for 'openssl s_server' 4179 4180 *Richard Levitte* 4181 4182 * Added a new API for TLSv1.3 ciphersuites: 4183 SSL_CTX_set_ciphersuites() 4184 SSL_set_ciphersuites() 4185 4186 *Matt Caswell* 4187 4188 * Memory allocation failures consistently add an error to the error 4189 stack. 4190 4191 *Rich Salz* 4192 4193 * Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values 4194 in libcrypto when run as setuid/setgid. 4195 4196 *Bernd Edlinger* 4197 4198 * Load any config file by default when libssl is used. 
4199 4200 *Matt Caswell* 4201 4202 * Added new public header file <openssl/rand_drbg.h> and documentation 4203 for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview. 4204 4205 *Matthias St. Pierre* 4206 4207 * QNX support removed (cannot find contributors to get their approval 4208 for the license change). 4209 4210 *Rich Salz* 4211 4212 * TLSv1.3 replay protection for early data has been implemented. See the 4213 SSL_read_early_data() man page for further details. 4214 4215 *Matt Caswell* 4216 4217 * Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite 4218 configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and 4219 below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3. 4220 In order to avoid issues where legacy TLSv1.2 ciphersuite configuration 4221 would otherwise inadvertently disable all TLSv1.3 ciphersuites the 4222 configuration has been separated out. See the ciphers man page or the 4223 SSL_CTX_set_ciphersuites() man page for more information. 4224 4225 *Matt Caswell* 4226 4227 * On POSIX (BSD, Linux, ...) systems the ocsp(1) command running 4228 in responder mode now supports the new "-multi" option, which 4229 spawns the specified number of child processes to handle OCSP 4230 requests. The "-timeout" option now also limits the OCSP 4231 responder's patience to wait to receive the full client request 4232 on a newly accepted connection. Child processes are respawned 4233 as needed, and the CA index file is automatically reloaded 4234 when changed. This makes it possible to run the "ocsp" responder 4235 as a long-running service, making the OpenSSL CA somewhat more 4236 feature-complete. In this mode, most diagnostic messages logged 4237 after entering the event loop are logged via syslog(3) rather than 4238 written to stderr. 4239 4240 *Viktor Dukhovni* 4241 4242 * Added support for X448 and Ed448. Heavily based on original work by 4243 Mike Hamburg. 
4244 4245 *Matt Caswell* 4246 4247 * Extend OSSL_STORE with capabilities to search and to narrow the set of 4248 objects loaded. This adds the functions OSSL_STORE_expect() and 4249 OSSL_STORE_find() as well as needed tools to construct searches and 4250 get the search data out of them. 4251 4252 *Richard Levitte* 4253 4254 * Support for TLSv1.3 added. Note that users upgrading from an earlier 4255 version of OpenSSL should review their configuration settings to ensure 4256 that they are still appropriate for TLSv1.3. For further information see: 4257 <https://wiki.openssl.org/index.php/TLS1.3> 4258 4259 *Matt Caswell* 4260 4261 * Grand redesign of the OpenSSL random generator 4262 4263 The default RAND method now utilizes an AES-CTR DRBG according to 4264 NIST standard SP 800-90Ar1. The new random generator is essentially 4265 a port of the default random generator from the OpenSSL FIPS 2.0 4266 object module. It is a hybrid deterministic random bit generator 4267 using an AES-CTR bit stream and which seeds and reseeds itself 4268 automatically using trusted system entropy sources. 4269 4270 Some of its new features are: 4271 - Support for multiple DRBG instances with seed chaining. 4272 - The default RAND method makes use of a DRBG. 4273 - There is a public and private DRBG instance. 4274 - The DRBG instances are fork-safe. 4275 - Keep all global DRBG instances on the secure heap if it is enabled. 4276 - The public and private DRBG instance are per thread for lock free 4277 operation 4278 4279 *Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre* 4280 4281 * Changed Configure so it only says what it does and doesn't dump 4282 so much data. Instead, ./configdata.pm should be used as a script 4283 to display all sorts of configuration data. 4284 4285 *Richard Levitte* 4286 4287 * Added processing of "make variables" to Configure. 4288 4289 *Richard Levitte* 4290 4291 * Added SHA512/224 and SHA512/256 algorithm support. 
4292 4293 *Paul Dale* 4294 4295 * The last traces of Netware support, first removed in 1.1.0, have 4296 now been removed. 4297 4298 *Rich Salz* 4299 4300 * Get rid of Makefile.shared, and in the process, make the processing 4301 of certain files (rc.obj, or the .def/.map/.opt files produced from 4302 the ordinal files) more visible and hopefully easier to trace and 4303 debug (or make silent). 4304 4305 *Richard Levitte* 4306 4307 * Make it possible to have environment variable assignments as 4308 arguments to config / Configure. 4309 4310 *Richard Levitte* 4311 4312 * Add multi-prime RSA (RFC 8017) support. 4313 4314 *Paul Yang* 4315 4316 * Add SM3 implemented according to GB/T 32905-2016 4317 *Jack Lloyd <jack.lloyd@ribose.com>,* 4318 *Ronald Tse <ronald.tse@ribose.com>,* 4319 *Erick Borsboom <erick.borsboom@ribose.com>* 4320 4321 * Add 'Maximum Fragment Length' TLS extension negotiation and support 4322 as documented in RFC6066. 4323 Based on a patch from Tomasz Moń 4324 4325 *Filipe Raimundo da Silva* 4326 4327 * Add SM4 implemented according to GB/T 32907-2016. 4328 *Jack Lloyd <jack.lloyd@ribose.com>,* 4329 *Ronald Tse <ronald.tse@ribose.com>,* 4330 *Erick Borsboom <erick.borsboom@ribose.com>* 4331 4332 * Reimplement -newreq-nodes and ERR_error_string_n; the 4333 original author does not agree with the license change. 4334 4335 *Rich Salz* 4336 4337 * Add ARIA AEAD TLS support. 4338 4339 *Jon Spillett* 4340 4341 * Some macro definitions to support VS6 have been removed. Visual 4342 Studio 6 has not worked since 1.1.0 4343 4344 *Rich Salz* 4345 4346 * Add ERR_clear_last_mark(), to allow callers to clear the last mark 4347 without clearing the errors. 4348 4349 *Richard Levitte* 4350 4351 * Add "atfork" functions. If building on a system that without 4352 pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application 4353 requirements. The RAND facility now uses/requires this. 4354 4355 *Rich Salz* 4356 4357 * Add SHA3. 
4358 4359 *Andy Polyakov* 4360 4361 * The UI API becomes a permanent and integral part of libcrypto, i.e. 4362 not possible to disable entirely. However, it's still possible to 4363 disable the console reading UI method, UI_OpenSSL() (use UI_null() 4364 as a fallback). 4365 4366 To disable, configure with 'no-ui-console'. 'no-ui' is still 4367 possible to use as an alias. Check at compile time with the 4368 macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still 4369 possible to check and is an alias for OPENSSL_NO_UI_CONSOLE. 4370 4371 *Richard Levitte* 4372 4373 * Add a STORE module, which implements a uniform and URI based reader of 4374 stores that can contain keys, certificates, CRLs and numerous other 4375 objects. The main API is loosely based on a few stdio functions, 4376 and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof, 4377 OSSL_STORE_error and OSSL_STORE_close. 4378 The implementation uses backends called "loaders" to implement arbitrary 4379 URI schemes. There is one built in "loader" for the 'file' scheme. 4380 4381 *Richard Levitte* 4382 4383 * Add devcrypto engine. This has been implemented against cryptodev-linux, 4384 then adjusted to work on FreeBSD 8.4 as well. 4385 Enable by configuring with 'enable-devcryptoeng'. This is done by default 4386 on BSD implementations, as cryptodev.h is assumed to exist on all of them. 4387 4388 *Richard Levitte* 4389 4390 * Module names can prefixed with OSSL_ or OPENSSL_. This affects 4391 util/mkerr.pl, which is adapted to allow those prefixes, leading to 4392 error code calls like this: 4393 4394 OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER); 4395 4396 With this change, we claim the namespaces OSSL and OPENSSL in a manner 4397 that can be encoded in C. For the foreseeable future, this will only 4398 affect new modules. 4399 4400 *Richard Levitte and Tim Hudson* 4401 4402 * Removed BSD cryptodev engine. 
4403 4404 *Rich Salz* 4405 4406 * Add a build target 'build_all_generated', to build all generated files 4407 and only that. This can be used to prepare everything that requires 4408 things like perl for a system that lacks perl and then move everything 4409 to that system and do the rest of the build there. 4410 4411 *Richard Levitte* 4412 4413 * In the UI interface, make it possible to duplicate the user data. This 4414 can be used by engines that need to retain the data for a longer time 4415 than just the call where this user data is passed. 4416 4417 *Richard Levitte* 4418 4419 * Ignore the '-named_curve auto' value for compatibility of applications 4420 with OpenSSL 1.0.2. 4421 4422 *Tomáš Mráz <tmraz@fedoraproject.org>* 4423 4424 * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2 4425 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such 4426 alerts across multiple records (some of which could be empty). In practice 4427 it make no sense to send an empty alert record, or to fragment one. TLSv1.3 4428 prohibits this altogether and other libraries (BoringSSL, NSS) do not 4429 support this at all. Supporting it adds significant complexity to the 4430 record layer, and its removal is unlikely to cause interoperability 4431 issues. 4432 4433 *Matt Caswell* 4434 4435 * Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed 4436 with Z. These are meant to replace LONG and ZLONG and to be size safe. 4437 The use of LONG and ZLONG is discouraged and scheduled for deprecation 4438 in OpenSSL 1.2.0. 4439 4440 *Richard Levitte* 4441 4442 * Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string, 4443 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t. 4444 4445 *Richard Levitte, Andy Polyakov* 4446 4447 * Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine() 4448 does for RSA, etc. 
4449 4450 *Richard Levitte* 4451 4452 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target 4453 platform rather than 'mingw'. 4454 4455 *Richard Levitte* 4456 4457 * The functions X509_STORE_add_cert and X509_STORE_add_crl return 4458 success if they are asked to add an object which already exists 4459 in the store. This change cascades to other functions which load 4460 certificates and CRLs. 4461 4462 *Paul Dale* 4463 4464 * x86_64 assembly pack: annotate code with DWARF CFI directives to 4465 facilitate stack unwinding even from assembly subroutines. 4466 4467 *Andy Polyakov* 4468 4469 * Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN. 4470 Also remove OPENSSL_GLOBAL entirely, as it became a no-op. 4471 4472 *Richard Levitte* 4473 4474 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c. 4475 VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1, 4476 which is the minimum version we support. 4477 4478 *Richard Levitte* 4479 4480 * Certificate time validation (X509_cmp_time) enforces stricter 4481 compliance with RFC 5280. Fractional seconds and timezone offsets 4482 are no longer allowed. 4483 4484 *Emilia Käsper* 4485 4486 * Add support for ARIA 4487 4488 *Paul Dale* 4489 4490 * s_client will now send the Server Name Indication (SNI) extension by 4491 default unless the new "-noservername" option is used. The server name is 4492 based on the host provided to the "-connect" option unless overridden by 4493 using "-servername". 4494 4495 *Matt Caswell* 4496 4497 * Add support for SipHash 4498 4499 *Todd Short* 4500 4501 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0 4502 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to 4503 prevent issues where no progress is being made and the peer continually 4504 sends unrecognised record types, using up resources processing them. 
4505 4506 *Matt Caswell* 4507 4508 * 'openssl passwd' can now produce SHA256 and SHA512 based output, 4509 using the algorithm defined in 4510 <https://www.akkadia.org/drepper/SHA-crypt.txt> 4511 4512 *Richard Levitte* 4513 4514 * Heartbeat support has been removed; the ABI is changed for now. 4515 4516 *Richard Levitte, Rich Salz* 4517 4518 * Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd. 4519 4520 *Emilia Käsper* 4521 4522 * The RSA "null" method, which was partially supported to avoid patent 4523 issues, has been replaced to always returns NULL. 4524 4525 *Rich Salz* 4526 4527OpenSSL 1.1.0 4528------------- 4529 4530### Changes between 1.1.0k and 1.1.0l [10 Sep 2019] 4531 4532 * For built-in EC curves, ensure an EC_GROUP built from the curve name is 4533 used even when parsing explicit parameters, when loading a encoded key 4534 or calling `EC_GROUP_new_from_ecpkparameters()`/ 4535 `EC_GROUP_new_from_ecparameters()`. 4536 This prevents bypass of security hardening and performance gains, 4537 especially for curves with specialized EC_METHODs. 4538 By default, if a key encoded with explicit parameters is loaded and later 4539 encoded, the output is still encoded with explicit parameters, even if 4540 internally a "named" EC_GROUP is used for computation. 4541 4542 *Nicola Tuveri* 4543 4544 * Compute ECC cofactors if not provided during EC_GROUP construction. Before 4545 this change, EC_GROUP_set_generator would accept order and/or cofactor as 4546 NULL. After this change, only the cofactor parameter can be NULL. It also 4547 does some minimal sanity checks on the passed order. 4548 ([CVE-2019-1547]) 4549 4550 *Billy Bob Brumley* 4551 4552 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. 4553 An attack is simple, if the first CMS_recipientInfo is valid but the 4554 second CMS_recipientInfo is chosen ciphertext. 
If the second 4555 recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct 4556 encryption key will be replaced by garbage, and the message cannot be 4557 decoded, but if the RSA decryption fails, the correct encryption key is 4558 used and the recipient will not notice the attack. 4559 As a work around for this potential attack the length of the decrypted 4560 key must be equal to the cipher default key length, in case the 4561 certificate is not given and all recipientInfo are tried out. 4562 The old behaviour can be re-enabled in the CMS code by setting the 4563 CMS_DEBUG_DECRYPT flag. 4564 ([CVE-2019-1563]) 4565 4566 *Bernd Edlinger* 4567 4568 * Use Windows installation paths in the mingw builds 4569 4570 Mingw isn't a POSIX environment per se, which means that Windows 4571 paths should be used for installation. 4572 ([CVE-2019-1552]) 4573 4574 *Richard Levitte* 4575 4576### Changes between 1.1.0j and 1.1.0k [28 May 2019] 4577 4578 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. 4579 This changes the size when using the `genpkey` command when no size is given. 4580 It fixes an omission in earlier changes that changed all RSA, DSA and DH 4581 generation commands to use 2048 bits by default. 4582 4583 *Kurt Roeckx* 4584 4585 * Prevent over long nonces in ChaCha20-Poly1305. 4586 4587 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input 4588 for every encryption operation. RFC 7539 specifies that the nonce value 4589 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length 4590 and front pads the nonce with 0 bytes if it is less than 12 4591 bytes. However it also incorrectly allows a nonce to be set of up to 16 4592 bytes. In this case only the last 12 bytes are significant and any 4593 additional leading bytes are ignored. 4594 4595 It is a requirement of using this cipher that nonce values are 4596 unique. 
Messages encrypted using a reused nonce value are susceptible to 4597 serious confidentiality and integrity attacks. If an application changes 4598 the default nonce length to be longer than 12 bytes and then makes a 4599 change to the leading bytes of the nonce expecting the new value to be a 4600 new unique nonce then such an application could inadvertently encrypt 4601 messages with a reused nonce. 4602 4603 Additionally the ignored bytes in a long nonce are not covered by the 4604 integrity guarantee of this cipher. Any application that relies on the 4605 integrity of these ignored leading bytes of a long nonce may be further 4606 affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, 4607 is safe because no such use sets such a long nonce value. However user 4608 applications that use this cipher directly and set a non-default nonce 4609 length to be longer than 12 bytes may be vulnerable. 4610 4611 This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk 4612 Greef of Ronomon. 4613 ([CVE-2019-1543]) 4614 4615 *Matt Caswell* 4616 4617 * Added SCA hardening for modular field inversion in EC_GROUP through 4618 a new dedicated field_inv() pointer in EC_METHOD. 4619 This also addresses a leakage affecting conversions from projective 4620 to affine coordinates. 4621 4622 *Billy Bob Brumley, Nicola Tuveri* 4623 4624 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a 4625 reused X509_PUBKEY object if the second PUBKEY is malformed. 4626 4627 *Bernd Edlinger* 4628 4629 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). 4630 4631 *Richard Levitte* 4632 4633 * Remove the 'dist' target and add a tarball building script. The 4634 'dist' target has fallen out of use, and it shouldn't be 4635 necessary to configure just to create a source distribution. 
4636 4637 *Richard Levitte* 4638 4639### Changes between 1.1.0i and 1.1.0j [20 Nov 2018] 4640 4641 * Timing vulnerability in DSA signature generation 4642 4643 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a 4644 timing side channel attack. An attacker could use variations in the signing 4645 algorithm to recover the private key. 4646 4647 This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. 4648 ([CVE-2018-0734]) 4649 4650 *Paul Dale* 4651 4652 * Timing vulnerability in ECDSA signature generation 4653 4654 The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a 4655 timing side channel attack. An attacker could use variations in the signing 4656 algorithm to recover the private key. 4657 4658 This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. 4659 ([CVE-2018-0735]) 4660 4661 *Paul Dale* 4662 4663 * Add coordinate blinding for EC_POINT and implement projective 4664 coordinate blinding for generic prime curves as a countermeasure to 4665 chosen point SCA attacks. 4666 4667 *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley* 4668 4669### Changes between 1.1.0h and 1.1.0i [14 Aug 2018] 4670 4671 * Client DoS due to large DH parameter 4672 4673 During key agreement in a TLS handshake using a DH(E) based ciphersuite a 4674 malicious server can send a very large prime value to the client. This will 4675 cause the client to spend an unreasonably long period of time generating a 4676 key for this prime resulting in a hang until the client has finished. This 4677 could be exploited in a Denial Of Service attack. 4678 4679 This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken 4680 ([CVE-2018-0732]) 4681 4682 *Guido Vranken* 4683 4684 * Cache timing vulnerability in RSA Key Generation 4685 4686 The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to 4687 a cache timing side channel attack. 
An attacker with sufficient access to 4688 mount cache timing attacks during the RSA key generation process could 4689 recover the private key. 4690 4691 This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera 4692 Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. 4693 ([CVE-2018-0737]) 4694 4695 *Billy Brumley* 4696 4697 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str 4698 parameter is no longer accepted, as it leads to a corrupt table. NULL 4699 pem_str is reserved for alias entries only. 4700 4701 *Richard Levitte* 4702 4703 * Revert blinding in ECDSA sign and instead make problematic addition 4704 length-invariant. Switch even to fixed-length Montgomery multiplication. 4705 4706 *Andy Polyakov* 4707 4708 * Change generating and checking of primes so that the error rate of not 4709 being prime depends on the intended use based on the size of the input. 4710 For larger primes this will result in more rounds of Miller-Rabin. 4711 The maximal error rate for primes with more than 1080 bits is lowered 4712 to 2^-128. 4713 4714 *Kurt Roeckx, Annie Yousar* 4715 4716 * Increase the number of Miller-Rabin rounds for DSA key generating to 64. 4717 4718 *Kurt Roeckx* 4719 4720 * Add blinding to ECDSA and DSA signatures to protect against side channel 4721 attacks discovered by Keegan Ryan (NCC Group). 4722 4723 *Matt Caswell* 4724 4725 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we 4726 now allow empty (zero character) pass phrases. 4727 4728 *Richard Levitte* 4729 4730 * Certificate time validation (X509_cmp_time) enforces stricter 4731 compliance with RFC 5280. Fractional seconds and timezone offsets 4732 are no longer allowed. 4733 4734 *Emilia Käsper* 4735 4736 * Fixed a text canonicalisation bug in CMS 4737 4738 Where a CMS detached signature is used with text content the text goes 4739 through a canonicalisation process first prior to signing or verifying a 4740 signature. 
This process strips trailing space at the end of lines, converts 4741 line terminators to CRLF and removes additional trailing line terminators 4742 at the end of a file. A bug in the canonicalisation process meant that 4743 some characters, such as form-feed, were incorrectly treated as whitespace 4744 and removed. This is contrary to the specification (RFC5485). This fix 4745 could mean that detached text data signed with an earlier version of 4746 OpenSSL 1.1.0 may fail to verify using the fixed version, or text data 4747 signed with a fixed OpenSSL may fail to verify with an earlier version of 4748 OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data 4749 and use the "-binary" flag (for the "cms" command line application) or set 4750 the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). 4751 4752 *Matt Caswell* 4753 4754### Changes between 1.1.0g and 1.1.0h [27 Mar 2018] 4755 4756 * Constructed ASN.1 types with a recursive definition could exceed the stack 4757 4758 Constructed ASN.1 types with a recursive definition (such as can be found 4759 in PKCS7) could eventually exceed the stack given malicious input with 4760 excessive recursion. This could result in a Denial Of Service attack. There 4761 are no such structures used within SSL/TLS that come from untrusted sources 4762 so this is considered safe. 4763 4764 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz 4765 project. 4766 ([CVE-2018-0739]) 4767 4768 *Matt Caswell* 4769 4770 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC 4771 4772 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is 4773 effectively reduced to only comparing the least significant bit of each 4774 byte. This allows an attacker to forge messages that would be considered as 4775 authenticated in an amount of tries lower than that guaranteed by the 4776 security claims of the scheme. 
   The module can only be compiled by the HP-UX assembler, so that only HP-UX
   PA-RISC targets are affected.

   This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
   (IBM).
   ([CVE-2018-0733])

   *Andy Polyakov*

 * Add a build target 'build_all_generated', to build all generated files
   and only that. This can be used to prepare everything that requires
   things like perl for a system that lacks perl and then move everything
   to that system and do the rest of the build there.

   *Richard Levitte*

 * Backport SSL_OP_NO_RENEGOTIATION

   OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
   (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
   changes this is no longer possible in 1.1.0. Therefore, the new
   SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
   1.1.0 to provide equivalent functionality.

   Note that if an application built against 1.1.0h headers (or above) is run
   using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
   accepted but nothing will happen, i.e. renegotiation will not be prevented.

   *Matt Caswell*

 * Removed the OS390-Unix config target. It relied on a script that doesn't
   exist.

   *Rich Salz*

 * rsaz_1024_mul_avx2 overflow bug on x86_64

   There is an overflow bug in the AVX2 Montgomery multiplication procedure
   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
   Analysis suggests that attacks against RSA and DSA as a result of this
   defect would be very difficult to perform and are not believed likely.
   Attacks against DH1024 are considered just feasible, because most of the
   work necessary to deduce information about a private key may be performed
   offline. The amount of resources required for such an attack would be
   significant. However, for an attack on TLS to be meaningful, the server
   would have to share the DH1024 private key among multiple clients, which is
   no longer an option since CVE-2016-0701.

   This only affects processors that support the AVX2 but not ADX extensions
   like Intel Haswell (4th generation).

   This issue was reported to OpenSSL by David Benjamin (Google). The issue
   was originally found via the OSS-Fuzz project.
   ([CVE-2017-3738])

   *Andy Polyakov*

### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]

 * bn_sqrx8x_internal carry bug on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients.

   This only affects processors that support the BMI1, BMI2 and ADX extensions
   like Intel Broadwell (5th generation) and later or AMD Ryzen.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3736])

   *Andy Polyakov*

 * Malformed X.509 IPAddressFamily could cause OOB read

   If an X.509 certificate has a malformed IPAddressFamily extension,
   OpenSSL could do a one-byte buffer overread. The most likely result
   would be an erroneous display of the certificate in text format.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3735])

   *Rich Salz*

### Changes between 1.1.0e and 1.1.0f [25 May 2017]

 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
   platform rather than 'mingw'.

   *Richard Levitte*

 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
   VMS C's RTL has had a fully up to date gmtime() and gmtime_r() since V7.1,
   which is the minimum version we support.

   *Richard Levitte*

### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]

 * Encrypt-Then-Mac renegotiation crash

   During a renegotiation handshake if the Encrypt-Then-Mac extension is
   negotiated where it was not in the original handshake (or vice-versa) then
   this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
   and servers are affected.

   This issue was reported to OpenSSL by Joe Orton (Red Hat).
   ([CVE-2017-3733])

   *Matt Caswell*

### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]

 * Truncated packet could crash via OOB read

   If one side of an SSL/TLS path is running on a 32-bit host and a specific
   cipher is being used, then a truncated packet can cause that host to
   perform an out-of-bounds read, usually resulting in a crash.

   This issue was reported to OpenSSL by Robert Święcki of Google.
   ([CVE-2017-3731])

   *Andy Polyakov*

 * Bad (EC)DHE parameters cause a client crash

   If a malicious server supplies bad parameters for a DHE or ECDHE key
   exchange then this can result in the client attempting to dereference a
   NULL pointer leading to a client crash. This could be exploited in a Denial
   of Service attack.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2017-3730])

   *Matt Caswell*

 * BN_mod_exp may produce incorrect results on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients. For example this can occur by
   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
   similar to CVE-2015-3193 but must be treated as a separate problem.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3732])

   *Andy Polyakov*

### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]

 * ChaCha20/Poly1305 heap-buffer-overflow

   TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
   a DoS attack by corrupting larger payloads. This can result in an OpenSSL
   crash. This issue is not considered to be exploitable beyond a DoS.

   This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
   ([CVE-2016-7054])

   *Richard Levitte*

 * CMS Null dereference

   Applications parsing invalid CMS structures can crash with a NULL pointer
   dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
   type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
   structure callback if an attempt is made to free certain invalid encodings.
   Only CHOICE structures using a callback which do not handle NULL values are
   affected.

   This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
   ([CVE-2016-7053])

   *Stephen Henson*

 * Montgomery multiplication may produce incorrect results

   There is a carry propagating bug in the Broadwell-specific Montgomery
   multiplication procedure that handles input lengths divisible by, but
   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
   and DH private keys are impossible. This is because the subroutine in
   question is not used in operations with the private key itself and an input
   of the attacker's direct choice. Otherwise the bug can manifest itself as
   transient authentication and key negotiation failures or reproducible
   erroneous outcome of public-key operations with specially crafted input.
   Among EC algorithms only Brainpool P-512 curves are affected and one
   presumably can attack ECDH key negotiation. Impact was not analyzed in
   detail, because pre-requisites for attack are considered unlikely. Namely
   multiple clients have to choose the curve in question and the server has to
   share the private key among them, neither of which is default behaviour.
   Even then only clients that chose the curve will be affected.

   This issue was publicly reported as transient failures and was not
   initially recognized as a security issue. Thanks to Richard Morgan for
   providing a reproducible case.
   ([CVE-2016-7055])

   *Andy Polyakov*

 * Removed automatic addition of RPATH in shared libraries and executables,
   as this was a remnant from OpenSSL 1.0.x and isn't needed any more.

   *Richard Levitte*

### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]

 * Fix Use After Free for large message sizes

   The patch applied to address CVE-2016-6307 resulted in an issue where if a
   message larger than approx 16k is received then the underlying buffer to
   store the incoming message is reallocated and moved. Unfortunately a
   dangling pointer to the old location is left which results in an attempt to
   write to the previously freed location. This is likely to result in a
   crash, however it could potentially lead to execution of arbitrary code.

   This issue only affects OpenSSL 1.1.0a.

   This issue was reported to OpenSSL by Robert Święcki.
   ([CVE-2016-6309])

   *Matt Caswell*

### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP. Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * SSL_peek() hang on empty record

   OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
   sends an empty record. This could be exploited by a malicious peer in a
   Denial Of Service attack.

   This issue was reported to OpenSSL by Alex Gaynor.
   ([CVE-2016-6305])

   *Matt Caswell*

 * Excessive allocation of memory in tls_get_message_header() and
   dtls1_preprocess_fragment()

   A (D)TLS message includes 3 bytes for its length in the header for the
   message. This would allow for messages up to 16Mb in length. Messages of
   this length are excessive and OpenSSL includes a check to ensure that a
   peer is sending reasonably sized messages in order to avoid too much memory
   being consumed to service a connection. A flaw in the logic of version
   1.1.0 means that memory for the message is allocated too early, prior to
   the excessive message length check. Due to the way memory is allocated in
   OpenSSL this could mean an attacker could force up to 21Mb to be allocated
   to service a connection. This could lead to a Denial of Service through
   memory exhaustion. However, the excessive message length check still takes
   place, and this would cause the connection to immediately fail. Assuming
   that the application calls SSL_free() on the failed connection in a timely
   manner then the 21Mb of allocated memory will then be immediately freed
   again. Therefore, the excessive memory allocation will be transitory in
   nature. This then means that there is only a security impact if:

   1) The application does not call SSL_free() in a timely manner in the event
      that the connection fails
   or
   2) The application is working in a constrained environment where there is
      very little free memory
   or
   3) The attacker initiates multiple connection attempts such that there are
      multiple connections in a state where memory has been allocated for the
      connection; SSL_free() has not yet been called; and there is insufficient
      memory to service the multiple requests.
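   The allocate-before-check ordering described in this item, reduced to a
   handshake-header parser with a size cap, as an added example that is not
   OpenSSL's own code. The cap `MAX_HANDSHAKE_MSG_LEN` and the two sample
   headers are constructed assumptions; the page does not state OpenSSL's
   actual limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on one handshake message. OpenSSL's own limit is not
 * given on this page, so this value is an assumption for the example. */
#define MAX_HANDSHAKE_MSG_LEN (64u * 1024u)

/* Constructed sample headers (handshake type 1 = ClientHello). */
static const uint8_t HDR_OVERSIZED[4] = { 0x01, 0xFF, 0xFF, 0xFF }; /* claims 2^24-1 bytes */
static const uint8_t HDR_SMALL[4]     = { 0x01, 0x00, 0x01, 0x00 }; /* claims 256 bytes */

/* Decode the 24-bit big-endian length from a 4-byte handshake header:
 * byte 0 is the message type, bytes 1..3 carry the length. */
uint32_t hs_header_length(const uint8_t *hdr)
{
    return ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
}

/* Handle one header and report how many bytes were requested from the
 * allocator while doing so; *buf receives the buffer, or NULL on rejection.
 * check_first == 0 reproduces the flawed order (allocate, then check);
 * check_first != 0 is the corrected order (check, then allocate). */
size_t hs_reserve(const uint8_t *hdr, int check_first, uint8_t **buf)
{
    uint32_t len = hs_header_length(hdr);

    *buf = NULL;
    if (check_first && len > MAX_HANDSHAKE_MSG_LEN)
        return 0;                      /* rejected before touching the heap */

    *buf = malloc(len ? len : 1);      /* sized by the peer-controlled length */

    if (!check_first && len > MAX_HANDSHAKE_MSG_LEN) {
        free(*buf);                    /* released, but only after reserving it */
        *buf = NULL;
    }
    return len;                        /* bytes the peer made us ask for */
}

/* Convenience wrapper: reserve, release, and report the request size. */
size_t hs_bytes_requested(const uint8_t *hdr, int check_first)
{
    uint8_t *buf;
    size_t requested = hs_reserve(hdr, check_first, &buf);
    free(buf);
    return requested;
}

int main(void)
{
    printf("oversized header, allocate-then-check: %zu bytes requested\n",
           hs_bytes_requested(HDR_OVERSIZED, 0));
    printf("oversized header, check-then-allocate: %zu bytes requested\n",
           hs_bytes_requested(HDR_OVERSIZED, 1));
    printf("small header, check-then-allocate:     %zu bytes requested\n",
           hs_bytes_requested(HDR_SMALL, 1));
    return 0;
}
```

   In both orders the oversized header is rejected; the difference is whether
   the rejection costs a peer-sized allocation first.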
   Except in the instance of (1) above any Denial Of Service is likely to be
   transitory because as soon as the connection fails the memory is
   subsequently freed again in the SSL_free() call. However there is an
   increased risk during this period of application crashes due to the lack of
   memory - which would then mean a more serious Denial of Service.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   (CVE-2016-6307 and CVE-2016-6308)

   *Matt Caswell*

 * solaris-x86-cc, i.e. the 32-bit configuration with the vendor compiler,
   had to be removed. The primary reason is that the vendor assembler can't
   assemble our modules with the -KPIC flag. As a result, assembly
   support was not even available as an option. But its lack means a
   lack of side-channel resistant code, which is incompatible with
   security by today's standards. Fortunately gcc is a readily available
   prepackaged option, which we firmly point at.

   *Andy Polyakov*

### Changes between 1.0.2h and 1.1.0 [25 Aug 2016]

 * The Windows command-line tool supports a UTF-8 opt-in option for arguments
   and console input. Setting the OPENSSL_WIN32_UTF8 environment variable
   (to any value) allows a Windows user to access a PKCS#12 file generated
   with Windows CryptoAPI and protected with a non-ASCII password, as well
   as files generated under a UTF-8 locale on Linux also protected with a
   non-ASCII password.

   *Andy Polyakov*

 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
   have been disabled by default and removed from DEFAULT, just like RC4.
   See the RC4 item below to re-enable both.

   *Rich Salz*

 * The method for finding the storage location for the Windows RAND seed file
   has changed. First we check %RANDFILE%. If that is not set then we check
   the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
   all else fails we fall back to C:\.

   *Matt Caswell*

 * The EVP_EncryptUpdate() function has had its return type changed from void
   to int. A return of 0 indicates an error while a return of 1 indicates
   success.

   *Matt Caswell*

 * The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
   DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
   off the constant time implementation for RSA, DSA and DH have been made
   no-ops and deprecated.

   *Matt Caswell*

 * The Windows RAND implementation was simplified to only get entropy by
   calling CryptGenRandom(). Various other RAND-related tickets
   were also closed.

   *Joseph Wylie Yandle, Rich Salz*

 * The stack and lhash APIs were renamed to start with `OPENSSL_SK_`
   and `OPENSSL_LH_`, respectively. The old names are available
   with API compatibility. The new names are now completely documented.

   *Rich Salz*

 * Unify the TYPE_up_ref(obj) method signatures.
   SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
   X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods now return an
   int (instead of void) like all other TYPE_up_ref() methods.
   So now these methods also check the return value of CRYPTO_atomic_add(),
   and the validity of the object reference counter.

   *fdasilvayy@gmail.com*

 * With Windows Visual Studio builds, the .pdb files are installed
   alongside the installed libraries and executables. For a static
   library installation, ossl_static.pdb is the associated compiler
   generated .pdb file to be used when linking programs.

   *Richard Levitte*

 * Remove openssl.spec. Packaging files belong with the packagers.

   *Richard Levitte*

 * Automatic Darwin/OSX configuration has had a refresh; it will now
   recognise x86_64 architectures automatically. You can still decide
   to build for a different bitness with the environment variable
   KERNEL_BITS (can be 32 or 64), for example:

       KERNEL_BITS=32 ./config

   *Richard Levitte*

 * Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
   256 bit AES and HMAC with SHA256.

   *Steve Henson*

 * Remove support for MIPS o32 ABI on IRIX (and IRIX only).

   *Andy Polyakov*

 * Triple-DES ciphers have been moved from HIGH to MEDIUM.

   *Rich Salz*

 * To enable users to have their own config files and build file templates,
   Configure looks in the directory indicated by the environment variable
   OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
   directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
   name and is used as is.

   *Richard Levitte*

 * The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
   X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
   X509_CERT_FILE_CTX was removed.

   *Rich Salz*

 * "shared" builds are now the default. To create only static libraries use
   the "no-shared" Configure option.

   *Matt Caswell*

 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
   All of these options have not worked for some while and are fundamental
   algorithms.

   *Matt Caswell*

 * Make various cleanup routines no-ops and mark them as deprecated. Most
   global cleanup functions are no longer required because they are handled
   via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
   Explicitly de-initing can cause problems (e.g. where a library that uses
   OpenSSL de-inits, but an application is still using it). The affected
   functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
   EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
   RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
   COMP_zlib_cleanup().

   *Matt Caswell*

 * --strict-warnings no longer enables runtime debugging options
   such as REF_DEBUG. Instead, debug options are automatically
   enabled with '--debug' builds.

   *Andy Polyakov, Emilia Käsper*

 * Made DH and DH_METHOD opaque. The structures for managing DH objects
   have been moved out of the public header files. New functions for managing
   these have been added.

   *Matt Caswell*

 * Made RSA and RSA_METHOD opaque. The structures for managing RSA
   objects have been moved out of the public header files. New
   functions for managing these have been added.

   *Richard Levitte*

 * Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
   have been moved out of the public header files. New functions for managing
   these have been added.

   *Matt Caswell*

 * Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
   moved out of the public header files. New functions for managing these
   have been added.

   *Matt Caswell*

 * Removed no-rijndael as a config option. Rijndael is an old name for AES.

   *Matt Caswell*

 * Removed the mk1mf build scripts.

   *Richard Levitte*

 * Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
   it is always safe to #include a header now.

   *Rich Salz*

 * Removed the aged BC-32 config and all its supporting scripts.

   *Richard Levitte*

 * Removed support for Ultrix, Netware, and OS/2.

   *Rich Salz*

 * Add support for HKDF.

   *Alessandro Ghedini*

 * Add support for blake2b and blake2s.

   *Bill Cox*

 * Added support for "pipelining". Ciphers that have the
   EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
   encryptions/decryptions simultaneously. There are currently no built-in
   ciphers with this property but the expectation is that engines will be able
   to offer it to significantly improve throughput. Support has been extended
   into libssl so that multiple records for a single connection can be
   processed in one go (for >=TLS 1.1).

   *Matt Caswell*

 * Added the AFALG engine. This is an async capable engine which is able to
   offload work to the Linux kernel. In this initial version it only supports
   AES128-CBC. The kernel must be version 4.1.0 or greater.

   *Catriona Lucey*

 * OpenSSL now uses a new threading API. It is no longer necessary to
   set locking callbacks to use OpenSSL in a multi-threaded environment. There
   are two supported threading models: pthreads and windows threads. It is
   also possible to configure OpenSSL at compile time for "no-threads". The
   old threading API should no longer be used. The functions have been
   replaced with "no-op" compatibility macros.

   *Alessandro Ghedini, Matt Caswell*

 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.

   *Todd Short*

 * Add SSL_CIPHER queries for authentication and key-exchange.

   *Todd Short*

 * Changes to the DEFAULT cipherlist:
   - Prefer (EC)DHE handshakes over plain RSA.
   - Prefer AEAD ciphers over legacy ciphers.
   - Prefer ECDSA over RSA when both certificates are available.
   - Prefer TLSv1.2 ciphers/PRF.
   - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
     default cipherlist.

   *Emilia Käsper*

 * Change the ECC default curve list to be this, in order: x25519,
   secp256r1, secp521r1, secp384r1.

   *Rich Salz*

 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
   disabled by default. They can be re-enabled using the
   enable-weak-ssl-ciphers option to Configure.

   *Matt Caswell*

 * If the server has ALPN configured, but supports no protocols that the
   client advertises, send a fatal "no_application_protocol" alert.
   This behaviour is SHALL in RFC 7301, though it isn't universally
   implemented by other servers.

   *Emilia Käsper*

 * Add X25519 support.
   Add ASN.1 and EVP_PKEY methods for X25519. This includes support
   for public and private key encoding using the format documented in
   draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
   key generation and key derivation.

   TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
   X25519(29).

   *Steve Henson*

 * Deprecate SRP_VBASE_get_by_user.
   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
   In order to fix an unavoidable memory leak ([CVE-2016-0798]),
   SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
   seed, even if the seed is configured.

   Users should use SRP_VBASE_get1_by_user instead. Note that in
   SRP_VBASE_get1_by_user, the caller must free the returned value. Note
   also that even though configuring the SRP seed attempts to hide
   invalid usernames by continuing the handshake with fake
   credentials, this behaviour is not constant time and no strong
   guarantees are made that the handshake is indistinguishable from
   that of a valid user.

   *Emilia Käsper*

 * Configuration change; it's now possible to build dynamic engines
   without having to build shared libraries and vice versa. This
   only applies to the engines in `engines/`, those in `crypto/engine/`
   will always be built into libcrypto (i.e. "static").

   Building dynamic engines is enabled by default; to disable, use
   the configuration option "disable-dynamic-engine".

   The only requirements for building dynamic engines are the
   presence of the DSO module and building with position independent
   code, so they will also automatically be disabled if configuring
   with "disable-dso" or "disable-pic".

   The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
   are also taken away from openssl/opensslconf.h, as they are
   irrelevant.

   *Richard Levitte*

 * Configuration change; if there is a known flag to compile
   position independent code, it will always be applied on the
   libcrypto and libssl object files, and never on the application
   object files. This means other libraries that use routines from
   libcrypto / libssl can be made into shared libraries regardless
   of how OpenSSL was configured.

   If this isn't desirable, the configuration options "disable-pic"
   or "no-pic" can be used to disable the use of PIC. This will
   also disable building shared libraries and dynamic engines.

   *Richard Levitte*

 * Removed JPAKE code. It was experimental and has no wide use.

   *Rich Salz*

 * The INSTALL_PREFIX Makefile variable has been renamed to
   DESTDIR. That makes for less confusion on what this variable
   is for. Also, the configuration option --install_prefix is
   removed.

   *Richard Levitte*

 * Heartbeat for TLS has been removed and is disabled by default
   for DTLS; configure with enable-heartbeats. Code that uses the
   old #define's might need to be updated.

   *Emilia Käsper, Rich Salz*

 * Rename REF_CHECK to REF_DEBUG.

   *Rich Salz*

 * New "unified" build system

   The "unified" build system is aimed to be a common system for all
   platforms we support. With it comes new support for VMS.

   This system supports building in a different directory tree
   than the source tree. It produces one Makefile (for unix family
   or lookalikes), or one descrip.mms (for VMS).

   The source of information to make the Makefile / descrip.mms is
   small files called 'build.info', holding the necessary
   information for each directory with source to compile, and a
   template in Configurations, like unix-Makefile.tmpl or
   descrip.mms.tmpl.

   With this change, the library names were also renamed on Windows
   and on VMS. They now have names that are closer to the standard
   on Unix, and include the major version number, and in certain
   cases, the architecture they are built for. See "Notes on shared
   libraries" in INSTALL.

   We rely heavily on the perl module Text::Template.

   *Richard Levitte*

 * Added support for auto-initialisation and de-initialisation of the library.
   OpenSSL no longer requires explicit init or deinit routines to be called,
   except in certain circumstances. See the OPENSSL_init_crypto() and
   OPENSSL_init_ssl() man pages for further information.

   *Matt Caswell*

 * The arguments to the DTLSv1_listen function have changed. Specifically the
   "peer" argument is now expected to be a BIO_ADDR object.

 * Rewrite of BIO networking library. The BIO library lacked consistent
   support of IPv6, and adding it required some more extensive
   modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
   which hold all types of addresses and chains of address information.
   It also introduces a new API, with functions like BIO_socket,
   BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
   The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
   have been adapted accordingly.

   *Richard Levitte*

 * RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
   the leading 0-byte.

   *Emilia Käsper*

 * CRIME protection: disable compression by default, even if OpenSSL is
   compiled with zlib enabled. Applications can still enable compression
   by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
   using the SSL_CONF library to configure compression.

   *Emilia Käsper*

 * The signature of the session callback configured with
   SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
   was explicitly marked as `const unsigned char*` instead of
   `unsigned char*`.

   *Emilia Käsper*

 * Always DPURIFY. Remove the use of uninitialized memory in the
   RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.

   *Emilia Käsper*

 * Removed many obsolete configuration items, including

       DES_PTR, DES_RISC1, DES_RISC2, DES_INT
       MD2_CHAR, MD2_INT, MD2_LONG
       BF_PTR, BF_PTR2
       IDEA_SHORT, IDEA_LONG
       RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX

   *Rich Salz, with advice from Andy Polyakov*

 * Many BN internals have been moved to an internal header file.

   *Rich Salz with help from Andy Polyakov*

 * Configuration and writing out the results from it has changed.
   Files such as Makefile and include/openssl/opensslconf.h are now
   produced through general templates, such as Makefile.in and
   crypto/opensslconf.h.in and some help from the perl module
   Text::Template.

   Also, the center of configuration information is no longer
   Makefile. Instead, Configure produces a perl module in
   configdata.pm which holds most of the config data (in the hash
   table %config), the target data that comes from the target
   configuration in one of the `Configurations/*.conf` files (in
   %target).

   *Richard Levitte*

 * To clarify their intended purposes, the Configure options
   --prefix and --openssldir change their semantics, and become more
   straightforward and less interdependent.

   --prefix shall be used exclusively to give the location INSTALLTOP
   where programs, scripts, libraries, include files and manuals are
   going to be installed. The default is now /usr/local.

   --openssldir shall be used exclusively to give the default
   location OPENSSLDIR where certificates, private keys, CRLs are
   managed. This is also where the default openssl.cnf gets
   installed.
   If the directory given with this option is a relative path, the
   values of both the --prefix value and the --openssldir value will
   be combined to become OPENSSLDIR.
   The default for --openssldir is INSTALLTOP/ssl.

   Anyone who uses --openssldir to specify where OpenSSL is to be
   installed MUST change to use --prefix instead.

   *Richard Levitte*

 * The GOST engine was out of date and therefore it has been removed. An up
   to date GOST engine is now being maintained in an external repository.
   See: <https://wiki.openssl.org/index.php/Binaries>. Libssl still retains
   support for GOST ciphersuites (these are only activated if a GOST engine
   is present).

   *Matt Caswell*

 * EGD is no longer supported by default; use enable-egd when
   configuring.

   *Ben Kaduk and Rich Salz*

 * The distribution now has Makefile.in files, which are used to
   create Makefile's when Configure is run. *Configure must be run
   before trying to build now.*

   *Rich Salz*

 * The return value for SSL_CIPHER_description() for error conditions
   has changed.

   *Rich Salz*

 * Support for RFC6698/RFC7671 DANE TLSA peer authentication.

   Obtaining and performing DNSSEC validation of TLSA records is
   the application's responsibility. The application provides
   the TLSA records of its choice to OpenSSL, and these are then
   used to authenticate the peer.

   The TLSA records need not even come from DNS. They can, for
   example, be used to implement local end-entity certificate or
   trust-anchor "pinning", where the "pin" data takes the form
   of TLSA records, which can augment or replace verification
   based on the usual WebPKI public certification authorities.

   *Viktor Dukhovni*

 * Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
   continues to support deprecated interfaces in default builds.
   However, applications are strongly advised to compile their
   source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
   the declarations of all interfaces deprecated in 0.9.8, 1.0.0
   or the 1.1.0 releases.

   In environments in which all applications have been ported to
   not use any deprecated interfaces OpenSSL's Configure script
   should be used with the --api=1.1.0 option to entirely remove
   support for the deprecated features from the library and
   unconditionally disable them in the installed headers.
   Essentially the same effect can be achieved with the "no-deprecated"
   argument to Configure, except that this will always restrict
   the build to just the latest API, rather than a fixed API
   version.

   As applications are ported to future revisions of the API,
   they should update their compile-time OPENSSL_API_COMPAT define
   accordingly, but in most cases should be able to continue to
   compile with later releases.

   The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
   0x10000000L and 0x00908000L, respectively. However those
   versions did not support the OPENSSL_API_COMPAT feature, and
   so applications are not typically tested for explicit support
   of just the undeprecated features of either release.

   *Viktor Dukhovni*

 * Add support for setting the minimum and maximum supported protocol.
   It can be set via the SSL_set_min_proto_version() and
   SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
   MaxProtocol. It's recommended to use the new APIs to disable
   protocols instead of disabling individual protocols using
   SSL_set_options() or SSL_CONF's Protocol. This change also
   removes support for disabling TLS 1.2 in the OpenSSL TLS
   client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.

   *Kurt Roeckx*

 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl.

   *Andy Polyakov*

 * New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
   and integrates ECDSA and ECDH functionality into EC. Implementations can
   now redirect key generation and no longer need to convert to or from
   ECDSA_SIG format.

   Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
   include the ec.h header file instead.

   *Steve Henson*

 * Remove support for all 40 and 56 bit ciphers. This includes all the export
   ciphers, which are no longer supported, and drops support for the ephemeral
   RSA key exchange. The LOW cipher group currently doesn't have any ciphers
   in it.

   *Kurt Roeckx*

 * Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
   opaque. For HMAC_CTX, the following constructors and destructors
   were added:

       HMAC_CTX *HMAC_CTX_new(void);
       void HMAC_CTX_free(HMAC_CTX *ctx);

   For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
   destroy such methods have been added. See EVP_MD_meth_new(3) and
   EVP_CIPHER_meth_new(3) for documentation.

   Additional changes:
   1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
      `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
      `EVP_MD_CTX_reset()` should be called instead to reinitialise
      an already created structure.
   2) For consistency with the majority of our object creators and
      destructors, `EVP_MD_CTX_(create|destroy)` were renamed to
      `EVP_MD_CTX_(new|free)`. The old names are retained as macros
      for deprecated builds.

   *Richard Levitte*

 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
   cryptographic operations to be performed asynchronously as long as an
   asynchronous capable engine is used. See the ASYNC_start_job() man page for
   further details. Libssl has also had this capability integrated with the
   introduction of the new mode SSL_MODE_ASYNC and associated error
   SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
   pages. This work was developed in partnership with Intel Corp.

   *Matt Caswell*

 * SSL_{CTX_}set_ecdh_auto() has been removed and ECDH support is
   always enabled now. If you want to disable the support you should
   exclude it using the list of supported ciphers. This also means that the
   "-no_ecdhe" option has been removed from s_server.

   *Kurt Roeckx*

 * SSL_{CTX_}set_tmp_ecdh(), which can set 1 EC curve, now internally calls
   SSL_{CTX_}set1_curves(), which can set a list.

   *Kurt Roeckx*

 * Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the
   curve you want to support using SSL_{CTX_}set1_curves().

   *Kurt Roeckx*

 * State machine rewrite. The state machine code has been significantly
   refactored in order to remove much duplication of code and solve issues
   with the old code (see [ssl/statem/README.md](ssl/statem/README.md) for
   further details). This change does have some associated API changes.
   Notably the SSL_state() function has been removed and replaced by
   SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
   SSL_set_state() has been removed altogether. The previous handshake states
   defined in ssl.h and ssl3.h have also been removed.

   *Matt Caswell*

 * All instances of the string "ssleay" in the public API were replaced
   with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's).
   Some error codes related to internal RSA_eay APIs were renamed.

   *Rich Salz*

 * The demo files in crypto/threads were moved to demo/threads.

   *Rich Salz*

 * Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
   sureware and ubsec.

   *Matt Caswell, Rich Salz*

 * New ASN.1 embed macro.

   New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
   structure is not allocated: it is part of the parent. That is, instead of

       FOO *x;

   it must be:

       FOO x;

   This reduces memory fragmentation and makes it impossible to accidentally
   set a mandatory field to NULL.

   This currently only works for some fields, specifically a SEQUENCE, CHOICE,
   or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
   equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
   SEQUENCE OF.
5737 5738 *Steve Henson* 5739 5740 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled. 5741 5742 *Emilia Käsper* 5743 5744 * Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although 5745 in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also 5746 an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add 5747 DES and RC4 ciphersuites. 5748 5749 *Matt Caswell* 5750 5751 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. 5752 This changes the decoding behaviour for some invalid messages, 5753 though the change is mostly in the more lenient direction, and 5754 legacy behaviour is preserved as much as possible. 5755 5756 *Emilia Käsper* 5757 5758 * Fix no-stdio build. 5759 *David Woodhouse <David.Woodhouse@intel.com> and also* 5760 *Ivan Nestlerode <ivan.nestlerode@sonos.com>* 5761 5762 * New testing framework 5763 The testing framework has been largely rewritten and is now using 5764 perl and the perl modules Test::Harness and an extended variant of 5765 Test::More called OpenSSL::Test to do its work. All test scripts in 5766 test/ have been rewritten into test recipes, and all direct calls to 5767 executables in test/Makefile have become individual recipes using the 5768 simplified testing OpenSSL::Test::Simple. 5769 5770 For documentation on our testing modules, do: 5771 5772 perldoc test/testlib/OpenSSL/Test/Simple.pm 5773 perldoc test/testlib/OpenSSL/Test.pm 5774 5775 *Richard Levitte* 5776 5777 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT 5778 are used; the latter aborts on memory leaks (usually checked on exit). 5779 Some undocumented "set malloc, etc., hooks" functions were removed 5780 and others were changed. All are now documented. 
5781 5782 *Rich Salz* 5783 5784 * In DSA_generate_parameters_ex, if the provided seed is too short, 5785 return an error 5786 5787 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>* 5788 5789 * Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites 5790 from RFC4279, RFC4785, RFC5487, RFC5489. 5791 5792 Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the 5793 original RSA_PSK patch. 5794 5795 *Steve Henson* 5796 5797 * Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay 5798 era flag was never set throughout the codebase (only read). Also removed 5799 SSL3_FLAGS_POP_BUFFER which was only used if 5800 SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set. 5801 5802 *Matt Caswell* 5803 5804 * Changed the default name options in the "ca", "crl", "req" and "x509" 5805 to be "oneline" instead of "compat". 5806 5807 *Richard Levitte* 5808 5809 * Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're 5810 not aware of clients that still exhibit this bug, and the workaround 5811 hasn't been working properly for a while. 5812 5813 *Emilia Käsper* 5814 5815 * The return type of BIO_number_read() and BIO_number_written() as well as 5816 the corresponding num_read and num_write members in the BIO structure has 5817 changed from unsigned long to uint64_t. On platforms where an unsigned 5818 long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is 5819 transferred. 5820 5821 *Matt Caswell* 5822 5823 * Given the pervasive nature of TLS extensions it is inadvisable to run 5824 OpenSSL without support for them. It also means that maintaining 5825 the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably 5826 not well tested). Therefore, the OPENSSL_NO_TLSEXT option has been removed. 5827 5828 *Matt Caswell* 5829 5830 * Removed support for the two export grade static DH ciphersuites 5831 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. 
These two ciphersuites 5832 were newly added (along with a number of other static DH ciphersuites) to 5833 1.0.2. However the two export ones have *never* worked since they were 5834 introduced. It seems strange in any case to be adding new export 5835 ciphersuites, and given "logjam" it also does not seem correct to fix them. 5836 5837 *Matt Caswell* 5838 5839 * Version negotiation has been rewritten. In particular SSLv23_method(), 5840 SSLv23_client_method() and SSLv23_server_method() have been deprecated, 5841 and turned into macros which simply call the new preferred function names 5842 TLS_method(), TLS_client_method() and TLS_server_method(). All new code 5843 should use the new names instead. Also as part of this change the ssl23.h 5844 header file has been removed. 5845 5846 *Matt Caswell* 5847 5848 * Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This 5849 code and the associated standard is no longer considered fit-for-purpose. 5850 5851 *Matt Caswell* 5852 5853 * RT2547 was closed. When generating a private key, try to make the 5854 output file readable only by the owner. This behavior change might 5855 be noticeable when interacting with other software. 5856 5857 * Documented all exdata functions. Added CRYPTO_free_ex_index. 5858 Added a test. 5859 5860 *Rich Salz* 5861 5862 * Added HTTP GET support to the ocsp command. 5863 5864 *Rich Salz* 5865 5866 * Changed default digest for the dgst and enc commands from MD5 to 5867 sha256 5868 5869 *Rich Salz* 5870 5871 * RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead. 5872 5873 *Matt Caswell* 5874 5875 * Added support for TLS extended master secret from 5876 draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an 5877 initial patch which was a great help during development. 
5878 5879 *Steve Henson* 5880 5881 * All libssl internal structures have been removed from the public header 5882 files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is 5883 now redundant). Users should not attempt to access internal structures 5884 directly. Instead they should use the provided API functions. 5885 5886 *Matt Caswell* 5887 5888 * config has been changed so that by default OPENSSL_NO_DEPRECATED is used. 5889 Access to deprecated functions can be re-enabled by running config with 5890 "enable-deprecated". In addition applications wishing to use deprecated 5891 functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour 5892 will, by default, disable some transitive includes that previously existed 5893 in the header files (e.g. ec.h will no longer, by default, include bn.h) 5894 5895 *Matt Caswell* 5896 5897 * Added support for OCB mode. OpenSSL has been granted a patent license 5898 compatible with the OpenSSL license for use of OCB. Details are available 5899 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support 5900 for OCB can be removed by calling config with no-ocb. 5901 5902 *Matt Caswell* 5903 5904 * SSLv2 support has been removed. It still supports receiving an SSLv2 5905 compatible client hello. 5906 5907 *Kurt Roeckx* 5908 5909 * Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz], 5910 done while fixing the error code for the key-too-small case. 5911 5912 *Annie Yousar <a.yousar@informatik.hu-berlin.de>* 5913 5914 * CA.sh has been removed; use CA.pl instead. 5915 5916 *Rich Salz* 5917 5918 * Removed old DES API. 
5919 5920 *Rich Salz* 5921 5922 * Remove various unsupported platforms: 5923 Sony NEWS4 5924 BEOS and BEOS_R5 5925 NeXT 5926 SUNOS 5927 MPE/iX 5928 Sinix/ReliantUNIX RM400 5929 DGUX 5930 NCR 5931 Tandem 5932 Cray 5933 16-bit platforms such as WIN16 5934 5935 *Rich Salz* 5936 5937 * Clean up OPENSSL_NO_xxx #define's 5938 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF 5939 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx 5940 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC 5941 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 5942 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO 5943 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY 5944 OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP 5945 OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK 5946 OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY 5947 - Remove MS_STATIC; it's a relic from platforms <32 bits. 5948 5949 *Rich Salz* 5950 5951 * Cleaned up dead code 5952 Remove all but one '#ifdef undef' which is to be looked at. 5953 5954 *Rich Salz* 5955 5956 * Clean up calling of xxx_free routines. 5957 Just like free(), fix most of the xxx_free routines to accept 5958 NULL. Remove the non-null checks from callers. Save much code. 5959 5960 *Rich Salz* 5961 5962 * Add secure heap for storage of private keys (when possible). 5963 Add BIO_s_secmem(), CBIGNUM, etc. 5964 Contributed by Akamai Technologies under our Corporate CLA. 5965 5966 *Rich Salz* 5967 5968 * Experimental support for a new, fast, unbiased prime candidate generator, 5969 bn_probable_prime_dh_coprime(). Not currently used by any prime generator. 5970 5971 *Felix Laurie von Massenbach <felix@erbridge.co.uk>* 5972 5973 * New output format NSS in the sess_id command line tool. This allows 5974 exporting the session id and the master key in NSS keylog format. 5975 5976 *Martin Kaiser <martin@kaiser.cx>* 5977 5978 * Harmonize version and its documentation. 
-f flag is used to display 5979 compilation flags. 5980 5981 *mancha <mancha1@zoho.com>* 5982 5983 * Fix eckey_priv_encode so it immediately returns an error upon a failure 5984 in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. 5985 5986 *mancha <mancha1@zoho.com>* 5987 5988 * Fix some double frees. These are not thought to be exploitable. 5989 5990 *mancha <mancha1@zoho.com>* 5991 5992 * A missing bounds check in the handling of the TLS heartbeat extension 5993 can be used to reveal up to 64k of memory to a connected client or 5994 server. 5995 5996 Thanks for Neel Mehta of Google Security for discovering this bug and to 5997 Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for 5998 preparing the fix ([CVE-2014-0160]) 5999 6000 *Adam Langley, Bodo Moeller* 6001 6002 * Fix for the attack described in the paper "Recovering OpenSSL 6003 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" 6004 by Yuval Yarom and Naomi Benger. Details can be obtained from: 6005 <http://eprint.iacr.org/2014/140> 6006 6007 Thanks to Yuval Yarom and Naomi Benger for discovering this 6008 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076]) 6009 6010 *Yuval Yarom and Naomi Benger* 6011 6012 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): 6013 this fixes a limitation in previous versions of OpenSSL. 6014 6015 *Steve Henson* 6016 6017 * Experimental encrypt-then-mac support. 6018 6019 Experimental support for encrypt then mac from 6020 draft-gutmann-tls-encrypt-then-mac-02.txt 6021 6022 To enable it set the appropriate extension number (0x42 for the test 6023 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42 6024 6025 For non-compliant peers (i.e. just about everything) this should have no 6026 effect. 6027 6028 WARNING: EXPERIMENTAL, SUBJECT TO CHANGE. 
6029 6030 *Steve Henson* 6031 6032 * Add EVP support for key wrapping algorithms, to avoid problems with 6033 existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in 6034 the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap 6035 algorithms and include tests cases. 6036 6037 *Steve Henson* 6038 6039 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for 6040 enveloped data. 6041 6042 *Steve Henson* 6043 6044 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, 6045 MGF1 digest and OAEP label. 6046 6047 *Steve Henson* 6048 6049 * Make openssl verify return errors. 6050 6051 *Chris Palmer <palmer@google.com> and Ben Laurie* 6052 6053 * New function ASN1_TIME_diff to calculate the difference between two 6054 ASN1_TIME structures or one structure and the current time. 6055 6056 *Steve Henson* 6057 6058 * Update fips_test_suite to support multiple command line options. New 6059 test to induce all self test errors in sequence and check expected 6060 failures. 6061 6062 *Steve Henson* 6063 6064 * Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and 6065 sign or verify all in one operation. 6066 6067 *Steve Henson* 6068 6069 * Add fips_algvs: a multicall fips utility incorporating all the algorithm 6070 test programs and fips_test_suite. Includes functionality to parse 6071 the minimal script output of fipsalgest.pl directly. 6072 6073 *Steve Henson* 6074 6075 * Add authorisation parameter to FIPS_module_mode_set(). 6076 6077 *Steve Henson* 6078 6079 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves. 6080 6081 *Steve Henson* 6082 6083 * Use separate DRBG fields for internal and external flags. New function 6084 FIPS_drbg_health_check() to perform on demand health checking. Add 6085 generation tests to fips_test_suite with reduced health check interval to 6086 demonstrate periodic health checking. Add "nodh" option to 6087 fips_test_suite to skip very slow DH test. 
6088 6089 *Steve Henson* 6090 6091 * New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers 6092 based on NID. 6093 6094 *Steve Henson* 6095 6096 * More extensive health check for DRBG checking many more failure modes. 6097 New function FIPS_selftest_drbg_all() to handle every possible DRBG 6098 combination: call this in fips_test_suite. 6099 6100 *Steve Henson* 6101 6102 * Add support for canonical generation of DSA parameter 'g'. See 6103 FIPS 186-3 A.2.3. 6104 6105 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and 6106 POST to handle HMAC cases. 6107 6108 *Steve Henson* 6109 6110 * Add functions FIPS_module_version() and FIPS_module_version_text() 6111 to return numerical and string versions of the FIPS module number. 6112 6113 *Steve Henson* 6114 6115 * Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and 6116 FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented 6117 outside the validated module in the FIPS capable OpenSSL. 6118 6119 *Steve Henson* 6120 6121 * Minor change to DRBG entropy callback semantics. In some cases 6122 there is no multiple of the block length between min_len and 6123 max_len. Allow the callback to return more than max_len bytes 6124 of entropy but discard any extra: it is the callback's responsibility 6125 to ensure that the extra data discarded does not impact the 6126 requested amount of entropy. 6127 6128 *Steve Henson* 6129 6130 * Add PRNG security strength checks to RSA, DSA and ECDSA using 6131 information in FIPS186-3, SP800-57 and SP800-131A. 6132 6133 *Steve Henson* 6134 6135 * CCM support via EVP. Interface is very similar to GCM case except we 6136 must supply all data in one chunk (i.e. no update, final) and the 6137 message length must be supplied if AAD is used. Add algorithm test 6138 support. 6139 6140 *Steve Henson* 6141 6142 * Initial version of POST overhaul. Add POST callback to allow the status 6143 of POST to be monitored and/or failures induced. 
Modify fips_test_suite 6144 to use callback. Always run all selftests even if one fails. 6145 6146 *Steve Henson* 6147 6148 * XTS support including algorithm test driver in the fips_gcmtest program. 6149 Note: this does increase the maximum key length from 32 to 64 bytes but 6150 there should be no binary compatibility issues as existing applications 6151 will never use XTS mode. 6152 6153 *Steve Henson* 6154 6155 * Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies 6156 to OpenSSL RAND code and replace with a tiny FIPS RAND API which also 6157 performs algorithm blocking for unapproved PRNG types. Also do not 6158 set PRNG type in FIPS_mode_set(): leave this to the application. 6159 Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with 6160 the standard OpenSSL PRNG: set additional data to a date time vector. 6161 6162 *Steve Henson* 6163 6164 * Rename old X9.31 PRNG functions of the form `FIPS_rand*` to `FIPS_x931*`. 6165 This shouldn't present any incompatibility problems because applications 6166 shouldn't be using these directly and any that are will need to rethink 6167 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2 6168 6169 *Steve Henson* 6170 6171 * Extensive self tests and health checking required by SP800-90 DRBG. 6172 Remove strength parameter from FIPS_drbg_instantiate and always 6173 instantiate at maximum supported strength. 6174 6175 *Steve Henson* 6176 6177 * Add ECDH code to fips module and fips_ecdhvs for primitives only testing. 6178 6179 *Steve Henson* 6180 6181 * New algorithm test program fips_dhvs to handle DH primitives only testing. 6182 6183 *Steve Henson* 6184 6185 * New function DH_compute_key_padded() to compute a DH key and pad with 6186 leading zeroes if needed: this complies with SP800-56A et al. 6187 6188 *Steve Henson* 6189 6190 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by 6191 anything, incomplete, subject to change and largely untested at present. 
6192 6193 *Steve Henson* 6194 6195 * Modify fipscanisteronly build option to only build the necessary object 6196 files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile. 6197 6198 *Steve Henson* 6199 6200 * Add experimental option FIPSSYMS to give all symbols in 6201 fipscanister.o and FIPS or fips prefix. This will avoid 6202 conflicts with future versions of OpenSSL. Add perl script 6203 util/fipsas.pl to preprocess assembly language source files 6204 and rename any affected symbols. 6205 6206 *Steve Henson* 6207 6208 * Add selftest checks and algorithm block of non-fips algorithms in 6209 FIPS mode. Remove DES2 from selftests. 6210 6211 *Steve Henson* 6212 6213 * Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just 6214 return internal method without any ENGINE dependencies. Add new 6215 tiny fips sign and verify functions. 6216 6217 *Steve Henson* 6218 6219 * New build option no-ec2m to disable characteristic 2 code. 6220 6221 *Steve Henson* 6222 6223 * New build option "fipscanisteronly". This only builds fipscanister.o 6224 and (currently) associated fips utilities. Uses the file Makefile.fips 6225 instead of Makefile.org as the prototype. 6226 6227 *Steve Henson* 6228 6229 * Add some FIPS mode restrictions to GCM. Add internal IV generator. 6230 Update fips_gcmtest to use IV generator. 6231 6232 *Steve Henson* 6233 6234 * Initial, experimental EVP support for AES-GCM. AAD can be input by 6235 setting output buffer to NULL. The `*Final` function must be 6236 called although it will not retrieve any additional data. The tag 6237 can be set or retrieved with a ctrl. The IV length is by default 12 6238 bytes (96 bits) but can be set to an alternative value. If the IV 6239 length exceeds the maximum IV length (currently 16 bytes) it cannot be 6240 set before the key. 6241 6242 *Steve Henson* 6243 6244 * New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. 
This means the 6245 underlying do_cipher function handles all cipher semantics itself 6246 including padding and finalisation. This is useful if (for example) 6247 an ENGINE cipher handles block padding itself. The behaviour of 6248 do_cipher is subtly changed if this flag is set: the return value 6249 is the number of characters written to the output buffer (zero is 6250 no longer an error code) or a negative error code. Also if the 6251 input buffer is NULL and length 0 finalisation should be performed. 6252 6253 *Steve Henson* 6254 6255 * If a candidate issuer certificate is already part of the constructed 6256 path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case. 6257 6258 *Steve Henson* 6259 6260 * Improve forward-security support: add functions 6261 6262 void SSL_CTX_set_not_resumable_session_callback( 6263 SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure)) 6264 void SSL_set_not_resumable_session_callback( 6265 SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure)) 6266 6267 for use by SSL/TLS servers; the callback function will be called whenever a 6268 new session is created, and gets to decide whether the session may be 6269 cached to make it resumable (return 0) or not (return 1). (As by the 6270 SSL/TLS protocol specifications, the session_id sent by the server will be 6271 empty to indicate that the session is not resumable; also, the server will 6272 not generate RFC 4507 (RFC 5077) session tickets.) 6273 6274 A simple reasonable callback implementation is to return is_forward_secure. 6275 This parameter will be set to 1 or 0 depending on the ciphersuite selected 6276 by the SSL/TLS server library, indicating whether it can provide forward 6277 security. 6278 6279 *Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)* 6280 6281 * New -verify_name option in command line utilities to set verification 6282 parameters by name. 6283 6284 *Steve Henson* 6285 6286 * Initial CMAC implementation. 
WARNING: EXPERIMENTAL, API MAY CHANGE. 6287 Add CMAC pkey methods. 6288 6289 *Steve Henson* 6290 6291 * Experimental renegotiation in s_server -www mode. If the client 6292 browses /reneg connection is renegotiated. If /renegcert it is 6293 renegotiated requesting a certificate. 6294 6295 *Steve Henson* 6296 6297 * Add an "external" session cache for debugging purposes to s_server. This 6298 should help trace issues which normally are only apparent in deployed 6299 multi-process servers. 6300 6301 *Steve Henson* 6302 6303 * Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where 6304 return value is ignored. NB. The functions RAND_add(), RAND_seed(), 6305 BIO_set_cipher() and some obscure PEM functions were changed so they 6306 can now return an error. The RAND changes required a change to the 6307 RAND_METHOD structure. 6308 6309 *Steve Henson* 6310 6311 * New macro `__owur` for "OpenSSL Warn Unused Result". This makes use of 6312 a gcc attribute to warn if the result of a function is ignored. This 6313 is enable if DEBUG_UNUSED is set. Add to several functions in evp.h 6314 whose return value is often ignored. 6315 6316 *Steve Henson* 6317 6318 * New -noct, -requestct, -requirect and -ctlogfile options for s_client. 6319 These allow SCTs (signed certificate timestamps) to be requested and 6320 validated when establishing a connection. 6321 6322 *Rob Percival <robpercival@google.com>* 6323 6324OpenSSL 1.0.2 6325------------- 6326 6327### Changes between 1.0.2s and 1.0.2t [10 Sep 2019] 6328 6329 * For built-in EC curves, ensure an EC_GROUP built from the curve name is 6330 used even when parsing explicit parameters, when loading a encoded key 6331 or calling `EC_GROUP_new_from_ecpkparameters()`/ 6332 `EC_GROUP_new_from_ecparameters()`. 6333 This prevents bypass of security hardening and performance gains, 6334 especially for curves with specialized EC_METHODs. 
6335 By default, if a key encoded with explicit parameters is loaded and later 6336 encoded, the output is still encoded with explicit parameters, even if 6337 internally a "named" EC_GROUP is used for computation. 6338 6339 *Nicola Tuveri* 6340 6341 * Compute ECC cofactors if not provided during EC_GROUP construction. Before 6342 this change, EC_GROUP_set_generator would accept order and/or cofactor as 6343 NULL. After this change, only the cofactor parameter can be NULL. It also 6344 does some minimal sanity checks on the passed order. 6345 ([CVE-2019-1547]) 6346 6347 *Billy Bob Brumley* 6348 6349 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. 6350 An attack is simple, if the first CMS_recipientInfo is valid but the 6351 second CMS_recipientInfo is chosen ciphertext. If the second 6352 recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct 6353 encryption key will be replaced by garbage, and the message cannot be 6354 decoded, but if the RSA decryption fails, the correct encryption key is 6355 used and the recipient will not notice the attack. 6356 As a work around for this potential attack the length of the decrypted 6357 key must be equal to the cipher default key length, in case the 6358 certificate is not given and all recipientInfo are tried out. 6359 The old behaviour can be re-enabled in the CMS code by setting the 6360 CMS_DEBUG_DECRYPT flag. 6361 ([CVE-2019-1563]) 6362 6363 *Bernd Edlinger* 6364 6365 * Document issue with installation paths in diverse Windows builds 6366 6367 '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL 6368 binaries and run-time config file. 6369 ([CVE-2019-1552]) 6370 6371 *Richard Levitte* 6372 6373### Changes between 1.0.2r and 1.0.2s [28 May 2019] 6374 6375 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. 6376 This changes the size when using the `genpkey` command when no size is given. 
6377 It fixes an omission in earlier changes that changed all RSA, DSA and DH 6378 generation commands to use 2048 bits by default. 6379 6380 *Kurt Roeckx* 6381 6382 * Add FIPS support for Android Arm 64-bit 6383 6384 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object 6385 Module in Version 2.0.10. For some reason, the corresponding target 6386 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be 6387 built with FIPS support on Android Arm 64-bit. This omission has been 6388 fixed. 6389 6390 *Matthias St. Pierre* 6391 6392### Changes between 1.0.2q and 1.0.2r [26 Feb 2019] 6393 6394 * 0-byte record padding oracle 6395 6396 If an application encounters a fatal protocol error and then calls 6397 SSL_shutdown() twice (once to send a close_notify, and once to receive one) 6398 then OpenSSL can respond differently to the calling application if a 0 byte 6399 record is received with invalid padding compared to if a 0 byte record is 6400 received with an invalid MAC. If the application then behaves differently 6401 based on that in a way that is detectable to the remote peer, then this 6402 amounts to a padding oracle that could be used to decrypt data. 6403 6404 In order for this to be exploitable "non-stitched" ciphersuites must be in 6405 use. Stitched ciphersuites are optimised implementations of certain 6406 commonly used ciphersuites. Also the application must call SSL_shutdown() 6407 twice even if a protocol error has occurred (applications should not do 6408 this but some do anyway). 6409 6410 This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod 6411 Aviram, with additional investigation by Steven Collison and Andrew 6412 Hourselt. It was reported to OpenSSL on 10th December 2018. 6413 ([CVE-2019-1559]) 6414 6415 *Matt Caswell* 6416 6417 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). 
6418 6419 *Richard Levitte* 6420 6421### Changes between 1.0.2p and 1.0.2q [20 Nov 2018] 6422 6423 * Microarchitecture timing vulnerability in ECC scalar multiplication 6424 6425 OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been 6426 shown to be vulnerable to a microarchitecture timing side channel attack. 6427 An attacker with sufficient access to mount local timing attacks during 6428 ECDSA signature generation could recover the private key. 6429 6430 This issue was reported to OpenSSL on 26th October 2018 by Alejandro 6431 Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and 6432 Nicola Tuveri. 6433 ([CVE-2018-5407]) 6434 6435 *Billy Brumley* 6436 6437 * Timing vulnerability in DSA signature generation 6438 6439 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a 6440 timing side channel attack. An attacker could use variations in the signing 6441 algorithm to recover the private key. 6442 6443 This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. 6444 ([CVE-2018-0734]) 6445 6446 *Paul Dale* 6447 6448 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object 6449 Module, accidentally introduced while backporting security fixes from the 6450 development branch and hindering the use of ECC in FIPS mode. 6451 6452 *Nicola Tuveri* 6453 6454### Changes between 1.0.2o and 1.0.2p [14 Aug 2018] 6455 6456 * Client DoS due to large DH parameter 6457 6458 During key agreement in a TLS handshake using a DH(E) based ciphersuite a 6459 malicious server can send a very large prime value to the client. This will 6460 cause the client to spend an unreasonably long period of time generating a 6461 key for this prime resulting in a hang until the client has finished. This 6462 could be exploited in a Denial Of Service attack. 
6463 6464 This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken 6465 ([CVE-2018-0732]) 6466 6467 *Guido Vranken* 6468 6469 * Cache timing vulnerability in RSA Key Generation 6470 6471 The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to 6472 a cache timing side channel attack. An attacker with sufficient access to 6473 mount cache timing attacks during the RSA key generation process could 6474 recover the private key. 6475 6476 This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera 6477 Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. 6478 ([CVE-2018-0737]) 6479 6480 *Billy Brumley* 6481 6482 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str 6483 parameter is no longer accepted, as it leads to a corrupt table. NULL 6484 pem_str is reserved for alias entries only. 6485 6486 *Richard Levitte* 6487 6488 * Revert blinding in ECDSA sign and instead make problematic addition 6489 length-invariant. Switch even to fixed-length Montgomery multiplication. 6490 6491 *Andy Polyakov* 6492 6493 * Change generating and checking of primes so that the error rate of not 6494 being prime depends on the intended use based on the size of the input. 6495 For larger primes this will result in more rounds of Miller-Rabin. 6496 The maximal error rate for primes with more than 1080 bits is lowered 6497 to 2^-128. 6498 6499 *Kurt Roeckx, Annie Yousar* 6500 6501 * Increase the number of Miller-Rabin rounds for DSA key generating to 64. 6502 6503 *Kurt Roeckx* 6504 6505 * Add blinding to ECDSA and DSA signatures to protect against side channel 6506 attacks discovered by Keegan Ryan (NCC Group). 6507 6508 *Matt Caswell* 6509 6510 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we 6511 now allow empty (zero character) pass phrases. 6512 6513 *Richard Levitte* 6514 6515 * Certificate time validation (X509_cmp_time) enforces stricter 6516 compliance with RFC 5280. 
Fractional seconds and timezone offsets 6517 are no longer allowed. 6518 6519 *Emilia Käsper* 6520 6521### Changes between 1.0.2n and 1.0.2o [27 Mar 2018] 6522 6523 * Constructed ASN.1 types with a recursive definition could exceed the stack 6524 6525 Constructed ASN.1 types with a recursive definition (such as can be found 6526 in PKCS7) could eventually exceed the stack given malicious input with 6527 excessive recursion. This could result in a Denial Of Service attack. There 6528 are no such structures used within SSL/TLS that come from untrusted sources 6529 so this is considered safe. 6530 6531 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz 6532 project. 6533 ([CVE-2018-0739]) 6534 6535 *Matt Caswell* 6536 6537### Changes between 1.0.2m and 1.0.2n [7 Dec 2017] 6538 6539 * Read/write after SSL object in error state 6540 6541 OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" 6542 mechanism. The intent was that if a fatal error occurred during a handshake 6543 then OpenSSL would move into the error state and would immediately fail if 6544 you attempted to continue the handshake. This works as designed for the 6545 explicit handshake functions (SSL_do_handshake(), SSL_accept() and 6546 SSL_connect()), however due to a bug it does not work correctly if 6547 SSL_read() or SSL_write() is called directly. In that scenario, if the 6548 handshake fails then a fatal error will be returned in the initial function 6549 call. If SSL_read()/SSL_write() is subsequently called by the application 6550 for the same SSL object then it will succeed and the data is passed without 6551 being decrypted/encrypted directly from the SSL/TLS record layer. 6552 6553 In order to exploit this issue an application bug would have to be present 6554 that resulted in a call to SSL_read()/SSL_write() being issued after having 6555 already received a fatal error. 6556 6557 This issue was reported to OpenSSL by David Benjamin (Google). 
6558 ([CVE-2017-3737]) 6559 6560 *Matt Caswell* 6561 6562 * rsaz_1024_mul_avx2 overflow bug on x86_64 6563 6564 There is an overflow bug in the AVX2 Montgomery multiplication procedure 6565 used in exponentiation with 1024-bit moduli. No EC algorithms are affected. 6566 Analysis suggests that attacks against RSA and DSA as a result of this 6567 defect would be very difficult to perform and are not believed likely. 6568 Attacks against DH1024 are considered just feasible, because most of the 6569 work necessary to deduce information about a private key may be performed 6570 offline. The amount of resources required for such an attack would be 6571 significant. However, for an attack on TLS to be meaningful, the server 6572 would have to share the DH1024 private key among multiple clients, which is 6573 no longer an option since CVE-2016-0701. 6574 6575 This only affects processors that support the AVX2 but not ADX extensions 6576 like Intel Haswell (4th generation). 6577 6578 This issue was reported to OpenSSL by David Benjamin (Google). The issue 6579 was originally found via the OSS-Fuzz project. 6580 ([CVE-2017-3738]) 6581 6582 *Andy Polyakov* 6583 6584### Changes between 1.0.2l and 1.0.2m [2 Nov 2017] 6585 6586 * bn_sqrx8x_internal carry bug on x86_64 6587 6588 There is a carry propagating bug in the x86_64 Montgomery squaring 6589 procedure. No EC algorithms are affected. Analysis suggests that attacks 6590 against RSA and DSA as a result of this defect would be very difficult to 6591 perform and are not believed likely. Attacks against DH are considered just 6592 feasible (although very difficult) because most of the work necessary to 6593 deduce information about a private key may be performed offline. The amount 6594 of resources required for such an attack would be very significant and 6595 likely only accessible to a limited number of attackers. 
An attacker would 6596 additionally need online access to an unpatched system using the target 6597 private key in a scenario with persistent DH parameters and a private 6598 key that is shared between multiple clients. 6599 6600 This only affects processors that support the BMI1, BMI2 and ADX extensions 6601 like Intel Broadwell (5th generation) and later or AMD Ryzen. 6602 6603 This issue was reported to OpenSSL by the OSS-Fuzz project. 6604 ([CVE-2017-3736]) 6605 6606 *Andy Polyakov* 6607 6608 * Malformed X.509 IPAddressFamily could cause OOB read 6609 6610 If an X.509 certificate has a malformed IPAddressFamily extension, 6611 OpenSSL could do a one-byte buffer overread. The most likely result 6612 would be an erroneous display of the certificate in text format. 6613 6614 This issue was reported to OpenSSL by the OSS-Fuzz project. 6615 6616 *Rich Salz* 6617 6618### Changes between 1.0.2k and 1.0.2l [25 May 2017] 6619 6620 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target 6621 platform rather than 'mingw'. 6622 6623 *Richard Levitte* 6624 6625### Changes between 1.0.2j and 1.0.2k [26 Jan 2017] 6626 6627 * Truncated packet could crash via OOB read 6628 6629 If one side of an SSL/TLS path is running on a 32-bit host and a specific 6630 cipher is being used, then a truncated packet can cause that host to 6631 perform an out-of-bounds read, usually resulting in a crash. 6632 6633 This issue was reported to OpenSSL by Robert Święcki of Google. 6634 ([CVE-2017-3731]) 6635 6636 *Andy Polyakov* 6637 6638 * BN_mod_exp may produce incorrect results on x86_64 6639 6640 There is a carry propagating bug in the x86_64 Montgomery squaring 6641 procedure. No EC algorithms are affected. Analysis suggests that attacks 6642 against RSA and DSA as a result of this defect would be very difficult to 6643 perform and are not believed likely. 
Attacks against DH are considered just 6644 feasible (although very difficult) because most of the work necessary to 6645 deduce information about a private key may be performed offline. The amount 6646 of resources required for such an attack would be very significant and 6647 likely only accessible to a limited number of attackers. An attacker would 6648 additionally need online access to an unpatched system using the target 6649 private key in a scenario with persistent DH parameters and a private 6650 key that is shared between multiple clients. For example this can occur by 6651 default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very 6652 similar to CVE-2015-3193 but must be treated as a separate problem. 6653 6654 This issue was reported to OpenSSL by the OSS-Fuzz project. 6655 ([CVE-2017-3732]) 6656 6657 *Andy Polyakov* 6658 6659 * Montgomery multiplication may produce incorrect results 6660 6661 There is a carry propagating bug in the Broadwell-specific Montgomery 6662 multiplication procedure that handles input lengths divisible by, but 6663 longer than 256 bits. Analysis suggests that attacks against RSA, DSA 6664 and DH private keys are impossible. This is because the subroutine in 6665 question is not used in operations with the private key itself and an input 6666 of the attacker's direct choice. Otherwise the bug can manifest itself as 6667 transient authentication and key negotiation failures or reproducible 6668 erroneous outcome of public-key operations with specially crafted input. 6669 Among EC algorithms only Brainpool P-512 curves are affected and one 6670 presumably can attack ECDH key negotiation. Impact was not analyzed in 6671 detail, because pre-requisites for attack are considered unlikely. Namely 6672 multiple clients have to choose the curve in question and the server has to 6673 share the private key among them, neither of which is default behaviour. 6674 Even then only clients that chose the curve will be affected. 
6675 6676 This issue was publicly reported as transient failures and was not 6677 initially recognized as a security issue. Thanks to Richard Morgan for 6678 providing reproducible case. 6679 ([CVE-2016-7055]) 6680 6681 *Andy Polyakov* 6682 6683 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0 6684 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to 6685 prevent issues where no progress is being made and the peer continually 6686 sends unrecognised record types, using up resources processing them. 6687 6688 *Matt Caswell* 6689 6690### Changes between 1.0.2i and 1.0.2j [26 Sep 2016] 6691 6692 * Missing CRL sanity check 6693 6694 A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 6695 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use 6696 CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. 6697 6698 This issue only affects the OpenSSL 1.0.2i 6699 ([CVE-2016-7052]) 6700 6701 *Matt Caswell* 6702 6703### Changes between 1.0.2h and 1.0.2i [22 Sep 2016] 6704 6705 * OCSP Status Request extension unbounded memory growth 6706 6707 A malicious client can send an excessively large OCSP Status Request 6708 extension. If that client continually requests renegotiation, sending a 6709 large OCSP Status Request extension each time, then there will be unbounded 6710 memory growth on the server. This will eventually lead to a Denial Of 6711 Service attack through memory exhaustion. Servers with a default 6712 configuration are vulnerable even if they do not support OCSP. Builds using 6713 the "no-ocsp" build time option are not affected. 6714 6715 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 6716 ([CVE-2016-6304]) 6717 6718 *Matt Caswell* 6719 6720 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from 6721 HIGH to MEDIUM. 
6722 6723 This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan 6724 Leurent (INRIA) 6725 ([CVE-2016-2183]) 6726 6727 *Rich Salz* 6728 6729 * OOB write in MDC2_Update() 6730 6731 An overflow can occur in MDC2_Update() either if called directly or 6732 through the EVP_DigestUpdate() function using MDC2. If an attacker 6733 is able to supply very large amounts of input data after a previous 6734 call to EVP_EncryptUpdate() with a partial block then a length check 6735 can overflow resulting in a heap corruption. 6736 6737 The amount of data needed is comparable to SIZE_MAX which is impractical 6738 on most platforms. 6739 6740 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 6741 ([CVE-2016-6303]) 6742 6743 *Stephen Henson* 6744 6745 * Malformed SHA512 ticket DoS 6746 6747 If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a 6748 DoS attack where a malformed ticket will result in an OOB read which will 6749 ultimately crash. 6750 6751 The use of SHA512 in TLS session tickets is comparatively rare as it requires 6752 a custom server callback and ticket lookup mechanism. 6753 6754 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 6755 ([CVE-2016-6302]) 6756 6757 *Stephen Henson* 6758 6759 * OOB write in BN_bn2dec() 6760 6761 The function BN_bn2dec() does not check the return value of BN_div_word(). 6762 This can cause an OOB write if an application uses this function with an 6763 overly large BIGNUM. This could be a problem if an overly large certificate 6764 or CRL is printed out from an untrusted source. TLS is not affected because 6765 record limits will reject an oversized certificate before it is parsed. 6766 6767 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 
6768 ([CVE-2016-2182]) 6769 6770 *Stephen Henson* 6771 6772 * OOB read in TS_OBJ_print_bio() 6773 6774 The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is 6775 the total length the OID text representation would use and not the amount 6776 of data written. This will result in OOB reads when large OIDs are 6777 presented. 6778 6779 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 6780 ([CVE-2016-2180]) 6781 6782 *Stephen Henson* 6783 6784 * Pointer arithmetic undefined behaviour 6785 6786 Avoid some undefined pointer arithmetic 6787 6788 A common idiom in the codebase is to check limits in the following manner: 6789 "p + len > limit" 6790 6791 Where "p" points to some malloc'd data of SIZE bytes and 6792 limit == p + SIZE 6793 6794 "len" here could be from some externally supplied data (e.g. from a TLS 6795 message). 6796 6797 The rules of C pointer arithmetic are such that "p + len" is only well 6798 defined where len <= SIZE. Therefore the above idiom is actually 6799 undefined behaviour. 6800 6801 For example this could cause problems if some malloc implementation 6802 provides an address for "p" such that "p + len" actually overflows for 6803 values of len that are too big and therefore p + len < limit. 6804 6805 This issue was reported to OpenSSL by Guido Vranken 6806 ([CVE-2016-2177]) 6807 6808 *Matt Caswell* 6809 6810 * Constant time flag not preserved in DSA signing 6811 6812 Operations in the DSA signing algorithm should run in constant time in 6813 order to avoid side channel attacks. A flaw in the OpenSSL DSA 6814 implementation means that a non-constant time codepath is followed for 6815 certain operations. This has been demonstrated through a cache-timing 6816 attack to be sufficient for an attacker to recover the private DSA key. 
6817 6818 This issue was reported by César Pereida (Aalto University), Billy Brumley 6819 (Tampere University of Technology), and Yuval Yarom (The University of 6820 Adelaide and NICTA). 6821 ([CVE-2016-2178]) 6822 6823 *César Pereida* 6824 6825 * DTLS buffered message DoS 6826 6827 In a DTLS connection where handshake messages are delivered out-of-order 6828 those messages that OpenSSL is not yet ready to process will be buffered 6829 for later use. Under certain circumstances, a flaw in the logic means that 6830 those messages do not get removed from the buffer even though the handshake 6831 has been completed. An attacker could force up to approx. 15 messages to 6832 remain in the buffer when they are no longer required. These messages will 6833 be cleared when the DTLS connection is closed. The default maximum size for 6834 a message is 100k. Therefore, the attacker could force an additional 1500k 6835 to be consumed per connection. By opening many simultaneous connections an 6836 attacker could cause a DoS attack through memory exhaustion. 6837 6838 This issue was reported to OpenSSL by Quan Luo. 6839 ([CVE-2016-2179]) 6840 6841 *Matt Caswell* 6842 6843 * DTLS replay protection DoS 6844 6845 A flaw in the DTLS replay attack protection mechanism means that records 6846 that arrive for future epochs update the replay protection "window" before 6847 the MAC for the record has been validated. This could be exploited by an 6848 attacker by sending a record for the next epoch (which does not have to 6849 decrypt or have a valid MAC), with a very large sequence number. This means 6850 that all subsequent legitimate packets are dropped causing a denial of 6851 service for a specific DTLS connection. 6852 6853 This issue was reported to OpenSSL by the OCAP audit team. 
6854 ([CVE-2016-2181]) 6855 6856 *Matt Caswell* 6857 6858 * Certificate message OOB reads 6859 6860 In OpenSSL 1.0.2 and earlier some missing message length checks can result 6861 in OOB reads of up to 2 bytes beyond an allocated buffer. There is a 6862 theoretical DoS risk but this has not been observed in practice on common 6863 platforms. 6864 6865 The messages affected are client certificate, client certificate request 6866 and server certificate. As a result the attack can only be performed 6867 against a client or a server which enables client authentication. 6868 6869 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 6870 ([CVE-2016-6306]) 6871 6872 *Stephen Henson* 6873 6874### Changes between 1.0.2g and 1.0.2h [3 May 2016] 6875 6876 * Prevent padding oracle in AES-NI CBC MAC check 6877 6878 A MITM attacker can use a padding oracle attack to decrypt traffic 6879 when the connection uses an AES CBC cipher and the server support 6880 AES-NI. 6881 6882 This issue was introduced as part of the fix for Lucky 13 padding 6883 attack ([CVE-2013-0169]). The padding check was rewritten to be in 6884 constant time by making sure that always the same bytes are read and 6885 compared against either the MAC or padding bytes. But it no longer 6886 checked that there was enough data to have both the MAC and padding 6887 bytes. 6888 6889 This issue was reported by Juraj Somorovsky using TLS-Attacker. 6890 6891 *Kurt Roeckx* 6892 6893 * Fix EVP_EncodeUpdate overflow 6894 6895 An overflow can occur in the EVP_EncodeUpdate() function which is used for 6896 Base64 encoding of binary data. If an attacker is able to supply very large 6897 amounts of input data then a length check can overflow resulting in a heap 6898 corruption. 6899 6900 Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by 6901 the `PEM_write_bio*` family of functions. 
These are mainly used within the 6902 OpenSSL command line applications, so any application which processes data 6903 from an untrusted source and outputs it as a PEM file should be considered 6904 vulnerable to this issue. User applications that call these APIs directly 6905 with large amounts of untrusted data may also be vulnerable. 6906 6907 This issue was reported by Guido Vranken. 6908 ([CVE-2016-2105]) 6909 6910 *Matt Caswell* 6911 6912 * Fix EVP_EncryptUpdate overflow 6913 6914 An overflow can occur in the EVP_EncryptUpdate() function. If an attacker 6915 is able to supply very large amounts of input data after a previous call to 6916 EVP_EncryptUpdate() with a partial block then a length check can overflow 6917 resulting in a heap corruption. Following an analysis of all OpenSSL 6918 internal usage of the EVP_EncryptUpdate() function all usage is one of two 6919 forms. The first form is where the EVP_EncryptUpdate() call is known to be 6920 the first called function after an EVP_EncryptInit(), and therefore that 6921 specific call must be safe. The second form is where the length passed to 6922 EVP_EncryptUpdate() can be seen from the code to be some small value and 6923 therefore there is no possibility of an overflow. Since all instances are 6924 one of these two forms, it is believed that there can be no overflows in 6925 internal code due to this problem. It should be noted that 6926 EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. 6927 Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances 6928 of these calls have also been analysed too and it is believed there are no 6929 instances in internal usage where an overflow could occur. 6930 6931 This issue was reported by Guido Vranken. 
6932 ([CVE-2016-2106]) 6933 6934 *Matt Caswell* 6935 6936 * Prevent ASN.1 BIO excessive memory allocation 6937 6938 When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() 6939 a short invalid encoding can cause allocation of large amounts of memory 6940 potentially consuming excessive resources or exhausting memory. 6941 6942 Any application parsing untrusted data through d2i BIO functions is 6943 affected. The memory based functions such as d2i_X509() are *not* affected. 6944 Since the memory based functions are used by the TLS library, TLS 6945 applications are not affected. 6946 6947 This issue was reported by Brian Carpenter. 6948 ([CVE-2016-2109]) 6949 6950 *Stephen Henson* 6951 6952 * EBCDIC overread 6953 6954 ASN1 Strings that are over 1024 bytes can cause an overread in applications 6955 using the X509_NAME_oneline() function on EBCDIC systems. This could result 6956 in arbitrary stack data being returned in the buffer. 6957 6958 This issue was reported by Guido Vranken. 6959 ([CVE-2016-2176]) 6960 6961 *Matt Caswell* 6962 6963 * Modify behavior of ALPN to invoke callback after SNI/servername 6964 callback, such that updates to the SSL_CTX affect ALPN. 6965 6966 *Todd Short* 6967 6968 * Remove LOW from the DEFAULT cipher list. This removes singles DES from the 6969 default. 6970 6971 *Kurt Roeckx* 6972 6973 * Only remove the SSLv2 methods with the no-ssl2-method option. When the 6974 methods are enabled and ssl2 is disabled the methods return NULL. 6975 6976 *Kurt Roeckx* 6977 6978### Changes between 1.0.2f and 1.0.2g [1 Mar 2016] 6979 6980* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. 6981 Builds that are not configured with "enable-weak-ssl-ciphers" will not 6982 provide any "EXPORT" or "LOW" strength ciphers. 6983 6984 *Viktor Dukhovni* 6985 6986* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 6987 is by default disabled at build-time. 
Builds that are not configured with 6988 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, 6989 users who want to negotiate SSLv2 via the version-flexible SSLv23_method() 6990 will need to explicitly call either of: 6991 6992 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); 6993 or 6994 SSL_clear_options(ssl, SSL_OP_NO_SSLv2); 6995 6996 as appropriate. Even if either of those is used, or the application 6997 explicitly uses the version-specific SSLv2_method() or its client and 6998 server variants, SSLv2 ciphers vulnerable to exhaustive search key 6999 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT 7000 ciphers, and SSLv2 56-bit DES are no longer available. 7001 ([CVE-2016-0800]) 7002 7003 *Viktor Dukhovni* 7004 7005 * Fix a double-free in DSA code 7006 7007 A double free bug was discovered when OpenSSL parses malformed DSA private 7008 keys and could lead to a DoS attack or memory corruption for applications 7009 that receive DSA private keys from untrusted sources. This scenario is 7010 considered rare. 7011 7012 This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using 7013 libFuzzer. 7014 ([CVE-2016-0705]) 7015 7016 *Stephen Henson* 7017 7018 * Disable SRP fake user seed to address a server memory leak. 7019 7020 Add a new method SRP_VBASE_get1_by_user that handles the seed properly. 7021 7022 SRP_VBASE_get_by_user had inconsistent memory management behaviour. 7023 In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user 7024 was changed to ignore the "fake user" SRP seed, even if the seed 7025 is configured. 7026 7027 Users should use SRP_VBASE_get1_by_user instead. Note that in 7028 SRP_VBASE_get1_by_user, caller must free the returned value. 
Note 7029 also that even though configuring the SRP seed attempts to hide 7030 invalid usernames by continuing the handshake with fake 7031 credentials, this behaviour is not constant time and no strong 7032 guarantees are made that the handshake is indistinguishable from 7033 that of a valid user. 7034 ([CVE-2016-0798]) 7035 7036 *Emilia Käsper* 7037 7038 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption 7039 7040 In the BN_hex2bn function the number of hex digits is calculated using an 7041 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For 7042 large values of `i` this can result in `bn_expand` not allocating any 7043 memory because `i * 4` is negative. This can leave the internal BIGNUM data 7044 field as NULL leading to a subsequent NULL ptr deref. For very large values 7045 of `i`, the calculation `i * 4` could be a positive value smaller than `i`. 7046 In this case memory is allocated to the internal BIGNUM data field, but it 7047 is insufficiently sized leading to heap corruption. A similar issue exists 7048 in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn 7049 is ever called by user applications with very large untrusted hex/dec data. 7050 This is anticipated to be a rare occurrence. 7051 7052 All OpenSSL internal usage of these functions use data that is not expected 7053 to be untrusted, e.g. config file data or application command line 7054 arguments. If user developed applications generate config file data based 7055 on untrusted data then it is possible that this could also lead to security 7056 consequences. This is also anticipated to be rare. 7057 7058 This issue was reported to OpenSSL by Guido Vranken. 
7059 ([CVE-2016-0797]) 7060 7061 *Matt Caswell* 7062 7063 * Fix memory issues in `BIO_*printf` functions 7064 7065 The internal `fmtstr` function used in processing a "%s" format string in 7066 the `BIO_*printf` functions could overflow while calculating the length of a 7067 string and cause an OOB read when printing very long strings. 7068 7069 Additionally the internal `doapr_outch` function can attempt to write to an 7070 OOB memory location (at an offset from the NULL pointer) in the event of a 7071 memory allocation failure. In 1.0.2 and below this could be caused where 7072 the size of a buffer to be allocated is greater than INT_MAX. E.g. this 7073 could be in processing a very long "%s" format string. Memory leaks can 7074 also occur. 7075 7076 The first issue may mask the second issue dependent on compiler behaviour. 7077 These problems could enable attacks where large amounts of untrusted data 7078 is passed to the `BIO_*printf` functions. If applications use these functions 7079 in this way then they could be vulnerable. OpenSSL itself uses these 7080 functions when printing out human-readable dumps of ASN.1 data. Therefore 7081 applications that print this data could be vulnerable if the data is from 7082 untrusted sources. OpenSSL command line applications could also be 7083 vulnerable where they print out ASN.1 data, or if untrusted data is passed 7084 as command line arguments. 7085 7086 Libssl is not considered directly vulnerable. Additionally certificates etc 7087 received via remote connections via libssl are also unlikely to be able to 7088 trigger these issues because of message size limits enforced within libssl. 7089 7090 This issue was reported to OpenSSL Guido Vranken. 
7091 ([CVE-2016-0799]) 7092 7093 *Matt Caswell* 7094 7095 * Side channel attack on modular exponentiation 7096 7097 A side-channel attack was found which makes use of cache-bank conflicts on 7098 the Intel Sandy-Bridge microarchitecture which could lead to the recovery 7099 of RSA keys. The ability to exploit this issue is limited as it relies on 7100 an attacker who has control of code in a thread running on the same 7101 hyper-threaded core as the victim thread which is performing decryptions. 7102 7103 This issue was reported to OpenSSL by Yuval Yarom, The University of 7104 Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and 7105 Nadia Heninger, University of Pennsylvania with more information at 7106 <http://cachebleed.info>. 7107 ([CVE-2016-0702]) 7108 7109 *Andy Polyakov* 7110 7111 * Change the `req` command to generate a 2048-bit RSA/DSA key by default, 7112 if no keysize is specified with default_bits. This fixes an 7113 omission in an earlier change that changed all RSA/DSA key generation 7114 commands to use 2048 bits by default. 7115 7116 *Emilia Käsper* 7117 7118### Changes between 1.0.2e and 1.0.2f [28 Jan 2016] 7119 7120 * DH small subgroups 7121 7122 Historically OpenSSL only ever generated DH parameters based on "safe" 7123 primes. More recently (in version 1.0.2) support was provided for 7124 generating X9.42 style parameter files such as those required for RFC 5114 7125 support. The primes used in such files may not be "safe". Where an 7126 application is using DH configured with parameters based on primes that are 7127 not "safe" then an attacker could use this fact to find a peer's private 7128 DH exponent. This attack requires that the attacker complete multiple 7129 handshakes in which the peer uses the same private DH exponent. For example 7130 this could be used to discover a TLS server's private DH exponent if it's 7131 reusing the private DH exponent or it's using a static DH ciphersuite. 
7132 7133 OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in 7134 TLS. It is not on by default. If the option is not set then the server 7135 reuses the same private DH exponent for the life of the server process and 7136 would be vulnerable to this attack. It is believed that many popular 7137 applications do set this option and would therefore not be at risk. 7138 7139 The fix for this issue adds an additional check where a "q" parameter is 7140 available (as is the case in X9.42 based parameters). This detects the 7141 only known attack, and is the only possible defense for static DH 7142 ciphersuites. This could have some performance impact. 7143 7144 Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by 7145 default and cannot be disabled. This could have some performance impact. 7146 7147 This issue was reported to OpenSSL by Antonio Sanso (Adobe). 7148 ([CVE-2016-0701]) 7149 7150 *Matt Caswell* 7151 7152 * SSLv2 doesn't block disabled ciphers 7153 7154 A malicious client can negotiate SSLv2 ciphers that have been disabled on 7155 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have 7156 been disabled, provided that the SSLv2 protocol was not also disabled via 7157 SSL_OP_NO_SSLv2. 7158 7159 This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram 7160 and Sebastian Schinzel. 7161 ([CVE-2015-3197]) 7162 7163 *Viktor Dukhovni* 7164 7165### Changes between 1.0.2d and 1.0.2e [3 Dec 2015] 7166 7167 * BN_mod_exp may produce incorrect results on x86_64 7168 7169 There is a carry propagating bug in the x86_64 Montgomery squaring 7170 procedure. No EC algorithms are affected. Analysis suggests that attacks 7171 against RSA and DSA as a result of this defect would be very difficult to 7172 perform and are not believed likely. 
Attacks against DH are considered just 7173 feasible (although very difficult) because most of the work necessary to 7174 deduce information about a private key may be performed offline. The amount 7175 of resources required for such an attack would be very significant and 7176 likely only accessible to a limited number of attackers. An attacker would 7177 additionally need online access to an unpatched system using the target 7178 private key in a scenario with persistent DH parameters and a private 7179 key that is shared between multiple clients. For example this can occur by 7180 default in OpenSSL DHE based SSL/TLS ciphersuites. 7181 7182 This issue was reported to OpenSSL by Hanno Böck. 7183 ([CVE-2015-3193]) 7184 7185 *Andy Polyakov* 7186 7187 * Certificate verify crash with missing PSS parameter 7188 7189 The signature verification routines will crash with a NULL pointer 7190 dereference if presented with an ASN.1 signature using the RSA PSS 7191 algorithm and absent mask generation function parameter. Since these 7192 routines are used to verify certificate signature algorithms this can be 7193 used to crash any certificate verification operation and exploited in a 7194 DoS attack. Any application which performs certificate verification is 7195 vulnerable including OpenSSL clients and servers which enable client 7196 authentication. 7197 7198 This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). 7199 ([CVE-2015-3194]) 7200 7201 *Stephen Henson* 7202 7203 * X509_ATTRIBUTE memory leak 7204 7205 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak 7206 memory. This structure is used by the PKCS#7 and CMS routines so any 7207 application which reads PKCS#7 or CMS data from untrusted sources is 7208 affected. SSL/TLS is not affected. 7209 7210 This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using 7211 libFuzzer. 
   ([CVE-2015-3195])

   *Stephen Henson*

 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
   This changes the decoding behaviour for some invalid messages,
   though the change is mostly in the more lenient direction, and
   legacy behaviour is preserved as much as possible.

   *Emilia Käsper*

 * In DSA_generate_parameters_ex, if the provided seed is too short,
   return an error.

   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*

### Changes between 1.0.2c and 1.0.2d [9 Jul 2015]

 * Alternate chains certificate forgery

   During certificate verification, OpenSSL will attempt to find an
   alternative certificate chain if the first attempt to build such a chain
   fails. An error in the implementation of this logic can mean that an
   attacker could cause certain checks on untrusted certificates to be
   bypassed, such as the CA flag, enabling them to use a valid leaf
   certificate to act as a CA and "issue" an invalid certificate.

   This issue was reported to OpenSSL by Adam Langley/David Benjamin
   (Google/BoringSSL).

   *Matt Caswell*

### Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
   incompatibility in the handling of HMAC. The previous ABI has now been
   restored.

   *Matt Caswell*

### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]

 * Malformed ECParameters causes infinite loop

   When processing an ECParameters structure OpenSSL enters an infinite loop
   if the curve specified is over a specially malformed binary polynomial
   field.

   This can be used to perform denial of service against any
   system which processes public keys, certificate requests or
   certificates. This includes TLS clients and TLS servers with
   client authentication enabled.
   This issue was reported to OpenSSL by Joseph Barr-Pixton.
   ([CVE-2015-1788])

   *Andy Polyakov*

 * Exploitable out-of-bounds read in X509_cmp_time

   X509_cmp_time does not properly check the length of the ASN1_TIME
   string and can read a few bytes out of bounds. In addition,
   X509_cmp_time accepts an arbitrary number of fractional seconds in the
   time string.

   An attacker can use this to craft malformed certificates and CRLs of
   various sizes and potentially cause a segmentation fault, resulting in
   a DoS on applications that verify certificates or CRLs. TLS clients
   that verify CRLs are affected. TLS clients and servers with client
   authentication enabled may be affected if they use custom verification
   callbacks.

   This issue was reported to OpenSSL by Robert Swiecki (Google), and
   independently by Hanno Böck.
   ([CVE-2015-1789])

   *Emilia Käsper*

 * PKCS7 crash with missing EnvelopedContent

   The PKCS#7 parsing code does not handle missing inner EncryptedContent
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
   with missing content and trigger a NULL pointer dereference on parsing.

   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
   structures from untrusted sources are affected. OpenSSL clients and
   servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-1790])

   *Emilia Käsper*

 * CMS verify infinite loop with unknown hash function

   When verifying a signedData message the CMS code can enter an infinite loop
   if presented with an unknown hash function OID. This can be used to perform
   denial of service against any system which verifies signedData messages using
   the CMS code.

   This issue was reported to OpenSSL by Johannes Bauer.
   ([CVE-2015-1792])

   *Stephen Henson*

 * Race condition handling NewSessionTicket

   If a NewSessionTicket is received by a multi-threaded client when attempting to
   reuse a previous ticket then a race condition can occur potentially leading to
   a double free of the ticket data.
   ([CVE-2015-1791])

   *Matt Caswell*

 * Only support 256-bit or stronger elliptic curves with the
   'ecdh_auto' setting (server) or by default (client). Of supported
   curves, prefer P-256 (both).

   *Emilia Kasper*

### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]

 * ClientHello sigalgs DoS fix

   If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
   invalid signature algorithms extension a NULL pointer dereference will
   occur. This can be exploited in a DoS attack against the server.

   This issue was reported to OpenSSL by David Ramos of Stanford
   University.
   ([CVE-2015-0291])

   *Stephen Henson and Matt Caswell*

 * Multiblock corrupted pointer fix

   OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
   feature only applies on 64 bit x86 architecture platforms that support AES
   NI instructions. A defect in the implementation of "multiblock" can cause
   OpenSSL's internal write buffer to become incorrectly set to NULL when
   using non-blocking IO. Typically, when the user application is using a
   socket BIO for writing, this will only result in a failed connection.
   However if some other BIO is used then it is likely that a segmentation
   fault will be triggered, thus enabling a potential DoS attack.

   This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
   ([CVE-2015-0290])

   *Matt Caswell*

 * Segmentation fault in DTLSv1_listen fix

   The DTLSv1_listen function is intended to be stateless and processes the
   initial ClientHello from many peers. It is common for user code to loop
   over the call to DTLSv1_listen until a valid ClientHello is received with
   an associated cookie. A defect in the implementation of DTLSv1_listen means
   that state is preserved in the SSL object from one invocation to the next
   that can lead to a segmentation fault. Errors processing the initial
   ClientHello can trigger this scenario. An example of such an error could be
   that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
   server.

   This issue was reported to OpenSSL by Per Allansson.
   ([CVE-2015-0207])

   *Matt Caswell*

 * Segmentation fault in ASN1_TYPE_cmp fix

   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
   certificate signature algorithm consistency this can be used to crash any
   certificate verification operation and exploited in a DoS attack. Any
   application which performs certificate verification is vulnerable including
   OpenSSL clients and servers which enable client authentication.
   ([CVE-2015-0286])

   *Stephen Henson*

 * Segmentation fault for invalid PSS parameters fix

   The signature verification routines will crash with a NULL pointer
   dereference if presented with an ASN.1 signature using the RSA PSS
   algorithm and invalid parameters. Since these routines are used to verify
   certificate signature algorithms this can be used to crash any
   certificate verification operation and exploited in a DoS attack.
   Any
   application which performs certificate verification is vulnerable including
   OpenSSL clients and servers which enable client authentication.

   This issue was reported to OpenSSL by Brian Carpenter.
   ([CVE-2015-0208])

   *Stephen Henson*

 * ASN.1 structure reuse memory corruption fix

   Reusing a structure in ASN.1 parsing may allow an attacker to cause
   memory corruption via an invalid write. Such reuse is and has been
   strongly discouraged and is believed to be rare.

   Applications that parse structures containing CHOICE or ANY DEFINED BY
   components may be affected. Certificate parsing (d2i_X509 and related
   functions) is however not affected. OpenSSL clients and servers are
   not affected.
   ([CVE-2015-0287])

   *Stephen Henson*

 * PKCS7 NULL pointer dereferences fix

   The PKCS#7 parsing code does not handle missing outer ContentInfo
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
   missing content and trigger a NULL pointer dereference on parsing.

   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
   otherwise parse PKCS#7 structures from untrusted sources are
   affected. OpenSSL clients and servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-0289])

   *Emilia Käsper*

 * DoS via reachable assert in SSLv2 servers fix

   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
   servers that both support SSLv2 and enable export cipher suites by sending
   a specially crafted SSLv2 CLIENT-MASTER-KEY message.

   This issue was discovered by Sean Burford (Google) and Emilia Käsper
   (OpenSSL development team).
   ([CVE-2015-0293])

   *Emilia Käsper*

 * Empty CKE with client auth and DHE fix

   If client auth is used then a server can seg fault in the event of a DHE
   ciphersuite being selected and a zero length ClientKeyExchange message
   being sent by the client. This could be exploited in a DoS attack.
   ([CVE-2015-1787])

   *Matt Caswell*

 * Handshake with unseeded PRNG fix

   Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
   with an unseeded PRNG. The conditions are:
   - The client is on a platform where the PRNG has not been seeded
     automatically, and the user has not seeded manually
   - A protocol specific client method version has been used (i.e. not
     SSL_client_methodv23)
   - A ciphersuite is used that does not require additional random data from
     the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

   If the handshake succeeds then the client random that has been used will
   have been generated from a PRNG with insufficient entropy and therefore the
   output may be predictable.

   For example using the following command with an unseeded openssl will
   succeed on an unpatched platform:

       openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA

   ([CVE-2015-0285])

   *Matt Caswell*

 * Use After Free following d2i_ECPrivatekey error fix

   A malformed EC private key file consumed via the d2i_ECPrivateKey function
   could cause a use after free condition. This, in turn, could cause a double
   free in several private key parsing functions (such as d2i_PrivateKey
   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
   for applications that receive EC private keys from untrusted
   sources. This scenario is considered rare.

   This issue was discovered by the BoringSSL project and fixed in their
   commit 517073cd4b.
   ([CVE-2015-0209])

   *Matt Caswell*

 * X509_to_X509_REQ NULL pointer deref fix

   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
   the certificate key is invalid. This function is rarely used in practice.

   This issue was discovered by Brian Carpenter.
   ([CVE-2015-0288])

   *Stephen Henson*

 * Removed the export ciphers from the DEFAULT ciphers

   *Kurt Roeckx*

### Changes between 1.0.1l and 1.0.2 [22 Jan 2015]

 * Facilitate "universal" ARM builds targeting a range of ARM ISAs, e.g.
   ARMv5 through ARMv8, as opposed to "locking" it to a single one.
   So far those who have to target multiple platforms would compromise
   and argue that a binary targeting say ARMv5 would still execute on
   ARMv8. "Universal" build resolves this compromise by providing
   near-optimal performance even on newer platforms.

   *Andy Polyakov*

 * Accelerated NIST P-256 elliptic curve implementation for x86_64
   (other platforms pending).

   *Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov*

 * Add support for the SignedCertificateTimestampList certificate and
   OCSP response extensions from RFC6962.

   *Rob Stradling*

 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)

   *Bodo Moeller*

 * Initial support for PowerISA 2.0.7, first implemented in POWER8.
   This covers AES, SHA256/512 and GHASH. "Initial" means that most
   common cases are optimized and there still is room for further
   improvements. Vector Permutation AES for Altivec is also added.

   *Andy Polyakov*

 * Add support for little-endian ppc64 Linux target.

   *Marcelo Cerri (IBM)*

 * Initial support for ARMv8 ISA crypto extensions.
   This covers AES,
   SHA1, SHA256 and GHASH. "Initial" means that most common cases
   are optimized and there still is room for further improvements.
   Both 32- and 64-bit modes are supported.

   *Andy Polyakov, Ard Biesheuvel (Linaro)*

 * Improved ARMv7 NEON support.

   *Andy Polyakov*

 * Support for SPARC Architecture 2011 crypto extensions, first
   implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
   SHA256/512, MD5, GHASH and modular exponentiation.

   *Andy Polyakov, David Miller*

 * Accelerated modular exponentiation for Intel processors, a.k.a.
   RSAZ.

   *Shay Gueron & Vlad Krasnov (Intel Corp)*

 * Support for new and upcoming Intel processors, including AVX2,
   BMI and SHA ISA extensions. This includes additional "stitched"
   implementations, AESNI-SHA256 and GCM, and multi-buffer support
   for TLS encrypt.

   This work was sponsored by Intel Corp.

   *Andy Polyakov*

 * Support for DTLS 1.2. This adds two sets of DTLS methods: `DTLS_*_method()`
   supports both DTLS 1.2 and 1.0 and should use whatever version the peer
   supports, and `DTLSv1_2_*_method()` which supports DTLS 1.2 only.

   *Steve Henson*

 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
   this fixes a limitation in previous versions of OpenSSL.

   *Steve Henson*

 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
   MGF1 digest and OAEP label.

   *Steve Henson*

 * Add EVP support for key wrapping algorithms. To avoid problems with
   existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
   algorithms and include test cases.

   *Steve Henson*

 * Add functions to allocate and set the fields of an ECDSA_METHOD
   structure.

   *Douglas E. Engert, Steve Henson*

 * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
   difference in days and seconds between two tm or ASN1_TIME structures.

   *Steve Henson*

 * Add -rev test option to s_server to just reverse order of characters
   received by client and send back to server. Also prints an abbreviated
   summary of the connection parameters.

   *Steve Henson*

 * New option -brief for s_client and s_server to print out a brief summary
   of connection parameters.

   *Steve Henson*

 * Add callbacks for arbitrary TLS extensions.

   *Trevor Perrin <trevp@trevp.net> and Ben Laurie*

 * New option -crl_download in several openssl utilities to download CRLs
   from CRLDP extension in certificates.

   *Steve Henson*

 * New options -CRL and -CRLform for s_client and s_server for CRLs.

   *Steve Henson*

 * New function X509_CRL_diff to generate a delta CRL from the difference
   of two full CRLs. Add support to "crl" utility.

   *Steve Henson*

 * New functions to set lookup_crls function and to retrieve
   X509_STORE from X509_STORE_CTX.

   *Steve Henson*

 * Print out deprecated issuer and subject unique ID fields in
   certificates.

   *Steve Henson*

 * Extend OCSP I/O functions so they can be used for simple general purpose
   HTTP as well as OCSP. New wrapper function which can be used to download
   CRLs using the OCSP API.

   *Steve Henson*

 * Delegate command line handling in s_client/s_server to SSL_CONF APIs.

   *Steve Henson*

 * `SSL_CONF*` functions. These provide a common framework for application
   configuration using configuration files or command lines.

   *Steve Henson*

 * SSL/TLS tracing code. This parses out SSL/TLS records using the
   message callback and prints the results.
   Needs compile time option
   "enable-ssl-trace". New options to s_client and s_server to enable
   tracing.

   *Steve Henson*

 * New ctrl and macro to retrieve supported points extensions.
   Print out extension in s_server and s_client.

   *Steve Henson*

 * New functions to retrieve certificate signature and signature
   OID NID.

   *Steve Henson*

 * Add functions to retrieve and manipulate the raw cipherlist sent by a
   client to OpenSSL.

   *Steve Henson*

 * New Suite B modes for TLS code. These use and enforce the requirements
   of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
   only use Suite B curves. The Suite B modes can be set by using the
   strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.

   *Steve Henson*

 * New chain verification flags for Suite B levels of security. Check
   algorithms are acceptable when flags are set in X509_verify_cert.

   *Steve Henson*

 * Make tls1_check_chain return a set of flags indicating checks passed
   by a certificate chain. Add additional tests to handle client
   certificates: checks for matching certificate type and issuer name
   comparison.

   *Steve Henson*

 * If an attempt is made to use a signature algorithm not in the peer
   preference list abort the handshake. If client has no suitable
   signature algorithms in response to a certificate request do not
   use the certificate.

   *Steve Henson*

 * If server EC tmp key is not in client preference list abort handshake.

   *Steve Henson*

 * Add support for certificate stores in CERT structure. This makes it
   possible to have different stores per SSL structure or one store in
   the parent SSL_CTX. Include distinct stores for certificate chain
   verification and chain building.
   New ctrl SSL_CTRL_BUILD_CERT_CHAIN
   to build and store a certificate chain in CERT structure: returning
   an error if the chain cannot be built: this will allow applications
   to test if a chain is correctly configured.

   Note: if the CERT based stores are not set then the parent SSL_CTX
   store is used to retain compatibility with existing behaviour.

   *Steve Henson*

 * New function ssl_set_client_disabled to set a ciphersuite disabled
   mask based on the current session, check mask when sending client
   hello and checking the requested ciphersuite.

   *Steve Henson*

 * New ctrls to retrieve and set certificate types in a certificate
   request message. Print out received values in s_client. If certificate
   types are not set with custom values, set sensible values based on
   supported signature algorithms.

   *Steve Henson*

 * Support for distinct client and server supported signature algorithms.

   *Steve Henson*

 * Add certificate callback. If set this is called whenever a certificate
   is required by client or server. An application can decide which
   certificate chain to present based on arbitrary criteria: for example
   supported signature algorithms. Add very simple example to s_server.
   This fixes many of the problems and restrictions of the existing client
   certificate callback: for example you can now clear an existing
   certificate and specify the whole chain.

   *Steve Henson*

 * Add new "valid_flags" field to CERT_PKEY structure which determines what
   the certificate can be used for (if anything). Set valid_flags field
   in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
   to have similar checks in it.

   Add new "cert_flags" field to CERT structure and include a "strict mode".
   This enforces some TLS certificate requirements (such as only permitting
   certificate signature algorithms contained in the supported algorithms
   extension) which some implementations ignore: this option should be used
   with caution as it could cause interoperability issues.

   *Steve Henson*

 * Update and tidy signature algorithm extension processing. Work out
   shared signature algorithms based on preferences and peer algorithms
   and print them out in s_client and s_server. Abort handshake if no
   shared signature algorithms.

   *Steve Henson*

 * Add new functions to allow customised supported signature algorithms
   for SSL and SSL_CTX structures. Add options to s_client and s_server
   to support them.

   *Steve Henson*

 * New function SSL_certs_clear() to delete all references to certificates
   from an SSL structure. Before this once a certificate had been added
   it couldn't be removed.

   *Steve Henson*

 * Integrate hostname, email address and IP address checking with certificate
   verification. New verify options supporting checking in openssl utility.

   *Steve Henson*

 * Fixes and wildcard matching support to hostname and email checking
   functions. Add manual page.

   *Florian Weimer (Red Hat Product Security Team)*

 * New functions to check a hostname, email or IP address against a
   certificate. Add options to the x509 utility to print results of checks
   against a certificate.

   *Steve Henson*

 * Fix OCSP checking.

   *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*

 * Initial experimental support for explicitly trusted non-root CAs.
   OpenSSL still tries to build a complete chain to a root but if an
   intermediate CA has a trust setting included that is used. The first
   setting is used: whether to trust (e.g., -addtrust option to the x509
   utility) or reject.
   *Steve Henson*

 * Add -trusted_first option which attempts to find certificates in the
   trusted store even if an untrusted chain is also supplied.

   *Steve Henson*

 * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
   platform support for Linux and Android.

   *Andy Polyakov*

 * Support for linux-x32, ILP32 environment in x86_64 framework.

   *Andy Polyakov*

 * Experimental multi-implementation support for FIPS capable OpenSSL.
   When in FIPS mode the approved implementations are used as normal,
   when not in FIPS mode the internal unapproved versions are used instead.
   This means that the FIPS capable OpenSSL isn't forced to use the
   (often lower performance) FIPS implementations outside FIPS mode.

   *Steve Henson*

 * Transparently support X9.42 DH parameters when calling
   PEM_read_bio_DHparameters. This means existing applications can handle
   the new parameter format automatically.

   *Steve Henson*

 * Initial experimental support for X9.42 DH parameter format: mainly
   to support use of 'q' parameter for RFC5114 parameters.

   *Steve Henson*

 * Add DH parameters from RFC5114 including test data to dhtest.

   *Steve Henson*

 * Support for automatic EC temporary key parameter selection. If enabled
   the most preferred EC parameters are automatically used instead of
   hardcoded fixed parameters. Now a server just has to call:
   SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
   support ECDH and use the most appropriate parameters.

   *Steve Henson*

 * Enhance and tidy EC curve and point format TLS extension code. Use
   static structures instead of allocation if default values are used.
   New ctrls to set curves we wish to support and to retrieve shared curves.
   Print out shared curves in s_server.
   New options to s_server and s_client
   to set list of supported curves.

   *Steve Henson*

 * New ctrls to retrieve supported signature algorithms and
   supported curve values as an array of NIDs. Extend openssl utility
   to print out received values.

   *Steve Henson*

 * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
   between NIDs and the more common NIST names such as "P-256". Enhance
   ecparam utility and ECC method to recognise the NIST names for curves.

   *Steve Henson*

 * Enhance SSL/TLS certificate chain handling to support different
   chains for each certificate instead of one chain in the parent SSL_CTX.

   *Steve Henson*

 * Support for fixed DH ciphersuite client authentication: where both
   server and client use DH certificates with common parameters.

   *Steve Henson*

 * Support for fixed DH ciphersuites: those requiring DH server
   certificates.

   *Steve Henson*

 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
   the certificate.
   Note: Related 1.0.2-beta specific macros X509_get_cert_info,
   X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
   X509_CINF_get_signature were reverted post internal team review.

OpenSSL 1.0.1
-------------

### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP.
   Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
   HIGH to MEDIUM.

   This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
   Leurent (INRIA)
   ([CVE-2016-2183])

   *Rich Salz*

 * OOB write in MDC2_Update()

   An overflow can occur in MDC2_Update() either if called directly or
   through the EVP_DigestUpdate() function using MDC2. If an attacker
   is able to supply very large amounts of input data after a previous
   call to EVP_EncryptUpdate() with a partial block then a length check
   can overflow resulting in a heap corruption.

   The amount of data needed is comparable to SIZE_MAX which is impractical
   on most platforms.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6303])

   *Stephen Henson*

 * Malformed SHA512 ticket DoS

   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
   DoS attack where a malformed ticket will result in an OOB read which will
   ultimately crash.

   The use of SHA512 in TLS session tickets is comparatively rare as it requires
   a custom server callback and ticket lookup mechanism.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6302])

   *Stephen Henson*

 * OOB write in BN_bn2dec()

   The function BN_bn2dec() does not check the return value of BN_div_word().
   This can cause an OOB write if an application uses this function with an
   overly large BIGNUM. This could be a problem if an overly large certificate
   or CRL is printed out from an untrusted source.
   TLS is not affected because
   record limits will reject an oversized certificate before it is parsed.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2182])

   *Stephen Henson*

 * OOB read in TS_OBJ_print_bio()

   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
   the total length the OID text representation would use and not the amount
   of data written. This will result in OOB reads when large OIDs are
   presented.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2180])

   *Stephen Henson*

 * Pointer arithmetic undefined behaviour

   Avoid some undefined pointer arithmetic.

   A common idiom in the codebase is to check limits in the following manner:
   `p + len > limit`

   Where `p` points to some malloc'd data of SIZE bytes and
   `limit == p + SIZE`

   `len` here could be from some externally supplied data (e.g. from a TLS
   message).

   The rules of C pointer arithmetic are such that `p + len` is only well
   defined where `len <= SIZE`. Therefore, the above idiom is actually
   undefined behaviour.

   For example this could cause problems if some malloc implementation
   provides an address for `p` such that `p + len` actually overflows for
   values of `len` that are too big and therefore `p + len < limit`.

   This issue was reported to OpenSSL by Guido Vranken
   ([CVE-2016-2177])

   *Matt Caswell*

 * Constant time flag not preserved in DSA signing

   Operations in the DSA signing algorithm should run in constant time in
   order to avoid side channel attacks. A flaw in the OpenSSL DSA
   implementation means that a non-constant time codepath is followed for
   certain operations.
   This has been demonstrated through a cache-timing
   attack to be sufficient for an attacker to recover the private DSA key.

   This issue was reported by César Pereida (Aalto University), Billy Brumley
   (Tampere University of Technology), and Yuval Yarom (The University of
   Adelaide and NICTA).
   ([CVE-2016-2178])

   *César Pereida*

 * DTLS buffered message DoS

   In a DTLS connection where handshake messages are delivered out-of-order
   those messages that OpenSSL is not yet ready to process will be buffered
   for later use. Under certain circumstances, a flaw in the logic means that
   those messages do not get removed from the buffer even though the handshake
   has been completed. An attacker could force up to approx. 15 messages to
   remain in the buffer when they are no longer required. These messages will
   be cleared when the DTLS connection is closed. The default maximum size for
   a message is 100k. Therefore, the attacker could force an additional 1500k
   to be consumed per connection. By opening many simultaneous connections an
   attacker could cause a DoS attack through memory exhaustion.

   This issue was reported to OpenSSL by Quan Luo.
   ([CVE-2016-2179])

   *Matt Caswell*

 * DTLS replay protection DoS

   A flaw in the DTLS replay attack protection mechanism means that records
   that arrive for future epochs update the replay protection "window" before
   the MAC for the record has been validated. This could be exploited by an
   attacker by sending a record for the next epoch (which does not have to
   decrypt or have a valid MAC), with a very large sequence number. This means
   that all subsequent legitimate packets are dropped causing a denial of
   service for a specific DTLS connection.

   This issue was reported to OpenSSL by the OCAP audit team.
8055 ([CVE-2016-2181]) 8056 8057 *Matt Caswell* 8058 8059 * Certificate message OOB reads 8060 8061 In OpenSSL 1.0.2 and earlier some missing message length checks can result 8062 in OOB reads of up to 2 bytes beyond an allocated buffer. There is a 8063 theoretical DoS risk but this has not been observed in practice on common 8064 platforms. 8065 8066 The messages affected are client certificate, client certificate request 8067 and server certificate. As a result the attack can only be performed 8068 against a client or a server which enables client authentication. 8069 8070 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 8071 ([CVE-2016-6306]) 8072 8073 *Stephen Henson* 8074 8075### Changes between 1.0.1s and 1.0.1t [3 May 2016] 8076 8077 * Prevent padding oracle in AES-NI CBC MAC check 8078 8079 A MITM attacker can use a padding oracle attack to decrypt traffic 8080 when the connection uses an AES CBC cipher and the server support 8081 AES-NI. 8082 8083 This issue was introduced as part of the fix for Lucky 13 padding 8084 attack ([CVE-2013-0169]). The padding check was rewritten to be in 8085 constant time by making sure that always the same bytes are read and 8086 compared against either the MAC or padding bytes. But it no longer 8087 checked that there was enough data to have both the MAC and padding 8088 bytes. 8089 8090 This issue was reported by Juraj Somorovsky using TLS-Attacker. 8091 ([CVE-2016-2107]) 8092 8093 *Kurt Roeckx* 8094 8095 * Fix EVP_EncodeUpdate overflow 8096 8097 An overflow can occur in the EVP_EncodeUpdate() function which is used for 8098 Base64 encoding of binary data. If an attacker is able to supply very large 8099 amounts of input data then a length check can overflow resulting in a heap 8100 corruption. 8101 8102 Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by 8103 the `PEM_write_bio*` family of functions. 
These are mainly used within the 8104 OpenSSL command line applications, so any application which processes data 8105 from an untrusted source and outputs it as a PEM file should be considered 8106 vulnerable to this issue. User applications that call these APIs directly 8107 with large amounts of untrusted data may also be vulnerable. 8108 8109 This issue was reported by Guido Vranken. 8110 ([CVE-2016-2105]) 8111 8112 *Matt Caswell* 8113 8114 * Fix EVP_EncryptUpdate overflow 8115 8116 An overflow can occur in the EVP_EncryptUpdate() function. If an attacker 8117 is able to supply very large amounts of input data after a previous call to 8118 EVP_EncryptUpdate() with a partial block then a length check can overflow 8119 resulting in a heap corruption. Following an analysis of all OpenSSL 8120 internal usage of the EVP_EncryptUpdate() function all usage is one of two 8121 forms. The first form is where the EVP_EncryptUpdate() call is known to be 8122 the first called function after an EVP_EncryptInit(), and therefore that 8123 specific call must be safe. The second form is where the length passed to 8124 EVP_EncryptUpdate() can be seen from the code to be some small value and 8125 therefore there is no possibility of an overflow. Since all instances are 8126 one of these two forms, it is believed that there can be no overflows in 8127 internal code due to this problem. It should be noted that 8128 EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. 8129 Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances 8130 of these calls have also been analysed too and it is believed there are no 8131 instances in internal usage where an overflow could occur. 8132 8133 This issue was reported by Guido Vranken. 
8134 ([CVE-2016-2106]) 8135 8136 *Matt Caswell* 8137 8138 * Prevent ASN.1 BIO excessive memory allocation 8139 8140 When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() 8141 a short invalid encoding can casuse allocation of large amounts of memory 8142 potentially consuming excessive resources or exhausting memory. 8143 8144 Any application parsing untrusted data through d2i BIO functions is 8145 affected. The memory based functions such as d2i_X509() are *not* affected. 8146 Since the memory based functions are used by the TLS library, TLS 8147 applications are not affected. 8148 8149 This issue was reported by Brian Carpenter. 8150 ([CVE-2016-2109]) 8151 8152 *Stephen Henson* 8153 8154 * EBCDIC overread 8155 8156 ASN1 Strings that are over 1024 bytes can cause an overread in applications 8157 using the X509_NAME_oneline() function on EBCDIC systems. This could result 8158 in arbitrary stack data being returned in the buffer. 8159 8160 This issue was reported by Guido Vranken. 8161 ([CVE-2016-2176]) 8162 8163 *Matt Caswell* 8164 8165 * Modify behavior of ALPN to invoke callback after SNI/servername 8166 callback, such that updates to the SSL_CTX affect ALPN. 8167 8168 *Todd Short* 8169 8170 * Remove LOW from the DEFAULT cipher list. This removes singles DES from the 8171 default. 8172 8173 *Kurt Roeckx* 8174 8175 * Only remove the SSLv2 methods with the no-ssl2-method option. When the 8176 methods are enabled and ssl2 is disabled the methods return NULL. 8177 8178 *Kurt Roeckx* 8179 8180### Changes between 1.0.1r and 1.0.1s [1 Mar 2016] 8181 8182* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. 8183 Builds that are not configured with "enable-weak-ssl-ciphers" will not 8184 provide any "EXPORT" or "LOW" strength ciphers. 8185 8186 *Viktor Dukhovni* 8187 8188* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 8189 is by default disabled at build-time. 
Builds that are not configured with 8190 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, 8191 users who want to negotiate SSLv2 via the version-flexible SSLv23_method() 8192 will need to explicitly call either of: 8193 8194 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); 8195 or 8196 SSL_clear_options(ssl, SSL_OP_NO_SSLv2); 8197 8198 as appropriate. Even if either of those is used, or the application 8199 explicitly uses the version-specific SSLv2_method() or its client and 8200 server variants, SSLv2 ciphers vulnerable to exhaustive search key 8201 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT 8202 ciphers, and SSLv2 56-bit DES are no longer available. 8203 ([CVE-2016-0800]) 8204 8205 *Viktor Dukhovni* 8206 8207 * Fix a double-free in DSA code 8208 8209 A double free bug was discovered when OpenSSL parses malformed DSA private 8210 keys and could lead to a DoS attack or memory corruption for applications 8211 that receive DSA private keys from untrusted sources. This scenario is 8212 considered rare. 8213 8214 This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using 8215 libFuzzer. 8216 ([CVE-2016-0705]) 8217 8218 *Stephen Henson* 8219 8220 * Disable SRP fake user seed to address a server memory leak. 8221 8222 Add a new method SRP_VBASE_get1_by_user that handles the seed properly. 8223 8224 SRP_VBASE_get_by_user had inconsistent memory management behaviour. 8225 In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user 8226 was changed to ignore the "fake user" SRP seed, even if the seed 8227 is configured. 8228 8229 Users should use SRP_VBASE_get1_by_user instead. Note that in 8230 SRP_VBASE_get1_by_user, caller must free the returned value. 
Note 8231 also that even though configuring the SRP seed attempts to hide 8232 invalid usernames by continuing the handshake with fake 8233 credentials, this behaviour is not constant time and no strong 8234 guarantees are made that the handshake is indistinguishable from 8235 that of a valid user. 8236 ([CVE-2016-0798]) 8237 8238 *Emilia Käsper* 8239 8240 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption 8241 8242 In the BN_hex2bn function the number of hex digits is calculated using an 8243 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For 8244 large values of `i` this can result in `bn_expand` not allocating any 8245 memory because `i * 4` is negative. This can leave the internal BIGNUM data 8246 field as NULL leading to a subsequent NULL ptr deref. For very large values 8247 of `i`, the calculation `i * 4` could be a positive value smaller than `i`. 8248 In this case memory is allocated to the internal BIGNUM data field, but it 8249 is insufficiently sized leading to heap corruption. A similar issue exists 8250 in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn 8251 is ever called by user applications with very large untrusted hex/dec data. 8252 This is anticipated to be a rare occurrence. 8253 8254 All OpenSSL internal usage of these functions use data that is not expected 8255 to be untrusted, e.g. config file data or application command line 8256 arguments. If user developed applications generate config file data based 8257 on untrusted data then it is possible that this could also lead to security 8258 consequences. This is also anticipated to be rare. 8259 8260 This issue was reported to OpenSSL by Guido Vranken. 
8261 ([CVE-2016-0797]) 8262 8263 *Matt Caswell* 8264 8265 * Fix memory issues in `BIO_*printf` functions 8266 8267 The internal `fmtstr` function used in processing a "%s" format string in 8268 the `BIO_*printf` functions could overflow while calculating the length of a 8269 string and cause an OOB read when printing very long strings. 8270 8271 Additionally the internal `doapr_outch` function can attempt to write to an 8272 OOB memory location (at an offset from the NULL pointer) in the event of a 8273 memory allocation failure. In 1.0.2 and below this could be caused where 8274 the size of a buffer to be allocated is greater than INT_MAX. E.g. this 8275 could be in processing a very long "%s" format string. Memory leaks can 8276 also occur. 8277 8278 The first issue may mask the second issue dependent on compiler behaviour. 8279 These problems could enable attacks where large amounts of untrusted data 8280 is passed to the `BIO_*printf` functions. If applications use these functions 8281 in this way then they could be vulnerable. OpenSSL itself uses these 8282 functions when printing out human-readable dumps of ASN.1 data. Therefore 8283 applications that print this data could be vulnerable if the data is from 8284 untrusted sources. OpenSSL command line applications could also be 8285 vulnerable where they print out ASN.1 data, or if untrusted data is passed 8286 as command line arguments. 8287 8288 Libssl is not considered directly vulnerable. Additionally certificates etc 8289 received via remote connections via libssl are also unlikely to be able to 8290 trigger these issues because of message size limits enforced within libssl. 8291 8292 This issue was reported to OpenSSL Guido Vranken. 
8293 ([CVE-2016-0799]) 8294 8295 *Matt Caswell* 8296 8297 * Side channel attack on modular exponentiation 8298 8299 A side-channel attack was found which makes use of cache-bank conflicts on 8300 the Intel Sandy-Bridge microarchitecture which could lead to the recovery 8301 of RSA keys. The ability to exploit this issue is limited as it relies on 8302 an attacker who has control of code in a thread running on the same 8303 hyper-threaded core as the victim thread which is performing decryptions. 8304 8305 This issue was reported to OpenSSL by Yuval Yarom, The University of 8306 Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and 8307 Nadia Heninger, University of Pennsylvania with more information at 8308 <http://cachebleed.info>. 8309 ([CVE-2016-0702]) 8310 8311 *Andy Polyakov* 8312 8313 * Change the req command to generate a 2048-bit RSA/DSA key by default, 8314 if no keysize is specified with default_bits. This fixes an 8315 omission in an earlier change that changed all RSA/DSA key generation 8316 commands to use 2048 bits by default. 8317 8318 *Emilia Käsper* 8319 8320### Changes between 1.0.1q and 1.0.1r [28 Jan 2016] 8321 8322 * Protection for DH small subgroup attacks 8323 8324 As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been 8325 switched on by default and cannot be disabled. This could have some 8326 performance impact. 8327 8328 *Matt Caswell* 8329 8330 * SSLv2 doesn't block disabled ciphers 8331 8332 A malicious client can negotiate SSLv2 ciphers that have been disabled on 8333 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have 8334 been disabled, provided that the SSLv2 protocol was not also disabled via 8335 SSL_OP_NO_SSLv2. 8336 8337 This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram 8338 and Sebastian Schinzel. 8339 ([CVE-2015-3197]) 8340 8341 *Viktor Dukhovni* 8342 8343 * Reject DH handshakes with parameters shorter than 1024 bits. 
8344 8345 *Kurt Roeckx* 8346 8347### Changes between 1.0.1p and 1.0.1q [3 Dec 2015] 8348 8349 * Certificate verify crash with missing PSS parameter 8350 8351 The signature verification routines will crash with a NULL pointer 8352 dereference if presented with an ASN.1 signature using the RSA PSS 8353 algorithm and absent mask generation function parameter. Since these 8354 routines are used to verify certificate signature algorithms this can be 8355 used to crash any certificate verification operation and exploited in a 8356 DoS attack. Any application which performs certificate verification is 8357 vulnerable including OpenSSL clients and servers which enable client 8358 authentication. 8359 8360 This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). 8361 ([CVE-2015-3194]) 8362 8363 *Stephen Henson* 8364 8365 * X509_ATTRIBUTE memory leak 8366 8367 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak 8368 memory. This structure is used by the PKCS#7 and CMS routines so any 8369 application which reads PKCS#7 or CMS data from untrusted sources is 8370 affected. SSL/TLS is not affected. 8371 8372 This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using 8373 libFuzzer. 8374 ([CVE-2015-3195]) 8375 8376 *Stephen Henson* 8377 8378 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. 8379 This changes the decoding behaviour for some invalid messages, 8380 though the change is mostly in the more lenient direction, and 8381 legacy behaviour is preserved as much as possible. 8382 8383 *Emilia Käsper* 8384 8385 * In DSA_generate_parameters_ex, if the provided seed is too short, 8386 use a random seed, as already documented. 
8387 8388 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>* 8389 8390### Changes between 1.0.1o and 1.0.1p [9 Jul 2015] 8391 8392 * Alternate chains certificate forgery 8393 8394 During certificate verification, OpenSSL will attempt to find an 8395 alternative certificate chain if the first attempt to build such a chain 8396 fails. An error in the implementation of this logic can mean that an 8397 attacker could cause certain checks on untrusted certificates to be 8398 bypassed, such as the CA flag, enabling them to use a valid leaf 8399 certificate to act as a CA and "issue" an invalid certificate. 8400 8401 This issue was reported to OpenSSL by Adam Langley/David Benjamin 8402 (Google/BoringSSL). 8403 ([CVE-2015-1793]) 8404 8405 *Matt Caswell* 8406 8407 * Race condition handling PSK identify hint 8408 8409 If PSK identity hints are received by a multi-threaded client then 8410 the values are wrongly updated in the parent SSL_CTX structure. This can 8411 result in a race condition potentially leading to a double free of the 8412 identify hint data. 8413 ([CVE-2015-3196]) 8414 8415 *Stephen Henson* 8416 8417### Changes between 1.0.1n and 1.0.1o [12 Jun 2015] 8418 8419 * Fix HMAC ABI incompatibility. The previous version introduced an ABI 8420 incompatibility in the handling of HMAC. The previous ABI has now been 8421 restored. 8422 8423### Changes between 1.0.1m and 1.0.1n [11 Jun 2015] 8424 8425 * Malformed ECParameters causes infinite loop 8426 8427 When processing an ECParameters structure OpenSSL enters an infinite loop 8428 if the curve specified is over a specially malformed binary polynomial 8429 field. 8430 8431 This can be used to perform denial of service against any 8432 system which processes public keys, certificate requests or 8433 certificates. This includes TLS clients and TLS servers with 8434 client authentication enabled. 8435 8436 This issue was reported to OpenSSL by Joseph Barr-Pixton. 
8437 ([CVE-2015-1788]) 8438 8439 *Andy Polyakov* 8440 8441 * Exploitable out-of-bounds read in X509_cmp_time 8442 8443 X509_cmp_time does not properly check the length of the ASN1_TIME 8444 string and can read a few bytes out of bounds. In addition, 8445 X509_cmp_time accepts an arbitrary number of fractional seconds in the 8446 time string. 8447 8448 An attacker can use this to craft malformed certificates and CRLs of 8449 various sizes and potentially cause a segmentation fault, resulting in 8450 a DoS on applications that verify certificates or CRLs. TLS clients 8451 that verify CRLs are affected. TLS clients and servers with client 8452 authentication enabled may be affected if they use custom verification 8453 callbacks. 8454 8455 This issue was reported to OpenSSL by Robert Swiecki (Google), and 8456 independently by Hanno Böck. 8457 ([CVE-2015-1789]) 8458 8459 *Emilia Käsper* 8460 8461 * PKCS7 crash with missing EnvelopedContent 8462 8463 The PKCS#7 parsing code does not handle missing inner EncryptedContent 8464 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs 8465 with missing content and trigger a NULL pointer dereference on parsing. 8466 8467 Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 8468 structures from untrusted sources are affected. OpenSSL clients and 8469 servers are not affected. 8470 8471 This issue was reported to OpenSSL by Michal Zalewski (Google). 8472 ([CVE-2015-1790]) 8473 8474 *Emilia Käsper* 8475 8476 * CMS verify infinite loop with unknown hash function 8477 8478 When verifying a signedData message the CMS code can enter an infinite loop 8479 if presented with an unknown hash function OID. This can be used to perform 8480 denial of service against any system which verifies signedData messages using 8481 the CMS code. 8482 This issue was reported to OpenSSL by Johannes Bauer. 
8483 ([CVE-2015-1792]) 8484 8485 *Stephen Henson* 8486 8487 * Race condition handling NewSessionTicket 8488 8489 If a NewSessionTicket is received by a multi-threaded client when attempting to 8490 reuse a previous ticket then a race condition can occur potentially leading to 8491 a double free of the ticket data. 8492 ([CVE-2015-1791]) 8493 8494 *Matt Caswell* 8495 8496 * Reject DH handshakes with parameters shorter than 768 bits. 8497 8498 *Kurt Roeckx and Emilia Kasper* 8499 8500 * dhparam: generate 2048-bit parameters by default. 8501 8502 *Kurt Roeckx and Emilia Kasper* 8503 8504### Changes between 1.0.1l and 1.0.1m [19 Mar 2015] 8505 8506 * Segmentation fault in ASN1_TYPE_cmp fix 8507 8508 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is 8509 made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check 8510 certificate signature algorithm consistency this can be used to crash any 8511 certificate verification operation and exploited in a DoS attack. Any 8512 application which performs certificate verification is vulnerable including 8513 OpenSSL clients and servers which enable client authentication. 8514 ([CVE-2015-0286]) 8515 8516 *Stephen Henson* 8517 8518 * ASN.1 structure reuse memory corruption fix 8519 8520 Reusing a structure in ASN.1 parsing may allow an attacker to cause 8521 memory corruption via an invalid write. Such reuse is and has been 8522 strongly discouraged and is believed to be rare. 8523 8524 Applications that parse structures containing CHOICE or ANY DEFINED BY 8525 components may be affected. Certificate parsing (d2i_X509 and related 8526 functions) are however not affected. OpenSSL clients and servers are 8527 not affected. 8528 ([CVE-2015-0287]) 8529 8530 *Stephen Henson* 8531 8532 * PKCS7 NULL pointer dereferences fix 8533 8534 The PKCS#7 parsing code does not handle missing outer ContentInfo 8535 correctly. 
An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with 8536 missing content and trigger a NULL pointer dereference on parsing. 8537 8538 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or 8539 otherwise parse PKCS#7 structures from untrusted sources are 8540 affected. OpenSSL clients and servers are not affected. 8541 8542 This issue was reported to OpenSSL by Michal Zalewski (Google). 8543 ([CVE-2015-0289]) 8544 8545 *Emilia Käsper* 8546 8547 * DoS via reachable assert in SSLv2 servers fix 8548 8549 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in 8550 servers that both support SSLv2 and enable export cipher suites by sending 8551 a specially crafted SSLv2 CLIENT-MASTER-KEY message. 8552 8553 This issue was discovered by Sean Burford (Google) and Emilia Käsper 8554 (OpenSSL development team). 8555 ([CVE-2015-0293]) 8556 8557 *Emilia Käsper* 8558 8559 * Use After Free following d2i_ECPrivatekey error fix 8560 8561 A malformed EC private key file consumed via the d2i_ECPrivateKey function 8562 could cause a use after free condition. This, in turn, could cause a double 8563 free in several private key parsing functions (such as d2i_PrivateKey 8564 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption 8565 for applications that receive EC private keys from untrusted 8566 sources. This scenario is considered rare. 8567 8568 This issue was discovered by the BoringSSL project and fixed in their 8569 commit 517073cd4b. 8570 ([CVE-2015-0209]) 8571 8572 *Matt Caswell* 8573 8574 * X509_to_X509_REQ NULL pointer deref fix 8575 8576 The function X509_to_X509_REQ will crash with a NULL pointer dereference if 8577 the certificate key is invalid. This function is rarely used in practice. 8578 8579 This issue was discovered by Brian Carpenter. 
8580 ([CVE-2015-0288]) 8581 8582 *Stephen Henson* 8583 8584 * Removed the export ciphers from the DEFAULT ciphers 8585 8586 *Kurt Roeckx* 8587 8588### Changes between 1.0.1k and 1.0.1l [15 Jan 2015] 8589 8590 * Build fixes for the Windows and OpenVMS platforms 8591 8592 *Matt Caswell and Richard Levitte* 8593 8594### Changes between 1.0.1j and 1.0.1k [8 Jan 2015] 8595 8596 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS 8597 message can cause a segmentation fault in OpenSSL due to a NULL pointer 8598 dereference. This could lead to a Denial Of Service attack. Thanks to 8599 Markus Stenberg of Cisco Systems, Inc. for reporting this issue. 8600 ([CVE-2014-3571]) 8601 8602 *Steve Henson* 8603 8604 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the 8605 dtls1_buffer_record function under certain conditions. In particular this 8606 could occur if an attacker sent repeated DTLS records with the same 8607 sequence number but for the next epoch. The memory leak could be exploited 8608 by an attacker in a Denial of Service attack through memory exhaustion. 8609 Thanks to Chris Mueller for reporting this issue. 8610 ([CVE-2015-0206]) 8611 8612 *Matt Caswell* 8613 8614 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is 8615 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl 8616 method would be set to NULL which could later result in a NULL pointer 8617 dereference. Thanks to Frank Schmirler for reporting this issue. 8618 ([CVE-2014-3569]) 8619 8620 *Kurt Roeckx* 8621 8622 * Abort handshake if server key exchange message is omitted for ephemeral 8623 ECDH ciphersuites. 8624 8625 Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for 8626 reporting this issue. 8627 ([CVE-2014-3572]) 8628 8629 *Steve Henson* 8630 8631 * Remove non-export ephemeral RSA code on client and server. 
This code 8632 violated the TLS standard by allowing the use of temporary RSA keys in 8633 non-export ciphersuites and could be used by a server to effectively 8634 downgrade the RSA key length used to a value smaller than the server 8635 certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at 8636 INRIA or reporting this issue. 8637 ([CVE-2015-0204]) 8638 8639 *Steve Henson* 8640 8641 * Fixed issue where DH client certificates are accepted without verification. 8642 An OpenSSL server will accept a DH certificate for client authentication 8643 without the certificate verify message. This effectively allows a client to 8644 authenticate without the use of a private key. This only affects servers 8645 which trust a client certificate authority which issues certificates 8646 containing DH keys: these are extremely rare and hardly ever encountered. 8647 Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting 8648 this issue. 8649 ([CVE-2015-0205]) 8650 8651 *Steve Henson* 8652 8653 * Ensure that the session ID context of an SSL is updated when its 8654 SSL_CTX is updated via SSL_set_SSL_CTX. 8655 8656 The session ID context is typically set from the parent SSL_CTX, 8657 and can vary with the CTX. 8658 8659 *Adam Langley* 8660 8661 * Fix various certificate fingerprint issues. 8662 8663 By using non-DER or invalid encodings outside the signed portion of a 8664 certificate the fingerprint can be changed without breaking the signature. 8665 Although no details of the signed portion of the certificate can be changed 8666 this can cause problems with some applications: e.g. those using the 8667 certificate fingerprint for blacklists. 8668 8669 1. Reject signatures with non zero unused bits. 8670 8671 If the BIT STRING containing the signature has non zero unused bits reject 8672 the signature. All current signature algorithms require zero unused bits. 8673 8674 2. Check certificate algorithm consistency. 
8675 8676 Check the AlgorithmIdentifier inside TBS matches the one in the 8677 certificate signature. NB: this will result in signature failure 8678 errors for some broken certificates. 8679 8680 Thanks to Konrad Kraszewski from Google for reporting this issue. 8681 8682 3. Check DSA/ECDSA signatures use DER. 8683 8684 Re-encode DSA/ECDSA signatures and compare with the original received 8685 signature. Return an error if there is a mismatch. 8686 8687 This will reject various cases including garbage after signature 8688 (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS 8689 program for discovering this case) and use of BER or invalid ASN.1 INTEGERs 8690 (negative or with leading zeroes). 8691 8692 Further analysis was conducted and fixes were developed by Stephen Henson 8693 of the OpenSSL core team. 8694 8695 ([CVE-2014-8275]) 8696 8697 *Steve Henson* 8698 8699 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect 8700 results on some platforms, including x86_64. This bug occurs at random 8701 with a very low probability, and is not known to be exploitable in any 8702 way, though its exact impact is difficult to determine. Thanks to Pieter 8703 Wuille (Blockstream) who reported this issue and also suggested an initial 8704 fix. Further analysis was conducted by the OpenSSL development team and 8705 Adam Langley of Google. The final fix was developed by Andy Polyakov of 8706 the OpenSSL core team. 8707 ([CVE-2014-3570]) 8708 8709 *Andy Polyakov* 8710 8711 * Do not resume sessions on the server if the negotiated protocol 8712 version does not match the session's version. Resuming with a different 8713 version, while not strictly forbidden by the RFC, is of questionable 8714 sanity and breaks all known clients. 8715 8716 *David Benjamin, Emilia Käsper* 8717 8718 * Tighten handling of the ChangeCipherSpec (CCS) message: reject 8719 early CCS messages during renegotiation. 
(Note that because 8720 renegotiation is encrypted, this early CCS was not exploitable.) 8721 8722 *Emilia Käsper* 8723 8724 * Tighten client-side session ticket handling during renegotiation: 8725 ensure that the client only accepts a session ticket if the server sends 8726 the extension anew in the ServerHello. Previously, a TLS client would 8727 reuse the old extension state and thus accept a session ticket if one was 8728 announced in the initial ServerHello. 8729 8730 Similarly, ensure that the client requires a session ticket if one 8731 was advertised in the ServerHello. Previously, a TLS client would 8732 ignore a missing NewSessionTicket message. 8733 8734 *Emilia Käsper* 8735 8736### Changes between 1.0.1i and 1.0.1j [15 Oct 2014] 8737 8738 * SRTP Memory Leak. 8739 8740 A flaw in the DTLS SRTP extension parsing code allows an attacker, who 8741 sends a carefully crafted handshake message, to cause OpenSSL to fail 8742 to free up to 64k of memory causing a memory leak. This could be 8743 exploited in a Denial Of Service attack. This issue affects OpenSSL 8744 1.0.1 server implementations for both SSL/TLS and DTLS regardless of 8745 whether SRTP is used or configured. Implementations of OpenSSL that 8746 have been compiled with OPENSSL_NO_SRTP defined are not affected. 8747 8748 The fix was developed by the OpenSSL team. 8749 ([CVE-2014-3513]) 8750 8751 *OpenSSL team* 8752 8753 * Session Ticket Memory Leak. 8754 8755 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the 8756 integrity of that ticket is first verified. In the event of a session 8757 ticket integrity check failing, OpenSSL will fail to free memory 8758 causing a memory leak. By sending a large number of invalid session 8759 tickets an attacker could exploit this issue in a Denial Of Service 8760 attack. 8761 ([CVE-2014-3567]) 8762 8763 *Steve Henson* 8764 8765 * Build option no-ssl3 is incomplete. 
8766 8767 When OpenSSL is configured with "no-ssl3" as a build option, servers 8768 could accept and complete an SSL 3.0 handshake, and clients could be 8769 configured to send them. 8770 ([CVE-2014-3568]) 8771 8772 *Akamai and the OpenSSL team* 8773 8774 * Add support for TLS_FALLBACK_SCSV. 8775 Client applications doing fallback retries should call 8776 SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). 8777 ([CVE-2014-3566]) 8778 8779 *Adam Langley, Bodo Moeller* 8780 8781 * Add additional DigestInfo checks. 8782 8783 Re-encode DigestInto in DER and check against the original when 8784 verifying RSA signature: this will reject any improperly encoded 8785 DigestInfo structures. 8786 8787 Note: this is a precautionary measure and no attacks are currently known. 8788 8789 *Steve Henson* 8790 8791### Changes between 1.0.1h and 1.0.1i [6 Aug 2014] 8792 8793 * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the 8794 SRP code can be overrun an internal buffer. Add sanity check that 8795 g, A, B < N to SRP code. 8796 8797 Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC 8798 Group for discovering this issue. 8799 ([CVE-2014-3512]) 8800 8801 *Steve Henson* 8802 8803 * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate 8804 TLS 1.0 instead of higher protocol versions when the ClientHello message 8805 is badly fragmented. This allows a man-in-the-middle attacker to force a 8806 downgrade to TLS 1.0 even if both the server and the client support a 8807 higher protocol version, by modifying the client's TLS records. 8808 8809 Thanks to David Benjamin and Adam Langley (Google) for discovering and 8810 researching this issue. 8811 ([CVE-2014-3511]) 8812 8813 *David Benjamin* 8814 8815 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject 8816 to a denial of service attack. 
A malicious server can crash the client 8817 with a null pointer dereference (read) by specifying an anonymous (EC)DH 8818 ciphersuite and sending carefully crafted handshake messages. 8819 8820 Thanks to Felix Gröbert (Google) for discovering and researching this 8821 issue. 8822 ([CVE-2014-3510]) 8823 8824 *Emilia Käsper* 8825 8826 * By sending carefully crafted DTLS packets an attacker could cause openssl 8827 to leak memory. This can be exploited through a Denial of Service attack. 8828 Thanks to Adam Langley for discovering and researching this issue. 8829 ([CVE-2014-3507]) 8830 8831 *Adam Langley* 8832 8833 * An attacker can force openssl to consume large amounts of memory whilst 8834 processing DTLS handshake messages. This can be exploited through a 8835 Denial of Service attack. 8836 Thanks to Adam Langley for discovering and researching this issue. 8837 ([CVE-2014-3506]) 8838 8839 *Adam Langley* 8840 8841 * An attacker can force an error condition which causes openssl to crash 8842 whilst processing DTLS packets due to memory being freed twice. This 8843 can be exploited through a Denial of Service attack. 8844 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching 8845 this issue. 8846 ([CVE-2014-3505]) 8847 8848 *Adam Langley* 8849 8850 * If a multithreaded client connects to a malicious server using a resumed 8851 session and the server sends an ec point format extension it could write 8852 up to 255 bytes to freed memory. 8853 8854 Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this 8855 issue. 8856 ([CVE-2014-3509]) 8857 8858 *Gabor Tyukasz* 8859 8860 * A malicious server can crash an OpenSSL client with a null pointer 8861 dereference (read) by specifying an SRP ciphersuite even though it was not 8862 properly negotiated with the client. This can be exploited through a 8863 Denial of Service attack. 
   Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
   discovering and researching this issue.
   ([CVE-2014-5139])

   *Steve Henson*

 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
   X509_name_oneline, X509_name_print_ex et al. to leak some information
   from the stack. Applications may be affected if they echo pretty printing
   output to the attacker.

   Thanks to Ivan Fratric (Google) for discovering this issue.
   ([CVE-2014-3508])

   *Emilia Käsper and Steve Henson*

 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)

   *Bodo Moeller*

### Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
   handshake can force the use of weak keying material in OpenSSL
   SSL/TLS clients and servers.

   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
   researching this issue. ([CVE-2014-0224])

   *KIKUCHI Masashi, Steve Henson*

 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
   OpenSSL DTLS client the code can be made to recurse eventually crashing
   in a DoS attack.

   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
   ([CVE-2014-0221])

   *Imre Rad, Steve Henson*

 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
   client or server. This is potentially exploitable to run arbitrary
   code on a vulnerable client or server.

   Thanks to Jüri Aedla for reporting this issue.
   ([CVE-2014-0195])

   *Jüri Aedla, Steve Henson*

 * Fix bug in TLS code where clients enabling anonymous ECDH ciphersuites
   are subject to a denial of service attack.

   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
   this issue. ([CVE-2014-3470])

   *Felix Gröbert, Ivan Fratric, Steve Henson*

 * Harmonize version and its documentation. -f flag is used to display
   compilation flags.

   *mancha <mancha1@zoho.com>*

 * Fix eckey_priv_encode so it immediately returns an error upon a failure
   in i2d_ECPrivateKey.

   *mancha <mancha1@zoho.com>*

 * Fix some double frees. These are not thought to be exploitable.

   *mancha <mancha1@zoho.com>*

### Changes between 1.0.1f and 1.0.1g [7 Apr 2014]

 * A missing bounds check in the handling of the TLS heartbeat extension
   can be used to reveal up to 64k of memory to a connected client or
   server.

   Thanks to Neel Mehta of Google Security for discovering this bug and to
   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
   preparing the fix ([CVE-2014-0160])

   *Adam Langley, Bodo Moeller*

 * Fix for the attack described in the paper "Recovering OpenSSL
   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   by Yuval Yarom and Naomi Benger. Details can be obtained from:
   <http://eprint.iacr.org/2014/140>

   Thanks to Yuval Yarom and Naomi Benger for discovering this
   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])

   *Yuval Yarom and Naomi Benger*

 * TLS pad extension: draft-agl-tls-padding-03

   Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
   TLS client Hello record length value would otherwise be > 255 and
   less than 512 pad with a dummy extension containing zeroes so it
   is at least 512 bytes long.
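The padding rule above, as an added worked example (not OpenSSL's code): it builds a minimal ClientHello body, applies the "> 255 and < 512 pads to 512" rule, and parses the result back. It assumes the padding extension is type 21 (draft-agl-tls-padding, later RFC 7685) and that the 4-byte extension header counts toward the final length, which is why bodies of 508..511 bytes get an empty padding extension and can end up a few bytes over 512.

```python
import os
import struct

# Added example, not OpenSSL code. Assumptions: the padding extension is
# type 21 (draft-agl-tls-padding, later RFC 7685) and the rule is the one
# in the entry above: a ClientHello body of length > 255 and < 512 is
# padded to (at least) 512 bytes.
PADDING_EXT_TYPE = 21
EXT_HEADER_LEN = 4  # 2-byte extension type + 2-byte extension length


def padding_needed(hello_len):
    """Length of the padding extension *data* to append to a ClientHello body
    of hello_len bytes, or None when no padding extension is added.

    The 4-byte extension header also counts toward the final length, so a
    body of 508..511 bytes gets an empty padding extension (total 512..515)."""
    if not 255 < hello_len < 512:
        return None
    shortfall = 512 - hello_len
    return shortfall - EXT_HEADER_LEN if shortfall >= EXT_HEADER_LEN else 0


def padded_length(hello_len):
    """Final ClientHello body length after the workaround has been applied."""
    n = padding_needed(hello_len)
    return hello_len if n is None else hello_len + EXT_HEADER_LEN + n


def _assemble(client_random, suites, extensions):
    # ClientHello body: version (TLS 1.2), random, empty session id,
    # cipher_suites, null compression only, extensions.
    return (b"\x03\x03" + client_random + b"\x00"
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"
            + struct.pack("!H", len(extensions)) + extensions)


def build_client_hello(cipher_suites, extensions=b"", client_random=None, pad=True):
    """Build a ClientHello body (without the 4-byte handshake header),
    appending the padding extension exactly when the rule above says so."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = _assemble(client_random, suites, extensions)
    if pad:
        n = padding_needed(len(body))
        if n is not None:
            extensions += struct.pack("!HH", PADDING_EXT_TYPE, n) + bytes(n)
            body = _assemble(client_random, suites, extensions)
    return body


def extensions_of(body):
    """Walk a ClientHello body and return its extensions as (type, data) pairs;
    used here to confirm the padding extension is well-formed."""
    pos = 2 + 32
    pos += 1 + body[pos]                                   # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                      # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    out = []
    while pos < end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        out.append((ext_type, body[pos:pos + length]))
        pos += length
    return out


if __name__ == "__main__":
    # 110 constructed (arbitrary) cipher suite values give a 261-byte body,
    # which lands in the problematic 256..511 range.
    hello = build_client_hello(range(1, 111), client_random=bytes(32))
    print(len(hello), extensions_of(hello)[-1][0])  # 512 21
```

The workaround only matters for the first flight: once the server has answered, the record length of a renegotiation ClientHello is not what the affected servers tripped over.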
   *Adam Langley, Steve Henson*

### Changes between 1.0.1e and 1.0.1f [6 Jan 2014]

 * Fix for TLS record tampering bug. A carefully crafted invalid
   handshake could crash OpenSSL with a NULL pointer exception.
   Thanks to Anton Johansson for reporting this issue.
   ([CVE-2013-4353])

 * Keep original DTLS digest and encryption contexts in retransmission
   structures so we can use the previous session parameters if they need
   to be resent. ([CVE-2013-6450])

   *Steve Henson*

 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
   Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
   several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.

   *Rob Stradling, Adam Langley*

### Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
   supporting platforms or when small records were transferred.

   *Andy Polyakov, Steve Henson*

### Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

   This addresses the flaw in CBC record processing discovered by
   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
   at: <http://www.isg.rhul.ac.uk/tls/>

   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
   Emilia Käsper for the initial patch.
   ([CVE-2013-0169])

   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*

 * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
   ciphersuites which can be exploited in a denial of service attack.
   Thanks go to Adam Langley <agl@chromium.org> for discovering
   and detecting this bug and to Wolfgang Ettlinger
   <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
   ([CVE-2012-2686])

   *Adam Langley*

 * Return an error when checking OCSP signatures when key is NULL.
   This fixes a DoS attack. ([CVE-2013-0166])

   *Steve Henson*

 * Make openssl verify return errors.

   *Chris Palmer <palmer@google.com> and Ben Laurie*

 * Call OCSP Stapling callback after ciphersuite has been chosen, so
   the right response is stapled. Also change SSL_get_certificate()
   so it returns the certificate actually sent.
   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.

   *Rob Stradling <rob.stradling@comodo.com>*

 * Fix possible deadlock when decoding public keys.

   *Steve Henson*

 * Don't use TLS 1.0 record version number in initial client hello
   if renegotiating.

   *Steve Henson*

### Changes between 1.0.1b and 1.0.1c [10 May 2012]

 * Sanity check record length before skipping explicit IV in TLS
   1.2, 1.1 and DTLS to fix DoS attack.

   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
   fuzzing as a service testing platform.
   ([CVE-2012-2333])

   *Steve Henson*

 * Initialise tkeylen properly when encrypting CMS messages.
   Thanks to Solar Designer of Openwall for reporting this issue.

   *Steve Henson*

 * In FIPS mode don't try to use composite ciphers as they are not
   approved.
   *Steve Henson*

### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

 * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
   1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
   mean any application compiled against OpenSSL 1.0.0 headers setting
   SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
   TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
   0x10000000L. Any application which was previously compiled against
   OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
   will need to be recompiled as a result. Leaving the old value in place
   would make it impossible to disable specifically TLS 1.1 and, in a client
   context, would in that (unlikely) case limit the maximum offered version
   to TLS 1.0 [see below].

   *Steve Henson*

 * In order to ensure interoperability SSL_OP_NO_protocolX does not
   disable just protocol X, but all protocols above X *if* there are
   protocols *below* X still enabled. In more practical terms it means
   that if application wants to disable TLS1.0 in favor of TLS1.1 and
   above, it's not sufficient to pass `SSL_OP_NO_TLSv1`, one has to pass
   `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`. This applies to
   client side.

   *Andy Polyakov*

### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

 * Check for potentially exploitable overflows in asn1_d2i_read_bio
   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
   in CRYPTO_realloc_clean.

   Thanks to Tavis Ormandy, Google Security Team, for discovering this
   issue and to Adam Langley <agl@chromium.org> for fixing it.
   ([CVE-2012-2110])

   *Adam Langley (Google), Tavis Ormandy, Google Security Team*

 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
   *Adam Langley*

 * Workarounds for some broken servers that "hang" if a client hello
   record length exceeds 255 bytes.

   1. Do not use record version number > TLS 1.0 in initial client
      hello: some (but not all) hanging servers will now work.
   2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
      the number of ciphers sent in the client hello. This should be
      set to an even number, such as 50, for example by passing:
      -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
      Most broken servers should now work.
   3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
      TLS 1.2 client support entirely.

   *Steve Henson*

 * Fix SEGV in Vector Permutation AES module observed in OpenSSH.

   *Andy Polyakov*

### Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

 * Add compatibility with old MDC2 signatures which use an ASN1 OCTET
   STRING form instead of a DigestInfo.

   *Steve Henson*

 * The format used for MDC2 RSA signatures is inconsistent between EVP
   and the RSA_sign/RSA_verify functions. This was made more apparent when
   OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
   those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
   the correct format in RSA_verify so both forms transparently work.

   *Steve Henson*

 * Some servers which support TLS 1.0 can choke if we initially indicate
   support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
   encrypted premaster secret. As a workaround use the maximum permitted
   client version in client hello, this should keep such servers happy
   and still work with previous versions of OpenSSL.

   *Steve Henson*

 * Add support for TLS/DTLS heartbeats.

   *Robin Seggelmann <seggelmann@fh-muenster.de>*

 * Add support for SCTP.
   *Robin Seggelmann <seggelmann@fh-muenster.de>*

 * Improved PRNG seeding for VOS.

   *Paul Green <Paul.Green@stratus.com>*

 * Extensive assembler packs updates, most notably:

   - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
   - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
   - x86_64: bit-sliced AES implementation;
   - ARM: NEON support, contemporary platforms optimizations;
   - s390x: z196 support;
   - `*`: GHASH and GF(2^m) multiplication implementations;

   *Andy Polyakov*

 * Make TLS-SRP code conformant with RFC 5054 API cleanup
   (removal of unnecessary code)

   *Peter Sylvester <peter.sylvester@edelweb.fr>*

 * Add TLS key material exporter from RFC 5705.

   *Eric Rescorla*

 * Add DTLS-SRTP negotiation from RFC 5764.

   *Eric Rescorla*

 * Add Next Protocol Negotiation,
   <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
   disabled with a no-npn flag to config or Configure. Code donated
   by Google.

   *Adam Langley <agl@google.com> and Ben Laurie*

 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
   NIST-P256, NIST-P521, with constant-time single point multiplication on
   typical inputs. Compiler support for the nonstandard type `__uint128_t` is
   required to use this (present in gcc 4.4 and later, for 64-bit builds).
   Code made available under Apache License version 2.0.

   Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
   line to include this in your build of OpenSSL, and run "make depend" (or
   "make update"). This enables the following EC_METHODs:

       EC_GFp_nistp224_method()
       EC_GFp_nistp256_method()
       EC_GFp_nistp521_method()

   EC_GROUP_new_by_curve_name() will automatically use these (while
   EC_GROUP_new_curve_GFp() currently prefers the more flexible
   implementations).
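What "constant-time single point multiplication" buys, and why the FLUSH+RELOAD ECDSA nonce recovery fixed under CVE-2014-0076 (1.0.1g, above) worked against the non-constant-time code path, as an added example that is not OpenSSL's nistp256 implementation: a Montgomery ladder over NIST P-256 next to the classic double-and-add. The ladder performs the same add/double pair on every bit, so the sequence of field operations does not depend on the scalar. Python big-integer arithmetic and the `if` in the swap are not themselves constant time; the block shows the structure, not a side-channel-safe implementation. The curve constants are the standard P-256 parameters; the "typical inputs" caveat in the entry above is visible in the point-at-infinity special cases of `add()`, which dedicated implementations avoid with complete formulas.

```python
# Added example, not OpenSSL code. Standard NIST P-256 parameters
# (y^2 = x^3 - 3x + b over GF(P), base point G of prime order N).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p, q):
    """Affine point addition; also handles doubling and the point at infinity.
    These special cases are data-dependent, which is the 'typical inputs'
    caveat: a real constant-time implementation uses complete formulas."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                      # p == -q
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul_double_and_add(k, pt):
    """Left-to-right double-and-add: the extra addition happens only for
    1 bits, so the sequence of field operations (and with it timing and
    cache footprint) is a function of the secret scalar. This is the kind
    of leak the FLUSH+RELOAD paper exploited against the wNAF code path."""
    r = INF
    for bit in bin(k)[2:]:
        r = add(r, r)
        if bit == "1":
            r = add(r, pt)
    return r


def _cswap(bit, a, b):
    # Conditional swap. Real implementations do this with arithmetic masking
    # over fixed-width limbs; this Python branch is NOT constant time and
    # only shows where the swap sits in the ladder.
    return (b, a) if bit else (a, b)


def mul_ladder(k, pt, bits=256):
    """Montgomery ladder: every iteration does exactly one addition and one
    doubling whatever the bit value; only the register roles change.
    Invariant after each step: r1 == r0 + pt."""
    r0, r1 = INF, pt
    for i in range(bits - 1, -1, -1):
        bit = (k >> i) & 1
        r0, r1 = _cswap(bit, r0, r1)
        r1 = add(r0, r1)
        r0 = add(r0, r0)
        r0, r1 = _cswap(bit, r0, r1)
    return r0


if __name__ == "__main__":
    k = 0x123456789abcdef0  # constructed scalar
    assert mul_ladder(k, G) == mul_double_and_add(k, G)
    print(mul_ladder(N, G))  # None: the group order annihilates G
```

Both routines agree on every scalar; the difference is only in what an observer sharing the cache can learn while they run, which is exactly what the nistp methods and the CVE-2014-0076 fix address.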
   *Emilia Käsper, Adam Langley, Bodo Moeller (Google)*

 * Use type ossl_ssize_t instead of ssize_t which isn't available on
   all platforms. Move ssize_t definition from e_os.h to the public
   header file e_os2.h as it now appears in public header file cms.h

   *Steve Henson*

 * New -sigopt option to the ca, req and x509 utilities. Additional
   signature parameters can be passed using this option and in
   particular PSS.

   *Steve Henson*

 * Add RSA PSS signing function. This will generate and set the
   appropriate AlgorithmIdentifiers for PSS based on those in the
   corresponding EVP_MD_CTX structure. No application support yet.

   *Steve Henson*

 * Support for companion algorithm specific ASN1 signing routines.
   New function ASN1_item_sign_ctx() signs a pre-initialised
   EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
   the appropriate parameters.

   *Steve Henson*

 * Add new algorithm specific ASN1 verification initialisation function
   to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
   handling will be the same no matter what EVP_PKEY_METHOD is used.
   Add a PSS handler to support verification of PSS signatures: checked
   against a number of sample certificates.

   *Steve Henson*

 * Add signature printing for PSS. Add PSS OIDs.

   *Steve Henson, Martin Kaiser <lists@kaiser.cx>*

 * Add algorithm specific signature printing. An individual ASN1 method
   can now print out signatures instead of the standard hex dump.

   More complex signatures (e.g. PSS) can print out more meaningful
   information. Include DSA version that prints out the signature
   parameters r, s.

   *Steve Henson*

 * Password based recipient info support for CMS library: implementing
   RFC3211.
   *Steve Henson*

 * Split password based encryption into PBES2 and PBKDF2 functions. This
   neatly separates the code into cipher and PBE sections and is required
   for some algorithms that split PBES2 into separate pieces (such as
   password based CMS).

   *Steve Henson*

 * Session-handling fixes:
   - Fix handling of connections that are resuming with a session ID,
     but also support Session Tickets.
   - Fix a bug that suppressed issuing of a new ticket if the client
     presented a ticket with an expired session.
   - Try to set the ticket lifetime hint to something reasonable.
   - Make tickets shorter by excluding irrelevant information.
   - On the client side, don't ignore renewed tickets.

   *Adam Langley, Bodo Moeller (Google)*

 * Fix PSK session representation.

   *Bodo Moeller*

 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.

   This work was sponsored by Intel.

   *Andy Polyakov*

 * Add GCM support to TLS library. Some custom code is needed to split
   the IV between the fixed (from PRF) and explicit (from TLS record)
   portions. This adds all GCM ciphersuites supported by RFC5288 and
   RFC5289. Generalise some `AES*` cipherstrings to include GCM and
   add a special AESGCM string for GCM only.

   *Steve Henson*

 * Expand range of ctrls for AES GCM. Permit setting invocation
   field on decrypt and retrieval of invocation field only on encrypt.

   *Steve Henson*

 * Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
   As required by RFC5289 these ciphersuites cannot be used with
   versions of TLS earlier than 1.2.

   *Steve Henson*

 * For FIPS capable OpenSSL interpret a NULL default public key method
   as unset and return the appropriate default but do *not* set the default.
   This means we can return the appropriate method in applications that
   switch between FIPS and non-FIPS modes.

   *Steve Henson*

 * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
   ENGINE is used then we cannot handle that in the FIPS module so we
   keep original code iff non-FIPS operations are allowed.

   *Steve Henson*

 * Add -attime option to openssl utilities.

   *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*

 * Redirect DSA and DH operations to FIPS module in FIPS mode.

   *Steve Henson*

 * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
   FIPS EC methods unconditionally for now.

   *Steve Henson*

 * New build option no-ec2m to disable characteristic 2 code.

   *Steve Henson*

 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
   all cases can be covered as some introduce binary incompatibilities.

   *Steve Henson*

 * Redirect RSA operations to FIPS module including keygen,
   encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.

   *Steve Henson*

 * Add similar low-level API blocking to ciphers.

   *Steve Henson*

 * Low-level digest APIs are not approved in FIPS mode: any attempt
   to use these will cause a fatal error. Applications that *really* want
   to use them can use the `private_*` version instead.

   *Steve Henson*

 * Redirect cipher operations to FIPS module for FIPS builds.

   *Steve Henson*

 * Redirect digest operations to FIPS module for FIPS builds.

   *Steve Henson*

 * Update build system to add "fips" flag which will link in fipscanister.o
   for static and shared library builds embedding a signature if needed.

   *Steve Henson*

 * Output TLS supported curves in preference order instead of numerical
   order.
   This is currently hardcoded for the highest order curves first.
   This should be configurable so applications can judge speed vs strength.

   *Steve Henson*

 * Add TLS v1.2 server support for client authentication.

   *Steve Henson*

 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
   and enable MD5.

   *Steve Henson*

 * Functions FIPS_mode_set() and FIPS_mode() which call the underlying
   FIPS module versions.

   *Steve Henson*

 * Add TLS v1.2 client side support for client authentication. Keep cache
   of handshake records longer as we don't know the hash algorithm to use
   until after the certificate request message is received.

   *Steve Henson*

 * Initial TLS v1.2 client support. Add a default signature algorithms
   extension including all the algorithms we support. Parse new signature
   format in client key exchange. Relax some ECC signing restrictions for
   TLS v1.2 as indicated in RFC5246.

   *Steve Henson*

 * Add server support for TLS v1.2 signature algorithms extension. Switch
   to new signature format when needed using client digest preference.
   All server ciphersuites should now work correctly in TLS v1.2. No client
   support yet and no support for client certificates.

   *Steve Henson*

 * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
   to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
   ciphersuites. At present only RSA key exchange ciphersuites work with
   TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
   SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
   and version checking.

   *Steve Henson*

 * New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
   with this defined it will not be affected by any changes to ssl internal
   structures.
   Add several utility functions to allow openssl application
   to work with OPENSSL_NO_SSL_INTERN defined.

   *Steve Henson*

 * A long standing patch to add support for SRP from EdelWeb (Peter
   Sylvester and Christophe Renou) was integrated.

   *Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
   <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
   Ben Laurie*

 * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.

   *Steve Henson*

 * Permit abbreviated handshakes when renegotiating using the function
   SSL_renegotiate_abbreviated().

   *Robin Seggelmann <seggelmann@fh-muenster.de>*

 * Add call to ENGINE_register_all_complete() to
   ENGINE_load_builtin_engines(), so some implementations get used
   automatically instead of needing explicit application support.

   *Steve Henson*

 * Add support for TLS key exporter as described in RFC5705.

   *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*

 * Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
   a few changes are required:

       Add SSL_OP_NO_TLSv1_1 flag.
       Add TLSv1_1 methods.
       Update version checking logic to handle version 1.1.
       Add explicit IV handling (ported from DTLS code).
       Add command line options to s_client/s_server.

   *Steve Henson*

OpenSSL 1.0.0
-------------

### Changes between 1.0.0s and 1.0.0t [3 Dec 2015]

 * X509_ATTRIBUTE memory leak

   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
   memory. This structure is used by the PKCS#7 and CMS routines so any
   application which reads PKCS#7 or CMS data from untrusted sources is
   affected. SSL/TLS is not affected.

   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
   libFuzzer.
   ([CVE-2015-3195])

   *Stephen Henson*

 * Race condition handling PSK identity hint

   If PSK identity hints are received by a multi-threaded client then
   the values are wrongly updated in the parent SSL_CTX structure. This can
   result in a race condition potentially leading to a double free of the
   identity hint data.
   ([CVE-2015-3196])

   *Stephen Henson*

### Changes between 1.0.0r and 1.0.0s [11 Jun 2015]

 * Malformed ECParameters causes infinite loop

   When processing an ECParameters structure OpenSSL enters an infinite loop
   if the curve specified is over a specially malformed binary polynomial
   field.

   This can be used to perform denial of service against any
   system which processes public keys, certificate requests or
   certificates. This includes TLS clients and TLS servers with
   client authentication enabled.

   This issue was reported to OpenSSL by Joseph Barr-Pixton.
   ([CVE-2015-1788])

   *Andy Polyakov*

 * Exploitable out-of-bounds read in X509_cmp_time

   X509_cmp_time does not properly check the length of the ASN1_TIME
   string and can read a few bytes out of bounds. In addition,
   X509_cmp_time accepts an arbitrary number of fractional seconds in the
   time string.

   An attacker can use this to craft malformed certificates and CRLs of
   various sizes and potentially cause a segmentation fault, resulting in
   a DoS on applications that verify certificates or CRLs. TLS clients
   that verify CRLs are affected. TLS clients and servers with client
   authentication enabled may be affected if they use custom verification
   callbacks.

   This issue was reported to OpenSSL by Robert Swiecki (Google), and
   independently by Hanno Böck.
   ([CVE-2015-1789])

   *Emilia Käsper*

 * PKCS7 crash with missing EnvelopedContent

   The PKCS#7 parsing code does not handle missing inner EncryptedContent
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
   with missing content and trigger a NULL pointer dereference on parsing.

   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
   structures from untrusted sources are affected. OpenSSL clients and
   servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-1790])

   *Emilia Käsper*

 * CMS verify infinite loop with unknown hash function

   When verifying a signedData message the CMS code can enter an infinite loop
   if presented with an unknown hash function OID. This can be used to perform
   denial of service against any system which verifies signedData messages using
   the CMS code.
   This issue was reported to OpenSSL by Johannes Bauer.
   ([CVE-2015-1792])

   *Stephen Henson*

 * Race condition handling NewSessionTicket

   If a NewSessionTicket is received by a multi-threaded client when attempting to
   reuse a previous ticket then a race condition can occur potentially leading to
   a double free of the ticket data.
   ([CVE-2015-1791])

   *Matt Caswell*

### Changes between 1.0.0q and 1.0.0r [19 Mar 2015]

 * Segmentation fault in ASN1_TYPE_cmp fix

   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
   certificate signature algorithm consistency this can be used to crash any
   certificate verification operation and exploited in a DoS attack. Any
   application which performs certificate verification is vulnerable including
   OpenSSL clients and servers which enable client authentication.
   ([CVE-2015-0286])

   *Stephen Henson*

 * ASN.1 structure reuse memory corruption fix

   Reusing a structure in ASN.1 parsing may allow an attacker to cause
   memory corruption via an invalid write. Such reuse is and has been
   strongly discouraged and is believed to be rare.

   Applications that parse structures containing CHOICE or ANY DEFINED BY
   components may be affected. Certificate parsing (d2i_X509 and related
   functions) is however not affected. OpenSSL clients and servers are
   not affected.
   ([CVE-2015-0287])

   *Stephen Henson*

 * PKCS7 NULL pointer dereferences fix

   The PKCS#7 parsing code does not handle missing outer ContentInfo
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
   missing content and trigger a NULL pointer dereference on parsing.

   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
   otherwise parse PKCS#7 structures from untrusted sources are
   affected. OpenSSL clients and servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-0289])

   *Emilia Käsper*

 * DoS via reachable assert in SSLv2 servers fix

   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
   servers that both support SSLv2 and enable export cipher suites by sending
   a specially crafted SSLv2 CLIENT-MASTER-KEY message.

   This issue was discovered by Sean Burford (Google) and Emilia Käsper
   (OpenSSL development team).
   ([CVE-2015-0293])

   *Emilia Käsper*

 * Use After Free following d2i_ECPrivatekey error fix

   A malformed EC private key file consumed via the d2i_ECPrivateKey function
   could cause a use after free condition.
   This, in turn, could cause a double
   free in several private key parsing functions (such as d2i_PrivateKey
   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
   for applications that receive EC private keys from untrusted
   sources. This scenario is considered rare.

   This issue was discovered by the BoringSSL project and fixed in their
   commit 517073cd4b.
   ([CVE-2015-0209])

   *Matt Caswell*

 * X509_to_X509_REQ NULL pointer deref fix

   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
   the certificate key is invalid. This function is rarely used in practice.

   This issue was discovered by Brian Carpenter.
   ([CVE-2015-0288])

   *Stephen Henson*

 * Removed the export ciphers from the DEFAULT ciphers

   *Kurt Roeckx*

### Changes between 1.0.0p and 1.0.0q [15 Jan 2015]

 * Build fixes for the Windows and OpenVMS platforms

   *Matt Caswell and Richard Levitte*

### Changes between 1.0.0o and 1.0.0p [8 Jan 2015]

 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
   message can cause a segmentation fault in OpenSSL due to a NULL pointer
   dereference. This could lead to a Denial Of Service attack. Thanks to
   Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
   ([CVE-2014-3571])

   *Steve Henson*

 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
   dtls1_buffer_record function under certain conditions. In particular this
   could occur if an attacker sent repeated DTLS records with the same
   sequence number but for the next epoch. The memory leak could be exploited
   by an attacker in a Denial of Service attack through memory exhaustion.
   Thanks to Chris Mueller for reporting this issue.
   ([CVE-2015-0206])

   *Matt Caswell*

 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
   method would be set to NULL which could later result in a NULL pointer
   dereference. Thanks to Frank Schmirler for reporting this issue.
   ([CVE-2014-3569])

   *Kurt Roeckx*

 * Abort handshake if server key exchange message is omitted for ephemeral
   ECDH ciphersuites.

   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
   reporting this issue.
   ([CVE-2014-3572])

   *Steve Henson*

 * Remove non-export ephemeral RSA code on client and server. This code
   violated the TLS standard by allowing the use of temporary RSA keys in
   non-export ciphersuites and could be used by a server to effectively
   downgrade the RSA key length used to a value smaller than the server
   certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
   INRIA for reporting this issue.
   ([CVE-2015-0204])

   *Steve Henson*

 * Fixed issue where DH client certificates are accepted without verification.
   An OpenSSL server will accept a DH certificate for client authentication
   without the certificate verify message. This effectively allows a client to
   authenticate without the use of a private key. This only affects servers
   which trust a client certificate authority which issues certificates
   containing DH keys: these are extremely rare and hardly ever encountered.
   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
   this issue.
   ([CVE-2015-0205])

   *Steve Henson*

 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
   results on some platforms, including x86_64.
   This bug occurs at random
   with a very low probability, and is not known to be exploitable in any
   way, though its exact impact is difficult to determine. Thanks to Pieter
   Wuille (Blockstream) who reported this issue and also suggested an initial
   fix. Further analysis was conducted by the OpenSSL development team and
   Adam Langley of Google. The final fix was developed by Andy Polyakov of
   the OpenSSL core team.
   ([CVE-2014-3570])

   *Andy Polyakov*

 * Fix various certificate fingerprint issues.

   By using non-DER or invalid encodings outside the signed portion of a
   certificate the fingerprint can be changed without breaking the signature.
   Although no details of the signed portion of the certificate can be changed
   this can cause problems with some applications: e.g. those using the
   certificate fingerprint for blacklists.

   1. Reject signatures with non zero unused bits.

   If the BIT STRING containing the signature has non zero unused bits reject
   the signature. All current signature algorithms require zero unused bits.

   2. Check certificate algorithm consistency.

   Check the AlgorithmIdentifier inside TBS matches the one in the
   certificate signature. NB: this will result in signature failure
   errors for some broken certificates.

   Thanks to Konrad Kraszewski from Google for reporting this issue.

   3. Check DSA/ECDSA signatures use DER.

   Re-encode DSA/ECDSA signatures and compare with the original received
   signature. Return an error if there is a mismatch.

   This will reject various cases including garbage after signature
   (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
   program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
   (negative or with leading zeroes).
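   The re-encode-and-compare check of item 3, modelled in Python as an added
   example (this is not OpenSSL's code). A deliberately lenient decoder, which
   accepts the kind of slack a BER-tolerant d2i routine accepts and, like a
   BIGNUM-style decoder, reads INTEGER contents as an unsigned magnitude,
   recovers (r, s); the pair is then re-encoded in canonical DER and accepted
   only if the bytes match the input exactly. The sample encodings are
   constructed with tiny r and s values for readability.

```python
"""Re-encode-and-compare check for ECDSA-Sig-Value (SEQUENCE { r INTEGER,
s INTEGER }). Constructed model of the defence, not OpenSSL's implementation."""


def _read_tlv(buf, pos):
    """Leniently read one tag/length/value triple starting at pos.

    Accepts the BER long-form length even where the short form would do
    (a non-minimal encoding), which is exactly the slack the re-encode
    comparison must catch. Returns (tag, value_bytes, next_pos).
    """
    if pos + 1 >= len(buf):
        raise ValueError("truncated: no tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length not allowed")
        if pos + nbytes > len(buf):
            raise ValueError("truncated: length bytes")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated: content")
    return tag, buf[pos:pos + length], pos + length


def decode_ecdsa_sig_lenient(der):
    """Decode SEQUENCE { r INTEGER, s INTEGER } without strictness checks.

    INTEGER contents are taken as an unsigned magnitude, so a sign-bit
    ambiguous ('negative') encoding or a redundant leading zero still yields
    a value; bytes after the SEQUENCE are ignored, as a d2i call would.
    """
    tag, body, _end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_r, r_bytes, pos = _read_tlv(body, 0)
    tag_s, s_bytes, pos = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02:
        raise ValueError("expected two INTEGERs")
    if pos != len(body) or not r_bytes or not s_bytes:
        raise ValueError("malformed SEQUENCE body")
    return int.from_bytes(r_bytes, "big"), int.from_bytes(s_bytes, "big")


def _der_length(n):
    """Minimal DER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_uint(n):
    """Canonical DER INTEGER for a non-negative value: minimal content bytes,
    with one leading 0x00 only when needed to keep the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_ecdsa_sig(r, s):
    """Canonical DER for ECDSA-Sig-Value."""
    body = _der_uint(r) + _der_uint(s)
    return b"\x30" + _der_length(len(body)) + body


def ecdsa_sig_is_strict_der(der):
    """The check itself: decode, re-encode, and require an exact byte match.
    BER slack, leading zeros, sign-bit ambiguity and trailing garbage all
    change the re-encoding and are rejected; so is anything undecodable."""
    try:
        r, s = decode_ecdsa_sig_lenient(der)
    except ValueError:
        return False
    return encode_ecdsa_sig(r, s) == bytes(der)


# Constructed sample encodings (r=1, s=2 in every case that decodes).
GOOD = bytes.fromhex("3006020101020102")          # canonical DER
TRAILING = GOOD + b"\x00"                          # garbage after signature
BER_LENGTH = bytes.fromhex("308106020101020102")   # long-form length for 6
LEADING_ZERO = bytes.fromhex("300702020001020102") # r encoded as 00 01
HIGH_BIT = bytes.fromhex("3006020181020102")       # 0x81 without 0x00 pad

if __name__ == "__main__":
    for label, sig in [("GOOD", GOOD), ("TRAILING", TRAILING),
                       ("BER_LENGTH", BER_LENGTH), ("LEADING_ZERO", LEADING_ZERO),
                       ("HIGH_BIT", HIGH_BIT)]:
        print(f"{label:13} lenient={decode_ecdsa_sig_lenient(sig)} "
              f"strict={ecdsa_sig_is_strict_der(sig)}")
```

   Every malformed sample still decodes leniently to (1, 2) or (129, 2), which
   is why a decoder alone does not protect a fingerprint-based blacklist; only
   the byte-for-byte comparison after re-encoding rejects them.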

   Further analysis was conducted and fixes were developed by Stephen Henson
   of the OpenSSL core team.

   ([CVE-2014-8275])

   *Steve Henson*

### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]

 * Session Ticket Memory Leak.

   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   integrity of that ticket is first verified. In the event of a session
   ticket integrity check failing, OpenSSL will fail to free memory
   causing a memory leak. By sending a large number of invalid session
   tickets an attacker could exploit this issue in a Denial Of Service
   attack.
   ([CVE-2014-3567])

   *Steve Henson*

 * Build option no-ssl3 is incomplete.

   When OpenSSL is configured with "no-ssl3" as a build option, servers
   could accept and complete an SSL 3.0 handshake, and clients could be
   configured to send them.
   ([CVE-2014-3568])

   *Akamai and the OpenSSL team*

 * Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call
   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   ([CVE-2014-3566])

   *Adam Langley, Bodo Moeller*

 * Add additional DigestInfo checks.

   Re-encode DigestInfo in DER and check against the original when
   verifying RSA signature: this will reject any improperly encoded
   DigestInfo structures.

   Note: this is a precautionary measure and no attacks are currently known.

   *Steve Henson*

### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]

 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   to a denial of service attack. A malicious server can crash the client
   with a null pointer dereference (read) by specifying an anonymous (EC)DH
   ciphersuite and sending carefully crafted handshake messages.

   Thanks to Felix Gröbert (Google) for discovering and researching this
   issue.
   ([CVE-2014-3510])

   *Emilia Käsper*

 * By sending carefully crafted DTLS packets an attacker could cause openssl
   to leak memory. This can be exploited through a Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3507])

   *Adam Langley*

 * An attacker can force openssl to consume large amounts of memory whilst
   processing DTLS handshake messages. This can be exploited through a
   Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3506])

   *Adam Langley*

 * An attacker can force an error condition which causes openssl to crash
   whilst processing DTLS packets due to memory being freed twice. This
   can be exploited through a Denial of Service attack.
   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
   this issue.
   ([CVE-2014-3505])

   *Adam Langley*

 * If a multithreaded client connects to a malicious server using a resumed
   session and the server sends an ec point format extension it could write
   up to 255 bytes to freed memory.

   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
   issue.
   ([CVE-2014-3509])

   *Gabor Tyukasz*

 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
   X509_name_oneline, X509_name_print_ex et al. to leak some information
   from the stack. Applications may be affected if they echo pretty printing
   output to the attacker.

   Thanks to Ivan Fratric (Google) for discovering this issue.
   ([CVE-2014-3508])

   *Emilia Käsper, and Steve Henson*

 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)

   *Bodo Moeller*

### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]

 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
   handshake can force the use of weak keying material in OpenSSL
   SSL/TLS clients and servers.

   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
   researching this issue. ([CVE-2014-0224])

   *KIKUCHI Masashi, Steve Henson*

 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
   OpenSSL DTLS client the code can be made to recurse eventually crashing
   in a DoS attack.

   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
   ([CVE-2014-0221])

   *Imre Rad, Steve Henson*

 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
   client or server. This is potentially exploitable to run arbitrary
   code on a vulnerable client or server.

   Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])

   *Jüri Aedla, Steve Henson*

 * Fix bug in TLS code where clients enabling anonymous ECDH ciphersuites
   are subject to a denial of service attack.

   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
   this issue. ([CVE-2014-3470])

   *Felix Gröbert, Ivan Fratric, Steve Henson*

 * Harmonize version and its documentation. -f flag is used to display
   compilation flags.

   *mancha <mancha1@zoho.com>*

 * Fix eckey_priv_encode so it immediately returns an error upon a failure
   in i2d_ECPrivateKey.

   *mancha <mancha1@zoho.com>*

 * Fix some double frees. These are not thought to be exploitable.

   *mancha <mancha1@zoho.com>*

 * Fix for the attack described in the paper "Recovering OpenSSL
   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   by Yuval Yarom and Naomi Benger.
   Details can be obtained from:
   <http://eprint.iacr.org/2014/140>

   Thanks to Yuval Yarom and Naomi Benger for discovering this
   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])

   *Yuval Yarom and Naomi Benger*

### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]

 * Keep original DTLS digest and encryption contexts in retransmission
   structures so we can use the previous session parameters if they need
   to be resent. ([CVE-2013-6450])

   *Steve Henson*

 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
   Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
   several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.

   *Rob Stradling, Adam Langley*

### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]

 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

   This addresses the flaw in CBC record processing discovered by
   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
   at: <http://www.isg.rhul.ac.uk/tls/>

   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
   Emilia Käsper for the initial patch.
   ([CVE-2013-0169])

   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*

 * Return an error when checking OCSP signatures when key is NULL.
   This fixes a DoS attack. ([CVE-2013-0166])

   *Steve Henson*

 * Call OCSP Stapling callback after ciphersuite has been chosen, so
   the right response is stapled. Also change SSL_get_certificate()
   so it returns the certificate actually sent.
   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
   (This is a backport)

   *Rob Stradling <rob.stradling@comodo.com>*

 * Fix possible deadlock when decoding public keys.

   *Steve Henson*

### Changes between 1.0.0i and 1.0.0j [10 May 2012]

[NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
OpenSSL 1.0.1.]

 * Sanity check record length before skipping explicit IV in DTLS
   to fix DoS attack.

   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
   fuzzing as a service testing platform.
   ([CVE-2012-2333])

   *Steve Henson*

 * Initialise tkeylen properly when encrypting CMS messages.
   Thanks to Solar Designer of Openwall for reporting this issue.

   *Steve Henson*

### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]

 * Check for potentially exploitable overflows in asn1_d2i_read_bio
   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
   in CRYPTO_realloc_clean.

   Thanks to Tavis Ormandy, Google Security Team, for discovering this
   issue and to Adam Langley <agl@chromium.org> for fixing it.
   ([CVE-2012-2110])

   *Adam Langley (Google), Tavis Ormandy, Google Security Team*

### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]

 * Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
   in CMS and PKCS7 code. When RSA decryption fails use a random key for
   content decryption and always return the same error. Note: this attack
   needs on average 2^20 messages so it only affects automated senders. The
   old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
   an MMA defence is not necessary.
   Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
   this issue. ([CVE-2012-0884])

   *Steve Henson*

 * Fix CVE-2011-4619: make sure we really are receiving a
   client hello before rejecting multiple SGC restarts. Thanks to
   Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.

   *Steve Henson*

### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]

 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
   Thanks to Antonio Martin, Enterprise Secure Access Research and
   Development, Cisco Systems, Inc. for discovering this bug and
   preparing a fix. ([CVE-2012-0050])

   *Antonio Martin*

### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]

 * Nadhem Alfardan and Kenny Paterson have discovered an extension
   of the Vaudenay padding oracle attack on CBC mode encryption
   which enables an efficient plaintext recovery attack against
   the OpenSSL implementation of DTLS. Their attack exploits timing
   differences arising during decryption processing. A research
   paper describing this attack can be found at:
   <http://www.isg.rhul.ac.uk/~kp/dtls.pdf>
   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
   <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
   for preparing the fix. ([CVE-2011-4108])

   *Robin Seggelmann, Michael Tuexen*

 * Clear bytes used for block padding of SSL 3.0 records.
   ([CVE-2011-4576])

   *Adam Langley (Google)*

 * Only allow one SGC handshake restart for SSL/TLS. Thanks to George
   Kadianakis <desnacked@gmail.com> for discovering this issue and
   Adam Langley for preparing the fix.
   ([CVE-2011-4619])

   *Adam Langley (Google)*

 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])

   *Andrey Kulikov <amdeich@gmail.com>*

 * Prevent malformed RFC3779 data triggering an assertion failure.
   Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
   and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])

   *Rob Austein <sra@hactrn.net>*

 * Improved PRNG seeding for VOS.

   *Paul Green <Paul.Green@stratus.com>*

 * Fix ssl_ciph.c set-up race.

   *Adam Langley (Google)*

 * Fix spurious failures in ecdsatest.c.

   *Emilia Käsper (Google)*

 * Fix the BIO_f_buffer() implementation (which was mixing different
   interpretations of the `..._len` fields).

   *Adam Langley (Google)*

 * Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
   BN_BLINDING_convert_ex) calls BN_BLINDING_update, ensuring that concurrent
   threads won't reuse the same blinding coefficients.

   This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
   lock to call BN_BLINDING_invert_ex, and avoids one use of
   BN_BLINDING_update for each BN_BLINDING structure (previously,
   the last update always remained unused).

   *Emilia Käsper (Google)*

 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.

   *Bob Buckholz (Google)*

### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]

 * Fix bug where CRLs with nextUpdate in the past are sometimes accepted
   by initialising X509_STORE_CTX properly. ([CVE-2011-3207])

   *Kaspar Brand <ossl@velox.ch>*

 * Fix SSL memory handling for (EC)DH ciphersuites, in particular
   for multi-threaded use of ECDH. ([CVE-2011-3210])

   *Adam Langley (Google)*

 * Fix x509_name_ex_d2i memory leak on bad inputs.

   *Bodo Moeller*

 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
   signature public key algorithm by using OID xref utilities instead.
   Before this you could only use some ECC ciphersuites with SHA1.

   *Steve Henson*

 * Add protection against ECDSA timing attacks as mentioned in the paper
   by Billy Bob Brumley and Nicola Tuveri, see:
   <http://eprint.iacr.org/2011/232.pdf>

   *Billy Bob Brumley and Nicola Tuveri*

### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014

   *Neel Mehta, Adam Langley, Bodo Moeller (Google)*

 * Fix bug in string printing code: if *any* escaping is enabled we must
   escape the escape character (backslash) or the resulting string is
   ambiguous.

   *Steve Henson*

### Changes between 1.0.0b and 1.0.0c [2 Dec 2010]

 * Disable code workaround for ancient and obsolete Netscape browsers
   and servers: an attacker can use it in a ciphersuite downgrade attack.
   Thanks to Martin Rex for discovering this bug. CVE-2010-4180

   *Steve Henson*

 * Fixed J-PAKE implementation error, originally discovered by
   Sebastien Martini, further info and confirmation from Stefan
   Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252

   *Ben Laurie*

### Changes between 1.0.0a and 1.0.0b [16 Nov 2010]

 * Fix extension code to avoid race conditions which can result in a buffer
   overrun vulnerability: resumed sessions must not be modified as they can
   be shared by multiple threads. CVE-2010-3864

   *Steve Henson*

 * Fix WIN32 build system to correctly link an ENGINE directory into
   a DLL.

   *Steve Henson*

### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]

 * Check return value of int_rsa_verify in pkey_rsa_verifyrecover
   ([CVE-2010-1633])

   *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*

### Changes between 0.9.8n and 1.0.0 [29 Mar 2010]

 * Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
   context. The operation can be customised via the ctrl mechanism in
   case ENGINEs want to include additional functionality.

   *Steve Henson*

 * Tolerate yet another broken PKCS#8 key format: private key value negative.

   *Steve Henson*

 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
   output hashes compatible with older versions of OpenSSL.

   *Willy Weisz <weisz@vcpc.univie.ac.at>*

 * Fix compression algorithm handling: if resuming a session use the
   compression algorithm of the resumed session instead of determining
   it from client hello again. Don't allow server to change algorithm.

   *Steve Henson*

 * Add load_crls() function to commands tidying load_certs() too. Add option
   to verify utility to allow additional CRLs to be included.

   *Steve Henson*

 * Update OCSP request code to permit adding custom headers to the request:
   some responders need this.

   *Steve Henson*

 * The function EVP_PKEY_sign() returns <=0 on error: check return code
   correctly.

   *Julia Lawall <julia@diku.dk>*

 * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
   needlessly dereferenced structures, used obsolete functions and
   didn't handle all updated verify codes correctly.

   *Steve Henson*

 * Disable MD2 in the default configuration.

   *Steve Henson*

 * In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
   indicate the initial BIO being pushed or popped. This makes it possible
   to determine whether the BIO is the one explicitly called or as a result
   of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
   it handles reference counts correctly and doesn't zero out the I/O bio
   when it is not being explicitly popped. WARNING: applications which
   included workarounds for the old buggy behaviour will need to be modified
   or they could free up already freed BIOs.

   *Steve Henson*

 * Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
   renaming to all platforms (within the 0.9.8 branch, this was
   done conditionally on Netware platforms to avoid a name clash).

   *Guenter <lists@gknw.net>*

 * Add ECDHE and PSK support to DTLS.

   *Michael Tuexen <tuexen@fh-muenster.de>*

 * Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
   be used on C++.

   *Steve Henson*

 * Add "missing" function EVP_MD_flags() (without this the only way to
   retrieve a digest's flags is by accessing the structure directly). Update
   `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
   or cipher is registered as in the "from" argument. Print out all
   registered digests in the dgst usage message instead of manually
   attempting to work them out.

   *Steve Henson*

 * If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
   this allows the use of compression and extensions. Change default cipher
   string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
   by default unless an application cipher string requests it.

   *Steve Henson*

 * Alter match criteria in PKCS12_parse(). It used to try to use local
   key ids to find matching certificates and keys but some PKCS#12 files
   don't follow the (somewhat unwritten) rules and this strategy fails.
   Now just gather all certificates together and the first private key
   then look for the first certificate that matches the key.

   *Steve Henson*

 * Support use of registered digest and cipher names for dgst and cipher
   commands instead of having to add each one as a special case. So now
   you can do:

       openssl sha256 foo

   as well as:

       openssl dgst -sha256 foo

   and this works for ENGINE based algorithms too.

   *Steve Henson*

 * Update Gost ENGINE to support parameter files.

   *Victor B. Wagner <vitus@cryptocom.ru>*

 * Support GeneralizedTime in ca utility.

   *Oliver Martin <oliver@volatilevoid.net>, Steve Henson*

 * Enhance the hash format used for certificate directory links. The new
   form uses the canonical encoding (meaning equivalent names will work
   even if they aren't identical) and uses SHA1 instead of MD5. This form
   is incompatible with the older format and as a result c_rehash should
   be used to rebuild symbolic links.

   *Steve Henson*

 * Make PKCS#8 the default write format for private keys, replacing the
   traditional format. This form is standardised, more secure and doesn't
   include an implicit MD5 dependency.

   *Steve Henson*

 * Add a $gcc_devteam_warn option to Configure. The idea is that any code
   committed to OpenSSL should pass this lot as a minimum.

   *Steve Henson*

 * Add session ticket override functionality for use by EAP-FAST.

   *Jouni Malinen <j@w1.fi>*

 * Modify HMAC functions to return a value. Since these can be implemented
   in an ENGINE errors can occur.

   *Steve Henson*

 * Type-checked OBJ_bsearch_ex.

   *Ben Laurie*

 * Type-checked OBJ_bsearch. Also some constification necessitated
   by type-checking. Still to come: TXT_DB, bsearch(?),
   OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
   CONF_VALUE.

   *Ben Laurie*

 * New function OPENSSL_gmtime_adj() to add a specific number of days and
   seconds to a tm structure directly, instead of going through OS
   specific date routines. This avoids any issues with OS routines such
   as the year 2038 bug. New `*_adj()` functions for ASN1 time structures
   and X509_time_adj_ex() to cover the extended range. The existing
   X509_time_adj() is still usable and will no longer have any date issues.

   *Steve Henson*

 * Delta CRL support. New use deltas option which will attempt to locate
   and search any appropriate delta CRLs available.

   This work was sponsored by Google.

   *Steve Henson*

 * Support for CRLs partitioned by reason code. Reorganise CRL processing
   code and add additional score elements. Validate alternate CRL paths
   as part of the CRL checking and indicate a new error "CRL path validation
   error" in this case. Applications wanting additional details can use
   the verify callback and check the new "parent" field. If this is not
   NULL CRL path validation is taking place. Existing applications won't
   see this because it requires extended CRL support which is off by
   default.

   This work was sponsored by Google.

   *Steve Henson*

 * Support for freshest CRL extension.

   This work was sponsored by Google.

   *Steve Henson*

 * Initial indirect CRL support. Currently only supported in the CRLs
   passed directly and not via lookup. Process certificate issuer
   CRL entry extension and lookup CRL entries by both issuer name
   and serial number. Check and process CRL issuer entry in IDP extension.

   This work was sponsored by Google.

   *Steve Henson*

 * Add support for distinct certificate and CRL paths. The CRL issuer
   certificate is validated separately in this case. Only enabled if
   an extended CRL support flag is set: this flag will enable additional
   CRL functionality in future.

   This work was sponsored by Google.

   *Steve Henson*

 * Add support for policy mappings extension.

   This work was sponsored by Google.

   *Steve Henson*

 * Fixes to pathlength constraint, self issued certificate handling,
   policy processing to align with RFC3280 and PKITS tests.

   This work was sponsored by Google.

   *Steve Henson*

 * Support for name constraints certificate extension. DN, email, DNS
   and URI types are currently supported.

   This work was sponsored by Google.

   *Steve Henson*

 * To cater for systems that provide a pointer-based thread ID rather
   than numeric, deprecate the current numeric thread ID mechanism and
   replace it with a structure and associated callback type. This
   mechanism allows a numeric "hash" to be extracted from a thread ID in
   either case, and on platforms where pointers are larger than 'long',
   mixing is done to help ensure the numeric 'hash' is usable even if it
   can't be guaranteed unique. The default mechanism is to use "&errno"
   as a pointer-based thread ID to distinguish between threads.

   Applications that want to provide their own thread IDs should now use
   CRYPTO_THREADID_set_callback() to register a callback that will call
   either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().

   Note that ERR_remove_state() is now deprecated, because it is tied
   to the assumption that thread IDs are numeric. ERR_remove_state(0)
   to free the current thread's error state should be replaced by
   ERR_remove_thread_state(NULL).

   (This new approach replaces the functions CRYPTO_set_idptr_callback(),
   CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
   OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
   application was previously providing a numeric thread callback that
   was inappropriate for distinguishing threads, then uniqueness might
   have been obtained with &errno that happened immediately in the
   intermediate development versions of OpenSSL; this is no longer the
   case, the numeric thread callback will now override the automatic use
   of &errno.)

   *Geoff Thorpe, with help from Bodo Moeller*

 * Initial support for different CRL issuing certificates. This covers a
   simple case where the self issued certificates in the chain exist and
   the real CRL issuer is higher in the existing chain.

   This work was sponsored by Google.

   *Steve Henson*

 * Removed effectively defunct crypto/store from the build.

   *Ben Laurie*

 * Revamp of STACK to provide stronger type-checking. Still to come:
   TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
   ASN1_STRING, CONF_VALUE.

   *Ben Laurie*

 * Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
   RAM on SSL connections. This option can save about 34k per idle SSL.

   *Nick Mathewson*

 * Revamp of LHASH to provide stronger type-checking. Still to come:
   STACK, TXT_DB, bsearch, qsort.

   *Ben Laurie*

 * Initial support for Cryptographic Message Syntax (aka CMS) based
   on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
   support for data, signedData, compressedData, digestedData and
   encryptedData, envelopedData types included. Scripts to check against
   RFC4134 examples draft and interop and consistency checks of many
   content types and variants.

   *Steve Henson*

 * Add options to enc utility to support use of zlib compression BIO.

   *Steve Henson*

 * Extend mk1mf to support importing of options and assembly language
   files from Configure script, currently only included in VC-WIN32.
   The assembly language rules can now optionally generate the source
   files from the associated perl scripts.

   *Steve Henson*

 * Implement remaining functionality needed to support GOST ciphersuites.
   Interop testing has been performed using CryptoPro implementations.

   *Victor B. Wagner <vitus@cryptocom.ru>*

 * s390x assembler pack.

   *Andy Polyakov*

 * ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
   "family."

   *Andy Polyakov*

 * Implement Opaque PRF Input TLS extension as specified in
   draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
   official specification yet and no extension type assignment by
   IANA exists, this extension (for now) will have to be explicitly
   enabled when building OpenSSL by providing the extension number
   to use. For example, specify an option

       -DTLSEXT_TYPE_opaque_prf_input=0x9527

   to the "config" or "Configure" script to enable the extension,
   assuming extension number 0x9527 (which is a completely arbitrary
   and unofficial assignment based on the MD5 hash of the Internet
   Draft). Note that by doing so, you potentially lose
   interoperability with other TLS implementations since these might
   be using the same extension number for other purposes.
10525 10526 SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the 10527 opaque PRF input value to use in the handshake. This will create 10528 an internal copy of the length-'len' string at 'src', and will 10529 return non-zero for success. 10530 10531 To get more control and flexibility, provide a callback function 10532 by using 10533 10534 SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) 10535 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg) 10536 10537 where 10538 10539 int (*cb)(SSL *, void *peerinput, size_t len, void *arg); 10540 void *arg; 10541 10542 Callback function 'cb' will be called in handshakes, and is 10543 expected to use SSL_set_tlsext_opaque_prf_input() as appropriate. 10544 Argument 'arg' is for application purposes (the value as given to 10545 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly 10546 be provided to the callback function). The callback function 10547 has to return non-zero to report success: usually 1 to use opaque 10548 PRF input just if possible, or 2 to enforce use of the opaque PRF 10549 input. In the latter case, the library will abort the handshake 10550 if opaque PRF input is not successfully negotiated. 10551 10552 Arguments 'peerinput' and 'len' given to the callback function 10553 will always be NULL and 0 in the case of a client. A server will 10554 see the client's opaque PRF input through these variables if 10555 available (NULL and 0 otherwise). Note that if the server 10556 provides an opaque PRF input, the length must be the same as the 10557 length of the client's opaque PRF input. 
   Note that the callback function will only be called when creating
   a new session (session resumption can resume whatever was
   previously negotiated), and will not be called in SSL 2.0
   handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
   SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
   for applications that need to enforce opaque PRF input.

   *Bodo Moeller*

 * Update ssl code to support digests other than SHA1+MD5 for handshake
   MAC.

   *Victor B. Wagner <vitus@cryptocom.ru>*

 * Add RFC4507 support to OpenSSL. This includes the corrections in
   RFC4507bis. The encrypted ticket format is an encrypted encoded
   SSL_SESSION structure; that way new session features are automatically
   supported.

   If a client application caches sessions in an SSL_SESSION structure,
   support is transparent because tickets are now stored in the encoded
   SSL_SESSION.

   The SSL_CTX structure automatically generates keys for ticket
   protection in servers, so again support should be possible
   with no application modification.

   If a client or server wishes to disable RFC4507 support then the option
   SSL_OP_NO_TICKET can be set.

   Add a TLS extension debugging callback to allow the contents of any client
   or server extensions to be examined.

   This work was sponsored by Google.

   *Steve Henson*

 * Final changes to avoid use of pointer pointer casts in OpenSSL.
   OpenSSL should now compile cleanly on gcc 4.2.

   *Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson*

 * Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
   support including streaming MAC support: this is required for GOST
   ciphersuite support.

   *Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson*

 * Add option -stream to use PKCS#7 streaming in smime utility. New
   functions i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
   to output in BER and PEM format.

   *Steve Henson*

 * Experimental support for use of HMAC via EVP_PKEY interface. This
   allows HMAC to be handled via the `EVP_DigestSign*()` interface. The
   EVP_PKEY "key" in this case is the HMAC key, potentially allowing
   ENGINE support for HMAC keys which are unextractable. New -mac and
   -macopt options to dgst utility.

   *Steve Henson*

 * New option -sigopt to dgst utility. Update dgst to use
   `EVP_Digest{Sign,Verify}*`. These two changes make it possible to use
   alternative signing parameters such as X9.31 or PSS in the dgst
   utility.

   *Steve Henson*

 * Change ssl_cipher_apply_rule(), the internal function that does
   the work each time a ciphersuite string requests enabling
   ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar"), or
   removing ("!foo+bar") a class of ciphersuites: Now it maintains
   the order of disabled ciphersuites such that those ciphersuites
   that most recently went from enabled to disabled not only stay
   in order with respect to each other, but also have higher priority
   than other disabled ciphersuites the next time ciphersuites are
   enabled again.

   This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
   the same ciphersuites as with "HIGH" alone, but in a specific
   order where the PSK ciphersuites come first (since they are the
   most recently disabled ciphersuites when "HIGH" is parsed).

   Also, change ssl_create_cipher_list() (using this new
   functionality) such that between otherwise identical
   ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
   the default order.
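   The ordering rule described in this entry, as an added example that is
   not part of the original entry and not OpenSSL's code: a small Python
   model of the enable / move ("+") / disable ("-") / remove ("!")
   semantics on a constructed ciphersuite table, so that the effect of
   "PSK:-PSK:HIGH" versus "HIGH" alone can be seen directly. The suite
   names and their alias membership (HIGH, PSK, aNULL, ...) are assumptions
   made for the example, not OpenSSL's real classification, and "@STRENGTH"
   sorting is not modelled.

```python
"""Model of the ciphersuite rule ordering described in the changelog entry.

Added example, not OpenSSL's code: it re-implements the ordering behaviour
the entry describes for ssl_cipher_apply_rule() on a constructed table.
"""

# Constructed table: (suite name, aliases it matches), listed in the
# "reasonable default order" that ssl_create_cipher_list() is described as
# starting from. Alias membership is an assumption for this example.
SUITES = [
    ("ECDHE-RSA-AES256-SHA", {"kEECDH", "aRSA", "AES256", "HIGH", "ALL"}),
    ("DHE-RSA-AES256-SHA",   {"kEDH", "aRSA", "AES256", "HIGH", "ALL"}),
    ("AES256-SHA",           {"kRSA", "aRSA", "AES256", "HIGH", "ALL"}),
    ("PSK-AES256-CBC-SHA",   {"kPSK", "PSK", "AES256", "HIGH", "ALL"}),
    ("PSK-AES128-CBC-SHA",   {"kPSK", "PSK", "AES128", "HIGH", "ALL"}),
    ("PSK-RC4-SHA",          {"kPSK", "PSK", "RC4", "MEDIUM", "ALL"}),
    ("RC4-SHA",              {"kRSA", "aRSA", "RC4", "MEDIUM", "ALL"}),
    ("AECDH-AES256-SHA",     {"kEECDH", "aNULL", "AECDH", "AES256", "HIGH", "ALL"}),
]


class CipherList:
    """One ordered list; every suite in it is either enabled or disabled."""

    def __init__(self, suites):
        self.aliases = dict(suites)
        self.order = [name for name, _ in suites]   # default order, all disabled
        self.active = {name: False for name in self.order}

    def enabled(self):
        return [n for n in self.order if self.active[n]]

    def apply_rule(self, rule):
        op = rule[0] if rule[0] in "+-!" else ""
        classes = set(rule[len(op):].split("+"))    # "foo+bar" means foo AND bar
        matched = [n for n in self.order if classes <= self.aliases[n]]
        if op == "":
            # enable: each matching disabled suite moves to the tail, so the
            # newly enabled suites keep the order they had while disabled
            for n in matched:
                if not self.active[n]:
                    self.order.remove(n)
                    self.order.append(n)
                    self.active[n] = True
        elif op == "+":
            # move: matching enabled suites go to the tail (lowest priority)
            for n in matched:
                if self.active[n]:
                    self.order.remove(n)
                    self.order.append(n)
        elif op == "-":
            # disable: walk the matches backwards and push each to the head,
            # so the suites disabled by this rule lead the disabled part in
            # their previous relative order and are picked up first when a
            # later rule enables them again
            for n in reversed(matched):
                if self.active[n]:
                    self.order.remove(n)
                    self.order.insert(0, n)
                    self.active[n] = False
        elif op == "!":
            # remove: dropped from the list entirely; no later rule can
            # bring the suite back
            for n in matched:
                self.order.remove(n)
                self.active[n] = False


def cipher_list(rule_string, suites=SUITES):
    """Return the enabled suites, highest priority first, for a cipher string."""
    cl = CipherList(suites)
    for rule in rule_string.split(":"):
        if rule:
            cl.apply_rule(rule)
    return cl.enabled()


if __name__ == "__main__":
    for s in ("HIGH", "PSK:-PSK:HIGH", "ALL:!aNULL:!eNULL", "HIGH:+kPSK"):
        print(f"{s:20} -> {cipher_list(s)}")
```

   Running the script shows "PSK:-PSK:HIGH" and "HIGH" enabling the same
   set, with the PSK suites moved to the front only in the first case, and
   that a suite removed with "!" stays removed even if a later rule names it.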
   *Bodo Moeller*

 * Change ssl_create_cipher_list() so that it automatically
   arranges the ciphersuites in reasonable order before starting
   to process the rule string. Thus, the definition for "DEFAULT"
   (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
   remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`.
   This makes it much easier to arrive at a reasonable default order
   in applications for which anonymous ciphers are OK (meaning
   that you can't actually use DEFAULT).

   *Bodo Moeller; suggested by Victor Duchovni*

 * Split the SSL/TLS algorithm mask (as used for ciphersuite string
   processing) into multiple integers instead of setting
   "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
   "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
   (These masks as well as the individual bit definitions are hidden
   away into the non-exported interface ssl/ssl_locl.h, so this
   change to the definition of the SSL_CIPHER structure shouldn't
   affect applications.) This gives us more bits for each of these
   categories, so there is no longer a need to coagulate AES128 and
   AES256 into a single algorithm bit, and to coagulate Camellia128
   and Camellia256 into a single algorithm bit, which has led to all
   kinds of kludges.

   Thus, among other things, the kludge introduced in 0.9.7m and
   0.9.8e for masking out AES256 independently of AES128 or masking
   out Camellia256 independently of AES256 is not needed here in 0.9.9.

   With the change, we also introduce new ciphersuite aliases that
   so far were missing: "AES128", "AES256", "CAMELLIA128", and
   "CAMELLIA256".

   *Bodo Moeller*

 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
   Use the leftmost N bytes of the signature input if the input is
   larger than the prime q (with N being the size in bytes of q).

   *Nils Larsch*

 * Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
   it yet and it is largely untested.

   *Steve Henson*

 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.

   *Nils Larsch*

 * Initial incomplete changes to avoid need for function casts in OpenSSL:
   some compilers (gcc 4.2 and later) reject their use. Safestack is
   reimplemented. Update ASN1 to avoid use of legacy functions.

   *Steve Henson*

 * Win32/64 targets are linked with Winsock2.

   *Andy Polyakov*

 * Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
   to external functions. This can be used to increase CRL handling
   efficiency especially when CRLs are very large by (for example) storing
   the CRL revoked certificates in a database.

   *Steve Henson*

 * Overhaul of by_dir code. Add support for dynamic loading of CRLs so
   new CRLs added to a directory can be used. New command line option
   -verify_return_error to s_client and s_server. This causes real errors
   to be returned by the verify callback instead of carrying on no matter
   what. This reflects the way a "real world" verify callback would behave.

   *Steve Henson*

 * GOST engine, supporting several GOST algorithms and public key formats.
   Kindly donated by Cryptocom.

   *Cryptocom*

 * Partial support for Issuing Distribution Point CRL extension. CRLs
   partitioned by DP are handled but no indirect CRL or reason partitioning
   (yet). Complete overhaul of CRL handling: now the most suitable CRL is
   selected via a scoring technique which handles IDP and AKID in CRLs.
   *Steve Henson*

 * New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
   will ultimately be used for all verify operations: this will remove the
   X509_STORE dependency on certificate verification and allow alternative
   lookup methods. X509_STORE based implementations of these two callbacks.

   *Steve Henson*

 * Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
   Modify get_crl() to find a valid (unexpired) CRL if possible.

   *Steve Henson*

 * New function X509_CRL_match() to check if two CRLs are identical. Normally
   this would be called X509_CRL_cmp() but that name is already used by
   a function that just compares CRL issuer names. Cache several CRL
   extensions in X509_CRL structure and cache CRLDP in X509.

   *Steve Henson*

 * Store a "canonical" representation of X509_NAME structure (ASN1 Name):
   this maps equivalent X509_NAME structures into a consistent structure.
   Name comparison can then be performed rapidly using memcmp().

   *Steve Henson*

 * Non-blocking OCSP request processing. Add -timeout option to ocsp
   utility.

   *Steve Henson*

 * Allow digests to supply their own micalg string for S/MIME type using
   the ctrl EVP_MD_CTRL_MICALG.

   *Steve Henson*

 * During PKCS7 signing pass the PKCS7 SignerInfo structure to the
   EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
   ctrl. It can then customise the structure before and/or after signing
   if necessary.

   *Steve Henson*

 * New function OBJ_add_sigid() to allow application defined signature OIDs
   to be added to OpenSSL's internal tables. New function OBJ_sigid_free()
   to free up any added signature OIDs.
   *Steve Henson*

 * New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
   EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
   digest and cipher tables. New options added to openssl utility:
   list-message-digest-algorithms and list-cipher-algorithms.

   *Steve Henson*

 * Change the array representation of binary polynomials: the list
   of degrees of non-zero coefficients is now terminated with -1.
   Previously it was terminated with 0, which was also part of the
   value; thus, the array representation was not applicable to
   polynomials where t^0 has coefficient zero. This change makes
   the array representation useful in a more general context.

   *Douglas Stebila*

 * Various modifications and fixes to SSL/TLS cipher string
   handling. For ECC, the code now distinguishes between fixed ECDH
   with RSA certificates on the one hand and with ECDSA certificates
   on the other hand, since these are separate ciphersuites. The
   unused code for Fortezza ciphersuites has been removed.

   For consistency with EDH, ephemeral ECDH is now called "EECDH"
   (not "ECDHE"). For consistency with the code for DH
   certificates, use of ECDH certificates is now considered ECDH
   authentication, not RSA or ECDSA authentication (the latter is
   merely the CA's signing algorithm and not actively used in the
   protocol).

   The temporary ciphersuite alias "ECCdraft" is no longer
   available, and ECC ciphersuites are no longer excluded from "ALL"
   and "DEFAULT".
   The following aliases now exist for RFC 4492
   ciphersuites, most of these by analogy with the DH case:

       kECDHr - ECDH cert, signed with RSA
       kECDHe - ECDH cert, signed with ECDSA
       kECDH  - ECDH cert (signed with either RSA or ECDSA)
       kEECDH - ephemeral ECDH
       ECDH   - ECDH cert or ephemeral ECDH

       aECDH  - ECDH cert
       aECDSA - ECDSA cert
       ECDSA  - ECDSA cert

       AECDH  - anonymous ECDH
       EECDH  - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")

   *Bodo Moeller*

 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
   Use correct micalg parameters depending on digest(s) in signed message.

   *Steve Henson*

 * Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
   an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.

   *Steve Henson*

 * Initial engine support for EVP_PKEY_METHOD. New functions to permit
   an engine to register a method. Add ENGINE lookups for methods and
   functional reference processing.

   *Steve Henson*

 * New functions `EVP_Digest{Sign,Verify}*`. These are enhanced versions of
   `EVP_{Sign,Verify}*` which allow an application to customise the signature
   process.

   *Steve Henson*

 * New -resign option to smime utility. This adds one or more signers
   to an existing PKCS#7 signedData structure. Also -md option to use an
   alternative message digest algorithm for signing.

   *Steve Henson*

 * Tidy up PKCS#7 routines and add new functions to make it easier to
   create PKCS7 structures containing multiple signers. Update smime
   application to support multiple signers.

   *Steve Henson*

 * New -macalg option to pkcs12 utility to allow setting of an alternative
   digest MAC.
   *Steve Henson*

 * Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
   Reorganize PBE internals to lookup from a static table using NIDs,
   add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl,
   EVP_CTRL_PBE_PRF_NID: this allows a cipher to specify an alternative
   PRF which will be automatically used with PBES2.

   *Steve Henson*

 * Replace the algorithm specific calls to generate keys in "req" with the
   new API.

   *Steve Henson*

 * Update PKCS#7 enveloped data routines to use new API. This is now
   supported by any public key method supporting the encrypt operation. A
   ctrl is added to allow the public key algorithm to examine or modify
   the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
   a no-op.

   *Steve Henson*

 * Add a ctrl to asn1 method to allow a public key algorithm to express
   a default digest type to use. In most cases this will be SHA1 but some
   algorithms (such as GOST) need to specify an alternative digest. The
   return value indicates how strong the preference is: 1 means optional and
   2 is mandatory (that is, it is the only supported type). Modify
   ASN1_item_sign() to accept a NULL digest argument to indicate it should
   use the default md. Update openssl utilities to use the default digest
   type for signing if it is not explicitly indicated.

   *Steve Henson*

 * Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
   EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
   signing method from the key type. This effectively removes the link
   between digests and public key types.

   *Steve Henson*

 * Add an OID cross reference table and utility functions. Its purpose is to
   translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
   rsaEncryption.
   This will allow some of the algorithm specific hackery
   needed to use the correct OID to be removed.

   *Steve Henson*

 * Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
   structures for PKCS7_sign(). They are now set up by the relevant public
   key ASN1 method.

   *Steve Henson*

 * Add provisional EC pkey method with support for ECDSA and ECDH.

   *Steve Henson*

 * Add support for key derivation (agreement) in the API, DH method and
   pkeyutl.

   *Steve Henson*

 * Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
   public and private key formats. As a side effect these add additional
   command line functionality not previously available: DSA signatures can be
   generated and verified using pkeyutl and DH key support and generation in
   pkey, genpkey.

   *Steve Henson*

 * BeOS support.

   *Oliver Tappe <zooey@hirschkaefer.de>*

 * New make target "install_html_docs" installs HTML renditions of the
   manual pages.

   *Oliver Tappe <zooey@hirschkaefer.de>*

 * New utility "genpkey": this is analogous to "genrsa" etc except it can
   generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
   support key and parameter generation and add initial key generation
   functionality for RSA.

   *Steve Henson*

 * Add functions for main EVP_PKEY_method operations. The undocumented
   functions `EVP_PKEY_{encrypt,decrypt}` have been renamed to
   `EVP_PKEY_{encrypt,decrypt}_old`.

   *Steve Henson*

 * Initial definitions for EVP_PKEY_METHOD. This will be a high level public
   key API; it doesn't do much yet.

   *Steve Henson*

 * New function EVP_PKEY_asn1_get0_info() to retrieve information about
   public key algorithms.
   New option to openssl utility:
   "list-public-key-algorithms" to print out info.

   *Steve Henson*

 * Implement the Supported Elliptic Curves Extension for
   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.

   *Douglas Stebila*

 * Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
   EVP_CIPHER structures to avoid later problems in EVP_cleanup().

   *Steve Henson*

 * New utilities pkey and pkeyparam. These are similar to algorithm specific
   utilities such as rsa, dsa, dsaparam etc except they process any key
   type.

   *Steve Henson*

 * Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
   functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
   EVP_PKEY_print_param() to print public key data from an EVP_PKEY
   structure.

   *Steve Henson*

 * Initial support for pluggable public key ASN1.
   De-spaghettify the public key ASN1 handling. Move public and private
   key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
   algorithm specific handling to a single module within the relevant
   algorithm directory. Add functions to allow (near) opaque processing
   of public and private key structures.

   *Steve Henson*

 * Implement the Supported Point Formats Extension for
   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.

   *Douglas Stebila*

 * Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
   for the psk identity [hint] and the psk callback functions to the
   SSL_SESSION, SSL and SSL_CTX structures.
   New ciphersuites:
       PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
       PSK-AES256-CBC-SHA

   New functions:
       SSL_CTX_use_psk_identity_hint
       SSL_get_psk_identity_hint
       SSL_get_psk_identity
       SSL_use_psk_identity_hint

   *Mika Kousa and Pasi Eronen of Nokia Corporation*

 * Add RFC 3161 compliant time stamp request creation, response generation
   and response verification functionality.

   *Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project*

 * Add initial support for TLS extensions, specifically for the server_name
   extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
   have new members for a hostname. The SSL data structure has an
   additional member `SSL_CTX *initial_ctx` so that new sessions can be
   stored in that context to allow for session resumption, even after the
   SSL has been switched to a new SSL_CTX in reaction to a client's
   server_name extension.

   New functions (subject to change):

       SSL_get_servername()
       SSL_get_servername_type()
       SSL_set_SSL_CTX()

   New CTRL codes and macros (subject to change):

       SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                   - SSL_CTX_set_tlsext_servername_callback()
       SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                   - SSL_CTX_set_tlsext_servername_arg()
       SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

   openssl s_client has a new '-servername ...' option.

   openssl s_server has new options '-servername_host ...', '-cert2 ...',
   '-key2 ...', '-servername_fatal' (subject to change). This allows
   testing the HostName extension for a specific single hostname ('-cert'
   and '-key' remain fallbacks for handshakes without HostName
   negotiation). If the unrecognized_name alert has to be sent, this by
   default is a warning; it becomes fatal with the '-servername_fatal'
   option.
   *Peter Sylvester, Remy Allais, Christophe Renou*

 * Whirlpool hash implementation is added.

   *Andy Polyakov*

 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
   bn(64,32). Because of instruction set limitations it doesn't have
   any negative impact on performance. This was done mostly in order
   to make it possible to share assembler modules, such as bn_mul_mont
   implementations, between 32- and 64-bit builds without hassle.

   *Andy Polyakov*

 * Move code previously exiled into file crypto/ec/ec2_smpt.c
   to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
   macro.

   *Bodo Moeller*

 * New candidate for BIGNUM assembler implementation, bn_mul_mont, a
   dedicated Montgomery multiplication procedure, is introduced.
   BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
   "64-bit" performance on certain 32-bit targets.

   *Andy Polyakov*

 * New option SSL_OP_NO_COMP to disable use of compression selectively
   in SSL structures. New SSL ctrl to set maximum send fragment size.
   Save memory by setting the I/O buffer sizes dynamically instead of
   using the maximum available value.

   *Steve Henson*

 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
   in addition to the text details.

   *Bodo Moeller*

 * Very, very preliminary EXPERIMENTAL support for printing of general
   ASN1 structures. This currently produces rather ugly output and doesn't
   handle several customised structures at all.

   *Steve Henson*

 * Integrated support for PVK file format and some related formats such
   as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
   these in the 'rsa' and 'dsa' utilities.
   *Steve Henson*

 * Support for PKCS#1 RSAPublicKey format on rsa utility command line.

   *Steve Henson*

 * Remove the ancient ASN1_METHOD code. This was only ever used in one
   place for the (very old) "NETSCAPE" format certificates which are now
   handled using new ASN1 code equivalents.

   *Steve Henson*

 * Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
   pointer and make the SSL_METHOD parameter in SSL_CTX_new,
   SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.

   *Nils Larsch*

 * Modify CRL distribution points extension code to print out previously
   unsupported fields. Enhance extension setting code to allow setting of
   all fields.

   *Steve Henson*

 * Add print and set support for Issuing Distribution Point CRL extension.

   *Steve Henson*

 * Change 'Configure' script to enable Camellia by default.

   *NTT*

OpenSSL 0.9.x
-------------

### Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

 * When rejecting SSL/TLS records due to an incorrect version number, never
   update s->server with a new major version number. As of
   - OpenSSL 0.9.8m if 'short' is a 16-bit type,
   - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
   the previous behavior could result in a read attempt at NULL when
   receiving specific incorrect SSL/TLS records once record payload
   protection is active. ([CVE-2010-0740])

   *Bodo Moeller, Adam Langley <agl@chromium.org>*

 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
   could be crashed if the relevant tables were not present (e.g. chrooted).

   *Tomas Hoger <thoger@redhat.com>*

### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]

 * Always check bn_wexpand() return values for failure.
   ([CVE-2009-3245])

   *Martin Olsson, Neel Mehta*

 * Fix X509_STORE locking: Every 'objs' access requires a lock (to
   accommodate stack sorting, always a write lock!).

   *Bodo Moeller*

 * On some versions of WIN32 Heap32Next is very slow. This can cause
   excessive delays in RAND_poll(): over a minute. As a workaround
   include a time check in the inner Heap32Next loop too.

   *Steve Henson*

 * The code that handled flushing of data in SSL/TLS originally used the
   BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
   the problem outlined in PR#1949. The fix suggested there however can
   trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
   of Apache). So instead simplify the code to flush unconditionally.
   This should be fine since flushing with no data to flush is a no-op.

   *Steve Henson*

 * Handle TLS versions 2.0 and later properly and correctly use the
   highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
   off, ancient servers have a habit of sticking around for a while...

   *Steve Henson*

 * Modify compression code so it frees up structures without using the
   ex_data callbacks. This works around a problem where some applications
   call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
   restarting) then use compression (e.g. SSL with compression) later.
   This results in significant per-connection memory leaks and
   has caused some security issues including CVE-2008-1678 and
   CVE-2009-4355.

   *Steve Henson*

 * Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
   change when encrypting or decrypting.

   *Bodo Moeller*

 * Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
   connect and renegotiate with servers which do not support RI.
   Until RI is more widely deployed this option is enabled by default.

   *Steve Henson*

 * Add "missing" ssl ctrls to clear options and mode.

   *Steve Henson*

 * If a client attempts to renegotiate and doesn't support RI, respond with
   a no_renegotiation alert as required by RFC5746. Some renegotiating
   TLS clients will continue a connection gracefully when they receive
   the alert. Unfortunately OpenSSL mishandled this alert and would hang
   waiting for a server hello which it will never receive. Now we treat a
   received no_renegotiation alert as a fatal error. This is because
   applications requesting a renegotiation might well expect it to succeed
   and would have no code in place to handle the server denying it, so the
   only safe thing to do is to terminate the connection.

   *Steve Henson*

 * Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
   the peer supports secure renegotiation and 0 otherwise. Print out peer
   renegotiation support in s_client/s_server.

   *Steve Henson*

 * Replace the highly broken and deprecated SPKAC certification method with
   the updated NID creation version. This should correctly handle UTF8.

   *Steve Henson*

 * Implement RFC5746. Re-enable renegotiation but require the extension
   as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
   turns out to be a bad idea. It has been replaced by
   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
   SSL_CTX_set_options(). This is really not recommended unless you
   know what you are doing.

   *Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson*

 * Fixes to stateless session resumption handling. Use initial_ctx when
   issuing and attempting to decrypt tickets in case it has changed during
   servername handling.
   Use a non-zero length session ID when attempting
   stateless session resumption: this makes it possible to determine if
   a resumption has occurred immediately after receiving server hello
   (several places in OpenSSL subtly assume this) instead of later in
   the handshake.

   *Steve Henson*

 * The functions ENGINE_ctrl(), OPENSSL_isservice(),
   CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error;
   fixes for a few places where the return code is not checked
   correctly.

   *Julia Lawall <julia@diku.dk>*

 * Add --strict-warnings option to Configure script to include devteam
   warnings in other configurations.

   *Steve Henson*

 * Add support for --libdir option and LIBDIR variable in makefiles. This
   makes it possible to install openssl libraries in locations which
   have names other than "lib", for example "/usr/lib64" which some
   systems need.

   *Steve Henson, based on patch from Jeremy Utley*

 * Don't allow the use of leading 0x80 in OIDs. This is a violation of
   X690 8.9.12 and can produce some misleading textual output of OIDs.

   *Steve Henson, reported by Dan Kaminsky*

 * Delete MD2 from algorithm tables. This follows the recommendation in
   several standards that it is not used in new applications due to
   several cryptographic weaknesses. For binary compatibility reasons
   the MD2 API is still compiled in by default.

   *Steve Henson*

 * Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
   and restored.

   *Steve Henson*

 * Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
   OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
   clash.
   *Guenter <lists@gknw.net>*

 * Fix the server certificate chain building code to use X509_verify_cert();
   it used to have an ad-hoc builder which was unable to cope with anything
   other than a simple chain.

   *David Woodhouse <dwmw2@infradead.org>, Steve Henson*

 * Don't check self signed certificate signatures in X509_verify_cert()
   by default (a flag can override this): it just wastes time without
   adding any security. As a useful side effect self signed root CAs
   with non-FIPS digests are now usable in FIPS mode.

   *Steve Henson*

 * In dtls1_process_out_of_seq_message() the check if the current message
   is already buffered was missing. Memory was allocated for every new
   message, allowing an attacker to perform a denial of service attack
   by sending out of seq handshake messages until there is no memory
   left. Additionally every future message was buffered, even if the
   sequence number made no sense and would be part of another handshake.
   So only messages with sequence numbers less than 10 in advance will be
   buffered. ([CVE-2009-1378])

   *Robin Seggelmann, discovered by Daniel Mentz*

 * Records are buffered if they arrive with a future epoch to be
   processed after finishing the corresponding handshake. There is
   currently no limitation to this buffer, allowing an attacker to perform
   a DoS attack by sending records with future epochs until there is no
   memory left. This patch adds the pqueue_size() function to determine
   the size of a buffer and limits the record buffer to 100 entries.
   ([CVE-2009-1377])

   *Robin Seggelmann, discovered by Daniel Mentz*

 * Keep a copy of frag->msg_header.frag_len so it can be used after the
   parent structure is freed.
([CVE-2009-1379]) 11342 11343 *Daniel Mentz* 11344 11345 * Handle non-blocking I/O properly in SSL_shutdown() call. 11346 11347 *Darryl Miles <darryl-mailinglists@netbauds.net>* 11348 11349 * Add `2.5.4.*` OIDs 11350 11351 *Ilya O. <vrghost@gmail.com>* 11352 11353### Changes between 0.9.8k and 0.9.8l [5 Nov 2009] 11354 11355 * Disable renegotiation completely - this fixes a severe security 11356 problem ([CVE-2009-3555]) at the cost of breaking all 11357 renegotiation. Renegotiation can be re-enabled by setting 11358 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at 11359 run-time. This is really not recommended unless you know what 11360 you're doing. 11361 11362 *Ben Laurie* 11363 11364### Changes between 0.9.8j and 0.9.8k [25 Mar 2009] 11365 11366 * Don't set val to NULL when freeing up structures, it is freed up by 11367 underlying code. If `sizeof(void *) > sizeof(long)` this can result in 11368 zeroing past the valid field. ([CVE-2009-0789]) 11369 11370 *Paolo Ganci <Paolo.Ganci@AdNovum.CH>* 11371 11372 * Fix bug where return value of CMS_SignerInfo_verify_content() was not 11373 checked correctly. This would allow some invalid signed attributes to 11374 appear to verify correctly. ([CVE-2009-0591]) 11375 11376 *Ivan Nestlerode <inestlerode@us.ibm.com>* 11377 11378 * Reject UniversalString and BMPString types with invalid lengths. This 11379 prevents a crash in ASN1_STRING_print_ex() which assumes the strings have 11380 a legal length. ([CVE-2009-0590]) 11381 11382 *Steve Henson* 11383 11384 * Set S/MIME signing as the default purpose rather than setting it 11385 unconditionally. This allows applications to override it at the store 11386 level. 11387 11388 *Steve Henson* 11389 11390 * Permit restricted recursion of ASN1 strings. This is needed in practice 11391 to handle some structures. 
11392 11393 *Steve Henson* 11394 11395 * Improve efficiency of mem_gets: don't search whole buffer each time 11396 for a '\n' 11397 11398 *Jeremy Shapiro <jnshapir@us.ibm.com>* 11399 11400 * New -hex option for openssl rand. 11401 11402 *Matthieu Herrb* 11403 11404 * Print out UTF8String and NumericString when parsing ASN1. 11405 11406 *Steve Henson* 11407 11408 * Support NumericString type for name components. 11409 11410 *Steve Henson* 11411 11412 * Allow CC in the environment to override the automatically chosen 11413 compiler. Note that nothing is done to ensure flags work with the 11414 chosen compiler. 11415 11416 *Ben Laurie* 11417 11418### Changes between 0.9.8i and 0.9.8j [07 Jan 2009] 11419 11420 * Properly check EVP_VerifyFinal() and similar return values 11421 ([CVE-2008-5077]). 11422 11423 *Ben Laurie, Bodo Moeller, Google Security Team* 11424 11425 * Enable TLS extensions by default. 11426 11427 *Ben Laurie* 11428 11429 * Allow the CHIL engine to be loaded, whether the application is 11430 multithreaded or not. (This does not release the developer from the 11431 obligation to set up the dynamic locking callbacks.) 11432 11433 *Sander Temme <sander@temme.net>* 11434 11435 * Use correct exit code if there is an error in dgst command. 11436 11437 *Steve Henson; problem pointed out by Roland Dirlewanger* 11438 11439 * Tweak Configure so that you need to say "experimental-jpake" to enable 11440 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. 11441 11442 *Bodo Moeller* 11443 11444 * Add experimental JPAKE support, including demo authentication in 11445 s_client and s_server. 11446 11447 *Ben Laurie* 11448 11449 * Set the comparison function in v3_addr_canonize(). 11450 11451 *Rob Austein <sra@hactrn.net>* 11452 11453 * Add support for XMPP STARTTLS in s_client. 
11454 11455 *Philip Paeps <philip@freebsd.org>* 11456 11457 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior 11458 to ensure that even with this option, only ciphersuites in the 11459 server's preference list will be accepted. (Note that the option 11460 applies only when resuming a session, so the earlier behavior was 11461 just about the algorithm choice for symmetric cryptography.) 11462 11463 *Bodo Moeller* 11464 11465### Changes between 0.9.8h and 0.9.8i [15 Sep 2008] 11466 11467 * Fix NULL pointer dereference if a DTLS server received 11468 ChangeCipherSpec as first record ([CVE-2009-1386]). 11469 11470 *PR #1679* 11471 11472 * Fix a state transition in s3_srvr.c and d1_srvr.c 11473 (was using SSL3_ST_CW_CLNT_HELLO_B, should be `..._ST_SW_SRVR_...`). 11474 11475 *Nagendra Modadugu* 11476 11477 * The fix in 0.9.8c that supposedly got rid of unsafe 11478 double-checked locking was incomplete for RSA blinding, 11479 addressing just one layer of what turns out to have been 11480 doubly unsafe triple-checked locking. 11481 11482 So now fix this for real by retiring the MONT_HELPER macro 11483 in crypto/rsa/rsa_eay.c. 11484 11485 *Bodo Moeller; problem pointed out by Marius Schilder* 11486 11487 * Various precautionary measures: 11488 11489 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). 11490 11491 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). 11492 (NB: This would require knowledge of the secret session ticket key 11493 to exploit, in which case you'd be SOL either way.) 11494 11495 - Change bn_nist.c so that it will properly handle input BIGNUMs 11496 outside the expected range. 11497 11498 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG 11499 builds. 11500 11501 *Neel Mehta, Bodo Moeller* 11502 11503 * Allow engines to be "soft loaded" - i.e. optionally don't die if 11504 the load fails. Useful for distros. 
11505 11506 *Ben Laurie and the FreeBSD team* 11507 11508 * Add support for Local Machine Keyset attribute in PKCS#12 files. 11509 11510 *Steve Henson* 11511 11512 * Fix BN_GF2m_mod_arr() top-bit cleanup code. 11513 11514 *Huang Ying* 11515 11516 * Expand ENGINE to support engine supplied SSL client certificate functions. 11517 11518 This work was sponsored by Logica. 11519 11520 *Steve Henson* 11521 11522 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows 11523 keystores. Support for SSL/TLS client authentication too. 11524 Not compiled unless enable-capieng specified to Configure. 11525 11526 This work was sponsored by Logica. 11527 11528 *Steve Henson* 11529 11530 * Fix bug in X509_ATTRIBUTE creation: don't set attribute using 11531 ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain 11532 attribute creation routines such as certificate requests and PKCS#12 11533 files. 11534 11535 *Steve Henson* 11536 11537### Changes between 0.9.8g and 0.9.8h [28 May 2008] 11538 11539 * Fix flaw if 'Server Key exchange message' is omitted from a TLS 11540 handshake which could lead to a client crash as found using the 11541 Codenomicon TLS test suite ([CVE-2008-1672]) 11542 11543 *Steve Henson, Mark Cox* 11544 11545 * Fix double free in TLS server name extensions which could lead to 11546 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891]) 11547 11548 *Joe Orton* 11549 11550 * Clear error queue in SSL_CTX_use_certificate_chain_file() 11551 11552 Clear the error queue to ensure that error entries left from 11553 older function calls do not interfere with the correct operation. 11554 11555 *Lutz Jaenicke, Erik de Castro Lopo* 11556 11557 * Remove root CA certificates of commercial CAs: 11558 11559 The OpenSSL project does not recommend any specific CA and does not 11560 have any policy with respect to including or excluding any CA. 
11561 Therefore, it does not make any sense to ship an arbitrary selection 11562 of root CA certificates with the OpenSSL software. 11563 11564 *Lutz Jaenicke* 11565 11566 * RSA OAEP patches to fix two separate invalid memory reads. 11567 The first one involves inputs when 'lzero' is greater than 11568 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes 11569 before the beginning of from). The second one involves inputs where 11570 the 'db' section contains nothing but zeroes (there is a one-byte 11571 invalid read after the end of 'db'). 11572 11573 *Ivan Nestlerode <inestlerode@us.ibm.com>* 11574 11575 * Partial backport from 0.9.9-dev: 11576 11577 Introduce bn_mul_mont (dedicated Montgomery multiplication 11578 procedure) as a candidate for BIGNUM assembler implementation. 11579 While 0.9.9-dev uses assembler for various architectures, only 11580 x86_64 is available by default here in the 0.9.8 branch, and 11581 32-bit x86 is available through a compile-time setting. 11582 11583 To try the 32-bit x86 assembler implementation, use Configure 11584 option "enable-montasm" (which exists only for this backport). 11585 11586 As "enable-montasm" for 32-bit x86 disclaims code stability 11587 anyway, in this constellation we activate additional code 11588 backported from 0.9.9-dev for further performance improvements, 11589 namely BN_from_montgomery_word. (To enable this otherwise, 11590 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.) 11591 11592 *Andy Polyakov (backport partially by Bodo Moeller)* 11593 11594 * Add TLS session ticket callback. This allows an application to set 11595 TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed 11596 values. This is useful for key rollover for example where several key 11597 sets may exist with different names. 11598 11599 *Steve Henson* 11600 11601 * Reverse ENGINE-internal logic for caching default ENGINE handles. 
11602 This was broken until now in 0.9.8 releases, such that the only way 11603 a registered ENGINE could be used (assuming it initialises 11604 successfully on the host) was to explicitly set it as the default 11605 for the relevant algorithms. This is in contradiction with 0.9.7 11606 behaviour and the documentation. With this fix, when an ENGINE is 11607 registered into a given algorithm's table of implementations, the 11608 'uptodate' flag is reset so that auto-discovery will be used next 11609 time a new context for that algorithm attempts to select an 11610 implementation. 11611 11612 *Ian Lister (tweaked by Geoff Thorpe)* 11613 11614 * Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 11615 implementation in the following ways: 11616 11617 Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be 11618 hard coded. 11619 11620 Lack of BER streaming support means one pass streaming processing is 11621 only supported if data is detached: setting the streaming flag is 11622 ignored for embedded content. 11623 11624 CMS support is disabled by default and must be explicitly enabled 11625 with the enable-cms configuration option. 11626 11627 *Steve Henson* 11628 11629 * Update the GMP engine glue to do direct copies between BIGNUM and 11630 mpz_t when openssl and GMP use the same limb size. Otherwise the 11631 existing "conversion via a text string export" trick is still used. 11632 11633 *Paul Sheer <paulsheer@gmail.com>* 11634 11635 * Zlib compression BIO. This is a filter BIO which compressed and 11636 uncompresses any data passed through it. 11637 11638 *Steve Henson* 11639 11640 * Add AES_wrap_key() and AES_unwrap_key() functions to implement 11641 RFC3394 compatible AES key wrapping. 11642 11643 *Steve Henson* 11644 11645 * Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): 11646 sets string data without copying. 
X509_ALGOR_set0() and 11647 X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) 11648 data. Attribute function X509at_get0_data_by_OBJ(): retrieves data 11649 from an X509_ATTRIBUTE structure optionally checking it occurs only 11650 once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied 11651 data. 11652 11653 *Steve Henson* 11654 11655 * Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() 11656 to get the expected BN_FLG_CONSTTIME behavior. 11657 11658 *Bodo Moeller (Google)* 11659 11660 * Netware support: 11661 11662 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets 11663 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) 11664 - added some more tests to do_tests.pl 11665 - fixed RunningProcess usage so that it works with newer LIBC NDKs too 11666 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency 11667 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc, 11668 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc 11669 - various changes to netware.pl to enable gcc-cross builds on Win32 11670 platform 11671 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) 11672 - various changes to fix missing prototype warnings 11673 - fixed x86nasm.pl to create correct asm files for NASM COFF output 11674 - added AES, WHIRLPOOL and CPUID assembler code to build files 11675 - added missing AES assembler make rules to mk1mf.pl 11676 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply 11677 11678 *Guenter Knauf <eflash@gmx.net>* 11679 11680 * Implement certificate status request TLS extension defined in RFC3546. 11681 A client can set the appropriate parameters and receive the encoded 11682 OCSP response via a callback. A server can query the supplied parameters 11683 and set the encoded OCSP response in the callback. Add simplified examples 11684 to s_client and s_server. 
11685 11686 *Steve Henson* 11687 11688### Changes between 0.9.8f and 0.9.8g [19 Oct 2007] 11689 11690 * Fix various bugs: 11691 + Binary incompatibility of ssl_ctx_st structure 11692 + DTLS interoperation with non-compliant servers 11693 + Don't call get_session_cb() without proposed session 11694 + Fix ia64 assembler code 11695 11696 *Andy Polyakov, Steve Henson* 11697 11698### Changes between 0.9.8e and 0.9.8f [11 Oct 2007] 11699 11700 * DTLS Handshake overhaul. There were longstanding issues with 11701 OpenSSL DTLS implementation, which were making it impossible for 11702 RFC 4347 compliant client to communicate with OpenSSL server. 11703 Unfortunately just fixing these incompatibilities would "cut off" 11704 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e 11705 server keeps tolerating non RFC compliant syntax. The opposite is 11706 not true, 0.9.8f client can not communicate with earlier server. 11707 This update even addresses CVE-2007-4995. 11708 11709 *Andy Polyakov* 11710 11711 * Changes to avoid need for function casts in OpenSSL: some compilers 11712 (gcc 4.2 and later) reject their use. 11713 *Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, 11714 Steve Henson* 11715 11716 * Add RFC4507 support to OpenSSL. This includes the corrections in 11717 RFC4507bis. The encrypted ticket format is an encrypted encoded 11718 SSL_SESSION structure, that way new session features are automatically 11719 supported. 11720 11721 If a client application caches session in an SSL_SESSION structure 11722 support is transparent because tickets are now stored in the encoded 11723 SSL_SESSION. 11724 11725 The SSL_CTX structure automatically generates keys for ticket 11726 protection in servers so again support should be possible 11727 with no application modification. 11728 11729 If a client or server wishes to disable RFC4507 support then the option 11730 SSL_OP_NO_TICKET can be set. 
11731 11732 Add a TLS extension debugging callback to allow the contents of any client 11733 or server extensions to be examined. 11734 11735 This work was sponsored by Google. 11736 11737 *Steve Henson* 11738 11739 * Add initial support for TLS extensions, specifically for the server_name 11740 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now 11741 have new members for a hostname. The SSL data structure has an 11742 additional member `SSL_CTX *initial_ctx` so that new sessions can be 11743 stored in that context to allow for session resumption, even after the 11744 SSL has been switched to a new SSL_CTX in reaction to a client's 11745 server_name extension. 11746 11747 New functions (subject to change): 11748 11749 SSL_get_servername() 11750 SSL_get_servername_type() 11751 SSL_set_SSL_CTX() 11752 11753 New CTRL codes and macros (subject to change): 11754 11755 SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 11756 - SSL_CTX_set_tlsext_servername_callback() 11757 SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 11758 - SSL_CTX_set_tlsext_servername_arg() 11759 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() 11760 11761 openssl s_client has a new '-servername ...' option. 11762 11763 openssl s_server has new options '-servername_host ...', '-cert2 ...', 11764 '-key2 ...', '-servername_fatal' (subject to change). This allows 11765 testing the HostName extension for a specific single hostname ('-cert' 11766 and '-key' remain fallbacks for handshakes without HostName 11767 negotiation). If the unrecognized_name alert has to be sent, this by 11768 default is a warning; it becomes fatal with the '-servername_fatal' 11769 option. 11770 11771 *Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson* 11772 11773 * Add AES and SSE2 assembly language support to VC++ build. 11774 11775 *Steve Henson* 11776 11777 * Mitigate attack on final subtraction in Montgomery reduction. 
11778 11779 *Andy Polyakov* 11780 11781 * Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 11782 (which previously caused an internal error). 11783 11784 *Bodo Moeller* 11785 11786 * Squeeze another 10% out of IGE mode when in != out. 11787 11788 *Ben Laurie* 11789 11790 * AES IGE mode speedup. 11791 11792 *Dean Gaudet (Google)* 11793 11794 * Add the Korean symmetric 128-bit cipher SEED (see 11795 <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and 11796 add SEED ciphersuites from RFC 4162: 11797 11798 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" 11799 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" 11800 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" 11801 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" 11802 11803 To minimize changes between patchlevels in the OpenSSL 0.9.8 11804 series, SEED remains excluded from compilation unless OpenSSL 11805 is configured with 'enable-seed'. 11806 11807 *KISA, Bodo Moeller* 11808 11809 * Mitigate branch prediction attacks, which can be practical if a 11810 single processor is shared, allowing a spy process to extract 11811 information. For detailed background information, see 11812 <http://eprint.iacr.org/2007/039> (O. Aciicmez, S. Gueron, 11813 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL 11814 and Necessary Software Countermeasures"). The core of the change 11815 are new versions BN_div_no_branch() and 11816 BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), 11817 respectively, which are slower, but avoid the security-relevant 11818 conditional branches. These are automatically called by BN_div() 11819 and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one 11820 of the input BIGNUMs. Also, BN_is_bit_set() has been changed to 11821 remove a conditional branch. 11822 11823 BN_FLG_CONSTTIME is the new name for the previous 11824 BN_FLG_EXP_CONSTTIME flag, since it now affects more than just 11825 modular exponentiation. 
(Since OpenSSL 0.9.7h, setting this flag 11826 in the exponent causes BN_mod_exp_mont() to use the alternative 11827 implementation in BN_mod_exp_mont_consttime().) The old name 11828 remains as a deprecated alias. 11829 11830 Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general 11831 RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses 11832 constant-time implementations for more than just exponentiation. 11833 Here too the old name is kept as a deprecated alias. 11834 11835 BN_BLINDING_new() will now use BN_dup() for the modulus so that 11836 the BN_BLINDING structure gets an independent copy of the 11837 modulus. This means that the previous `BIGNUM *m` argument to 11838 BN_BLINDING_new() and to BN_BLINDING_create_param() now 11839 essentially becomes `const BIGNUM *m`, although we can't actually 11840 change this in the header file before 0.9.9. It allows 11841 RSA_setup_blinding() to use BN_with_flags() on the modulus to 11842 enable BN_FLG_CONSTTIME. 11843 11844 *Matthew D Wood (Intel Corp)* 11845 11846 * In the SSL/TLS server implementation, be strict about session ID 11847 context matching (which matters if an application uses a single 11848 external cache for different purposes). Previously, 11849 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was 11850 set. This did ensure strict client verification, but meant that, 11851 with applications using a single external cache for quite 11852 different requirements, clients could circumvent ciphersuite 11853 restrictions for a given session ID context by starting a session 11854 in a different context. 11855 11856 *Bodo Moeller* 11857 11858 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that 11859 a ciphersuite string such as "DEFAULT:RSA" cannot enable 11860 authentication-only ciphersuites. 
11861 11862 *Bodo Moeller* 11863 11864 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was 11865 not complete and could lead to a possible single byte overflow 11866 ([CVE-2007-5135]) [Ben Laurie] 11867 11868### Changes between 0.9.8d and 0.9.8e [23 Feb 2007] 11869 11870 * Since AES128 and AES256 (and similarly Camellia128 and 11871 Camellia256) share a single mask bit in the logic of 11872 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a 11873 kludge to work properly if AES128 is available and AES256 isn't 11874 (or if Camellia128 is available and Camellia256 isn't). 11875 11876 *Victor Duchovni* 11877 11878 * Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c 11879 (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): 11880 When a point or a seed is encoded in a BIT STRING, we need to 11881 prevent the removal of trailing zero bits to get the proper DER 11882 encoding. (By default, crypto/asn1/a_bitstr.c assumes the case 11883 of a NamedBitList, for which trailing 0 bits need to be removed.) 11884 11885 *Bodo Moeller* 11886 11887 * Have SSL/TLS server implementation tolerate "mismatched" record 11888 protocol version while receiving ClientHello even if the 11889 ClientHello is fragmented. (The server can't insist on the 11890 particular protocol version it has chosen before the ServerHello 11891 message has informed the client about his choice.) 11892 11893 *Bodo Moeller* 11894 11895 * Add RFC 3779 support. 11896 11897 *Rob Austein for ARIN, Ben Laurie* 11898 11899 * Load error codes if they are not already present instead of using a 11900 static variable. This allows them to be cleanly unloaded and reloaded. 11901 Improve header file function name parsing. 11902 11903 *Steve Henson* 11904 11905 * extend SMTP and IMAP protocol emulation in s_client to use EHLO 11906 or CAPABILITY handshake as required by RFCs. 
11907 11908 *Goetz Babin-Ebell* 11909 11910### Changes between 0.9.8c and 0.9.8d [28 Sep 2006] 11911 11912 * Introduce limits to prevent malicious keys being able to 11913 cause a denial of service. ([CVE-2006-2940]) 11914 11915 *Steve Henson, Bodo Moeller* 11916 11917 * Fix ASN.1 parsing of certain invalid structures that can result 11918 in a denial of service. ([CVE-2006-2937]) [Steve Henson] 11919 11920 * Fix buffer overflow in SSL_get_shared_ciphers() function. 11921 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team] 11922 11923 * Fix SSL client code which could crash if connecting to a 11924 malicious SSLv2 server. ([CVE-2006-4343]) 11925 11926 *Tavis Ormandy and Will Drewry, Google Security Team* 11927 11928 * Since 0.9.8b, ciphersuite strings naming explicit ciphersuites 11929 match only those. Before that, "AES256-SHA" would be interpreted 11930 as a pattern and match "AES128-SHA" too (since AES128-SHA got 11931 the same strength classification in 0.9.7h) as we currently only 11932 have a single AES bit in the ciphersuite description bitmap. 11933 That change, however, also applied to ciphersuite strings such as 11934 "RC4-MD5" that intentionally matched multiple ciphersuites -- 11935 namely, SSL 2.0 ciphersuites in addition to the more common ones 11936 from SSL 3.0/TLS 1.0. 11937 11938 So we change the selection algorithm again: Naming an explicit 11939 ciphersuite selects this one ciphersuite, and any other similar 11940 ciphersuite (same bitmap) from *other* protocol versions. 11941 Thus, "RC4-MD5" again will properly select both the SSL 2.0 11942 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. 11943 11944 Since SSL 2.0 does not have any ciphersuites for which the 11945 128/256 bit distinction would be relevant, this works for now. 
11946 The proper fix will be to use different bits for AES128 and 11947 AES256, which would have avoided the problems from the beginning; 11948 however, bits are scarce, so we can only do this in a new release 11949 (not just a patchlevel) when we can change the SSL_CIPHER 11950 definition to split the single 'unsigned long mask' bitmap into 11951 multiple values to extend the available space. 11952 11953 *Bodo Moeller* 11954 11955### Changes between 0.9.8b and 0.9.8c [05 Sep 2006] 11956 11957 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher 11958 ([CVE-2006-4339]) [Ben Laurie and Google Security Team] 11959 11960 * Add AES IGE and biIGE modes. 11961 11962 *Ben Laurie* 11963 11964 * Change the Unix randomness entropy gathering to use poll() when 11965 possible instead of select(), since the latter has some 11966 undesirable limitations. 11967 11968 *Darryl Miles via Richard Levitte and Bodo Moeller* 11969 11970 * Disable "ECCdraft" ciphersuites more thoroughly. Now special 11971 treatment in ssl/ssl_ciph.s makes sure that these ciphersuites 11972 cannot be implicitly activated as part of, e.g., the "AES" alias. 11973 However, please upgrade to OpenSSL 0.9.9[-dev] for 11974 non-experimental use of the ECC ciphersuites to get TLS extension 11975 support, which is required for curve and point format negotiation 11976 to avoid potential handshake problems. 11977 11978 *Bodo Moeller* 11979 11980 * Disable rogue ciphersuites: 11981 11982 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") 11983 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") 11984 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") 11985 11986 The latter two were purportedly from 11987 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really 11988 appear there. 11989 11990 Also deactivate the remaining ciphersuites from 11991 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as 11992 unofficial, and the ID has long expired. 
11993 11994 *Bodo Moeller* 11995 11996 * Fix RSA blinding Heisenbug (problems sometimes occurred on 11997 dual-core machines) and other potential thread-safety issues. 11998 11999 *Bodo Moeller* 12000 12001 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key 12002 versions), which is now available for royalty-free use 12003 (see <http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html>). 12004 Also, add Camellia TLS ciphersuites from RFC 4132. 12005 12006 To minimize changes between patchlevels in the OpenSSL 0.9.8 12007 series, Camellia remains excluded from compilation unless OpenSSL 12008 is configured with 'enable-camellia'. 12009 12010 *NTT* 12011 12012 * Disable the padding bug check when compression is in use. The padding 12013 bug check assumes the first packet is of even length, this is not 12014 necessarily true if compression is enabled and can result in false 12015 positives causing handshake failure. The actual bug test is ancient 12016 code so it is hoped that implementations will either have fixed it by 12017 now or any which still have the bug do not support compression. 12018 12019 *Steve Henson* 12020 12021### Changes between 0.9.8a and 0.9.8b [04 May 2006] 12022 12023 * When applying a cipher rule check to see if string match is an explicit 12024 cipher suite and only match that one cipher suite if it is. 12025 12026 *Steve Henson* 12027 12028 * Link in manifests for VC++ if needed. 12029 12030 *Austin Ziegler <halostatue@gmail.com>* 12031 12032 * Update support for ECC-based TLS ciphersuites according to 12033 draft-ietf-tls-ecc-12.txt with proposed changes (but without 12034 TLS extensions, which are supported starting with the 0.9.9 12035 branch, not in the OpenSSL 0.9.8 branch). 12036 12037 *Douglas Stebila* 12038 12039 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support 12040 opaque EVP_CIPHER_CTX handling. 12041 12042 *Steve Henson* 12043 12044 * Fixes and enhancements to zlib compression code. 
We now only use 12045 "zlib1.dll" and use the default `__cdecl` calling convention on Win32 12046 to conform with the standards mentioned here: 12047 <http://www.zlib.net/DLL_FAQ.txt> 12048 Static zlib linking now works on Windows and the new --with-zlib-include 12049 --with-zlib-lib options to Configure can be used to supply the location 12050 of the headers and library. Gracefully handle case where zlib library 12051 can't be loaded. 12052 12053 *Steve Henson* 12054 12055 * Several fixes and enhancements to the OID generation code. The old code 12056 sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't 12057 handle numbers larger than ULONG_MAX, truncated printing and had a 12058 non standard OBJ_obj2txt() behaviour. 12059 12060 *Steve Henson* 12061 12062 * Add support for building of engines under engine/ as shared libraries 12063 under VC++ build system. 12064 12065 *Steve Henson* 12066 12067 * Corrected the numerous bugs in the Win32 path splitter in DSO. 12068 Hopefully, we will not see any false combination of paths any more. 12069 12070 *Richard Levitte* 12071 12072### Changes between 0.9.8 and 0.9.8a [11 Oct 2005] 12073 12074 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING 12075 (part of SSL_OP_ALL). This option used to disable the 12076 countermeasure against man-in-the-middle protocol-version 12077 rollback in the SSL 2.0 server implementation, which is a bad 12078 idea. ([CVE-2005-2969]) 12079 12080 *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center 12081 for Information Security, National Institute of Advanced Industrial 12082 Science and Technology [AIST], Japan)* 12083 12084 * Add two function to clear and return the verify parameter flags. 12085 12086 *Steve Henson* 12087 12088 * Keep cipherlists sorted in the source instead of sorting them at 12089 runtime, thus removing the need for a lock. 12090 12091 *Nils Larsch* 12092 12093 * Avoid some small subgroup attacks in Diffie-Hellman. 
12094 12095 *Nick Mathewson and Ben Laurie* 12096 12097 * Add functions for well-known primes. 12098 12099 *Nick Mathewson* 12100 12101 * Extended Windows CE support. 12102 12103 *Satoshi Nakamura and Andy Polyakov* 12104 12105 * Initialize SSL_METHOD structures at compile time instead of during 12106 runtime, thus removing the need for a lock. 12107 12108 *Steve Henson* 12109 12110 * Make PKCS7_decrypt() work even if no certificate is supplied by 12111 attempting to decrypt each encrypted key in turn. Add support to 12112 smime utility. 12113 12114 *Steve Henson* 12115 12116### Changes between 0.9.7h and 0.9.8 [05 Jul 2005] 12117 12118[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after 12119OpenSSL 0.9.8.] 12120 12121 * Add libcrypto.pc and libssl.pc for those who feel they need them. 12122 12123 *Richard Levitte* 12124 12125 * Change CA.sh and CA.pl so they don't bundle the CSR and the private 12126 key into the same file any more. 12127 12128 *Richard Levitte* 12129 12130 * Add initial support for Win64, both IA64 and AMD64/x64 flavors. 12131 12132 *Andy Polyakov* 12133 12134 * Add -utf8 command line and config file option to 'ca'. 12135 12136 *Stefan <stf@udoma.org* 12137 12138 * Removed the macro des_crypt(), as it seems to conflict with some 12139 libraries. Use DES_crypt(). 12140 12141 *Richard Levitte* 12142 12143 * Correct naming of the 'chil' and '4758cca' ENGINEs. This 12144 involves renaming the source and generated shared-libs for 12145 both. The engines will accept the corrected or legacy ids 12146 ('ncipher' and '4758_cca' respectively) when binding. NB, 12147 this only applies when building 'shared'. 12148 12149 *Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe* 12150 12151 * Add attribute functions to EVP_PKEY structure. Modify 12152 PKCS12_create() to recognize a CSP name attribute and 12153 use it. Make -CSP option work again in pkcs12 utility. 

   *Steve Henson*

 * Add new functionality to the bn blinding code:
   - automatic re-creation of the BN_BLINDING parameters after
     a fixed number of uses (currently 32)
   - add new function for parameter creation
   - introduce flags to control the update behaviour of the
     BN_BLINDING parameters
   - hide BN_BLINDING structure
   Add a second BN_BLINDING slot to the RSA structure to improve
   performance when a single RSA object is shared among several
   threads.

   *Nils Larsch*

 * Add support for DTLS.

   *Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie*

 * Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
   to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()

   *Walter Goulet*

 * Remove buggy and incomplete DH cert support from
   ssl/ssl_rsa.c and ssl/s3_both.c

   *Nils Larsch*

 * Use SHA-1 instead of MD5 as the default digest algorithm for
   the `apps/openssl` commands.

   *Nils Larsch*

 * Compile clean with "-Wall -Wmissing-prototypes
   -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
   DEBUG_SAFESTACK must also be set.

   *Ben Laurie*

 * Change ./Configure so that certain algorithms can be disabled by default.
   The new counterpiece to "no-xxx" is "enable-xxx".

   The patented RC5 and MDC2 algorithms will now be disabled unless
   "enable-rc5" and "enable-mdc2", respectively, are specified.

   (IDEA remains enabled despite being patented. This is because IDEA
   is frequently required for interoperability, and there is no license
   fee for non-commercial use. As before, "no-idea" can be used to
   avoid this algorithm.)

   *Bodo Moeller*

 * Add processing of proxy certificates (see RFC 3820).
   This work was
   sponsored by KTH (The Royal Institute of Technology in Stockholm) and
   EGEE (Enabling Grids for E-science in Europe).

   *Richard Levitte*

 * RC4 performance overhaul on modern architectures/implementations, such
   as Intel P4, IA-64 and AMD64.

   *Andy Polyakov*

 * New utility extract-section.pl. This can be used specify an alternative
   section number in a pod file instead of having to treat each file as
   a separate case in Makefile. This can be done by adding two lines to the
   pod file:

        =for comment openssl_section:XXX

   The blank line is mandatory.

   *Steve Henson*

 * New arguments -certform, -keyform and -pass for s_client and s_server
   to allow alternative format key and certificate files and passphrase
   sources.

   *Steve Henson*

 * New structure X509_VERIFY_PARAM which combines current verify parameters,
   update associated structures and add various utility functions.

   Add new policy related verify parameters, include policy checking in
   standard verify code. Enhance 'smime' application with extra parameters
   to support policy checking and print out.

   *Steve Henson*

 * Add a new engine to support VIA PadLock ACE extensions in the VIA C3
   Nehemiah processors. These extensions support AES encryption in hardware
   as well as RNG (though RNG support is currently disabled).

   *Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov*

 * Deprecate `BN_[get|set]_params()` functions (they were ignored internally).

   *Geoff Thorpe*

 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.

   *Andy Polyakov and a number of other people*

 * Improved PowerPC platform support. Most notably BIGNUM assembler
   implementation contributed by IBM.

   *Suresh Chari, Peter Waltenberg, Andy Polyakov*

 * The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
   exponent rather than 'unsigned long'. There is a corresponding change to
   the new 'rsa_keygen' element of the RSA_METHOD structure.

   *Jelte Jansen, Geoff Thorpe*

 * Functionality for creating the initial serial number file is now
   moved from CA.pl to the 'ca' utility with a new option -create_serial.

   (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
   number file to 1, which is bound to cause problems. To avoid
   the problems while respecting compatibility between different 0.9.7
   patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
   CA.pl for serial number initialization. With the new release 0.9.8,
   we can fix the problem directly in the 'ca' utility.)

   *Steve Henson*

 * Reduced header interdependencies by declaring more opaque objects in
   ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
   give fewer recursive includes, which could break lazy source code - so
   this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
   developers should define this symbol when building and using openssl to
   ensure they track the recommended behaviour, interfaces, [etc], but
   backwards-compatible behaviour prevails when this isn't defined.

   *Geoff Thorpe*

 * New function X509_POLICY_NODE_print() which prints out policy nodes.

   *Steve Henson*

 * Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
   This will generate a random key of the appropriate length based on the
   cipher context. The EVP_CIPHER can provide its own random key generation
   routine to support keys of a specific form. This is used in the des and
   3des routines to generate a key of the correct parity.
   Update S/MIME
   code to use new functions and hence generate correct parity DES keys.
   Add EVP_CHECK_DES_KEY #define to return an error if the key is not
   valid (weak or incorrect parity).

   *Steve Henson*

 * Add a local set of CRLs that can be used by X509_verify_cert() as well
   as looking them up. This is useful when the verified structure may contain
   CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
   present unless the new PKCS7_NO_CRL flag is asserted.

   *Steve Henson*

 * Extend ASN1 oid configuration module. It now additionally accepts the
   syntax:

        shortName = some long name, 1.2.3.4

   *Steve Henson*

 * Reimplemented the BN_CTX implementation. There is now no more static
   limitation on the number of variables it can handle nor the depth of the
   "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
   information can now expand as required, and rather than having a single
   static array of bignums, BN_CTX now uses a linked-list of such arrays
   allowing it to expand on demand whilst maintaining the usefulness of
   BN_CTX's "bundling".

   *Geoff Thorpe*

 * Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
   to allow all RSA operations to function using a single BN_CTX.

   *Geoff Thorpe*

 * Preliminary support for certificate policy evaluation and checking. This
   is initially intended to pass the tests outlined in "Conformance Testing
   of Relying Party Client Certificate Path Processing Logic" v1.07.

   *Steve Henson*

 * bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
   remained unused and not that useful. A variety of other little bignum
   tweaks and fixes have also been made continuing on from the audit (see
   below).

   *Geoff Thorpe*

 * Constify all or almost all d2i, c2i, s2i and r2i functions, along with
   associated ASN1, EVP and SSL functions and old ASN1 macros.

   *Richard Levitte*

 * BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
   and this should never fail. So the return value from the use of
   BN_set_word() (which can fail due to needless expansion) is now deprecated;
   if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.

   *Geoff Thorpe*

 * BN_CTX_get() should return zero-valued bignums, providing the same
   initialised value as BN_new().

   *Geoff Thorpe, suggested by Ulf Möller*

 * Support for inhibitAnyPolicy certificate extension.

   *Steve Henson*

 * An audit of the BIGNUM code is underway, for which debugging code is
   enabled when BN_DEBUG is defined. This makes stricter enforcements on what
   is considered valid when processing BIGNUMs, and causes execution to
   assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
   further steps are taken to deliberately pollute unused data in BIGNUM
   structures to try and expose faulty code further on. For now, openssl will
   (in its default mode of operation) continue to tolerate the inconsistent
   forms that it has tolerated in the past, but authors and packagers should
   consider trying openssl and their own applications when compiled with
   these debugging symbols defined. It will help highlight potential bugs in
   their own code, and will improve the test coverage for OpenSSL itself. At
   some point, these tighter rules will become openssl's default to improve
   maintainability, though the assert()s and other overheads will remain only
   in debugging configurations. See bn.h for more details.

   *Geoff Thorpe, Nils Larsch, Ulf Möller*

 * BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
   that can only be obtained through BN_CTX_new() (which implicitly
   initialises it). The presence of this function only made it possible
   to overwrite an existing structure (and cause memory leaks).

   *Geoff Thorpe*

 * Because of the callback-based approach for implementing LHASH as a
   template type, lh_insert() adds opaque objects to hash-tables and
   lh_doall() or lh_doall_arg() are typically used with a destructor callback
   to clean up those corresponding objects before destroying the hash table
   (and losing the object pointers). So some over-zealous constifications in
   LHASH have been relaxed so that lh_insert() does not take (nor store) the
   objects as "const" and the `lh_doall[_arg]` callback wrappers are not
   prototyped to have "const" restrictions on the object pointers they are
   given (and so aren't required to cast them away any more).

   *Geoff Thorpe*

 * The tmdiff.h API was so ugly and minimal that our own timing utility
   (speed) prefers to use its own implementation. The two implementations
   haven't been consolidated as yet (volunteers?) but the tmdiff API has had
   its object type properly exposed (MS_TM) instead of casting to/from
   `char *`. This may still change yet if someone realises MS_TM and
   `ms_time_***`
   aren't necessarily the greatest nomenclatures - but this is what was used
   internally to the implementation so I've used that for now.

   *Geoff Thorpe*

 * Ensure that deprecated functions do not get compiled when
   OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
   the self-tests were still using deprecated key-generation functions so
   these have been updated also.

   *Geoff Thorpe*

 * Reorganise PKCS#7 code to separate the digest location functionality
   into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
   New function PKCS7_set_digest() to set the digest type for PKCS#7
   digestedData type. Add additional code to correctly generate the
   digestedData type and add support for this type in PKCS7 initialization
   functions.

   *Steve Henson*

 * New function PKCS7_set0_type_other() this initializes a PKCS7
   structure of type "other".

   *Steve Henson*

 * Fix prime generation loop in crypto/bn/bn_prime.pl by making
   sure the loop does correctly stop and breaking ("division by zero")
   modulus operations are not performed. The (pre-generated) prime
   table crypto/bn/bn_prime.h was already correct, but it could not be
   re-generated on some platforms because of the "division by zero"
   situation in the script.

   *Ralf S. Engelschall*

 * Update support for ECC-based TLS ciphersuites according to
   draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
   SHA-1 now is only used for "small" curves (where the
   representation of a field element takes up to 24 bytes); for
   larger curves, the field element resulting from ECDH is directly
   used as premaster secret.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
   curve secp160r1 to the tests.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Add the possibility to load symbols globally with DSO.

   *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*

 * Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
   control of the error stack.

   *Richard Levitte*

 * Add support for STORE in ENGINE.

   *Richard Levitte*

 * Add the STORE type. The intention is to provide a common interface
   to certificate and key stores, be they simple file-based stores, or
   HSM-type store, or LDAP stores, or...
   NOTE: The code is currently UNTESTED and isn't really used anywhere.

   *Richard Levitte*

 * Add a generic structure called OPENSSL_ITEM. This can be used to
   pass a list of arguments to any function as well as provide a way
   for a function to pass data back to the caller.

   *Richard Levitte*

 * Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup()
   works like BUF_strdup() but can be used to duplicate a portion of
   a string. The copy gets NUL-terminated. BUF_memdup() duplicates
   a memory area.

   *Richard Levitte*

 * Add the function sk_find_ex() which works like sk_find(), but will
   return an index to an element even if an exact match couldn't be
   found. The index is guaranteed to point at the element where the
   searched-for key would be inserted to preserve sorting order.

   *Richard Levitte*

 * Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
   takes an extra flags argument for optional functionality. Currently,
   the following flags are defined:

      OBJ_BSEARCH_VALUE_ON_NOMATCH
      This one gets OBJ_bsearch_ex() to return a pointer to the first
      element where the comparing function returns a negative or zero
      number.

      OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
      This one gets OBJ_bsearch_ex() to return a pointer to the first
      element where the comparing function returns zero. This is useful
      if there are more than one element where the comparing function
      returns zero.

   *Richard Levitte*

 * Make it possible to create self-signed certificates with 'openssl ca'
   in such a way that the self-signed certificate becomes part of the
   CA database and uses the same mechanisms for serial number generation
   as all other certificate signing. The new flag '-selfsign' enables
   this functionality. Adapt CA.sh and CA.pl.in.

   *Richard Levitte*

 * Add functionality to check the public key of a certificate request
   against a given private. This is useful to check that a certificate
   request can be signed by that key (self-signing).

   *Richard Levitte*

 * Make it possible to have multiple active certificates with the same
   subject in the CA index file. This is done only if the keyword
   'unique_subject' is set to 'no' in the main CA section (default
   if 'CA_default') of the configuration file. The value is saved
   with the database itself in a separate index attribute file,
   named like the index file with '.attr' appended to the name.

   *Richard Levitte*

 * Generate multi-valued AVAs using '+' notation in config files for
   req and dirName.

   *Steve Henson*

 * Support for nameConstraints certificate extension.

   *Steve Henson*

 * Support for policyConstraints certificate extension.

   *Steve Henson*

 * Support for policyMappings certificate extension.

   *Steve Henson*

 * Make sure the default DSA_METHOD implementation only uses its
   dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
   and change its own handlers to be NULL so as to remove unnecessary
   indirection. This lets alternative implementations fallback to the
   default implementation more easily.

   *Geoff Thorpe*

 * Support for directoryName in GeneralName related extensions
   in config files.

   *Steve Henson*

 * Make it possible to link applications using Makefile.shared.
   Make that possible even when linking against static libraries!

   *Richard Levitte*

 * Support for single pass processing for S/MIME signing. This now
   means that S/MIME signing can be done from a pipe, in addition
   cleartext signing (multipart/signed type) is effectively streaming
   and the signed data does not need to be all held in memory.

   This is done with a new flag PKCS7_STREAM. When this flag is set
   PKCS7_sign() only initializes the PKCS7 structure and the actual signing
   is done after the data is output (and digests calculated) in
   SMIME_write_PKCS7().

   *Steve Henson*

 * Add full support for -rpath/-R, both in shared libraries and
   applications, at least on the platforms where it's known how
   to do it.

   *Richard Levitte*

 * In crypto/ec/ec_mult.c, implement fast point multiplication with
   precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
   will now compute a table of multiples of the generator that
   makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
   faster (notably in the case of a single point multiplication,
   scalar * generator).

   *Nils Larsch, Bodo Moeller*

 * IPv6 support for certificate extensions. The various extensions
   which use the IP:a.b.c.d can now take IPv6 addresses using the
   formats of RFC1884 2.2 . IPv6 addresses are now also displayed
   correctly.

   *Steve Henson*

 * Added an ENGINE that implements RSA by performing private key
   exponentiations with the GMP library. The conversions to and from
   GMP's mpz_t format aren't optimised nor are any montgomery forms
   cached, and on x86 it appears OpenSSL's own performance has caught up.
   However there are likely to be other architectures where GMP could
   provide a boost. This ENGINE is not built in by default, but it can be
   specified at Configure time and should be accompanied by the necessary
   linker additions, eg;

        ./config -DOPENSSL_USE_GMP -lgmp

   *Geoff Thorpe*

 * "openssl engine" will not display ENGINE/DSO load failure errors when
   testing availability of engines with "-t" - the old behaviour is
   produced by increasing the feature's verbosity with "-tt".

   *Geoff Thorpe*

 * ECDSA routines: under certain error conditions uninitialized BN objects
   could be freed. Solution: make sure initialization is performed early
   enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
   via PR#459)

   *Lutz Jaenicke*

 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
   and DH_METHOD (eg. by ENGINE implementations) to override the normal
   software implementations. For DSA and DH, parameter generation can
   also be overridden by providing the appropriate method callbacks.

   *Geoff Thorpe*

 * Change the "progress" mechanism used in key-generation and
   primality testing to functions that take a new BN_GENCB pointer in
   place of callback/argument pairs. The new API functions have `_ex`
   postfixes and the older functions are reimplemented as wrappers for
   the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
   declarations of the old functions to help (graceful) attempts to
   migrate to the new functions. Also, the new key-generation API
   functions operate on a caller-supplied key-structure and return
   success/failure rather than returning a key or NULL - this is to
   help make "keygen" another member function of RSA_METHOD etc.

   Example for using the new callback interface:

        int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
        void *my_arg = ...;
        BN_GENCB my_cb;

        BN_GENCB_set(&my_cb, my_callback, my_arg);

        /* Pass the BN_GENCB we just set up, not an undeclared 'cb'. */
        return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &my_cb);
        /* For the meaning of a, b in calls to my_callback(), see the
         * documentation of the function that calls the callback.
         * cb will point to my_cb; my_arg can be retrieved as cb->arg.
         * my_callback should return 1 if it wants BN_is_prime_ex()
         * to continue, or 0 to stop.
         */

   *Geoff Thorpe*

 * Change the ZLIB compression method to be stateful, and make it
   available to TLS with the number defined in
   draft-ietf-tls-compression-04.txt.

   *Richard Levitte*

 * Add the ASN.1 structures and functions for CertificatePair, which
   is defined as follows (according to X.509_4thEditionDraftV6.pdf):

        CertificatePair ::= SEQUENCE {
            forward         [0]     Certificate OPTIONAL,
            reverse         [1]     Certificate OPTIONAL,
            -- at least one of the pair shall be present -- }

   Also implement the PEM functions to read and write certificate
   pairs, and defined the PEM tag as "CERTIFICATE PAIR".

   This needed to be defined, mostly for the sake of the LDAP
   attribute crossCertificatePair, but may prove useful elsewhere as
   well.

   *Richard Levitte*

 * Make it possible to inhibit symlinking of shared libraries in
   Makefile.shared, for Cygwin's sake.

   *Richard Levitte*

 * Extend the BIGNUM API by creating a function
        void BN_set_negative(BIGNUM *a, int neg);
   and a macro that behave like
        int BN_is_negative(const BIGNUM *a);

   to avoid the need to access 'a->neg' directly in applications.

   *Nils Larsch*

 * Implement fast modular reduction for pseudo-Mersenne primes
   used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
   EC_GROUP_new_curve_GFp() will now automatically use this
   if applicable.

   *Nils Larsch <nla@trustcenter.de>*

 * Add new lock type (CRYPTO_LOCK_BN).

   *Bodo Moeller*

 * Change the ENGINE framework to automatically load engines
   dynamically from specific directories unless they could be
   found to already be built in or loaded. Move all the
   current engines except for the cryptodev one to a new
   directory engines/.
   The engines in engines/ are built as shared libraries if
   the "shared" option was given to ./Configure or ./config.
   Otherwise, they are inserted in libcrypto.a.
   /usr/local/ssl/engines is the default directory for dynamic
   engines, but that can be overridden at configure time through
   the usual use of --prefix and/or --openssldir, and at run
   time with the environment variable OPENSSL_ENGINES.

   *Geoff Thorpe and Richard Levitte*

 * Add Makefile.shared, a helper makefile to build shared
   libraries. Adapt Makefile.org.

   *Richard Levitte*

 * Add version info to Win32 DLLs.

   *Peter 'Luna' Runestig <peter@runestig.com>*

 * Add new 'medium level' PKCS#12 API. Certificates and keys
   can be added using this API to created arbitrary PKCS#12
   files while avoiding the low-level API.

   New options to PKCS12_create(), key or cert can be NULL and
   will then be omitted from the output file. The encryption
   algorithm NIDs can be set to -1 for no encryption, the mac
   iteration count can be set to 0 to omit the mac.

   Enhance pkcs12 utility by making the -nokeys and -nocerts
   options work when creating a PKCS#12 file.
   New option -nomac
   to omit the mac, NONE can be set for an encryption algorithm.
   New code is modified to use the enhanced PKCS12_create()
   instead of the low-level API.

   *Steve Henson*

 * Extend ASN1 encoder to support indefinite length constructed
   encoding. This can output sequences tags and octet strings in
   this form. Modify pk7_asn1.c to support indefinite length
   encoding. This is experimental and needs additional code to
   be useful, such as an ASN1 bio and some enhanced streaming
   PKCS#7 code.

   Extend template encode functionality so that tagging is passed
   down to the template encoder.

   *Steve Henson*

 * Let 'openssl req' fail if an argument to '-newkey' is not
   recognized instead of using RSA as a default.

   *Bodo Moeller*

 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
   As these are not official, they are not included in "ALL";
   the "ECCdraft" ciphersuite group alias can be used to select them.

   *Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)*

 * Add ECDH engine support.

   *Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add ECDH in new directory crypto/ecdh/.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Let BN_rand_range() abort with an error after 100 iterations
   without success (which indicates a broken PRNG).

   *Bodo Moeller*

 * Change BN_mod_sqrt() so that it verifies that the input value
   is really the square of the return value. (Previously,
   BN_mod_sqrt would show GIGO behaviour.)

   *Bodo Moeller*

 * Add named elliptic curves over binary fields from X9.62, SECG,
   and WAP/WTLS; add OIDs that were still missing.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Extend the EC library for elliptic curves over binary fields
   (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
   New EC_METHOD:

        EC_GF2m_simple_method

   New API functions:

        EC_GROUP_new_curve_GF2m
        EC_GROUP_set_curve_GF2m
        EC_GROUP_get_curve_GF2m
        EC_POINT_set_affine_coordinates_GF2m
        EC_POINT_get_affine_coordinates_GF2m
        EC_POINT_set_compressed_coordinates_GF2m

   Point compression for binary fields is disabled by default for
   patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
   enable it).

   As binary polynomials are represented as BIGNUMs, various members
   of the EC_GROUP and EC_POINT data structures can be shared
   between the implementations for prime fields and binary fields;
   the above `..._GF2m` functions (except for EX_GROUP_new_curve_GF2m)
   are essentially identical to their `..._GFp` counterparts.
   (For simplicity, the `..._GFp` prefix has been dropped from
   various internal method names.)

   An internal 'field_div' method (similar to 'field_mul' and
   'field_sqr') has been added; this is used only for binary fields.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
   through methods ('mul', 'precompute_mult').

   The generic implementations (now internally called 'ec_wNAF_mul'
   and 'ec_wNAF_precomputed_mult') remain the default if these
   methods are undefined.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * New function EC_GROUP_get_degree, which is defined through
   EC_METHOD. For curves over prime fields, this returns the bit
   length of the modulus.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * New functions EC_GROUP_dup, EC_POINT_dup.
   (These simply call ..._new and ..._copy).

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
   Polynomials are represented as BIGNUMs (where the sign bit is not
   used) in the following functions [macros]:

        BN_GF2m_add
        BN_GF2m_sub        [= BN_GF2m_add]
        BN_GF2m_mod        [wrapper for BN_GF2m_mod_arr]
        BN_GF2m_mod_mul    [wrapper for BN_GF2m_mod_mul_arr]
        BN_GF2m_mod_sqr    [wrapper for BN_GF2m_mod_sqr_arr]
        BN_GF2m_mod_inv
        BN_GF2m_mod_exp    [wrapper for BN_GF2m_mod_exp_arr]
        BN_GF2m_mod_sqrt   [wrapper for BN_GF2m_mod_sqrt_arr]
        BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr]
        BN_GF2m_cmp        [= BN_ucmp]

   (Note that only the 'mod' functions are actually for fields GF(2^m).
   BN_GF2m_add() is a misnomer, but this is for the sake of consistency.)

   For some functions, the irreducible polynomial defining a
   field can be given as an 'unsigned int[]' with strictly
   decreasing elements giving the indices of those bits that are set;
   i.e., p[] represents the polynomial

        f(t) = t^p[0] + t^p[1] + ... + t^p[k]

   where

        p[0] > p[1] > ... > p[k] = 0.

   This applies to the following functions:

        BN_GF2m_mod_arr
        BN_GF2m_mod_mul_arr
        BN_GF2m_mod_sqr_arr
        BN_GF2m_mod_inv_arr    [wrapper for BN_GF2m_mod_inv]
        BN_GF2m_mod_div_arr    [wrapper for BN_GF2m_mod_div]
        BN_GF2m_mod_exp_arr
        BN_GF2m_mod_sqrt_arr
        BN_GF2m_mod_solve_quad_arr
        BN_GF2m_poly2arr
        BN_GF2m_arr2poly

   Conversion can be performed by the following functions:

        BN_GF2m_poly2arr
        BN_GF2m_arr2poly

   bntest.c has additional tests for binary polynomial arithmetic.

   Two implementations for BN_GF2m_mod_div() are available.
   The default algorithm simply uses BN_GF2m_mod_inv() and
   BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
   if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
   copyright notice in crypto/bn/bn_gf2m.c before enabling it).

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add new error code 'ERR_R_DISABLED' that can be used when some
   functionality is disabled at compile-time.

   *Douglas Stebila <douglas.stebila@sun.com>*

 * Change default behaviour of 'openssl asn1parse' so that more
   information is visible when viewing, e.g., a certificate:

   Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
   mode the content of non-printable OCTET STRINGs is output in a
   style similar to INTEGERs, but with '[HEX DUMP]' prepended to
   avoid the appearance of a printable string.

   *Nils Larsch <nla@trustcenter.de>*

 * Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
   functions

        EC_GROUP_set_asn1_flag()
        EC_GROUP_get_asn1_flag()
        EC_GROUP_set_point_conversion_form()
        EC_GROUP_get_point_conversion_form()

   These control ASN1 encoding details:
   - Curves (i.e., groups) are encoded explicitly unless asn1_flag
     has been set to OPENSSL_EC_NAMED_CURVE.
   - Points are encoded in uncompressed form by default; options for
     asn1_form are as for point2oct, namely

          POINT_CONVERSION_COMPRESSED
          POINT_CONVERSION_UNCOMPRESSED
          POINT_CONVERSION_HYBRID

   Also add 'seed' and 'seed_len' members to EC_GROUP with access
   functions

        EC_GROUP_set_seed()
        EC_GROUP_get0_seed()
        EC_GROUP_get_seed_len()

   This is used only for ASN1 purposes (so far).

   *Nils Larsch <nla@trustcenter.de>*

 * Add 'field_type' member to EC_METHOD, which holds the NID
   of the appropriate field type OID. The new function
   EC_METHOD_get_field_type() returns this value.

   *Nils Larsch <nla@trustcenter.de>*

 * Add functions

        EC_POINT_point2bn()
        EC_POINT_bn2point()
        EC_POINT_point2hex()
        EC_POINT_hex2point()

   providing useful interfaces to EC_POINT_point2oct() and
   EC_POINT_oct2point().

   *Nils Larsch <nla@trustcenter.de>*

 * Change internals of the EC library so that the functions

        EC_GROUP_set_generator()
        EC_GROUP_get_generator()
        EC_GROUP_get_order()
        EC_GROUP_get_cofactor()

   are implemented directly in crypto/ec/ec_lib.c and not dispatched
   to methods, which would lead to unnecessary code duplication when
   adding different types of curves.
12975 12976 *Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller* 12977 12978 * Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM 12979 arithmetic, and such that modified wNAFs are generated 12980 (which avoid length expansion in many cases). 12981 12982 *Bodo Moeller* 12983 12984 * Add a function EC_GROUP_check_discriminant() (defined via 12985 EC_METHOD) that verifies that the curve discriminant is non-zero. 12986 12987 Add a function EC_GROUP_check() that makes some sanity tests 12988 on a EC_GROUP, its generator and order. This includes 12989 EC_GROUP_check_discriminant(). 12990 12991 *Nils Larsch <nla@trustcenter.de>* 12992 12993 * Add ECDSA in new directory crypto/ecdsa/. 12994 12995 Add applications 'openssl ecparam' and 'openssl ecdsa' 12996 (these are based on 'openssl dsaparam' and 'openssl dsa'). 12997 12998 ECDSA support is also included in various other files across the 12999 library. Most notably, 13000 - 'openssl req' now has a '-newkey ecdsa:file' option; 13001 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA; 13002 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and 13003 d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make 13004 them suitable for ECDSA where domain parameters must be 13005 extracted before the specific public key; 13006 - ECDSA engine support has been added. 13007 13008 *Nils Larsch <nla@trustcenter.de>* 13009 13010 * Include some named elliptic curves, and add OIDs from X9.62, 13011 SECG, and WAP/WTLS. Each curve can be obtained from the new 13012 function 13013 EC_GROUP_new_by_curve_name(), 13014 and the list of available named curves can be obtained with 13015 EC_get_builtin_curves(). 
13016 Also add a 'curve_name' member to EC_GROUP objects, which can be 13017 accessed via 13018 EC_GROUP_set_curve_name() 13019 EC_GROUP_get_curve_name() 13020 13021 *Nils Larsch <larsch@trustcenter.de, Bodo Moeller* 13022 13023 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there 13024 was actually never needed) and in BN_mul(). The removal in BN_mul() 13025 required a small change in bn_mul_part_recursive() and the addition 13026 of the functions bn_cmp_part_words(), bn_sub_part_words() and 13027 bn_add_part_words(), which do the same thing as bn_cmp_words(), 13028 bn_sub_words() and bn_add_words() except they take arrays with 13029 differing sizes. 13030 13031 *Richard Levitte* 13032 13033### Changes between 0.9.7l and 0.9.7m [23 Feb 2007] 13034 13035 * Cleanse PEM buffers before freeing them since they may contain 13036 sensitive data. 13037 13038 *Benjamin Bennett <ben@psc.edu>* 13039 13040 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that 13041 a ciphersuite string such as "DEFAULT:RSA" cannot enable 13042 authentication-only ciphersuites. 13043 13044 *Bodo Moeller* 13045 13046 * Since AES128 and AES256 share a single mask bit in the logic of 13047 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a 13048 kludge to work properly if AES128 is available and AES256 isn't. 13049 13050 *Victor Duchovni* 13051 13052 * Expand security boundary to match 1.1.1 module. 13053 13054 *Steve Henson* 13055 13056 * Remove redundant features: hash file source, editing of test vectors 13057 modify fipsld to use external fips_premain.c signature. 13058 13059 *Steve Henson* 13060 13061 * New perl script mkfipsscr.pl to create shell scripts or batch files to 13062 run algorithm test programs. 13063 13064 *Steve Henson* 13065 13066 * Make algorithm test programs more tolerant of whitespace. 
13067 13068 *Steve Henson* 13069 13070 * Have SSL/TLS server implementation tolerate "mismatched" record 13071 protocol version while receiving ClientHello even if the 13072 ClientHello is fragmented. (The server can't insist on the 13073 particular protocol version it has chosen before the ServerHello 13074 message has informed the client about his choice.) 13075 13076 *Bodo Moeller* 13077 13078 * Load error codes if they are not already present instead of using a 13079 static variable. This allows them to be cleanly unloaded and reloaded. 13080 13081 *Steve Henson* 13082 13083### Changes between 0.9.7k and 0.9.7l [28 Sep 2006] 13084 13085 * Introduce limits to prevent malicious keys being able to 13086 cause a denial of service. ([CVE-2006-2940]) 13087 13088 *Steve Henson, Bodo Moeller* 13089 13090 * Fix ASN.1 parsing of certain invalid structures that can result 13091 in a denial of service. ([CVE-2006-2937]) [Steve Henson] 13092 13093 * Fix buffer overflow in SSL_get_shared_ciphers() function. 13094 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team] 13095 13096 * Fix SSL client code which could crash if connecting to a 13097 malicious SSLv2 server. ([CVE-2006-4343]) 13098 13099 *Tavis Ormandy and Will Drewry, Google Security Team* 13100 13101 * Change ciphersuite string processing so that an explicit 13102 ciphersuite selects this one ciphersuite (so that "AES256-SHA" 13103 will no longer include "AES128-SHA"), and any other similar 13104 ciphersuite (same bitmap) from *other* protocol versions (so that 13105 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the 13106 SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining 13107 changes from 0.9.8b and 0.9.8d. 
13108 13109 *Bodo Moeller* 13110 13111### Changes between 0.9.7j and 0.9.7k [05 Sep 2006] 13112 13113 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher 13114 ([CVE-2006-4339]) [Ben Laurie and Google Security Team] 13115 13116 * Change the Unix randomness entropy gathering to use poll() when 13117 possible instead of select(), since the latter has some 13118 undesirable limitations. 13119 13120 *Darryl Miles via Richard Levitte and Bodo Moeller* 13121 13122 * Disable rogue ciphersuites: 13123 13124 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") 13125 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") 13126 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") 13127 13128 The latter two were purportedly from 13129 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really 13130 appear there. 13131 13132 Also deactivate the remaining ciphersuites from 13133 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as 13134 unofficial, and the ID has long expired. 13135 13136 *Bodo Moeller* 13137 13138 * Fix RSA blinding Heisenbug (problems sometimes occurred on 13139 dual-core machines) and other potential thread-safety issues. 13140 13141 *Bodo Moeller* 13142 13143### Changes between 0.9.7i and 0.9.7j [04 May 2006] 13144 13145 * Adapt fipsld and the build system to link against the validated FIPS 13146 module in FIPS mode. 13147 13148 *Steve Henson* 13149 13150 * Fixes for VC++ 2005 build under Windows. 13151 13152 *Steve Henson* 13153 13154 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make 13155 from a Windows bash shell such as MSYS. It is autodetected from the 13156 "config" script when run from a VC++ environment. Modify standard VC++ 13157 build to use fipscanister.o from the GNU make build. 13158 13159 *Steve Henson* 13160 13161### Changes between 0.9.7h and 0.9.7i [14 Oct 2005] 13162 13163 * Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS. 13164 The value now differs depending on if you build for FIPS or not. 
13165 BEWARE! A program linked with a shared FIPSed libcrypto can't be 13166 safely run with a non-FIPSed libcrypto, as it may crash because of 13167 the difference induced by this change. 13168 13169 *Andy Polyakov* 13170 13171### Changes between 0.9.7g and 0.9.7h [11 Oct 2005] 13172 13173 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING 13174 (part of SSL_OP_ALL). This option used to disable the 13175 countermeasure against man-in-the-middle protocol-version 13176 rollback in the SSL 2.0 server implementation, which is a bad 13177 idea. ([CVE-2005-2969]) 13178 13179 *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center 13180 for Information Security, National Institute of Advanced Industrial 13181 Science and Technology [AIST, Japan)]* 13182 13183 * Minimal support for X9.31 signatures and PSS padding modes. This is 13184 mainly for FIPS compliance and not fully integrated at this stage. 13185 13186 *Steve Henson* 13187 13188 * For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform 13189 the exponentiation using a fixed-length exponent. (Otherwise, 13190 the information leaked through timing could expose the secret key 13191 after many signatures; cf. Bleichenbacher's attack on DSA with 13192 biased k.) 13193 13194 *Bodo Moeller* 13195 13196 * Make a new fixed-window mod_exp implementation the default for 13197 RSA, DSA, and DH private-key operations so that the sequence of 13198 squares and multiplies and the memory access pattern are 13199 independent of the particular secret key. This will mitigate 13200 cache-timing and potential related attacks. 13201 13202 BN_mod_exp_mont_consttime() is the new exponentiation implementation, 13203 and this is automatically used by BN_mod_exp_mont() if the new flag 13204 BN_FLG_EXP_CONSTTIME is set for the exponent. 
RSA, DSA, and DH 13205 will use this BN flag for private exponents unless the flag 13206 RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or 13207 DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. 13208 13209 *Matthew D Wood (Intel Corp), with some changes by Bodo Moeller* 13210 13211 * Change the client implementation for SSLv23_method() and 13212 SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0 13213 Client Hello message format if the SSL_OP_NO_SSLv2 option is set. 13214 (Previously, the SSL 2.0 backwards compatible Client Hello 13215 message format would be used even with SSL_OP_NO_SSLv2.) 13216 13217 *Bodo Moeller* 13218 13219 * Add support for smime-type MIME parameter in S/MIME messages which some 13220 clients need. 13221 13222 *Steve Henson* 13223 13224 * New function BN_MONT_CTX_set_locked() to set montgomery parameters in 13225 a threadsafe manner. Modify rsa code to use new function and add calls 13226 to dsa and dh code (which had race conditions before). 13227 13228 *Steve Henson* 13229 13230 * Include the fixed error library code in the C error file definitions 13231 instead of fixing them up at runtime. This keeps the error code 13232 structures constant. 13233 13234 *Steve Henson* 13235 13236### Changes between 0.9.7f and 0.9.7g [11 Apr 2005] 13237 13238[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after 13239OpenSSL 0.9.8.] 13240 13241 * Fixes for newer kerberos headers. NB: the casts are needed because 13242 the 'length' field is signed on one version and unsigned on another 13243 with no (?) obvious way to tell the difference, without these VC++ 13244 complains. Also the "definition" of FAR (blank) is no longer included 13245 nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up 13246 some needed definitions. 13247 13248 *Steve Henson* 13249 13250 * Undo Cygwin change. 13251 13252 *Ulf Möller* 13253 13254 * Added support for proxy certificates according to RFC 3820. 
13255 Because they may be a security thread to unaware applications, 13256 they must be explicitly allowed in run-time. See 13257 docs/HOWTO/proxy_certificates.txt for further information. 13258 13259 *Richard Levitte* 13260 13261### Changes between 0.9.7e and 0.9.7f [22 Mar 2005] 13262 13263 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating 13264 server and client random values. Previously 13265 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in 13266 less random data when sizeof(time_t) > 4 (some 64 bit platforms). 13267 13268 This change has negligible security impact because: 13269 13270 1. Server and client random values still have 24 bytes of pseudo random 13271 data. 13272 13273 2. Server and client random values are sent in the clear in the initial 13274 handshake. 13275 13276 3. The master secret is derived using the premaster secret (48 bytes in 13277 size for static RSA ciphersuites) as well as client server and random 13278 values. 13279 13280 The OpenSSL team would like to thank the UK NISCC for bringing this issue 13281 to our attention. 13282 13283 *Stephen Henson, reported by UK NISCC* 13284 13285 * Use Windows randomness collection on Cygwin. 13286 13287 *Ulf Möller* 13288 13289 * Fix hang in EGD/PRNGD query when communication socket is closed 13290 prematurely by EGD/PRNGD. 13291 13292 *Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014* 13293 13294 * Prompt for pass phrases when appropriate for PKCS12 input format. 13295 13296 *Steve Henson* 13297 13298 * Back-port of selected performance improvements from development 13299 branch, as well as improved support for PowerPC platforms. 13300 13301 *Andy Polyakov* 13302 13303 * Add lots of checks for memory allocation failure, error codes to indicate 13304 failure and freeing up memory if a failure occurs. 13305 13306 *Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson* 13307 13308 * Add new -passin argument to dgst. 
13309 13310 *Steve Henson* 13311 13312 * Perform some character comparisons of different types in X509_NAME_cmp: 13313 this is needed for some certificates that re-encode DNs into UTF8Strings 13314 (in violation of RFC3280) and can't or won't issue name rollover 13315 certificates. 13316 13317 *Steve Henson* 13318 13319 * Make an explicit check during certificate validation to see that 13320 the CA setting in each certificate on the chain is correct. As a 13321 side effect always do the following basic checks on extensions, 13322 not just when there's an associated purpose to the check: 13323 13324 - if there is an unhandled critical extension (unless the user 13325 has chosen to ignore this fault) 13326 - if the path length has been exceeded (if one is set at all) 13327 - that certain extensions fit the associated purpose (if one has 13328 been given) 13329 13330 *Richard Levitte* 13331 13332### Changes between 0.9.7d and 0.9.7e [25 Oct 2004] 13333 13334 * Avoid a race condition when CRLs are checked in a multi threaded 13335 environment. This would happen due to the reordering of the revoked 13336 entries during signature checking and serial number lookup. Now the 13337 encoding is cached and the serial number sort performed under a lock. 13338 Add new STACK function sk_is_sorted(). 13339 13340 *Steve Henson* 13341 13342 * Add Delta CRL to the extension code. 13343 13344 *Steve Henson* 13345 13346 * Various fixes to s3_pkt.c so alerts are sent properly. 13347 13348 *David Holmes <d.holmes@f5.com>* 13349 13350 * Reduce the chances of duplicate issuer name and serial numbers (in 13351 violation of RFC3280) using the OpenSSL certificate creation utilities. 13352 This is done by creating a random 64 bit value for the initial serial 13353 number when a serial number file is created or when a self signed 13354 certificate is created using 'openssl req -x509'. 
The initial serial 13355 number file is created using 'openssl x509 -next_serial' in CA.pl 13356 rather than being initialized to 1. 13357 13358 *Steve Henson* 13359 13360### Changes between 0.9.7c and 0.9.7d [17 Mar 2004] 13361 13362 * Fix null-pointer assignment in do_change_cipher_spec() revealed 13363 by using the Codenomicon TLS Test Tool ([CVE-2004-0079]) 13364 13365 *Joe Orton, Steve Henson* 13366 13367 * Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites 13368 ([CVE-2004-0112]) 13369 13370 *Joe Orton, Steve Henson* 13371 13372 * Make it possible to have multiple active certificates with the same 13373 subject in the CA index file. This is done only if the keyword 13374 'unique_subject' is set to 'no' in the main CA section (default 13375 if 'CA_default') of the configuration file. The value is saved 13376 with the database itself in a separate index attribute file, 13377 named like the index file with '.attr' appended to the name. 13378 13379 *Richard Levitte* 13380 13381 * X509 verify fixes. Disable broken certificate workarounds when 13382 X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if 13383 keyUsage extension present. Don't accept CRLs with unhandled critical 13384 extensions: since verify currently doesn't process CRL extensions this 13385 rejects a CRL with *any* critical extensions. Add new verify error codes 13386 for these cases. 13387 13388 *Steve Henson* 13389 13390 * When creating an OCSP nonce use an OCTET STRING inside the extnValue. 13391 A clarification of RFC2560 will require the use of OCTET STRINGs and 13392 some implementations cannot handle the current raw format. Since OpenSSL 13393 copies and compares OCSP nonces as opaque blobs without any attempt at 13394 parsing them this should not create any compatibility issues. 13395 13396 *Steve Henson* 13397 13398 * New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when 13399 calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). 
Without 13400 this HMAC (and other) operations are several times slower than OpenSSL 13401 < 0.9.7. 13402 13403 *Steve Henson* 13404 13405 * Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). 13406 13407 *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>* 13408 13409 * Use the correct content when signing type "other". 13410 13411 *Steve Henson* 13412 13413### Changes between 0.9.7b and 0.9.7c [30 Sep 2003] 13414 13415 * Fix various bugs revealed by running the NISCC test suite: 13416 13417 Stop out of bounds reads in the ASN1 code when presented with 13418 invalid tags (CVE-2003-0543 and CVE-2003-0544). 13419 13420 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]). 13421 13422 If verify callback ignores invalid public key errors don't try to check 13423 certificate signature with the NULL public key. 13424 13425 *Steve Henson* 13426 13427 * New -ignore_err option in ocsp application to stop the server 13428 exiting on the first error in a request. 13429 13430 *Steve Henson* 13431 13432 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate 13433 if the server requested one: as stated in TLS 1.0 and SSL 3.0 13434 specifications. 13435 13436 *Steve Henson* 13437 13438 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional 13439 extra data after the compression methods not only for TLS 1.0 13440 but also for SSL 3.0 (as required by the specification). 13441 13442 *Bodo Moeller; problem pointed out by Matthias Loepfe* 13443 13444 * Change X509_certificate_type() to mark the key as exported/exportable 13445 when it's 512 *bits* long, not 512 bytes. 13446 13447 *Richard Levitte* 13448 13449 * Change AES_cbc_encrypt() so it outputs exact multiple of 13450 blocks during encryption. 13451 13452 *Richard Levitte* 13453 13454 * Various fixes to base64 BIO and non blocking I/O. On write 13455 flushes were not handled properly if the BIO retried. On read 13456 data was not being buffered properly and had various logic bugs. 
13457 This also affects blocking I/O when the data being decoded is a 13458 certain size. 13459 13460 *Steve Henson* 13461 13462 * Various S/MIME bugfixes and compatibility changes: 13463 output correct application/pkcs7 MIME type if 13464 PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. 13465 Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening 13466 of files as .eml work). Correctly handle very long lines in MIME 13467 parser. 13468 13469 *Steve Henson* 13470 13471### Changes between 0.9.7a and 0.9.7b [10 Apr 2003] 13472 13473 * Countermeasure against the Klima-Pokorny-Rosa extension of 13474 Bleichbacher's attack on PKCS #1 v1.5 padding: treat 13475 a protocol version number mismatch like a decryption error 13476 in ssl3_get_client_key_exchange (ssl/s3_srvr.c). 13477 13478 *Bodo Moeller* 13479 13480 * Turn on RSA blinding by default in the default implementation 13481 to avoid a timing attack. Applications that don't want it can call 13482 RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. 13483 They would be ill-advised to do so in most cases. 13484 13485 *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller* 13486 13487 * Change RSA blinding code so that it works when the PRNG is not 13488 seeded (in this case, the secret RSA exponent is abused as 13489 an unpredictable seed -- if it is not unpredictable, there 13490 is no point in blinding anyway). Make RSA blinding thread-safe 13491 by remembering the creator's thread ID in rsa->blinding and 13492 having all other threads use local one-time blinding factors 13493 (this requires more computation than sharing rsa->blinding, but 13494 avoids excessive locking; and if an RSA object is not shared 13495 between threads, blinding will still be very fast). 13496 13497 *Bodo Moeller* 13498 13499 * Fixed a typo bug that would cause ENGINE_set_default() to set an 13500 ENGINE as defaults for all supported algorithms irrespective of 13501 the 'flags' parameter. 
'flags' is now honoured, so applications 13502 should make sure they are passing it correctly. 13503 13504 *Geoff Thorpe* 13505 13506 * Target "mingw" now allows native Windows code to be generated in 13507 the Cygwin environment as well as with the MinGW compiler. 13508 13509 *Ulf Moeller* 13510 13511### Changes between 0.9.7 and 0.9.7a [19 Feb 2003] 13512 13513 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked 13514 via timing by performing a MAC computation even if incorrect 13515 block cipher padding has been found. This is a countermeasure 13516 against active attacks where the attacker has to distinguish 13517 between bad padding and a MAC verification error. ([CVE-2003-0078]) 13518 13519 *Bodo Moeller; problem pointed out by Brice Canvel (EPFL), 13520 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and 13521 Martin Vuagnoux (EPFL, Ilion)* 13522 13523 * Make the no-err option work as intended. The intention with no-err 13524 is not to have the whole error stack handling routines removed from 13525 libcrypto, it's only intended to remove all the function name and 13526 reason texts, thereby removing some of the footprint that may not 13527 be interesting if those errors aren't displayed anyway. 13528 13529 NOTE: it's still possible for any application or module to have its 13530 own set of error texts inserted. The routines are there, just not 13531 used by default when no-err is given. 13532 13533 *Richard Levitte* 13534 13535 * Add support for FreeBSD on IA64. 13536 13537 *dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454* 13538 13539 * Adjust DES_cbc_cksum() so it returns the same value as the MIT 13540 Kerberos function mit_des_cbc_cksum(). Before this change, 13541 the value returned by DES_cbc_cksum() was like the one from 13542 mit_des_cbc_cksum(), except the bytes were swapped. 13543 13544 *Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte* 13545 13546 * Allow an application to disable the automatic SSL chain building. 
13547 Before this a rather primitive chain build was always performed in 13548 ssl3_output_cert_chain(): an application had no way to send the 13549 correct chain if the automatic operation produced an incorrect result. 13550 13551 Now the chain builder is disabled if either: 13552 13553 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). 13554 13555 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. 13556 13557 The reasoning behind this is that an application would not want the 13558 auto chain building to take place if extra chain certificates are 13559 present and it might also want a means of sending no additional 13560 certificates (for example the chain has two certificates and the 13561 root is omitted). 13562 13563 *Steve Henson* 13564 13565 * Add the possibility to build without the ENGINE framework. 13566 13567 *Steven Reddie <smr@essemer.com.au> via Richard Levitte* 13568 13569 * Under Win32 gmtime() can return NULL: check return value in 13570 OPENSSL_gmtime(). Add error code for case where gmtime() fails. 13571 13572 *Steve Henson* 13573 13574 * DSA routines: under certain error conditions uninitialized BN objects 13575 could be freed. Solution: make sure initialization is performed early 13576 enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>, 13577 Nils Larsch <nla@trustcenter.de> via PR#459) 13578 13579 *Lutz Jaenicke* 13580 13581 * Another fix for SSLv2 session ID handling: the session ID was incorrectly 13582 checked on reconnect on the client side, therefore session resumption 13583 could still fail with a "ssl session id is different" error. This 13584 behaviour is masked when SSL_OP_ALL is used due to 13585 SSL_OP_MICROSOFT_SESS_ID_BUG being set. 13586 Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as 13587 followup to PR #377. 
13588 13589 *Lutz Jaenicke* 13590 13591 * IA-32 assembler support enhancements: unified ELF targets, support 13592 for SCO/Caldera platforms, fix for Cygwin shared build. 13593 13594 *Andy Polyakov* 13595 13596 * Add support for FreeBSD on sparc64. As a consequence, support for 13597 FreeBSD on non-x86 processors is separate from x86 processors on 13598 the config script, much like the NetBSD support. 13599 13600 *Richard Levitte & Kris Kennaway <kris@obsecurity.org>* 13601 13602### Changes between 0.9.6h and 0.9.7 [31 Dec 2002] 13603 13604[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after 13605OpenSSL 0.9.7.] 13606 13607 * Fix session ID handling in SSLv2 client code: the SERVER FINISHED 13608 code (06) was taken as the first octet of the session ID and the last 13609 octet was ignored consequently. As a result SSLv2 client side session 13610 caching could not have worked due to the session ID mismatch between 13611 client and server. 13612 Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as 13613 PR #377. 13614 13615 *Lutz Jaenicke* 13616 13617 * Change the declaration of needed Kerberos libraries to use EX_LIBS 13618 instead of the special (and badly supported) LIBKRB5. LIBKRB5 is 13619 removed entirely. 13620 13621 *Richard Levitte* 13622 13623 * The hw_ncipher.c engine requires dynamic locks. Unfortunately, it 13624 seems that in spite of existing for more than a year, many application 13625 author have done nothing to provide the necessary callbacks, which 13626 means that this particular engine will not work properly anywhere. 13627 This is a very unfortunate situation which forces us, in the name 13628 of usability, to give the hw_ncipher.c a static lock, which is part 13629 of libcrypto. 13630 NOTE: This is for the 0.9.7 series ONLY. This hack will never 13631 appear in 0.9.8 or later. 
We EXPECT application authors to have 13632 dealt properly with this when 0.9.8 is released (unless we actually 13633 make such changes in the libcrypto locking code that changes will 13634 have to be made anyway). 13635 13636 *Richard Levitte* 13637 13638 * In asn1_d2i_read_bio() repeatedly call BIO_read() until all content 13639 octets have been read, EOF or an error occurs. Without this change 13640 some truncated ASN1 structures will not produce an error. 13641 13642 *Steve Henson* 13643 13644 * Disable Heimdal support, since it hasn't been fully implemented. 13645 Still give the possibility to force the use of Heimdal, but with 13646 warnings and a request that patches get sent to openssl-dev. 13647 13648 *Richard Levitte* 13649 13650 * Add the VC-CE target, introduce the WINCE sysname, and add 13651 INSTALL.WCE and appropriate conditionals to make it build. 13652 13653 *Steven Reddie <smr@essemer.com.au> via Richard Levitte* 13654 13655 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and 13656 cygssl-x.y.z.dll, where x, y and z are the major, minor and 13657 edit numbers of the version. 13658 13659 *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte* 13660 13661 * Introduce safe string copy and catenation functions 13662 (BUF_strlcpy() and BUF_strlcat()). 13663 13664 *Ben Laurie (CHATS) and Richard Levitte* 13665 13666 * Avoid using fixed-size buffers for one-line DNs. 13667 13668 *Ben Laurie (CHATS)* 13669 13670 * Add BUF_MEM_grow_clean() to avoid information leakage when 13671 resizing buffers containing secrets, and use where appropriate. 13672 13673 *Ben Laurie (CHATS)* 13674 13675 * Avoid using fixed size buffers for configuration file location. 13676 13677 *Ben Laurie (CHATS)* 13678 13679 * Avoid filename truncation for various CA files. 13680 13681 *Ben Laurie (CHATS)* 13682 13683 * Use sizeof in preference to magic numbers. 13684 13685 *Ben Laurie (CHATS)* 13686 13687 * Avoid filename truncation in cert requests. 
13688 13689 *Ben Laurie (CHATS)* 13690 13691 * Add assertions to check for (supposedly impossible) buffer 13692 overflows. 13693 13694 *Ben Laurie (CHATS)* 13695 13696 * Don't cache truncated DNS entries in the local cache (this could 13697 potentially lead to a spoofing attack). 13698 13699 *Ben Laurie (CHATS)* 13700 13701 * Fix various buffers to be large enough for hex/decimal 13702 representations in a platform independent manner. 13703 13704 *Ben Laurie (CHATS)* 13705 13706 * Add CRYPTO_realloc_clean() to avoid information leakage when 13707 resizing buffers containing secrets, and use where appropriate. 13708 13709 *Ben Laurie (CHATS)* 13710 13711 * Add BIO_indent() to avoid much slightly worrying code to do 13712 indents. 13713 13714 *Ben Laurie (CHATS)* 13715 13716 * Convert sprintf()/BIO_puts() to BIO_printf(). 13717 13718 *Ben Laurie (CHATS)* 13719 13720 * buffer_gets() could terminate with the buffer only half 13721 full. Fixed. 13722 13723 *Ben Laurie (CHATS)* 13724 13725 * Add assertions to prevent user-supplied crypto functions from 13726 overflowing internal buffers by having large block sizes, etc. 13727 13728 *Ben Laurie (CHATS)* 13729 13730 * New OPENSSL_assert() macro (similar to assert(), but enabled 13731 unconditionally). 13732 13733 *Ben Laurie (CHATS)* 13734 13735 * Eliminate unused copy of key in RC4. 13736 13737 *Ben Laurie (CHATS)* 13738 13739 * Eliminate unused and incorrectly sized buffers for IV in pem.h. 13740 13741 *Ben Laurie (CHATS)* 13742 13743 * Fix off-by-one error in EGD path. 13744 13745 *Ben Laurie (CHATS)* 13746 13747 * If RANDFILE path is too long, ignore instead of truncating. 13748 13749 *Ben Laurie (CHATS)* 13750 13751 * Eliminate unused and incorrectly sized X.509 structure 13752 CBCParameter. 13753 13754 *Ben Laurie (CHATS)* 13755 13756 * Eliminate unused and dangerous function knumber(). 13757 13758 *Ben Laurie (CHATS)* 13759 13760 * Eliminate unused and dangerous structure, KSSL_ERR. 
   *Ben Laurie (CHATS)*

 * Protect against overlong session ID context length in an encoded
   session object. Since these are local, this does not appear to be
   exploitable.

   *Ben Laurie (CHATS)*

 * Change from security patch (see 0.9.6e below) that did not affect
   the 0.9.6 release series:

   Remote buffer overflow in SSL3 protocol - an attacker could
   supply an oversized master key in Kerberos-enabled versions.
   ([CVE-2002-0657])

   *Ben Laurie (CHATS)*

 * Change the SSL kerb5 codes to match RFC 2712.

   *Richard Levitte*

 * Make -nameopt work fully for req and add -reqopt switch.

   *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*

 * The "block size" for block ciphers in CFB and OFB mode should be 1.

   *Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>*

 * Make sure tests can be performed even if the corresponding algorithms
   have been removed entirely. This was also the last step to make
   OpenSSL compilable with DJGPP under all reasonable conditions.

   *Richard Levitte, Doug Kaufman <dkaufman@rahul.net>*

 * Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
   to allow version independent disabling of normally unselected ciphers,
   which may be activated as a side-effect of selecting a single cipher.

   (E.g., cipher list string "RSA" enables ciphersuites that are left
   out of "ALL" because they do not provide symmetric encryption.
   "RSA:!COMPLEMENTOFALL" avoids these unsafe ciphersuites.)

   *Lutz Jaenicke, Bodo Moeller*

 * Add appropriate support for separate platform-dependent build
   directories. The recommended way to make a platform-dependent
   build directory is the following (tested on Linux), maybe with
   some local tweaks:

       # Place yourself outside of the OpenSSL source tree. In
       # this example, the environment variable OPENSSL_SOURCE
       # is assumed to contain the absolute OpenSSL source directory.
       mkdir -p objtree/"$(uname -s)-$(uname -r)-$(uname -m)"
       cd objtree/"$(uname -s)-$(uname -r)-$(uname -m)"
       (cd "$OPENSSL_SOURCE" && find . -type f) | while read -r F; do
           mkdir -p "$(dirname "$F")"
           ln -s "$OPENSSL_SOURCE/$F" "$F"
       done

   To be absolutely sure not to disturb the source tree, a "make clean"
   is a good thing. If it isn't successful, don't worry about it,
   it probably means the source directory is very clean.

   *Richard Levitte*

 * Make sure any ENGINE control commands make local copies of string
   pointers passed to them whenever necessary. Otherwise it is possible
   the caller may have overwritten (or deallocated) the original string
   data when a later ENGINE operation tries to use the stored values.

   *Götz Babin-Ebell <babinebell@trustcenter.de>*

 * Improve diagnostics in file reading and command-line digests.

   *Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>*

 * Add AES modes CFB and OFB to the object database. Correct an
   error in AES-CFB decryption.

   *Richard Levitte*

 * Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c; this
   allows existing EVP_CIPHER_CTX structures to be reused after
   calling `EVP_*Final()`. This behaviour is used by encryption
   BIOs and some applications. This has the side effect that
   applications must explicitly clean up cipher contexts with
   EVP_CIPHER_CTX_cleanup() or they will leak memory.

   *Steve Henson*

 * Check the values of dna and dnb in bn_mul_recursive before calling
   bn_mul_comba (a non-zero value means the a or b arrays do not contain
   n2 elements) and fall back to bn_mul_normal if either is not zero.

   *Steve Henson*

 * Fix escaping of non-ASCII characters when using the -subj option
   of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)

   *Lutz Jaenicke*

 * Make object definitions compliant to LDAP (RFC2256): SN is the short
   form for "surname", serialNumber has no short form.
   Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
   therefore remove "mail" short name for "internet 7".
   The OID for unique identifiers in X509 certificates is
   x500UniqueIdentifier, not uniqueIdentifier.
   Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)

   *Lutz Jaenicke*

 * Add an "init" command to the ENGINE config module and auto initialize
   ENGINEs. Without any "init" command the ENGINE will be initialized
   after all ctrl commands have been executed on it. If init=1 the
   ENGINE is initialized at that point (ctrls before that point are run
   on the uninitialized ENGINE and after on the initialized one). If
   init=0 then the ENGINE will not be initialized at all.

   *Steve Henson*

 * Fix the 'app_verify_callback' interface so that the user-defined
   argument is actually passed to the callback: In the
   SSL_CTX_set_cert_verify_callback() prototype, the callback
   declaration has been changed from

           int (*cb)()

   into

           int (*cb)(X509_STORE_CTX *,void *);

   in ssl_verify_cert_chain (ssl/ssl_cert.c), the call

           i=s->ctx->app_verify_callback(&ctx)

   has been changed into

           i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).

   To update applications using SSL_CTX_set_cert_verify_callback(),
   a dummy argument can be added to their callback functions.

   *D. K. Smetters <smetters@parc.xerox.com>*

 * Added the '4758cca' ENGINE to support IBM 4758 cards.

   *Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe*

 * Add an OPENSSL_LOAD_CONF define which will cause
   OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
   This allows older applications to transparently support certain
   OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
   Two new functions OPENSSL_add_all_algorithms_noconf() which will never
   load the config file and OPENSSL_add_all_algorithms_conf() which will
   always load it have also been added.

   *Steve Henson*

 * Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
   Adjust NIDs and EVP layer.

   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*

 * Config modules support in openssl utility.

   Most commands now load modules from the config file,
   though in a few (such as version) this isn't done
   because it couldn't be used for anything.

   In the case of ca and req the config file used is
   the same as the utility itself: that is the -config
   command line option can be used to specify an
   alternative file.

   *Steve Henson*

 * Move default behaviour from OPENSSL_config(). If appname is NULL
   use "openssl_conf"; if filename is NULL use the default openssl config
   file.

   *Steve Henson*

 * Add an argument to OPENSSL_config() to allow the use of an alternative
   config section name. Add a new flag to tolerate a missing config file
   and move code to CONF_modules_load_file().
   *Steve Henson*

 * Support for crypto accelerator cards from Accelerated Encryption
   Processing, www.aep.ie. (Use engine 'aep')
   The support was copied from 0.9.6c [engine] and adapted/corrected
   to work with the new engine framework.

   *AEP Inc. and Richard Levitte*

 * Support for SureWare crypto accelerator cards from Baltimore
   Technologies. (Use engine 'sureware')
   The support was copied from 0.9.6c [engine] and adapted
   to work with the new engine framework.

   *Richard Levitte*

 * Make the CHIL engine fork-safe (as defined by nCipher) and actually
   make the newer ENGINE framework commands for the CHIL engine work.

   *Toomas Kiisk <vix@cyber.ee> and Richard Levitte*

 * Make it possible to produce shared libraries on ReliantUNIX.

   *Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte*

 * Add the configuration target debug-linux-ppro.
   Make 'openssl rsa' use the general key loading routines
   implemented in `apps.c`, and make those routines able to
   handle the key format FORMAT_NETSCAPE and the variant
   FORMAT_IISSGC.

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Fix a crash bug and a logic bug in hwcrhk_load_pubkey().

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Add -keyform to rsautl, and document -engine.

   *Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>*

 * Change BIO_new_file (crypto/bio/bss_file.c) to use new
   BIO_R_NO_SUCH_FILE error code rather than the generic
   ERR_R_SYS_LIB error code if fopen() fails with ENOENT.

   *Ben Laurie*

 * Add new functions

           ERR_peek_last_error
           ERR_peek_last_error_line
           ERR_peek_last_error_line_data.

   These are similar to

           ERR_peek_error
           ERR_peek_error_line
           ERR_peek_error_line_data,

   but report on the latest error recorded rather than the first one
   still in the error queue.

   *Ben Laurie, Bodo Moeller*

 * default_algorithms option in ENGINE config module. This allows things
   like:

           default_algorithms = ALL
           default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS

   *Steve Henson*

 * Preliminary ENGINE config module.

   *Steve Henson*

 * New experimental application configuration code.

   *Steve Henson*

 * Change the AES code to follow the same name structure as all other
   symmetric ciphers, and behave the same way. Move everything to
   the directory crypto/aes, thereby obsoleting crypto/rijndael.

   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*

 * SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.

   *Ben Laurie and Theo de Raadt*

 * Add option to output public keys in req command.

   *Massimiliano Pala madwolf@openca.org*

 * Use wNAFs in EC_POINTs_mul() for improved efficiency
   (up to about 10% better than before for P-192 and P-224).

   *Bodo Moeller*

 * New functions/macros

           SSL_CTX_set_msg_callback(ctx, cb)
           SSL_CTX_set_msg_callback_arg(ctx, arg)
           SSL_set_msg_callback(ssl, cb)
           SSL_set_msg_callback_arg(ssl, arg)

   to request calling a callback function

           void cb(int write_p, int version, int content_type,
                   const void *buf, size_t len, SSL *ssl, void *arg)

   whenever a protocol message has been completely received
   (write_p == 0) or sent (write_p == 1). Here 'version' is the
   protocol version according to which the SSL library interprets
   the current protocol message (SSL2_VERSION, SSL3_VERSION, or
   TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or
   the content type as defined in the SSL 3.0/TLS 1.0 protocol
   specification (change_cipher_spec(20), alert(21), handshake(22)).
   'buf' and 'len' point to the actual message, 'ssl' to the
   SSL object, and 'arg' is the application-defined value set by
   SSL[_CTX]_set_msg_callback_arg().

   'openssl s_client' and 'openssl s_server' have new '-msg' options
   to enable a callback that displays all protocol messages.

   *Bodo Moeller*

 * Change the shared library support so shared libraries are built as
   soon as the corresponding static library is finished, and thereby get
   openssl and the test programs linked against the shared library.
   This still only happens when the keyword "shared" has been given to
   the configuration scripts.

   NOTE: shared library support is still an experimental thing, and
   backward binary compatibility is still not guaranteed.

   *"Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte*

 * Add support for Subject Information Access extension.

   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*

 * Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
   additional bytes when new memory had to be allocated, not just
   when reusing an existing buffer.

   *Bodo Moeller*

 * New command line and configuration option 'utf8' for the req command.
   This allows field values to be specified as UTF8 strings.

   *Steve Henson*

 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
   runs for the former and machine-readable output for the latter.

   *Ben Laurie*

 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
   of the e-mail address in the DN (i.e., it will go into a certificate
   extension only). The new configuration file option 'email_in_dn = no'
   has the same effect.

   *Massimiliano Pala madwolf@openca.org*

 * Change all functions with names starting with `des_` to be starting
   with `DES_` instead. Add wrappers that are compatible with libdes,
   but are named `_ossl_old_des_*`. Finally, add macros that map the
   `des_*` symbols to the corresponding `_ossl_old_des_*` if libdes
   compatibility is desired. If OpenSSL 0.9.6c compatibility is
   desired, the `des_*` symbols will be mapped to `DES_*`, with one
   exception.

   Since we provide two compatibility mappings, the user needs to
   define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
   compatibility is desired. The default (i.e., when that macro
   isn't defined) is OpenSSL 0.9.6c compatibility.

   There are also macros that enable and disable the support of old
   des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
   and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
   are defined, the default will apply: to support the old des routines.

   In either case, one must include openssl/des.h to get the correct
   definitions. Do not try to just include openssl/des_old.h, that
   won't work.

   NOTE: This is a major break of an old API into a new one. Software
   authors are encouraged to switch to the `DES_` style functions. Some
   time in the future, des_old.h and the libdes compatibility functions
   will be disabled (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
   default), and then completely removed.

   *Richard Levitte*

 * Test for certificates which contain unsupported critical extensions.
   If such a certificate is found during a verify operation it is
   rejected by default: this behaviour can be overridden by either
   handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
   by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
   X509_supported_extension() has also been added which returns 1 if a
   particular extension is supported.

   *Steve Henson*

 * Modify the behaviour of EVP cipher functions in a similar way to
   digests to retain compatibility with existing code.

   *Steve Henson*

 * Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
   compatibility with existing code. In particular the 'ctx' parameter does
   not have to be initialized before the call to EVP_DigestInit() and
   it is tidied up after a call to EVP_DigestFinal(). New function
   EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
   EVP_MD_CTX_copy() changed to not require the destination to be
   initialized valid and new function EVP_MD_CTX_copy_ex() added which
   requires the destination to be valid.

   Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
   EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().

   *Steve Henson*

 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
   so that complete 'Handshake' protocol structures are kept in memory
   instead of overwriting 'msg_type' and 'length' with 'body' data.

   *Bodo Moeller*

 * Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.

   *Massimo Santin via Richard Levitte*

 * Major restructuring to the underlying ENGINE code. This includes
   reduction of linker bloat, separation of pure "ENGINE" manipulation
   (initialisation, etc) from functionality dealing with implementations
   of specific crypto interfaces. This change also introduces integrated
   support for symmetric ciphers and digest implementations - so ENGINEs
   can now accelerate these by providing EVP_CIPHER and EVP_MD
   implementations of their own. This is detailed in
   [crypto/engine/README.md](crypto/engine/README.md)
   as it couldn't be adequately described here. However, there are a few
   API changes worth noting - some RSA, DSA, DH, and RAND functions that
   were changed in the original introduction of ENGINE code have now
   reverted back - the hooking from this code to ENGINE is now a good
   deal more passive and at run-time, operations deal directly with
   RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
   dereferencing through an ENGINE pointer any more. Also, the ENGINE
   functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
   they were not being used by the framework as there is no concept of a
   BIGNUM_METHOD and they could not be generalised to the new
   'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
   ENGINE_cpy() has been removed as it cannot be consistently defined in
   the new code.

   *Geoff Thorpe*

 * Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.

   *Steve Henson*

 * Change mkdef.pl to sort symbols that get the same entry number,
   and make sure the automatically generated functions `ERR_load_*`
   become part of libeay.num as well.

   *Richard Levitte*

 * New function SSL_renegotiate_pending(). This returns true once
   renegotiation has been requested (either SSL_renegotiate() call
   or HelloRequest/ClientHello received from the peer) and becomes
   false once a handshake has been completed.
   (For servers, SSL_renegotiate() followed by SSL_do_handshake()
   sends a HelloRequest, but does not ensure that a handshake takes
   place. SSL_renegotiate_pending() is useful for checking if the
   client has followed the request.)

   *Bodo Moeller*

 * New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
   By default, clients may request session resumption even during
   renegotiation (if session ID contexts permit); with this option,
   session resumption is possible only in the first handshake.

   SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes
   more bits available for options that should not be part of
   SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).

   *Bodo Moeller*

 * Add some demos for certificate and certificate request creation.

   *Steve Henson*

 * Make maximum certificate chain size accepted from the peer application
   settable (`SSL*_get/set_max_cert_list()`), as proposed by
   "Douglas E. Engert" <deengert@anl.gov>.

   *Lutz Jaenicke*

 * Add support for shared libraries for Unixware-7
   (Boyd Lynn Gerber <gerberb@zenez.com>).

   *Lutz Jaenicke*

 * Add a "destroy" handler to ENGINEs that allows structural cleanup to
   be done prior to destruction. Use this to unload error strings from
   ENGINEs that load their own error strings. NB: This adds two new API
   functions to "get" and "set" this destroy handler in an ENGINE.

   *Geoff Thorpe*

 * Alter all existing ENGINE implementations (except "openssl" and
   "openbsd") to dynamically instantiate their own error strings. This
   makes them more flexible to be built both as statically-linked ENGINEs
   and self-contained shared-libraries loadable via the "dynamic" ENGINE.
   Also, add stub code to each that makes building them as self-contained
   shared-libraries easier (see [README-Engine.md](README-Engine.md)).

   *Geoff Thorpe*

 * Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
   implementations into applications that are completely implemented in
   self-contained shared-libraries. The "dynamic" ENGINE exposes control
   commands that can be used to configure what shared-library to load and
   to control aspects of the way it is handled. Also, made an update to
   the [README-Engine.md](README-Engine.md) file
   that brings its information up-to-date and
   provides some information and instructions on the "dynamic" ENGINE
   (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).

   *Geoff Thorpe*

 * Make it possible to unload ranges of ERR strings with a new
   "ERR_unload_strings" function.

   *Geoff Thorpe*

 * Add a copy() function to EVP_MD.

   *Ben Laurie*

 * Make EVP_MD routines take a context pointer instead of just the
   md_data void pointer.

   *Ben Laurie*

 * Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
   that the digest can only process a single chunk of data
   (typically because it is provided by a piece of
   hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
   is only going to provide a single chunk of data, and hence the
   framework needn't accumulate the data for oneshot drivers.

   *Ben Laurie*

 * As with "ERR", make it possible to replace the underlying "ex_data"
   functions. This change also alters the storage and management of global
   ex_data state - it's now all inside ex_data.c and all "class" code (eg.
   RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
   index counters. The API functions that use this state have been changed
   to take a "class_index" rather than pointers to the class's local STACK
   and counter, and there is now an API function to dynamically create new
   classes. This centralisation allows us to (a) plug a lot of the
   thread-safety problems that existed, and (b) makes it possible to clean
   up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
   such data would previously have always leaked in application code and
   workarounds were in place to make the memory debugging turn a blind eye
   to it. Application code that doesn't use this new function will still
   leak as before, but their memory debugging output will announce it now
   rather than letting it slide.

   Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
   induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
   has a return value to indicate success or failure.

   *Geoff Thorpe*

 * Make it possible to replace the underlying "ERR" functions such that the
   global state (2 LHASH tables and 2 locks) is only used by the "default"
   implementation. This change also adds two functions to "get" and "set"
   the implementation prior to it being automatically set the first time
   any other ERR function takes place. Ie. an application can call "get",
   pass the return value to a module it has just loaded, and that module
   can call its own "set" function using that value. This means the
   module's "ERR" operations will use (and modify) the error state in the
   application and not in its own statically linked copy of OpenSSL code.

   *Geoff Thorpe*

 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
   reference counts.
   This performs normal REF_PRINT/REF_CHECK macros on
   the operation, and provides a more encapsulated way for external code
   (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
   to use these functions rather than manually incrementing the counts.

   Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".

   *Geoff Thorpe*

 * Add EVP test program.

   *Ben Laurie*

 * Add symmetric cipher support to ENGINE. Expect the API to change!

   *Ben Laurie*

 * New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
   X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
   X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
   These allow a CRL to be built without having to access X509_CRL fields
   directly. Modify 'ca' application to use new functions.

   *Steve Henson*

 * Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
   bug workarounds. Rollback attack detection is a security feature.
   The problem will only arise on OpenSSL servers when TLSv1 is not
   available (sslv3_server_method() or SSL_OP_NO_TLSv1).
   Software authors not wanting to support TLSv1 will have special reasons
   for their choice and can explicitly enable this option.

   *Bodo Moeller, Lutz Jaenicke*

 * Rationalise EVP so it can be extended: don't include a union of
   cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
   (similar to those existing for EVP_CIPHER_CTX).
   Usage example:

           EVP_MD_CTX md;

           EVP_MD_CTX_init(&md);             /* new function call */
           EVP_DigestInit(&md, EVP_sha1());
           EVP_DigestUpdate(&md, in, len);
           EVP_DigestFinal(&md, out, NULL);
           EVP_MD_CTX_cleanup(&md);          /* new function call */

   *Ben Laurie*

 * Make DES key schedule conform to the usual scheme, as well as
   correcting its structure. This means that calls to DES functions
   now have to pass a pointer to a des_key_schedule instead of a
   plain des_key_schedule (which was actually always a pointer
   anyway): E.g.,

           des_key_schedule ks;

           des_set_key_checked(..., &ks);
           des_ncbc_encrypt(..., &ks, ...);

   (Note that a later change renames 'des_...' into 'DES_...'.)

   *Ben Laurie*

 * Initial reduction of linker bloat: the use of some functions, such as
   PEM causes large amounts of unused functions to be linked in due to
   poor organisation. For example pem_all.c contains every PEM function
   which has a knock on effect of linking in large amounts of (unused)
   ASN1 code. Grouping together similar functions and splitting unrelated
   functions prevents this.

   *Steve Henson*

 * Cleanup of EVP macros.

   *Ben Laurie*

 * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
   correct `_ecb` suffix.

   *Ben Laurie*

 * Add initial OCSP responder support to ocsp application. The
   revocation information is handled using the text based index
   used by the ca application. The responder can either handle
   requests generated internally, supplied in files (for example
   via a CGI script) or using an internal minimal server.

   *Steve Henson*

 * Add configuration choices to get zlib compression for TLS.

   *Richard Levitte*

 * Changes to Kerberos SSL for RFC 2712 compliance:
   1. Implemented real KerberosWrapper, instead of just using
      KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
   2. Implemented optional authenticator field of KerberosWrapper.

   Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
   and authenticator structs; see crypto/krb5/.

   Generalized Kerberos calls to support multiple Kerberos libraries.

   *Vern Staats <staatsvr@asc.hpc.mil>, Jeffrey Altman <jaltman@columbia.edu>
   via Richard Levitte*

 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
   already does with RSA. testdsa.h now has 'priv_key/pub_key'
   values for each of the key sizes rather than having just
   parameters (and 'speed' generating keys each time).

   *Geoff Thorpe*

 * Speed up EVP routines.
   Before:

       encrypt
       type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
       des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
       des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
       des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
       decrypt
       des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
       des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
       des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k

   After:

       encrypt
       des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
       decrypt
       des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

   *Ben Laurie*

 * Added the OS2-EMX target.

   *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*

 * Rewrite commands to use `NCONF` routines instead of the old `CONF`.
   New functions to support `NCONF` routines in extension code.
   New function `CONF_set_nconf()`
   to allow functions which take an `NCONF` to also handle the old `LHASH`
   structure: this means that the old `CONF` compatible routines can be
   retained (in particular w.r.t. extensions) without having to duplicate the
   code.
   New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack.

   *Steve Henson*

 * Enhance the general user interface with mechanisms for inner control
   and with possibilities to have yes/no kind of prompts.

   *Richard Levitte*

 * Change all calls to low-level digest routines in the library and
   applications to use EVP. Add missing calls to HMAC_cleanup() and
   don't assume HMAC_CTX can be copied using memcpy().

   *Verdon Walker <VWalker@novell.com>, Steve Henson*

 * Add the possibility to control engines through control names but with
   arbitrary arguments instead of just a string.
   Change the key loaders to take a UI_METHOD instead of a callback
   function pointer. NOTE: this breaks binary compatibility with earlier
   versions of OpenSSL [engine].
   Adapt the nCipher code for these new conditions and add a card insertion
   callback.

   *Richard Levitte*

 * Enhance the general user interface with mechanisms to better support
   dialog box interfaces, application-defined prompts, the possibility
   to use defaults (for example default passwords from somewhere else)
   and interrupts/cancellations.

   *Richard Levitte*

 * Tidy up PKCS#12 attribute handling. Add support for the CSP name
   attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.

   *Steve Henson*

 * Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
   tidy up some unnecessarily weird code in 'sk_new()').

   *Geoff, reported by Diego Tartara <dtartara@novamens.com>*

 * Change the key loading routines for ENGINEs to use the same kind of
   callback (pem_password_cb) as all other routines that need this
   kind of callback.

   *Richard Levitte*

 * Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
   256 bit (=32 byte) keys. Of course seeding with more entropy bytes
   than this minimum value is recommended.

   *Lutz Jaenicke*

 * New random seeder for OpenVMS, using the system process statistics
   that are easily reachable.

   *Richard Levitte*

 * Windows apparently can't transparently handle global
   variables defined in DLLs. Initialisations such as:

           const ASN1_ITEM *it = &ASN1_INTEGER_it;

   won't compile. This is used by any applications that need to
   declare their own ASN1 modules. This was fixed by adding the option
   EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
   needed for static libraries under Win32.

   *Steve Henson*

 * New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
   setting of purpose and trust fields. New X509_STORE trust and
   purpose functions and tidy up setting in other SSL functions.

   *Steve Henson*

 * Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
   structure. These are inherited by X509_STORE_CTX when it is
   initialised. This allows various defaults to be set in the
   X509_STORE structure (such as flags for CRL checking and custom
   purpose or trust settings) for functions which only use X509_STORE_CTX
   internally such as S/MIME.

   Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
   trust settings if they are not set in X509_STORE. This allows X509_STORE
   purposes and trust (in S/MIME for example) to override any set by default.

   Add command line options for CRL checking to smime, s_client and s_server
   applications.

   *Steve Henson*

 * Initial CRL based revocation checking. If the CRL checking flag(s)
   are set then the CRL is looked up in the X509_STORE structure and
   its validity and signature checked, then if the certificate is found
   in the CRL the verify fails with a revoked error.

   Various new CRL related callbacks added to X509_STORE_CTX structure.

   Command line options added to 'verify' application to support this.

   This needs some additional work, such as being able to handle multiple
   CRLs with different times, extension based lookup (rather than just
   by subject name) and ultimately more complete V2 CRL extension
   handling.

   *Steve Henson*

 * Add a general user interface API (crypto/ui/). This is designed
   to replace things like des_read_password and friends (backward
   compatibility functions using this new API are provided).
   The purpose is to remove prompting functions from the DES code
   section as well as provide for prompting through dialog boxes in
   a window system and the like.

   *Richard Levitte*

 * Add "ex_data" support to ENGINE so implementations can add state at a
   per-structure level rather than having to store it globally.

   *Geoff*

 * Make it possible for ENGINE structures to be copied when retrieved by
   ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
   This causes the "original" ENGINE structure to act like a template,
   analogous to the RSA vs. RSA_METHOD type of separation. Because of this
   operational state can be localised to each ENGINE structure, despite the
   fact they all share the same "methods". New ENGINE structures returned in
   this case have no functional references and the return value is the single
   structural reference. This matches the single structural reference returned
   by ENGINE_by_id() normally, when it is incremented on the pre-existing
   ENGINE structure.

   *Geoff*

 * Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
   needs to match any other type at all we need to manually clear the
   tag cache.

   *Steve Henson*

 * Changes to the "openssl engine" utility to include:
   - verbosity levels ('-v', '-vv', and '-vvv') that provide information
     about an ENGINE's available control commands.
   - executing control commands from command line arguments using the
     '-pre' and '-post' switches. '-post' is only used if '-t' is
     specified and the ENGINE is successfully initialised. The syntax for
     the individual commands is colon-separated, for example:

         openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so

   *Geoff*

 * New dynamic control command support for ENGINEs. ENGINEs can now
   declare their own commands (numbers), names (strings), descriptions,
   and input types for run-time discovery by calling applications. A
   subset of these commands are implicitly classed as "executable"
   depending on their input type, and only these can be invoked through
   the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
   can be based on user input, config files, etc). The distinction is
   that "executable" commands cannot return anything other than a boolean
   result and can only support numeric or string input, whereas some
   discoverable commands may only be for direct use through
   ENGINE_ctrl(), eg. supporting the exchange of binary data, function
   pointers, or other custom uses. The "executable" commands are to
   support parameterisations of ENGINE behaviour that can be
   unambiguously defined by ENGINEs and used consistently across any
   OpenSSL-based application.
Commands have been added to all the 14637 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow 14638 control over shared-library paths without source code alterations. 14639 14640 *Geoff* 14641 14642 * Changed all ENGINE implementations to dynamically allocate their 14643 ENGINEs rather than declaring them statically. Apart from this being 14644 necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, 14645 this also allows the implementations to compile without using the 14646 internal engine_int.h header. 14647 14648 *Geoff* 14649 14650 * Minor adjustment to "rand" code. RAND_get_rand_method() now returns a 14651 'const' value. Any code that should be able to modify a RAND_METHOD 14652 should already have non-const pointers to it (ie. they should only 14653 modify their own ones). 14654 14655 *Geoff* 14656 14657 * Made a variety of little tweaks to the ENGINE code. 14658 - "atalla" and "ubsec" string definitions were moved from header files 14659 to C code. "nuron" string definitions were placed in variables 14660 rather than hard-coded - allowing parameterisation of these values 14661 later on via ctrl() commands. 14662 - Removed unused "#if 0"'d code. 14663 - Fixed engine list iteration code so it uses ENGINE_free() to release 14664 structural references. 14665 - Constified the RAND_METHOD element of ENGINE structures. 14666 - Constified various get/set functions as appropriate and added 14667 missing functions (including a catch-all ENGINE_cpy that duplicates 14668 all ENGINE values onto a new ENGINE except reference counts/state). 14669 - Removed NULL parameter checks in get/set functions. Setting a method 14670 or function to NULL is a way of cancelling out a previously set 14671 value. Passing a NULL ENGINE parameter is just plain stupid anyway 14672 and doesn't justify the extra error symbols and code. 14673 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for 14674 flags from engine_int.h to engine.h. 
14675 - Changed prototypes for ENGINE handler functions (init(), finish(), 14676 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. 14677 14678 *Geoff* 14679 14680 * Implement binary inversion algorithm for BN_mod_inverse in addition 14681 to the algorithm using long division. The binary algorithm can be 14682 used only if the modulus is odd. On 32-bit systems, it is faster 14683 only for relatively small moduli (roughly 20-30% for 128-bit moduli, 14684 roughly 5-15% for 256-bit moduli), so we use it only for moduli 14685 up to 450 bits. In 64-bit environments, the binary algorithm 14686 appears to be advantageous for much longer moduli; here we use it 14687 for moduli up to 2048 bits. 14688 14689 *Bodo Moeller* 14690 14691 * Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code 14692 could not support the combine flag in choice fields. 14693 14694 *Steve Henson* 14695 14696 * Add a 'copy_extensions' option to the 'ca' utility. This copies 14697 extensions from a certificate request to the certificate. 14698 14699 *Steve Henson* 14700 14701 * Allow multiple 'certopt' and 'nameopt' options to be separated 14702 by commas. Add 'namopt' and 'certopt' options to the 'ca' config 14703 file: this allows the display of the certificate about to be 14704 signed to be customised, to allow certain fields to be included 14705 or excluded and extension details. The old system didn't display 14706 multicharacter strings properly, omitted fields not in the policy 14707 and couldn't display additional details such as extensions. 14708 14709 *Steve Henson* 14710 14711 * Function EC_POINTs_mul for multiple scalar multiplication 14712 of an arbitrary number of elliptic curve points 14713 \sum scalars[i]*points[i], 14714 optionally including the generator defined for the EC_GROUP: 14715 scalar*generator + \sum scalars[i]*points[i]. 
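The two entries above, the binary inversion algorithm behind BN_mod_inverse and the multi-scalar sum computed by EC_POINTs_mul, share one added worked example in C. It is not OpenSSL code: it implements the binary (shift-and-subtract) inverse for odd moduli beside the extended-Euclid ("long division") inverse, dispatches on the parity of the modulus exactly as the entry states, and then uses that inverse for affine point arithmetic to compute scalar*G + \sum scalars[i]*points[i]. The curve y^2 = x^3 + 2x + 3 over GF(97) with generator (3, 6) of order 5 is a constructed textbook-size example, and every function name is an assumption of this example.

```c
/* Added example, not OpenSSL code: binary vs. Euclidean modular inversion and
 * the EC_POINTs_mul-style sum  scalar*G + sum_i scalars[i]*points[i]  on a
 * constructed toy curve. Function names and the curve are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint64_t submod(uint64_t a, uint64_t b, uint64_t m) { return a >= b ? a - b : a + (m - b); }
static uint64_t addmod(uint64_t a, uint64_t b, uint64_t m) { return submod(a, m - b, m); }
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {   /* shift-and-add, no 128-bit product */
    uint64_t r = 0;
    for (a %= m, b %= m; b; b >>= 1, a = addmod(a, a, m))
        if (b & 1) r = addmod(r, a, m);
    return r;
}

/* Binary (right-shift) inversion: a^-1 mod m for odd m > 1, using only halvings,
 * subtractions and compares. Invariant: x1*a == u, x2*a == v (mod m). 0 = no inverse. */
uint64_t binary_mod_inverse(uint64_t a, uint64_t m) {
    if ((m & 1) == 0 || m == 1) return 0;          /* even modulus: caller must use Euclid */
    a %= m;
    if (a == 0) return 0;
    uint64_t u = a, v = m, x1 = 1, x2 = 0;
    while (u != 1 && v != 1) {
        while ((u & 1) == 0) {                     /* halve u; halve x1 mod m ((x1+m)/2 if odd) */
            u >>= 1;
            x1 = (x1 & 1) ? (x1 >> 1) + (m >> 1) + 1 : x1 >> 1;
        }
        while ((v & 1) == 0) {
            v >>= 1;
            x2 = (x2 & 1) ? (x2 >> 1) + (m >> 1) + 1 : x2 >> 1;
        }
        if (u >= v) { u -= v; x1 = submod(x1, x2, m); }
        else        { v -= u; x2 = submod(x2, x1, m); }
        if (u == 0 || v == 0) return 0;            /* gcd(a, m) > 1: not invertible */
    }
    return u == 1 ? x1 : x2;
}

/* Extended Euclid ("long division" method): any m > 1; only a's coefficient is kept, mod m. */
uint64_t euclid_mod_inverse(uint64_t a, uint64_t m) {
    if (m < 2) return 0;
    uint64_t r0 = m, r1 = a % m, t0 = 0, t1 = 1;
    while (r1 != 0) {
        uint64_t q = r0 / r1, r2 = r0 - q * r1;
        uint64_t t2 = submod(t0, mulmod(q, t1, m), m);
        r0 = r1; r1 = r2; t0 = t1; t1 = t2;
    }
    return r0 == 1 ? t0 : 0;
}

uint64_t mod_inverse(uint64_t a, uint64_t m) {      /* the entry's rule: binary only for odd moduli */
    return (m & 1) ? binary_mod_inverse(a, m) : euclid_mod_inverse(a, m);
}

/* Constructed toy curve y^2 = x^3 + A*x + 3 over GF(P), affine coordinates. */
typedef struct { uint64_t x, y; int inf; } ec_point;   /* inf != 0: the point at infinity */
static const uint64_t P = 97, A = 2;
static const ec_point G = { 3, 6, 0 };                 /* generator, order 5 */

ec_point ec_add(ec_point p, ec_point q) {
    ec_point r = { 0, 0, 1 };
    if (p.inf) return q;
    if (q.inf) return p;
    uint64_t lambda;
    if (p.x == q.x) {
        if (p.y != q.y || p.y == 0) return r;          /* q == -p: infinity */
        uint64_t num = addmod(mulmod(3, mulmod(p.x, p.x, P), P), A, P);     /* 3x^2 + A */
        lambda = mulmod(num, mod_inverse(addmod(p.y, p.y, P), P), P);       /* / 2y */
    } else {
        lambda = mulmod(submod(q.y, p.y, P), mod_inverse(submod(q.x, p.x, P), P), P);
    }
    r.inf = 0;
    r.x = submod(submod(mulmod(lambda, lambda, P), p.x, P), q.x, P);
    r.y = submod(mulmod(lambda, submod(p.x, r.x, P), P), p.y, P);
    return r;
}

ec_point ec_mul(uint64_t k, ec_point p) {              /* plain double-and-add */
    ec_point r = { 0, 0, 1 };
    for (; k; k >>= 1, p = ec_add(p, p))
        if (k & 1) r = ec_add(r, p);
    return r;
}

/* scalar*G + sum_i scalars[i]*points[i]; scalar == 0 leaves the generator out. */
ec_point ec_points_mul(uint64_t scalar, size_t n, const uint64_t *scalars, const ec_point *points) {
    ec_point acc = ec_mul(scalar, G);
    for (size_t i = 0; i < n; i++)
        acc = ec_add(acc, ec_mul(scalars[i], points[i]));
    return acc;
}

int main(void) {
    uint64_t s[1] = { 2 };
    ec_point r = ec_points_mul(1, 1, s, &G);           /* 1*G + 2*G = 3*G = (80, 87) */
    printf("3*G = (%llu, %llu)\n", (unsigned long long)r.x, (unsigned long long)r.y);
    return 0;
}
```

With P odd, every inverse inside ec_add() goes through binary_mod_inverse(); the hand-checked values on this curve are 2G = (80, 10), 3G = (80, 87) and 5G = O, so 1*G + 2*G and 2*G + 3*G exercise both the generator term and the sum. A production implementation would also validate that input points lie on the curve and use constant-time arithmetic; neither is attempted here.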

   EC_POINT_mul is a simple wrapper function for the typical case
   that the point list has just one item (besides the optional
   generator).

   *Bodo Moeller*

 * First EC_METHODs for curves over GF(p):

   EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
   operations and provides various method functions that can also
   operate with faster implementations of modular arithmetic.

   EC_GFp_mont_method() reuses most functions that are part of
   EC_GFp_simple_method, but uses Montgomery arithmetic.

   *Bodo Moeller; point addition and point doubling
   implementation directly derived from source code provided by
   Lenka Fibikova <fibikova@exp-math.uni-essen.de>*

 * Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
   crypto/ec/ec_lib.c):

   Curves are EC_GROUP objects (with an optional group generator)
   based on EC_METHODs that are built into the library.

   Points are EC_POINT objects based on EC_GROUP objects.

   Most of the framework would be able to handle curves over arbitrary
   finite fields, but as there are no obvious types for fields other
   than GF(p), some functions are limited to that for now.

   *Bodo Moeller*

 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
   that the file contains a complete HTTP response.

   *Richard Levitte*

 * Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
   change the def and num file printf format specifier from "%-40sXXX"
   to "%-39s XXX". The latter will always guarantee a space after the
   field while the former will cause them to run together if the field
   is 40 or more characters long.

   *Steve Henson*

 * Constify the cipher and digest 'method' functions and structures
   and modify related functions to take constant EVP_MD and EVP_CIPHER
   pointers.

   *Steve Henson*

 * Hide BN_CTX structure details in bn_lcl.h instead of publishing them
   in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32.

   *Bodo Moeller*

 * Modify `EVP_Digest*()` routines so they now return values. Although the
   internal software routines can never fail additional hardware versions
   might.

   *Steve Henson*

 * Clean up crypto/err/err.h and change some error codes to avoid conflicts:

   Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
   (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.

   ASN1 error codes

       ERR_R_NESTED_ASN1_ERROR
       ...
       ERR_R_MISSING_ASN1_EOS

   were 4 .. 9, conflicting with

       ERR_LIB_RSA (= ERR_R_RSA_LIB)
       ...
       ERR_LIB_PEM (= ERR_R_PEM_LIB).

   They are now 58 .. 63 (i.e., just below ERR_R_FATAL).

   Add new error code 'ERR_R_INTERNAL_ERROR'.

   *Bodo Moeller*

 * Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
   suffices.

   *Bodo Moeller*

 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
   sets the subject name for a new request or supersedes the
   subject name in a given request. Formats that can be parsed are

       'CN=Some Name, OU=myOU, C=IT'

   and

       'CN=Some Name/OU=myOU/C=IT'.

   Add options '-batch' and '-verbose' to 'openssl req'.

   *Massimiliano Pala <madwolf@hackmasters.net>*

 * Introduce the possibility to access global variables through
   functions on platforms where that's the best way to handle exporting
   global variables in shared libraries. To enable this functionality,
   one must configure with "EXPORT_VAR_AS_FN" or define the C macro
   "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
   is normally done by Configure or something similar).

   To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
   in the source file (foo.c) like this:

       OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
       OPENSSL_IMPLEMENT_GLOBAL(double,bar);

   To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
   and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:

       OPENSSL_DECLARE_GLOBAL(int,foo);
       #define foo OPENSSL_GLOBAL_REF(foo)
       OPENSSL_DECLARE_GLOBAL(double,bar);
       #define bar OPENSSL_GLOBAL_REF(bar)

   The #defines are very important, and therefore so is including the
   header file everywhere where the defined globals are used.

   The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
   of ASN.1 items, but that structure is a bit different.

   The largest change is in util/mkdef.pl which has been enhanced with
   better and easier to understand logic to choose which symbols should
   go into the Windows .def files as well as a number of fixes and code
   cleanup (among others, algorithm keywords are now sorted
   lexicographically to avoid constant rewrites).

   *Richard Levitte*

 * In BN_div() keep a copy of the sign of 'num' before writing the
   result to 'rm' because if rm==num the value will be overwritten
   and produce the wrong result if 'num' is negative: this caused
   problems with BN_mod() and BN_nnmod().

   *Steve Henson*

 * Function OCSP_request_verify(). This checks the signature on an
   OCSP request and verifies the signer certificate. The signer
   certificate is just checked for a generic purpose and OCSP request
   trust settings.

   *Steve Henson*

 * Add OCSP_check_validity() function to check the validity of OCSP
   responses. OCSP responses are prepared in real time and may only
   be a few seconds old. Simply checking that the current time lies
   between thisUpdate and nextUpdate may reject otherwise valid responses
   caused by either OCSP responder or client clock inaccuracy. Instead
   we allow thisUpdate and nextUpdate to fall within a certain period of
   the current time. The age of the response can also optionally be
   checked. Two new options -validity_period and -status_age added to
   ocsp utility.

   *Steve Henson*

 * If signature or public key algorithm is unrecognized print out its
   OID rather than just UNKNOWN.

   *Steve Henson*

 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
   OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
   ID to be generated from the issuer certificate alone which can then be
   passed to OCSP_id_issuer_cmp().

   *Steve Henson*

 * New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
   ASN1 modules to export functions returning ASN1_ITEM pointers
   instead of the ASN1_ITEM structures themselves. This adds several
   new macros which allow the underlying ASN1 function/structure to
   be accessed transparently. As a result code should not use ASN1_ITEM
   references directly (such as &X509_it) but instead use the relevant
   macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
   use of the new ASN1 code on platforms where exporting structures
   is problematical (for example in shared libraries) but exporting
   functions returning pointers to structures is not.

   *Steve Henson*

 * Add support for overriding the generation of SSL/TLS session IDs.
   These callbacks can be registered either in an SSL_CTX or per SSL.
   The purpose of this is to allow applications to control, if they wish,
   the arbitrary values chosen for use as session IDs, particularly as it
   can be useful for session caching in multiple-server environments. A
   command-line switch for testing this (and any client code that wishes
   to use such a feature) has been added to "s_server".

   *Geoff Thorpe, Lutz Jaenicke*

 * Modify mkdef.pl to recognise and parse preprocessor conditionals
   of the form `#if defined(...) || defined(...) || ...` and
   `#if !defined(...) && !defined(...) && ...`. This also avoids
   the growing number of special cases it was previously handling.

   *Richard Levitte*

 * Make all configuration macros available for application by making
   sure they are available in opensslconf.h, by giving them names starting
   with `OPENSSL_` to avoid conflicts with other packages and by making
   sure e_os2.h will cover all platform-specific cases together with
   opensslconf.h.
   Additionally, it is now possible to define configuration/platform-
   specific names (called "system identities"). In the C code, these
   are prefixed with `OPENSSL_SYSNAME_`. e_os2.h will create another
   macro with the name beginning with `OPENSSL_SYS_`, which is determined
   from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
   what is available.

   *Richard Levitte*

 * New option -set_serial to 'req' and 'x509': this allows the serial
   number to use to be specified on the command line. Previously self
   signed certificates were hard coded with serial number 0 and the
   CA options of 'x509' had to use a serial number in a file which was
   auto incremented.

   *Steve Henson*

 * New options to 'ca' utility to support V2 CRL entry extensions.
   Currently CRL reason, invalidity date and hold instruction are
   supported. Add new CRL extensions to V3 code and some new objects.

   *Steve Henson*

 * New function EVP_CIPHER_CTX_set_padding(): this is used to
   disable standard block padding (aka PKCS#5 padding) in the EVP
   API, which was previously mandatory. This means that the data is
   not padded in any way and so the total length must be a multiple
   of the block size, otherwise an error occurs.

   *Steve Henson*

 * Initial (incomplete) OCSP SSL support.

   *Steve Henson*

 * New function OCSP_parse_url(). This splits up a URL into its host,
   port and path components: primarily to parse OCSP URLs. New -url
   option to ocsp utility.

   *Steve Henson*

 * New nonce behavior. The return value of OCSP_check_nonce() now
   reflects the various checks performed. Applications can decide
   whether to tolerate certain situations such as an absent nonce
   in a response when one was present in a request: the ocsp application
   just prints out a warning. New function OCSP_add1_basic_nonce():
   this is to allow responders to include a nonce in a response even if
   the request is nonce-less.

   *Steve Henson*

 * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are
   skipped when using openssl x509 multiple times on a single input file,
   e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.

   *Bodo Moeller*

 * Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
   set string type: to handle setting ASN1_TIME structures. Fix ca
   utility to correctly initialize revocation date of CRLs.

   *Steve Henson*

 * New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
   the client's preferred ciphersuites and rather use its own preferences.
   Should help to work around M$ SGC (Server Gated Cryptography) bug in
   Internet Explorer by ensuring unchanged hash method during stepup.
   (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)

   *Lutz Jaenicke*

 * Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
   to aes and add a new 'exist' option to print out symbols that don't
   appear to exist.

   *Steve Henson*

 * Additional options to ocsp utility to allow flags to be set and
   additional certificates supplied.

   *Steve Henson*

 * Add the option -VAfile to 'openssl ocsp', so the user can give the
   OCSP client a number of certificates to only verify the response
   signature against.

   *Richard Levitte*

 * Update Rijndael code to version 3.0 and change EVP AES ciphers to
   handle the new API. Currently only ECB, CBC modes supported. Add new
   AES OIDs.

   Add TLS AES ciphersuites as described in RFC3268, "Advanced
   Encryption Standard (AES) Ciphersuites for Transport Layer
   Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were
   not enabled by default and were not part of the "ALL" ciphersuite
   alias because they were not yet official; they could be
   explicitly requested by specifying the "AESdraft" ciphersuite
   group alias. In the final release of OpenSSL 0.9.7, the group
   alias is called "AES" and is part of "ALL".)

   *Ben Laurie, Steve Henson, Bodo Moeller*

 * New function OCSP_copy_nonce() to copy nonce value (if present) from
   request to response.

   *Steve Henson*

 * Functions for OCSP responders. OCSP_request_onereq_count(),
   OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
   extract information from a certificate request. OCSP_response_create()
   creates a response and optionally adds a basic response structure.
   OCSP_basic_add1_status() adds a complete single response to a basic
   response and returns the OCSP_SINGLERESP structure just added (to allow
   extensions to be included for example). OCSP_basic_add1_cert() adds a
   certificate to a basic response and OCSP_basic_sign() signs a basic
   response with various flags. New helper functions ASN1_TIME_check()
   (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
   (converts ASN1_TIME to GeneralizedTime).

   *Steve Henson*

 * Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
   in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
   structure from a certificate. X509_pubkey_digest() digests the public_key
   contents: this is used in various key identifiers.

   *Steve Henson*

 * Make sk_sort() tolerate a NULL argument.

   *Steve Henson, reported by Massimiliano Pala <madwolf@comune.modena.it>*

 * New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
   passed by the function are trusted implicitly. If any of them signed the
   response then it is assumed to be valid and is not verified.

   *Steve Henson*

 * In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
   to data. This was previously part of the PKCS7 ASN1 code. This
   was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.

   *Steve Henson, reported by Kenneth R. Robinette
   <support@securenetterm.com>*

 * Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
   routines: without these tracing memory leaks is very painful.
   Fix leaks in PKCS12 and PKCS7 routines.

   *Steve Henson*

 * Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
   Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
   effectively meant GeneralizedTime would never be used. Now it
   is initialised to -1 but X509_time_adj() now has to check the value
   and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
   V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.

   *Steve Henson, reported by Kenneth R. Robinette
   <support@securenetterm.com>*

 * Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
   result in a zero length in the ASN1_INTEGER structure which was
   not consistent with the structure when d2i_ASN1_INTEGER() was used
   and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
   to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
   where it did not print out a minus for negative ASN1_INTEGER.

   *Steve Henson*

 * Add summary printout to ocsp utility. The various functions which
   convert status values to strings have been renamed to:
   OCSP_response_status_str(), OCSP_cert_status_str() and
   OCSP_crl_reason_str() and are no longer static. New options
   to verify nonce values and to disable verification. OCSP response
   printout format cleaned up.

   *Steve Henson*

 * Add additional OCSP certificate checks. These are those specified
   in RFC2560. This consists of two separate checks: the CA of the
   certificate being checked must either be the OCSP signer certificate
   or the issuer of the OCSP signer certificate. In the latter case the
   OCSP signer certificate must contain the OCSP signing extended key
   usage. This check is performed by attempting to match the OCSP
   signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
   in the OCSP_CERTID structures of the response.
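The OCSP_parse_url() and OCSP_check_validity() entries earlier in this section, as one added example in C that is not OpenSSL code: a responder URL is split into host, port and path, refusing anything it cannot parse unambiguously, and a response's thisUpdate/nextUpdate pair is judged against the client's clock with a tolerated skew and an optional maximum age, the way the entry describes. The struct, function and flag names are assumptions of this example, and the URL and timestamps used are constructed.

```c
/* Added example, not OpenSSL code: a minimal OCSP client's two bookkeeping
 * checks in the shape of the OCSP_parse_url() and OCSP_check_validity()
 * entries. Names are hypothetical; times are plain time_t values. */
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef struct { char host[128]; int port; char path[256]; int ssl; } ocsp_url;

/* Split "http://host[:port]/path" (or https://) into components. Returns 1 on
 * success, 0 on anything malformed: unknown scheme, empty host, userinfo or
 * IPv6 literal (rejected rather than misparsed), bad port, junk after port. */
int parse_ocsp_url(const char *url, ocsp_url *out) {
    const char *p;
    memset(out, 0, sizeof *out);
    if (strncmp(url, "http://", 7) == 0)       { p = url + 7; out->ssl = 0; out->port = 80; }
    else if (strncmp(url, "https://", 8) == 0) { p = url + 8; out->ssl = 1; out->port = 443; }
    else return 0;
    size_t hostlen = strcspn(p, ":/");
    if (hostlen == 0 || hostlen >= sizeof out->host || *p == '[' || memchr(p, '@', hostlen))
        return 0;
    memcpy(out->host, p, hostlen);
    out->host[hostlen] = '\0';
    p += hostlen;
    if (*p == ':') {                                   /* explicit port: decimal, 1..65535 */
        long port = 0;
        int digits = 0;
        for (p++; *p >= '0' && *p <= '9'; p++, digits++) {
            port = port * 10 + (*p - '0');
            if (port > 65535) return 0;
        }
        if (digits == 0 || port == 0) return 0;
        out->port = (int)port;
    }
    if (*p == '\0') { strcpy(out->path, "/"); return 1; }   /* no path given: default to "/" */
    if (*p != '/' || strlen(p) >= sizeof out->path) return 0;
    strcpy(out->path, p);
    return 1;
}

/* Reasons a response's validity window is rejected (bit flags, 0 == accept). */
enum {
    RESP_NOT_YET_VALID   = 1,   /* thisUpdate is further in the future than the skew allows */
    RESP_TOO_OLD         = 2,   /* thisUpdate is older than the caller's maximum age */
    RESP_EXPIRED         = 4,   /* nextUpdate is further in the past than the skew allows */
    RESP_WINDOW_INVERTED = 8    /* nextUpdate precedes thisUpdate */
};

/* now: the verifier's clock; thisupd/nextupd: the response's thisUpdate and
 * nextUpdate (nextupd == 0 means absent); skew: tolerated clock difference in
 * seconds, so a response need not be strictly inside [thisUpdate, nextUpdate];
 * maxage: oldest acceptable thisUpdate in seconds, or -1 for no limit. */
int check_ocsp_validity(time_t now, time_t thisupd, time_t nextupd, long skew, long maxage) {
    int reasons = 0;
    if (thisupd > now + skew) reasons |= RESP_NOT_YET_VALID;
    if (maxage >= 0 && thisupd + maxage < now) reasons |= RESP_TOO_OLD;
    if (nextupd != 0) {
        if (nextupd + skew < now) reasons |= RESP_EXPIRED;
        if (nextupd < thisupd) reasons |= RESP_WINDOW_INVERTED;
    }
    return reasons;
}

int main(void) {
    ocsp_url u;
    if (parse_ocsp_url("http://ocsp.example.test:8080/status", &u))   /* constructed URL */
        printf("host=%s port=%d path=%s ssl=%d\n", u.host, u.port, u.path, u.ssl);
    time_t now = time(NULL);
    /* constructed response: produced a minute ago, valid for an hour; 5 min skew, 1 day max age */
    printf("validity reasons=%d\n", check_ocsp_validity(now, now - 60, now + 3600, 300, 86400));
    return 0;
}
```

Two separate knobs keep the two concerns apart: skew absorbs responder or client clock error in either direction, while maxage is the client's own freshness policy and is the only limit applied when a response carries no nextUpdate. The parser defaults the path to "/" and the port to the scheme's standard port, and returns 0 rather than a best guess for a host with userinfo or an IPv6 literal.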

   *Steve Henson*

 * Initial OCSP certificate verification added to OCSP_basic_verify()
   and related routines. This uses the standard OpenSSL certificate
   verify routines to perform initial checks (just CA validity) and
   to obtain the certificate chain. Then additional checks will be
   performed on the chain. Currently the root CA is checked to see
   if it is explicitly trusted for OCSP signing. This is used to set
   a root CA as a global signing root: that is any certificate that
   chains to that CA is an acceptable OCSP signing certificate.

   *Steve Henson*

 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
   extensions from a separate configuration file.
   As when reading extensions from the main configuration file,
   the '-extensions ...' option may be used for specifying the
   section to use.

   *Massimiliano Pala <madwolf@comune.modena.it>*

 * New OCSP utility. Allows OCSP requests to be generated or
   read. The request can be sent to a responder and the output
   parsed, outputted or printed in text form. Not complete yet:
   still needs to check the OCSP response validity.

   *Steve Henson*

 * New subcommands for 'openssl ca':
   `openssl ca -status <serial>` prints the status of the cert with
   the given serial number (according to the index file).
   `openssl ca -updatedb` updates the expiry status of certificates
   in the index file.

   *Massimiliano Pala <madwolf@comune.modena.it>*

 * New '-newreq-nodes' command option to CA.pl. This is like
   '-newreq', but calls 'openssl req' with the '-nodes' option
   so that the resulting key is not encrypted.

   *Damien Miller <djm@mindrot.org>*

 * New configuration for the GNU Hurd.

   *Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte*

 * Initial code to implement OCSP basic response verify. This
   is currently incomplete. Currently just finds the signer's
   certificate and verifies the signature on the response.

   *Steve Henson*

 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
   value of OPENSSLDIR. This is available via the new '-d' option
   to 'openssl version', and is also included in 'openssl version -a'.

   *Bodo Moeller*

 * Allow defining memory allocation callbacks that will be given
   file name and line number information in additional arguments
   (a `const char*` and an int). The basic functionality remains, as
   well as the original possibility to just replace malloc(),
   realloc() and free() by functions that do not know about these
   additional arguments. To register and find out the current
   settings for extended allocation functions, the following
   functions are provided:

       CRYPTO_set_mem_ex_functions
       CRYPTO_set_locked_mem_ex_functions
       CRYPTO_get_mem_ex_functions
       CRYPTO_get_locked_mem_ex_functions

   These work the same way as CRYPTO_set_mem_functions and friends.
   `CRYPTO_get_[locked_]mem_functions` now writes 0 where such an
   extended allocation function is enabled.
   Similarly, `CRYPTO_get_[locked_]mem_ex_functions` writes 0 where
   a conventional allocation function is enabled.

   *Richard Levitte, Bodo Moeller*

 * Finish off removing the remaining LHASH function pointer casts.
   There should no longer be any prototype-casting required when using
   the LHASH abstraction, and any casts that remain are "bugs". See
   the callback types and macros at the head of lhash.h for details
   (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
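The memory-allocation callback entry above, as an added example in C that is not OpenSSL code: the point of handing an allocator the caller's file name and line number is that each live block can be recorded with where it came from, which is what makes a leak traceable to a line rather than to "somewhere". All names here (tracked_malloc, XMALLOC, live_report, and the rest) are assumptions of this example.

```c
/* Added example, not OpenSSL code: what "extended" allocation callbacks that
 * receive the caller's file and line are good for. Every live block is recorded
 * with its call site, so whatever was never freed can be listed with its origin.
 * Names (tracked_malloc, tracked_free, live_report, ...) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 256

typedef struct { void *ptr; size_t size; const char *file; int line; } live_block;
static live_block live[MAX_LIVE];
static size_t nlive;

/* Same contract as malloc(), plus the call site (the extra const char* and int). */
void *tracked_malloc(size_t num, const char *file, int line) {
    if (nlive == MAX_LIVE) return NULL;            /* table full: refuse rather than lose track */
    void *p = malloc(num);
    if (p == NULL) return NULL;
    live[nlive].ptr = p; live[nlive].size = num; live[nlive].file = file; live[nlive].line = line;
    nlive++;
    return p;
}

/* realloc() counterpart: the record follows the block to its new address. */
void *tracked_realloc(void *p, size_t num, const char *file, int line) {
    if (p == NULL) return tracked_malloc(num, file, line);
    for (size_t i = 0; i < nlive; i++) {
        if (live[i].ptr == p) {
            void *q = realloc(p, num);
            if (q == NULL) return NULL;            /* old block is still live and still recorded */
            live[i].ptr = q; live[i].size = num; live[i].file = file; live[i].line = line;
            return q;
        }
    }
    return NULL;                                   /* not ours: leave it alone */
}

/* Returns 1 if the block was known and freed, 0 for a foreign pointer or a double free. */
int tracked_free(void *p) {
    if (p == NULL) return 1;
    for (size_t i = 0; i < nlive; i++) {
        if (live[i].ptr == p) {
            live[i] = live[--nlive];               /* swap-remove */
            free(p);
            return 1;
        }
    }
    return 0;
}

/* Macros capture the call site, so application code writes XMALLOC(n) / XFREE(p). */
#define XMALLOC(n)     tracked_malloc((n), __FILE__, __LINE__)
#define XREALLOC(p, n) tracked_realloc((p), (n), __FILE__, __LINE__)
#define XFREE(p)       tracked_free(p)

size_t live_count(void) { return nlive; }

/* Lists every block still live, with where it was allocated; returns how many. */
size_t live_report(FILE *out) {
    for (size_t i = 0; i < nlive; i++)
        fprintf(out, "%zu bytes at %p, allocated at %s:%d, never freed\n",
                live[i].size, live[i].ptr, live[i].file, live[i].line);
    return nlive;
}

/* Demonstration: one of three blocks is "forgotten"; the report names its line. */
size_t demo_leak(void) {
    char *a = XMALLOC(16), *b = XMALLOC(32), *c = XMALLOC(64);
    b = XREALLOC(b, 48);                           /* the record follows the move */
    XFREE(a);
    XFREE(c);
    (void)b;                                       /* leaked on purpose */
    return live_report(stderr);
}

int main(void) {
    return demo_leak() == 1 ? 0 : 1;
}
```

The macros capture __FILE__ and __LINE__ at the call site, which is exactly the plumbing the extended callbacks receive; tracked_free() and tracked_realloc() refuse pointers they do not know about instead of passing them to the C library, so a double free or a foreign pointer shows up as a return value rather than as heap corruption.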
15195 15196 *Geoff Thorpe* 15197 15198 * Add automatic query of EGD sockets in RAND_poll() for the unix variant. 15199 If /dev/[u]random devices are not available or do not return enough 15200 entropy, EGD style sockets (served by EGD or PRNGD) will automatically 15201 be queried. 15202 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and 15203 /etc/entropy will be queried once each in this sequence, querying stops 15204 when enough entropy was collected without querying more sockets. 15205 15206 *Lutz Jaenicke* 15207 15208 * Change the Unix RAND_poll() variant to be able to poll several 15209 random devices, as specified by DEVRANDOM, until a sufficient amount 15210 of data has been collected. We spend at most 10 ms on each file 15211 (select timeout) and read in non-blocking mode. DEVRANDOM now 15212 defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom" 15213 (previously it was just the string "/dev/urandom"), so on typical 15214 platforms the 10 ms delay will never occur. 15215 Also separate out the Unix variant to its own file, rand_unix.c. 15216 For VMS, there's a currently-empty rand_vms.c. 15217 15218 *Richard Levitte* 15219 15220 * Move OCSP client related routines to ocsp_cl.c. These 15221 provide utility functions which an application needing 15222 to issue a request to an OCSP responder and analyse the 15223 response will typically need: as opposed to those which an 15224 OCSP responder itself would need which will be added later. 15225 15226 OCSP_request_sign() signs an OCSP request with an API similar 15227 to PKCS7_sign(). OCSP_response_status() returns status of OCSP 15228 response. OCSP_response_get1_basic() extracts basic response 15229 from response. OCSP_resp_find_status(): finds and extracts status 15230 information from an OCSP_CERTID structure (which will be created 15231 when the request structure is built). 
These are built from lower 15232 level functions which work on OCSP_SINGLERESP structures but 15233 won't normally be used unless the application wishes to examine 15234 extensions in the OCSP response for example. 15235 15236 Replace nonce routines with a pair of functions. 15237 OCSP_request_add1_nonce() adds a nonce value and optionally 15238 generates a random value. OCSP_check_nonce() checks the 15239 validity of the nonce in an OCSP response. 15240 15241 *Steve Henson* 15242 15243 * Change function OCSP_request_add() to OCSP_request_add0_id(). 15244 This doesn't copy the supplied OCSP_CERTID and avoids the 15245 need to free up the newly created id. Change return type 15246 to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. 15247 This can then be used to add extensions to the request. 15248 Deleted OCSP_request_new(), since most of its functionality 15249 is now in OCSP_REQUEST_new() (and the case insensitive name 15250 clash) apart from the ability to set the request name which 15251 will be added elsewhere. 15252 15253 *Steve Henson* 15254 15255 * Update OCSP API. Remove obsolete extensions argument from 15256 various functions. Extensions are now handled using the new 15257 OCSP extension code. New simple OCSP HTTP function which 15258 can be used to send requests and parse the response. 15259 15260 *Steve Henson* 15261 15262 * Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new 15263 ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN 15264 uses the special reorder version of SET OF to sort the attributes 15265 and reorder them to match the encoded order. This resolves a long 15266 standing problem: a verify on a PKCS7 structure just after signing 15267 it used to fail because the attribute order did not match the 15268 encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: 15269 it uses the received order. This is necessary to tolerate some broken 15270 software that does not order SET OF. 
   This is handled by encoding
   as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
   to produce the required SET OF.

   *Steve Henson*

 * Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
   OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
   files to get correct declarations of the ASN.1 item variables.

   *Richard Levitte*

 * Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
   PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
   asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
   NULL, and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
   New ASN1 macro: DECLARE_ASN1_ITEM(), which just declares the relevant
   ASN1_ITEM and no wrapper functions.

   *Steve Henson*

 * New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
   replace the old function-pointer-based I/O routines. Change most of
   the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.

   *Steve Henson*

 * Enhance mkdef.pl to be more accepting about spacing in C preprocessor
   lines, recognize more "algorithms" that can be deselected, and make
   it complain about algorithm deselection that isn't recognised.

   *Richard Levitte*

 * New ASN1 functions to handle dup, sign, verify, digest, pack and
   unpack operations in terms of ASN1_ITEM. Modify existing wrappers
   to use new functions. Add NO_ASN1_OLD which can be set to remove
   some old style ASN1 functions: this can be used to determine if old
   code will still work when these eventually go away.

   *Steve Henson*

 * New extension functions for OCSP structures; these follow the
   same conventions as certificates and CRLs.

   *Steve Henson*

 * New function X509V3_add1_i2d(). This automatically encodes and
   adds an extension.
   Its behaviour can be customised with various
   flags to append, replace or delete. Various wrappers added for
   certificates and CRLs.

   *Steve Henson*

 * Fix to avoid calling the underlying ASN1 print routine when
   an extension cannot be parsed. Correct a typo in the
   OCSP_SERVICELOC extension. Tidy up the OCSP print format.

   *Steve Henson*

 * Make mkdef.pl parse some of the ASN1 macros and add appropriate
   entries for variables.

   *Steve Henson*

 * Add functionality to `apps/openssl.c` for detecting locking
   problems: As the program is single-threaded, all we have
   to do is register a locking callback using an array for
   storing which locks are currently held by the program.

   *Bodo Moeller*

 * Use a lock around the call to CRYPTO_get_ex_new_index() in
   SSL_get_ex_data_X509_STORE_idx(), which is used in
   ssl_verify_cert_chain() and thus can be called at any time
   during TLS/SSL handshakes, so thread-safety is essential.
   Unfortunately, the ex_data design is not at all suited
   for multi-threaded use, so it probably should be abolished.

   *Bodo Moeller*

 * Added Broadcom "ubsec" ENGINE to OpenSSL.

   *Broadcom, tweaked and integrated by Geoff Thorpe*

 * Move common extension printing code to new function
   X509V3_print_extensions(). Reorganise OCSP print routines and
   implement some needed OCSP ASN1 functions. Add OCSP extensions.

   *Steve Henson*

 * New function X509_signature_print() to remove duplication in some
   print routines.

   *Steve Henson*

 * Add a special meaning when SET OF and SEQUENCE OF flags are both
   set (this was treated exactly the same as SET OF previously). This
   is used to reorder the STACK representing the structure to match the
   encoding.
   This will be used to get around a problem where a PKCS7
   structure which was signed could not be verified because the STACK
   order did not reflect the encoded order.

   *Steve Henson*

 * Reimplement the OCSP ASN1 module using the new code.

   *Steve Henson*

 * Update the X509V3 code to permit the use of an ASN1_ITEM structure
   for its ASN1 operations. The old style function pointers still exist
   for now but they will eventually go away.

   *Steve Henson*

 * Merge in replacement ASN1 code from the ASN1 branch. This almost
   completely replaces the old ASN1 functionality with a table-driven
   encoder and decoder which interprets an ASN1_ITEM structure describing
   the ASN1 module. Compatibility with the existing ASN1 API (i2d, d2i) is
   largely maintained. Almost all of the old asn1_mac.h macro-based ASN1
   has also been converted to the new form.

   *Steve Henson*

 * Change BN_mod_exp_recp so that negative moduli are tolerated
   (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
   so that BN_mod_exp_mont and BN_mod_exp_mont_word work
   for negative moduli.

   *Bodo Moeller*

 * Fix BN_uadd and BN_usub: Always return non-negative results instead
   of not touching the result's sign bit.

   *Bodo Moeller*

 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
   set.

   *Bodo Moeller*

 * Changed the LHASH code to use prototypes for callbacks, and created
   macros to declare and implement thin (optionally static) functions
   that provide type-safety and avoid function pointer casting for the
   type-specific callbacks.

   *Geoff Thorpe*

 * Added Kerberos Cipher Suites to be used with TLS, as written in
   RFC 2712.

   *Veers Staats <staatsvr@asc.hpc.mil>,
   Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte*

 * Reformat the FAQ so the different questions and answers can be divided
   into sections depending on the subject.

   *Richard Levitte*

 * Have the zlib compression code load ZLIB.DLL dynamically under
   Windows.

   *Richard Levitte*

 * New function BN_mod_sqrt for computing square roots modulo a prime
   (using the probabilistic Tonelli-Shanks algorithm unless
   p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
   be handled deterministically).

   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*

 * Make BN_mod_inverse faster by explicitly handling small quotients
   in the Euclid loop. (Speed gain about 20% for small moduli [256 or
   512 bits], about 30% for larger ones [1024 or 2048 bits].)

   *Bodo Moeller*

 * New function BN_kronecker.

   *Bodo Moeller*

 * Fix BN_gcd so that it works on negative inputs; the result is
   positive unless both parameters are zero.
   Previously something reasonably close to an infinite loop was
   possible because numbers could be growing instead of shrinking
   in the implementation of Euclid's algorithm.

   *Bodo Moeller*

 * Fix BN_is_word() and BN_is_one() macros to take into account the
   sign of the number in question.

   Fix BN_is_word(a,w) to work correctly for w == 0.

   The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
   because it tests whether the absolute value of 'a' equals 'w'.
   Note that BN_abs_is_word does *not* handle w == 0 reliably;
   it exists mostly for use in the implementations of BN_is_zero(),
   BN_is_one(), and BN_is_word().

   *Bodo Moeller*

 * New function BN_swap.

   *Bodo Moeller*

 * Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
   the exponentiation functions are more likely to produce reasonable
   results on negative inputs.

   *Bodo Moeller*

 * Change BN_mod_mul so that the result is always non-negative.
   Previously, it could be negative if one of the factors was negative;
   I don't think anyone really wanted that behaviour.

   *Bodo Moeller*

 * Move `BN_mod_...` functions into new file `crypto/bn/bn_mod.c`
   (except for exponentiation, which stays in `crypto/bn/bn_exp.c`,
   and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
   and add new functions:

        BN_nnmod
        BN_mod_sqr
        BN_mod_add
        BN_mod_add_quick
        BN_mod_sub
        BN_mod_sub_quick
        BN_mod_lshift1
        BN_mod_lshift1_quick
        BN_mod_lshift
        BN_mod_lshift_quick

   These functions always generate non-negative results.

   `BN_nnmod` is otherwise like `BN_mod` (if `BN_mod` computes a remainder `r`
   such that `-|m| < r < 0`, `BN_nnmod` will output `r + |m|` instead).

   `BN_mod_XXX_quick(r, a, [b,] m)` generates the same result as
   `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and `b`]
   be reduced modulo `m`.

   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*

<!--
   The following entry accidentally appeared in the CHANGES file
   distributed with OpenSSL 0.9.7. The modifications described in
   it do *not* apply to OpenSSL 0.9.7.

 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   was actually never needed) and in BN_mul().
   The removal in BN_mul()
   required a small change in bn_mul_part_recursive() and the addition
   of the functions bn_cmp_part_words(), bn_sub_part_words() and
   bn_add_part_words(), which do the same thing as bn_cmp_words(),
   bn_sub_words() and bn_add_words() except they take arrays with
   differing sizes.

   *Richard Levitte*
-->

 * In 'openssl passwd', verify passwords read from the terminal
   unless the '-salt' option is used (which usually means that
   verification would just waste the user's time since the resulting
   hash is going to be compared with some given password hash)
   or the new '-noverify' option is used.

   This is an incompatible change, but it does not affect
   non-interactive use of 'openssl passwd' (passwords on the command
   line, '-stdin' option, '-in ...' option) and thus should not
   cause any problems.

   *Bodo Moeller*

 * Remove all references to RSAref, since there's no more need for it.

   *Richard Levitte*

 * Make DSO load along a path given through an environment variable
   (SHLIB_PATH) with shl_load().

   *Richard Levitte*

 * Constify the ENGINE code as a result of BIGNUM constification.
   Also constify the RSA code and most things related to it. In a
   few places, most notably in the depths of the ASN.1 code, ugly
   casts back to non-const were required (to be solved at a later
   time).

   *Richard Levitte*

 * Make it so the openssl application has all engines loaded by default.

   *Richard Levitte*

 * Constify the BIGNUM routines a little more.

   *Richard Levitte*

 * Add the following functions:

        ENGINE_load_cswift()
        ENGINE_load_chil()
        ENGINE_load_atalla()
        ENGINE_load_nuron()
        ENGINE_load_builtin_engines()

   That way, an application can itself choose whether the external engines
   that are built into OpenSSL will ever be used or not. The benefit is
   that applications won't have to be linked with libdl or other DSO
   libraries unless that is really needed.

   Changed 'openssl engine' to load all engines on demand.
   Changed the engine header files to avoid the duplication of some
   declarations (they differed!).

   *Richard Levitte*

 * 'openssl engine' can now list capabilities.

   *Richard Levitte*

 * Better error reporting in 'openssl engine'.

   *Richard Levitte*

 * Never call load_dh_param(NULL) in s_server.

   *Bodo Moeller*

 * Add engine application. It can currently list engines by name and
   identity, and test if they are actually available.

   *Richard Levitte*

 * Improve RPM specification file by forcing symbolic linking and making
   sure the installed documentation is also owned by root.root.

   *Damien Miller <djm@mindrot.org>*

 * Give the OpenSSL applications more possibilities to make use of
   keys (public as well as private) handled by engines.

   *Richard Levitte*

 * Add OCSP code that comes from CertCo.

   *Richard Levitte*

 * Add VMS support for the Rijndael code.

   *Richard Levitte*

 * Added untested support for Nuron crypto accelerator.

   *Ben Laurie*

 * Add support for external cryptographic devices. This code was
   previously distributed separately as the "engine" branch.

   *Geoff Thorpe, Richard Levitte*

 * Rework the filename-translation in the DSO code.
   It is now possible to
   have far greater control over how a "name" is turned into a filename
   depending on the operating environment and any oddities about the
   different shared library filenames on each system.

   *Geoff Thorpe*

 * Support threads on FreeBSD-elf in Configure.

   *Richard Levitte*

 * Fix for SHA1 assembly problem with MASM: it produces
   warnings about corrupt line number information when assembling
   with debugging information. This is caused by the overlapping
   of two sections.

   *Bernd Matthes <mainbug@celocom.de>, Steve Henson*

 * NCONF changes.
   NCONF_get_number() has no error checking at all. As a replacement,
   NCONF_get_number_e() is defined (`_e` for "error checking") and is
   promoted strongly. The old NCONF_get_number is kept around for
   binary backward compatibility.
   Make it possible for methods to load from something other than a BIO,
   by providing a function pointer that is given a name instead of a BIO.
   For example, this could be used to load configuration data from an
   LDAP server.

   *Richard Levitte*

 * Fix for non-blocking accept BIOs. Added new I/O special reason
   BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
   with non-blocking I/O was not possible because no retry code was
   implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
   this case.

   *Steve Henson*

 * Added the beginnings of Rijndael support.

   *Ben Laurie*

 * Fix for bug in DirectoryString mask setting. Add support for
   X509_NAME_print_ex() in 'req' and an X509_print_ex() function
   to make certificate printing more controllable, and an additional
   'certopt' option to 'x509' to allow new printing options to be
   set.

   *Steve Henson*

 * Clean old EAY MD5 hack from e_os.h.

   *Richard Levitte*

### Changes between 0.9.6l and 0.9.6m [17 Mar 2004]

 * Fix null-pointer assignment in do_change_cipher_spec() revealed
   by using the Codenomicon TLS Test Tool ([CVE-2004-0079]).

   *Joe Orton, Steve Henson*

### Changes between 0.9.6k and 0.9.6l [04 Nov 2003]

 * Fix additional bug revealed by the NISCC test suite:

   Stop bug triggering large recursion when presented with
   certain ASN.1 tags ([CVE-2003-0851]).

   *Steve Henson*

### Changes between 0.9.6j and 0.9.6k [30 Sep 2003]

 * Fix various bugs revealed by running the NISCC test suite:

   Stop out-of-bounds reads in the ASN1 code when presented with
   invalid tags (CVE-2003-0543 and CVE-2003-0544).

   If the verify callback ignores invalid public key errors, don't try to
   check the certificate signature with the NULL public key.

   *Steve Henson*

 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   if the server requested one, as stated in the TLS 1.0 and SSL 3.0
   specifications.

   *Steve Henson*

 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   extra data after the compression methods not only for TLS 1.0
   but also for SSL 3.0 (as required by the specification).

   *Bodo Moeller; problem pointed out by Matthias Loepfe*

 * Change X509_certificate_type() to mark the key as exported/exportable
   when it's 512 *bits* long, not 512 bytes.

   *Richard Levitte*

### Changes between 0.9.6i and 0.9.6j [10 Apr 2003]

 * Countermeasure against the Klima-Pokorny-Rosa extension of
   Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
   a protocol version number mismatch like a decryption error
   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).

   *Bodo Moeller*

 * Turn on RSA blinding by default in the default implementation
   to avoid a timing attack. Applications that don't want it can call
   RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
   They would be ill-advised to do so in most cases.

   *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller*

 * Change RSA blinding code so that it works when the PRNG is not
   seeded (in this case, the secret RSA exponent is abused as
   an unpredictable seed -- if it is not unpredictable, there
   is no point in blinding anyway). Make RSA blinding thread-safe
   by remembering the creator's thread ID in rsa->blinding and
   having all other threads use local one-time blinding factors
   (this requires more computation than sharing rsa->blinding, but
   avoids excessive locking; and if an RSA object is not shared
   between threads, blinding will still be very fast).

   *Bodo Moeller*

### Changes between 0.9.6h and 0.9.6i [19 Feb 2003]

 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
   via timing by performing a MAC computation even if incorrect
   block cipher padding has been found. This is a countermeasure
   against active attacks where the attacker has to distinguish
   between bad padding and a MAC verification error. ([CVE-2003-0078])

   *Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
   Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
   Martin Vuagnoux (EPFL, Ilion)*

### Changes between 0.9.6g and 0.9.6h [5 Dec 2002]

 * New function OPENSSL_cleanse(), which is used to cleanse a section of
   memory from its contents. This is done with a counter that will
   place alternating values in each byte.
   This can be used to solve
   two issues: 1) the removal of calls to memset() by highly optimizing
   compilers, and 2) cleansing with values other than 0, since those can
   be read through on certain media, for example a swap space on disk.

   *Geoff Thorpe*

 * Bugfix: client-side session caching did not work with external caching,
   because the session->cipher setting was not restored when reloading
   from the external cache. This problem was masked when
   SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
   (Found by Steve Haslam <steve@araqnid.ddts.net>.)

   *Lutz Jaenicke*

 * Fix client_certificate (ssl/s2_clnt.c): The permissible total
   length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.

   *Zeev Lieber <zeev-l@yahoo.com>*

 * Undo an undocumented change introduced in 0.9.6e which caused
   repeated calls to OpenSSL_add_all_ciphers() and
   OpenSSL_add_all_digests() to be ignored, even after calling
   EVP_cleanup().

   *Richard Levitte*

 * Change the default configuration reader to deal with the last line not
   being properly terminated.

   *Richard Levitte*

 * Change X509_NAME_cmp() so it applies the special rules on handling
   DN values that are of type PrintableString, as well as RDNs of type
   emailAddress where the value has the type ia5String.

   *stefank@valicert.com via Richard Levitte*

 * Add an SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
   the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
   doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
   the bitwise-OR of the two for use by the majority of applications
   wanting this behaviour, and update the docs.
   The documented
   behaviour and actual behaviour were inconsistent and had been
   changing anyway, so this is more a bug-fix than a behavioural
   change.

   *Geoff Thorpe, diagnosed by Nadav Har'El*

 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
   (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).

   *Bodo Moeller*

 * Fix initialization code race conditions in
   SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
   SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
   SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
   TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
   ssl2_get_cipher_by_char(),
   ssl3_get_cipher_by_char().

   *Patrick McCormick <patrick@tellme.com>, Bodo Moeller*

 * Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
   the cached sessions are flushed, as the remove_cb() might use ex_data
   contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
   (see [openssl.org #212]).

   *Geoff Thorpe, Lutz Jaenicke*

 * Fix typo in OBJ_txt2obj which incorrectly passed the content
   length instead of the encoding length to d2i_ASN1_OBJECT.

   *Steve Henson*

### Changes between 0.9.6f and 0.9.6g [9 Aug 2002]

 * [In 0.9.6g-engine release:]
   Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use `_stdcall`).

   *Lynn Gazis <lgazis@rainbow.com>*

### Changes between 0.9.6e and 0.9.6f [8 Aug 2002]

 * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
   and fix the header length calculation.

   *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
   Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*

 * Use proper error handling instead of 'assertions' in buffer
   overflow checks added in 0.9.6e.
   This prevents DoS (the
   assertions could call abort()).

   *Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*

### Changes between 0.9.6d and 0.9.6e [30 Jul 2002]

 * Add various sanity checks to asn1_get_length() to reject
   the ASN1 length bytes if they exceed sizeof(long), would appear
   negative, or the content length exceeds the length of the
   supplied buffer.

   *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*

 * Fix cipher selection routines: ciphers without encryption had no flags
   for the cipher strength set and were therefore not handled correctly
   by the selection routines (PR #130).

   *Lutz Jaenicke*

 * Fix EVP_dsa_sha macro.

   *Nils Larsch*

 * New option
   SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
   for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
   that was added in OpenSSL 0.9.6d.

   As the countermeasure turned out to be incompatible with some
   broken SSL implementations, the new option is part of SSL_OP_ALL.
   SSL_OP_ALL is usually employed when compatibility with weird SSL
   implementations is desired (e.g. '-bugs' option to 's_client' and
   's_server'), so the new option is automatically set in many
   applications.

   *Bodo Moeller*

 * Changes in security patch:

   Changes marked "(CHATS)" were sponsored by the Defense Advanced
   Research Projects Agency (DARPA) and Air Force Research Laboratory,
   Air Force Materiel Command, USAF, under agreement number
   F30602-01-2-0537.

   * Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), would appear
     negative, or the content length exceeds the length of the
     supplied buffer.
     ([CVE-2002-0659])

     *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*

   * Assertions for various potential buffer overflows, not known to
     happen in practice.

     *Ben Laurie (CHATS)*

   * Various temporary buffers to hold ASCII versions of integers were
     too small for 64-bit platforms. ([CVE-2002-0655])

     *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*

   * Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized session ID to a client. ([CVE-2002-0656])

     *Ben Laurie (CHATS)*

   * Remote buffer overflow in SSL2 protocol - an attacker could
     supply an oversized client master key. ([CVE-2002-0656])

     *Ben Laurie (CHATS)*

### Changes between 0.9.6c and 0.9.6d [9 May 2002]

 * Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
   encoded as NULL) with id-dsa-with-sha1.

   *Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller*

 * Check various `X509_...()` return values in `apps/req.c`.

   *Nils Larsch <nla@trustcenter.de>*

 * Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
   an end-of-file condition would erroneously be flagged when the CRLF
   was just at the end of a processed block. The bug was discovered when
   processing data through a buffering memory BIO handing the data to a
   BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
   <ptsekov@syntrex.com> and Nedelcho Stanev.

   *Lutz Jaenicke*

 * Implement a countermeasure against a vulnerability recently found
   in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
   before application data chunks to avoid the use of known IVs
   with data potentially chosen by the attacker.

   *Bodo Moeller*

 * Fix length checks in ssl3_get_client_hello().
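The asn1_get_length() sanity checks listed in the two 0.9.6e entries above, as an added example in C that is not OpenSSL's own code: a DER length decoder that rejects a length field wider than a long, a value that would read as negative, and a content length beyond the supplied buffer. The function and status names are this example's own, and the sample inputs are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for der_get_length(); the names are this example's own. */
enum der_len_status {
    DER_LEN_OK = 0,
    DER_LEN_TRUNCATED,        /* buffer ends inside the length field */
    DER_LEN_INDEFINITE,       /* 0x80: indefinite form, not valid DER */
    DER_LEN_TOO_MANY_OCTETS,  /* more length octets than a long can hold */
    DER_LEN_NEGATIVE,         /* value would not fit a non-negative long */
    DER_LEN_OVERFLOWS_BUFFER  /* content length exceeds the supplied buffer */
};

/* Decode the DER length octets at *pp.  'limit' is the number of bytes
 * available from *pp to the end of the caller's buffer.  On success the
 * content length is stored in *plen and *pp is advanced to the content. */
enum der_len_status der_get_length(const unsigned char **pp, size_t limit, long *plen)
{
    const unsigned char *p = *pp;
    unsigned long acc = 0;
    size_t nbytes = 0, i;

    if (limit < 1)
        return DER_LEN_TRUNCATED;
    if (p[0] < 0x80) {                      /* short form: the octet is the length */
        acc = p[0];
    } else {                                /* long form: p[0] & 0x7f octets follow */
        nbytes = p[0] & 0x7f;
        if (nbytes == 0)
            return DER_LEN_INDEFINITE;
        if (nbytes > sizeof(long))          /* check 1: wider than a long */
            return DER_LEN_TOO_MANY_OCTETS;
        if (limit - 1 < nbytes)
            return DER_LEN_TRUNCATED;
        for (i = 0; i < nbytes; i++)
            acc = (acc << 8) | p[1 + i];
        if (acc > (unsigned long)LONG_MAX)  /* check 2: would read as negative */
            return DER_LEN_NEGATIVE;
    }
    limit -= 1 + nbytes;
    if (acc > limit)                        /* check 3: content past the buffer end */
        return DER_LEN_OVERFLOWS_BUFFER;
    *plen = (long)acc;
    *pp = p + 1 + nbytes;
    return DER_LEN_OK;
}

/* Wrappers over a buffer that starts with the length octets. */
enum der_len_status der_length_status_of(const unsigned char *buf, size_t buflen)
{
    long len;
    return der_get_length(&buf, buflen, &len);
}

long der_content_length(const unsigned char *buf, size_t buflen)
{
    long len = -1;
    if (der_get_length(&buf, buflen, &len) != DER_LEN_OK)
        return -1;
    return len;
}

/* Constructed sample inputs: length octets followed by content. */
const unsigned char sample_short[] = { 0x05, 'h', 'e', 'l', 'l', 'o' };
const unsigned char sample_long[1 + 2 + 256] = { 0x82, 0x01, 0x00 }; /* 256 zero bytes follow */
const unsigned char sample_too_wide[] = { 0x89, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
const unsigned char sample_overflow[] = { 0x03, 'a' };         /* claims 3 bytes, 1 present */
const unsigned char sample_indefinite[] = { 0x80, 0x00, 0x00 };
const unsigned char sample_truncated[] = { 0x82, 0x01 };       /* second length octet missing */

/* A length of exactly sizeof(long) octets with the top bit set: as a signed
 * long it would appear negative, so check 2 must reject it on any platform. */
enum der_len_status negative_sample_status(void)
{
    unsigned char buf[1 + sizeof(long) + 1] = { 0 };
    buf[0] = (unsigned char)(0x80 | sizeof(long));
    buf[1] = 0x80;
    return der_length_status_of(buf, sizeof(buf));
}

int main(void)
{
    printf("short form: %ld content bytes\n", der_content_length(sample_short, sizeof(sample_short)));
    printf("long form: %ld content bytes\n", der_content_length(sample_long, sizeof(sample_long)));
    printf("overflowing length rejected with status %d\n",
           (int)der_length_status_of(sample_overflow, sizeof(sample_overflow)));
    return 0;
}
```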

   *Bodo Moeller*

 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
   to prevent ssl3_read_internal() from incorrectly assuming that
   ssl3_read_bytes() found application data while handshake
   processing was enabled when in fact s->s3->in_read_app_data was
   merely automatically cleared during the initial handshake.

   *Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>*

 * Fix object definitions for Private and Enterprise: they were not
   recognized in their shortname (=lowercase) representation. Extend
   obj_dat.pl to issue an error when using undefined keywords instead
   of silently ignoring the problem (Svenning Sorensen
   <sss@sss.dnsalias.net>).

   *Lutz Jaenicke*

 * Fix DH_generate_parameters() so that it works for 'non-standard'
   generators, i.e. generators other than 2 and 5. (Previously, the
   code did not properly initialise the 'add' and 'rem' values to
   BN_generate_prime().)

   In the new general case, we do not insist that 'generator' is
   actually a primitive root: This requirement is rather pointless;
   a generator of the order-q subgroup is just as good, if not
   better.

   *Bodo Moeller*

 * Map new X509 verification errors to alerts. Discovered and submitted by
   Tom Wu <tom@arcot.com>.

   *Lutz Jaenicke*

 * Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
   returning non-zero before the data has been completely received
   when using non-blocking I/O.

   *Bodo Moeller; problem pointed out by John Hughes*

 * Some of the ciphers were missing the strength entry (SSL_LOW etc).

   *Ben Laurie, Lutz Jaenicke*

 * Fix bug in SSL_clear(): bad sessions were not removed (found by
   Yoram Zahavi <YoramZ@gilian.com>).

   *Lutz Jaenicke*

 * Add information about Cygwin 1.3 and later, and preserve proper
   configuration for the versions before that.

   *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*

 * Make removal from session cache (SSL_CTX_remove_session()) more robust:
   check whether we deal with a copy of a session and do not delete from
   the cache in this case. Problem reported by "Izhar Shoshani Levi"
   <izhar@checkpoint.com>.

   *Lutz Jaenicke*

 * Do not store session data into the internal session cache if it
   is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
   flag is set). Proposed by Aslam <aslam@funk.com>.

   *Lutz Jaenicke*

 * Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
   value is 0.

   *Richard Levitte*

 * [In 0.9.6d-engine release:]
   Fix a crash bug and a logic bug in hwcrhk_load_pubkey().

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Add the configuration target linux-s390x.

   *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*

 * The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
   ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
   variable as an indication that a ClientHello message has been
   received. As the flag value will be lost between multiple
   invocations of ssl3_accept when using non-blocking I/O, the
   function may not be aware that a handshake has actually taken
   place, thus preventing a new session from being added to the
   session cache.

   To avoid this problem, we now set s->new_session to 2 instead of
   using a local variable.

   *Lutz Jaenicke, Bodo Moeller*

 * Bugfix: Return -1 from ssl3_get_server_done (ssl/s3_clnt.c)
   if the SSL_R_LENGTH_MISMATCH error is detected.

   *Geoff Thorpe, Bodo Moeller*

 * New 'shared_ldflag' column in Configure platform table.

   *Richard Levitte*

 * Fix EVP_CIPHER_mode macro.

   *"Dan S. Camper" <dan@bti.net>*

 * Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
   type, we must throw them away by setting rr->length to 0.

   *D P Chang <dpc@qualys.com>*

### Changes between 0.9.6b and 0.9.6c [21 Dec 2001]

 * Fix BN_rand_range bug pointed out by Dominikus Scherkl
   <Dominikus.Scherkl@biodata.com>. (The previous implementation
   worked incorrectly for those cases where range = `10..._2` and
   `3*range` is two bits longer than range.)

   *Bodo Moeller*

 * Only add signing time to PKCS7 structures if it is not already
   present.

   *Steve Henson*

 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
   OBJ_ld_ce should be OBJ_id_ce.
   Also some ip-pda OIDs in crypto/objects/objects.txt were
   incorrect (cf. RFC 3039).

   *Matt Cooper, Frederic Giudicelli, Bodo Moeller*

 * Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
   returns early because it has nothing to do.

   *Andy Schneider <andy.schneider@bjss.co.uk>*

 * [In 0.9.6c-engine release:]
   Fix mutex callback return values in crypto/engine/hw_ncipher.c.

   *Andy Schneider <andy.schneider@bjss.co.uk>*

 * [In 0.9.6c-engine release:]
   Add support for Cryptographic Appliance's keyserver technology.
   (Use engine 'keyclient')

   *Cryptographic Appliances and Geoff Thorpe*

 * Add a configuration entry for OS/390 Unix. The C compiler 'c89'
   is called via tools/c89.sh because arguments have to be
   rearranged (all '-L' options must appear before the first object
   modules).

   *Richard Shapiro <rshapiro@abinitio.com>*

 * [In 0.9.6c-engine release:]
   Add support for Broadcom crypto accelerator cards, backported
   from 0.9.7.

   *Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox*

 * [In 0.9.6c-engine release:]
   Add support for SureWare crypto accelerator cards from
   Baltimore Technologies. (Use engine 'sureware')

   *Baltimore Technologies and Mark Cox*

 * [In 0.9.6c-engine release:]
   Add support for crypto accelerator cards from Accelerated
   Encryption Processing, www.aep.ie. (Use engine 'aep')

   *AEP Inc. and Mark Cox*

 * Add a configuration entry for gcc on UnixWare.

   *Gary Benson <gbenson@redhat.com>*

 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
   messages are stored in a single piece (fixed-length part and
   variable-length part combined) and fix various bugs found on the way.

   *Bodo Moeller*

 * Disable caching in BIO_gethostbyname(), directly use gethostbyname()
   instead. BIO_gethostbyname() does not know what timeouts are
   appropriate, so entries would stay in cache even when they have
   become invalid.

   *Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>*

 * Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
   faced with a pathologically small ClientHello fragment that does
   not contain client_version: Instead of aborting with an error,
   simply choose the highest available protocol version (i.e.,
   TLS 1.0 unless it is disabled). In practice, ClientHello
   messages are never sent like this, but this change gives us
   strictly correct behaviour at least for TLS.

   *Bodo Moeller*

 * Fix SSL handshake functions and SSL_clear() such that SSL_clear()
   never resets s->method to s->ctx->method when called from within
   one of the SSL handshake functions.

   *Bodo Moeller; problem pointed out by Niko Baric*

 * In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
   (sent using the client's version number) if client_version is
   smaller than the protocol version in use. Also change
   ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
   the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
   the client will at least see that alert.

   *Bodo Moeller*

 * Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
   correctly.

   *Bodo Moeller*

 * Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
   client receives HelloRequest while in a handshake.

   *Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>*

 * Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
   should end in 'break', not 'goto end' which circumvents various
   cleanups done in state SSL_ST_OK. But session related stuff
   must be disabled for SSL_ST_OK in the case that we just sent a
   HelloRequest.

   Also avoid some overhead by not calling ssl_init_wbio_buffer()
   before just sending a HelloRequest.

   *Bodo Moeller, Eric Rescorla <ekr@rtfm.com>*

 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
   reveal whether illegal block cipher padding was found or a MAC
   verification error occurred. (Neither SSLerr() codes nor alerts
   are directly visible to potential attackers, but the information
   may leak via logfiles.)

   Similar changes are not required for the SSL 2.0 implementation
   because the number of padding bytes is sent in clear for SSL 2.0,
   and the extra bytes are just ignored. However ssl/s2_pkt.c
   failed to verify that the purported number of padding bytes is in
   the legal range.

   *Bodo Moeller*

 * Add OpenUNIX-8 support including shared libraries
   (Boyd Lynn Gerber <gerberb@zenez.com>).

   *Lutz Jaenicke*

 * Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
   'wristwatch attack' using huge encoding parameters (cf.
   James H. Manger's CRYPTO 2001 paper). Note that the
   RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
   encoding parameters and hence was not vulnerable.

   *Bodo Moeller*

 * BN_sqr() bug fix.

   *Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>*

 * Rabin-Miller test analyses assume uniformly distributed witnesses,
   so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
   followed by modular reduction.

   *Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>*

 * Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
   equivalent based on BN_pseudo_rand() instead of BN_rand().

   *Bodo Moeller*

 * s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
   This function was broken, as the check for a new client hello message
   to handle SGC did not allow these large messages.
   (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)

   *Lutz Jaenicke*

 * Add alert descriptions for TLSv1 to `SSL_alert_desc_string[_long]()`.

   *Lutz Jaenicke*

 * Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
   for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).

   *Lutz Jaenicke*

 * Rework the configuration and shared library support for Tru64 Unix.
   The configuration part makes use of modern compiler features and
   still retains old compiler behavior for those that run older versions
   of the OS. The shared library support part includes a variant that
   uses the RPATH feature, and is available through the special
   configuration target "alpha-cc-rpath", which will never be selected
   automatically.

   *Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte*

 * In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
   with the same message size as in ssl3_get_certificate_request().
   Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
   messages might inadvertently be rejected as too long.

   *Petr Lampa <lampa@fee.vutbr.cz>*

 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).

   *Andy Polyakov*

 * Modified SSL library such that the verify_callback that has been set
   specifically for an SSL object with SSL_set_verify() is actually being
   used. Before the change, a verify_callback set with this function was
   ignored and the verify_callback() set in the SSL_CTX at the time of
   the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
   to allow the necessary settings.

   *Lutz Jaenicke*

 * Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
   explicitly to NULL, as at least on Solaris 8 this seems not always to be
   done automatically (in contradiction to the requirements of the C
   standard). This caused problems when used from OpenSSH.

   *Lutz Jaenicke*

 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
   dh->length and always used

           BN_rand_range(priv_key, dh->p).

   BN_rand_range() is not necessary for Diffie-Hellman, and this
   specific range makes Diffie-Hellman unnecessarily inefficient if
   dh->length (recommended exponent length) is much smaller than the
   length of dh->p. We could use BN_rand_range() if the order of
   the subgroup was stored in the DH structure, but we only have
   dh->length.

   So switch back to

           BN_rand(priv_key, l, ...)

   where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
   otherwise.

   *Bodo Moeller*

 * In

           RSA_eay_public_encrypt
           RSA_eay_private_decrypt
           RSA_eay_private_encrypt (signing)
           RSA_eay_public_decrypt (signature verification)

   (default implementations for RSA_public_encrypt,
   RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
   always reject numbers >= n.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
   to synchronize access to 'locking_thread'. This is necessary on
   systems where access to 'locking_thread' (an 'unsigned long'
   variable) is not atomic.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
   *before* setting the 'crypto_lock_rand' flag. The previous code had
   a race condition if 0 is a valid thread ID.

   *Travis Vitek <vitek@roguewave.com>*

 * Add support for shared libraries under Irix.

   *Albert Chin-A-Young <china@thewrittenword.com>*

 * Add configuration option to build on Linux on both big-endian and
   little-endian MIPS.

   *Ralf Baechle <ralf@uni-koblenz.de>*

 * Add the possibility to create shared libraries on HP-UX.

   *Richard Levitte*

### Changes between 0.9.6a and 0.9.6b [9 Jul 2001]

 * Change ssleay_rand_bytes (crypto/rand/md_rand.c)
   to avoid an SSLeay/OpenSSL PRNG weakness pointed out by
   Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
   PRNG state recovery was possible based on the output of
   one PRNG request appropriately sized to gain knowledge on
   'md' followed by enough consecutive 1-byte PRNG requests
   to traverse all of 'state'.

   1. When updating 'md_local' (the current thread's copy of 'md')
      during PRNG output generation, hash all of the previous
      'md_local' value, not just the half used for PRNG output.

   2. Make the number of bytes from 'state' included into the hash
      independent from the number of PRNG bytes requested.

   The first measure alone would be sufficient to avoid
   Markku-Juhani's attack. (Actually it had never occurred
   to me that the half of 'md_local' used for chaining was the
   half from which PRNG output bytes were taken -- I had always
   assumed that the secret half would be used.) The second
   measure makes sure that additional data from 'state' is never
   mixed into 'md_local' in small portions; this heuristically
   further strengthens the PRNG.

   *Bodo Moeller*

 * Fix crypto/bn/asm/mips3.s.

   *Andy Polyakov*

 * When only the key is given to "enc", the IV is undefined. Print out
   an error message in this case.

   *Lutz Jaenicke*

 * Handle special case when X509_NAME is empty in X509 printing routines.

   *Steve Henson*

 * In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
   positive and less than q.
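
   The range check just described, together with the BN_rand_range() and
   DSA_sign_setup() change recorded under 0.9.6a below and the BN_rand_range
   fix recorded under 0.9.6c above, as an added Python illustration. This is
   not OpenSSL code and not the change authors' code: `rand_range` is a
   rejection-sampling routine modelled on the case split BN_rand_range uses,
   `exhaustive_histogram` feeds it every possible bit pattern once so the
   uniformity of its output can be checked, and a toy DSA draws k uniformly
   from [1, q-1] when signing and rejects r or s outside (0, q) when
   verifying. The group p=23, q=11, g=4, the key and the message are
   constructed and far too small for real use.

```python
import hashlib
import secrets

# Constructed toy DSA group (NOT secure): q divides p-1 and g has order q mod p.
P, Q, G = 23, 11, 4
assert pow(G, Q, P) == 1 and G != 1


def _is_100_form(range_):
    """True when range_ = 100..._2, so 3*range_ fits in exactly one more bit."""
    n = range_.bit_length()
    if n < 2 or (range_ >> (n - 2)) & 1:
        return False
    return n < 3 or not (range_ >> (n - 3)) & 1


def rand_range(range_, randbits=secrets.randbits):
    """Uniform integer in [0, range_) by rejection sampling.

    Modelled on BN_rand_range: for range_ = 100..._2 draw n+1 bits and reduce
    by subtracting range_ at most twice (about 3/4 of draws are usable);
    otherwise draw n bits and keep the value if it is below range_.
    randbits(k) must return a uniform k-bit integer; secrets.randbits does.
    """
    if range_ <= 0:
        raise ValueError("range must be positive")
    n = range_.bit_length()
    if n == 1:
        return 0
    if _is_100_form(range_):
        while True:
            r = randbits(n + 1)
            if r >= range_:
                r -= range_
                if r >= range_:
                    r -= range_
            if r < range_:
                return r
    while True:
        r = randbits(n)
        if r < range_:
            return r


class _Exhausted(Exception):
    pass


def exhaustive_histogram(range_):
    """Feed every possible bit pattern once and count how often each output occurs."""
    if range_ == 1:
        return [1]
    width = range_.bit_length() + (1 if _is_100_form(range_) else 0)
    draws = iter(range(1 << width))

    def source(k):
        if k != width:
            raise AssertionError("unexpected draw width")
        try:
            return next(draws)
        except StopIteration:
            raise _Exhausted() from None

    counts = [0] * range_
    try:
        while True:
            counts[rand_range(range_, source)] += 1
    except _Exhausted:
        pass
    return counts


def is_uniform(range_):
    """True if every value below range_ is produced equally often."""
    counts = exhaustive_histogram(range_)
    return all(c == counts[0] for c in counts)


def _hash_mod_q(message):
    # Toy: reduce the digest mod q (real DSA takes the leftmost bits of the digest).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def dsa_sign(x, message, randbits=secrets.randbits):
    """Sign with private key x; k is uniform in [1, q-1], not BN_rand() reduced mod q."""
    h = _hash_mod_q(message)
    while True:
        k = 1 + rand_range(Q - 1, randbits)
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if s != 0:
            return r, s


def dsa_verify(y, message, signature):
    """Verify against public key y; the 0.9.6b check rejects r or s outside (0, q)."""
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    h = _hash_mod_q(message)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


if __name__ == "__main__":
    x = 3                      # constructed private key
    y = pow(G, x, P)
    sig = dsa_sign(x, b"constructed message")
    print(sig, dsa_verify(y, b"constructed message", sig), is_uniform(9))
```

   `is_uniform(n)` enumerates every draw for a small range and confirms each
   output appears equally often, which a plain `BN_rand()` followed by
   reduction mod q does not give unless q is a power of two; the verify
   routine returns False for r = 0, s = 0 or any value of q or more before it
   touches the modular inverse.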

   *Bodo Moeller*

 * Don't change `*pointer` in CRYPTO_add_lock() if add_lock_callback is
   used: it isn't thread safe and the add_lock_callback should handle
   that itself.

   *Paul Rose <Paul.Rose@bridge.com>*

 * Verify that incoming data obeys the block size in
   ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).

   *Bodo Moeller*

 * Fix OAEP check.

   *Ulf Möller, Bodo Möller*

 * The countermeasure against Bleichenbacher's attack on PKCS #1 v1.5
   RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
   when fixing the server behaviour for backwards-compatible 'client
   hello' messages. (Note that the attack is impractical against
   SSL 3.0 and TLS 1.0 anyway because length and version checking
   means that the probability of guessing a valid ciphertext is
   around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
   paper.)

   Before 0.9.5, the countermeasure (hide the error by generating a
   random 'decryption result') did not work properly because
   ERR_clear_error() was missing, meaning that SSL_get_error() would
   detect the supposedly ignored error.

   Both problems are now fixed.

   *Bodo Moeller*

 * In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
   (previously it was 1024).

   *Bodo Moeller*

 * Fix for compatibility mode trust settings: ignore trust settings
   unless some valid trust or reject settings are present.

   *Steve Henson*

 * Fix for blowfish EVP: it's a variable length cipher.

   *Steve Henson*

 * Fix various bugs related to DSA S/MIME verification. Handle missing
   parameters in DSA public key structures and return an error in the
   DSA routines if parameters are absent.
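
   The 0.9.6c change above that stops ssl/s3_enc.c and ssl/t1_enc.c from
   revealing whether the padding or the MAC failed, together with the 0.9.6b
   block-size check in this release, as an added Python illustration. This is
   not OpenSSL code and not the change authors' code: `open_record` returns
   one and the same error value for a record of the wrong length, bad padding
   or a bad MAC, and still computes a MAC when the padding is wrong. The
   record layout (content, HMAC-SHA1, TLS 1.0 style padding) is modelled on
   TLS 1.0 with the CBC decryption itself left out; `BLOCK`, the key and the
   sample content are constructed.

```python
import hashlib
import hmac

BLOCK = 8                               # constructed: 64-bit block cipher such as 3DES-CBC
MAC_LEN = hashlib.sha1().digest_size    # 20 bytes of HMAC-SHA1, as in TLS 1.0
BAD_RECORD = "bad_record_mac"           # the only error ever reported to the caller


def build_record(key, content):
    """Produce the plaintext of a TLS 1.0 style record: content || MAC || padding.

    Padding is (pad_len + 1) bytes, each equal to pad_len, sized so that the
    whole record is a multiple of BLOCK. This is what sits in the buffer
    after CBC decryption; the cipher itself is left out of the example.
    """
    mac = hmac.new(key, content, hashlib.sha1).digest()
    body = content + mac
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def open_record(key, record):
    """Return (True, content) or (False, BAD_RECORD), never saying which check failed."""
    # 0.9.6b: the decrypted data must obey the block size, and must at least
    # hold a padding-length byte and a MAC.
    if len(record) % BLOCK != 0 or len(record) < MAC_LEN + 1:
        return False, BAD_RECORD

    pad_len = record[-1]
    padding_ok = pad_len + 1 + MAC_LEN <= len(record)
    if padding_ok:
        # TLS 1.0 requires every padding byte to carry the padding length.
        padding_ok = all(b == pad_len for b in record[-(pad_len + 1):])

    if padding_ok:
        content = record[:-(pad_len + 1) - MAC_LEN]
        received_mac = record[-(pad_len + 1) - MAC_LEN:-(pad_len + 1)]
    else:
        # Padding is bad: still run the MAC over a plausible split so that a
        # padding failure does not skip work, and report the same error as
        # a MAC failure (the 0.9.6c change).
        content = record[:-MAC_LEN - 1]
        received_mac = record[-MAC_LEN - 1:-1]

    mac_ok = hmac.compare_digest(
        hmac.new(key, content, hashlib.sha1).digest(), received_mac)

    if not (padding_ok and mac_ok):
        return False, BAD_RECORD
    return True, content


def flip_byte(data, index):
    """Constructed helper: corrupt one byte of a record."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    key = b"constructed-mac-key"
    rec = build_record(key, b"hello")
    print(open_record(key, rec))
    print(open_record(key, flip_byte(rec, len(rec) - 1)))   # padding damaged
    print(open_record(key, flip_byte(rec, 10)))             # MAC damaged
```

   Unifying the error value is what the 0.9.6c change does; equalising the
   time spent on the two failure paths is a separate and harder problem that
   this example does not solve, which is why the MAC over a fixed split in
   the bad-padding branch is only a first step in that direction.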

   *Steve Henson*

 * In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
   in the current directory if neither $RANDFILE nor $HOME was set.
   RAND_file_name() in 0.9.6a returned NULL in this case. This has
   caused some confusion to Windows users who haven't defined $HOME.
   Thus RAND_file_name() is changed again: e_os.h can define a
   DEFAULT_HOME, which will be used if $HOME is not set.
   For Windows, we use "C:"; on other platforms, we still require
   environment variables.

 * Move 'if (!initialized) RAND_poll()' into regions protected by
   CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
   having multiple threads call RAND_poll() concurrently.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
   combination of a flag and a thread ID variable.
   Otherwise while one thread is in ssleay_rand_bytes (which sets the
   flag), *other* threads can enter ssleay_add_bytes without obeying
   the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
   that they do not hold after the first thread unsets add_do_not_lock).

   *Bodo Moeller*

 * Change bctest again: '-x' expressions are not available in all
   versions of 'test'.

   *Bodo Moeller*

### Changes between 0.9.6 and 0.9.6a [5 Apr 2001]

 * Fix a couple of memory leaks in PKCS7_dataDecode().

   *Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>*

 * Change Configure and Makefiles to provide EXE_EXT, which will contain
   the default extension for executables, if any. Also, make the perl
   scripts that use symlink() to test if it really exists and use "cp"
   if it doesn't. All this made OpenSSL compilable and installable in
   CygWin.

   *Richard Levitte*

 * Fix for asn1_GetSequence() for indefinite length constructed data.
   If the SEQUENCE length is indefinite, just set c->slen to the total
   amount of data available.

   *Steve Henson, reported by shige@FreeBSD.org*

   *This change does not apply to 0.9.7.*

 * Change bctest to avoid here-documents inside command substitution
   (workaround for FreeBSD /bin/sh bug).
   For compatibility with Ultrix, avoid shell functions (introduced
   in the bctest version that searches along $PATH).

   *Bodo Moeller*

 * Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
   with des_encrypt() defined on some operating systems, like Solaris
   and UnixWare.

   *Richard Levitte*

 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
   On the Importance of Eliminating Errors in Cryptographic
   Computations, J. Cryptology 14 (2001) 2, 101-119,
   <http://theory.stanford.edu/~dabo/papers/faults.ps.gz>).

   *Ulf Moeller*

 * MIPS assembler BIGNUM division bug fix.

   *Andy Polyakov*

 * Disabled incorrect Alpha assembler code.

   *Richard Levitte*

 * Fix PKCS#7 decode routines so they correctly update the length
   after reading an EOC for the EXPLICIT tag.

   *Steve Henson*

   *This change does not apply to 0.9.7.*

 * Fix bug in PKCS#12 key generation routines. This was triggered
   if a 3DES key was generated with a 0 initial byte. Include
   PKCS12_BROKEN_KEYGEN compilation option to retain the old
   (but broken) behaviour.

   *Steve Henson*

 * Enhance bctest to search for a working bc along $PATH and print
   it when found.

   *Tim Rice <tim@multitalents.net> via Richard Levitte*

 * Fix memory leaks in err.c: free err_data string if necessary;
   don't write to the wrong index in ERR_set_error_data.
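
   The RSA-CRT result check cited in this release, together with the 0.9.6d
   rule recorded above that the RSA_eay_* primitives reject inputs >= n, as an
   added Python illustration. This is not OpenSSL code and not the change
   authors' code: the private operation is computed by CRT and then
   re-encrypted with the public exponent before the result is released, so a
   corrupted CRT half is detected rather than returned, and every primitive
   refuses an input outside [0, n). The toy key p=61, q=53, e=17 and the
   `fault` parameter that perturbs one CRT half are constructed for the
   demonstration and have no counterpart in OpenSSL.

```python
from collections import namedtuple

RsaKey = namedtuple("RsaKey", "n e d p q dp dq qinv")


class FaultDetected(Exception):
    """Raised when the CRT result does not re-encrypt to the input."""


def make_key(p, q, e):
    """Derive the private exponent and CRT parameters (toy sizes; not secure)."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return RsaKey(n=p * q, e=e, d=d, p=p, q=q,
                  dp=d % (p - 1), dq=d % (q - 1), qinv=pow(q, -1, p))


def _check_input(x, key):
    # 0.9.6d: all four RSA_eay_* primitives reject numbers >= n (and negatives).
    if not 0 <= x < key.n:
        raise ValueError("RSA input must satisfy 0 <= x < n")


def rsa_public(x, key):
    """Public operation (encryption / raw signature verification)."""
    _check_input(x, key)
    return pow(x, key.e, key.n)


def rsa_private_crt(c, key, fault=0):
    """Private operation via CRT (decryption / raw signing).

    'fault' is a constructed hook that perturbs the mod-p half, standing in
    for a hardware glitch during the computation.
    """
    _check_input(c, key)
    m1 = (pow(c, key.dp, key.p) + fault) % key.p
    m2 = pow(c, key.dq, key.q)
    h = (key.qinv * (m1 - m2)) % key.p
    m = m2 + h * key.q
    # Boneh-DeMillo-Lipton countermeasure: re-encrypt and compare. A single
    # faulty CRT half makes m wrong mod p, so m^e != c (mod n) and the faulty
    # value is never handed to the caller.
    if pow(m, key.e, key.n) != c:
        raise FaultDetected("CRT result failed re-encryption check")
    return m


def decrypt_or_none(c, key, fault=0):
    """Status-style wrapper: None on an out-of-range input or a detected fault."""
    try:
        return rsa_private_crt(c, key, fault)
    except (ValueError, FaultDetected):
        return None


KEY = make_key(61, 53, 17)   # constructed toy key: n = 3233, d = 2753

if __name__ == "__main__":
    c = rsa_public(65, KEY)
    print(c, rsa_private_crt(c, KEY), decrypt_or_none(c, KEY, fault=1))
```

   With the fault hook set to any value not divisible by p the re-encryption
   check fails every time, because the CRT combination is a bijection on the
   mod-p component; without the check the caller would receive a value that
   is correct mod q and wrong mod p, which is exactly the output the cited
   paper shows must never leave the private operation.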

   *Bodo Moeller*

 * Implement ssl23_peek (analogous to ssl23_read), which previously
   did not exist.

   *Bodo Moeller*

 * Replace rdtsc with `_emit` statements for VC++ version 5.

   *Jeremy Cooper <jeremy@baymoo.org>*

 * Make it possible to reuse SSLv2 sessions.

   *Richard Levitte*

 * In copy_email() check for >= 0 as a return value for
   X509_NAME_get_index_by_NID() since 0 is a valid index.

   *Steve Henson, reported by Massimiliano Pala <madwolf@opensca.org>*

 * Avoid coredump with unsupported or invalid public keys by checking if
   X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
   PKCS7_verify() fails with non detached data.

   *Steve Henson*

 * Don't use getenv in library functions when run as setuid/setgid.
   New function OPENSSL_issetugid().

   *Ulf Moeller*

 * Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
   due to incorrect handling of multi-threading:

   1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().

   2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().

   3. Count how many times MemCheck_off() has been called so that
      nested use can be treated correctly. This also avoids
      inband-signalling in the previous code (which relied on the
      assumption that thread ID 0 is impossible).

   *Bodo Moeller*

 * Add "-rand" option also to s_client and s_server.

   *Lutz Jaenicke*

 * Fix CPU detection on Irix 6.x.

   *Kurt Hockenbury <khockenb@stevens-tech.edu> and
   "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*

 * Fix X509_NAME bug which produced incorrect encoding if X509_NAME
   was empty.

   *Steve Henson*

   *This change does not apply to 0.9.7.*

 * Use the cached encoding of an X509_NAME structure rather than
   copying it. This is apparently the reason for the libsafe "errors"
   but the code is actually correct.

   *Steve Henson*

 * Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
   Bleichenbacher's DSA attack.
   Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
   to be set and top=0 forces the highest bit to be set; top=-1 is new
   and leaves the highest bit random.

   *Ulf Moeller, Bodo Moeller*

 * In the `NCONF_...`-based implementations for `CONF_...` queries
   (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
   a temporary CONF structure with the data component set to NULL
   (which gives segmentation faults in lh_retrieve).
   Instead, use NULL for the CONF pointer in CONF_get_string and
   CONF_get_number (which may use environment variables) and directly
   return NULL from CONF_get_section.

   *Bodo Moeller*

 * Fix potential buffer overrun for EBCDIC.

   *Ulf Moeller*

 * Tolerate nonRepudiation as being valid for S/MIME signing and certSign
   keyUsage if basicConstraints absent for a CA.

   *Steve Henson*

 * Make SMIME_write_PKCS7() write mail header values with a format that
   is more generally accepted (no spaces before the semicolon), since
   some programs can't parse those values properly otherwise. Also make
   sure BIO's that break lines after each write do not create invalid
   headers.

   *Richard Levitte*

 * Make the CRL encoding routines work with empty SEQUENCE OF. The
   macros previously used would not encode an empty SEQUENCE OF
   and break the signature.

   *Steve Henson*

   *This change does not apply to 0.9.7.*

 * Zero the premaster secret after deriving the master secret in
   DH ciphersuites.

   *Steve Henson*

 * Add some EVP_add_digest_alias registrations (as found in
   OpenSSL_add_all_digests()) to SSL_library_init()
   aka OpenSSL_add_ssl_algorithms(). This provides improved
   compatibility with peers using X.509 certificates
   with unconventional AlgorithmIdentifier OIDs.

   *Bodo Moeller*

 * Fix for Irix with NO_ASM.

   *"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*

 * ./config script fixes.

   *Ulf Moeller, Richard Levitte*

 * Fix 'openssl passwd -1'.

   *Bodo Moeller*

 * Change PKCS12_key_gen_asc() so it can cope with non-null-terminated
   strings whose length is passed in the passlen parameter, for example
   from PEM callbacks. This was done by adding an extra length parameter
   to asc2uni().

   *Steve Henson, reported by <oddissey@samsung.co.kr>*

 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
   call failed, free the DSA structure.

   *Bodo Moeller*

 * Fix to uni2asc() to cope with zero length Unicode strings.
   These are present in some PKCS#12 files.

   *Steve Henson*

 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
   Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
   when writing a 32767 byte record.

   *Bodo Moeller; problem reported by Eric Day <eday@concentric.net>*

 * In `RSA_eay_public_{en,de}crypt` and RSA_eay_mod_exp (rsa_eay.c),
   obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.

   (RSA objects have a reference count, access to which is protected
   by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
   so they are meant to be shared between threads.)

   *Bodo Moeller, Geoff Thorpe; original patch submitted by
   "Reddie, Steven" <Steven.Reddie@ca.com>*

 * Fix a deadlock in CRYPTO_mem_leaks().

   *Bodo Moeller*

 * Use better test patterns in bntest.

   *Ulf Möller*

 * rand_win.c fix for Borland C.

   *Ulf Möller*

 * BN_rshift bugfix for n == 0.

   *Bodo Moeller*

 * Add a 'bctest' script that checks for some known 'bc' bugs
   so that 'make test' does not abort just because 'bc' is broken.

   *Bodo Moeller*

 * Store verify_result within SSL_SESSION also for client side to
   avoid potential security hole. (Reused sessions on the client side
   always resulted in verify_result==X509_V_OK, not using the original
   result of the server certificate verification.)

   *Lutz Jaenicke*

 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
   SSL3_RT_APPLICATION_DATA, return 0.
   Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.

   *Bodo Moeller*

 * Fix SSL_peek:
   Both ssl2_peek and ssl3_peek, which were totally broken in earlier
   releases, have been re-implemented by renaming the previous
   implementations of ssl2_read and ssl3_read to ssl2_read_internal
   and ssl3_read_internal, respectively, and adding 'peek' parameters
   to them. The new ssl[23]_{read,peek} functions are calls to
   ssl[23]_read_internal with the 'peek' flag set appropriately.
   A 'peek' parameter has also been added to ssl3_read_bytes, which
   does the actual work for ssl3_read_internal.

   *Bodo Moeller*

 * Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
   the method-specific "init()" handler. Also clean up ex_data after
   calling the method-specific "finish()" handler. Previously, this was
   happening the other way round.

   *Geoff Thorpe*

 * Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
   The previous value, 12, was not always sufficient for BN_mod_exp().

   *Bodo Moeller*

 * Make sure that shared libraries get the internal name engine with
   the full version number and not just 0. This should mark the
   shared libraries as not backward compatible. Of course, this should
   be changed again when we can guarantee backward binary compatibility.

   *Richard Levitte*

 * Fix typo in get_cert_by_subject() in by_dir.c.

   *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*

 * Rework the system to generate shared libraries:

   - Make note of the expected extension for the shared libraries and
     if there is a need for symbolic links from for example libcrypto.so.0
     to libcrypto.so.0.9.7. There is extended info in Configure for
     that.

   - Make as few rebuilds of the shared libraries as possible.

   - Still avoid linking the OpenSSL programs with the shared libraries.

   - When installing, install the shared libraries separately from the
     static ones.

   *Richard Levitte*

 * Fix SSL_CTX_set_read_ahead macro to actually use its argument.

   Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
   and not in SSL_clear because the latter is also used by the
   accept/connect functions; previously, the settings made by
   SSL_set_read_ahead would be lost during the handshake.

   *Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>*

 * Correct util/mkdef.pl to be selective about disabled algorithms.
   Previously, it would create entries for disabled algorithms no
   matter what.

   *Richard Levitte*

 * Added several new manual pages for SSL_* functions.

   *Lutz Jaenicke*

### Changes between 0.9.5a and 0.9.6 [24 Sep 2000]

 * In ssl23_get_client_hello, generate an error message when faced
   with an initial SSL 3.0/TLS record that is too small to contain the
   first two bytes of the ClientHello message, i.e. client_version.
   (Note that this is a pathological case that probably has never happened
   in real life.) The previous approach was to use the version number
   from the record header as a substitute; but our protocol choice
   should not depend on that one because it is not authenticated
   by the Finished messages.

   *Bodo Moeller*

 * More robust randomness gathering functions for Windows.

   *Jeffrey Altman <jaltman@columbia.edu>*

 * For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
   not set then we don't set up the error code for issuer check errors
   to avoid possibly overwriting other errors which the callback does
   handle. If an application does set the flag then we assume it knows
   what it is doing and can handle the new informational codes
   appropriately.

   *Steve Henson*

 * Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
   a general "ANY" type, as such it should be able to decode anything
   including tagged types. However it didn't check the class so it would
   wrongly interpret tagged types in the same way as their universal
   counterpart and unknown types were just rejected.
   Changed so that the tagged and unknown types are handled in the same
   way as a SEQUENCE: that is, the encoding is stored intact. There is
   also a new type "V_ASN1_OTHER" which is used when the class is not
   universal; in this case we have no idea what the actual type is so we
   just lump them all together.

   *Steve Henson*

 * On VMS, stdout may very well lead to a file that is written to
   in a record-oriented fashion. That means that every write() will
   write a separate record, which will be read separately by the
   programs trying to read from it. This can be very confusing.

   The solution is to put a BIO filter in the way that will buffer
   text until a linefeed is reached, and then write everything a
   line at a time, so every record written will be an actual line,
   not chunks of lines and not (usually doesn't happen, but I've
   seen it once) several lines in one record. BIO_f_linebuffer() is
   the answer.

   Currently, it's a VMS-only method, because that's where it has
   been tested well enough.

   *Richard Levitte*

 * Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
   it can return incorrect results.
   (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
   but it was in 0.9.6-beta[12].)

   *Bodo Moeller*

 * Disable the check for content being present when verifying detached
   signatures in pk7_smime.c. Some versions of Netscape (wrongly)
   include zero length content when signing messages.

   *Steve Henson*

 * New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
   BIO_ctrl (for BIO pairs).

   *Bodo Möller*

 * Add DSO method for VMS.

   *Richard Levitte*

 * Bug fix: Montgomery multiplication could produce results with the
   wrong sign.

   *Ulf Möller*

 * Add RPM specification openssl.spec and modify it to build three
   packages. The default package contains applications, application
   documentation and run-time libraries. The devel package contains
   include files, static libraries and function documentation. The
   doc package contains the contents of the doc directory. The original
   openssl.spec was provided by Damien Miller <djm@mindrot.org>.

   *Richard Levitte*

 * Add a large number of documentation files for many SSL routines.

   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*

 * Add a configuration entry for Sony News 4.

   *NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>*

 * Don't set the two most significant bits to one when generating a
   random number < q in the DSA library.

   *Ulf Möller*

 * New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
   behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
   the underlying transport is blocking) if a handshake took place.
   (The default behaviour is needed by applications such as s_client
   and s_server that use select() to determine when to use SSL_read;
   but for applications that know in advance when to expect data, it
   just makes things more complicated.)

   *Bodo Moeller*

 * Add RAND_egd_bytes(), which gives control over the number of bytes read
   from EGD.

   *Ben Laurie*

 * Add a few more EBCDIC conditionals that make `req` and `x509`
   work better on such systems.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*

 * Add two demo programs for PKCS12_parse() and PKCS12_create().
   Update PKCS12_parse() so it copies the friendlyName and the
   keyid to the certificates' aux info.
16955 16956 *Steve Henson* 16957 16958 * Fix bug in PKCS7_verify() which caused an infinite loop 16959 if there was more than one signature. 16960 16961 *Sven Uszpelkat <su@celocom.de>* 16962 16963 * Major change in util/mkdef.pl to include extra information 16964 about each symbol, as well as presenting variables as well 16965 as functions. This change means that there's n more need 16966 to rebuild the .num files when some algorithms are excluded. 16967 16968 *Richard Levitte* 16969 16970 * Allow the verify time to be set by an application, 16971 rather than always using the current time. 16972 16973 *Steve Henson* 16974 16975 * Phase 2 verify code reorganisation. The certificate 16976 verify code now looks up an issuer certificate by a 16977 number of criteria: subject name, authority key id 16978 and key usage. It also verifies self signed certificates 16979 by the same criteria. The main comparison function is 16980 X509_check_issued() which performs these checks. 16981 16982 Lot of changes were necessary in order to support this 16983 without completely rewriting the lookup code. 16984 16985 Authority and subject key identifier are now cached. 16986 16987 The LHASH 'certs' is X509_STORE has now been replaced 16988 by a STACK_OF(X509_OBJECT). This is mainly because an 16989 LHASH can't store or retrieve multiple objects with 16990 the same hash value. 16991 16992 As a result various functions (which were all internal 16993 use only) have changed to handle the new X509_STORE 16994 structure. This will break anything that messed round 16995 with X509_STORE internally. 16996 16997 The functions X509_STORE_add_cert() now checks for an 16998 exact match, rather than just subject name. 
16999 17000 The X509_STORE API doesn't directly support the retrieval 17001 of multiple certificates matching a given criteria, however 17002 this can be worked round by performing a lookup first 17003 (which will fill the cache with candidate certificates) 17004 and then examining the cache for matches. This is probably 17005 the best we can do without throwing out X509_LOOKUP 17006 entirely (maybe later...). 17007 17008 The X509_VERIFY_CTX structure has been enhanced considerably. 17009 17010 All certificate lookup operations now go via a get_issuer() 17011 callback. Although this currently uses an X509_STORE it 17012 can be replaced by custom lookups. This is a simple way 17013 to bypass the X509_STORE hackery necessary to make this 17014 work and makes it possible to use more efficient techniques 17015 in future. A very simple version which uses a simple 17016 STACK for its trusted certificate store is also provided 17017 using X509_STORE_CTX_trusted_stack(). 17018 17019 The verify_cb() and verify() callbacks now have equivalents 17020 in the X509_STORE_CTX structure. 17021 17022 X509_STORE_CTX also has a 'flags' field which can be used 17023 to customise the verify behaviour. 17024 17025 *Steve Henson* 17026 17027 * Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 17028 excludes S/MIME capabilities. 17029 17030 *Steve Henson* 17031 17032 * When a certificate request is read in keep a copy of the 17033 original encoding of the signed data and use it when outputting 17034 again. Signatures then use the original encoding rather than 17035 a decoded, encoded version which may cause problems if the 17036 request is improperly encoded. 17037 17038 *Steve Henson* 17039 17040 * For consistency with other BIO_puts implementations, call 17041 buffer_write(b, ...) directly in buffer_puts instead of calling 17042 BIO_write(b, ...). 17043 17044 In BIO_puts, increment b->num_write as in BIO_write. 
17045 17046 *Peter.Sylvester@EdelWeb.fr* 17047 17048 * Fix BN_mul_word for the case where the word is 0. (We have to use 17049 BN_zero, we may not return a BIGNUM with an array consisting of 17050 words set to zero.) 17051 17052 *Bodo Moeller* 17053 17054 * Avoid calling abort() from within the library when problems are 17055 detected, except if preprocessor symbols have been defined 17056 (such as REF_CHECK, BN_DEBUG etc.). 17057 17058 *Bodo Moeller* 17059 17060 * New openssl application 'rsautl'. This utility can be 17061 used for low-level RSA operations. DER public key 17062 BIO/fp routines also added. 17063 17064 *Steve Henson* 17065 17066 * New Configure entry and patches for compiling on QNX 4. 17067 17068 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>* 17069 17070 * A demo state-machine implementation was sponsored by 17071 Nuron (<http://www.nuron.com/>) and is now available in 17072 demos/state_machine. 17073 17074 *Ben Laurie* 17075 17076 * New options added to the 'dgst' utility for signature 17077 generation and verification. 17078 17079 *Steve Henson* 17080 17081 * Unrecognized PKCS#7 content types are now handled via a 17082 catch all ASN1_TYPE structure. This allows unsupported 17083 types to be stored as a "blob" and an application can 17084 encode and decode it manually. 17085 17086 *Steve Henson* 17087 17088 * Fix various signed/unsigned issues to make a_strex.c 17089 compile under VC++. 17090 17091 *Oscar Jacobsson <oscar.jacobsson@celocom.com>* 17092 17093 * ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct 17094 length if passed a buffer. ASN1_INTEGER_to_BN failed 17095 if passed a NULL BN and its argument was negative. 17096 17097 *Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>* 17098 17099 * Modification to PKCS#7 encoding routines to output definite 17100 length encoding. Since currently the whole structures are in 17101 memory there's not real point in using indefinite length 17102 constructed encoding. 
However if OpenSSL is compiled with 17103 the flag PKCS7_INDEFINITE_ENCODING the old form is used. 17104 17105 *Steve Henson* 17106 17107 * Added BIO_vprintf() and BIO_vsnprintf(). 17108 17109 *Richard Levitte* 17110 17111 * Added more prefixes to parse for in the strings written 17112 through a logging bio, to cover all the levels that are available 17113 through syslog. The prefixes are now: 17114 17115 PANIC, EMERG, EMR => LOG_EMERG 17116 ALERT, ALR => LOG_ALERT 17117 CRIT, CRI => LOG_CRIT 17118 ERROR, ERR => LOG_ERR 17119 WARNING, WARN, WAR => LOG_WARNING 17120 NOTICE, NOTE, NOT => LOG_NOTICE 17121 INFO, INF => LOG_INFO 17122 DEBUG, DBG => LOG_DEBUG 17123 17124 and as before, if none of those prefixes are present at the 17125 beginning of the string, LOG_ERR is chosen. 17126 17127 On Win32, the `LOG_*` levels are mapped according to this: 17128 17129 LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE 17130 LOG_WARNING => EVENTLOG_WARNING_TYPE 17131 LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE 17132 17133 *Richard Levitte* 17134 17135 * Made it possible to reconfigure with just the configuration 17136 argument "reconf" or "reconfigure". The command line arguments 17137 are stored in Makefile.ssl in the variable CONFIGURE_ARGS, 17138 and are retrieved from there when reconfiguring. 17139 17140 *Richard Levitte* 17141 17142 * MD4 implemented. 17143 17144 *Assar Westerlund <assar@sics.se>, Richard Levitte* 17145 17146 * Add the arguments -CAfile and -CApath to the pkcs12 utility. 17147 17148 *Richard Levitte* 17149 17150 * The obj_dat.pl script was messing up the sorting of object 17151 names. The reason was that it compared the quoted version 17152 of strings as a result "OCSP" > "OCSP Signing" because 17153 " > SPACE. Changed script to store unquoted versions of 17154 names and add quotes on output. 
It was also omitting some 17155 names from the lookup table if they were given a default 17156 value (that is if SN is missing it is given the same 17157 value as LN and vice versa), these are now added on the 17158 grounds that if an object has a name we should be able to 17159 look it up. Finally added warning output when duplicate 17160 short or long names are found. 17161 17162 *Steve Henson* 17163 17164 * Changes needed for Tandem NSK. 17165 17166 *Scott Uroff <scott@xypro.com>* 17167 17168 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in 17169 RSA_padding_check_SSLv23(), special padding was never detected 17170 and thus the SSL 3.0/TLS 1.0 countermeasure against protocol 17171 version rollback attacks was not effective. 17172 17173 In s23_clnt.c, don't use special rollback-attack detection padding 17174 (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the 17175 client; similarly, in s23_srvr.c, don't do the rollback check if 17176 SSL 2.0 is the only protocol enabled in the server. 17177 17178 *Bodo Moeller* 17179 17180 * Make it possible to get hexdumps of unprintable data with 'openssl 17181 asn1parse'. By implication, the functions ASN1_parse_dump() and 17182 BIO_dump_indent() are added. 17183 17184 *Richard Levitte* 17185 17186 * New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() 17187 these print out strings and name structures based on various 17188 flags including RFC2253 support and proper handling of 17189 multibyte characters. Added options to the 'x509' utility 17190 to allow the various flags to be set. 17191 17192 *Steve Henson* 17193 17194 * Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. 17195 Also change the functions X509_cmp_current_time() and 17196 X509_gmtime_adj() work with an ASN1_TIME structure, 17197 this will enable certificates using GeneralizedTime in validity 17198 dates to be checked. 
17199 17200 *Steve Henson* 17201 17202 * Make the NEG_PUBKEY_BUG code (which tolerates invalid 17203 negative public key encodings) on by default, 17204 NO_NEG_PUBKEY_BUG can be set to disable it. 17205 17206 *Steve Henson* 17207 17208 * New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT 17209 content octets. An i2c_ASN1_OBJECT is unnecessary because 17210 the encoding can be trivially obtained from the structure. 17211 17212 *Steve Henson* 17213 17214 * crypto/err.c locking bugfix: Use write locks (`CRYPTO_w_[un]lock`), 17215 not read locks (`CRYPTO_r_[un]lock`). 17216 17217 *Bodo Moeller* 17218 17219 * A first attempt at creating official support for shared 17220 libraries through configuration. I've kept it so the 17221 default is static libraries only, and the OpenSSL programs 17222 are always statically linked for now, but there are 17223 preparations for dynamic linking in place. 17224 This has been tested on Linux and Tru64. 17225 17226 *Richard Levitte* 17227 17228 * Randomness polling function for Win9x, as described in: 17229 Peter Gutmann, Software Generation of Practically Strong 17230 Random Numbers. 17231 17232 *Ulf Möller* 17233 17234 * Fix so PRNG is seeded in req if using an already existing 17235 DSA key. 17236 17237 *Steve Henson* 17238 17239 * New options to smime application. -inform and -outform 17240 allow alternative formats for the S/MIME message including 17241 PEM and DER. The -content option allows the content to be 17242 specified separately. This should allow things like Netscape 17243 form signing output easier to verify. 17244 17245 *Steve Henson* 17246 17247 * Fix the ASN1 encoding of tags using the 'long form'. 17248 17249 *Steve Henson* 17250 17251 * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT 17252 STRING types. These convert content octets to and from the 17253 underlying type. The actual tag and length octets are 17254 already assumed to have been read in and checked. 
These 17255 are needed because all other string types have virtually 17256 identical handling apart from the tag. By having versions 17257 of the ASN1 functions that just operate on content octets 17258 IMPLICIT tagging can be handled properly. It also allows 17259 the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED 17260 and ASN1_INTEGER are identical apart from the tag. 17261 17262 *Steve Henson* 17263 17264 * Change the handling of OID objects as follows: 17265 17266 - New object identifiers are inserted in objects.txt, following 17267 the syntax given in [crypto/objects/README.md](crypto/objects/README.md). 17268 - objects.pl is used to process obj_mac.num and create a new 17269 obj_mac.h. 17270 - obj_dat.pl is used to create a new obj_dat.h, using the data in 17271 obj_mac.h. 17272 17273 This is currently kind of a hack, and the perl code in objects.pl 17274 isn't very elegant, but it works as I intended. The simplest way 17275 to check that it worked correctly is to look in obj_dat.h and 17276 check the array nid_objs and make sure the objects haven't moved 17277 around (this is important!). Additions are OK, as well as 17278 consistent name changes. 17279 17280 *Richard Levitte* 17281 17282 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). 17283 17284 *Bodo Moeller* 17285 17286 * Addition of the command line parameter '-rand file' to 'openssl req'. 17287 The given file adds to whatever has already been seeded into the 17288 random pool through the RANDFILE configuration file option or 17289 environment variable, or the default random state file. 17290 17291 *Richard Levitte* 17292 17293 * mkstack.pl now sorts each macro group into lexical order. 17294 Previously the output order depended on the order the files 17295 appeared in the directory, resulting in needless rewriting 17296 of safestack.h . 17297 17298 *Steve Henson* 17299 17300 * Patches to make OpenSSL compile under Win32 again. 
Mostly 17301 work arounds for the VC++ problem that it treats func() as 17302 func(void). Also stripped out the parts of mkdef.pl that 17303 added extra typesafe functions: these no longer exist. 17304 17305 *Steve Henson* 17306 17307 * Reorganisation of the stack code. The macros are now all 17308 collected in safestack.h . Each macro is defined in terms of 17309 a "stack macro" of the form `SKM_<name>(type, a, b)`. The 17310 DEBUG_SAFESTACK is now handled in terms of function casts, 17311 this has the advantage of retaining type safety without the 17312 use of additional functions. If DEBUG_SAFESTACK is not defined 17313 then the non typesafe macros are used instead. Also modified the 17314 mkstack.pl script to handle the new form. Needs testing to see 17315 if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK 17316 the default if no major problems. Similar behaviour for ASN1_SET_OF 17317 and PKCS12_STACK_OF. 17318 17319 *Steve Henson* 17320 17321 * When some versions of IIS use the 'NET' form of private key the 17322 key derivation algorithm is different. Normally MD5(password) is 17323 used as a 128 bit RC4 key. In the modified case 17324 MD5(MD5(password) + "SGCKEYSALT") is used instead. Added some 17325 new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same 17326 as the old Netscape_RSA functions except they have an additional 17327 'sgckey' parameter which uses the modified algorithm. Also added 17328 an -sgckey command line option to the rsa utility. Thanks to 17329 Adrian Peck <bertie@ncipher.com> for posting details of the modified 17330 algorithm to openssl-dev. 17331 17332 *Steve Henson* 17333 17334 * The evp_local.h macros were using 'c.##kname' which resulted in 17335 invalid expansion on some systems (SCO 5.0.5 for example). 17336 Corrected to 'c.kname'. 
17337 17338 *Phillip Porch <root@theporch.com>* 17339 17340 * New X509_get1_email() and X509_REQ_get1_email() functions that return 17341 a STACK of email addresses from a certificate or request, these look 17342 in the subject name and the subject alternative name extensions and 17343 omit any duplicate addresses. 17344 17345 *Steve Henson* 17346 17347 * Re-implement BN_mod_exp2_mont using independent (and larger) windows. 17348 This makes DSA verification about 2 % faster. 17349 17350 *Bodo Moeller* 17351 17352 * Increase maximum window size in `BN_mod_exp_...` to 6 bits instead of 5 17353 (meaning that now 2^5 values will be precomputed, which is only 4 KB 17354 plus overhead for 1024 bit moduli). 17355 This makes exponentiations about 0.5 % faster for 1024 bit 17356 exponents (as measured by "openssl speed rsa2048"). 17357 17358 *Bodo Moeller* 17359 17360 * Rename memory handling macros to avoid conflicts with other 17361 software: 17362 Malloc => OPENSSL_malloc 17363 Malloc_locked => OPENSSL_malloc_locked 17364 Realloc => OPENSSL_realloc 17365 Free => OPENSSL_free 17366 17367 *Richard Levitte* 17368 17369 * New function BN_mod_exp_mont_word for small bases (roughly 15% 17370 faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange). 17371 17372 *Bodo Moeller* 17373 17374 * CygWin32 support. 17375 17376 *John Jarvie <jjarvie@newsguy.com>* 17377 17378 * The type-safe stack code has been rejigged. It is now only compiled 17379 in when OpenSSL is configured with the DEBUG_SAFESTACK option and 17380 by default all type-specific stack functions are "#define"d back to 17381 standard stack functions. This results in more streamlined output 17382 but retains the type-safety checking possibilities of the original 17383 approach. 17384 17385 *Geoff Thorpe* 17386 17387 * The STACK code has been cleaned up, and certain type declarations 17388 that didn't make a lot of sense have been brought in line. 
This has 17389 also involved a cleanup of sorts in safestack.h to more correctly 17390 map type-safe stack functions onto their plain stack counterparts. 17391 This work has also resulted in a variety of "const"ifications of 17392 lots of the code, especially `_cmp` operations which should normally 17393 be prototyped with "const" parameters anyway. 17394 17395 *Geoff Thorpe* 17396 17397 * When generating bytes for the first time in md_rand.c, 'stir the pool' 17398 by seeding with STATE_SIZE dummy bytes (with zero entropy count). 17399 (The PRNG state consists of two parts, the large pool 'state' and 'md', 17400 where all of 'md' is used each time the PRNG is used, but 'state' 17401 is used only indexed by a cyclic counter. As entropy may not be 17402 well distributed from the beginning, 'md' is important as a 17403 chaining variable. However, the output function chains only half 17404 of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains 17405 all of 'md', and seeding with STATE_SIZE dummy bytes will result 17406 in all of 'state' being rewritten, with the new values depending 17407 on virtually all of 'md'. This overcomes the 80 bit limitation.) 17408 17409 *Bodo Moeller* 17410 17411 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when 17412 the handshake is continued after ssl_verify_cert_chain(); 17413 otherwise, if SSL_VERIFY_NONE is set, remaining error codes 17414 can lead to 'unexplainable' connection aborts later. 17415 17416 *Bodo Moeller; problem tracked down by Lutz Jaenicke* 17417 17418 * Major EVP API cipher revision. 17419 Add hooks for extra EVP features. This allows various cipher 17420 parameters to be set in the EVP interface. Support added for variable 17421 key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and 17422 setting of RC2 and RC5 parameters. 17423 17424 Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length 17425 ciphers. 
17426 17427 Remove lots of duplicated code from the EVP library. For example *every* 17428 cipher init() function handles the 'iv' in the same way according to the 17429 cipher mode. They also all do nothing if the 'key' parameter is NULL and 17430 for CFB and OFB modes they zero ctx->num. 17431 17432 New functionality allows removal of S/MIME code RC2 hack. 17433 17434 Most of the routines have the same form and so can be declared in terms 17435 of macros. 17436 17437 By shifting this to the top level EVP_CipherInit() it can be removed from 17438 all individual ciphers. If the cipher wants to handle IVs or keys 17439 differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT 17440 flags. 17441 17442 Change lots of functions like EVP_EncryptUpdate() to now return a 17443 value: although software versions of the algorithms cannot fail 17444 any installed hardware versions can. 17445 17446 *Steve Henson* 17447 17448 * Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if 17449 this option is set, tolerate broken clients that send the negotiated 17450 protocol version number instead of the requested protocol version 17451 number. 17452 17453 *Bodo Moeller* 17454 17455 * Call dh_tmp_cb (set by `..._TMP_DH_CB`) with correct 'is_export' flag; 17456 i.e. non-zero for export ciphersuites, zero otherwise. 17457 Previous versions had this flag inverted, inconsistent with 17458 rsa_tmp_cb (..._TMP_RSA_CB). 17459 17460 *Bodo Moeller; problem reported by Amit Chopra* 17461 17462 * Add missing DSA library text string. Work around for some IIS 17463 key files with invalid SEQUENCE encoding. 17464 17465 *Steve Henson* 17466 17467 * Add a document (doc/standards.txt) that list all kinds of standards 17468 and so on that are implemented in OpenSSL. 17469 17470 *Richard Levitte* 17471 17472 * Enhance c_rehash script. Old version would mishandle certificates 17473 with the same subject name hash and wouldn't handle CRLs at all. 
17474 Added -fingerprint option to crl utility, to support new c_rehash 17475 features. 17476 17477 *Steve Henson* 17478 17479 * Eliminate non-ANSI declarations in crypto.h and stack.h. 17480 17481 *Ulf Möller* 17482 17483 * Fix for SSL server purpose checking. Server checking was 17484 rejecting certificates which had extended key usage present 17485 but no ssl client purpose. 17486 17487 *Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>* 17488 17489 * Make PKCS#12 code work with no password. The PKCS#12 spec 17490 is a little unclear about how a blank password is handled. 17491 Since the password in encoded as a BMPString with terminating 17492 double NULL a zero length password would end up as just the 17493 double NULL. However no password at all is different and is 17494 handled differently in the PKCS#12 key generation code. NS 17495 treats a blank password as zero length. MSIE treats it as no 17496 password on export: but it will try both on import. We now do 17497 the same: PKCS12_parse() tries zero length and no password if 17498 the password is set to "" or NULL (NULL is now a valid password: 17499 it wasn't before) as does the pkcs12 application. 17500 17501 *Steve Henson* 17502 17503 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use 17504 perror when PEM_read_bio_X509_REQ fails, the error message must 17505 be obtained from the error queue. 17506 17507 *Bodo Moeller* 17508 17509 * Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing 17510 it in ERR_remove_state if appropriate, and change ERR_get_state 17511 accordingly to avoid race conditions (this is necessary because 17512 thread_hash is no longer constant once set). 17513 17514 *Bodo Moeller* 17515 17516 * Bugfix for linux-elf makefile.one. 17517 17518 *Ulf Möller* 17519 17520 * RSA_get_default_method() will now cause a default 17521 RSA_METHOD to be chosen if one doesn't exist already. 
17522 Previously this was only set during a call to RSA_new() 17523 or RSA_new_method(NULL) meaning it was possible for 17524 RSA_get_default_method() to return NULL. 17525 17526 *Geoff Thorpe* 17527 17528 * Added native name translation to the existing DSO code 17529 that will convert (if the flag to do so is set) filenames 17530 that are sufficiently small and have no path information 17531 into a canonical native form. Eg. "blah" converted to 17532 "libblah.so" or "blah.dll" etc. 17533 17534 *Geoff Thorpe* 17535 17536 * New function ERR_error_string_n(e, buf, len) which is like 17537 ERR_error_string(e, buf), but writes at most 'len' bytes 17538 including the 0 terminator. For ERR_error_string_n, 'buf' 17539 may not be NULL. 17540 17541 *Damien Miller <djm@mindrot.org>, Bodo Moeller* 17542 17543 * CONF library reworked to become more general. A new CONF 17544 configuration file reader "class" is implemented as well as a 17545 new functions (`NCONF_*`, for "New CONF") to handle it. The now 17546 old `CONF_*` functions are still there, but are reimplemented to 17547 work in terms of the new functions. Also, a set of functions 17548 to handle the internal storage of the configuration data is 17549 provided to make it easier to write new configuration file 17550 reader "classes" (I can definitely see something reading a 17551 configuration file in XML format, for example), called `_CONF_*`, 17552 or "the configuration storage API"... 17553 17554 The new configuration file reading functions are: 17555 17556 NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio, 17557 NCONF_get_section, NCONF_get_string, NCONF_get_numbre 17558 17559 NCONF_default, NCONF_WIN32 17560 17561 NCONF_dump_fp, NCONF_dump_bio 17562 17563 NCONF_default and NCONF_WIN32 are method (or "class") choosers, 17564 NCONF_new creates a new CONF object. This works in the same way 17565 as other interfaces in OpenSSL, like the BIO interface. 
17566 `NCONF_dump_*` dump the internal storage of the configuration file, 17567 which is useful for debugging. All other functions take the same 17568 arguments as the old `CONF_*` functions with the exception of the 17569 first that must be a `CONF *` instead of a `LHASH *`. 17570 17571 To make it easier to use the new classes with the old `CONF_*` functions, 17572 the function CONF_set_default_method is provided. 17573 17574 *Richard Levitte* 17575 17576 * Add '-tls1' option to 'openssl ciphers', which was already 17577 mentioned in the documentation but had not been implemented. 17578 (This option is not yet really useful because even the additional 17579 experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.) 17580 17581 *Bodo Moeller* 17582 17583 * Initial DSO code added into libcrypto for letting OpenSSL (and 17584 OpenSSL-based applications) load shared libraries and bind to 17585 them in a portable way. 17586 17587 *Geoff Thorpe, with contributions from Richard Levitte* 17588 17589### Changes between 0.9.5 and 0.9.5a [1 Apr 2000] 17590 17591 * Make sure _lrotl and _lrotr are only used with MSVC. 17592 17593 * Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status 17594 (the default implementation of RAND_status). 17595 17596 * Rename openssl x509 option '-crlext', which was added in 0.9.5, 17597 to '-clrext' (= clear extensions), as intended and documented. 17598 *Bodo Moeller; inconsistency pointed out by Michael Attili 17599 <attili@amaxo.com>* 17600 17601 * Fix for HMAC. It wasn't zeroing the rest of the block if the key length 17602 was larger than the MD block size. 17603 17604 *Steve Henson, pointed out by Yost William <YostW@tce.com>* 17605 17606 * Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument 17607 fix a leak when the ca argument was passed as NULL. 
Stop X509_PUBKEY_set() 17608 using the passed key: if the passed key was a private key the result 17609 of X509_print(), for example, would be to print out all the private key 17610 components. 17611 17612 *Steve Henson* 17613 17614 * des_quad_cksum() byte order bug fix. 17615 *Ulf Möller, using the problem description in krb4-0.9.7, where 17616 the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>* 17617 17618 * Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly 17619 discouraged. 17620 17621 *Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>* 17622 17623 * For easily testing in shell scripts whether some command 17624 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX' 17625 returns with exit code 0 iff no command of the given name is available. 17626 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases, 17627 the output goes to stdout and nothing is printed to stderr. 17628 Additional arguments are always ignored. 17629 17630 Since for each cipher there is a command of the same name, 17631 the 'no-cipher' compilation switches can be tested this way. 17632 17633 ('openssl no-XXX' is not able to detect pseudo-commands such 17634 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.) 17635 17636 *Bodo Moeller* 17637 17638 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration. 17639 17640 *Bodo Moeller* 17641 17642 * For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE 17643 is set; it will be thrown away anyway because each handshake creates 17644 its own key. 17645 ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition 17646 to parameters -- in previous versions (since OpenSSL 0.9.3) the 17647 'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning 17648 you effectively got SSL_OP_SINGLE_DH_USE when using this macro. 
17649 17650 *Bodo Moeller* 17651 17652 * New s_client option -ign_eof: EOF at stdin is ignored, and 17653 'Q' and 'R' lose their special meanings (quit/renegotiate). 17654 This is part of what -quiet does; unlike -quiet, -ign_eof 17655 does not suppress any output. 17656 17657 *Richard Levitte* 17658 17659 * Add compatibility options to the purpose and trust code. The 17660 purpose X509_PURPOSE_ANY is "any purpose" which automatically 17661 accepts a certificate or CA, this was the previous behaviour, 17662 with all the associated security issues. 17663 17664 X509_TRUST_COMPAT is the old trust behaviour: only and 17665 automatically trust self signed roots in certificate store. A 17666 new trust setting X509_TRUST_DEFAULT is used to specify that 17667 a purpose has no associated trust setting and it should instead 17668 use the value in the default purpose. 17669 17670 *Steve Henson* 17671 17672 * Fix the PKCS#8 DSA private key code so it decodes keys again 17673 and fix a memory leak. 17674 17675 *Steve Henson* 17676 17677 * In util/mkerr.pl (which implements 'make errors'), preserve 17678 reason strings from the previous version of the .c file, as 17679 the default to have only downcase letters (and digits) in 17680 automatically generated reasons codes is not always appropriate. 17681 17682 *Bodo Moeller* 17683 17684 * In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table 17685 using strerror. Previously, ERR_reason_error_string() returned 17686 library names as reason strings for SYSerr; but SYSerr is a special 17687 case where small numbers are errno values, not library numbers. 17688 17689 *Bodo Moeller* 17690 17691 * Add '-dsaparam' option to 'openssl dhparam' application. This 17692 converts DSA parameters into DH parameters. (When creating parameters, 17693 DSA_generate_parameters is used.) 17694 17695 *Bodo Moeller* 17696 17697 * Include 'length' (recommended exponent length) in C code generated 17698 by 'openssl dhparam -C'. 
17699 17700 *Bodo Moeller* 17701 17702 * The second argument to set_label in perlasm was already being used 17703 so couldn't be used as a "file scope" flag. Moved to third argument 17704 which was free. 17705 17706 *Steve Henson* 17707 17708 * In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes 17709 instead of RAND_bytes for encryption IVs and salts. 17710 17711 *Bodo Moeller* 17712 17713 * Include RAND_status() into RAND_METHOD instead of implementing 17714 it only for md_rand.c Otherwise replacing the PRNG by calling 17715 RAND_set_rand_method would be impossible. 17716 17717 *Bodo Moeller* 17718 17719 * Don't let DSA_generate_key() enter an infinite loop if the random 17720 number generation fails. 17721 17722 *Bodo Moeller* 17723 17724 * New 'rand' application for creating pseudo-random output. 17725 17726 *Bodo Moeller* 17727 17728 * Added configuration support for Linux/IA64 17729 17730 *Rolf Haberrecker <rolf@suse.de>* 17731 17732 * Assembler module support for Mingw32. 17733 17734 *Ulf Möller* 17735 17736 * Shared library support for HPUX (in shlib/). 17737 17738 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous* 17739 17740 * Shared library support for Solaris gcc. 17741 17742 *Lutz Behnke <behnke@trustcenter.de>* 17743 17744### Changes between 0.9.4 and 0.9.5 [28 Feb 2000] 17745 17746 * PKCS7_encrypt() was adding text MIME headers twice because they 17747 were added manually and by SMIME_crlf_copy(). 17748 17749 *Steve Henson* 17750 17751 * In bntest.c don't call BN_rand with zero bits argument. 17752 17753 *Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>* 17754 17755 * BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] 17756 case was implemented. This caused BN_div_recp() to fail occasionally. 17757 17758 *Ulf Möller* 17759 17760 * Add an optional second argument to the set_label() in the perl 17761 assembly language builder. 
   If this argument exists and is set
   to 1 it signals that the assembler should use a symbol whose
   scope is the entire file, not just the current function. This
   is needed with MASM which uses the format label:: for this scope.

   *Steve Henson, pointed out by Peter Runestig <peter@runestig.com>*

 * Change the ASN1 types so they are typedefs by default. Before
   almost all types were #define'd to ASN1_STRING which was causing
   STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
   for example.

   *Steve Henson*

 * Change names of new functions to the new get1/get0 naming
   convention: After 'get1', the caller owns a reference count
   and has to call `..._free`; 'get0' returns a pointer to some
   data structure without incrementing reference counters.
   (Some of the existing 'get' functions increment a reference
   counter, some don't.)
   Similarly, 'set1' and 'add1' functions increase reference
   counters or duplicate objects.

   *Steve Henson*

 * Allow for the possibility of temp RSA key generation failure:
   the code used to assume it always worked and crashed on failure.

   *Steve Henson*

 * Fix potential buffer overrun problem in BIO_printf().

   *Ulf Möller, using public domain code by Patrick Powell; problem
   pointed out by David Sacerdote <das33@cornell.edu>*

 * Support EGD <http://www.lothar.com/tech/crypto/>. New functions
   RAND_egd() and RAND_status(). In the command line application,
   the EGD socket can be specified like a seed file using RANDFILE
   or -rand.

   *Ulf Möller*

 * Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
   Some CAs (e.g. Verisign) distribute certificates in this form.

   *Steve Henson*

 * Remove the SSL_ALLOW_ADH compile option and set the default cipher
   list to exclude them.
   This means that no special compilation option
   is needed to use anonymous DH: it just needs to be included in the
   cipher list.

   *Steve Henson*

 * Change the EVP_MD_CTX_type macro so its meaning is consistent with
   EVP_MD_type. The old functionality is available in a new macro called
   EVP_MD_md(). Change code that uses it and update docs.

   *Steve Henson*

 * `..._ctrl` functions now have corresponding `..._callback_ctrl` functions
   where the `void *` argument is replaced by a function pointer argument.
   Previously `void *` was abused to point to functions, which works on
   many platforms, but is not correct. As these functions are usually
   called by macros defined in OpenSSL header files, most source code
   should work without changes.

   *Richard Levitte*

 * `<openssl/opensslconf.h>` (which is created by Configure) now contains
   sections with information on -D... compiler switches used for
   compiling the library so that applications can see them. To enable
   one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
   must be defined. E.g.,

           #define OPENSSL_ALGORITHM_DEFINES
           #include <openssl/opensslconf.h>

   defines all pertinent `NO_<algo>` symbols, such as NO_IDEA, NO_RSA, etc.

   *Richard Levitte, Ulf and Bodo Möller*

 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
   record layer.

   *Bodo Moeller*

 * Change the 'other' type in certificate aux info to a STACK_OF
   X509_ALGOR. Although not an AlgorithmIdentifier as such it has
   the required ASN1 format: arbitrary types determined by an OID.

   *Steve Henson*

 * Add some PEM_write_X509_REQ_NEW() functions and a command line
   argument to 'req'.
   This is not because the function is newer or
   better than others, it just uses the word 'NEW' in the certificate
   request header lines. Some software needs this.

   *Steve Henson*

 * Reorganise password command line arguments: now passwords can be
   obtained from various sources. Delete the PEM_cb function and make
   it the default behaviour: i.e. if the callback is NULL and the
   usrdata argument is not NULL interpret it as a null terminated pass
   phrase. If usrdata and the callback are NULL then the pass phrase
   is prompted for as usual.

   *Steve Henson*

 * Add support for the Compaq Atalla crypto accelerator. If it is installed,
   the support is automatically enabled. The resulting binaries will
   autodetect the card and use it if present.

   *Ben Laurie and Compaq Inc.*

 * Work around for Netscape hang bug. This sends certificate request
   and server done in one record. Since this is perfectly legal in the
   SSL/TLS protocol it isn't a "bug" option and is on by default. See
   the bugs/SSLv3 entry for more info.

   *Steve Henson*

 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.

   *Andy Polyakov*

 * Add -rand argument to smime and pkcs12 applications and read/write
   of seed file.

   *Steve Henson*

 * New 'passwd' tool for crypt(3) and apr1 password hashes.

   *Bodo Moeller*

 * Add command line password options to the remaining applications.

   *Steve Henson*

 * Bug fix for BN_div_recp() for numerators with an even number of
   bits.

   *Ulf Möller*

 * More tests in bntest.c, and changed test_bn output.

   *Ulf Möller*

 * ./config recognizes MacOS X now.

   *Andy Polyakov*

 * Bug fix for BN_div() when the first words of num and divisor are
   equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.

   *Ulf Möller*

 * Add support for various broken PKCS#8 formats, and command line
   options to produce them.

   *Steve Henson*

 * New functions BN_CTX_start(), BN_CTX_get() and BN_CTX_end() to
   get temporary BIGNUMs from a BN_CTX.

   *Ulf Möller*

 * Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
   for p == 0.

   *Ulf Möller*

 * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
   include a #define from the old name to the new. The original intent
   was that statically linked binaries could for example just call
   SSLeay_add_all_ciphers() to just add ciphers to the table and not
   link with digests. This never worked because SSLeay_add_all_digests()
   and SSLeay_add_all_ciphers() were in the same source file so calling
   one would link with the other. They are now in separate source files.

   *Steve Henson*

 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.

   *Steve Henson*

 * Use a less unusual form of the Miller-Rabin primality test (it used
   a binary algorithm for exponentiation integrated into the Miller-Rabin
   loop, our standard modexp algorithms are faster).

   *Bodo Moeller*

 * Support for the EBCDIC character set completed.

   *Martin Kraemer <Martin.Kraemer@Mch.SNI.De>*

 * Source code cleanups: use const where appropriate, eliminate casts,
   use `void *` instead of `char *` in lhash.

   *Ulf Möller*

 * Bugfix: ssl3_send_server_key_exchange was not restartable
   (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
   this the server could overwrite ephemeral keys that the client
   has already seen).

   *Bodo Moeller*

 * Turn DSA_is_prime into a macro that calls BN_is_prime,
   using 50 iterations of the Rabin-Miller test.

   DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
   iterations of the Rabin-Miller test as required by the appendix
   to FIPS PUB 186[-1]) instead of DSA_is_prime.
   As BN_is_prime_fasttest includes trial division, DSA parameter
   generation becomes much faster.

   This implies a change for the callback functions in DSA_is_prime
   and DSA_generate_parameters: The callback function is called once
   for each positive witness in the Rabin-Miller test, not just
   occasionally in the inner loop; and the parameters to the
   callback function now provide an iteration count for the outer
   loop rather than for the current invocation of the inner loop.
   DSA_generate_parameters additionally can call the callback
   function with an 'iteration count' of -1, meaning that a
   candidate has passed the trial division test (when q is generated
   from an application-provided seed, trial division is skipped).

   *Bodo Moeller*

 * New function BN_is_prime_fasttest that optionally does trial
   division before starting the Rabin-Miller test and has
   an additional BN_CTX * argument (whereas BN_is_prime always
   has to allocate at least one BN_CTX).
   'callback(1, -1, cb_arg)' is called when a number has passed the
   trial division stage.

   *Bodo Moeller*

 * Fix for bug in CRL encoding. The validity dates weren't being handled
   as ASN1_TIME.

   *Steve Henson*

 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.

   *Steve Henson*

 * New function BN_pseudo_rand().

   *Ulf Möller*

 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
   bignum version of BN_from_montgomery() with the working code from
   SSLeay 0.9.0 (the word based version is faster anyway), and clean up
   the comments.

   *Ulf Möller*

 * Avoid a race condition in s2_clnt.c (function get_server_hello) that
   made it impossible to use the same SSL_SESSION data structure in
   SSL2 clients in multiple threads.

   *Bodo Moeller*

 * The return value of RAND_load_file() no longer counts bytes obtained
   by stat(). RAND_load_file(..., -1) is new and uses the complete file
   to seed the PRNG (previously an explicit byte count was required).

   *Ulf Möller, Bodo Möller*

 * Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes,
   used `char *` instead of `void *` and had casts all over the place.

   *Steve Henson*

 * Make BN_generate_prime() return NULL on error if ret!=NULL.

   *Ulf Möller*

 * Retain source code compatibility for BN_prime_checks macro:
   BN_is_prime(..., BN_prime_checks, ...) now uses
   BN_prime_checks_for_size to determine the appropriate number of
   Rabin-Miller iterations.

   *Ulf Möller*

 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
   DH_CHECK_P_NOT_SAFE_PRIME.
   (Check if this is true? OpenPGP calls them "strong".)

   *Ulf Möller*

 * Merge the functionality of "dh" and "gendh" programs into a new program
   "dhparam". The old programs are retained for now but will handle DH keys
   (instead of parameters) in future.

   *Steve Henson*

 * Make the ciphers, s_server and s_client programs check the return values
   when a new cipher list is set.

   *Steve Henson*

 * Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
   ciphers. Before when the 56bit ciphers were enabled the sorting was
   wrong.

   The syntax for the cipher sorting has been extended to support sorting by
   cipher-strength (using the strength_bits hard coded in the tables).
   The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`).

   Fix a bug in the cipher-command parser: when supplying a cipher command
   string with an "undefined" symbol (neither command nor alphanumeric
   *A-Za-z0-9*), ssl_set_cipher_list used to hang in an endless loop. Now
   an error is flagged.

   Due to the strength-sorting extension, the code of the
   ssl_create_cipher_list() function was completely rearranged. I hope that
   the readability was also increased :-)

   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*

 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
   for the first serial number and places 2 in the serial number file. This
   avoids problems when the root CA is created with serial number zero and
   the first user certificate has the same issuer name and serial number
   as the root CA.

   *Steve Henson*

 * Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
   the new code. Add documentation for this stuff.

   *Steve Henson*

 * Changes to X509_ATTRIBUTE utilities. These have been renamed from
   `X509_*()` to `X509at_*()` on the grounds that they don't handle X509
   structures and behave in an analogous way to the X509v3 functions:
   they shouldn't be called directly but wrapper functions should be used
   instead.

   So we also now have some wrapper functions that call the X509at functions
   when passed certificate requests. (TO DO: similar things can be done with
   PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
   things. Some of these need some d2i or i2d and print functionality
   because they handle more complex structures.)

   *Steve Henson*

 * Add missing #ifndefs that caused missing symbols when building libssl
   as a shared library without RSA. Use #ifndef NO_SSL2 instead of
   NO_RSA in `ssl/s2*.c`.

   *Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller*

 * Precautions against using the PRNG uninitialized: RAND_bytes() now
   has a return value which indicates the quality of the random data
   (1 = ok, 0 = not seeded). Also an error is recorded on the thread's
   error queue. New function RAND_pseudo_bytes() generates output that is
   guaranteed to be unique but not unpredictable. RAND_add is like
   RAND_seed, but takes an extra argument for an entropy estimate
   (RAND_seed always assumes full entropy).

   *Ulf Möller*

 * Do more iterations of Rabin-Miller probable prime test (specifically,
   3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
   instead of only 2 for all lengths; see BN_prime_checks_for_size definition
   in crypto/bn/bn_prime.c for the complete table). This guarantees a
   false-positive rate of at most 2^-80 for random input.

   *Bodo Moeller*

 * Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.

   *Bodo Moeller*

 * New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
   in the 0.9.5 release), this returns the chain
   from an X509_CTX structure with a dup of the stack and all
   the X509 reference counts upped: so the stack will exist
   after X509_CTX_cleanup() has been called.
   Modify pkcs12.c to use this.

   Also make SSL_SESSION_print() print out the verify return
   code.

   *Steve Henson*

 * Add manpage for the pkcs12 command. Also change the default
   behaviour so MAC iteration counts are used unless the new
   -nomaciter option is used. This improves file security and
   only older versions of MSIE (4.0 for example) need it.

   *Steve Henson*

 * Honor the no-xxx Configure options when creating .DEF files.

   *Ulf Möller*

 * Add PKCS#10 attributes to field table: challengePassword,
   unstructuredName and unstructuredAddress. These are taken from
   draft PKCS#9 v2.0 but are compatible with v1.2 provided no
   international characters are used.

   More changes to X509_ATTRIBUTE code: allow the setting of types
   based on strings. Remove the 'loc' parameter when adding
   attributes because these will be a SET OF encoding which is sorted
   in ASN1 order.

   *Steve Henson*

 * Initial changes to the 'req' utility to allow request generation
   automation. This will allow an application to just generate a template
   file containing all the field values and have req construct the
   request.

   Initial support for X509_ATTRIBUTE handling. Stacks of these are
   used all over the place including certificate requests and PKCS#7
   structures. They are currently handled manually where necessary with
   some primitive wrappers for PKCS#7. The new functions behave in a
   manner analogous to the X509 extension functions: they allow
   attributes to be looked up by NID and added.

   Later something similar to the X509V3 code would be desirable to
   automatically handle the encoding, decoding and printing of the
   more complex types. The string types like challengePassword can
   be handled by the string table functions.

   Also modified the multi byte string table handling. Now there is
   a 'global mask' which masks out certain types. The table itself
   can use the flag STABLE_NO_MASK to ignore the mask setting: this
   is useful when for example there is only one permissible type
   (as in countryName) and using the mask might result in no valid
   types at all.

   *Steve Henson*

 * Clean up 'Finished' handling, and add functions SSL_get_finished and
   SSL_get_peer_finished to allow applications to obtain the latest
   Finished messages sent to the peer or expected from the peer,
   respectively. (SSL_get_peer_finished is usually the Finished message
   actually received from the peer, otherwise the protocol will be aborted.)

   As the Finished messages are message digests of the complete handshake
   (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
   be used for external authentication procedures when the authentication
   provided by SSL/TLS is not desired or is not enough.

   *Bodo Moeller*

 * Enhanced support for Alpha Linux is added. Now ./config checks if
   the host supports BWX extension and if Compaq C is present on the
   $PATH. Just exploiting the BWX extension results in 20-30%
   performance kick for some algorithms, e.g. DES and RC4 to mention
   a couple. Compaq C in turn generates ~20% faster code for MD5 and
   SHA1.

   *Andy Polyakov*

 * Add support for MS "fast SGC". This is arguably a violation of the
   SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
   weak crypto and after checking the certificate is SGC a second one
   with strong crypto. MS SGC stops the first handshake after receiving
   the server certificate message and sends a second client hello.
   Since
   a server will typically do all the time consuming operations before
   expecting any further messages from the client (server key exchange
   is the most expensive) there is little difference between the two.

   To get OpenSSL to support MS SGC we have to permit a second client
   hello message after we have sent server done. In addition we have to
   reset the MAC if we do get this second client hello.

   *Steve Henson*

 * Add a function 'd2i_AutoPrivateKey()'; this will automatically decide
   if a DER encoded private key is RSA or DSA traditional format. Changed
   d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
   format DER encoded private key. Newer code should use PKCS#8 format which
   has the key type encoded in the ASN1 structure. Added DER private key
   support to pkcs8 application.

   *Steve Henson*

 * SSL 3/TLS 1 servers now don't request certificates when an anonymous
   ciphersuite has been selected (as required by the SSL 3/TLS 1
   specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
   is set, we interpret this as a request to violate the specification
   (the worst that can happen is a handshake failure, and 'correct'
   behaviour would result in a handshake failure anyway).

   *Bodo Moeller*

 * In SSL_CTX_add_session, take into account that there might be multiple
   SSL_SESSION structures with the same session ID (e.g. when two threads
   concurrently obtain them from an external cache).
   The internal cache can handle only one SSL_SESSION with a given ID,
   so if there's a conflict, we now throw out the old one to achieve
   consistency.

   *Bodo Moeller*

 * Add OIDs for idea and blowfish in CBC mode. This will allow both
   to be used in PKCS#5 v2.0 and S/MIME.
   Also add checking to
   some routines that use cipher OIDs: some ciphers do not have OIDs
   defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
   example.

   *Steve Henson*

 * Simplify the trust setting structure and code. Now we just have
   two sequences of OIDs for trusted and rejected settings. These will
   typically have values the same as the extended key usage extension
   and any application specific purposes.

   The trust checking code now has a default behaviour: it will just
   check for an object with the same NID as the passed id. Functions can
   be provided to override either the default behaviour or the behaviour
   for a given id. SSL client, server and email already have functions
   in place for compatibility: they check the NID and also return "trusted"
   if the certificate is self signed.

   *Steve Henson*

 * Add d2i,i2d bio/fp functions for PrivateKey: these convert the
   traditional format into an EVP_PKEY structure.

   *Steve Henson*

 * Add a password callback function PEM_cb() which either prompts for
   a password if usr_data is NULL or otherwise assumes it is a null
   terminated password. Allow passwords to be passed on the command line,
   environment or config files in a few more utilities.

   *Steve Henson*

 * Add a bunch of DER and PEM functions to handle PKCS#8 format private
   keys. Add some short names for PKCS#8 PBE algorithms and allow them
   to be specified on the command line for the pkcs8 and pkcs12 utilities.
   Update documentation.

   *Steve Henson*

 * Support for ASN1 "NULL" type. This could be handled before by using
   ASN1_TYPE but there wasn't any function that would try to read a NULL
   and produce an error if it couldn't.
   For compatibility we also have
   ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
   don't allocate anything because they don't need to.

   *Steve Henson*

 * Initial support for MacOS is now provided. Examine INSTALL.MacOS
   for details.

   *Andy Polyakov, Roy Woods <roy@centicsystems.ca>*

 * Rebuild of the memory allocation routines used by OpenSSL code and
   possibly others as well. The purpose is to make an interface that
   provides hooks so anyone can build a separate set of allocation and
   deallocation routines to be used by OpenSSL, for example memory
   pool implementations, or something else, which was previously hard
   since Malloc(), Realloc() and Free() were defined as macros having
   the values malloc, realloc and free, respectively (except for Win32
   compilations). The same is provided for memory debugging code.
   OpenSSL already comes with functionality to find memory leaks, but
   this gives people a chance to debug other memory problems.

   With these changes, a new set of functions and macros have appeared:

           CRYPTO_set_mem_debug_functions()         [F]
           CRYPTO_get_mem_debug_functions()         [F]
           CRYPTO_dbg_set_options()                 [F]
           CRYPTO_dbg_get_options()                 [F]
           CRYPTO_malloc_debug_init()               [M]

   The memory debug functions are NULL by default, unless the library
   is compiled with CRYPTO_MDEBUG or friends defined. If someone
   wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
   gives the standard debugging functions that come with OpenSSL) or
   CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
   provided by the library user) must be used.
   When the standard
   debugging functions are used, CRYPTO_dbg_set_options can be used to
   request additional information:
   CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_xxx) corresponds to setting
   the CRYPTO_MDEBUG_xxx macro when compiling the library.

   Also, things like CRYPTO_set_mem_functions will always give the
   expected result (the new set of functions is used for allocation
   and deallocation) at all times, regardless of platform and compiler
   options.

   To finish it up, some functions that were never used in any other
   way than through macros have a new API and new semantic:

           CRYPTO_dbg_malloc()
           CRYPTO_dbg_realloc()
           CRYPTO_dbg_free()

   All macros of value have retained their old syntax.

   *Richard Levitte and Bodo Moeller*

 * Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
   ordering of SMIMECapabilities wasn't in "strength order" and there
   was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
   algorithm.

   *Steve Henson*

 * Some ASN1 types with illegal zero length encoding (INTEGER,
   ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.

   *Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson*

 * Merge in my S/MIME library for OpenSSL. This provides a simple
   S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
   functionality to handle multipart/signed properly) and a utility
   called 'smime' to call all this stuff. This is based on code I
   originally wrote for Celo who have kindly allowed it to be
   included in OpenSSL.

   *Steve Henson*

 * Add variants des_set_key_checked and des_set_key_unchecked of
   des_set_key (aka des_key_sched).
   Global variable des_check_key
   decides which of these is called by des_set_key; this way
   des_check_key behaves as it always did, but applications and
   the library itself, which was buggy for des_check_key == 1,
   have a cleaner way to pick the version they need.

   *Bodo Moeller*

 * New function PKCS12_newpass() which changes the password of a
   PKCS12 structure.

   *Steve Henson*

 * Modify X509_TRUST and X509_PURPOSE so they also use a static and
   dynamic mix. In both cases the ids can be used as an index into the
   table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
   functions so they accept a list of the field values and the
   application doesn't need to directly manipulate the X509_TRUST
   structure.

   *Steve Henson*

 * Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
   need initialising.

   *Steve Henson*

 * Modify the way the V3 extension code looks up extensions. This now
   works in a similar way to the object code: we have some "standard"
   extensions in a static table which is searched with OBJ_bsearch()
   and the application can add dynamic ones if needed. The file
   crypto/x509v3/ext_dat.h now has the info: this file needs to be
   updated whenever a new extension is added to the core code and kept
   in ext_nid order. There is a simple program 'tabtest.c' which checks
   this. New extensions are not added too often so this file can readily
   be maintained manually.

   There are two big advantages in doing things this way. The extensions
   can be looked up immediately and no longer need to be "added" using
   X509V3_add_standard_extensions(): this function now does nothing.
   Side note: I get *lots* of email saying the extension code doesn't
   work because people forget to call this function.
   Also no dynamic allocation is done unless new extensions are added:
   so if we don't add custom extensions there is no need to call
   X509V3_EXT_cleanup().

   *Steve Henson*

 * Modify enc utility's salting as follows: make salting the default. Add a
   magic header, so unsalted files fail gracefully instead of just decrypting
   to garbage. This is because not salting is a big security hole, so people
   should be discouraged from doing it.

   *Ben Laurie*

 * Fixes and enhancements to the 'x509' utility. It allowed a message
   digest to be passed on the command line but it only used this
   parameter when signing a certificate. Modified so all relevant
   operations are affected by the digest parameter including the
   -fingerprint and -x509toreq options. Also -x509toreq choked if a
   DSA key was used because it didn't fix the digest.

   *Steve Henson*

 * Initial certificate chain verify code. Currently tests the untrusted
   certificates for consistency with the verify purpose (which is set
   when the X509_STORE_CTX structure is set up) and checks the pathlength.

   There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
   this is because it will reject chains with invalid extensions whereas
   every previous version of OpenSSL and SSLeay made no checks at all.

   Trust code: checks the root CA for the relevant trust settings. Trust
   settings have an initial value consistent with the verify purpose: e.g.
   if the verify purpose is for SSL client use it expects the CA to be
   trusted for SSL client use. However the default value can be changed to
   permit custom trust settings: one example of this would be to only trust
   certificates from a specific "secure" set of CAs.

   Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
   which should be used for version portability: especially since the
   verify structure is likely to change more often now.

   SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
   to set them. If not set then assume SSL clients will verify SSL servers
   and vice versa.

   Two new options to the verify program: -untrusted allows a set of
   untrusted certificates to be passed in and -purpose which sets the
   intended purpose of the certificate. If a purpose is set then the
   new chain verify code is used to check extension consistency.

   *Steve Henson*

 * Support for the authority information access extension.

   *Steve Henson*

 * Modify RSA and DSA PEM read routines to transparently handle
   PKCS#8 format private keys. New `*_PUBKEY_*` functions that handle
   public keys in a format compatible with certificate
   SubjectPublicKeyInfo structures. Unfortunately there were already
   functions called `*_PublicKey_*` which used various odd formats so
   these are retained for compatibility: however the DSA variants were
   never in a public release so they have been deleted. Changed dsa/rsa
   utilities to handle the new format: note no releases ever handled public
   keys so we should be OK.

   The primary motivation for this change is to avoid the same fiasco
   that dogs private keys: there are several incompatible private key
   formats some of which are standard and some OpenSSL specific and
   require various evil hacks to allow partial transparent handling and
   even then it doesn't work with DER formats. Given the option anything
   other than PKCS#8 should be dumped: but the other formats have to
   stay in the name of compatibility.

   With public keys and the benefit of hindsight one standard format
   is used which works with EVP_PKEY, RSA or DSA structures: though
   it clearly returns an error if you try to read the wrong kind of key.

   Added a -pubkey option to the 'x509' utility to output the public key.
   Also rename the `EVP_PKEY_get_*()` to `EVP_PKEY_rget_*()`
   (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add
   `EVP_PKEY_rset_*()` functions (renamed to `EVP_PKEY_set1_*()`)
   that do the same as the `EVP_PKEY_assign_*()` except they up the
   reference count of the added key (they don't "swallow" the
   supplied key).

   *Steve Henson*

 * Fixes to crypto/x509/by_file.c: the code to read in certificates and
   CRLs would fail if the file contained no certificates or no CRLs:
   added a new function to read in both types and return the number
   read: this means that if none are read it will be an error. The
   DER versions of the certificate and CRL reader would always fail
   because it isn't possible to mix certificates and CRLs in DER format
   without choking one or the other routine. Changed this to just read
   a certificate: this is the best we can do. Also modified the code
   in `apps/verify.c` to take notice of return codes: it was previously
   attempting to read in certificates from NULL pointers and ignoring
   any errors: this is one reason why the cert and CRL reader seemed
   to work. It doesn't check return codes from the default certificate
   routines: these may well fail if the certificates aren't installed.

   *Steve Henson*

 * Code to support otherName option in GeneralName.

   *Steve Henson*

 * First update to verify code. Change the verify utility
   so it warns if it is passed a self signed certificate:
   for consistency with the normal behaviour.
   X509_verify has been modified so it will now verify a self signed
   certificate if *exactly* the same certificate appears
   in the store: it was previously impossible to trust a
   single self signed certificate. This means that:

       openssl verify ss.pem

   now gives a warning about a self signed certificate but

       openssl verify -CAfile ss.pem ss.pem

   is OK.

   *Steve Henson*

 * For servers, store verify_result in SSL_SESSION data structure
   (and add it to external session representation).
   This is needed when client certificate verification fails,
   but an application-provided verification callback (set by
   SSL_CTX_set_cert_verify_callback) allows accepting the session
   anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
   but returns 1): When the session is reused, we have to set
   ssl->verify_result to the appropriate error code to avoid
   security holes.

   *Bodo Moeller, problem pointed out by Lutz Jaenicke*

 * Fix a bug in the new PKCS#7 code: it didn't consider the
   case in PKCS7_dataInit() where the signed PKCS7 structure
   didn't contain any existing data because it was being created.

   *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*

 * Add a salt to the key derivation routines in enc.c. This
   forms the first 8 bytes of the encrypted file. Also add a
   -S option to allow a salt to be input on the command line.

   *Steve Henson*

 * New function X509_cmp(). Oddly enough there wasn't a function
   to compare two certificates. We do this by working out the SHA1
   hash and comparing that. X509_cmp() will be needed by the trust
   code.

   *Steve Henson*

 * SSL_get1_session() is like SSL_get_session(), but increments
   the reference count in the SSL_SESSION returned.

   *Geoff Thorpe <geoff@eu.c2.net>*

 * Fix for 'req': it was adding a null to request attributes.
   Also change the X509_LOOKUP and X509_INFO code to handle
   certificate auxiliary information.

   *Steve Henson*

 * Add support for 40 and 64 bit RC2 and RC4 algorithms: document
   the 'enc' command.

   *Steve Henson*

 * Add the possibility to add extra information to the memory leak
   detecting output, to form tracebacks, showing from where each
   allocation was originated: CRYPTO_push_info("constant string") adds
   the string plus current file name and line number to a per-thread
   stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
   is like calling CRYPTO_pop_info() until the stack is empty.
   Also updated memory leak detection code to be multi-thread-safe.

   *Richard Levitte*

 * Add options -text and -noout to pkcs7 utility and delete the
   encryption options which never did anything. Update docs.

   *Steve Henson*

 * Add options to some of the utilities to allow the pass phrase
   to be included on either the command line (not recommended on
   OSes like Unix) or read from the environment. Update the
   manpages and fix a few bugs.

   *Steve Henson*

 * Add a few manpages for some of the openssl commands.

   *Steve Henson*

 * Fix the -revoke option in ca. It was freeing up memory twice,
   leaking and not finding already revoked certificates.

   *Steve Henson*

 * Extensive changes to support certificate auxiliary information.
   This involves the use of X509_CERT_AUX structure and X509_AUX
   functions. An X509_AUX function such as PEM_read_X509_AUX()
   can still read in a certificate file in the usual way but it
   will also read in any additional "auxiliary information".
   By doing things this way a fair degree of compatibility can be
   retained: existing certificates can have this information added
   using the new 'x509' options.

   Current auxiliary information includes an "alias" and some trust
   settings. The trust settings will ultimately be used in enhanced
   certificate chain verification routines: currently a certificate
   can only be trusted if it is self signed and then it is trusted
   for all purposes.

   *Steve Henson*

 * Fix assembler for Alpha (tested only on DEC OSF not Linux or `*BSD`).
   The problem was that one of the replacement routines had not been working
   since SSLeay releases. For now the offending routine has been replaced
   with non-optimised assembler. Even so, this now gives around 95%
   performance improvement for 1024 bit RSA signs.

   *Mark Cox*

 * Hack to fix PKCS#7 decryption when used with some unorthodox RC2
   handling. Most clients have the effective key size in bits equal to
   the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
   A few however don't do this and instead use the size of the decrypted key
   to determine the RC2 key length and the AlgorithmIdentifier to determine
   the effective key length. In this case the effective key length can still
   be 40 bits but the key length can be 168 bits for example. This is fixed
   by manually forcing an RC2 key into the EVP_PKEY structure because the
   EVP code can't currently handle unusual RC2 key sizes: it always assumes
   the key length and effective key length are equal.

   *Steve Henson*

 * Add a bunch of functions that should simplify the creation of
   X509_NAME structures.
   Now you should be able to do:

       X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);

   and have it automatically work out the correct field type and fill in
   the structures. The more adventurous can try:

       X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);

   and it will (hopefully) work out the correct multibyte encoding.

   *Steve Henson*

 * Change the 'req' utility to use the new field handling and multibyte
   copy routines. Before, the DN field creation was handled in an ad hoc
   way in req, ca, and x509 which was rather broken and didn't support
   BMPStrings or UTF8Strings. Since some software doesn't implement
   BMPStrings or UTF8Strings yet, they can be enabled using the config file
   using the dirstring_type option. See the new comment in the default
   openssl.cnf for more info.

   *Steve Henson*

 * Make crypto/rand/md_rand.c more robust:
   - Assure unique random numbers after fork().
   - Make sure that concurrent threads access the global counter and
     md serializably so that we never lose entropy in them
     or use exactly the same state in multiple threads.
     Access to the large state is not always serializable because
     the additional locking could be a performance killer, and
     md should be large enough anyway.

   *Bodo Moeller*

 * New file `apps/app_rand.c` with commonly needed functionality
   for handling the random seed file.

   Use the random seed file in some applications that previously did not:
   ca,
   dsaparam -genkey (which also ignored its '-rand' option),
   s_client,
   s_server,
   x509 (when signing).
   Except on systems with /dev/urandom, it is crucial to have a random
   seed file at least for key creation, DSA signing, and for DH exchanges;
   for RSA signatures we could do without one.
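   The multibyte DN field handling introduced in the X509_NAME_add_entry_by_txt
   and 'req' entries above (pick the "minimal" string type that can hold the
   text, honouring a mask of permitted types) is illustrated by the following
   added example. It is not OpenSSL code: the mask constants, the two
   dirstring_type-style presets and the function names are this example's
   own, and T61String is approximated as Latin-1.

```python
"""Choose the minimal ASN.1 DirectoryString type for a DN field and DER-encode it.

Added example, not OpenSSL code. Given a mask of permitted types it picks the
most restrictive type able to hold every character, in the order
PrintableString, IA5String, T61String, BMPString, UTF8String.
"""

# Hypothetical mask bits for the permitted string types (this example's own).
PRINTABLE, IA5, T61, BMP, UTF8 = 1, 2, 4, 8, 16
DIRSTRING_PKIX = PRINTABLE | BMP | UTF8           # no T61String in DNs
DIRSTRING_DEFAULT = PRINTABLE | T61 | BMP | UTF8  # old-style, T61String allowed

# Universal tag numbers of the string types (X.680).
TAG = {PRINTABLE: 0x13, T61: 0x14, IA5: 0x16, UTF8: 0x0C, BMP: 0x1E}

_PRINTABLE_EXTRA = set(" '()+,-./:=?")


def _is_printable(ch):
    """PrintableString alphabet: A-Z a-z 0-9 and the characters above."""
    return ch.isascii() and (ch.isalnum() or ch in _PRINTABLE_EXTRA)


def choose_type(text, mask):
    """Return the minimal permitted type able to hold every char, or None."""
    cps = [ord(c) for c in text]
    if mask & PRINTABLE and all(_is_printable(c) for c in text):
        return PRINTABLE
    if mask & IA5 and all(cp < 0x80 for cp in cps):
        return IA5
    if mask & T61 and all(cp < 0x100 for cp in cps):
        return T61
    if mask & BMP and all(cp < 0x10000 for cp in cps):
        return BMP
    if mask & UTF8:
        return UTF8
    return None


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_dirstring(text, mask=DIRSTRING_PKIX):
    """DER TLV for `text` using the minimal permitted string type."""
    t = choose_type(text, mask)
    if t is None:
        raise ValueError("no permitted string type can represent %r" % text)
    if t == BMP:
        payload = text.encode("utf-16-be")       # BMPString is UCS-2 big-endian
    elif t == UTF8:
        payload = text.encode("utf-8")
    else:
        # PrintableString / IA5String are ASCII; T61String is approximated
        # here as Latin-1 (real T.61 differs for some characters).
        payload = text.encode("latin-1")
    return bytes([TAG[t]]) + _der_len(len(payload)) + payload
```

   With the PKIX preset "Steve" becomes a PrintableString, "Zoë" a BMPString
   and a character outside the BMP a UTF8String; with the old-style preset
   "Zoë" is emitted as a T61String instead, which is exactly the kind of
   interoperability choice the dirstring_type option exposes.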

   gendh and gendsa (unlike genrsa) used to read only the first byte
   of each file listed in the '-rand' option. The function as previously
   found in genrsa is now in app_rand.c and is used by all programs
   that support '-rand'.

   *Bodo Moeller*

 * In RAND_write_file, use mode 0600 for creating files;
   don't just chmod when it may be too late.

   *Bodo Moeller*

 * Report an error from X509_STORE_load_locations
   when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.

   *Bill Perry*

 * New function ASN1_mbstring_copy(): this copies a string in either
   ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
   into an ASN1_STRING type. A mask of permissible types is passed
   and it chooses the "minimal" type to use or returns an error if no
   type is suitable.

   *Steve Henson*

 * Add function equivalents to the various macros in asn1.h. The old
   macros are retained with an `M_` prefix. Code inside the library can
   use the `M_` macros. External code (including the openssl utility)
   should *NOT* in order to be "shared library friendly".

   *Steve Henson*

 * Add various functions that can check a certificate's extensions
   to see if it is usable for various purposes such as SSL client,
   server or S/MIME and CAs of these types. This is currently
   VERY EXPERIMENTAL but will ultimately be used for certificate chain
   verification. Also added a -purpose flag to x509 utility to
   print out all the purposes.

   *Steve Henson*

 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated
   functions.

   *Steve Henson*

 * New `X509V3_{X509,CRL,REVOKED}_get_d2i()` functions. These will search
   for, obtain and decode an extension and obtain its critical flag.
   This allows all the necessary extension code to be handled in a
   single function call.

   *Steve Henson*

 * RC4 tune-up featuring 30-40% performance improvement on most RISC
   platforms. See crypto/rc4/rc4_enc.c for further details.

   *Andy Polyakov*

 * New -noout option to asn1parse. This causes no output to be produced:
   its main use is when combined with -strparse and -out to extract data
   from a file (which may not be in ASN.1 format).

   *Steve Henson*

 * Fix for pkcs12 program. It was hashing an invalid certificate pointer
   when producing the local key id.

   *Richard Levitte <levitte@stacken.kth.se>*

 * New option -dhparam in s_server. This allows a DH parameter file to be
   stated explicitly. If it is not stated then it tries the first server
   certificate file. The previous behaviour hard coded the filename
   "server.pem".

   *Steve Henson*

 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
   a public key to be input or output. For example:

       openssl rsa -in key.pem -pubout -out pubkey.pem

   Also added necessary DSA public key functions to handle this.

   *Steve Henson*

 * Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
   in the message. This was handled by allowing
   X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.

   *Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>*

 * Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
   to the end of the strings whereas this didn't. This would cause problems
   if strings read with d2i_ASN1_bytes() were later modified.

   *Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>*

 * Fix for base64 decode bug.
   When a base64 bio reads only one line of
   data and it contains EOF it will end up returning an error. This is
   caused by input 46 bytes long. The cause is due to the way base64
   BIOs find the start of base64 encoded data. They do this by trying a
   trial decode on each line until they find one that works. When they
   do a flag is set and it starts again knowing it can pass all the
   data directly through the decoder. Unfortunately it doesn't reset
   the context it uses. This means that if EOF is reached an attempt
   is made to pass two EOFs through the context and this causes the
   resulting error. This can also cause other problems as well. As is
   usual with these problems it takes *ages* to find and the fix is
   trivial: move one line.

   *Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer)*

 * Ugly workaround to get s_client and s_server working under Windows. The
   old code wouldn't work because it needed to select() on sockets and the
   tty (for keypresses and to see if data could be written). Win32 only
   supports select() on sockets so we select() with a 1s timeout on the
   sockets and then see if any characters are waiting to be read, if none
   are present then we retry, we also assume we can always write data to
   the tty. This isn't nice because the code then blocks until we've
   received a complete line of data and it is effectively polling the
   keyboard at 1s intervals: however it's quite a bit better than not
   working at all :-) A dedicated Windows application might handle this
   with an event loop for example.

   *Steve Henson*

 * Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
   and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
   will be called when RSA_sign() and RSA_verify() are used.
   This is useful
   if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
   For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
   should *not* be used: RSA_sign() and RSA_verify() must be used instead.
   This necessitated the support of an extra signature type NID_md5_sha1
   for SSL signatures and modifications to the SSL library to use it instead
   of calling RSA_public_decrypt() and RSA_private_encrypt().

   *Steve Henson*

 * Add new -verify -CAfile and -CApath options to the crl program, these
   will lookup a CRL issuer's certificate and verify the signature in a
   similar way to the verify program. Tidy up the crl program so it
   no longer accesses structures directly. Make the ASN1 CRL parsing a bit
   less strict. It will now permit CRL extensions even if it is not
   a V2 CRL: this will allow it to tolerate some broken CRLs.

   *Steve Henson*

 * Initialize all non-automatic variables each time one of the openssl
   sub-programs is started (this is necessary as they may be started
   multiple times from the "OpenSSL>" prompt).

   *Lennart Bang, Bodo Moeller*

 * Preliminary compilation option RSA_NULL which disables RSA crypto without
   removing all other RSA functionality (this is what NO_RSA does). This
   is so (for example) those in the US can disable those operations covered
   by the RSA patent while allowing storage and parsing of RSA keys and RSA
   key generation.

   *Steve Henson*

 * Non-copying interface to BIO pairs.
   (still largely untested)

   *Bodo Moeller*

 * New function ASN1_tag2str() to convert an ASN1 tag to a descriptive
   ASCII string. This was handled independently in various places before.

   *Steve Henson*

 * New functions UTF8_getc() and UTF8_putc() that parse and generate
   UTF8 strings a character at a time.

   *Steve Henson*

 * Use client_version from client hello to select the protocol
   (s23_srvr.c) and for RSA client key exchange verification
   (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.

   *Bodo Moeller*

 * Add various utility functions to handle SPKACs, these were previously
   handled by poking round in the structure internals. Added new function
   NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
   print, verify and generate SPKACs. Based on an original idea from
   Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.

   *Steve Henson*

 * RIPEMD160 is operational on all platforms and is back in 'make test'.

   *Andy Polyakov*

 * Allow the config file extension section to be overwritten on the
   command line. Based on an original idea from Massimiliano Pala
   <madwolf@comune.modena.it>. The new option is called -extensions
   and can be applied to ca, req and x509. Also -reqexts to override
   the request extensions in req and -crlexts to override the crl extensions
   in ca.

   *Steve Henson*

 * Add new feature to the SPKAC handling in ca. Now you can include
   the same field multiple times by preceding it by "XXXX." for example:

       1.OU="Unit name 1"
       2.OU="Unit name 2"

   this is the same syntax as used in the req config file.

   *Steve Henson*

 * Allow certificate extensions to be added to certificate requests. These
   are specified in a 'req_extensions' option of the req section of the
   config file. They can be printed out with the -text option to req but
   are otherwise ignored at present.

   *Steve Henson*

 * Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
   data read consists of only the final block it would not be decrypted
   because EVP_CipherUpdate() would correctly report zero bytes had been
   decrypted. A misplaced 'break' also meant the decrypted final block
   might not be copied until the next read.

   *Steve Henson*

 * Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
   a few extra parameters to the DH structure: these will be useful if
   for example we want the value of 'q' or implement X9.42 DH.

   *Steve Henson*

 * Initial support for DSA_METHOD. This is based on the RSA_METHOD and
   provides hooks that allow the default DSA functions or functions on a
   "per key" basis to be replaced. This allows hardware acceleration and
   hardware key storage to be handled without major modification to the
   library. Also added low-level modexp hooks and CRYPTO_EX structure and
   associated functions.

   *Steve Henson*

 * Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
   as "read only": it can't be written to and the buffer it points to will
   not be freed. Reading from a read only BIO is much more efficient than
   a normal memory BIO. This was added because there are several times when
   an area of memory needs to be read from a BIO. The previous method was
   to create a memory BIO and write the data to it, this results in two
   copies of the data and an O(n^2) reading algorithm. There is a new
   function BIO_new_mem_buf() which creates a read only memory BIO from
   an area of memory. Also modified the PKCS#7 routines to use read only
   memory BIOs.

   *Steve Henson*

 * Bugfix: ssl23_get_client_hello did not work properly when called in
   state SSL23_ST_SR_CLNT_HELLO_B, i.e.
   when the first 7 bytes of
   an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
   but a retry condition occurred while trying to read the rest.

   *Bodo Moeller*

 * The PKCS7_ENC_CONTENT_new() function was setting the content type as
   NID_pkcs7_encrypted by default: this was wrong since this should almost
   always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
   the encrypted data type: this is a more sensible place to put it and it
   allows the PKCS#12 code to be tidied up that duplicated this
   functionality.

   *Steve Henson*

 * Changed obj_dat.pl script so it takes its input and output files on
   the command line. This should avoid shell escape redirection problems
   under Win32.

   *Steve Henson*

 * Initial support for certificate extension requests, these are included
   in things like Xenroll certificate requests. Included functions to allow
   extensions to be obtained and added.

   *Steve Henson*

 * -crlf option to s_client and s_server for sending newlines as
   CRLF (as required by many protocols).

   *Bodo Moeller*

### Changes between 0.9.3a and 0.9.4 [09 Aug 1999]

 * Install libRSAglue.a when OpenSSL is built with RSAref.

   *Ralf S. Engelschall*

 * A few more `#ifndef NO_FP_API / #endif` pairs for consistency.

   *Andrija Antonijevic <TheAntony2@bigfoot.com>*

 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
   program.

   *Steve Henson*

 * New function DSA_dup_DH, which duplicates DSA parameters/keys as
   DH parameters/keys (q is lost during that conversion, but the resulting
   DH parameters contain its length).
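   The small subgroup risk that this DSA_dup_DH entry warns about when a DH
   exponent is reused without SSL_OP_SINGLE_DH_USE is illustrated by the
   following added example. It is not OpenSSL code: the group parameters are
   a constructed toy (p = 23, q = 11, g = 2) and the function names are this
   example's own. With DSA-style parameters the generator has prime order q
   much smaller than p, so elements of other small orders exist in Z_p^*; a
   peer who sends one learns the private exponent modulo that order from the
   resulting shared secret, which is harmless only if the exponent is never
   used again.

```python
"""Small subgroup confinement against a reused DH exponent, and two defences.

Added example, not OpenSSL code. Defence 1: a fresh exponent per exchange
(what SSL_OP_SINGLE_DH_USE selects). Defence 2: reject any peer public value
that is not in the order-q subgroup, i.e. y^q != 1 (mod p).
"""
import secrets

# Constructed toy group (NOT for real use): p = 2*q + 1 with q = 11, and
# g = 2 generates the order-q subgroup. The only other non-trivial element
# order is 2, realised by p - 1; a DSA-style p has many more small factors
# in (p-1)/q, which an attacker probes one at a time.
TOY_P, TOY_Q, TOY_G = 23, 11, 2


def in_prime_order_subgroup(y, p, q):
    """True iff 1 < y < p-1 and y^q == 1 (mod p), i.e. y has order q."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_keypair(p, q, g):
    """Fresh ephemeral exponent in [1, q-1] and the matching public value."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def dh_shared_secret(peer_pub, priv, p, q, check=True):
    """peer_pub^priv mod p; refuses values outside the subgroup when check=True."""
    if check and not in_prime_order_subgroup(peer_pub, p, q):
        raise ValueError("peer public value is not in the order-q subgroup")
    return pow(peer_pub, priv, p)


def small_subgroup_probe(reused_priv, p):
    """Attacker sends the order-2 element p-1 and learns reused_priv mod 2.

    Without the subgroup check the victim computes (p-1)^x mod p, which is
    1 for even x and p-1 for odd x. Whether the attacker can tell the two
    apart depends on the protocol (e.g. whether the derived keys verify a
    MAC); in a DSA-style group the same probe is repeated for every small
    prime factor of (p-1)/q and x is recovered by the CRT. If x is single
    use, the leaked residue is worthless.
    """
    s = dh_shared_secret(p - 1, reused_priv, p, None, check=False)
    return 0 if s == 1 else 1


def exchange_with_check(p, q, g):
    """Two honest parties with single-use exponents agree on a secret."""
    xa, ya = dh_keypair(p, q, g)
    xb, yb = dh_keypair(p, q, g)
    return dh_shared_secret(yb, xa, p, q), dh_shared_secret(ya, xb, p, q)
```

   Both defences are cheap next to the exponentiation itself; the subgroup
   check costs one extra pow() per handshake, which with a 160-bit q is the
   same cost the entry quotes for the exchange.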

   For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
   much faster than DH_generate_parameters (which creates parameters
   where `p = 2*q + 1`), and also the smaller q makes DH computations
   much more efficient (160-bit exponentiation instead of 1024-bit
   exponentiation); so this provides a convenient way to support DHE
   ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
   utter importance to use

       SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);

   or

       SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);

   when such DH parameters are used, because otherwise small subgroup
   attacks may become possible!

   *Bodo Moeller*

 * Avoid memory leak in i2d_DHparams.

   *Bodo Moeller*

 * Allow the -k option to be used more than once in the enc program:
   this allows the same encrypted message to be read by multiple recipients.

   *Steve Henson*

 * New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
   an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
   it will always use the numerical form of the OID, even if it has a short
   or long name.

   *Steve Henson*

 * Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
   method only got called if p,q,dmp1,dmq1,iqmp components were present,
   otherwise bn_mod_exp was called. In the case of hardware keys for example
   no private key components need be present and it might store extra data
   in the RSA structure, which cannot be accessed from bn_mod_exp.
   By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
   private key operations.

   *Steve Henson*

 * Added support for SPARC Linux.

   *Andy Polyakov*

 * pem_password_cb function type incompatibly changed from

       typedef int pem_password_cb(char *buf, int size, int rwflag);

   to

       ....(char *buf, int size, int rwflag, void *userdata);

   so that applications can pass data to their callbacks:
   The `PEM[_ASN1]_{read,write}...` functions and macros now take an
   additional void * argument, which is just handed through whenever
   the password callback is called.

   *Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller*

   New function SSL_CTX_set_default_passwd_cb_userdata.

   Compatibility note: As many C implementations push function arguments
   onto the stack in reverse order, the new library version is likely to
   interoperate with programs that have been compiled with the old
   pem_password_cb definition (PEM_whatever takes some data that
   happens to be on the stack as its last argument, and the callback
   just ignores this garbage); but there is no guarantee whatsoever that
   this will work.

 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
   (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
   problems not only on Windows, but also on some Unix platforms.
   To avoid problematic command lines, these definitions are now in an
   auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
   for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).

   *Bodo Moeller*

 * MIPS III/IV assembler module is reimplemented.

   *Andy Polyakov*

 * More DES library cleanups: remove references to srand/rand and
   delete an unused file.

   *Ulf Möller*

 * Add support for the free Netwide assembler (NASM) under Win32,
   since not many people have MASM (ml) and it can be hard to obtain.
   This is currently experimental but it seems to work OK and pass all
   the tests. Check out INSTALL.W32 for info.

   *Steve Henson*

 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
   without temporary keys kept an extra copy of the server key,
   and connections with temporary keys did not free everything in case
   of an error.

   *Bodo Moeller*

 * New function RSA_check_key and new openssl rsa option -check
   for verifying the consistency of RSA keys.

   *Ulf Moeller, Bodo Moeller*

 * Various changes to make Win32 compile work:
   1. Casts to avoid "loss of data" warnings in p5_crpt2.c
   2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
      comparison" warnings.
   3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.

   *Steve Henson*

 * Add a debugging option to PKCS#5 v2 key generation function: when
   you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
   derived keys are printed to stderr.

   *Steve Henson*

 * Copy the flags in ASN1_STRING_dup().

   *Roman E. Pavlov <pre@mo.msk.ru>*

 * The x509 application mishandled signing requests containing DSA
   keys when the signing key was also DSA and the parameters didn't match.

   It was supposed to omit the parameters when they matched the signing key:
   the verifying software was then supposed to automatically use the CA's
   parameters if they were absent from the end user certificate.

   Omitting parameters is no longer recommended. The test was also
   the wrong way round! This was probably due to unusual behaviour in
   EVP_cmp_parameters() which returns 1 if the parameters match.
   This meant that parameters were omitted when they *didn't* match and
   the certificate was useless. Certificates signed with 'ca' didn't have
   this bug.

   *Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>*

 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
   The interface is as follows:
   Applications can use

       CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
       CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();

   "off" is now the default.
   The library internally uses

       CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
       CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()

   to disable memory-checking temporarily.

   Some inconsistent states that previously were possible (and were
   even the default) are now avoided.

   -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
   with each memory chunk allocated; this is occasionally more helpful
   than just having a counter.

   -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.

   -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
   extensions.

   *Bodo Moeller*

 * Introduce "mode" for SSL structures (with defaults in SSL_CTX),
   which largely parallels "options", but is for changing API behaviour,
   whereas "options" are about protocol behaviour.
   Initial "mode" flags are:

       SSL_MODE_ENABLE_PARTIAL_WRITE       Allow SSL_write to report success when
                                           a single record has been written.
       SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write
                                           retries use the same buffer location.
                                           (But all of the contents must be
                                           copied!)

   *Bodo Moeller*

 * Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
   worked.

 * Fix problems with no-hmac etc.

   *Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>*

 * New functions RSA_get_default_method(), RSA_set_method() and
   RSA_get_method().
   These allow replacement of RSA_METHODs without having
   to mess around with the internals of an RSA structure.

   *Steve Henson*

 * Fix memory leaks in DSA_do_sign and DSA_is_prime.
   Also really enable memory leak checks in openssl.c and in some
   test programs.

   *Chad C. Mulligan, Bodo Moeller*

 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
   up the length of negative integers. This has now been simplified to just
   store the length when it is first determined and use it later, rather
   than trying to keep track of where data is copied and updating it to
   point to the end.

   *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*

 * Add a new function PKCS7_signatureVerify. This allows the verification
   of a PKCS#7 signature but with the signing certificate passed to the
   function itself. This contrasts with PKCS7_dataVerify which assumes the
   certificate is present in the PKCS#7 structure. This isn't always the
   case: certificates can be omitted from a PKCS#7 structure and be
   distributed by "out of band" means (such as a certificate database).

   *Steve Henson*

 * Complete the `PEM_*` macros with DECLARE_PEM versions to replace the
   function prototypes in pem.h, also change util/mkdef.pl to add the
   necessary function names.

   *Steve Henson*

 * mk1mf.pl (used by Windows builds) did not properly read the
   options set by Configure in the top level Makefile, and Configure
   was not even able to write more than one option correctly.
   Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.

   *Bodo Moeller*

 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
   file to be loaded from a BIO or FILE pointer. The BIO version will
   for example allow memory BIOs to contain config info.

   *Steve Henson*

 * New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
   Whoever hopes to achieve shared-library compatibility across versions
   must use this, not the compile-time macro.
   (Exercise 0.9.4: Which is the minimum library version required by
   such programs?)
   Note: All this applies only to multi-threaded programs, others don't
   need locks.

   *Bodo Moeller*

 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
   through a BIO pair triggered the default case, i.e.
   SSLerr(...,SSL_R_UNKNOWN_STATE).

   *Bodo Moeller*

 * New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
   can use the SSL library even if none of the specific BIOs is
   appropriate.

   *Bodo Moeller*

 * Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
   for the encoded length.

   *Jeon KyoungHo <khjeon@sds.samsung.co.kr>*

 * Add initial documentation of the X509V3 functions.

   *Steve Henson*

 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
   PEM_write_bio_PKCS8PrivateKey() that are equivalent to
   PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
   secure PKCS#8 private key format with a high iteration count.

   *Steve Henson*

 * Fix determination of Perl interpreter: A perl or perl5
   *directory* in $PATH was also accepted as the interpreter.

   *Ralf S. Engelschall*

 * Fix demos/sign/sign.c: well there wasn't anything strictly speaking
   wrong with it but it was very old and did things like calling
   PEM_ASN1_read() directly and used MD5 for the hash not to mention some
   unusual formatting.

   *Steve Henson*

 * Fix demos/selfsign.c: it used obsolete and deleted functions, changed
   to use the new extension code.

   *Steve Henson*

 * Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
   with macros. This should make it easier to change their form, add extra
   arguments etc. Fix a few PEM prototypes which didn't have cipher as a
   constant.

   *Steve Henson*

 * Add to configuration table a new entry that can specify an alternative
   name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
   according to Mark Crispin <MRC@Panda.COM>.

   *Bodo Moeller*

 * DES CBC did not update the IV. Weird.

   *Ben Laurie*

   des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
   Changing the behaviour of the former might break existing programs --
   where IV updating is needed, des_ncbc_encrypt can be used.

 * When bntest is run from "make test" it drives bc to check its
   calculations, as well as internally checking them. If an internal check
   fails, it needs to cause bc to give a non-zero result or make test carries
   on without noticing the failure. Fixed.

   *Ben Laurie*

 * DES library cleanups.

   *Ulf Möller*

 * Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
   used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
   ciphers. NOTE: although the key derivation function has been verified
   against some published test vectors it has not been extensively tested
   yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
   of v2.0.

   *Steve Henson*

 * Instead of "mkdir -p", which is not fully portable, use new
   Perl script "util/mkdir-p.pl".

   *Bodo Moeller*

 * Rewrite the way password based encryption (PBE) is handled. It used to
   assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
   structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
   but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
   the 'parameter' field of the AlgorithmIdentifier is passed to the
   underlying key generation function so it must do its own ASN1 parsing.
   This has also changed the EVP_PBE_CipherInit() function which now has a
   'parameter' argument instead of literal salt and iteration count values
   and the function EVP_PBE_ALGOR_CipherInit() has been deleted.

   *Steve Henson*

 * Support for PKCS#5 v1.5 compatible password based encryption algorithms
   and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
   Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
   KEY" because this clashed with PKCS#8 unencrypted string. Since this
   value was just used as a "magic string" and not used directly its
   value doesn't matter.

   *Steve Henson*

 * Introduce some semblance of const correctness to BN. Shame C doesn't
   support mutable.

   *Ben Laurie*

 * "linux-sparc64" configuration (ultrapenguin).

   *Ray Miller <ray.miller@oucs.ox.ac.uk>*

 * "linux-sparc" configuration.

   *Christian Forster <fo@hawo.stw.uni-erlangen.de>*

 * config now generates no-xxx options for missing ciphers.

   *Ulf Möller*

 * Support the EBCDIC character set (work in progress).
   File ebcdic.c not yet included because it has a different license.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*

 * Support BS2000/OSD-POSIX.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*

 * Make callbacks for key generation use `void *` instead of `char *`.

   *Ben Laurie*

 * Make S/MIME samples compile (not yet tested).

   *Ben Laurie*

 * Additional typesafe stacks.

   *Ben Laurie*

 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).

   *Bodo Moeller*

### Changes between 0.9.3 and 0.9.3a [29 May 1999]

 * New configuration variant "sco5-gcc".

 * Updated some demos.

   *Sean O Riordain, Wade Scholine*

 * Add missing BIO_free at exit of pkcs12 application.

   *Wu Zhigang*

 * Fix memory leak in conf.c.

   *Steve Henson*

 * Updates for Win32 to assembler version of MD5.

   *Steve Henson*

 * Set #! path to perl in `apps/der_chop` to where we found it
   instead of using a fixed path.

   *Bodo Moeller*

 * SHA library changes for irix64-mips4-cc.

   *Andy Polyakov*

 * Improvements for VMS support.

   *Richard Levitte*

### Changes between 0.9.2b and 0.9.3 [24 May 1999]

 * Bignum library bug fix. IRIX 6 passes "make test" now!
   This also avoids the problems with SC4.2 and unpatched SC5.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * New functions sk_num, sk_value and sk_set to replace the previous macros.
   These are required because the typesafe stack would otherwise break
   existing code. If old code used a structure member which used to be STACK
   and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
   sk_num or sk_value it would produce an error because the num, data members
   are not present in STACK_OF. Now it just produces a warning. sk_set
   replaces the old method of assigning a value to sk_value
   (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
   that does this will no longer work (and should use sk_set instead) but
   this could be regarded as a "questionable" behaviour anyway.

   *Steve Henson*

 * Fix most of the other PKCS#7 bugs. The "experimental" code can now
   correctly handle encrypted S/MIME data.

   *Steve Henson*

 * Change type of various DES function arguments from des_cblock
   (which means, in function argument declarations, pointer to char)
   to des_cblock * (meaning pointer to array with 8 char elements),
   which allows the compiler to do more typechecking; it was like
   that back in SSLeay, but with lots of ugly casts.

   Introduce new type const_des_cblock.

   *Bodo Moeller*

 * Reorganise the PKCS#7 library and get rid of some of the more obvious
   problems: find RecipientInfo structure that matches recipient certificate
   and initialise the ASN1 structures properly based on passed cipher.

   *Steve Henson*

 * Belatedly make the BN tests actually check the results.

   *Ben Laurie*

 * Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
   to and from BNs: it was completely broken. New compilation option
   NEG_PUBKEY_BUG to allow for some broken certificates that encode public
   key elements as negative integers.

   *Steve Henson*

 * Reorganize and speed up MD5.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * VMS support.

   *Richard Levitte <richard@levitte.org>*

 * New option -out to asn1parse to allow the parsed structure to be
   output to a file. This is most useful when combined with the -strparse
   option to examine the output of things like OCTET STRINGS.

   *Steve Henson*

 * Make SSL library a little more fool-proof by not requiring any longer
   that `SSL_set_{accept,connect}_state` be called before
   `SSL_{accept,connect}` may be used (`SSL_set_..._state` is omitted
   in many applications because usually everything *appeared* to work as
   intended anyway -- now it really works as intended).

   *Bodo Moeller*

 * Move openssl.cnf out of lib/.

   *Ulf Möller*

 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
   -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
   -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+

   *Ralf S. Engelschall*

 * Various fixes to the EVP and PKCS#7 code. It may now be able to
   handle PKCS#7 enveloped data properly.

   *Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve*

 * Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
   copying pointers. The cert_st handling is changed by this in
   various ways (and thus what used to be known as ctx->default_cert
   is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
   any longer when s->cert does not give us what we need).
   ssl_cert_instantiate becomes obsolete by this change.
   As soon as we've got the new code right (possibly it already is?),
   we have solved a couple of bugs of the earlier code where s->cert
   was used as if it could not have been shared with other SSL structures.

   Note that using the SSL API in certain dirty ways now will result
   in different behaviour than observed with earlier library versions:
   Changing settings for an `SSL_CTX *ctx` after having done s = SSL_new(ctx)
   does not influence s as it used to.

   In order to clean up things more thoroughly, inside SSL_SESSION
   we don't use CERT any longer, but a new structure SESS_CERT
   that holds per-session data (if available); currently, this is
   the peer's certificate chain and, for clients, the server's certificate
   and temporary key. CERT holds only those values that can have
   meaningful defaults in an SSL_CTX.

   *Bodo Moeller*

 * New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
   from the internal representation. Various PKCS#7 fixes: remove some
   evil casts and set the enc_dig_alg field properly based on the signing
   key type.

   *Steve Henson*

 * Allow PKCS#12 password to be set from the command line or the
   environment. Let 'ca' get its config file name from the environment
   variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
   and 'x509').

   *Steve Henson*

 * Allow certificate policies extension to use an IA5STRING for the
   organization field. This is contrary to the PKIX definition but
   VeriSign uses it and IE5 only recognises this form. Document 'x509'
   extension option.

   *Steve Henson*

 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
   without disallowing inline assembler and the like for non-pedantic builds.

   *Ben Laurie*

 * Support Borland C++ builder.

   *Janez Jere <jj@void.si>, modified by Ulf Möller*

 * Support Mingw32.

   *Ulf Möller*

 * SHA-1 cleanups and performance enhancements.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Sparc v8plus assembler for the bignum library.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Accept any -xxx and +xxx compiler options in Configure.

   *Ulf Möller*

 * Update HPUX configuration.

   *Anonymous*

 * Add missing `sk_<type>_unshift()` function to safestack.h

   *Ralf S. Engelschall*

 * New function SSL_CTX_use_certificate_chain_file that sets the
   "extra_cert"s in addition to the certificate. (This makes sense
   only for "PEM" format files, as chains as a whole are not
   DER-encoded.)

   *Bodo Moeller*

 * Support verify_depth from the SSL API.
   x509_vfy.c had what can be considered an off-by-one-error:
   Its depth (which was not part of the external interface)
   was actually counting the number of certificates in a chain;
   now it really counts the depth.

   *Bodo Moeller*

 * Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
   instead of X509err, which often resulted in confusing error
   messages since the error codes are not globally unique
   (e.g. an alleged error in ssl3_accept when a certificate
   didn't match the private key).

 * New function SSL_CTX_set_session_id_context that allows setting a default
   value (so that you don't need SSL_set_session_id_context for each
   connection using the SSL_CTX).

   *Bodo Moeller*

 * OAEP decoding bug fix.

   *Ulf Möller*

 * Support INSTALL_PREFIX for package builders, as proposed by
   David Harris.

   *Bodo Moeller*

 * New Configure options "threads" and "no-threads". For systems
   where the proper compiler options are known (currently Solaris
   and Linux), "threads" is the default.

   *Bodo Moeller*

 * New script util/mklink.pl as a faster substitute for util/mklink.sh.

   *Bodo Moeller*

 * Install various scripts to $(OPENSSLDIR)/misc, not to
   $(INSTALLTOP)/bin -- they shouldn't clutter directories
   such as /usr/local/bin.

   *Bodo Moeller*

 * "make linux-shared" to build shared libraries.

   *Niels Poppe <niels@netbox.org>*

 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).

   *Ulf Möller*

 * Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
   extension adding in x509 utility.

   *Steve Henson*

 * Remove NOPROTO sections and error code comments.

   *Ulf Möller*

 * Partial rewrite of the DEF file generator to now parse the ANSI
   prototypes.

   *Steve Henson*

 * New Configure options --prefix=DIR and --openssldir=DIR.

   *Ulf Möller*

 * Complete rewrite of the error code script(s). It is all now handled
   by one script at the top level which handles error code gathering,
   header rewriting and C source file generation. It should be much better
   than the old method: it now uses a modified version of Ulf's parser to
   read the ANSI prototypes in all header files (thus the old K&R definitions
   aren't needed for error creation any more) and do a better job of
   translating function codes into names. The old 'ASN1 error code embedded
   in a comment' is no longer necessary and it doesn't use .err files which
   have now been deleted. Also the error code call doesn't have to appear all
   on one line (which resulted in some large lines...).

   *Steve Henson*

 * Change #include filenames from `<foo.h>` to `<openssl/foo.h>`.

   *Bodo Moeller*

 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
   0 (which usually indicates a closed connection), but continue reading.

   *Bodo Moeller*

 * Fix some race conditions.

   *Bodo Moeller*

 * Add support for CRL distribution points extension. Add Certificate
   Policies and CRL distribution points documentation.

   *Steve Henson*

 * Move the autogenerated header file parts to crypto/opensslconf.h.

   *Ulf Möller*

 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
   8 of keying material. Merlin has also confirmed interop with this fix
   between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.

   *Merlin Hughes <merlin@baltimore.ie>*

 * Fix lots of warnings.

   *Richard Levitte <levitte@stacken.kth.se>*

 * In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
   the directory spec didn't end with a LIST_SEPARATOR_CHAR.

   *Richard Levitte <levitte@stacken.kth.se>*

 * Fix problems with sizeof(long) == 8.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Change functions to ANSI C.

   *Ulf Möller*

 * Fix typos in error codes.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller*

 * Remove defunct assembler files from Configure.

   *Ulf Möller*

 * SPARC v8 assembler BIGNUM implementation.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Support for Certificate Policies extension: both print and set.
   Various additions to support the r2i method this uses.

   *Steve Henson*

 * A lot of constification, and fix a bug in X509_NAME_oneline() that could
   return a const string when you are expecting an allocated buffer.

   *Ben Laurie*

 * Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
   types DirectoryString and DisplayText.

   *Steve Henson*

 * Add code to allow r2i extensions to access the configuration database,
   add an LHASH database driver and add several ctx helper functions.

   *Steve Henson*

 * Fix an evil bug in bn_expand2() which caused various BN functions to
   fail when they extended the size of a BIGNUM.

   *Steve Henson*

 * Various utility functions to handle SXNet extension. Modify mkdef.pl to
   support typesafe stack.

   *Steve Henson*

 * Fix typo in SSL_[gs]et_options().

   *Nils Frostberg <nils@medcom.se>*

 * Delete various functions and files that belonged to the (now obsolete)
   old X509V3 handling code.

   *Steve Henson*

 * New Configure option "rsaref".

   *Ulf Möller*

 * Don't auto-generate pem.h.

   *Bodo Moeller*

 * Introduce type-safe ASN.1 SETs.

   *Ben Laurie*

 * Convert various additional casted stacks to type-safe STACK_OF() variants.

   *Ben Laurie, Ralf S. Engelschall, Steve Henson*

 * Introduce type-safe STACKs. This will almost certainly break lots of code
   that links with OpenSSL (well at least cause lots of warnings), but fear
   not: the conversion is trivial, and it eliminates loads of evil casts. A
   few STACKed things have been converted already. Feel free to convert more.
   In the fullness of time, I'll do away with the STACK type altogether.

   *Ben Laurie*

 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
   specified in `<certfile>` by updating the entry in the index.txt file.
   This way one no longer has to edit the index.txt file manually for
   revoking a certificate. The -revoke option does the gory details now.

   *Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall*

 * Fix `openssl crl -noout -text` combination where `-noout` killed the
   `-text` option at all and this way the `-noout -text` combination was
   inconsistent in `openssl crl` with the friends in `openssl x509|rsa|dsa`.

   *Ralf S. Engelschall*

 * Make sure a corresponding plain text error message exists for the
   X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
   verify callback function determined that a certificate was revoked.

   *Ralf S. Engelschall*

 * Bugfix: In test/testenc, don't test `openssl <cipher>` for
   ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
   all available ciphers including rc5, which was forgotten until now.
   In order to let the testing shell script know which algorithms
   are available, a new (up to now undocumented) command
   `openssl list-cipher-commands` is used.

   *Bodo Moeller*

 * Bugfix: s_client occasionally would sleep in select() when
   it should have checked SSL_pending() first.

   *Bodo Moeller*

 * New functions DSA_do_sign and DSA_do_verify to provide access to
   the raw DSA values prior to ASN.1 encoding.

   *Ulf Möller*

 * Tweaks to Configure

   *Niels Poppe <niels@netbox.org>*

 * Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
   yet...

   *Steve Henson*

 * New variables $(RANLIB) and $(PERL) in the Makefiles.

   *Ulf Möller*

 * New config option to avoid instructions that are illegal on the 80386.
   The default code is faster, but requires at least a 486.

   *Ulf Möller*

 * Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
   SSL2_SERVER_VERSION (not used at all) macros, which are now the
   same as SSL2_VERSION anyway.

   *Bodo Moeller*

 * New "-showcerts" option for s_client.

   *Bodo Moeller*

 * Still more PKCS#12 integration. Add pkcs12 application to openssl
   application. Various cleanups and fixes.

   *Steve Henson*

 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
   modify error routines to work internally. Add error codes and PBE init
   to library startup routines.

   *Steve Henson*

 * Further PKCS#12 integration. Added password based encryption, PKCS#8 and
   packing functions to asn1 and evp. Changed function names and error
   codes along the way.

   *Steve Henson*

 * PKCS12 integration: and so it begins... First of several patches to
   slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
   objects to objects.h

   *Steve Henson*

 * Add a new 'indent' option to some X509V3 extension code. Initial ASN1
   and display support for Thawte strong extranet extension.

   *Steve Henson*

 * Add LinuxPPC support.

   *Jeff Dubrule <igor@pobox.org>*

 * Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
   bn_div_words in alpha.s.

   *Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie*

 * Make sure the RSA OAEP test is skipped under -DRSAref because
   OAEP isn't supported when OpenSSL is built with RSAref.

   *Ulf Moeller <ulf@fitug.de>*

 * Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
   so they no longer are missing under -DNOPROTO.

   *Soren S. Jorvang <soren@t.dk>*

### Changes between 0.9.1c and 0.9.2b [22 Mar 1999]

 * Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
   doesn't work when the session is reused. Coming soon!

   *Ben Laurie*

 * Fix a security hole, that allows sessions to be reused in the wrong
   context thus bypassing client cert protection! All software that uses
   client certs and session caches in multiple contexts NEEDS PATCHING to
   allow session reuse! A fuller solution is in the works.

   *Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)*

 * Some more source tree cleanups (removed obsolete files
   crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
   permission on "config" script to be executable) and a fix for the INSTALL
   document.

   *Ulf Moeller <ulf@fitug.de>*

 * Remove some legacy and erroneous uses of malloc, free instead of
   Malloc, Free.

   *Lennart Bang <lob@netstream.se>, with minor changes by Steve*

 * Make rsa_oaep_test return non-zero on error.

   *Ulf Moeller <ulf@fitug.de>*

 * Add support for native Solaris shared libraries. Configure
   solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
   if someone would make that last step automatic.

   *Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>*

 * ctx_size was not built with the right compiler during "make links". Fixed.

   *Ben Laurie*

 * Change the meaning of 'ALL' in the cipher list. It now means "everything
   except NULL ciphers". This means the default cipher list will no longer
   enable NULL ciphers. They need to be specifically enabled e.g. with
   the string "DEFAULT:eNULL".

   *Steve Henson*

 * Fix to RSA private encryption routines: if p < q then it would
   occasionally produce an invalid result. This will only happen with
   externally generated keys because OpenSSL (and SSLeay) ensure p > q.

   *Steve Henson*

 * Be less restrictive and allow also `perl util/perlpath.pl
   /path/to/bin/perl` in addition to `perl util/perlpath.pl /path/to/bin`,
   because this way one can also use an interpreter named `perl5` (which is
   usually the name of Perl 5.xxx on platforms where a Perl 4.x is still
   installed as `perl`).

   *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*

 * Let util/clean-depend.pl work also with older Perl 5.00x versions.

   *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*

 * Fix Makefile.org so CC,CFLAG etc are passed to 'make links', add
   advapi32.lib to Win32 build and change the pem test comparison
   to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
   suggestion). Fix misplaced ANSI prototypes and declarations in evp.h
   and crypto/des/ede_cbcm_enc.c.

   *Steve Henson*

 * DES quad checksum was broken on big-endian architectures. Fixed.

   *Ben Laurie*

 * Comment out two functions in bio.h that aren't implemented. Fix up the
   Win32 test batch file so it (might) work again. The Win32 test batch file
   is horrible: I feel ill....

   *Steve Henson*

 * Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
   in e_os.h. Audit of header files to check ANSI and non ANSI
   sections: 10 functions were absent from non ANSI section and not exported
   from Windows DLLs. Fixed up libeay.num for new functions.

   *Steve Henson*

 * Make `openssl version` output lines consistent.

   *Ralf S. Engelschall*

 * Fix Win32 symbol export lists for BIO functions: Added
   BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
   to ms/libeay{16,32}.def.

   *Ralf S. Engelschall*

 * Second round of fixing the OpenSSL perl/ stuff. It now at least compiled
   fine under Unix and passes some trivial tests I've now added. But the
   whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
   added to make sure no one expects that this stuff really works in the
   OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources
   up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
   openssl_bio.xs.

   *Ralf S. Engelschall*

 * Fix the generation of two part addresses in perl.

   *Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie*

 * Add config entry for Linux on MIPS.

   *John Tobey <jtobey@channel1.com>*

 * Make links whenever Configure is run, unless we are on Windoze.

   *Ben Laurie*

 * Permit extensions to be added to CRLs using crl_section in openssl.cnf.
   Currently only issuerAltName and AuthorityKeyIdentifier make any sense
   in CRLs.
20054 20055 *Steve Henson* 20056 20057 * Add a useful kludge to allow package maintainers to specify compiler and 20058 other platforms details on the command line without having to patch the 20059 Configure script every time: One now can use 20060 `perl Configure <id>:<details>`, 20061 i.e. platform ids are allowed to have details appended 20062 to them (separated by colons). This is treated as there would be a static 20063 pre-configured entry in Configure's %table under key `<id>` with value 20064 `<details>` and `perl Configure <id>` is called. So, when you want to 20065 perform a quick test-compile under FreeBSD 3.1 with pgcc and without 20066 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"` 20067 now, which overrides the FreeBSD-elf entry on-the-fly. 20068 20069 *Ralf S. Engelschall* 20070 20071 * Disable new TLS1 ciphersuites by default: they aren't official yet. 20072 20073 *Ben Laurie* 20074 20075 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified 20076 on the `perl Configure ...` command line. This way one can compile 20077 OpenSSL libraries with Position Independent Code (PIC) which is needed 20078 for linking it into DSOs. 20079 20080 *Ralf S. Engelschall* 20081 20082 * Remarkably, export ciphers were totally broken and no-one had noticed! 20083 Fixed. 20084 20085 *Ben Laurie* 20086 20087 * Cleaned up the LICENSE document: The official contact for any license 20088 questions now is the OpenSSL core team under openssl-core@openssl.org. 20089 And add a paragraph about the dual-license situation to make sure people 20090 recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply 20091 to the OpenSSL toolkit. 20092 20093 *Ralf S. Engelschall* 20094 20095 * General source tree makefile cleanups: Made `making xxx in yyy...` 20096 display consistent in the source tree and replaced `/bin/rm` by `rm`. 
20097 Additionally cleaned up the `make links` target: Remove unnecessary 20098 semicolons, subsequent redundant removes, inline point.sh into mklink.sh 20099 to speed processing and no longer clutter the display with confusing 20100 stuff. Instead only the actually done links are displayed. 20101 20102 *Ralf S. Engelschall* 20103 20104 * Permit null encryption ciphersuites, used for authentication only. It used 20105 to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this. 20106 It is now necessary to set SSL_FORBID_ENULL to prevent the use of null 20107 encryption. 20108 20109 *Ben Laurie* 20110 20111 * Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder 20112 signed attributes when verifying signatures (this would break them), 20113 the detached data encoding was wrong and public keys obtained using 20114 X509_get_pubkey() weren't freed. 20115 20116 *Steve Henson* 20117 20118 * Add text documentation for the BUFFER functions. Also added a work around 20119 to a Win95 console bug. This was triggered by the password read stuff: the 20120 last character typed gets carried over to the next fread(). If you were 20121 generating a new cert request using 'req' for example then the last 20122 character of the passphrase would be CR which would then enter the first 20123 field as blank. 20124 20125 *Steve Henson* 20126 20127 * Added the new 'Includes OpenSSL Cryptography Software' button as 20128 doc/openssl_button.{gif,html} which is similar in style to the old SSLeay 20129 button and can be used by applications based on OpenSSL to show the 20130 relationship to the OpenSSL project. 20131 20132 *Ralf S. Engelschall* 20133 20134 * Remove confusing variables in function signatures in files 20135 ssl/ssl_lib.c and ssl/ssl.h. 

   *Lennart Bong <lob@kulthea.stacken.kth.se>*

 * Don't install bss_file.c under PREFIX/include/

   *Lennart Bong <lob@kulthea.stacken.kth.se>*

 * Get the Win32 compile working again. Modify mkdef.pl so it can handle
   functions that return function pointers and has support for NT specific
   stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
   #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
   unsigned to signed types: this was killing the Win32 compile.

   *Steve Henson*

 * Add new certificate file to stack functions,
   SSL_add_dir_cert_subjects_to_stack() and
   SSL_add_file_cert_subjects_to_stack(). These largely supplant
   SSL_load_client_CA_file(), and can be used to add multiple certs easily
   to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
   This means that Apache-SSL and similar packages don't have to mess around
   to add as many CAs as they want to the preferred list.

   *Ben Laurie*

 * Experiment with doxygen documentation. Currently only partially applied to
   ssl/ssl_lib.c.
   See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with
   openssl.doxy as the configuration file.

   *Ben Laurie*

 * Get rid of remaining C++-style comments which strict C compilers hate.

   *Ralf S. Engelschall, pointed out by Carlos Amengual*

 * Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
   compiled in by default: it has problems with large keys.

   *Steve Henson*

 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
   DH private keys and/or callback functions which directly correspond to
   their SSL_CTX_xxx() counterparts but work on a per-connection basis.
   This
   is needed for applications which have to configure certificates on a
   per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
   (e.g. s_server).
   For the RSA certificate situation it makes no difference, but
   for the DSA certificate situation this fixes the "no shared cipher"
   problem where the OpenSSL cipher selection procedure failed because the
   temporary keys were not taken over from the context and the API provided
   no way to reconfigure them.
   The new functions now let applications reconfigure the stuff and they
   are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
   SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
   non-public-API function ssl_cert_instantiate() is used as a helper
   function and also to reduce code redundancy inside ssl_rsa.c.

   *Ralf S. Engelschall*

 * Move s_server -dcert and -dkey options out of the undocumented feature
   area because they are useful for the DSA situation and should be
   recognized by the users.

   *Ralf S. Engelschall*

 * Fix the cipher decision scheme for export ciphers: the export bits are
   *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
   SSL_EXP_MASK. So, the original variable has to be used instead of the
   already masked variable.

   *Richard Levitte <levitte@stacken.kth.se>*

 * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c

   *Richard Levitte <levitte@stacken.kth.se>*

 * Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
   from `int` to `unsigned int` because it is a length and initialized by
   EVP_DigestFinal() which expects an `unsigned int *`.

   *Richard Levitte <levitte@stacken.kth.se>*

 * Don't hard-code path to Perl interpreter on shebang line of Configure
   script.
   Instead use the usual Shell->Perl transition trick.

   *Ralf S. Engelschall*

 * Make `openssl x509 -noout -modulus` functional also for DSA certificates
   (in addition to RSA certificates) to match the behaviour of `openssl dsa
   -noout -modulus` as it's already the case for `openssl rsa -noout
   -modulus`. For RSA the -modulus is the real "modulus" while for DSA
   currently the public key is printed (a decision which was already made by
   `openssl dsa -modulus` in the past) which serves a similar purpose.
   Additionally NO_RSA no longer completely removes the whole -modulus
   option; it now only avoids using the RSA stuff. The same applies to NO_DSA
   now, too.

   *Ralf S. Engelschall*

 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
   BIO. See the source (crypto/evp/bio_ok.c) for more info.

   *Arne Ansper <arne@ats.cyber.ee>*

 * Dump the old yucky req code that tried (and failed) to allow raw OIDs
   to be added. Now both 'req' and 'ca' can use new objects defined in the
   config file.

   *Steve Henson*

 * Add cool BIO that does syslog (or event log on NT).

   *Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie*

 * Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
   TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
   TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
   Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.

   *Ben Laurie*

 * Add preliminary config info for new extension code.

   *Steve Henson*

 * Make RSA_NO_PADDING really use no padding.

   *Ulf Moeller <ulf@fitug.de>*

 * Generate errors when private/public key check is done.

   *Ben Laurie*

 * Overhaul for 'crl' utility. New function X509_CRL_print.
   Partial support
   for some CRL extensions and new objects added.

   *Steve Henson*

 * Really fix the ASN1 IMPLICIT bug this time... Partial support for private
   key usage extension and fuller support for authority key id.

   *Steve Henson*

 * Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
   padding method for RSA, which is recommended for new applications in PKCS
   #1 v2.0 (RFC 2437, October 1998).
   OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
   foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
   against Bleichenbacher's attack on RSA.

   *Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
   Ben Laurie*

 * Updates to the new SSL compression code

   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Fix so that the version number in the master secret, when passed
   via RSA, checks that if TLS was proposed, but we roll back to SSLv3
   (because the server will not accept higher), that the version number
   is 0x03,0x01, not 0x03,0x00

   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory
   leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes
   in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`.

   *Steve Henson*

 * Support for RAW extensions where an arbitrary extension can be
   created by including its DER encoding. See `apps/openssl.cnf` for
   an example.

   *Steve Henson*

 * Make sure latest Perl versions don't interpret some generated C array
   code as Perl array code in the crypto/err/err_genc.pl script.

   *Lars Weber <3weber@informatik.uni-hamburg.de>*

 * Modify ms/do_ms.bat to not generate assembly language makefiles since
   not many people have the assembler. Various Win32 compilation fixes and
   update to the INSTALL.W32 file with (hopefully) more accurate Win32
   build instructions.

   *Steve Henson*

 * Modify configure script 'Configure' to automatically create crypto/date.h
   file under Win32 and also build pem.h from pem.org. New script
   util/mkfiles.pl to create the MINFO file on environments that can't do a
   'make files': perl util/mkfiles.pl >MINFO should work.

   *Steve Henson*

 * Major rework of DES function declarations, in the pursuit of correctness
   and purity. As a result, many evil casts evaporated, and some weirdness,
   too. You may find this causes warnings in your code. Zapping your evil
   casts will probably fix them. Mostly.

   *Ben Laurie*

 * Fix for a typo in asn1.h. Bug fix to object creation script
   obj_dat.pl. It considered a zero in an object definition to mean
   "end of object": none of the objects in objects.h have any zeros
   so it wasn't spotted.

   *Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>*

 * Add support for Triple DES Cipher Block Chaining with Output Feedback
   Masking (CBCM). In the absence of test vectors, the best I have been able
   to do is check that the decrypt undoes the encrypt, so far. Send me test
   vectors if you have them.

   *Ben Laurie*

 * Correct calculation of key length for export ciphers (too much space was
   allocated for null ciphers). This has not been tested!

   *Ben Laurie*

 * Modifications to the mkdef.pl for Win32 DEF file creation. The usage
   message is now correct (it understands "crypto" and "ssl" on its
   command line). There is also now an "update" option.
   This will update
   the util/ssleay.num and util/libeay.num files with any new functions.
   If you do a:

       perl util/mkdef.pl crypto ssl update

   it will update them.

   *Steve Henson*

 * Overhauled the Perl interface:
   - ported BN stuff to OpenSSL's different BN library
   - made the perl/ source tree CVS-aware
   - renamed the package from SSLeay to OpenSSL (the files still contain
     their history because I've copied them in the repository)
   - removed obsolete files (the test scripts will be replaced
     by better Test::Harness variants in the future)

   *Ralf S. Engelschall*

 * First cut for a very conservative source tree cleanup:
   1. merge various obsolete readme texts into doc/ssleay.txt
      where we collect the old documents and readme texts.
   2. remove the first part of files where I'm already sure that we no
      longer need them because of three reasons: either they are just temporary
      files which were left by Eric or they are preserved original files where
      I've verified that the diff is also available in the CVS via "cvs diff
      -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
      the crypto/md/ stuff).

   *Ralf S. Engelschall*

 * More extension code. Incomplete support for subject and issuer alt
   name, issuer and authority key id. Change the i2v function parameters
   and add an extra 'crl' parameter in the X509V3_CTX structure: guess
   what that's for :-) Fix to ASN1 macro which messed up
   IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.

   *Steve Henson*

 * Preliminary support for ENUMERATED type. This is largely copied from the
   INTEGER code.

   *Steve Henson*

 * Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.

   *Eric A.
   Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Make sure `make rehash` target really finds the `openssl` program.

   *Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*

 * Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
   like to hear about it if this slows down other processors.

   *Ben Laurie*

 * Add CygWin32 platform information to Configure script.

   *Alan Batie <batie@aahz.jf.intel.com>*

 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`

   *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*

 * New program nseq to manipulate netscape certificate sequences

   *Steve Henson*

 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
   few typos.

   *Steve Henson*

 * Fixes to BN code. Previously the default was to define BN_RECURSION
   but the BN code had some problems that would cause failures when
   doing certificate verification and some other functions.

   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

 * Add ASN1 and PEM code to support netscape certificate sequences.

   *Steve Henson*

 * Add several PKIX and private extended key usage OIDs.

   *Steve Henson*

 * Modify the 'ca' program to handle the new extension code. Modify
   openssl.cnf for new extension format, add comments.

   *Steve Henson*

 * More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
   and add a sample to openssl.cnf so req -x509 now adds appropriate
   CA extensions.

   *Steve Henson*

 * Continued X509 V3 changes. Add to other makefiles, integrate with the
   error code, add initial support to X509_print() and x509 application.

   *Steve Henson*

 * Take a deep breath and start adding X509 V3 extension support code. Add
   files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
   stuff is currently isolated and isn't even compiled yet.

   *Steve Henson*

 * Continuing patches for GeneralizedTime. Fix up certificate and CRL
   ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
   Removed the version check from X509 routines when loading extensions:
   this allows certain broken certificates that don't set the version
   properly to be processed.

   *Steve Henson*

 * Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
   Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
   can still be regenerated with "make depend".

   *Ben Laurie*

 * Spelling mistake in C version of CAST-128.

   *Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>*

 * Changes to the error generation code. The perl script err-code.pl
   now reads in the old error codes and retains the old numbers, only
   adding new ones if necessary. It also only changes the .err files if new
   codes are added. The makefiles have been modified to only insert errors
   when needed (to avoid needlessly modifying header files). This is done
   by only inserting errors if the .err file is newer than the auto generated
   C file. To rebuild all the error codes from scratch (the old behaviour)
   either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
   or delete all the .err files.

   *Steve Henson*

 * CAST-128 was incorrectly implemented for short keys. The C version has
   been fixed, but is untested. The assembler versions are also fixed, but
   new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
   to regenerate it if needed.

   *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
   Hagino <itojun@kame.net>*

 * File was opened incorrectly in randfile.c.

   *Ulf Möller <ulf@fitug.de>*

 * Beginning of support for GeneralizedTime. d2i, i2d, check and print
   functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
   GeneralizedTime. ASN1_TIME is the proper type used in certificates et
   al: it's just almost always a UTCTime. Note this patch adds new error
   codes so do a "make errors" if there are problems.

   *Steve Henson*

 * Correct Linux 1 recognition in config.

   *Ulf Möller <ulf@fitug.de>*

 * Remove pointless MD5 hash when using DSA keys in ca.

   *Anonymous <nobody@replay.com>*

 * Generate an error if given an empty string as a cert directory. Also
   generate an error if handed NULL (previously returned 0 to indicate an
   error, but didn't set one).

   *Ben Laurie, reported by Anonymous <nobody@replay.com>*

 * Add prototypes to SSL methods. Make SSL_write's buffer const, at last.

   *Ben Laurie*

 * Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
   parameters. This was causing a warning which killed off the Win32 compile.

   *Steve Henson*

 * Remove C++ style comments from crypto/bn/bn_local.h.

   *Neil Costigan <neil.costigan@celocom.com>*

 * The function OBJ_txt2nid was broken. It was supposed to return a nid
   based on a text string, looking up short and long names and finally
   "dot" format. The "dot" format stuff didn't work. Added new function
   OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
   OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
   OID is not part of the table.

   *Steve Henson*

 * Add prototypes to X509 lookup/verify methods, fixing a bug in
   X509_LOOKUP_by_alias().

   *Ben Laurie*

 * Sort openssl functions by name.

   *Ben Laurie*

 * Get the `gendsa` command working and add it to the `list` command. Remove
   encryption from sample DSA keys (in case anyone is interested the password
   was "1234").

   *Steve Henson*

 * Make *all* `*_free` functions accept a NULL pointer.

   *Frans Heymans <fheymans@isaserver.be>*

 * If a DH key is generated in s3_srvr.c, don't blow it by trying to use
   NULL pointers.

   *Anonymous <nobody@replay.com>*

 * s_server should send the CAfile as acceptable CAs, not its own cert.

   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*

 * Don't blow it for numeric `-newkey` arguments to `apps/req`.

   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*

 * Temp key "for export" tests were wrong in s3_srvr.c.

   *Anonymous <nobody@replay.com>*

 * Add prototype for temp key callback functions
   SSL_CTX_set_tmp_{rsa,dh}_callback().

   *Ben Laurie*

 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
   DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().

   *Steve Henson*

 * X509_name_add_entry() freed the wrong thing after an error.

   *Arne Ansper <arne@ats.cyber.ee>*

 * rsa_eay.c would attempt to free a NULL context.

   *Arne Ansper <arne@ats.cyber.ee>*

 * BIO_s_socket() had a broken should_retry() on Windoze.

   *Arne Ansper <arne@ats.cyber.ee>*

 * BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.

   *Arne Ansper <arne@ats.cyber.ee>*

 * Make sure the already existing X509_STORE->depth variable is initialized
   in X509_STORE_new(), but document the fact that this variable is still
   unused in the certificate verification process.

   *Ralf S. Engelschall*

 * Fix the various library and `apps/` files to free up pkeys obtained from
   X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.

   *Steve Henson*

 * Fix reference counting in X509_PUBKEY_get(). This makes
   demos/maurice/example2.c work, amongst others, probably.

   *Steve Henson and Ben Laurie*

 * First cut of a cleanup for `apps/`. First the `ssleay` program is now named
   `openssl` and second, the shortcut symlinks for the `openssl <command>`
   are no longer created. This way we have a single and consistent command
   line interface `openssl <command>`, similar to `cvs <command>`.

   *Ralf S. Engelschall, Paul Sutton and Ben Laurie*

 * ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
   BIT STRING wrapper always have zero unused bits.

   *Steve Henson*

 * Add CA.pl, perl version of CA.sh, add extended key usage OID.

   *Steve Henson*

 * Make the top-level INSTALL documentation easier to understand.

   *Paul Sutton*

 * Makefiles updated to exit if an error occurs in a sub-directory
   make (including if user presses ^C)

   *Paul Sutton*

 * Make Montgomery context stuff explicit in RSA data structure.

   *Ben Laurie*

 * Fix build order of pem and err to allow for generated pem.h.

   *Ben Laurie*

 * Fix renumbering bug in X509_NAME_delete_entry().

   *Ben Laurie*

 * Enhanced the err-ins.pl script so it makes the error library number
   global and can add a library name.
   This is needed for external ASN1 and
   other error libraries.

   *Steve Henson*

 * Fixed sk_insert which never worked properly.

   *Steve Henson*

 * Fix ASN1 macros so they can handle indefinite length constructed
   EXPLICIT tags. Some non standard certificates use these: they can now
   be read in.

   *Steve Henson*

 * Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
   into a single doc/ssleay.txt bundle. This way the information is still
   preserved but no longer messes up this directory. Now there's room for
   the new set of documentation files.

   *Ralf S. Engelschall*

 * SETs were incorrectly DER encoded. This was a major pain, because they
   shared code with SEQUENCEs, which aren't coded the same. This means that
   almost everything to do with SETs or SEQUENCEs has either changed name or
   number of arguments.

   *Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>*

 * Fix test data to work with the above.

   *Ben Laurie*

 * Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
   was already fixed by Eric for 0.9.1 it seems.

   *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*

 * Autodetect FreeBSD3.

   *Ben Laurie*

 * Fix various bugs in Configure. This affects the following platforms:

       nextstep
       ncr-scde
       unixware-2.0
       unixware-2.0-pentium
       sco5-cc

   *Ben Laurie*

 * Eliminate generated files from CVS. Reorder tests to regenerate files
   before they are needed.

   *Ben Laurie*

 * Generate Makefile.ssl from Makefile.org (to keep CVS happy).

   *Ben Laurie*

### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]

 * Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
   changed SSLeay to OpenSSL in version strings.

   *Ralf S. Engelschall*

 * Some fixups to the top-level documents.

   *Paul Sutton*

 * Fixed the nasty bug where rsaref.h was not found under compile-time
   because the symlink to include/ was missing.

   *Ralf S. Engelschall*

 * Incorporated the popular no-RSA/DSA-only patches
   which allow compiling an RSA-free SSLeay.

   *Andrew Cooke / Interrader Ltd., Ralf S. Engelschall*

 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
   when "ssleay" is still not found.

   *Ralf S. Engelschall*

 * Added more platforms to Configure: Cray T3E, HPUX 11.

   *Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>*

 * Updated the README file.

   *Ralf S. Engelschall*

 * Added various .cvsignore files in the CVS repository subdirs
   to make a "cvs update" really silent.

   *Ralf S. Engelschall*

 * Recompiled the error-definition header files and added
   missing symbols to the Win32 linker tables.

   *Ralf S. Engelschall*

 * Cleaned up the top-level documents:
   o new files: CHANGES and LICENSE
   o merged VERSION, HISTORY* and README* files into a CHANGES.SSLeay
   o merged COPYRIGHT into LICENSE
   o removed obsolete TODO file
   o renamed MICROSOFT to INSTALL.W32

   *Ralf S.
   Engelschall*

 * Removed dummy files from the 0.9.1b source tree:
   crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
   crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
   crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
   crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
   util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f

   *Ralf S. Engelschall*

 * Added various platform portability fixes.

   *Mark J. Cox*

 * The Genesis of the OpenSSL project:
   We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
   Young and Tim J. Hudson created while they were working for C2Net until
   summer 1998.

   *The OpenSSL Project*

### Changes between 0.9.0b and 0.9.1b [not released]

 * Updated a few CA certificates under certs/

   *Eric A. Young*

 * Changed some BIGNUM api stuff.

   *Eric A. Young*

 * Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
   DGUX x86, Linux Alpha, etc.

   *Eric A. Young*

 * New COMP library [crypto/comp/] for SSL Record Layer Compression:
   RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
   available).

   *Eric A. Young*

 * Add -strparse option to asn1pars program which parses nested
   binary structures

   *Dr Stephen Henson <shenson@bigfoot.com>*

 * Added "oid_file" to ssleay.cnf for "ca" and "req" programs.

   *Eric A. Young*

 * DSA fix for "ca" program.

   *Eric A. Young*

 * Added "-genkey" option to "dsaparam" program.

   *Eric A. Young*

 * Added RIPE MD160 (rmd160) message digest.

   *Eric A. Young*

 * Added -a (all) option to "ssleay version" command.

   *Eric A.
   Young*

 * Added PLATFORM define which is the id given to Configure.

   *Eric A. Young*

 * Added MemCheck_XXXX functions to crypto/mem.c for memory checking.

   *Eric A. Young*

 * Extended the ASN.1 parser routines.

   *Eric A. Young*

 * Extended BIO routines to support REUSEADDR, seek, tell, etc.

   *Eric A. Young*

 * Added a BN_CTX to the BN library.

   *Eric A. Young*

 * Fixed the weak key values in DES library

   *Eric A. Young*

 * Changed API in EVP library for cipher aliases.

   *Eric A. Young*

 * Added support for RC2/64bit cipher.

   *Eric A. Young*

 * Converted the lhash library to the crypto/mem.c functions.

   *Eric A. Young*

 * Added more recognized ASN.1 object ids.

   *Eric A. Young*

 * Added more RSA padding checks for SSL/TLS.

   *Eric A. Young*

 * Added BIO proxy/filter functionality.

   *Eric A. Young*

 * Added extra_certs to SSL_CTX which can be used to
   send extra CA certificates to the client in the CA cert chain sending
   process. It can be configured with SSL_CTX_add_extra_chain_cert().

   *Eric A. Young*

 * Now Fortezza is denied in the authentication phase because
   this key exchange mechanism is not supported by SSLeay at all.

   *Eric A. Young*

 * Additional PKCS1 checks.

   *Eric A. Young*

 * Support the string "TLSv1" for all TLS v1 ciphers.

   *Eric A. Young*

 * Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
   ex_data index of the SSL context in the X509_STORE_CTX ex_data.

   *Eric A. Young*

 * Fixed a few memory leaks.

   *Eric A. Young*

 * Fixed various code and comment typos.

   *Eric A.
   Young*

 * A minor bug in ssl/s3_clnt.c where there would always be 4 zero
   bytes sent in the client random.

   *Edward Bishop <ebishop@spyglass.com>*

<!-- Links -->

[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
[CVE-2023-0464]:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
[CVE-2018-0737]:
https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737 20981[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735 20982[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734 20983[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733 20984[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732 20985[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738 20986[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737 20987[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736 20988[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735 20989[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733 20990[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732 20991[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731 20992[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730 20993[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055 20994[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054 20995[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053 20996[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052 20997[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309 20998[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308 20999[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307 21000[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306 21001[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305 21002[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304 21003[CVE-2016-6303]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303 21004[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302 21005[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183 21006[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182 21007[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181 21008[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180 21009[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179 21010[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178 21011[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177 21012[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176 21013[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109 21014[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107 21015[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106 21016[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105 21017[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800 21018[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799 21019[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798 21020[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797 21021[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705 21022[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702 21023[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701 21024[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197 21025[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196 21026[CVE-2015-3195]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195 21027[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194 21028[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193 21029[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793 21030[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792 21031[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791 21032[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790 21033[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789 21034[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788 21035[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787 21036[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293 21037[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291 21038[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290 21039[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289 21040[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288 21041[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287 21042[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286 21043[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285 21044[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209 21045[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208 21046[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207 21047[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206 21048[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205 21049[CVE-2015-0204]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204 21050[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275 21051[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139 21052[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572 21053[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571 21054[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570 21055[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569 21056[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568 21057[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567 21058[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566 21059[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513 21060[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512 21061[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511 21062[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510 21063[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509 21064[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508 21065[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507 21066[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506 21067[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505 21068[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470 21069[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224 21070[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221 21071[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195 21072[CVE-2014-0160]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160 21073[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076 21074[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450 21075[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353 21076[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169 21077[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166 21078[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686 21079[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333 21080[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110 21081[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884 21082[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050 21083[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027 21084[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619 21085[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577 21086[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576 21087[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109 21088[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108 21089[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210 21090[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207 21091[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014 21092[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252 21093[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180 21094[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864 21095[CVE-2010-1633]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633 21096[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740 21097[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433 21098[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355 21099[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555 21100[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245 21101[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386 21102[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379 21103[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378 21104[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377 21105[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789 21106[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591 21107[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590 21108[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077 21109[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678 21110[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672 21111[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891 21112[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135 21113[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995 21114[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343 21115[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339 21116[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738 21117[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940 21118[CVE-2006-2937]: 
https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937 21119[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969 21120[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112 21121[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079 21122[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851 21123[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545 21124[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544 21125[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543 21126[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078 21127[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659 21128[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657 21129[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656 21130[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655 21131[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program 21132[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations 21133
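An added check, not OpenSSL code, that locates the 32-byte client random in a TLS ClientHello record and counts its leading zero bytes, the symptom the entry above describes; the record builder and both sample messages are constructed here for illustration.

```python
import struct
from typing import Optional

def build_client_hello(random32: bytes) -> bytes:
    """Constructed minimal TLS handshake record carrying a ClientHello.

    Layout: record header (5 bytes), handshake header (4 bytes),
    client_version (2 bytes), random (32 bytes), empty session id (1 byte).
    Only enough of the message is built to reach the client random.
    """
    assert len(random32) == 32
    body = b"\x03\x03" + random32 + b"\x00"           # version, random, session id len 0
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # content type 22 = handshake

def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte client random, or None if the record is not a ClientHello."""
    if len(record) < 5 + 4 + 2 + 32:
        return None
    content_type = record[0]
    rec_len = struct.unpack("!H", record[3:5])[0]
    if content_type != 0x16 or rec_len + 5 > len(record):
        return None
    if record[5] != 0x01:                               # handshake type must be client_hello
        return None
    return record[11:43]                                # 5 + 4 + 2 = 11 bytes of headers

def leading_zero_bytes(random32: bytes) -> int:
    """Count leading 0x00 bytes; the buggy client in the entry above always sent 4."""
    n = 0
    for b in random32:
        if b != 0:
            break
        n += 1
    return n

if __name__ == "__main__":
    # Constructed sample: a random whose first 4 bytes are zero, as the bug produced.
    buggy = build_client_hello(b"\x00" * 4 + bytes(range(1, 29)))
    print("leading zero bytes:", leading_zero_bytes(extract_client_random(buggy)))
```

A client random with a fixed zero prefix is a usable fingerprint of the affected build and a sign that those 4 bytes contribute nothing to the nonce.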