Lines Matching full:and
7 For a full list of changes, see the [git commit log][log] and pick the
31 ### Changes between 3.5.0 and 3.5.1 [1 Jul 2025]
45 * Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation
49 have now restored the original behaviour and brought DTLS back into line with
54 ### Changes between 3.4 and 3.5.0 [8 Apr 2025]
104 *Shane Lontis and Dr Paul Dale*
109 refactored, and integrated into the OpenSSL default and FIPS providers.
113 *Michael Baentsch, Viktor Dukhovni, Shane Lontis and Paul Dale*
119 *Shane Lontis, Viktor Dukhovni and Paul Dale*
137 *Dmitry Belyavskiy and Simo Sorce*
142 This means two key shares (X25519MLKEM768 and X25519) will be sent by
143 default by the TLS client. GOST groups and FFDHE groups larger than 3072
154 Extend the server-side key exchange group selection algorithm and related
167 * New inline functions were added to support loads and stores of unsigned
168 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian
180 * Support DEFAULT keyword and '-' prefix in `SSL_CTX_set1_groups_list()`.
187 * Updated the default encryption cipher for the `req`, `cms`, and `smime` applications
197 NULL, and then the signed data must be in p7.
207 * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
210 The `-digest` and `-rawin` option may only be given with `-sign` or `verify`.
245 and EVP_CipherPipelineFinal(). Cipher pipelining support allows applications to
266 AVX_IFMA capable processors (Intel Sierra Forest and its successor).
285 (ignoring whitespace, carriage returns and line feeds), EVP_DecodeUpdate()
290 output buffer if a user allocates its size based on the documentation and
300 authorityAttributeIdentifier and attributeMappings X.509v3 extensions.
304 * Added a new CLI option `-provparam` and API functions for setting of
309 * Added a new trace category for PROVIDER calls and added new tracing calls
310 in provider and algorithm fetching API functions.
331 ### Changes between 3.4.1 and 3.4.2 [xx XXX xxxx]
338 ### Changes between 3.4.0 and 3.4.1 [11 Feb 2025]
364 * Reverted the behavior change of CMS_get1_certs() and CMS_get1_crls()
370 ### Changes between 3.3 and 3.4.0 [22 Oct 2024]
377 * Improved base64 BIO correctness and error reporting.
383 EVP_PKEY_verify and EVP_PKEY_verify_recover groups.
389 EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to
423 *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*
434 * Added support for encapsulation and decapsulation operations in the
453 * Deprecated TS_VERIFY_CTX_set_* functions and added replacement
464 * Added options `-not_before` and `-not_after` for explicit setting
465 start and end dates of certificates created with the `req` and `x509`
467 `-startdate` and `-enddate` options.
471 * The X25519 and X448 key exchange implementation in the FIPS provider
472 is unapproved and has `fips=no` property.
476 * SHAKE-128 and SHAKE-256 implementations have no default digest length
487 be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
498 * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
505 * Added support for retrieving certificate request templates and CRLs in CMP,
507 `-crlcert`, `-oldcrl`, `-crlout`, `-crlform`, and `-rsp_crl`.
516 holderNameConstraints and targetingInformation X.509v3 extensions.
521 Certificates can be created, parsed, modified and printed via the
527 option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
547 ### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
565 ### Changes between 3.3.1 and 3.3.2 [3 Sep 2024]
589 ### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
600 from the network and processed by OpenSSL, but the full record body
602 even though a record has only been partially processed and the buffer
606 data has been received and processed by OpenSSL but the application has
631 * Improved EC/DSA nonce generation routines to avoid bias and timing
634 Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
635 and Hubert Kario from Red Hat for reporting the issues.
637 *Tomáš Mráz and Paul Dale*
639 ### Changes between 3.2 and 3.3.0 [9 Apr 2024]
641 * The `-verify` option to the `openssl crl` and `openssl req` will make
660 * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
662 the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
667 config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
669 ignored and the configuration will still be used.
673 and the configuration will still be used.
685 * The activate and soft_load configuration settings for providers in
693 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
694 override the Issuer and Subject when creating a certificate. The `-subj`
699 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
709 * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483:
710 - `certProfile` request message header and respective `-profile` CLI option
718 be less hard coded in the build file templates, and to allow easier
751 releases, and is not subject to any format stability or compatibility
759 connections, and to allow determining the number of additional streams
770 * Limited support for polling of QUIC connection and stream objects in a
775 * Added APIs to allow querying the size and utilisation of a QUIC stream's
802 * Optimized AES-CTR for ARM Neoverse V1 and V2
806 * Enable AES and SHA3 optimisations on Apple Silicon M3-based macOS systems
834 ### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
842 is being used (but not if early_data is also configured and the default
844 the session cache can get into an incorrect state and it will fail to flush
859 ### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
861 * A file in PKCS12 format can contain certificates and keys and may come from
871 and PKCS12_newpass().
883 For valid RSA keys, n is a product of two or more large primes and this
887 An application that calls EVP_PKEY_public_check() and supplies an RSA key
894 with the "-pubin" and "-check" options on untrusted data.
903 * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
934 ### Changes between 3.1 and 3.2.0 [23 Nov 2023]
953 *Čestmír Kalina and Tomáš Mráz*
955 * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES.
960 and the corresponding provider-storemgmt API function
970 * Changed the default salt length used by PBES2 KDFs (PBKDF2 and scrypt)
972 The PKCS5 (RFC 8018) standard uses a 64-bit salt length for PBE, and
975 applications such as "genrsa" and "pkcs8" and APIs such as
978 OpenSSL command line applications for "pkcs8" and "enc" to allow the
1001 * Added multiple tutorials on the OpenSSL library and in particular
1002 on writing various clients (using TLS and QUIC protocols) with libssl.
1036 HTTP support. Provide new configure options `no-apps` and `no-docs` to
1037 disable building the openssl command line application and the documentation.
1042 X25519, X448, and EdDSA support.
1048 for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.
1059 in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
1073 always appear at the start of a line and cannot be escaped. The advanced
1074 command mode enables commands to be entered anywhere and there is an
1088 * Added support for modular exponentiation and CRT offloading for the
1102 * Improved support for non-default library contexts and property queries
1108 Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
1110 (Ed25519ph and Ed448ph).
1114 * Added SM4 optimization for ARM processors using ASIMD and AES HW
1138 the already available pluggable KEM and X.509 support, this enables
1145 This enables CMS sign and verify operations with algorithms embedded
1152 Message Layer Security (MLS) and other IETF specifications.
1155 include/openssl/hpke.h and documented in doc/man3/OSSL_HPKE_CTX_new.pod
1165 library support for Brotli and Zstandard compression.
1171 for a user specified callback and optional argument.
1185 * Add more SRTP protection profiles from RFC8723 and RFC8269.
1191 *Daiki Ueno, John Baldwin and Dmitry Podgorny*
1193 * Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where
1194 supported and enabled.
1198 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
1214 * Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
1223 * Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
1233 certificate attributes and the checks fail.
1238 DSA and DH keys of at least 1024 bits but fewer than 2048 bits, and ECC keys
1239 of at least 160 bits but fewer than 224 bits, were previously accepted by
1267 * Add X.509 certificate codeSigning purpose and related checks on key usage and
1272 * The `x509`, `ca`, and `req` commands now produce X.509 v3 certificates.
1274 `X509_sign()` and `X509_sign_ctx()` make sure that the certificate has
1279 * Fix and extend certificate handling and the commands `x509`, `verify` etc.
1284 * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app
1286 CA certificates and root CA cert updates defined in CMP Updates [RFC 9480],
1287 as well as the `-srvcertout` and `-serial` CLI options.
1293 * Fixes and extensions to the HTTP client and to the HTTP server in `apps/`
1294 like correcting the TLS and proxy support and adding tracing for debugging.
1298 * Extended the CMS API for handling `CMS_SignedData` and `CMS_EnvelopedData`.
1302 * `CMS_add0_cert()` and `CMS_add1_cert()` no longer throw an error if
1303 a certificate to be added is already present. `CMS_sign_ex()` and
1305 and no longer throw an error for them.
1309 * Fixed and extended `util/check-format.pl` for checking adherence to the
1311 The checks are meanwhile more complete and yield fewer false positives.
1315 * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
1316 BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
1319 *Hugo Landau, Matt Caswell and Tomáš Mráz*
1321 * Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
1322 sending and receiving multiple messages in a single call. An implementation
1330 arguments. This store is built by default and can be disabled using the new
1332 default and must be loaded explicitly using the above store URI. It is
1340 and all releases since 5.16. KTLS with CCM ciphersuites should only be used
1345 * Added `-ktls` option to `s_server` and `s_client` commands to enable the
1359 pre-computed digests and new CMS API functions supporting that
1364 * OPENSSL_malloc() and other allocation functions now raise errors on
1370 * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
1375 issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
1384 *Bernd Edlinger and Matt Caswell*
1398 ### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
1400 * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
1406 ### Changes between 3.1.2 and 3.1.3 [19 Sep 2023]
1430 ### Changes between 3.1.1 and 3.1.2 [1 Aug 2023]
1442 DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
1453 Trying to use a very large modulus is slow and OpenSSL will not normally use
1473 with NULL pointer as the output buffer and 0 as the input buffer length.
1480 The fix changes the authentication tag value and the ciphertext for
1488 * When building with the `enable-fips` option and using the resulting
1490 master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
1495 ### Changes between 3.1.0 and 3.1.1 [30 May 2023]
1507 IDENTIFIER is 586 bytes or less, and fail otherwise.
1511 most 128 sub-identifiers, and that the maximum value that each sub-
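A bounded decoder for DER OBJECT IDENTIFIER content octets, added here as an example and not OpenSSL's implementation: it applies the 586-byte and 128-sub-identifier limits named in the entry and, where the entry above is cut off, assumes a 64-bit cap per sub-identifier so that no input can make it grow a number without limit. The sample encodings (the SHA-256 and rsaEncryption OIDs, plus a truncated, a non-minimal and an oversized one) are constructed for the example, and the function and macro names are the example's own.

```c
/*
 * Added example, not OpenSSL code: bounded DER OID decoding. Limits: at most
 * 586 encoded bytes and 128 sub-identifiers (figures from the entry above),
 * and at most 64 bits per sub-identifier (this example's assumption).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OID_MAX_ENCODED 586
#define OID_MAX_ARCS    128

/*
 * Decode DER OID content octets into arcs[]. Returns the arc count, or -1 for
 * an encoding that is empty, too long, truncated inside a sub-identifier,
 * non-minimal (leading 0x80), has too many arcs, or has an arc over 64 bits.
 */
int oid_decode(const uint8_t *enc, size_t len, uint64_t *arcs, size_t max_arcs)
{
    size_t i = 0, n = 0;

    if (enc == NULL || len == 0 || len > OID_MAX_ENCODED || (enc[len - 1] & 0x80))
        return -1;
    while (i < len) {
        uint64_t v = 0;
        uint8_t b;
        if (enc[i] == 0x80)                 /* a leading 0x80 octet is never minimal */
            return -1;
        do {
            b = enc[i++];                   /* in range: the final octet has bit 7 clear */
            if (v > (UINT64_MAX >> 7))      /* another 7 bits would overflow 64 */
                return -1;
            v = (v << 7) | (b & 0x7f);
        } while (b & 0x80);
        if (n == 0) {                       /* first group packs two arcs: 40*X + Y */
            uint64_t x = v < 80 ? v / 40 : 2;
            if (max_arcs < 2)
                return -1;
            arcs[n++] = x;
            arcs[n++] = v - 40 * x;
        } else {
            if (n >= OID_MAX_ARCS || n >= max_arcs)
                return -1;
            arcs[n++] = v;
        }
    }
    return (int)n;
}

/* Render arcs in dotted notation. Returns characters written (no NUL) or -1. */
int oid_to_text(const uint64_t *arcs, size_t n, char *out, size_t outsz)
{
    size_t pos = 0, i;
    for (i = 0; i < n; i++) {
        int w = snprintf(out + pos, outsz - pos, i ? ".%llu" : "%llu",
                         (unsigned long long)arcs[i]);
        if (w < 0 || (size_t)w >= outsz - pos)
            return -1;
        pos += (size_t)w;
    }
    return (int)pos;
}

/* Constructed samples: two real OIDs and three encodings that must be rejected. */
static const uint8_t OID_SHA256[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
static const uint8_t OID_RSA[]    = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 };
static const uint8_t OID_TRUNC[]  = { 0x2A, 0x86 };            /* stops mid sub-identifier */
static const uint8_t OID_NONMIN[] = { 0x2A, 0x80, 0x01 };      /* arc 1 with a leading 0x80 */
static const uint8_t OID_HUGE[]   = { 0x2A, 0x81, 0x80, 0x80, 0x80, 0x80, 0x80,
                                      0x80, 0x80, 0x80, 0x80, 0x00 };  /* arc = 2^70 */

int demo_arc_count(const uint8_t *enc, size_t len)
{
    uint64_t arcs[OID_MAX_ARCS];
    return oid_decode(enc, len, arcs, OID_MAX_ARCS);
}

/* Returns 1 if enc decodes and renders exactly as expected. */
int demo_text_matches(const uint8_t *enc, size_t len, const char *expected)
{
    uint64_t arcs[OID_MAX_ARCS];
    char text[256];
    int n = oid_decode(enc, len, arcs, OID_MAX_ARCS);
    return n > 0 && oid_to_text(arcs, (size_t)n, text, sizeof text) > 0
        && strcmp(text, expected) == 0;
}

/* 1.2 followed by 127 more arcs is 129 arcs: rejected. */
int demo_too_many_arcs(void)
{
    uint8_t enc[128];
    memset(enc, 0x01, sizeof enc);
    enc[0] = 0x2A;
    return demo_arc_count(enc, sizeof enc);
}

int main(void)
{
    printf("sha256 OID decodes: %d, oversized arc rejected: %d\n",
           demo_text_matches(OID_SHA256, sizeof OID_SHA256, "2.16.840.1.101.3.4.2.1"),
           demo_arc_count(OID_HUGE, sizeof OID_HUGE) == -1);
    return 0;
}
```

The overflow guard sits before the shift rather than after it, so the decoder never holds a value it cannot represent; the same check is what stops a 70-bit sub-identifier from turning into an unbounded bignum computation.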
1544 code paths, and restores the previous performance level while
1552 truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
1566 silently ignored by OpenSSL and other certificate policy checks are skipped
1584 ### Changes between 3.0 and 3.1.0 [14 Mar 2023]
1594 backward compatibility purposes and the "fips=yes" property query
1598 Triple DES CBC and EdDSA.
1606 * RNDR and RNDRRS support in provider functions to provide
1611 * `s_client` and `s_server` commands now explicitly say when the TLS version
1618 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
1633 `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
1634 marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
1658 verification is not affected by this change and continues to work as before.
1668 breaking changes, and mappings for the large list of deprecated functions.
1672 ### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
1685 PKCS7 data is processed by the SMIME library calls and also by the
1744 to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
1748 filter BIO onto the front of it to form a BIO chain, and then returns
1751 is freed and the function returns a NULL result indicating a failure.
1752 However, in this case, the BIO chain is not properly cleaned up and the
1762 The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
1763 decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
1764 data. If the function succeeds then the "name_out", "header" and "data"
1773 The functions PEM_read_bio() and PEM_read() are simple wrappers around
1774 PEM_read_bio_ex() and therefore these functions are also directly affected.
1777 functions including PEM_X509_INFO_read_bio_ex() and
1792 modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
1804 client authentication and a malicious client connects.
1811 If an X.509 certificate contains a malformed policy constraint and
1821 * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
1822 `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
1823 `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
1828 for legacy EC and SM2 keys is also changed similarly to honor the
1835 ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
1841 certificate chain signature verification and requires either a CA to
1848 client authentication and a malicious client connects.
1867 OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
1893 ### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
1896 EVP_CIPHER_meth_new() function and associated function calls. This function
1897 was deprecated in OpenSSL 3.0 and application authors are instead encouraged
1901 passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
1903 and decryption initialisation functions). Instead of using the custom cipher
1910 will match the NULL cipher as being equivalent and will fetch this from the
1917 EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
1948 * Fixed some regressions and test failures when running the 3.0.0 FIPS provider
1953 * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
1975 only passed to the FIPS provider and not to the default or legacy provider.
1982 reportedly 2-17% slower and the silicon errata only affects 32-bit targets.
1992 ### Changes between 3.0.4 and 3.0.5 [5 Jul 2022]
1997 incorrect on such machines and memory corruption will happen during
2015 Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
2021 ### Changes between 3.0.3 and 3.0.4 [21 Jun 2022]
2036 Use of the c_rehash script is considered obsolete and should be replaced
2047 ### Changes between 3.0.2 and 3.0.3 [3 May 2022]
2062 Use of the c_rehash script is considered obsolete and should be replaced
2084 be accompanied by error messages showing the failure and contradicting the
2098 endpoint will always be rejected by the recipient and the connection will
2104 sent in both directions. In this case both clients and servers could be
2117 OpenSSL 3.0, and is not available within the default provider or the default
2145 expand without bounds and the process might be terminated by the operating
2155 * The functions `OPENSSL_LH_stats` and `OPENSSL_LH_stats_bio` now only report
2156 the `num_items`, `num_nodes` and `num_alloc_nodes` statistics. All other
2162 ### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]
2194 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
2218 ### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
2224 memory). Such a negative return value is mishandled by OpenSSL and will cause
2226 success and a subsequent call to SSL_get_error() to return the value
2231 totally unexpected and applications may not behave correctly as a result. The
2245 * Corrected a few file name and file reference bugs in the build,
2246 installation and setup scripts, which led to installation verification
2265 OSSL_PARAM_INTEGER data type and return error on negative numbers
2275 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.
2292 ### Changes between 1.1.1 and 3.0.0 [7 Sep 2021]
2294 * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
2334 *OpenSSL team members and many third party contributors*
2337 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
2346 or not. This unpredictable behavior was removed and eventual
2375 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
2376 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
2378 Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
2383 * The signatures of the functions to get and set options on SSL and
2389 * The public definitions of conf_method_st and conf_st have been
2392 *Rich Salz and Tomáš Mráz*
2400 * Add "abspath" and "includedir" pragmas to config files, to prevent,
2406 validated. Please consult the README-FIPS and
2409 *OpenSSL team members and many third party contributors*
2411 * For the key types DH and DHX the allowed settable parameters are now different.
2415 * The openssl commands that read keys, certificates, and CRLs now
2418 *David von Oheimb, Richard Levitte, and Tomáš Mráz*
2430 *Boris Pismenny, John Baldwin and Andrew Gallatin*
2456 names. Old names are provided as macro aliases for compatibility and
2463 EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
2468 * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
2485 * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to
2502 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
2503 for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
2504 As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
2512 RC5, DESX and DES have been moved to the legacy provider.
2516 * The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
2528 EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as
2536 EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
2554 * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and
2559 * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
2578 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
2581 *Tomáš Mráz and Sahana Prasad*
2592 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
2599 detected and used by libssl.
2607 * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().
2612 SSLv2). This includes the functions RSA_padding_check_SSLv23() and
2613 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
2623 *Viktor Dukhovni and David von Oheimb*
2626 BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
2636 * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
2640 * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().
2644 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and
2645 replaced with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().
2647 *Rich Salz, Richard Levitte, and David von Oheimb*
2649 * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.
2669 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
2674 * The `-cipher-commands` and `-digest-commands` options
2676 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
2682 and macros for the most common cases: L<EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.
2688 *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*
2690 * Deprecated all the libcrypto and libssl error string loading
2695 * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
2696 well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
2705 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
2714 * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
2725 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
2731 list of loaded providers, their names, version and status. It optionally
2740 * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
2753 *Paul Dale and Matthias St. Pierre*
2755 * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
2760 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
2761 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2764 types. The same applies with the corresponding "min_protocol" and
2766 and DTLS.
2789 *Nicola Tuveri and David von Oheimb*
2791 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
2792 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
2801 *Rich Salz and Richard Levitte*
2823 * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.
2825 *David von Oheimb and Shane Lontis*
2833 EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
2837 * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
2846 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
2855 * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().
2859 * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
2868 * Removed FIPS_mode() and FIPS_mode_set().
2876 * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
2884 the various push functions and finally convert to a passable OSSL_PARAM
2889 * The security strength of SHA1 and MD5 based signatures in TLS has been
2899 * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
2918 * avoids [ATX headings][] and uses [setext headings][] instead
2919 (which works for `<h1>` and `<h2>` headings only).
2920 * avoids [inline links][] and uses [reference links][] instead.
2921 * avoids [fenced code blocks][] and uses [indented code blocks][] instead.
2938 * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211, RFC 6712).
2939 This adds `crypto/cmp/`, `crypto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
2940 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
2945 It supports arbitrary request and response content types, GET redirection,
2946 TLS, connections via HTTP(S) proxies, connections and exchange via
2948 and timeout checks. See L<OSSL_HTTP_transfer(3)> etc. for details.
2949 The legacy OCSP-focused (and only partly documented) API
2956 The checks performed are incomplete and yield some false positives.
2961 * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
2972 level 1 and above.
2976 * The command line utilities dhparam, dsa, gendsa and dsaparam have been
2978 and no new features will be added to them.
2986 * The command line utilities genrsa and rsa have been modified to use PKEY
2988 maintenance mode and no new features will be added to them.
2994 *Paul Dale and Matt Caswell*
3005 * Deprecated low-level ECDH and ECDSA functions.
3009 * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().
3014 and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed
3026 *Paul Dale and David von Oheimb*
3030 were refactored and point to newly-enhanced descriptions in openssl.pod.
3033 that all options are documented and that no unimplemented options
3044 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
3047 *Paul Dale and David von Oheimb*
3054 Code that followed the documentation and thereby check with something
3061 *Matt Caswell and Paul Dale*
3063 * Removed include/openssl/opensslconf.h.in and replaced it with
3087 3-prime RSA1536, and DSA1024 as a result of this defect would be very
3088 difficult to perform and are not believed likely. Attacks against DH512
3097 * Most memory-debug features have been deprecated, and the functionality
3106 * Introduced a new method type and API, OSSL_ENCODER, to represent
3108 and d2i functions do, but with support for methods supplied by
3109 providers, and the possibility for providers to support other
3114 * Introduced a new method type and API, OSSL_DECODER, to represent
3116 and i2d functions do, but with support for methods supplied by
3117 providers, and the possibility for providers to support other
3123 allow varying behavior in a supported and predictable manner.
3131 volume names and system directory names on VMS.
3142 also mean to remove all deprecated symbols up to and including
3150 For version 3.0 and on, the value is expected to be the decimal
3151 value calculated from the major and minor version like this:
3160 To hide declarations that are deprecated up to and including the
3167 access to certificate and CRL stores via URIs and OSSL_STORE
3190 for methods from providers. This takes an algorithm name and a
3191 property query string and simply stores them, with the intent
3203 * Introduced the new functions EVP_DigestSignInit_ex() and
3204 EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
3217 X25519, X448, Ed25519 and Ed448.
3237 ERR_peek_error_all() and ERR_peek_last_error_all().
3240 ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
3255 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
3266 * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
3269 and for not self-signed certs there is an authorityKeyIdentifier extension
3272 such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.
3284 and certs without subjectAlternativeName must not be empty.
3286 * The signatureAlgorithm field and the cert signature must be consistent.
3287 * Any given authorityKeyIdentifier and any given subjectKeyIdentifier
3304 This prevents bypass of security hardening and performance gains,
3306 By default, if a key encoded with explicit parameters is loaded and later
3313 this change, EC_GROUP_set_generator would accept order and/or cofactor as
3320 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
3324 encryption key will be replaced by garbage, and the message cannot be
3326 used and the recipient will not notice the attack.
3329 certificate is not given and all recipientInfo are tried out.
3348 the 2-prime and 3-prime RSA modules were easy to distinguish, since
3356 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
3358 between EBCDIC systems with this fix, and EBCDIC systems without this
3365 libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
3370 * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
3371 where the former acts as a replacement for `ERR_put_error()`, and the
3373 `ERR_raise_data()` adds more flexibility by taking a format string and
3380 to check if a named provider is loaded and available. When called, it
3400 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
3418 * Removed the function names from error messages and deprecated the
3423 * Removed NextStep support and the macro OPENSSL_UNISTD
3435 an error and 1 indicating success. In previous versions of OpenSSL this
3441 * Support SM2 signing and verification schemes with X509 certificate.
3458 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
3464 * Join the directories crypto/x509 and crypto/x509v3
3482 * The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
3500 *Matt Eaton, Richard Levitte, and Paul Dale*
3503 little usage and doesn't seem to fulfill a valuable purpose.
3531 * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
3535 * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
3555 * Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
3558 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
3559 and scrypt are now wrappers that call EVP_KDF.
3573 of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
3598 are intended for bug fixes and other improvements of existing
3600 and retain API/ABI compatibility.
3608 * Remove the 'dist' target and add a tarball building script. The
3609 'dist' target has fallen out of use, and it shouldn't be
3629 * Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
3636 functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.
3644 * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
3645 the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
3652 Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
3669 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
3670 allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
3676 improves application performance by removing data copies and providing
3677 applications with zero-copy system calls such as sendfile and splice.
3699 functionality is designed to replace the ENGINE API and ENGINE
3700 implementations, and to be much more dynamic, allowing provider
3705 libcrypto and provider implementations. Public libcrypto functions
3709 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
3718 ### Changes between 1.1.1m and 1.1.1n [xx XXX xxxx]
3720 ### Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
3736 ### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
3743 can be NULL and, on exit, the "outlen" parameter is populated with the
3745 can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
3768 structure which contains a buffer holding the string data and a field
3774 OpenSSL's own "d2i" functions (and other similar parsing functions) as
3781 directly setting the "data" and "length" fields in the ASN1_STRING
3788 printed, and where that ASN.1 structure contains ASN1_STRINGs that have
3795 parsing functions, and the certificate contains non NUL terminated
3797 X509_REQ_get1_email() and X509_get1_ocsp() functions.
3800 ASN1_STRING and then process it through one of the affected OpenSSL
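The problem this entry describes, as an added illustration that is not OpenSSL's code: a stand-in for ASN1_STRING (here called MOCK_ASN1_STRING, carrying the same length/data pair) alongside the strlen()-based length the fix removed and the length-field-based copy that replaces it. The sample buffer, with no NUL after the three payload bytes, is constructed for the example; all function names are the example's own.

```c
/*
 * Added example, not OpenSSL code. MOCK_ASN1_STRING stands in for OpenSSL's
 * ASN1_STRING: an explicit length plus a data pointer that is NOT guaranteed
 * to be NUL-terminated. bad_length() trusts strlen(), the pattern the fix
 * above removed; good_length() and copy_bounded() trust only ->length.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int length;            /* number of valid bytes in data */
    unsigned char *data;   /* may or may not have a NUL after data[length-1] */
} MOCK_ASN1_STRING;

/* Vulnerable: keeps reading past ->length until some zero byte turns up. */
size_t bad_length(const MOCK_ASN1_STRING *s)
{
    return strlen((const char *)s->data);
}

/* Hardened: the only bound the caller may rely on is ->length. */
size_t good_length(const MOCK_ASN1_STRING *s)
{
    return s->length < 0 ? 0 : (size_t)s->length;
}

/*
 * Copy the payload into a caller buffer and NUL-terminate it there, which is
 * the only place a C string should come from. Returns the number of payload
 * bytes copied, or -1 if out cannot hold them plus the terminator.
 */
int copy_bounded(const MOCK_ASN1_STRING *s, char *out, size_t outsz)
{
    size_t n = good_length(s);
    if (outsz == 0 || n > outsz - 1)
        return -1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return (int)n;
}

/*
 * Constructed input: the three-byte value "abc" followed in memory by more
 * bytes and no NUL, which is what a hand-built string (or one whose data
 * field was set directly, as the entry above describes) can leave behind.
 */
static unsigned char demo_buf[] = { 'a', 'b', 'c', 'X', 'Y', 'Z', '\0' };
static MOCK_ASN1_STRING demo = { 3, demo_buf };

const MOCK_ASN1_STRING *demo_string(void) { return &demo; }

/* Copy the sample into a buffer of the given size; returns copy_bounded()'s result. */
int demo_copy_into(size_t outsz)
{
    char buf[64];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return copy_bounded(&demo, buf, outsz);
}

/* Returns 1 if the bounded copy of the sample equals expected. */
int demo_copy_matches(const char *expected)
{
    char buf[64];
    return copy_bounded(&demo, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    char out[16];
    printf("strlen() sees %zu bytes; the length field says %zu\n",
           bad_length(&demo), good_length(&demo));
    if (copy_bounded(&demo, out, sizeof out) >= 0)
        printf("bounded copy: \"%s\"\n", out);
    return 0;
}
```

Here the over-read stays inside demo_buf, so it is visible rather than a crash; against a real certificate buffer the same strlen() walks off the end of the allocation, which is the out-of-bounds read the entry is about.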
3809 ### Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
3828 strict flag has been used. A purpose is set by default in libssl client and
3833 X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
3845 result, leading to a crash and a denial of service attack.
3847 A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
3852 *Peter Kästle and Samuel Sapalski*
3854 ### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
3857 create a unique hash value based on the issuer and serial number data
3861 result in a NULL pointer deref and a crash leading to a potential denial of
3867 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
3874 Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
3888 threat model and therefore no CVE is assigned.
3890 Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
3895 ### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
3902 1) Comparing CRL distribution point names between an available CRL and a
3906 TS_RESP_verify_response and TS_RESP_verify_token)
3911 ### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
3918 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
3919 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
3922 types. The same applies with the corresponding "min_protocol" and
3924 and DTLS.
3941 ### Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
3964 ### Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
3970 branch and will be present in the 3.0 release.
3977 the 2-prime and 3-prime RSA modules were easy to distinguish, since
3984 ### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
3989 an error to the stack (which means we instead return SSL_ERROR_SSL) and
3994 * Check that ed25519 and ed448 are allowed by the security level. Previously
4002 and normal handshakes, and also not quite consistent with historical
4003 behaviour. The behaviour in various scenarios has been clarified and
4010 `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas
4032 ### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
4036 event of a fork() system call in order to ensure that the parent and child
4042 and child process sharing state is significantly reduced.
4054 This prevents bypass of security hardening and performance gains,
4056 By default, if a key encoded with explicit parameters is loaded and later
4063 this change, EC_GROUP_set_generator would accept order and/or cofactor as
4070 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
4074 encryption key will be replaced by garbage, and the message cannot be
4076 used and the recipient will not notice the attack.
4079 certificate is not given and all recipientInfo are tried out.
4097 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
4099 between EBCDIC systems with this fix, and EBCDIC systems without this
4112 * Changed DH_check to accept parameters with order q and 2q subgroups.
4131 was decided to revert this feature and leave it up to the OS
4137 ### Changes between 1.1.1b and 1.1.1c [28 May 2019]
4148 * Enable SHA3 pre-hashing for ECDSA and DSA.
4152 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
4154 It fixes an omission in earlier changes that changed all RSA, DSA and DH
4160 EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
4169 * Have commands like `s_client` and `s_server` output the signature scheme
4184 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
4187 and front pads the nonce with 0 bytes if it is less than 12
4189 bytes. In this case only the last 12 bytes are significant and any
4194 serious confidentiality and integrity attacks. If an application changes
4195 the default nonce length to be longer than 12 bytes and then makes a
4205 applications that use this cipher directly and set a non-default nonce
4228 ### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
4230 * Change the info callback signals for the start and end of a post-handshake
4232 and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
4233 confused by this and assume that a TLSv1.2 renegotiation has started. This
4234 can break KeyUpdate handling. Instead we no longer signal the start and end
4242 ### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
4268 of two gigabytes and the error handling improved.
4272 automatically and is fully functional even without additional randomness
4275 ### Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
4304 differential addition-and-doubling in homogeneous projective coordinates
4306 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
4307 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
4312 * Change generating and checking of primes so that the error rate of not
4325 moving between systems, and to avoid confusion when a Windows build is
4331 * Revert blinding in ECDSA sign and instead make problematic addition
4338 differential addition-and-doubling in mixed Lopez-Dahab projective
4347 differential addition-and-doubling algorithms.
4368 different versions and bitnesses in one common archive. This makes it possible to
4369 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
4375 * Make ec_group_do_inverse_ord() more robust and available to other
4383 * Add coordinate blinding for EC_POINT and implement projective
4389 * Add blinding to ECDSA and DSA signatures to protect against side channel
4403 Many applications do not properly handle non-application data records, and
4407 SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
4417 * Apply blinding to binary field modular inversion and remove patent
4422 * Deprecate ec2_mult.c and unify scalar multiplication code paths for
4423 binary and prime elliptic curves.
4434 when computing fixed point and variable point multiplication (which
4444 * Updated DRBG / RAND to request nonce and additional low entropy
4458 * Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
4466 * Added output of accepting IP address and port for 'openssl s_server'
4481 * Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
4490 * Added new public header file <openssl/rand_drbg.h> and documentation
4506 configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
4521 as needed, and the CA index file is automatically reloaded
4530 * Added support for X448 and Ed448. Heavily based on original work by
4535 * Extend OSSL_STORE with capabilities to search and to narrow the set of
4536 objects loaded. This adds the functions OSSL_STORE_expect() and
4537 OSSL_STORE_find() as well as needed tools to construct searches and
4555 using an AES-CTR bit stream and which seeds and reseeds itself
4561 - There is a public and private DRBG instance.
4564 - The public and private DRBG instance are per thread for lock free
4569 * Changed Configure so it only says what it does and doesn't dump
4579 * Added SHA512/224 and SHA512/256 algorithm support.
4588 * Get rid of Makefile.shared, and in the process, make the processing
4590 the ordinal files) more visible and hopefully easier to trace and
4609 * Add 'Maximum Fragment Length' TLS extension negotiation and support
4620 * Reimplement -newreq-nodes and ERR_error_string_n; the
4649 * The UI API becomes a permanent and integral part of libcrypto, i.e.
4657 possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
4661 * Add a STORE module, which implements a uniform and URI based reader of
4662 stores that can contain keys, certificates, CRLs and numerous other
4664 and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
4665 OSSL_STORE_error and OSSL_STORE_close.
4684 With this change, we claim the namespaces OSSL and OPENSSL in a manner
4688 *Richard Levitte and Tim Hudson*
4695 and only that. This can be used to prepare everything that requires
4696 things like perl for a system that lacks perl and then move everything
4697 to that system and do the rest of the build there.
4716 prohibits this altogether and other libraries (BoringSSL, NSS) do not
4718 record layer, and its removal is unlikely to cause interoperability
4723 * Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
4724 with Z. These are meant to replace LONG and ZLONG and to be size safe.
4725 The use of LONG and ZLONG is discouraged and scheduled for deprecation
4730 * Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
4731 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
4740 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
4745 * The functions X509_STORE_add_cert and X509_STORE_add_crl return
4748 certificates and CRLs.
4763 VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
4769 compliance with RFC 5280. Fractional seconds and timezone offsets
4790 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
4791 prevent issues where no progress is being made and the peer continually
4796 * 'openssl passwd' can now produce SHA256 and SHA512 based output,
4818 ### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
4824 This prevents bypass of security hardening and performance gains,
4826 By default, if a key encoded with explicit parameters is loaded and later
4833 this change, EC_GROUP_set_generator would accept order and/or cofactor as
4840 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
4844 encryption key will be replaced by garbage, and the message cannot be
4846 used and the recipient will not notice the attack.
4849 certificate is not given and all recipientInfo are tried out.
4864 ### Changes between 1.1.0j and 1.1.0k [28 May 2019]
4866 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
4868 It fixes an omission in earlier changes that changed all RSA, DSA and DH
4875 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
4878 and front pads the nonce with 0 bytes if it is less than 12
4880 bytes. In this case only the last 12 bytes are significant and any
4885 serious confidentiality and integrity attacks. If an application changes
4886 the default nonce length to be longer than 12 bytes and then makes a
4896 applications that use this cipher directly and set a non-default nonce
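The over-long nonce problem described in the 1.1.1c and 1.1.0k entries above (the same ChaCha20-Poly1305 fix appears in both), as an added example that is not OpenSSL's own code. The ChaCha20 core follows RFC 7539; `effective_nonce_prefix()` mirrors the pre-fix handling the entries describe (front-pad a short IV with zero bytes; for an IV of 13 to 16 bytes, silently use only the last 12), and `effective_nonce_fixed()` mirrors the post-fix behaviour of rejecting anything longer than 12 bytes. The key and the two "counter in the leading bytes" IVs are constructed sample inputs; the Poly1305 tag is left out because the keystream reuse alone is enough to show the confidentiality break.

```python
"""Why a ChaCha20-Poly1305 nonce longer than 12 bytes was dangerous.

Added example, not OpenSSL code. ChaCha20 per RFC 7539; the nonce
normalisation functions reproduce the behaviour described in the CHANGES
entries (assumed to be accurate for the pre-fix and post-fix builds).
"""
import os
import struct

MASK32 = 0xFFFFFFFF
CHACHA_NONCE_LEN = 12   # RFC 7539 nonce size
OLD_MAX_IVLEN = 16      # pre-fix builds accepted up to this many bytes


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 7539 section 2.3); nonce is 12 bytes."""
    assert len(key) == 32 and len(nonce) == CHACHA_NONCE_LEN
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK32] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) under a 12-byte nonce."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def effective_nonce_prefix(iv):
    """Pre-fix handling: short IVs are front-padded with zeros; IVs of 13..16
    bytes are accepted but only the last 12 bytes reach the cipher."""
    if len(iv) > OLD_MAX_IVLEN:
        raise ValueError("IV longer than 16 bytes was never accepted")
    if len(iv) < CHACHA_NONCE_LEN:
        return b"\x00" * (CHACHA_NONCE_LEN - len(iv)) + iv
    return iv[-CHACHA_NONCE_LEN:]


def effective_nonce_fixed(iv):
    """Post-fix handling: an IV longer than 12 bytes is rejected outright."""
    if len(iv) > CHACHA_NONCE_LEN:
        raise ValueError("ChaCha20-Poly1305 nonce must be at most 12 bytes")
    return b"\x00" * (CHACHA_NONCE_LEN - len(iv)) + iv


def demonstrate_collision(key, iv_a, iv_b, msg_a, msg_b):
    """Encrypt two messages under 16-byte IVs that differ only in the ignored
    leading bytes. Returns True when the keystream was reused, i.e.
    ct_a XOR ct_b == msg_a XOR msg_b (the two-time-pad leak)."""
    ct_a = chacha20_xor(key, effective_nonce_prefix(iv_a), msg_a)
    ct_b = chacha20_xor(key, effective_nonce_prefix(iv_b), msg_b)
    n = min(len(msg_a), len(msg_b))
    ct_xor = bytes(x ^ y for x, y in zip(ct_a[:n], ct_b[:n]))
    pt_xor = bytes(x ^ y for x, y in zip(msg_a[:n], msg_b[:n]))
    return ct_xor == pt_xor


if __name__ == "__main__":
    key = os.urandom(32)                          # constructed sample key
    iv_a = b"\x00\x00\x00\x01" + b"\x11" * 12     # "unique" counter in the leading bytes
    iv_b = b"\x00\x00\x00\x02" + b"\x11" * 12
    print("keystream reused:", demonstrate_collision(key, iv_a, iv_b, b"attack at dawn", b"retreat at noon"))
    try:
        effective_nonce_fixed(iv_a)
    except ValueError as err:
        print("fixed build rejects it:", err)
```

The application in the CHANGES scenario believes `iv_a` and `iv_b` are distinct nonces, but after normalisation both become the same 12 bytes, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; the ignored leading bytes are also never authenticated. Rejecting over-long IVs at `EVP_CTRL_AEAD_SET_IVLEN` time, as the fix does, turns the silent collision into an immediate error.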
4921 * Remove the 'dist' target and add a tarball building script. The
4922 'dist' target has fallen out of use, and it shouldn't be
4927 ### Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
4951 * Add coordinate blinding for EC_POINT and implement projective
4957 ### Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
4980 Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
4991 * Revert blinding in ECDSA sign and instead make problematic addition
4996 * Change generating and checking of primes so that the error rate of not
5008 * Add blinding to ECDSA and DSA signatures to protect against side channel
5019 compliance with RFC 5280. Fractional seconds and timezone offsets
5029 line terminators to CRLF and removes additional trailing line terminators
5032 and removed. This is contrary to the specification (RFC5485). This fix
5037 and use the "-binary" flag (for the "cms" command line application) or set
5042 ### Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
5074 and only that. This can be used to prepare everything that requires
5075 things like perl for a system that lacks perl and then move everything
5076 to that system and do the rest of the build there.
5082 OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
5103 Analysis suggests that attacks against RSA and DSA as a result of this
5104 defect would be very difficult to perform and are not believed likely.
5121 ### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
5127 against RSA and DSA as a result of this defect would be very difficult to
5128 perform and are not believed likely. Attacks against DH are considered just
5131 of resources required for such an attack would be very significant and
5134 private key in a scenario with persistent DH parameters and a private
5137 This only affects processors that support the BMI1, BMI2 and ADX extensions
5138 like Intel Broadwell (5th generation) and later or AMD Ryzen.
5156 ### Changes between 1.1.0e and 1.1.0f [25 May 2017]
5158 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5164 VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
5169 ### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
5176 and servers are affected.
5183 ### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
5187 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5212 against RSA and DSA as a result of this defect would be very difficult to
5213 perform and are not believed likely. Attacks against DH are considered just
5216 of resources required for such an attack would be very significant and
5219 private key in a scenario with persistent DH parameters and a private
5229 ### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
5261 and DH private keys are impossible. This is because the subroutine in
5262 question is not used in operations with the private key itself and an input
5264 transient authentication and key negotiation failures or reproducible
5266 Among EC algorithms only Brainpool P-512 curves are affected and one
5269 multiple clients have to choose the curve in question and the server has to
5273 This issue was publicly reported as transient failures and was not
5280 * Removed automatic addition of RPATH in shared libraries and executables,
5281 as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
5285 ### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
5291 store the incoming message is reallocated and moved. Unfortunately a
5303 ### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
5331 * Excessive allocation of memory in tls_get_message_header() and
5336 this length are excessive and OpenSSL includes a check to ensure that a
5344 place, and this would cause the connection to immediately fail. Assuming
5358 connection; SSL_free() has not yet been called; and there is insufficient
5368 (CVE-2016-6307 and CVE-2016-6308)
5382 ### Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
5385 and console input. Setting OPENSSL_WIN32_UTF8 environment variable
5387 with Windows CryptoAPI and protected with non-ASCII password, as well
5394 have been disabled by default and removed from DEFAULT, just like RC4.
5401 the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
5407 to int. A return of 0 indicates an error while a return of 1 indicates
5412 * The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
5414 off the constant time implementation for RSA, DSA and DH have been made
5415 no-ops and deprecated.
5425 * The stack and lhash API's were renamed to start with `OPENSSL_SK_`
5426 and `OPENSSL_LH_`, respectively. The old names are available
5436 and the validity of object reference counter.
5441 alongside the installed libraries and executables. For a static
5461 256 bit AES and HMAC with SHA256.
5465 * Remove support for MIPS o32 ABI on IRIX (and IRIX only).
5473 * To enable users to have their own config files and build file templates,
5477 name and is used as is.
5482 X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
5492 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
5493 All of these options have not worked for some while and are fundamental
5498 * Make various cleanup routines no-ops and mark them as deprecated. Most
5500 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
5505 RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
5516 * Made DH and DH_METHOD opaque. The structures for managing DH objects
5522 * Made RSA and RSA_METHOD opaque. The structures for managing RSA
5528 * Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
5534 * Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
5553 * Removed the aged BC-32 config and all its supporting scripts
5557 * Removed support for Ultrix, Netware, and OS/2.
5565 * Add support for blake2b and blake2s
5587 are two supported threading models: pthreads and windows threads. It is
5599 * Add SSL_CIPHER queries for authentication and key-exchange.
5608 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
5618 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
5632 Add ASN.1 and EVP_PKEY methods for X25519. This includes support
5633 for public and private key encoding using the format documented in
5635 key generation and key derivation.
5637 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
5652 credentials, this behaviour is not constant time and no strong
5659 without having to build shared libraries and vice versa. This
5667 presence of the DSO module and building with position independent
5671 The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
5679 libcrypto and libssl object files, and never on the application
5686 also disable building shared libraries and dynamic engines.
5690 * Removed JPAKE code. It was experimental and has no wide use.
5701 * Heartbeat for TLS has been removed and is disabled by default
5722 information for each directory with source to compile, and a
5727 and on VMS. They now have names that are closer to the standard
5728 on Unix, and include the major version number, and in certain
5736 * Added support for auto-initialisation and de-initialisation of the library.
5738 except in certain circumstances. See the OPENSSL_init_crypto() and
5747 support of IPv6, and adding it required some more extensive
5748 modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
5749 which hold all types of addresses and chains of address information.
5751 BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
5752 The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
5757 * RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
5777 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
5794 * Configuration and writing out the results from it has changed.
5795 Files such as Makefile include/openssl/opensslconf.h and are now
5796 produced through general templates, such as Makefile.in and
5797 crypto/opensslconf.h.in and some help from the perl module
5810 --prefix and --openssldir change their semantics, and become more
5811 straightforward and less interdependent.
5814 where programs, scripts, libraries, include files and manuals are
5822 values of both the --prefix value and the --openssldir value will
5831 * The GOST engine was out of date and therefore it has been removed. An up
5842 *Ben Kaduk and Rich Salz*
5857 Obtaining and performing DNSSEC validation of TLSA records is
5859 the TLSA records of its choice to OpenSSL, and these are then
5880 support for the deprecated features from the library and
5892 The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
5893 0x10000000L and 0x00908000L, respectively. However those
5894 versions did not support the OPENSSL_API_COMPAT feature, and
5900 * Add support for setting the minimum and maximum supported protocol.
5901 It can be set via the SSL_set_min_proto_version() and
5902 SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
5911 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
5915 * New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
5916 and integrates ECDSA and ECDH functionality into EC. Implementations can
5917 now redirect key generation and no longer need to convert to or from
5920 Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
5925 * Remove support for all 40 and 56 bit ciphers. This includes all the export
5926 ciphers, which are no longer supported, and drops support for the ephemeral RSA key
5931 * Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
5932 opaque. For HMAC_CTX, the following constructors and destructors
5938 For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
5939 destroy such methods has been added. See EVP_MD_meth_new(3) and
5943 1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
5944 `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
5947 2) For consistency with the majority of our object creators and
5958 introduction of the new mode SSL_MODE_ASYNC and associated error
5959 SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
5964 * SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
5982 refactored in order to remove much duplication of code and solve issues
5985 Notably the SSL_state() function has been removed and replaced by
5988 defined in ssl.h and ssl3.h have also been removed.
6003 sureware and ubsec.
6018 This reduces memory fragmentation and makes it impossible to accidentally
6032 * Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
6033 in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
6035 DES and RC4 ciphersuites.
6041 though the change is mostly in the more lenient direction, and
6047 *David Woodhouse <David.Woodhouse@intel.com> and also*
6051 The testing framework has been largely rewritten and is now using
6052 perl and the perl modules Test::Harness and an extended variant of
6054 test/ have been rewritten into test recipes, and all direct calls to
6065 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
6068 and others were changed. All are now documented.
6075 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
6077 * Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
6080 Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
6092 * Changed the default name options in the "ca", "crl", "req" and "x509"
6098 not aware of clients that still exhibit this bug, and the workaround
6103 * The return type of BIO_number_read() and BIO_number_written() as well as
6104 the corresponding num_read and num_write members in the BIO structure has
6113 the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
6119 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
6123 ciphersuites, and given "logjam" it also does not seem correct to fix them.
6128 SSLv23_client_method() and SSLv23_server_method() have been deprecated,
6129 and turned into macros which simply call the new preferred function names
6130 TLS_method(), TLS_client_method() and TLS_server_method(). All new code
6137 code and the associated standard is no longer considered fit-for-purpose.
6154 * Changed default digest for the dgst and enc commands from MD5 to
6170 files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
6212 BEOS and BEOS_R5
6226 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
6262 exporting the session id and the master key in NSS keylog format.
6266 * Harmonize version and its documentation. -f flag is used to display
6284 Thanks to Neel Mehta of Google Security for discovering this bug and to
6285 Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
6292 by Yuval Yarom and Naomi Benger. Details can be obtained from:
6295 Thanks to Yuval Yarom and Naomi Benger for discovering this
6296 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
6298 *Yuval Yarom and Naomi Benger*
6322 the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
6323 algorithms and include tests cases.
6327 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
6333 MGF1 digest and OAEP label.
6339 *Chris Palmer <palmer@google.com> and Ben Laurie*
6342 ASN1_TIME structures or one structure and the current time.
6347 test to induce all self test errors in sequence and check expected
6352 * Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
6358 test programs and fips_test_suite. Includes functionality to parse
6367 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
6371 * Use separate DRBG fields for internal and external flags. New function
6393 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
6398 * Add functions FIPS_module_version() and FIPS_module_version_text()
6399 to return numerical and string versions of the FIPS module number.
6403 * Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
6404 FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
6410 there is no multiple of the block length between min_len and
6418 * Add PRNG security strength checks to RSA, DSA and ECDSA using
6419 information in FIPS186-3, SP800-57 and SP800-131A.
6424 must supply all data in one chunk (i.e. no update, final) and the
6431 of POST to be monitored and/or failures induced. Modify fips_test_suite
6444 to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
6447 Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
6454 shouldn't be using these directly and any that are will need to rethink
6459 * Extensive self tests and health checking required by SP800-90 DRBG.
6460 Remove strength parameter from FIPS_drbg_instantiate and always
6465 * Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
6473 * New function DH_compute_key_padded() to compute a DH key and pad with
6478 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
6479 anything, incomplete, subject to change and largely untested at present.
6489 fipscanister.o and FIPS or fips prefix. This will avoid
6492 and rename any affected symbols.
6496 * Add selftest checks and algorithm block of non-fips algorithms in
6503 tiny fips sign and verify functions.
6512 and (currently) associated fips utilities. Uses the file Makefile.fips
6534 including padding and finalisation. This is useful if (for example)
6539 input buffer is NULL and length 0 finalisation should be performed.
6556 new session is created, and gets to decide whether the session may be
6593 BIO_set_cipher() and some obscure PEM functions were changed so they
6606 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
6607 These allow SCTs (signed certificate timestamps) to be requested and
6620 ### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
6626 This prevents bypass of security hardening and performance gains,
6628 By default, if a key encoded with explicit parameters is loaded and later
6635 this change, EC_GROUP_set_generator would accept order and/or cofactor as
6642 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
6646 encryption key will be replaced by garbage, and the message cannot be
6648 used and the recipient will not notice the attack.
6651 certificate is not given and all recipientInfo are tried out.
6661 binaries and run-time config file.
6666 ### Changes between 1.0.2r and 1.0.2s [28 May 2019]
6668 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
6670 It fixes an omission in earlier changes that changed all RSA, DSA and DH
6685 ### Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
6689 If an application encounters a fatal protocol error and then calls
6690 SSL_shutdown() twice (once to send a close_notify, and once to receive one)
6703 This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
6704 Aviram, with additional investigation by Steven Collison and Andrew
6714 ### Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
6718 OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
6724 Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
6743 development branch and hindering the use of ECC in FIPS mode.
6747 ### Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
6770 Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
6781 * Revert blinding in ECDSA sign and instead make problematic addition
6786 * Change generating and checking of primes so that the error rate of not
6798 * Add blinding to ECDSA and DSA signatures to protect against side channel
6809 compliance with RFC 5280. Fractional seconds and timezone offsets
6814 ### Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
6830 ### Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
6836 then OpenSSL would move into the error state and would immediately fail if
6838 explicit handshake functions (SSL_do_handshake(), SSL_accept() and
6843 for the same SSL object then it will succeed and the data is passed without
6859 Analysis suggests that attacks against RSA and DSA as a result of this
6860 defect would be very difficult to perform and are not believed likely.
6877 ### Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
6883 against RSA and DSA as a result of this defect would be very difficult to
6884 perform and are not believed likely. Attacks against DH are considered just
6887 of resources required for such an attack would be very significant and
6890 private key in a scenario with persistent DH parameters and a private
6893 This only affects processors that support the BMI1, BMI2 and ADX extensions
6894 like Intel Broadwell (5th generation) and later or AMD Ryzen.
6911 ### Changes between 1.0.2k and 1.0.2l [25 May 2017]
6913 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
6918 ### Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
6922 If one side of an SSL/TLS path is running on a 32-bit host and a specific
6935 against RSA and DSA as a result of this defect would be very difficult to
6936 perform and are not believed likely. Attacks against DH are considered just
6939 of resources required for such an attack would be very significant and
6942 private key in a scenario with persistent DH parameters and a private
6957 and DH private keys are impossible. This is because the subroutine in
6958 question is not used in operations with the private key itself and an input
6960 transient authentication and key negotiation failures or reproducible
6962 Among EC algorithms only Brainpool P-512 curves are affected and one
6965 multiple clients have to choose the curve in question and the server has to
6969 This issue was publicly reported as transient failures and was not
6977 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
6978 prevent issues where no progress is being made and the peer continually
6983 ### Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
6996 ### Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
7016 This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
7045 a custom server callback and ticket lookup mechanism.
7068 the total length the OID text representation would use and not the amount
7084 Where "p" points to some malloc'd data of SIZE bytes and
7096 values of len that are too big and therefore p + len < limit.
7112 (Tampere University of Technology), and Yuval Yarom (The University of
7113 Adelaide and NICTA).
7153 In OpenSSL 1.0.2 and earlier some missing message length checks can result
7159 and server certificate. As a result the attack can only be performed
7167 ### Changes between 1.0.2g and 1.0.2h [3 May 2016]
7172 when the connection uses an AES CBC cipher and the server supports
7177 constant time by making sure that always the same bytes are read and
7179 checked that there was enough data to have both the MAC and padding
7196 from an untrusted source and outputs it as a PEM file should be considered
7213 the first called function after an EVP_EncryptInit(), and therefore that
7215 EVP_EncryptUpdate() can be seen from the code to be some small value and
7221 of these calls have also been analysed too and it is believed there are no
7267 methods are enabled and ssl2 is disabled the methods return NULL.
7271 ### Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
7273 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
7279 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
7290 explicitly uses the version-specific SSLv2_method() or its client and
7293 ciphers, and SSLv2 56-bit DES are no longer available.
7301 keys and could lead to a DoS attack or memory corruption for applications
7324 credentials, this behaviour is not constant time and no strong
7360 string and cause an OOB read when printing very long strings.
7364 memory allocation failure. In 1.0.2 and below this could be caused where
7397 Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
7411 ### Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
7428 reuses the same private DH exponent for the life of the server process and
7430 applications do set this option and would therefore not be at risk.
7434 only known attack, and is the only possible defense for static DH
7438 default and cannot be disabled. This could have some performance impact.
7448 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
7453 and Sebastian Schinzel.
7458 ### Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
7464 against RSA and DSA as a result of this defect would be very difficult to
7465 perform and are not believed likely. Attacks against DH are considered just
7468 of resources required for such an attack would be very significant and
7471 private key in a scenario with persistent DH parameters and a private
7484 algorithm and absent mask generation function parameter. Since these
7486 used to crash any certificate verification operation and exploited in a
7488 vulnerable including OpenSSL clients and servers which enable client
7499 memory. This structure is used by the PKCS#7 and CMS routines so any
7511 though the change is mostly in the more lenient direction, and
7519 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
7521 ### Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
7530 certificate to act as a CA and "issue" an invalid certificate.
7537 ### Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
7545 ### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
7555 certificates. This includes TLS clients and TLS servers with
7566 string and can read a few bytes out of bounds. In addition,
7570 An attacker can use this to craft malformed certificates and CRLs of
7571 various sizes and potentially cause a segmentation fault, resulting in
7573 that verify CRLs are affected. TLS clients and servers with client
7577 This issue was reported to OpenSSL by Robert Swiecki (Google), and
7587 with missing content and trigger a NULL pointer dereference on parsing.
7590 structures from untrusted sources are affected. OpenSSL clients and
7624 ### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
7628 If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
7636 *Stephen Henson and Matt Caswell*
7649 This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
7656 The DTLSv1_listen function is intended to be stateless and processes the
7676 certificate verification operation and exploited in a DoS attack. Any
7678 OpenSSL clients and servers which enable client authentication.
7687 algorithm and invalid parameters. Since these routines are used to verify
7689 certificate verification operation and exploited in a DoS attack. Any
7691 OpenSSL clients and servers which enable client authentication.
7701 memory corruption via an invalid write. Such reuse is and has been
7702 strongly discouraged and is believed to be rare.
7705 components may be affected. Certificate parsing (d2i_X509 and related
7706 functions) are however not affected. OpenSSL clients and servers are
7716 missing content and trigger a NULL pointer dereference on parsing.
7720 affected. OpenSSL clients and servers are not affected.
7730 servers that both support SSLv2 and enable export cipher suites by sending
7733 This issue was discovered by Sean Burford (Google) and Emilia Käsper
7739 * Empty CKE with client auth and DHE fix
7742 ciphersuite being selected and a zero length ClientKeyExchange message
7753 automatically, and the user has not seeded manually
7760 have been generated from a PRNG with insufficient entropy and therefore the
7776 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
7780 This issue was discovered by the BoringSSL project and fixed in their
7800 ### Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
7805 and argue that binary targeting say ARMv5 would still execute on
7816 * Add support for the SignedCertificateTimestampList certificate and
7828 This covers AES, SHA256/512 and GHASH. "Initial" means that most
7829 common cases are optimized and there still is room for further
7839 SHA1, SHA256 and GHASH. "Initial" means that most common cases
7840 are optimized and there still is room for further improvements.
7841 Both 32- and 64-bit modes are supported.
7851 SHA256/512, MD5, GHASH and modular exponentiation.
7860 * Support for new and upcoming Intel processors, including AVX2,
7861 BMI and SHA ISA extensions. This includes additional "stitched"
7862 implementations, AESNI-SHA256 and GCM, and multi-buffer support
7870 supports both DTLS 1.2 and 1.0 and should use whatever version the peer
7871 supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
7881 MGF1 digest and OAEP label.
7887 the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
7888 algorithms and include tests cases.
7892 * Add functions to allocate and set the fields of an ECDSA_METHOD
7897 * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
7898 difference in days and seconds between two tm or ASN1_TIME structures.
7903 received by client and send back to server. Also prints an abbreviated
7908 * New option -brief for s_client and s_server to print out a brief summary
7915 *Trevor Perrin <trevp@trevp.net> and Ben Laurie*
7922 * New options -CRL and -CRLform for s_client and s_server for CRLs.
7931 * New functions to set lookup_crls function and to retrieve
7936 * Print out deprecated issuer and subject unique ID fields in
7957 message callback and prints the results. Needs compile time option
7958 "enable-ssl-trace". New options to s_client and s_server to enable
7963 * New ctrl and macro to retrieve supported points extensions.
7964 Print out extension in s_server and s_client.
7968 * New functions to retrieve certificate signature and signature
7973 * Add functions to retrieve and manipulate the raw cipherlist sent by a
7978 * New Suite B modes for TLS code. These use and enforce the requirements
7979 of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
7992 certificates: checks for matching certificate type and issuer name
8011 verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
8012 to build and store a certificate chain in CERT structure: returning
8023 hello and checking the requested ciphersuite.
8027 * New ctrls to retrieve and set certificate types in a certificate
8034 * Support for distinct client and server supported signature algorithms.
8042 This fixes many of the problems and restrictions of the existing client
8044 certificate and specify the whole chain.
8053 Add new "cert_flags" field to CERT structure and include a "strict mode".
8061 * Update and tidy signature algorithm extension processing. Work out
8062 shared signature algorithms based on preferences and peer algorithms
8063 and print them out in s_client and s_server. Abort handshake if no
8069 for SSL and SSL_CTX structures. Add options to s_client and s_server
8080 * Integrate hostname, email address and IP address checking with certificate
8085 * Fixes and wildcard matching support to hostname and email checking
8098 *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*
8113 * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
8114 platform support for Linux and Android.
8148 SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
8149 support ECDH and use the most appropriate parameters.
8153 * Enhance and tidy EC curve and point format TLS extension code. Use
8155 New ctrls to set curves we wish to support and to retrieve shared curves.
8156 Print out shared curves in s_server. New options to s_server and s_client
8161 * New ctrls to retrieve supported signature algorithms and
8167 * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
8168 between NIDs and the more common NIST names such as "P-256". Enhance
8169 ecparam utility and ECC method to recognise the NIST names for curves.
8179 server and client use DH certificates with common parameters.
8191 X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
8197 ### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]
8217 This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
8246 a custom server callback and ticket lookup mechanism.
8269 the total length the OID text representation would use and not the amount
8285 Where "p" points to some malloc'd data of SIZE bytes and
8297 values of len that are too big and therefore p + len < limit.
8313 (Tampere University of Technology), and Yuval Yarom (The University of
8314 Adelaide and NICTA).
8354 In OpenSSL 1.0.2 and earlier some missing message length checks can result
8360 and server certificate. As a result the attack can only be performed
8368 ### Changes between 1.0.1s and 1.0.1t [3 May 2016]
8373 when the connection uses an AES CBC cipher and the server supports
8378 constant time by making sure that always the same bytes are read and
8380 checked that there was enough data to have both the MAC and padding
8398 from an untrusted source and outputs it as a PEM file should be considered
8415 the first called function after an EVP_EncryptInit(), and therefore that
8417 EVP_EncryptUpdate() can be seen from the code to be some small value and
8423 of these calls have also been analysed too and it is believed there are no
8469 methods are enabled and ssl2 is disabled the methods return NULL.
8473 ### Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
8475 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
8481 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
8492 explicitly uses the version-specific SSLv2_method() or its client and
8495 ciphers, and SSLv2 56-bit DES are no longer available.
8503 keys and could lead to a DoS attack or memory corruption for applications
8526 credentials, this behaviour is not constant time and no strong
8562 string and cause an OOB read when printing very long strings.
8566 memory allocation failure. In 1.0.2 and below this could be caused where
8599 Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
8613 ### Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
8618 switched on by default and cannot be disabled. This could have some
8626 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
8631 and Sebastian Schinzel.
8640 ### Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
8646 algorithm and absent mask generation function parameter. Since these
8648 used to crash any certificate verification operation and exploited in a
8650 vulnerable including OpenSSL clients and servers which enable client
8661 memory. This structure is used by the PKCS#7 and CMS routines so any
8673 though the change is mostly in the more lenient direction, and
8681 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
8683 ### Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
8692 certificate to act as a CA and "issue" an invalid certificate.
8710 ### Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
8716 ### Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
8726 certificates. This includes TLS clients and TLS servers with
8737 string and can read a few bytes out of bounds. In addition,
8741 An attacker can use this to craft malformed certificates and CRLs of
8742 various sizes and potentially cause a segmentation fault, resulting in
8744 that verify CRLs are affected. TLS clients and servers with client
8748 This issue was reported to OpenSSL by Robert Swiecki (Google), and
8758 with missing content and trigger a NULL pointer dereference on parsing.
8761 structures from untrusted sources are affected. OpenSSL clients and
8791 *Kurt Roeckx and Emilia Kasper*
8795 *Kurt Roeckx and Emilia Kasper*
8797 ### Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
8804 certificate verification operation and exploited in a DoS attack. Any
8806 OpenSSL clients and servers which enable client authentication.
8814 memory corruption via an invalid write. Such reuse is and has been
8815 strongly discouraged and is believed to be rare.
8818 components may be affected. Certificate parsing (d2i_X509 and related
8819 functions) are however not affected. OpenSSL clients and servers are
8829 missing content and trigger a NULL pointer dereference on parsing.
8833 affected. OpenSSL clients and servers are not affected.
8843 servers that both support SSLv2 and enable export cipher suites by sending
8846 This issue was discovered by Sean Burford (Google) and Emilia Käsper
8857 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
8861 This issue was discovered by the BoringSSL project and fixed in their
8881 ### Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
8883 * Build fixes for the Windows and OpenVMS platforms
8885 *Matt Caswell and Richard Levitte*
8887 ### Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
8908 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
8924 * Remove non-export ephemeral RSA code on client and server. This code
8926 non-export ciphersuites and could be used by a server to effectively
8939 containing DH keys: these are extremely rare and hardly ever encountered.
8950 and can vary with the CTX.
8977 Re-encode DSA/ECDSA signatures and compare with the original received
8981 (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
8982 program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
8985 Further analysis was conducted and fixes were developed by Stephen Henson
8994 with a very low probability, and is not known to be exploitable in any
8996 Wuille (Blockstream) who reported this issue and also suggested an initial
8997 fix. Further analysis was conducted by the OpenSSL development team and
9007 sanity and breaks all known clients.
9020 reuse the old extension state and thus accept a session ticket if one was
9029 ### Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
9037 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
9061 could accept and complete an SSL 3.0 handshake, and clients could be
9065 *Akamai and the OpenSSL team*
9076 Re-encode DigestInfo in DER and check against the original when
9080 Note: this is a precautionary measure and no attacks are currently known.
9084 ### Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
9090 Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
9099 downgrade to TLS 1.0 even if both the server and the client support a
9102 Thanks to David Benjamin and Adam Langley (Google) for discovering and
9111 ciphersuite and sending carefully crafted handshake messages.
9113 Thanks to Felix Gröbert (Google) for discovering and researching this
9121 Thanks to Adam Langley for discovering and researching this issue.
9129 Thanks to Adam Langley for discovering and researching this issue.
9137 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
9144 session and the server sends an ec point format extension it could write
9147 Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
9158 Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
9159 discovering and researching this issue.
9172 *Emilia Käsper, and Steve Henson*
9180 ### Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
9184 SSL/TLS clients and servers.
9186 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
9212 Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
9217 * Harmonize version and its documentation. -f flag is used to display
9231 ### Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
9237 Thanks to Neel Mehta of Google Security for discovering this bug and to
9238 Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
9245 by Yuval Yarom and Naomi Benger. Details can be obtained from:
9248 Thanks to Yuval Yarom and Naomi Benger for discovering this
9249 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
9251 *Yuval Yarom and Naomi Benger*
9255 Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
9256 TLS client Hello record length value would otherwise be > 255 and
9262 ### Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
9269 * Keep original DTLS digest and encryption contexts in retransmission
9280 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
9284 ### Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
9291 ### Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
9293 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
9296 Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
9299 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
9301 (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
9307 * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
9309 Thanks go to Adam Langley <agl@chromium.org> for discovering
9310 and detecting this bug and to Wolfgang Ettlinger
9323 *Chris Palmer <palmer@google.com> and Ben Laurie*
9341 ### Changes between 1.0.1b and 1.0.1c [10 May 2012]
9344 1.2, 1.1 and DTLS to fix DoS attack.
9362 ### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
9364 * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
9370 OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
9372 inability to disable specifically TLS 1.1 and in client context,
9380 that if application wants to disable TLS1.0 in favor of TLS1.1 and
9387 ### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
9390 BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
9394 issue and to Adam Langley <agl@chromium.org> for fixing it.
9422 ### Changes between 1.0.0h and 1.0.1 [14 Mar 2012]
9430 and the RSA_sign/RSA_verify functions. This was made more apparent when
9432 those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
9438 support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
9441 and still work with previous versions of OpenSSL.
9464 - `*`: GHASH and GF(2^m) multiplication implementations;
9486 *Adam Langley <agl@google.com> and Ben Laurie*
9491 required to use this (present in gcc 4.4 and later, for 64-bit builds).
9495 line to include this in your build of OpenSSL, and run "make depend" (or
9514 * New -sigopt option to the ca, req and x509 utilities. Additional
9515 signature parameters can be passed using this option and in
9520 * Add RSA PSS signing function. This will generate and set the
9528 EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
9559 * Split password based encryption into PBES2 and PBKDF2 functions. This
9560 neatly separates the code into cipher and PBE sections and is required
9581 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
9588 the IV between the fixed (from PRF) and explicit (from TLS record)
9589 portions. This adds all GCM ciphersuites supported by RFC5288 and
9590 RFC5289. Generalise some `AES*` cipherstrings to include GCM and
9596 field on decrypt and retrieval of invocation field only on encrypt.
9607 as unset and return the appropriate default but do *not* set the default.
9609 switch between FIPS and non-FIPS modes.
9613 * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
9621 *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*
9623 * Redirect DSA and DH operations to FIPS module in FIPS mode.
9627 * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
9642 encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
9665 for static and shared library builds embedding a signature if needed.
9680 and enable MD5.
9684 * Functions FIPS_mode_set() and FIPS_mode() which call the underlying
9705 support yet and no support for client certificates.
9710 to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
9712 TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
9714 and version checking.
9726 Sylvester and Christophe Renou) was integrated.
9728 <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
9731 * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
9764 ### Changes between 1.0.0s and 1.0.0t [3 Dec 2015]
9769 memory. This structure is used by the PKCS#7 and CMS routines so any
9789 ### Changes between 1.0.0r and 1.0.0s [11 Jun 2015]
9799 certificates. This includes TLS clients and TLS servers with
9810 string and can read a few bytes out of bounds. In addition,
9814 An attacker can use this to craft malformed certificates and CRLs of
9815 various sizes and potentially cause a segmentation fault, resulting in
9817 that verify CRLs are affected. TLS clients and servers with client
9821 This issue was reported to OpenSSL by Robert Swiecki (Google), and
9831 with missing content and trigger a NULL pointer dereference on parsing.
9834 structures from untrusted sources are affected. OpenSSL clients and
9862 ### Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
9869 certificate verification operation and exploited in a DoS attack. Any
9871 OpenSSL clients and servers which enable client authentication.
9879 memory corruption via an invalid write. Such reuse is and has been
9880 strongly discouraged and is believed to be rare.
9883 components may be affected. Certificate parsing (d2i_X509 and related
9884 functions) are however not affected. OpenSSL clients and servers are
9894 missing content and trigger a NULL pointer dereference on parsing.
9898 affected. OpenSSL clients and servers are not affected.
9908 servers that both support SSLv2 and enable export cipher suites by sending
9911 This issue was discovered by Sean Burford (Google) and Emilia Käsper
9922 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
9926 This issue was discovered by the BoringSSL project and fixed in their
9946 ### Changes between 1.0.0p and 1.0.0q [15 Jan 2015]
9948 * Build fixes for the Windows and OpenVMS platforms
9950 *Matt Caswell and Richard Levitte*
9952 ### Changes between 1.0.0o and 1.0.0p [8 Jan 2015]
9973 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
9989 * Remove non-export ephemeral RSA code on client and server. This code
9991 non-export ciphersuites and could be used by a server to effectively
10004 containing DH keys: these are extremely rare and hardly ever encountered.
10013 with a very low probability, and is not known to be exploitable in any
10015 Wuille (Blockstream) who reported this issue and also suggested an initial
10016 fix. Further analysis was conducted by the OpenSSL development team and
10046 Re-encode DSA/ECDSA signatures and compare with the original received
10050 (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
10051 program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
10054 Further analysis was conducted and fixes were developed by Stephen Henson
10061 ### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]
10078 could accept and complete an SSL 3.0 handshake, and clients could be
10082 *Akamai and the OpenSSL team*
10093 Re-encode DigestInfo in DER and check against the original when
10097 Note: this is a precautionary measure and no attacks are currently known.
10101 ### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]
10106 ciphersuite and sending carefully crafted handshake messages.
10108 Thanks to Felix Gröbert (Google) for discovering and researching this
10116 Thanks to Adam Langley for discovering and researching this issue.
10124 Thanks to Adam Langley for discovering and researching this issue.
10132 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
10139 session and the server sends an ec point format extension it could write
10142 Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
10156 *Emilia Käsper, and Steve Henson*
10164 ### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]
10168 SSL/TLS clients and servers.
10170 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
10196 Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
10201 * Harmonize version and its documentation. -f flag is used to display
10217 by Yuval Yarom and Naomi Benger. Details can be obtained from:
10220 Thanks to Yuval Yarom and Naomi Benger for discovering this
10221 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
10223 *Yuval Yarom and Naomi Benger*
10225 ### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]
10227 * Keep original DTLS digest and encryption contexts in retransmission
10238 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
10242 ### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
10244 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
10247 Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
10250 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
10252 (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
10275 ### Changes between 1.0.0i and 1.0.0j [10 May 2012]
10277 [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
10294 ### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
10297 BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
10301 issue and to Adam Langley <agl@chromium.org> for fixing it.
10306 ### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
10309 in CMS and PKCS7 code. When RSA decryption fails use a random key for
10310 content decryption and always return the same error. Note: this attack
10313 CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
10326 ### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
10329 Thanks to Antonio Martin, Enterprise Secure Access Research and
10330 Development, Cisco Systems, Inc. for discovering this bug and
10335 ### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
10337 * Nadhem Alfardan and Kenny Paterson have discovered an extension
10344 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
10346 (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
10347 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
10358 Kadianakis <desnacked@gmail.com> for discovering this issue and
10369 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
10395 lock to call BN_BLINDING_invert_ex, and avoids one use of
10405 ### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
10421 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
10428 by Billy Bob Brumley and Nicola Tuveri, see:
10431 *Billy Bob Brumley and Nicola Tuveri*
10433 ### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
10445 ### Changes between 1.0.0b and 1.0.0c [2 Dec 2010]
10447 * Disable code workaround for ancient and obsolete Netscape browsers
10448 and servers: an attacker can use it in a ciphersuite downgrade attack.
10454 Sebastien Martini, further info and confirmation from Stefan
10455 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
10459 ### Changes between 1.0.0a and 1.0.0b [16 Nov 2010]
10472 ### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
10479 ### Changes between 0.9.8n and 1.0.0 [29 Mar 2010]
10491 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
10517 * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
10518 needlessly dereferenced structures, used obsolete functions and
10527 * In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
10530 of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
10531 it handles reference counts correctly and doesn't zero out the I/O bio
10544 * Add ECDHE and PSK support to DTLS.
10555 `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
10563 this allows the use of compression and extensions. Change default cipher
10570 key ids to find matching certificates and keys but some PKCS#12 files
10571 don't follow the (somewhat unwritten) rules and this strategy fails.
10572 Now just gather all certificates together and the first private key
10577 * Support use of registered digest and cipher names for dgst and cipher
10587 and this works for ENGINE based algorithms too.
10601 even if they aren't identical) and uses SHA1 instead of MD5. This form
10602 is incompatible with the older format and as a result c_rehash should
10608 traditional format. This form is standardised, more secure and doesn't
10638 * New function OPENSSL_gmtime_adj() to add a specific number of days and
10642 and X509_time_adj_ex() to cover the extended range. The existing
10643 X509_time_adj() is still usable and will no longer have any date issues.
10648 and search any appropriate delta CRLs available.
10655 code and add additional score elements. Validate alternate CRL paths
10656 as part of the CRL checking and indicate a new error "CRL path validation
10658 the verify callback and check the new "parent" field. If this is not
10674 passed directly and not via lookup. Process certificate issuer
10675 CRL entry extension and lookup CRL entries by both issuer name
10676 and serial number. Check and process CRL issuer entry in IDP extension.
10682 * Add support for distinct certificate and CRL paths. The CRL issuer
10698 policy processing to align with RFC3280 and PKITS tests.
10705 and URI types are currently supported.
10712 than numeric, deprecate the current numeric thread ID mechanism and
10713 replace it with a structure and associated callback type. This
10715 either case, and on platforms where pointers are larger than 'long',
10730 CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
10731 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
10742 simple case where the self issued certificates in the chain exist and
10770 on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
10771 support for data, signedData, compressedData, digestedData and
10773 RFC4134 examples draft and interop and consistency checks of many
10774 content types and variants.
10782 * Extend mk1mf to support importing of options and assembly language
10798 * ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
10805 official specification yet and no extension type assignment by
10814 and unofficial assignment based on the MD5 hash of the Internet
10821 an internal copy of the length-'len' string at 'src', and will
10824 To get more control and flexibility, provide a callback function
10835 Callback function 'cb' will be called in handshakes, and is
10845 Arguments 'peerinput' and 'len' given to the callback function
10846 will always be NULL and 0 in the case of a client. A server will
10848 available (NULL and 0 otherwise). Note that if the server
10854 previously negotiated), and will not be called in SSL 2.0
10901 function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
10902 to output in BER and PEM format.
10909 ENGINE support for HMAC keys which are unextractable. New -mac and
10957 "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
10962 categories, so there is no longer a need to coagulate AES128 and
10963 AES256 into a single algorithm bit, and to coagulate Camellia128
10964 and Camellia256 into a single algorithm bit, which has led to all
10967 Thus, among other things, the kludge introduced in 0.9.7m and
10972 so far were missing: "AES128", "AES256", "CAMELLIA128", and
10977 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
10984 it yet and it is largely untested.
10993 some compilers (gcc 4.2 and later) reject their use. Safestack is
11011 -verify_return_error to s_client and s_server. This causes real errors
11017 * GOST engine, supporting several GOST algorithms and public key formats.
11025 selected via a scoring technique which handles IDP and AKID in CRLs.
11029 * New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
11031 X509_STORE dependency on certificate verification and allow alternative
11044 extensions in X509_CRL structure and cache CRLDP in X509.
11065 EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
11066 ctrl. It can then customise the structure before and/or after signing
11078 EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
11079 digest and cipher tables. New options added to openssl utility:
11080 list-message-digest-algorithms and list-cipher-algorithms.
11093 * Various modifications and fixes to SSL/TLS cipher string
11095 with RSA certificates on the one hand and with ECDSA certificates
11103 merely the CA's signing algorithm and not actively used in the
11107 available, and ECC ciphersuites are no longer excluded from "ALL"
11108 and "DEFAULT". The following aliases now exist for RFC 4492
11126 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
11137 an engine to register a method. Add ENGINE lookups for methods and
11154 * Tidy up PKCS#7 routines and add new functions to make it easier to
11189 return value indicates how strong the preference is 1 means optional and
11197 * Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
11200 between digests and public key types.
11204 * Add an OID cross reference table and utility functions. Its purpose is to
11205 translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
11217 * Add provisional EC pkey method with support for ECDSA and ECDH.
11221 * Add support for key derivation (agreement) in the API, DH method and
11226 * Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
11227 public and private key formats. As a side effect these add additional
11229 generated and verified using pkeyutl and DH key support and generation in
11244 generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
11245 support key and parameter generation and add initial key generation
11277 * New utilities pkey and pkeyparam. These are similar to algorithm specific
11291 De-spaghettify the public key ASN1 handling. Move public and private
11295 of public and private key structures.
11305 for the psk identity [hint] and the psk callback functions to the
11306 SSL_SESSION, SSL and SSL_CTX structure.
11318 *Mika Kousa and Pasi Eronen of Nokia Corporation*
11321 and response verification functionality.
11326 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
11339 New CTRL codes and macros (subject to change):
11352 and '-key' remain fallbacks for handshakes without HostName
11367 implementations, between 32- and 64-bit builds without hassle.
11372 to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
11397 ASN1 structures. This currently produces rather ugly output and doesn't
11402 * Integrated support for PVK file format and some related formats such
11403 as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
11404 these in the 'rsa' and 'dsa' utilities.
11419 pointer and make the SSL_METHOD parameter in SSL_CTX_new,
11420 SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
11430 * Add print and set support for Issuing Distribution Point CRL extension.
11441 ### Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
11458 ### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
11484 * Handle TLS versions 2.0 and later properly and correctly use the
11494 This results in significant per-connection memory leaks and
11495 has caused some security issues including CVE-2008-1678 and
11506 connect and renegotiate with servers which do not support RI.
11511 * Add "missing" ssl ctrls to clear options and mode.
11515 * If client attempts to renegotiate and doesn't support RI respond with
11518 the alert. Unfortunately OpenSSL mishandled this alert and would hang
11522 and would have no code in place to handle the server denying it so the
11528 peer supports secure renegotiation and 0 otherwise. Print out peer
11533 * Replace the highly broken and deprecated SPKAC certification method with
11548 issuing and attempting to decrypt tickets in case it has changed during
11558 CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
11569 * Add support for --libdir option and LIBDIR variable in makefiles. This
11577 X690 8.9.12 and can produce some misleading textual output of OIDs.
11589 and restored.
11593 * Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
11617 sequence number made no sense and would be part of another handshake.
11628 the size of a buffer and limits the record buffer to 100 entries.
11646 ### Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
11657 ### Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
11671 * Reject UniversalString and BMPString types with invalid lengths. This
11697 * Print out UTF8String and NumericString when parsing ASN1.
11711 ### Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
11713 * Properly check EVP_VerifyFinal() and similar return values
11733 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
11738 s_client and s_server.
11758 ### Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
11765 * Fix a state transition in s3_srvr.c and d1_srvr.c
11799 *Ben Laurie and the FreeBSD team*
11815 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
11825 attribute creation routines such as certificate requests and PKCS#12
11830 ### Changes between 0.9.8g and 0.9.8h [28 May 2008]
11852 The OpenSSL project does not recommend any specific CA and does not
11873 x86_64 is available by default here in the 0.9.8 branch, and
11888 TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
11899 behaviour and the documentation. With this fix, when an ENGINE is
11917 CMS support is disabled by default and must be explicitly enabled
11922 * Update the GMP engine glue to do direct copies between BIGNUM and
11923 mpz_t when openssl and GMP use the same limb size. Otherwise the
11928 * Zlib compression BIO. This is a filter BIO which compressed and
11933 * Add AES_wrap_key() and AES_unwrap_key() functions to implement
11939 sets string data without copying. X509_ALGOR_set0() and
11940 X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
11943 once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
11948 * Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
11967 - added AES, WHIRLPOOL and CPUID assembler code to build files
11974 A client can set the appropriate parameters and receive the encoded
11976 and set the encoded OCSP response in the callback. Add simplified examples
11977 to s_client and s_server.
11981 ### Changes between 0.9.8f and 0.9.8g [19 Oct 2007]
11991 ### Changes between 0.9.8e and 0.9.8f [11 Oct 2007]
12005 (gcc 4.2 and later) reject their use.
12033 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
12046 New CTRL codes and macros (subject to change):
12059 and '-key' remain fallbacks for handshakes without HostName
12066 * Add AES and SSE2 assembly language support to VC++ build.
12088 <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and
12107 and Necessary Software Countermeasures"). The core of the change
12108 are new versions BN_div_no_branch() and
12109 BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
12112 and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
12131 BN_BLINDING_new() and to BN_BLINDING_create_param() now
12158 not complete and could lead to a possible single byte overflow
12161 ### Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
12163 * Since AES128 and AES256 (and similarly Camellia128 and
12166 kludge to work properly if AES128 is available and AES256 isn't
12167 (or if Camellia128 is available and Camellia256 isn't).
12193 static variable. This allows them to be cleanly unloaded and reloaded.
12198 * extend SMTP and IMAP protocol emulation in s_client to use EHLO
12203 ### Changes between 0.9.8c and 0.9.8d [28 Sep 2006]
12214 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12219 *Tavis Ormandy and Will Drewry, Google Security Team*
12223 as a pattern and match "AES128-SHA" too (since AES128-SHA got
12232 ciphersuite selects this one ciphersuite, and any other similar
12235 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
12239 The proper fix will be to use different bits for AES128 and
12248 ### Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
12251 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12253 * Add AES IGE and biIGE modes.
12261 *Darryl Miles via Richard Levitte and Bodo Moeller*
12268 support, which is required for curve and point format negotiation
12285 unofficial, and the ID has long expired.
12290 dual-core machines) and other potential thread-safety issues.
12307 necessarily true if compression is enabled and can result in false
12314 ### Changes between 0.9.8a and 0.9.8b [04 May 2006]
12317 cipher suite and only match that one cipher suite if it is.
12332 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
12337 * Fixes and enhancements to zlib compression code. We now only use
12338 "zlib1.dll" and use the default `__cdecl` calling convention on Win32
12341 Static zlib linking now works on Windows and the new --with-zlib-include
12343 of the headers and library. Gracefully handle case where zlib library
12348 * Several fixes and enhancements to the OID generation code. The old code
12350 handle numbers larger than ULONG_MAX, truncated printing and had a
12365 ### Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
12375 Science and Technology [AIST], Japan)*
12377 * Add two function to clear and return the verify parameter flags.
12388 *Nick Mathewson and Ben Laurie*
12396 *Satoshi Nakamura and Andy Polyakov*
12409 ### Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
12411 [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
12414 * Add libcrypto.pc and libssl.pc for those who feel they need them.
12418 * Change CA.sh and CA.pl so they don't bundle the CSR and the private
12423 * Add initial support for Win64, both IA64 and AMD64/x64 flavors.
12427 * Add -utf8 command line and config file option to 'ca'.
12436 * Correct naming of the 'chil' and '4758cca' ENGINEs. This
12437 involves renaming the source and generated shared-libs for
12439 ('ncipher' and '4758_cca' respectively) when binding. NB,
12442 *Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe*
12445 PKCS12_create() to recognize a CSP name attribute and
12465 *Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie*
12468 to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
12472 * Remove buggy and incomplete DH cert support from
12473 ssl/ssl_rsa.c and ssl/s3_both.c
12491 The patented RC5 and MDC2 algorithms will now be disabled unless
12492 "enable-rc5" and "enable-mdc2", respectively, are specified.
12495 is frequently required for interoperability, and there is no license
12502 sponsored by KTH (The Royal Institute of Technology in Stockholm) and
12508 as Intel P4, IA-64 and AMD64.
12523 * New arguments -certform, -keyform and -pass for s_client and s_server
12524 to allow alternative format key and certificate files and passphrase
12530 update associated structures and add various utility functions.
12534 to support policy checking and print out.
12550 *Andy Polyakov and a number of other people*
12579 developers should define this symbol when building and using openssl to
12589 * Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
12592 routine to support keys of a specific form. This is used in the des and
12594 code to use new functions and hence generate correct parity DES keys.
12617 information can now expand as required, and rather than having a single
12629 * Preliminary support for certificate policy evaluation and checking. This
12635 * bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
12636 remained unused and not that useful. A variety of other little bignum
12637 tweaks and fixes have also been made continuing on from the audit (see
12642 * Constify all or almost all d2i, c2i, s2i and r2i functions, along with
12643 associated ASN1, EVP and SSL functions and old ASN1 macros.
12647 * BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
12648 and this should never fail. So the return value from the use of
12665 is considered valid when processing BIGNUMs, and causes execution to
12668 structures to try and expose faulty code further on. For now, openssl will
12670 forms that it has tolerated in the past, but authors and packagers should
12671 consider trying openssl and their own applications when compiled with
12673 their own code, and will improve the test coverage for OpenSSL itself. At
12675 maintainability, though the assert()s and other overheads will remain only
12683 to overwrite an existing structure (and cause memory leaks).
12688 template type, lh_insert() adds opaque objects to hash-tables and
12691 (and losing the object pointers). So some over-zealous constifications in
12693 objects as "const" and the `lh_doall[_arg]` callback wrappers are not
12695 given (and so aren't required to cast them away any more).
12699 * The tmdiff.h API was so ugly and minimal that our own timing utility
12703 `char *`. This may still change yet if someone realises MS_TM and
12711 OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
12721 digestedData type and add support for this type in PKCS7 initialization
12732 sure the loop does correctly stop and breaking ("division by zero")
12749 * Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
12758 * Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
12768 to certificate and key stores, be they simple file-based stores, or
12770 NOTE: The code is currently UNTESTED and isn't really used anywhere.
12780 * Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup()
12813 CA database and uses the same mechanisms for serial number generation
12815 this functionality. Adapt CA.sh and CA.pl.in.
12835 req and dirName.
12852 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
12853 and change its own handlers to be NULL so as to remove unnecessary
12872 and the signed data does not need to be all held in memory.
12875 PKCS7_sign() only initializes the PKCS7 structure and the actual signing
12876 is done after the data is output (and digests calculated) in
12881 * Add full support for -rpath/-R, both in shared libraries and
12904 exponentiations with the GMP library. The conversions to and from
12906 cached, and on x86 it appears OpenSSL's own performance has caught up.
12909 specified at Configure time and should be accompanied by the necessary
12923 enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
12929 and DH_METHOD (eg. by ENGINE implementations) to override the normal
12930 software implementations. For DSA and DH, parameter generation can
12935 * Change the "progress" mechanism used in key-generation and
12938 postfixes and the older functions are reimplemented as wrappers for
12942 functions operate on a caller-supplied key-structure and return
12964 * Change the ZLIB compression method to be stateful, and make it
12970 * Add the ASN.1 structures and functions for CertificatePair, which
12978 Also implement the PEM functions to read and write certificate
12979 pairs, and defined the PEM tag as "CERTIFICATE PAIR".
12994 and a macro that behave like
13022 the usual use of --prefix and/or --openssldir, and at run
13025 *Geoff Thorpe and Richard Levitte*
13036 * Add new 'medium level' PKCS#12 API. Certificates and keys
13040 New options to PKCS12_create(), key or cert can be NULL and
13045 Enhance pkcs12 utility by making the -nokeys and -nocerts
13054 encoding. This can output sequences tags and octet strings in
13056 encoding. This is experimental and needs additional code to
13057 be useful, such as an ASN1 bio and some enhanced streaming
13074 *Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)*
13078 *Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)*
13096 and WAP/WTLS; add OIDs that were still missing.
13098 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
13120 of the EC_GROUP and EC_POINT data structures can be shared
13121 between the implementations for prime fields and binary fields;
13127 An internal 'field_div' method (similar to 'field_mul' and
13130 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
13136 and 'ec_wNAF_precomputed_mult') remain the default if these
13139 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
13145 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
13148 (These simply call ..._new and ..._copy).
13150 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
13198 The default algorithm simply uses BN_GF2m_mod_inv() and
13203 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
13220 * Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
13235 Also add 'seed' and 'seed_len' members to EC_GROUP with access
13255 providing useful interfaces to EC_POINT_point2oct() and
13265 are implemented directly in crypto/ec/ec_lib.c and not dispatched
13272 arithmetic, and such that modified wNAFs are generated
13281 on a EC_GROUP, its generator and order. This includes
13288 Add applications 'openssl ecparam' and 'openssl ecdsa'
13289 (these are based on 'openssl dsaparam' and 'openssl dsa').
13295 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
13303 * Include some named elliptic curves, and add OIDs from X9.62,
13304 SECG, and WAP/WTLS. Each curve can be obtained from the new
13307 and the list of available named curves can be obtained with
13317 was actually never needed) and in BN_mul(). The removal in BN_mul()
13318 required a small change in bn_mul_part_recursive() and the addition
13319 of the functions bn_cmp_part_words(), bn_sub_part_words() and
13321 bn_sub_words() and bn_add_words() except they take arrays with
13326 ### Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
13339 * Since AES128 and AES256 share a single mask bit in the logic of
13341 kludge to work properly if AES128 is available and AES256 isn't.
13372 static variable. This allows them to be cleanly unloaded and reloaded.
13376 ### Changes between 0.9.7k and 0.9.7l [28 Sep 2006]
13387 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
13392 *Tavis Ormandy and Will Drewry, Google Security Team*
13396 will no longer include "AES128-SHA"), and any other similar
13398 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
13400 changes from 0.9.8b and 0.9.8d.
13404 ### Changes between 0.9.7j and 0.9.7k [05 Sep 2006]
13407 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
13413 *Darryl Miles via Richard Levitte and Bodo Moeller*
13427 unofficial, and the ID has long expired.
13432 dual-core machines) and other potential thread-safety issues.
13436 ### Changes between 0.9.7i and 0.9.7j [04 May 2006]
13438 * Adapt fipsld and the build system to link against the validated FIPS
13454 ### Changes between 0.9.7h and 0.9.7i [14 Oct 2005]
13464 ### Changes between 0.9.7g and 0.9.7h [11 Oct 2005]
13474 Science and Technology [AIST, Japan)]*
13476 * Minimal support for X9.31 signatures and PSS padding modes. This is
13477 mainly for FIPS compliance and not fully integrated at this stage.
13490 RSA, DSA, and DH private-key operations so that the sequence of
13491 squares and multiplies and the memory access pattern are
13493 cache-timing and potential related attacks.
13496 and this is automatically used by BN_mod_exp_mont() if the new flag
13497 BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
13504 * Change the client implementation for SSLv23_method() and
13518 a threadsafe manner. Modify rsa code to use new function and add calls
13519 to dsa and dh code (which had race conditions before).
13529 ### Changes between 0.9.7f and 0.9.7g [11 Apr 2005]
13531 [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
13535 the 'length' field is signed on one version and unsigned on another
13554 ### Changes between 0.9.7e and 0.9.7f [22 Mar 2005]
13557 server and client random values. Previously
13563 1. Server and client random values still have 24 bytes of pseudo random
13566 2. Server and client random values are sent in the clear in the initial
13570 size for static RSA ciphersuites) as well as client server and random
13597 failure and freeing up memory if a failure occurs.
13607 (in violation of RFC3280) and can't or won't issue name rollover
13625 ### Changes between 0.9.7d and 0.9.7e [25 Oct 2004]
13629 entries during signature checking and serial number lookup. Now the
13630 encoding is cached and the serial number sort performed under a lock.
13643 * Reduce the chances of duplicate issuer name and serial numbers (in
13653 ### Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
13684 A clarification of RFC2560 will require the use of OCTET STRINGs and
13686 copies and compares OCSP nonces as opaque blobs without any attempt at
13693 this HMAC (and other) operations are several times slower than OpenSSL
13698 * Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
13706 ### Changes between 0.9.7b and 0.9.7c [30 Sep 2003]
13711 invalid tags (CVE-2003-0543 and CVE-2003-0544).
13726 if the server requested one: as stated in TLS 1.0 and SSL 3.0
13747 * Various fixes to base64 BIO and non blocking I/O. On write
13749 data was not being buffered properly and had various logic bugs.
13755 * Various S/MIME bugfixes and compatibility changes:
13764 ### Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
13784 by remembering the creator's thread ID in rsa->blinding and
13787 avoids excessive locking; and if an RSA object is not shared
13804 ### Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
13810 between bad padding and a MAC verification error. ([CVE-2003-0078])
13813 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
13818 libcrypto, it's only intended to remove all the function name and
13837 *Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte*
13852 present and it might also want a means of sending no additional
13853 certificates (for example the chain has two certificates and the
13869 enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
13895 ### Changes between 0.9.6h and 0.9.7 [31 Dec 2002]
13897 [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
13901 code (06) was taken as the first octet of the session ID and the last
13904 client and server.
13911 instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
13939 warnings and a request that patches get sent to openssl-dev.
13943 * Add the VC-CE target, introduce the WINCE sysname, and add
13944 INSTALL.WCE and appropriate conditionals to make it build.
13948 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
13949 cygssl-x.y.z.dll, where x, y and z are the major, minor and
13952 *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
13954 * Introduce safe string copy and catenation functions
13955 (BUF_strlcpy() and BUF_strlcat()).
13957 *Ben Laurie (CHATS) and Richard Levitte*
13964 resizing buffers containing secrets, and use where appropriate.
14000 resizing buffers containing secrets, and use where appropriate.
14032 * Eliminate unused and incorrectly sized buffers for IV in pem.h.
14044 * Eliminate unused and incorrectly sized X.509 structure
14049 * Eliminate unused and dangerous function knumber().
14053 * Eliminate unused and dangerous structure, KSSL_ERR.
14076 * Make -nameopt work fully for req and add -reqopt switch.
14080 * The "block size" for block ciphers in CFB and OFB mode should be 1.
14090 * Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
14128 * Improve diagnostics in file reading and command-line digests.
14130 *Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>*
14132 * Add AES modes CFB and OFB to the object database. Correct an
14140 BIOs and some applications. This has the side effect that
14146 * Check the values of dna and dnb in bn_mul_recursive before calling
14148 n2 elements) and fallback to bn_mul_normal if either is not zero.
14167 * Add an "init" command to the ENGINE config module and auto initialize
14171 on the uninitialized ENGINE and after on the initialized one). If
14197 * Add and OPENSSL_LOAD_CONF define which will cause
14200 OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
14202 load the config file and OPENSSL_add_all_algorithms_conf() which will
14207 * Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
14208 Adjust NIDs and EVP layer.
14210 *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
14218 In the case of ca and req the config file used is
14232 and move code to CONF_modules_load_file().
14238 The support was copied from 0.9.6c [engine] and adapted/corrected
14241 *AEP Inc. and Richard Levitte*
14245 The support was copied from 0.9.6c [engine] and adapted
14250 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
14253 *Toomas Kiisk <vix@cyber.ee> and Richard Levitte*
14261 implemented in `apps.c`, and make those routines able to
14262 handle the key format FORMAT_NETSCAPE and the variant
14267 * Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
14271 * Add -keyform to rsautl, and document -engine.
14310 symmetric ciphers, and behave the same way. Move everything to
14313 *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
14317 *Ben Laurie and Theo de Raadt*
14324 (up to about 10% better than before for P-192 and P-224).
14347 'buf' and 'len' point to the actual message, 'ssl' to the
14348 SSL object, and 'arg' is the application-defined value set by
14351 'openssl s_client' and 'openssl s_server' have new '-msg' options
14357 soon as the corresponding static library is finished, and thereby get
14358 openssl and the test programs linked against the shared library.
14362 NOTE: shared library support is still an experimental thing, and
14365 *"Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte*
14377 * New command line and configuration option 'utf8' for the req command.
14382 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
14383 runs for the former and machine-readable output for the latter.
14407 There are also macros that enable and disable the support of old
14409 and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
14418 time in the future, des_old.h and the libdes compatibility functions
14420 default), and then completely removed.
14439 * Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
14441 not have to be to be initialized before the call to EVP_DigestInit() and
14445 initialized valid and new function EVP_MD_CTX_copy_ex() added which
14449 EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
14453 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
14455 instead of overwriting 'msg_type' and 'length' with 'body' data.
14467 support for symmetric ciphers and digest implementations - so ENGINEs
14468 can now accelerate these by providing EVP_CIPHER and EVP_MD
14472 API changes worth noting - some RSA, DSA, DH, and RAND functions that
14475 deal more passive and at run-time, operations deal directly with
14480 BIGNUM_METHOD and they could not be generalised to the new
14492 and make sure the automatically generated functions `ERR_load_*`
14499 or HelloRequest/ClientHello received from the peer) and becomes
14519 * Add some demos for certificate and certificate request creation.
14537 functions to "get" and "set" this destroy handler in an ENGINE.
14541 * Alter all existing ENGINE implementations (except "openssl" and
14544 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
14553 commands that can be used to configure what shared-library to load and
14556 that brings its information up-to-date and
14557 provides some information and instructions on the "dynamic" ENGINE
14576 * Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
14580 is only going to provide a single chunk of data, and hence the
14586 functions. This change also alters the storage and management of global
14587 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
14588 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
14591 and counter, and there is now an API function to dynamically create new
14593 thread-safety problems that existed, and (b) makes it possible to clean
14595 such data would previously have always leaked in application code and
14608 global state (2 LHASH tables and 2 locks) is only used by the "default"
14609 implementation. This change also adds two functions to "get" and "set"
14612 pass the return value to a module it has just loaded, and that module
14614 module's "ERR" operations will use (and modify) the error state in the
14615 application and not in its own statically linked copy of OpenSSL code.
14619 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
14621 the operation, and provides a more encapsulated way for external code
14622 (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
14639 X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
14650 for their choice and can explicitly enable this option.
14688 ASN1 code. Grouping together similar functions and splitting unrelated
14697 * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
14720 and authenticator structs; see crypto/krb5/.
14729 parameters (and 'speed' generating keys each time).
14754 *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*
14767 and with possibilities to have yes/no kind of prompts.
14771 * Change all calls to low-level digest routines in the library and
14772 applications to use EVP. Add missing calls to HMAC_cleanup() and
14782 Adapt the nCipher code for these new conditions and add a card insertion
14790 and interrupts/cancellations.
14833 * New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
14834 setting of purpose and trust fields. New X509_STORE trust and
14835 purpose functions and tidy up setting in other SSL functions.
14839 * Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
14842 X509_STORE structure (such as flags for CRL checking and custom
14846 Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
14848 purposes and trust (in S/MIME for example) to override any set by default.
14850 Add command line options for CRL checking to smime, s_client and s_server
14856 are set then the CRL is looked up in the X509_STORE structure and
14857 its validity and signature checked, then if the certificate is found
14866 by subject name) and ultimately more complete V2 CRL extension
14872 to replace things like des_read_password and friends (backward
14876 a window system and the like.
14891 this case have no functional references and the return value is the single
14898 * Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
14905 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
14908 '-pre' and '-post' switches. '-post' is only used if '-t' is
14909 specified and the ENGINE is successfully initialised. The syntax for
14917 and input types for run-time discovery by calling applications. A
14919 depending on their input type, and only these can be invoked through
14923 result and can only support numeric or string input, whereas some
14928 unambiguously defined by ENGINEs and used consistently across any
14951 - "atalla" and "ubsec" string definitions were moved from header files
14959 - Constified various get/set functions as appropriate and added
14965 and doesn't justify the extra error symbols and code.
14966 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
14994 * Allow multiple 'certopt' and 'nameopt' options to be separated
14995 by commas. Add 'namopt' and 'certopt' options to the 'ca' config
14998 or excluded and extension details. The old system didn't display
15000 and couldn't display additional details such as extensions.
15018 EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
15019 operations and provides various method functions that can also
15025 *Bodo Moeller; point addition and point doubling
15048 * Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
15049 change the def and num file printf format specifier from "%-40sXXX"
15056 * Constify the cipher and digest 'method' functions and structures
15057 and modify related functions to take constant EVP_MD and EVP_CIPHER
15073 * Clean up crypto/err/err.h and change some error codes to avoid conflicts:
15075 Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
15097 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
15101 and
15104 Add options '-batch' and '-verbose' to 'openssl req'.
15122 and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
15129 The #defines are very important, and therefore so is including the
15136 better and easier to understand logic to choose which symbols should
15137 go into the Windows .def files as well as a number of fixes and code
15145 and produce the wrong result if 'num' is negative: this caused
15146 problems with BN_mod() and BN_nnmod().
15151 OCSP request and verifies the signer certificate. The signer
15152 certificate is just checked for a generic purpose and OCSP request
15158 responses. OCSP responses are prepared in real time and may only
15160 between thisUpdate and nextUpdate max reject otherwise valid responses
15162 we allow thisUpdate and nextUpdate to fall within a certain period of
15164 checked. Two new options -validity_period and -status_age added to
15174 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
15199 command-line switch for testing this (and any client code that wishes
15204 * Modify mkdef.pl to recognise and parse preprocessor conditionals
15205 of the form `#if defined(...) || defined(...) || ...` and
15213 with `OPENSSL_` to avoid conflicts with other packages and by making
15225 * New option -set_serial to 'req' and 'x509' this allows the serial
15227 signed certificates were hard coded with serial number 0 and the
15234 Currently CRL reason, invalidity date and hold instruction are
15235 supported. Add new CRL extensions to V3 code and some new objects.
15242 not padded in any way and so the total length must be a multiple
15252 port and path components: primarily to parse OCSP URLs. New -url
15273 * Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
15280 the client's preferred ciphersuites and rather use its own preferences.
15288 to aes and add a new 'exist' option to print out symbols that don't
15293 * Additional options to ocsp utility to allow flags to be set and
15304 * Update Rijndael code to version 3.0 and change EVP AES ciphers to
15311 not enabled by default and were not part of the "ALL" ciphersuite
15315 alias is called "AES" and is part of "ALL".)
15325 OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
15327 creates a response and optionally adds a basic response structure.
15329 response and returns the OCSP_SINGLERESP structure just added (to allow
15331 certificate to a basic response and OCSP_basic_sign() signs a basic
15333 (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
15351 response then it is assumed to be valid and is not verified.
15357 was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
15361 * Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
15363 Fix leaks in PKCS12 and PKCS7 routines.
15371 and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
15379 and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
15380 to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
15387 OCSP_response_status_str(), OCSP_cert_status_str() and
15388 OCSP_crl_reason_str() and are no longer static. New options
15389 to verify nonce values and to disable verification. OCSP response
15400 signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
15406 and related routines. This uses the standard OpenSSL certificate
15407 verify routines to perform initial checks (just CA validity) and
15425 read. The request can be sent to a responder and the output
15451 certificate and verifies the signature on the response.
15457 to 'openssl version', and is also included in 'openssl version -a'.
15462 file name and line number information in additional arguments
15463 (a `const char*` and an int). The basic functionality remains, as
15465 realloc() and free() by functions that do not know about these
15466 additional arguments. To register and find out the current
15475 These work the same way as CRYPTO_set_mem_functions and friends.
15485 the LHASH abstraction, and any casts that remain are "bugs". See
15486 the callback types and macros at the head of lhash.h for details
15487 (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
15495 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
15504 (select timeout) and read in non-blocking mode. DEVRANDOM now
15515 to issue a request to an OCSP responder and analyse the
15522 from response. OCSP_resp_find_status(): finds and extracts status
15530 OCSP_request_add1_nonce() adds a nonce value and optionally
15537 This doesn't copy the supplied OCSP_CERTID and avoids the
15542 is now in OCSP_REQUEST_new() (and the case insensitive name
15551 can be used to send requests and parse the response.
15556 ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
15558 and reorder them to match the encoded order. This resolves a long
15569 * Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
15570 OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
15578 NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
15580 ASN1_ITEM and no wrapper functions.
15584 * New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
15586 the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.
15591 lines, recognize more "algorithms" that can be deselected, and make
15596 * New ASN1 functions to handle dup, sign, verify, digest, pack and
15605 same conventions as certificates and CRLs.
15609 * New function X509V3_add1_i2d(). This automatically encodes and
15612 certificates and CRLs.
15622 * Make mkdef.pl parse some of the ASN1 macros and add appropriate
15636 ssl_verify_cert_chain() and thus can be called at any time
15645 *Broadcom, tweaked and integrated by Geoff Thorpe*
15648 X509V3_print_extensions(). Reorganise OCSP print routines and
15658 * Add a special meaning when SET OF and SEQUENCE OF flags are both
15679 encoder and decoder which interprets an ASN1_ITEM structure describing
15688 so that BN_mod_exp_mont and BN_mod_exp_mont_word work
15693 * Fix BN_uadd and BN_usub: Always return non-negative results instead
15703 * Changed the LHASH code to use prototypes for callbacks, and created
15704 macros to declare and implement thin (optionally static) functions
15705 that provide type-safety and avoid function pointer casting for the
15715 * Reformat the FAQ so the different questions and answers can be divided
15750 * Fix BN_is_word() and BN_is_one() macros to take into account the
15759 BN_is_one(), and BN_is_word().
15781 and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
15782 and add new functions:
15801 `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and `b`]
15812 was actually never needed) and in BN_mul(). The removal in BN_mul()
15813 required a small change in bn_mul_part_recursive() and the addition
15814 of the functions bn_cmp_part_words(), bn_sub_part_words() and
15816 bn_sub_words() and bn_add_words() except they take arrays with
15830 line, '-stdin' option, '-in ...' option) and thus should not
15845 Also constify the RSA code and most things related to it. In a
15891 * Add engine application. It can currently list engines by name and
15892 identity, and test if they are actually available.
15896 * Improve RPM specification file by forcing symbolic linking and making
15925 depending on the operating environment and any oddities about the
15943 NCONF_get_number_e() is defined (`_e` for "error checking") and is
15966 X509_NAME_print_ex() in 'req' and X509_print_ex() function
15977 ### Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
15984 ### Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
15993 ### Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
15998 invalid tags (CVE-2003-0543 and CVE-2003-0544).
16006 if the server requested one: as stated in TLS 1.0 and SSL 3.0
16022 ### Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
16042 by remembering the creator's thread ID in rsa->blinding and
16045 avoids excessive locking; and if an RSA object is not shared
16050 ### Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
16056 between bad padding and a MAC verification error. ([CVE-2003-0078])
16059 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
16062 ### Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
16068 compilers, and 2) cleansing with other values than 0, since those can
16087 repeated calls to OpenSSL_add_all_ciphers() and
16108 wanting this behaviour, and update the docs. The documented
16109 behaviour and actual behaviour were inconsistent and had been
16116 (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
16142 ### Changes between 0.9.6f and 0.9.6g [9 Aug 2002]
16149 ### Changes between 0.9.6e and 0.9.6f [8 Aug 2002]
16152 and get fix the header length calculation.
16154 Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*
16162 ### Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
16172 for the cipher strength set and were therefore not handled correctly
16189 implementations is desired (e.g. '-bugs' option to 's_client' and
16198 Research Projects Agency (DARPA) and Air Force Research Laboratory,
16216 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*
16228 ### Changes between 0.9.6c and 0.9.6d [9 May 2002]
16243 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
16244 <ptsekov@syntrex.com> and Nedelcho Stanev.
16267 * Fix object definitions for Private and Enterprise: they were not
16276 generators, i.e. generators other than 2 and 5. (Previously, the
16277 code did not properly initialise the 'add' and 'rem' values to
16287 * Map new X509 verification errors to alerts. Discovered and submitted by
16307 * Add information about CygWin 1.3 and on, and preserve proper
16310 *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
16313 check whether we deal with a copy of a session and do not delete from
16331 Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
16371 ### Changes between 0.9.6b and 0.9.6c [21 Dec 2001]
16375 worked incorrectly for those cases where range = `10..._2` and
16406 *Cryptographic Appliances and Geoff Thorpe*
16425 *Baltimore Technologies and Mark Cox*
16431 *AEP Inc. and Mark Cox*
16437 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
16438 messages are stored in a single piece (fixed-length part and
16439 variable-length part combined) and fix various bugs found on the way.
16459 * Fix SSL handshake functions and SSL_clear() such that SSL_clear()
16495 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
16503 and the extra bytes are just ignored. However ssl/s2_pkt.c
16518 encoding parameters and hence was not vulnerable.
16548 * Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
16553 * Rework the configuration and shared library support for Tru64 Unix.
16554 The configuration part makes use of modern compiler features and
16557 uses the RPATH feature, and is available through the special
16570 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
16577 ignored and the verify_callback() set in the SSL_CTX at the time of
16583 * Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
16590 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
16591 dh->length and always used
16595 BN_rand_range() is not necessary for Diffie-Hellman, and this
16641 * Add configuration option to build on Linux on both big-endian and
16650 ### Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
16691 * In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
16692 positive and less than q.
16697 used: it isn't thread safe and the add_lock_callback should handle
16703 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
16715 SSL 3.0 and TLS 1.0 anyway because length and version checking
16744 parameters in DSA public key structures and return an error in the
16765 combination of a flag and a thread ID variable.
16768 the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
16778 ### Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
16784 * Change Configure and Makefiles to provide EXE_EXT, which will contain
16786 scripts that use symlink() to test if it really exists and use "cp"
16787 if it doesn't. All this made OpenSSL compilable and installable in
16809 and UnixWare.
16842 * Enhance bctest to search for a working bc along $PATH and print
16895 * Add "-rand" option also to s_client and s_server.
16900 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
16916 * Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
16919 to be set and top=0 forces the highest bit to be set; top=-1 is new
16920 and leaves the highest bit random.
16928 Instead, use NULL for the CONF pointer in CONF_get_string and
16929 CONF_get_number (which may use environment variables) and directly
16938 * Tolerate nonRepudiation as being valid for S/MIME signing and certSign
16953 and break the signature.
17007 * In `RSA_eay_public_{en,de}crypt` and RSA_eay_mod_exp (rsa_eay.c),
17051 Both ssl2_peek and ssl3_peek, which were totally broken in earlier
17053 implementations of ssl2_read and ssl3_read to ssl2_read_internal
17054 and ssl3_read_internal, respectively, and adding 'peek' parameters
17075 the full version number and not just 0. This should mark the
17087 - Make note of the expected extension for the shared libraries and
17104 and not in SSL_clear because the latter is also used by the
17120 ### Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
17141 what it is doing and can handle the new informational codes
17150 counterpart and unknown types were just rejected. Changed so that the
17151 tagged and unknown types are handled in the same way as a SEQUENCE:
17165 text until a linefeed is reached, and then write everything a
17167 not chunks of lines and not (usually doesn't happen, but I've
17203 * Add RPM specification openssl.spec and modify it to build three
17205 documentation and run-time libraries. The devel package contains
17206 include files, static libraries and function documentation. The
17229 and s_server that use select() to determine when to use SSL_read;
17240 * Add a few more EBCDIC conditionals that make `req` and `x509`
17245 * Add two demo programs for PKCS12_parse() and PKCS12_create().
17246 Update PKCS12_parse() so it copies the friendlyName and the
17271 and key usage. It also verifies self signed certificates
17278 Authority and subject key identifier are now cached.
17297 and then examining the cache for matches. This is probably
17307 work and makes it possible to use more efficient techniques
17312 The verify_cb() and verify() callbacks now have equivalents
17326 original encoding of the signed data and use it when outputting
17359 * New Configure entry and patches for compiling on QNX 4.
17364 Nuron (<http://www.nuron.com/>) and is now available in
17370 generation and verification.
17376 types to be stored as a "blob" and an application can
17377 encode and decode it manually.
17388 if passed a NULL BN and its argument was negative.
17400 * Added BIO_vprintf() and BIO_vsnprintf().
17417 and as before, if none of those prefixes are present at the
17431 and are retrieved from there when reconfiguring.
17439 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
17447 names and add quotes on output. It was also omitting some
17450 value as LN and vice versa), these are now added on the
17463 and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
17474 asn1parse'. By implication, the functions ASN1_parse_dump() and
17479 * New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
17480 these print out strings and name structures based on various
17481 flags including RFC2253 support and proper handling of
17488 Also change the functions X509_cmp_current_time() and
17514 default is static libraries only, and the OpenSSL programs
17517 This has been tested on Linux and Tru64.
17532 * New options to smime application. -inform and -outform
17534 PEM and DER. The -content option allows the content to be
17544 * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT
17545 STRING types. These convert content octets to and from the
17546 underlying type. The actual tag and length octets are
17547 already assumed to have been read in and checked. These
17553 and ASN1_INTEGER are identical apart from the tag.
17561 - objects.pl is used to process obj_mac.num and create a new
17566 This is currently kind of a hack, and the perl code in objects.pl
17568 to check that it worked correctly is to look in obj_dat.h and
17569 check the array nid_objs and make sure the objects haven't moved
17608 on which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
17610 and PKCS12_STACK_OF.
17633 * New X509_get1_email() and X509_REQ_get1_email() functions that return
17635 in the subject name and the subject alternative name extensions and
17640 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
17672 in when OpenSSL is configured with the DEBUG_SAFESTACK option and
17680 * The STACK code has been cleaned up, and certain type declarations
17692 (The PRNG state consists of two parts, the large pool 'state' and 'md',
17698 all of 'md', and seeding with STATE_SIZE dummy bytes will result
17704 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
17714 key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
17715 setting of RC2 and RC5 parameters.
17717 Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
17722 cipher mode. They also all do nothing if the 'key' parameter is NULL and
17723 for CFB and OFB modes they zero ctx->num.
17727 Most of the routines have the same form and so can be declared in terms
17761 and so on that are implemented in OpenSSL.
17766 with the same subject name hash and wouldn't handle CRLs at all.
17772 * Eliminate non-ANSI declarations in crypto.h and stack.h.
17786 double NULL. However no password at all is different and is
17790 the same: PKCS12_parse() tries zero length and no password if
17796 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use
17803 it in ERR_remove_state if appropriate, and change ERR_get_state
17823 that are sufficiently small and have no path information
17856 NCONF_default and NCONF_WIN32 are method (or "class") choosers,
17876 * Initial DSO code added into libcrypto for letting OpenSSL (and
17877 OpenSSL-based applications) load shared libraries and bind to
17882 ### Changes between 0.9.5 and 0.9.5a [1 Apr 2000]
17884 * Make sure _lrotl and _lrotr are only used with MSVC.
17890 to '-clrext' (= clear extensions), as intended and documented.
17920 the output goes to stdout and nothing is printed to stderr.
17945 * New s_client option -ign_eof: EOF at stdin is ignored, and
17946 'Q' and 'R' lose their special meanings (quit/renegotiate).
17952 * Add compatibility options to the purpose and trust code. The
17957 X509_TRUST_COMPAT is the old trust behaviour: only and
17960 a purpose has no associated trust setting and it should instead
17966 and fix a memory leak.
17972 the default to have only downcase letters (and digits) in
18001 * In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
18002 instead of RAND_bytes for encryption IVs and salts.
18031 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
18037 ### Changes between 0.9.4 and 0.9.5 [28 Feb 2000]
18040 were added manually and by SMIME_crlf_copy().
18054 assembly language builder. If this argument exists and is set
18070 and has to call `..._free`; 'get0' returns a pointer to some
18074 Similarly, 'set1' and 'add1' functions increase reference
18080 the code used to assume it always worked and crashed on failure.
18089 RAND_egd() and RAND_status(). In the command line application,
18100 * Remove the SSL_ALLOW_ADH compile option and set the default cipher
18109 EVP_MD_md(). Change code that uses it and update docs.
18131 *Richard Levitte, Ulf and Bodo Möller*
18133 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
18144 * Add some PEM_write_X509_REQ_NEW() functions and a command line
18152 obtained from various sources. Delete the PEM_cb function and make
18153 it the default behaviour: i.e. if the callback is NULL and the
18155 phrase. If usrdata and the callback are NULL then the pass phrase
18162 autodetect the card and use it if present.
18164 *Ben Laurie and Compaq Inc.*
18167 and server done in one record. Since this is perfectly legal in the
18168 SSL/TLS protocol it isn't a "bug" option and is on by default. See
18177 * Add -rand argument to smime and pkcs12 applications and read/write
18182 * New 'passwd' tool for crypt(3) and apr1 password hashes.
18195 * More tests in bntest.c, and changed test_bn output.
18203 * Bug fix for BN_div() when the first words of num and divisor are
18208 * Add support for various broken PKCS#8 formats, and command line
18213 * New functions BN_CTX_start(), BN_CTX_get() and BN_CTX_end() to
18218 * Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
18223 * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
18226 SSLeay_add_all_ciphers() to just add ciphers to the table and not
18228 and SSLeay_add_all_ciphers() were in the same source file so calling
18233 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
18253 (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
18269 and DSA_generate_parameters: The callback function is called once
18271 occasionally in the inner loop; and the parameters to the
18282 division before starting the Rabin-Miller test and has
18303 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
18305 SSLeay 0.9.0 (the word based version is faster anyway), and clean up
18317 by stat(). RAND_load_file(..., -1) is new and uses the complete file
18323 used `char *` instead of `void *` and had casts all over the place.
18344 * Merge the functionality of "dh" and "gendh" programs into a new program
18350 * Make the ciphers, s_server and s_client programs check the return values
18375 for the first serial number and places 2 in the serial number file. This
18376 avoids problems when the root CA is created with serial number zero and
18377 the first user certificate has the same issuer name and serial number
18389 structures and behave in an analogous way to the X509v3 functions:
18395 PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
18396 things. Some of these need some d2i or i2d and print functionality
18431 from an X509_CTX structure with a dup of the stack and all
18443 -nomaciter option is used. This improves file security and
18453 unstructuredName and unstructuredAddress. These are taken from
18466 file containing all the field values and have req construct the
18470 used all over the place including certificate requests and PKCS#7
18474 attributes to be looked up by NID and added.
18477 automatically handle the encoding, decoding and printing of the
18485 (as in countryName) and using the mask might result in no valid
18490 * Clean up 'Finished' handling, and add functions SSL_get_finished and
18497 (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
18504 the host supports BWX extension and if Compaq C is present on the
18506 performance kick for some algorithms, e.g. DES and RC4 to mention
18507 a couple. Compaq C in turn generates ~20% faster code for MD5 and
18514 weak crypto and after checking the certificate is SGC a second one
18516 the server certificate message and sends a second client hello. Since
18540 (the worst that can happen is a handshake failure, and 'correct'
18554 * Add OIDs for idea and blowfish in CBC mode. This will allow both
18555 to be used in PKCS#5 v2.0 and S/MIME. Also add checking to
18557 defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
18562 * Simplify the trust setting structure and code. Now we just have
18563 two sequences of OIDs for trusted and rejected settings. These will
18565 and any application specific purposes.
18570 for a given id. SSL client, server and email already have functions
18571 in place for compatibility: they check the NID and also return "trusted"
18588 * Add a bunch of DER and PEM functions to handle PKCS#8 format private
18589 keys. Add some short names for PKCS#8 PBE algorithms and allow them
18590 to be specified on the command line for the pkcs8 and pkcs12 utilities.
18597 and produce an error if it couldn't. For compatibility we also have
18598 ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
18608 * Rebuild of the memory allocation routines used by OpenSSL code and
18610 provide hooks so anyone can build a separate set of allocation and
18613 since Malloc(), Realloc() and Free() were defined as macros having
18614 the values malloc, realloc and free, respectively (except for Win32
18619 With these changes, a new set of functions and macros have appeared:
18640 and deallocation) at all times, regardless of platform and compiler
18644 way than through macros have a new API and new semantic:
18652 *Richard Levitte and Bodo Moeller*
18655 ordering of SMIMECapabilities wasn't in "strength order" and there
18662 ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
18668 functionality to handle multipart/signed properly) and a utility
18675 * Add variants des_set_key_checked and des_set_key_unchecked of
18678 des_check_key behaves as it always did, but applications and
18689 * Modify X509_TRUST and X509_PURPOSE so it also uses a static and
18691 table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
18692 functions so they accept a list of the field values and the
18698 * Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
18706 and the application can add dynamic ones if needed. The file
18708 updated whenever a new extension is added to the core code and kept
18714 can be looked up immediately and no longer need to be "added" using
18731 * Fixes and enhancements to the 'x509' utility. It allowed a message
18735 -fingerprint and -x509toreq options. Also -x509toreq choked if a
18742 when the X509_STORE_CTX structure is set up) and checks the pathlength.
18746 every previous version of OpenSSL and SSLeay made no checks at all.
18755 Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
18759 SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
18761 and vice versa.
18764 untrusted certificates to be passed in and -purpose which sets the
18774 * Modify RSA and DSA PEM read routines to transparently handle
18786 formats some of which are standard and some OpenSSL specific and
18787 require various evil hacks to allow partial transparent handling and
18792 With public keys and the benefit of hindsight one standard format
18798 (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add
18806 * Fixes to crypto/x509/by_file.c the code to read in certificates and
18808 added a new function to read in both types and return the number
18810 DER versions of the certificate and CRL reader would always fail
18811 because it isn't possible to mix certificates and CRLs in DER format
18815 attempting to read in certificates from NULL pointers and ignoring
18816 any errors: this is one reason why the cert and CRL reader seemed
18841 (and add it to external session representation).
18866 hash and comparing that. X509_cmp() will be needed by the trust
18877 Also change the X509_LOOKUP and X509_INFO code to handle
18882 * Add support for 40 and 64 bit RC2 and RC4 algorithms: document
18890 the string plus current file name and line number to a per-thread
18897 * Add options -text and -noout to pkcs7 utility and delete the
18905 manpages and fix a few bugs.
18914 leaking and not finding already revoked certificates.
18919 This involves the use of X509_CERT_AUX structure and X509_AUX
18927 Current auxiliary information includes an "alias" and some trust
18930 can only be trusted if it is self signed and then it is trusted
18946 A few however don't do this and instead use the size of the decrypted key
18947 to determine the RC2 key length and the AlgorithmIdentifier to determine
18952 the key length and effective key length are equal.
18959 and have it automatically work out the correct field type and fill in
18962 and it will (hopefully) work out the correct multibyte encoding.
18966 * Change the 'req' utility to use the new field handling and multibyte
18968 way in req, ca, and x509 which was rather broken and didn't support
18978 - Make sure that concurrent threads access the global counter and
18982 the additional locking could be a performance killer, and
18997 seed file at least for key creation, DSA signing, and for DH exchanges;
19000 gendh and gendsa (unlike genrsa) used to read only the first byte
19002 found in genrsa is now in app_rand.c and is used by all programs
19020 and it chooses the "minimal" type to use or an error if not type
19034 server or S/MIME and CAs of these types. This is currently
19041 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated
19047 for, obtain and decode and extension and obtain its critical flag.
19059 its main use is when combined with -strparse and -out to extract data
19076 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
19096 data and it contains EOF it will end up returning an error. This is
19100 do a flag is set and it starts again knowing it can pass all the
19103 is made to pass two EOFs through the context and this causes the
19105 usual with these problems it takes *ages* to find and the fix is
19110 * Ugly workaround to get s_client and s_server working under Windows. The
19111 old code wouldn't work because it needed to select() on sockets and the
19112 tty (for keypresses and to see if data could be written). Win32 only
19114 sockets and then see if any characters are waiting to be read, if none
19117 received a complete line of data and it is effectively polling the
19125 and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
19126 will be called when RSA_sign() and RSA_verify() are used. This is useful
19127 if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
19128 For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
19129 should *not* be used: RSA_sign() and RSA_verify() must be used instead.
19131 for SSL signatures and modifications to the SSL library to use it instead
19132 of calling RSA_public_decrypt() and RSA_private_encrypt().
19136 * Add new -verify -CAfile and -CApath options to the crl program, these
19137 will lookup a CRL issuers certificate and verify the signature in a
19154 by the RSA patent while allowing storage and parsing of RSA keys and RSA
19169 * New functions UTF8_getc() and UTF8_putc() that parse and generate
19175 (s23_srvr.c) and for RSA client key exchange verification
19182 NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
19183 print, verify and generate SPKACs. Based on an original idea from
19188 * RIPEMD160 is operational on all platforms and is back in 'make test'.
19195 and can be applied to ca, req and x509. Also -reqexts to override
19196 the request extensions in req and -crlexts to override the crl extensions
19230 * Initial support for DSA_METHOD. This is based on the RSA_METHOD and
19232 "per key" basis to be replaced. This allows hardware acceleration and
19234 library. Also added low-level modexp hooks and CRYPTO_EX structure and
19240 as "read only": it can't be written to and the buffer it points to will
19244 to create a memory BIO and write the data to it, this results in two
19245 copies of the data and an O(n^2) reading algorithm. There is a new
19262 the encrypted data type: this is a more sensible place to put it and it
19268 * Changed obj_dat.pl script so it takes its input and output files on
19276 extensions to be obtained and added.
19280 * -crlf option to s_client and s_server for sending newlines as
19285 ### Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
19295 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
19306 where `p = 2*q + 1`), and also the smaller q makes DH computations
19338 no private key components need be present and it might store extra data
19354 The `PEM[_ASN1]_{read,write}...` functions and macros now take an
19366 happens to be on the stack as its last argument, and the callback
19370 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
19383 * More DES library cleanups: remove references to srand/rand and
19389 since not many people have MASM (ml) and it can be hard to obtain.
19390 This is currently experimental but it seems to work OK and pass all
19397 and connections with temporary keys did not free everything in case
19402 * New function RSA_check_key and new openssl rsa option -check
19411 3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.
19416 you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
19426 keys when the signing key was also DSA and the parameters didn't match.
19435 This meant that parameters were omitted when they *didn't* match and
19452 Some inconsistent states that previously were possible (and were
19455 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
19459 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
19487 * New functions RSA_get_default_method(), RSA_set_method() and
19493 * Fix memory leaks in DSA_do_sign and DSA_is_prime.
19494 Also really enable memory leak checks in openssl.c and in some
19499 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
19501 store the length when it is first determined and use it later, rather
19502 than trying to keep track of where data is copied and updating it to
19510 case: certificates can be omitted from a PKCS#7 structure and be
19522 options set by Configure in the top level Makefile, and Configure
19528 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
19565 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
19567 PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
19578 wrong with it but it was very old and did things like calling
19579 PEM_ASN1_read() directly and used MD5 for the hash not to mention some
19584 * Fix demos/selfsign.c: it used obsolete and deleted functions, changed
19638 structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
19643 'parameter' argument instead of literal salt and iteration count values
19644 and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
19649 and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
19652 value was just used as a "magic string" and not used directly its
19698 ### Changes between 0.9.3 and 0.9.3a [29 May 1999]
19731 ### Changes between 0.9.2b and 0.9.3 [24 May 1999]
19734 This also avoids the problems with SC4.2 and unpatched SC5.
19738 * New functions sk_num, sk_value and sk_set to replace the previous macros.
19741 and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
19746 that does this will no longer work (and should use sk_set instead) but
19766 * Reorganise the PKCS#7 library and get rid of some of the more obvious
19768 and initialise the ASN1 structures properly based on passed cipher.
19776 * Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
19777 to and from BNs: it was completely broken. New compilation option
19783 * Reorganize and speed up MD5.
19815 * Various fixes to the EVP and PKCS#7 code. It may now be able to
19822 various ways (and thus what used to be known as ctx->default_cert
19838 the peer's certificate chain and, for clients, the server's certificate
19839 and temporary key. CERT holds only those values that can have
19846 evil casts and set the enc_dig_alg field properly based on the signing
19854 and 'x509').
19860 VeriSign uses it and IE5 only recognises this form. Document 'x509'
19866 without disallowing inline assembler and the like for non-pedantic builds.
19878 * SHA-1 cleanups and performance enhancements.
19886 * Accept any -xxx and +xxx compiler options in Configure.
19934 * New Configure options "threads" and "no-threads". For systems
19936 and Linux), "threads" is the default.
19963 * Remove NOPROTO sections and error code comments.
19972 * New Configure options --prefix=DIR and --openssldir=DIR.
19978 header rewriting and C source file generation. It should be much better
19981 aren't needed for error creation any more) and do a better job of
19983 in a comment' is no longer necessary and it doesn't use .err files which
20003 Policies and CRL distribution points documentation.
20013 between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
20046 * Support for Certificate Policies extension: both print and set.
20051 * A lot of constification, and fix a bug in X509_NAME_oneline() that could
20056 * Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
20057 types DirectoryString and DisplayText.
20062 add an LHASH database driver and add several ctx helper functions.
20080 * Delete various functions and files that belonged to the (now obsolete)
20103 not: the conversion is trivial, and it eliminates loads of evil casts. A
20117 `-text` option at all and this way the `-noout -text` combination was
20142 * New functions DSA_do_sign and DSA_do_verify to provide access to
20156 * New variables $(RANLIB) and $(PERL) in the Makefiles.
20165 * Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
20176 application. Various cleanups and fixes.
20180 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
20181 modify error routines to work internally. Add error codes and PBE init
20186 * Further PKCS#12 integration. Added password based encryption, PKCS#8 and
20187 packing functions to asn1 and evp. Changed function names and error
20192 * PKCS12 integration: and so it begins... First of several patches to
20199 and display support for Thawte strong extranet extension.
20207 * Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
20210 *Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie*
20222 ### Changes between 0.9.1c and 0.9.2b [22 Mar 1999]
20231 client certs and session caches in multiple contexts NEEDS PATCHING to
20234 *Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)*
20237 crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
20238 permission on "config" script to be executable) and a fix for the INSTALL
20243 * Remove some legacy and erroneous uses of malloc, free instead of
20271 externally generated keys because OpenSSL (and SSLeay) ensure p > q.
20275 * Be less restrictive and allow also `perl util/perlpath.pl
20288 advapi32.lib to Win32 build and change the pem test comparison
20290 suggestion). Fix misplaced ANSI prototypes and declarations in evp.h
20291 and crypto/des/ede_cbcm_enc.c.
20306 in e_os.h. Audit of header files to check ANSI and non ANSI
20307 sections: 10 functions were absent from non ANSI section and not exported
20317 BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
20323 fine under Unix and passes some trivial tests I've now added. But the
20327 up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
20345 Currently only issuerAltName and AuthorityKeyIdentifier make any sense
20350 * Add a useful kludge to allow package maintainers to specify compiler and
20357 `<details>` and `perl Configure <id>` is called. So, when you want to
20358 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
20375 * Remarkably, export ciphers were totally broken and no-one had noticed!
20382 And add a paragraph about the dual-license situation to make sure people
20389 display consistent in the source tree and replaced `/bin/rm` by `rm`.
20392 to speed processing and no longer clutter the display with confusing
20406 the detached data encoding was wrong and public keys obtained using
20422 button and can be used by applications based on OpenSSL to show the
20428 ssl/ssl_lib.c and ssl/ssl.h.
20437 functions that return function pointers and has support for NT specific
20438 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
20439 #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
20445 SSL_add_dir_cert_subjects_to_stack() and
20447 SSL_load_client_CA_file(), and can be used to add multiple certs easily
20449 This means that Apache-SSL and similar packages don't have to mess around
20456 See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with
20470 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
20471 DH private keys and/or callback functions which directly correspond to
20479 temporary keys were not overtaken from the context and the API provided
20481 The new functions now let applications reconfigure the stuff and they
20483 SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
20485 function and also to reduce code redundancy inside ssl_rsa.c.
20489 * Move s_server -dcert and -dkey options out of the undocumented feature
20490 area because they are useful for the DSA situation and should be
20507 from `int` to `unsigned int` because it is a length and initialized by
20534 * Dump the old yucky req code that tried (and failed) to allow raw OIDs
20535 to be added. Now both 'req' and 'ca' can use new objects defined in the
20545 TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
20564 for some CRL extensions and new objects added.
20569 key usage extension and fuller support for authority key id.
20579 *Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
20595 in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`.
20611 not many people have the assembler. Various Win32 compilation fixes and
20618 file under Win32 and also build pem.h from pem.org. New script
20625 and purity. As a result, many evil casts evaporated, and some weirdness,
20651 message is now correct (it understands "crypto" and "ssl" on its
20653 the util/ssleay.num and util/libeay.num files with any new functions.
20672 where we collect the old documents and readme texts.
20682 * More extension code. Incomplete support for subject and issuer alt
20683 name, issuer and authority key id. Change the i2v function parameters
20684 and add an extra 'crl' parameter in the X509V3_CTX structure: guess
20686 IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
20727 doing certificate verification and some other functions.
20731 * Add ASN1 and PEM code to support netscape certificate sequences.
20735 * Add ASN1 and PEM code to support netscape certificate sequences.
20739 * Add several PKIX and private extended key usage OIDs.
20749 and add a sample to openssl.cnf so req -x509 now adds appropriate
20755 error code, add initial support to X509_print() and x509 application.
20759 * Take a deep breath and start adding X509 V3 extension support code. Add
20761 stuff is currently isolated and isn't even compiled yet.
20765 * Continuing patches for GeneralizedTime. Fix up certificate and CRL
20766 ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
20784 now reads in the old error codes and retains the old numbers, only
20806 * Beginning of support for GeneralizedTime. d2i, i2d, check and print
20842 based on a text string, looking up short and long names and finally
20844 OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
20859 * Get the `gendsa` command working and add it to the `list` command. Remove
20891 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
20918 * Fix the various library and `apps/` files to free up pkeys obtained from
20926 *Steve Henson and Ben Laurie*
20929 `openssl` and second, the shortcut symlinks for the `openssl <command>`
20930 are no longer created. This way we have a single and consistent command
20933 *Ralf S. Engelschall, Paul Sutton and Ben Laurie*
20955 * Fix build order of pem and err to allow for generated pem.h.
20964 global and can add a library name. This is needed for external ASN1 and
21024 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
21026 * Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
21063 * Recompiled the error-definition header files and added
21069 o new files: CHANGES and LICENSE
21070 o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
21092 Young and Tim J. Hudson created while they were working for C2Net until
21097 ### Changes between 0.9.0b and 0.9.1b [not released]
21113 RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
21123 * Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
21219 * Fixed various code and comment typos.