Lines Matching +full:0169 +full:a

4 This is a high-level summary of the most important changes.
5 For a full list of changes, see the [git commit log][log] and
24 For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries
25 listed here are only a brief description.
48 supported client protocols buffer may cause a crash or memory contents
65 The first scenario occurs where a record header has been received
68 even though a record has only been partially processed and the buffer
71 The second scenario occurs where a full record containing application
73 only read part of this data. Again a call to SSL_free_buffers will
84 EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
86 have been obtained from an untrusted source this may lead to a Denial of
90 will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
108 would lead to a Denial of Service
115 manner. A malicious client could deliberately create the scenario for this
116 failure to force a Denial of Service. It may also happen by accident in
131 * A file in PKCS12 format can contain certificates and keys and may come from
133 NULL, but OpenSSL did not correctly check for this case. A fix has been
134 applied to prevent a NULL pointer dereference that results in OpenSSL
143 We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
152 a computation is done to confirm that the RSA modulus, n, is composite.
153 For valid RSA keys, n is a product of two or more large primes and this
155 then this computation would take a long time.
158 obtained from an untrusted source could be vulnerable to a Denial of Service
192 incorrect result of some application dependent calculations or a crash
193 leading to a denial of service.
207 an untrusted source this may lead to a Denial of Service.
239 dependent calculations or a crash leading to a denial of service.
250 fixing CVE-2023-3446 it was discovered that a large q parameter value can
252 A correct q value, if present, cannot be larger than the modulus p
268 Trying to use a very large modulus is slow and OpenSSL will not normally use
269 a modulus which is over 10,000 bits in length.
275 A new limit has been added to DH_check of 32,768 bits. Supplying a
276 key/parameters with a modulus over this size will simply cause DH_check() to
309 numeric text form. For gigantic sub-identifiers, this would take a very
331 trigger a crash of an application using AES-XTS decryption if the memory
340 a severe 2-3x performance regression in the typical use case
358 for that certificate. A malicious CA could use this to deliberately assert
365 * Limited the number of nodes created in a policy tree to mitigate
369 time define to a desired maximum number of nodes or zero to allow
379 A NULL pointer can be dereferenced when signatures are being
383 initialization will fail. There is a missing check for the return
385 usage of the digest API most likely leading to a crash.
398 There is a type confusion vulnerability relating to X.400 address processing
407 pass arbitrary pointers to a memcmp call, enabling them to read memory
408 contents or enact a denial of service.
416 application tries to check a malformed DSA public key by the
420 to cause a denial of service attack.
436 lead to a denial of service attack. The TLS implementation in OpenSSL
445 The public API function BIO_new_NDEF is a helper function used for
446 streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
450 The function receives a BIO from the caller, prepends a new BIO_f_asn1
451 filter BIO onto the front of it to form a BIO chain, and then returns
453 for example if a CMS recipient public key is invalid, the new filter BIO
454 is freed and the function returns a NULL result indicating a failure.
458 then a use-after-free will occur. This will most likely result in a crash.
465 The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
470 possible to construct a PEM file that results in 0 bytes of payload data.
471 In this case PEM_read_bio_ex() will return a failure code but will populate
472 the header argument with a pointer to a buffer that has already been freed.
473 If the caller also frees this buffer then a double free will occur. This
474 will most likely lead to a crash.
479 These functions are also called indirectly by a number of other OpenSSL
483 not free the header argument if PEM_read_bio_ex() returns a failure code.
490 A timing based side channel exists in the OpenSSL RSA Decryption
491 implementation which could be sufficient to recover a plaintext across
492 a network in a Bleichenbacher style attack. To achieve a successful
493 decryption an attacker would have to be able to send a very large number
502 A read buffer overrun can be triggered in X.509 certificate verification,
504 result in a crash which could lead to a denial of service attack.
505 In a TLS client, this can be triggered by connecting to a malicious
506 server. In a TLS server, this can be triggered if the server requests
507 client authentication and a malicious client connects.
514 If an X.509 certificate contains a malformed policy constraint and
515 policy processing is enabled, then a write lock will be taken twice
517 results in a denial of service when the affected process hangs. Policy
518 processing being enabled on a publicly facing server is not considered
519 to be a common setup.
533 `EC_KEY` object being exported to a provider, when this function is
542 A buffer overrun can be triggered in X.509 certificate verification,
544 certificate chain signature verification and requires either a CA to
546 certificate verification despite failure to construct a path to a trusted
549 In a TLS client, this can be triggered by connecting to a malicious
550 server. In a TLS server, this can be triggered if the server requests
551 client authentication and a malicious client connects.
553 An attacker can craft a malicious email address to overflow
555 on the stack. This buffer overflow could result in a crash (causing a
559 An attacker can craft a malicious email address to overflow four
561 result in a crash (causing a denial of service) or potentially remote code
577 * Fixed a regression introduced in 3.0.6 version raising errors on some stack
582 * Fixed a regression introduced in 3.0.6 version not refreshing the certificate
598 * OpenSSL supports creating a custom cipher via the legacy
609 EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a
615 loaded (or if a third party provider has been loaded that offers this
620 EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
638 * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a
643 * Correctly handle a retransmitted ClientHello in DTLS
667 shared secret without any increase of the real security. This fixes a
690 * Added a missing header for memcmp that caused compilation failure on some
697 * The OpenSSL 3.0.4 release introduced a serious bug in the RSA
701 the computation. As a consequence of the memory corruption an attacker
702 may be able to trigger a remote code execution on the machine performing
733 being hashed were possibly passed to a command executed through the shell.
735 This script is distributed by some operating systems in a manner where
759 * Fixed a bug in the c_rehash script which was not properly sanitising shell
761 some operating systems in a manner where it is automatically executed. On
771 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
773 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
774 response (meaning a successful verification) even in the case where the
779 a negative value (indicating a fatal error) in the case of a certificate
793 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
796 An attacker could exploit this issue by performing a man-in-the-middle attack
800 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
803 the client to the server first. Therefore, in such a case, only an OpenSSL
804 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
811 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
835 5) A version of SSL/TLS below TLSv1.3 must have been negotiated
843 * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
846 This function is used when decoding certificates or keys. If a long lived
849 system causing a denial of service. Also traversing the empty hash table
867 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
872 parameters with a base point encoded in compressed form.
874 It is possible to trigger the infinite loop by crafting a certificate that
879 be subject to a denial of service attack. The infinite loop can also be
925 verify a certificate supplied by a server. That function may return a
927 memory). Such a negative return value is mishandled by OpenSSL and will cause
929 success and a subsequent call to SSL_get_error() to return the value
934 totally unexpected and applications may not behave correctly as a result. The
938 This issue is made more serious in combination with a separate bug in OpenSSL
940 processing a certificate chain. This will occur where a certificate does not
941 include the Subject Alternative Name extension but where a Certificate
948 * Corrected a few file name and file reference bugs in the build,
991 as a fallback if that is still allowed by the property query.
1009 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
1020 beginning of a PEM-formatted file.
1042 instead to retrieve these algorithms from a provider.
1067 * Add a configurable flag to output date formats as ISO 8601. Does not
1079 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
1093 deprecated. They will be made opaque in a future release.
1108 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
1123 * Added enhanced PKCS#12 APIs which accept a library context.
1153 * A public key check is now performed during EVP_PKEY_derive_set_peer().
1190 This allows piping or redirection of a file BIO using stdin to be buffered
1224 * The deprecated function EVP_PKEY_get0() now returns NULL being called for a
1237 * A number of functions handling low-level keys or engines were deprecated
1275 * Add a compile time option to prevent the caching of provider fetched
1281 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
1323 * While a callback function set via `SSL_CTX_set_cert_verify_callback()`
1324 is not allowed to return a value > 1, this is no more taken as failure.
1366 switches: a validation failure triggers an early exit, returning a failure
1423 was incorrectly passing a DH object. It now passes an EVP_PKEY in all cases.
1470 SSL_CTX instances that are created for a fixed protocol version (e.g.
1485 given code is a system error (true) or an OpenSSL error (false).
1500 now only a mere wrapper. All documentation is changed to only mention
1505 * Added a library context `OSSL_LIB_CTX` that applications as well as
1506 other libraries can use to form a separate context within which
1512 a non-default `OSSL_LIB_CTX`.
1584 arrays to be more easily constructed via a series of utility functions.
1585 Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
1586 the various push functions and finally convert to a passable OSSL_PARAM
1597 contain a provider side internal key.
1605 * Project text documents not yet having a proper file name extension
1614 remain well readable inside a plain text editor.
1616 To achieve this goal, a 'minimalistic' Markdown style has been applied
1635 A new directory test-runs/ with subdirectories named like the
1656 * Added `util/check-format.pl`, a tool for checking adherence to the
1717 a new formulation to include all the things it can be used for,
1734 documented all reported missing options, added a CI build to check
1767 <openssl/macros.h>. A short header include/openssl/opensslconf.h
1789 3-prime RSA1536, and DSA1024 as a result of this defect would be very
1808 * Introduced a new method type and API, OSSL_ENCODER, to represent
1816 * Introduced a new method type and API, OSSL_DECODER, to represent
1824 * Added a .pragma directive to the syntax of configuration files, to
1825 allow varying behavior in a supported and predictable manner.
1830 This allows dollar signs to be a keyword character unless it's
1831 followed by an opening brace or parenthesis. This is useful for
1842 mean that this is a desired API compatibility level with no
1886 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
1892 for methods from providers. This takes an algorithm name and a
1923 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
1970 There is a subjectKeyIdentifier extension with a hash value of the public key
1972 with a keyIdentifier field or issuer information identifying the signing key.
1983 * If a pathlenConstraint is given the key usage keyCertSign must be allowed.
1987 * If a subjectAlternativeName extension is given it must not be empty.
2003 used even when parsing explicit parameters, when loading an encoded key
2008 By default, if a key encoded with explicit parameters is loaded and later
2010 internally a "named" EC_GROUP is used for computation.
2022 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
2029 As a work around for this potential attack the length of the decrypted
2041 a system global shared memory segment. The shared memory identifier
2058 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2068 `OPENSSL_init_crypto()` to suppress automatic loading of a config file.
2073 where the former acts as a replacement for `ERR_put_error()`, and the
2075 `ERR_raise_data()` adds more flexibility by taking a format string and
2081 * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used
2082 to check if a named provider is loaded and available. When called, it
2087 * Enforce a minimum DH modulus size of 512 bits.
2107 * A new type, EVP_KEYEXCH, has been introduced to represent key exchange
2108 algorithms. An implementation of a key exchange algorithm can be obtained
2110 used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
2116 * The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
2138 was a void type. If a key was set longer than the maximum possible this
2155 * Default cipher lists/suites are now available via a function, the
2193 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
2198 * Added newline escaping functionality to a filename when using openssl dgst.
2205 little usage and doesn't seem to fulfill a valuable purpose.
2215 * Added a new generic trace API which provides support for enabling
2222 the public header files can be usefully included in a C++ application.
2251 a new dedicated field_inv() pointer in EC_METHOD.
2252 This also addresses a leakage affecting conversions from projective
2265 * Build devcrypto engine as a dynamic engine.
2273 * Fix a bug in the computation of the endpoint-pair shared secret used
2275 of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
2280 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
2293 * Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
2310 * Remove the 'dist' target and add a tarball building script. The
2312 necessary to configure just to create a source distribution.
2316 * Recreate the OS390-Unix config target. It no longer relies on a
2322 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
2336 implementations. This includes a generic EVP_PKEY to EVP_MAC bridge,
2400 * Added a new concept for OpenSSL plugability: providers. This
2406 With this concept comes a new core API for interaction between
2422 * Avoid loading of a dynamic engine twice.
2445 can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
2446 again, but this time passing a non-NULL value for the "out" parameter.
2448 A bug in the implementation of the SM2 decryption code means that the
2451 size required by the second call. This can lead to a buffer overflow
2452 when EVP_PKEY_decrypt() is called by the application a second time with
2453 a buffer that is too small.
2455 A malicious attacker who is able to present SM2 content for decryption to
2457 by up to a maximum of 62 bytes altering the contents of other data held
2468 structure which contains a buffer holding the string data and a field
2470 are represented as a buffer for the string data which is terminated
2471 with a NUL (0) byte.
2473 Although not a strict requirement, ASN.1 strings that are parsed using
2490 the "data" field, then a read buffer overrun can occur.
2493 of certificates (for example if a certificate has been directly
2499 If a malicious actor can cause an application to directly construct an
2501 functions then this issue could be hit. This might result in a crash
2502 (causing a Denial of Service attack). It could also result in the
2511 * Fixed a problem with verifying a certificate chain when using the
2513 the certificates present in a certificate chain. It is not set by default.
2515 Starting from OpenSSL version 1.1.1h a check to disallow certificates in
2519 An error in the implementation of this check meant that the result of a
2524 If a "purpose" has been configured then there is a subsequent opportunity
2525 for checks that the certificate is a valid CA. All of the named "purpose"
2527 a purpose is set the certificate chain will still be rejected even when the
2528 strict flag has been used. A purpose is set by default in libssl client and
2533 X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
2540 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
2541 crafted renegotiation ClientHello message from a client. If a TLSv1.2
2543 was present in the initial ClientHello), but includes a
2544 signature_algorithms_cert extension then a NULL pointer dereference will
2545 result, leading to a crash and a denial of service attack.
2547 A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
2557 create a unique hash value based on the issuer and serial number data
2561 result in a NULL pointer deref and a crash leading to a potential denial of
2568 padding mode to correctly check for rollback attacks. This is considered a
2586 could be exploited in a side channel attack to recover the password. Since
2600 to a possible denial of service attack. OpenSSL itself uses the
2602 1) Comparing CRL distribution point names between an available CRL and a
2604 2) When verifying that a timestamp response token signer matches the
2626 SSL_CTX instances that are created for a fixed protocol version (e.g.
2645 during or after a TLS 1.3 handshake may crash due to a NULL pointer
2646 dereference as a result of incorrect handling of the
2649 be exploited by a malicious peer in a Denial of Service attack.
2690 therefore give a hint as to what went wrong.
2711 that the C++ compiler doesn't understand. This is a shortcoming in the
2722 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
2727 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
2734 * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
2736 event of a fork() system call in order to ensure that the parent and child
2740 A partial mitigation for this issue is that the output from a high
2741 precision timer is mixed into the RNG state so the likelihood of a parent
2751 used even when parsing explicit parameters, when loading an encoded key
2756 By default, if a key encoded with explicit parameters is loaded and later
2758 internally a "named" EC_GROUP is used for computation.
2770 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
2777 As a work around for this potential attack the length of the decrypted
2790 a system global shared memory segment. The shared memory identifier
2797 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2806 Mingw isn't a POSIX environment per se, which means that Windows
2825 The DEVRANDOM_WAIT feature added a select() call to wait for the
2832 resp. the platform maintainer to ensure a proper initialization
2841 the public header files can be usefully included in a C++ application.
2884 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2886 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
2888 bytes. However it also incorrectly allows a nonce to be set of up to 16
2892 It is a requirement of using this cipher that nonce values are
2893 unique. Messages encrypted using a reused nonce value are susceptible to
2895 the default nonce length to be longer than 12 bytes and then makes a
2896 change to the leading bytes of the nonce expecting the new value to be a
2898 messages with a reused nonce.
2900 Additionally the ignored bytes in a long nonce are not covered by the
2902 integrity of these ignored leading bytes of a long nonce may be further
2904 is safe because no such use sets such a long nonce value. However user
2905 applications that use this cipher directly and set a non-default nonce
2928 ### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
2930 * Change the info callback signals for the start and end of a post-handshake
2931 message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
2933 confused by this and assume that a TLSv1.2 renegotiation has started. This
2935 of a post handshake message exchange (although the messages themselves are
2942 ### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
2946 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
2957 The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
2967 if its length exceeds 4096 bytes. The limit has been raised to a buffer size
2971 categorized as a normal bug, not a security issue, because the DRBG reseeds
2977 * Add a new ClientHello callback. Provides a callback interface that gives
2996 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
2997 parameter is no longer accepted, as it leads to a corrupt table. NULL
3002 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
3005 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
3025 moving between systems, and to avoid confusion when a Windows build is
3026 done with mingw vs with MSVC. For POSIX installs, there's still a
3036 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
3043 * Add a scaffold to optionally enhance the Montgomery ladder implementation
3053 This allows such sources to operate in a chroot() jail without
3084 coordinate blinding for generic prime curves as a countermeasure to
3096 a sign, verify or verifyrecover operation.
3112 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
3133 defenses: ec_wNAF_mul redirects to a constant time implementation
3170 * Added a new API for TLSv1.3 ciphersuites:
3220 on a newly accepted connection. Child processes are respawned
3223 as a long-running service, making the OpenSSL CA somewhat more
3253 a port of the default random generator from the OpenSSL FIPS 2.0
3254 object module. It is a hybrid deterministic random bit generator
3260 - The default RAND method makes use of a DRBG.
3261 - There is a public and private DRBG instance.
3270 so much data. Instead, ./configdata.pm should be used as a script
3311 Based on a patch from Tomasz Moń
3339 * Add "atfork" functions. If building on a system without
3349 * The UI API becomes a permanent and integral part of libcrypto, i.e.
3352 as a fallback).
3361 * Add a STORE module, which implements a uniform and URI based reader of
3363 objects. The main API is loosely based on a few stdio functions,
3384 With this change, we claim the namespaces OSSL and OPENSSL in a manner
3394 * Add a build target 'build_all_generated', to build all generated files
3396 things like perl for a system that lacks perl and then move everything
3402 can be used by engines that need to retain the data for a longer time
3458 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3463 VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
3521 used even when parsing explicit parameters, when loading an encoded key
3526 By default, if a key encoded with explicit parameters is loaded and later
3528 internally a "named" EC_GROUP is used for computation.
3540 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
3547 As a work around for this potential attack the length of the decrypted
3558 Mingw isn't a POSIX environment per se, which means that Windows
3575 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3577 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
3579 bytes. However it also incorrectly allows a nonce to be set of up to 16
3583 It is a requirement of using this cipher that nonce values are
3584 unique. Messages encrypted using a reused nonce value are susceptible to
3586 the default nonce length to be longer than 12 bytes and then makes a
3587 change to the leading bytes of the nonce expecting the new value to be a
3589 messages with a reused nonce.
3591 Additionally the ignored bytes in a long nonce are not covered by the
3593 integrity of these ignored leading bytes of a long nonce may be further
3595 is safe because no such use sets such a long nonce value. However user
3596 applications that use this cipher directly and set a non-default nonce
3606 a new dedicated field_inv() pointer in EC_METHOD.
3607 This also addresses a leakage affecting conversions from projective
3612 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
3621 * Remove the 'dist' target and add a tarball building script. The
3623 necessary to configure just to create a source distribution.
3631 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
3642 The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
3652 coordinate blinding for generic prime curves as a countermeasure to
3661 During key agreement in a TLS handshake using a DH(E) based ciphersuite a
3662 malicious server can send a very large prime value to the client. This will
3663 cause the client to spend an unreasonably long period of time generating a
3664 key for this prime resulting in a hang until the client has finished. This
3665 could be exploited in a Denial Of Service attack.
3675 a cache timing side channel attack. An attacker with sufficient access to
3685 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
3686 parameter is no longer accepted, as it leads to a corrupt table. NULL
3713 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
3724 * Fixed a text canonicalisation bug in CMS
3726 Where a CMS detached signature is used with text content the text goes
3727 through a canonicalisation process first prior to signing or verifying a
3730 at the end of a file. A bug in the canonicalisation process meant that
3735 signed with a fixed OpenSSL may fail to verify with an earlier version of
3736 OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
3744 * Constructed ASN.1 types with a recursive definition could exceed the stack
3746 Constructed ASN.1 types with a recursive definition (such as can be found
3748 excessive recursion. This could result in a Denial Of Service attack. There
3773 * Add a build target 'build_all_generated', to build all generated files
3775 things like perl for a system that lacks perl and then move everything
3794 * Removed the OS390-Unix config target. It relied on a script that doesn't
3803 Analysis suggests that attacks against RSA and DSA as a result of this
3806 work necessary to deduce information about a private key may be performed
3825 There is a carry propagating bug in the x86_64 Montgomery squaring
3827 against RSA and DSA as a result of this defect would be very difficult to
3830 deduce information about a private key may be performed offline. The amount
3832 likely only accessible to a limited number of attackers. An attacker would
3834 private key in a scenario with persistent DH parameters and a private
3847 If an X.509 certificate has a malformed IPAddressFamily extension,
3848 OpenSSL could do a one-byte buffer overread. The most likely result
3864 VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
3873 During a renegotiation handshake if the Encrypt-Then-Mac extension is
3887 If one side of an SSL/TLS path is running on a 32-bit host and a specific
3888 cipher is being used, then a truncated packet can cause that host to
3889 perform an out-of-bounds read, usually resulting in a crash.
3896 * Bad (EC)DHE parameters cause a client crash
3898 If a malicious server supplies bad parameters for a DHE or ECDHE key
3899 exchange then this can result in the client attempting to dereference a
3900 NULL pointer leading to a client crash. This could be exploited in a Denial
3910 There is a carry propagating bug in the x86_64 Montgomery squaring
3912 against RSA and DSA as a result of this defect would be very difficult to
3915 deduce information about a private key may be performed offline. The amount
3917 likely only accessible to a limited number of attackers. An attacker would
3919 private key in a scenario with persistent DH parameters and a private
3922 similar to CVE-2015-3193 but must be treated as a separate problem.
3934 a DoS attack by corrupting larger payloads. This can result in an OpenSSL
3935 crash. This issue is not considered to be exploitable beyond a DoS.
3944 Applications parsing invalid CMS structures can crash with a NULL pointer
3945 dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
3946 type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
3948 Only CHOICE structures using a callback which do not handle NULL value are
3958 There is a carry propagating bug in the Broadwell-specific Montgomery
3974 initially recognized as a security issue. Thanks to Richard Morgan for
3981 as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
3985 ### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
3989 The patch applied to address CVE-2016-6307 resulted in an issue where if a
3991 store the incoming message is reallocated and moved. Unfortunately a
3993 write to the previously freed location. This is likely to result in a
3996 This issue only affects OpenSSL 1.1.0a.
4003 ### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
4007 A malicious client can send an excessively large OCSP Status Request
4008 extension. If that client continually requests renegotiation, sending a
4010 memory growth on the server. This will eventually lead to a Denial Of
4011 Service attack through memory exhaustion. Servers with a default
4022 OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
4023 sends an empty record. This could be exploited by a malicious peer in a
4034 A (D)TLS message includes 3 bytes for its length in the header for the
4036 this length are excessive and OpenSSL includes a check to ensure that a
4038 being consumed to service a connection. A flaw in the logic of version
4042 to service a connection. This could lead to a Denial of Service through
4045 that the application calls SSL_free() on the failed connection in a timely
4048 nature. This then means that there is only a security impact if:
4050 1) The application does not call SSL_free() in a timely manner in the event
4053 2) The application is working in a constrained environment where there is
4057 multiple connections in a state where memory has been allocated for the
4065 memory - which would then mean a more serious Denial of Service.
4107 to int. A return of 0 indicates an error while a return of 1 indicates
4141 alongside the installed libraries and executables. For a static
4151 * Automatic Darwin/OSX configuration has had a refresh, it will now
4153 to build for a different bitness with the environment variable
4176 directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
4201 Explicitly de-initing can cause problems (e.g. where a library that uses
4240 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
4249 it is always safe to #include a header now.
4270 EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
4274 into libssl so that multiple records for a single connection can be
4285 * OpenSSL now uses a new threading API. It is no longer necessary to
4286 set locking callbacks to use OpenSSL in a multi-threaded environment. There
4325 client advertises, send a fatal "no_application_protocol" alert.
4354 that of a valid user.
4377 * Configuration change; if there is a known flag to compile
4413 The "unified" build system is aimed to be a common system for all
4416 This system supports building in a different directory tree
4422 information for each directory with source to compile, and a
4444 "peer" argument is now expected to be a BIO_ADDR object.
4450 It also introduces a new API, with functions like BIO_socket,
4451 BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
4477 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4501 Makefile. Instead, Configure produces a perl module in
4521 If the directory given with this option is a relative path, the
4534 support for GOST ciphersuites (these are only activated if a GOST engine
4584 the build to just the latest API, rather than a fixed API
4672 SSL_{CTX_}set1_curves() which can set a list.
4719 set a mandatory field to NULL.
4721 This currently only works for some fields specifically a SEQUENCE, CHOICE,
4722 or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
4728 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4799 hasn't been working properly for a while.
4820 were newly added (along with a number of other static DH ciphersuites) to
4841 * RT2547 was closed. When generating a private key, try to make the
4846 Added a test.
4865 initial patch which was a great help during development.
4885 * Added support for OCB mode. OpenSSL has been granted a patent license
4892 * SSLv2 support has been removed. It still supports receiving an SSLv2
4900 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4935 - Remove MS_STATIC; it's a relic from platforms <32 bits.
4956 * Experimental support for a new, fast, unbiased prime candidate generator,
4971 * Fix eckey_priv_encode so it immediately returns an error upon a failure
4980 * A missing bounds check in the handling of the TLS heartbeat extension
4981 can be used to reveal up to 64k of memory to a connected client or
4996 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
5001 this fixes a limitation in previous versions of OpenSSL.
5057 * Add fips_algvs: a multicall fips utility incorporating all the algorithm
5091 FIPS 186-3 A.2.3.
5119 information in FIPS186-3, SP800-57 and SP800-131A.
5144 to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
5148 the standard OpenSSL PRNG: set additional data to a date time vector.
5173 * New function DH_compute_key_padded() to compute a DH key and pad with
5174 leading zeroes if needed: this complies with SP800-56A et al.
5184 files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
5225 can be set or retrieved with a ctrl. The IV length is by default 12
5238 no longer an error code) or a negative error code. Also if the
5243 * If a candidate issuer certificate is already part of the constructed
5255 for use by SSL/TLS servers; the callback function will be called whenever a
5262 A simple reasonable callback implementation is to return is_forward_secure.
5281 renegotiated requesting a certificate.
5294 can now return an error. The RAND changes required a change to the
5300 a gcc attribute to warn if the result of a function is ignored. This
5308 validated when establishing a connection.
5318 used even when parsing explicit parameters, when loading an encoded key
5323 By default, if a key encoded with explicit parameters is loaded and later
5325 internally a "named" EC_GROUP is used for computation.
5337 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
5344 As a work around for this potential attack the length of the decrypted
5384 If an application encounters a fatal protocol error and then calls
5385 SSL_shutdown() twice (once to send a close_notify, and once to receive one)
5386 then OpenSSL can respond differently to the calling application if a 0 byte
5387 record is received with invalid padding compared to if a 0 byte record is
5389 based on that in a way that is detectable to the remote peer, then this
5390 amounts to a padding oracle that could be used to decrypt data.
5395 twice even if a protocol error has occurred (applications should not do
5414 shown to be vulnerable to a microarchitecture timing side channel attack.
5427 The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
5436 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
5446 During key agreement in a TLS handshake using a DH(E) based ciphersuite a
5447 malicious server can send a very large prime value to the client. This will
5448 cause the client to spend an unreasonably long period of time generating a
5449 key for this prime resulting in a hang until the client has finished. This
5450 could be exploited in a Denial Of Service attack.
5460 a cache timing side channel attack. An attacker with sufficient access to
5470 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
5471 parameter is no longer accepted, as it leads to a corrupt table. NULL
5498 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
5511 * Constructed ASN.1 types with a recursive definition could exceed the stack
5513 Constructed ASN.1 types with a recursive definition (such as can be found
5515 excessive recursion. This could result in a Denial Of Service attack. There
5530 mechanism. The intent was that if a fatal error occurred during a handshake
5534 SSL_connect()), however due to a bug it does not work correctly if
5536 handshake fails then a fatal error will be returned in the initial function
5542 that resulted in a call to SSL_read()/SSL_write() being issued after having
5543 already received a fatal error.
5554 Analysis suggests that attacks against RSA and DSA as a result of this
5557 work necessary to deduce information about a private key may be performed
5576 There is a carry propagating bug in the x86_64 Montgomery squaring
5578 against RSA and DSA as a result of this defect would be very difficult to
5581 deduce information about a private key may be performed offline. The amount
5583 likely only accessible to a limited number of attackers. An attacker would
5585 private key in a scenario with persistent DH parameters and a private
5598 If an X.509 certificate has a malformed IPAddressFamily extension,
5599 OpenSSL could do a one-byte buffer overread. The most likely result
5617 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5618 cipher is being used, then a truncated packet can cause that host to
5619 perform an out-of-bounds read, usually resulting in a crash.
5628 There is a carry propagating bug in the x86_64 Montgomery squaring
5630 against RSA and DSA as a result of this defect would be very difficult to
5633 deduce information about a private key may be performed offline. The amount
5635 likely only accessible to a limited number of attackers. An attacker would
5637 private key in a scenario with persistent DH parameters and a private
5640 similar to CVE-2015-3193 but must be treated as a separate problem.
5649 There is a carry propagating bug in the Broadwell-specific Montgomery
5665 initially recognized as a security issue. Thanks to Richard Morgan for
5682 A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
5683 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
5684 CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
5695 A malicious client can send an excessively large OCSP Status Request
5696 extension. If that client continually requests renegotiation, sending a
5698 memory growth on the server. This will eventually lead to a Denial Of
5699 Service attack through memory exhaustion. Servers with a default
5721 is able to supply very large amounts of input data after a previous
5722 call to EVP_EncryptUpdate() with a partial block then a length check
5723 can overflow resulting in a heap corruption.
5735 If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
5736 DoS attack where a malformed ticket will result in an OOB read which will
5740 a custom server callback and ticket lookup mechanism.
5751 overly large BIGNUM. This could be a problem if an overly large certificate
5776 A common idiom in the codebase is to check limits in the following manner:
5782 "len" here could be from some externally supplied data (e.g. from a TLS
5801 order to avoid side channel attacks. A flaw in the OpenSSL DSA
5802 implementation means that a non-constant time codepath is followed for
5803 certain operations. This has been demonstrated through a cache-timing
5815 In a DTLS connection where handshake messages are delivered out-of-order
5817 for later use. Under certain circumstances, a flaw in the logic means that
5822 a message is 100k. Therefore the attacker could force an additional 1500k
5824 attacker could cause a DoS attack through memory exhaustion.
5833 A flaw in the DTLS replay attack protection mechanism means that records
5836 attacker by sending a record for the next epoch (which does not have to
5837 decrypt or have a valid MAC), with a very large sequence number. This means
5838 that all subsequent legitimate packets are dropped causing a denial of
5839 service for a specific DTLS connection.
5849 in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
5854 and server certificate. As a result the attack can only be performed
5855 against a client or a server which enables client authentication.
5866 A MITM attacker can use a padding oracle attack to decrypt traffic
5871 attack ([CVE-2013-0169]). The padding check was rewritten to be in
5885 amounts of input data then a length check can overflow resulting in a heap
5891 from an untrusted source and outputs it as a PEM file should be considered
5903 is able to supply very large amounts of input data after a previous call to
5904 EVP_EncryptUpdate() with a partial block then a length check can overflow
5905 resulting in a heap corruption. Following an analysis of all OpenSSL
5915 Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
5926 When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
5927 a short invalid encoding can cause allocation of large amounts of memory
5993 * Fix a double-free in DSA code
5995 A double free bug was discovered when OpenSSL parses malformed DSA private
5996 keys and could lead to a DoS attack or memory corruption for applications
6006 * Disable SRP fake user seed to address a server memory leak.
6008 Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
6021 that of a valid user.
6029 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
6032 field as NULL leading to a subsequent NULL ptr deref. For very large values
6033 of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
6035 is insufficiently sized leading to heap corruption. A similar issue exists
6038 This is anticipated to be a rare occurrence.
6053 The internal `fmtstr` function used in processing a "%s" format string in
6054 the `BIO_*printf` functions could overflow while calculating the length of a
6058 OOB memory location (at an offset from the NULL pointer) in the event of a
6060 the size of a buffer to be allocated is greater than INT_MAX. E.g. this
6061 could be in processing a very long "%s" format string. Memory leaks can
6085 A side-channel attack was found which makes use of cache-bank conflicts on
6088 an attacker who has control of code in a thread running on the same
6099 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
6115 not "safe" then an attacker could use this fact to find a peer's private
6118 this could be used to discover a TLS server's private DH exponent if it's
6119 reusing the private DH exponent or it's using a static DH ciphersuite.
6127 The fix for this issue adds an additional check where a "q" parameter is
6142 A malicious client can negotiate SSLv2 ciphers that have been disabled on
6157 There is a carry propagating bug in the x86_64 Montgomery squaring
6159 against RSA and DSA as a result of this defect would be very difficult to
6162 deduce information about a private key may be performed offline. The amount
6164 likely only accessible to a limited number of attackers. An attacker would
6166 private key in a scenario with persistent DH parameters and a private
6177 The signature verification routines will crash with a NULL pointer
6181 used to crash any certificate verification operation and exploited in a
6193 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
6221 alternative certificate chain if the first attempt to build such a chain
6224 bypassed, such as the CA flag, enabling them to use a valid leaf
6225 certificate to act as a CA and "issue" an invalid certificate.
6240 ### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
6245 if the curve specified is over a specially malformed binary polynomial
6261 string and can read a few bytes out of bounds. In addition,
6266 various sizes and potentially cause a segmentation fault, resulting in
6267 a DoS on applications that verify certificates or CRLs. TLS clients
6282 with missing content and trigger a NULL pointer dereference on parsing.
6295 When verifying a signedData message the CMS code can enter an infinite loop
6306 If a NewSessionTicket is received by a multi-threaded client when attempting to
6307 reuse a previous ticket then a race condition can occur potentially leading to
6308 a double free of the ticket data.
6319 ### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
6323 If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
6324 invalid signature algorithms extension a NULL pointer dereference will
6325 occur. This can be exploited in a DoS attack against the server.
6337 NI instructions. A defect in the implementation of "multiblock" can cause
6339 using non-blocking IO. Typically, when the user application is using a
6340 socket BIO for writing, this will only result in a failed connection.
6341 However if some other BIO is used then it is likely that a segmentation
6342 fault will be triggered, thus enabling a potential DoS attack.
6353 over the call to DTLSv1_listen until a valid ClientHello is received with
6354 an associated cookie. A defect in the implementation of DTLSv1_listen means
6356 that can lead to a segmentation fault. Errors processing the initial
6358 that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
6371 certificate verification operation and exploited in a DoS attack. Any
6380 The signature verification routines will crash with a NULL pointer
6384 certificate verification operation and exploited in a DoS attack. Any
6395 Reusing a structure in ASN.1 parsing may allow an attacker to cause
6411 missing content and trigger a NULL pointer dereference on parsing.
6424 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
6426 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6436 If client auth is used then a server can seg fault in the event of a DHE
6437 ciphersuite being selected and a zero length ClientKeyExchange message
6438 being sent by the client. This could be exploited in a DoS attack.
6445 Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
6447 - The client is on a platform where the PRNG has not been seeded
6449 - A protocol specific client method version has been used (i.e. not
6451 - A ciphersuite is used that does not require additional random data from
6455 have been generated from a PRNG with insufficient entropy and therefore the
6468 A malformed EC private key file consumed via the d2i_ECPrivateKey function
6469 could cause a use after free condition. This, in turn, could cause a double
6471 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
6483 The function X509_to_X509_REQ will crash with a NULL pointer dereference if
6550 * Accelerated modular exponentiation for Intel processors, a.k.a.
6571 this fixes a limitation in previous versions of OpenSSL.
6603 * New option -brief for s_client and s_server to print out a brief summary
6621 * New function X509_CRL_diff to generate a delta CRL from the difference
6646 * `SSL_CONF*` functions. These provide a common framework for application
6668 * Add functions to retrieve and manipulate the raw cipherlist sent by a
6685 * Make tls1_check_chain return a set of flags indicating checks passed
6686 by a certificate chain. Add additional tests to handle client
6692 * If an attempt is made to use a signature algorithm not in the peer
6694 signature algorithms in response to a certificate request do not
6707 to build and store a certificate chain in CERT structure: returning
6709 to test if a chain is correctly configured.
6716 * New function ssl_set_client_disabled to set a ciphersuite disabled
6722 * New ctrls to retrieve and set certificate types in a certificate
6733 * Add certificate callback. If set this is called whenever a certificate
6748 Add new "cert_flags" field to CERT structure and include a "strict mode".
6770 from an SSL structure. Before this once a certificate had been added
6785 * New functions to check a hostname email or IP address against a
6787 a certificate.
6796 OpenSSL still tries to build a complete chain to a root but if an
6797 intermediate CA has a trust setting included that is used. The first
6842 hardcoded fixed parameters. Now a server just has to call:
6896 A malicious client can send an excessively large OCSP Status Request
6897 extension. If that client continually requests renegotiation, sending a
6899 memory growth on the server. This will eventually lead to a Denial Of
6900 Service attack through memory exhaustion. Servers with a default
6922 is able to supply very large amounts of input data after a previous
6923 call to EVP_EncryptUpdate() with a partial block then a length check
6924 can overflow resulting in a heap corruption.
6936 If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
6937 DoS attack where a malformed ticket will result in an OOB read which will
6941 a custom server callback and ticket lookup mechanism.
6952 overly large BIGNUM. This could be a problem if an overly large certificate
6977 A common idiom in the codebase is to check limits in the following manner:
6983 "len" here could be from some externally supplied data (e.g. from a TLS
7002 order to avoid side channel attacks. A flaw in the OpenSSL DSA
7003 implementation means that a non-constant time codepath is followed for
7004 certain operations. This has been demonstrated through a cache-timing
7016 In a DTLS connection where handshake messages are delivered out-of-order
7018 for later use. Under certain circumstances, a flaw in the logic means that
7023 a message is 100k. Therefore the attacker could force an additional 1500k
7025 attacker could cause a DoS attack through memory exhaustion.
7034 A flaw in the DTLS replay attack protection mechanism means that records
7037 attacker by sending a record for the next epoch (which does not have to
7038 decrypt or have a valid MAC), with a very large sequence number. This means
7039 that all subsequent legitimate packets are dropped causing a denial of
7040 service for a specific DTLS connection.
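The DTLS replay-protection entry above describes an ordering flaw: a record for the next epoch, which need not decrypt or carry a valid MAC, slides the anti-replay window forward, after which every legitimate record looks like a replay. The following is an added illustration, not OpenSSL code: a 64-slot sliding window with the update done before authentication (flawed) and after it (fixed). The `record_t`/`window_t` types, the `mac_ok` flag standing in for a successful decrypt-and-verify, and the sequence numbers are assumptions made for the demonstration.

```c
/*
 * Added example (not OpenSSL code): models the DTLS anti-replay window and
 * the order-of-checks bug described in the entry above. Types, field names
 * and the mac_ok flag are assumptions for the illustration.
 */
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 64

typedef struct {
    uint16_t epoch;    /* epoch this window belongs to */
    uint64_t top;      /* highest sequence number recorded so far */
    uint64_t bitmap;   /* bit i set => seq (top - i) already received */
} window_t;

typedef struct {
    uint16_t epoch;
    uint64_t seq;      /* 48-bit on the wire; uint64_t here */
    int mac_ok;        /* 1 if the record would decrypt and its MAC verify */
} record_t;

static void window_init(window_t *w, uint16_t epoch) {
    w->epoch = epoch; w->top = 0; w->bitmap = 0;
}

/* 1 if seq was already seen or is older than the window, else 0. */
static int window_is_replay(const window_t *w, uint64_t seq) {
    uint64_t diff;
    if (seq > w->top) return 0;
    diff = w->top - seq;
    if (diff >= WINDOW_BITS) return 1;
    return (int)((w->bitmap >> diff) & 1);
}

/* Record seq, sliding the window forward when seq is beyond top. */
static void window_update(window_t *w, uint64_t seq) {
    if (seq > w->top) {
        uint64_t shift = seq - w->top;
        w->bitmap = (shift >= WINDOW_BITS) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->top = seq;
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
}

/* Flawed order: the window is advanced before epoch and MAC are checked, so
 * an unauthenticated future-epoch record with a huge seq poisons it.
 * Returns 1 if the record is accepted, 0 if dropped. */
static int recv_flawed(window_t *w, const record_t *r) {
    if (window_is_replay(w, r->seq)) return 0;
    window_update(w, r->seq);            /* bug: unauthenticated update */
    if (r->epoch != w->epoch) return 0;  /* future epoch: not for this window */
    if (!r->mac_ok) return 0;
    return 1;
}

/* Fixed order: only a current-epoch record that authenticates may touch
 * the window. */
static int recv_fixed(window_t *w, const record_t *r) {
    if (r->epoch != w->epoch) return 0;
    if (window_is_replay(w, r->seq)) return 0;
    if (!r->mac_ok) return 0;
    window_update(w, r->seq);
    return 1;
}

/* Constructed scenario: `start` legitimate records have arrived, the
 * attacker injects one next-epoch record with a huge seq and a bogus MAC,
 * then n more legitimate records arrive in order. Returns how many of
 * those n were accepted. */
static int run_scenario(int (*recv)(window_t *, const record_t *),
                        uint64_t start, int n) {
    window_t w;
    record_t evil = { 2, (uint64_t)1 << 47, 0 };
    uint64_t s;
    int i, accepted = 0;
    window_init(&w, 1);
    for (s = 0; s < start; s++) {
        record_t r = { 1, s, 1 };
        recv(&w, &r);
    }
    recv(&w, &evil);
    for (i = 0; i < n; i++) {
        record_t r = { 1, start + (uint64_t)i, 1 };
        accepted += recv(&w, &r);
    }
    return accepted;
}

/* The fixed path must still reject a genuine duplicate. */
static int fixed_rejects_duplicate(void) {
    window_t w;
    record_t r = { 1, 5, 1 };
    int first, second;
    window_init(&w, 1);
    first = recv_fixed(&w, &r);
    second = recv_fixed(&w, &r);
    return first == 1 && second == 0;
}

int main(void) {
    printf("flawed: %d of 5 accepted after injection\n", run_scenario(recv_flawed, 10, 5));
    printf("fixed:  %d of 5 accepted after injection\n", run_scenario(recv_fixed, 10, 5));
    printf("fixed rejects duplicate: %d\n", fixed_rejects_duplicate());
    return 0;
}
```

The point is purely the ordering: `recv_flawed` and `recv_fixed` perform the same three checks, but only the fixed version waits until the record is known to belong to this epoch and to authenticate before it lets the sequence number move the window.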
7050 in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
7055 and server certificate. As a result the attack can only be performed
7056 against a client or a server which enables client authentication.
7067 A MITM attacker can use a padding oracle attack to decrypt traffic
7072 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7087 amounts of input data then a length check can overflow resulting in a heap
7093 from an untrusted source and outputs it as a PEM file should be considered
7105 is able to supply very large amounts of input data after a previous call to
7106 EVP_EncryptUpdate() with a partial block then a length check can overflow
7107 resulting in a heap corruption. Following an analysis of all OpenSSL
7117 Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
7128 When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
7129 a short invalid encoding can cause allocation of large amounts of memory
7195 * Fix a double-free in DSA code
7197 A double free bug was discovered when OpenSSL parses malformed DSA private
7198 keys and could lead to a DoS attack or memory corruption for applications
7208 * Disable SRP fake user seed to address a server memory leak.
7210 Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
7223 that of a valid user.
7231 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
7234 field as NULL leading to a subsequent NULL ptr deref. For very large values
7235 of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
7237 is insufficiently sized leading to heap corruption. A similar issue exists
7240 This is anticipated to be a rare occurrence.
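Three of the entries above are the same class of bug: a length check written in a way that can itself overflow. The "check limits in the following manner" entry (pointer plus externally supplied `len` compared against a limit), the `bn_expand` entry (`i * 4` in `int` going negative or wrapping to a small positive), and the `EVP_EncryptUpdate` partial-block entry (buffered bytes plus a huge input length). The following is an added illustration, not OpenSSL code: each check in an overflow-safe form, plus a helper that shows what the wrapped `i * 4` looks like on a 32-bit `int`. Function names and the 4-bits-per-hex-digit sizing are assumptions for the example.

```c
/*
 * Added example (not OpenSSL code): overflow-safe forms of the three
 * length checks discussed in the entries above. Function names are ours.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 1. Pointer-plus-length limit check.
 *    `p + len > limit` is undefined behaviour once p + len leaves the
 *    object, and the compiler may fold the check away. Comparing lengths
 *    never forms an out-of-range pointer. */
static int fits_before_limit(const unsigned char *p, size_t len,
                             const unsigned char *limit) {
    if (p > limit) return 0;
    return len <= (size_t)(limit - p);
}

/* 2. Bits needed for ndigits hex digits.
 *    A bare `ndigits * 4` overflows for ndigits > INT_MAX / 4: negative
 *    (nothing allocated, NULL deref later) or wrapped to a small positive
 *    (undersized allocation, heap corruption). Returns 1 on success. */
static int bits_for_hex_digits(int ndigits, int *bits) {
    if (ndigits < 0 || ndigits > INT_MAX / 4) return 0;
    *bits = ndigits * 4;
    return 1;
}

/* 3. Partial-block accounting: `buffered + inl` overflows in int when the
 *    caller supplies a huge inl after a partial block. Returns 1 on success. */
static int partial_block_total(int buffered, int inl, int *total) {
    if (buffered < 0 || inl < 0 || inl > INT_MAX - buffered) return 0;
    *total = buffered + inl;
    return 1;
}

/* What `i * 4` wraps to on a 32-bit int. Computed in unsigned arithmetic so
 * the demonstration itself is well defined; the final conversion is
 * implementation-defined but two's complement everywhere OpenSSL runs. */
static int32_t wrapped_times_four(int32_t i) {
    uint32_t u = (uint32_t)i * 4u;
    return (int32_t)u;
}

int main(void) {
    unsigned char buf[64];
    int bits = 0, total = 0;
    printf("len 64 fits: %d, len 65 fits: %d\n",
           fits_before_limit(buf, 64, buf + sizeof buf),
           fits_before_limit(buf, 65, buf + sizeof buf));
    printf("16 hex digits ok=%d bits=%d\n", bits_for_hex_digits(16, &bits), bits);
    printf("INT_MAX hex digits ok=%d\n", bits_for_hex_digits(INT_MAX, &bits));
    printf("0x20000000*4 wraps to %d (negative)\n", wrapped_times_four(0x20000000));
    printf("0x40000001*4 wraps to %d (small positive)\n", wrapped_times_four(0x40000001));
    printf("partial block 7 + INT_MAX ok=%d\n", partial_block_total(7, INT_MAX, &total));
    return 0;
}
```

The pattern in all three is the same: move the untrusted quantity to one side of the comparison on its own, and compare it against the headroom that is left (`limit - p`, `INT_MAX / 4`, `INT_MAX - buffered`), so the arithmetic that could overflow is never performed on the attacker-controlled value.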
7255 The internal `fmtstr` function used in processing a "%s" format string in
7256 the `BIO_*printf` functions could overflow while calculating the length of a
7260 OOB memory location (at an offset from the NULL pointer) in the event of a
7262 the size of a buffer to be allocated is greater than INT_MAX. E.g. this
7263 could be in processing a very long "%s" format string. Memory leaks can
7287 A side-channel attack was found which makes use of cache-bank conflicts on
7290 an attacker who has control of code in a thread running on the same
7301 * Change the req command to generate a 2048-bit RSA/DSA key by default,
7312 As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
7320 A malicious client can negotiate SSLv2 ciphers that have been disabled on
7339 The signature verification routines will crash with a NULL pointer
7343 used to crash any certificate verification operation and exploited in a
7355 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
7374 use a random seed, as already documented.
7383 alternative certificate chain if the first attempt to build such a chain
7386 bypassed, such as the CA flag, enabling them to use a valid leaf
7387 certificate to act as a CA and "issue" an invalid certificate.
7397 If PSK identity hints are received by a multi-threaded client then
7399 result in a race condition potentially leading to a double free of the
7416 if the curve specified is over a specially malformed binary polynomial
7432 string and can read a few bytes out of bounds. In addition,
7437 various sizes and potentially cause a segmentation fault, resulting in
7438 a DoS on applications that verify certificates or CRLs. TLS clients
7453 with missing content and trigger a NULL pointer dereference on parsing.
7466 When verifying a signedData message the CMS code can enter an infinite loop
7477 If a NewSessionTicket is received by a multi-threaded client when attempting to
7478 reuse a previous ticket then a race condition can occur potentially leading to
7479 a double free of the ticket data.
7499 certificate verification operation and exploited in a DoS attack. Any
7508 Reusing a structure in ASN.1 parsing may allow an attacker to cause
7524 missing content and trigger a NULL pointer dereference on parsing.
7537 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
7539 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7549 A malformed EC private key file consumed via the d2i_ECPrivateKey function
7550 could cause a use after free condition. This, in turn, could cause a double
7552 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
7564 The function X509_to_X509_REQ will crash with a NULL pointer dereference if
7584 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
7585 message can cause a segmentation fault in OpenSSL due to a NULL pointer
7586 dereference. This could lead to a Denial Of Service attack. Thanks to
7592 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
7596 by an attacker in a Denial of Service attack through memory exhaustion.
7603 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
7604 method would be set to NULL which could later result in a NULL pointer
7621 non-export ciphersuites and could be used by a server to effectively
7622 downgrade the RSA key length used to a value smaller than the server
7630 An OpenSSL server will accept a DH certificate for client authentication
7631 without the certificate verify message. This effectively allows a client to
7632 authenticate without the use of a private key. This only affects servers
7633 which trust a client certificate authority which issues certificates
7651 By using non-DER or invalid encodings outside the signed portion of a
7673 signature. Return an error if there is a mismatch.
7689 with a very low probability, and is not known to be exploitable in any
7700 version does not match the session's version. Resuming with a different
7713 ensure that the client only accepts a session ticket if the server sends
7714 the extension anew in the ServerHello. Previously, a TLS client would
7715 reuse the old extension state and thus accept a session ticket if one was
7718 Similarly, ensure that the client requires a session ticket if one
7719 was advertised in the ServerHello. Previously, a TLS client would
7720 ignore a missing NewSessionTicket message.
7728 A flaw in the DTLS SRTP extension parsing code allows an attacker, who
7729 sends a carefully crafted handshake message, to cause OpenSSL to fail
7730 to free up to 64k of memory causing a memory leak. This could be
7731 exploited in a Denial Of Service attack. This issue affects OpenSSL
7743 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
7744 integrity of that ticket is first verified. In the event of a session
7746 causing a memory leak. By sending a large number of invalid session
7747 tickets an attacker could exploit this issue in a Denial Of Service
7755 When OpenSSL is configured with "no-ssl3" as a build option, servers
7756 could accept and complete a SSL 3.0 handshake, and clients could be
7775 Note: this is a precautionary measure and no attacks are currently known.
7783 g, A, B < N to SRP code.
7791 * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
7793 is badly fragmented. This allows a man-in-the-middle attacker to force a
7794 downgrade to TLS 1.0 even if both the server and the client support a
7804 to a denial of service attack. A malicious server can crash the client
7805 with a null pointer dereference (read) by specifying an anonymous (EC)DH
7815 to leak memory. This can be exploited through a Denial of Service attack.
7822 processing DTLS handshake messages. This can be exploited through a
7831 can be exploited through a Denial of Service attack.
7838 * If a multithreaded client connects to a malicious server using a resumed
7848 * A malicious server can crash an OpenSSL client with a null pointer
7850 properly negotiated with the client. This can be exploited through a
7859 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
7877 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
7888 in a DoS attack.
7895 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
7898 code on a vulnerable client or server.
7905 are subject to a denial of service attack.
7917 * Fix eckey_priv_encode so it immediately returns an error upon a failure
7928 * A missing bounds check in the handling of the TLS heartbeat extension
7929 can be used to reveal up to 64k of memory to a connected client or
7944 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7952 less than 512 pad with a dummy extension containing zeroes so it
7959 * Fix for TLS record tampering bug. A carefully crafted invalid
7960 handshake could crash OpenSSL with a NULL pointer exception.
7981 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
7998 ([CVE-2013-0169])
8003 ciphersuites which can be exploited in a denial of service attack.
8012 This fixes a DoS attack. ([CVE-2013-0166])
8042 fuzzing as a service testing platform.
8057 ### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
8060 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
8065 OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
8066 will need to be recompiled as a result. Leaving it as is results in
8082 ### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
8098 * Workarounds for some broken servers that "hang" if a client hello
8120 STRING form instead of a DigestInfo.
8134 encrypted premaster secret. As a workaround use the maximum permitted
8178 disabled with a no-npn flag to config or Configure. Code donated
8222 New function ASN1_item_sign_ctx() signs a pre-initialised
8231 Add a PSS handler to support verification of PSS signatures: checked
8232 against a number of sample certificates.
8262 - Fix handling of connections that are resuming with a session ID,
8264 - Fix a bug that suppressed issuing of a new ticket if the client
8265 presented a ticket with an expired session.
8286 add a special AESGCM string for GCM only.
8301 * For FIPS capable OpenSSL interpret a NULL default public key method
8346 to use these will cause a fatal error. Applications that *really* want
8360 for static and shared library builds embedding a signature if needed.
8390 * Initial TLS v1.2 client support. Add a default signature algorithms
8420 * A long standing patch to add support for SRP from EdelWeb (Peter
8446 a few changes are required:
8463 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
8476 If PSK identity hints are received by a multi-threaded client then
8478 result in a race condition potentially leading to a double free of the
8489 if the curve specified is over a specially malformed binary polynomial
8505 string and can read a few bytes out of bounds. In addition,
8510 various sizes and potentially cause a segmentation fault, resulting in
8511 a DoS on applications that verify certificates or CRLs. TLS clients
8526 with missing content and trigger a NULL pointer dereference on parsing.
8539 When verifying a signedData message the CMS code can enter an infinite loop
8550 If a NewSessionTicket is received by a multi-threaded client when attempting to
8551 reuse a previous ticket then a race condition can occur potentially leading to
8552 a double free of the ticket data.
8564 certificate verification operation and exploited in a DoS attack. Any
8573 Reusing a structure in ASN.1 parsing may allow an attacker to cause
8589 missing content and trigger a NULL pointer dereference on parsing.
8602 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
8604 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8614 A malformed EC private key file consumed via the d2i_ECPrivateKey function
8615 could cause a use after free condition. This, in turn, could cause a double
8617 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
8629 The function X509_to_X509_REQ will crash with a NULL pointer dereference if
8649 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
8650 message can cause a segmentation fault in OpenSSL due to a NULL pointer
8651 dereference. This could lead to a Denial Of Service attack. Thanks to
8657 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
8661 by an attacker in a Denial of Service attack through memory exhaustion.
8668 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
8669 method would be set to NULL which could later result in a NULL pointer
8686 non-export ciphersuites and could be used by a server to effectively
8687 downgrade the RSA key length used to a value smaller than the server
8695 An OpenSSL server will accept a DH certificate for client authentication
8696 without the certificate verify message. This effectively allows a client to
8697 authenticate without the use of a private key. This only affects servers
8698 which trust a client certificate authority which issues certificates
8708 with a very low probability, and is not known to be exploitable in any
8720 By using non-DER or invalid encodings outside the signed portion of a
8742 signature. Return an error if there is a mismatch.
8760 When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
8761 integrity of that ticket is first verified. In the event of a session
8763 causing a memory leak. By sending a large number of invalid session
8764 tickets an attacker could exploit this issue in a Denial Of Service
8772 When OpenSSL is configured with "no-ssl3" as a build option, servers
8773 could accept and complete an SSL 3.0 handshake, and clients could be
8792 Note: this is a precautionary measure and no attacks are currently known.
8799 to a denial of service attack. A malicious server can crash the client
8800 with a null pointer dereference (read) by specifying an anonymous (EC)DH
8810 to leak memory. This can be exploited through a Denial of Service attack.
8817 processing DTLS handshake messages. This can be exploited through a
8826 can be exploited through a Denial of Service attack.
8833 * If a multithreaded client connects to a malicious server using a resumed
8843 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
8861 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
8872 in a DoS attack.
8879 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
8882 code on a vulnerable client or server.
8889 are subject to a denial of service attack.
8901 * Fix eckey_priv_encode so it immediately returns an error upon a failure
8916 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8949 ([CVE-2013-0169])
8954 This fixes a DoS attack. ([CVE-2013-0166])
8962 (This is a backport)
8979 fuzzing as a service testing platform.
9004 in CMS and PKCS7 code. When RSA decryption fails use a random key for
9015 * Fix CVE-2011-4619: make sure we really are receiving a
9026 preparing a fix. ([CVE-2012-0050])
9036 differences arising during decryption processing. A research
9143 and servers: an attacker can use it in a ciphersuite downgrade attack.
9150 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
9154 ### Changes between 1.0.0a and 1.0.0b [16 Nov 2010]
9156 * Fix extension code to avoid race conditions which can result in a buffer
9163 a DLL.
9167 ### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
9176 * Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
9191 * Fix compression algorithm handling: if resuming a session use the
9224 to determine whether the BIO is the one explicitly called or as a result
9235 done conditionally on Netware platforms to avoid a name clash).
9249 retrieve a digest flags is by accessing the structure directly. Update
9250 `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
9273 commands instead of having to add each one as a special case. So now
9297 is incompatible with the older format and as a result c_rehash should
9308 * Add a $gcc_devteam_warn option to Configure. The idea is that any code
9309 committed to OpenSSL should pass this lot as a minimum.
9317 * Modify HMAC functions to return a value. Since these can be implemented
9333 * New function OPENSSL_gmtime_adj() to add a specific number of days and
9334 seconds to a tm structure directly, instead of going through OS
9351 as part of the CRL checking and indicate a new error "CRL path validation
9406 * To cater for systems that provide a pointer-based thread ID rather
9408 replace it with a structure and associated callback type. This
9409 mechanism allows a numeric "hash" to be extracted from a thread ID in
9413 as a pointer-based thread ID to distinguish between threads.
9416 CRYPTO_THREADID_set_callback() to register a callback that will call
9427 application was previously providing a numeric thread callback that
9436 * Initial support for different CRL issuing certificates. This covers a
9454 * Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
9508 assuming extension number 0x9527 (which is a completely arbitrary
9519 To get more control and flexibility, provide a callback function
9541 will always be NULL and 0 in the case of a client. A server will
9548 a new session (session resumption can resume whatever was
9566 If a client application caches session in an SSL_SESSION structure
9574 If a client or server wishes to disable RFC4507 support then the option
9577 Add a TLS extension debugging callback to allow the contents of any client
9617 the work each time a ciphersuite string requests enabling
9619 removing ("!foo+bar") a class of ciphersuites: Now it maintains
9627 the same ciphersuites as with "HIGH" alone, but in a specific
9643 This makes it much easier to arrive at a reasonable default order
9652 "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
9657 categories, so there is no longer a need to coagulate AES128 and
9658 AES256 into a single algorithm bit, and to coagulate Camellia128
9659 and Camellia256 into a single algorithm bit, which has led to all
9700 the CRL revoked certificates in a database.
9705 new CRLs added to a directory can be used. New command line option
9708 what. This reflects the way a "real world" verify callback would behave.
9720 selected via a scoring technique which handles IDP and AKID in CRLs.
9732 Modify get_crl() to find a valid (unexpired) CRL if possible.
9738 a function that just compares CRL issuer names. Cache several CRL
9743 * Store a "canonical" representation of X509_NAME structure (ASN1 Name)
9744 this maps equivalent X509_NAME structures into a consistent structure.
9784 the array representation useful in a more general context.
9832 an engine to register a method. Add ENGINE lookups for methods and
9861 Reorganize PBE internals to lookup from a static table using NIDs,
9862 add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl:
9863 EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
9874 supported by any public key method supporting the encrypt operation. A
9877 a no op.
9881 * Add a ctrl to asn1 method to allow a public key algorithm to express
9882 a default digest type to use. In most cases this will be SHA1 but some
9886 ASN1_item_sign() to accept a NULL digest argument to indicate it should
9922 public and private key formats. As a side effect these add additional
9951 * Initial definitions for EVP_PKEY_METHOD. This will be a high level public
9987 key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
9988 algorithm specific handling to a single module within the relevant
10022 have new members for a host name. The SSL data structure has an
10025 SSL has been switched to a new SSL_CTX in reaction to a client's
10042 openssl s_client has a new '-servername ...' option.
10046 testing the HostName extension for a specific single host name ('-cert'
10049 default is a warning; it becomes fatal with the '-servername_fatal'
10113 * Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
10139 update s->server with a new major version number. As of
10140 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
10142 the previous behavior could result in a read attempt at NULL when
10159 * Fix X509_STORE locking: Every 'objs' access requires a lock (to
10160 accommodate stack sorting, always a write lock!).
10165 excessive delays in the RAND_poll(): over a minute. As a workaround
10166 include a time check in the inner Heap32Next loop too.
10175 This should be fine since flushing with no data to flush is a no op.
10181 off ancient servers have a habit of sticking around for a while...
10186 ex_data callbacks. This works around a problem where some applications
10195 * Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
10211 a no_renegotiation alert as required by RFC5746. Some renegotiating
10212 TLS clients will continue a connection gracefully when they receive
10214 waiting for a server hello which it will never receive. Now we treat a
10215 received no_renegotiation alert as a fatal error. This is because
10216 applications requesting a renegotiation might well expect it to succeed
10235 turns out to be a bad idea. It has been replaced by
10244 servername handling. Use a non-zero length session ID when attempting
10246 a resumption has occurred immediately after receiving server hello
10254 fixes for a few places where the return code is not checked
10271 * Don't allow the use of leading 0x80 in OIDs. This is a violation of
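The entry above rejects OIDs whose base-128 sub-identifiers begin with a 0x80 octet: X.690 requires each sub-identifier to use the minimum number of octets, so a leading 0x80 is a non-minimal, non-DER encoding. The decoder below, an added example that is not OpenSSL's own code, shows what such a check looks like: it decodes the content octets of an OBJECT IDENTIFIER, splits the first sub-identifier into the first two arcs, and rejects leading 0x80 octets, truncated input and overflowing arcs. The sample OID bytes are constructed for the example (1.2.840.113549 is the real RSA arc).

```c
#include <limits.h>
#include <stddef.h>

/*
 * Decode the content octets of a DER OBJECT IDENTIFIER into its arcs.
 * Returns the number of arcs written, or 0 if the encoding is rejected:
 *   - empty content, or content that ends in the middle of a sub-identifier
 *   - a sub-identifier whose first octet is 0x80 (a leading zero in the
 *     base-128 form): X.690 8.19.2 requires the minimal number of octets,
 *     so this is not valid DER and is the case the entry above bans
 *   - a sub-identifier that does not fit in an unsigned long
 */
static size_t oid_decode(const unsigned char *der, size_t len,
                         unsigned long *arcs, size_t max_arcs)
{
    size_t i = 0, n = 0;

    if (len == 0 || max_arcs < 2)
        return 0;

    while (i < len) {
        unsigned long v = 0;

        if (der[i] == 0x80)                 /* leading 0x80: non-minimal */
            return 0;
        for (;;) {
            if (v > (ULONG_MAX >> 7))       /* next shift would overflow */
                return 0;
            v = (v << 7) | (der[i] & 0x7f);
            if (!(der[i++] & 0x80))
                break;                      /* last octet of this sub-identifier */
            if (i == len)
                return 0;                   /* truncated mid sub-identifier */
        }
        if (n == 0) {
            /* The first sub-identifier packs the first two arcs as 40*X + Y;
             * X is at most 2, and when X == 2, Y may exceed 39. */
            unsigned long x = v < 80 ? v / 40 : 2;
            arcs[0] = x;
            arcs[1] = v - 40 * x;
            n = 2;
        } else {
            if (n >= max_arcs)
                return 0;
            arcs[n++] = v;
        }
    }
    return n;
}

/* Constructed inputs for the worked cases. */
static const unsigned char RSA_OID[]   = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d }; /* 1.2.840.113549 */
static const unsigned char BAD_OID[]   = { 0x2a, 0x80, 0x06 };   /* arc 6 encoded as 80 06 */
static const unsigned char TRUNC_OID[] = { 0x2a, 0x86 };         /* stops mid sub-identifier */

/* Returns 1 if RSA_OID decodes to 1.2.840.113549, else 0. */
int oid_example_valid(void)
{
    unsigned long arcs[8];
    size_t n = oid_decode(RSA_OID, sizeof(RSA_OID), arcs, 8);
    return n == 4 && arcs[0] == 1 && arcs[1] == 2 && arcs[2] == 840 && arcs[3] == 113549;
}

/* Both of these must be rejected (return 0). */
size_t oid_example_leading_0x80(void)
{
    unsigned long arcs[8];
    return oid_decode(BAD_OID, sizeof(BAD_OID), arcs, 8);
}

size_t oid_example_truncated(void)
{
    unsigned long arcs[8];
    return oid_decode(TRUNC_OID, sizeof(TRUNC_OID), arcs, 8);
}
```

A lenient decoder that accepted `80 06` as arc 6 would let two different byte strings name the same OID, which breaks any comparison done on the encoded form (signature algorithm matching, extension lookup by OID) and is exactly why DER mandates a single encoding.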
10289 OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
10296 other than a simple chain.
10301 by default (a flag can override this): it just wastes time without
10302 adding any security. As a useful side effect self signed root CAs
10318 * Records are buffered if they arrive with a future epoch to be
10321 a DOS attack with sending records with future epochs until there is no
10323 the size of a buffer and limits the record buffer to 100 entries.
10328 * Keep a copy of frag->msg_header.frag_len so it can be used after the
10343 * Disable renegotiation completely - this fixes a severe security
10367 prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
10368 a legal length. ([CVE-2009-0590])
10384 for a '\n'
10448 applies only when resuming a session, so the earlier behavior was
10455 * Fix NULL pointer dereference if a DTLS server received
10460 * Fix a state transition in s3_srvr.c and d1_srvr.c
10479 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10527 * Fix flaw if 'Server Key exchange message' is omitted from a TLS
10528 handshake which could lead to a client crash as found using the
10534 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10558 the 'db' section contains nothing but zeroes (there is a one-byte
10566 procedure) as a candidate for BIGNUM assembler implementation.
10569 32-bit x86 is available through a compile-time setting.
10591 a registered ENGINE could be used (assuming it initialises
10595 registered into a given algorithm's table of implementations, the
10597 time a new context for that algorithm attempts to select an
10619 existing "conversion via a text string export" trick is still used.
10623 * Zlib compression BIO. This is a filter BIO which compressed and
10669 A client can set the appropriate parameters and receive the encoded
10670 OCSP response via a callback. A server can query the supplied parameters
10709 If a client application caches session in an SSL_SESSION structure
10717 If a client or server wishes to disable RFC4507 support then the option
10720 Add a TLS extension debugging callback to allow the contents of any client
10729 have new members for a host name. The SSL data structure has an
10732 SSL has been switched to a new SSL_CTX in reaction to a client's
10749 openssl s_client has a new '-servername ...' option.
10753 testing the HostName extension for a specific single host name ('-cert'
10756 default is a warning; it becomes fatal with the '-servername_fatal'
10797 * Mitigate branch prediction attacks, which can be practical if a
10798 single processor is shared, allowing a spy process to extract
10809 remove a conditional branch.
10816 remains as a deprecated alias.
10818 Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
10821 Here too the old name is kept as a deprecated alias.
10835 context matching (which matters if an application uses a single
10839 with applications using a single external cache for quite
10841 restrictions for a given session ID context by starting a session
10842 in a different context.
10847 a ciphersuite string such as "DEFAULT:RSA" cannot enable
10853 not complete and could lead to a possible single byte overflow
10859 Camellia256) share a single mask bit in the logic of
10860 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
10868 When a point or a seed is encoded in a BIT STRING, we need to
10871 of a NamedBitList, for which trailing 0 bits need to be removed.)
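The distinction in the entry above matters because DER has two different rules for BIT STRING: a NamedBitList (KeyUsage, for instance) must have its trailing 0 bits removed, while an opaque payload such as an EC point or curve seed keeps every bit. Applying the NamedBitList rule to a point silently truncates it. The encoder below is an added example, not OpenSSL's code; the KeyUsage and EC point bytes are constructed inputs.

```c
#include <stddef.h>
#include <string.h>

/*
 * Encode the content octets of a BIT STRING: one "unused bits" octet
 * followed by the data. `named` selects the rule:
 *   named == 1: a NamedBitList, for which DER (X.690 11.2.2) requires
 *               trailing 0 bits to be removed
 *   named == 0: an opaque payload (EC point, seed) whose bits are all
 *               significant and must be kept as given
 * Returns the number of octets written, or 0 if `out` is too small.
 */
static size_t bitstring_encode(const unsigned char *bits, size_t nbytes, int named,
                               unsigned char *out, size_t outlen)
{
    size_t nbits = nbytes * 8, nb;

    if (named) {
        /* Drop trailing 0 bits; bit 0 is the most significant bit of bits[0]. */
        while (nbits > 0 &&
               !(bits[(nbits - 1) / 8] & (0x80u >> ((nbits - 1) % 8))))
            nbits--;
    }
    nb = (nbits + 7) / 8;
    if (outlen < 1 + nb)
        return 0;
    out[0] = (unsigned char)(nb * 8 - nbits);   /* unused bits in last octet */
    memcpy(out + 1, bits, nb);
    if (nbits % 8)                               /* DER: unused bits must be zero */
        out[nb] &= (unsigned char)(0xffu << (8 - nbits % 8));
    return 1 + nb;
}

/* Constructed inputs. */
/* KeyUsage with digitalSignature (bit 0) and keyEncipherment (bit 2) set. */
static const unsigned char KEY_USAGE[] = { 0xa0 };
/* Uncompressed point prefix 0x04 followed by coordinate bytes ending in zeros. */
static const unsigned char EC_POINT[] = { 0x04, 0x80, 0x00, 0x00 };

/* Encode one demo input; return the content length when field == -1,
 * otherwise the content octet at that index. */
static long demo(const unsigned char *in, size_t n, int named, int field)
{
    unsigned char out[8];
    size_t len = bitstring_encode(in, n, named, out, sizeof(out));
    return field < 0 ? (long)len : (long)out[field];
}

/* KeyUsage as a NamedBitList encodes as 05 A0: 5 unused bits, one data octet. */
long keyusage_demo(int field) { return demo(KEY_USAGE, sizeof(KEY_USAGE), 1, field); }

/* The point as opaque data encodes as 00 04 80 00 00 (all four octets kept);
 * wrongly treated as a NamedBitList it shrinks to 07 04 80. */
long ecpoint_demo(int named, int field) { return demo(EC_POINT, sizeof(EC_POINT), named, field); }
```

The decoder side has the mirror-image caveat: when reading a NamedBitList, bits beyond the encoded length are simply absent and must be treated as 0, whereas for a point the unused-bits octet should be 0 and anything else is malformed input.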
10887 * Load error codes if they are not already present instead of using a
10901 cause a denial of service. ([CVE-2006-2940])
10906 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
10911 * Fix SSL client code which could crash if connecting to a
10918 as a pattern and match "AES128-SHA" too (since AES128-SHA got
10920 have a single AES bit in the ciphersuite description bitmap.
10936 however, bits are scarce, so we can only do this in a new release
10937 (not just a patchlevel) when we can change the SSL_CIPHER
11009 ### Changes between 0.9.8a and 0.9.8b [04 May 2006]
11011 * When applying a cipher rule check to see if string match is an explicit
11045 handle numbers larger than ULONG_MAX, truncated printing and had a
11060 ### Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
11065 rollback in the SSL 2.0 server implementation, which is a bad
11077 runtime, thus removing the need for a lock.
11094 runtime, thus removing the need for a lock.
11140 PKCS12_create() to recognize a CSP name attribute and
11147 a fixed number of uses (currently 32)
11152 Add a second BN_BLINDING slot to the RSA structure to improve
11153 performance when a single RSA object is shared among several
11208 section number in a pod file instead of having to treat each file as
11209 a separate case in Makefile. This can be done by adding two lines to the
11233 * Add a new engine to support VIA PadLock ACE extensions in the VIA C3
11245 *Andy Polyakov and a number of other people*
11252 * The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
11253 exponent rather than 'unsigned long'. There is a corresponding change to
11259 moved from CA.pl to the 'ca' utility with a new option -create_serial.
11271 ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
11285 This will generate a random key of the appropriate length based on the
11287 routine to support keys of a specific form. This is used in the des and
11288 3des routines to generate a key of the correct parity. Update S/MIME
11295 * Add a local set of CRLs that can be used by X509_verify_cert() as well
11312 information can now expand as required, and rather than having a single
11313 static array of bignums, BN_CTX now uses a linked-list of such arrays
11319 * Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
11320 to allow all RSA operations to function using a single BN_CTX.
11331 remained unused and not that useful. A variety of other little bignum
11345 if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
11361 assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
11382 * Because of the callback-based approach for implementing LHASH as a
11384 lh_doall() or lh_doall_arg() are typically used with a destructor callback
11406 OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
11421 * New function PKCS7_set0_type_other() this initializes a PKCS7
11438 representation of a field element takes up to 24 bytes); for
11462 * Add the STORE type. The intention is to provide a common interface
11469 * Add a generic structure called OPENSSL_ITEM. This can be used to
11470 pass a list of arguments to any function as well as provide a way
11471 for a function to pass data back to the caller.
11476 works like BUF_strdup() but can be used to duplicate a portion of
11477 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
11478 a memory area.
11494 This one gets OBJ_bsearch_ex() to return a pointer to the first
11495 element where the comparing function returns a negative or zero
11499 This one gets OBJ_bsearch_ex() to return a pointer to the first
11507 in such a way that the self-signed certificate becomes part of the
11514 * Add functionality to check the public key of a certificate request
11515 against a given private. This is useful to check that a certificate
11524 with the database itself in a separate index attribute file,
11565 means that S/MIME signing can be done from a pipe, in addition
11569 This is done with a new flag PKCS7_STREAM. When this flag is set
11584 will now compute a table of multiples of the generator that
11586 faster (notably in the case of a single point multiplication,
11592 which use the IP:a.b.c.d can now take IPv6 addresses using the
11603 provide a boost. This ENGINE is not built in by default, but it can be
11631 primality testing to functions that take a new BN_GENCB pointer in
11637 functions operate on a caller-supplied key-structure and return
11638 success/failure rather than returning a key or NULL - this is to
11643 int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
11650 /* For the meaning of a, b in calls to my_callback(), see the
11687 * Extend the BIGNUM API by creating a function
11688 void BN_set_negative(BIGNUM *a, int neg);
11689 and a macro that behave like
11690 int BN_is_negative(const BIGNUM *a);
11692 to avoid the need to access 'a->neg' directly in applications.
11710 current engines except for the cryptodev one to a new
11714 Otherwise, they are inserted in libcrypto.a.
11722 * Add Makefile.shared, a helper makefile to build shared
11741 options work when creating a PKCS#12 file. New option -nomac
11761 recognized instead of using RSA as a default.
11780 without success (which indicates a broken PRNG).
11865 For some functions, the irreducible polynomial defining a
11906 information is visible when viewing, e.g., a certificate:
11909 mode the content of non-printable OCTET STRINGs is output in a
11911 avoid the appearance of a printable string.
11972 * Add a function EC_GROUP_check_discriminant() (defined via
11975 Add a function EC_GROUP_check() that makes some sanity tests
11976 on an EC_GROUP, its generator and order. This includes
11988 - 'openssl req' now has a '-newkey ecdsa:file' option;
12004 Also add a 'curve_name' member to EC_GROUP objects, which can be
12011 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
12013 required a small change in bn_mul_part_recursive() and the addition
12029 a ciphersuite string such as "DEFAULT:RSA" cannot enable
12034 * Since AES128 and AES256 share a single mask bit in the logic of
12035 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
12066 * Load error codes if they are not already present instead of using a
12074 cause a denial of service. ([CVE-2006-2940])
12079 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12084 * Fix SSL client code which could crash if connecting to a
12094 SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining
12143 from a Windows bash shell such as MSYS. It is autodetected from the
12144 "config" script when run from a VC++ environment. Modify standard VC++
12151 * Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
12153 BEWARE! A program linked with a shared FIPSed libcrypto can't be
12154 safely run with a non-FIPSed libcrypto, as it may crash because of
12164 rollback in the SSL 2.0 server implementation, which is a bad
12177 the exponentiation using a fixed-length exponent. (Otherwise,
12184 * Make a new fixed-window mod_exp implementation the default for
12213 a threadsafe manner. Modify rsa code to use new function and add calls
12243 Because they may be a security threat to unaware applications,
12292 failure and freeing up memory if a failure occurs.
12308 the CA setting in each certificate on the chain is correct. As a
12322 * Avoid a race condition when CRLs are checked in a multi threaded
12325 encoding is cached and the serial number sort performed under a lock.
12340 This is done by creating a random 64 bit value for the initial serial
12341 number when a serial number file is created or when a self signed
12364 with the database itself in a separate index attribute file,
12373 rejects a CRL with *any* critical extensions. Add new verify error codes
12379 A clarification of RFC2560 will require the use of OCTET STRINGs and
12416 exiting on the first error in a request.
12420 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
12445 This also affects blocking I/O when the data being decoded is a
12459 ### Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
12463 a protocol version number mismatch like a decryption error
12469 to avoid a timing attack. Applications that don't want it can call
12487 * Fixed a typo bug that would cause ENGINE_set_default() to set an
12499 ### Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
12502 via timing by performing a MAC computation even if incorrect
12503 block cipher padding has been found. This is a countermeasure
12505 between bad padding and a MAC verification error. ([CVE-2003-0078])
12535 Before this a rather primitive chain build was always performed in
12547 present and it might also want a means of sending no additional
12571 could still fail with a "ssl session id is different" error. This
12584 * Add support for FreeBSD on sparc64. As a consequence, support for
12597 octet was ignored consequently. As a result SSLv2 client side session
12612 seems that in spite of existing for more than a year, many application
12615 This is a very unfortunate situation which forces us, in the name
12616 of usability, to give the hw_ncipher.c a static lock, which is part
12634 warnings and a request that patches get sent to openssl-dev.
12685 potentially lead to a spoofing attack).
12690 representations in a platform independent manner.
12787 which may be activated as a side-effect of selecting a single cipher.
12796 directories. The recommended way to make a platform-dependent
12810 To be absolutely sure not to disturb the source tree, a "make clean"
12811 is a good thing. If it isn't successful, don't worry about it,
12819 data when a later ENGINE operation tries to use the stored values.
12842 bn_mul_comba (a non zero value means the a or b arrays do not contain
12884 a dummy argument can be added to their callback functions.
12910 though in a few (such as version) this isn't done
12926 config section name. Add a new flag to tolerate a missing config file
12962 * Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
13030 to request calling a callback function
13035 whenever a protocol message has been completely received
13047 to enable a callback that displays all protocol messages.
13083 of the e-mail address in the DN (i.e., it will go into a certificate
13111 NOTE: This is a major break of an old API into a new one. Software
13120 If such a certificate is found during a verify operation it is
13123 by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
13124 X509_supported_extension() has also been added which returns 1 if a
13137 it is tidied up after a call to EVP_DigestFinal(). New function
13166 as it couldn't be adequately described here. However, there are a few
13169 reverted back - the hooking from this code to ENGINE is now a good
13174 they were not being used by the framework as there is no concept of a
13195 false once a handshake has been completed.
13197 sends a HelloRequest, but does not ensure that a handshake takes
13229 * Add a "destroy" handler to ENGINEs that allows structural cleanup to
13245 * Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
13257 * Make it possible to unload ranges of ERR strings with a new
13262 * Add a copy() function to EVP_MD.
13266 * Make EVP_MD routines take a context pointer instead of just the
13272 that the digest can only process a single chunk of data
13273 (typically because it is provided by a piece of
13275 is only going to provide a single chunk of data, and hence the
13285 to take a "class_index" rather than pointers to the class's local STACK
13287 classes. This centralisation allows us to (a) plug a lot of the
13291 workarounds were in place to make the memory debugging turn a blind eye
13298 has a return value to indicate success or failure.
13307 pass the return value to a module it has just loaded, and that module
13316 the operation, and provides a more encapsulated way for external code
13335 These allow a CRL to be built without having to access X509_CRL fields
13341 bug workarounds. Rollback attack detection is a security feature.
13349 * Rationalise EVP so it can be extended: don't include a union of
13366 now have to pass a pointer to a des_key_schedule instead of a
13367 plain des_key_schedule (which was actually always a pointer
13375 (Note that a later change renames 'des_...' into 'DES_...'.)
13382 which has a knock on effect of linking in large amounts of (unused)
13401 via a CGI script) or using an internal minimal server.
13457 code. New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack.
13473 arbitrary arguments instead of just a string.
13474 Change the key loaders to take a UI_METHOD instead of a callback
13477 Adapt the nCipher code for these new conditions and add a card insertion
13494 * Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
13553 in the CRL the verify fails with a revoked error.
13566 * Add a general user interface API (crypto/ui/). This is designed
13571 a window system and the like.
13575 * Add "ex_data" support to ENGINE so implementations can add state at a
13581 ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
13582 This causes the "original" ENGINE structure to act like a template,
13612 and input types for run-time discovery by calling applications. A
13617 that "executable" commands cannot return anything other than a boolean
13638 * Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
13639 'const' value. Any code that should be able to modify a RAND_METHOD
13645 * Made a variety of little tweaks to the ENGINE code.
13655 missing functions (including a catch-all ENGINE_cpy that duplicates
13656 all ENGINE values onto a new ENGINE except reference counts/state).
13657 - Removed NULL parameter checks in get/set functions. Setting a method
13658 or function to NULL is a way of cancelling out a previously set
13659 value. Passing a NULL ENGINE parameter is just plain stupid anyway
13684 * Add a 'copy_extensions' option to the 'ca' utility. This copies
13685 extensions from a certificate request to the certificate.
13705 EC_POINT_mul is a simple wrapper function for the typical case
13739 that the file contains a complete HTTP response.
13745 to "%-39s XXX". The latter will always guarantee a space after the
13793 sets the subject name for a new request or supersedes the
13794 subject name in a given request. Formats that can be parsed are
13810 To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
13816 To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
13828 of ASN.1 items, but that structure is a bit different.
13832 go into the Windows .def files as well as a number of fixes and code
13838 * In BN_div() keep a copy of the sign of 'num' before writing the
13847 certificate is just checked for a generic purpose and OCSP request
13854 be a few seconds old. Simply checking that the current time lies
13857 we allow thisUpdate and nextUpdate to fall within a certain period of
13869 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
13870 OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
13880 be accessed transparently. As a result code should not use ASN1_ITEM
13893 can be useful for session caching in multiple-server environments. A
13895 to use such a feature) has been added to "s_server".
13923 CA options of 'x509' had to use a serial number in a file which was
13937 not padded in any way and so the total length must be a multiple
13946 * New function OCSP_parse_url(). This splits up a URL into its host,
13955 in a response when one was present in a request: the ocsp application
13956 just prints out a warning. New function OCSP_add1_basic_nonce()
13957 this is to allow responders to include a nonce in a response even if
13963 skipped when using openssl x509 multiple times on a single input file,
13983 to aes and add a new 'exist' option to print out symbols that don't
13994 OCSP client a number of certificate to only verify the response
14021 extract information from a certificate request. OCSP_response_create()
14022 creates a response and optionally adds a basic response structure.
14023 OCSP_basic_add1_status() adds a complete single response to a basic
14025 extensions to be included for example). OCSP_basic_add1_cert() adds a
14026 certificate to a basic response and OCSP_basic_sign() signs a basic
14034 in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
14035 structure from a certificate. X509_pubkey_digest() digests the public_key
14040 * Make sk_sort() tolerate a NULL argument.
14072 result in a zero length in the ASN1_INTEGER structure which was
14076 where it did not print out a minus for negative ASN1_INTEGER.
14106 a root CA as a global signing root: that is any certificate that
14112 extensions from a separate configuration file.
14120 read. The request can be sent to a responder and the output
14152 to 'openssl version', and is also included in 'openssl version -a'.
14158 (a `const char*` and an int). The basic functionality remains, as
14174 a conventional allocation function is enabled.
14197 random devices, as specified by DEVRANDOM, until a sufficient amount
14204 For VMS, there's a currently-empty rand_vms.c.
14210 to issue a request to an OCSP responder and analyse the
14224 Replace nonce routines with a pair of functions.
14225 OCSP_request_add1_nonce() adds a nonce value and optionally
14226 generates a random value. OCSP_check_nonce() checks the
14253 and reorder them to match the encoded order. This resolves a long
14254 standing problem: a verify on a PKCS7 structure just after signing
14259 as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
14312 an extension cannot be parsed. Correct a typo in the
14324 to do is register a locking callback using an array for
14329 * Use a lock around the call to CRYPTO_get_ex_new_index() in
14353 * Add a special meaning when SET OF and SEQUENCE OF flags are both
14356 encoding. This will be used to get round a problem where a PKCS7
14373 completely replaces the old ASN1 functionality with a table driven
14420 * New function BN_mod_sqrt for computing square roots modulo a prime
14448 Fix BN_is_word(a,w) to work correctly for w == 0.
14450 The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
14451 because it tests whether the absolute value of 'a' equals 'w'.
14492 `BN_nnmod` otherwise is `like BN_mod` (if `BN_mod` computes a remainder `r`
14495 `BN_mod_XXX_quick(r, a, [b,] m)` generates the same result as
14496 `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and `b`]
14506 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
14508 required a small change in bn_mul_part_recursive() and the addition
14534 * Make DSO load along a path given through an environment variable
14539 * Constify the ENGINE code as a result of BIGNUM constification.
14540 Also constify the RSA code and most things related to it. In a
14542 casts back to non-const were required (to be solved at a later
14551 * Constify the BIGNUM routines a little more.
14619 have far greater control over how a "name" is turned into a filename
14637 NCONF_get_number() has no error checking at all. As a replacement,
14641 Make it possible for methods to load from something other than a BIO,
14642 by providing a function pointer that is given a name instead of a BIO.
14700 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
14721 a protocol version number mismatch like a decryption error
14727 to avoid a timing attack. Applications that don't want it can call
14748 via timing by performing a MAC computation even if incorrect
14749 block cipher padding has been found. This is a countermeasure
14751 between bad padding and a MAC verification error. ([CVE-2003-0078])
14759 * New function OPENSSL_cleanse(), which is used to cleanse a section of
14760 memory from its contents. This is done with a counter that will
14764 be read through on certain media, for example a swap space on disk.
14799 * Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
14801 doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
14805 changing anyway, so this is more a bug-fix than a behavioural
14810 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14914 supply an oversized session ID to a client. ([CVE-2002-0656])
14936 was just at the end of a processed block. The bug was discovered when
14937 processing data through a buffering memory BIO handing the data to a
14943 * Implement a countermeasure against a vulnerability recently found
14976 actually a primitive root: This requirement is rather pointless;
14977 a generator of the order-q subgroup is just as good, if not
15008 check whether we deal with a copy of a session and do not delete from
15020 * Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
15026 Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
15035 ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
15036 variable as an indication that a ClientHello message has been
15039 function may not be aware that a handshake has actually taken
15040 place, thus preventing a new session from being added to the
15044 using a local variable.
15103 * Add a configuration entry for OS/390 Unix. The C compiler 'c89'
15128 * Add a configuration entry for gcc on UnixWare.
15133 messages are stored in a single piece (fixed-length part and
15145 faced with a pathologically small ClientHello fragment that does
15160 * In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
15174 * Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
15175 client receives HelloRequest while in a handshake.
15182 must be disabled for SSL_ST_OK in the case that we just sent a
15186 before just sending a HelloRequest.
15191 reveal whether illegal block cipher padding was found or a MAC
15233 This function was broken, as the check for a new client hello message
15251 of the OS. The shared library support part includes a variant that
15271 used. Before the change, a verify_callback set with this function was
15285 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
15319 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
15328 a race condition if 0 is a valid thread ID.
15334 *Albert Chin-A-Young <china@thewrittenword.com>*
15345 ### Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
15348 to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
15411 means that the probability of guessing a valid ciphertext is
15415 Before 0.9.5, the countermeasure (hide the error by generating a
15434 * Fix for blowfish EVP: it's a variable length cipher.
15446 RAND_file_name() in 0.9.6a returned NULL in this case. This has
15448 Thus RAND_file_name() is changed again: e_os.h can define a
15459 * In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
15460 combination of a flag and a thread ID variable.
15473 ### Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
15475 * Fix a couple of memory leaks in PKCS7_dataDecode()
15531 if a 3DES key was generated with a 0 initial byte. Include
15537 * Enhance bctest to search for a working bc along $PATH and print
15560 * In copy_email() check for >= 0 as a return value for
15561 X509_NAME_get_index_by_NID() since 0 is a valid index.
15621 a temporary CONF structure with the data component set to NULL
15634 keyUsage if basicConstraints absent for a CA.
15638 * Make SMIME_write_PKCS7() write mail header values with a format that
15686 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15698 when writing a 32767 byte record.
15705 (RSA objects have a reference count access to which is protected
15711 * Fix a deadlock in CRYPTO_mem_leaks().
15727 * Add a 'bctest' script that checks for some known 'bc' bugs
15752 A 'peek' parameter has also been added to ssl3_read_bytes, which
15764 * Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
15783 if there is a need for symbolic links from for example libcrypto.so.0
15815 ### Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
15820 (Note that this is a pathologic case that probably has never happened
15822 from the record header as a substitute; but our protocol choice
15841 * Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
15842 a general "ANY" type, as such it should be able to decode anything
15846 tagged and unknown types are handled in the same way as a SEQUENCE:
15847 that is the encoding is stored intact. There is also a new type
15854 * On VMS, stdout may very well lead to a file that is written to
15855 in a record-oriented fashion. That means that every write() will
15856 write a separate record, which will be read separately by the
15859 The solution is to put a BIO filter in the way that will buffer
15860 text until a linefeed is reached, and then write everything a
15861 line at a time, so every record written will be an actual line,
15866 Currently, it's a VMS-only method, because that's where it has
15873 (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
15907 * Add a large number of documentation files for many SSL routines.
15911 * Add a configuration entry for Sony News 4.
15915 * Don't set the two most significant bits to one when generating a
15922 the underlying transport is blocking) if a handshake took place.
15935 * Add a few more EBCDIC conditionals that make `req` and `x509`
15964 verify code now looks up an issuer certificate by a
15976 by a STACK_OF(X509_OBJECT). This is mainly because an
15980 As a result various functions (which were all internal
15989 of multiple certificates matching a given criteria, however
15990 this can be worked round by performing a lookup first
15998 All certificate lookup operations now go via a get_issuer()
16000 can be replaced by custom lookups. This is a simple way
16003 in future. A very simple version which uses a simple
16010 X509_STORE_CTX also has a 'flags' field which can be used
16020 * When a certificate request is read in keep a copy of the
16023 a decoded, encoded version which may cause problems if the
16037 BN_zero, we may not return a BIGNUM with an array consisting of
16058 * A demo state-machine implementation was sponsored by
16069 * Unrecognized PKCS#7 content types are now handled via a
16071 types to be stored as a "blob" and an application can
16082 length if passed a buffer. ASN1_INTEGER_to_BN failed
16083 if passed a NULL BN and its argument was negative.
16100 through a logging bio, to cover all the levels that are available
16140 of strings as a result "OCSP" > "OCSP Signing" because
16143 names from the lookup table if they were given a default
16146 grounds that if an object has a name we should be able to
16207 * A first attempt at creating official support for shared
16256 - objects.pl is used to process obj_mac.num and create a new
16258 - obj_dat.pl is used to create a new obj_dat.h, using the data in
16261 This is currently kind of a hack, and the perl code in objects.pl
16297 a "stack macro" of the form `SKM_<name>(type, a, b)`. The
16311 used as a 128 bit RC4 key. In the modified case
16329 a STACK of email addresses from a certificate or request, these look
16358 faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
16376 that didn't make a lot of sense have been brought in line. This has
16377 also involved a cleanup of sorts in safestack.h to more correctly
16379 This work has also resulted in a variety of "const"ifications of
16389 is used only indexed by a cyclic counter. As entropy may not be
16390 well distributed from the beginning, 'md' is important as a
16430 Change lots of functions like EVP_EncryptUpdate() to now return a
16455 * Add a document (doc/standards.txt) that list all kinds of standards
16478 is a little unclear about how a blank password is handled.
16479 Since the password in encoded as a BMPString with terminating
16480 double NULL a zero length password would end up as just the
16483 treats a blank password as zero length. MSIE treats it as no
16486 the password is set to "" or NULL (NULL is now a valid password:
16491 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use
16508 * RSA_get_default_method() will now cause a default
16510 Previously this was only set during a call to RSA_new()
16519 into a canonical native form. Eg. "blah" converted to
16531 * CONF library reworked to become more general. A new CONF
16532 configuration file reader "class" is implemented as well as a
16535 work in terms of the new functions. Also, a set of functions
16538 reader "classes" (I can definitely see something reading a
16552 NCONF_new creates a new CONF object. This works in the same way
16557 first that must be a `CONF *` instead of a `LHASH *`.
16573 them in a portable way.
16577 ### Changes between 0.9.5 and 0.9.5a [1 Apr 2000]
16595 fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
16596 using the passed key: if the passed key was a private key the result
16618 Since for each cipher there is a command of the same name,
16630 * For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
16649 accepts a certificate or CA, this was the previous behaviour,
16653 automatically trust self signed roots in certificate store. A
16655 a purpose has no associated trust setting and it should instead
16661 and fix a memory leak.
16674 library names as reason strings for SYSerr; but SYSerr is a special
16691 so couldn't be used as a "file scope" flag. Moved to third argument
16743 * BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
16750 to 1 it signals that the assembler should use a symbol whose
16764 convention: After 'get1', the caller owns a reference count
16765 and has to call `..._free`; 'get0' returns a pointer to some
16767 (Some of the existing 'get' functions increment a reference
16785 the EGD socket can be specified like a seed file using RANDFILE
16803 EVP_MD_type. The old functionality is available in a new macro called
16809 where the `void *` argument is replaced by a function pointer argument.
16820 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16833 * Change the 'other' type in certificate aux info to a STACK_OF
16839 * Add some PEM_write_X509_REQ_NEW() functions and a command line
16849 usrdata argument is not NULL interpret it as a null terminated pass
16863 SSL/TLS protocol it isn't a "bug" option and is on by default. See
16909 get temporary BIGNUMs from a BN_CTX.
16919 include a #define from the old name to the new. The original intent
16928 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16932 * Use a less unusual form of the Miller-Rabin primality test (it used
16933 a binary algorithm for exponentiation integrated into the Miller-Rabin
16954 * Turn DSA_is_prime into a macro that calls BN_is_prime,
16963 This implies a change for the callback functions in DSA_is_prime
16970 function with an 'iteration count' of -1, meaning that a
16980 'callback(1, -1, cb_arg)' is called when a number has passed the
16990 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
17005 * Avoid a race condition in s2_clnt.c (function get_server_hello) that
17039 * Merge the functionality of "dh" and "gendh" programs into a new program
17046 when a new cipher list is set.
17058 Fix a bug in the cipher-command parser: when supplying a cipher command
17060 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
17090 PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
17097 as a shared library without RSA. Use #ifndef NO_SSL2 instead of
17103 has a return value which indicates the quality of the random data
17115 in crypto/bn/bn_prime.c for the complete table). This guarantees a
17120 * Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
17126 from an X509_CTX structure with a dup of the stack and all
17154 attributes because these will be a SET OF encoding which is sorted
17160 automation. This will allow an application to just generate a template
17167 some primitive wrappers for PKCS#7. The new functions behave in a
17177 a 'global mask' which masks out certain types. The table itself
17192 (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
17202 a couple. Compaq C in turn generates ~20% faster code for MD5 and
17207 * Add support for MS "fast SGC". This is arguably a violation of the
17209 weak crypto and after checking the certificate is SGC a second one
17211 the server certificate message and sends a second client hello. Since
17212 a server will typically do all the time consuming operations before
17216 To get OpenSSL to support MS SGC we have to permit a second client
17222 * Add a function 'd2i_AutoPrivateKey()' this will automatically decide
17223 if a DER encoded private key is RSA or DSA traditional format. Changed
17234 is set, we interpret this as a request to violate the specification
17235 (the worst that can happen is a handshake failure, and 'correct'
17236 behaviour would result in a handshake failure anyway).
17243 The internal cache can handle only one SSL_SESSION with a given ID,
17244 so if there's a conflict, we now throw out the old one to achieve
17262 The trust checking code now has a default behaviour: it will just
17265 for a given id. SSL client, server and email already have functions
17276 * Add a password callback function PEM_cb() which either prompts for
17277 a password if usr_data is NULL or otherwise assumes it is a null
17279 environment or config files in a few more utilities.
17283 * Add a bunch of DER and PEM functions to handle PKCS#8 format private
17291 ASN1_TYPE but there wasn't any function that would try to read a NULL
17305 provide hooks so anyone can build a separate set of allocation and
17312 this gives people a chance to debug other memory problems.
17314 With these changes, a new set of functions and macros have appeared:
17339 way than through macros have a new API and new semantic:
17351 was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
17361 * Merge in my S/MIME library for OpenSSL. This provides a simple
17362 S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
17363 functionality to handle multipart/signed properly) and a utility
17375 have a cleaner way to pick the version they need.
17379 * New function PKCS12_newpass() which changes the password of a
17384 * Modify X509_TRUST and X509_PURPOSE so it also uses a static and
17387 functions so they accept a list of the field values and the
17399 works in a similar way to the object code: we have some "standard"
17400 extensions in a static table which is searched with OBJ_bsearch()
17403 updated whenever a new extension is added to the core code and kept
17404 in ext_nid order. There is a simple program 'tabtest.c' which checks
17419 * Modify enc utility's salting as follows: make salting the default. Add a
17421 to garbage. This is because not salting is a big security hole, so people
17426 * Fixes and enhancements to the 'x509' utility. It allowed a message
17428 parameter when signing a certificate. Modified so all relevant
17430 -fingerprint and -x509toreq options. Also -x509toreq choked if a
17439 There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
17448 certificates from a specific "secure" set of CAs.
17458 Two new options to the verify program: -untrusted allows a set of
17460 intended purpose of the certificate. If a purpose is set then the
17471 public keys in a format compatible with certificate
17475 never in a public release so they have been deleted. Changed dsa/rsa
17491 Added a -pubkey option to the 'x509' utility to output the public key.
17503 added a new function to read in both types and return the number
17508 a certificate: this is the best we can do. Also modified the code
17522 so it warns if it is passed a self signed certificate:
17524 has been modified so it will now verify a self signed
17526 in the store: it was previously impossible to trust a
17529 now gives a warning about a self signed certificate but
17547 * Fix a bug in the new PKCS#7 code: it didn't consider the
17553 * Add a salt to the key derivation routines in enc.c. This
17554 forms the first 8 bytes of the encrypted file. Also add a
17555 -S option to allow a salt to be input on the command line.
17559 * New function X509_cmp(). Oddly enough there wasn't a function
17571 * Fix for 'req': it was adding a null to request attributes.
17585 the string plus current file name and line number to a per-thread
17600 manpages and fix a few bugs.
17604 * Add a few manpages for some of the openssl commands.
17616 can still read in a certificate file in the usual way but it
17618 doing things this way a fair degree of compatibility can be
17624 certificate chain verification routines: currently a certificate
17640 the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
17641 A few however don't do this and instead use the size of the decrypted key
17651 * Add a bunch of functions that should simplify the creation of
17677 the additional locking could be a performance killer, and
17691 Except on systems with /dev/urandom, it is crucial to have a random
17712 * New function ASN1_mbstring_copy() this copies a string in either
17714 into an ASN1_STRING type. A mask of permissible types is passed
17727 * Add various functions that can check a certificate's extensions
17731 verification. Also added a -purpose flag to x509 utility to
17736 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated
17743 This allows all the necessary extension code to be handled in a
17755 from a file (which may not be in ASN.1 format).
17764 * New option -dhparam in s_server. This allows a DH parameter file to be
17772 a public key to be input or output. For example:
17780 X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
17790 * Fix for base64 decode bug. When a base64 bio reads only one line of
17793 BIOs find the start of base64 encoded data. They do this by trying a
17795 do a flag is set and it starts again knowing it can pass all the
17808 supports select() on sockets so we select() with a 1s timeout on the
17812 received a complete line of data and it is effectively polling the
17813 keyboard at 1s intervals: however it's quite a bit better than not
17814 working at all :-) A dedicated Windows application might handle this
17832 will lookup a CRL issuers certificate and verify the signature in a
17834 no longer accesses structures directly. Make the ASN1 CRL parsing a bit
17836 a V2 CRL: this will allow it to tolerate some broken CRLs.
17859 * New function ASN1_tag2str() to convert an ASN1 tag to a descriptive
17865 UTF8 strings a character at a time.
17877 NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
17905 are specified in a 'req_extensions' option of the req section of the
17911 * Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
17914 A misplaced 'break' also meant the decrypted final block might not be
17920 a few extra parameters to the DH structure: these will be useful if
17926 provides hooks that allow the default DSA functions or functions on a
17934 * Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
17936 not be freed. Reading from a read only BIO is much more efficient than
17937 a normal memory BIO. This was added because there are several times when
17938 an area of memory needs to be read from a BIO. The previous method was
17939 to create a memory BIO and write the data to it, this results in two
17940 copies of the data and an O(n^2) reading algorithm. There is a new
17941 function BIO_new_mem_buf() which creates a read only memory BIO from
17949 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
17950 but a retry condition occurred while trying to read the rest.
17957 the encrypted data type: this is a more sensible place to put it and it
17980 ### Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
17982 * Install libRSAglue.a when OpenSSL is built with RSAref.
17986 * A few more `#ifndef NO_FP_API / #endif` pairs for consistency.
18003 exponentiation); so this provides a convenient way to support DHE
18023 * New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
18024 an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
18025 it will always use the numerical form of the OID, even if it has a short
18110 * Add a debugging option to PKCS#5 v2 key generation function: when
18152 than just having a counter.
18167 a single record has been written.
18194 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
18201 * Add a new function PKCS7_signatureVerify. This allows the verification
18202 of a PKCS#7 signature but with the signing certificate passed to the
18205 case: certificates can be omitted from a PKCS#7 structure and be
18206 distributed by "out of band" means (such as a certificate database).
18223 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
18224 file to be loaded from a BIO or FILE pointer. The BIO version will
18240 through a BIO pair triggered the default case, i.e.
18251 * Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
18260 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
18263 secure PKCS#8 private key format with a high iteration count.
18267 * Fix determination of Perl interpreter: A perl or perl5
18286 arguments etc. Fix a few PEM prototypes which didn't have cipher as a
18291 * Add to configuration table a new entry that can specify an alternative
18308 fails, it needs to cause bc to give a non-zero result or make test carries
18321 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
18332 assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
18337 This has also changed the EVP_PBE_CipherInit() function which now has a
18347 value was just used as a "magic string" and not used directly its
18369 File ebcdic.c not yet included because it has a different license.
18393 ### Changes between 0.9.3 and 0.9.3a [29 May 1999]
18414 instead of using a fixed path.
18435 existing code. If old code used a structure member which used to be STACK
18436 and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
18438 are not present in STACK_OF. Now it just produces a warning. sk_set
18439 replaces the old method of assigning a value to sk_value
18440 (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
18442 this could be regarded as a "questionable" behaviour anyway.
18487 output to a file. This is most useful when combined with the -strparse
18492 * Make SSL library a little more fool-proof by not requiring any longer
18515 * Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
18522 we have solved a couple of bugs of the earlier code where s->cert
18531 we don't use CERT any longer, but a new structure SESS_CERT
18595 only for "PEM" format files, as chains as a whole are not
18603 was actually counting the number of certificates in a chain;
18611 (e.g. an alleged error in ssl3_accept when a certificate
18614 * New function SSL_CTX_set_session_id_context that allows to set a default
18635 * New script util/mklink.pl as a faster substitute for util/mklink.sh.
18674 than the old method: it now uses a modified version of Ulf's parser to
18676 aren't needed for error creation any more) and do a better job of
18678 in a comment' is no longer necessary and it doesn't use .err files which
18689 0 (which usually indicates a closed connection), but continue reading.
18717 the directory spec didn't end with a LIST_SEPARATOR_CHAR.
18746 * A lot of constification, and fix a bug in X509_NAME_oneline() that could
18747 return a const string when you are expecting an allocated buffer.
18762 fail when they extended the size of a BIGNUM.
18798 not: the conversion is trivial, and it eliminates loads of evil casts. A
18804 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18807 revoking a certificate. The -revoke option does the gory details now.
18817 * Make sure a corresponding plain text error message exists for the
18818 X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
18819 verify callback function determined that a certificate was revoked.
18827 are available, a new (up to now undocumented) command
18856 The default code is faster, but requires at least a 486.
18893 * Add a new 'indent' option to some X509V3 extension code. Initial ASN1
18924 * Fix a security hole, that allows sessions to be reused in the wrong
18927 allow session reuse! A fuller solution is in the works.
18933 permission on "config" script to be executable) and a fix for the INSTALL
19019 whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
19022 up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
19045 * Add a useful kludge to allow package maintainers to specify compiler and
19050 to them (separated by colons). This is treated as there would be a static
19053 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
19077 And add a paragraph about the dual-license situation to make sure people
19099 * Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
19106 * Add text documentation for the BUFFER functions. Also added a work around
19107 to a Win95 console bug. This was triggered by the password read stuff: the
19109 generating a new cert request using 'req' for example then the last
19143 to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
19165 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
19167 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
19168 is needed for applications which have to configure certificates on a
19169 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
19178 SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
19179 non-public-API function ssl_cert_instantiate() is used as a helper
19202 from `int` to `unsigned int` because it is a length and initialized by
19216 currently the public key is printed (a decision which was already done by
19217 `openssl dsa -modulus` in the past) which serves a similar purpose.
19279 *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19286 *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19314 util/mkfiles.pl to create the MINFO file on environments that can't do a
19320 and purity. As a result, many evil casts evaporated, and some weirdness,
19326 * Fix for a typo in asn1.h. Bug fix to object creation script
19327 obj_dat.pl. It considered a zero in an object definition to mean
19349 If you do a:
19365 * First cut for a very conservative source tree cleanup:
19392 *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19398 * Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
19415 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19424 *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19444 and add a sample to openssl.cnf so req -x509 now adds appropriate
19454 * Take a deep breath and start adding X509 V3 extension support code. Add
19502 functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
19504 al: it's just almost always a UTCTime. Note this patch adds new error
19505 codes so do a "make errors" if there are problems.
19517 * Generate an error if given an empty string as a cert directory. Also
19528 parameters. This was causing a warning which killed off the Win32 compile.
19536 * The function OBJ_txt2nid was broken. It was supposed to return a nid
19537 based on a text string, looking up short and long names and finally
19545 * Add prototypes to X509 lookup/verify methods, fixing a bug in
19560 * Make *all* `*_free` functions accept a NULL pointer.
19564 * If a DH key is generated in s3_srvr.c, don't blow it by trying to use
19586 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
19595 * rsa_eay.c would attempt to free a NULL context.
19599 * BIO_s_socket() had a broken should_retry() on Windoze.
19623 * First cut of a cleanup for `apps/`. First the `ssleay` program is now named
19625 are no longer created. This way we have a single and consistent command
19643 * Makefiles updated to exit if an error occurs in a sub-directory
19659 global and can add a library name. This is needed for external ASN1 and
19675 into a single doc/ssleay.txt bundle. This way the information is still
19681 * SETs were incorrectly DER encoded. This was a major pain, because they
19686 *Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>*
19692 * Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
19754 to make a "cvs update" really silent.
19765 o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
19774 crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
19786 We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
19794 * Updated a few CA certificates under certs/
19796 *Eric A. Young*
19800 *Eric A. Young*
19805 *Eric A. Young*
19811 *Eric A. Young*
19820 *Eric A. Young*
19824 *Eric A. Young*
19828 *Eric A. Young*
19832 *Eric A. Young*
19834 * Added -a (all) option to "ssleay version" command.
19836 *Eric A. Young*
19840 *Eric A. Young*
19844 *Eric A. Young*
19848 *Eric A. Young*
19852 *Eric A. Young*
19854 * Added a BN_CTX to the BN library.
19856 *Eric A. Young*
19860 *Eric A. Young*
19864 *Eric A. Young*
19868 *Eric A. Young*
19872 *Eric A. Young*
19876 *Eric A. Young*
19880 *Eric A. Young*
19884 *Eric A. Young*
19890 *Eric A. Young*
19895 *Eric A. Young*
19899 *Eric A. Young*
19903 *Eric A. Young*
19908 *Eric A. Young*
19910 * Fixed a few memory leaks.
19912 *Eric A. Young*
19916 *Eric A. Young*
19918 * A minor bug in ssl/s3_clnt.c where there would always be 4 0
20063 [CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169