1OpenSSL CHANGES 2=============== 3 4This is a detailed breakdown of significant changes. For a high-level overview 5of changes in each release, see [NEWS.md](./NEWS.md). 6 7For a full list of changes, see the [git commit log][log] and pick the 8appropriate release branch. 9 10 [log]: https://github.com/openssl/openssl/commits/ 11 12OpenSSL Releases 13---------------- 14 15 - [OpenSSL 3.5](#openssl-35) 16 - [OpenSSL 3.4](#openssl-34) 17 - [OpenSSL 3.3](#openssl-33) 18 - [OpenSSL 3.2](#openssl-32) 19 - [OpenSSL 3.1](#openssl-31) 20 - [OpenSSL 3.0](#openssl-30) 21 - [OpenSSL 1.1.1](#openssl-111) 22 - [OpenSSL 1.1.0](#openssl-110) 23 - [OpenSSL 1.0.2](#openssl-102) 24 - [OpenSSL 1.0.1](#openssl-101) 25 - [OpenSSL 1.0.0](#openssl-100) 26 - [OpenSSL 0.9.x](#openssl-09x) 27 28OpenSSL 3.5 29----------- 30 31### Changes between 3.5.2 and 3.5.3 [16 Sep 2025] 32 33 * Avoided a potential race condition introduced in 3.5.1, where 34 `OSSL_STORE_CTX` kept open during lookup while potentially being used 35 by multiple threads simultaneously, that could lead to potential crashes 36 when multiple concurrent TLS connections are served. 37 38 *Matt Caswell* 39 40 * The FIPS provider no longer performs a PCT on key import for RSA, DH, 41 and EC keys (that was introduced in 3.5.2), following the latest update 42 on that requirement in FIPS 140-3 IG 10.3.A additional comment 1. 43 44 *Dr Paul Dale* 45 46 * Secure memory allocation calls are no longer used for HMAC keys. 47 48 *Dr Paul Dale* 49 50 * `openssl req` no longer generates certificates with an empty extension list 51 when SKID/AKID are set to `none` during generation. 52 53 *David Benjamin* 54 55 * The man page date is now derived from the release date provided 56 in `VERSION.dat` and not the current date for the released builds. 
57 58 *Enji Cooper* 59 60 * Hardened the provider implementation of the RSA public key "encrypt" 61 operation to add a missing check that the caller-indicated output buffer 62 size is at least as large as the byte count of the RSA modulus. The issue 63 was reported by Arash Ale Ebrahim from SYSPWN. 64 65 This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that 66 in fact provide a sufficiently large buffer, but fail to correctly indicate 67 its size may now encounter unexpected errors. In applications that attempt 68 RSA public encryption into a buffer that is too small, an out-of-bounds 69 write is now avoided and an error is reported instead. 70 71 *Viktor Dukhovni* 72 73 * Added FIPS 140-3 PCT on DH key generation. 74 75 *Nikola Pajkovsky* 76 77 * Fixed the synthesised `OPENSSL_VERSION_NUMBER`. 78 79 *Richard Levitte* 80 81### Changes between 3.5.1 and 3.5.2 [5 Aug 2025] 82 83 * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. 84 This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. 85 86 *Dr Paul Dale* 87 88### Changes between 3.5.0 and 3.5.1 [1 Jul 2025] 89 90 * Fix x509 application adds trusted use instead of rejected use. 91 92 Issue summary: Use of -addreject option with the openssl x509 application adds 93 a trusted use instead of a rejected use for a certificate. 94 95 Impact summary: If a user intends to make a trusted certificate rejected for 96 a particular use it will be instead marked as trusted for that use. 97 98 ([CVE-2025-4575]) 99 100 *Tomas Mraz* 101 102 * Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation 103 alert being received. Older versions of OpenSSL failed with DTLS if a 104 no_renegotiation alert was received. All versions of OpenSSL do this for TLS. 105 From 3.2 a bug was exposed that meant that DTLS ignored no_rengotiation. We 106 have now restored the original behaviour and brought DTLS back into line with 107 TLS. 
108 109 *Matt Caswell* 110 111### Changes between 3.4 and 3.5.0 [8 Apr 2025] 112 113 * Added server side support for QUIC 114 115 *Hugo Landau, Matt Caswell, Tomáš Mráz, Neil Horman, Sasha Nedvedicky, Andrew Dinh* 116 117 * Tolerate PKCS#8 version 2 with optional public keys. The public key data 118 is currently ignored. 119 120 *Viktor Dukhovni* 121 122 * Signature schemes without an explicit signing digest in CMS are now supported. 123 Examples of such schemes are ED25519 or ML-DSA. 124 125 *Michael Schroeder* 126 127 * The TLS Signature algorithms defaults now include all three ML-DSA variants as 128 first algorithms. 129 130 *Viktor Dukhovni* 131 132 * Added a `no-tls-deprecated-ec` configuration option. 133 134 The `no-tls-deprecated-ec` option disables support for TLS elliptic curve 135 groups deprecated in RFC8422 at compile time. This does not affect use of 136 the associated curves outside TLS. By default support for these groups is 137 compiled in, but, as before, they are not included in the default run-time 138 list of supported groups. 139 140 With the `enable-tls-deprecated-ec` option these TLS groups remain enabled at 141 compile time even if the default configuration is changed, provided the 142 underlying EC curves remain implemented. 143 144 *Viktor Dukhovni* 145 146 * Added new API to enable 0-RTT for 3rd party QUIC stacks. 147 148 *Cheng Zhang* 149 150 * Added support for a new callback registration `SSL_CTX_set_new_pending_conn_cb`, 151 which allows for application notification of new connection SSL object 152 creation, which occurs independently of calls to `SSL_accept_connection()`. 153 Note: QUIC objects passed through SSL callbacks should not have their state 154 mutated via calls back into the SSL api until such time as they have been 155 received via a call to `SSL_accept_connection()`. 156 157 *Neil Horman* 158 159 * Add SLH-DSA as specified in FIPS 205. 160 161 *Shane Lontis and Dr Paul Dale* 162 163 * ML-KEM as specified in FIPS 203. 
164 165 Based on the original implementation in BoringSSL, ported from C++ to C, 166 refactored, and integrated into the OpenSSL default and FIPS providers. 167 Including also the X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024 168 TLS hybrid key post-quantum/classical key agreement schemes. 169 170 *Michael Baentsch, Viktor Dukhovni, Shane Lontis and Paul Dale* 171 172 * Add ML-DSA as specified in FIPS 204. 173 174 The base code was derived from BoringSSL C++ code. 175 176 *Shane Lontis, Viktor Dukhovni and Paul Dale* 177 178 * Added new API calls to enable 3rd party QUIC stacks to use the OpenSSL TLS 179 implementation. 180 181 *Matt Caswell* 182 183 * The default DRBG implementations have been changed to prefer to fetch 184 algorithm implementations from the default provider (the provider the 185 DRBG implementation is built in) regardless of the default properties 186 set in the configuration file. The code will still fallback to find 187 an implementation, as done previously, if needed. 188 189 *Simo Sorce* 190 191 * Initial support for opaque symmetric keys objects (EVP_SKEY). These 192 replace the ad-hoc byte arrays that are pervasive throughout the library. 193 194 *Dmitry Belyavskiy and Simo Sorce* 195 196 * The default TLS group list setting is now set to: 197 `?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072` 198 199 This means two key shares (X25519MLKEM768 and X25519) will be sent by 200 default by the TLS client. GOST groups and FFDHE groups larger than 3072 201 bits are no longer enabled by default. 202 203 The group names in the group list setting are now also case insensitive. 204 205 *Viktor Dukhovni* 206 207 * For TLSv1.3: Add capability for a client to send multiple key shares. 208 Extend the scope of `SSL_OP_CIPHER_SERVER_PREFERENCE` to cover 209 server-side key exchange group selection. 
210 211 Extend the server-side key exchange group selection algorithm and related 212 group list syntax to support multiple group priorities, e.g. to prioritize 213 (hybrid-)KEMs. 214 215 *David Kelsey*, *Martin Schmatz* 216 217 * A new random generation API has been introduced which modifies all 218 of the L<RAND_bytes(3)> family of calls so they are routed through a 219 specific named provider instead of being resolved via the normal DRBG 220 chaining. In a future OpenSSL release, this will obsolete RAND_METHOD. 221 222 *Dr Paul Dale* 223 224 * New inline functions were added to support loads and stores of unsigned 225 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian 226 form, regardless of the host byte-order. See the `OPENSSL_load_u16_le(3)` 227 manpage for details. 228 229 *Viktor Dukhovni* 230 231 * All the `BIO_meth_get_*()` functions allowing reuse of the internal OpenSSL 232 BIO method implementations were deprecated. The reuse is unsafe due to 233 dependency on the code of the internal methods not changing. 234 235 *Tomáš Mráz* 236 237 * Support DEFAULT keyword and '-' prefix in `SSL_CTX_set1_groups_list()`. 238 `SSL_CTX_set1_groups_list()` now supports the DEFAULT keyword which sets the 239 available groups to the default selection. The '-' prefix allows the calling 240 application to remove a group from the selection. 241 242 *Frederik Wedel-Heinen* 243 244 * Updated the default encryption cipher for the `req`, `cms`, and `smime` applications 245 from `des-ede3-cbc` to `aes-256-cbc`. 246 247 AES-256 provides a stronger 256-bit key encryption than legacy 3DES. 248 249 *Aditya* 250 251 * Enhanced PKCS#7 inner contents verification. 252 In the `PKCS7_verify()` function, the BIO *indata parameter refers to the 253 signed data if the content is detached from p7. Otherwise, indata should be 254 NULL, and then the signed data must be in p7. 
255 256 The previous OpenSSL implementation only supported MIME inner content 257 [RFC 5652, section 5.2]. 258 259 The added functionality now enables support for PKCS#7 inner content 260 [RFC 2315, section 7]. 261 262 *Małgorzata Olszówka* 263 264 * The `-rawin` option of the `pkeyutl` command is now implied (and thus no 265 longer required) when using `-digest` or when signing or verifying with an 266 Ed25519 or Ed448 key. 267 The `-digest` and `-rawin` option may only be given with `-sign` or `verify`. 268 269 *David von Oheimb* 270 271 * `X509_PURPOSE_add()` has been modified 272 to take `sname` instead of `id` as the primary purpose identifier. 273 For its convenient use, `X509_PURPOSE_get_unused_id()` has been added. 274 275 This work was sponsored by Siemens AG. 276 277 *David von Oheimb* 278 279 * Added support for central key generation in CMP. 280 281 This work was sponsored by Siemens AG. 282 283 *Rajeev Ranjan* 284 285 * Optionally allow the FIPS provider to use the `JITTER` entropy source. 286 Note that using this option will require the resulting FIPS provider 287 to undergo entropy source validation [ESV] by the [CMVP], without this 288 the FIPS provider will not be FIPS compliant. Enable this using the 289 configuration option `enable-fips-jitter`. 290 291 *Paul Dale* 292 293 * Extended `OPENSSL_ia32cap` support to accommodate additional `CPUID` 294 feature/capability bits in leaf `0x7` (Extended Feature Flags) as well 295 as leaf `0x24` (Converged Vector ISA). 296 297 *Dan Zimmerman, Alina Elizarova* 298 299 * Cipher pipelining support for provided ciphers with new API functions 300 EVP_CIPHER_can_pipeline(), EVP_CipherPipelineEncryptInit(), 301 EVP_CipherPipelineDecryptInit(), EVP_CipherPipelineUpdate(), 302 and EVP_CipherPipelineFinal(). Cipher pipelining support allows application to 303 submit multiple chunks of data in one cipher update call, thereby allowing the 304 provided implementation to take advantage of parallel computing. 
There are 305 currently no built-in ciphers that support pipelining. This new API replaces 306 the legacy pipeline API [SSL_CTX_set_max_pipelines](https://docs.openssl.org/3.3/man3/SSL_CTX_set_split_send_fragment/) used with Engines. 307 308 *Ramkumar* 309 310 * Add CMS_NO_SIGNING_TIME flag to CMS_sign(), CMS_add1_signer() 311 312 Previously there was no way to create a CMS SignedData signature without a 313 signing time attribute, because CMS_SignerInfo_sign added it unconditionally. 314 However, there is a use case (PAdES signatures [ETSI EN 319 142-1](https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf) ) 315 where this attribute is not allowed, so a new flag was added to the CMS API 316 that causes this attribute to be omitted at signing time. 317 318 The new `-no_signing_time` option of the `cms` command enables this flag. 319 320 *Juhász Péter* 321 322 * Parallel dual-prime 1024/1536/2048-bit modular exponentiation for 323 AVX_IFMA capable processors (Intel Sierra Forest and its successor). 324 325 This optimization brings performance enhancement, ranging from 1.8 to 2.2 326 times, for the sign/decryption operations of rsaz-2k/3k/4k (`openssl speed rsa`) 327 on the Intel Sierra Forest. 328 329 *Zhiguo Zhou, Wangyang Guo (Intel Corp)* 330 331 * VAES/AVX-512 support for AES-XTS. 332 333 For capable processors (>= Intel Icelake), this provides a 334 vectorized implementation of AES-XTS with a throughput improvement 335 between 1.3x to 2x, depending on the block size. 336 337 *Pablo De Lara Guarch, Dan Pittman* 338 339 * Fixed EVP_DecodeUpdate() to not write padding zeros to the decoded output. 340 341 According to the documentation, for every 4 valid base64 bytes processed 342 (ignoring whitespace, carriage returns and line feeds), EVP_DecodeUpdate() 343 produces 3 bytes of binary output data (except at the end of data 344 terminated with one or two padding characters). 
However, the function 345 behaved like an EVP_DecodeBlock(). It produced exactly 3 output bytes for 346 every 4 input bytes. Such behaviour could cause writes to a non-allocated 347 output buffer if a user allocates its size based on the documentation and 348 knowing the padding size. 349 350 The fix makes EVP_DecodeUpdate() produce exactly as many output bytes as 351 in the initial non-encoded message. 352 353 *Valerii Krygin* 354 355 * Added support for aAissuingDistributionPoint, allowedAttributeAssignments, 356 timeSpecification, attributeDescriptor, roleSpecCertIdentifier, 357 authorityAttributeIdentifier and attributeMappings X.509v3 extensions. 358 359 *Jonathan M. Wilbur* 360 361 * Added a new CLI option `-provparam` and API functions for setting of 362 provider configuration parameters. 363 364 *Viktor Dukhovni* 365 366 * Added a new trace category for PROVIDER calls and added new tracing calls 367 in provider and algorithm fetching API functions. 368 369 *Neil Horman* 370 371 * Fixed benchmarking for AEAD ciphers in the `openssl speed` utility. 372 373 *Mohammed Alhabib* 374 375 * Added a build configuration option `enable-sslkeylog` for enabling support 376 for SSLKEYLOGFILE environment variable to log TLS connection secrets. 377 378 *Neil Horman* 379 380 * Added EVP_get_default_properties() function to retrieve the current default 381 property query string. 382 383 *Dmitry Belyavskiy* 384 385OpenSSL 3.4 386----------- 387 388### Changes between 3.4.1 and 3.4.2 [xx XXX xxxx] 389 390 * When displaying distinguished names in the openssl application escape control 391 characters by default. 392 393 *Tomáš Mráz* 394 395### Changes between 3.4.0 and 3.4.1 [11 Feb 2025] 396 397 * Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected. 
398 399 Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a 400 server may fail to notice that the server was not authenticated, because 401 handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode 402 is set. 403 404 ([CVE-2024-12797]) 405 406 *Viktor Dukhovni* 407 408 * Fixed timing side-channel in ECDSA signature computation. 409 410 There is a timing signal of around 300 nanoseconds when the top word of 411 the inverted ECDSA nonce value is zero. This can happen with significant 412 probability only for some of the supported elliptic curves. In particular 413 the NIST P-521 curve is affected. To be able to measure this leak, the 414 attacker process must either be located in the same physical computer or 415 must have a very fast network connection with low latency. 416 417 ([CVE-2024-13176]) 418 419 *Tomáš Mráz* 420 421 * Reverted the behavior change of CMS_get1_certs() and CMS_get1_crls() 422 that happened in the 3.4.0 release. These functions now return NULL 423 again if there are no certs or crls in the CMS object. 424 425 *Tomáš Mráz* 426 427### Changes between 3.3 and 3.4.0 [22 Oct 2024] 428 429 * For the FIPS provider only, replaced the primary DRBG with a continuous 430 health check module. This also removes the now forbidden DRBG chaining. 431 432 *Paul Dale* 433 434 * Improved base64 BIO correctness and error reporting. 435 436 *Viktor Dukhovni* 437 438 * Added support for directly fetched composite signature algorithms such as 439 RSA-SHA2-256 including new API functions in the EVP_PKEY_sign, 440 EVP_PKEY_verify and EVP_PKEY_verify_recover groups. 441 442 *Richard Levitte* 443 444 * XOF Digest API improvements 445 446 EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to 447 EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE 448 have an output size that is not fixed, so calling EVP_MD_get_size() is not 449 sufficent. 
The existing macros now point to the new function 450 EVP_MD_CTX_get_size_ex() which will retrieve the "size" for a XOF digest, 451 otherwise it falls back to calling EVP_MD_get_size(). Note that the SHAKE 452 implementation did not have a context getter previously, so the "size" will 453 only be able to be retrieved with new providers. 454 455 Also added a EVP_xof() helper. 456 457 *Shane Lontis* 458 459 * Added FIPS indicators to the FIPS provider. 460 461 FIPS 140-3 requires indicators to be used if the FIPS provider allows 462 non-approved algorithms. An algorithm is approved if it passes all 463 required checks such as minimum key size. By default an error will 464 occur if any check fails. For backwards compatibility individual 465 algorithms may override the checks by using either an option in the 466 FIPS configuration OR in code using an algorithm context setter. 467 Overriding the check means that the algorithm is not FIPS compliant. 468 OSSL_INDICATOR_set_callback() can be called to register a callback 469 to log unapproved algorithms. At the end of any algorithm operation 470 the approved status can be queried using an algorithm context getter. 471 FIPS provider configuration options are set using 'openssl fipsinstall'. 472 473 Note that new FIPS 140-3 restrictions have been enforced such as 474 RSA Encryption using PKCS1 padding is no longer approved. 475 Documentation related to the changes can be found on the [fips_module(7)] 476 manual page. 477 478 [fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators 479 480 *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov* 481 482 * Added support for hardware acceleration for HMAC on S390x architecture. 483 484 *Ingo Franzki* 485 486 * Added debuginfo Makefile target for unix platforms to produce 487 a separate DWARF info file from the corresponding shared libs. 
488 489 *Neil Horman* 490 491 * Added support for encapsulation and decapsulation operations in the 492 pkeyutl command. 493 494 *Dmitry Belyavskiy* 495 496 * Added implementation of RFC 9579 (PBMAC1) in PKCS#12. 497 498 *Dmitry Belyavskiy* 499 500 * Add a new random seed source RNG `JITTER` using a statically linked 501 jitterentropy library. 502 503 *Dimitri John Ledkov* 504 505 * Added a feature to retrieve configured TLS signature algorithms, 506 e.g., via the openssl list command. 507 508 *Michael Baentsch* 509 510 * Deprecated TS_VERIFY_CTX_set_* functions and added replacement 511 TS_VERIFY_CTX_set0_* functions with improved semantics. 512 513 *Tobias Erbsland* 514 515 * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that 516 what were formerly build time locations can now be defined at run time 517 with registry keys. See NOTES-WINDOWS.md. 518 519 *Neil Horman* 520 521 * Added options `-not_before` and `-not_after` for explicit setting 522 start and end dates of certificates created with the `req` and `x509` 523 commands. Added the same options also to `ca` command as alias for 524 `-startdate` and `-enddate` options. 525 526 *Stephan Wurm* 527 528 * The X25519 and X448 key exchange implementation in the FIPS provider 529 is unapproved and has `fips=no` property. 530 531 *Tomáš Mráz* 532 533 * SHAKE-128 and SHAKE-256 implementations have no default digest length 534 anymore. That means these algorithms cannot be used with 535 EVP_DigestFinal/_ex() unless the `xoflen` param is set before. 536 537 This change was necessary because the preexisting default lengths were 538 half the size necessary for full collision resistance supported by these 539 algorithms. 540 541 *Tomáš Mráz* 542 543 * Setting `config_diagnostics=1` in the config file will cause errors to 544 be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error 545 in the ssl module configuration. 
546 547 *Tomáš Mráz* 548 549 * An empty renegotiate extension will be used in TLS client hellos instead 550 of the empty renegotiation SCSV, for all connections with a minimum TLS 551 version > 1.0. 552 553 *Tim Perry* 554 555 * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and 556 TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150. 557 558 This work was sponsored by Siemens AG. 559 560 *Rajeev Ranjan* 561 562 * Added support for retrieving certificate request templates and CRLs in CMP, 563 with the respective CLI options `-template`, 564 `-crlcert`, `-oldcrl`, `-crlout`, `-crlform>`, and `-rsp_crl`. 565 566 This work was sponsored by Siemens AG. 567 568 *Rajeev Ranjan* 569 570 * Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints, 571 userNotice, acceptablePrivilegePolicies, acceptableCertPolicies, 572 subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints, 573 holderNameConstraints and targetingInformation X.509v3 extensions. 574 575 *Jonathan M. Wilbur* 576 577 * Added Attribute Certificate (RFC 5755) support. Attribute 578 Certificates can be created, parsed, modified and printed via the 579 public API. There is no command-line tool support at this time. 580 581 *Damian Hobson-Garcia* 582 583 * Added support to build Position Independent Executables (PIE). Configuration 584 option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to 585 support Address Space Layout Randomization (ASLR) in the openssl executable, 586 removes reliance on external toolchain configurations. 587 588 *Craig Lorentzen* 589 590 * SSL_SESSION_get_time()/SSL_SESSION_set_time()/SSL_CTX_flush_sessions() have 591 been deprecated in favour of their respective ..._ex() replacement functions 592 which are Y2038-safe. 593 594 *Alexander Kanavin* 595 596 * ECC groups may now customize their initialization to save CPU by using 597 precomputed values. This is used by the P-256 implementation. 
598 599 *Watson Ladd* 600 601OpenSSL 3.3 602----------- 603 604### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx] 605 606 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic 607 curve parameters. 608 609 Use of the low-level GF(2^m) elliptic curve APIs with untrusted 610 explicit values for the field polynomial can lead to out-of-bounds memory 611 reads or writes. 612 Applications working with "exotic" explicit binary (GF(2^m)) curve 613 parameters, that make it possible to represent invalid field polynomials 614 with a zero constant term, via the above or similar APIs, may terminate 615 abruptly as a result of reading or writing outside of array bounds. Remote 616 code execution cannot easily be ruled out. 617 618 ([CVE-2024-9143]) 619 620 *Viktor Dukhovni* 621 622### Changes between 3.3.1 and 3.3.2 [3 Sep 2024] 623 624 * Fixed possible denial of service in X.509 name checks. 625 626 Applications performing certificate name checks (e.g., TLS clients checking 627 server certificates) may attempt to read an invalid memory address when 628 comparing the expected name with an `otherName` subject alternative name of 629 an X.509 certificate. This may result in an exception that terminates the 630 application program. 631 632 ([CVE-2024-6119]) 633 634 *Viktor Dukhovni* 635 636 * Fixed possible buffer overread in SSL_select_next_proto(). 637 638 Calling the OpenSSL API function SSL_select_next_proto with an empty 639 supported client protocols buffer may cause a crash or memory contents 640 to be sent to the peer. 641 642 ([CVE-2024-5535]) 643 644 *Matt Caswell* 645 646### Changes between 3.3.0 and 3.3.1 [4 Jun 2024] 647 648 * Fixed potential use after free after SSL_free_buffers() is called. 649 650 The SSL_free_buffers function is used to free the internal OpenSSL 651 buffer used when processing an incoming record from the network. 652 The call is only expected to succeed if the buffer is not currently 653 in use. 
However, two scenarios have been identified where the buffer 654 is freed even when still in use. 655 656 The first scenario occurs where a record header has been received 657 from the network and processed by OpenSSL, but the full record body 658 has not yet arrived. In this case calling SSL_free_buffers will succeed 659 even though a record has only been partially processed and the buffer 660 is still in use. 661 662 The second scenario occurs where a full record containing application 663 data has been received and processed by OpenSSL but the application has 664 only read part of this data. Again a call to SSL_free_buffers will 665 succeed even though the buffer is still in use. 666 667 ([CVE-2024-4741]) 668 669 *Matt Caswell* 670 671 * Fixed an issue where checking excessively long DSA keys or parameters may 672 be very slow. 673 674 Applications that use the functions EVP_PKEY_param_check() or 675 EVP_PKEY_public_check() to check a DSA public key or DSA parameters may 676 experience long delays. Where the key or parameters that are being checked 677 have been obtained from an untrusted source this may lead to a Denial of 678 Service. 679 680 To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS 681 will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error 682 reason. 683 684 ([CVE-2024-4603]) 685 686 *Tomáš Mráz* 687 688 * Improved EC/DSA nonce generation routines to avoid bias and timing 689 side channel leaks. 690 691 Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis 692 and Hubert Kario from Red Hat for reporting the issues. 693 694 *Tomáš Mráz and Paul Dale* 695 696### Changes between 3.2 and 3.3.0 [9 Apr 2024] 697 698 * The `-verify` option to the `openssl crl` and `openssl req` will make 699 the program exit with 1 on failure. 700 701 *Vladimír Kotal* 702 703 * The BIO_get_new_index() function can only be called 127 times before it 704 reaches its upper bound of BIO_TYPE_MASK. 
It will now correctly return an 705 error of -1 once it is exhausted. Users may need to reserve using this 706 function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE 707 or BIO_get_new_index() can be used to supply a type to BIO_meth_new(). 708 709 *Shane Lontis* 710 711 * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() 712 using time_t which is Y2038 safe on 32 bit systems when 64 bit time 713 is enabled (e.g via setting glibc macro _TIME_BITS=64). 714 715 *Ijtaba Hussain* 716 717 * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and 718 related functions have been augmented to check for a minimum length of 719 the input string, in accordance with ITU-T X.690 section 11.7 and 11.8. 720 721 *Job Snijders* 722 723 * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms 724 config options and the respective calls to SSL[_CTX]_set1_sigalgs() and 725 SSL[_CTX]_set1_client_sigalgs() that start with `?` character are 726 ignored and the configuration will still be used. 727 728 Similarly unknown entries that start with `?` character in a TLS 729 Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored 730 and the configuration will still be used. 731 732 In both cases if the resulting list is empty, an error is returned. 733 734 *Tomáš Mráz* 735 736 * The EVP_PKEY_fromdata function has been augmented to allow for the derivation 737 of CRT (Chinese Remainder Theorem) parameters when requested. See the 738 OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation. 739 740 *Neil Horman* 741 742 * The activate and soft_load configuration settings for providers in 743 openssl.cnf have been updated to require a value of [1|yes|true|on] 744 (in lower or UPPER case) to enable the setting. Conversely a value 745 of [0|no|false|off] will disable the setting. All other values, or the 746 omission of a value for these settings will result in an error. 
747 748 *Neil Horman* 749 750 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to 751 override the Issuer and Subject when creating a certificate. The `-subj` 752 option now is an alias for `-set_subject`. 753 754 *Job Snijders, George Michaelson* 755 756 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1 757 if called with a NULL stack argument. 758 759 *Tomáš Mráz* 760 761 * In `openssl speed`, changed the default hash function used with `hmac` from 762 `md5` to `sha256`. 763 764 *James Muir* 765 766 * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483: 767 - `certProfile` request message header and respective `-profile` CLI option 768 - support for delayed delivery of all types of response messages 769 770 This work was sponsored by Siemens AG. 771 772 *David von Oheimb* 773 774 * The build of exporters (such as `.pc` files for pkg-config) cleaned up to 775 be less hard coded in the build file templates, and to allow easier 776 addition of more exporters. With that, an exporter for CMake is also 777 added. 778 779 *Richard Levitte* 780 781 * The BLAKE2s hash algorithm matches BLAKE2b's support 782 for configurable output length. 783 784 *Ahelenia Ziemiańska* 785 786 * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3 787 server to prefer session resumption using PSK-only key exchange over PSK 788 with DHE, if both are available. 789 790 *Markus Minichmayr, Tapkey GmbH* 791 792 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN) 793 condition in an optimised way when using QUIC. 794 795 *Hugo Landau* 796 797 * New atexit configuration switch, which controls whether the OPENSSL_cleanup 798 is registered when libcrypto is unloaded. This is turned off on NonStop 799 configurations because of loader differences on that platform compared to 800 Linux. 801 802 *Randall S. Becker* 803 804 * Support for qlog for tracing QUIC connections has been added. 
805 806 The qlog output from OpenSSL currently uses a pre-standard draft version of 807 qlog. The output from OpenSSL will change in incompatible ways in future 808 releases, and is not subject to any format stability or compatibility 809 guarantees at this time. This functionality can be 810 disabled with the build-time option `no-unstable-qlog`. See the 811 openssl-qlog(7) manpage for details. 812 813 *Hugo Landau* 814 815 * Added APIs to allow configuring the negotiated idle timeout for QUIC 816 connections, and to allow determining the number of additional streams 817 that can currently be created for a QUIC connection. 818 819 *Hugo Landau* 820 821 * Added APIs to allow disabling implicit QUIC event processing for 822 QUIC SSL objects, allowing applications to control when event handling 823 occurs. Refer to the SSL_get_value_uint(3) manpage for details. 824 825 *Hugo Landau* 826 827 * Limited support for polling of QUIC connection and stream objects in a 828 non-blocking manner. Refer to the SSL_poll(3) manpage for details. 829 830 *Hugo Landau* 831 832 * Added APIs to allow querying the size and utilisation of a QUIC stream's 833 write buffer. Refer to the SSL_get_value_uint(3) manpage for details. 834 835 *Hugo Landau* 836 837 * New limit on HTTP response headers is introduced to HTTP client. The 838 default limit is set to 256 header lines. If limit is exceeded the 839 response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES. 840 Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3) 841 to change the default. Setting the value to 0 disables the limit. 842 843 *Alexandr Nedvedicky* 844 845 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100 846 847 *Tom Cosgrove* 848 849 * Added X509_STORE_get1_objects to avoid issues with the existing 850 X509_STORE_get0_objects API in multi-threaded applications. Refer to the 851 documentation for details. 

   *David Benjamin*

 * Added assembly implementation for md5 on loongarch64

   *Min Zhou*

 * Optimized AES-CTR for ARM Neoverse V1 and V2

   *Fisher Yu*

 * Enable AES and SHA3 optimisations on Apple Silicon M3-based macOS systems
   similar to M1/M2.

   *Tom Cosgrove*

 * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
   times with different output sizes.

   *Shane Lontis, Holger Dengler*

 * Various optimizations for cryptographic routines using RISC-V vector crypto
   extensions

   *Christoph Müllner, Charalampos Mitrodimas, Ard Biesheuvel, Phoebe Chen,
   Jerry Shih*

 * Accept longer context for TLS 1.2 exporters

   While RFC 5705 implies that the maximum length of a context for exporters is
   65535 bytes as the length is embedded in uint16, the previous implementation
   enforced a much smaller limit, which is less than 1024 bytes. This
   restriction has been removed.

   *Daiki Ueno*

OpenSSL 3.2
-----------

### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]

 * Fixed an issue where some non-default TLS server configurations can cause
   unbounded memory growth when processing TLSv1.3 sessions. An attacker may
   exploit certain server configurations to trigger unbounded memory growth that
   would lead to a Denial of Service.

   This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
   is being used (but not if early_data is also configured and the default
   anti-replay protection is in use). In this case, under certain conditions,
   the session cache can get into an incorrect state and it will fail to flush
   properly as it fills. The session cache will continue to grow in an unbounded
   manner. A malicious client could deliberately create the scenario for this
   failure to force a Denial of Service. It may also happen by accident in
   normal operation.

   ([CVE-2024-2511])

   *Matt Caswell*

 * Fixed a bug where SSL_export_keying_material() could not be used with QUIC
   connections. (#23560)

   *Hugo Landau*

### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]

 * A file in PKCS12 format can contain certificates and keys and may come from
   an untrusted source. The PKCS12 specification allows certain fields to be
   NULL, but OpenSSL did not correctly check for this case. A fix has been
   applied to prevent a NULL pointer dereference that results in OpenSSL
   crashing. If an application processes PKCS12 files from an untrusted source
   using the OpenSSL APIs then that application will be vulnerable to this
   issue prior to this fix.

   OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
   PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
   and PKCS12_newpass().

   We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
   function is related to writing data we do not consider it security
   significant.

   ([CVE-2024-0727])

   *Matt Caswell*

 * When function EVP_PKEY_public_check() is called on RSA public keys,
   a computation is done to confirm that the RSA modulus, n, is composite.
   For valid RSA keys, n is a product of two or more large primes and this
   computation completes quickly. However, if n is an overly large prime,
   then this computation would take a long time.

   An application that calls EVP_PKEY_public_check() and supplies an RSA key
   obtained from an untrusted source could be vulnerable to a Denial of Service
   attack.

   The function EVP_PKEY_public_check() is not called from other OpenSSL
   functions; however, it is called from the OpenSSL pkey command line
   application. For that reason that application is also vulnerable if used
   with the "-pubin" and "-check" options on untrusted data.

   To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
   now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.

   ([CVE-2023-6237])

   *Tomáš Mráz*

 * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
   have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
   rather than SM2.

   *Richard Levitte*

 * The POLY1305 MAC (message authentication code) implementation in OpenSSL
   for PowerPC CPUs saves the contents of vector registers in a different
   order than they are restored. Thus the contents of some of these vector
   registers are corrupted when returning to the caller. The vulnerable code is
   used only on newer PowerPC processors supporting the PowerISA 2.07
   instructions.

   The consequences of this kind of internal application state corruption can
   be various - from no consequences, if the calling application does not
   depend on the contents of non-volatile XMM registers at all, to the worst
   consequences, where the attacker could get complete control of the
   application process. However unless the compiler uses the vector registers
   for storing pointers, the most likely consequence, if any, would be an
   incorrect result of some application dependent calculations or a crash
   leading to a denial of service.

   ([CVE-2023-6129])

   *Rohan McLure*

 * Disable building QUIC server utility when OpenSSL is configured with
   `no-apps`.

   *Vitalii Koshura*

### Changes between 3.1 and 3.2.0 [23 Nov 2023]

 * Fix excessive time spent in DH check / generation with large Q parameter
   value.

   Applications that use the function DH_generate_key() to generate an
   X9.42 DH key may experience long delays.
   Likewise, applications that use
   DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
   to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
   Where the key or parameters that are being checked have been obtained from
   an untrusted source this may lead to a Denial of Service.

   ([CVE-2023-5678])

   *Richard Levitte*

 * The BLAKE2b hash algorithm supports a configurable output length
   by setting the "size" parameter.

   *Čestmír Kalina and Tomáš Mráz*

 * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES.

   *Evgeny Karpov*

 * Added a function to delete objects from store by URI - OSSL_STORE_delete()
   and the corresponding provider-storemgmt API function
   OSSL_FUNC_store_delete().

   *Dmitry Belyavskiy*

 * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
   a passphrase callback when opening a store.

   *Simo Sorce*

 * Changed the default salt length used by PBES2 KDFs (PBKDF2 and scrypt)
   from 8 bytes to 16 bytes.
   The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and
   recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2
   requires a salt length of 128 bits. This affects OpenSSL command line
   applications such as "genrsa" and "pkcs8" and APIs such as
   PEM_write_bio_PrivateKey() that are reliant on the default value.
   The additional command line option 'saltlen' has been added to the
   OpenSSL command line applications for "pkcs8" and "enc" to allow the
   salt length to be set to a non-default value.

   *Shane Lontis*

 * Changed the default value of the `ess_cert_id_alg` configuration
   option which is used to calculate the TSA's public key certificate
   identifier. The default algorithm is updated to be sha256 instead
   of sha1.

   *Małgorzata Olszówka*

 * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed
   table for point multiplication of the base point, which increases the size of
   libcrypto from 4.4 MB to 4.9 MB. A new configure option `no-sm2-precomp` has
   been added to disable the precomputed table.

   *Xu Yizhou*

 * Added client side support for QUIC

   *Hugo Landau, Matt Caswell, Paul Dale, Tomáš Mráz, Richard Levitte*

 * Added multiple tutorials on the OpenSSL library and in particular
   on writing various clients (using TLS and QUIC protocols) with libssl.

   *Matt Caswell*

 * Added secp384r1 implementation using Solinas' reduction to improve
   speed of the NIST P-384 elliptic curve. To enable the implementation
   the build option `enable-ec_nistp_64_gcc_128` must be used.

   *Rohan McLure*

 * Improved RFC7468 compliance of the asn1parse command.

   *Matthias St. Pierre*

 * Added SHA256/192 algorithm support.

   *Fergus Dall*

 * Reduced contention on global write locks by using more read locks where
   appropriate.

   *Matt Caswell*

 * Improved performance of OSSL_PARAM lookups in performance critical
   provider functions.

   *Paul Dale*

 * Added the SSL_get0_group_name() function to provide access to the
   name of the group used for the TLS key exchange.

   *Alex Bozarth*

 * Provide a new configure option `no-http` that can be used to disable the
   HTTP support. Provide new configure options `no-apps` and `no-docs` to
   disable building the openssl command line application and the documentation.

   *Vladimír Kotal*

 * Provide a new configure option `no-ecx` that can be used to disable the
   X25519, X448, and EdDSA support.

   *Yi Li*

 * When multiple OSSL_KDF_PARAM_INFO parameters are passed to
   the EVP_KDF_CTX_set_params() function they are now concatenated not just
   for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.

   *Paul Dale*

 * Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get
   the provider context as a parameter.

   *Ingo Franzki*

 * TLS round-trip time calculation was added by a Brigham Young University
   Capstone team partnering with Sandia National Laboratories. A new function
   in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
   value.

   *Jairus Christensen*

 * Added the "-quic" option to s_client to enable connectivity to QUIC servers.
   QUIC requires the use of ALPN, so this must be specified via the "-alpn"
   option. Use of the "advanced" s_client command mode via the "-adv" option
   is recommended.

   *Matt Caswell*

 * Added an "advanced" command mode to s_client. Use this with the "-adv"
   option. The old "basic" command mode recognises certain letters that must
   always appear at the start of a line and cannot be escaped. The advanced
   command mode enables commands to be entered anywhere and there is an
   escaping mechanism. After starting s_client with "-adv" type "{help}"
   to show a list of available commands.

   *Matt Caswell*

 * Add Raw Public Key (RFC7250) support. Authentication is supported
   by matching keys against either local policy (TLSA records synthesised
   from the expected keys) or DANE (TLSA records obtained by the
   application from DNS). TLSA records will also match the same key in
   the server certificate, should RPK use not happen to be negotiated.

   *Todd Short*

 * Added support for modular exponentiation and CRT offloading for the
   S390x architecture.

   *Juergen Christ*

 * Added further assembler code for the RISC-V architecture.

   *Christoph Müllner*

 * Added EC_GROUP_to_params() which creates an OSSL_PARAM array
   from a given EC_GROUP.

   *Oliver Mihatsch*

 * Improved support for non-default library contexts and property queries
   when parsing PKCS#12 files.

   *Shane Lontis*

 * Implemented support for all five instances of EdDSA from RFC8032:
   Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
   Streaming is not yet supported for the HashEdDSA variants
   (Ed25519ph and Ed448ph).

   *James Muir*

 * Added SM4 optimization for ARM processors using ASIMD and AES HW
   instructions.

   *Xu Yizhou*

 * Implemented SM4-XTS support.

   *Xu Yizhou*

 * Added platform-agnostic OSSL_sleep() function.

   *Richard Levitte*

 * Implemented deterministic ECDSA signatures (RFC6979) support.

   *Shane Lontis*

 * Implemented AES-GCM-SIV (RFC8452) support.

   *Todd Short*

 * Added support for pluggable (provider-based) TLS signature algorithms.
   This enables TLS 1.3 authentication operations with algorithms embedded
   in providers not included by default in OpenSSL. In combination with
   the already available pluggable KEM and X.509 support, this enables
   for example suitable providers to deliver post-quantum or quantum-safe
   cryptography to OpenSSL users.

   *Michael Baentsch*

 * Added support for pluggable (provider-based) CMS signature algorithms.
   This enables CMS sign and verify operations with algorithms embedded
   in providers not included by default in OpenSSL.

   *Michael Baentsch*

 * Added support for Hybrid Public Key Encryption (HPKE) as defined
   in RFC9180. HPKE is required for TLS Encrypted ClientHello (ECH),
   Message Layer Security (MLS) and other IETF specifications.
   HPKE can also be used by other applications that require
   encrypting "to" an ECDH public key. External APIs are defined in
   include/openssl/hpke.h and documented in doc/man3/OSSL_HPKE_CTX_new.pod

   *Stephen Farrell*

 * Implemented HPKE DHKEM support in providers used by HPKE (RFC9180)
   API.

   *Shane Lontis*

 * Add support for certificate compression (RFC8879), including
   library support for Brotli and Zstandard compression.

   *Todd Short*

 * Add the ability to add custom attributes to PKCS12 files. Add a new API
   PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows
   for a user specified callback and optional argument.
   Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be
   added to the existing STACK_OF attrs.

   *Graham Woodward*

 * Major refactor of the libssl record layer.

   *Matt Caswell*

 * Add a mac salt length option for the pkcs12 command.

   *Xinping Chen*

 * Add more SRTP protection profiles from RFC8723 and RFC8269.

   *Kijin Kim*

 * Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.

   *Daiki Ueno, John Baldwin and Dmitry Podgorny*

 * Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where
   supported and enabled.

   *Todd Short*

 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
   to the list of ciphersuites providing Perfect Forward Secrecy as
   required by SECLEVEL >= 3.

   *Dmitry Belyavskiy, Nicola Tuveri*

 * Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.
   The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the
   SSL_get0_iana_groups() function-like macro, retrieves the list of
   supported groups sent by the peer.
   The function SSL_client_hello_get_extension_order() populates
   a caller-supplied array with the list of extension types present in the
   ClientHello, in order of appearance.

   *Phus Lu*

 * Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
   to make it possible to use empty passphrase strings.

   *Darshan Sen*

 * The PKCS12_parse() function now supports MAC-less PKCS12 files.

   *Daniel Fiala*

 * Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
   to change the functions used for allocating the memory of the asynchronous
   call stack.

   *Arran Cudbard-Bell*

 * Added support for signed BIGNUMs in the OSSL_PARAM APIs.

   *Richard Levitte*

 * A failure exit code is returned when using the openssl x509 command to check
   certificate attributes and the checks fail.

   *Rami Khaldi*

 * The default SSL/TLS security level has been changed from 1 to 2. RSA,
   DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
   of 160 bits and above and less than 224 bits were previously accepted by
   default but are now no longer allowed. By default TLS compression was
   already disabled in previous OpenSSL versions. At security level 2 it cannot
   be enabled.

   *Matt Caswell*

 * The SSL_CTX_set_cipher_list family of functions now accept ciphers using
   their IANA standard names.

   *Erik Lax*

 * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
   will need to load the legacy crypto provider.

   *Paul Dale*

 * CCM8 cipher suites in TLS have been downgraded to security level zero
   because they use a short authentication tag which lowers their strength.

   *Paul Dale*

 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
   by default. Also spaces surrounding `=` in DN output are removed.

   *Dmitry Belyavskiy*

 * Add X.509 certificate codeSigning purpose and related checks on key usage and
   extended key usage of the leaf certificate according to the CA/Browser Forum.

   *Lutz Jänicke*

 * The `x509`, `ca`, and `req` commands now produce X.509 v3 certificates.
   The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
   `X509_sign()` and `X509_sign_ctx()` make sure that the certificate has
   X.509 version 3 if the certificate information includes X.509 extensions.

   *David von Oheimb*

 * Fix and extend certificate handling and the commands `x509`, `verify` etc.,
   such as adding a trace facility for debugging certificate chain building.

   *David von Oheimb*

 * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app,
   in particular supporting various types of genm/genp exchanges such as getting
   CA certificates and root CA cert updates defined in CMP Updates [RFC 9480],
   as well as the `-srvcertout` and `-serial` CLI options.

   This work was sponsored by Siemens AG.

   *David von Oheimb*

 * Fixes and extensions to the HTTP client and to the HTTP server in `apps/`,
   like correcting the TLS and proxy support and adding tracing for debugging.

   *David von Oheimb*

 * Extended the CMS API for handling `CMS_SignedData` and `CMS_EnvelopedData`.

   *David von Oheimb*

 * `CMS_add0_cert()` and `CMS_add1_cert()` no longer throw an error if
   a certificate to be added is already present. `CMS_sign_ex()` and
   `CMS_sign()` now ignore any duplicate certificates in their `certs` argument
   and no longer throw an error for them.

   *David von Oheimb*

 * Fixed and extended `util/check-format.pl` for checking adherence to the
   coding style <https://www.openssl.org/policies/technical/coding-style.html>.
   The checks are now more complete and yield fewer false positives.

   *David von Oheimb*

 * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
   BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
   calls. They can be used as the transport BIOs for QUIC.

   *Hugo Landau, Matt Caswell and Tomáš Mráz*

 * Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
   sending and receiving multiple messages in a single call. An implementation
   is provided for BIO_dgram. For further details, see BIO_sendmmsg(3).

   *Hugo Landau*

 * Support for loading root certificates from the Windows certificate store
   has been added. The support is in the form of a store which recognises the
   URI string of `org.openssl.winstore://`. This URI scheme currently takes no
   arguments. This store is built by default and can be disabled using the new
   compile-time option `no-winstore`. This store is not currently used by
   default and must be loaded explicitly using the above store URI. It is
   expected to be loaded by default in the future.

   *Hugo Landau*

 * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some Linux
   kernel versions that support KTLS have a known bug in CCM processing. That
   has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
   and all releases since 5.16. KTLS with CCM ciphersuites should only be used
   on these releases.

   *Tianjia Zhang*

 * Added `-ktls` option to `s_server` and `s_client` commands to enable the
   KTLS support.

   *Tianjia Zhang*

 * Zerocopy KTLS sendfile() support on Linux.

   *Maxim Mikityanskiy*

 * The OBJ_ calls are now thread safe using a global lock.

   *Paul Dale*

 * New parameter `-digest` for openssl cms command allowing signing
   pre-computed digests and new CMS API functions supporting that
   functionality.

   *Viktor Söderqvist*

 * OPENSSL_malloc() and other allocation functions now raise errors on
   allocation failures. The callers do not need to explicitly raise errors
   unless they want to for tracing purposes.

   *David von Oheimb*

 * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
   decryption as a protection against Bleichenbacher-like attacks.
   The RSA decryption API will now return a randomly generated deterministic
   message instead of an error in case it detects an error when checking
   padding during PKCS#1 v1.5 decryption. This is a general protection against
   issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
   disabled by calling
   `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")`
   on the RSA decryption context.

   *Hubert Kario*

 * Added support for Brainpool curves in TLS-1.3.

   *Bernd Edlinger and Matt Caswell*

 * Added OpenBSD specific build targets.

   *David Carlier*

 * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
   a basic thread pool implementation for select platforms.

   *Čestmír Kalina*

OpenSSL 3.1
-----------

### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]

 * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
   EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
   that alter the key or IV length ([CVE-2023-5363]).

   *Paul Dale*

### Changes between 3.1.2 and 3.1.3 [19 Sep 2023]

 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.

   The POLY1305 MAC (message authentication code) implementation in OpenSSL
   does not save the contents of non-volatile XMM registers on the Windows 64
   platform when calculating the MAC of data larger than 64 bytes. Before
   returning to the caller all the XMM registers are set to zero rather than
   restoring their previous content. The vulnerable code is used only on newer
   x86_64 processors supporting the AVX512-IFMA instructions.

   The consequences of this kind of internal application state corruption can
   be various - from no consequences, if the calling application does not
   depend on the contents of non-volatile XMM registers at all, to the worst
   consequences, where the attacker could get complete control of the
   application process. However, given that the contents of the registers are
   just zeroized, the attacker cannot put arbitrary values inside, so the most
   likely consequence, if any, would be an incorrect result of some application
   dependent calculations or a crash leading to a denial of service.

   ([CVE-2023-4807])

   *Bernd Edlinger*

### Changes between 3.1.1 and 3.1.2 [1 Aug 2023]

 * Fix excessive time spent checking DH q parameter value.

   The function DH_check() performs various checks on DH parameters. After
   fixing CVE-2023-3446 it was discovered that a large q parameter value can
   also trigger an overly long computation during some of these checks.
   A correct q value, if present, cannot be larger than the modulus p
   parameter, thus it is unnecessary to perform these checks if q is larger
   than p.

   If DH_check() is called with such a q parameter value, the
   DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
   intensive checks are skipped.

   ([CVE-2023-3817])

   *Tomáš Mráz*

 * Fix DH_check() excessive time with oversized modulus.

   The function DH_check() performs various checks on DH parameters. One of
   those checks confirms that the modulus ("p" parameter) is not too large.
   Trying to use a very large modulus is slow and OpenSSL will not normally use
   a modulus which is over 10,000 bits in length.

   However the DH_check() function checks numerous aspects of the key or
   parameters that have been supplied. Some of those checks use the supplied
   modulus value even if it has already been found to be too large.

   A new limit has been added to DH_check of 32,768 bits. Supplying a
   key/parameters with a modulus over this size will simply cause DH_check() to
   fail.

   ([CVE-2023-3446])

   *Matt Caswell*

 * Do not ignore empty associated data entries with AES-SIV.

   The AES-SIV algorithm allows for authentication of multiple associated
   data entries along with the encryption. To authenticate empty data the
   application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
   with a NULL pointer as the output buffer and 0 as the input buffer length.
   The AES-SIV implementation in OpenSSL just returns success for such a call
   instead of performing the associated data authentication operation.
   The empty data thus will not be authenticated. ([CVE-2023-2975])

   Thanks to Juerg Wullschleger (Google) for discovering the issue.

   The fix changes the authentication tag value and the ciphertext for
   applications that use empty associated data entries with AES-SIV.
   To decrypt data encrypted with previous versions of OpenSSL the application
   has to skip calls to `EVP_DecryptUpdate()` for empty associated data
   entries.

   *Tomáš Mráz*

 * When building with the `enable-fips` option and using the resulting
   FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
   master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
   not operate with truncated digests (FIPS 140-3 IG G.R).

   *Paul Dale*

### Changes between 3.1.0 and 3.1.1 [30 May 2023]

 * Mitigate the time it takes for `OBJ_obj2txt` to translate gigantic
   OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

   OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
   numeric text form. For gigantic sub-identifiers, this would take a very
   long time, the time complexity being O(n^2) where n is the size of that
   sub-identifier. ([CVE-2023-2650])

   To mitigate this, `OBJ_obj2txt()` will only translate an OBJECT
   IDENTIFIER to canonical numeric text form if the size of that OBJECT
   IDENTIFIER is 586 bytes or less, and fail otherwise.

   The basis for this restriction is [RFC 2578 (STD 58), section 3.5]
   (OBJECT IDENTIFIER values), which stipulates that OBJECT IDENTIFIERs may
   have at most 128 sub-identifiers, and that the maximum value that each
   sub-identifier may have is 2^32-1 (4294967295 decimal).

   For each byte of every sub-identifier, only the 7 lower bits are part of
   the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
   these restrictions may occupy is 32 * 128 / 7, which is approximately 586
   bytes.

   *Richard Levitte*

 * Multiple algorithm implementation fixes for ARM BE platforms.

   *Liu-ErMeng*

 * Added a -pedantic option to fipsinstall that adjusts the various
   settings to ensure strict FIPS compliance rather than backwards
   compatibility.

   *Paul Dale*

 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
   happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
   trigger a crash of an application using AES-XTS decryption if the memory
   just after the buffer being decrypted is not mapped.
   Thanks to Anton Romanov (Amazon) for discovering the issue.
   ([CVE-2023-1255])

   *Nevine Ebeid*

 * Reworked the fix for the timing oracle in RSA decryption ([CVE-2022-4304]).
   The previous fix for this timing side channel turned out to cause
   a severe 2-3x performance regression in the typical use case
   compared to 3.0.7. The new fix uses existing constant time
   code paths, and restores the previous performance level while
   fully eliminating all existing timing side channels.
   The fix was developed by Bernd Edlinger with testing support
   by Hubert Kario.

   *Bernd Edlinger*

 * Add FIPS provider configuration option to disallow the use of
   truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
   The option '-no_drbg_truncated_digests' can optionally be
   supplied to 'openssl fipsinstall'.

   *Paul Dale*

 * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
   that it does not enable policy checking. Thanks to David Benjamin for
   discovering this issue.
   ([CVE-2023-0466])

   *Tomáš Mráz*

 * Fixed an issue where invalid certificate policies in leaf certificates are
   silently ignored by OpenSSL and other certificate policy checks are skipped
   for that certificate. A malicious CA could use this to deliberately assert
   invalid certificate policies in order to circumvent policy checking on the
   certificate altogether.
   ([CVE-2023-0465])

   *Matt Caswell*

 * Limited the number of nodes created in a policy tree to mitigate
   against CVE-2023-0464.
   The default limit is set to 1000 nodes, which
   should be sufficient for most installations. If required, the limit
   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
   time define to a desired maximum number of nodes or zero to allow
   unlimited growth.
   ([CVE-2023-0464])

   *Paul Dale*

### Changes between 3.0 and 3.1.0 [14 Mar 2023]

 * Add FIPS provider configuration option to enforce the
   Extended Master Secret (EMS) check during the TLS1_PRF KDF.
   The option '-ems_check' can optionally be supplied to
   'openssl fipsinstall'.

   *Shane Lontis*

 * The FIPS provider includes a few non-approved algorithms for
   backward compatibility purposes and the "fips=yes" property query
   must be used for all algorithm fetches to ensure FIPS compliance.

   The algorithms that are included but not approved are Triple DES ECB,
   Triple DES CBC and EdDSA.

   *Paul Dale*

 * Added support for KMAC in KBKDF.

   *Shane Lontis*

 * RNDR and RNDRRS support in provider functions to provide
   random number generation for Arm CPUs (aarch64).

   *Orr Toledano*

 * `s_client` and `s_server` commands now explicitly say when the TLS version
   does not include the renegotiation mechanism. This avoids confusion
   between that scenario versus when the TLS version includes secure
   renegotiation but the peer lacks support for it.

   *Felipe Gasper*

 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.

   *Tomasz Kantecki, Andrey Matyukov*

 * The various OBJ_* functions have been made thread safe.

   *Paul Dale*

 * Parallel dual-prime 1536/2048-bit modular exponentiation for
   AVX512_IFMA capable processors.

   *Sergey Kirillov, Andrey Matyukov (Intel Corp)*

 * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`,
   `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`,
   `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
   marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
   `OPENSSL_NO_DEPRECATED_3_1`.

   The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro
   `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
   definitions for these functions regardless of whether
   `OPENSSL_NO_DEPRECATED_3_1` is defined.

   Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these
   functions regardless of whether they are using them. It is recommended that
   users transition to the new macro, `DEFINE_LHASH_OF_EX`.

   *Hugo Landau*

 * When generating safe-prime DH parameters set the recommended private key
   length equivalent to minimum key lengths as in RFC 7919.

   *Tomáš Mráz*

 * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
   maximum size that is smaller than or equal to the digest length to comply
   with FIPS 186-4 section 5. This is implemented by a new option
   `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
   `rsa_pss_saltlen` parameter, which is now the default. Signature
   verification is not affected by this change and continues to work as before.

   *Clemens Lang*

OpenSSL 3.0
-----------

For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries
listed here are only a brief description.
The migration guide contains more detailed information related to new features,
breaking changes, and mappings for the large list of deprecated functions.
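The RSASSA-PSS salt-length change listed under 3.1.0 above is easiest to see at the EMSA-PSS encoding layer, where the salt length lives. The following is an added example written for this page, not OpenSSL code: it implements EMSA-PSS encode/verify from RFC 8017 section 9.1 in pure Python and omits the RSA exponentiation that wraps EM in a real signature. The helper names (`salt_len_max`, `salt_len_auto_digestmax`) and the policy they encode are this example's own; they model `RSA_PSS_SALTLEN_MAX` and the 3.1 default "auto-digestmax" as the entry describes them (digest length, or the largest salt that fits when the modulus is too small for that), and `salt_len=None` on verify models the auto salt-length recovery that makes verification indifferent to the signer's choice.

```python
"""EMSA-PSS (RFC 8017, 9.1) with OpenSSL-style salt-length selection.

Added example, not OpenSSL code. It covers the encoding layer only: in a real
signature EM is then raised to the private exponent, and verification undoes
that before calling the verify step below. The salt-length policy the 3.1
entry talks about lives entirely in this layer."""
import hashlib
import hmac
import os


def _hlen(hash_name: str) -> int:
    return hashlib.new(hash_name).digest_size


def mgf1(seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017, B.2.1): concatenated hashes of seed || counter."""
    hlen = _hlen(hash_name)
    out = b"".join(
        hashlib.new(hash_name, seed + ctr.to_bytes(4, "big")).digest()
        for ctr in range((length + hlen - 1) // hlen)
    )
    return out[:length]


def salt_len_max(em_bits: int, hash_name: str) -> int:
    """Model of RSA_PSS_SALTLEN_MAX: the largest salt that fits, emLen - hLen - 2."""
    return (em_bits + 7) // 8 - _hlen(hash_name) - 2


def salt_len_auto_digestmax(em_bits: int, hash_name: str) -> int:
    """Model of the 3.1 default ("auto-digestmax"): the digest length, or the
    maximum that fits when the modulus is too small for that."""
    return min(_hlen(hash_name), salt_len_max(em_bits, hash_name))


def emsa_pss_encode(msg, em_bits, salt_len, hash_name="sha256", salt=None):
    """Return EM of emLen bytes; raise if the salt cannot fit (RFC: encoding error)."""
    hlen, em_len = _hlen(hash_name), (em_bits + 7) // 8
    if em_len < hlen + salt_len + 2:
        raise ValueError("encoding error: modulus too small for this salt length")
    if salt is None:
        salt = os.urandom(salt_len)
    m_hash = hashlib.new(hash_name, msg).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - hlen - 2) + b"\x01" + salt
    masked_db = bytearray(x ^ y for x, y in zip(db, mgf1(h, len(db), hash_name)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(msg, em, em_bits, salt_len=None, hash_name="sha256") -> bool:
    """salt_len=None models RSA_PSS_SALTLEN_AUTO: accept whatever salt length
    the encoding carries, which is why verification is unaffected by the
    change of signing default. A fixed salt_len is enforced exactly."""
    hlen, em_len = _hlen(hash_name), (em_bits + 7) // 8
    if len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h = em[: em_len - hlen - 1], em[em_len - hlen - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, len(masked_db), hash_name)))
    db[0] &= top_mask
    sep = db.find(b"\x01")
    if sep < 0 or any(db[:sep]):  # PS must be all zero, then the 0x01 separator
        return False
    salt = bytes(db[sep + 1 :])
    if salt_len is not None and len(salt) != salt_len:
        return False
    m_hash = hashlib.new(hash_name, msg).digest()
    h_expected = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h_expected, h)


if __name__ == "__main__":
    bits = 2047  # emBits = modBits - 1 for a 2048-bit RSA modulus
    print("max salt:", salt_len_max(bits, "sha256"),
          "digestmax:", salt_len_auto_digestmax(bits, "sha256"))
    em = emsa_pss_encode(b"signed data", bits, salt_len_auto_digestmax(bits, "sha256"))
    print("verify with auto salt length:", emsa_pss_verify(b"signed data", em, bits))
```

For a 2048-bit modulus with SHA-256 the two policies differ a lot (222 bytes of salt versus 32), and a verifier running in auto mode accepts either; a verifier pinned to one length rejects the other, which is the interoperability point to check when a peer's signing default changes. A 512-bit modulus with SHA-256 shows the "largest that fits" clause: the digest-length salt would not fit, so "auto-digestmax" drops to 30 bytes, while asking for the digest-length salt outright is an encoding error.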

[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]

 * Fixed NULL dereference during PKCS7 data verification.

   A NULL pointer can be dereferenced when signatures are being
   verified on PKCS7 signed or signedAndEnveloped data. In case the hash
   algorithm used for the signature is known to the OpenSSL library but
   the implementation of the hash algorithm is not available, the digest
   initialization will fail. There is a missing check for the return
   value from the initialization function which later leads to invalid
   usage of the digest API most likely leading to a crash.
   ([CVE-2023-0401])

   PKCS7 data is processed by the SMIME library calls and also by the
   time stamp (TS) library calls. The TLS implementation in OpenSSL does
   not call these functions; however, third-party applications would be
   affected if they call these functions to verify signatures on untrusted
   data.

   *Tomáš Mráz*

 * Fixed X.400 address type confusion in X.509 GeneralName.

   There is a type confusion vulnerability relating to X.400 address processing
   inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
   but the public structure definition for GENERAL_NAME incorrectly specified
   the type of the x400Address field as ASN1_TYPE. This field is subsequently
   interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
   than an ASN1_STRING.

   When CRL checking is enabled (i.e. the application sets the
   X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
   pass arbitrary pointers to a memcmp call, enabling them to read memory
   contents or enact a denial of service.
   ([CVE-2023-0286])

   *Hugo Landau*

 * Fixed NULL dereference validating DSA public key.

   An invalid pointer dereference on read can be triggered when an
   application tries to check a malformed DSA public key by the
   EVP_PKEY_public_check() function. This will most likely lead
   to an application crash. This function can be called on public
   keys supplied from untrusted sources which could allow an attacker
   to cause a denial of service attack.

   The TLS implementation in OpenSSL does not call this function
   but applications might call the function if there are additional
   security requirements imposed by standards such as FIPS 140-3.
   ([CVE-2023-0217])

   *Shane Lontis, Tomáš Mráz*

 * Fixed Invalid pointer dereference in d2i_PKCS7 functions.

   An invalid pointer dereference on read can be triggered when an
   application tries to load malformed PKCS7 data with the
   d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

   The result of the dereference is an application crash which could
   lead to a denial of service attack. The TLS implementation in OpenSSL
   does not call these functions; however, third-party applications might
   call them on untrusted data.
   ([CVE-2023-0216])

   *Tomáš Mráz*

 * Fixed Use-after-free following BIO_new_NDEF.

   The public API function BIO_new_NDEF is a helper function used for
   streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
   to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
   be called directly by end user applications.

   The function receives a BIO from the caller, prepends a new BIO_f_asn1
   filter BIO onto the front of it to form a BIO chain, and then returns
   the new head of the BIO chain to the caller. Under certain conditions,
   for example if a CMS recipient public key is invalid, the new filter BIO
   is freed and the function returns a NULL result indicating a failure.
   However, in this case, the BIO chain is not properly cleaned up and the
   BIO passed by the caller still retains internal pointers to the previously
   freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
   then a use-after-free will occur. This will most likely result in a crash.
   ([CVE-2023-0215])

   *Viktor Dukhovni, Matt Caswell*

 * Fixed Double free after calling PEM_read_bio_ex.

   The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
   decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
   data. If the function succeeds then the "name_out", "header" and "data"
   arguments are populated with pointers to buffers containing the relevant
   decoded data. The caller is responsible for freeing those buffers. It is
   possible to construct a PEM file that results in 0 bytes of payload data.
   In this case PEM_read_bio_ex() will return a failure code but will populate
   the header argument with a pointer to a buffer that has already been freed.
   If the caller also frees this buffer then a double free will occur. This
   will most likely lead to a crash.

   The functions PEM_read_bio() and PEM_read() are simple wrappers around
   PEM_read_bio_ex() and therefore these functions are also directly affected.

   These functions are also called indirectly by a number of other OpenSSL
   functions including PEM_X509_INFO_read_bio_ex() and
   SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
   internal uses of these functions are not vulnerable because the caller does
   not free the header argument if PEM_read_bio_ex() returns a failure code.
   ([CVE-2022-4450])

   *Kurt Roeckx, Matt Caswell*

 * Fixed Timing Oracle in RSA Decryption.

   A timing based side channel exists in the OpenSSL RSA Decryption
   implementation which could be sufficient to recover a plaintext across
   a network in a Bleichenbacher style attack. To achieve a successful
   decryption an attacker would have to be able to send a very large number
   of trial messages for decryption. The vulnerability affects all RSA padding
   modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
   ([CVE-2022-4304])

   *Dmitry Belyavsky, Hubert Kario*

 * Fixed X.509 Name Constraints Read Buffer Overflow.

   A read buffer overrun can be triggered in X.509 certificate verification,
   specifically in name constraint checking. The read buffer overrun might
   result in a crash which could lead to a denial of service attack.
   In a TLS client, this can be triggered by connecting to a malicious
   server. In a TLS server, this can be triggered if the server requests
   client authentication and a malicious client connects.
   ([CVE-2022-4203])

   *Viktor Dukhovni*

 * Fixed X.509 Policy Constraints Double Locking security issue.

   If an X.509 certificate contains a malformed policy constraint and
   policy processing is enabled, then a write lock will be taken twice
   recursively. On some operating systems (most widely: Windows) this
   results in a denial of service when the affected process hangs. Policy
   processing being enabled on a publicly facing server is not considered
   to be a common setup.
   ([CVE-2022-3996])

   *Paul Dale*

 * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
   `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
   `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
   default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting
   `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using
   `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases.
   For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
   for legacy EC and SM2 keys has also been changed to honor the
   equivalent conversion format flag as specified in the underlying
   `EC_KEY` object being exported to a provider, when this function is
   called through `EVP_PKEY_export()`.

   *Nicola Tuveri*

### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]

 * Fixed two buffer overflows in punycode decoding functions.

   A buffer overrun can be triggered in X.509 certificate verification,
   specifically in name constraint checking. Note that this occurs after
   certificate chain signature verification and requires either a CA to
   have signed the malicious certificate or for the application to continue
   certificate verification despite failure to construct a path to a trusted
   issuer.

   In a TLS client, this can be triggered by connecting to a malicious
   server. In a TLS server, this can be triggered if the server requests
   client authentication and a malicious client connects.

   An attacker can craft a malicious email address to overflow
   an arbitrary number of bytes containing the `.` character (decimal 46)
   on the stack. This buffer overflow could result in a crash (causing a
   denial of service).
   ([CVE-2022-3786])

   An attacker can craft a malicious email address to overflow four
   attacker-controlled bytes on the stack. This buffer overflow could
   result in a crash (causing a denial of service) or potentially remote code
   execution depending on stack layout for any given platform/compiler.
   ([CVE-2022-3602])

   *Paul Dale*

 * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
   parameters in OpenSSL code.
   Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
   OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
   Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
   Using these invalid names may cause algorithms to use slower methods
   that ignore the CRT parameters.

   *Shane Lontis*

 * Fixed a regression introduced in version 3.0.6 raising errors on some stack
   operations.

   *Tomáš Mráz*

 * Fixed a regression introduced in version 3.0.6 not refreshing the certificate
   data to be signed before signing the certificate.

   *Gibeom Gwon*

 * Added RIPEMD160 to the default provider.

   *Paul Dale*

 * Ensured that the key share group sent or accepted for the key exchange
   is allowed for the protocol version.

   *Matt Caswell*

### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]

 * OpenSSL supports creating a custom cipher via the legacy
   EVP_CIPHER_meth_new() function and associated function calls. This function
   was deprecated in OpenSSL 3.0 and application authors are instead encouraged
   to use the new provider mechanism in order to implement custom ciphers.

   OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers
   passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
   EVP_CipherInit_ex2() functions (as well as other similarly named encryption
   and decryption initialisation functions). Instead of using the custom cipher
   directly it incorrectly tries to fetch an equivalent cipher from the
   available providers. An equivalent cipher is found based on the NID passed to
   EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a
   given cipher. However it is possible for an application to incorrectly pass
   NID_undef as this value in the call to EVP_CIPHER_meth_new().
   When NID_undef
   is used in this way the OpenSSL encryption/decryption initialisation function
   will match the NULL cipher as being equivalent and will fetch this from the
   available providers. This will succeed if the default provider has been
   loaded (or if a third party provider has been loaded that offers this
   cipher). Using the NULL cipher means that the plaintext is emitted as the
   ciphertext.

   Applications are only affected by this issue if they call
   EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
   encryption/decryption initialisation function. Applications that only use
   SSL/TLS are not impacted by this issue.
   ([CVE-2022-3358])

   *Matt Caswell*

 * Fix LLVM vs Apple LLVM version numbering confusion that caused build failures
   on MacOS 10.11

   *Richard Levitte*

 * Fixed the linux-mips64 Configure target which was missing the
   SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
   platform.

   *Adam Joseph*

 * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a
   ticket

   *Matt Caswell*

 * Correctly handle a retransmitted ClientHello in DTLS

   *Matt Caswell*

 * Fixed detection of ktls support in cross-compile environment on Linux

   *Tomas Mraz*

 * Fixed some regressions and test failures when running the 3.0.0 FIPS provider
   against 3.0.x

   *Paul Dale*

 * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
   report correct results in some cases

   *Matt Caswell*

 * Fix UWP builds by defining VirtualLock

   *Charles Milette*

 * For known safe primes use the minimum key length according to RFC 7919.
   Longer private key sizes unnecessarily raise the cycles needed to compute the
   shared secret without any real increase in security.
   This fixes a
   regression relative to 1.1.1, which generated these shorter keys for the
   known safe primes.

   *Tomas Mraz*

 * Added the loongarch64 target

   *Shi Pujin*

 * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were
   only passed to the FIPS provider and not to the default or legacy provider.

   *Juergen Christ*

 * Fixed reported performance degradation on aarch64. Restored the
   implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
   32-bit lane assignment in CTR mode") for 64bit targets only, since it is
   reportedly 2-17% slower and the silicon erratum only affects 32bit targets.
   The new algorithm is still used for 32 bit targets.

   *Bernd Edlinger*

 * Added a missing header for memcmp that caused compilation failure on some
   platforms

   *Gregor Jasny*

### Changes between 3.0.4 and 3.0.5 [5 Jul 2022]

 * The OpenSSL 3.0.4 release introduced a serious bug in the RSA
   implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
   This issue makes the RSA implementation with 2048 bit private keys
   incorrect on such machines and memory corruption will happen during
   the computation. As a consequence of the memory corruption an attacker
   may be able to trigger a remote code execution on the machine performing
   the computation.

   SSL/TLS servers or other servers using 2048 bit RSA private keys running
   on machines supporting AVX512IFMA instructions of the X86_64 architecture
   are affected by this issue.
   ([CVE-2022-2274])

   *Xi Ruoyao*

 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
   implementation would not encrypt the entirety of the data under some
   circumstances. This could reveal sixteen bytes of data that was
   preexisting in the memory that wasn't written.
   In the special case of
   "in place" encryption, sixteen bytes of the plaintext would be revealed.

   Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
   they are both unaffected.
   ([C VE-2022-2097])

   *Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño*

### Changes between 3.0.3 and 3.0.4 [21 Jun 2022]

 * In addition to the c_rehash shell command injection identified in
   CVE-2022-1292, further bugs where the c_rehash script does not
   properly sanitise shell metacharacters to prevent command injection have been
   fixed.

   When CVE-2022-1292 was fixed it was not discovered that there
   are other places in the script where the file names of certificates
   being hashed were possibly passed to a command executed through the shell.

   This script is distributed by some operating systems in a manner where
   it is automatically executed. On such operating systems, an attacker
   could execute arbitrary commands with the privileges of the script.

   Use of the c_rehash script is considered obsolete and should be replaced
   by the OpenSSL rehash command line tool.
   (CVE-2022-2068)

   *Daniel Fiala, Tomáš Mráz*

 * Case insensitive string comparison no longer uses locales. It has instead
   been directly implemented.

   *Paul Dale*

### Changes between 3.0.2 and 3.0.3 [3 May 2022]

 * Case insensitive string comparison is reimplemented via new locale-agnostic
   comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
   comparison. The previous implementation had problems when the Turkish locale
   was used.

   *Dmitry Belyavskiy*

 * Fixed a bug in the c_rehash script which was not properly sanitising shell
   metacharacters to prevent command injection. This script is distributed by
   some operating systems in a manner where it is automatically executed.
   On
   such operating systems, an attacker could execute arbitrary commands with the
   privileges of the script.

   Use of the c_rehash script is considered obsolete and should be replaced
   by the OpenSSL rehash command line tool.
   (CVE-2022-1292)

   *Tomáš Mráz*

 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
   certificate on an OCSP response. The bug caused the function in the case
   where the (non-default) flag OCSP_NOCHECKS is used to return a positive
   response (meaning a successful verification) even in the case where the
   response signing certificate fails to verify.

   It is anticipated that most users of `OCSP_basic_verify` will not use the
   OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return
   a negative value (indicating a fatal error) in the case of a certificate
   verification failure. The normal expected return value in this case would be
   0.

   This issue also impacts the command line OpenSSL "ocsp" application. When
   verifying an ocsp response with the "-no_cert_checks" option the command line
   application will report that the verification is successful even though it
   has in fact failed. In this case the incorrect successful response will also
   be accompanied by error messages showing the failure and contradicting the
   apparently successful result.
   ([CVE-2022-1343])

   *Matt Caswell*

 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
   AAD data as the MAC key. This made the MAC key trivially predictable.

   An attacker could exploit this issue by performing a man-in-the-middle attack
   to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such
   that the modified data would still pass the MAC integrity check.

   Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
   endpoint will always be rejected by the recipient and the connection will
   fail at that point. Many application protocols require data to be sent from
   the client to the server first. Therefore, in such a case, only an OpenSSL
   3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.

   If both endpoints are OpenSSL 3.0 then the attacker could modify data being
   sent in both directions. In this case both clients and servers could be
   affected, regardless of the application protocol.

   Note that in the absence of an attacker this bug means that an OpenSSL 3.0
   endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
   the handshake when using this ciphersuite.

   The confidentiality of data is not impacted by this issue, i.e. an attacker
   cannot decrypt data that has been encrypted using this ciphersuite - they can
   only modify it.

   In order for this attack to work both endpoints must legitimately negotiate
   the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
   OpenSSL 3.0, and is not available within the default provider or the default
   ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been
   negotiated.
   In order for an OpenSSL 3.0 endpoint to use this ciphersuite the
   following must have occurred:

   1) OpenSSL must have been compiled with the (non-default) compile time option
      enable-weak-ssl-ciphers

   2) OpenSSL must have had the legacy provider explicitly loaded (either
      through application code or via configuration)

   3) The ciphersuite must have been explicitly added to the ciphersuite list

   4) The libssl security level must have been set to 0 (default is 1)

   5) A version of SSL/TLS below TLSv1.3 must have been negotiated

   6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
      others that both endpoints have in common
   (CVE-2022-1434)

   *Matt Caswell*

 * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
   occupied by the removed hash table entries.

   This function is used when decoding certificates or keys. If a long lived
   process periodically decodes certificates or keys its memory usage will
   expand without bounds and the process might be terminated by the operating
   system causing a denial of service. Also traversing the empty hash table
   entries will take increasingly more time.

   Typically such long lived processes might be TLS clients or TLS servers
   configured to accept client certificate authentication.
   (CVE-2022-1473)

   *Hugo Landau, Aliaksei Levin*

 * The functions `OPENSSL_LH_stats` and `OPENSSL_LH_stats_bio` now only report
   the `num_items`, `num_nodes` and `num_alloc_nodes` statistics. All other
   statistics are no longer supported. For compatibility, these statistics are
   still listed in the output but are now always reported as zero.

   *Hugo Landau*

### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]

 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
   for non-prime moduli.
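The BN_mod_sqrt() entry above is about an algorithm whose loops only provably terminate when the modulus is prime. The following added example, written for this page and not OpenSSL's code, shows the general Tonelli-Shanks algorithm with every prime-only assumption turned into a bounded check that fails cleanly. It deliberately omits the p = 3 (mod 4) and p = 5 (mod 8) shortcuts that OpenSSL has, and the composite inputs it uses (a = 16, p = 85 = 5 * 17, and a = 8, p = 9) are constructed for this implementation, not taken from the CVE: for (16, 85) the algorithm reaches a state with m = i = 1 from which an unbounded loop could never make progress, and for (8, 9) no quadratic non-residue exists, so an unbounded search for one would never stop.

```python
"""Tonelli-Shanks modular square root with bounded searches.

Added example, not OpenSSL's BN_mod_sqrt(): the general algorithm without
OpenSSL's p = 3 (mod 4) and p = 5 (mod 8) shortcuts. Every search that is
only guaranteed to terminate for prime p is bounded and turned into a clean
failure (None) instead of an infinite loop."""


def mod_sqrt(a: int, p: int):
    """Return x with x*x == a (mod p) for an odd prime p, else None.

    Callers who cannot trust p (parsed curve parameters, attacker supplied
    keys) get None for composite p instead of a hang."""
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    if p < 2 or p % 2 == 0:
        return None
    # Euler's criterion: for prime p this is exactly "a is a square".
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Write p - 1 = q * 2^e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1
    # Search for a quadratic non-residue z. For prime p half of all
    # candidates qualify; for composite p (e.g. p = 9) none may, so bound it.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z >= p:
            return None  # every residue tried: p cannot be prime
    c = pow(z, q, p)
    x = pow(a, (q + 1) // 2, p)
    t = pow(a, q, p)
    m = e
    while t != 1:
        # Find the least i, 0 < i < m, with t^(2^i) == 1. For prime p such
        # an i always exists; for composite p the squarings may cycle
        # without ever reaching 1, so stop at m.
        i, t2 = 1, t * t % p
        while t2 != 1:
            i += 1
            if i >= m:
                return None
            t2 = t2 * t2 % p
        if i >= m:
            return None  # i == m == 1 (e.g. a = 16, p = 85): no progress possible
        b = pow(c, 1 << (m - i - 1), p)
        m = i
        c = b * b % p
        t = t * c % p
        x = x * b % p
    # Belt and braces: a composite p can slip past the checks above.
    return x if x * x % p == a else None


def is_square_mod_prime(a: int, p: int) -> bool:
    """Euler's criterion, used for self-checking against a known prime."""
    return a % p == 0 or pow(a, (p - 1) // 2, p) == 1


if __name__ == "__main__":
    print(mod_sqrt(2, 7))      # a root of 2 modulo 7
    print(mod_sqrt(16, 85))    # 16 is 4*4, but 85 = 5*17 is composite: None
    print(mod_sqrt(8, 9))      # non-residue search exhausted: None
```

Returning None for a composite modulus even when a square root exists (16 = 4 * 4 mod 85) is the right trade: the caller asked for a root modulo a prime, and an input that is not prime is malformed data, exactly what crafted explicit curve parameters are. The same bounded-search discipline applies to any Tonelli-Shanks implementation that takes its modulus from the wire.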

   Internally this function is used when parsing certificates that contain
   elliptic curve public keys in compressed form or explicit elliptic curve
   parameters with a base point encoded in compressed form.

   It is possible to trigger the infinite loop by crafting a certificate that
   has invalid explicit curve parameters.

   Since certificate parsing happens prior to verification of the certificate
   signature, any process that parses an externally supplied certificate may thus
   be subject to a denial of service attack. The infinite loop can also be
   reached when parsing crafted private keys as they can contain explicit
   elliptic curve parameters.

   Thus vulnerable situations include:

   - TLS clients consuming server certificates
   - TLS servers consuming client certificates
   - Hosting providers taking certificates or private keys from customers
   - Certificate authorities parsing certification requests from subscribers
   - Anything else which parses ASN.1 elliptic curve parameters

   Also any other applications that use BN_mod_sqrt() where the attacker
   can control the parameter values are vulnerable to this DoS issue.
   ([CVE-2022-0778])

   *Tomáš Mráz*

 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
   to the list of ciphersuites providing Perfect Forward Secrecy as
   required by SECLEVEL >= 3.

   *Dmitry Belyavskiy, Nicola Tuveri*

 * Made the AES constant time code for no-asm configurations
   optional due to the resulting 95% performance degradation.
   The AES constant time code can be enabled, for no assembly
   builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME

   *Paul Dale*

 * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty
   passphrase strings.

   *Darshan Sen*

 * The negative return value handling of the certificate verification callback
   was reverted. The replacement is to set the verification retry state with
   the SSL_set_retry_verify() function.

   *Tomáš Mráz*

### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]

 * Fixed invalid handling of X509_verify_cert() internal errors in libssl.

   Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
   verify a certificate supplied by a server. That function may return a
   negative return value to indicate an internal error (for example out of
   memory). Such a negative return value is mishandled by OpenSSL and will cause
   an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
   success and a subsequent call to SSL_get_error() to return the value
   SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
   returned by OpenSSL if the application has previously called
   SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
   the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
   totally unexpected and applications may not behave correctly as a result. The
   exact behaviour will depend on the application but it could result in
   crashes, infinite loops or other similar incorrect responses.

   This issue is made more serious in combination with a separate bug in OpenSSL
   3.0 that will cause X509_verify_cert() to indicate an internal error when
   processing a certificate chain. This will occur where a certificate does not
   include the Subject Alternative Name extension but where a Certificate
   Authority has enforced name constraints. This issue can occur even with valid
   chains.
   ([CVE-2021-4044])

   *Matt Caswell*

 * Corrected a few file name and file reference bugs in the build,
   installation and setup scripts, which led to installation verification
   failures. Slightly enhanced the installation verification script.

   *Richard Levitte*

 * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private
   keys.

   *Richard Levitte*

 * Fixed PVK encoder to properly query for the passphrase.

   *Tomáš Mráz*

 * Multiple fixes in the OSSL_HTTP API functions.

   *David von Oheimb*

 * Allow sign extension in OSSL_PARAM_allocate_from_text() for the
   OSSL_PARAM_INTEGER data type and return error on negative numbers
   used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make
   OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.

   *Richard Levitte*

 * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.

   *Tomáš Mráz*

 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.

   *Allan Jude*

 * Multiple threading fixes.

   *Matt Caswell*

 * Added NULL digest implementation to keep compatibility with 1.1.1 version.

   *Tomáš Mráz*

 * Allow fetching an operation from the provider that owns an unexportable key
   as a fallback if that is still allowed by the property query.

   *Richard Levitte*

### Changes between 1.1.1 and 3.0.0 [7 Sep 2021]

 * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
   deprecated.

   *Matt Caswell*

 * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
   S390X capability vector to zero. This simplifies testing of different code
   paths on S390X architecture.

   *Patrick Steuer*

 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
   as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
   SP 800-38D". The communication will fail at this point.

   *Paul Dale*

 * The EC_GROUP_clear_free() function is deprecated as there is nothing
   confidential in EC_GROUP data.

   *Nicola Tuveri*

 * The byte order mark (BOM) character is ignored if encountered at the
   beginning of a PEM-formatted file.

   *Dmitry Belyavskiy*

 * Added CMS support for the Russian GOST algorithms.

   *Dmitry Belyavskiy*

 * Due to the move of the implementation of cryptographic operations
   to the providers, validation of various operation parameters can
   be postponed until the actual operation is executed where previously
   it happened immediately when an operation parameter was set.

   For example when setting an unsupported curve with
   EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not
   fail but later keygen operations with the EVP_PKEY_CTX will fail.

   *OpenSSL team members and many third party contributors*

 * The EVP_get_cipherbyname() function will return NULL for algorithms such as
   "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
   previously only accessible via low-level interfaces. Use EVP_CIPHER_fetch()
   instead to retrieve these algorithms from a provider.

   *Shane Lontis*

 * On build targets where the multilib postfix is set in the build
   configuration the libdir directory was changing based on whether
   the lib directory with the multilib postfix exists on the system
   or not. This unpredictable behavior was removed and any
   multilib postfix is now always added to the default libdir. Use
   `--libdir=lib` to override the libdir if adding the postfix is
   undesirable.

   *Jan Lána*

 * The triple DES key wrap functionality now conforms to RFC 3217 but is
   no longer interoperable with OpenSSL 1.1.1.

   *Paul Dale*

 * The ERR_GET_FUNC() function was removed. With the loss of meaningful
   function codes, this function can only cause problems for calling
   applications.

   *Paul Dale*

 * Add a configurable flag to output date formats as ISO 8601. Does not
   change the default date format.

   *William Edmisten*

 * Versions of MSVC earlier than 1300 could get link warnings, which could
   be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
   Support for this flag has been removed.

   *Rich Salz*

 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
   -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
   printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG.
   Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
   also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.

   *Rich Salz*

 * The signatures of the functions to get and set options on SSL and
   SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
   Some source code changes may be required.

   *Rich Salz*

 * The public definitions of conf_method_st and conf_st have been
   deprecated. They will be made opaque in a future release.

   *Rich Salz and Tomáš Mráz*

 * Client-initiated renegotiation is disabled by default. To allow it, use
   the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
   flag, or the "ClientRenegotiation" config parameter as appropriate.

   *Rich Salz*

 * Add "abspath" and "includedir" pragmas to config files, to prevent
   or modify relative pathname inclusion.

   *Rich Salz*

 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
   validated. Please consult the README-FIPS and
   README-PROVIDERS files, as well as the migration guide.

   *OpenSSL team members and many third party contributors*

 * For the key types DH and DHX the allowed settable parameters are now different.

   *Shane Lontis*

 * The openssl commands that read keys, certificates, and CRLs now
   automatically detect the PEM or DER format of the input files.

   *David von Oheimb, Richard Levitte, and Tomáš Mráz*

 * Added enhanced PKCS#12 APIs which accept a library context.

   *Jon Spillett*

 * The default manual page suffix ($MANSUFFIX) has been changed to "ossl".

   *Matt Caswell*

 * Added support for Kernel TLS (KTLS).

   *Boris Pismenny, John Baldwin and Andrew Gallatin*

 * Support for RFC 5746 secure renegotiation is now required by default for
   SSL or TLS connections to succeed.

   *Benjamin Kaduk*

 * The signature of the `copy` functional parameter of the
   EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
   now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
   the signature of the `pub_decode` functional parameter of the
   EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
   now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.

   *David von Oheimb*

 * The error return values from some control calls (ctrl) have changed.

   *Paul Dale*

 * A public key check is now performed during EVP_PKEY_derive_set_peer().

   *Shane Lontis*

 * Many functions in the EVP_ namespace that are getters of values from
   implementations or contexts were renamed to include get or get0 in their
   names. Old names are provided as macro aliases for compatibility and
   are not deprecated.

   *Tomáš Mráz*

 * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
   EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
   EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
   are deprecated.

   *Tomáš Mráz*

 * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
   more key types.

 * The output from the command line applications may have minor
   changes.

   *Paul Dale*

 * The output from numerous "printing" functions may have minor changes.

   *David von Oheimb*

 * Windows thread synchronization uses read/write primitives (SRWLock) when
   supported by the OS, otherwise CriticalSection continues to be used.

   *Vincent Drake*

 * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to
   work on read only BIO source/sinks that do not support these functions.
   This allows piping or redirection of a file BIO using stdin to be buffered
   into memory. This is used internally in OSSL_DECODER_from_bio().

   *Shane Lontis*

 * OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1
   this function would return one of the values OSSL_STORE_INFO_NAME,
   OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or
   OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported
   as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now
   reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications
   using this function should be amended to handle the changed return value.

   *Richard Levitte*

 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
   for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
   As required by RFC 5035, check both ESSCertID and ESSCertIDv2 if both are present.
   Correct the semantics of checking the validation chain in case ESSCertID{,v2}
   contains more than one certificate identifier: this means that all
   certificates referenced there MUST be part of the validation chain.

   *David von Oheimb*

 * The implementations of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
   RC5, DESX and DES have been moved to the legacy provider.

   *Matt Caswell*

 * The implementations of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
   RIPEMD-160 have been moved to the legacy provider.

   *Matt Caswell*

 * The deprecated function EVP_PKEY_get0() now returns NULL when called for a
   provided key.

   *Dmitry Belyavskiy*

 * The deprecated functions EVP_PKEY_get0_RSA(),
   EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(),
   EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as
   well as the similarly named "get1" functions behave differently in
   OpenSSL 3.0.

   *Matt Caswell*

 * A number of functions handling low-level keys or engines were deprecated
   including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(),
   EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
   EVP_PKEY_get0_siphash().

   *Matt Caswell*

 * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into
   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
   will need to load the legacy crypto provider. This includes these PBE
   algorithms which use this KDF:
   - NID_pbeWithMD2AndDES_CBC
   - NID_pbeWithMD5AndDES_CBC
   - NID_pbeWithSHA1AndRC2_CBC
   - NID_pbeWithMD2AndRC2_CBC
   - NID_pbeWithMD5AndRC2_CBC
   - NID_pbeWithSHA1AndDES_CBC

   *Jon Spillett*

 * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and
   BIO_debug_callback() functions.

   *Tomáš Mráz*

 * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
   EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.

   *Tomáš Mráz*

 * The RAND_METHOD APIs have been deprecated.

   *Paul Dale*

 * The SRP APIs have been deprecated.

   *Matt Caswell*

 * Add a compile time option to prevent the caching of provider fetched
   algorithms. This is enabled by including the no-cached-fetch option
   at configuration time.

   *Paul Dale*

 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
   count of PKCS12_DEFAULT_ITER.

   *Tomáš Mráz and Sahana Prasad*

 * The openssl speed command does not use low-level API calls anymore.

   *Tomáš Mráz*

 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
   capable processors.

   *Ilya Albrekht, Sergey Kirillov, Andrey Matyukov (Intel Corp)*

 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.

   *Matt Caswell*

 * Implemented support for fully "pluggable" TLSv1.3 groups. This means that
   providers may supply their own group implementations (using either the "key
   exchange" or the "key encapsulation" methods) which will automatically be
   detected and used by libssl.

   *Matt Caswell, Nicola Tuveri*

 * The undocumented function X509_certificate_type() has been deprecated.

   *Rich Salz*

 * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().

   *Tomáš Mráz*

 * Removed RSA padding mode for SSLv23 (which was only used for
   SSLv2). This includes the functions RSA_padding_check_SSLv23() and
   RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
   `rsautl` command.

   *Rich Salz*

 * Deprecated the obsolete X9.31 RSA key generation related functions.

 * While a callback function set via `SSL_CTX_set_cert_verify_callback()`
   is not allowed to return a value > 1, this is no longer taken as failure.

   *Viktor Dukhovni and David von Oheimb*

 * Deprecated the obsolete X9.31 RSA key generation related functions
   BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
   BN_X931_generate_prime_ex().

   *Tomáš Mráz*

 * The default key generation method for the regular 2-prime RSA keys was
   changed to the FIPS 186-4 B.3.6 method.

   *Shane Lontis*

 * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.

   *Kurt Roeckx*

 * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().

   *Rich Salz*

 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and
   replaced them with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().

   *Rich Salz, Richard Levitte, and David von Oheimb*

 * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.

   *David von Oheimb*

 * Deprecated `OCSP_parse_url()`.

   *David von Oheimb*

 * Validation of SM2 keys has been separated from the validation of regular EC
   keys.

   *Nicola Tuveri*

 * The behavior of the `pkey` command is changed when using the `-check` or
   `-pubcheck` switches: a validation failure triggers an early exit, returning
   a failure exit status to the parent process.

   *Nicola Tuveri*

 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
   to ignore unknown ciphers.

   *Otto Hollmann*

 * The `-cipher-commands` and `-digest-commands` options
   of the command line utility `list` have been deprecated.
   Instead use the `-cipher-algorithms` and `-digest-algorithms` options.

   *Dmitry Belyavskiy*

 * Added convenience functions for generating asymmetric key pairs:
   The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
   and macros for the most common cases: L<EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.

   *David von Oheimb*

 * All of the low-level EC_KEY functions have been deprecated.

   *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*

 * Deprecated all the libcrypto and libssl error string loading
   functions.

   *Richard Levitte*

 * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
   well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
   deprecated.

   *Matt Caswell*

 * The `-crypt` option to the `passwd` command line tool has been removed.

   *Paul Dale*

 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
   was removed.

   *Rich Salz*

 * Add support for AES Key Wrap inverse ciphers to the EVP layer.

   *Shane Lontis*

 * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
   EVP_PKEY_get1_tls_encodedpoint().

   *Matt Caswell*

 * The security callback, which can be customised by application code, supports
   the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter
   was incorrectly passing a DH object. It now passes an EVP_PKEY in all cases.

   *Matt Caswell*

 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
   interface. Their functionality remains unchanged.

   *Jordan Montgomery*

 * Added new option for 'openssl list', '-providers', which will display the
   list of loaded providers, their names, version and status. It optionally
   displays their gettable parameters.

   *Paul Dale*

 * Removed EVP_PKEY_set_alias_type().

   *Richard Levitte*

 * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
   `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.

   *Jeremy Walch*

 * Changed all "STACK" functions to be macros instead of inline functions. Macro
   parameters are still checked for type safety at compile time via helper
   inline functions.

   *Matt Caswell*

 * Removed the RAND_DRBG API.

   *Paul Dale and Matthias St. Pierre*

 * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
   as well as actual hostnames.

   *David Woodhouse*

 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
   conversely, silently ignore DTLS protocol version bounds when configuring
   TLS-based contexts. The commands can be repeated to set bounds of both
   types. The same applies with the corresponding "min_protocol" and
   "max_protocol" command-line switches, in case some application uses both TLS
   and DTLS.

   SSL_CTX instances that are created for a fixed protocol version (e.g.
   `TLSv1_server_method()`) also silently ignore version bounds. Previously
   attempts to apply bounds to these protocol versions would result in an
   error. Now only the "version-flexible" SSL_CTX instances are subject to
   limits in configuration files and command-line options.

   *Viktor Dukhovni*

 * Deprecated the `ENGINE` API. Engines should be replaced with providers
   going forward.

   *Paul Dale*

 * Reworked the recorded ERR codes to make better space for system errors.
   To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
   given code is a system error (true) or an OpenSSL error (false).

   *Richard Levitte*

 * Reworked the test perl framework to better allow parallel testing.

   *Nicola Tuveri and David von Oheimb*

 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
   AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.

   *Shane Lontis*

 * 'Configure' has been changed to figure out the configuration target if
   none is given on the command line. Consequently, the 'config' script is
   now only a mere wrapper. All documentation is changed to only mention
   'Configure'.

   *Rich Salz and Richard Levitte*

 * Added a library context `OSSL_LIB_CTX` that applications as well as
   other libraries can use to form a separate context within which
   libcrypto operations are performed.

   *Richard Levitte*

 * Added various `_ex` functions to the OpenSSL API that support using
   a non-default `OSSL_LIB_CTX`.

   *OpenSSL team*

 * Handshake now fails if the Extended Master Secret extension is dropped
   on renegotiation.

   *Tomáš Mráz*

 * Dropped interactive mode from the `openssl` program.

   *Richard Levitte*

 * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.

   *David von Oheimb and Shane Lontis*

 * Deprecated `EC_METHOD_get_field_type()`.

   *Billy Bob Brumley*

 * Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
   EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method(),
   EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().

   *Billy Bob Brumley*

 * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().

   *Billy Bob Brumley*

 * Add CAdES-BES signature verification support, mostly derived
   from the ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.

   *Filipe Raimundo da Silva*

 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.

   *Antonio Iacono*

 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
   parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).

   *Jakub Zelenka*

 * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().

   *Billy Bob Brumley*

 * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
   EC_KEY_precompute_mult().

   *Billy Bob Brumley*

 * Deprecated EC_POINTs_mul().

   *Billy Bob Brumley*

 * Removed FIPS_mode() and FIPS_mode_set().

   *Shane Lontis*

 * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.

   *Dmitry Belyavskiy*

 * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
   EC_POINT_get_Jprojective_coordinates_GFp().

   *Billy Bob Brumley*

 * Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM
   arrays to be more easily constructed via a series of utility functions.
   Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
   the various push functions and finally convert to a passable OSSL_PARAM
   array using OSSL_PARAM_BLD_to_param().

   *Paul Dale*

 * The security strength of SHA1 and MD5 based signatures in TLS has been
   reduced.

   *Kurt Roeckx*

 * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
   contain a provider side internal key.

   *Richard Levitte*

 * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.

   *Richard Levitte*

 * Project text documents not yet having a proper file name extension
   (`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to
   `*.md` as far as reasonable, else `*.txt`, for better use with file managers.

   *David von Oheimb*

 * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
   have been converted to Markdown with the goal to produce documents
   which not only look pretty when viewed online in the browser, but
   remain well readable inside a plain text editor.

   To achieve this goal, a 'minimalistic' Markdown style has been applied
   which avoids formatting elements that interfere too much with the
   reading flow in the text file. For example, it

   * avoids [ATX headings][] and uses [setext headings][] instead
     (which works for `<h1>` and `<h2>` headings only).
   * avoids [inline links][] and uses [reference links][] instead.
   * avoids [fenced code blocks][] and uses [indented code blocks][] instead.

   [ATX headings]: https://github.github.com/gfm/#atx-headings
   [setext headings]: https://github.github.com/gfm/#setext-headings
   [inline links]: https://github.github.com/gfm/#inline-link
   [reference links]: https://github.github.com/gfm/#reference-link
   [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
   [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks

   *Matthias St. Pierre*

 * The test suite is changed to preserve results of each test recipe.
   A new directory test-runs/ with subdirectories named like the
   test recipes is created in the build tree for this purpose.

   *Richard Levitte*

 * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211, RFC 6712).
   This adds `crypto/cmp/`, `crypto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
   See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.

   *David von Oheimb, Martin Peylo*

 * Generalized the HTTP client code from `crypto/ocsp/` into `crypto/http/`.
   It supports arbitrary request and response content types, GET redirection,
   TLS, connections via HTTP(S) proxies, connections and exchange via
   user-defined BIOs (allowing implicit connections), persistent connections,
   and timeout checks. See L<OSSL_HTTP_transfer(3)> etc. for details.
   The legacy OCSP-focused (and only partly documented) API
   is retained for backward compatibility, while most of it is deprecated.

   *David von Oheimb*

 * Added `util/check-format.pl`, a tool for checking adherence to the
   OpenSSL coding style <https://www.openssl.org/policies/codingstyle.html>.
   The checks performed are incomplete and yield some false positives.
   Still the tool should be useful for detecting most typical glitches.

   *David von Oheimb*

 * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
   If domain name resolution yields multiple IP addresses all of them are tried
   after `connect()` failures.

   *David von Oheimb*

 * All of the low-level RSA functions have been deprecated.

   *Paul Dale*

 * X509 certificates signed using SHA1 are no longer allowed at security
   level 1 and above.

   *Kurt Roeckx*

 * The command line utilities dhparam, dsa, gendsa and dsaparam have been
   modified to use PKEY APIs. These commands are now in maintenance mode
   and no new features will be added to them.

   *Paul Dale*

 * The command line utility rsautl has been deprecated.

   *Paul Dale*

 * The command line utilities genrsa and rsa have been modified to use PKEY
   APIs. They now write PKCS#8 keys by default. These commands are now in
   maintenance mode and no new features will be added to them.

   *Paul Dale*

 * All of the low-level DH functions have been deprecated.

   *Paul Dale and Matt Caswell*

 * All of the low-level DSA functions have been deprecated.

   *Paul Dale*

 * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
   automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.

   *Richard Levitte*

 * Deprecated low-level ECDH and ECDSA functions.

   *Paul Dale*

 * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().

   *Richard Levitte*

 * Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits()
   and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed
   a new formulation to include all the things it can be used for,
   as well as words of caution.

   *Richard Levitte*

 * The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.

   *Paul Dale*

 * All of the low-level HMAC functions have been deprecated.

   *Paul Dale and David von Oheimb*

 * Over two thousand fixes were made to the documentation, including:
   - Common options (such as -rand/-writerand, TLS version control, etc)
     were refactored and point to newly-enhanced descriptions in openssl.pod.
   - Added style conformance for all options (with help from Richard Levitte),
     documented all reported missing options, added a CI build to check
     that all options are documented and that no unimplemented options
     are documented.
   - Documented some internals, such as all use of environment variables.
   - Addressed all internal broken L<> references.

   *Rich Salz*

 * All of the low-level CMAC functions have been deprecated.

   *Paul Dale*

 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
   functions have been deprecated.

   *Paul Dale and David von Oheimb*

 * Corrected the documentation of the return values from the `EVP_DigestSign*`
   set of functions.
   The documentation mentioned negative values for some
   errors, but this was never the case, so the mention of negative values
   was removed.

   Code that followed the documentation and thereby checks with something
   like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.

   *Richard Levitte*

 * All of the low-level cipher functions have been deprecated.

   *Matt Caswell and Paul Dale*

 * Removed include/openssl/opensslconf.h.in and replaced it with
   include/openssl/configuration.h.in, which differs in not including
   <openssl/macros.h>. A short header include/openssl/opensslconf.h
   was added to include both.

   This allows internal hacks where one might need to modify the set
   of configured macros, for example this, if deprecated symbols are
   still supposed to be available internally:

       #include <openssl/configuration.h>

       #undef OPENSSL_NO_DEPRECATED
       #define OPENSSL_SUPPRESS_DEPRECATED

       #include <openssl/macros.h>

   This should not be used by applications that use the exported
   symbols, as that will lead to linking errors.

   *Richard Levitte*

 * Fixed an overflow bug in the x86_64 Montgomery squaring procedure
   used in exponentiation with 512-bit moduli. No EC algorithms are
   affected. Analysis suggests that attacks against 2-prime RSA1024,
   3-prime RSA1536, and DSA1024 as a result of this defect would be very
   difficult to perform and are not believed likely. Attacks against DH512
   are considered just feasible. However, for an attack the target would
   have to reuse the DH512 private key, which is not recommended anyway.
   Also applications directly using the low-level API BN_mod_exp may be
   affected if they use BN_FLG_CONSTTIME.
   ([CVE-2019-1551])

   *Andy Polyakov*

 * Most memory-debug features have been deprecated, and the functionality
   replaced with no-ops.

   *Rich Salz*

 * Added documentation for the STACK API.

   *Rich Salz*

 * Introduced a new method type and API, OSSL_ENCODER, to represent
   generic encoders. These do the same sort of job that PEM writers
   and i2d functions do, but with support for methods supplied by
   providers, and the possibility for providers to support other
   formats as well.

   *Richard Levitte*

 * Introduced a new method type and API, OSSL_DECODER, to represent
   generic decoders. These do the same sort of job that PEM readers
   and d2i functions do, but with support for methods supplied by
   providers, and the possibility for providers to support other
   formats as well.

   *Richard Levitte*

 * Added a .pragma directive to the syntax of configuration files, to
   allow varying behavior in a supported and predictable manner.
   Currently added pragma:

       .pragma dollarid:on

   This allows dollar signs to be a keyword character unless it's
   followed by an opening brace or parenthesis. This is useful for
   platforms where dollar signs are commonly used in names, such as
   volume names and system directory names on VMS.

   *Richard Levitte*

 * Added functionality to create an EVP_PKEY from user data.

   *Richard Levitte*

 * Change the interpretation of the '--api' configuration option to
   mean that this is a desired API compatibility level with no
   further meaning. The previous interpretation, that this would
   also mean to remove all deprecated symbols up to and including
   the given version, now requires that 'no-deprecated' is also used
   in the configuration.

   When building applications, the desired API compatibility level
   can be set with the OPENSSL_API_COMPAT macro like before.
   For API compatibility versions below 3.0, the old style numerical
   value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
   For version 3.0 and on, the value is expected to be the decimal
   value calculated from the major and minor version like this:

       MAJOR * 10000 + MINOR * 100

   Examples:

       -DOPENSSL_API_COMPAT=30000             For 3.0
       -DOPENSSL_API_COMPAT=30200             For 3.2

   To hide declarations that are deprecated up to and including the
   given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
   given when building the application as well.

   *Richard Levitte*

 * Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
   access to certificate and CRL stores via URIs and OSSL_STORE
   loaders.

   This adds the following functions:

   - X509_LOOKUP_store()
   - X509_STORE_load_file()
   - X509_STORE_load_path()
   - X509_STORE_load_store()
   - SSL_add_store_cert_subjects_to_stack()
   - SSL_CTX_set_default_verify_store()
   - SSL_CTX_load_verify_file()
   - SSL_CTX_load_verify_dir()
   - SSL_CTX_load_verify_store()

   *Richard Levitte*

 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
   The presence of this system service is determined at run-time.

   *Richard Levitte*

 * Added functionality to create an EVP_PKEY context based on data
   for methods from providers. This takes an algorithm name and a
   property query string and simply stores them, with the intent
   that any operation that uses this context will use those strings
   to fetch the needed methods implicitly, thereby making the port
   of applications written for pre-3.0 OpenSSL easier.

   *Richard Levitte*

 * The undocumented function NCONF_WIN32() has been deprecated; for
   conversion details see the HISTORY section of doc/man5/config.pod.

   *Rich Salz*

 * Introduced the new functions EVP_DigestSignInit_ex() and
   EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
   EVP_DigestVerifyUpdate() have been converted to functions. See the man
   pages for further details.

   *Matt Caswell*

 * Over two thousand fixes were made to the documentation, including:
   adding missing command flags, better style conformance, documentation
   of internals, etc.

   *Rich Salz, Richard Levitte*

 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
   X25519, X448, Ed25519 and Ed448.

   *Patrick Steuer*

 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
   the first value.

   *Jon Spillett*

 * Deprecated the public definition of `ERR_STATE` as well as the function
   `ERR_get_state()`. This is done in preparation of making `ERR_STATE` an
   opaque type.

   *Richard Levitte*

 * Added ERR functionality to give callers access to the stored function
   names that have replaced the older function code based functions.

   New functions are ERR_peek_error_func(), ERR_peek_last_error_func(),
   ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(),
   ERR_peek_error_all() and ERR_peek_last_error_all().

   Deprecated the ERR functions ERR_get_error_line(), ERR_get_error_line_data(),
   ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
   ERR_func_error_string().

   *Richard Levitte*

 * Extended testing to be verbose for failing tests only. The make variables
   VERBOSE_FAILURE or VF can be used to enable this:

       $ make VF=1 test                           # Unix
       $ mms /macro=(VF=1) test                   ! OpenVMS
       $ nmake VF=1 test                          # Windows

   *Richard Levitte*

 * Added the `-copy_extensions` option to the `x509` command for use with
   `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
   all extensions in the request are copied to the certificate or vice versa.

   *David von Oheimb*, *Kirill Stefanenkov <kirill_stefanenkov@rambler.ru>*

 * Added the `-copy_extensions` option to the `req` command for use with
   `-x509`. When given with the `copy` or `copyall` argument,
   all extensions in the certification request are copied to the certificate.

   *David von Oheimb*

 * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
   they generate are by default RFC 5280 compliant in the following sense:
   There is a subjectKeyIdentifier extension with a hash value of the public key
   and for not self-signed certs there is an authorityKeyIdentifier extension
   with a keyIdentifier field or issuer information identifying the signing key.
   This is done unless some configuration overrides the new default behavior,
   such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.

   *David von Oheimb*

 * Added several checks to `X509_verify_cert()` according to requirements in
   RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set
   (which may be done by using the CLI option `-x509_strict`):
   * The basicConstraints of CA certificates must be marked critical.
   * CA certificates must explicitly include the keyUsage extension.
   * If a pathlenConstraint is given the key usage keyCertSign must be allowed.
   * The issuer name of any certificate must not be empty.
   * The subject name of CA certs, certs with keyUsage crlSign,
     and certs without subjectAlternativeName must not be empty.
   * If a subjectAlternativeName extension is given it must not be empty.
   * The signatureAlgorithm field and the cert signature must be consistent.
   * Any given authorityKeyIdentifier and any given subjectKeyIdentifier
     must not be marked critical.
   * The authorityKeyIdentifier must be given for X.509v3 certs
     unless they are self-signed.
   * The subjectKeyIdentifier must be given for all X.509v3 CA certs.

   *David von Oheimb*

 * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys
   with explicit curve parameters (specifiedCurve) as required by RFC 5480.

   *Tomáš Mráz*

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext. If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a workaround for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.

   *Bernd Edlinger*

 * Early start up entropy quality from the DEVRANDOM seed source has been
   improved for older Linux systems. The RAND subsystem will wait for
   /dev/random to be producing output before seeding from /dev/urandom.
   The seeded state is stored for future library initialisations using
   a system global shared memory segment. The shared memory identifier
   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
   the desired value. The default identifier is 114.

   *Paul Dale*

 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
   when primes for RSA keys are computed.
   Since we previously always generated primes == 2 (mod 3) for RSA keys,
   the 2-prime and 3-prime RSA moduli were easy to distinguish, since
   `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore, fingerprinting
   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
   This avoids possible fingerprinting of newly generated RSA moduli.

   *Bernd Edlinger*

 * Correct the extended master secret constant on EBCDIC systems. Without this
   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
   negotiate EMS will fail. Unfortunately this also means that TLS connections
   between EBCDIC systems with this fix, and EBCDIC systems without this
   fix will fail if they negotiate EMS.

   *Matt Caswell*

 * Changed the library initialisation so that the config file is now loaded
   by default. This was already the case for libssl. It now occurs for both
   libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
   `OPENSSL_init_crypto()` to suppress automatic loading of a config file.

   *Matt Caswell*

 * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
   where the former acts as a replacement for `ERR_put_error()`, and the
   latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`.
   `ERR_raise_data()` adds more flexibility by taking a format string and
   an arbitrary number of arguments following it, to be processed with
   `BIO_snprintf()`.

   *Richard Levitte*

 * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used
   to check if a named provider is loaded and available. When called, it
   will also activate all fallback providers if such are still present.

   *Richard Levitte*

 * Enforce a minimum DH modulus size of 512 bits.

   *Bernd Edlinger*

 * Changed DH parameters to generate the order q subgroup instead of 2q.
   Previously generated DH parameters are still accepted by DH_check
   but DH_generate_key works around that by clearing bit 0 of the
   private key for those. This avoids leaking bit 0 of the private key.

   *Bernd Edlinger*

 * Significantly reduce secure memory usage by the randomness pools.

   *Paul Dale*

 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
   deprecated.

   *Rich Salz*

 * A new type, EVP_KEYEXCH, has been introduced to represent key exchange
   algorithms. An implementation of a key exchange algorithm can be obtained
   by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
   used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
   the older EVP_PKEY_derive_init() function. See the man pages for the new
   functions for further details.

   *Matt Caswell*

 * The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.

   *Matt Caswell*

 * Removed the function names from error messages and deprecated the
   xxx_F_xxx defines.

   *Richard Levitte*

 * Removed NextStep support and the macro OPENSSL_UNISTD

   *Rich Salz*

 * Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL,
   OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
   Also removed "export var as function" capability; we do not export
   variables, only functions.

   *Rich Salz*

 * RC5_32_set_key has been changed to return an int type, with 0 indicating
   an error and 1 indicating success. In previous versions of OpenSSL this
   was a void type. If a key was set longer than the maximum possible this
   would crash.

   *Matt Caswell*

 * Support SM2 signing and verification schemes with X509 certificate.

   *Paul Yang*

 * Use SHA256 as the default digest for TS query in the `ts` app.

   *Tomáš Mráz*

 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.

   *Shane Lontis*

 * Default cipher lists/suites are now available via a function, the
   #defines are deprecated.

   *Todd Short*

 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
   VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
   for Windows Store apps easier. Also, the "no-uplink" option has been added.
   *Kenji Mouri*

 * Join the directories crypto/x509 and crypto/x509v3

   *Richard Levitte*

 * Added command 'openssl kdf' that uses the EVP_KDF API.

   *Shane Lontis*

 * Added command 'openssl mac' that uses the EVP_MAC API.

   *Shane Lontis*

 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
   as default directories. Also added the command 'openssl info'
   for scripting purposes.

   *Richard Levitte*

 * The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
   deprecated.

   *Matt Caswell*

 * Add prediction resistance to the DRBG reseeding process.

   *Paul Dale*

 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
   mandated by IEEE Std 1619-2018.

   *Paul Dale*

 * Added newline escaping functionality to a filename when using openssl dgst.
   This output format is to replicate the output format found in the `*sum`
   checksum programs. This aims to preserve backward compatibility.

   *Matt Eaton, Richard Levitte, and Paul Dale*

 * Removed the DTLS heartbeat message feature, as it has very
   little usage and doesn't seem to fulfill a valuable purpose.
   The configuration option is now deprecated.

   *Richard Levitte*

 * Changed the output of 'openssl {digestname} < file' to display the
   digest name in its output.

   *Richard Levitte*

 * Added a new generic trace API which provides support for enabling
   instrumentation through trace output.

   *Richard Levitte & Matthias St. Pierre*

 * Added build tests for C++. These are generated files that only do one
   thing, to include one public OpenSSL header file each. This tests that
   the public header files can be usefully included in a C++ application.

   This test isn't enabled by default. It can be enabled with the option
   'enable-buildtest-c++'.

   *Richard Levitte*

 * Added KB KDF (EVP_KDF_KB) to EVP_KDF.

   *Robbie Harwood*

 * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.

   *Simo Sorce*

 * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.

   *Shane Lontis*

 * Added KMAC to EVP_MAC.

   *Shane Lontis*

 * Added property based algorithm implementation selection framework to
   the core.

   *Paul Dale*

 * Added SCA hardening for modular field inversion in EC_GROUP through
   a new dedicated field_inv() pointer in EC_METHOD.
   This also addresses a leakage affecting conversions from projective
   to affine coordinates.

   *Billy Bob Brumley, Nicola Tuveri*

 * Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
   implementations. This includes an EVP_PKEY to EVP_KDF bridge for
   those algorithms that were already supported through the EVP_PKEY API
   (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
   and scrypt are now wrappers that call EVP_KDF.

   *David Makepeace*

 * Build devcrypto engine as a dynamic engine.

   *Eneas U de Queiroz*

 * Add keyed BLAKE2 to EVP_MAC.

   *Antoine Salon*

 * Fix a bug in the computation of the endpoint-pair shared secret used
   by DTLS over SCTP. This breaks interoperability with older versions
   of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
   switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
   interoperability with such broken implementations. However, enabling
   this switch breaks interoperability with correct implementations.

 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
   reused X509_PUBKEY object if the second PUBKEY is malformed.
   *Bernd Edlinger*

 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().

   *Richard Levitte*

 * Changed the license to the Apache License v2.0.

   *Richard Levitte*

 * Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.

   - Major releases (indicated by incrementing the MAJOR release number)
     may introduce incompatible API/ABI changes.
   - Minor releases (indicated by incrementing the MINOR release number)
     may introduce new features but retain API/ABI compatibility.
   - Patch releases (indicated by incrementing the PATCH number)
     are intended for bug fixes and other improvements of existing
     features only (like improving performance or adding documentation)
     and retain API/ABI compatibility.

   *Richard Levitte*

 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.

   *Todd Short*

 * Remove the 'dist' target and add a tarball building script. The
   'dist' target has fallen out of use, and it shouldn't be
   necessary to configure just to create a source distribution.

   *Richard Levitte*

 * Recreate the OS390-Unix config target. It no longer relies on a
   special script like it did for OpenSSL pre-1.1.0.

   *Richard Levitte*

 * Instead of having the source directories listed in Configure, add
   a 'build.info' keyword SUBDIRS to indicate what sub-directories to
   look into.

   *Richard Levitte*

 * Add GMAC to EVP_MAC.

   *Paul Dale*

 * Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.

   *Richard Levitte*

 * Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
   implementations. This includes a generic EVP_PKEY to EVP_MAC bridge,
   to facilitate the continued use of MACs through raw private keys in
   functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.
   *Richard Levitte*

 * Deprecate ECDH_KDF_X9_62().

   *Antoine Salon*

 * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
   the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
   are retained for backwards compatibility.

   *Antoine Salon*

 * AES-XTS mode now enforces that its two keys are different to mitigate
   the attack described in "Efficient Instantiations of Tweakable
   Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
   Details of this attack can be obtained from:
   <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf>

   *Paul Dale*

 * Rename the object files, i.e. give them other names than in previous
   versions. Their names now include the name of the final product, as
   well as its type mnemonic (bin, lib, shlib).

   *Richard Levitte*

 * Added new option for 'openssl list', '-objects', which will display the
   list of built in objects, i.e. OIDs with names.

   *Richard Levitte*

 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
   allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
   be set explicitly.

   *Chris Novakovic*

 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
   improves application performance by removing data copies and providing
   applications with zero-copy system calls such as sendfile and splice.

   *Boris Pismenny*

 * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.

   *Martin Elshuber*

 * `PKCS12_parse` now maintains the order of the parsed certificates
   when outputting them via `*ca` (rather than reversing it).

   *David von Oheimb*

 * Deprecated pthread fork support methods.

   *Randall S. Becker*

 * Added support for FFDHE key exchange in TLS 1.3.
   *Raja Ashok*

 * Added a new concept for OpenSSL pluggability: providers. This
   functionality is designed to replace the ENGINE API and ENGINE
   implementations, and to be much more dynamic, allowing provider
   authors to introduce new algorithms among other things, as long as
   there's an API that supports the algorithm type.

   With this concept comes a new core API for interaction between
   libcrypto and provider implementations. Public libcrypto functions
   that want to use providers do so through this core API.

   The main documentation for this core API is found in
   doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
   refer to other manuals describing the API specific for supported
   algorithm types (also called operations).

   *The OpenSSL team*

OpenSSL 1.1.1
-------------

### Changes between 1.1.1m and 1.1.1n [xx XXX xxxx]

### Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

 * Avoid loading of a dynamic engine twice.

   *Bernd Edlinger*

 * Prioritise DANE TLSA issuer certs over peer certs

   *Viktor Dukhovni*

 * Fixed random API for MacOS prior to 10.12

   These MacOS versions don't support the CommonCrypto APIs

   *Lenny Primak*

### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

 * Fixed an SM2 Decryption Buffer Overflow.

   In order to decrypt SM2 encrypted data an application is expected to
   call the API function EVP_PKEY_decrypt(). Typically an application will
   call this function twice. The first time, on entry, the "out" parameter
   can be NULL and, on exit, the "outlen" parameter is populated with the
   buffer size required to hold the decrypted plaintext. The application
   can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
   again, but this time passing a non-NULL value for the "out" parameter.
   A bug in the implementation of the SM2 decryption code means that the
   calculation of the buffer size required to hold the plaintext returned
   by the first call to EVP_PKEY_decrypt() can be smaller than the actual
   size required by the second call. This can lead to a buffer overflow
   when EVP_PKEY_decrypt() is called by the application a second time with
   a buffer that is too small.

   A malicious attacker who is able to present SM2 content for decryption to
   an application could cause attacker chosen data to overflow the buffer
   by up to a maximum of 62 bytes altering the contents of other data held
   after the buffer, possibly changing application behaviour or causing
   the application to crash. The location of the buffer is application
   dependent but is typically heap allocated.
   ([CVE-2021-3711])

   *Matt Caswell*

 * Fixed various read buffer overruns processing ASN.1 strings

   ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
   structure which contains a buffer holding the string data and a field
   holding the buffer length. This contrasts with normal C strings which
   are represented as a buffer for the string data which is terminated
   with a NUL (0) byte.

   Although not a strict requirement, ASN.1 strings that are parsed using
   OpenSSL's own "d2i" functions (and other similar parsing functions) as
   well as any string whose value has been set with the ASN1_STRING_set()
   function will additionally NUL terminate the byte array in the
   ASN1_STRING structure.

   However, it is possible for applications to directly construct valid
   ASN1_STRING structures which do not NUL terminate the byte array by
   directly setting the "data" and "length" fields in the ASN1_STRING
   structure. This can also happen by using the ASN1_STRING_set0() function.
   Numerous OpenSSL functions that print ASN.1 data have been found to
   assume that the ASN1_STRING byte array will be NUL terminated, even
   though this is not guaranteed for strings that have been directly
   constructed. Where an application requests an ASN.1 structure to be
   printed, and where that ASN.1 structure contains ASN1_STRINGs that have
   been directly constructed by the application without NUL terminating
   the "data" field, then a read buffer overrun can occur.

   The same thing can also occur during name constraints processing
   of certificates (for example if a certificate has been directly
   constructed by the application instead of loading it via the OpenSSL
   parsing functions, and the certificate contains non NUL terminated
   ASN1_STRING structures). It can also occur in the X509_get1_email(),
   X509_REQ_get1_email() and X509_get1_ocsp() functions.

   If a malicious actor can cause an application to directly construct an
   ASN1_STRING and then process it through one of the affected OpenSSL
   functions then this issue could be hit. This might result in a crash
   (causing a Denial of Service attack). It could also result in the
   disclosure of private memory contents (such as private keys, or
   sensitive plaintext).
   ([CVE-2021-3712])

   *Matt Caswell*

### Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

 * Fixed a problem with verifying a certificate chain when using the
   X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of
   the certificates present in a certificate chain. It is not set by default.

   Starting from OpenSSL version 1.1.1h a check to disallow certificates in
   the chain that have explicitly encoded elliptic curve parameters was added
   as an additional strict check.
   An error in the implementation of this check meant that the result of a
   previous check to confirm that certificates in the chain are valid CA
   certificates was overwritten. This effectively bypasses the check
   that non-CA certificates must not be able to issue other certificates.

   If a "purpose" has been configured then there is a subsequent opportunity
   for checks that the certificate is a valid CA. All of the named "purpose"
   values implemented in libcrypto perform this check. Therefore, where
   a purpose is set the certificate chain will still be rejected even when the
   strict flag has been used. A purpose is set by default in libssl client and
   server certificate verification routines, but it can be overridden or
   removed by an application.

   In order to be affected, an application must explicitly set the
   X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
   for the certificate verification or, in the case of TLS client or server
   applications, override the default purpose.
   ([CVE-2021-3450])

   *Tomáš Mráz*

 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client. If a TLSv1.2
   renegotiation ClientHello omits the signature_algorithms extension (where it
   was present in the initial ClientHello), but includes a
   signature_algorithms_cert extension then a NULL pointer dereference will
   result, leading to a crash and a denial of service attack.

   A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
   (which is the default configuration). OpenSSL TLS clients are not impacted by
   this issue.
   ([CVE-2021-3449])

   *Peter Kästle and Samuel Sapalski*

### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

 * Fixed the X509_issuer_and_serial_hash() function. It attempts to
   create a unique hash value based on the issuer and serial number data
   contained within an X509 certificate. However, it was failing to correctly
   handle any errors that may occur while parsing the issuer field (which might
   occur if the issuer field is maliciously constructed). This may subsequently
   result in a NULL pointer deref and a crash leading to a potential denial of
   service attack.
   ([CVE-2021-23841])

   *Matt Caswell*

 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
   padding mode to correctly check for rollback attacks. This is considered a
   bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
   CVE-2021-23839.

   *Matt Caswell*

 * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
   functions. Previously they could overflow the output length argument in some
   cases where the input length is close to the maximum permissible length for
   an integer on the platform. In such cases the return value from the function
   call would be 1 (indicating success), but the output length value would be
   negative. This could cause applications to behave incorrectly or crash.
   ([CVE-2021-23840])

   *Matt Caswell*

 * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
   implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
   could be exploited in a side channel attack to recover the password. Since
   the attack is local host only this is outside of the current OpenSSL
   threat model and therefore no CVE is assigned.

   Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
   issue.

   *Matt Caswell*

### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]

 * Fixed NULL pointer deref in the GENERAL_NAME_cmp function.
   This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
   If an attacker can control both items being compared then this could lead
   to a possible denial of service attack. OpenSSL itself uses the
   GENERAL_NAME_cmp function for two purposes:
   1) Comparing CRL distribution point names between an available CRL and a
      CRL distribution point embedded in an X509 certificate
   2) When verifying that a timestamp response token signer matches the
      timestamp authority name (exposed via the API functions
      TS_RESP_verify_response and TS_RESP_verify_token)
   ([CVE-2020-1971])

   *Matt Caswell*

### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

 * Certificates with explicit curve parameters are now disallowed in
   verification chains if the X509_V_FLAG_X509_STRICT flag is used.

   *Tomáš Mráz*

 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
   conversely, silently ignore DTLS protocol version bounds when configuring
   TLS-based contexts. The commands can be repeated to set bounds of both
   types. The same applies with the corresponding "min_protocol" and
   "max_protocol" command-line switches, in case some application uses both TLS
   and DTLS.

   SSL_CTX instances that are created for a fixed protocol version (e.g.
   TLSv1_server_method()) also silently ignore version bounds. Previously
   attempts to apply bounds to these protocol versions would result in an
   error. Now only the "version-flexible" SSL_CTX instances are subject to
   limits in configuration files or command-line options.

   *Viktor Dukhovni*

 * Handshake now fails if Extended Master Secret extension is dropped
   on renegotiation.
3993 3994 *Tomáš Mráz* 3995 3996 * The Oracle Developer Studio compiler will start reporting deprecated APIs 3997 3998### Changes between 1.1.1f and 1.1.1g [21 Apr 2020] 3999 4000 * Fixed segmentation fault in SSL_check_chain() 4001 Server or client applications that call the SSL_check_chain() function 4002 during or after a TLS 1.3 handshake may crash due to a NULL pointer 4003 dereference as a result of incorrect handling of the 4004 "signature_algorithms_cert" TLS extension. The crash occurs if an invalid 4005 or unrecognised signature algorithm is received from the peer. This could 4006 be exploited by a malicious peer in a Denial of Service attack. 4007 ([CVE-2020-1967]) 4008 4009 *Benjamin Kaduk* 4010 4011 * Added AES consttime code for no-asm configurations 4012 an optional constant time support for AES was added 4013 when building openssl for no-asm. 4014 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME 4015 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME 4016 At this time this feature is by default disabled. 4017 It will be enabled by default in 3.0. 4018 4019 *Bernd Edlinger* 4020 4021### Changes between 1.1.1e and 1.1.1f [31 Mar 2020] 4022 4023 * Revert the change of EOF detection while reading in libssl to avoid 4024 regressions in applications depending on the current way of reporting 4025 the EOF. As the existing method is not fully accurate the change to 4026 reporting the EOF via SSL_ERROR_SSL is kept on the current development 4027 branch and will be present in the 3.0 release. 4028 4029 *Tomáš Mráz* 4030 4031 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1 4032 when primes for RSA keys are computed. 4033 Since we previously always generated primes == 2 (mod 3) for RSA keys, 4034 the 2-prime and 3-prime RSA modules were easy to distinguish, since 4035 N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore, fingerprinting 4036 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. 
4037 This avoids possible fingerprinting of newly generated RSA modules. 4038 4039 *Bernd Edlinger* 4040 4041### Changes between 1.1.1d and 1.1.1e [17 Mar 2020] 4042 4043 * Properly detect EOF while reading in libssl. Previously if we hit an EOF 4044 while reading in libssl then we would report an error back to the 4045 application (SSL_ERROR_SYSCALL) but errno would be 0. We now add 4046 an error to the stack (which means we instead return SSL_ERROR_SSL) and 4047 therefore give a hint as to what went wrong. 4048 4049 *Matt Caswell* 4050 4051 * Check that ed25519 and ed448 are allowed by the security level. Previously 4052 signature algorithms not using an MD were not being checked that they were 4053 allowed by the security level. 4054 4055 *Kurt Roeckx* 4056 4057 * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() 4058 was not quite right. The behaviour was not consistent between resumption 4059 and normal handshakes, and also not quite consistent with historical 4060 behaviour. The behaviour in various scenarios has been clarified and 4061 it has been updated to make it match historical behaviour as closely as 4062 possible. 4063 4064 *Matt Caswell* 4065 4066 * *[VMS only]* The header files that the VMS compilers include automatically, 4067 `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas 4068 that the C++ compiler doesn't understand. This is a shortcoming in the 4069 compiler, but can be worked around with `__cplusplus` guards. 4070 4071 C++ applications that use OpenSSL libraries must be compiled using the 4072 qualifier `/NAMES=(AS_IS,SHORTENED)` to be able to use all the OpenSSL 4073 functions. Otherwise, only functions with symbols of less than 31 4074 characters can be used, as the linker will not be able to successfully 4075 resolve symbols with longer names. 4076 4077 *Richard Levitte* 4078 4079 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. 
   The presence of this system service is determined at run-time.

   *Richard Levitte*

 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
   the first value.

   *Jon Spillett*

### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]

 * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
   number generator (RNG). This was intended to include protection in the
   event of a fork() system call in order to ensure that the parent and child
   processes did not share the same RNG state. However, this protection was not
   being used in the default case.

   A partial mitigation for this issue is that the output from a high
   precision timer is mixed into the RNG state, so the likelihood of a parent
   and child process sharing state is significantly reduced.

   If an application already calls OPENSSL_init_crypto() explicitly using
   OPENSSL_INIT_ATFORK then this problem does not occur at all.
   ([CVE-2019-1549])

   *Matthias St. Pierre*

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext. If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a workaround for this potential attack, the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.
   ([CVE-2019-1563])

   *Bernd Edlinger*

 * Early start up entropy quality from the DEVRANDOM seed source has been
   improved for older Linux systems. The RAND subsystem will wait for
   /dev/random to be producing output before seeding from /dev/urandom.
   The seeded state is stored for future library initialisations using
   a system global shared memory segment. The shared memory identifier
   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
   the desired value. The default identifier is 114.

   *Paul Dale*

 * Correct the extended master secret constant on EBCDIC systems. Without this
   fix, TLS connections between an EBCDIC system and a non-EBCDIC system that
   negotiate EMS will fail. Unfortunately this also means that TLS connections
   between EBCDIC systems with this fix, and EBCDIC systems without this
   fix, will fail if they negotiate EMS.

   *Matt Caswell*

 * Use Windows installation paths in the mingw builds

   Mingw isn't a POSIX environment per se, which means that Windows
   paths should be used for installation.
   ([CVE-2019-1552])

   *Richard Levitte*

 * Changed DH_check to accept parameters with order q and 2q subgroups.
   With order 2q subgroups, bit 0 of the private key is not secret,
   but DH_generate_key works around that by clearing bit 0 of the
   private key for those. This avoids leaking bit 0 of the private key.

   *Bernd Edlinger*

 * Significantly reduce secure memory usage by the randomness pools.

   *Paul Dale*

 * Revert the DEVRANDOM_WAIT feature for Linux systems

   The DEVRANDOM_WAIT feature added a select() call to wait for the
   /dev/random device to become readable before reading from the
   /dev/urandom device.

   It turned out that this change had negative side effects on
   performance which were not acceptable. After some discussion it
   was decided to revert this feature and leave it up to the OS
   or the platform maintainer to ensure a proper initialization
   during early boot time.

   *Matthias St. Pierre*

### Changes between 1.1.1b and 1.1.1c [28 May 2019]

 * Add build tests for C++. These are generated files that only do one
   thing, to include one public OpenSSL header file each. This tests that
   the public header files can be usefully included in a C++ application.

   This test isn't enabled by default. It can be enabled with the option
   'enable-buildtest-c++'.

   *Richard Levitte*

 * Enable SHA3 pre-hashing for ECDSA and DSA.

   *Patrick Steuer*

 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
   This changes the size when using the `genpkey` command when no size is given.
   It fixes an omission in earlier changes that changed all RSA, DSA and DH
   generation commands to use 2048 bits by default.

   *Kurt Roeckx*

 * Reorganize the manual pages to consistently have RETURN VALUES,
   EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
   util/fix-doc-nits accordingly.

   *Paul Yang, Joshua Lock*

 * Add the missing accessor EVP_PKEY_get0_engine()

   *Matt Caswell*

 * Have commands like `s_client` and `s_server` output the signature scheme
   along with other cipher suite parameters when debugging.

   *Lorinczy Zsigmond*

 * Make OPENSSL_config() error agnostic again.

   *Richard Levitte*

 * Do the error handling in RSA decryption constant time.

   *Bernd Edlinger*

 * Prevent over long nonces in ChaCha20-Poly1305.

   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
   for every encryption operation. RFC 7539 specifies that the nonce value
   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
   and front pads the nonce with 0 bytes if it is less than 12
   bytes. However, it also incorrectly allows a nonce of up to 16 bytes to be
   set. In this case only the last 12 bytes are significant and any
   additional leading bytes are ignored.

   It is a requirement of using this cipher that nonce values are
   unique. Messages encrypted using a reused nonce value are susceptible to
   serious confidentiality and integrity attacks. If an application changes
   the default nonce length to be longer than 12 bytes and then makes a
   change to the leading bytes of the nonce, expecting the new value to be a
   new unique nonce, then such an application could inadvertently encrypt
   messages with a reused nonce.

   Additionally, the ignored bytes in a long nonce are not covered by the
   integrity guarantee of this cipher.
   Any application that relies on the
   integrity of these ignored leading bytes of a long nonce may be further
   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
   is safe because no such use sets such a long nonce value. However, user
   applications that use this cipher directly and set a non-default nonce
   length to be longer than 12 bytes may be vulnerable.

   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
   Greef of Ronomon.
   ([CVE-2019-1543])

   *Matt Caswell*

 * Add DEVRANDOM_WAIT feature for Linux systems

   On older Linux systems where the getrandom() system call is not available,
   OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
   Contrary to getrandom(), the /dev/urandom device will not block during
   early boot when the kernel CSPRNG has not been seeded yet.

   To mitigate this known weakness, use select() to wait for /dev/random to
   become readable before reading from /dev/urandom.

 * Ensure that SM2 only uses SM3 as digest algorithm

   *Paul Yang*

### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]

 * Change the info callback signals for the start and end of a post-handshake
   message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
   and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
   confused by this and assume that a TLSv1.2 renegotiation has started. This
   can break KeyUpdate handling. Instead, we no longer signal the start and end
   of a post handshake message exchange (although the messages themselves are
   still signalled). This could break some applications that were expecting
   the old signals. However, without this KeyUpdate is not usable for many
   applications.

   *Matt Caswell*

### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]

 * Timing vulnerability in DSA signature generation

   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use variations in the signing
   algorithm to recover the private key.

   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
   ([CVE-2018-0734])

   *Paul Dale*

 * Timing vulnerability in ECDSA signature generation

   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use variations in the signing
   algorithm to recover the private key.

   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
   ([CVE-2018-0735])

   *Paul Dale*

 * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
   if its length exceeds 4096 bytes. The limit has been raised to a buffer size
   of two gigabytes and the error handling improved.

   This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
   categorized as a normal bug, not a security issue, because the DRBG reseeds
   automatically and is fully functional even without additional randomness
   provided by the application.

### Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

 * Add a new ClientHello callback. Provides a callback interface that gives
   the application the ability to adjust the nascent SSL object at the
   earliest stage of ClientHello processing, immediately after extensions have
   been collected but before they have been processed. In particular, this
   callback can adjust the supported TLS versions in response to the contents
   of the ClientHello.

   *Benjamin Kaduk*

 * Add SM2 base algorithm support.

   *Jack Lloyd*

 * s390x assembly pack: add (improved) hardware support for the following
   cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
   aes-cfb/cfb8, aes-ecb.

   *Patrick Steuer*

 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
   parameter is no longer accepted, as it leads to a corrupt table. NULL
   pem_str is reserved for alias entries only.

   *Richard Levitte*

 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
   step for prime curves. The new implementation is based on formulae from
   differential addition-and-doubling in homogeneous projective coordinates
   from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
   against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
   and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
   to work in projective coordinates.

   *Billy Bob Brumley, Nicola Tuveri*

 * Change generating and checking of primes so that the error rate of not
   being prime depends on the intended use based on the size of the input.
   For larger primes this will result in more rounds of Miller-Rabin.
   The maximal error rate for primes with more than 1080 bits is lowered
   to 2^-128.

   *Kurt Roeckx, Annie Yousar*

 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.

   *Kurt Roeckx*

 * The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
   moving between systems, and to avoid confusion when a Windows build is
   done with mingw vs with MSVC. For POSIX installs, there's still a
   symlink or copy named 'tsget' to avoid that confusion as well.

   *Richard Levitte*

 * Revert blinding in ECDSA sign and instead make the problematic addition
   length-invariant. Also switch to fixed-length Montgomery multiplication.

   *Andy Polyakov*

 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
   step for binary curves. The new implementation is based on formulae from
   differential addition-and-doubling in mixed Lopez-Dahab projective
   coordinates, modified to independently blind the operands.

   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*

 * Add a scaffold to optionally enhance the Montgomery ladder implementation
   for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
   EC_METHODs to implement their own specialized "ladder step", to take
   advantage of more favorable coordinate systems or more efficient
   differential addition-and-doubling algorithms.

   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*

 * Modified the random device based seed sources to keep the relevant
   file descriptors open rather than reopening them on each access.
   This allows such sources to operate in a chroot() jail without
   the associated device nodes being available. This behaviour can be
   controlled using RAND_keep_random_devices_open().

   *Paul Dale*

 * Numerous side-channel attack mitigations have been applied. This may have
   performance impacts for some algorithms for the benefit of improved
   security. Specific changes are noted in this change log by their respective
   authors.

   *Matt Caswell*

 * AIX shared library support overhaul. Switch to the AIX "natural" way of
   handling shared libraries, which means collecting shared objects of
   different versions and bitnesses in one common archive. This makes it
   possible to mitigate conflicts between 1.0 and 1.1 side-by-side
   installations. It doesn't affect the way 3rd party applications are
   linked, only how multi-version installation is managed.

   *Andy Polyakov*

 * Make ec_group_do_inverse_ord() more robust and available to other
   EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
   mitigations are applied to the fallback BN_mod_inverse().
   When using this function rather than BN_mod_inverse() directly, new
   EC cryptosystem implementations are then safer-by-default.

   *Billy Bob Brumley*

 * Add coordinate blinding for EC_POINT and implement projective
   coordinate blinding for generic prime curves as a countermeasure to
   chosen point SCA attacks.

   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*

 * Add blinding to ECDSA and DSA signatures to protect against side channel
   attacks discovered by Keegan Ryan (NCC Group).

   *Matt Caswell*

 * Enforce checking in the `pkeyutl` command to ensure that the input
   length does not exceed the maximum supported digest length when performing
   a sign, verify or verifyrecover operation.

   *Matt Caswell*

 * SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
   I/O in combination with something like select() or poll() will hang. This
   can be turned off again using SSL_CTX_clear_mode().
   Many applications do not properly handle non-application data records, and
   TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
   around the problems in those applications, but can also break some.
   It's recommended to read the manpages about SSL_read(), SSL_write(),
   SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
   SSL_CTX_set_read_ahead() again.

   *Kurt Roeckx*

 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
   now allow empty (zero character) pass phrases.

   *Richard Levitte*

 * Apply blinding to binary field modular inversion and remove the patent
   pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.

   *Billy Bob Brumley*

 * Deprecate ec2_mult.c and unify scalar multiplication code paths for
   binary and prime elliptic curves.

   *Billy Bob Brumley*

 * Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
   constant time fixed point multiplication.

   *Billy Bob Brumley*

 * Revise elliptic curve scalar multiplication with timing attack
   defenses: ec_wNAF_mul redirects to a constant time implementation
   when computing fixed point and variable point multiplication (which
   in OpenSSL are mostly used with secret scalars in keygen, sign,
   ECDH derive operations).

   *Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
   Sohaib ul Hassan*

 * Updated CONTRIBUTING

   *Rich Salz*

 * Updated DRBG / RAND to request nonce and additional low entropy
   randomness from the system.

   *Matthias St. Pierre*

 * Updated 'openssl rehash' to use OpenSSL consistent default.

   *Richard Levitte*

 * Moved the load of the ssl_conf module to libcrypto, which helps
   loading engines that libssl uses before libssl is initialised.

   *Matt Caswell*

 * Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA

   *Matt Caswell*

 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.

   *Ingo Schwarze, Rich Salz*

 * Added output of accepting IP address and port for 'openssl s_server'

   *Richard Levitte*

 * Added a new API for TLSv1.3 ciphersuites:
   SSL_CTX_set_ciphersuites()
   SSL_set_ciphersuites()

   *Matt Caswell*

 * Memory allocation failures consistently add an error to the error
   stack.

   *Rich Salz*

 * Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
   in libcrypto when run as setuid/setgid.

   *Bernd Edlinger*

 * Load any config file by default when libssl is used.

   *Matt Caswell*

 * Added new public header file <openssl/rand_drbg.h> and documentation
   for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.

   *Matthias St. Pierre*

 * QNX support removed (cannot find contributors to get their approval
   for the license change).

   *Rich Salz*

 * TLSv1.3 replay protection for early data has been implemented. See the
   SSL_read_early_data() man page for further details.

   *Matt Caswell*

 * Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
   configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
   below. Similarly, TLSv1.2 ciphersuites are not compatible with TLSv1.3.
   In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
   would otherwise inadvertently disable all TLSv1.3 ciphersuites, the
   configuration has been separated out. See the ciphers man page or the
   SSL_CTX_set_ciphersuites() man page for more information.

   *Matt Caswell*

 * On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
   in responder mode now supports the new "-multi" option, which
   spawns the specified number of child processes to handle OCSP
   requests. The "-timeout" option now also limits the OCSP
   responder's patience to wait to receive the full client request
   on a newly accepted connection. Child processes are respawned
   as needed, and the CA index file is automatically reloaded
   when changed. This makes it possible to run the "ocsp" responder
   as a long-running service, making the OpenSSL CA somewhat more
   feature-complete. In this mode, most diagnostic messages logged
   after entering the event loop are logged via syslog(3) rather than
   written to stderr.

   *Viktor Dukhovni*

 * Added support for X448 and Ed448. Heavily based on original work by
   Mike Hamburg.

   *Matt Caswell*

 * Extend OSSL_STORE with capabilities to search and to narrow the set of
   objects loaded. This adds the functions OSSL_STORE_expect() and
   OSSL_STORE_find() as well as needed tools to construct searches and
   get the search data out of them.

   *Richard Levitte*

 * Support for TLSv1.3 added. Note that users upgrading from an earlier
   version of OpenSSL should review their configuration settings to ensure
   that they are still appropriate for TLSv1.3. For further information see:
   <https://github.com/openssl/openssl/wiki/TLS1.3>

   *Matt Caswell*

 * Grand redesign of the OpenSSL random generator

   The default RAND method now utilizes an AES-CTR DRBG according to
   NIST standard SP 800-90Ar1. The new random generator is essentially
   a port of the default random generator from the OpenSSL FIPS 2.0
   object module. It is a hybrid deterministic random bit generator
   using an AES-CTR bit stream and which seeds and reseeds itself
   automatically using trusted system entropy sources.

   Some of its new features are:
   - Support for multiple DRBG instances with seed chaining.
   - The default RAND method makes use of a DRBG.
   - There is a public and private DRBG instance.
   - The DRBG instances are fork-safe.
   - Keep all global DRBG instances on the secure heap if it is enabled.
   - The public and private DRBG instances are per thread for lock-free
     operation.

   *Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre*

 * Changed Configure so it only says what it does and doesn't dump
   so much data. Instead, ./configdata.pm should be used as a script
   to display all sorts of configuration data.

   *Richard Levitte*

 * Added processing of "make variables" to Configure.

   *Richard Levitte*

 * Added SHA512/224 and SHA512/256 algorithm support.

   *Paul Dale*

 * The last traces of Netware support, first removed in 1.1.0, have
   now been removed.

   *Rich Salz*

 * Get rid of Makefile.shared, and in the process, make the processing
   of certain files (rc.obj, or the .def/.map/.opt files produced from
   the ordinal files) more visible and hopefully easier to trace and
   debug (or make silent).

   *Richard Levitte*

 * Make it possible to have environment variable assignments as
   arguments to config / Configure.

   *Richard Levitte*

 * Add multi-prime RSA (RFC 8017) support.

   *Paul Yang*

 * Add SM3 implemented according to GB/T 32905-2016

   *Jack Lloyd <jack.lloyd@ribose.com>,*
   *Ronald Tse <ronald.tse@ribose.com>,*
   *Erick Borsboom <erick.borsboom@ribose.com>*

 * Add 'Maximum Fragment Length' TLS extension negotiation and support
   as documented in RFC6066.
   Based on a patch from Tomasz Moń

   *Filipe Raimundo da Silva*

 * Add SM4 implemented according to GB/T 32907-2016.

   *Jack Lloyd <jack.lloyd@ribose.com>,*
   *Ronald Tse <ronald.tse@ribose.com>,*
   *Erick Borsboom <erick.borsboom@ribose.com>*

 * Reimplement -newreq-nodes and ERR_error_string_n; the
   original author does not agree with the license change.

   *Rich Salz*

 * Add ARIA AEAD TLS support.

   *Jon Spillett*

 * Some macro definitions to support VS6 have been removed. Visual
   Studio 6 has not worked since 1.1.0.

   *Rich Salz*

 * Add ERR_clear_last_mark(), to allow callers to clear the last mark
   without clearing the errors.

   *Richard Levitte*

 * Add "atfork" functions. If building on a system without
   pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
   requirements. The RAND facility now uses/requires this.

   *Rich Salz*

 * Add SHA3.

   *Andy Polyakov*

 * The UI API becomes a permanent and integral part of libcrypto, i.e.
   not possible to disable entirely. However, it's still possible to
   disable the console reading UI method, UI_OpenSSL() (use UI_null()
   as a fallback).

   To disable, configure with 'no-ui-console'. 'no-ui' is still
   possible to use as an alias. Check at compile time with the
   macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still
   possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.

   *Richard Levitte*

 * Add a STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other
   objects. The main API is loosely based on a few stdio functions,
   and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
   OSSL_STORE_error and OSSL_STORE_close.
   The implementation uses backends called "loaders" to implement arbitrary
   URI schemes. There is one built-in "loader" for the 'file' scheme.

   *Richard Levitte*

 * Add devcrypto engine. This has been implemented against cryptodev-linux,
   then adjusted to work on FreeBSD 8.4 as well.
   Enable by configuring with 'enable-devcryptoeng'. This is done by default
   on BSD implementations, as cryptodev.h is assumed to exist on all of them.

   *Richard Levitte*

 * Module names can be prefixed with OSSL_ or OPENSSL_. This affects
   util/mkerr.pl, which is adapted to allow those prefixes, leading to
   error code calls like this:

           OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);

   With this change, we claim the namespaces OSSL and OPENSSL in a manner
   that can be encoded in C. For the foreseeable future, this will only
   affect new modules.

   *Richard Levitte and Tim Hudson*

 * Removed BSD cryptodev engine.

   *Rich Salz*

 * Add a build target 'build_all_generated', to build all generated files
   and only that. This can be used to prepare everything that requires
   things like perl for a system that lacks perl and then move everything
   to that system and do the rest of the build there.

   *Richard Levitte*

 * In the UI interface, make it possible to duplicate the user data. This
   can be used by engines that need to retain the data for a longer time
   than just the call where this user data is passed.

   *Richard Levitte*

 * Ignore the '-named_curve auto' value for compatibility of applications
   with OpenSSL 1.0.2.

   *Tomáš Mráz <tmraz@fedoraproject.org>*

 * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
   bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
   alerts across multiple records (some of which could be empty). In practice
   it makes no sense to send an empty alert record, or to fragment one. TLSv1.3
   prohibits this altogether and other libraries (BoringSSL, NSS) do not
   support this at all. Supporting it adds significant complexity to the
   record layer, and its removal is unlikely to cause interoperability
   issues.

   *Matt Caswell*

 * Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
   with Z. These are meant to replace LONG and ZLONG and to be size safe.
   The use of LONG and ZLONG is discouraged and scheduled for deprecation
   in OpenSSL 1.2.0.

   *Richard Levitte*

 * Add the 'z' and 'j' modifiers to BIO_printf() et al formatting strings;
   'z' is to be used with [s]size_t, and 'j' with [u]int64_t.

   *Richard Levitte, Andy Polyakov*

 * Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
   does for RSA, etc.

   *Richard Levitte*

 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
   platform rather than 'mingw'.

   *Richard Levitte*

 * The functions X509_STORE_add_cert and X509_STORE_add_crl return
   success if they are asked to add an object which already exists
   in the store. This change cascades to other functions which load
   certificates and CRLs.

   *Paul Dale*

 * x86_64 assembly pack: annotate code with DWARF CFI directives to
   facilitate stack unwinding even from assembly subroutines.

   *Andy Polyakov*

 * Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
   Also remove OPENSSL_GLOBAL entirely, as it became a no-op.

   *Richard Levitte*

 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
   which is the minimum version we support.

   *Richard Levitte*

 * Certificate time validation (X509_cmp_time) enforces stricter
   compliance with RFC 5280. Fractional seconds and timezone offsets
   are no longer allowed.

   *Emilia Käsper*

 * Add support for ARIA

   *Paul Dale*

 * s_client will now send the Server Name Indication (SNI) extension by
   default unless the new "-noservername" option is used. The server name is
   based on the host provided to the "-connect" option unless overridden by
   using "-servername".

   *Matt Caswell*

 * Add support for SipHash

   *Todd Short*

 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
   prevent issues where no progress is being made and the peer continually
   sends unrecognised record types, using up resources processing them.

   *Matt Caswell*

 * 'openssl passwd' can now produce SHA256 and SHA512 based output,
   using the algorithm defined in
   <https://www.akkadia.org/drepper/SHA-crypt.txt>

   *Richard Levitte*

 * Heartbeat support has been removed; the ABI is changed for now.

   *Richard Levitte, Rich Salz*

 * Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.

   *Emilia Käsper*

 * The RSA "null" method, which was partially supported to avoid patent
   issues, has been replaced so that it always returns NULL.

   *Rich Salz*

OpenSSL 1.1.0
-------------

### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext.
If the second 4900 recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct 4901 encryption key will be replaced by garbage, and the message cannot be 4902 decoded, but if the RSA decryption fails, the correct encryption key is 4903 used and the recipient will not notice the attack. 4904 As a work around for this potential attack the length of the decrypted 4905 key must be equal to the cipher default key length, in case the 4906 certificate is not given and all recipientInfo are tried out. 4907 The old behaviour can be re-enabled in the CMS code by setting the 4908 CMS_DEBUG_DECRYPT flag. 4909 ([CVE-2019-1563]) 4910 4911 *Bernd Edlinger* 4912 4913 * Use Windows installation paths in the mingw builds 4914 4915 Mingw isn't a POSIX environment per se, which means that Windows 4916 paths should be used for installation. 4917 ([CVE-2019-1552]) 4918 4919 *Richard Levitte* 4920 4921### Changes between 1.1.0j and 1.1.0k [28 May 2019] 4922 4923 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. 4924 This changes the size when using the `genpkey` command when no size is given. 4925 It fixes an omission in earlier changes that changed all RSA, DSA and DH 4926 generation commands to use 2048 bits by default. 4927 4928 *Kurt Roeckx* 4929 4930 * Prevent over long nonces in ChaCha20-Poly1305. 4931 4932 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input 4933 for every encryption operation. RFC 7539 specifies that the nonce value 4934 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length 4935 and front pads the nonce with 0 bytes if it is less than 12 4936 bytes. However it also incorrectly allows a nonce to be set of up to 16 4937 bytes. In this case only the last 12 bytes are significant and any 4938 additional leading bytes are ignored. 4939 4940 It is a requirement of using this cipher that nonce values are 4941 unique. 
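The nonce handling described in this entry, as an added C model that is not OpenSSL's own code: `legacy_effective_iv()` reproduces the pre-fix rule (a short nonce is front-padded with zero bytes and only the last 12 bytes of a 13- to 16-byte nonce count), `legacy_nonces_collide()` uses it to show two nonces an application considers distinct mapping to one IV, and `strict_effective_iv()` applies the post-fix rule of refusing anything longer than 12 bytes. The function names and the 16-byte legacy limit as a constant are this example's own.

```c
#include <stddef.h>
#include <string.h>

#define CHACHA20_POLY1305_IVLEN 12   /* RFC 7539 nonce size, in bytes */
#define LEGACY_MAX_IVLEN        16   /* longest nonce the pre-fix code accepted */

/*
 * Pre-fix behaviour as the changelog entry describes it (a model, not
 * OpenSSL's code): a nonce shorter than 12 bytes is front-padded with zero
 * bytes; one between 13 and 16 bytes keeps only its last 12 bytes, so the
 * leading bytes are silently ignored. Returns 0 on success, -1 if the
 * nonce is longer than the 16 bytes the old code accepted.
 */
int legacy_effective_iv(const unsigned char *nonce, size_t len,
                        unsigned char iv[CHACHA20_POLY1305_IVLEN])
{
    if (nonce == NULL || len > LEGACY_MAX_IVLEN)
        return -1;
    memset(iv, 0, CHACHA20_POLY1305_IVLEN);
    if (len <= CHACHA20_POLY1305_IVLEN) {
        /* front-pad: the nonce occupies the trailing bytes of the IV */
        memcpy(iv + (CHACHA20_POLY1305_IVLEN - len), nonce, len);
    } else {
        /* over-long nonce: only the last 12 bytes are significant */
        memcpy(iv, nonce + (len - CHACHA20_POLY1305_IVLEN),
               CHACHA20_POLY1305_IVLEN);
    }
    return 0;
}

/*
 * Post-fix rule: a nonce longer than 12 bytes is refused outright, so every
 * byte the caller supplies is significant and covered by the AEAD tag.
 * Returns 0 on success, -1 if the nonce is too long.
 */
int strict_effective_iv(const unsigned char *nonce, size_t len,
                        unsigned char iv[CHACHA20_POLY1305_IVLEN])
{
    if (nonce == NULL || len > CHACHA20_POLY1305_IVLEN)
        return -1;
    memset(iv, 0, CHACHA20_POLY1305_IVLEN);
    memcpy(iv + (CHACHA20_POLY1305_IVLEN - len), nonce, len);
    return 0;
}

/*
 * Audit helper: 1 if two nonces that an application believes are distinct
 * would have been used as the same IV under the pre-fix rule (a nonce reuse
 * the application could not see), 0 if they differ, -1 on bad input.
 */
int legacy_nonces_collide(const unsigned char *a, size_t alen,
                          const unsigned char *b, size_t blen)
{
    unsigned char iva[CHACHA20_POLY1305_IVLEN];
    unsigned char ivb[CHACHA20_POLY1305_IVLEN];

    if (legacy_effective_iv(a, alen, iva) != 0
        || legacy_effective_iv(b, blen, ivb) != 0)
        return -1;
    return memcmp(iva, ivb, CHACHA20_POLY1305_IVLEN) == 0;
}
```

An application that sets a non-default IV length can pass its generated nonces through `strict_effective_iv()` to confirm none exceeds 12 bytes before relying on the fixed library.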
   Messages encrypted using a reused nonce value are susceptible to
   serious confidentiality and integrity attacks. If an application changes
   the default nonce length to be longer than 12 bytes and then makes a
   change to the leading bytes of the nonce expecting the new value to be a
   new unique nonce then such an application could inadvertently encrypt
   messages with a reused nonce.

   Additionally the ignored bytes in a long nonce are not covered by the
   integrity guarantee of this cipher. Any application that relies on the
   integrity of these ignored leading bytes of a long nonce may be further
   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
   is safe because no such use sets such a long nonce value. However user
   applications that use this cipher directly and set a non-default nonce
   length to be longer than 12 bytes may be vulnerable.

   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
   Greef of Ronomon.
   ([CVE-2019-1543])

   *Matt Caswell*

 * Added SCA hardening for modular field inversion in EC_GROUP through
   a new dedicated field_inv() pointer in EC_METHOD.
   This also addresses a leakage affecting conversions from projective
   to affine coordinates.

   *Billy Bob Brumley, Nicola Tuveri*

 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
   reused X509_PUBKEY object if the second PUBKEY is malformed.

   *Bernd Edlinger*

 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().

   *Richard Levitte*

 * Remove the 'dist' target and add a tarball building script. The
   'dist' target has fallen out of use, and it shouldn't be
   necessary to configure just to create a source distribution.

   *Richard Levitte*

### Changes between 1.1.0i and 1.1.0j [20 Nov 2018]

 * Timing vulnerability in DSA signature generation

   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use variations in the signing
   algorithm to recover the private key.

   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
   ([CVE-2018-0734])

   *Paul Dale*

 * Timing vulnerability in ECDSA signature generation

   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use variations in the signing
   algorithm to recover the private key.

   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
   ([CVE-2018-0735])

   *Paul Dale*

 * Add coordinate blinding for EC_POINT and implement projective
   coordinate blinding for generic prime curves as a countermeasure to
   chosen point SCA attacks.

   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*

### Changes between 1.1.0h and 1.1.0i [14 Aug 2018]

 * Client DoS due to large DH parameter

   During key agreement in a TLS handshake using a DH(E) based ciphersuite a
   malicious server can send a very large prime value to the client. This will
   cause the client to spend an unreasonably long period of time generating a
   key for this prime resulting in a hang until the client has finished. This
   could be exploited in a Denial Of Service attack.

   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
   ([CVE-2018-0732])

   *Guido Vranken*

 * Cache timing vulnerability in RSA Key Generation

   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
   a cache timing side channel attack. An attacker with sufficient access to
   mount cache timing attacks during the RSA key generation process could
   recover the private key.

   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
   ([CVE-2018-0737])

   *Billy Brumley*

 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
   parameter is no longer accepted, as it leads to a corrupt table. NULL
   pem_str is reserved for alias entries only.

   *Richard Levitte*

 * Revert blinding in ECDSA sign and instead make problematic addition
   length-invariant. Switch even to fixed-length Montgomery multiplication.

   *Andy Polyakov*

 * Change generating and checking of primes so that the error rate of not
   being prime depends on the intended use based on the size of the input.
   For larger primes this will result in more rounds of Miller-Rabin.
   The maximal error rate for primes with more than 1080 bits is lowered
   to 2^-128.

   *Kurt Roeckx, Annie Yousar*

 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.

   *Kurt Roeckx*

 * Add blinding to ECDSA and DSA signatures to protect against side channel
   attacks discovered by Keegan Ryan (NCC Group).

   *Matt Caswell*

 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
   now allow empty (zero character) pass phrases.

   *Richard Levitte*

 * Certificate time validation (X509_cmp_time) enforces stricter
   compliance with RFC 5280. Fractional seconds and timezone offsets
   are no longer allowed.

   *Emilia Käsper*

 * Fixed a text canonicalisation bug in CMS

   Where a CMS detached signature is used with text content the text goes
   through a canonicalisation process first prior to signing or verifying a
   signature.
   This process strips trailing space at the end of lines, converts
   line terminators to CRLF and removes additional trailing line terminators
   at the end of a file. A bug in the canonicalisation process meant that
   some characters, such as form-feed, were incorrectly treated as whitespace
   and removed. This is contrary to the specification (RFC5485). This fix
   could mean that detached text data signed with an earlier version of
   OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
   signed with a fixed OpenSSL may fail to verify with an earlier version of
   OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
   and use the "-binary" flag (for the "cms" command line application) or set
   the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).

   *Matt Caswell*

### Changes between 1.1.0g and 1.1.0h [27 Mar 2018]

 * Constructed ASN.1 types with a recursive definition could exceed the stack

   Constructed ASN.1 types with a recursive definition (such as can be found
   in PKCS7) could eventually exceed the stack given malicious input with
   excessive recursion. This could result in a Denial Of Service attack. There
   are no such structures used within SSL/TLS that come from untrusted sources
   so this is considered safe.

   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
   project.
   ([CVE-2018-0739])

   *Matt Caswell*

 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC

   Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
   effectively reduced to only comparing the least significant bit of each
   byte. This allows an attacker to forge messages that would be considered as
   authenticated in an amount of tries lower than that guaranteed by the
   security claims of the scheme. The module can only be compiled by the
   HP-UX assembler, so that only HP-UX PA-RISC targets are affected.

   This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
   (IBM).
   ([CVE-2018-0733])

   *Andy Polyakov*

 * Add a build target 'build_all_generated', to build all generated files
   and only that. This can be used to prepare everything that requires
   things like perl for a system that lacks perl and then move everything
   to that system and do the rest of the build there.

   *Richard Levitte*

 * Backport SSL_OP_NO_RENEGOTIATION

   OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
   (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
   changes this is no longer possible in 1.1.0. Therefore, the new
   SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
   1.1.0 to provide equivalent functionality.

   Note that if an application built against 1.1.0h headers (or above) is run
   using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
   accepted but nothing will happen, i.e. renegotiation will not be prevented.

   *Matt Caswell*

 * Removed the OS390-Unix config target. It relied on a script that doesn't
   exist.

   *Rich Salz*

 * rsaz_1024_mul_avx2 overflow bug on x86_64

   There is an overflow bug in the AVX2 Montgomery multiplication procedure
   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
   Analysis suggests that attacks against RSA and DSA as a result of this
   defect would be very difficult to perform and are not believed likely.
   Attacks against DH1024 are considered just feasible, because most of the
   work necessary to deduce information about a private key may be performed
   offline. The amount of resources required for such an attack would be
   significant. However, for an attack on TLS to be meaningful, the server
   would have to share the DH1024 private key among multiple clients, which is
   no longer an option since CVE-2016-0701.

   This only affects processors that support the AVX2 but not ADX extensions
   like Intel Haswell (4th generation).

   This issue was reported to OpenSSL by David Benjamin (Google). The issue
   was originally found via the OSS-Fuzz project.
   ([CVE-2017-3738])

   *Andy Polyakov*

### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]

 * bn_sqrx8x_internal carry bug on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients.

   This only affects processors that support the BMI1, BMI2 and ADX extensions
   like Intel Broadwell (5th generation) and later or AMD Ryzen.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3736])

   *Andy Polyakov*

 * Malformed X.509 IPAddressFamily could cause OOB read

   If an X.509 certificate has a malformed IPAddressFamily extension,
   OpenSSL could do a one-byte buffer overread. The most likely result
   would be an erroneous display of the certificate in text format.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3735])

   *Rich Salz*

### Changes between 1.1.0e and 1.1.0f [25 May 2017]

 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
   platform rather than 'mingw'.

   *Richard Levitte*

 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
   which is the minimum version we support.

   *Richard Levitte*

### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]

 * Encrypt-Then-Mac renegotiation crash

   During a renegotiation handshake if the Encrypt-Then-Mac extension is
   negotiated where it was not in the original handshake (or vice-versa) then
   this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
   and servers are affected.

   This issue was reported to OpenSSL by Joe Orton (Red Hat).
   ([CVE-2017-3733])

   *Matt Caswell*

### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]

 * Truncated packet could crash via OOB read

   If one side of an SSL/TLS path is running on a 32-bit host and a specific
   cipher is being used, then a truncated packet can cause that host to
   perform an out-of-bounds read, usually resulting in a crash.

   This issue was reported to OpenSSL by Robert Święcki of Google.
   ([CVE-2017-3731])

   *Andy Polyakov*

 * Bad (EC)DHE parameters cause a client crash

   If a malicious server supplies bad parameters for a DHE or ECDHE key
   exchange then this can result in the client attempting to dereference a
   NULL pointer leading to a client crash. This could be exploited in a Denial
   of Service attack.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2017-3730])

   *Matt Caswell*

 * BN_mod_exp may produce incorrect results on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients. For example this can occur by
   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
   similar to CVE-2015-3193 but must be treated as a separate problem.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3732])

   *Andy Polyakov*

### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]

 * ChaCha20/Poly1305 heap-buffer-overflow

   TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
   a DoS attack by corrupting larger payloads. This can result in an OpenSSL
   crash. This issue is not considered to be exploitable beyond a DoS.

   This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
   ([CVE-2016-7054])

   *Richard Levitte*

 * CMS Null dereference

   Applications parsing invalid CMS structures can crash with a NULL pointer
   dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
   type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
   structure callback if an attempt is made to free certain invalid encodings.
   Only CHOICE structures using a callback which do not handle NULL value are
   affected.

   This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
   ([CVE-2016-7053])

   *Stephen Henson*

 * Montgomery multiplication may produce incorrect results

   There is a carry propagating bug in the Broadwell-specific Montgomery
   multiplication procedure that handles input lengths divisible by, but
   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
   and DH private keys are impossible. This is because the subroutine in
   question is not used in operations with the private key itself and an input
   of the attacker's direct choice. Otherwise the bug can manifest itself as
   transient authentication and key negotiation failures or reproducible
   erroneous outcome of public-key operations with specially crafted input.
   Among EC algorithms only Brainpool P-512 curves are affected and one
   presumably can attack ECDH key negotiation. Impact was not analyzed in
   detail, because prerequisites for attack are considered unlikely. Namely
   multiple clients have to choose the curve in question and the server has to
   share the private key among them, neither of which is default behaviour.
   Even then only clients that chose the curve will be affected.

   This issue was publicly reported as transient failures and was not
   initially recognized as a security issue. Thanks to Richard Morgan for
   providing a reproducible case.
   ([CVE-2016-7055])

   *Andy Polyakov*

 * Removed automatic addition of RPATH in shared libraries and executables,
   as this was a remainder from OpenSSL 1.0.x and isn't needed any more.

   *Richard Levitte*

### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]

 * Fix Use After Free for large message sizes

   The patch applied to address CVE-2016-6307 resulted in an issue where if a
   message larger than approx 16k is received then the underlying buffer to
   store the incoming message is reallocated and moved. Unfortunately a
   dangling pointer to the old location is left which results in an attempt to
   write to the previously freed location. This is likely to result in a
   crash, however it could potentially lead to execution of arbitrary code.

   This issue only affects OpenSSL 1.1.0a.

   This issue was reported to OpenSSL by Robert Święcki.
   ([CVE-2016-6309])

   *Matt Caswell*

### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP. Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * SSL_peek() hang on empty record

   OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
   sends an empty record. This could be exploited by a malicious peer in a
   Denial Of Service attack.

   This issue was reported to OpenSSL by Alex Gaynor.
   ([CVE-2016-6305])

   *Matt Caswell*

 * Excessive allocation of memory in tls_get_message_header() and
   dtls1_preprocess_fragment()

   A (D)TLS message includes 3 bytes for its length in the header for the
   message. This would allow for messages up to 16Mb in length. Messages of
   this length are excessive and OpenSSL includes a check to ensure that a
   peer is sending reasonably sized messages in order to avoid too much memory
   being consumed to service a connection. A flaw in the logic of version
   1.1.0 means that memory for the message is allocated too early, prior to
   the excessive message length check. Due to the way memory is allocated in
   OpenSSL this could mean an attacker could force up to 21Mb to be allocated
   to service a connection. This could lead to a Denial of Service through
   memory exhaustion. However, the excessive message length check still takes
   place, and this would cause the connection to immediately fail. Assuming
   that the application calls SSL_free() on the failed connection in a timely
   manner then the 21Mb of allocated memory will then be immediately freed
   again. Therefore, the excessive memory allocation will be transitory in
   nature. This then means that there is only a security impact if:

   1) The application does not call SSL_free() in a timely manner in the event
   that the connection fails
   or
   2) The application is working in a constrained environment where there is
   very little free memory
   or
   3) The attacker initiates multiple connection attempts such that there are
   multiple connections in a state where memory has been allocated for the
   connection; SSL_free() has not yet been called; and there is insufficient
   memory to service the multiple requests.
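The ordering this entry calls for, as an added C example that is not libssl's code: the 4-byte handshake header is parsed, its 24-bit length (which is why a peer can claim up to 16Mb) is checked against a bound before any allocation sized by it, and only then is the body buffer allocated. The bound EXAMPLE_MAX_HANDSHAKE_BODY is a placeholder chosen for this example, since the entry does not state the limit libssl uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Upper bound this example enforces on a handshake message body. The entry
 * says libssl has such a check but does not state its value, so this is a
 * placeholder chosen for the example, not OpenSSL's limit.
 */
#define EXAMPLE_MAX_HANDSHAKE_BODY (64u * 1024u)

#define HANDSHAKE_HEADER_LEN 4   /* 1 byte msg type + 3-byte length */

typedef struct {
    uint8_t  msg_type;
    uint32_t body_len;   /* 24-bit value, so up to 16 MiB - 1 */
} handshake_header;

/*
 * Parse the fixed 4-byte (D)TLS handshake header. The length field is
 * 24 bits big-endian, which is why a peer can claim a body of up to 16 MiB.
 * Returns 1 on success, 0 if fewer than 4 bytes are available.
 */
int parse_handshake_header(const uint8_t *buf, size_t buflen,
                           handshake_header *hdr)
{
    if (buf == NULL || hdr == NULL || buflen < HANDSHAKE_HEADER_LEN)
        return 0;
    hdr->msg_type = buf[0];
    hdr->body_len = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8)
                    | (uint32_t)buf[3];
    return 1;
}

/*
 * Correct ordering: validate the claimed length against the bound *before*
 * any allocation sized by it, so an over-long claim costs nothing beyond
 * reading the header. On success returns the body length and stores a
 * freshly allocated buffer of that size in *body (the caller frees it).
 * Returns -1 for a short or missing header, -2 for an excessive length
 * (nothing has been allocated), -3 if malloc fails.
 */
long prepare_handshake_body(const uint8_t *buf, size_t buflen, uint8_t **body)
{
    handshake_header hdr;

    if (body == NULL)
        return -1;
    *body = NULL;
    if (!parse_handshake_header(buf, buflen, &hdr))
        return -1;
    if (hdr.body_len > EXAMPLE_MAX_HANDSHAKE_BODY)
        return -2;                  /* reject; no allocation has happened */
    *body = malloc(hdr.body_len == 0 ? 1 : hdr.body_len);
    if (*body == NULL)
        return -3;
    return (long)hdr.body_len;
}
```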
5417 5418 Except in the instance of (1) above any Denial Of Service is likely to be 5419 transitory because as soon as the connection fails the memory is 5420 subsequently freed again in the SSL_free() call. However there is an 5421 increased risk during this period of application crashes due to the lack of 5422 memory - which would then mean a more serious Denial of Service. 5423 5424 This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 5425 (CVE-2016-6307 and CVE-2016-6308) 5426 5427 *Matt Caswell* 5428 5429 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler, 5430 had to be removed. Primary reason is that vendor assembler can't 5431 assemble our modules with -KPIC flag. As result it, assembly 5432 support, was not even available as option. But its lack means 5433 lack of side-channel resistant code, which is incompatible with 5434 security by todays standards. Fortunately gcc is readily available 5435 prepackaged option, which we firmly point at... 5436 5437 *Andy Polyakov* 5438 5439### Changes between 1.0.2h and 1.1.0 [25 Aug 2016] 5440 5441 * Windows command-line tool supports UTF-8 opt-in option for arguments 5442 and console input. Setting OPENSSL_WIN32_UTF8 environment variable 5443 (to any value) allows Windows user to access PKCS#12 file generated 5444 with Windows CryptoAPI and protected with non-ASCII password, as well 5445 as files generated under UTF-8 locale on Linux also protected with 5446 non-ASCII password. 5447 5448 *Andy Polyakov* 5449 5450 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites 5451 have been disabled by default and removed from DEFAULT, just like RC4. 5452 See the RC4 item below to re-enable both. 5453 5454 *Rich Salz* 5455 5456 * The method for finding the storage location for the Windows RAND seed file 5457 has changed. First we check %RANDFILE%. If that is not set then we check 5458 the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. 
If 5459 all else fails we fall back to C:\. 5460 5461 *Matt Caswell* 5462 5463 * The EVP_EncryptUpdate() function has had its return type changed from void 5464 to int. A return of 0 indicates and error while a return of 1 indicates 5465 success. 5466 5467 *Matt Caswell* 5468 5469 * The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and 5470 DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch 5471 off the constant time implementation for RSA, DSA and DH have been made 5472 no-ops and deprecated. 5473 5474 *Matt Caswell* 5475 5476 * Windows RAND implementation was simplified to only get entropy by 5477 calling CryptGenRandom(). Various other RAND-related tickets 5478 were also closed. 5479 5480 *Joseph Wylie Yandle, Rich Salz* 5481 5482 * The stack and lhash API's were renamed to start with `OPENSSL_SK_` 5483 and `OPENSSL_LH_`, respectively. The old names are available 5484 with API compatibility. They new names are now completely documented. 5485 5486 *Rich Salz* 5487 5488 * Unify TYPE_up_ref(obj) methods signature. 5489 SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(), 5490 X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an 5491 int (instead of void) like all others TYPE_up_ref() methods. 5492 So now these methods also check the return value of CRYPTO_atomic_add(), 5493 and the validity of object reference counter. 5494 5495 *fdasilvayy@gmail.com* 5496 5497 * With Windows Visual Studio builds, the .pdb files are installed 5498 alongside the installed libraries and executables. For a static 5499 library installation, ossl_static.pdb is the associate compiler 5500 generated .pdb file to be used when linking programs. 5501 5502 *Richard Levitte* 5503 5504 * Remove openssl.spec. Packaging files belong with the packagers. 5505 5506 *Richard Levitte* 5507 5508 * Automatic Darwin/OSX configuration has had a refresh, it will now 5509 recognise x86_64 architectures automatically. 
You can still decide 5510 to build for a different bitness with the environment variable 5511 KERNEL_BITS (can be 32 or 64), for example: 5512 5513 KERNEL_BITS=32 ./config 5514 5515 *Richard Levitte* 5516 5517 * Change default algorithms in pkcs8 utility to use PKCS#5 v2.0, 5518 256 bit AES and HMAC with SHA256. 5519 5520 *Steve Henson* 5521 5522 * Remove support for MIPS o32 ABI on IRIX (and IRIX only). 5523 5524 *Andy Polyakov* 5525 5526 * Triple-DES ciphers have been moved from HIGH to MEDIUM. 5527 5528 *Rich Salz* 5529 5530 * To enable users to have their own config files and build file templates, 5531 Configure looks in the directory indicated by the environment variable 5532 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/ 5533 directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical 5534 name and is used as is. 5535 5536 *Richard Levitte* 5537 5538 * The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX, 5539 X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type 5540 X509_CERT_FILE_CTX was removed. 5541 5542 *Rich Salz* 5543 5544 * "shared" builds are now the default. To create only static libraries use 5545 the "no-shared" Configure option. 5546 5547 *Matt Caswell* 5548 5549 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options. 5550 All of these option have not worked for some while and are fundamental 5551 algorithms. 5552 5553 *Matt Caswell* 5554 5555 * Make various cleanup routines no-ops and mark them as deprecated. Most 5556 global cleanup functions are no longer required because they are handled 5557 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages). 5558 Explicitly de-initing can cause problems (e.g. where a library that uses 5559 OpenSSL de-inits, but an application is still using it). 
The affected 5560 functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(), 5561 EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(), 5562 RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and 5563 COMP_zlib_cleanup(). 5564 5565 *Matt Caswell* 5566 5567 * --strict-warnings no longer enables runtime debugging options 5568 such as REF_DEBUG. Instead, debug options are automatically 5569 enabled with '--debug' builds. 5570 5571 *Andy Polyakov, Emilia Käsper* 5572 5573 * Made DH and DH_METHOD opaque. The structures for managing DH objects 5574 have been moved out of the public header files. New functions for managing 5575 these have been added. 5576 5577 *Matt Caswell* 5578 5579 * Made RSA and RSA_METHOD opaque. The structures for managing RSA 5580 objects have been moved out of the public header files. New 5581 functions for managing these have been added. 5582 5583 *Richard Levitte* 5584 5585 * Made DSA and DSA_METHOD opaque. The structures for managing DSA objects 5586 have been moved out of the public header files. New functions for managing 5587 these have been added. 5588 5589 *Matt Caswell* 5590 5591 * Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been 5592 moved out of the public header files. New functions for managing these 5593 have been added. 5594 5595 *Matt Caswell* 5596 5597 * Removed no-rijndael as a config option. Rijndael is an old name for AES. 5598 5599 *Matt Caswell* 5600 5601 * Removed the mk1mf build scripts. 5602 5603 *Richard Levitte* 5604 5605 * Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so 5606 it is always safe to #include a header now. 5607 5608 *Rich Salz* 5609 5610 * Removed the aged BC-32 config and all its supporting scripts 5611 5612 *Richard Levitte* 5613 5614 * Removed support for Ultrix, Netware, and OS/2. 5615 5616 *Rich Salz* 5617 5618 * Add support for HKDF. 
5619 5620 *Alessandro Ghedini* 5621 5622 * Add support for blake2b and blake2s 5623 5624 *Bill Cox* 5625 5626 * Added support for "pipelining". Ciphers that have the 5627 EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple 5628 encryptions/decryptions simultaneously. There are currently no built-in 5629 ciphers with this property but the expectation is that engines will be able 5630 to offer it to significantly improve throughput. Support has been extended 5631 into libssl so that multiple records for a single connection can be 5632 processed in one go (for >=TLS 1.1). 5633 5634 *Matt Caswell* 5635 5636 * Added the AFALG engine. This is an async capable engine which is able to 5637 offload work to the Linux kernel. In this initial version it only supports 5638 AES128-CBC. The kernel must be version 4.1.0 or greater. 5639 5640 *Catriona Lucey* 5641 5642 * OpenSSL now uses a new threading API. It is no longer necessary to 5643 set locking callbacks to use OpenSSL in a multi-threaded environment. There 5644 are two supported threading models: pthreads and windows threads. It is 5645 also possible to configure OpenSSL at compile time for "no-threads". The 5646 old threading API should no longer be used. The functions have been 5647 replaced with "no-op" compatibility macros. 5648 5649 *Alessandro Ghedini, Matt Caswell* 5650 5651 * Modify behavior of ALPN to invoke callback after SNI/servername 5652 callback, such that updates to the SSL_CTX affect ALPN. 5653 5654 *Todd Short* 5655 5656 * Add SSL_CIPHER queries for authentication and key-exchange. 5657 5658 *Todd Short* 5659 5660 * Changes to the DEFAULT cipherlist: 5661 - Prefer (EC)DHE handshakes over plain RSA. 5662 - Prefer AEAD ciphers over legacy ciphers. 5663 - Prefer ECDSA over RSA when both certificates are available. 5664 - Prefer TLSv1.2 ciphers/PRF. 5665 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the 5666 default cipherlist. 

   *Emilia Käsper*

 * Change the ECC default curve list to be this, in order: x25519,
   secp256r1, secp521r1, secp384r1.

   *Rich Salz*

 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
   disabled by default. They can be re-enabled using the
   enable-weak-ssl-ciphers option to Configure.

   *Matt Caswell*

 * If the server has ALPN configured, but supports no protocols that the
   client advertises, send a fatal "no_application_protocol" alert.
   This behaviour is a SHALL in RFC 7301, though it isn't universally
   implemented by other servers.

   *Emilia Käsper*

 * Add X25519 support.
   Add ASN.1 and EVP_PKEY methods for X25519. This includes support
   for public and private key encoding using the format documented in
   draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
   key generation and key derivation.

   TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
   X25519(29).

   *Steve Henson*

 * Deprecate SRP_VBASE_get_by_user.
   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
   In order to fix an unavoidable memory leak ([CVE-2016-0798]),
   SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
   seed, even if the seed is configured.

   Users should use SRP_VBASE_get1_by_user instead. Note that in
   SRP_VBASE_get1_by_user, the caller must free the returned value. Note
   also that even though configuring the SRP seed attempts to hide
   invalid usernames by continuing the handshake with fake
   credentials, this behaviour is not constant time and no strong
   guarantees are made that the handshake is indistinguishable from
   that of a valid user.

   *Emilia Käsper*

 * Configuration change; it's now possible to build dynamic engines
   without having to build shared libraries and vice versa.
This 5717 only applies to the engines in `engines/`, those in `crypto/engine/` 5718 will always be built into libcrypto (i.e. "static"). 5719 5720 Building dynamic engines is enabled by default; to disable, use 5721 the configuration option "disable-dynamic-engine". 5722 5723 The only requirements for building dynamic engines are the 5724 presence of the DSO module and building with position independent 5725 code, so they will also automatically be disabled if configuring 5726 with "disable-dso" or "disable-pic". 5727 5728 The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE 5729 are also taken away from openssl/opensslconf.h, as they are 5730 irrelevant. 5731 5732 *Richard Levitte* 5733 5734 * Configuration change; if there is a known flag to compile 5735 position independent code, it will always be applied on the 5736 libcrypto and libssl object files, and never on the application 5737 object files. This means other libraries that use routines from 5738 libcrypto / libssl can be made into shared libraries regardless 5739 of how OpenSSL was configured. 5740 5741 If this isn't desirable, the configuration options "disable-pic" 5742 or "no-pic" can be used to disable the use of PIC. This will 5743 also disable building shared libraries and dynamic engines. 5744 5745 *Richard Levitte* 5746 5747 * Removed JPAKE code. It was experimental and has no wide use. 5748 5749 *Rich Salz* 5750 5751 * The INSTALL_PREFIX Makefile variable has been renamed to 5752 DESTDIR. That makes for less confusion on what this variable 5753 is for. Also, the configuration option --install_prefix is 5754 removed. 5755 5756 *Richard Levitte* 5757 5758 * Heartbeat for TLS has been removed and is disabled by default 5759 for DTLS; configure with enable-heartbeats. Code that uses the 5760 old #define's might need to be updated. 5761 5762 *Emilia Käsper, Rich Salz* 5763 5764 * Rename REF_CHECK to REF_DEBUG. 

   *Rich Salz*

 * New "unified" build system

   The "unified" build system is aimed to be a common system for all
   platforms we support. With it comes new support for VMS.

   This system supports building in a different directory tree
   than the source tree. It produces one Makefile (for unix family
   or lookalikes), or one descrip.mms (for VMS).

   The source of information to make the Makefile / descrip.mms is
   small files called 'build.info', holding the necessary
   information for each directory with source to compile, and a
   template in Configurations, like unix-Makefile.tmpl or
   descrip.mms.tmpl.

   With this change, the library names were also renamed on Windows
   and on VMS. They now have names that are closer to the standard
   on Unix, and include the major version number, and in certain
   cases, the architecture they are built for. See "Notes on shared
   libraries" in INSTALL.

   We rely heavily on the perl module Text::Template.

   *Richard Levitte*

 * Added support for auto-initialisation and de-initialisation of the library.
   OpenSSL no longer requires explicit init or deinit routines to be called,
   except in certain circumstances. See the OPENSSL_init_crypto() and
   OPENSSL_init_ssl() man pages for further information.

   *Matt Caswell*

 * The arguments to the DTLSv1_listen function have changed. Specifically the
   "peer" argument is now expected to be a BIO_ADDR object.

 * Rewrite of BIO networking library. The BIO library lacked consistent
   support of IPv6, and adding it required some more extensive
   modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
   which hold all types of addresses and chains of address information.
   It also introduces a new API, with functions like BIO_socket,
   BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
   The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
   have been adapted accordingly.

   *Richard Levitte*

 * RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
   the leading 0-byte.

   *Emilia Käsper*

 * CRIME protection: disable compression by default, even if OpenSSL is
   compiled with zlib enabled. Applications can still enable compression
   by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
   using the SSL_CONF library to configure compression.

   *Emilia Käsper*

 * The signature of the session callback configured with
   SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
   was explicitly marked as `const unsigned char*` instead of
   `unsigned char*`.

   *Emilia Käsper*

 * Always DPURIFY. Remove the use of uninitialized memory in the
   RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.

   *Emilia Käsper*

 * Removed many obsolete configuration items, including
   - DES_PTR, DES_RISC1, DES_RISC2, DES_INT
   - MD2_CHAR, MD2_INT, MD2_LONG
   - BF_PTR, BF_PTR2
   - IDEA_SHORT, IDEA_LONG
   - RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX

   *Rich Salz, with advice from Andy Polyakov*

 * Many BN internals have been moved to an internal header file.

   *Rich Salz with help from Andy Polyakov*

 * Configuration and writing out the results from it has changed.
   Files such as Makefile and include/openssl/opensslconf.h are now
   produced through general templates, such as Makefile.in and
   crypto/opensslconf.h.in, with some help from the perl module
   Text::Template.

   Also, the center of configuration information is no longer
   Makefile.
   Instead, Configure produces a perl module in
   configdata.pm which holds most of the config data (in the hash
   table %config), and the target data that comes from the target
   configuration in one of the `Configurations/*.conf` files (in
   %target).

   *Richard Levitte*

 * To clarify their intended purposes, the Configure options
   --prefix and --openssldir change their semantics, and become more
   straightforward and less interdependent.

   --prefix shall be used exclusively to give the location INSTALLTOP
   where programs, scripts, libraries, include files and manuals are
   going to be installed. The default is now /usr/local.

   --openssldir shall be used exclusively to give the default
   location OPENSSLDIR where certificates, private keys, CRLs are
   managed. This is also where the default openssl.cnf gets
   installed.
   If the directory given with this option is a relative path, the
   values of both the --prefix value and the --openssldir value will
   be combined to become OPENSSLDIR.
   The default for --openssldir is INSTALLTOP/ssl.

   Anyone who uses --openssldir to specify where OpenSSL is to be
   installed MUST change to use --prefix instead.

   *Richard Levitte*

 * The GOST engine was out of date and therefore it has been removed. An up
   to date GOST engine is now being maintained in an external repository.
   See: <https://github.com/openssl/openssl/wiki/Binaries>. Libssl still retains
   support for GOST ciphersuites (these are only activated if a GOST engine
   is present).

   *Matt Caswell*

 * EGD is no longer supported by default; use enable-egd when
   configuring.

   *Ben Kaduk and Rich Salz*

 * The distribution now has Makefile.in files, which are used to
   create Makefile's when Configure is run.
   *Configure must be run before trying to build now.*

   *Rich Salz*

 * The return value for SSL_CIPHER_description() for error conditions
   has changed.

   *Rich Salz*

 * Support for RFC6698/RFC7671 DANE TLSA peer authentication.

   Obtaining and performing DNSSEC validation of TLSA records is
   the application's responsibility. The application provides
   the TLSA records of its choice to OpenSSL, and these are then
   used to authenticate the peer.

   The TLSA records need not even come from DNS. They can, for
   example, be used to implement local end-entity certificate or
   trust-anchor "pinning", where the "pin" data takes the form
   of TLSA records, which can augment or replace verification
   based on the usual WebPKI public certification authorities.

   *Viktor Dukhovni*

 * Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
   continues to support deprecated interfaces in default builds.
   However, applications are strongly advised to compile their
   source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
   the declarations of all interfaces deprecated in 0.9.8, 1.0.0
   or the 1.1.0 releases.

   In environments in which all applications have been ported to
   not use any deprecated interfaces OpenSSL's Configure script
   should be used with the --api=1.1.0 option to entirely remove
   support for the deprecated features from the library and
   unconditionally disable them in the installed headers.
   Essentially the same effect can be achieved with the "no-deprecated"
   argument to Configure, except that this will always restrict
   the build to just the latest API, rather than a fixed API
   version.

   As applications are ported to future revisions of the API,
   they should update their compile-time OPENSSL_API_COMPAT define
   accordingly, but in most cases should be able to continue to
   compile with later releases.

   The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
   0x10000000L and 0x00908000L, respectively. However those
   versions did not support the OPENSSL_API_COMPAT feature, and
   so applications are not typically tested for explicit support
   of just the undeprecated features of either release.

   *Viktor Dukhovni*

 * Add support for setting the minimum and maximum supported protocol.
   It can be set via the SSL_set_min_proto_version() and
   SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
   MaxProtocol. It's recommended to use the new APIs to disable
   protocols instead of disabling individual protocols using
   SSL_set_options() or SSL_CONF's Protocol. This change also
   removes support for disabling TLS 1.2 in the OpenSSL TLS
   client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.

   *Kurt Roeckx*

 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl.

   *Andy Polyakov*

 * New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
   and integrates ECDSA and ECDH functionality into EC. Implementations can
   now redirect key generation and no longer need to convert to or from
   ECDSA_SIG format.

   Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
   include the ec.h header file instead.

   *Steve Henson*

 * Remove support for all 40 and 56 bit ciphers. This includes all the export
   ciphers, which are no longer supported, and drops support for the ephemeral
   RSA key exchange. The LOW cipher class currently doesn't have any ciphers
   in it.

   *Kurt Roeckx*

 * Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
   opaque. For HMAC_CTX, the following constructors and destructors
   were added:

       HMAC_CTX *HMAC_CTX_new(void);
       void HMAC_CTX_free(HMAC_CTX *ctx);

   For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
   destroy such methods have been added. See EVP_MD_meth_new(3) and
   EVP_CIPHER_meth_new(3) for documentation.

   Additional changes:
   1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
      `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
      `EVP_MD_CTX_reset()` should be called instead to reinitialise
      an already created structure.
   2) For consistency with the majority of our object creators and
      destructors, `EVP_MD_CTX_(create|destroy)` were renamed to
      `EVP_MD_CTX_(new|free)`. The old names are retained as macros
      for deprecated builds.

   *Richard Levitte*

 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
   cryptographic operations to be performed asynchronously as long as an
   asynchronous capable engine is used. See the ASYNC_start_job() man page for
   further details. Libssl has also had this capability integrated with the
   introduction of the new mode SSL_MODE_ASYNC and associated error
   SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
   pages. This work was developed in partnership with Intel Corp.

   *Matt Caswell*

 * SSL_{CTX_}set_ecdh_auto() has been removed and ECDH support is
   always enabled now. If you want to disable the support you should
   exclude it using the list of supported ciphers. This also means that the
   "-no_ecdhe" option has been removed from s_server.

   *Kurt Roeckx*

 * SSL_{CTX}_set_tmp_ecdh(), which can set 1 EC curve, now internally calls
   SSL_{CTX_}set1_curves(), which can set a list.

   *Kurt Roeckx*

 * Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the
   curve you want to support using SSL_{CTX_}set1_curves().

   *Kurt Roeckx*

 * State machine rewrite. The state machine code has been significantly
   refactored in order to remove much duplication of code and solve issues
   with the old code (see [ssl/statem/README.md](ssl/statem/README.md) for
   further details). This change does have some associated API changes.
   Notably the SSL_state() function has been removed and replaced by
   SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
   SSL_set_state() has been removed altogether. The previous handshake states
   defined in ssl.h and ssl3.h have also been removed.

   *Matt Caswell*

 * All instances of the string "ssleay" in the public API were replaced
   with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's).
   Some error codes related to internal RSA_eay API's were renamed.

   *Rich Salz*

 * The demo files in crypto/threads were moved to demo/threads.

   *Rich Salz*

 * Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
   sureware and ubsec.

   *Matt Caswell, Rich Salz*

 * New ASN.1 embed macro.

   New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
   structure is not allocated: it is part of the parent. That is, instead of

       FOO *x;

   it must be:

       FOO x;

   This reduces memory fragmentation and makes it impossible to accidentally
   set a mandatory field to NULL.

   This currently only works for some fields, specifically a SEQUENCE, CHOICE,
   or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
   equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
   SEQUENCE OF.

   *Steve Henson*

 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.

   *Emilia Käsper*

 * Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
   in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
   an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
   DES and RC4 ciphersuites.

   *Matt Caswell*

 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
   This changes the decoding behaviour for some invalid messages,
   though the change is mostly in the more lenient direction, and
   legacy behaviour is preserved as much as possible.

   *Emilia Käsper*

 * Fix no-stdio build.

   *David Woodhouse <David.Woodhouse@intel.com> and also*
   *Ivan Nestlerode <ivan.nestlerode@sonos.com>*

 * New testing framework
   The testing framework has been largely rewritten and is now using
   perl and the perl modules Test::Harness and an extended variant of
   Test::More called OpenSSL::Test to do its work. All test scripts in
   test/ have been rewritten into test recipes, and all direct calls to
   executables in test/Makefile have become individual recipes using the
   simplified testing OpenSSL::Test::Simple.

   For documentation on our testing modules, do:

       perldoc test/testlib/OpenSSL/Test/Simple.pm
       perldoc test/testlib/OpenSSL/Test.pm

   *Richard Levitte*

 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
   are used; the latter aborts on memory leaks (usually checked on exit).
   Some undocumented "set malloc, etc., hooks" functions were removed
   and others were changed. All are now documented.

   *Rich Salz*

 * In DSA_generate_parameters_ex, if the provided seed is too short,
   return an error.

   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*

 * Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
   from RFC4279, RFC4785, RFC5487, RFC5489.

   Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
   original RSA_PSK patch.

   *Steve Henson*

 * Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
   era flag was never set throughout the codebase (only read). Also removed
   SSL3_FLAGS_POP_BUFFER which was only used if
   SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.

   *Matt Caswell*

 * Changed the default name options in the "ca", "crl", "req" and "x509"
   commands to be "oneline" instead of "compat".

   *Richard Levitte*

 * Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
   not aware of clients that still exhibit this bug, and the workaround
   hasn't been working properly for a while.

   *Emilia Käsper*

 * The return type of BIO_number_read() and BIO_number_written() as well as
   the corresponding num_read and num_write members in the BIO structure has
   changed from unsigned long to uint64_t. On platforms where an unsigned
   long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
   transferred.

   *Matt Caswell*

 * Given the pervasive nature of TLS extensions it is inadvisable to run
   OpenSSL without support for them. It also means that maintaining
   the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
   not well tested). Therefore, the OPENSSL_NO_TLSEXT option has been removed.

   *Matt Caswell*

 * Removed support for the two export grade static DH ciphersuites
   EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA.
   These two ciphersuites
   were newly added (along with a number of other static DH ciphersuites) to
   1.0.2. However the two export ones have *never* worked since they were
   introduced. It seems strange in any case to be adding new export
   ciphersuites, and given "logjam" it also does not seem correct to fix them.

   *Matt Caswell*

 * Version negotiation has been rewritten. In particular SSLv23_method(),
   SSLv23_client_method() and SSLv23_server_method() have been deprecated,
   and turned into macros which simply call the new preferred function names
   TLS_method(), TLS_client_method() and TLS_server_method(). All new code
   should use the new names instead. Also as part of this change the ssl23.h
   header file has been removed.

   *Matt Caswell*

 * Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
   code and the associated standard is no longer considered fit-for-purpose.

   *Matt Caswell*

 * RT2547 was closed. When generating a private key, try to make the
   output file readable only by the owner. This behavior change might
   be noticeable when interacting with other software.

 * Documented all exdata functions. Added CRYPTO_free_ex_index.
   Added a test.

   *Rich Salz*

 * Added HTTP GET support to the ocsp command.

   *Rich Salz*

 * Changed default digest for the dgst and enc commands from MD5 to
   sha256.

   *Rich Salz*

 * RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.

   *Matt Caswell*

 * Added support for TLS extended master secret from
   draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
   initial patch which was a great help during development.

   *Steve Henson*

 * All libssl internal structures have been removed from the public header
   files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
   now redundant). Users should not attempt to access internal structures
   directly. Instead they should use the provided API functions.

   *Matt Caswell*

 * config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
   Access to deprecated functions can be re-enabled by running config with
   "enable-deprecated". In addition applications wishing to use deprecated
   functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
   will, by default, disable some transitive includes that previously existed
   in the header files (e.g. ec.h will no longer, by default, include bn.h).

   *Matt Caswell*

 * Added support for OCB mode. OpenSSL has been granted a patent license
   compatible with the OpenSSL license for use of OCB. Details are available
   at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
   for OCB can be removed by calling config with no-ocb.

   *Matt Caswell*

 * SSLv2 support has been removed. It still supports receiving an SSLv2
   compatible client hello.

   *Kurt Roeckx*

 * Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
   done while fixing the error code for the key-too-small case.

   *Annie Yousar <a.yousar@informatik.hu-berlin.de>*

 * CA.sh has been removed; use CA.pl instead.

   *Rich Salz*

 * Removed old DES API.

   *Rich Salz*

 * Remove various unsupported platforms:
   - Sony NEWS4
   - BEOS and BEOS_R5
   - NeXT
   - SUNOS
   - MPE/iX
   - Sinix/ReliantUNIX RM400
   - DGUX
   - NCR
   - Tandem
   - Cray
   - 16-bit platforms such as WIN16

   *Rich Salz*

 * Clean up OPENSSL_NO_xxx #define's
   - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
   - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
   - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
   - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
   - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
   - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
     OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
     OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
     OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
   - Remove MS_STATIC; it's a relic from platforms <32 bits.

   *Rich Salz*

 * Cleaned up dead code
   Remove all but one '#ifdef undef' which is to be looked at.

   *Rich Salz*

 * Clean up calling of xxx_free routines.
   Just like free(), fix most of the xxx_free routines to accept
   NULL. Remove the non-null checks from callers. Save much code.

   *Rich Salz*

 * Add secure heap for storage of private keys (when possible).
   Add BIO_s_secmem(), CBIGNUM, etc.
   Contributed by Akamai Technologies under our Corporate CLA.

   *Rich Salz*

 * Experimental support for a new, fast, unbiased prime candidate generator,
   bn_probable_prime_dh_coprime(). Not currently used by any prime generator.

   *Felix Laurie von Massenbach <felix@erbridge.co.uk>*

 * New output format NSS in the sess_id command line tool. This allows
   exporting the session id and the master key in NSS keylog format.

   *Martin Kaiser <martin@kaiser.cx>*

 * Harmonize version and its documentation.
   The -f flag is used to display compilation flags.

   *mancha <mancha1@zoho.com>*

 * Fix eckey_priv_encode so it immediately returns an error upon a failure
   in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.

   *mancha <mancha1@zoho.com>*

 * Fix some double frees. These are not thought to be exploitable.

   *mancha <mancha1@zoho.com>*

 * A missing bounds check in the handling of the TLS heartbeat extension
   can be used to reveal up to 64k of memory to a connected client or
   server.

   Thanks to Neel Mehta of Google Security for discovering this bug and to
   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
   preparing the fix ([CVE-2014-0160])

   *Adam Langley, Bodo Moeller*

 * Fix for the attack described in the paper "Recovering OpenSSL
   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   by Yuval Yarom and Naomi Benger. Details can be obtained from:
   <http://eprint.iacr.org/2014/140>

   Thanks to Yuval Yarom and Naomi Benger for discovering this
   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])

   *Yuval Yarom and Naomi Benger*

 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
   this fixes a limitation in previous versions of OpenSSL.

   *Steve Henson*

 * Experimental encrypt-then-mac support.

   Experimental support for encrypt then mac from
   draft-gutmann-tls-encrypt-then-mac-02.txt

   To enable it set the appropriate extension number (0x42 for the test
   server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42

   For non-compliant peers (i.e. just about everything) this should have no
   effect.

   WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.

   *Steve Henson*

 * Add EVP support for key wrapping algorithms. To avoid problems with
   existing code, the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
   algorithms and include test cases.

   *Steve Henson*

 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
   enveloped data.

   *Steve Henson*

 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
   MGF1 digest and OAEP label.

   *Steve Henson*

 * Make openssl verify return errors.

   *Chris Palmer <palmer@google.com> and Ben Laurie*

 * New function ASN1_TIME_diff to calculate the difference between two
   ASN1_TIME structures or one structure and the current time.

   *Steve Henson*

 * Update fips_test_suite to support multiple command line options. New
   test to induce all self test errors in sequence and check expected
   failures.

   *Steve Henson*

 * Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
   sign or verify all in one operation.

   *Steve Henson*

 * Add fips_algvs: a multicall fips utility incorporating all the algorithm
   test programs and fips_test_suite. Includes functionality to parse
   the minimal script output of fipsalgest.pl directly.

   *Steve Henson*

 * Add authorisation parameter to FIPS_module_mode_set().

   *Steve Henson*

 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.

   *Steve Henson*

 * Use separate DRBG fields for internal and external flags. New function
   FIPS_drbg_health_check() to perform on demand health checking. Add
   generation tests to fips_test_suite with reduced health check interval to
   demonstrate periodic health checking. Add "nodh" option to
   fips_test_suite to skip very slow DH test.

   *Steve Henson*

 * New function FIPS_get_cipherbynid() to look up FIPS supported ciphers
   based on NID.

   *Steve Henson*

 * More extensive health check for DRBG checking many more failure modes.
   New function FIPS_selftest_drbg_all() to handle every possible DRBG
   combination: call this in fips_test_suite.

   *Steve Henson*

 * Add support for canonical generation of DSA parameter 'g'. See
   FIPS 186-3 A.2.3.

 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
   POST to handle HMAC cases.

   *Steve Henson*

 * Add functions FIPS_module_version() and FIPS_module_version_text()
   to return numerical and string versions of the FIPS module number.

   *Steve Henson*

 * Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
   FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
   outside the validated module in the FIPS capable OpenSSL.

   *Steve Henson*

 * Minor change to DRBG entropy callback semantics. In some cases
   there is no multiple of the block length between min_len and
   max_len. Allow the callback to return more than max_len bytes
   of entropy but discard any extra: it is the callback's responsibility
   to ensure that the extra data discarded does not impact the
   requested amount of entropy.

   *Steve Henson*

 * Add PRNG security strength checks to RSA, DSA and ECDSA using
   information in FIPS186-3, SP800-57 and SP800-131A.

   *Steve Henson*

 * CCM support via EVP. Interface is very similar to GCM case except we
   must supply all data in one chunk (i.e. no update, final) and the
   message length must be supplied if AAD is used. Add algorithm test
   support.

   *Steve Henson*

 * Initial version of POST overhaul. Add POST callback to allow the status
   of POST to be monitored and/or failures induced.
Modify fips_test_suite 6489 to use callback. Always run all selftests even if one fails. 6490 6491 *Steve Henson* 6492 6493 * XTS support including algorithm test driver in the fips_gcmtest program. 6494 Note: this does increase the maximum key length from 32 to 64 bytes but 6495 there should be no binary compatibility issues as existing applications 6496 will never use XTS mode. 6497 6498 *Steve Henson* 6499 6500 * Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies 6501 to OpenSSL RAND code and replace with a tiny FIPS RAND API which also 6502 performs algorithm blocking for unapproved PRNG types. Also do not 6503 set PRNG type in FIPS_mode_set(): leave this to the application. 6504 Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with 6505 the standard OpenSSL PRNG: set additional data to a date time vector. 6506 6507 *Steve Henson* 6508 6509 * Rename old X9.31 PRNG functions of the form `FIPS_rand*` to `FIPS_x931*`. 6510 This shouldn't present any incompatibility problems because applications 6511 shouldn't be using these directly and any that are will need to rethink 6512 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2 6513 6514 *Steve Henson* 6515 6516 * Extensive self tests and health checking required by SP800-90 DRBG. 6517 Remove strength parameter from FIPS_drbg_instantiate and always 6518 instantiate at maximum supported strength. 6519 6520 *Steve Henson* 6521 6522 * Add ECDH code to fips module and fips_ecdhvs for primitives only testing. 6523 6524 *Steve Henson* 6525 6526 * New algorithm test program fips_dhvs to handle DH primitives only testing. 6527 6528 *Steve Henson* 6529 6530 * New function DH_compute_key_padded() to compute a DH key and pad with 6531 leading zeroes if needed: this complies with SP800-56A et al. 6532 6533 *Steve Henson* 6534 6535 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by 6536 anything, incomplete, subject to change and largely untested at present. 
   *Steve Henson*

 * Modify fipscanisteronly build option to only build the necessary object
   files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.

   *Steve Henson*

 * Add experimental option FIPSSYMS to give all symbols in
   fipscanister.o a FIPS or fips prefix. This will avoid
   conflicts with future versions of OpenSSL. Add perl script
   util/fipsas.pl to preprocess assembly language source files
   and rename any affected symbols.

   *Steve Henson*

 * Add selftest checks and algorithm block of non-fips algorithms in
   FIPS mode. Remove DES2 from selftests.

   *Steve Henson*

 * Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
   return internal method without any ENGINE dependencies. Add new
   tiny fips sign and verify functions.

   *Steve Henson*

 * New build option no-ec2m to disable characteristic 2 code.

   *Steve Henson*

 * New build option "fipscanisteronly". This only builds fipscanister.o
   and (currently) associated fips utilities. Uses the file Makefile.fips
   instead of Makefile.org as the prototype.

   *Steve Henson*

 * Add some FIPS mode restrictions to GCM. Add internal IV generator.
   Update fips_gcmtest to use IV generator.

   *Steve Henson*

 * Initial, experimental EVP support for AES-GCM. AAD can be input by
   setting output buffer to NULL. The `*Final` function must be
   called although it will not retrieve any additional data. The tag
   can be set or retrieved with a ctrl. The IV length is by default 12
   bytes (96 bits) but can be set to an alternative value. If the IV
   length exceeds the maximum IV length (currently 16 bytes) it cannot be
   set before the key.

   *Steve Henson*

 * New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
   underlying do_cipher function handles all cipher semantics itself
   including padding and finalisation. This is useful if (for example)
   an ENGINE cipher handles block padding itself. The behaviour of
   do_cipher is subtly changed if this flag is set: the return value
   is the number of characters written to the output buffer (zero is
   no longer an error code) or a negative error code. Also if the
   input buffer is NULL and length 0 finalisation should be performed.

   *Steve Henson*

 * If a candidate issuer certificate is already part of the constructed
   path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.

   *Steve Henson*

 * Improve forward-security support: add functions

        void SSL_CTX_set_not_resumable_session_callback(
                 SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
        void SSL_set_not_resumable_session_callback(
                 SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

   for use by SSL/TLS servers; the callback function will be called whenever a
   new session is created, and gets to decide whether the session may be
   cached to make it resumable (return 0) or not (return 1). (As by the
   SSL/TLS protocol specifications, the session_id sent by the server will be
   empty to indicate that the session is not resumable; also, the server will
   not generate RFC 4507 (RFC 5077) session tickets.)

   A simple reasonable callback implementation is to return is_forward_secure.
   This parameter will be set to 1 or 0 depending on the ciphersuite selected
   by the SSL/TLS server library, indicating whether it can provide forward
   security.

   *Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)*

 * New -verify_name option in command line utilities to set verification
   parameters by name.

   *Steve Henson*

 * Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
   Add CMAC pkey methods.

   *Steve Henson*

 * Experimental renegotiation in s_server -www mode. If the client
   browses /reneg connection is renegotiated. If /renegcert it is
   renegotiated requesting a certificate.

   *Steve Henson*

 * Add an "external" session cache for debugging purposes to s_server. This
   should help trace issues which normally are only apparent in deployed
   multi-process servers.

   *Steve Henson*

 * Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
   return value is ignored. NB. The functions RAND_add(), RAND_seed(),
   BIO_set_cipher() and some obscure PEM functions were changed so they
   can now return an error. The RAND changes required a change to the
   RAND_METHOD structure.

   *Steve Henson*

 * New macro `__owur` for "OpenSSL Warn Unused Result". This makes use of
   a gcc attribute to warn if the result of a function is ignored. This
   is enabled if DEBUG_UNUSED is set. Add to several functions in evp.h
   whose return value is often ignored.

   *Steve Henson*

 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
   These allow SCTs (signed certificate timestamps) to be requested and
   validated when establishing a connection.

   *Rob Percival <robpercival@google.com>*

 * SSLv3 is by default disabled at build-time. Builds that are not
   configured with "enable-ssl3" will not support SSLv3.

   *Kurt Roeckx*

OpenSSL 1.0.2
-------------

### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]

 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
   used even when parsing explicit parameters, when loading an encoded key
   or calling `EC_GROUP_new_from_ecpkparameters()`/
   `EC_GROUP_new_from_ecparameters()`.
   This prevents bypass of security hardening and performance gains,
   especially for curves with specialized EC_METHODs.
   By default, if a key encoded with explicit parameters is loaded and later
   encoded, the output is still encoded with explicit parameters, even if
   internally a "named" EC_GROUP is used for computation.

   *Nicola Tuveri*

 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
   this change, EC_GROUP_set_generator would accept order and/or cofactor as
   NULL. After this change, only the cofactor parameter can be NULL. It also
   does some minimal sanity checks on the passed order.
   ([CVE-2019-1547])

   *Billy Bob Brumley*

 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
   An attack is simple, if the first CMS_recipientInfo is valid but the
   second CMS_recipientInfo is chosen ciphertext. If the second
   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
   encryption key will be replaced by garbage, and the message cannot be
   decoded, but if the RSA decryption fails, the correct encryption key is
   used and the recipient will not notice the attack.
   As a work around for this potential attack the length of the decrypted
   key must be equal to the cipher default key length, in case the
   certificate is not given and all recipientInfo are tried out.
   The old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag.
   ([CVE-2019-1563])

   *Bernd Edlinger*

 * Document issue with installation paths in diverse Windows builds

   '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
   binaries and run-time config file.
   ([CVE-2019-1552])

   *Richard Levitte*

### Changes between 1.0.2r and 1.0.2s [28 May 2019]

 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
   This changes the size when using the `genpkey` command when no size is given.
   It fixes an omission in earlier changes that changed all RSA, DSA and DH
   generation commands to use 2048 bits by default.

   *Kurt Roeckx*

 * Add FIPS support for Android Arm 64-bit

   Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
   Module in Version 2.0.10. For some reason, the corresponding target
   'android64-aarch64' was missing in OpenSSL 1.0.2, whence it could not be
   built with FIPS support on Android Arm 64-bit. This omission has been
   fixed.

   *Matthias St. Pierre*

### Changes between 1.0.2q and 1.0.2r [26 Feb 2019]

 * 0-byte record padding oracle

   If an application encounters a fatal protocol error and then calls
   SSL_shutdown() twice (once to send a close_notify, and once to receive one)
   then OpenSSL can respond differently to the calling application if a 0 byte
   record is received with invalid padding compared to if a 0 byte record is
   received with an invalid MAC. If the application then behaves differently
   based on that in a way that is detectable to the remote peer, then this
   amounts to a padding oracle that could be used to decrypt data.

   In order for this to be exploitable "non-stitched" ciphersuites must be in
   use. Stitched ciphersuites are optimised implementations of certain
   commonly used ciphersuites. Also the application must call SSL_shutdown()
   twice even if a protocol error has occurred (applications should not do
   this but some do anyway).

   This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
   Aviram, with additional investigation by Steven Collison and Andrew
   Hourselt. It was reported to OpenSSL on 10th December 2018.
   ([CVE-2019-1559])

   *Matt Caswell*

 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().

   *Richard Levitte*

### Changes between 1.0.2p and 1.0.2q [20 Nov 2018]

 * Microarchitecture timing vulnerability in ECC scalar multiplication

   OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
   shown to be vulnerable to a microarchitecture timing side channel attack.
   An attacker with sufficient access to mount local timing attacks during
   ECDSA signature generation could recover the private key.

   This issue was reported to OpenSSL on 26th October 2018 by Alejandro
   Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
   Nicola Tuveri.
   ([CVE-2018-5407])

   *Billy Brumley*

 * Timing vulnerability in DSA signature generation

   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
   timing side channel attack. An attacker could use variations in the signing
   algorithm to recover the private key.

   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
   ([CVE-2018-0734])

   *Paul Dale*

 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
   Module, accidentally introduced while backporting security fixes from the
   development branch and hindering the use of ECC in FIPS mode.

   *Nicola Tuveri*

### Changes between 1.0.2o and 1.0.2p [14 Aug 2018]

 * Client DoS due to large DH parameter

   During key agreement in a TLS handshake using a DH(E) based ciphersuite a
   malicious server can send a very large prime value to the client. This will
   cause the client to spend an unreasonably long period of time generating a
   key for this prime resulting in a hang until the client has finished. This
   could be exploited in a Denial Of Service attack.
   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken.
   ([CVE-2018-0732])

   *Guido Vranken*

 * Cache timing vulnerability in RSA Key Generation

   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
   a cache timing side channel attack. An attacker with sufficient access to
   mount cache timing attacks during the RSA key generation process could
   recover the private key.

   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
   ([CVE-2018-0737])

   *Billy Brumley*

 * Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
   parameter is no longer accepted, as it leads to a corrupt table. NULL
   pem_str is reserved for alias entries only.

   *Richard Levitte*

 * Revert blinding in ECDSA sign and instead make problematic addition
   length-invariant. Switch even to fixed-length Montgomery multiplication.

   *Andy Polyakov*

 * Change generating and checking of primes so that the error rate of not
   being prime depends on the intended use based on the size of the input.
   For larger primes this will result in more rounds of Miller-Rabin.
   The maximal error rate for primes with more than 1080 bits is lowered
   to 2^-128.

   *Kurt Roeckx, Annie Yousar*

 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.

   *Kurt Roeckx*

 * Add blinding to ECDSA and DSA signatures to protect against side channel
   attacks discovered by Keegan Ryan (NCC Group).

   *Matt Caswell*

 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
   now allow empty (zero character) pass phrases.

   *Richard Levitte*

 * Certificate time validation (X509_cmp_time) enforces stricter
   compliance with RFC 5280. Fractional seconds and timezone offsets
   are no longer allowed.

   *Emilia Käsper*

### Changes between 1.0.2n and 1.0.2o [27 Mar 2018]

 * Constructed ASN.1 types with a recursive definition could exceed the stack

   Constructed ASN.1 types with a recursive definition (such as can be found
   in PKCS7) could eventually exceed the stack given malicious input with
   excessive recursion. This could result in a Denial Of Service attack. There
   are no such structures used within SSL/TLS that come from untrusted sources
   so this is considered safe.

   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
   project.
   ([CVE-2018-0739])

   *Matt Caswell*

### Changes between 1.0.2m and 1.0.2n [7 Dec 2017]

 * Read/write after SSL object in error state

   OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
   mechanism. The intent was that if a fatal error occurred during a handshake
   then OpenSSL would move into the error state and would immediately fail if
   you attempted to continue the handshake. This works as designed for the
   explicit handshake functions (SSL_do_handshake(), SSL_accept() and
   SSL_connect()), however due to a bug it does not work correctly if
   SSL_read() or SSL_write() is called directly. In that scenario, if the
   handshake fails then a fatal error will be returned in the initial function
   call. If SSL_read()/SSL_write() is subsequently called by the application
   for the same SSL object then it will succeed and the data is passed without
   being decrypted/encrypted directly from the SSL/TLS record layer.

   In order to exploit this issue an application bug would have to be present
   that resulted in a call to SSL_read()/SSL_write() being issued after having
   already received a fatal error.

   This issue was reported to OpenSSL by David Benjamin (Google).
   ([CVE-2017-3737])

   *Matt Caswell*

 * rsaz_1024_mul_avx2 overflow bug on x86_64

   There is an overflow bug in the AVX2 Montgomery multiplication procedure
   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
   Analysis suggests that attacks against RSA and DSA as a result of this
   defect would be very difficult to perform and are not believed likely.
   Attacks against DH1024 are considered just feasible, because most of the
   work necessary to deduce information about a private key may be performed
   offline. The amount of resources required for such an attack would be
   significant. However, for an attack on TLS to be meaningful, the server
   would have to share the DH1024 private key among multiple clients, which is
   no longer an option since CVE-2016-0701.

   This only affects processors that support the AVX2 but not ADX extensions
   like Intel Haswell (4th generation).

   This issue was reported to OpenSSL by David Benjamin (Google). The issue
   was originally found via the OSS-Fuzz project.
   ([CVE-2017-3738])

   *Andy Polyakov*

### Changes between 1.0.2l and 1.0.2m [2 Nov 2017]

 * bn_sqrx8x_internal carry bug on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely. Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients.

   This only affects processors that support the BMI1, BMI2 and ADX extensions
   like Intel Broadwell (5th generation) and later or AMD Ryzen.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3736])

   *Andy Polyakov*

 * Malformed X.509 IPAddressFamily could cause OOB read

   If an X.509 certificate has a malformed IPAddressFamily extension,
   OpenSSL could do a one-byte buffer overread. The most likely result
   would be an erroneous display of the certificate in text format.

   This issue was reported to OpenSSL by the OSS-Fuzz project.

   *Rich Salz*

### Changes between 1.0.2k and 1.0.2l [25 May 2017]

 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
   platform rather than 'mingw'.

   *Richard Levitte*

### Changes between 1.0.2j and 1.0.2k [26 Jan 2017]

 * Truncated packet could crash via OOB read

   If one side of an SSL/TLS path is running on a 32-bit host and a specific
   cipher is being used, then a truncated packet can cause that host to
   perform an out-of-bounds read, usually resulting in a crash.

   This issue was reported to OpenSSL by Robert Święcki of Google.
   ([CVE-2017-3731])

   *Andy Polyakov*

 * BN_mod_exp may produce incorrect results on x86_64

   There is a carry propagating bug in the x86_64 Montgomery squaring
   procedure. No EC algorithms are affected. Analysis suggests that attacks
   against RSA and DSA as a result of this defect would be very difficult to
   perform and are not believed likely.
   Attacks against DH are considered just
   feasible (although very difficult) because most of the work necessary to
   deduce information about a private key may be performed offline. The amount
   of resources required for such an attack would be very significant and
   likely only accessible to a limited number of attackers. An attacker would
   additionally need online access to an unpatched system using the target
   private key in a scenario with persistent DH parameters and a private
   key that is shared between multiple clients. For example this can occur by
   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
   similar to CVE-2015-3193 but must be treated as a separate problem.

   This issue was reported to OpenSSL by the OSS-Fuzz project.
   ([CVE-2017-3732])

   *Andy Polyakov*

 * Montgomery multiplication may produce incorrect results

   There is a carry propagating bug in the Broadwell-specific Montgomery
   multiplication procedure that handles input lengths divisible by, but
   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
   and DH private keys are impossible. This is because the subroutine in
   question is not used in operations with the private key itself and an input
   of the attacker's direct choice. Otherwise the bug can manifest itself as
   transient authentication and key negotiation failures or reproducible
   erroneous outcome of public-key operations with specially crafted input.
   Among EC algorithms only Brainpool P-512 curves are affected and one
   presumably can attack ECDH key negotiation. Impact was not analyzed in
   detail, because pre-requisites for attack are considered unlikely. Namely
   multiple clients have to choose the curve in question and the server has to
   share the private key among them, neither of which is default behaviour.
   Even then only clients that chose the curve will be affected.

   This issue was publicly reported as transient failures and was not
   initially recognized as a security issue. Thanks to Richard Morgan for
   providing a reproducible case.
   ([CVE-2016-7055])

   *Andy Polyakov*

 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
   prevent issues where no progress is being made and the peer continually
   sends unrecognised record types, using up resources processing them.

   *Matt Caswell*

### Changes between 1.0.2i and 1.0.2j [26 Sep 2016]

 * Missing CRL sanity check

   A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
   but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
   CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

   This issue only affects OpenSSL 1.0.2i.
   ([CVE-2016-7052])

   *Matt Caswell*

### Changes between 1.0.2h and 1.0.2i [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP. Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
   HIGH to MEDIUM.

   This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
   Leurent (INRIA).
   ([CVE-2016-2183])

   *Rich Salz*

 * OOB write in MDC2_Update()

   An overflow can occur in MDC2_Update() either if called directly or
   through the EVP_DigestUpdate() function using MDC2. If an attacker
   is able to supply very large amounts of input data after a previous
   call to EVP_EncryptUpdate() with a partial block then a length check
   can overflow resulting in a heap corruption.

   The amount of data needed is comparable to SIZE_MAX which is impractical
   on most platforms.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6303])

   *Stephen Henson*

 * Malformed SHA512 ticket DoS

   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
   DoS attack where a malformed ticket will result in an OOB read which will
   ultimately crash.

   The use of SHA512 in TLS session tickets is comparatively rare as it requires
   a custom server callback and ticket lookup mechanism.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6302])

   *Stephen Henson*

 * OOB write in BN_bn2dec()

   The function BN_bn2dec() does not check the return value of BN_div_word().
   This can cause an OOB write if an application uses this function with an
   overly large BIGNUM. This could be a problem if an overly large certificate
   or CRL is printed out from an untrusted source. TLS is not affected because
   record limits will reject an oversized certificate before it is parsed.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2182])

   *Stephen Henson*

 * OOB read in TS_OBJ_print_bio()

   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
   the total length the OID text representation would use and not the amount
   of data written. This will result in OOB reads when large OIDs are
   presented.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2180])

   *Stephen Henson*

 * Pointer arithmetic undefined behaviour

   Avoid some undefined pointer arithmetic

   A common idiom in the codebase is to check limits in the following manner:
   "p + len > limit"

   Where "p" points to some malloc'd data of SIZE bytes and
   limit == p + SIZE

   "len" here could be from some externally supplied data (e.g. from a TLS
   message).

   The rules of C pointer arithmetic are such that "p + len" is only well
   defined where len <= SIZE. Therefore the above idiom is actually
   undefined behaviour.

   For example this could cause problems if some malloc implementation
   provides an address for "p" such that "p + len" actually overflows for
   values of len that are too big and therefore p + len < limit.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2016-2177])

   *Matt Caswell*

 * Constant time flag not preserved in DSA signing

   Operations in the DSA signing algorithm should run in constant time in
   order to avoid side channel attacks. A flaw in the OpenSSL DSA
   implementation means that a non-constant time codepath is followed for
   certain operations. This has been demonstrated through a cache-timing
   attack to be sufficient for an attacker to recover the private DSA key.
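   The `p + len > limit` idiom discussed under "Pointer arithmetic undefined
   behaviour" above, shown as an added example that is not OpenSSL code: the
   undefined form beside a length comparison that never forms an out-of-range
   pointer, applied to a hypothetical 2-byte length-prefixed field parser. All
   function names and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The idiom from the entry: "p + len > limit". Forming p + len is only
 * defined while len <= SIZE, so for an oversized, externally supplied len
 * this is undefined behaviour, and on real hardware the addition can wrap
 * so that p + len < limit and the check passes. Kept for contrast only;
 * nothing here calls it. */
int limit_check_unsafe(const unsigned char *p, size_t len,
                       const unsigned char *limit)
{
    return p + len > limit ? 0 : 1;   /* UNSAFE: may form a wild pointer */
}

/* Well-defined replacement: compare lengths, not pointers. limit - p is
 * defined because both point into the same allocation, and the comparison
 * is between size_t values, so it cannot wrap. */
static int limit_check_safe(const unsigned char *p, size_t len,
                            const unsigned char *limit)
{
    if (p > limit)
        return 0;                     /* caller bug: p already past the end */
    return len <= (size_t)(limit - p);
}

/* Parse one hypothetical length-prefixed field (2-byte big-endian length,
 * then that many body bytes) from [p, limit). Returns the body length, or
 * -1 if the externally supplied length would overrun the buffer. */
static long parse_field(const unsigned char *p, const unsigned char *limit,
                        const unsigned char **body)
{
    size_t len;

    if (!limit_check_safe(p, 2, limit))
        return -1;                    /* no room for the length prefix */
    len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (!limit_check_safe(p, len, limit))
        return -1;                    /* body claims more than remains */
    *body = p;
    return (long)len;
}

/* Constructed sample input: one well-formed field and one whose length
 * prefix claims 65535 bytes inside a 5-byte buffer. */
static const unsigned char good_record[] = { 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char bad_record[]  = { 0xff, 0xff, 'a', 'b', 'c' };

static long demo_parse_good(void)
{
    const unsigned char *body;
    return parse_field(good_record, good_record + sizeof good_record, &body);
}

static long demo_parse_bad(void)
{
    const unsigned char *body;
    return parse_field(bad_record, bad_record + sizeof bad_record, &body);
}

int main(void)
{
    printf("good record body length: %ld\n", demo_parse_good());   /* 3 */
    printf("bad record result: %ld\n", demo_parse_bad());          /* -1 */
    return 0;
}
```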
   This issue was reported by César Pereida (Aalto University), Billy Brumley
   (Tampere University of Technology), and Yuval Yarom (The University of
   Adelaide and NICTA).
   ([CVE-2016-2178])

   *César Pereida*

 * DTLS buffered message DoS

   In a DTLS connection where handshake messages are delivered out-of-order
   those messages that OpenSSL is not yet ready to process will be buffered
   for later use. Under certain circumstances, a flaw in the logic means that
   those messages do not get removed from the buffer even though the handshake
   has been completed. An attacker could force up to approx. 15 messages to
   remain in the buffer when they are no longer required. These messages will
   be cleared when the DTLS connection is closed. The default maximum size for
   a message is 100k. Therefore, the attacker could force an additional 1500k
   to be consumed per connection. By opening many simultaneous connections an
   attacker could cause a DoS attack through memory exhaustion.

   This issue was reported to OpenSSL by Quan Luo.
   ([CVE-2016-2179])

   *Matt Caswell*

 * DTLS replay protection DoS

   A flaw in the DTLS replay attack protection mechanism means that records
   that arrive for future epochs update the replay protection "window" before
   the MAC for the record has been validated. This could be exploited by an
   attacker by sending a record for the next epoch (which does not have to
   decrypt or have a valid MAC), with a very large sequence number. This means
   that all subsequent legitimate packets are dropped causing a denial of
   service for a specific DTLS connection.

   This issue was reported to OpenSSL by the OCAP audit team.
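   An added example of the ordering problem this entry describes (not OpenSSL
   code): a 64-record sliding anti-replay window in the RFC 6347 style, with
   the window advanced before the MAC check beside the corrected order, fed
   the same constructed traffic. It tracks sequence numbers within a single
   epoch only; the record struct, function names and traffic are assumptions
   made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 64

/* Sliding anti-replay window: bit i of `bits` is set when record (top - i)
 * has already been accepted. Nothing has been accepted while `any` is 0. */
struct replay_window {
    uint64_t top;
    uint64_t bits;
    int any;
};

/* Pure query, no side effects: 1 if seq is acceptable, 0 if it is a replay
 * or older than the window. */
static int replay_check(const struct replay_window *w, uint64_t seq)
{
    if (!w->any || seq > w->top)
        return 1;
    if (w->top - seq >= WINDOW_BITS)
        return 0;
    return ((w->bits >> (w->top - seq)) & 1u) == 0;
}

/* Advance the window. Must only be called once the record's MAC verified. */
static void replay_update(struct replay_window *w, uint64_t seq)
{
    if (!w->any || seq > w->top) {
        uint64_t shift = w->any ? seq - w->top : 0;
        w->bits = shift >= WINDOW_BITS ? 0 : w->bits << shift;
        w->bits |= 1u;
        w->top = seq;
        w->any = 1;
    } else if (w->top - seq < WINDOW_BITS) {
        w->bits |= (uint64_t)1 << (w->top - seq);
    }
}

/* Constructed record: sequence number and whether its MAC verifies. */
struct record { uint64_t seq; int mac_ok; };

/* Ordering described in the entry: the window is advanced before MAC
 * validation, so a forged record with a huge sequence number slides the
 * window past every legitimate record that follows. */
static int process_before_fix(struct replay_window *w, const struct record *r)
{
    if (!replay_check(w, r->seq))
        return 0;
    replay_update(w, r->seq);   /* BUG: unauthenticated record moves window */
    return r->mac_ok;
}

/* Fixed ordering: check, authenticate, then update. */
static int process_after_fix(struct replay_window *w, const struct record *r)
{
    if (!replay_check(w, r->seq) || !r->mac_ok)
        return 0;
    replay_update(w, r->seq);
    return 1;
}

/* Push the same constructed traffic through one processing order and
 * return how many records were accepted (only authentic ones can be). */
static int run_scenario(int (*process)(struct replay_window *,
                                       const struct record *))
{
    static const struct record traffic[] = {
        { 1, 1 }, { 2, 1 },
        { UINT64_C(1) << 47, 0 },     /* forged: very large seq, bad MAC */
        { 3, 1 }, { 4, 1 }, { 5, 1 }, /* legitimate records that follow */
    };
    struct replay_window w = { 0, 0, 0 };
    int accepted = 0;
    size_t i;

    for (i = 0; i < sizeof traffic / sizeof traffic[0]; i++)
        if (process(&w, &traffic[i]))
            accepted++;
    return accepted;
}

/* Genuine duplicates are still rejected with the corrected order. */
static int duplicate_rejected_after_fix(void)
{
    struct replay_window w = { 0, 0, 0 };
    struct record r = { 7, 1 };
    int first = process_after_fix(&w, &r);
    int second = process_after_fix(&w, &r);
    return first == 1 && second == 0;
}

int main(void)
{
    printf("accepted before fix: %d\n", run_scenario(process_before_fix)); /* 2 */
    printf("accepted after fix:  %d\n", run_scenario(process_after_fix));  /* 5 */
    return 0;
}
```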
   ([CVE-2016-2181])

   *Matt Caswell*

 * Certificate message OOB reads

   In OpenSSL 1.0.2 and earlier some missing message length checks can result
   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
   theoretical DoS risk but this has not been observed in practice on common
   platforms.

   The messages affected are client certificate, client certificate request
   and server certificate. As a result the attack can only be performed
   against a client or a server which enables client authentication.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6306])

   *Stephen Henson*

### Changes between 1.0.2g and 1.0.2h [3 May 2016]

 * Prevent padding oracle in AES-NI CBC MAC check

   A MITM attacker can use a padding oracle attack to decrypt traffic
   when the connection uses an AES CBC cipher and the server supports
   AES-NI.

   This issue was introduced as part of the fix for Lucky 13 padding
   attack ([CVE-2013-0169]). The padding check was rewritten to be in
   constant time by making sure that always the same bytes are read and
   compared against either the MAC or padding bytes. But it no longer
   checked that there was enough data to have both the MAC and padding
   bytes.

   This issue was reported by Juraj Somorovsky using TLS-Attacker.

   *Kurt Roeckx*

 * Fix EVP_EncodeUpdate overflow

   An overflow can occur in the EVP_EncodeUpdate() function which is used for
   Base64 encoding of binary data. If an attacker is able to supply very large
   amounts of input data then a length check can overflow resulting in a heap
   corruption.

   Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
   the `PEM_write_bio*` family of functions. These are mainly used within the
   OpenSSL command line applications, so any application which processes data
   from an untrusted source and outputs it as a PEM file should be considered
   vulnerable to this issue. User applications that call these APIs directly
   with large amounts of untrusted data may also be vulnerable.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2105])

   *Matt Caswell*

 * Fix EVP_EncryptUpdate overflow

   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
   is able to supply very large amounts of input data after a previous call to
   EVP_EncryptUpdate() with a partial block then a length check can overflow
   resulting in a heap corruption. Following an analysis of all OpenSSL
   internal usage of the EVP_EncryptUpdate() function all usage is one of two
   forms. The first form is where the EVP_EncryptUpdate() call is known to be
   the first called function after an EVP_EncryptInit(), and therefore that
   specific call must be safe. The second form is where the length passed to
   EVP_EncryptUpdate() can be seen from the code to be some small value and
   therefore there is no possibility of an overflow. Since all instances are
   one of these two forms, it is believed that there can be no overflows in
   internal code due to this problem. It should be noted that
   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
   of these calls have also been analysed and it is believed there are no
   instances in internal usage where an overflow could occur.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2106])

   *Matt Caswell*

 * Prevent ASN.1 BIO excessive memory allocation

   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
   a short invalid encoding can cause allocation of large amounts of memory
   potentially consuming excessive resources or exhausting memory.

   Any application parsing untrusted data through d2i BIO functions is
   affected. The memory based functions such as d2i_X509() are *not* affected.
   Since the memory based functions are used by the TLS library, TLS
   applications are not affected.

   This issue was reported by Brian Carpenter.
   ([CVE-2016-2109])

   *Stephen Henson*

 * EBCDIC overread

   ASN1 Strings that are over 1024 bytes can cause an overread in applications
   using the X509_NAME_oneline() function on EBCDIC systems. This could result
   in arbitrary stack data being returned in the buffer.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2176])

   *Matt Caswell*

 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.

   *Todd Short*

 * Remove LOW from the DEFAULT cipher list. This removes single DES from the
   default.

   *Kurt Roeckx*

 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
   methods are enabled and ssl2 is disabled the methods return NULL.

   *Kurt Roeckx*

### Changes between 1.0.2f and 1.0.2g [1 Mar 2016]

 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
   Builds that are not configured with "enable-weak-ssl-ciphers" will not
   provide any "EXPORT" or "LOW" strength ciphers.

   *Viktor Dukhovni*

 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
   is by default disabled at build-time.
Builds that are not configured with 7338 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, 7339 users who want to negotiate SSLv2 via the version-flexible SSLv23_method() 7340 will need to explicitly call either of: 7341 7342 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); 7343 or 7344 SSL_clear_options(ssl, SSL_OP_NO_SSLv2); 7345 7346 as appropriate. Even if either of those is used, or the application 7347 explicitly uses the version-specific SSLv2_method() or its client and 7348 server variants, SSLv2 ciphers vulnerable to exhaustive search key 7349 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT 7350 ciphers, and SSLv2 56-bit DES are no longer available. 7351 ([CVE-2016-0800]) 7352 7353 *Viktor Dukhovni* 7354 7355 * Fix a double-free in DSA code 7356 7357 A double free bug was discovered when OpenSSL parses malformed DSA private 7358 keys and could lead to a DoS attack or memory corruption for applications 7359 that receive DSA private keys from untrusted sources. This scenario is 7360 considered rare. 7361 7362 This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using 7363 libFuzzer. 7364 ([CVE-2016-0705]) 7365 7366 *Stephen Henson* 7367 7368 * Disable SRP fake user seed to address a server memory leak. 7369 7370 Add a new method SRP_VBASE_get1_by_user that handles the seed properly. 7371 7372 SRP_VBASE_get_by_user had inconsistent memory management behaviour. 7373 In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user 7374 was changed to ignore the "fake user" SRP seed, even if the seed 7375 is configured. 7376 7377 Users should use SRP_VBASE_get1_by_user instead. Note that in 7378 SRP_VBASE_get1_by_user, caller must free the returned value. 
Note 7379 also that even though configuring the SRP seed attempts to hide 7380 invalid usernames by continuing the handshake with fake 7381 credentials, this behaviour is not constant time and no strong 7382 guarantees are made that the handshake is indistinguishable from 7383 that of a valid user. 7384 ([CVE-2016-0798]) 7385 7386 *Emilia Käsper* 7387 7388 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption 7389 7390 In the BN_hex2bn function the number of hex digits is calculated using an 7391 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For 7392 large values of `i` this can result in `bn_expand` not allocating any 7393 memory because `i * 4` is negative. This can leave the internal BIGNUM data 7394 field as NULL leading to a subsequent NULL ptr deref. For very large values 7395 of `i`, the calculation `i * 4` could be a positive value smaller than `i`. 7396 In this case memory is allocated to the internal BIGNUM data field, but it 7397 is insufficiently sized leading to heap corruption. A similar issue exists 7398 in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn 7399 is ever called by user applications with very large untrusted hex/dec data. 7400 This is anticipated to be a rare occurrence. 7401 7402 All OpenSSL internal usage of these functions use data that is not expected 7403 to be untrusted, e.g. config file data or application command line 7404 arguments. If user developed applications generate config file data based 7405 on untrusted data then it is possible that this could also lead to security 7406 consequences. This is also anticipated to be rare. 7407 7408 This issue was reported to OpenSSL by Guido Vranken. 
7409 ([CVE-2016-0797]) 7410 7411 *Matt Caswell* 7412 7413 * Fix memory issues in `BIO_*printf` functions 7414 7415 The internal `fmtstr` function used in processing a "%s" format string in 7416 the `BIO_*printf` functions could overflow while calculating the length of a 7417 string and cause an OOB read when printing very long strings. 7418 7419 Additionally the internal `doapr_outch` function can attempt to write to an 7420 OOB memory location (at an offset from the NULL pointer) in the event of a 7421 memory allocation failure. In 1.0.2 and below this could be caused where 7422 the size of a buffer to be allocated is greater than INT_MAX. E.g. this 7423 could be in processing a very long "%s" format string. Memory leaks can 7424 also occur. 7425 7426 The first issue may mask the second issue dependent on compiler behaviour. 7427 These problems could enable attacks where large amounts of untrusted data 7428 is passed to the `BIO_*printf` functions. If applications use these functions 7429 in this way then they could be vulnerable. OpenSSL itself uses these 7430 functions when printing out human-readable dumps of ASN.1 data. Therefore 7431 applications that print this data could be vulnerable if the data is from 7432 untrusted sources. OpenSSL command line applications could also be 7433 vulnerable where they print out ASN.1 data, or if untrusted data is passed 7434 as command line arguments. 7435 7436 Libssl is not considered directly vulnerable. Additionally certificates etc 7437 received via remote connections via libssl are also unlikely to be able to 7438 trigger these issues because of message size limits enforced within libssl. 7439 7440 This issue was reported to OpenSSL Guido Vranken. 
7441 ([CVE-2016-0799]) 7442 7443 *Matt Caswell* 7444 7445 * Side channel attack on modular exponentiation 7446 7447 A side-channel attack was found which makes use of cache-bank conflicts on 7448 the Intel Sandy-Bridge microarchitecture which could lead to the recovery 7449 of RSA keys. The ability to exploit this issue is limited as it relies on 7450 an attacker who has control of code in a thread running on the same 7451 hyper-threaded core as the victim thread which is performing decryptions. 7452 7453 This issue was reported to OpenSSL by Yuval Yarom, The University of 7454 Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and 7455 Nadia Heninger, University of Pennsylvania with more information at 7456 <http://cachebleed.info>. 7457 ([CVE-2016-0702]) 7458 7459 *Andy Polyakov* 7460 7461 * Change the `req` command to generate a 2048-bit RSA/DSA key by default, 7462 if no keysize is specified with default_bits. This fixes an 7463 omission in an earlier change that changed all RSA/DSA key generation 7464 commands to use 2048 bits by default. 7465 7466 *Emilia Käsper* 7467 7468### Changes between 1.0.2e and 1.0.2f [28 Jan 2016] 7469 7470 * DH small subgroups 7471 7472 Historically OpenSSL only ever generated DH parameters based on "safe" 7473 primes. More recently (in version 1.0.2) support was provided for 7474 generating X9.42 style parameter files such as those required for RFC 5114 7475 support. The primes used in such files may not be "safe". Where an 7476 application is using DH configured with parameters based on primes that are 7477 not "safe" then an attacker could use this fact to find a peer's private 7478 DH exponent. This attack requires that the attacker complete multiple 7479 handshakes in which the peer uses the same private DH exponent. For example 7480 this could be used to discover a TLS server's private DH exponent if it's 7481 reusing the private DH exponent or it's using a static DH ciphersuite. 
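   The attack described above, worked through on toy numbers as an added
   illustration (this is not OpenSSL code). The script builds X9.42-style
   parameters whose p-1 has the small factors 7, 11 and 13 besides q, then
   plays the attacker against a peer that reuses its private exponent and
   performs no subgroup check: a bogus public value of small order r makes the
   peer's shared secret depend only on the exponent modulo r, so r trials
   against an observable key confirmation (a stand-in for the Finished MAC)
   recover that residue, and the Chinese remainder theorem combines the
   residues from several handshakes. The last check is what a q-based test
   amounts to: require 1 < y < p-1 and y^q = 1 (mod p), which accepts the
   honest key and rejects every small-order value. The parameter sizes, the
   factor set, the key-confirmation tag and the `run_demo` harness are all
   constructed for this example.

```python
"""Small-subgroup confinement against DH over a non-"safe" prime.

Added example, not OpenSSL code. The parameters, the small factors of p-1,
the key-confirmation tag and the handshake "oracle" are constructed here so
the script runs offline.
"""
import hashlib
import random
from functools import reduce

# Constructed choice: p-1 will contain these small prime factors besides 2 and q.
SMALL_FACTORS = (7, 11, 13)


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def make_unsafe_params(q: int = 10007):
    """Return (p, q, g): p prime with p-1 = 2*q*7*11*13*m, g of order q.

    A "safe" prime has p = 2q+1, so the only subgroups have order 1, 2, q, 2q.
    X9.42-style parameters only promise q | p-1, leaving room for the small
    subgroups exploited below.
    """
    assert is_prime(q)
    cofactor = 2 * reduce(lambda a, b: a * b, SMALL_FACTORS, 1)
    m = 1
    while not is_prime(q * cofactor * m + 1):
        m += 1
    p = q * cofactor * m + 1
    g = next(y for y in (pow(x, (p - 1) // q, p) for x in range(2, p)) if y != 1)
    return p, q, g


def element_of_order(p: int, r: int) -> int:
    """A group element of prime order r (requires r | p-1)."""
    return next(y for y in (pow(x, (p - 1) // r, p) for x in range(2, p)) if y != 1)


def key_confirmation(shared_secret: int, p: int) -> bytes:
    """Stand-in for key-dependent data the peer exposes (e.g. a Finished MAC)."""
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(b"finished|" + shared_secret.to_bytes(size, "big")).digest()


def peer_pubkey_is_valid(p: int, q: int, y: int) -> bool:
    """The check q makes possible: y must lie in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def crt(residues: dict) -> tuple:
    """Combine {modulus: residue} for pairwise coprime moduli into (x mod M, M)."""
    big_m = reduce(lambda a, b: a * b, residues, 1)
    x = 0
    for r, a in residues.items():
        m_i = big_m // r
        x += a * m_i * pow(m_i, -1, r)
    return x % big_m, big_m


def recover_private_residues(p: int, handshake) -> tuple:
    """Attacker: one handshake per small factor, then at most r guesses each."""
    residues = {}
    for r in SMALL_FACTORS:
        y = element_of_order(p, r)      # bogus "public key" of order r
        tag = handshake(y)              # victim computes y^a and confirms the key
        for j in range(r):              # y^a == y^(a mod r): only r candidates
            if key_confirmation(pow(y, j, p), p) == tag:
                residues[r] = j
                break
    return crt(residues)


def run_demo(seed: int = 7) -> dict:
    """Unpatched victim leaks priv mod 1001; the subgroup check stops the bogus keys."""
    p, q, g = make_unsafe_params()
    priv = random.Random(seed).randrange(1, q)   # victim's reused private exponent
    honest_pub = pow(g, priv, p)

    def unpatched_handshake(peer_pub: int) -> bytes:
        # No subgroup check: any value is accepted and the same exponent is reused.
        return key_confirmation(pow(peer_pub, priv, p), p)

    leaked, modulus = recover_private_residues(p, unpatched_handshake)
    bogus = [element_of_order(p, r) for r in SMALL_FACTORS]
    return {
        "modulus": modulus,
        "leak_matches": leaked == priv % modulus,
        "honest_accepted": peer_pubkey_is_valid(p, q, honest_pub),
        "bogus_rejected": all(not peer_pubkey_is_valid(p, q, y) for y in bogus),
    }


if __name__ == "__main__":
    print(run_demo())
```

   With real 2048-bit parameters only the sizes change; the attacker's loops
   stay bounded by the small factors of p-1, not by q, which is why reusing
   the exponent across handshakes is what makes the leak accumulate.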
7482 7483 OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in 7484 TLS. It is not on by default. If the option is not set then the server 7485 reuses the same private DH exponent for the life of the server process and 7486 would be vulnerable to this attack. It is believed that many popular 7487 applications do set this option and would therefore not be at risk. 7488 7489 The fix for this issue adds an additional check where a "q" parameter is 7490 available (as is the case in X9.42 based parameters). This detects the 7491 only known attack, and is the only possible defense for static DH 7492 ciphersuites. This could have some performance impact. 7493 7494 Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by 7495 default and cannot be disabled. This could have some performance impact. 7496 7497 This issue was reported to OpenSSL by Antonio Sanso (Adobe). 7498 ([CVE-2016-0701]) 7499 7500 *Matt Caswell* 7501 7502 * SSLv2 doesn't block disabled ciphers 7503 7504 A malicious client can negotiate SSLv2 ciphers that have been disabled on 7505 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have 7506 been disabled, provided that the SSLv2 protocol was not also disabled via 7507 SSL_OP_NO_SSLv2. 7508 7509 This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram 7510 and Sebastian Schinzel. 7511 ([CVE-2015-3197]) 7512 7513 *Viktor Dukhovni* 7514 7515### Changes between 1.0.2d and 1.0.2e [3 Dec 2015] 7516 7517 * BN_mod_exp may produce incorrect results on x86_64 7518 7519 There is a carry propagating bug in the x86_64 Montgomery squaring 7520 procedure. No EC algorithms are affected. Analysis suggests that attacks 7521 against RSA and DSA as a result of this defect would be very difficult to 7522 perform and are not believed likely. 
Attacks against DH are considered just 7523 feasible (although very difficult) because most of the work necessary to 7524 deduce information about a private key may be performed offline. The amount 7525 of resources required for such an attack would be very significant and 7526 likely only accessible to a limited number of attackers. An attacker would 7527 additionally need online access to an unpatched system using the target 7528 private key in a scenario with persistent DH parameters and a private 7529 key that is shared between multiple clients. For example this can occur by 7530 default in OpenSSL DHE based SSL/TLS ciphersuites. 7531 7532 This issue was reported to OpenSSL by Hanno Böck. 7533 ([CVE-2015-3193]) 7534 7535 *Andy Polyakov* 7536 7537 * Certificate verify crash with missing PSS parameter 7538 7539 The signature verification routines will crash with a NULL pointer 7540 dereference if presented with an ASN.1 signature using the RSA PSS 7541 algorithm and absent mask generation function parameter. Since these 7542 routines are used to verify certificate signature algorithms this can be 7543 used to crash any certificate verification operation and exploited in a 7544 DoS attack. Any application which performs certificate verification is 7545 vulnerable including OpenSSL clients and servers which enable client 7546 authentication. 7547 7548 This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). 7549 ([CVE-2015-3194]) 7550 7551 *Stephen Henson* 7552 7553 * X509_ATTRIBUTE memory leak 7554 7555 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak 7556 memory. This structure is used by the PKCS#7 and CMS routines so any 7557 application which reads PKCS#7 or CMS data from untrusted sources is 7558 affected. SSL/TLS is not affected. 7559 7560 This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using 7561 libFuzzer. 
7562 ([CVE-2015-3195]) 7563 7564 *Stephen Henson* 7565 7566 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. 7567 This changes the decoding behaviour for some invalid messages, 7568 though the change is mostly in the more lenient direction, and 7569 legacy behaviour is preserved as much as possible. 7570 7571 *Emilia Käsper* 7572 7573 * In DSA_generate_parameters_ex, if the provided seed is too short, 7574 return an error 7575 7576 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>* 7577 7578### Changes between 1.0.2c and 1.0.2d [9 Jul 2015] 7579 7580 * Alternate chains certificate forgery 7581 7582 During certificate verification, OpenSSL will attempt to find an 7583 alternative certificate chain if the first attempt to build such a chain 7584 fails. An error in the implementation of this logic can mean that an 7585 attacker could cause certain checks on untrusted certificates to be 7586 bypassed, such as the CA flag, enabling them to use a valid leaf 7587 certificate to act as a CA and "issue" an invalid certificate. 7588 7589 This issue was reported to OpenSSL by Adam Langley/David Benjamin 7590 (Google/BoringSSL). 7591 7592 *Matt Caswell* 7593 7594### Changes between 1.0.2b and 1.0.2c [12 Jun 2015] 7595 7596 * Fix HMAC ABI incompatibility. The previous version introduced an ABI 7597 incompatibility in the handling of HMAC. The previous ABI has now been 7598 restored. 7599 7600 *Matt Caswell* 7601 7602### Changes between 1.0.2a and 1.0.2b [11 Jun 2015] 7603 7604 * Malformed ECParameters causes infinite loop 7605 7606 When processing an ECParameters structure OpenSSL enters an infinite loop 7607 if the curve specified is over a specially malformed binary polynomial 7608 field. 7609 7610 This can be used to perform denial of service against any 7611 system which processes public keys, certificate requests or 7612 certificates. This includes TLS clients and TLS servers with 7613 client authentication enabled. 
7614 7615 This issue was reported to OpenSSL by Joseph Barr-Pixton. 7616 ([CVE-2015-1788]) 7617 7618 *Andy Polyakov* 7619 7620 * Exploitable out-of-bounds read in X509_cmp_time 7621 7622 X509_cmp_time does not properly check the length of the ASN1_TIME 7623 string and can read a few bytes out of bounds. In addition, 7624 X509_cmp_time accepts an arbitrary number of fractional seconds in the 7625 time string. 7626 7627 An attacker can use this to craft malformed certificates and CRLs of 7628 various sizes and potentially cause a segmentation fault, resulting in 7629 a DoS on applications that verify certificates or CRLs. TLS clients 7630 that verify CRLs are affected. TLS clients and servers with client 7631 authentication enabled may be affected if they use custom verification 7632 callbacks. 7633 7634 This issue was reported to OpenSSL by Robert Swiecki (Google), and 7635 independently by Hanno Böck. 7636 ([CVE-2015-1789]) 7637 7638 *Emilia Käsper* 7639 7640 * PKCS7 crash with missing EnvelopedContent 7641 7642 The PKCS#7 parsing code does not handle missing inner EncryptedContent 7643 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs 7644 with missing content and trigger a NULL pointer dereference on parsing. 7645 7646 Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 7647 structures from untrusted sources are affected. OpenSSL clients and 7648 servers are not affected. 7649 7650 This issue was reported to OpenSSL by Michal Zalewski (Google). 7651 ([CVE-2015-1790]) 7652 7653 *Emilia Käsper* 7654 7655 * CMS verify infinite loop with unknown hash function 7656 7657 When verifying a signedData message the CMS code can enter an infinite loop 7658 if presented with an unknown hash function OID. This can be used to perform 7659 denial of service against any system which verifies signedData messages using 7660 the CMS code. 7661 This issue was reported to OpenSSL by Johannes Bauer. 
7662 ([CVE-2015-1792]) 7663 7664 *Stephen Henson* 7665 7666 * Race condition handling NewSessionTicket 7667 7668 If a NewSessionTicket is received by a multi-threaded client when attempting to 7669 reuse a previous ticket then a race condition can occur potentially leading to 7670 a double free of the ticket data. 7671 ([CVE-2015-1791]) 7672 7673 *Matt Caswell* 7674 7675 * Only support 256-bit or stronger elliptic curves with the 7676 'ecdh_auto' setting (server) or by default (client). Of supported 7677 curves, prefer P-256 (both). 7678 7679 *Emilia Kasper* 7680 7681### Changes between 1.0.2 and 1.0.2a [19 Mar 2015] 7682 7683 * ClientHello sigalgs DoS fix 7684 7685 If a client connects to an OpenSSL 1.0.2 server and renegotiates with an 7686 invalid signature algorithms extension a NULL pointer dereference will 7687 occur. This can be exploited in a DoS attack against the server. 7688 7689 This issue was was reported to OpenSSL by David Ramos of Stanford 7690 University. 7691 ([CVE-2015-0291]) 7692 7693 *Stephen Henson and Matt Caswell* 7694 7695 * Multiblock corrupted pointer fix 7696 7697 OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This 7698 feature only applies on 64 bit x86 architecture platforms that support AES 7699 NI instructions. A defect in the implementation of "multiblock" can cause 7700 OpenSSL's internal write buffer to become incorrectly set to NULL when 7701 using non-blocking IO. Typically, when the user application is using a 7702 socket BIO for writing, this will only result in a failed connection. 7703 However if some other BIO is used then it is likely that a segmentation 7704 fault will be triggered, thus enabling a potential DoS attack. 7705 7706 This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller. 
7707 ([CVE-2015-0290]) 7708 7709 *Matt Caswell* 7710 7711 * Segmentation fault in DTLSv1_listen fix 7712 7713 The DTLSv1_listen function is intended to be stateless and processes the 7714 initial ClientHello from many peers. It is common for user code to loop 7715 over the call to DTLSv1_listen until a valid ClientHello is received with 7716 an associated cookie. A defect in the implementation of DTLSv1_listen means 7717 that state is preserved in the SSL object from one invocation to the next 7718 that can lead to a segmentation fault. Errors processing the initial 7719 ClientHello can trigger this scenario. An example of such an error could be 7720 that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only 7721 server. 7722 7723 This issue was reported to OpenSSL by Per Allansson. 7724 ([CVE-2015-0207]) 7725 7726 *Matt Caswell* 7727 7728 * Segmentation fault in ASN1_TYPE_cmp fix 7729 7730 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is 7731 made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check 7732 certificate signature algorithm consistency this can be used to crash any 7733 certificate verification operation and exploited in a DoS attack. Any 7734 application which performs certificate verification is vulnerable including 7735 OpenSSL clients and servers which enable client authentication. 7736 ([CVE-2015-0286]) 7737 7738 *Stephen Henson* 7739 7740 * Segmentation fault for invalid PSS parameters fix 7741 7742 The signature verification routines will crash with a NULL pointer 7743 dereference if presented with an ASN.1 signature using the RSA PSS 7744 algorithm and invalid parameters. Since these routines are used to verify 7745 certificate signature algorithms this can be used to crash any 7746 certificate verification operation and exploited in a DoS attack. 
Any 7747 application which performs certificate verification is vulnerable including 7748 OpenSSL clients and servers which enable client authentication. 7749 7750 This issue was was reported to OpenSSL by Brian Carpenter. 7751 ([CVE-2015-0208]) 7752 7753 *Stephen Henson* 7754 7755 * ASN.1 structure reuse memory corruption fix 7756 7757 Reusing a structure in ASN.1 parsing may allow an attacker to cause 7758 memory corruption via an invalid write. Such reuse is and has been 7759 strongly discouraged and is believed to be rare. 7760 7761 Applications that parse structures containing CHOICE or ANY DEFINED BY 7762 components may be affected. Certificate parsing (d2i_X509 and related 7763 functions) are however not affected. OpenSSL clients and servers are 7764 not affected. 7765 ([CVE-2015-0287]) 7766 7767 *Stephen Henson* 7768 7769 * PKCS7 NULL pointer dereferences fix 7770 7771 The PKCS#7 parsing code does not handle missing outer ContentInfo 7772 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with 7773 missing content and trigger a NULL pointer dereference on parsing. 7774 7775 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or 7776 otherwise parse PKCS#7 structures from untrusted sources are 7777 affected. OpenSSL clients and servers are not affected. 7778 7779 This issue was reported to OpenSSL by Michal Zalewski (Google). 7780 ([CVE-2015-0289]) 7781 7782 *Emilia Käsper* 7783 7784 * DoS via reachable assert in SSLv2 servers fix 7785 7786 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in 7787 servers that both support SSLv2 and enable export cipher suites by sending 7788 a specially crafted SSLv2 CLIENT-MASTER-KEY message. 7789 7790 This issue was discovered by Sean Burford (Google) and Emilia Käsper 7791 (OpenSSL development team). 
7792 ([CVE-2015-0293]) 7793 7794 *Emilia Käsper* 7795 7796 * Empty CKE with client auth and DHE fix 7797 7798 If client auth is used then a server can seg fault in the event of a DHE 7799 ciphersuite being selected and a zero length ClientKeyExchange message 7800 being sent by the client. This could be exploited in a DoS attack. 7801 ([CVE-2015-1787]) 7802 7803 *Matt Caswell* 7804 7805 * Handshake with unseeded PRNG fix 7806 7807 Under certain conditions an OpenSSL 1.0.2 client can complete a handshake 7808 with an unseeded PRNG. The conditions are: 7809 - The client is on a platform where the PRNG has not been seeded 7810 automatically, and the user has not seeded manually 7811 - A protocol specific client method version has been used (i.e. not 7812 SSL_client_methodv23) 7813 - A ciphersuite is used that does not require additional random data from 7814 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA). 7815 7816 If the handshake succeeds then the client random that has been used will 7817 have been generated from a PRNG with insufficient entropy and therefore the 7818 output may be predictable. 7819 7820 For example using the following command with an unseeded openssl will 7821 succeed on an unpatched platform: 7822 7823 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA 7824 ([CVE-2015-0285]) 7825 7826 *Matt Caswell* 7827 7828 * Use After Free following d2i_ECPrivatekey error fix 7829 7830 A malformed EC private key file consumed via the d2i_ECPrivateKey function 7831 could cause a use after free condition. This, in turn, could cause a double 7832 free in several private key parsing functions (such as d2i_PrivateKey 7833 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption 7834 for applications that receive EC private keys from untrusted 7835 sources. This scenario is considered rare. 7836 7837 This issue was discovered by the BoringSSL project and fixed in their 7838 commit 517073cd4b. 
7839 ([CVE-2015-0209]) 7840 7841 *Matt Caswell* 7842 7843 * X509_to_X509_REQ NULL pointer deref fix 7844 7845 The function X509_to_X509_REQ will crash with a NULL pointer dereference if 7846 the certificate key is invalid. This function is rarely used in practice. 7847 7848 This issue was discovered by Brian Carpenter. 7849 ([CVE-2015-0288]) 7850 7851 *Stephen Henson* 7852 7853 * Removed the export ciphers from the DEFAULT ciphers 7854 7855 *Kurt Roeckx* 7856 7857### Changes between 1.0.1l and 1.0.2 [22 Jan 2015] 7858 7859 * Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. 7860 ARMv5 through ARMv8, as opposite to "locking" it to single one. 7861 So far those who have to target multiple platforms would compromise 7862 and argue that binary targeting say ARMv5 would still execute on 7863 ARMv8. "Universal" build resolves this compromise by providing 7864 near-optimal performance even on newer platforms. 7865 7866 *Andy Polyakov* 7867 7868 * Accelerated NIST P-256 elliptic curve implementation for x86_64 7869 (other platforms pending). 7870 7871 *Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov* 7872 7873 * Add support for the SignedCertificateTimestampList certificate and 7874 OCSP response extensions from RFC6962. 7875 7876 *Rob Stradling* 7877 7878 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) 7879 for corner cases. (Certain input points at infinity could lead to 7880 bogus results, with non-infinity inputs mapped to infinity too.) 7881 7882 *Bodo Moeller* 7883 7884 * Initial support for PowerISA 2.0.7, first implemented in POWER8. 7885 This covers AES, SHA256/512 and GHASH. "Initial" means that most 7886 common cases are optimized and there still is room for further 7887 improvements. Vector Permutation AES for Altivec is also added. 7888 7889 *Andy Polyakov* 7890 7891 * Add support for little-endian ppc64 Linux target. 7892 7893 *Marcelo Cerri (IBM)* 7894 7895 * Initial support for AMRv8 ISA crypto extensions. 
This covers AES, 7896 SHA1, SHA256 and GHASH. "Initial" means that most common cases 7897 are optimized and there still is room for further improvements. 7898 Both 32- and 64-bit modes are supported. 7899 7900 *Andy Polyakov, Ard Biesheuvel (Linaro)* 7901 7902 * Improved ARMv7 NEON support. 7903 7904 *Andy Polyakov* 7905 7906 * Support for SPARC Architecture 2011 crypto extensions, first 7907 implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, 7908 SHA256/512, MD5, GHASH and modular exponentiation. 7909 7910 *Andy Polyakov, David Miller* 7911 7912 * Accelerated modular exponentiation for Intel processors, a.k.a. 7913 RSAZ. 7914 7915 *Shay Gueron & Vlad Krasnov (Intel Corp)* 7916 7917 * Support for new and upcoming Intel processors, including AVX2, 7918 BMI and SHA ISA extensions. This includes additional "stitched" 7919 implementations, AESNI-SHA256 and GCM, and multi-buffer support 7920 for TLS encrypt. 7921 7922 This work was sponsored by Intel Corp. 7923 7924 *Andy Polyakov* 7925 7926 * Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method() 7927 supports both DTLS 1.2 and 1.0 and should use whatever version the peer 7928 supports and DTLSv1_2_*_method() which supports DTLS 1.2 only. 7929 7930 *Steve Henson* 7931 7932 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): 7933 this fixes a limitation in previous versions of OpenSSL. 7934 7935 *Steve Henson* 7936 7937 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, 7938 MGF1 digest and OAEP label. 7939 7940 *Steve Henson* 7941 7942 * Add EVP support for key wrapping algorithms, to avoid problems with 7943 existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in 7944 the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap 7945 algorithms and include tests cases. 7946 7947 *Steve Henson* 7948 7949 * Add functions to allocate and set the fields of an ECDSA_METHOD 7950 structure. 7951 7952 *Douglas E. 
Engert, Steve Henson* 7953 7954 * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the 7955 difference in days and seconds between two tm or ASN1_TIME structures. 7956 7957 *Steve Henson* 7958 7959 * Add -rev test option to s_server to just reverse order of characters 7960 received by client and send back to server. Also prints an abbreviated 7961 summary of the connection parameters. 7962 7963 *Steve Henson* 7964 7965 * New option -brief for s_client and s_server to print out a brief summary 7966 of connection parameters. 7967 7968 *Steve Henson* 7969 7970 * Add callbacks for arbitrary TLS extensions. 7971 7972 *Trevor Perrin <trevp@trevp.net> and Ben Laurie* 7973 7974 * New option -crl_download in several openssl utilities to download CRLs 7975 from CRLDP extension in certificates. 7976 7977 *Steve Henson* 7978 7979 * New options -CRL and -CRLform for s_client and s_server for CRLs. 7980 7981 *Steve Henson* 7982 7983 * New function X509_CRL_diff to generate a delta CRL from the difference 7984 of two full CRLs. Add support to "crl" utility. 7985 7986 *Steve Henson* 7987 7988 * New functions to set lookup_crls function and to retrieve 7989 X509_STORE from X509_STORE_CTX. 7990 7991 *Steve Henson* 7992 7993 * Print out deprecated issuer and subject unique ID fields in 7994 certificates. 7995 7996 *Steve Henson* 7997 7998 * Extend OCSP I/O functions so they can be used for simple general purpose 7999 HTTP as well as OCSP. New wrapper function which can be used to download 8000 CRLs using the OCSP API. 8001 8002 *Steve Henson* 8003 8004 * Delegate command line handling in s_client/s_server to SSL_CONF APIs. 8005 8006 *Steve Henson* 8007 8008 * `SSL_CONF*` functions. These provide a common framework for application 8009 configuration using configuration files or command lines. 8010 8011 *Steve Henson* 8012 8013 * SSL/TLS tracing code. This parses out SSL/TLS records using the 8014 message callback and prints the results. 
Needs compile time option 8015 "enable-ssl-trace". New options to s_client and s_server to enable 8016 tracing. 8017 8018 *Steve Henson* 8019 8020 * New ctrl and macro to retrieve supported points extensions. 8021 Print out extension in s_server and s_client. 8022 8023 *Steve Henson* 8024 8025 * New functions to retrieve certificate signature and signature 8026 OID NID. 8027 8028 *Steve Henson* 8029 8030 * Add functions to retrieve and manipulate the raw cipherlist sent by a 8031 client to OpenSSL. 8032 8033 *Steve Henson* 8034 8035 * New Suite B modes for TLS code. These use and enforce the requirements 8036 of RFC6460: restrict ciphersuites, only permit Suite B algorithms and 8037 only use Suite B curves. The Suite B modes can be set by using the 8038 strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring. 8039 8040 *Steve Henson* 8041 8042 * New chain verification flags for Suite B levels of security. Check 8043 algorithms are acceptable when flags are set in X509_verify_cert. 8044 8045 *Steve Henson* 8046 8047 * Make tls1_check_chain return a set of flags indicating checks passed 8048 by a certificate chain. Add additional tests to handle client 8049 certificates: checks for matching certificate type and issuer name 8050 comparison. 8051 8052 *Steve Henson* 8053 8054 * If an attempt is made to use a signature algorithm not in the peer 8055 preference list abort the handshake. If client has no suitable 8056 signature algorithms in response to a certificate request do not 8057 use the certificate. 8058 8059 *Steve Henson* 8060 8061 * If server EC tmp key is not in client preference list abort handshake. 8062 8063 *Steve Henson* 8064 8065 * Add support for certificate stores in CERT structure. This makes it 8066 possible to have different stores per SSL structure or one store in 8067 the parent SSL_CTX. Include distinct stores for certificate chain 8068 verification and chain building. 
   New ctrl SSL_CTRL_BUILD_CERT_CHAIN
   to build and store a certificate chain in CERT structure: returning
   an error if the chain cannot be built: this will allow applications
   to test if a chain is correctly configured.

   Note: if the CERT based stores are not set then the parent SSL_CTX
   store is used to retain compatibility with existing behaviour.

   *Steve Henson*

 * New function ssl_set_client_disabled to set a ciphersuite disabled
   mask based on the current session, check mask when sending client
   hello and checking the requested ciphersuite.

   *Steve Henson*

 * New ctrls to retrieve and set certificate types in a certificate
   request message. Print out received values in s_client. If certificate
   types are not set with custom values set sensible values based on
   supported signature algorithms.

   *Steve Henson*

 * Support for distinct client and server supported signature algorithms.

   *Steve Henson*

 * Add certificate callback. If set this is called whenever a certificate
   is required by client or server. An application can decide which
   certificate chain to present based on arbitrary criteria: for example
   supported signature algorithms. Add very simple example to s_server.
   This fixes many of the problems and restrictions of the existing client
   certificate callback: for example you can now clear an existing
   certificate and specify the whole chain.

   *Steve Henson*

 * Add new "valid_flags" field to CERT_PKEY structure which determines what
   the certificate can be used for (if anything). Set valid_flags field
   in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
   to have similar checks in it.

   Add new "cert_flags" field to CERT structure and include a "strict mode".
   This enforces some TLS certificate requirements (such as only permitting
   certificate signature algorithms contained in the supported algorithms
   extension) which some implementations ignore: this option should be used
   with caution as it could cause interoperability issues.

   *Steve Henson*

 * Update and tidy signature algorithm extension processing. Work out
   shared signature algorithms based on preferences and peer algorithms
   and print them out in s_client and s_server. Abort handshake if no
   shared signature algorithms.

   *Steve Henson*

 * Add new functions to allow customised supported signature algorithms
   for SSL and SSL_CTX structures. Add options to s_client and s_server
   to support them.

   *Steve Henson*

 * New function SSL_certs_clear() to delete all references to certificates
   from an SSL structure. Before this once a certificate had been added
   it couldn't be removed.

   *Steve Henson*

 * Integrate hostname, email address and IP address checking with certificate
   verification. New verify options supporting checking in openssl utility.

   *Steve Henson*

 * Fixes and wildcard matching support to hostname and email checking
   functions. Add manual page.

   *Florian Weimer (Red Hat Product Security Team)*

 * New functions to check a hostname, email or IP address against a
   certificate. Add options to x509 utility to print results of checks against
   a certificate.

   *Steve Henson*

 * Fix OCSP checking.

   *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*

 * Initial experimental support for explicitly trusted non-root CAs.
   OpenSSL still tries to build a complete chain to a root but if an
   intermediate CA has a trust setting included that is used. The first
   setting is used: whether to trust (e.g., -addtrust option to the x509
   utility) or reject.

   *Steve Henson*

 * Add -trusted_first option which attempts to find certificates in the
   trusted store even if an untrusted chain is also supplied.

   *Steve Henson*

 * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
   platform support for Linux and Android.

   *Andy Polyakov*

 * Support for linux-x32, ILP32 environment in x86_64 framework.

   *Andy Polyakov*

 * Experimental multi-implementation support for FIPS capable OpenSSL.
   When in FIPS mode the approved implementations are used as normal,
   when not in FIPS mode the internal unapproved versions are used instead.
   This means that the FIPS capable OpenSSL isn't forced to use the
   (often lower performance) FIPS implementations outside FIPS mode.

   *Steve Henson*

 * Transparently support X9.42 DH parameters when calling
   PEM_read_bio_DHparameters. This means existing applications can handle
   the new parameter format automatically.

   *Steve Henson*

 * Initial experimental support for X9.42 DH parameter format: mainly
   to support use of 'q' parameter for RFC5114 parameters.

   *Steve Henson*

 * Add DH parameters from RFC5114 including test data to dhtest.

   *Steve Henson*

 * Support for automatic EC temporary key parameter selection. If enabled
   the most preferred EC parameters are automatically used instead of
   hardcoded fixed parameters. Now a server just has to call:
   SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
   support ECDH and use the most appropriate parameters.

   *Steve Henson*

 * Enhance and tidy EC curve and point format TLS extension code. Use
   static structures instead of allocation if default values are used.
   New ctrls to set curves we wish to support and to retrieve shared curves.
   Print out shared curves in s_server.
   New options to s_server and s_client
   to set list of supported curves.

   *Steve Henson*

 * New ctrls to retrieve supported signature algorithms and
   supported curve values as an array of NIDs. Extend openssl utility
   to print out received values.

   *Steve Henson*

 * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
   between NIDs and the more common NIST names such as "P-256". Enhance
   ecparam utility and ECC method to recognise the NIST names for curves.

   *Steve Henson*

 * Enhance SSL/TLS certificate chain handling to support different
   chains for each certificate instead of one chain in the parent SSL_CTX.

   *Steve Henson*

 * Support for fixed DH ciphersuite client authentication: where both
   server and client use DH certificates with common parameters.

   *Steve Henson*

 * Support for fixed DH ciphersuites: those requiring DH server
   certificates.

   *Steve Henson*

 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
   the certificate.
   Note: Related 1.0.2-beta specific macros X509_get_cert_info,
   X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
   X509_CINF_get_signature were reverted post internal team review.

OpenSSL 1.0.1
-------------

### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]

 * OCSP Status Request extension unbounded memory growth

   A malicious client can send an excessively large OCSP Status Request
   extension. If that client continually requests renegotiation, sending a
   large OCSP Status Request extension each time, then there will be unbounded
   memory growth on the server. This will eventually lead to a Denial Of
   Service attack through memory exhaustion. Servers with a default
   configuration are vulnerable even if they do not support OCSP.
   Builds using
   the "no-ocsp" build time option are not affected.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6304])

   *Matt Caswell*

 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
   HIGH to MEDIUM.

   This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
   Leurent (INRIA)
   ([CVE-2016-2183])

   *Rich Salz*

 * OOB write in MDC2_Update()

   An overflow can occur in MDC2_Update() either if called directly or
   through the EVP_DigestUpdate() function using MDC2. If an attacker
   is able to supply very large amounts of input data after a previous
   call to EVP_EncryptUpdate() with a partial block then a length check
   can overflow resulting in a heap corruption.

   The amount of data needed is comparable to SIZE_MAX which is impractical
   on most platforms.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6303])

   *Stephen Henson*

 * Malformed SHA512 ticket DoS

   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
   DoS attack where a malformed ticket will result in an OOB read which will
   ultimately crash.

   The use of SHA512 in TLS session tickets is comparatively rare as it requires
   a custom server callback and ticket lookup mechanism.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6302])

   *Stephen Henson*

 * OOB write in BN_bn2dec()

   The function BN_bn2dec() does not check the return value of BN_div_word().
   This can cause an OOB write if an application uses this function with an
   overly large BIGNUM. This could be a problem if an overly large certificate
   or CRL is printed out from an untrusted source.
   TLS is not affected because
   record limits will reject an oversized certificate before it is parsed.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2182])

   *Stephen Henson*

 * OOB read in TS_OBJ_print_bio()

   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
   the total length the OID text representation would use and not the amount
   of data written. This will result in OOB reads when large OIDs are
   presented.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-2180])

   *Stephen Henson*

 * Pointer arithmetic undefined behaviour

   Avoid some undefined pointer arithmetic

   A common idiom in the codebase is to check limits in the following manner:
   "p + len > limit"

   Where "p" points to some malloc'd data of SIZE bytes and
   limit == p + SIZE

   "len" here could be from some externally supplied data (e.g. from a TLS
   message).

   The rules of C pointer arithmetic are such that "p + len" is only well
   defined where len <= SIZE. Therefore, the above idiom is actually
   undefined behaviour.

   For example this could cause problems if some malloc implementation
   provides an address for "p" such that "p + len" actually overflows for
   values of len that are too big and therefore p + len < limit.

   This issue was reported to OpenSSL by Guido Vranken
   ([CVE-2016-2177])

   *Matt Caswell*

 * Constant time flag not preserved in DSA signing

   Operations in the DSA signing algorithm should run in constant time in
   order to avoid side channel attacks. A flaw in the OpenSSL DSA
   implementation means that a non-constant time codepath is followed for
   certain operations.
   This has been demonstrated through a cache-timing
   attack to be sufficient for an attacker to recover the private DSA key.

   This issue was reported by César Pereida (Aalto University), Billy Brumley
   (Tampere University of Technology), and Yuval Yarom (The University of
   Adelaide and NICTA).
   ([CVE-2016-2178])

   *César Pereida*

 * DTLS buffered message DoS

   In a DTLS connection where handshake messages are delivered out-of-order
   those messages that OpenSSL is not yet ready to process will be buffered
   for later use. Under certain circumstances, a flaw in the logic means that
   those messages do not get removed from the buffer even though the handshake
   has been completed. An attacker could force up to approx. 15 messages to
   remain in the buffer when they are no longer required. These messages will
   be cleared when the DTLS connection is closed. The default maximum size for
   a message is 100k. Therefore, the attacker could force an additional 1500k
   to be consumed per connection. By opening many simultaneous connections an
   attacker could cause a DoS attack through memory exhaustion.

   This issue was reported to OpenSSL by Quan Luo.
   ([CVE-2016-2179])

   *Matt Caswell*

 * DTLS replay protection DoS

   A flaw in the DTLS replay attack protection mechanism means that records
   that arrive for future epochs update the replay protection "window" before
   the MAC for the record has been validated. This could be exploited by an
   attacker by sending a record for the next epoch (which does not have to
   decrypt or have a valid MAC), with a very large sequence number. This means
   that all subsequent legitimate packets are dropped causing a denial of
   service for a specific DTLS connection.

   This issue was reported to OpenSSL by the OCAP audit team.
   ([CVE-2016-2181])

   *Matt Caswell*

 * Certificate message OOB reads

   In OpenSSL 1.0.2 and earlier some missing message length checks can result
   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
   theoretical DoS risk but this has not been observed in practice on common
   platforms.

   The messages affected are client certificate, client certificate request
   and server certificate. As a result the attack can only be performed
   against a client or a server which enables client authentication.

   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
   ([CVE-2016-6306])

   *Stephen Henson*

### Changes between 1.0.1s and 1.0.1t [3 May 2016]

 * Prevent padding oracle in AES-NI CBC MAC check

   A MITM attacker can use a padding oracle attack to decrypt traffic
   when the connection uses an AES CBC cipher and the server supports
   AES-NI.

   This issue was introduced as part of the fix for Lucky 13 padding
   attack ([CVE-2013-0169]). The padding check was rewritten to be in
   constant time by making sure that always the same bytes are read and
   compared against either the MAC or padding bytes. But it no longer
   checked that there was enough data to have both the MAC and padding
   bytes.

   This issue was reported by Juraj Somorovsky using TLS-Attacker.
   ([CVE-2016-2107])

   *Kurt Roeckx*

 * Fix EVP_EncodeUpdate overflow

   An overflow can occur in the EVP_EncodeUpdate() function which is used for
   Base64 encoding of binary data. If an attacker is able to supply very large
   amounts of input data then a length check can overflow resulting in a heap
   corruption.

   Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
   the `PEM_write_bio*` family of functions.
   These are mainly used within the
   OpenSSL command line applications, so any application which processes data
   from an untrusted source and outputs it as a PEM file should be considered
   vulnerable to this issue. User applications that call these APIs directly
   with large amounts of untrusted data may also be vulnerable.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2105])

   *Matt Caswell*

 * Fix EVP_EncryptUpdate overflow

   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
   is able to supply very large amounts of input data after a previous call to
   EVP_EncryptUpdate() with a partial block then a length check can overflow
   resulting in a heap corruption. Following an analysis of all OpenSSL
   internal usage of the EVP_EncryptUpdate() function all usage is one of two
   forms. The first form is where the EVP_EncryptUpdate() call is known to be
   the first called function after an EVP_EncryptInit(), and therefore that
   specific call must be safe. The second form is where the length passed to
   EVP_EncryptUpdate() can be seen from the code to be some small value and
   therefore there is no possibility of an overflow. Since all instances are
   one of these two forms, it is believed that there can be no overflows in
   internal code due to this problem. It should be noted that
   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
   of these calls have also been analysed and it is believed there are no
   instances in internal usage where an overflow could occur.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2106])

   *Matt Caswell*

 * Prevent ASN.1 BIO excessive memory allocation

   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
   a short invalid encoding can cause allocation of large amounts of memory
   potentially consuming excessive resources or exhausting memory.

   Any application parsing untrusted data through d2i BIO functions is
   affected. The memory based functions such as d2i_X509() are *not* affected.
   Since the memory based functions are used by the TLS library, TLS
   applications are not affected.

   This issue was reported by Brian Carpenter.
   ([CVE-2016-2109])

   *Stephen Henson*

 * EBCDIC overread

   ASN1 Strings that are over 1024 bytes can cause an overread in applications
   using the X509_NAME_oneline() function on EBCDIC systems. This could result
   in arbitrary stack data being returned in the buffer.

   This issue was reported by Guido Vranken.
   ([CVE-2016-2176])

   *Matt Caswell*

 * Modify behavior of ALPN to invoke callback after SNI/servername
   callback, such that updates to the SSL_CTX affect ALPN.

   *Todd Short*

 * Remove LOW from the DEFAULT cipher list. This removes single DES from the
   default.

   *Kurt Roeckx*

 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
   methods are enabled and ssl2 is disabled the methods return NULL.

   *Kurt Roeckx*

### Changes between 1.0.1r and 1.0.1s [1 Mar 2016]

 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
   Builds that are not configured with "enable-weak-ssl-ciphers" will not
   provide any "EXPORT" or "LOW" strength ciphers.

   *Viktor Dukhovni*

 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
   is by default disabled at build-time.
   Builds that are not configured with
   "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
   users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
   will need to explicitly call either of:

       SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
       SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

   as appropriate. Even if either of those is used, or the application
   explicitly uses the version-specific SSLv2_method() or its client and
   server variants, SSLv2 ciphers vulnerable to exhaustive search key
   recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
   ciphers, and SSLv2 56-bit DES are no longer available.
   ([CVE-2016-0800])

   *Viktor Dukhovni*

 * Fix a double-free in DSA code

   A double free bug was discovered when OpenSSL parses malformed DSA private
   keys and could lead to a DoS attack or memory corruption for applications
   that receive DSA private keys from untrusted sources. This scenario is
   considered rare.

   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
   libFuzzer.
   ([CVE-2016-0705])

   *Stephen Henson*

 * Disable SRP fake user seed to address a server memory leak.

   Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
   In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
   was changed to ignore the "fake user" SRP seed, even if the seed
   is configured.

   Users should use SRP_VBASE_get1_by_user instead. Note that in
   SRP_VBASE_get1_by_user, the caller must free the returned value.
   Note
   also that even though configuring the SRP seed attempts to hide
   invalid usernames by continuing the handshake with fake
   credentials, this behaviour is not constant time and no strong
   guarantees are made that the handshake is indistinguishable from
   that of a valid user.
   ([CVE-2016-0798])

   *Emilia Käsper*

 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption

   In the BN_hex2bn function the number of hex digits is calculated using an
   int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
   large values of `i` this can result in `bn_expand` not allocating any
   memory because `i * 4` is negative. This can leave the internal BIGNUM data
   field as NULL leading to a subsequent NULL ptr deref. For very large values
   of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
   In this case memory is allocated to the internal BIGNUM data field, but it
   is insufficiently sized leading to heap corruption. A similar issue exists
   in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
   is ever called by user applications with very large untrusted hex/dec data.
   This is anticipated to be a rare occurrence.

   All OpenSSL internal usage of these functions uses data that is not expected
   to be untrusted, e.g. config file data or application command line
   arguments. If user developed applications generate config file data based
   on untrusted data then it is possible that this could also lead to security
   consequences. This is also anticipated to be rare.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2016-0797])

   *Matt Caswell*

 * Fix memory issues in `BIO_*printf` functions

   The internal `fmtstr` function used in processing a "%s" format string in
   the `BIO_*printf` functions could overflow while calculating the length of a
   string and cause an OOB read when printing very long strings.

   Additionally the internal `doapr_outch` function can attempt to write to an
   OOB memory location (at an offset from the NULL pointer) in the event of a
   memory allocation failure. In 1.0.2 and below this could be caused where
   the size of a buffer to be allocated is greater than INT_MAX. E.g. this
   could be in processing a very long "%s" format string. Memory leaks can
   also occur.

   The first issue may mask the second issue dependent on compiler behaviour.
   These problems could enable attacks where large amounts of untrusted data
   are passed to the `BIO_*printf` functions. If applications use these functions
   in this way then they could be vulnerable. OpenSSL itself uses these
   functions when printing out human-readable dumps of ASN.1 data. Therefore
   applications that print this data could be vulnerable if the data is from
   untrusted sources. OpenSSL command line applications could also be
   vulnerable where they print out ASN.1 data, or if untrusted data is passed
   as command line arguments.

   Libssl is not considered directly vulnerable. Additionally certificates etc
   received via remote connections via libssl are also unlikely to be able to
   trigger these issues because of message size limits enforced within libssl.

   This issue was reported to OpenSSL by Guido Vranken.
   ([CVE-2016-0799])

   *Matt Caswell*

 * Side channel attack on modular exponentiation

   A side-channel attack was found which makes use of cache-bank conflicts on
   the Intel Sandy-Bridge microarchitecture which could lead to the recovery
   of RSA keys. The ability to exploit this issue is limited as it relies on
   an attacker who has control of code in a thread running on the same
   hyper-threaded core as the victim thread which is performing decryptions.

   This issue was reported to OpenSSL by Yuval Yarom, The University of
   Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
   Nadia Heninger, University of Pennsylvania with more information at
   <http://cachebleed.info>.
   ([CVE-2016-0702])

   *Andy Polyakov*

 * Change the req command to generate a 2048-bit RSA/DSA key by default,
   if no keysize is specified with default_bits. This fixes an
   omission in an earlier change that changed all RSA/DSA key generation
   commands to use 2048 bits by default.

   *Emilia Käsper*

### Changes between 1.0.1q and 1.0.1r [28 Jan 2016]

 * Protection for DH small subgroup attacks

   As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
   switched on by default and cannot be disabled. This could have some
   performance impact.

   *Matt Caswell*

 * SSLv2 doesn't block disabled ciphers

   A malicious client can negotiate SSLv2 ciphers that have been disabled on
   the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
   been disabled, provided that the SSLv2 protocol was not also disabled via
   SSL_OP_NO_SSLv2.

   This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
   and Sebastian Schinzel.
   ([CVE-2015-3197])

   *Viktor Dukhovni*

 * Reject DH handshakes with parameters shorter than 1024 bits.

   *Kurt Roeckx*

### Changes between 1.0.1p and 1.0.1q [3 Dec 2015]

 * Certificate verify crash with missing PSS parameter

   The signature verification routines will crash with a NULL pointer
   dereference if presented with an ASN.1 signature using the RSA PSS
   algorithm and absent mask generation function parameter. Since these
   routines are used to verify certificate signature algorithms this can be
   used to crash any certificate verification operation and exploited in a
   DoS attack. Any application which performs certificate verification is
   vulnerable including OpenSSL clients and servers which enable client
   authentication.

   This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
   ([CVE-2015-3194])

   *Stephen Henson*

 * X509_ATTRIBUTE memory leak

   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
   memory. This structure is used by the PKCS#7 and CMS routines so any
   application which reads PKCS#7 or CMS data from untrusted sources is
   affected. SSL/TLS is not affected.

   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
   libFuzzer.
   ([CVE-2015-3195])

   *Stephen Henson*

 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
   This changes the decoding behaviour for some invalid messages,
   though the change is mostly in the more lenient direction, and
   legacy behaviour is preserved as much as possible.

   *Emilia Käsper*

 * In DSA_generate_parameters_ex, if the provided seed is too short,
   use a random seed, as already documented.

   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*

### Changes between 1.0.1o and 1.0.1p [9 Jul 2015]

 * Alternate chains certificate forgery

   During certificate verification, OpenSSL will attempt to find an
   alternative certificate chain if the first attempt to build such a chain
   fails. An error in the implementation of this logic can mean that an
   attacker could cause certain checks on untrusted certificates to be
   bypassed, such as the CA flag, enabling them to use a valid leaf
   certificate to act as a CA and "issue" an invalid certificate.

   This issue was reported to OpenSSL by Adam Langley/David Benjamin
   (Google/BoringSSL).
   ([CVE-2015-1793])

   *Matt Caswell*

 * Race condition handling PSK identity hint

   If PSK identity hints are received by a multi-threaded client then
   the values are wrongly updated in the parent SSL_CTX structure. This can
   result in a race condition potentially leading to a double free of the
   identity hint data.
   ([CVE-2015-3196])

   *Stephen Henson*

### Changes between 1.0.1n and 1.0.1o [12 Jun 2015]

 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
   incompatibility in the handling of HMAC. The previous ABI has now been
   restored.

### Changes between 1.0.1m and 1.0.1n [11 Jun 2015]

 * Malformed ECParameters causes infinite loop

   When processing an ECParameters structure OpenSSL enters an infinite loop
   if the curve specified is over a specially malformed binary polynomial
   field.

   This can be used to perform denial of service against any
   system which processes public keys, certificate requests or
   certificates. This includes TLS clients and TLS servers with
   client authentication enabled.

   This issue was reported to OpenSSL by Joseph Barr-Pixton.
   ([CVE-2015-1788])

   *Andy Polyakov*

 * Exploitable out-of-bounds read in X509_cmp_time

   X509_cmp_time does not properly check the length of the ASN1_TIME
   string and can read a few bytes out of bounds. In addition,
   X509_cmp_time accepts an arbitrary number of fractional seconds in the
   time string.

   An attacker can use this to craft malformed certificates and CRLs of
   various sizes and potentially cause a segmentation fault, resulting in
   a DoS on applications that verify certificates or CRLs. TLS clients
   that verify CRLs are affected. TLS clients and servers with client
   authentication enabled may be affected if they use custom verification
   callbacks.

   This issue was reported to OpenSSL by Robert Swiecki (Google), and
   independently by Hanno Böck.
   ([CVE-2015-1789])

   *Emilia Käsper*

 * PKCS7 crash with missing EnvelopedContent

   The PKCS#7 parsing code does not handle missing inner EncryptedContent
   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
   with missing content and trigger a NULL pointer dereference on parsing.

   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
   structures from untrusted sources are affected. OpenSSL clients and
   servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-1790])

   *Emilia Käsper*

 * CMS verify infinite loop with unknown hash function

   When verifying a signedData message the CMS code can enter an infinite loop
   if presented with an unknown hash function OID. This can be used to perform
   denial of service against any system which verifies signedData messages using
   the CMS code.

   This issue was reported to OpenSSL by Johannes Bauer.
   ([CVE-2015-1792])

   *Stephen Henson*

 * Race condition handling NewSessionTicket

   If a NewSessionTicket is received by a multi-threaded client when attempting to
   reuse a previous ticket then a race condition can occur potentially leading to
   a double free of the ticket data.
   ([CVE-2015-1791])

   *Matt Caswell*

 * Reject DH handshakes with parameters shorter than 768 bits.

   *Kurt Roeckx and Emilia Kasper*

 * dhparam: generate 2048-bit parameters by default.

   *Kurt Roeckx and Emilia Kasper*

### Changes between 1.0.1l and 1.0.1m [19 Mar 2015]

 * Segmentation fault in ASN1_TYPE_cmp fix

   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
   certificate signature algorithm consistency this can be used to crash any
   certificate verification operation and exploited in a DoS attack. Any
   application which performs certificate verification is vulnerable including
   OpenSSL clients and servers which enable client authentication.
   ([CVE-2015-0286])

   *Stephen Henson*

 * ASN.1 structure reuse memory corruption fix

   Reusing a structure in ASN.1 parsing may allow an attacker to cause
   memory corruption via an invalid write. Such reuse is and has been
   strongly discouraged and is believed to be rare.

   Applications that parse structures containing CHOICE or ANY DEFINED BY
   components may be affected. Certificate parsing (d2i_X509 and related
   functions) are however not affected. OpenSSL clients and servers are
   not affected.
   ([CVE-2015-0287])

   *Stephen Henson*

 * PKCS7 NULL pointer dereferences fix

   The PKCS#7 parsing code does not handle missing outer ContentInfo
   correctly.
   An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
   missing content and trigger a NULL pointer dereference on parsing.

   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
   otherwise parse PKCS#7 structures from untrusted sources are
   affected. OpenSSL clients and servers are not affected.

   This issue was reported to OpenSSL by Michal Zalewski (Google).
   ([CVE-2015-0289])

   *Emilia Käsper*

 * DoS via reachable assert in SSLv2 servers fix

   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
   servers that both support SSLv2 and enable export cipher suites by sending
   a specially crafted SSLv2 CLIENT-MASTER-KEY message.

   This issue was discovered by Sean Burford (Google) and Emilia Käsper
   (OpenSSL development team).
   ([CVE-2015-0293])

   *Emilia Käsper*

 * Use After Free following d2i_ECPrivateKey error fix

   A malformed EC private key file consumed via the d2i_ECPrivateKey function
   could cause a use after free condition. This, in turn, could cause a double
   free in several private key parsing functions (such as d2i_PrivateKey
   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
   for applications that receive EC private keys from untrusted
   sources. This scenario is considered rare.

   This issue was discovered by the BoringSSL project and fixed in their
   commit 517073cd4b.
   ([CVE-2015-0209])

   *Matt Caswell*

 * X509_to_X509_REQ NULL pointer deref fix

   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
   the certificate key is invalid. This function is rarely used in practice.

   This issue was discovered by Brian Carpenter.
   ([CVE-2015-0288])

   *Stephen Henson*

 * Removed the export ciphers from the DEFAULT ciphers

   *Kurt Roeckx*

### Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

 * Build fixes for the Windows and OpenVMS platforms

   *Matt Caswell and Richard Levitte*

### Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
   message can cause a segmentation fault in OpenSSL due to a NULL pointer
   dereference. This could lead to a Denial Of Service attack. Thanks to
   Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
   ([CVE-2014-3571])

   *Steve Henson*

 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
   dtls1_buffer_record function under certain conditions. In particular this
   could occur if an attacker sent repeated DTLS records with the same
   sequence number but for the next epoch. The memory leak could be exploited
   by an attacker in a Denial of Service attack through memory exhaustion.
   Thanks to Chris Mueller for reporting this issue.
   ([CVE-2015-0206])

   *Matt Caswell*

 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
   method would be set to NULL which could later result in a NULL pointer
   dereference. Thanks to Frank Schmirler for reporting this issue.
   ([CVE-2014-3569])

   *Kurt Roeckx*

 * Abort handshake if server key exchange message is omitted for ephemeral
   ECDH ciphersuites.

   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
   reporting this issue.
   ([CVE-2014-3572])

   *Steve Henson*

 * Remove non-export ephemeral RSA code on client and server.
   This code violated the TLS standard by allowing the use of temporary RSA
   keys in non-export ciphersuites and could be used by a server to
   effectively downgrade the RSA key length used to a value smaller than that
   of the server certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO
   team at INRIA for reporting this issue.
   ([CVE-2015-0204])

   *Steve Henson*

 * Fixed issue where DH client certificates are accepted without verification.
   An OpenSSL server will accept a DH certificate for client authentication
   without the certificate verify message. This effectively allows a client to
   authenticate without the use of a private key. This only affects servers
   which trust a client certificate authority which issues certificates
   containing DH keys: these are extremely rare and hardly ever encountered.
   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
   this issue.
   ([CVE-2015-0205])

   *Steve Henson*

 * Ensure that the session ID context of an SSL is updated when its
   SSL_CTX is updated via SSL_set_SSL_CTX.

   The session ID context is typically set from the parent SSL_CTX,
   and can vary with the CTX.

   *Adam Langley*

 * Fix various certificate fingerprint issues.

   By using non-DER or invalid encodings outside the signed portion of a
   certificate the fingerprint can be changed without breaking the signature.
   Although no details of the signed portion of the certificate can be changed
   this can cause problems with some applications: e.g. those using the
   certificate fingerprint for blacklists.

   1. Reject signatures with non zero unused bits.

      If the BIT STRING containing the signature has non zero unused bits reject
      the signature. All current signature algorithms require zero unused bits.

   2. Check certificate algorithm consistency.
      Check the AlgorithmIdentifier inside TBS matches the one in the
      certificate signature. NB: this will result in signature failure
      errors for some broken certificates.

      Thanks to Konrad Kraszewski from Google for reporting this issue.

   3. Check DSA/ECDSA signatures use DER.

      Re-encode DSA/ECDSA signatures and compare with the original received
      signature. Return an error if there is a mismatch.

      This will reject various cases including garbage after signature
      (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
      program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
      (negative or with leading zeroes).

   Further analysis was conducted and fixes were developed by Stephen Henson
   of the OpenSSL core team.

   ([CVE-2014-8275])

   *Steve Henson*

 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
   results on some platforms, including x86_64. This bug occurs at random
   with a very low probability, and is not known to be exploitable in any
   way, though its exact impact is difficult to determine. Thanks to Pieter
   Wuille (Blockstream) who reported this issue and also suggested an initial
   fix. Further analysis was conducted by the OpenSSL development team and
   Adam Langley of Google. The final fix was developed by Andy Polyakov of
   the OpenSSL core team.
   ([CVE-2014-3570])

   *Andy Polyakov*

 * Do not resume sessions on the server if the negotiated protocol
   version does not match the session's version. Resuming with a different
   version, while not strictly forbidden by the RFC, is of questionable
   sanity and breaks all known clients.

   *David Benjamin, Emilia Käsper*

 * Tighten handling of the ChangeCipherSpec (CCS) message: reject
   early CCS messages during renegotiation.
   (Note that because renegotiation is encrypted, this early CCS was not
   exploitable.)

   *Emilia Käsper*

 * Tighten client-side session ticket handling during renegotiation:
   ensure that the client only accepts a session ticket if the server sends
   the extension anew in the ServerHello. Previously, a TLS client would
   reuse the old extension state and thus accept a session ticket if one was
   announced in the initial ServerHello.

   Similarly, ensure that the client requires a session ticket if one
   was advertised in the ServerHello. Previously, a TLS client would
   ignore a missing NewSessionTicket message.

   *Emilia Käsper*

### Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

 * SRTP Memory Leak.

   A flaw in the DTLS SRTP extension parsing code allows an attacker, who
   sends a carefully crafted handshake message, to cause OpenSSL to fail
   to free up to 64k of memory causing a memory leak. This could be
   exploited in a Denial Of Service attack. This issue affects OpenSSL
   1.0.1 server implementations for both SSL/TLS and DTLS regardless of
   whether SRTP is used or configured. Implementations of OpenSSL that
   have been compiled with OPENSSL_NO_SRTP defined are not affected.

   The fix was developed by the OpenSSL team.
   ([CVE-2014-3513])

   *OpenSSL team*

 * Session Ticket Memory Leak.

   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   integrity of that ticket is first verified. In the event of a session
   ticket integrity check failing, OpenSSL will fail to free memory
   causing a memory leak. By sending a large number of invalid session
   tickets an attacker could exploit this issue in a Denial Of Service
   attack.
   ([CVE-2014-3567])

   *Steve Henson*

 * Build option no-ssl3 is incomplete.
   When OpenSSL is configured with "no-ssl3" as a build option, servers
   could accept and complete an SSL 3.0 handshake, and clients could be
   configured to send them.
   ([CVE-2014-3568])

   *Akamai and the OpenSSL team*

 * Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call
   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   ([CVE-2014-3566])

   *Adam Langley, Bodo Moeller*

 * Add additional DigestInfo checks.

   Re-encode DigestInfo in DER and check against the original when
   verifying RSA signature: this will reject any improperly encoded
   DigestInfo structures.

   Note: this is a precautionary measure and no attacks are currently known.

   *Steve Henson*

### Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

 * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
   SRP code can overrun an internal buffer. Add sanity check that
   g, A, B < N to SRP code.

   Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
   Group for discovering this issue.
   ([CVE-2014-3512])

   *Steve Henson*

 * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
   TLS 1.0 instead of higher protocol versions when the ClientHello message
   is badly fragmented. This allows a man-in-the-middle attacker to force a
   downgrade to TLS 1.0 even if both the server and the client support a
   higher protocol version, by modifying the client's TLS records.

   Thanks to David Benjamin and Adam Langley (Google) for discovering and
   researching this issue.
   ([CVE-2014-3511])

   *David Benjamin*

 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   to a denial of service attack.
   A malicious server can crash the client
   with a null pointer dereference (read) by specifying an anonymous (EC)DH
   ciphersuite and sending carefully crafted handshake messages.

   Thanks to Felix Gröbert (Google) for discovering and researching this
   issue.
   ([CVE-2014-3510])

   *Emilia Käsper*

 * By sending carefully crafted DTLS packets an attacker could cause openssl
   to leak memory. This can be exploited through a Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3507])

   *Adam Langley*

 * An attacker can force openssl to consume large amounts of memory whilst
   processing DTLS handshake messages. This can be exploited through a
   Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3506])

   *Adam Langley*

 * An attacker can force an error condition which causes openssl to crash
   whilst processing DTLS packets due to memory being freed twice. This
   can be exploited through a Denial of Service attack.
   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
   this issue.
   ([CVE-2014-3505])

   *Adam Langley*

 * If a multithreaded client connects to a malicious server using a resumed
   session and the server sends an ec point format extension it could write
   up to 255 bytes to freed memory.

   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
   issue.
   ([CVE-2014-3509])

   *Gabor Tyukasz*

 * A malicious server can crash an OpenSSL client with a null pointer
   dereference (read) by specifying an SRP ciphersuite even though it was not
   properly negotiated with the client. This can be exploited through a
   Denial of Service attack.

   Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
   discovering and researching this issue.
   ([CVE-2014-5139])

   *Steve Henson*

 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
   X509_name_oneline, X509_name_print_ex et al. to leak some information
   from the stack. Applications may be affected if they echo pretty printing
   output to the attacker.

   Thanks to Ivan Fratric (Google) for discovering this issue.
   ([CVE-2014-3508])

   *Emilia Käsper and Steve Henson*

 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)

   *Bodo Moeller*

### Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
   handshake can force the use of weak keying material in OpenSSL
   SSL/TLS clients and servers.

   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
   researching this issue. ([CVE-2014-0224])

   *KIKUCHI Masashi, Steve Henson*

 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
   OpenSSL DTLS client the code can be made to recurse eventually crashing
   in a DoS attack.

   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
   ([CVE-2014-0221])

   *Imre Rad, Steve Henson*

 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
   client or server. This is potentially exploitable to run arbitrary
   code on a vulnerable client or server.

   Thanks to Jüri Aedla for reporting this issue.
   ([CVE-2014-0195])

   *Jüri Aedla, Steve Henson*

 * Fix bug in TLS code where clients enabling anonymous ECDH ciphersuites
   are subject to a denial of service attack.

   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
   this issue. ([CVE-2014-3470])

   *Felix Gröbert, Ivan Fratric, Steve Henson*

 * Harmonize version and its documentation. -f flag is used to display
   compilation flags.

   *mancha <mancha1@zoho.com>*

 * Fix eckey_priv_encode so it immediately returns an error upon a failure
   in i2d_ECPrivateKey.

   *mancha <mancha1@zoho.com>*

 * Fix some double frees. These are not thought to be exploitable.

   *mancha <mancha1@zoho.com>*

### Changes between 1.0.1f and 1.0.1g [7 Apr 2014]

 * A missing bounds check in the handling of the TLS heartbeat extension
   can be used to reveal up to 64k of memory to a connected client or
   server.

   Thanks to Neel Mehta of Google Security for discovering this bug and to
   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
   preparing the fix ([CVE-2014-0160])

   *Adam Langley, Bodo Moeller*

 * Fix for the attack described in the paper "Recovering OpenSSL
   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   by Yuval Yarom and Naomi Benger. Details can be obtained from:
   <http://eprint.iacr.org/2014/140>

   Thanks to Yuval Yarom and Naomi Benger for discovering this
   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])

   *Yuval Yarom and Naomi Benger*

 * TLS pad extension: draft-agl-tls-padding-03

   Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
   TLS client Hello record length value would otherwise be > 255 and
   less than 512 pad with a dummy extension containing zeroes so it
   is at least 512 bytes long.
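   An added example for the signature-encoding checks described above (fix 1
   and fix 3 of the certificate fingerprint entry, CVE-2014-8275, and in the
   same spirit the DigestInfo re-encoding check added in 1.0.1j). This is code
   written for this page, not OpenSSL's; where OpenSSL re-encodes the signature
   and compares, this validator checks the DER encoding of a DSA/ECDSA
   signature BIT STRING directly, which accepts exactly the same inputs for
   that structure. The sample inputs are constructed, with tiny r and s values
   that are not real signatures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Strict-DER validator for a DSA/ECDSA signature as carried in a
 * certificate's signature BIT STRING. Added example, not OpenSSL code.
 *   fix 1: the BIT STRING's unused-bits octet must be zero;
 *   fix 3: the value must be SEQUENCE { INTEGER r, INTEGER s } with minimal
 *          lengths, non-negative minimally encoded INTEGERs and nothing
 *          after the SEQUENCE (no BER long-form lengths, no trailing bytes).
 */

/* Decode a DER length at p (n bytes available). Returns the number of
 * length octets consumed, or 0 for indefinite, non-minimal or truncated. */
static size_t der_len(const uint8_t *p, size_t n, size_t *out)
{
    if (n < 1)
        return 0;
    if (p[0] < 0x80) {                    /* short form */
        *out = p[0];
        return 1;
    }
    size_t k = p[0] & 0x7f;               /* number of length octets */
    if (k == 0 || k > sizeof(size_t) || n < 1 + k)
        return 0;                         /* indefinite, absurd or truncated */
    if (p[1] == 0x00)
        return 0;                         /* leading zero octet: not minimal */
    size_t v = 0;
    for (size_t i = 0; i < k; i++)
        v = (v << 8) | p[1 + i];
    if (v < 0x80)
        return 0;                         /* long form where short form fits */
    *out = v;
    return 1 + k;
}

/* Check one DER INTEGER at p (n bytes available). Returns its total encoded
 * length, or 0 if it is not a minimally encoded non-negative INTEGER. */
static size_t der_uint(const uint8_t *p, size_t n)
{
    if (n < 2 || p[0] != 0x02)
        return 0;
    size_t len, hl = der_len(p + 1, n - 1, &len);
    if (hl == 0 || len == 0 || n - 1 - hl < len)
        return 0;
    const uint8_t *v = p + 1 + hl;
    if (v[0] & 0x80)
        return 0;                         /* negative: r and s are positive */
    if (len > 1 && v[0] == 0x00 && !(v[1] & 0x80))
        return 0;                         /* unnecessary leading zero octet */
    return 1 + hl + len;
}

/* sig/n: contents of the signature BIT STRING, i.e. the unused-bits octet
 * followed by the encoded signature value. Returns 1 if acceptable. */
int sig_bitstring_is_strict_der(const uint8_t *sig, size_t n)
{
    if (n < 2 || sig[0] != 0x00)
        return 0;                         /* fix 1: non-zero unused bits */
    const uint8_t *p = sig + 1;
    n -= 1;
    if (p[0] != 0x30)
        return 0;                         /* must be a SEQUENCE */
    size_t len, hl = der_len(p + 1, n - 1, &len);
    if (hl == 0 || n - 1 - hl != len)
        return 0;                         /* truncated, or garbage after it */
    const uint8_t *q = p + 1 + hl;
    size_t r = der_uint(q, len);
    if (r == 0)
        return 0;
    size_t s = der_uint(q + r, len - r);
    return s != 0 && r + s == len;
}

/* Constructed sample inputs (tiny r and s, not real signatures). */
const uint8_t SIG_OK[]         = {0x00, 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02};
const uint8_t SIG_HIGHBIT[]    = {0x00, 0x30, 0x07, 0x02, 0x02, 0x00, 0x80, 0x02, 0x01, 0x02}; /* r=128: the 0x00 is required */
const uint8_t SIG_TRAILING[]   = {0x00, 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02, 0x00}; /* garbage after signature */
const uint8_t SIG_UNUSEDBITS[] = {0x01, 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02};       /* non-zero unused bits */
const uint8_t SIG_LEADZERO[]   = {0x00, 0x30, 0x07, 0x02, 0x02, 0x00, 0x01, 0x02, 0x01, 0x02}; /* r=1 with a leading zero */
const uint8_t SIG_NEGATIVE[]   = {0x00, 0x30, 0x06, 0x02, 0x01, 0x81, 0x02, 0x01, 0x02};       /* negative r */
const uint8_t SIG_BERLENGTH[]  = {0x00, 0x30, 0x81, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02}; /* BER long-form length */

int main(void)
{
    printf("ok          %d\n", sig_bitstring_is_strict_der(SIG_OK, sizeof SIG_OK));
    printf("highbit     %d\n", sig_bitstring_is_strict_der(SIG_HIGHBIT, sizeof SIG_HIGHBIT));
    printf("trailing    %d\n", sig_bitstring_is_strict_der(SIG_TRAILING, sizeof SIG_TRAILING));
    printf("unused bits %d\n", sig_bitstring_is_strict_der(SIG_UNUSEDBITS, sizeof SIG_UNUSEDBITS));
    printf("lead zero   %d\n", sig_bitstring_is_strict_der(SIG_LEADZERO, sizeof SIG_LEADZERO));
    printf("negative    %d\n", sig_bitstring_is_strict_der(SIG_NEGATIVE, sizeof SIG_NEGATIVE));
    printf("BER length  %d\n", sig_bitstring_is_strict_der(SIG_BERLENGTH, sizeof SIG_BERLENGTH));
    return 0;
}
```

   Each of the rejected samples is a distinct way of changing the bytes
   outside the signed portion of a certificate without invalidating the
   signature; a fingerprint-based blacklist that does not apply such checks
   sees a different certificate for each of them.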
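   An added example for the heartbeat bounds check (CVE-2014-0160) in the
   1.0.1g entry above: a simplified model of RFC 6520 heartbeat processing,
   written for this page rather than taken from OpenSSL, with the vulnerable
   shape beside the fixed one. The record and the "secret" that follows it in
   memory are constructed; keeping them in one array makes the over-read
   defined behaviour here, whereas in OpenSSL the copy ran off the record
   into neighbouring heap memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of heartbeat handling (added example, not OpenSSL code). A message is
 *     type(1) | payload_length(2) | payload | padding(>= 16 bytes)
 * and the responder echoes payload_length bytes of payload back.
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": a 6-byte heartbeat record with no padding,
 * followed by data the peer must never see. */
static uint8_t memory[64];
#define RECORD_LEN 6
static const char SECRET[] = "SECRET-KEY-MATERIAL";

static void memory_init(void)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = 0x00; memory[2] = 0x20;                 /* claims 32 payload bytes */
    memory[3] = 'a'; memory[4] = 'b'; memory[5] = 'c';  /* only 3 are present */
    memcpy(memory + RECORD_LEN, SECRET, sizeof SECRET - 1);
}

/* Vulnerable shape: trusts the peer-supplied payload_length and never
 * compares it with the length of the record actually received. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                /* never consulted: the bug */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (out_cap < 3 + payload + HB_PADDING)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* reads beyond the record */
    memset(out + 3 + payload, 0, HB_PADDING);     /* padding (random in TLS) */
    return 3 + payload + HB_PADDING;
}

/* Fixed shape: silently discard any message whose claimed payload plus the
 * mandatory padding does not fit inside the received record. */
size_t hb_reply_fixed(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                 /* too short to be valid */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                 /* the missing bounds check */
    if (out_cap < 3 + payload + HB_PADDING)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

static uint8_t reply[256];

/* Malformed record through the vulnerable code: returns 1 if the reply
 * contains the secret that sat beyond the end of the record. */
int vulnerable_leaks_secret(void)
{
    memory_init();
    size_t n = hb_reply_vulnerable(memory, RECORD_LEN, reply, sizeof reply);
    /* reply[3..5] echo "abc"; everything after that came from past the record */
    return n == 3 + 32 + HB_PADDING &&
           memcmp(reply + 6, SECRET, sizeof SECRET - 1) == 0;
}

/* Same record through the fixed code: must be dropped (returns 0). */
size_t fixed_rejects_malformed(void)
{
    memory_init();
    return hb_reply_fixed(memory, RECORD_LEN, reply, sizeof reply);
}

/* A well-formed request (3-byte payload, 16 bytes of padding) still gets a
 * 22-byte response from the fixed code. */
size_t fixed_answers_valid(void)
{
    uint8_t rec[1 + 2 + 3 + HB_PADDING] = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c'};
    return hb_reply_fixed(rec, sizeof rec, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable code leaked the secret: %d\n", vulnerable_leaks_secret());
    printf("fixed code reply length for malformed record: %zu\n", fixed_rejects_malformed());
    printf("fixed code reply length for valid record: %zu\n", fixed_answers_valid());
    return 0;
}
```

   The entry's figure of "up to 64k" is the 16-bit payload_length field: the
   vulnerable path copies whatever that field says, so each request returns
   up to 65535 bytes starting where the short record ends.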

   *Adam Langley, Steve Henson*

### Changes between 1.0.1e and 1.0.1f [6 Jan 2014]

 * Fix for TLS record tampering bug. A carefully crafted invalid
   handshake could crash OpenSSL with a NULL pointer exception.
   Thanks to Anton Johansson for reporting this issue.
   ([CVE-2013-4353])

 * Keep original DTLS digest and encryption contexts in retransmission
   structures so we can use the previous session parameters if they need
   to be resent. ([CVE-2013-6450])

   *Steve Henson*

 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
   Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
   several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.

   *Rob Stradling, Adam Langley*

### Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
   supporting platforms or when small records were transferred.

   *Andy Polyakov, Steve Henson*

### Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

   This addresses the flaw in CBC record processing discovered by
   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
   at: <http://www.isg.rhul.ac.uk/tls/>

   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
   Emilia Käsper for the initial patch.
   ([CVE-2013-0169])

   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*

 * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
   ciphersuites which can be exploited in a denial of service attack.
   Thanks go to Adam Langley <agl@chromium.org> for discovering
   and detecting this bug and to Wolfgang Ettlinger
   <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
   ([CVE-2012-2686])

   *Adam Langley*

 * Return an error when checking OCSP signatures when key is NULL.
   This fixes a DoS attack. ([CVE-2013-0166])

   *Steve Henson*

 * Make openssl verify return errors.

   *Chris Palmer <palmer@google.com> and Ben Laurie*

 * Call OCSP Stapling callback after ciphersuite has been chosen, so
   the right response is stapled. Also change SSL_get_certificate()
   so it returns the certificate actually sent.
   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.

   *Rob Stradling <rob.stradling@comodo.com>*

 * Fix possible deadlock when decoding public keys.

   *Steve Henson*

 * Don't use TLS 1.0 record version number in initial client hello
   if renegotiating.

   *Steve Henson*

### Changes between 1.0.1b and 1.0.1c [10 May 2012]

 * Sanity check record length before skipping explicit IV in TLS
   1.2, 1.1 and DTLS to fix DoS attack.

   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
   fuzzing as a service testing platform.
   ([CVE-2012-2333])

   *Steve Henson*

 * Initialise tkeylen properly when encrypting CMS messages.
   Thanks to Solar Designer of Openwall for reporting this issue.

   *Steve Henson*

 * In F IPS mode don't try to use composite ciphers as they are not
   approved.

   *Steve Henson*

### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

 * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
   1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
   mean any application compiled against OpenSSL 1.0.0 headers setting
   SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
   TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
   0x10000000L. Any application which was previously compiled against
   OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
   will need to be recompiled as a result. Leaving the old value in place
   would make it impossible to disable TLS 1.1 specifically and, in the
   client context, would in that unlikely event limit the maximum offered
   version to TLS 1.0 [see below].

   *Steve Henson*

 * In order to ensure interoperability SSL_OP_NO_protocolX does not
   disable just protocol X, but all protocols above X *if* there are
   protocols *below* X still enabled. In more practical terms it means
   that if application wants to disable TLS1.0 in favor of TLS1.1 and
   above, it's not sufficient to pass `SSL_OP_NO_TLSv1`, one has to pass
   `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`. This applies to
   client side.

   *Andy Polyakov*

### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

 * Check for potentially exploitable overflows in asn1_d2i_read_bio
   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
   in CRYPTO_realloc_clean.

   Thanks to Tavis Ormandy, Google Security Team, for discovering this
   issue and to Adam Langley <agl@chromium.org> for fixing it.
   ([CVE-2012-2110])

   *Adam Langley (Google), Tavis Ormandy, Google Security Team*

 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
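   An added example of the SSL_OP_NO_protocolX rule from the 1.0.1b entry
   above: a model, written for this page and not taken from OpenSSL, of how a
   client's highest offered version follows from its SSL_OP_NO_* options when
   the set of offered versions is kept contiguous. The option and version
   constants are assumed to match the 1.0.1 headers (SSL_OP_NO_TLSv1_1 is the
   value the entry above gives; the others are assumptions for this example).

```c
#include <stdio.h>

/* Option bits, assumed to match OpenSSL 1.0.1 headers (SSL_OP_NO_TLSv1_1 as
 * stated in the 1.0.1b entry; the rest are assumptions for this example). */
#define SSL_OP_NO_SSLv2   0x01000000L
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L

/* Protocol version numbers as they appear on the wire. */
#define SSL2_VERSION   0x0002
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Highest version a client offers in its ClientHello for the given options.
 * Walking down from TLS 1.2: a disabled version X pulls the offer down to
 * the version below X only if some version below X is still enabled. If
 * everything below X is disabled too, the hole is ignored and X stays
 * offered, so the offered versions never have a gap. Model only: not
 * OpenSSL's own code. */
unsigned client_hello_version(long options)
{
    long mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SSLv2;
    unsigned version = TLS1_2_VERSION;

    if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
        version = TLS1_1_VERSION;
    mask &= ~SSL_OP_NO_TLSv1_1;
    if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
        version = TLS1_VERSION;
    mask &= ~SSL_OP_NO_TLSv1;
    if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
        version = SSL3_VERSION;
    mask &= ~SSL_OP_NO_SSLv3;
    if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
        version = SSL2_VERSION;
    return version;
}

/* The two configurations the entry contrasts. */
unsigned naive_disable_tls10(void)       /* SSL_OP_NO_TLSv1 alone */
{
    return client_hello_version(SSL_OP_NO_TLSv1);
}

unsigned correct_disable_tls10(void)     /* everything below TLS 1.1 disabled */
{
    return client_hello_version(SSL_OP_NO_TLSv1 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SSLv2);
}

int main(void)
{
    printf("no options                       -> 0x%04x\n", client_hello_version(0));
    printf("SSL_OP_NO_TLSv1 alone            -> 0x%04x\n", naive_disable_tls10());
    printf("NO_TLSv1|NO_SSLv3|NO_SSLv2       -> 0x%04x\n", correct_disable_tls10());
    printf("SSL_OP_NO_TLSv1_1 alone          -> 0x%04x\n",
           client_hello_version(SSL_OP_NO_TLSv1_1));
    return 0;
}
```

   With `SSL_OP_NO_TLSv1` alone the client ends up offering at most SSL 3.0,
   which is the behaviour the entry warns about; adding `SSL_OP_NO_SSLv3` and
   `SSL_OP_NO_SSLv2` closes the hole below TLS 1.1 and the offer goes back up
   to TLS 1.2.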

   *Adam Langley*

 * Workarounds for some broken servers that "hang" if a client hello
   record length exceeds 255 bytes.

   1. Do not use record version number > TLS 1.0 in initial client
      hello: some (but not all) hanging servers will now work.
   2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
      the number of ciphers sent in the client hello. This should be
      set to an even number, such as 50, for example by passing:
      -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
      Most broken servers should now work.
   3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
      TLS 1.2 client support entirely.

   *Steve Henson*

 * Fix SEGV in Vector Permutation AES module observed in OpenSSH.

   *Andy Polyakov*

### Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

 * Add compatibility with old MDC2 signatures which use an ASN1 OCTET
   STRING form instead of a DigestInfo.

   *Steve Henson*

 * The format used for MDC2 RSA signatures is inconsistent between EVP
   and the RSA_sign/RSA_verify functions. This was made more apparent when
   OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
   those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
   the correct format in RSA_verify so both forms transparently work.

   *Steve Henson*

 * Some servers which support TLS 1.0 can choke if we initially indicate
   support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
   encrypted premaster secret. As a workaround use the maximum permitted
   client version in client hello, this should keep such servers happy
   and still work with previous versions of OpenSSL.

   *Steve Henson*

 * Add support for TLS/DTLS heartbeats.

   *Robin Seggelmann <seggelmann@fh-muenster.de>*

 * Add support for SCTP.

   *Robin Seggelmann <seggelmann@fh-muenster.de>*

 * Improved PRNG seeding for VOS.

   *Paul Green <Paul.Green@stratus.com>*

 * Extensive assembler packs updates, most notably:

   - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
   - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
   - x86_64: bit-sliced AES implementation;
   - ARM: NEON support, contemporary platforms optimizations;
   - s390x: z196 support;
   - `*`: GHASH and GF(2^m) multiplication implementations;

   *Andy Polyakov*

 * Make TLS-SRP code conformant with RFC 5054 API cleanup
   (removal of unnecessary code)

   *Peter Sylvester <peter.sylvester@edelweb.fr>*

 * Add TLS key material exporter from RFC 5705.

   *Eric Rescorla*

 * Add DTLS-SRTP negotiation from RFC 5764.

   *Eric Rescorla*

 * Add Next Protocol Negotiation,
   <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
   disabled with a no-npn flag to config or Configure. Code donated
   by Google.

   *Adam Langley <agl@google.com> and Ben Laurie*

 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
   NIST-P256, NIST-P521, with constant-time single point multiplication on
   typical inputs. Compiler support for the nonstandard type `__uint128_t` is
   required to use this (present in gcc 4.4 and later, for 64-bit builds).
   Code made available under Apache License version 2.0.

   Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
   line to include this in your build of OpenSSL, and run "make depend" (or
   "make update"). This enables the following EC_METHODs:

           EC_GFp_nistp224_method()
           EC_GFp_nistp256_method()
           EC_GFp_nistp521_method()

   EC_GROUP_new_by_curve_name() will automatically use these (while
   EC_GROUP_new_curve_GFp() currently prefers the more flexible
   implementations).

   *Emilia Käsper, Adam Langley, Bodo Moeller (Google)*

 * Use type ossl_ssize_t instead of ssize_t which isn't available on
   all platforms. Move ssize_t definition from e_os.h to the public
   header file e_os2.h as it now appears in public header file cms.h

   *Steve Henson*

 * New -sigopt option to the ca, req and x509 utilities. Additional
   signature parameters can be passed using this option and in
   particular PSS.

   *Steve Henson*

 * Add RSA PSS signing function. This will generate and set the
   appropriate AlgorithmIdentifiers for PSS based on those in the
   corresponding EVP_MD_CTX structure. No application support yet.

   *Steve Henson*

 * Support for companion algorithm specific ASN1 signing routines.
   New function ASN1_item_sign_ctx() signs a pre-initialised
   EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
   the appropriate parameters.

   *Steve Henson*

 * Add new algorithm specific ASN1 verification initialisation function
   to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
   handling will be the same no matter what EVP_PKEY_METHOD is used.
   Add a PSS handler to support verification of PSS signatures: checked
   against a number of sample certificates.

   *Steve Henson*

 * Add signature printing for PSS. Add PSS OIDs.

   *Steve Henson, Martin Kaiser <lists@kaiser.cx>*

 * Add algorithm specific signature printing. An individual ASN1 method
   can now print out signatures instead of the standard hex dump.

   More complex signatures (e.g. PSS) can print out more meaningful
   information. Include DSA version that prints out the signature
   parameters r, s.

   *Steve Henson*

 * Password based recipient info support for CMS library: implementing
   RFC3211.

   *Steve Henson*

 * Split password based encryption into PBES2 and PBKDF2 functions. This
   neatly separates the code into cipher and PBE sections and is required
   for some algorithms that split PBES2 into separate pieces (such as
   password based CMS).

   *Steve Henson*

 * Session-handling fixes:
   - Fix handling of connections that are resuming with a session ID,
     but also support Session Tickets.
   - Fix a bug that suppressed issuing of a new ticket if the client
     presented a ticket with an expired session.
   - Try to set the ticket lifetime hint to something reasonable.
   - Make tickets shorter by excluding irrelevant information.
   - On the client side, don't ignore renewed tickets.

   *Adam Langley, Bodo Moeller (Google)*

 * Fix PSK session representation.

   *Bodo Moeller*

 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.

   This work was sponsored by Intel.

   *Andy Polyakov*

 * Add GCM support to TLS library. Some custom code is needed to split
   the IV between the fixed (from PRF) and explicit (from TLS record)
   portions. This adds all GCM ciphersuites supported by RFC5288 and
   RFC5289. Generalise some `AES*` cipherstrings to include GCM and
   add a special AESGCM string for GCM only.

   *Steve Henson*

 * Expand range of ctrls for AES GCM. Permit setting invocation
   field on decrypt and retrieval of invocation field only on encrypt.

   *Steve Henson*

 * Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
   As required by RFC5289 these ciphersuites cannot be used for
   versions of TLS earlier than 1.2.

   *Steve Henson*

 * For FIPS capable OpenSSL interpret a NULL default public key method
   as unset and return the appropriate default but do *not* set the default.
   This means we can return the appropriate method in applications that
   switch between FIPS and non-FIPS modes.

   *Steve Henson*

 * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
   ENGINE is used then we cannot handle that in the FIPS module so we
   keep original code iff non-FIPS operations are allowed.

   *Steve Henson*

 * Add -attime option to openssl utilities.

   *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*

 * Redirect DSA and DH operations to FIPS module in FIPS mode.

   *Steve Henson*

 * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
   FIPS EC methods unconditionally for now.

   *Steve Henson*

 * New build option no-ec2m to disable characteristic 2 code.

   *Steve Henson*

 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
   all cases can be covered as some introduce binary incompatibilities.

   *Steve Henson*

 * Redirect RSA operations to FIPS module including keygen,
   encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.

   *Steve Henson*

 * Add similar low-level API blocking to ciphers.

   *Steve Henson*

 * low-level digest APIs are not approved in FIPS mode: any attempt
   to use these will cause a fatal error. Applications that *really* want
   to use them can use the `private_*` version instead.

   *Steve Henson*

 * Redirect cipher operations to FIPS module for FIPS builds.

   *Steve Henson*

 * Redirect digest operations to FIPS module for FIPS builds.

   *Steve Henson*

 * Update build system to add "fips" flag which will link in fipscanister.o
   for static and shared library builds embedding a signature if needed.

   *Steve Henson*

 * Output TLS supported curves in preference order instead of numerical
   order.
This is currently hardcoded for the highest order curves first. 9728 This should be configurable so applications can judge speed vs strength. 9729 9730 *Steve Henson* 9731 9732 * Add TLS v1.2 server support for client authentication. 9733 9734 *Steve Henson* 9735 9736 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers 9737 and enable MD5. 9738 9739 *Steve Henson* 9740 9741 * Functions FIPS_mode_set() and FIPS_mode() which call the underlying 9742 FIPS modules versions. 9743 9744 *Steve Henson* 9745 9746 * Add TLS v1.2 client side support for client authentication. Keep cache 9747 of handshake records longer as we don't know the hash algorithm to use 9748 until after the certificate request message is received. 9749 9750 *Steve Henson* 9751 9752 * Initial TLS v1.2 client support. Add a default signature algorithms 9753 extension including all the algorithms we support. Parse new signature 9754 format in client key exchange. Relax some ECC signing restrictions for 9755 TLS v1.2 as indicated in RFC5246. 9756 9757 *Steve Henson* 9758 9759 * Add server support for TLS v1.2 signature algorithms extension. Switch 9760 to new signature format when needed using client digest preference. 9761 All server ciphersuites should now work correctly in TLS v1.2. No client 9762 support yet and no support for client certificates. 9763 9764 *Steve Henson* 9765 9766 * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch 9767 to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based 9768 ciphersuites. At present only RSA key exchange ciphersuites work with 9769 TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete 9770 SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods 9771 and version checking. 9772 9773 *Steve Henson* 9774 9775 * New option OPENSSL_NO_SSL_INTERN. If an application can be compiled 9776 with this defined it will not be affected by any changes to ssl internal 9777 structures. 
Add several utility functions to allow openssl application 9778 to work with OPENSSL_NO_SSL_INTERN defined. 9779 9780 *Steve Henson* 9781 9782 * A long standing patch to add support for SRP from EdelWeb (Peter 9783 Sylvester and Christophe Renou) was integrated. 9784 *Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester 9785 <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and 9786 Ben Laurie* 9787 9788 * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. 9789 9790 *Steve Henson* 9791 9792 * Permit abbreviated handshakes when renegotiating using the function 9793 SSL_renegotiate_abbreviated(). 9794 9795 *Robin Seggelmann <seggelmann@fh-muenster.de>* 9796 9797 * Add call to ENGINE_register_all_complete() to 9798 ENGINE_load_builtin_engines(), so some implementations get used 9799 automatically instead of needing explicit application support. 9800 9801 *Steve Henson* 9802 9803 * Add support for TLS key exporter as described in RFC5705. 9804 9805 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson* 9806 9807 * Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only 9808 a few changes are required: 9809 9810 Add SSL_OP_NO_TLSv1_1 flag. 9811 Add TLSv1_1 methods. 9812 Update version checking logic to handle version 1.1. 9813 Add explicit IV handling (ported from DTLS code). 9814 Add command line options to s_client/s_server. 9815 9816 *Steve Henson* 9817 9818OpenSSL 1.0.0 9819------------- 9820 9821### Changes between 1.0.0s and 1.0.0t [3 Dec 2015] 9822 9823 * X509_ATTRIBUTE memory leak 9824 9825 When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak 9826 memory. This structure is used by the PKCS#7 and CMS routines so any 9827 application which reads PKCS#7 or CMS data from untrusted sources is 9828 affected. SSL/TLS is not affected. 9829 9830 This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using 9831 libFuzzer. 
9832 ([CVE-2015-3195]) 9833 9834 *Stephen Henson* 9835 9836 * Race condition handling PSK identify hint 9837 9838 If PSK identity hints are received by a multi-threaded client then 9839 the values are wrongly updated in the parent SSL_CTX structure. This can 9840 result in a race condition potentially leading to a double free of the 9841 identify hint data. 9842 ([CVE-2015-3196]) 9843 9844 *Stephen Henson* 9845 9846### Changes between 1.0.0r and 1.0.0s [11 Jun 2015] 9847 9848 * Malformed ECParameters causes infinite loop 9849 9850 When processing an ECParameters structure OpenSSL enters an infinite loop 9851 if the curve specified is over a specially malformed binary polynomial 9852 field. 9853 9854 This can be used to perform denial of service against any 9855 system which processes public keys, certificate requests or 9856 certificates. This includes TLS clients and TLS servers with 9857 client authentication enabled. 9858 9859 This issue was reported to OpenSSL by Joseph Barr-Pixton. 9860 ([CVE-2015-1788]) 9861 9862 *Andy Polyakov* 9863 9864 * Exploitable out-of-bounds read in X509_cmp_time 9865 9866 X509_cmp_time does not properly check the length of the ASN1_TIME 9867 string and can read a few bytes out of bounds. In addition, 9868 X509_cmp_time accepts an arbitrary number of fractional seconds in the 9869 time string. 9870 9871 An attacker can use this to craft malformed certificates and CRLs of 9872 various sizes and potentially cause a segmentation fault, resulting in 9873 a DoS on applications that verify certificates or CRLs. TLS clients 9874 that verify CRLs are affected. TLS clients and servers with client 9875 authentication enabled may be affected if they use custom verification 9876 callbacks. 9877 9878 This issue was reported to OpenSSL by Robert Swiecki (Google), and 9879 independently by Hanno Böck. 
9880 ([CVE-2015-1789]) 9881 9882 *Emilia Käsper* 9883 9884 * PKCS7 crash with missing EnvelopedContent 9885 9886 The PKCS#7 parsing code does not handle missing inner EncryptedContent 9887 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs 9888 with missing content and trigger a NULL pointer dereference on parsing. 9889 9890 Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 9891 structures from untrusted sources are affected. OpenSSL clients and 9892 servers are not affected. 9893 9894 This issue was reported to OpenSSL by Michal Zalewski (Google). 9895 ([CVE-2015-1790]) 9896 9897 *Emilia Käsper* 9898 9899 * CMS verify infinite loop with unknown hash function 9900 9901 When verifying a signedData message the CMS code can enter an infinite loop 9902 if presented with an unknown hash function OID. This can be used to perform 9903 denial of service against any system which verifies signedData messages using 9904 the CMS code. 9905 This issue was reported to OpenSSL by Johannes Bauer. 9906 ([CVE-2015-1792]) 9907 9908 *Stephen Henson* 9909 9910 * Race condition handling NewSessionTicket 9911 9912 If a NewSessionTicket is received by a multi-threaded client when attempting to 9913 reuse a previous ticket then a race condition can occur potentially leading to 9914 a double free of the ticket data. 9915 ([CVE-2015-1791]) 9916 9917 *Matt Caswell* 9918 9919### Changes between 1.0.0q and 1.0.0r [19 Mar 2015] 9920 9921 * Segmentation fault in ASN1_TYPE_cmp fix 9922 9923 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is 9924 made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check 9925 certificate signature algorithm consistency this can be used to crash any 9926 certificate verification operation and exploited in a DoS attack. Any 9927 application which performs certificate verification is vulnerable including 9928 OpenSSL clients and servers which enable client authentication. 
9929 ([CVE-2015-0286]) 9930 9931 *Stephen Henson* 9932 9933 * ASN.1 structure reuse memory corruption fix 9934 9935 Reusing a structure in ASN.1 parsing may allow an attacker to cause 9936 memory corruption via an invalid write. Such reuse is and has been 9937 strongly discouraged and is believed to be rare. 9938 9939 Applications that parse structures containing CHOICE or ANY DEFINED BY 9940 components may be affected. Certificate parsing (d2i_X509 and related 9941 functions) are however not affected. OpenSSL clients and servers are 9942 not affected. 9943 ([CVE-2015-0287]) 9944 9945 *Stephen Henson* 9946 9947 * PKCS7 NULL pointer dereferences fix 9948 9949 The PKCS#7 parsing code does not handle missing outer ContentInfo 9950 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with 9951 missing content and trigger a NULL pointer dereference on parsing. 9952 9953 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or 9954 otherwise parse PKCS#7 structures from untrusted sources are 9955 affected. OpenSSL clients and servers are not affected. 9956 9957 This issue was reported to OpenSSL by Michal Zalewski (Google). 9958 ([CVE-2015-0289]) 9959 9960 *Emilia Käsper* 9961 9962 * DoS via reachable assert in SSLv2 servers fix 9963 9964 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in 9965 servers that both support SSLv2 and enable export cipher suites by sending 9966 a specially crafted SSLv2 CLIENT-MASTER-KEY message. 9967 9968 This issue was discovered by Sean Burford (Google) and Emilia Käsper 9969 (OpenSSL development team). 9970 ([CVE-2015-0293]) 9971 9972 *Emilia Käsper* 9973 9974 * Use After Free following d2i_ECPrivatekey error fix 9975 9976 A malformed EC private key file consumed via the d2i_ECPrivateKey function 9977 could cause a use after free condition. 
This, in turn, could cause a double 9978 free in several private key parsing functions (such as d2i_PrivateKey 9979 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption 9980 for applications that receive EC private keys from untrusted 9981 sources. This scenario is considered rare. 9982 9983 This issue was discovered by the BoringSSL project and fixed in their 9984 commit 517073cd4b. 9985 ([CVE-2015-0209]) 9986 9987 *Matt Caswell* 9988 9989 * X509_to_X509_REQ NULL pointer deref fix 9990 9991 The function X509_to_X509_REQ will crash with a NULL pointer dereference if 9992 the certificate key is invalid. This function is rarely used in practice. 9993 9994 This issue was discovered by Brian Carpenter. 9995 ([CVE-2015-0288]) 9996 9997 *Stephen Henson* 9998 9999 * Removed the export ciphers from the DEFAULT ciphers 10000 10001 *Kurt Roeckx* 10002 10003### Changes between 1.0.0p and 1.0.0q [15 Jan 2015] 10004 10005 * Build fixes for the Windows and OpenVMS platforms 10006 10007 *Matt Caswell and Richard Levitte* 10008 10009### Changes between 1.0.0o and 1.0.0p [8 Jan 2015] 10010 10011 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS 10012 message can cause a segmentation fault in OpenSSL due to a NULL pointer 10013 dereference. This could lead to a Denial Of Service attack. Thanks to 10014 Markus Stenberg of Cisco Systems, Inc. for reporting this issue. 10015 ([CVE-2014-3571]) 10016 10017 *Steve Henson* 10018 10019 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the 10020 dtls1_buffer_record function under certain conditions. In particular this 10021 could occur if an attacker sent repeated DTLS records with the same 10022 sequence number but for the next epoch. The memory leak could be exploited 10023 by an attacker in a Denial of Service attack through memory exhaustion. 10024 Thanks to Chris Mueller for reporting this issue. 
10025 ([CVE-2015-0206]) 10026 10027 *Matt Caswell* 10028 10029 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is 10030 built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl 10031 method would be set to NULL which could later result in a NULL pointer 10032 dereference. Thanks to Frank Schmirler for reporting this issue. 10033 ([CVE-2014-3569]) 10034 10035 *Kurt Roeckx* 10036 10037 * Abort handshake if server key exchange message is omitted for ephemeral 10038 ECDH ciphersuites. 10039 10040 Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for 10041 reporting this issue. 10042 ([CVE-2014-3572]) 10043 10044 *Steve Henson* 10045 10046 * Remove non-export ephemeral RSA code on client and server. This code 10047 violated the TLS standard by allowing the use of temporary RSA keys in 10048 non-export ciphersuites and could be used by a server to effectively 10049 downgrade the RSA key length used to a value smaller than the server 10050 certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at 10051 INRIA or reporting this issue. 10052 ([CVE-2015-0204]) 10053 10054 *Steve Henson* 10055 10056 * Fixed issue where DH client certificates are accepted without verification. 10057 An OpenSSL server will accept a DH certificate for client authentication 10058 without the certificate verify message. This effectively allows a client to 10059 authenticate without the use of a private key. This only affects servers 10060 which trust a client certificate authority which issues certificates 10061 containing DH keys: these are extremely rare and hardly ever encountered. 10062 Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting 10063 this issue. 10064 ([CVE-2015-0205]) 10065 10066 *Steve Henson* 10067 10068 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect 10069 results on some platforms, including x86_64. 
This bug occurs at random 10070 with a very low probability, and is not known to be exploitable in any 10071 way, though its exact impact is difficult to determine. Thanks to Pieter 10072 Wuille (Blockstream) who reported this issue and also suggested an initial 10073 fix. Further analysis was conducted by the OpenSSL development team and 10074 Adam Langley of Google. The final fix was developed by Andy Polyakov of 10075 the OpenSSL core team. 10076 ([CVE-2014-3570]) 10077 10078 *Andy Polyakov* 10079 10080 * Fix various certificate fingerprint issues. 10081 10082 By using non-DER or invalid encodings outside the signed portion of a 10083 certificate the fingerprint can be changed without breaking the signature. 10084 Although no details of the signed portion of the certificate can be changed 10085 this can cause problems with some applications: e.g. those using the 10086 certificate fingerprint for blacklists. 10087 10088 1. Reject signatures with non zero unused bits. 10089 10090 If the BIT STRING containing the signature has non zero unused bits reject 10091 the signature. All current signature algorithms require zero unused bits. 10092 10093 2. Check certificate algorithm consistency. 10094 10095 Check the AlgorithmIdentifier inside TBS matches the one in the 10096 certificate signature. NB: this will result in signature failure 10097 errors for some broken certificates. 10098 10099 Thanks to Konrad Kraszewski from Google for reporting this issue. 10100 10101 3. Check DSA/ECDSA signatures use DER. 10102 10103 Re-encode DSA/ECDSA signatures and compare with the original received 10104 signature. Return an error if there is a mismatch. 10105 10106 This will reject various cases including garbage after signature 10107 (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS 10108 program for discovering this case) and use of BER or invalid ASN.1 INTEGERs 10109 (negative or with leading zeroes). 
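The three checks above, as an added example that is not OpenSSL's code: a small strict-DER reader, the unused-bits and AlgorithmIdentifier checks on a Certificate, and the re-encode-and-compare check on a DSA/ECDSA Sig-Value, exercised on a constructed certificate skeleton. All function names, the skeleton builder and the r = 1, s = 2 sample signature are assumptions of this example; it also shows why the entry talks about fingerprints: flipping the unused-bits octet changes the SHA-1 of the DER without touching the signed portion.

```python
import hashlib


def der_read_tlv(buf, pos):
    """Read one TLV at buf[pos] -> (tag, value, next_pos); rejects BER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        lb, pos = buf[pos:pos + n], pos + n
        length = int.from_bytes(lb, "big")
        if lb[0] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, value):
    """DER TLV encoder (short and long length forms)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_encode_uint(x):
    """DER INTEGER in shortest form, a leading 0x00 only when the top bit is
    set. r and s of a DSA/ECDSA signature are never negative."""
    if x < 0:
        raise ValueError("negative INTEGER in signature")
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return der_encode(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def check_sig_value(sig):
    """Check 3: parse Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }, then
    re-encode and require a byte-for-byte match. Returns (r, s)."""
    tag, body, end = der_read_tlv(sig, 0)
    if tag != 0x30 or end != len(sig):
        raise ValueError("Sig-Value is not a lone SEQUENCE (trailing data?)")
    t1, rb, p = der_read_tlv(body, 0)
    t2, sb, p = der_read_tlv(body, p)
    if t1 != 0x02 or t2 != 0x02 or p != len(body):
        raise ValueError("Sig-Value must hold exactly two INTEGERs")
    r = int.from_bytes(rb, "big", signed=True)
    s = int.from_bytes(sb, "big", signed=True)
    if der_encode(0x30, der_encode_uint(r) + der_encode_uint(s)) != sig:
        raise ValueError("INTEGER has leading zeroes or a BER length")
    return r, s

def check_certificate(cert):
    """Checks 1 and 2 on a DER Certificate; returns the raw signature bytes."""
    tag, body, end = der_read_tlv(cert, 0)
    if tag != 0x30 or end != len(cert):
        raise ValueError("bad outer Certificate SEQUENCE")
    t0, tbs, p = der_read_tlv(body, 0)
    t1, outer_alg, p = der_read_tlv(body, p)
    t2, bits, p = der_read_tlv(body, p)
    if (t0, t1, t2) != (0x30, 0x30, 0x03) or p != len(body):
        raise ValueError("expected {tbsCertificate, sigAlg, BIT STRING}")
    if not bits or bits[0] != 0:        # check 1: unused-bits octet
        raise ValueError("signature BIT STRING has non-zero unused bits")
    t, _, q = der_read_tlv(tbs, 0)
    if t == 0xA0:                       # skip optional [0] EXPLICIT version
        t, _, q = der_read_tlv(tbs, q)
    if t != 0x02:
        raise ValueError("serialNumber expected in TBSCertificate")
    t, inner_alg, q = der_read_tlv(tbs, q)
    if t != 0x30 or inner_alg != outer_alg:  # check 2: algorithm consistency
        raise ValueError("TBS and outer AlgorithmIdentifier differ")
    return bits[1:]

# ecdsa-with-SHA256, OID 1.2.840.10045.4.3.2, as an AlgorithmIdentifier.
ECDSA_SHA256 = der_encode(0x30, bytes.fromhex("06082a8648ce3d040302"))

def build_skeleton_cert(sig, inner_alg=ECDSA_SHA256, outer_alg=ECDSA_SHA256,
                        unused_bits=0):
    """Constructed input, not a real certificate: the TBS holds only a serial
    number and the signature AlgorithmIdentifier, enough for checks 1 and 2."""
    tbs = der_encode(0x30, der_encode_uint(1) + inner_alg)
    bits = der_encode(0x03, bytes([unused_bits]) + sig)
    return der_encode(0x30, tbs + outer_alg + bits)

def fingerprint(cert):
    """SHA-1 over the whole DER encoding, signature bytes included."""
    return hashlib.sha1(cert).hexdigest()

def rejected(check, data):
    """True when check() refuses data with ValueError (demo helper)."""
    try:
        check(data)
    except ValueError:
        return True
    return False
```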

   Further analysis was conducted and fixes were developed by Stephen Henson
   of the OpenSSL core team.

   ([CVE-2014-8275])

   *Steve Henson*

### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]

 * Session Ticket Memory Leak.

   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   integrity of that ticket is first verified. In the event of a session
   ticket integrity check failing, OpenSSL will fail to free memory
   causing a memory leak. By sending a large number of invalid session
   tickets an attacker could exploit this issue in a Denial Of Service
   attack.
   ([CVE-2014-3567])

   *Steve Henson*

 * Build option no-ssl3 is incomplete.

   When OpenSSL is configured with "no-ssl3" as a build option, servers
   could accept and complete an SSL 3.0 handshake, and clients could be
   configured to send them.
   ([CVE-2014-3568])

   *Akamai and the OpenSSL team*

 * Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call
   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   ([CVE-2014-3566])

   *Adam Langley, Bodo Moeller*

 * Add additional DigestInfo checks.

   Re-encode DigestInfo in DER and check against the original when
   verifying RSA signature: this will reject any improperly encoded
   DigestInfo structures.

   Note: this is a precautionary measure and no attacks are currently known.

   *Steve Henson*

### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]

 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   to a denial of service attack. A malicious server can crash the client
   with a null pointer dereference (read) by specifying an anonymous (EC)DH
   ciphersuite and sending carefully crafted handshake messages.

   Thanks to Felix Gröbert (Google) for discovering and researching this
   issue.
   ([CVE-2014-3510])

   *Emilia Käsper*

 * By sending carefully crafted DTLS packets an attacker could cause openssl
   to leak memory. This can be exploited through a Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3507])

   *Adam Langley*

 * An attacker can force openssl to consume large amounts of memory whilst
   processing DTLS handshake messages. This can be exploited through a
   Denial of Service attack.
   Thanks to Adam Langley for discovering and researching this issue.
   ([CVE-2014-3506])

   *Adam Langley*

 * An attacker can force an error condition which causes openssl to crash
   whilst processing DTLS packets due to memory being freed twice. This
   can be exploited through a Denial of Service attack.
   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
   this issue.
   ([CVE-2014-3505])

   *Adam Langley*

 * If a multithreaded client connects to a malicious server using a resumed
   session and the server sends an ec point format extension it could write
   up to 255 bytes to freed memory.

   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
   issue.
   ([CVE-2014-3509])

   *Gabor Tyukasz*

 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
   X509_name_oneline, X509_name_print_ex et al. to leak some information
   from the stack. Applications may be affected if they echo pretty printing
   output to the attacker.

   Thanks to Ivan Fratric (Google) for discovering this issue.
   ([CVE-2014-3508])

   *Emilia Käsper, and Steve Henson*

 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   for corner cases. (Certain input points at infinity could lead to
   bogus results, with non-infinity inputs mapped to infinity too.)

   *Bodo Moeller*

### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]

 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
   handshake can force the use of weak keying material in OpenSSL
   SSL/TLS clients and servers.

   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
   researching this issue. ([CVE-2014-0224])

   *KIKUCHI Masashi, Steve Henson*

 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
   OpenSSL DTLS client the code can be made to recurse eventually crashing
   in a DoS attack.

   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
   ([CVE-2014-0221])

   *Imre Rad, Steve Henson*

 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
   client or server. This is potentially exploitable to run arbitrary
   code on a vulnerable client or server.

   Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])

   *Jüri Aedla, Steve Henson*

 * Fix bug in TLS code where clients enabling anonymous ECDH ciphersuites
   are subject to a denial of service attack.

   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
   this issue. ([CVE-2014-3470])

   *Felix Gröbert, Ivan Fratric, Steve Henson*

 * Harmonize version and its documentation. -f flag is used to display
   compilation flags.

   *mancha <mancha1@zoho.com>*

 * Fix eckey_priv_encode so it immediately returns an error upon a failure
   in i2d_ECPrivateKey.

   *mancha <mancha1@zoho.com>*

 * Fix some double frees. These are not thought to be exploitable.

   *mancha <mancha1@zoho.com>*

 * Fix for the attack described in the paper "Recovering OpenSSL
   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   by Yuval Yarom and Naomi Benger. Details can be obtained from:
   <http://eprint.iacr.org/2014/140>

   Thanks to Yuval Yarom and Naomi Benger for discovering this
   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])

   *Yuval Yarom and Naomi Benger*

### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]

 * Keep original DTLS digest and encryption contexts in retransmission
   structures so we can use the previous session parameters if they need
   to be resent. ([CVE-2013-6450])

   *Steve Henson*

 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
   Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
   several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.

   *Rob Stradling, Adam Langley*

### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]

 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

   This addresses the flaw in CBC record processing discovered by
   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
   at: <http://www.isg.rhul.ac.uk/tls/>

   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
   Emilia Käsper for the initial patch.
   ([CVE-2013-0169])

   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*

 * Return an error when checking OCSP signatures when key is NULL.
   This fixes a DoS attack. ([CVE-2013-0166])

   *Steve Henson*

 * Call OCSP Stapling callback after ciphersuite has been chosen, so
   the right response is stapled. Also change SSL_get_certificate()
   so it returns the certificate actually sent.
   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
   (This is a backport)

   *Rob Stradling <rob.stradling@comodo.com>*

 * Fix possible deadlock when decoding public keys.

   *Steve Henson*

### Changes between 1.0.0i and 1.0.0j [10 May 2012]

[NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
OpenSSL 1.0.1.]

 * Sanity check record length before skipping explicit IV in DTLS
   to fix DoS attack.

   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
   fuzzing as a service testing platform.
   ([CVE-2012-2333])

   *Steve Henson*

 * Initialise tkeylen properly when encrypting CMS messages.
   Thanks to Solar Designer of Openwall for reporting this issue.

   *Steve Henson*

### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]

 * Check for potentially exploitable overflows in asn1_d2i_read_bio
   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
   in CRYPTO_realloc_clean.

   Thanks to Tavis Ormandy, Google Security Team, for discovering this
   issue and to Adam Langley <agl@chromium.org> for fixing it.
   ([CVE-2012-2110])

   *Adam Langley (Google), Tavis Ormandy, Google Security Team*

### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]

 * Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
   in CMS and PKCS7 code. When RSA decryption fails use a random key for
   content decryption and always return the same error. Note: this attack
   needs on average 2^20 messages so it only affects automated senders. The
   old behaviour can be re-enabled in the CMS code by setting the
   CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
   an MMA defence is not necessary.
   Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
   this issue. ([CVE-2012-0884])

   *Steve Henson*

 * Fix CVE-2011-4619: make sure we really are receiving a
   client hello before rejecting multiple SGC restarts. Thanks to
   Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.

   *Steve Henson*

### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]

 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
   Thanks to Antonio Martin, Enterprise Secure Access Research and
   Development, Cisco Systems, Inc. for discovering this bug and
   preparing a fix. ([CVE-2012-0050])

   *Antonio Martin*

### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]

 * Nadhem Alfardan and Kenny Paterson have discovered an extension
   of the Vaudenay padding oracle attack on CBC mode encryption
   which enables an efficient plaintext recovery attack against
   the OpenSSL implementation of DTLS. Their attack exploits timing
   differences arising during decryption processing. A research
   paper describing this attack can be found at:
   <http://www.isg.rhul.ac.uk/~kp/dtls.pdf>
   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   Security Group at Royal Holloway, University of London
   (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
   <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
   for preparing the fix. ([CVE-2011-4108])

   *Robin Seggelmann, Michael Tuexen*

 * Clear bytes used for block padding of SSL 3.0 records.
   ([CVE-2011-4576])

   *Adam Langley (Google)*

 * Only allow one SGC handshake restart for SSL/TLS. Thanks to George
   Kadianakis <desnacked@gmail.com> for discovering this issue and
   Adam Langley for preparing the fix. ([CVE-2011-4619])

   *Adam Langley (Google)*

 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])

   *Andrey Kulikov <amdeich@gmail.com>*

 * Prevent malformed RFC3779 data triggering an assertion failure.
   Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
   and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])

   *Rob Austein <sra@hactrn.net>*

 * Improved PRNG seeding for VOS.

   *Paul Green <Paul.Green@stratus.com>*

 * Fix ssl_ciph.c set-up race.

   *Adam Langley (Google)*

 * Fix spurious failures in ecdsatest.c.

   *Emilia Käsper (Google)*

 * Fix the BIO_f_buffer() implementation (which was mixing different
   interpretations of the `..._len` fields).

   *Adam Langley (Google)*

 * Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
   BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
   threads won't reuse the same blinding coefficients.

   This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
   lock to call BN_BLINDING_invert_ex, and avoids one use of
   BN_BLINDING_update for each BN_BLINDING structure (previously,
   the last update always remained unused).

   *Emilia Käsper (Google)*

 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.

   *Bob Buckholz (Google)*

### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]

 * Fix bug where CRLs with nextUpdate in the past are sometimes accepted
   by initialising X509_STORE_CTX properly. ([CVE-2011-3207])

   *Kaspar Brand <ossl@velox.ch>*

 * Fix SSL memory handling for (EC)DH ciphersuites, in particular
   for multi-threaded use of ECDH. ([CVE-2011-3210])

   *Adam Langley (Google)*

 * Fix x509_name_ex_d2i memory leak on bad inputs.

   *Bodo Moeller*

 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
   signature public key algorithm by using OID xref utilities instead.
   Before this you could only use some ECC ciphersuites with SHA1 only.

   *Steve Henson*

 * Add protection against ECDSA timing attacks as mentioned in the paper
   by Billy Bob Brumley and Nicola Tuveri, see:
   <http://eprint.iacr.org/2011/232.pdf>

   *Billy Bob Brumley and Nicola Tuveri*

### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014

   *Neel Mehta, Adam Langley, Bodo Moeller (Google)*

 * Fix bug in string printing code: if *any* escaping is enabled we must
   escape the escape character (backslash) or the resulting string is
   ambiguous.

   *Steve Henson*

### Changes between 1.0.0b and 1.0.0c [2 Dec 2010]

 * Disable code workaround for ancient and obsolete Netscape browsers
   and servers: an attacker can use it in a ciphersuite downgrade attack.
   Thanks to Martin Rex for discovering this bug. CVE-2010-4180

   *Steve Henson*

 * Fixed J-PAKE implementation error, originally discovered by
   Sebastien Martini, further info and confirmation from Stefan
   Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252

   *Ben Laurie*

### Changes between 1.0.0a and 1.0.0b [16 Nov 2010]

 * Fix extension code to avoid race conditions which can result in a buffer
   overrun vulnerability: resumed sessions must not be modified as they can
   be shared by multiple threads. CVE-2010-3864

   *Steve Henson*

 * Fix WIN32 build system to correctly link an ENGINE directory into
   a DLL.

   *Steve Henson*

### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]

 * Check return value of int_rsa_verify in pkey_rsa_verifyrecover
   ([CVE-2010-1633])

   *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*

### Changes between 0.9.8n and 1.0.0 [29 Mar 2010]

 * Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
   context. The operation can be customised via the ctrl mechanism in
   case ENGINEs want to include additional functionality.

   *Steve Henson*

 * Tolerate yet another broken PKCS#8 key format: private key value negative.

   *Steve Henson*

 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
   output hashes compatible with older versions of OpenSSL.

   *Willy Weisz <weisz@vcpc.univie.ac.at>*

 * Fix compression algorithm handling: if resuming a session use the
   compression algorithm of the resumed session instead of determining
   it from client hello again. Don't allow server to change algorithm.

   *Steve Henson*

 * Add load_crls() function to commands tidying load_certs() too. Add option
   to verify utility to allow additional CRLs to be included.

   *Steve Henson*

 * Update OCSP request code to permit adding custom headers to the request:
   some responders need this.

   *Steve Henson*

 * The function EVP_PKEY_sign() returns <=0 on error: check return code
   correctly.

   *Julia Lawall <julia@diku.dk>*

 * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
   needlessly dereferenced structures, used obsolete functions and
   didn't handle all updated verify codes correctly.

   *Steve Henson*

 * Disable MD2 in the default configuration.

   *Steve Henson*

 * In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
   indicate the initial BIO being pushed or popped. This makes it possible
   to determine whether the BIO is the one explicitly called or as a result
   of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
   it handles reference counts correctly and doesn't zero out the I/O bio
   when it is not being explicitly popped. WARNING: applications which
   included workarounds for the old buggy behaviour will need to be modified
   or they could free up already freed BIOs.

   *Steve Henson*

 * Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
   renaming to all platforms (within the 0.9.8 branch, this was
   done conditionally on Netware platforms to avoid a name clash).

   *Guenter <lists@gknw.net>*

 * Add ECDHE and PSK support to DTLS.

   *Michael Tuexen <tuexen@fh-muenster.de>*

 * Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
   be used on C++.

   *Steve Henson*

 * Add "missing" function EVP_MD_flags() (without this the only way to
   retrieve a digest's flags is by accessing the structure directly). Update
   `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
   or cipher is registered as in the "from" argument. Print out all
   registered digests in the dgst usage message instead of manually
   attempting to work them out.

   *Steve Henson*

 * If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
   this allows the use of compression and extensions. Change default cipher
   string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
   by default unless an application cipher string requests it.

   *Steve Henson*

 * Alter match criteria in PKCS12_parse(). It used to try to use local
   key ids to find matching certificates and keys but some PKCS#12 files
   don't follow the (somewhat unwritten) rules and this strategy fails.
   Now just gather all certificates together and the first private key
   then look for the first certificate that matches the key.

   *Steve Henson*

 * Support use of registered digest and cipher names for dgst and cipher
   commands instead of having to add each one as a special case. So now
   you can do:

         openssl sha256 foo

   as well as:

         openssl dgst -sha256 foo

   and this works for ENGINE based algorithms too.

   *Steve Henson*

 * Update Gost ENGINE to support parameter files.

   *Victor B. Wagner <vitus@cryptocom.ru>*

 * Support GeneralizedTime in ca utility.

   *Oliver Martin <oliver@volatilevoid.net>, Steve Henson*

 * Enhance the hash format used for certificate directory links. The new
   form uses the canonical encoding (meaning equivalent names will work
   even if they aren't identical) and uses SHA1 instead of MD5. This form
   is incompatible with the older format and as a result c_rehash should
   be used to rebuild symbolic links.

   *Steve Henson*

 * Make PKCS#8 the default write format for private keys, replacing the
   traditional format.
This form is standardised, more secure and doesn't 10666 include an implicit MD5 dependency. 10667 10668 *Steve Henson* 10669 10670 * Add a $gcc_devteam_warn option to Configure. The idea is that any code 10671 committed to OpenSSL should pass this lot as a minimum. 10672 10673 *Steve Henson* 10674 10675 * Add session ticket override functionality for use by EAP-FAST. 10676 10677 *Jouni Malinen <j@w1.fi>* 10678 10679 * Modify HMAC functions to return a value. Since these can be implemented 10680 in an ENGINE errors can occur. 10681 10682 *Steve Henson* 10683 10684 * Type-checked OBJ_bsearch_ex. 10685 10686 *Ben Laurie* 10687 10688 * Type-checked OBJ_bsearch. Also some constification necessitated 10689 by type-checking. Still to come: TXT_DB, bsearch(?), 10690 OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING, 10691 CONF_VALUE. 10692 10693 *Ben Laurie* 10694 10695 * New function OPENSSL_gmtime_adj() to add a specific number of days and 10696 seconds to a tm structure directly, instead of going through OS 10697 specific date routines. This avoids any issues with OS routines such 10698 as the year 2038 bug. New `*_adj()` functions for ASN1 time structures 10699 and X509_time_adj_ex() to cover the extended range. The existing 10700 X509_time_adj() is still usable and will no longer have any date issues. 10701 10702 *Steve Henson* 10703 10704 * Delta CRL support. New use deltas option which will attempt to locate 10705 and search any appropriate delta CRLs available. 10706 10707 This work was sponsored by Google. 10708 10709 *Steve Henson* 10710 10711 * Support for CRLs partitioned by reason code. Reorganise CRL processing 10712 code and add additional score elements. Validate alternate CRL paths 10713 as part of the CRL checking and indicate a new error "CRL path validation 10714 error" in this case. Applications wanting additional details can use 10715 the verify callback and check the new "parent" field. 
If this is not 10716 NULL CRL path validation is taking place. Existing applications won't 10717 see this because it requires extended CRL support which is off by 10718 default. 10719 10720 This work was sponsored by Google. 10721 10722 *Steve Henson* 10723 10724 * Support for freshest CRL extension. 10725 10726 This work was sponsored by Google. 10727 10728 *Steve Henson* 10729 10730 * Initial indirect CRL support. Currently only supported in the CRLs 10731 passed directly and not via lookup. Process certificate issuer 10732 CRL entry extension and lookup CRL entries by bother issuer name 10733 and serial number. Check and process CRL issuer entry in IDP extension. 10734 10735 This work was sponsored by Google. 10736 10737 *Steve Henson* 10738 10739 * Add support for distinct certificate and CRL paths. The CRL issuer 10740 certificate is validated separately in this case. Only enabled if 10741 an extended CRL support flag is set: this flag will enable additional 10742 CRL functionality in future. 10743 10744 This work was sponsored by Google. 10745 10746 *Steve Henson* 10747 10748 * Add support for policy mappings extension. 10749 10750 This work was sponsored by Google. 10751 10752 *Steve Henson* 10753 10754 * Fixes to pathlength constraint, self issued certificate handling, 10755 policy processing to align with RFC3280 and PKITS tests. 10756 10757 This work was sponsored by Google. 10758 10759 *Steve Henson* 10760 10761 * Support for name constraints certificate extension. DN, email, DNS 10762 and URI types are currently supported. 10763 10764 This work was sponsored by Google. 10765 10766 *Steve Henson* 10767 10768 * To cater for systems that provide a pointer-based thread ID rather 10769 than numeric, deprecate the current numeric thread ID mechanism and 10770 replace it with a structure and associated callback type. 
This 10771 mechanism allows a numeric "hash" to be extracted from a thread ID in 10772 either case, and on platforms where pointers are larger than 'long', 10773 mixing is done to help ensure the numeric 'hash' is usable even if it 10774 can't be guaranteed unique. The default mechanism is to use "&errno" 10775 as a pointer-based thread ID to distinguish between threads. 10776 10777 Applications that want to provide their own thread IDs should now use 10778 CRYPTO_THREADID_set_callback() to register a callback that will call 10779 either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer(). 10780 10781 Note that ERR_remove_state() is now deprecated, because it is tied 10782 to the assumption that thread IDs are numeric. ERR_remove_state(0) 10783 to free the current thread's error state should be replaced by 10784 ERR_remove_thread_state(NULL). 10785 10786 (This new approach replaces the functions CRYPTO_set_idptr_callback(), 10787 CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in 10788 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an 10789 application was previously providing a numeric thread callback that 10790 was inappropriate for distinguishing threads, then uniqueness might 10791 have been obtained with &errno that happened immediately in the 10792 intermediate development versions of OpenSSL; this is no longer the 10793 case, the numeric thread callback will now override the automatic use 10794 of &errno.) 10795 10796 *Geoff Thorpe, with help from Bodo Moeller* 10797 10798 * Initial support for different CRL issuing certificates. This covers a 10799 simple case where the self issued certificates in the chain exist and 10800 the real CRL issuer is higher in the existing chain. 10801 10802 This work was sponsored by Google. 10803 10804 *Steve Henson* 10805 10806 * Removed effectively defunct crypto/store from the build. 10807 10808 *Ben Laurie* 10809 10810 * Revamp of STACK to provide stronger type-checking. 
Still to come: 10811 TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE, 10812 ASN1_STRING, CONF_VALUE. 10813 10814 *Ben Laurie* 10815 10816 * Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer 10817 RAM on SSL connections. This option can save about 34k per idle SSL. 10818 10819 *Nick Mathewson* 10820 10821 * Revamp of LHASH to provide stronger type-checking. Still to come: 10822 STACK, TXT_DB, bsearch, qsort. 10823 10824 *Ben Laurie* 10825 10826 * Initial support for Cryptographic Message Syntax (aka CMS) based 10827 on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility, 10828 support for data, signedData, compressedData, digestedData and 10829 encryptedData, envelopedData types included. Scripts to check against 10830 RFC4134 examples draft and interop and consistency checks of many 10831 content types and variants. 10832 10833 *Steve Henson* 10834 10835 * Add options to enc utility to support use of zlib compression BIO. 10836 10837 *Steve Henson* 10838 10839 * Extend mk1mf to support importing of options and assembly language 10840 files from Configure script, currently only included in VC-WIN32. 10841 The assembly language rules can now optionally generate the source 10842 files from the associated perl scripts. 10843 10844 *Steve Henson* 10845 10846 * Implement remaining functionality needed to support GOST ciphersuites. 10847 Interop testing has been performed using CryptoPro implementations. 10848 10849 *Victor B. Wagner <vitus@cryptocom.ru>* 10850 10851 * s390x assembler pack. 10852 10853 *Andy Polyakov* 10854 10855 * ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU 10856 "family." 10857 10858 *Andy Polyakov* 10859 10860 * Implement Opaque PRF Input TLS extension as specified in 10861 draft-rescorla-tls-opaque-prf-input-00.txt. 
Since this is not an 10862 official specification yet and no extension type assignment by 10863 IANA exists, this extension (for now) will have to be explicitly 10864 enabled when building OpenSSL by providing the extension number 10865 to use. For example, specify an option 10866 10867 -DTLSEXT_TYPE_opaque_prf_input=0x9527 10868 10869 to the "config" or "Configure" script to enable the extension, 10870 assuming extension number 0x9527 (which is a completely arbitrary 10871 and unofficial assignment based on the MD5 hash of the Internet 10872 Draft). Note that by doing so, you potentially lose 10873 interoperability with other TLS implementations since these might 10874 be using the same extension number for other purposes. 10875 10876 SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the 10877 opaque PRF input value to use in the handshake. This will create 10878 an internal copy of the length-'len' string at 'src', and will 10879 return non-zero for success. 10880 10881 To get more control and flexibility, provide a callback function 10882 by using 10883 10884 SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) 10885 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg) 10886 10887 where 10888 10889 int (*cb)(SSL *, void *peerinput, size_t len, void *arg); 10890 void *arg; 10891 10892 Callback function 'cb' will be called in handshakes, and is 10893 expected to use SSL_set_tlsext_opaque_prf_input() as appropriate. 10894 Argument 'arg' is for application purposes (the value as given to 10895 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly 10896 be provided to the callback function). The callback function 10897 has to return non-zero to report success: usually 1 to use opaque 10898 PRF input just if possible, or 2 to enforce use of the opaque PRF 10899 input. In the latter case, the library will abort the handshake 10900 if opaque PRF input is not successfully negotiated. 
10901 10902 Arguments 'peerinput' and 'len' given to the callback function 10903 will always be NULL and 0 in the case of a client. A server will 10904 see the client's opaque PRF input through these variables if 10905 available (NULL and 0 otherwise). Note that if the server 10906 provides an opaque PRF input, the length must be the same as the 10907 length of the client's opaque PRF input. 10908 10909 Note that the callback function will only be called when creating 10910 a new session (session resumption can resume whatever was 10911 previously negotiated), and will not be called in SSL 2.0 10912 handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or 10913 SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended 10914 for applications that need to enforce opaque PRF input. 10915 10916 *Bodo Moeller* 10917 10918 * Update ssl code to support digests other than SHA1+MD5 for handshake 10919 MAC. 10920 10921 *Victor B. Wagner <vitus@cryptocom.ru>* 10922 10923 * Add RFC4507 support to OpenSSL. This includes the corrections in 10924 RFC4507bis. The encrypted ticket format is an encrypted encoded 10925 SSL_SESSION structure, that way new session features are automatically 10926 supported. 10927 10928 If a client application caches session in an SSL_SESSION structure 10929 support is transparent because tickets are now stored in the encoded 10930 SSL_SESSION. 10931 10932 The SSL_CTX structure automatically generates keys for ticket 10933 protection in servers so again support should be possible 10934 with no application modification. 10935 10936 If a client or server wishes to disable RFC4507 support then the option 10937 SSL_OP_NO_TICKET can be set. 10938 10939 Add a TLS extension debugging callback to allow the contents of any client 10940 or server extensions to be examined. 10941 10942 This work was sponsored by Google. 10943 10944 *Steve Henson* 10945 10946 * Final changes to avoid use of pointer pointer casts in OpenSSL. 
10947 OpenSSL should now compile cleanly on gcc 4.2 10948 10949 *Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson* 10950 10951 * Update SSL library to use new EVP_PKEY MAC API. Include generic MAC 10952 support including streaming MAC support: this is required for GOST 10953 ciphersuite support. 10954 10955 *Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson* 10956 10957 * Add option -stream to use PKCS#7 streaming in smime utility. New 10958 function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream() 10959 to output in BER and PEM format. 10960 10961 *Steve Henson* 10962 10963 * Experimental support for use of HMAC via EVP_PKEY interface. This 10964 allows HMAC to be handled via the `EVP_DigestSign*()` interface. The 10965 EVP_PKEY "key" in this case is the HMAC key, potentially allowing 10966 ENGINE support for HMAC keys which are unextractable. New -mac and 10967 -macopt options to dgst utility. 10968 10969 *Steve Henson* 10970 10971 * New option -sigopt to dgst utility. Update dgst to use 10972 `EVP_Digest{Sign,Verify}*`. These two changes make it possible to use 10973 alternative signing parameters such as X9.31 or PSS in the dgst 10974 utility. 10975 10976 *Steve Henson* 10977 10978 * Change ssl_cipher_apply_rule(), the internal function that does 10979 the work each time a ciphersuite string requests enabling 10980 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or 10981 removing ("!foo+bar") a class of ciphersuites: Now it maintains 10982 the order of disabled ciphersuites such that those ciphersuites 10983 that most recently went from enabled to disabled not only stay 10984 in order with respect to each other, but also have higher priority 10985 than other disabled ciphersuites the next time ciphersuites are 10986 enabled again. 
10987 10988 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable 10989 the same ciphersuites as with "HIGH" alone, but in a specific 10990 order where the PSK ciphersuites come first (since they are the 10991 most recently disabled ciphersuites when "HIGH" is parsed). 10992 10993 Also, change ssl_create_cipher_list() (using this new 10994 functionality) such that between otherwise identical 10995 ciphersuites, ephemeral ECDH is preferred over ephemeral DH in 10996 the default order. 10997 10998 *Bodo Moeller* 10999 11000 * Change ssl_create_cipher_list() so that it automatically 11001 arranges the ciphersuites in reasonable order before starting 11002 to process the rule string. Thus, the definition for "DEFAULT" 11003 (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but 11004 remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`. 11005 This makes it much easier to arrive at a reasonable default order 11006 in applications for which anonymous ciphers are OK (meaning 11007 that you can't actually use DEFAULT). 11008 11009 *Bodo Moeller; suggested by Victor Duchovni* 11010 11011 * Split the SSL/TLS algorithm mask (as used for ciphersuite string 11012 processing) into multiple integers instead of setting 11013 "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", 11014 "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer. 11015 (These masks as well as the individual bit definitions are hidden 11016 away into the non-exported interface ssl/ssl_locl.h, so this 11017 change to the definition of the SSL_CIPHER structure shouldn't 11018 affect applications.) This give us more bits for each of these 11019 categories, so there is no longer a need to coagulate AES128 and 11020 AES256 into a single algorithm bit, and to coagulate Camellia128 11021 and Camellia256 into a single algorithm bit, which has led to all 11022 kinds of kludges. 
11023 11024 Thus, among other things, the kludge introduced in 0.9.7m and 11025 0.9.8e for masking out AES256 independently of AES128 or masking 11026 out Camellia256 independently of AES256 is not needed here in 0.9.9. 11027 11028 With the change, we also introduce new ciphersuite aliases that 11029 so far were missing: "AES128", "AES256", "CAMELLIA128", and 11030 "CAMELLIA256". 11031 11032 *Bodo Moeller* 11033 11034 * Add support for dsa-with-SHA224 and dsa-with-SHA256. 11035 Use the leftmost N bytes of the signature input if the input is 11036 larger than the prime q (with N being the size in bytes of q). 11037 11038 *Nils Larsch* 11039 11040 * Very *very* experimental PKCS#7 streaming encoder support. Nothing uses 11041 it yet and it is largely untested. 11042 11043 *Steve Henson* 11044 11045 * Add support for the ecdsa-with-SHA224/256/384/512 signature types. 11046 11047 *Nils Larsch* 11048 11049 * Initial incomplete changes to avoid need for function casts in OpenSSL 11050 some compilers (gcc 4.2 and later) reject their use. Safestack is 11051 reimplemented. Update ASN1 to avoid use of legacy functions. 11052 11053 *Steve Henson* 11054 11055 * Win32/64 targets are linked with Winsock2. 11056 11057 *Andy Polyakov* 11058 11059 * Add an X509_CRL_METHOD structure to allow CRL processing to be redirected 11060 to external functions. This can be used to increase CRL handling 11061 efficiency especially when CRLs are very large by (for example) storing 11062 the CRL revoked certificates in a database. 11063 11064 *Steve Henson* 11065 11066 * Overhaul of by_dir code. Add support for dynamic loading of CRLs so 11067 new CRLs added to a directory can be used. New command line option 11068 -verify_return_error to s_client and s_server. This causes real errors 11069 to be returned by the verify callback instead of carrying on no matter 11070 what. This reflects the way a "real world" verify callback would behave. 
11071 11072 *Steve Henson* 11073 11074 * GOST engine, supporting several GOST algorithms and public key formats. 11075 Kindly donated by Cryptocom. 11076 11077 *Cryptocom* 11078 11079 * Partial support for Issuing Distribution Point CRL extension. CRLs 11080 partitioned by DP are handled but no indirect CRL or reason partitioning 11081 (yet). Complete overhaul of CRL handling: now the most suitable CRL is 11082 selected via a scoring technique which handles IDP and AKID in CRLs. 11083 11084 *Steve Henson* 11085 11086 * New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which 11087 will ultimately be used for all verify operations: this will remove the 11088 X509_STORE dependency on certificate verification and allow alternative 11089 lookup methods. X509_STORE based implementations of these two callbacks. 11090 11091 *Steve Henson* 11092 11093 * Allow multiple CRLs to exist in an X509_STORE with matching issuer names. 11094 Modify get_crl() to find a valid (unexpired) CRL if possible. 11095 11096 *Steve Henson* 11097 11098 * New function X509_CRL_match() to check if two CRLs are identical. Normally 11099 this would be called X509_CRL_cmp() but that name is already used by 11100 a function that just compares CRL issuer names. Cache several CRL 11101 extensions in X509_CRL structure and cache CRLDP in X509. 11102 11103 *Steve Henson* 11104 11105 * Store a "canonical" representation of X509_NAME structure (ASN1 Name) 11106 this maps equivalent X509_NAME structures into a consistent structure. 11107 Name comparison can then be performed rapidly using memcmp(). 11108 11109 *Steve Henson* 11110 11111 * Non-blocking OCSP request processing. Add -timeout option to ocsp 11112 utility. 11113 11114 *Steve Henson* 11115 11116 * Allow digests to supply their own micalg string for S/MIME type using 11117 the ctrl EVP_MD_CTRL_MICALG. 
11118 11119 *Steve Henson* 11120 11121 * During PKCS7 signing pass the PKCS7 SignerInfo structure to the 11122 EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN 11123 ctrl. It can then customise the structure before and/or after signing 11124 if necessary. 11125 11126 *Steve Henson* 11127 11128 * New function OBJ_add_sigid() to allow application defined signature OIDs 11129 to be added to OpenSSLs internal tables. New function OBJ_sigid_free() 11130 to free up any added signature OIDs. 11131 11132 *Steve Henson* 11133 11134 * New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(), 11135 EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal 11136 digest and cipher tables. New options added to openssl utility: 11137 list-message-digest-algorithms and list-cipher-algorithms. 11138 11139 *Steve Henson* 11140 11141 * Change the array representation of binary polynomials: the list 11142 of degrees of non-zero coefficients is now terminated with -1. 11143 Previously it was terminated with 0, which was also part of the 11144 value; thus, the array representation was not applicable to 11145 polynomials where t^0 has coefficient zero. This change makes 11146 the array representation useful in a more general context. 11147 11148 *Douglas Stebila* 11149 11150 * Various modifications and fixes to SSL/TLS cipher string 11151 handling. For ECC, the code now distinguishes between fixed ECDH 11152 with RSA certificates on the one hand and with ECDSA certificates 11153 on the other hand, since these are separate ciphersuites. The 11154 unused code for Fortezza ciphersuites has been removed. 11155 11156 For consistency with EDH, ephemeral ECDH is now called "EECDH" 11157 (not "ECDHE"). For consistency with the code for DH 11158 certificates, use of ECDH certificates is now considered ECDH 11159 authentication, not RSA or ECDSA authentication (the latter is 11160 merely the CA's signing algorithm and not actively used in the 11161 protocol). 
11162 11163 The temporary ciphersuite alias "ECCdraft" is no longer 11164 available, and ECC ciphersuites are no longer excluded from "ALL" 11165 and "DEFAULT". The following aliases now exist for RFC 4492 11166 ciphersuites, most of these by analogy with the DH case: 11167 11168 kECDHr - ECDH cert, signed with RSA 11169 kECDHe - ECDH cert, signed with ECDSA 11170 kECDH - ECDH cert (signed with either RSA or ECDSA) 11171 kEECDH - ephemeral ECDH 11172 ECDH - ECDH cert or ephemeral ECDH 11173 11174 aECDH - ECDH cert 11175 aECDSA - ECDSA cert 11176 ECDSA - ECDSA cert 11177 11178 AECDH - anonymous ECDH 11179 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH") 11180 11181 *Bodo Moeller* 11182 11183 * Add additional S/MIME capabilities for AES and GOST ciphers if supported. 11184 Use correct micalg parameters depending on digest(s) in signed message. 11185 11186 *Steve Henson* 11187 11188 * Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process 11189 an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. 11190 11191 *Steve Henson* 11192 11193 * Initial engine support for EVP_PKEY_METHOD. New functions to permit 11194 an engine to register a method. Add ENGINE lookups for methods and 11195 functional reference processing. 11196 11197 *Steve Henson* 11198 11199 * New functions `EVP_Digest{Sign,Verify)*`. These are enhanced versions of 11200 `EVP_{Sign,Verify}*` which allow an application to customise the signature 11201 process. 11202 11203 *Steve Henson* 11204 11205 * New -resign option to smime utility. This adds one or more signers 11206 to an existing PKCS#7 signedData structure. Also -md option to use an 11207 alternative message digest algorithm for signing. 11208 11209 *Steve Henson* 11210 11211 * Tidy up PKCS#7 routines and add new functions to make it easier to 11212 create PKCS7 structures containing multiple signers. Update smime 11213 application to support multiple signers. 
11214 11215 *Steve Henson* 11216 11217 * New -macalg option to pkcs12 utility to allow setting of an alternative 11218 digest MAC. 11219 11220 *Steve Henson* 11221 11222 * Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. 11223 Reorganize PBE internals to lookup from a static table using NIDs, 11224 add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl: 11225 EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative 11226 PRF which will be automatically used with PBES2. 11227 11228 *Steve Henson* 11229 11230 * Replace the algorithm specific calls to generate keys in "req" with the 11231 new API. 11232 11233 *Steve Henson* 11234 11235 * Update PKCS#7 enveloped data routines to use new API. This is now 11236 supported by any public key method supporting the encrypt operation. A 11237 ctrl is added to allow the public key algorithm to examine or modify 11238 the PKCS#7 RecipientInfo structure if it needs to: for RSA this is 11239 a no op. 11240 11241 *Steve Henson* 11242 11243 * Add a ctrl to asn1 method to allow a public key algorithm to express 11244 a default digest type to use. In most cases this will be SHA1 but some 11245 algorithms (such as GOST) need to specify an alternative digest. The 11246 return value indicates how strong the preference is 1 means optional and 11247 2 is mandatory (that is it is the only supported type). Modify 11248 ASN1_item_sign() to accept a NULL digest argument to indicate it should 11249 use the default md. Update openssl utilities to use the default digest 11250 type for signing if it is not explicitly indicated. 11251 11252 *Steve Henson* 11253 11254 * Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 11255 EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant 11256 signing method from the key type. This effectively removes the link 11257 between digests and public key types. 
11258 11259 *Steve Henson* 11260 11261 * Add an OID cross reference table and utility functions. Its purpose is to 11262 translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, 11263 rsaEncryption. This will allow some of the algorithm specific hackery 11264 needed to use the correct OID to be removed. 11265 11266 *Steve Henson* 11267 11268 * Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO 11269 structures for PKCS7_sign(). They are now set up by the relevant public 11270 key ASN1 method. 11271 11272 *Steve Henson* 11273 11274 * Add provisional EC pkey method with support for ECDSA and ECDH. 11275 11276 *Steve Henson* 11277 11278 * Add support for key derivation (agreement) in the API, DH method and 11279 pkeyutl. 11280 11281 *Steve Henson* 11282 11283 * Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support 11284 public and private key formats. As a side effect these add additional 11285 command line functionality not previously available: DSA signatures can be 11286 generated and verified using pkeyutl and DH key support and generation in 11287 pkey, genpkey. 11288 11289 *Steve Henson* 11290 11291 * BeOS support. 11292 11293 *Oliver Tappe <zooey@hirschkaefer.de>* 11294 11295 * New make target "install_html_docs" installs HTML renditions of the 11296 manual pages. 11297 11298 *Oliver Tappe <zooey@hirschkaefer.de>* 11299 11300 * New utility "genpkey" this is analogous to "genrsa" etc except it can 11301 generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to 11302 support key and parameter generation and add initial key generation 11303 functionality for RSA. 11304 11305 *Steve Henson* 11306 11307 * Add functions for main EVP_PKEY_method operations. The undocumented 11308 functions `EVP_PKEY_{encrypt,decrypt}` have been renamed to 11309 `EVP_PKEY_{encrypt,decrypt}_old`. 11310 11311 *Steve Henson* 11312 11313 * Initial definitions for EVP_PKEY_METHOD. 
This will be a high level public 11314 key API, doesn't do much yet. 11315 11316 *Steve Henson* 11317 11318 * New function EVP_PKEY_asn1_get0_info() to retrieve information about 11319 public key algorithms. New option to openssl utility: 11320 "list-public-key-algorithms" to print out info. 11321 11322 *Steve Henson* 11323 11324 * Implement the Supported Elliptic Curves Extension for 11325 ECC ciphersuites from draft-ietf-tls-ecc-12.txt. 11326 11327 *Douglas Stebila* 11328 11329 * Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or 11330 EVP_CIPHER structures to avoid later problems in EVP_cleanup(). 11331 11332 *Steve Henson* 11333 11334 * New utilities pkey and pkeyparam. These are similar to algorithm specific 11335 utilities such as rsa, dsa, dsaparam etc except they process any key 11336 type. 11337 11338 *Steve Henson* 11339 11340 * Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New 11341 functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), 11342 EVP_PKEY_print_param() to print public key data from an EVP_PKEY 11343 structure. 11344 11345 *Steve Henson* 11346 11347 * Initial support for pluggable public key ASN1. 11348 De-spaghettify the public key ASN1 handling. Move public and private 11349 key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate 11350 algorithm specific handling to a single module within the relevant 11351 algorithm directory. Add functions to allow (near) opaque processing 11352 of public and private key structures. 11353 11354 *Steve Henson* 11355 11356 * Implement the Supported Point Formats Extension for 11357 ECC ciphersuites from draft-ietf-tls-ecc-12.txt. 11358 11359 *Douglas Stebila* 11360 11361 * Add initial support for RFC 4279 PSK TLS ciphersuites. Add members 11362 for the psk identity [hint] and the psk callback functions to the 11363 SSL_SESSION, SSL and SSL_CTX structure. 
11364 11365 New ciphersuites: 11366 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, 11367 PSK-AES256-CBC-SHA 11368 11369 New functions: 11370 SSL_CTX_use_psk_identity_hint 11371 SSL_get_psk_identity_hint 11372 SSL_get_psk_identity 11373 SSL_use_psk_identity_hint 11374 11375 *Mika Kousa and Pasi Eronen of Nokia Corporation* 11376 11377 * Add RFC 3161 compliant time stamp request creation, response generation 11378 and response verification functionality. 11379 11380 *Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project* 11381 11382 * Add initial support for TLS extensions, specifically for the server_name 11383 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now 11384 have new members for a hostname. The SSL data structure has an 11385 additional member `SSL_CTX *initial_ctx` so that new sessions can be 11386 stored in that context to allow for session resumption, even after the 11387 SSL has been switched to a new SSL_CTX in reaction to a client's 11388 server_name extension. 11389 11390 New functions (subject to change): 11391 11392 SSL_get_servername() 11393 SSL_get_servername_type() 11394 SSL_set_SSL_CTX() 11395 11396 New CTRL codes and macros (subject to change): 11397 11398 SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 11399 - SSL_CTX_set_tlsext_servername_callback() 11400 SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 11401 - SSL_CTX_set_tlsext_servername_arg() 11402 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() 11403 11404 openssl s_client has a new '-servername ...' option. 11405 11406 openssl s_server has new options '-servername_host ...', '-cert2 ...', 11407 '-key2 ...', '-servername_fatal' (subject to change). This allows 11408 testing the HostName extension for a specific single hostname ('-cert' 11409 and '-key' remain fallbacks for handshakes without HostName 11410 negotiation). If the unrecognized_name alert has to be sent, this by 11411 default is a warning; it becomes fatal with the '-servername_fatal' 11412 option. 
11413 11414 *Peter Sylvester, Remy Allais, Christophe Renou* 11415 11416 * Whirlpool hash implementation is added. 11417 11418 *Andy Polyakov* 11419 11420 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to 11421 bn(64,32). Because of instruction set limitations it doesn't have 11422 any negative impact on performance. This was done mostly in order 11423 to make it possible to share assembler modules, such as bn_mul_mont 11424 implementations, between 32- and 64-bit builds without hassle. 11425 11426 *Andy Polyakov* 11427 11428 * Move code previously exiled into file crypto/ec/ec2_smpt.c 11429 to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP 11430 macro. 11431 11432 *Bodo Moeller* 11433 11434 * New candidate for BIGNUM assembler implementation, bn_mul_mont, 11435 dedicated Montgomery multiplication procedure, is introduced. 11436 BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher 11437 "64-bit" performance on certain 32-bit targets. 11438 11439 *Andy Polyakov* 11440 11441 * New option SSL_OP_NO_COMP to disable use of compression selectively 11442 in SSL structures. New SSL ctrl to set maximum send fragment size. 11443 Save memory by setting the I/O buffer sizes dynamically instead of 11444 using the maximum available value. 11445 11446 *Steve Henson* 11447 11448 * New option -V for 'openssl ciphers'. This prints the ciphersuite code 11449 in addition to the text details. 11450 11451 *Bodo Moeller* 11452 11453 * Very, very preliminary EXPERIMENTAL support for printing of general 11454 ASN1 structures. This currently produces rather ugly output and doesn't 11455 handle several customised structures at all. 11456 11457 *Steve Henson* 11458 11459 * Integrated support for PVK file format and some related formats such 11460 as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support 11461 these in the 'rsa' and 'dsa' utilities. 
11462 11463 *Steve Henson* 11464 11465 * Support for PKCS#1 RSAPublicKey format on rsa utility command line. 11466 11467 *Steve Henson* 11468 11469 * Remove the ancient ASN1_METHOD code. This was only ever used in one 11470 place for the (very old) "NETSCAPE" format certificates which are now 11471 handled using new ASN1 code equivalents. 11472 11473 *Steve Henson* 11474 11475 * Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD 11476 pointer and make the SSL_METHOD parameter in SSL_CTX_new, 11477 SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'. 11478 11479 *Nils Larsch* 11480 11481 * Modify CRL distribution points extension code to print out previously 11482 unsupported fields. Enhance extension setting code to allow setting of 11483 all fields. 11484 11485 *Steve Henson* 11486 11487 * Add print and set support for Issuing Distribution Point CRL extension. 11488 11489 *Steve Henson* 11490 11491 * Change 'Configure' script to enable Camellia by default. 11492 11493 *NTT* 11494 11495OpenSSL 0.9.x 11496------------- 11497 11498### Changes between 0.9.8m and 0.9.8n [24 Mar 2010] 11499 11500 * When rejecting SSL/TLS records due to an incorrect version number, never 11501 update s->server with a new major version number. As of 11502 - OpenSSL 0.9.8m if 'short' is a 16-bit type, 11503 - OpenSSL 0.9.8f if 'short' is longer than 16 bits, 11504 the previous behavior could result in a read attempt at NULL when 11505 receiving specific incorrect SSL/TLS records once record payload 11506 protection is active. ([CVE-2010-0740]) 11507 11508 *Bodo Moeller, Adam Langley <agl@chromium.org>* 11509 11510 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 11511 could be crashed if the relevant tables were not present (e.g. chrooted). 11512 11513 *Tomas Hoger <thoger@redhat.com>* 11514 11515### Changes between 0.9.8l and 0.9.8m [25 Feb 2010] 11516 11517 * Always check bn_wexpand() return values for failure. 
([CVE-2009-3245]) 11518 11519 *Martin Olsson, Neel Mehta* 11520 11521 * Fix X509_STORE locking: Every 'objs' access requires a lock (to 11522 accommodate for stack sorting, always a write lock!). 11523 11524 *Bodo Moeller* 11525 11526 * On some versions of WIN32 Heap32Next is very slow. This can cause 11527 excessive delays in the RAND_poll(): over a minute. As a workaround 11528 include a time check in the inner Heap32Next loop too. 11529 11530 *Steve Henson* 11531 11532 * The code that handled flushing of data in SSL/TLS originally used the 11533 BIO_CTRL_INFO ctrl to see if any data was pending first. This caused 11534 the problem outlined in PR#1949. The fix suggested there however can 11535 trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions 11536 of Apache). So instead simplify the code to flush unconditionally. 11537 This should be fine since flushing with no data to flush is a no op. 11538 11539 *Steve Henson* 11540 11541 * Handle TLS versions 2.0 and later properly and correctly use the 11542 highest version of TLS/SSL supported. Although TLS >= 2.0 is some way 11543 off ancient servers have a habit of sticking around for a while... 11544 11545 *Steve Henson* 11546 11547 * Modify compression code so it frees up structures without using the 11548 ex_data callbacks. This works around a problem where some applications 11549 call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when 11550 restarting) then use compression (e.g. SSL with compression) later. 11551 This results in significant per-connection memory leaks and 11552 has caused some security issues including CVE-2008-1678 and 11553 CVE-2009-4355. 11554 11555 *Steve Henson* 11556 11557 * Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't 11558 change when encrypting or decrypting. 11559 11560 *Bodo Moeller* 11561 11562 * Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to 11563 connect and renegotiate with servers which do not support RI. 
11564 Until RI is more widely deployed this option is enabled by default. 11565 11566 *Steve Henson* 11567 11568 * Add "missing" ssl ctrls to clear options and mode. 11569 11570 *Steve Henson* 11571 11572 * If client attempts to renegotiate and doesn't support RI respond with 11573 a no_renegotiation alert as required by RFC5746. Some renegotiating 11574 TLS clients will continue a connection gracefully when they receive 11575 the alert. Unfortunately OpenSSL mishandled this alert and would hang 11576 waiting for a server hello which it will never receive. Now we treat a 11577 received no_renegotiation alert as a fatal error. This is because 11578 applications requesting a renegotiation might well expect it to succeed 11579 and would have no code in place to handle the server denying it so the 11580 only safe thing to do is to terminate the connection. 11581 11582 *Steve Henson* 11583 11584 * Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if 11585 peer supports secure renegotiation and 0 otherwise. Print out peer 11586 renegotiation support in s_client/s_server. 11587 11588 *Steve Henson* 11589 11590 * Replace the highly broken and deprecated SPKAC certification method with 11591 the updated NID creation version. This should correctly handle UTF8. 11592 11593 *Steve Henson* 11594 11595 * Implement RFC5746. Re-enable renegotiation but require the extension 11596 as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 11597 turns out to be a bad idea. It has been replaced by 11598 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with 11599 SSL_CTX_set_options(). This is really not recommended unless you 11600 know what you are doing. 11601 11602 *Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson* 11603 11604 * Fixes to stateless session resumption handling. Use initial_ctx when 11605 issuing and attempting to decrypt tickets in case it has changed during 11606 servername handling. 
Use a non-zero length session ID when attempting 11607 stateless session resumption: this makes it possible to determine if 11608 a resumption has occurred immediately after receiving server hello 11609 (several places in OpenSSL subtly assume this) instead of later in 11610 the handshake. 11611 11612 *Steve Henson* 11613 11614 * The functions ENGINE_ctrl(), OPENSSL_isservice(), 11615 CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error 11616 fixes for a few places where the return code is not checked 11617 correctly. 11618 11619 *Julia Lawall <julia@diku.dk>* 11620 11621 * Add --strict-warnings option to Configure script to include devteam 11622 warnings in other configurations. 11623 11624 *Steve Henson* 11625 11626 * Add support for --libdir option and LIBDIR variable in makefiles. This 11627 makes it possible to install openssl libraries in locations which 11628 have names other than "lib", for example "/usr/lib64" which some 11629 systems need. 11630 11631 *Steve Henson, based on patch from Jeremy Utley* 11632 11633 * Don't allow the use of leading 0x80 in OIDs. This is a violation of 11634 X690 8.9.12 and can produce some misleading textual output of OIDs. 11635 11636 *Steve Henson, reported by Dan Kaminsky* 11637 11638 * Delete MD2 from algorithm tables. This follows the recommendation in 11639 several standards that it is not used in new applications due to 11640 several cryptographic weaknesses. For binary compatibility reasons 11641 the MD2 API is still compiled in by default. 11642 11643 *Steve Henson* 11644 11645 * Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved 11646 and restored. 11647 11648 *Steve Henson* 11649 11650 * Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and 11651 OPENSSL_asc2uni conditionally on Netware platforms to avoid a name 11652 clash. 
11653 11654 *Guenter <lists@gknw.net>* 11655 11656 * Fix the server certificate chain building code to use X509_verify_cert(), 11657 it used to have an ad-hoc builder which was unable to cope with anything 11658 other than a simple chain. 11659 11660 *David Woodhouse <dwmw2@infradead.org>, Steve Henson* 11661 11662 * Don't check self signed certificate signatures in X509_verify_cert() 11663 by default (a flag can override this): it just wastes time without 11664 adding any security. As a useful side effect self signed root CAs 11665 with non-FIPS digests are now usable in FIPS mode. 11666 11667 *Steve Henson* 11668 11669 * In dtls1_process_out_of_seq_message() the check if the current message 11670 is already buffered was missing. For every new message was memory 11671 allocated, allowing an attacker to perform an denial of service attack 11672 with sending out of seq handshake messages until there is no memory 11673 left. Additionally every future message was buffered, even if the 11674 sequence number made no sense and would be part of another handshake. 11675 So only messages with sequence numbers less than 10 in advance will be 11676 buffered. ([CVE-2009-1378]) 11677 11678 *Robin Seggelmann, discovered by Daniel Mentz* 11679 11680 * Records are buffered if they arrive with a future epoch to be 11681 processed after finishing the corresponding handshake. There is 11682 currently no limitation to this buffer allowing an attacker to perform 11683 a DOS attack with sending records with future epochs until there is no 11684 memory left. This patch adds the pqueue_size() function to determine 11685 the size of a buffer and limits the record buffer to 100 entries. 11686 ([CVE-2009-1377]) 11687 11688 *Robin Seggelmann, discovered by Daniel Mentz* 11689 11690 * Keep a copy of frag->msg_header.frag_len so it can be used after the 11691 parent structure is freed. 
([CVE-2009-1379]) 11692 11693 *Daniel Mentz* 11694 11695 * Handle non-blocking I/O properly in SSL_shutdown() call. 11696 11697 *Darryl Miles <darryl-mailinglists@netbauds.net>* 11698 11699 * Add `2.5.4.*` OIDs 11700 11701 *Ilya O. <vrghost@gmail.com>* 11702 11703### Changes between 0.9.8k and 0.9.8l [5 Nov 2009] 11704 11705 * Disable renegotiation completely - this fixes a severe security 11706 problem ([CVE-2009-3555]) at the cost of breaking all 11707 renegotiation. Renegotiation can be re-enabled by setting 11708 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at 11709 run-time. This is really not recommended unless you know what 11710 you're doing. 11711 11712 *Ben Laurie* 11713 11714### Changes between 0.9.8j and 0.9.8k [25 Mar 2009] 11715 11716 * Don't set val to NULL when freeing up structures, it is freed up by 11717 underlying code. If `sizeof(void *) > sizeof(long)` this can result in 11718 zeroing past the valid field. ([CVE-2009-0789]) 11719 11720 *Paolo Ganci <Paolo.Ganci@AdNovum.CH>* 11721 11722 * Fix bug where return value of CMS_SignerInfo_verify_content() was not 11723 checked correctly. This would allow some invalid signed attributes to 11724 appear to verify correctly. ([CVE-2009-0591]) 11725 11726 *Ivan Nestlerode <inestlerode@us.ibm.com>* 11727 11728 * Reject UniversalString and BMPString types with invalid lengths. This 11729 prevents a crash in ASN1_STRING_print_ex() which assumes the strings have 11730 a legal length. ([CVE-2009-0590]) 11731 11732 *Steve Henson* 11733 11734 * Set S/MIME signing as the default purpose rather than setting it 11735 unconditionally. This allows applications to override it at the store 11736 level. 11737 11738 *Steve Henson* 11739 11740 * Permit restricted recursion of ASN1 strings. This is needed in practice 11741 to handle some structures. 
11742 11743 *Steve Henson* 11744 11745 * Improve efficiency of mem_gets: don't search whole buffer each time 11746 for a '\n' 11747 11748 *Jeremy Shapiro <jnshapir@us.ibm.com>* 11749 11750 * New -hex option for openssl rand. 11751 11752 *Matthieu Herrb* 11753 11754 * Print out UTF8String and NumericString when parsing ASN1. 11755 11756 *Steve Henson* 11757 11758 * Support NumericString type for name components. 11759 11760 *Steve Henson* 11761 11762 * Allow CC in the environment to override the automatically chosen 11763 compiler. Note that nothing is done to ensure flags work with the 11764 chosen compiler. 11765 11766 *Ben Laurie* 11767 11768### Changes between 0.9.8i and 0.9.8j [07 Jan 2009] 11769 11770 * Properly check EVP_VerifyFinal() and similar return values 11771 ([CVE-2008-5077]). 11772 11773 *Ben Laurie, Bodo Moeller, Google Security Team* 11774 11775 * Enable TLS extensions by default. 11776 11777 *Ben Laurie* 11778 11779 * Allow the CHIL engine to be loaded, whether the application is 11780 multithreaded or not. (This does not release the developer from the 11781 obligation to set up the dynamic locking callbacks.) 11782 11783 *Sander Temme <sander@temme.net>* 11784 11785 * Use correct exit code if there is an error in dgst command. 11786 11787 *Steve Henson; problem pointed out by Roland Dirlewanger* 11788 11789 * Tweak Configure so that you need to say "experimental-jpake" to enable 11790 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. 11791 11792 *Bodo Moeller* 11793 11794 * Add experimental JPAKE support, including demo authentication in 11795 s_client and s_server. 11796 11797 *Ben Laurie* 11798 11799 * Set the comparison function in v3_addr_canonize(). 11800 11801 *Rob Austein <sra@hactrn.net>* 11802 11803 * Add support for XMPP STARTTLS in s_client. 
11804 11805 *Philip Paeps <philip@freebsd.org>* 11806 11807 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior 11808 to ensure that even with this option, only ciphersuites in the 11809 server's preference list will be accepted. (Note that the option 11810 applies only when resuming a session, so the earlier behavior was 11811 just about the algorithm choice for symmetric cryptography.) 11812 11813 *Bodo Moeller* 11814 11815### Changes between 0.9.8h and 0.9.8i [15 Sep 2008] 11816 11817 * Fix NULL pointer dereference if a DTLS server received 11818 ChangeCipherSpec as first record ([CVE-2009-1386]). 11819 11820 *PR #1679* 11821 11822 * Fix a state transition in s3_srvr.c and d1_srvr.c 11823 (was using SSL3_ST_CW_CLNT_HELLO_B, should be `..._ST_SW_SRVR_...`). 11824 11825 *Nagendra Modadugu* 11826 11827 * The fix in 0.9.8c that supposedly got rid of unsafe 11828 double-checked locking was incomplete for RSA blinding, 11829 addressing just one layer of what turns out to have been 11830 doubly unsafe triple-checked locking. 11831 11832 So now fix this for real by retiring the MONT_HELPER macro 11833 in crypto/rsa/rsa_eay.c. 11834 11835 *Bodo Moeller; problem pointed out by Marius Schilder* 11836 11837 * Various precautionary measures: 11838 11839 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). 11840 11841 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). 11842 (NB: This would require knowledge of the secret session ticket key 11843 to exploit, in which case you'd be SOL either way.) 11844 11845 - Change bn_nist.c so that it will properly handle input BIGNUMs 11846 outside the expected range. 11847 11848 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG 11849 builds. 11850 11851 *Neel Mehta, Bodo Moeller* 11852 11853 * Allow engines to be "soft loaded" - i.e. optionally don't die if 11854 the load fails. Useful for distros. 
11855 11856 *Ben Laurie and the FreeBSD team* 11857 11858 * Add support for Local Machine Keyset attribute in PKCS#12 files. 11859 11860 *Steve Henson* 11861 11862 * Fix BN_GF2m_mod_arr() top-bit cleanup code. 11863 11864 *Huang Ying* 11865 11866 * Expand ENGINE to support engine supplied SSL client certificate functions. 11867 11868 This work was sponsored by Logica. 11869 11870 *Steve Henson* 11871 11872 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows 11873 keystores. Support for SSL/TLS client authentication too. 11874 Not compiled unless enable-capieng specified to Configure. 11875 11876 This work was sponsored by Logica. 11877 11878 *Steve Henson* 11879 11880 * Fix bug in X509_ATTRIBUTE creation: don't set attribute using 11881 ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain 11882 attribute creation routines such as certificate requests and PKCS#12 11883 files. 11884 11885 *Steve Henson* 11886 11887### Changes between 0.9.8g and 0.9.8h [28 May 2008] 11888 11889 * Fix flaw if 'Server Key exchange message' is omitted from a TLS 11890 handshake which could lead to a client crash as found using the 11891 Codenomicon TLS test suite ([CVE-2008-1672]) 11892 11893 *Steve Henson, Mark Cox* 11894 11895 * Fix double free in TLS server name extensions which could lead to 11896 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891]) 11897 11898 *Joe Orton* 11899 11900 * Clear error queue in SSL_CTX_use_certificate_chain_file() 11901 11902 Clear the error queue to ensure that error entries left from 11903 older function calls do not interfere with the correct operation. 11904 11905 *Lutz Jaenicke, Erik de Castro Lopo* 11906 11907 * Remove root CA certificates of commercial CAs: 11908 11909 The OpenSSL project does not recommend any specific CA and does not 11910 have any policy with respect to including or excluding any CA. 
11911 Therefore, it does not make any sense to ship an arbitrary selection 11912 of root CA certificates with the OpenSSL software. 11913 11914 *Lutz Jaenicke* 11915 11916 * RSA OAEP patches to fix two separate invalid memory reads. 11917 The first one involves inputs when 'lzero' is greater than 11918 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes 11919 before the beginning of from). The second one involves inputs where 11920 the 'db' section contains nothing but zeroes (there is a one-byte 11921 invalid read after the end of 'db'). 11922 11923 *Ivan Nestlerode <inestlerode@us.ibm.com>* 11924 11925 * Partial backport from 0.9.9-dev: 11926 11927 Introduce bn_mul_mont (dedicated Montgomery multiplication 11928 procedure) as a candidate for BIGNUM assembler implementation. 11929 While 0.9.9-dev uses assembler for various architectures, only 11930 x86_64 is available by default here in the 0.9.8 branch, and 11931 32-bit x86 is available through a compile-time setting. 11932 11933 To try the 32-bit x86 assembler implementation, use Configure 11934 option "enable-montasm" (which exists only for this backport). 11935 11936 As "enable-montasm" for 32-bit x86 disclaims code stability 11937 anyway, in this constellation we activate additional code 11938 backported from 0.9.9-dev for further performance improvements, 11939 namely BN_from_montgomery_word. (To enable this otherwise, 11940 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.) 11941 11942 *Andy Polyakov (backport partially by Bodo Moeller)* 11943 11944 * Add TLS session ticket callback. This allows an application to set 11945 TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed 11946 values. This is useful for key rollover for example where several key 11947 sets may exist with different names. 11948 11949 *Steve Henson* 11950 11951 * Reverse ENGINE-internal logic for caching default ENGINE handles. 
11952 This was broken until now in 0.9.8 releases, such that the only way 11953 a registered ENGINE could be used (assuming it initialises 11954 successfully on the host) was to explicitly set it as the default 11955 for the relevant algorithms. This is in contradiction with 0.9.7 11956 behaviour and the documentation. With this fix, when an ENGINE is 11957 registered into a given algorithm's table of implementations, the 11958 'uptodate' flag is reset so that auto-discovery will be used next 11959 time a new context for that algorithm attempts to select an 11960 implementation. 11961 11962 *Ian Lister (tweaked by Geoff Thorpe)* 11963 11964 * Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 11965 implementation in the following ways: 11966 11967 Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be 11968 hard coded. 11969 11970 Lack of BER streaming support means one pass streaming processing is 11971 only supported if data is detached: setting the streaming flag is 11972 ignored for embedded content. 11973 11974 CMS support is disabled by default and must be explicitly enabled 11975 with the enable-cms configuration option. 11976 11977 *Steve Henson* 11978 11979 * Update the GMP engine glue to do direct copies between BIGNUM and 11980 mpz_t when openssl and GMP use the same limb size. Otherwise the 11981 existing "conversion via a text string export" trick is still used. 11982 11983 *Paul Sheer <paulsheer@gmail.com>* 11984 11985 * Zlib compression BIO. This is a filter BIO which compressed and 11986 uncompresses any data passed through it. 11987 11988 *Steve Henson* 11989 11990 * Add AES_wrap_key() and AES_unwrap_key() functions to implement 11991 RFC3394 compatible AES key wrapping. 11992 11993 *Steve Henson* 11994 11995 * Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): 11996 sets string data without copying. 
X509_ALGOR_set0() and 11997 X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) 11998 data. Attribute function X509at_get0_data_by_OBJ(): retrieves data 11999 from an X509_ATTRIBUTE structure optionally checking it occurs only 12000 once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied 12001 data. 12002 12003 *Steve Henson* 12004 12005 * Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() 12006 to get the expected BN_FLG_CONSTTIME behavior. 12007 12008 *Bodo Moeller (Google)* 12009 12010 * Netware support: 12011 12012 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets 12013 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) 12014 - added some more tests to do_tests.pl 12015 - fixed RunningProcess usage so that it works with newer LIBC NDKs too 12016 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency 12017 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc, 12018 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc 12019 - various changes to netware.pl to enable gcc-cross builds on Win32 12020 platform 12021 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) 12022 - various changes to fix missing prototype warnings 12023 - fixed x86nasm.pl to create correct asm files for NASM COFF output 12024 - added AES, WHIRLPOOL and CPUID assembler code to build files 12025 - added missing AES assembler make rules to mk1mf.pl 12026 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply 12027 12028 *Guenter Knauf <eflash@gmx.net>* 12029 12030 * Implement certificate status request TLS extension defined in RFC3546. 12031 A client can set the appropriate parameters and receive the encoded 12032 OCSP response via a callback. A server can query the supplied parameters 12033 and set the encoded OCSP response in the callback. Add simplified examples 12034 to s_client and s_server. 
12035 12036 *Steve Henson* 12037 12038### Changes between 0.9.8f and 0.9.8g [19 Oct 2007] 12039 12040 * Fix various bugs: 12041 + Binary incompatibility of ssl_ctx_st structure 12042 + DTLS interoperation with non-compliant servers 12043 + Don't call get_session_cb() without proposed session 12044 + Fix ia64 assembler code 12045 12046 *Andy Polyakov, Steve Henson* 12047 12048### Changes between 0.9.8e and 0.9.8f [11 Oct 2007] 12049 12050 * DTLS Handshake overhaul. There were longstanding issues with 12051 OpenSSL DTLS implementation, which were making it impossible for 12052 RFC 4347 compliant client to communicate with OpenSSL server. 12053 Unfortunately just fixing these incompatibilities would "cut off" 12054 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e 12055 server keeps tolerating non RFC compliant syntax. The opposite is 12056 not true, 0.9.8f client can not communicate with earlier server. 12057 This update even addresses CVE-2007-4995. 12058 12059 *Andy Polyakov* 12060 12061 * Changes to avoid need for function casts in OpenSSL: some compilers 12062 (gcc 4.2 and later) reject their use. 12063 *Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, 12064 Steve Henson* 12065 12066 * Add RFC4507 support to OpenSSL. This includes the corrections in 12067 RFC4507bis. The encrypted ticket format is an encrypted encoded 12068 SSL_SESSION structure, that way new session features are automatically 12069 supported. 12070 12071 If a client application caches session in an SSL_SESSION structure 12072 support is transparent because tickets are now stored in the encoded 12073 SSL_SESSION. 12074 12075 The SSL_CTX structure automatically generates keys for ticket 12076 protection in servers so again support should be possible 12077 with no application modification. 12078 12079 If a client or server wishes to disable RFC4507 support then the option 12080 SSL_OP_NO_TICKET can be set. 
12081 12082 Add a TLS extension debugging callback to allow the contents of any client 12083 or server extensions to be examined. 12084 12085 This work was sponsored by Google. 12086 12087 *Steve Henson* 12088 12089 * Add initial support for TLS extensions, specifically for the server_name 12090 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now 12091 have new members for a hostname. The SSL data structure has an 12092 additional member `SSL_CTX *initial_ctx` so that new sessions can be 12093 stored in that context to allow for session resumption, even after the 12094 SSL has been switched to a new SSL_CTX in reaction to a client's 12095 server_name extension. 12096 12097 New functions (subject to change): 12098 12099 SSL_get_servername() 12100 SSL_get_servername_type() 12101 SSL_set_SSL_CTX() 12102 12103 New CTRL codes and macros (subject to change): 12104 12105 SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 12106 - SSL_CTX_set_tlsext_servername_callback() 12107 SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 12108 - SSL_CTX_set_tlsext_servername_arg() 12109 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() 12110 12111 openssl s_client has a new '-servername ...' option. 12112 12113 openssl s_server has new options '-servername_host ...', '-cert2 ...', 12114 '-key2 ...', '-servername_fatal' (subject to change). This allows 12115 testing the HostName extension for a specific single hostname ('-cert' 12116 and '-key' remain fallbacks for handshakes without HostName 12117 negotiation). If the unrecognized_name alert has to be sent, this by 12118 default is a warning; it becomes fatal with the '-servername_fatal' 12119 option. 12120 12121 *Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson* 12122 12123 * Add AES and SSE2 assembly language support to VC++ build. 12124 12125 *Steve Henson* 12126 12127 * Mitigate attack on final subtraction in Montgomery reduction. 
12128 12129 *Andy Polyakov* 12130 12131 * Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 12132 (which previously caused an internal error). 12133 12134 *Bodo Moeller* 12135 12136 * Squeeze another 10% out of IGE mode when in != out. 12137 12138 *Ben Laurie* 12139 12140 * AES IGE mode speedup. 12141 12142 *Dean Gaudet (Google)* 12143 12144 * Add the Korean symmetric 128-bit cipher SEED (see 12145 <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and 12146 add SEED ciphersuites from RFC 4162: 12147 12148 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" 12149 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" 12150 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" 12151 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" 12152 12153 To minimize changes between patchlevels in the OpenSSL 0.9.8 12154 series, SEED remains excluded from compilation unless OpenSSL 12155 is configured with 'enable-seed'. 12156 12157 *KISA, Bodo Moeller* 12158 12159 * Mitigate branch prediction attacks, which can be practical if a 12160 single processor is shared, allowing a spy process to extract 12161 information. For detailed background information, see 12162 <http://eprint.iacr.org/2007/039> (O. Aciicmez, S. Gueron, 12163 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL 12164 and Necessary Software Countermeasures"). The core of the change 12165 are new versions BN_div_no_branch() and 12166 BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), 12167 respectively, which are slower, but avoid the security-relevant 12168 conditional branches. These are automatically called by BN_div() 12169 and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one 12170 of the input BIGNUMs. Also, BN_is_bit_set() has been changed to 12171 remove a conditional branch. 12172 12173 BN_FLG_CONSTTIME is the new name for the previous 12174 BN_FLG_EXP_CONSTTIME flag, since it now affects more than just 12175 modular exponentiation. 
   (Since OpenSSL 0.9.7h, setting this flag
   in the exponent causes BN_mod_exp_mont() to use the alternative
   implementation in BN_mod_exp_mont_consttime().) The old name
   remains as a deprecated alias.

   Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
   RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
   constant-time implementations for more than just exponentiation.
   Here too the old name is kept as a deprecated alias.

   BN_BLINDING_new() will now use BN_dup() for the modulus so that
   the BN_BLINDING structure gets an independent copy of the
   modulus. This means that the previous `BIGNUM *m` argument to
   BN_BLINDING_new() and to BN_BLINDING_create_param() now
   essentially becomes `const BIGNUM *m`, although we can't actually
   change this in the header file before 0.9.9. It allows
   RSA_setup_blinding() to use BN_with_flags() on the modulus to
   enable BN_FLG_CONSTTIME.

   *Matthew D Wood (Intel Corp)*

 * In the SSL/TLS server implementation, be strict about session ID
   context matching (which matters if an application uses a single
   external cache for different purposes). Previously,
   out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
   set. This did ensure strict client verification, but meant that,
   with applications using a single external cache for quite
   different requirements, clients could circumvent ciphersuite
   restrictions for a given session ID context by starting a session
   in a different context.

   *Bodo Moeller*

 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
   a ciphersuite string such as "DEFAULT:RSA" cannot enable
   authentication-only ciphersuites.
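   Added illustration (editor's example, not OpenSSL's bn code) of the
   branch-free pattern behind the two entries above on the Montgomery
   final subtraction and the BN_FLG_CONSTTIME "no_branch" routines: the
   reduction step always performs the subtraction and then selects the
   result with a mask derived from the borrow, so the executed instruction
   sequence does not depend on whether the intermediate value exceeded the
   modulus. The 32-bit limb width and 4-limb size are choices of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Example only (not OpenSSL's bn code): 32-bit limbs, little-endian
 * limb order, fixed width chosen for the illustration. */
typedef uint32_t limb_t;
#define NLIMBS 4

/* r = a - b over n limbs; returns the final borrow (1 iff a < b).
 * The loop always runs over every limb, so no branch depends on data. */
limb_t ct_sub(limb_t *r, const limb_t *a, const limb_t *b, size_t n)
{
    limb_t borrow = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t d = (uint64_t)a[i] - b[i] - borrow;
        r[i] = (limb_t)d;
        borrow = (limb_t)(d >> 63); /* top bit set iff the subtraction wrapped */
    }
    return borrow;
}

/* Branch-free final reduction step as used after Montgomery multiplication:
 * given 0 <= t < 2m, return t mod m. Compute t - m unconditionally, then
 * select between t and t - m with an all-ones/all-zeros mask instead of
 * an "if (t >= m)" branch whose timing would reveal whether the
 * subtraction happened. Requires n <= NLIMBS. */
void mont_final_sub_ct(limb_t *r, const limb_t *t, const limb_t *m, size_t n)
{
    limb_t diff[NLIMBS];
    limb_t borrow = ct_sub(diff, t, m, n);
    /* mask = 0xFFFFFFFF when t >= m (no borrow), 0 when t < m */
    limb_t mask = (limb_t)0 - (limb_t)(borrow ^ 1);
    for (size_t i = 0; i < n; i++)
        r[i] = (diff[i] & mask) | (t[i] & ~mask);
}

/* Constant-time "is the value zero" check: returns 1 or 0 without
 * branching on the limb contents (the same idea as removing the
 * conditional branch from BN_is_bit_set()). */
int ct_is_zero(const limb_t *a, size_t n)
{
    limb_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= a[i];
    /* (acc | -acc) has its top bit set iff acc != 0 */
    return (int)(1 ^ ((acc | ((limb_t)0 - acc)) >> 31));
}

int main(void)
{
    limb_t m[NLIMBS] = {7, 0, 0, 0};   /* constructed sample modulus */
    limb_t t[NLIMBS] = {12, 0, 0, 0};  /* constructed sample input, m <= t < 2m */
    limb_t r[NLIMBS];
    mont_final_sub_ct(r, t, m, NLIMBS); /* r = 12 - 7 = 5 */
    return r[0] == 5 ? 0 : 1;
}
```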
   *Bodo Moeller*

 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
   not complete and could lead to a possible single byte overflow
   ([CVE-2007-5135]) [Ben Laurie]

### Changes between 0.9.8d and 0.9.8e [23 Feb 2007]

 * Since AES128 and AES256 (and similarly Camellia128 and
   Camellia256) share a single mask bit in the logic of
   ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   kludge to work properly if AES128 is available and AES256 isn't
   (or if Camellia128 is available and Camellia256 isn't).

   *Victor Duchovni*

 * Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
   (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
   When a point or a seed is encoded in a BIT STRING, we need to
   prevent the removal of trailing zero bits to get the proper DER
   encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
   of a NamedBitList, for which trailing 0 bits need to be removed.)

   *Bodo Moeller*

 * Have SSL/TLS server implementation tolerate "mismatched" record
   protocol version while receiving ClientHello even if the
   ClientHello is fragmented. (The server can't insist on the
   particular protocol version it has chosen before the ServerHello
   message has informed the client about its choice.)

   *Bodo Moeller*

 * Add RFC 3779 support.

   *Rob Austein for ARIN, Ben Laurie*

 * Load error codes if they are not already present instead of using a
   static variable. This allows them to be cleanly unloaded and reloaded.
   Improve header file function name parsing.

   *Steve Henson*

 * Extend SMTP and IMAP protocol emulation in s_client to use EHLO
   or CAPABILITY handshake as required by RFCs.
   *Goetz Babin-Ebell*

### Changes between 0.9.8c and 0.9.8d [28 Sep 2006]

 * Introduce limits to prevent malicious keys being able to
   cause a denial of service. ([CVE-2006-2940])

   *Steve Henson, Bodo Moeller*

 * Fix ASN.1 parsing of certain invalid structures that can result
   in a denial of service. ([CVE-2006-2937]) [Steve Henson]

 * Fix buffer overflow in SSL_get_shared_ciphers() function.
   ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]

 * Fix SSL client code which could crash if connecting to a
   malicious SSLv2 server. ([CVE-2006-4343])

   *Tavis Ormandy and Will Drewry, Google Security Team*

 * Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
   match only those. Before that, "AES256-SHA" would be interpreted
   as a pattern and match "AES128-SHA" too (since AES128-SHA got
   the same strength classification in 0.9.7h) as we currently only
   have a single AES bit in the ciphersuite description bitmap.
   That change, however, also applied to ciphersuite strings such as
   "RC4-MD5" that intentionally matched multiple ciphersuites --
   namely, SSL 2.0 ciphersuites in addition to the more common ones
   from SSL 3.0/TLS 1.0.

   So we change the selection algorithm again: Naming an explicit
   ciphersuite selects this one ciphersuite, and any other similar
   ciphersuite (same bitmap) from *other* protocol versions.
   Thus, "RC4-MD5" again will properly select both the SSL 2.0
   ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

   Since SSL 2.0 does not have any ciphersuites for which the
   128/256 bit distinction would be relevant, this works for now.
   The proper fix will be to use different bits for AES128 and
   AES256, which would have avoided the problems from the beginning;
   however, bits are scarce, so we can only do this in a new release
   (not just a patchlevel) when we can change the SSL_CIPHER
   definition to split the single 'unsigned long mask' bitmap into
   multiple values to extend the available space.

   *Bodo Moeller*

### Changes between 0.9.8b and 0.9.8c [05 Sep 2006]

 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
   ([CVE-2006-4339]) [Ben Laurie and Google Security Team]

 * Add AES IGE and biIGE modes.

   *Ben Laurie*

 * Change the Unix randomness entropy gathering to use poll() when
   possible instead of select(), since the latter has some
   undesirable limitations.

   *Darryl Miles via Richard Levitte and Bodo Moeller*

 * Disable "ECCdraft" ciphersuites more thoroughly. Now special
   treatment in ssl/ssl_ciph.c makes sure that these ciphersuites
   cannot be implicitly activated as part of, e.g., the "AES" alias.
   However, please upgrade to OpenSSL 0.9.9[-dev] for
   non-experimental use of the ECC ciphersuites to get TLS extension
   support, which is required for curve and point format negotiation
   to avoid potential handshake problems.

   *Bodo Moeller*

 * Disable rogue ciphersuites:

   - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
   - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
   - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

   The latter two were purportedly from
   draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
   appear there.

   Also deactivate the remaining ciphersuites from
   draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
   unofficial, and the ID has long expired.
   *Bodo Moeller*

 * Fix RSA blinding Heisenbug (problems sometimes occurred on
   dual-core machines) and other potential thread-safety issues.

   *Bodo Moeller*

 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
   versions), which is now available for royalty-free use
   (see <http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html>).
   Also, add Camellia TLS ciphersuites from RFC 4132.

   To minimize changes between patchlevels in the OpenSSL 0.9.8
   series, Camellia remains excluded from compilation unless OpenSSL
   is configured with 'enable-camellia'.

   *NTT*

 * Disable the padding bug check when compression is in use. The padding
   bug check assumes the first packet is of even length; this is not
   necessarily true if compression is enabled and can result in false
   positives causing handshake failure. The actual bug test is ancient
   code, so it is hoped that implementations will either have fixed it by
   now or any which still have the bug do not support compression.

   *Steve Henson*

### Changes between 0.9.8a and 0.9.8b [04 May 2006]

 * When applying a cipher rule, check to see if the string match is an
   explicit cipher suite and only match that one cipher suite if it is.

   *Steve Henson*

 * Link in manifests for VC++ if needed.

   *Austin Ziegler <halostatue@gmail.com>*

 * Update support for ECC-based TLS ciphersuites according to
   draft-ietf-tls-ecc-12.txt with proposed changes (but without
   TLS extensions, which are supported starting with the 0.9.9
   branch, not in the OpenSSL 0.9.8 branch).

   *Douglas Stebila*

 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
   opaque EVP_CIPHER_CTX handling.

   *Steve Henson*

 * Fixes and enhancements to zlib compression code.
   We now only use
   "zlib1.dll" and use the default `__cdecl` calling convention on Win32
   to conform with the standards mentioned here:
   <http://www.zlib.net/DLL_FAQ.txt>
   Static zlib linking now works on Windows and the new --with-zlib-include
   --with-zlib-lib options to Configure can be used to supply the location
   of the headers and library. Gracefully handle the case where the zlib
   library can't be loaded.

   *Steve Henson*

 * Several fixes and enhancements to the OID generation code. The old code
   sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
   handle numbers larger than ULONG_MAX, truncated printing and had a
   non-standard OBJ_obj2txt() behaviour.

   *Steve Henson*

 * Add support for building of engines under engine/ as shared libraries
   under VC++ build system.

   *Steve Henson*

 * Corrected the numerous bugs in the Win32 path splitter in DSO.
   Hopefully, we will not see any false combination of paths any more.

   *Richard Levitte*

### Changes between 0.9.8 and 0.9.8a [11 Oct 2005]

 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
   (part of SSL_OP_ALL). This option used to disable the
   countermeasure against man-in-the-middle protocol-version
   rollback in the SSL 2.0 server implementation, which is a bad
   idea. ([CVE-2005-2969])

   *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
   for Information Security, National Institute of Advanced Industrial
   Science and Technology [AIST], Japan)*

 * Add two functions to clear and return the verify parameter flags.

   *Steve Henson*

 * Keep cipherlists sorted in the source instead of sorting them at
   runtime, thus removing the need for a lock.

   *Nils Larsch*

 * Avoid some small subgroup attacks in Diffie-Hellman.
   *Nick Mathewson and Ben Laurie*

 * Add functions for well-known primes.

   *Nick Mathewson*

 * Extended Windows CE support.

   *Satoshi Nakamura and Andy Polyakov*

 * Initialize SSL_METHOD structures at compile time instead of during
   runtime, thus removing the need for a lock.

   *Steve Henson*

 * Make PKCS7_decrypt() work even if no certificate is supplied by
   attempting to decrypt each encrypted key in turn. Add support to
   smime utility.

   *Steve Henson*

### Changes between 0.9.7h and 0.9.8 [05 Jul 2005]

[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]

 * Add libcrypto.pc and libssl.pc for those who feel they need them.

   *Richard Levitte*

 * Change CA.sh and CA.pl so they don't bundle the CSR and the private
   key into the same file any more.

   *Richard Levitte*

 * Add initial support for Win64, both IA64 and AMD64/x64 flavors.

   *Andy Polyakov*

 * Add -utf8 command line and config file option to 'ca'.

   *Stefan <stf@udoma.org>*

 * Removed the macro des_crypt(), as it seems to conflict with some
   libraries. Use DES_crypt().

   *Richard Levitte*

 * Correct naming of the 'chil' and '4758cca' ENGINEs. This
   involves renaming the source and generated shared-libs for
   both. The engines will accept the corrected or legacy ids
   ('ncipher' and '4758_cca' respectively) when binding. NB,
   this only applies when building 'shared'.

   *Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe*

 * Add attribute functions to EVP_PKEY structure. Modify
   PKCS12_create() to recognize a CSP name attribute and
   use it. Make -CSP option work again in pkcs12 utility.
   *Steve Henson*

 * Add new functionality to the bn blinding code:

   - automatic re-creation of the BN_BLINDING parameters after
     a fixed number of uses (currently 32)
   - add new function for parameter creation
   - introduce flags to control the update behaviour of the
     BN_BLINDING parameters
   - hide BN_BLINDING structure

   Add a second BN_BLINDING slot to the RSA structure to improve
   performance when a single RSA object is shared among several
   threads.

   *Nils Larsch*

 * Add support for DTLS.

   *Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie*

 * Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
   to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file().

   *Walter Goulet*

 * Remove buggy and incomplete DH cert support from
   ssl/ssl_rsa.c and ssl/s3_both.c.

   *Nils Larsch*

 * Use SHA-1 instead of MD5 as the default digest algorithm for
   the `apps/openssl` commands.

   *Nils Larsch*

 * Compile clean with "-Wall -Wmissing-prototypes
   -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
   DEBUG_SAFESTACK must also be set.

   *Ben Laurie*

 * Change ./Configure so that certain algorithms can be disabled by default.
   The new counterpiece to "no-xxx" is "enable-xxx".

   The patented RC5 and MDC2 algorithms will now be disabled unless
   "enable-rc5" and "enable-mdc2", respectively, are specified.

   (IDEA remains enabled despite being patented. This is because IDEA
   is frequently required for interoperability, and there is no license
   fee for non-commercial use. As before, "no-idea" can be used to
   avoid this algorithm.)

   *Bodo Moeller*

 * Add processing of proxy certificates (see RFC 3820).
   This work was
   sponsored by KTH (The Royal Institute of Technology in Stockholm) and
   EGEE (Enabling Grids for E-science in Europe).

   *Richard Levitte*

 * RC4 performance overhaul on modern architectures/implementations, such
   as Intel P4, IA-64 and AMD64.

   *Andy Polyakov*

 * New utility extract-section.pl. This can be used to specify an alternative
   section number in a pod file instead of having to treat each file as
   a separate case in Makefile. This can be done by adding two lines to the
   pod file:

           =for comment openssl_section:XXX

   The blank line is mandatory.

   *Steve Henson*

 * New arguments -certform, -keyform and -pass for s_client and s_server
   to allow alternative format key and certificate files and passphrase
   sources.

   *Steve Henson*

 * New structure X509_VERIFY_PARAM which combines current verify parameters,
   update associated structures and add various utility functions.

   Add new policy related verify parameters, include policy checking in
   standard verify code. Enhance 'smime' application with extra parameters
   to support policy checking and print out.

   *Steve Henson*

 * Add a new engine to support VIA PadLock ACE extensions in the VIA C3
   Nehemiah processors. These extensions support AES encryption in hardware
   as well as RNG (though RNG support is currently disabled).

   *Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov*

 * Deprecate `BN_[get|set]_params()` functions (they were ignored internally).

   *Geoff Thorpe*

 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.

   *Andy Polyakov and a number of other people*

 * Improved PowerPC platform support. Most notably BIGNUM assembler
   implementation contributed by IBM.
   *Suresh Chari, Peter Waltenberg, Andy Polyakov*

 * The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
   exponent rather than 'unsigned long'. There is a corresponding change to
   the new 'rsa_keygen' element of the RSA_METHOD structure.

   *Jelte Jansen, Geoff Thorpe*

 * Functionality for creating the initial serial number file is now
   moved from CA.pl to the 'ca' utility with a new option -create_serial.

   (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
   number file to 1, which is bound to cause problems. To avoid
   the problems while respecting compatibility between different 0.9.7
   patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
   CA.pl for serial number initialization. With the new release 0.9.8,
   we can fix the problem directly in the 'ca' utility.)

   *Steve Henson*

 * Reduced header interdependencies by declaring more opaque objects in
   ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
   give fewer recursive includes, which could break lazy source code - so
   this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
   developers should define this symbol when building and using openssl to
   ensure they track the recommended behaviour, interfaces, [etc], but
   backwards-compatible behaviour prevails when this isn't defined.

   *Geoff Thorpe*

 * New function X509_POLICY_NODE_print() which prints out policy nodes.

   *Steve Henson*

 * Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
   This will generate a random key of the appropriate length based on the
   cipher context. The EVP_CIPHER can provide its own random key generation
   routine to support keys of a specific form. This is used in the des and
   3des routines to generate a key of the correct parity.
   Update S/MIME
   code to use new functions and hence generate correct parity DES keys.
   Add EVP_CHECK_DES_KEY #define to return an error if the key is not
   valid (weak or incorrect parity).

   *Steve Henson*

 * Add a local set of CRLs that can be used by X509_verify_cert() as well
   as looking them up. This is useful when the verified structure may contain
   CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
   present unless the new PKCS7_NO_CRL flag is asserted.

   *Steve Henson*

 * Extend ASN1 oid configuration module. It now additionally accepts the
   syntax:

           shortName = some long name, 1.2.3.4

   *Steve Henson*

 * Reimplemented BN_CTX. There is now no more static
   limitation on the number of variables it can handle nor the depth of the
   "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
   information can now expand as required, and rather than having a single
   static array of bignums, BN_CTX now uses a linked-list of such arrays
   allowing it to expand on demand whilst maintaining the usefulness of
   BN_CTX's "bundling".

   *Geoff Thorpe*

 * Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
   to allow all RSA operations to function using a single BN_CTX.

   *Geoff Thorpe*

 * Preliminary support for certificate policy evaluation and checking. This
   is initially intended to pass the tests outlined in "Conformance Testing
   of Relying Party Client Certificate Path Processing Logic" v1.07.

   *Steve Henson*

 * bn_dup_expand() has been deprecated; it was introduced in 0.9.7 and
   remained unused and not that useful. A variety of other little bignum
   tweaks and fixes have also been made continuing on from the audit (see
   below).
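   Added illustration (editor's example, not OpenSSL's DES code) of the two
   checks behind the EVP_CHECK_DES_KEY entry above: setting and verifying
   per-byte odd parity on an 8-byte DES key, and rejecting the four DES weak
   keys. The return-code names are choices of the example; the test below
   also shows that an all-zero key becomes the weak key 01 01 ... 01 once
   parity is applied, which is why a generated key must be checked, not just
   parity-fixed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DES_KEY_LEN 8

/* Return codes of des_check_key() (names chosen for this example). */
#define DES_KEY_OK         0
#define DES_KEY_BAD_PARITY 1
#define DES_KEY_WEAK       2

/* The four DES weak keys, written with odd parity. With these keys every
 * round subkey is identical, so encryption equals decryption. */
static const uint8_t des_weak_keys[4][DES_KEY_LEN] = {
    {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
    {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
    {0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
    {0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
};

/* Return b with its least significant bit chosen so the byte has an odd
 * number of 1 bits. DES discards that bit when building the key schedule,
 * so this does not change the effective 56-bit key. */
uint8_t des_odd_parity_byte(uint8_t b)
{
    uint8_t bits = (uint8_t)(b >> 1), count = 0;
    while (bits) {
        count = (uint8_t)(count + (bits & 1));
        bits = (uint8_t)(bits >> 1);
    }
    /* even count of 1s in the upper 7 bits -> set LSB, odd -> clear it */
    return (uint8_t)((b & 0xFE) | ((count & 1) ^ 1));
}

/* Rewrite every byte of a (typically random) key to odd parity. */
void des_set_odd_parity(uint8_t key[DES_KEY_LEN])
{
    for (size_t i = 0; i < DES_KEY_LEN; i++)
        key[i] = des_odd_parity_byte(key[i]);
}

/* 1 if every byte already has odd parity, 0 otherwise. */
int des_check_odd_parity(const uint8_t key[DES_KEY_LEN])
{
    for (size_t i = 0; i < DES_KEY_LEN; i++)
        if (des_odd_parity_byte(key[i]) != key[i])
            return 0;
    return 1;
}

/* 1 if the key is one of the four weak keys (compared after parity). */
int des_is_weak_key(const uint8_t key[DES_KEY_LEN])
{
    for (size_t i = 0; i < 4; i++)
        if (memcmp(key, des_weak_keys[i], DES_KEY_LEN) == 0)
            return 1;
    return 0;
}

/* Combined check in the spirit of EVP_CHECK_DES_KEY: parity first, so the
 * weak-key comparison only ever sees canonical odd-parity bytes. */
int des_check_key(const uint8_t key[DES_KEY_LEN])
{
    if (!des_check_odd_parity(key))
        return DES_KEY_BAD_PARITY;
    if (des_is_weak_key(key))
        return DES_KEY_WEAK;
    return DES_KEY_OK;
}
```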
   *Geoff Thorpe*

 * Constify all or almost all d2i, c2i, s2i and r2i functions, along with
   associated ASN1, EVP and SSL functions and old ASN1 macros.

   *Richard Levitte*

 * BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
   and this should never fail. So the return value from the use of
   BN_set_word() (which can fail due to needless expansion) is now deprecated;
   if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.

   *Geoff Thorpe*

 * BN_CTX_get() should return zero-valued bignums, providing the same
   initialised value as BN_new().

   *Geoff Thorpe, suggested by Ulf Möller*

 * Support for inhibitAnyPolicy certificate extension.

   *Steve Henson*

 * An audit of the BIGNUM code is underway, for which debugging code is
   enabled when BN_DEBUG is defined. This makes stricter enforcements on what
   is considered valid when processing BIGNUMs, and causes execution to
   assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
   further steps are taken to deliberately pollute unused data in BIGNUM
   structures to try and expose faulty code further on. For now, openssl will
   (in its default mode of operation) continue to tolerate the inconsistent
   forms that it has tolerated in the past, but authors and packagers should
   consider trying openssl and their own applications when compiled with
   these debugging symbols defined. It will help highlight potential bugs in
   their own code, and will improve the test coverage for OpenSSL itself. At
   some point, these tighter rules will become openssl's default to improve
   maintainability, though the assert()s and other overheads will remain only
   in debugging configurations. See bn.h for more details.
   *Geoff Thorpe, Nils Larsch, Ulf Möller*

 * BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
   that can only be obtained through BN_CTX_new() (which implicitly
   initialises it). The presence of this function only made it possible
   to overwrite an existing structure (and cause memory leaks).

   *Geoff Thorpe*

 * Because of the callback-based approach for implementing LHASH as a
   template type, lh_insert() adds opaque objects to hash-tables and
   lh_doall() or lh_doall_arg() are typically used with a destructor callback
   to clean up those corresponding objects before destroying the hash table
   (and losing the object pointers). So some over-zealous constifications in
   LHASH have been relaxed so that lh_insert() does not take (nor store) the
   objects as "const" and the `lh_doall[_arg]` callback wrappers are not
   prototyped to have "const" restrictions on the object pointers they are
   given (and so aren't required to cast them away any more).

   *Geoff Thorpe*

 * The tmdiff.h API was so ugly and minimal that our own timing utility
   (speed) prefers to use its own implementation. The two implementations
   haven't been consolidated as yet (volunteers?) but the tmdiff API has had
   its object type properly exposed (MS_TM) instead of casting to/from
   `char *`. This may still change yet if someone realises MS_TM and
   `ms_time_***` aren't necessarily the greatest nomenclatures - but this is
   what was used internally to the implementation so I've used that for now.

   *Geoff Thorpe*

 * Ensure that deprecated functions do not get compiled when
   OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
   the self-tests were still using deprecated key-generation functions so
   these have been updated also.
   *Geoff Thorpe*

 * Reorganise PKCS#7 code to separate the digest location functionality
   into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
   New function PKCS7_set_digest() to set the digest type for PKCS#7
   digestedData type. Add additional code to correctly generate the
   digestedData type and add support for this type in PKCS7 initialization
   functions.

   *Steve Henson*

 * New function PKCS7_set0_type_other(), which initializes a PKCS7
   structure of type "other".

   *Steve Henson*

 * Fix prime generation loop in crypto/bn/bn_prime.pl by making
   sure the loop stops correctly and that breaking ("division by zero")
   modulus operations are not performed. The (pre-generated) prime
   table crypto/bn/bn_prime.h was already correct, but it could not be
   re-generated on some platforms because of the "division by zero"
   situation in the script.

   *Ralf S. Engelschall*

 * Update support for ECC-based TLS ciphersuites according to
   draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
   SHA-1 now is only used for "small" curves (where the
   representation of a field element takes up to 24 bytes); for
   larger curves, the field element resulting from ECDH is directly
   used as premaster secret.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
   curve secp160r1 to the tests.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Add the possibility to load symbols globally with DSO.

   *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*

 * Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
   control of the error stack.

   *Richard Levitte*

 * Add support for STORE in ENGINE.
   *Richard Levitte*

 * Add the STORE type. The intention is to provide a common interface
   to certificate and key stores, be they simple file-based stores, or
   HSM-type stores, or LDAP stores, or...
   NOTE: The code is currently UNTESTED and isn't really used anywhere.

   *Richard Levitte*

 * Add a generic structure called OPENSSL_ITEM. This can be used to
   pass a list of arguments to any function as well as provide a way
   for a function to pass data back to the caller.

   *Richard Levitte*

 * Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup()
   works like BUF_strdup() but can be used to duplicate a portion of
   a string. The copy gets NUL-terminated. BUF_memdup() duplicates
   a memory area.

   *Richard Levitte*

 * Add the function sk_find_ex() which works like sk_find(), but will
   return an index to an element even if an exact match couldn't be
   found. The index is guaranteed to point at the element where the
   searched-for key would be inserted to preserve sorting order.

   *Richard Levitte*

 * Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
   takes an extra flags argument for optional functionality. Currently,
   the following flags are defined:

           OBJ_BSEARCH_VALUE_ON_NOMATCH
           This one gets OBJ_bsearch_ex() to return a pointer to the first
           element where the comparing function returns a negative or zero
           number.

           OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
           This one gets OBJ_bsearch_ex() to return a pointer to the first
           element where the comparing function returns zero. This is useful
           if there is more than one element where the comparing function
           returns zero.
   *Richard Levitte*

 * Make it possible to create self-signed certificates with 'openssl ca'
   in such a way that the self-signed certificate becomes part of the
   CA database and uses the same mechanisms for serial number generation
   as all other certificate signing. The new flag '-selfsign' enables
   this functionality. Adapt CA.sh and CA.pl.in.

   *Richard Levitte*

 * Add functionality to check the public key of a certificate request
   against a given private key. This is useful to check that a certificate
   request can be signed by that key (self-signing).

   *Richard Levitte*

 * Make it possible to have multiple active certificates with the same
   subject in the CA index file. This is done only if the keyword
   'unique_subject' is set to 'no' in the main CA section (by default
   'CA_default') of the configuration file. The value is saved
   with the database itself in a separate index attribute file,
   named like the index file with '.attr' appended to the name.

   *Richard Levitte*

 * Generate multi-valued AVAs using '+' notation in config files for
   req and dirName.

   *Steve Henson*

 * Support for nameConstraints certificate extension.

   *Steve Henson*

 * Support for policyConstraints certificate extension.

   *Steve Henson*

 * Support for policyMappings certificate extension.

   *Steve Henson*

 * Make sure the default DSA_METHOD implementation only uses its
   dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
   and change its own handlers to be NULL so as to remove unnecessary
   indirection. This lets alternative implementations fall back to the
   default implementation more easily.

   *Geoff Thorpe*

 * Support for directoryName in GeneralName related extensions
   in config files.
   *Steve Henson*

 * Make it possible to link applications using Makefile.shared.
   Make that possible even when linking against static libraries!

   *Richard Levitte*

 * Support for single pass processing for S/MIME signing. This now
   means that S/MIME signing can be done from a pipe; in addition,
   cleartext signing (multipart/signed type) is effectively streaming
   and the signed data does not need to be all held in memory.

   This is done with a new flag PKCS7_STREAM. When this flag is set
   PKCS7_sign() only initializes the PKCS7 structure and the actual signing
   is done after the data is output (and digests calculated) in
   SMIME_write_PKCS7().

   *Steve Henson*

 * Add full support for -rpath/-R, both in shared libraries and
   applications, at least on the platforms where it's known how
   to do it.

   *Richard Levitte*

 * In crypto/ec/ec_mult.c, implement fast point multiplication with
   precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
   will now compute a table of multiples of the generator that
   makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
   faster (notably in the case of a single point multiplication,
   scalar * generator).

   *Nils Larsch, Bodo Moeller*

 * IPv6 support for certificate extensions. The various extensions
   which use the IP:a.b.c.d form can now take IPv6 addresses using the
   formats of RFC1884 2.2. IPv6 addresses are now also displayed
   correctly.

   *Steve Henson*

 * Added an ENGINE that implements RSA by performing private key
   exponentiations with the GMP library. The conversions to and from
   GMP's mpz_t format aren't optimised nor are any montgomery forms
   cached, and on x86 it appears OpenSSL's own performance has caught up.
   However there are likely to be other architectures where GMP could
   provide a boost. This ENGINE is not built in by default, but it can be
   specified at Configure time and should be accompanied by the necessary
   linker additions, eg;
       ./config -DOPENSSL_USE_GMP -lgmp

   *Geoff Thorpe*

 * "openssl engine" will not display ENGINE/DSO load failure errors when
   testing availability of engines with "-t" - the old behaviour is
   produced by increasing the feature's verbosity with "-tt".

   *Geoff Thorpe*

 * ECDSA routines: under certain error conditions uninitialized BN objects
   could be freed. Solution: make sure initialization is performed early
   enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
   via PR#459)

   *Lutz Jaenicke*

 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
   and DH_METHOD (eg. by ENGINE implementations) to override the normal
   software implementations. For DSA and DH, parameter generation can
   also be overridden by providing the appropriate method callbacks.

   *Geoff Thorpe*

 * Change the "progress" mechanism used in key-generation and
   primality testing to functions that take a new BN_GENCB pointer in
   place of callback/argument pairs. The new API functions have `_ex`
   postfixes and the older functions are reimplemented as wrappers for
   the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
   declarations of the old functions to help (graceful) attempts to
   migrate to the new functions. Also, the new key-generation API
   functions operate on a caller-supplied key-structure and return
   success/failure rather than returning a key or NULL - this is to
   help make "keygen" another member function of RSA_METHOD etc.

   Example for using the new callback interface:

       int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
       void *my_arg = ...;
       BN_GENCB my_cb;

       BN_GENCB_set(&my_cb, my_callback, my_arg);

       /* pass the BN_GENCB that was just set up (not an unrelated 'cb') */
       return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &my_cb);
       /* For the meaning of a, b in calls to my_callback(), see the
        * documentation of the function that calls the callback.
        * cb will point to my_cb; my_arg can be retrieved as cb->arg.
        * my_callback should return 1 if it wants BN_is_prime_ex()
        * to continue, or 0 to stop.
        */

   *Geoff Thorpe*

 * Change the ZLIB compression method to be stateful, and make it
   available to TLS with the number defined in
   draft-ietf-tls-compression-04.txt.

   *Richard Levitte*

 * Add the ASN.1 structures and functions for CertificatePair, which
   is defined as follows (according to X.509_4thEditionDraftV6.pdf):

       CertificatePair ::= SEQUENCE {
           forward [0] Certificate OPTIONAL,
           reverse [1] Certificate OPTIONAL,
           -- at least one of the pair shall be present -- }

   Also implement the PEM functions to read and write certificate
   pairs, and define the PEM tag as "CERTIFICATE PAIR".

   This needed to be defined, mostly for the sake of the LDAP
   attribute crossCertificatePair, but may prove useful elsewhere as
   well.

   *Richard Levitte*

 * Make it possible to inhibit symlinking of shared libraries in
   Makefile.shared, for Cygwin's sake.

   *Richard Levitte*

 * Extend the BIGNUM API by creating a function
       void BN_set_negative(BIGNUM *a, int neg);
   and a macro that behaves like
       int BN_is_negative(const BIGNUM *a);

   to avoid the need to access 'a->neg' directly in applications.

   *Nils Larsch*

 * Implement fast modular reduction for pseudo-Mersenne primes
   used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
   EC_GROUP_new_curve_GFp() will now automatically use this
   if applicable.

   *Nils Larsch <nla@trustcenter.de>*

 * Add new lock type (CRYPTO_LOCK_BN).

   *Bodo Moeller*

 * Change the ENGINE framework to automatically load engines
   dynamically from specific directories unless they could be
   found to already be built in or loaded. Move all the
   current engines except for the cryptodev one to a new
   directory engines/.
   The engines in engines/ are built as shared libraries if
   the "shared" option was given to ./Configure or ./config.
   Otherwise, they are inserted in libcrypto.a.
   /usr/local/ssl/engines is the default directory for dynamic
   engines, but that can be overridden at configure time through
   the usual use of --prefix and/or --openssldir, and at run
   time with the environment variable OPENSSL_ENGINES.

   *Geoff Thorpe and Richard Levitte*

 * Add Makefile.shared, a helper makefile to build shared
   libraries. Adapt Makefile.org.

   *Richard Levitte*

 * Add version info to Win32 DLLs.

   *Peter 'Luna' Runestig <peter@runestig.com>*

 * Add new 'medium level' PKCS#12 API. Certificates and keys
   can be added using this API to create arbitrary PKCS#12
   files while avoiding the low-level API.

   New options to PKCS12_create(): key or cert can be NULL and
   will then be omitted from the output file. The encryption
   algorithm NIDs can be set to -1 for no encryption, the mac
   iteration count can be set to 0 to omit the mac.

   Enhance pkcs12 utility by making the -nokeys and -nocerts
   options work when creating a PKCS#12 file.
   New option -nomac
   to omit the mac, NONE can be set for an encryption algorithm.
   New code is modified to use the enhanced PKCS12_create()
   instead of the low-level API.

   *Steve Henson*

 * Extend ASN1 encoder to support indefinite length constructed
   encoding. This can output sequence tags and octet strings in
   this form. Modify pk7_asn1.c to support indefinite length
   encoding. This is experimental and needs additional code to
   be useful, such as an ASN1 bio and some enhanced streaming
   PKCS#7 code.

   Extend template encode functionality so that tagging is passed
   down to the template encoder.

   *Steve Henson*

 * Let 'openssl req' fail if an argument to '-newkey' is not
   recognized instead of using RSA as a default.

   *Bodo Moeller*

 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
   As these are not official, they are not included in "ALL";
   the "ECCdraft" ciphersuite group alias can be used to select them.

   *Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)*

 * Add ECDH engine support.

   *Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add ECDH in new directory crypto/ecdh/.

   *Douglas Stebila (Sun Microsystems Laboratories)*

 * Let BN_rand_range() abort with an error after 100 iterations
   without success (which indicates a broken PRNG).

   *Bodo Moeller*

 * Change BN_mod_sqrt() so that it verifies that the input value
   is really the square of the return value. (Previously,
   BN_mod_sqrt would show GIGO behaviour.)

   *Bodo Moeller*

 * Add named elliptic curves over binary fields from X9.62, SECG,
   and WAP/WTLS; add OIDs that were still missing.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Extend the EC library for elliptic curves over binary fields
   (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
   New EC_METHOD:

       EC_GF2m_simple_method

   New API functions:

       EC_GROUP_new_curve_GF2m
       EC_GROUP_set_curve_GF2m
       EC_GROUP_get_curve_GF2m
       EC_POINT_set_affine_coordinates_GF2m
       EC_POINT_get_affine_coordinates_GF2m
       EC_POINT_set_compressed_coordinates_GF2m

   Point compression for binary fields is disabled by default for
   patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
   enable it).

   As binary polynomials are represented as BIGNUMs, various members
   of the EC_GROUP and EC_POINT data structures can be shared
   between the implementations for prime fields and binary fields;
   the above `..._GF2m` functions (except for EC_GROUP_new_curve_GF2m)
   are essentially identical to their `..._GFp` counterparts.
   (For simplicity, the `..._GFp` prefix has been dropped from
   various internal method names.)

   An internal 'field_div' method (similar to 'field_mul' and
   'field_sqr') has been added; this is used only for binary fields.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
   through methods ('mul', 'precompute_mult').

   The generic implementations (now internally called 'ec_wNAF_mul'
   and 'ec_wNAF_precomputed_mult') remain the default if these
   methods are undefined.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * New function EC_GROUP_get_degree, which is defined through
   EC_METHOD. For curves over prime fields, this returns the bit
   length of the modulus.

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * New functions EC_GROUP_dup, EC_POINT_dup.
   (These simply call ..._new and ..._copy).

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
   Polynomials are represented as BIGNUMs (where the sign bit is not
   used) in the following functions [macros]:

       BN_GF2m_add
       BN_GF2m_sub              [= BN_GF2m_add]
       BN_GF2m_mod              [wrapper for BN_GF2m_mod_arr]
       BN_GF2m_mod_mul          [wrapper for BN_GF2m_mod_mul_arr]
       BN_GF2m_mod_sqr          [wrapper for BN_GF2m_mod_sqr_arr]
       BN_GF2m_mod_inv
       BN_GF2m_mod_exp          [wrapper for BN_GF2m_mod_exp_arr]
       BN_GF2m_mod_sqrt         [wrapper for BN_GF2m_mod_sqrt_arr]
       BN_GF2m_mod_solve_quad   [wrapper for BN_GF2m_mod_solve_quad_arr]
       BN_GF2m_cmp              [= BN_ucmp]

   (Note that only the 'mod' functions are actually for fields GF(2^m).
   BN_GF2m_add() is a misnomer, but this is for the sake of consistency.)

   For some functions, the irreducible polynomial defining a
   field can be given as an 'unsigned int[]' with strictly
   decreasing elements giving the indices of those bits that are set;
   i.e., p[] represents the polynomial
       f(t) = t^p[0] + t^p[1] + ... + t^p[k]
   where
       p[0] > p[1] > ... > p[k] = 0.
   This applies to the following functions:

       BN_GF2m_mod_arr
       BN_GF2m_mod_mul_arr
       BN_GF2m_mod_sqr_arr
       BN_GF2m_mod_inv_arr          [wrapper for BN_GF2m_mod_inv]
       BN_GF2m_mod_div_arr          [wrapper for BN_GF2m_mod_div]
       BN_GF2m_mod_exp_arr
       BN_GF2m_mod_sqrt_arr
       BN_GF2m_mod_solve_quad_arr
       BN_GF2m_poly2arr
       BN_GF2m_arr2poly

   Conversion can be performed by the following functions:

       BN_GF2m_poly2arr
       BN_GF2m_arr2poly

   bntest.c has additional tests for binary polynomial arithmetic.

   Two implementations for BN_GF2m_mod_div() are available.
   The default algorithm simply uses BN_GF2m_mod_inv() and
   BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
   if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
   copyright notice in crypto/bn/bn_gf2m.c before enabling it).

   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*

 * Add new error code 'ERR_R_DISABLED' that can be used when some
   functionality is disabled at compile-time.

   *Douglas Stebila <douglas.stebila@sun.com>*

 * Change default behaviour of 'openssl asn1parse' so that more
   information is visible when viewing, e.g., a certificate:

   Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
   mode the content of non-printable OCTET STRINGs is output in a
   style similar to INTEGERs, but with '[HEX DUMP]' prepended to
   avoid the appearance of a printable string.

   *Nils Larsch <nla@trustcenter.de>*

 * Add 'asn1_flag' and 'asn1_form' members to EC_GROUP with access
   functions
       EC_GROUP_set_asn1_flag()
       EC_GROUP_get_asn1_flag()
       EC_GROUP_set_point_conversion_form()
       EC_GROUP_get_point_conversion_form()
   These control ASN1 encoding details:
   - Curves (i.e., groups) are encoded explicitly unless asn1_flag
     has been set to OPENSSL_EC_NAMED_CURVE.
   - Points are encoded in uncompressed form by default; options for
     asn1_form are as for point2oct, namely
         POINT_CONVERSION_COMPRESSED
         POINT_CONVERSION_UNCOMPRESSED
         POINT_CONVERSION_HYBRID

   Also add 'seed' and 'seed_len' members to EC_GROUP with access
   functions
       EC_GROUP_set_seed()
       EC_GROUP_get0_seed()
       EC_GROUP_get_seed_len()
   This is used only for ASN1 purposes (so far).

   *Nils Larsch <nla@trustcenter.de>*

 * Add 'field_type' member to EC_METHOD, which holds the NID
   of the appropriate field type OID. The new function
   EC_METHOD_get_field_type() returns this value.

   *Nils Larsch <nla@trustcenter.de>*

 * Add functions
       EC_POINT_point2bn()
       EC_POINT_bn2point()
       EC_POINT_point2hex()
       EC_POINT_hex2point()
   providing useful interfaces to EC_POINT_point2oct() and
   EC_POINT_oct2point().

   *Nils Larsch <nla@trustcenter.de>*

 * Change internals of the EC library so that the functions
       EC_GROUP_set_generator()
       EC_GROUP_get_generator()
       EC_GROUP_get_order()
       EC_GROUP_get_cofactor()
   are implemented directly in crypto/ec/ec_lib.c and not dispatched
   to methods, which would lead to unnecessary code duplication when
   adding different types of curves.

   *Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller*

 * Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
   arithmetic, and such that modified wNAFs are generated
   (which avoid length expansion in many cases).

   *Bodo Moeller*

 * Add a function EC_GROUP_check_discriminant() (defined via
   EC_METHOD) that verifies that the curve discriminant is non-zero.

   Add a function EC_GROUP_check() that makes some sanity tests
   on an EC_GROUP, its generator and order. This includes
   EC_GROUP_check_discriminant().

   *Nils Larsch <nla@trustcenter.de>*

 * Add ECDSA in new directory crypto/ecdsa/.

   Add applications 'openssl ecparam' and 'openssl ecdsa'
   (these are based on 'openssl dsaparam' and 'openssl dsa').

   ECDSA support is also included in various other files across the
   library. Most notably,
   - 'openssl req' now has a '-newkey ecdsa:file' option;
   - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
   - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
     d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
     them suitable for ECDSA where domain parameters must be
     extracted before the specific public key;
   - ECDSA engine support has been added.

   *Nils Larsch <nla@trustcenter.de>*

 * Include some named elliptic curves, and add OIDs from X9.62,
   SECG, and WAP/WTLS. Each curve can be obtained from the new
   function
       EC_GROUP_new_by_curve_name(),
   and the list of available named curves can be obtained with
       EC_get_builtin_curves().
   Also add a 'curve_name' member to EC_GROUP objects, which can be
   accessed via
       EC_GROUP_set_curve_name()
       EC_GROUP_get_curve_name()

   *Nils Larsch <larsch@trustcenter.de>, Bodo Moeller*

 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   was actually never needed) and in BN_mul(). The removal in BN_mul()
   required a small change in bn_mul_part_recursive() and the addition
   of the functions bn_cmp_part_words(), bn_sub_part_words() and
   bn_add_part_words(), which do the same thing as bn_cmp_words(),
   bn_sub_words() and bn_add_words() except they take arrays with
   differing sizes.

   *Richard Levitte*

### Changes between 0.9.7l and 0.9.7m [23 Feb 2007]

 * Cleanse PEM buffers before freeing them since they may contain
   sensitive data.

   *Benjamin Bennett <ben@psc.edu>*

 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
   a ciphersuite string such as "DEFAULT:RSA" cannot enable
   authentication-only ciphersuites.

   *Bodo Moeller*

 * Since AES128 and AES256 share a single mask bit in the logic of
   ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   kludge to work properly if AES128 is available and AES256 isn't.

   *Victor Duchovni*

 * Expand security boundary to match 1.1.1 module.

   *Steve Henson*

 * Remove redundant features: hash file source, editing of test vectors;
   modify fipsld to use external fips_premain.c signature.

   *Steve Henson*

 * New perl script mkfipsscr.pl to create shell scripts or batch files to
   run algorithm test programs.

   *Steve Henson*

 * Make algorithm test programs more tolerant of whitespace.

   *Steve Henson*

 * Have SSL/TLS server implementation tolerate "mismatched" record
   protocol version while receiving ClientHello even if the
   ClientHello is fragmented. (The server can't insist on the
   particular protocol version it has chosen before the ServerHello
   message has informed the client about his choice.)

   *Bodo Moeller*

 * Load error codes if they are not already present instead of using a
   static variable. This allows them to be cleanly unloaded and reloaded.

   *Steve Henson*

### Changes between 0.9.7k and 0.9.7l [28 Sep 2006]

 * Introduce limits to prevent malicious keys being able to
   cause a denial of service. ([CVE-2006-2940])

   *Steve Henson, Bodo Moeller*

 * Fix ASN.1 parsing of certain invalid structures that can result
   in a denial of service. ([CVE-2006-2937]) [Steve Henson]

 * Fix buffer overflow in SSL_get_shared_ciphers() function.
   ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]

 * Fix SSL client code which could crash if connecting to a
   malicious SSLv2 server. ([CVE-2006-4343])

   *Tavis Ormandy and Will Drewry, Google Security Team*

 * Change ciphersuite string processing so that an explicit
   ciphersuite selects this one ciphersuite (so that "AES256-SHA"
   will no longer include "AES128-SHA"), and any other similar
   ciphersuite (same bitmap) from *other* protocol versions (so that
   "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
   SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining
   changes from 0.9.8b and 0.9.8d.

   *Bodo Moeller*

### Changes between 0.9.7j and 0.9.7k [05 Sep 2006]

 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
   ([CVE-2006-4339]) [Ben Laurie and Google Security Team]

 * Change the Unix randomness entropy gathering to use poll() when
   possible instead of select(), since the latter has some
   undesirable limitations.

   *Darryl Miles via Richard Levitte and Bodo Moeller*

 * Disable rogue ciphersuites:

   - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
   - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
   - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

   The latter two were purportedly from
   draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
   appear there.

   Also deactivate the remaining ciphersuites from
   draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
   unofficial, and the ID has long expired.

   *Bodo Moeller*

 * Fix RSA blinding Heisenbug (problems sometimes occurred on
   dual-core machines) and other potential thread-safety issues.

   *Bodo Moeller*

### Changes between 0.9.7i and 0.9.7j [04 May 2006]

 * Adapt fipsld and the build system to link against the validated FIPS
   module in FIPS mode.

   *Steve Henson*

 * Fixes for VC++ 2005 build under Windows.

   *Steve Henson*

 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
   from a Windows bash shell such as MSYS. It is autodetected from the
   "config" script when run from a VC++ environment. Modify standard VC++
   build to use fipscanister.o from the GNU make build.

   *Steve Henson*

### Changes between 0.9.7h and 0.9.7i [14 Oct 2005]

 * Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
   The value now differs depending on if you build for FIPS or not.
   BEWARE! A program linked with a shared FIPSed libcrypto can't be
   safely run with a non-FIPSed libcrypto, as it may crash because of
   the difference induced by this change.

   *Andy Polyakov*

### Changes between 0.9.7g and 0.9.7h [11 Oct 2005]

 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
   (part of SSL_OP_ALL). This option used to disable the
   countermeasure against man-in-the-middle protocol-version
   rollback in the SSL 2.0 server implementation, which is a bad
   idea. ([CVE-2005-2969])

   *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
   for Information Security, National Institute of Advanced Industrial
   Science and Technology [AIST, Japan])*

 * Minimal support for X9.31 signatures and PSS padding modes. This is
   mainly for FIPS compliance and not fully integrated at this stage.

   *Steve Henson*

 * For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
   the exponentiation using a fixed-length exponent. (Otherwise,
   the information leaked through timing could expose the secret key
   after many signatures; cf. Bleichenbacher's attack on DSA with
   biased k.)

   *Bodo Moeller*

 * Make a new fixed-window mod_exp implementation the default for
   RSA, DSA, and DH private-key operations so that the sequence of
   squares and multiplies and the memory access pattern are
   independent of the particular secret key. This will mitigate
   cache-timing and potential related attacks.

   BN_mod_exp_mont_consttime() is the new exponentiation implementation,
   and this is automatically used by BN_mod_exp_mont() if the new flag
   BN_FLG_EXP_CONSTTIME is set for the exponent.
   RSA, DSA, and DH
   will use this BN flag for private exponents unless the flag
   RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
   DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.

   *Matthew D Wood (Intel Corp), with some changes by Bodo Moeller*

 * Change the client implementation for SSLv23_method() and
   SSLv23_client_method() so that it uses the SSL 3.0/TLS 1.0
   Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
   (Previously, the SSL 2.0 backwards compatible Client Hello
   message format would be used even with SSL_OP_NO_SSLv2.)

   *Bodo Moeller*

 * Add support for smime-type MIME parameter in S/MIME messages which some
   clients need.

   *Steve Henson*

 * New function BN_MONT_CTX_set_locked() to set Montgomery parameters in
   a threadsafe manner. Modify rsa code to use new function and add calls
   to dsa and dh code (which had race conditions before).

   *Steve Henson*

 * Include the fixed error library code in the C error file definitions
   instead of fixing them up at runtime. This keeps the error code
   structures constant.

   *Steve Henson*

### Changes between 0.9.7f and 0.9.7g [11 Apr 2005]

[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]

 * Fixes for newer kerberos headers. NB: the casts are needed because
   the 'length' field is signed on one version and unsigned on another
   with no (?) obvious way to tell the difference; without these VC++
   complains. Also the "definition" of FAR (blank) is no longer included
   nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
   some needed definitions.

   *Steve Henson*

 * Undo Cygwin change.

   *Ulf Möller*

 * Added support for proxy certificates according to RFC 3820.
   Because they may be a security threat to unaware applications,
   they must be explicitly allowed at run-time. See
   docs/HOWTO/proxy_certificates.txt for further information.

   *Richard Levitte*

### Changes between 0.9.7e and 0.9.7f [22 Mar 2005]

 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
   server and client random values. Previously
   (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
   less random data when sizeof(time_t) > 4 (some 64 bit platforms).

   This change has negligible security impact because:

   1. Server and client random values still have 24 bytes of pseudo random
      data.

   2. Server and client random values are sent in the clear in the initial
      handshake.

   3. The master secret is derived using the premaster secret (48 bytes in
      size for static RSA ciphersuites) as well as the client and server
      random values.

   The OpenSSL team would like to thank the UK NISCC for bringing this issue
   to our attention.

   *Stephen Henson, reported by UK NISCC*

 * Use Windows randomness collection on Cygwin.

   *Ulf Möller*

 * Fix hang in EGD/PRNGD query when communication socket is closed
   prematurely by EGD/PRNGD.

   *Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014*

 * Prompt for pass phrases when appropriate for PKCS12 input format.

   *Steve Henson*

 * Back-port of selected performance improvements from development
   branch, as well as improved support for PowerPC platforms.

   *Andy Polyakov*

 * Add lots of checks for memory allocation failure, error codes to indicate
   failure and freeing up memory if a failure occurs.

   *Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson*

 * Add new -passin argument to dgst.

   *Steve Henson*

 * Perform some character comparisons of different types in X509_NAME_cmp:
   this is needed for some certificates that re-encode DNs into UTF8Strings
   (in violation of RFC3280) and can't or won't issue name rollover
   certificates.

   *Steve Henson*

 * Make an explicit check during certificate validation to see that
   the CA setting in each certificate on the chain is correct. As a
   side effect always do the following basic checks on extensions,
   not just when there's an associated purpose to the check:

   - if there is an unhandled critical extension (unless the user
     has chosen to ignore this fault)
   - if the path length has been exceeded (if one is set at all)
   - that certain extensions fit the associated purpose (if one has
     been given)

   *Richard Levitte*

### Changes between 0.9.7d and 0.9.7e [25 Oct 2004]

 * Avoid a race condition when CRLs are checked in a multi-threaded
   environment. This would happen due to the reordering of the revoked
   entries during signature checking and serial number lookup. Now the
   encoding is cached and the serial number sort performed under a lock.
   Add new STACK function sk_is_sorted().

   *Steve Henson*

 * Add Delta CRL to the extension code.

   *Steve Henson*

 * Various fixes to s3_pkt.c so alerts are sent properly.

   *David Holmes <d.holmes@f5.com>*

 * Reduce the chances of duplicate issuer name and serial numbers (in
   violation of RFC3280) using the OpenSSL certificate creation utilities.
   This is done by creating a random 64 bit value for the initial serial
   number when a serial number file is created or when a self signed
   certificate is created using 'openssl req -x509'.
   The initial serial
   number file is created using 'openssl x509 -next_serial' in CA.pl
   rather than being initialized to 1.

   *Steve Henson*

### Changes between 0.9.7c and 0.9.7d [17 Mar 2004]

 * Fix null-pointer assignment in do_change_cipher_spec() revealed
   by using the Codenomicon TLS Test Tool ([CVE-2004-0079])

   *Joe Orton, Steve Henson*

 * Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
   ([CVE-2004-0112])

   *Joe Orton, Steve Henson*

 * Make it possible to have multiple active certificates with the same
   subject in the CA index file. This is done only if the keyword
   'unique_subject' is set to 'no' in the main CA section (default
   if 'CA_default') of the configuration file. The value is saved
   with the database itself in a separate index attribute file,
   named like the index file with '.attr' appended to the name.

   *Richard Levitte*

 * X509 verify fixes. Disable broken certificate workarounds when
   X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
   keyUsage extension present. Don't accept CRLs with unhandled critical
   extensions: since verify currently doesn't process CRL extensions this
   rejects a CRL with *any* critical extensions. Add new verify error codes
   for these cases.

   *Steve Henson*

 * When creating an OCSP nonce use an OCTET STRING inside the extnValue.
   A clarification of RFC2560 will require the use of OCTET STRINGs and
   some implementations cannot handle the current raw format. Since OpenSSL
   copies and compares OCSP nonces as opaque blobs without any attempt at
   parsing them this should not create any compatibility issues.

   *Steve Henson*

 * New md flag EVP_MD_CTX_FLAG_REUSE: this allows md_data to be reused when
   calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc().
   Without
   this HMAC (and other) operations are several times slower than OpenSSL
   < 0.9.7.

   *Steve Henson*

 * Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().

   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*

 * Use the correct content when signing type "other".

   *Steve Henson*

### Changes between 0.9.7b and 0.9.7c [30 Sep 2003]

 * Fix various bugs revealed by running the NISCC test suite:

   Stop out of bounds reads in the ASN1 code when presented with
   invalid tags (CVE-2003-0543 and CVE-2003-0544).

   Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).

   If verify callback ignores invalid public key errors don't try to check
   certificate signature with the NULL public key.

   *Steve Henson*

 * New -ignore_err option in ocsp application to stop the server
   exiting on the first error in a request.

   *Steve Henson*

 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   if the server requested one: as stated in TLS 1.0 and SSL 3.0
   specifications.

   *Steve Henson*

 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   extra data after the compression methods not only for TLS 1.0
   but also for SSL 3.0 (as required by the specification).

   *Bodo Moeller; problem pointed out by Matthias Loepfe*

 * Change X509_certificate_type() to mark the key as exported/exportable
   when it's 512 *bits* long, not 512 bytes.

   *Richard Levitte*

 * Change AES_cbc_encrypt() so it outputs exact multiple of
   blocks during encryption.

   *Richard Levitte*

 * Various fixes to base64 BIO and non blocking I/O. On write
   flushes were not handled properly if the BIO retried. On read
   data was not being buffered properly and had various logic bugs.
   This also affects blocking I/O when the data being decoded is a
   certain size.

   *Steve Henson*

 * Various S/MIME bugfixes and compatibility changes:
   output correct application/pkcs7 MIME type if
   PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
   Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
   of files as .eml work). Correctly handle very long lines in MIME
   parser.

   *Steve Henson*

### Changes between 0.9.7a and 0.9.7b [10 Apr 2003]

 * Countermeasure against the Klima-Pokorny-Rosa extension of
   Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
   a protocol version number mismatch like a decryption error
   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).

   *Bodo Moeller*

 * Turn on RSA blinding by default in the default implementation
   to avoid a timing attack. Applications that don't want it can call
   RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
   They would be ill-advised to do so in most cases.

   *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller*

 * Change RSA blinding code so that it works when the PRNG is not
   seeded (in this case, the secret RSA exponent is abused as
   an unpredictable seed -- if it is not unpredictable, there
   is no point in blinding anyway). Make RSA blinding thread-safe
   by remembering the creator's thread ID in rsa->blinding and
   having all other threads use local one-time blinding factors
   (this requires more computation than sharing rsa->blinding, but
   avoids excessive locking; and if an RSA object is not shared
   between threads, blinding will still be very fast).

   *Bodo Moeller*

 * Fixed a typo bug that would cause ENGINE_set_default() to set an
   ENGINE as default for all supported algorithms irrespective of
   the 'flags' parameter.
   'flags' is now honoured, so applications
   should make sure they are passing it correctly.

   *Geoff Thorpe*

 * Target "mingw" now allows native Windows code to be generated in
   the Cygwin environment as well as with the MinGW compiler.

   *Ulf Moeller*

### Changes between 0.9.7 and 0.9.7a [19 Feb 2003]

 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
   via timing by performing a MAC computation even if incorrect
   block cipher padding has been found. This is a countermeasure
   against active attacks where the attacker has to distinguish
   between bad padding and a MAC verification error. ([CVE-2003-0078])

   *Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
   Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
   Martin Vuagnoux (EPFL, Ilion)*

 * Make the no-err option work as intended. The intention with no-err
   is not to remove the whole set of error stack handling routines from
   libcrypto; it is only intended to remove all the function name and
   reason texts, thereby removing some of the footprint that may not
   be interesting if those errors aren't displayed anyway.

   NOTE: it's still possible for any application or module to have its
   own set of error texts inserted. The routines are there, just not
   used by default when no-err is given.

   *Richard Levitte*

 * Add support for FreeBSD on IA64.

   *dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454*

 * Adjust DES_cbc_cksum() so it returns the same value as the MIT
   Kerberos function mit_des_cbc_cksum(). Before this change,
   the value returned by DES_cbc_cksum() was like the one from
   mit_des_cbc_cksum(), except the bytes were swapped.

   *Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte*

 * Allow an application to disable the automatic SSL chain building.
   Before this a rather primitive chain build was always performed in
   ssl3_output_cert_chain(): an application had no way to send the
   correct chain if the automatic operation produced an incorrect result.

   Now the chain builder is disabled if either:

   1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().

   2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.

   The reasoning behind this is that an application would not want the
   auto chain building to take place if extra chain certificates are
   present, and it might also want a means of sending no additional
   certificates (for example the chain has two certificates and the
   root is omitted).

   *Steve Henson*

 * Add the possibility to build without the ENGINE framework.

   *Steven Reddie <smr@essemer.com.au> via Richard Levitte*

 * Under Win32 gmtime() can return NULL: check return value in
   OPENSSL_gmtime(). Add error code for case where gmtime() fails.

   *Steve Henson*

 * DSA routines: under certain error conditions uninitialized BN objects
   could be freed. Solution: make sure initialization is performed early
   enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
   Nils Larsch <nla@trustcenter.de> via PR#459)

   *Lutz Jaenicke*

 * Another fix for SSLv2 session ID handling: the session ID was incorrectly
   checked on reconnect on the client side, therefore session resumption
   could still fail with a "ssl session id is different" error. This
   behaviour is masked when SSL_OP_ALL is used due to
   SSL_OP_MICROSOFT_SESS_ID_BUG being set.
   Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
   follow-up to PR #377.

   *Lutz Jaenicke*

 * IA-32 assembler support enhancements: unified ELF targets, support
   for SCO/Caldera platforms, fix for Cygwin shared build.

   *Andy Polyakov*

 * Add support for FreeBSD on sparc64. As a consequence, support for
   FreeBSD on non-x86 processors is separate from x86 processors in
   the config script, much like the NetBSD support.

   *Richard Levitte & Kris Kennaway <kris@obsecurity.org>*

### Changes between 0.9.6h and 0.9.7 [31 Dec 2002]

[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
OpenSSL 0.9.7.]

 * Fix session ID handling in SSLv2 client code: the SERVER FINISHED
   code (06) was taken as the first octet of the session ID and the last
   octet was consequently ignored. As a result SSLv2 client side session
   caching could not have worked due to the session ID mismatch between
   client and server.
   Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
   PR #377.

   *Lutz Jaenicke*

 * Change the declaration of needed Kerberos libraries to use EX_LIBS
   instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
   removed entirely.

   *Richard Levitte*

 * The hw_ncipher.c engine requires dynamic locks. Unfortunately, it
   seems that in spite of existing for more than a year, many application
   authors have done nothing to provide the necessary callbacks, which
   means that this particular engine will not work properly anywhere.
   This is a very unfortunate situation which forces us, in the name
   of usability, to give hw_ncipher.c a static lock, which is part
   of libcrypto.
   NOTE: This is for the 0.9.7 series ONLY. This hack will never
   appear in 0.9.8 or later.
   We EXPECT application authors to have
   dealt properly with this when 0.9.8 is released (unless we actually
   make such changes in the libcrypto locking code that changes will
   have to be made anyway).

   *Richard Levitte*

 * In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
   octets have been read, EOF is reached or an error occurs. Without this
   change some truncated ASN1 structures will not produce an error.

   *Steve Henson*

 * Disable Heimdal support, since it hasn't been fully implemented.
   Still give the possibility to force the use of Heimdal, but with
   warnings and a request that patches get sent to openssl-dev.

   *Richard Levitte*

 * Add the VC-CE target, introduce the WINCE sysname, and add
   INSTALL.WCE and appropriate conditionals to make it build.

   *Steven Reddie <smr@essemer.com.au> via Richard Levitte*

 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
   cygssl-x.y.z.dll, where x, y and z are the major, minor and
   edit numbers of the version.

   *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*

 * Introduce safe string copy and concatenation functions
   (BUF_strlcpy() and BUF_strlcat()).

   *Ben Laurie (CHATS) and Richard Levitte*

 * Avoid using fixed-size buffers for one-line DNs.

   *Ben Laurie (CHATS)*

 * Add BUF_MEM_grow_clean() to avoid information leakage when
   resizing buffers containing secrets, and use where appropriate.

   *Ben Laurie (CHATS)*

 * Avoid using fixed size buffers for configuration file location.

   *Ben Laurie (CHATS)*

 * Avoid filename truncation for various CA files.

   *Ben Laurie (CHATS)*

 * Use sizeof in preference to magic numbers.

   *Ben Laurie (CHATS)*

 * Avoid filename truncation in cert requests.

   *Ben Laurie (CHATS)*

 * Add assertions to check for (supposedly impossible) buffer
   overflows.

   *Ben Laurie (CHATS)*

 * Don't cache truncated DNS entries in the local cache (this could
   potentially lead to a spoofing attack).

   *Ben Laurie (CHATS)*

 * Fix various buffers to be large enough for hex/decimal
   representations in a platform independent manner.

   *Ben Laurie (CHATS)*

 * Add CRYPTO_realloc_clean() to avoid information leakage when
   resizing buffers containing secrets, and use where appropriate.

   *Ben Laurie (CHATS)*

 * Add BIO_indent() to avoid much slightly worrying code to do
   indents.

   *Ben Laurie (CHATS)*

 * Convert sprintf()/BIO_puts() to BIO_printf().

   *Ben Laurie (CHATS)*

 * buffer_gets() could terminate with the buffer only half
   full. Fixed.

   *Ben Laurie (CHATS)*

 * Add assertions to prevent user-supplied crypto functions from
   overflowing internal buffers by having large block sizes, etc.

   *Ben Laurie (CHATS)*

 * New OPENSSL_assert() macro (similar to assert(), but enabled
   unconditionally).

   *Ben Laurie (CHATS)*

 * Eliminate unused copy of key in RC4.

   *Ben Laurie (CHATS)*

 * Eliminate unused and incorrectly sized buffers for IV in pem.h.

   *Ben Laurie (CHATS)*

 * Fix off-by-one error in EGD path.

   *Ben Laurie (CHATS)*

 * If RANDFILE path is too long, ignore instead of truncating.

   *Ben Laurie (CHATS)*

 * Eliminate unused and incorrectly sized X.509 structure
   CBCParameter.

   *Ben Laurie (CHATS)*

 * Eliminate unused and dangerous function knumber().

   *Ben Laurie (CHATS)*

 * Eliminate unused and dangerous structure, KSSL_ERR.

   *Ben Laurie (CHATS)*

 * Protect against overlong session ID context length in an encoded
   session object. Since these are local, this does not appear to be
   exploitable.

   *Ben Laurie (CHATS)*

 * Change from security patch (see 0.9.6e below) that did not affect
   the 0.9.6 release series:

   Remote buffer overflow in SSL3 protocol - an attacker could
   supply an oversized master key in Kerberos-enabled versions.
   ([CVE-2002-0657])

   *Ben Laurie (CHATS)*

 * Change the SSL kerb5 codes to match RFC 2712.

   *Richard Levitte*

 * Make -nameopt work fully for req and add -reqopt switch.

   *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*

 * The "block size" for block ciphers in CFB and OFB mode should be 1.

   *Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>*

 * Make sure tests can be performed even if the corresponding algorithms
   have been removed entirely. This was also the last step to make
   OpenSSL compilable with DJGPP under all reasonable conditions.

   *Richard Levitte, Doug Kaufman <dkaufman@rahul.net>*

 * Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
   to allow version independent disabling of normally unselected ciphers,
   which may be activated as a side-effect of selecting a single cipher.

   (E.g., cipher list string "RSA" enables ciphersuites that are left
   out of "ALL" because they do not provide symmetric encryption.
   "RSA:!COMPLEMENTOFALL" avoids these unsafe ciphersuites.)

   *Lutz Jaenicke, Bodo Moeller*

 * Add appropriate support for separate platform-dependent build
   directories.
   The recommended way to make a platform-dependent
   build directory is the following (tested on Linux), maybe with
   some local tweaks:

       # Place yourself outside of the OpenSSL source tree. In
       # this example, the environment variable OPENSSL_SOURCE
       # is assumed to contain the absolute OpenSSL source directory.
       mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
       cd objtree/"`uname -s`-`uname -r`-`uname -m`"
       # Mirror the source tree as symlinks, one per file, so that
       # build output lands here and the source tree stays untouched.
       (cd "$OPENSSL_SOURCE"; find . -type f) | while read F; do
           mkdir -p "`dirname "$F"`"
           ln -s "$OPENSSL_SOURCE/$F" "$F"
       done

   To be absolutely sure not to disturb the source tree, a "make clean"
   is a good thing. If it isn't successful, don't worry about it,
   it probably means the source directory is very clean.

   *Richard Levitte*

 * Make sure any ENGINE control commands make local copies of string
   pointers passed to them whenever necessary. Otherwise it is possible
   the caller may have overwritten (or deallocated) the original string
   data when a later ENGINE operation tries to use the stored values.

   *Götz Babin-Ebell <babinebell@trustcenter.de>*

 * Improve diagnostics in file reading and command-line digests.

   *Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>*

 * Add AES modes CFB and OFB to the object database. Correct an
   error in AES-CFB decryption.

   *Richard Levitte*

 * Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c; this
   allows existing EVP_CIPHER_CTX structures to be reused after
   calling `EVP_*Final()`. This behaviour is used by encryption
   BIOs and some applications. This has the side effect that
   applications must explicitly clean up cipher contexts with
   EVP_CIPHER_CTX_cleanup() or they will leak memory.

   *Steve Henson*

 * Check the values of dna and dnb in bn_mul_recursive before calling
   bn_mul_comba (a non-zero value means the a or b arrays do not contain
   n2 elements) and fall back to bn_mul_normal if either is not zero.

   *Steve Henson*

 * Fix escaping of non-ASCII characters when using the -subj option
   of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)

   *Lutz Jaenicke*

 * Make object definitions compliant to LDAP (RFC2256): SN is the short
   form for "surname", serialNumber has no short form.
   Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
   therefore remove "mail" short name for "internet 7".
   The OID for unique identifiers in X509 certificates is
   x500UniqueIdentifier, not uniqueIdentifier.
   Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)

   *Lutz Jaenicke*

 * Add an "init" command to the ENGINE config module and auto initialize
   ENGINEs. Without any "init" command the ENGINE will be initialized
   after all ctrl commands have been executed on it. If init=1 the
   ENGINE is initialized at that point (ctrls before that point are run
   on the uninitialized ENGINE and after on the initialized one). If
   init=0 then the ENGINE will not be initialized at all.

   *Steve Henson*

 * Fix the 'app_verify_callback' interface so that the user-defined
   argument is actually passed to the callback: In the
   SSL_CTX_set_cert_verify_callback() prototype, the callback
   declaration has been changed from

       int (*cb)()

   into

       int (*cb)(X509_STORE_CTX *,void *);

   in ssl_verify_cert_chain (ssl/ssl_cert.c), the call

       i=s->ctx->app_verify_callback(&ctx)

   has been changed into

       i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).

   To update applications using SSL_CTX_set_cert_verify_callback(),
   a dummy argument can be added to their callback functions.

   *D. K. Smetters <smetters@parc.xerox.com>*

 * Added the '4758cca' ENGINE to support IBM 4758 cards.

   *Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe*

 * Add an OPENSSL_LOAD_CONF define which will cause
   OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
   This allows older applications to transparently support certain
   OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
   Two new functions, OPENSSL_add_all_algorithms_noconf() which will never
   load the config file and OPENSSL_add_all_algorithms_conf() which will
   always load it, have also been added.

   *Steve Henson*

 * Add the OFB, CFB and CTR modes (all with 128 bit feedback) to AES.
   Adjust NIDs and EVP layer.

   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*

 * Config modules support in openssl utility.

   Most commands now load modules from the config file,
   though in a few (such as version) this isn't done
   because it couldn't be used for anything.

   In the case of ca and req the config file used is
   the same as the utility itself: that is, the -config
   command line option can be used to specify an
   alternative file.

   *Steve Henson*

 * Move default behaviour from OPENSSL_config(). If appname is NULL
   use "openssl_conf"; if filename is NULL use the default openssl config
   file.

   *Steve Henson*

 * Add an argument to OPENSSL_config() to allow the use of an alternative
   config section name. Add a new flag to tolerate a missing config file
   and move code to CONF_modules_load_file().

   *Steve Henson*

 * Support for crypto accelerator cards from Accelerated Encryption
   Processing, www.aep.ie. (Use engine 'aep')
   The support was copied from 0.9.6c [engine] and adapted/corrected
   to work with the new engine framework.

   *AEP Inc. and Richard Levitte*

 * Support for SureWare crypto accelerator cards from Baltimore
   Technologies. (Use engine 'sureware')
   The support was copied from 0.9.6c [engine] and adapted
   to work with the new engine framework.

   *Richard Levitte*

 * Make the CHIL engine fork-safe (as defined by nCipher) and actually
   make the newer ENGINE framework commands for the CHIL engine work.

   *Toomas Kiisk <vix@cyber.ee> and Richard Levitte*

 * Make it possible to produce shared libraries on ReliantUNIX.

   *Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte*

 * Add the configuration target debug-linux-ppro.
   Make 'openssl rsa' use the general key loading routines
   implemented in `apps.c`, and make those routines able to
   handle the key format FORMAT_NETSCAPE and the variant
   FORMAT_IISSGC.

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Fix a crash bug and a logic bug in hwcrhk_load_pubkey().

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Add -keyform to rsautl, and document -engine.

   *Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>*

 * Change BIO_new_file (crypto/bio/bss_file.c) to use the new
   BIO_R_NO_SUCH_FILE error code rather than the generic
   ERR_R_SYS_LIB error code if fopen() fails with ENOENT.

   *Ben Laurie*

 * Add new functions

       ERR_peek_last_error
       ERR_peek_last_error_line
       ERR_peek_last_error_line_data.
   These are similar to

       ERR_peek_error
       ERR_peek_error_line
       ERR_peek_error_line_data,

   but report on the latest error recorded rather than the first one
   still in the error queue.

   *Ben Laurie, Bodo Moeller*

 * default_algorithms option in ENGINE config module. This allows things
   like:

       default_algorithms = ALL
       default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS

   *Steve Henson*

 * Preliminary ENGINE config module.

   *Steve Henson*

 * New experimental application configuration code.

   *Steve Henson*

 * Change the AES code to follow the same name structure as all other
   symmetric ciphers, and behave the same way. Move everything to
   the directory crypto/aes, thereby obsoleting crypto/rijndael.

   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*

 * SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.

   *Ben Laurie and Theo de Raadt*

 * Add option to output public keys in req command.

   *Massimiliano Pala madwolf@openca.org*

 * Use wNAFs in EC_POINTs_mul() for improved efficiency
   (up to about 10% better than before for P-192 and P-224).

   *Bodo Moeller*

 * New functions/macros

       SSL_CTX_set_msg_callback(ctx, cb)
       SSL_CTX_set_msg_callback_arg(ctx, arg)
       SSL_set_msg_callback(ssl, cb)
       SSL_set_msg_callback_arg(ssl, arg)

   to request calling a callback function

       void cb(int write_p, int version, int content_type,
               const void *buf, size_t len, SSL *ssl, void *arg)

   whenever a protocol message has been completely received
   (write_p == 0) or sent (write_p == 1). Here 'version' is the
   protocol version according to which the SSL library interprets
   the current protocol message (SSL2_VERSION, SSL3_VERSION, or
   TLS1_VERSION).
   'content_type' is 0 in the case of SSL 2.0, or
   the content type as defined in the SSL 3.0/TLS 1.0 protocol
   specification (change_cipher_spec(20), alert(21), handshake(22)).
   'buf' and 'len' point to the actual message, 'ssl' to the
   SSL object, and 'arg' is the application-defined value set by
   SSL[_CTX]_set_msg_callback_arg().

   'openssl s_client' and 'openssl s_server' have new '-msg' options
   to enable a callback that displays all protocol messages.

   *Bodo Moeller*

 * Change the shared library support so shared libraries are built as
   soon as the corresponding static library is finished, and thereby get
   openssl and the test programs linked against the shared library.
   This still only happens when the keyword "shared" has been given to
   the configuration scripts.

   NOTE: shared library support is still an experimental thing, and
   backward binary compatibility is still not guaranteed.

   *"Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte*

 * Add support for Subject Information Access extension.

   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*

 * Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
   additional bytes when new memory had to be allocated, not just
   when reusing an existing buffer.

   *Bodo Moeller*

 * New command line and configuration option 'utf8' for the req command.
   This allows field values to be specified as UTF8 strings.

   *Steve Henson*

 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
   runs for the former and machine-readable output for the latter.

   *Ben Laurie*

 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
   of the e-mail address in the DN (i.e., it will go into a certificate
   extension only).
   The new configuration file option 'email_in_dn = no'
   has the same effect.

   *Massimiliano Pala madwolf@openca.org*

 * Change all functions with names starting with `des_` to be starting
   with `DES_` instead. Add wrappers that are compatible with libdes,
   but are named `_ossl_old_des_*`. Finally, add macros that map the
   `des_*` symbols to the corresponding `_ossl_old_des_*` if libdes
   compatibility is desired. If OpenSSL 0.9.6c compatibility is
   desired, the `des_*` symbols will be mapped to `DES_*`, with one
   exception.

   Since we provide two compatibility mappings, the user needs to
   define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
   compatibility is desired. The default (i.e., when that macro
   isn't defined) is OpenSSL 0.9.6c compatibility.

   There are also macros that enable and disable the support of old
   des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
   and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
   are defined, the default will apply: to support the old des routines.

   In either case, one must include openssl/des.h to get the correct
   definitions. Do not try to just include openssl/des_old.h, that
   won't work.

   NOTE: This is a major break of an old API into a new one. Software
   authors are encouraged to switch to the `DES_` style functions. Some
   time in the future, des_old.h and the libdes compatibility functions
   will be disabled (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
   default), and then completely removed.

   *Richard Levitte*

 * Test for certificates which contain unsupported critical extensions.
   If such a certificate is found during a verify operation it is
   rejected by default: this behaviour can be overridden by either
   handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
   by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
   X509_supported_extension() has also been added which returns 1 if a
   particular extension is supported.

   *Steve Henson*

 * Modify the behaviour of EVP cipher functions in a similar way to digests
   to retain compatibility with existing code.

   *Steve Henson*

 * Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
   compatibility with existing code. In particular the 'ctx' parameter does
   not have to be initialized before the call to EVP_DigestInit() and
   it is tidied up after a call to EVP_DigestFinal(). A new function
   EVP_DigestFinal_ex() does not tidy up the ctx. Similarly,
   EVP_MD_CTX_copy() was changed to not require the destination to be
   initialized and valid, and a new function EVP_MD_CTX_copy_ex() was
   added which requires the destination to be valid.

   Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
   EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().

   *Steve Henson*

 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
   so that complete 'Handshake' protocol structures are kept in memory
   instead of overwriting 'msg_type' and 'length' with 'body' data.

   *Bodo Moeller*

 * Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.

   *Massimo Santin via Richard Levitte*

 * Major restructuring to the underlying ENGINE code. This includes
   reduction of linker bloat, separation of pure "ENGINE" manipulation
   (initialisation, etc) from functionality dealing with implementations
   of specific crypto interfaces.
   This change also introduces integrated
   support for symmetric ciphers and digest implementations - so ENGINEs
   can now accelerate these by providing EVP_CIPHER and EVP_MD
   implementations of their own. This is detailed in
   [crypto/engine/README.md](crypto/engine/README.md)
   as it couldn't be adequately described here. However, there are a few
   API changes worth noting - some RSA, DSA, DH, and RAND functions that
   were changed in the original introduction of ENGINE code have now
   reverted back - the hooking from this code to ENGINE is now a good
   deal more passive and at run-time, operations deal directly with
   RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
   dereferencing through an ENGINE pointer any more. Also, the ENGINE
   functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
   they were not being used by the framework as there is no concept of a
   BIGNUM_METHOD and they could not be generalised to the new
   'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
   ENGINE_cpy() has been removed as it cannot be consistently defined in
   the new code.

   *Geoff Thorpe*

 * Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.

   *Steve Henson*

 * Change mkdef.pl to sort symbols that get the same entry number,
   and make sure the automatically generated functions `ERR_load_*`
   become part of libeay.num as well.

   *Richard Levitte*

 * New function SSL_renegotiate_pending(). This returns true once
   renegotiation has been requested (either SSL_renegotiate() call
   or HelloRequest/ClientHello received from the peer) and becomes
   false once a handshake has been completed.
   (For servers, SSL_renegotiate() followed by SSL_do_handshake()
   sends a HelloRequest, but does not ensure that a handshake takes
   place.
   SSL_renegotiate_pending() is useful for checking if the
   client has followed the request.)

   *Bodo Moeller*

 * New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
   By default, clients may request session resumption even during
   renegotiation (if session ID contexts permit); with this option,
   session resumption is possible only in the first handshake.

   SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes
   more bits available for options that should not be part of
   SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).

   *Bodo Moeller*

 * Add some demos for certificate and certificate request creation.

   *Steve Henson*

 * Make maximum certificate chain size accepted from the peer application
   settable (`SSL*_get/set_max_cert_list()`), as proposed by
   "Douglas E. Engert" <deengert@anl.gov>.

   *Lutz Jaenicke*

 * Add support for shared libraries for Unixware-7
   (Boyd Lynn Gerber <gerberb@zenez.com>).

   *Lutz Jaenicke*

 * Add a "destroy" handler to ENGINEs that allows structural cleanup to
   be done prior to destruction. Use this to unload error strings from
   ENGINEs that load their own error strings. NB: This adds two new API
   functions to "get" and "set" this destroy handler in an ENGINE.

   *Geoff Thorpe*

 * Alter all existing ENGINE implementations (except "openssl" and
   "openbsd") to dynamically instantiate their own error strings. This
   makes them more flexible to be built both as statically-linked ENGINEs
   and self-contained shared-libraries loadable via the "dynamic" ENGINE.
   Also, add stub code to each that makes building them as self-contained
   shared-libraries easier (see [README-Engine.md](README-Engine.md)).

   *Geoff Thorpe*

 * Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
   implementations into applications that are completely implemented in
   self-contained shared-libraries. The "dynamic" ENGINE exposes control
   commands that can be used to configure what shared-library to load and
   to control aspects of the way it is handled. Also, made an update to
   the [README-Engine.md](README-Engine.md) file
   that brings its information up-to-date and
   provides some information and instructions on the "dynamic" ENGINE
   (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).

   *Geoff Thorpe*

 * Make it possible to unload ranges of ERR strings with a new
   "ERR_unload_strings" function.

   *Geoff Thorpe*

 * Add a copy() function to EVP_MD.

   *Ben Laurie*

 * Make EVP_MD routines take a context pointer instead of just the
   md_data void pointer.

   *Ben Laurie*

 * Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
   that the digest can only process a single chunk of data
   (typically because it is provided by a piece of
   hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
   is only going to provide a single chunk of data, and hence the
   framework needn't accumulate the data for oneshot drivers.

   *Ben Laurie*

 * As with "ERR", make it possible to replace the underlying "ex_data"
   functions. This change also alters the storage and management of global
   ex_data state - it's now all inside ex_data.c and all "class" code (eg.
   RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
   index counters.
   The API functions that use this state have been changed
   to take a "class_index" rather than pointers to the class's local STACK
   and counter, and there is now an API function to dynamically create new
   classes. This centralisation allows us to (a) plug a lot of the
   thread-safety problems that existed, and (b) makes it possible to clean
   up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
   such data would previously have always leaked in application code and
   workarounds were in place to make the memory debugging turn a blind eye
   to it. Application code that doesn't use this new function will still
   leak as before, but their memory debugging output will announce it now
   rather than letting it slide.

   Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
   induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
   has a return value to indicate success or failure.

   *Geoff Thorpe*

 * Make it possible to replace the underlying "ERR" functions such that the
   global state (2 LHASH tables and 2 locks) is only used by the "default"
   implementation. This change also adds two functions to "get" and "set"
   the implementation prior to it being automatically set the first time
   any other ERR function takes place. Ie. an application can call "get",
   pass the return value to a module it has just loaded, and that module
   can call its own "set" function using that value. This means the
   module's "ERR" operations will use (and modify) the error state in the
   application and not in its own statically linked copy of OpenSSL code.

   *Geoff Thorpe*

 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
   reference counts.
   This performs normal REF_PRINT/REF_CHECK macros on
   the operation, and provides a more encapsulated way for external code
   (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
   to use these functions rather than manually incrementing the counts.

   Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".

   *Geoff Thorpe*

 * Add EVP test program.

   *Ben Laurie*

 * Add symmetric cipher support to ENGINE. Expect the API to change!

   *Ben Laurie*

 * New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name(),
   X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
   X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
   These allow a CRL to be built without having to access X509_CRL fields
   directly. Modify 'ca' application to use new functions.

   *Steve Henson*

 * Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
   bug workarounds. Rollback attack detection is a security feature.
   The problem will only arise on OpenSSL servers when TLSv1 is not
   available (sslv3_server_method() or SSL_OP_NO_TLSv1).
   Software authors not wanting to support TLSv1 will have special reasons
   for their choice and can explicitly enable this option.

   *Bodo Moeller, Lutz Jaenicke*

 * Rationalise EVP so it can be extended: don't include a union of
   cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
   (similar to those existing for EVP_CIPHER_CTX).

   Usage example:

        EVP_MD_CTX md;

        EVP_MD_CTX_init(&md);             /* new function call */
        EVP_DigestInit(&md, EVP_sha1());
        EVP_DigestUpdate(&md, in, len);
        EVP_DigestFinal(&md, out, NULL);
        EVP_MD_CTX_cleanup(&md);          /* new function call */

   *Ben Laurie*

 * Make DES key schedule conform to the usual scheme, as well as
   correcting its structure. This means that calls to DES functions
   now have to pass a pointer to a des_key_schedule instead of a
   plain des_key_schedule (which was actually always a pointer
   anyway): E.g.,

        des_key_schedule ks;

        des_set_key_checked(..., &ks);
        des_ncbc_encrypt(..., &ks, ...);

   (Note that a later change renames 'des_...' into 'DES_...'.)

   *Ben Laurie*

 * Initial reduction of linker bloat: the use of some functions, such as
   PEM causes large amounts of unused functions to be linked in due to
   poor organisation. For example pem_all.c contains every PEM function
   which has a knock on effect of linking in large amounts of (unused)
   ASN1 code. Grouping together similar functions and splitting unrelated
   functions prevents this.

   *Steve Henson*

 * Cleanup of EVP macros.

   *Ben Laurie*

 * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
   correct `_ecb` suffix.

   *Ben Laurie*

 * Add initial OCSP responder support to ocsp application. The
   revocation information is handled using the text based index
   used by the ca application. The responder can either handle
   requests generated internally, supplied in files (for example
   via a CGI script) or using an internal minimal server.

   *Steve Henson*

 * Add configuration choices to get zlib compression for TLS.

   *Richard Levitte*

 * Changes to Kerberos SSL for RFC 2712 compliance:
   1.
      Implemented real KerberosWrapper, instead of just using
      KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
   2. Implemented optional authenticator field of KerberosWrapper.

   Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
   and authenticator structs; see crypto/krb5/.

   Generalized Kerberos calls to support multiple Kerberos libraries.

   *Vern Staats <staatsvr@asc.hpc.mil>, Jeffrey Altman <jaltman@columbia.edu>
   via Richard Levitte*

 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
   already does with RSA. testdsa.h now has 'priv_key/pub_key'
   values for each of the key sizes rather than having just
   parameters (and 'speed' generating keys each time).

   *Geoff Thorpe*

 * Speed up EVP routines.

   Before:

        encrypt
        type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
        des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
        des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
        des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
        decrypt
        des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
        des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
        des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k

   After:

        encrypt
        des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
        decrypt
        des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

   *Ben Laurie*

 * Added the OS2-EMX target.

   *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*

 * Rewrite commands to use `NCONF` routines instead of the old `CONF`.
   New functions to support `NCONF` routines in extension code.
   New function `CONF_set_nconf()`
   to allow functions which take an `NCONF` to also handle the old `LHASH`
   structure: this means that the old `CONF` compatible routines can be
   retained (in particular w.r.t. extensions) without having to duplicate the
   code.
   New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack.

   *Steve Henson*

 * Enhance the general user interface with mechanisms for inner control
   and with possibilities to have yes/no kind of prompts.

   *Richard Levitte*

 * Change all calls to low-level digest routines in the library and
   applications to use EVP. Add missing calls to HMAC_cleanup() and
   don't assume HMAC_CTX can be copied using memcpy().

   *Verdon Walker <VWalker@novell.com>, Steve Henson*

 * Add the possibility to control engines through control names but with
   arbitrary arguments instead of just a string.
   Change the key loaders to take a UI_METHOD instead of a callback
   function pointer. NOTE: this breaks binary compatibility with earlier
   versions of OpenSSL [engine].
   Adapt the nCipher code for these new conditions and add a card insertion
   callback.

   *Richard Levitte*

 * Enhance the general user interface with mechanisms to better support
   dialog box interfaces, application-defined prompts, the possibility
   to use defaults (for example default passwords from somewhere else)
   and interrupts/cancellations.

   *Richard Levitte*

 * Tidy up PKCS#12 attribute handling. Add support for the CSP name
   attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.

   *Steve Henson*

 * Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
   tidy up some unnecessarily weird code in 'sk_new()').

   *Geoff, reported by Diego Tartara <dtartara@novamens.com>*

 * Change the key loading routines for ENGINEs to use the same kind of
   callback (pem_password_cb) as all other routines that need this
   kind of callback.

   *Richard Levitte*

 * Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
   256 bit (=32 byte) keys.
   Of course seeding with more entropy bytes
   than this minimum value is recommended.

   *Lutz Jaenicke*

 * New random seeder for OpenVMS, using the system process statistics
   that are easily reachable.

   *Richard Levitte*

 * Windows apparently can't transparently handle global
   variables defined in DLLs. Initialisations such as:

        const ASN1_ITEM *it = &ASN1_INTEGER_it;

   won't compile. This is used by any applications that need to
   declare their own ASN1 modules. This was fixed by adding the option
   EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
   needed for static libraries under Win32.

   *Steve Henson*

 * New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
   setting of purpose and trust fields. New X509_STORE trust and
   purpose functions and tidy up setting in other SSL functions.

   *Steve Henson*

 * Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
   structure. These are inherited by X509_STORE_CTX when it is
   initialised. This allows various defaults to be set in the
   X509_STORE structure (such as flags for CRL checking and custom
   purpose or trust settings) for functions which only use X509_STORE_CTX
   internally such as S/MIME.

   Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
   trust settings if they are not set in X509_STORE. This allows X509_STORE
   purposes and trust (in S/MIME for example) to override any set by default.

   Add command line options for CRL checking to smime, s_client and s_server
   applications.

   *Steve Henson*

 * Initial CRL based revocation checking.
   If the CRL checking flag(s)
   are set then the CRL is looked up in the X509_STORE structure and
   its validity and signature checked, then if the certificate is found
   in the CRL the verify fails with a revoked error.

   Various new CRL related callbacks added to X509_STORE_CTX structure.

   Command line options added to 'verify' application to support this.

   This needs some additional work, such as being able to handle multiple
   CRLs with different times, extension based lookup (rather than just
   by subject name) and ultimately more complete V2 CRL extension
   handling.

   *Steve Henson*

 * Add a general user interface API (crypto/ui/). This is designed
   to replace things like des_read_password and friends (backward
   compatibility functions using this new API are provided).
   The purpose is to remove prompting functions from the DES code
   section as well as provide for prompting through dialog boxes in
   a window system and the like.

   *Richard Levitte*

 * Add "ex_data" support to ENGINE so implementations can add state at a
   per-structure level rather than having to store it globally.

   *Geoff*

 * Make it possible for ENGINE structures to be copied when retrieved by
   ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
   This causes the "original" ENGINE structure to act like a template,
   analogous to the RSA vs. RSA_METHOD type of separation. Because of this
   operational state can be localised to each ENGINE structure, despite the
   fact they all share the same "methods". New ENGINE structures returned in
   this case have no functional references and the return value is the single
   structural reference. This matches the single structural reference returned
   by ENGINE_by_id() normally, when it is incremented on the pre-existing
   ENGINE structure.

   *Geoff*

 * Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
   needs to match any other type at all we need to manually clear the
   tag cache.

   *Steve Henson*

 * Changes to the "openssl engine" utility to include:
   - verbosity levels ('-v', '-vv', and '-vvv') that provide information
     about an ENGINE's available control commands.
   - executing control commands from command line arguments using the
     '-pre' and '-post' switches. '-post' is only used if '-t' is
     specified and the ENGINE is successfully initialised. The syntax for
     the individual commands is colon-separated, for example:

          openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so

   *Geoff*

 * New dynamic control command support for ENGINEs. ENGINEs can now
   declare their own commands (numbers), names (strings), descriptions,
   and input types for run-time discovery by calling applications. A
   subset of these commands are implicitly classed as "executable"
   depending on their input type, and only these can be invoked through
   the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
   can be based on user input, config files, etc). The distinction is
   that "executable" commands cannot return anything other than a boolean
   result and can only support numeric or string input, whereas some
   discoverable commands may only be for direct use through
   ENGINE_ctrl(), eg. supporting the exchange of binary data, function
   pointers, or other custom uses. The "executable" commands are to
   support parameterisations of ENGINE behaviour that can be
   unambiguously defined by ENGINEs and used consistently across any
   OpenSSL-based application.
   Commands have been added to all the
   existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
   control over shared-library paths without source code alterations.

   *Geoff*

 * Changed all ENGINE implementations to dynamically allocate their
   ENGINEs rather than declaring them statically. Apart from this being
   necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
   this also allows the implementations to compile without using the
   internal engine_int.h header.

   *Geoff*

 * Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
   'const' value. Any code that should be able to modify a RAND_METHOD
   should already have non-const pointers to it (ie. they should only
   modify their own ones).

   *Geoff*

 * Made a variety of little tweaks to the ENGINE code.
   - "atalla" and "ubsec" string definitions were moved from header files
     to C code. "nuron" string definitions were placed in variables
     rather than hard-coded - allowing parameterisation of these values
     later on via ctrl() commands.
   - Removed unused "#if 0"'d code.
   - Fixed engine list iteration code so it uses ENGINE_free() to release
     structural references.
   - Constified the RAND_METHOD element of ENGINE structures.
   - Constified various get/set functions as appropriate and added
     missing functions (including a catch-all ENGINE_cpy that duplicates
     all ENGINE values onto a new ENGINE except reference counts/state).
   - Removed NULL parameter checks in get/set functions. Setting a method
     or function to NULL is a way of cancelling out a previously set
     value. Passing a NULL ENGINE parameter is just plain stupid anyway
     and doesn't justify the extra error symbols and code.
   - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
     flags from engine_int.h to engine.h.
   - Changed prototypes for ENGINE handler functions (init(), finish(),
     ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.

   *Geoff*

 * Implement binary inversion algorithm for BN_mod_inverse in addition
   to the algorithm using long division. The binary algorithm can be
   used only if the modulus is odd. On 32-bit systems, it is faster
   only for relatively small moduli (roughly 20-30% for 128-bit moduli,
   roughly 5-15% for 256-bit moduli), so we use it only for moduli
   up to 450 bits. In 64-bit environments, the binary algorithm
   appears to be advantageous for much longer moduli; here we use it
   for moduli up to 2048 bits.

   *Bodo Moeller*

 * Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
   could not support the combine flag in choice fields.

   *Steve Henson*

 * Add a 'copy_extensions' option to the 'ca' utility. This copies
   extensions from a certificate request to the certificate.

   *Steve Henson*

 * Allow multiple 'certopt' and 'nameopt' options to be separated
   by commas. Add 'nameopt' and 'certopt' options to the 'ca' config
   file: this allows the display of the certificate about to be
   signed to be customised, to allow certain fields to be included
   or excluded and extension details. The old system didn't display
   multicharacter strings properly, omitted fields not in the policy
   and couldn't display additional details such as extensions.

   *Steve Henson*

 * Function EC_POINTs_mul for multiple scalar multiplication
   of an arbitrary number of elliptic curve points
   \sum scalars[i]*points[i],
   optionally including the generator defined for the EC_GROUP:
   scalar*generator + \sum scalars[i]*points[i].

   EC_POINT_mul is a simple wrapper function for the typical case
   that the point list has just one item (besides the optional
   generator).

   *Bodo Moeller*

 * First EC_METHODs for curves over GF(p):

   EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
   operations and provides various method functions that can also
   operate with faster implementations of modular arithmetic.

   EC_GFp_mont_method() reuses most functions that are part of
   EC_GFp_simple_method, but uses Montgomery arithmetic.

   *Bodo Moeller; point addition and point doubling
   implementation directly derived from source code provided by
   Lenka Fibikova <fibikova@exp-math.uni-essen.de>*

 * Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
   crypto/ec/ec_lib.c):

   Curves are EC_GROUP objects (with an optional group generator)
   based on EC_METHODs that are built into the library.

   Points are EC_POINT objects based on EC_GROUP objects.

   Most of the framework would be able to handle curves over arbitrary
   finite fields, but as there are no obvious types for fields other
   than GF(p), some functions are limited to that for now.

   *Bodo Moeller*

 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
   that the file contains a complete HTTP response.

   *Richard Levitte*

 * Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
   change the def and num file printf format specifier from "%-40sXXX"
   to "%-39s XXX". The latter will always guarantee a space after the
   field while the former will cause them to run together if the field
   is 40 or more characters long.
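The binary inversion algorithm that the BN_mod_inverse entry earlier in this release describes, written out as an added example in C on 64-bit integers. This is not OpenSSL's BIGNUM code: `binary_mod_inverse`, `euclid_mod_inverse`, the `*_or_zero` wrappers, `inverse_methods_agree` and the sample values are all constructed for this example. It shows why the binary method needs an odd modulus (halving the coefficient modulo n only works when n is odd) and cross-checks it against the long-division (extended Euclid) method that OpenSSL uses for the other cases.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy illustration of the two BN_mod_inverse strategies on 64-bit
 * integers (constructed for this example; OpenSSL works on BIGNUMs).
 * Keep n < 2^62 so that A + n and the signed Euclid arithmetic below
 * cannot overflow. */

/* Binary inversion: only shifts, additions and subtractions, no long
 * division. Requires an ODD modulus, because halving A modulo n relies
 * on n being odd (A + n is then even whenever A is odd).
 * Returns 1 and sets *inv on success, 0 if n is even or gcd(a, n) != 1. */
int binary_mod_inverse(uint64_t a, uint64_t n, uint64_t *inv)
{
    if (n < 3 || (n & 1) == 0)
        return 0;                       /* even modulus: not supported here */
    a %= n;
    if (a == 0)
        return 0;
    /* Invariants: u == A*a (mod n) and v == C*a (mod n). */
    uint64_t u = a, v = n, A = 1, C = 0;
    while (u != 0) {
        while ((u & 1) == 0) {          /* halve u, and A modulo n */
            u >>= 1;
            A = (A & 1) ? (A + n) >> 1 : A >> 1;
        }
        while ((v & 1) == 0) {          /* halve v, and C modulo n */
            v >>= 1;
            C = (C & 1) ? (C + n) >> 1 : C >> 1;
        }
        if (u >= v) {                   /* u -= v, A -= C (mod n) */
            u -= v;
            A = (A >= C) ? A - C : A + (n - C);
        } else {                        /* v -= u, C -= A (mod n) */
            v -= u;
            C = (C >= A) ? C - A : C + (n - A);
        }
    }
    if (v != 1)
        return 0;                       /* gcd(a, n) == v != 1: no inverse */
    *inv = C;
    return 1;
}

/* Reference: extended Euclid using long division, any modulus n > 1. */
int euclid_mod_inverse(uint64_t a, uint64_t n, uint64_t *inv)
{
    if (n < 2)
        return 0;
    int64_t t = 0, newt = 1;
    uint64_t r = n, newr = a % n;
    while (newr != 0) {
        uint64_t q = r / newr;
        int64_t tmp_t = t - (int64_t)q * newt;
        t = newt; newt = tmp_t;
        uint64_t tmp_r = r - q * newr;
        r = newr; newr = tmp_r;
    }
    if (r != 1)
        return 0;
    if (t < 0)
        t += (int64_t)n;
    *inv = (uint64_t)t;
    return 1;
}

/* Convenience wrappers: the inverse, or 0 when none exists (an inverse
 * is never 0, so 0 is unambiguous). */
uint64_t binary_inverse_or_zero(uint64_t a, uint64_t n)
{
    uint64_t inv;
    return binary_mod_inverse(a, n, &inv) ? inv : 0;
}

uint64_t euclid_inverse_or_zero(uint64_t a, uint64_t n)
{
    uint64_t inv;
    return euclid_mod_inverse(a, n, &inv) ? inv : 0;
}

/* Cross-check both methods on one (a, n) with n < 2^32 so the product
 * fits in 64 bits: 1 if both succeed, agree, and a*inv == 1 (mod n). */
int inverse_methods_agree(uint64_t a, uint64_t n)
{
    uint64_t b, e;
    if (n >= (1ULL << 32))
        return 0;
    if (!binary_mod_inverse(a, n, &b) || !euclid_mod_inverse(a, n, &e))
        return 0;
    return b == e && ((a % n) * b) % n == 1;
}

int main(void)
{
    printf("10^-1 mod 17 = %llu\n", (unsigned long long)binary_inverse_or_zero(10, 17));
    printf("binary method on even modulus 16: %s\n",
           binary_inverse_or_zero(3, 16) ? "ok" : "refused");
    return 0;
}
```

OpenSSL chooses between the two methods by the bit length of the modulus (the thresholds quoted in the entry); this toy version simply refuses even moduli, leaving the caller to fall back to the Euclid routine.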

   *Steve Henson*

 * Constify the cipher and digest 'method' functions and structures
   and modify related functions to take constant EVP_MD and EVP_CIPHER
   pointers.

   *Steve Henson*

 * Hide BN_CTX structure details in bn_lcl.h instead of publishing them
   in `<openssl/bn.h>`. Also further increase BN_CTX_NUM to 32.

   *Bodo Moeller*

 * Modify `EVP_Digest*()` routines so they now return values. Although the
   internal software routines can never fail additional hardware versions
   might.

   *Steve Henson*

 * Clean up crypto/err/err.h and change some error codes to avoid conflicts:

   Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
   (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.

   ASN1 error codes
        ERR_R_NESTED_ASN1_ERROR
        ...
        ERR_R_MISSING_ASN1_EOS
   were 4 .. 9, conflicting with
        ERR_LIB_RSA (= ERR_R_RSA_LIB)
        ...
        ERR_LIB_PEM (= ERR_R_PEM_LIB).
   They are now 58 .. 63 (i.e., just below ERR_R_FATAL).

   Add new error code 'ERR_R_INTERNAL_ERROR'.

   *Bodo Moeller*

 * Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
   suffices.

   *Bodo Moeller*

 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
   sets the subject name for a new request or supersedes the
   subject name in a given request. Formats that can be parsed are
   'CN=Some Name, OU=myOU, C=IT'
   and
   'CN=Some Name/OU=myOU/C=IT'.

   Add options '-batch' and '-verbose' to 'openssl req'.

   *Massimiliano Pala <madwolf@hackmasters.net>*

 * Introduce the possibility to access global variables through
   functions on platforms where that's the best way to handle exporting
   global variables in shared libraries.
   To enable this functionality,
   one must configure with "EXPORT_VAR_AS_FN" or define the C macro
   "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
   is normally done by Configure or something similar).

   To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
   in the source file (foo.c) like this:

        OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
        OPENSSL_IMPLEMENT_GLOBAL(double,bar);

   To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
   and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:

        OPENSSL_DECLARE_GLOBAL(int,foo);
        #define foo OPENSSL_GLOBAL_REF(foo)
        OPENSSL_DECLARE_GLOBAL(double,bar);
        #define bar OPENSSL_GLOBAL_REF(bar)

   The #defines are very important, and therefore so is including the
   header file everywhere where the defined globals are used.

   The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
   of ASN.1 items, but that structure is a bit different.

   The largest change is in util/mkdef.pl which has been enhanced with
   better and easier to understand logic to choose which symbols should
   go into the Windows .def files as well as a number of fixes and code
   cleanup (among others, algorithm keywords are now sorted
   lexicographically to avoid constant rewrites).

   *Richard Levitte*

 * In BN_div() keep a copy of the sign of 'num' before writing the
   result to 'rm' because if rm==num the value will be overwritten
   and produce the wrong result if 'num' is negative: this caused
   problems with BN_mod() and BN_nnmod().

   *Steve Henson*

 * Function OCSP_request_verify(). This checks the signature on an
   OCSP request and verifies the signer certificate. The signer
   certificate is just checked for a generic purpose and OCSP request
   trust settings.
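The aliasing bug that the BN_div() entry above describes, reproduced on a toy sign-magnitude integer as an added example; this is not OpenSSL's code, and `toy_bn`, `toy_div_before_fix`, `toy_div_fixed` and `toy_nnmod` are constructed names. The point is the bug class: an output parameter (`rm`) that may alias an input (`num`), so any input property still needed after the first write must be captured beforehand. The "before" routine keeps the faulty ordering the entry describes; the "fixed" routine saves the sign first.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy sign-magnitude integer standing in for a BIGNUM (constructed for
 * this example; OpenSSL's BIGNUM separates sign and magnitude the same way). */
typedef struct {
    uint64_t mag;   /* absolute value */
    int neg;        /* 1 if the value is negative */
} toy_bn;

/* Truncating division: dv = num / d, rm = num % d, with the remainder
 * carrying the sign of num (as BN_div does). Callers may pass rm == num
 * to reduce in place, which is what BN_mod() does. */

/* Behaviour before the fix: num->neg is read only after rm has been
 * written, so with rm == num the sign has already been clobbered and a
 * negative num yields a non-negative remainder. */
int toy_div_before_fix(toy_bn *dv, toy_bn *rm, toy_bn *num, const toy_bn *d)
{
    if (d->mag == 0)
        return 0;
    uint64_t q = num->mag / d->mag;
    uint64_t r = num->mag % d->mag;
    if (dv != NULL) {
        dv->mag = q;
        dv->neg = (q != 0) && (num->neg != d->neg);
    }
    if (rm != NULL) {
        rm->mag = r;
        rm->neg = 0;                    /* overwrites num->neg when rm == num */
        if (r != 0)
            rm->neg = num->neg;         /* reads the already-clobbered sign */
    }
    return 1;
}

/* Fixed: capture the sign of num before any output is written. */
int toy_div_fixed(toy_bn *dv, toy_bn *rm, toy_bn *num, const toy_bn *d)
{
    if (d->mag == 0)
        return 0;
    int num_neg = num->neg;             /* saved copy, immune to aliasing */
    uint64_t q = num->mag / d->mag;
    uint64_t r = num->mag % d->mag;
    if (dv != NULL) {
        dv->mag = q;
        dv->neg = (q != 0) && (num_neg != d->neg);
    }
    if (rm != NULL) {
        rm->mag = r;
        rm->neg = (r != 0) && num_neg;
    }
    return 1;
}

typedef int (*toy_div_fn)(toy_bn *, toy_bn *, toy_bn *, const toy_bn *);

/* Non-negative remainder in [0, |d|), the way BN_nnmod() builds on BN_mod():
 * reduce in place (rm aliases num), then fold a negative remainder up by |d|.
 * Returns -1 on division by zero. Inputs are small constructed values. */
int64_t toy_nnmod(int64_t num, int64_t d, toy_div_fn divide)
{
    toy_bn n = { (uint64_t)(num < 0 ? -num : num), num < 0 };
    toy_bn m = { (uint64_t)(d < 0 ? -d : d), d < 0 };
    if (!divide(NULL, &n, &n, &m))      /* rm == num: the aliasing case */
        return -1;
    int64_t r = n.neg ? -(int64_t)n.mag : (int64_t)n.mag;
    if (r < 0)
        r += (int64_t)m.mag;
    return r;
}

int main(void)
{
    printf("-7 nnmod 3, before fix: %lld\n",
           (long long)toy_nnmod(-7, 3, toy_div_before_fix));
    printf("-7 nnmod 3, fixed:      %lld\n",
           (long long)toy_nnmod(-7, 3, toy_div_fixed));
    return 0;
}
```

With the pre-fix ordering, -7 nnmod 3 comes out as 1 instead of 2: the remainder lost its sign, so the fold-up step that BN_nnmod relies on never fires. Positive inputs are unaffected, which is why the defect only showed up through BN_mod() and BN_nnmod() on negative numbers.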

   *Steve Henson*

 * Add OCSP_check_validity() function to check the validity of OCSP
   responses. OCSP responses are prepared in real time and may only
   be a few seconds old. Simply checking that the current time lies
   between thisUpdate and nextUpdate may reject otherwise valid responses
   caused by either OCSP responder or client clock inaccuracy. Instead
   we allow thisUpdate and nextUpdate to fall within a certain period of
   the current time. The age of the response can also optionally be
   checked. Two new options -validity_period and -status_age added to
   ocsp utility.

   *Steve Henson*

 * If signature or public key algorithm is unrecognized print out its
   OID rather than just UNKNOWN.

   *Steve Henson*

 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
   OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
   ID to be generated from the issuer certificate alone which can then be
   passed to OCSP_id_issuer_cmp().

   *Steve Henson*

 * New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
   ASN1 modules to export functions returning ASN1_ITEM pointers
   instead of the ASN1_ITEM structures themselves. This adds several
   new macros which allow the underlying ASN1 function/structure to
   be accessed transparently. As a result code should not use ASN1_ITEM
   references directly (such as &X509_it) but instead use the relevant
   macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
   use of the new ASN1 code on platforms where exporting structures
   is problematical (for example in shared libraries) but exporting
   functions returning pointers to structures is not.

   *Steve Henson*

 * Add support for overriding the generation of SSL/TLS session IDs.
   These callbacks can be registered either in an SSL_CTX or per SSL.
   The purpose of this is to allow applications to control, if they wish,
   the arbitrary values chosen for use as session IDs, particularly as it
   can be useful for session caching in multiple-server environments. A
   command-line switch for testing this (and any client code that wishes
   to use such a feature) has been added to "s_server".

   *Geoff Thorpe, Lutz Jaenicke*

 * Modify mkdef.pl to recognise and parse preprocessor conditionals
   of the form `#if defined(...) || defined(...) || ...` and
   `#if !defined(...) && !defined(...) && ...`. This also avoids
   the growing number of special cases it was previously handling.

   *Richard Levitte*

 * Make all configuration macros available for application by making
   sure they are available in opensslconf.h, by giving them names starting
   with `OPENSSL_` to avoid conflicts with other packages and by making
   sure e_os2.h will cover all platform-specific cases together with
   opensslconf.h.
   Additionally, it is now possible to define configuration/platform-specific
   names (called "system identities"). In the C code, these
   are prefixed with `OPENSSL_SYSNAME_`. e_os2.h will create another
   macro with the name beginning with `OPENSSL_SYS_`, which is determined
   from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
   what is available.

   *Richard Levitte*

 * New option -set_serial to 'req' and 'x509': this allows the serial
   number to use to be specified on the command line. Previously self
   signed certificates were hard coded with serial number 0 and the
   CA options of 'x509' had to use a serial number in a file which was
   auto incremented.

   *Steve Henson*

 * New options to 'ca' utility to support V2 CRL entry extensions.
   Currently CRL reason, invalidity date and hold instruction are
   supported.
   Add new CRL extensions to V3 code and some new objects.

   *Steve Henson*

 * New function EVP_CIPHER_CTX_set_padding(): this is used to
   disable standard block padding (aka PKCS#5 padding) in the EVP
   API, which was previously mandatory. This means that the data is
   not padded in any way and so the total length must be a multiple
   of the block size, otherwise an error occurs.

   *Steve Henson*

 * Initial (incomplete) OCSP SSL support.

   *Steve Henson*

 * New function OCSP_parse_url(). This splits up a URL into its host,
   port and path components: primarily to parse OCSP URLs. New -url
   option to ocsp utility.

   *Steve Henson*

 * New nonce behavior. The return value of OCSP_check_nonce() now
   reflects the various checks performed. Applications can decide
   whether to tolerate certain situations such as an absent nonce
   in a response when one was present in a request: the ocsp application
   just prints out a warning. New function OCSP_add1_basic_nonce():
   this is to allow responders to include a nonce in a response even if
   the request is nonce-less.

   *Steve Henson*

 * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are
   skipped when using openssl x509 multiple times on a single input file,
   e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.

   *Bodo Moeller*

 * Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
   set string type: to handle setting ASN1_TIME structures. Fix ca
   utility to correctly initialize revocation date of CRLs.

   *Steve Henson*

 * New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
   the client's preferred ciphersuites and rather use its own preferences.
15338 Should help to work around M$ SGC (Server Gated Cryptography) bug in 15339 Internet Explorer by ensuring unchanged hash method during stepup. 15340 (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) 15341 15342 *Lutz Jaenicke* 15343 15344 * Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael 15345 to aes and add a new 'exist' option to print out symbols that don't 15346 appear to exist. 15347 15348 *Steve Henson* 15349 15350 * Additional options to ocsp utility to allow flags to be set and 15351 additional certificates supplied. 15352 15353 *Steve Henson* 15354 15355 * Add the option -VAfile to 'openssl ocsp', so the user can give the 15356 OCSP client a number of certificate to only verify the response 15357 signature against. 15358 15359 *Richard Levitte* 15360 15361 * Update Rijndael code to version 3.0 and change EVP AES ciphers to 15362 handle the new API. Currently only ECB, CBC modes supported. Add new 15363 AES OIDs. 15364 15365 Add TLS AES ciphersuites as described in RFC3268, "Advanced 15366 Encryption Standard (AES) Ciphersuites for Transport Layer 15367 Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were 15368 not enabled by default and were not part of the "ALL" ciphersuite 15369 alias because they were not yet official; they could be 15370 explicitly requested by specifying the "AESdraft" ciphersuite 15371 group alias. In the final release of OpenSSL 0.9.7, the group 15372 alias is called "AES" and is part of "ALL".) 15373 15374 *Ben Laurie, Steve Henson, Bodo Moeller* 15375 15376 * New function OCSP_copy_nonce() to copy nonce value (if present) from 15377 request to response. 15378 15379 *Steve Henson* 15380 15381 * Functions for OCSP responders. OCSP_request_onereq_count(), 15382 OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info() 15383 extract information from a certificate request. OCSP_response_create() 15384 creates a response and optionally adds a basic response structure. 
15385 OCSP_basic_add1_status() adds a complete single response to a basic 15386 response and returns the OCSP_SINGLERESP structure just added (to allow 15387 extensions to be included for example). OCSP_basic_add1_cert() adds a 15388 certificate to a basic response and OCSP_basic_sign() signs a basic 15389 response with various flags. New helper functions ASN1_TIME_check() 15390 (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime() 15391 (converts ASN1_TIME to GeneralizedTime). 15392 15393 *Steve Henson* 15394 15395 * Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() 15396 in a single operation. X509_get0_pubkey_bitstr() extracts the public_key 15397 structure from a certificate. X509_pubkey_digest() digests the public_key 15398 contents: this is used in various key identifiers. 15399 15400 *Steve Henson* 15401 15402 * Make sk_sort() tolerate a NULL argument. 15403 15404 *Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>* 15405 15406 * New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates 15407 passed by the function are trusted implicitly. If any of them signed the 15408 response then it is assumed to be valid and is not verified. 15409 15410 *Steve Henson* 15411 15412 * In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT 15413 to data. This was previously part of the PKCS7 ASN1 code. This 15414 was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. 15415 *Steve Henson, reported by Kenneth R. Robinette 15416 <support@securenetterm.com>* 15417 15418 * Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 15419 routines: without these tracing memory leaks is very painful. 15420 Fix leaks in PKCS12 and PKCS7 routines. 15421 15422 *Steve Henson* 15423 15424 * Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). 
15425 Previously it initialised the 'type' argument to V_ASN1_UTCTIME which 15426 effectively meant GeneralizedTime would never be used. Now it 15427 is initialised to -1 but X509_time_adj() now has to check the value 15428 and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or 15429 V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime. 15430 *Steve Henson, reported by Kenneth R. Robinette 15431 <support@securenetterm.com>* 15432 15433 * Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously 15434 result in a zero length in the ASN1_INTEGER structure which was 15435 not consistent with the structure when d2i_ASN1_INTEGER() was used 15436 and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() 15437 to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() 15438 where it did not print out a minus for negative ASN1_INTEGER. 15439 15440 *Steve Henson* 15441 15442 * Add summary printout to ocsp utility. The various functions which 15443 convert status values to strings have been renamed to: 15444 OCSP_response_status_str(), OCSP_cert_status_str() and 15445 OCSP_crl_reason_str() and are no longer static. New options 15446 to verify nonce values and to disable verification. OCSP response 15447 printout format cleaned up. 15448 15449 *Steve Henson* 15450 15451 * Add additional OCSP certificate checks. These are those specified 15452 in RFC2560. This consists of two separate checks: the CA of the 15453 certificate being checked must either be the OCSP signer certificate 15454 or the issuer of the OCSP signer certificate. In the latter case the 15455 OCSP signer certificate must contain the OCSP signing extended key 15456 usage. This check is performed by attempting to match the OCSP 15457 signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash 15458 in the OCSP_CERTID structures of the response. 
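The BN_to_ASN1_INTEGER and i2a_ASN1_INTEGER fixes above come down to how the content octets of a DER INTEGER are formed: minimal big-endian two's complement, with zero encoded as a single 0x00 octet rather than as empty content. The following is an added example, not OpenSSL code: a self-contained encoder and decoder over `int64_t` values (the function names `der_int_encode`, `der_int_decode` and the small probes are this example's own, and the rule is applied to machine integers rather than BIGNUMs). It shows the minimal-encoding rule for positive, negative and zero values, and that an empty encoding cannot round-trip and is rejected on decode.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Encode a signed 64-bit value as the content octets of a DER INTEGER
 * (X.690 8.3): big-endian two's complement with redundant leading octets
 * removed.  Zero encodes as the single octet 0x00; a zero-length content
 * is never produced.  Returns the octet count (1..8), or 0 if `out` is
 * too small.
 */
size_t der_int_encode(int64_t v, uint8_t *out, size_t outlen)
{
    uint8_t be[8];
    uint64_t u = (uint64_t)v;
    size_t start = 0, n;

    for (int i = 7; i >= 0; i--) {
        be[i] = (uint8_t)(u & 0xff);
        u >>= 8;
    }
    /* A leading 0x00 followed by a clear top bit, or a leading 0xff followed
     * by a set top bit, carries no information and must be dropped. */
    while (start < 7) {
        int next_top = be[start + 1] & 0x80;
        if ((be[start] == 0x00 && !next_top) || (be[start] == 0xff && next_top))
            start++;
        else
            break;
    }
    n = 8 - start;
    if (n > outlen)
        return 0;
    memcpy(out, be + start, n);
    return n;
}

/*
 * Decode DER INTEGER content octets into an int64.  Returns 0 on success,
 * -1 for malformed input: empty content, more than 8 octets, or a
 * non-minimal encoding (forbidden by DER).
 */
int der_int_decode(const uint8_t *in, size_t n, int64_t *v)
{
    uint64_t u;

    if (n == 0 || n > 8)
        return -1;
    if (n > 1) {
        int next_top = in[1] & 0x80;
        if ((in[0] == 0x00 && !next_top) || (in[0] == 0xff && next_top))
            return -1;
    }
    /* Sign-extend from the first octet, then shift the content in. */
    u = (in[0] & 0x80) ? ~(uint64_t)0 : 0;
    for (size_t i = 0; i < n; i++)
        u = (u << 8) | in[i];
    *v = (int64_t)u;
    return 0;
}

/* Probes used by the self-test. */
size_t der_int_len(int64_t v)
{
    uint8_t b[8];
    return der_int_encode(v, b, sizeof b);
}

int der_int_first_octet(int64_t v)
{
    uint8_t b[8];
    return der_int_encode(v, b, sizeof b) ? b[0] : -1;
}

/* 1 if encode followed by decode yields the original value. */
int der_int_roundtrip_ok(int64_t v)
{
    uint8_t b[8];
    int64_t w;
    size_t n = der_int_encode(v, b, sizeof b);
    return n != 0 && der_int_decode(b, n, &w) == 0 && w == v;
}

int main(void)
{
    const int64_t samples[] = { 0, 127, 128, 255, -1, -128, -129 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t b[8];
        size_t n = der_int_encode(samples[i], b, sizeof b);
        printf("%6lld ->", (long long)samples[i]);
        for (size_t j = 0; j < n; j++)
            printf(" %02x", b[j]);
        printf("\n");
    }
    return 0;
}
```

The decoder refuses the empty encoding outright; an ASN1_INTEGER_cmp()-style comparison that works on values can only be consistent with d2i if both sides agree that zero is `00`, never nothing.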

   *Steve Henson*

 * Initial OCSP certificate verification added to OCSP_basic_verify()
   and related routines. This uses the standard OpenSSL certificate
   verify routines to perform initial checks (just CA validity) and
   to obtain the certificate chain. Then additional checks will be
   performed on the chain. Currently the root CA is checked to see
   if it is explicitly trusted for OCSP signing. This is used to set
   a root CA as a global signing root: that is, any certificate that
   chains to that CA is an acceptable OCSP signing certificate.

   *Steve Henson*

 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
   extensions from a separate configuration file.
   As when reading extensions from the main configuration file,
   the '-extensions ...' option may be used for specifying the
   section to use.

   *Massimiliano Pala <madwolf@comune.modena.it>*

 * New OCSP utility. Allows OCSP requests to be generated or
   read. The request can be sent to a responder and the output
   parsed, output or printed in text form. Not complete yet:
   still needs to check the OCSP response validity.

   *Steve Henson*

 * New subcommands for 'openssl ca':
   `openssl ca -status <serial>` prints the status of the cert with
   the given serial number (according to the index file).
   `openssl ca -updatedb` updates the expiry status of certificates
   in the index file.

   *Massimiliano Pala <madwolf@comune.modena.it>*

 * New '-newreq-nodes' command option to CA.pl. This is like
   '-newreq', but calls 'openssl req' with the '-nodes' option
   so that the resulting key is not encrypted.

   *Damien Miller <djm@mindrot.org>*

 * New configuration for the GNU Hurd.

   *Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte*

 * Initial code to implement OCSP basic response verify. This
   is currently incomplete. Currently just finds the signer's
   certificate and verifies the signature on the response.

   *Steve Henson*

 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
   value of OPENSSLDIR. This is available via the new '-d' option
   to 'openssl version', and is also included in 'openssl version -a'.

   *Bodo Moeller*

 * Allow defining memory allocation callbacks that will be given
   file name and line number information in additional arguments
   (a `const char*` and an int). The basic functionality remains, as
   well as the original possibility to just replace malloc(),
   realloc() and free() by functions that do not know about these
   additional arguments. To register and find out the current
   settings for extended allocation functions, the following
   functions are provided:

        CRYPTO_set_mem_ex_functions
        CRYPTO_set_locked_mem_ex_functions
        CRYPTO_get_mem_ex_functions
        CRYPTO_get_locked_mem_ex_functions

   These work the same way as CRYPTO_set_mem_functions and friends.
   `CRYPTO_get_[locked_]mem_functions` now writes 0 where such an
   extended allocation function is enabled.
   Similarly, `CRYPTO_get_[locked_]mem_ex_functions` writes 0 where
   a conventional allocation function is enabled.

   *Richard Levitte, Bodo Moeller*

 * Finish off removing the remaining LHASH function pointer casts.
   There should no longer be any prototype-casting required when using
   the LHASH abstraction, and any casts that remain are "bugs". See
   the callback types and macros at the head of lhash.h for details
   (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
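The LHASH entry above (and the earlier one introducing prototyped callbacks) describes thin, macro-generated wrappers that let type-specific hash and compare functions be registered without any function-pointer cast. The following is an added example, not OpenSSL's lhash.h: the macro names `IMPLEMENT_HASH_FN`, `IMPLEMENT_COMP_FN`, `HASH_FN` and `COMP_FN`, the chained table and the `obj_name` type are this example's own, modelled on the IMPLEMENT_LHASH_* macros, and the table contents in `lookup_nid` are constructed sample data.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* The table itself only knows about void pointers. */
typedef unsigned long (*lh_hash_fn)(const void *);
typedef int (*lh_compare_fn)(const void *, const void *);

/*
 * Generate a thin static wrapper around a callback written against a real
 * type.  The wrapper is what gets registered, so no function-pointer cast
 * appears anywhere; the only conversion is void* -> T*, which C performs
 * implicitly.  (Modelled on IMPLEMENT_LHASH_HASH_FN / IMPLEMENT_LHASH_COMP_FN;
 * the names here are this example's own.)
 */
#define IMPLEMENT_HASH_FN(name, type)                         \
    static unsigned long name##_hash_thunk(const void *arg)   \
    {                                                         \
        const type *p = arg;                                  \
        return name##_hash(p);                                \
    }
#define IMPLEMENT_COMP_FN(name, type)                         \
    static int name##_cmp_thunk(const void *a, const void *b) \
    {                                                         \
        const type *pa = a, *pb = b;                          \
        return name##_cmp(pa, pb);                            \
    }
#define HASH_FN(name) name##_hash_thunk
#define COMP_FN(name) name##_cmp_thunk

/* A minimal separately-chained hash table. */
#define NBUCKETS 16
struct lh_node { const void *data; struct lh_node *next; };
struct lh_table { lh_hash_fn hash; lh_compare_fn cmp; struct lh_node *bucket[NBUCKETS]; };

static void lh_init(struct lh_table *t, lh_hash_fn h, lh_compare_fn c)
{
    memset(t, 0, sizeof *t);
    t->hash = h;
    t->cmp = c;
}

static int lh_insert(struct lh_table *t, const void *data)
{
    unsigned long i = t->hash(data) % NBUCKETS;
    struct lh_node *n = malloc(sizeof *n);
    if (n == NULL)
        return 0;
    n->data = data;
    n->next = t->bucket[i];
    t->bucket[i] = n;
    return 1;
}

static const void *lh_retrieve(const struct lh_table *t, const void *key)
{
    for (const struct lh_node *n = t->bucket[t->hash(key) % NBUCKETS]; n; n = n->next)
        if (t->cmp(n->data, key) == 0)
            return n->data;
    return NULL;
}

static void lh_free(struct lh_table *t)
{
    for (size_t i = 0; i < NBUCKETS; i++)
        while (t->bucket[i]) {
            struct lh_node *n = t->bucket[i];
            t->bucket[i] = n->next;
            free(n);
        }
}

/* Application side: callbacks written against the real type, no casts. */
struct obj_name { const char *name; int nid; };

static unsigned long obj_name_hash(const struct obj_name *o)
{
    unsigned long h = 5381;
    for (const char *p = o->name; *p; p++)
        h = h * 33 + (unsigned char)*p;
    return h;
}

static int obj_name_cmp(const struct obj_name *a, const struct obj_name *b)
{
    return strcmp(a->name, b->name);
}

IMPLEMENT_HASH_FN(obj_name, struct obj_name)
IMPLEMENT_COMP_FN(obj_name, struct obj_name)

/* Look a name up in a small constructed table; returns -1 if absent. */
int lookup_nid(const char *name)
{
    static const struct obj_name objs[] = {
        { "commonName", 13 }, { "rsaEncryption", 6 }, { "sha1", 64 },
    };
    struct lh_table t;
    struct obj_name key = { name, 0 };
    const struct obj_name *hit;
    int nid = -1;

    lh_init(&t, HASH_FN(obj_name), COMP_FN(obj_name));
    for (size_t i = 0; i < sizeof objs / sizeof objs[0]; i++)
        lh_insert(&t, &objs[i]);
    hit = lh_retrieve(&t, &key);
    if (hit != NULL)
        nid = hit->nid;
    lh_free(&t);
    return nid;
}
```

Because `obj_name_hash` and `obj_name_cmp` take `const struct obj_name *`, the compiler checks their signatures; a mismatch fails to compile instead of being hidden behind a cast.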

   *Geoff Thorpe*

 * Add automatic query of EGD sockets in RAND_poll() for the unix variant.
   If /dev/[u]random devices are not available or do not return enough
   entropy, EGD style sockets (served by EGD or PRNGD) will automatically
   be queried.
   The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
   /etc/entropy will be queried once each in this sequence; querying stops
   when enough entropy has been collected without querying more sockets.

   *Lutz Jaenicke*

 * Change the Unix RAND_poll() variant to be able to poll several
   random devices, as specified by DEVRANDOM, until a sufficient amount
   of data has been collected. We spend at most 10 ms on each file
   (select timeout) and read in non-blocking mode. DEVRANDOM now
   defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
   (previously it was just the string "/dev/urandom"), so on typical
   platforms the 10 ms delay will never occur.
   Also separate out the Unix variant to its own file, rand_unix.c.
   For VMS, there's a currently-empty rand_vms.c.

   *Richard Levitte*

 * Move OCSP client related routines to ocsp_cl.c. These
   provide utility functions which an application needing
   to issue a request to an OCSP responder and analyse the
   response will typically need: as opposed to those which an
   OCSP responder itself would need, which will be added later.

   OCSP_request_sign() signs an OCSP request with an API similar
   to PKCS7_sign(). OCSP_response_status() returns status of OCSP
   response. OCSP_response_get1_basic() extracts basic response
   from response. OCSP_resp_find_status() finds and extracts status
   information from an OCSP_CERTID structure (which will be created
   when the request structure is built). These are built from lower
   level functions which work on OCSP_SINGLERESP structures but
   won't normally be used unless the application wishes to examine
   extensions in the OCSP response, for example.

   Replace nonce routines with a pair of functions.
   OCSP_request_add1_nonce() adds a nonce value and optionally
   generates a random value. OCSP_check_nonce() checks the
   validity of the nonce in an OCSP response.

   *Steve Henson*

 * Change function OCSP_request_add() to OCSP_request_add0_id().
   This doesn't copy the supplied OCSP_CERTID and avoids the
   need to free up the newly created id. Change return type
   to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
   This can then be used to add extensions to the request.
   Deleted OCSP_request_new(), since most of its functionality
   is now in OCSP_REQUEST_new() (and the case insensitive name
   clash) apart from the ability to set the request name which
   will be added elsewhere.

   *Steve Henson*

 * Update OCSP API. Remove obsolete extensions argument from
   various functions. Extensions are now handled using the new
   OCSP extension code. New simple OCSP HTTP function which
   can be used to send requests and parse the response.

   *Steve Henson*

 * Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
   ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
   uses the special reorder version of SET OF to sort the attributes
   and reorder them to match the encoded order. This resolves a long
   standing problem: a verify on a PKCS7 structure just after signing
   it used to fail because the attribute order did not match the
   encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
   it uses the received order. This is necessary to tolerate some broken
   software that does not order SET OF. This is handled by encoding
   as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
   to produce the required SET OF.

   *Steve Henson*

 * Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
   OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
   files to get correct declarations of the ASN.1 item variables.

   *Richard Levitte*

 * Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
   PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
   asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
   NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
   New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
   ASN1_ITEM and no wrapper functions.

   *Steve Henson*

 * New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
   replace the old function pointer based I/O routines. Change most of
   the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.

   *Steve Henson*

 * Enhance mkdef.pl to be more accepting about spacing in C preprocessor
   lines, recognize more "algorithms" that can be deselected, and make
   it complain about algorithm deselection that isn't recognised.

   *Richard Levitte*

 * New ASN1 functions to handle dup, sign, verify, digest, pack and
   unpack operations in terms of ASN1_ITEM. Modify existing wrappers
   to use new functions. Add NO_ASN1_OLD which can be set to remove
   some old style ASN1 functions: this can be used to determine if old
   code will still work when these eventually go away.

   *Steve Henson*

 * New extension functions for OCSP structures; these follow the
   same conventions as certificates and CRLs.

   *Steve Henson*

 * New function X509V3_add1_i2d(). This automatically encodes and
   adds an extension. Its behaviour can be customised with various
   flags to append, replace or delete. Various wrappers added for
   certificates and CRLs.

   *Steve Henson*

 * Fix to avoid calling the underlying ASN1 print routine when
   an extension cannot be parsed. Correct a typo in the
   OCSP_SERVICELOC extension. Tidy up print OCSP format.

   *Steve Henson*

 * Make mkdef.pl parse some of the ASN1 macros and add appropriate
   entries for variables.

   *Steve Henson*

 * Add functionality to `apps/openssl.c` for detecting locking
   problems: As the program is single-threaded, all we have
   to do is register a locking callback using an array for
   storing which locks are currently held by the program.

   *Bodo Moeller*

 * Use a lock around the call to CRYPTO_get_ex_new_index() in
   SSL_get_ex_data_X509_STORE_idx(), which is used in
   ssl_verify_cert_chain() and thus can be called at any time
   during TLS/SSL handshakes, so that thread-safety is essential.
   Unfortunately, the ex_data design is not at all suited
   for multi-threaded use, so it probably should be abolished.

   *Bodo Moeller*

 * Added Broadcom "ubsec" ENGINE to OpenSSL.

   *Broadcom, tweaked and integrated by Geoff Thorpe*

 * Move common extension printing code to new function
   X509V3_print_extensions(). Reorganise OCSP print routines and
   implement some needed OCSP ASN1 functions. Add OCSP extensions.

   *Steve Henson*

 * New function X509_signature_print() to remove duplication in some
   print routines.

   *Steve Henson*

 * Add a special meaning when SET OF and SEQUENCE OF flags are both
   set (this was treated exactly the same as SET OF previously). This
   is used to reorder the STACK representing the structure to match the
   encoding. This will be used to get round a problem where a PKCS7
   structure which was signed could not be verified because the STACK
   order did not reflect the encoded order.

   *Steve Henson*

 * Reimplement the OCSP ASN1 module using the new code.

   *Steve Henson*

 * Update the X509V3 code to permit the use of an ASN1_ITEM structure
   for its ASN1 operations. The old style function pointers still exist
   for now but they will eventually go away.

   *Steve Henson*

 * Merge in replacement ASN1 code from the ASN1 branch. This almost
   completely replaces the old ASN1 functionality with a table driven
   encoder and decoder which interprets an ASN1_ITEM structure describing
   the ASN1 module. Compatibility with the existing ASN1 API (i2d, d2i) is
   largely maintained. Almost all of the old asn1_mac.h macro based ASN1
   has also been converted to the new form.

   *Steve Henson*

 * Change BN_mod_exp_recp so that negative moduli are tolerated
   (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
   so that BN_mod_exp_mont and BN_mod_exp_mont_word work
   for negative moduli.

   *Bodo Moeller*

 * Fix BN_uadd and BN_usub: Always return non-negative results instead
   of not touching the result's sign bit.

   *Bodo Moeller*

 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
   set.

   *Bodo Moeller*

 * Changed the LHASH code to use prototypes for callbacks, and created
   macros to declare and implement thin (optionally static) functions
   that provide type-safety and avoid function pointer casting for the
   type-specific callbacks.

   *Geoff Thorpe*

 * Added Kerberos Cipher Suites to be used with TLS, as written in
   RFC 2712.
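Two entries above turn on the same point: the PKCS7_ATTR_SIGN entry (signing must sort the attribute SET OF into encoded order, while verification must accept the order actually received) and the entry giving SET OF plus SEQUENCE OF a combined meaning (reorder the STACK to match the encoding). The following is an added example, not OpenSSL's ASN1 code: it implements the DER ordering rule for SET OF members (X.690 11.6) over pre-encoded elements, and the sample attribute encodings `ATTR_A`, `ATTR_B` and `ATTR_C`, along with the helper names, are this example's own constructed data. It shows why the bytes a signature covers change once the members are sorted, and that the sorted order is canonical whatever order the members arrived in.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* One already-encoded SET OF member (e.g. a PKCS#7 Attribute). */
struct der_elem { const uint8_t *enc; size_t len; };

/*
 * DER ordering for SET OF (X.690 11.6): members sort by their complete
 * encodings compared as octet strings, the shorter one being treated as
 * padded with 0x00 octets at the end.
 */
int der_set_of_cmp(const void *pa, const void *pb)
{
    const struct der_elem *a = pa, *b = pb;
    size_t n = a->len > b->len ? a->len : b->len;
    for (size_t i = 0; i < n; i++) {
        int ca = i < a->len ? a->enc[i] : 0;
        int cb = i < b->len ? b->enc[i] : 0;
        if (ca != cb)
            return ca - cb;
    }
    return 0;
}

void der_set_of_sort(struct der_elem *e, size_t n)
{
    qsort(e, n, sizeof *e, der_set_of_cmp);
}

/* Concatenate the members in their current order: these are the bytes a
 * signature over the SET OF covers.  Returns the count, 0 if `out` is
 * too small. */
size_t der_set_of_concat(const struct der_elem *e, size_t n, uint8_t *out, size_t outlen)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (e[i].len > outlen - used)
            return 0;
        memcpy(out + used, e[i].enc, e[i].len);
        used += e[i].len;
    }
    return used;
}

/* Constructed sample attributes in the order a signer that does not sort
 * SET OF might emit them.  Each is SEQUENCE { OBJECT IDENTIFIER } with a
 * made-up arc; only the bytes matter for the ordering. */
static const uint8_t ATTR_A[] = { 0x30, 0x05, 0x06, 0x03, 0x2a, 0x03, 0x04 };
static const uint8_t ATTR_B[] = { 0x30, 0x04, 0x06, 0x02, 0x2a, 0x03 };
static const uint8_t ATTR_C[] = { 0x30, 0x05, 0x06, 0x03, 0x2a, 0x03, 0x01 };

static void load_received(struct der_elem e[3])
{
    e[0] = (struct der_elem){ ATTR_A, sizeof ATTR_A };
    e[1] = (struct der_elem){ ATTR_B, sizeof ATTR_B };
    e[2] = (struct der_elem){ ATTR_C, sizeof ATTR_C };
}

/* Which sample (0 = A, 1 = B, 2 = C) sits at position `pos` after sorting. */
int der_sorted_sample_at(size_t pos)
{
    struct der_elem e[3];
    load_received(e);
    der_set_of_sort(e, 3);
    return e[pos].enc == ATTR_A ? 0 : e[pos].enc == ATTR_B ? 1 : 2;
}

/* 1 if the bytes a signature covers differ between received order and DER
 * order: the reason a verify straight after signing used to fail. */
int der_order_changes_signed_bytes(void)
{
    struct der_elem e[3];
    uint8_t recv[32], canon[32];
    size_t n1, n2;
    load_received(e);
    n1 = der_set_of_concat(e, 3, recv, sizeof recv);
    der_set_of_sort(e, 3);
    n2 = der_set_of_concat(e, 3, canon, sizeof canon);
    return n1 != n2 || memcmp(recv, canon, n1) != 0;
}

/* 1 if two different arrival orders sort to identical bytes, i.e. DER
 * order is canonical and any party can recompute it. */
int der_sort_is_canonical(void)
{
    struct der_elem e1[3], e2[3], tmp;
    uint8_t b1[32], b2[32];
    size_t n1, n2;
    load_received(e1);
    load_received(e2);
    tmp = e2[0]; e2[0] = e2[2]; e2[2] = tmp;   /* a different arrival order */
    der_set_of_sort(e1, 3);
    der_set_of_sort(e2, 3);
    n1 = der_set_of_concat(e1, 3, b1, sizeof b1);
    n2 = der_set_of_concat(e2, 3, b2, sizeof b2);
    return n1 == n2 && memcmp(b1, b2, n1) == 0;
}
```

A verifier that re-sorted received attributes before hashing would reject signatures from software that never sorted them, which is why the entry keeps the received order on the verify path and sorts only when signing.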

   *Veers Staats <staatsvr@asc.hpc.mil>,
   Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte*

 * Reformat the FAQ so the different questions and answers can be divided
   into sections depending on the subject.

   *Richard Levitte*

 * Have the zlib compression code load ZLIB.DLL dynamically under
   Windows.

   *Richard Levitte*

 * New function BN_mod_sqrt for computing square roots modulo a prime
   (using the probabilistic Tonelli-Shanks algorithm unless
   p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
   be handled deterministically).

   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*

 * Make BN_mod_inverse faster by explicitly handling small quotients
   in the Euclid loop. (Speed gain about 20% for small moduli [256 or
   512 bits], about 30% for larger ones [1024 or 2048 bits].)

   *Bodo Moeller*

 * New function BN_kronecker.

   *Bodo Moeller*

 * Fix BN_gcd so that it works on negative inputs; the result is
   positive unless both parameters are zero.
   Previously something reasonably close to an infinite loop was
   possible because numbers could be growing instead of shrinking
   in the implementation of Euclid's algorithm.

   *Bodo Moeller*

 * Fix BN_is_word() and BN_is_one() macros to take into account the
   sign of the number in question.

   Fix BN_is_word(a,w) to work correctly for w == 0.

   The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
   because it tests whether the absolute value of 'a' equals 'w'.
   Note that BN_abs_is_word does *not* handle w == 0 reliably;
   it exists mostly for use in the implementations of BN_is_zero(),
   BN_is_one(), and BN_is_word().

   *Bodo Moeller*

 * New function BN_swap.

   *Bodo Moeller*

 * Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
   the exponentiation functions are more likely to produce reasonable
   results on negative inputs.

   *Bodo Moeller*

 * Change BN_mod_mul so that the result is always non-negative.
   Previously, it could be negative if one of the factors was negative;
   I don't think anyone really wanted that behaviour.

   *Bodo Moeller*

 * Move `BN_mod_...` functions into new file `crypto/bn/bn_mod.c`
   (except for exponentiation, which stays in `crypto/bn/bn_exp.c`,
   and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
   and add new functions:

        BN_nnmod
        BN_mod_sqr
        BN_mod_add
        BN_mod_add_quick
        BN_mod_sub
        BN_mod_sub_quick
        BN_mod_lshift1
        BN_mod_lshift1_quick
        BN_mod_lshift
        BN_mod_lshift_quick

   These functions always generate non-negative results.

   `BN_nnmod` is otherwise like `BN_mod` (if `BN_mod` computes a remainder `r`
   such that `-|m| < r < 0`, `BN_nnmod` will output `r + |m|` instead).

   `BN_mod_XXX_quick(r, a, [b,] m)` generates the same result as
   `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and `b`]
   be reduced modulo `m`.

   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*

<!--
   The following entry accidentally appeared in the CHANGES file
   distributed with OpenSSL 0.9.7. The modifications described in
   it do *not* apply to OpenSSL 0.9.7.

 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   was actually never needed) and in BN_mul(). The removal in BN_mul()
   required a small change in bn_mul_part_recursive() and the addition
   of the functions bn_cmp_part_words(), bn_sub_part_words() and
   bn_add_part_words(), which do the same thing as bn_cmp_words(),
   bn_sub_words() and bn_add_words() except they take arrays with
   differing sizes.

   *Richard Levitte*
-->

 * In 'openssl passwd', verify passwords read from the terminal
   unless the '-salt' option is used (which usually means that
   verification would just waste the user's time since the resulting
   hash is going to be compared with some given password hash)
   or the new '-noverify' option is used.

   This is an incompatible change, but it does not affect
   non-interactive use of 'openssl passwd' (passwords on the command
   line, '-stdin' option, '-in ...' option) and thus should not
   cause any problems.

   *Bodo Moeller*

 * Remove all references to RSAref, since there's no more need for it.

   *Richard Levitte*

 * Make DSO load along a path given through an environment variable
   (SHLIB_PATH) with shl_load().

   *Richard Levitte*

 * Constify the ENGINE code as a result of BIGNUM constification.
   Also constify the RSA code and most things related to it. In a
   few places, most notably in the depths of the ASN.1 code, ugly
   casts back to non-const were required (to be solved at a later
   time).

   *Richard Levitte*

 * Make it so the openssl application has all engines loaded by default.

   *Richard Levitte*

 * Constify the BIGNUM routines a little more.

   *Richard Levitte*

 * Add the following functions:

        ENGINE_load_cswift()
        ENGINE_load_chil()
        ENGINE_load_atalla()
        ENGINE_load_nuron()
        ENGINE_load_builtin_engines()

   That way, an application can itself choose if external engines that
   are built-in in OpenSSL shall ever be used or not. The benefit is
   that applications won't have to be linked with libdl or other dso
   libraries unless it's really needed.

   Changed 'openssl engine' to load all engines on demand.
   Changed the engine header files to avoid the duplication of some
   declarations (they differed!).

   *Richard Levitte*

 * 'openssl engine' can now list capabilities.

   *Richard Levitte*

 * Better error reporting in 'openssl engine'.

   *Richard Levitte*

 * Never call load_dh_param(NULL) in s_server.

   *Bodo Moeller*

 * Add engine application. It can currently list engines by name and
   identity, and test if they are actually available.

   *Richard Levitte*

 * Improve RPM specification file by forcing symbolic linking and making
   sure the installed documentation is also owned by root.root.

   *Damien Miller <djm@mindrot.org>*

 * Give the OpenSSL applications more possibilities to make use of
   keys (public as well as private) handled by engines.

   *Richard Levitte*

 * Add OCSP code that comes from CertCo.

   *Richard Levitte*

 * Add VMS support for the Rijndael code.

   *Richard Levitte*

 * Added untested support for Nuron crypto accelerator.

   *Ben Laurie*

 * Add support for external cryptographic devices. This code was
   previously distributed separately as the "engine" branch.

   *Geoff Thorpe, Richard Levitte*

 * Rework the filename-translation in the DSO code. It is now possible to
   have far greater control over how a "name" is turned into a filename
   depending on the operating environment and any oddities about the
   different shared library filenames on each system.

   *Geoff Thorpe*

 * Support threads on FreeBSD-elf in Configure.

   *Richard Levitte*

 * Fix for SHA1 assembly problem with MASM: it produces
   warnings about corrupt line number information when assembling
   with debugging information. This is caused by the overlapping
   of two sections.

   *Bernd Matthes <mainbug@celocom.de>, Steve Henson*

 * NCONF changes.
   NCONF_get_number() has no error checking at all. As a replacement,
   NCONF_get_number_e() is defined (`_e` for "error checking") and is
   promoted strongly. The old NCONF_get_number is kept around for
   binary backward compatibility.
   Make it possible for methods to load from something other than a BIO,
   by providing a function pointer that is given a name instead of a BIO.
   For example, this could be used to load configuration data from an
   LDAP server.

   *Richard Levitte*

 * Fix for non blocking accept BIOs. Added new I/O special reason
   BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
   with non blocking I/O was not possible because no retry code was
   implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
   this case.

   *Steve Henson*

 * Added the beginnings of Rijndael support.

   *Ben Laurie*

 * Fix for bug in DirectoryString mask setting. Add support for
   X509_NAME_print_ex() in 'req' and X509_print_ex() function
   to allow certificate printing to be more controllable; additional
   'certopt' option to 'x509' to allow new printing options to be
   set.

   *Steve Henson*

 * Clean old EAY MD5 hack from e_os.h.

   *Richard Levitte*

### Changes between 0.9.6l and 0.9.6m [17 Mar 2004]

 * Fix null-pointer assignment in do_change_cipher_spec() revealed
   by using the Codenomicon TLS Test Tool ([CVE-2004-0079])

   *Joe Orton, Steve Henson*

### Changes between 0.9.6k and 0.9.6l [04 Nov 2003]

 * Fix additional bug revealed by the NISCC test suite:

   Stop bug triggering large recursion when presented with
   certain ASN.1 tags ([CVE-2003-0851])

   *Steve Henson*

### Changes between 0.9.6j and 0.9.6k [30 Sep 2003]

 * Fix various bugs revealed by running the NISCC test suite:

   Stop out of bounds reads in the ASN1 code when presented with
   invalid tags (CVE-2003-0543 and CVE-2003-0544).

   If verify callback ignores invalid public key errors don't try to check
   certificate signature with the NULL public key.

   *Steve Henson*

 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   if the server requested one: as stated in TLS 1.0 and SSL 3.0
   specifications.

   *Steve Henson*

 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   extra data after the compression methods not only for TLS 1.0
   but also for SSL 3.0 (as required by the specification).

   *Bodo Moeller; problem pointed out by Matthias Loepfe*

 * Change X509_certificate_type() to mark the key as exported/exportable
   when it's 512 *bits* long, not 512 bytes.

   *Richard Levitte*

### Changes between 0.9.6i and 0.9.6j [10 Apr 2003]

 * Countermeasure against the Klima-Pokorny-Rosa extension of
   Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
   a protocol version number mismatch like a decryption error
   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
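The 0.9.6j countermeasure above rests on one rule: after RSA-decrypting the ClientKeyExchange, a wrong protocol version inside the premaster must be indistinguishable, to the peer, from a padding failure. The usual way to do that is to generate a random premaster before decrypting and then select between the decrypted value and the random one without a data-dependent branch, so that both failure causes leave the handshake to fail identically at Finished. The following is an added example, not the code in ssl/s3_srvr.c: `ct_mask_eq`, `select_premaster` and the self-test `premaster_choice` are this example's own names, and the byte patterns in the self-test are constructed stand-ins for decrypted and random bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PMS_LEN 48

/* 0xff if a == b, 0x00 otherwise, computed without a data-dependent branch. */
static uint8_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;              /* zero iff equal */
    x = (x | (0u - x)) >> 31;        /* 1 iff x != 0 */
    return (uint8_t)(x - 1);         /* 0xff iff equal */
}

/*
 * Choose the premaster secret the server continues the handshake with.
 *
 *   decrypted      48 bytes from the RSA decryption; contents unspecified
 *                  when decrypt_ok == 0, but the buffer always exists
 *   decrypt_ok     1 if PKCS#1 v1.5 unpadding succeeded, 0 otherwise
 *   client_version version the client offered in ClientHello, which the
 *                  first two premaster bytes must equal
 *   fallback       48 random bytes drawn *before* the decryption
 *   out            receives `decrypted` only if both checks passed,
 *                  otherwise `fallback`
 *
 * A version mismatch and a padding failure both yield the random premaster,
 * so the handshake fails later at Finished in the same way for either cause.
 */
void select_premaster(const uint8_t decrypted[PMS_LEN], int decrypt_ok,
                      uint16_t client_version, const uint8_t fallback[PMS_LEN],
                      uint8_t out[PMS_LEN])
{
    uint16_t got = (uint16_t)((decrypted[0] << 8) | decrypted[1]);
    uint8_t keep = ct_mask_eq(got, client_version)
                 & ct_mask_eq((uint32_t)decrypt_ok, 1u);

    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((decrypted[i] & keep) | (fallback[i] & (uint8_t)~keep));
}

/*
 * Self-test with constructed inputs.  Returns 1 when the output is the
 * decrypted buffer, 2 when it is the fallback, 0 if it is neither (which
 * would mean the selection mixed the two).
 */
int premaster_choice(int decrypt_ok, uint16_t version_in_pms, uint16_t client_version)
{
    uint8_t dec[PMS_LEN], fb[PMS_LEN], out[PMS_LEN];

    memset(dec, 0xaa, PMS_LEN);                  /* stand-in for decrypted bytes */
    dec[0] = (uint8_t)(version_in_pms >> 8);
    dec[1] = (uint8_t)(version_in_pms & 0xff);
    memset(fb, 0x55, PMS_LEN);                   /* stand-in for fresh random bytes */

    select_premaster(dec, decrypt_ok, client_version, fb, out);
    if (memcmp(out, dec, PMS_LEN) == 0)
        return 1;
    if (memcmp(out, fb, PMS_LEN) == 0)
        return 2;
    return 0;
}
```

The mask is built from both conditions before any byte is copied, so the work done is the same on every path; what remains observable is only the later Finished failure, which is identical for the two causes.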
16085 16086 *Bodo Moeller* 16087 16088 * Turn on RSA blinding by default in the default implementation 16089 to avoid a timing attack. Applications that don't want it can call 16090 RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. 16091 They would be ill-advised to do so in most cases. 16092 16093 *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller* 16094 16095 * Change RSA blinding code so that it works when the PRNG is not 16096 seeded (in this case, the secret RSA exponent is abused as 16097 an unpredictable seed -- if it is not unpredictable, there 16098 is no point in blinding anyway). Make RSA blinding thread-safe 16099 by remembering the creator's thread ID in rsa->blinding and 16100 having all other threads use local one-time blinding factors 16101 (this requires more computation than sharing rsa->blinding, but 16102 avoids excessive locking; and if an RSA object is not shared 16103 between threads, blinding will still be very fast). 16104 16105 *Bodo Moeller* 16106 16107### Changes between 0.9.6h and 0.9.6i [19 Feb 2003] 16108 16109 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked 16110 via timing by performing a MAC computation even if incorrect 16111 block cipher padding has been found. This is a countermeasure 16112 against active attacks where the attacker has to distinguish 16113 between bad padding and a MAC verification error. ([CVE-2003-0078]) 16114 16115 *Bodo Moeller; problem pointed out by Brice Canvel (EPFL), 16116 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and 16117 Martin Vuagnoux (EPFL, Ilion)* 16118 16119### Changes between 0.9.6g and 0.9.6h [5 Dec 2002] 16120 16121 * New function OPENSSL_cleanse(), which is used to cleanse a section of 16122 memory from its contents. This is done with a counter that will 16123 place alternating values in each byte. 
   This can be used to solve
   two issues: 1) the removal of calls to memset() by highly optimizing
   compilers, and 2) cleansing with other values than 0, since those can
   be read through on certain media, for example a swap space on disk.

   *Geoff Thorpe*

 * Bugfix: client side session caching did not work with external caching,
   because the session->cipher setting was not restored when reloading
   from the external cache. This problem was masked, when
   SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
   (Found by Steve Haslam <steve@araqnid.ddts.net>.)

   *Lutz Jaenicke*

 * Fix client_certificate (ssl/s2_clnt.c): The permissible total
   length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.

   *Zeev Lieber <zeev-l@yahoo.com>*

 * Undo an undocumented change introduced in 0.9.6e which caused
   repeated calls to OpenSSL_add_all_ciphers() and
   OpenSSL_add_all_digests() to be ignored, even after calling
   EVP_cleanup().

   *Richard Levitte*

 * Change the default configuration reader to deal with last line not
   being properly terminated.

   *Richard Levitte*

 * Change X509_NAME_cmp() so it applies the special rules on handling
   DN values that are of type PrintableString, as well as RDNs of type
   emailAddress where the value has the type ia5String.

   *stefank@valicert.com via Richard Levitte*

 * Add an SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
   the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
   doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
   the bitwise-OR of the two for use by the majority of applications
   wanting this behaviour, and update the docs.
   The documented
   behaviour and actual behaviour were inconsistent and had been
   changing anyway, so this is more a bug-fix than a behavioural
   change.

   *Geoff Thorpe, diagnosed by Nadav Har'El*

 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
   (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).

   *Bodo Moeller*

 * Fix initialization code race conditions in
   SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
   SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
   SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
   TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
   ssl2_get_cipher_by_char(),
   ssl3_get_cipher_by_char().

   *Patrick McCormick <patrick@tellme.com>, Bodo Moeller*

 * Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
   the cached sessions are flushed, as the remove_cb() might use ex_data
   contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
   (see [openssl.org #212]).

   *Geoff Thorpe, Lutz Jaenicke*

 * Fix typo in OBJ_txt2obj which incorrectly passed the content
   length, instead of the encoding length to d2i_ASN1_OBJECT.

   *Steve Henson*

### Changes between 0.9.6f and 0.9.6g [9 Aug 2002]

 * [In 0.9.6g-engine release:]
   Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use `_stdcall`).

   *Lynn Gazis <lgazis@rainbow.com>*

### Changes between 0.9.6e and 0.9.6f [8 Aug 2002]

 * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
   and fix the header length calculation.

   *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
   Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*

 * Use proper error handling instead of 'assertions' in buffer
   overflow checks added in 0.9.6e.
   This prevents DoS (the
   assertions could call abort()).

   *Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*

### Changes between 0.9.6d and 0.9.6e [30 Jul 2002]

 * Add various sanity checks to asn1_get_length() to reject
   the ASN1 length bytes if they exceed sizeof(long), will appear
   negative or the content length exceeds the length of the
   supplied buffer.

   *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*

 * Fix cipher selection routines: ciphers without encryption had no flags
   for the cipher strength set and were therefore not handled correctly
   by the selection routines (PR #130).

   *Lutz Jaenicke*

 * Fix EVP_dsa_sha macro.

   *Nils Larsch*

 * New option

           SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

   for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
   that was added in OpenSSL 0.9.6d.

   As the countermeasure turned out to be incompatible with some
   broken SSL implementations, the new option is part of SSL_OP_ALL.
   SSL_OP_ALL is usually employed when compatibility with weird SSL
   implementations is desired (e.g. '-bugs' option to 's_client' and
   's_server'), so the new option is automatically set in many
   applications.

   *Bodo Moeller*

 * Changes in security patch:

   Changes marked "(CHATS)" were sponsored by the Defense Advanced
   Research Projects Agency (DARPA) and Air Force Research Laboratory,
   Air Force Materiel Command, USAF, under agreement number
   F30602-01-2-0537.

   * Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer.
     ([CVE-2002-0659])

     *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*

   * Assertions for various potential buffer overflows, not known to
     happen in practice.

     *Ben Laurie (CHATS)*

   * Various temporary buffers to hold ASCII versions of integers were
     too small for 64 bit platforms. ([CVE-2002-0655])

     *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*

   * Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized session ID to a client. ([CVE-2002-0656])

     *Ben Laurie (CHATS)*

   * Remote buffer overflow in SSL2 protocol - an attacker could
     supply an oversized client master key. ([CVE-2002-0656])

     *Ben Laurie (CHATS)*

### Changes between 0.9.6c and 0.9.6d [9 May 2002]

 * Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
   encoded as NULL) with id-dsa-with-sha1.

   *Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller*

 * Check various `X509_...()` return values in `apps/req.c`.

   *Nils Larsch <nla@trustcenter.de>*

 * Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
   an end-of-file condition would erroneously be flagged, when the CRLF
   was just at the end of a processed block. The bug was discovered when
   processing data through a buffering memory BIO handing the data to a
   BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
   <ptsekov@syntrex.com> and Nedelcho Stanev.

   *Lutz Jaenicke*

 * Implement a countermeasure against a vulnerability recently found
   in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
   before application data chunks to avoid the use of known IVs
   with data potentially chosen by the attacker.

   *Bodo Moeller*

 * Fix length checks in ssl3_get_client_hello().

   *Bodo Moeller*

 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
   to prevent ssl3_read_internal() from incorrectly assuming that
   ssl3_read_bytes() found application data while handshake
   processing was enabled when in fact s->s3->in_read_app_data was
   merely automatically cleared during the initial handshake.

   *Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>*

 * Fix object definitions for Private and Enterprise: they were not
   recognized in their shortname (=lowercase) representation. Extend
   obj_dat.pl to issue an error when using undefined keywords instead
   of silently ignoring the problem (Svenning Sorensen
   <sss@sss.dnsalias.net>).

   *Lutz Jaenicke*

 * Fix DH_generate_parameters() so that it works for 'non-standard'
   generators, i.e. generators other than 2 and 5. (Previously, the
   code did not properly initialise the 'add' and 'rem' values to
   BN_generate_prime().)

   In the new general case, we do not insist that 'generator' is
   actually a primitive root: This requirement is rather pointless;
   a generator of the order-q subgroup is just as good, if not
   better.

   *Bodo Moeller*

 * Map new X509 verification errors to alerts. Discovered and submitted by
   Tom Wu <tom@arcot.com>.

   *Lutz Jaenicke*

 * Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
   returning non-zero before the data has been completely received
   when using non-blocking I/O.

   *Bodo Moeller; problem pointed out by John Hughes*

 * Some of the ciphers missed the strength entry (SSL_LOW etc).

   *Ben Laurie, Lutz Jaenicke*

 * Fix bug in SSL_clear(): bad sessions were not removed (found by
   Yoram Zahavi <YoramZ@gilian.com>).

   *Lutz Jaenicke*

 * Add information about CygWin 1.3 and on, and preserve proper
   configuration for the versions before that.

   *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*

 * Make removal from session cache (SSL_CTX_remove_session()) more robust:
   check whether we deal with a copy of a session and do not delete from
   the cache in this case. Problem reported by "Izhar Shoshani Levi"
   <izhar@checkpoint.com>.

   *Lutz Jaenicke*

 * Do not store session data into the internal session cache, if it
   is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
   flag is set). Proposed by Aslam <aslam@funk.com>.

   *Lutz Jaenicke*

 * Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
   value is 0.

   *Richard Levitte*

 * [In 0.9.6d-engine release:]
   Fix a crashbug and a logic bug in hwcrhk_load_pubkey().

   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*

 * Add the configuration target linux-s390x.

   *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*

 * The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
   ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
   variable as an indication that a ClientHello message has been
   received. As the flag value will be lost between multiple
   invocations of ssl3_accept when using non-blocking I/O, the
   function may not be aware that a handshake has actually taken
   place, thus preventing a new session from being added to the
   session cache.

   To avoid this problem, we now set s->new_session to 2 instead of
   using a local variable.

   *Lutz Jaenicke, Bodo Moeller*

 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
   if the SSL_R_LENGTH_MISMATCH error is detected.

   *Geoff Thorpe, Bodo Moeller*

 * New 'shared_ldflag' column in Configure platform table.

   *Richard Levitte*

 * Fix EVP_CIPHER_mode macro.

   *"Dan S. Camper" <dan@bti.net>*

 * Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
   type, we must throw them away by setting rr->length to 0.

   *D P Chang <dpc@qualys.com>*

### Changes between 0.9.6b and 0.9.6c [21 Dec 2001]

 * Fix BN_rand_range bug pointed out by Dominikus Scherkl
   <Dominikus.Scherkl@biodata.com>. (The previous implementation
   worked incorrectly for those cases where range = `10..._2` and
   `3*range` is two bits longer than range.)

   *Bodo Moeller*

 * Only add signing time to PKCS7 structures if it is not already
   present.

   *Steve Henson*

 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
   OBJ_ld_ce should be OBJ_id_ce.
   Also some ip-pda OIDs in crypto/objects/objects.txt were
   incorrect (cf. RFC 3039).

   *Matt Cooper, Frederic Giudicelli, Bodo Moeller*

 * Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
   returns early because it has nothing to do.

   *Andy Schneider <andy.schneider@bjss.co.uk>*

 * [In 0.9.6c-engine release:]
   Fix mutex callback return values in crypto/engine/hw_ncipher.c.

   *Andy Schneider <andy.schneider@bjss.co.uk>*

 * [In 0.9.6c-engine release:]
   Add support for Cryptographic Appliance's keyserver technology.
   (Use engine 'keyclient')

   *Cryptographic Appliances and Geoff Thorpe*

 * Add a configuration entry for OS/390 Unix. The C compiler 'c89'
   is called via tools/c89.sh because arguments have to be
   rearranged (all '-L' options must appear before the first object
   modules).

   *Richard Shapiro <rshapiro@abinitio.com>*

 * [In 0.9.6c-engine release:]
   Add support for Broadcom crypto accelerator cards, backported
   from 0.9.7.

   *Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox*

 * [In 0.9.6c-engine release:]
   Add support for SureWare crypto accelerator cards from
   Baltimore Technologies. (Use engine 'sureware')

   *Baltimore Technologies and Mark Cox*

 * [In 0.9.6c-engine release:]
   Add support for crypto accelerator cards from Accelerated
   Encryption Processing, www.aep.ie. (Use engine 'aep')

   *AEP Inc. and Mark Cox*

 * Add a configuration entry for gcc on UnixWare.

   *Gary Benson <gbenson@redhat.com>*

 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
   messages are stored in a single piece (fixed-length part and
   variable-length part combined) and fix various bugs found on the way.

   *Bodo Moeller*

 * Disable caching in BIO_gethostbyname(), directly use gethostbyname()
   instead. BIO_gethostbyname() does not know what timeouts are
   appropriate, so entries would stay in cache even when they have
   become invalid.

   *Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>*

 * Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
   faced with a pathologically small ClientHello fragment that does
   not contain client_version: Instead of aborting with an error,
   simply choose the highest available protocol version (i.e.,
   TLS 1.0 unless it is disabled). In practice, ClientHello
   messages are never sent like this, but this change gives us
   strictly correct behaviour at least for TLS.

   *Bodo Moeller*

 * Fix SSL handshake functions and SSL_clear() such that SSL_clear()
   never resets s->method to s->ctx->method when called from within
   one of the SSL handshake functions.

   *Bodo Moeller; problem pointed out by Niko Baric*

 * In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
   (sent using the client's version number) if client_version is
   smaller than the protocol version in use. Also change
   ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
   the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
   the client will at least see that alert.

   *Bodo Moeller*

 * Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
   correctly.

   *Bodo Moeller*

 * Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
   client receives HelloRequest while in a handshake.

   *Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>*

 * Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
   should end in 'break', not 'goto end' which circumvents various
   cleanups done in state SSL_ST_OK. But session related stuff
   must be disabled for SSL_ST_OK in the case that we just sent a
   HelloRequest.

   Also avoid some overhead by not calling ssl_init_wbio_buffer()
   before just sending a HelloRequest.

   *Bodo Moeller, Eric Rescorla <ekr@rtfm.com>*

 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
   reveal whether illegal block cipher padding was found or a MAC
   verification error occurred. (Neither SSLerr() codes nor alerts
   are directly visible to potential attackers, but the information
   may leak via logfiles.)

   Similar changes are not required for the SSL 2.0 implementation
   because the number of padding bytes is sent in clear for SSL 2.0,
   and the extra bytes are just ignored. However ssl/s2_pkt.c
   failed to verify that the purported number of padding bytes is in
   the legal range.

   *Bodo Moeller*

 * Add OpenUNIX-8 support including shared libraries
   (Boyd Lynn Gerber <gerberb@zenez.com>).

   *Lutz Jaenicke*

 * Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
   'wristwatch attack' using huge encoding parameters (cf.
   James H. Manger's CRYPTO 2001 paper). Note that the
   RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
   encoding parameters and hence was not vulnerable.

   *Bodo Moeller*

 * BN_sqr() bug fix.

   *Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>*

 * Rabin-Miller test analyses assume uniformly distributed witnesses,
   so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
   followed by modular reduction.

   *Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>*

 * Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
   equivalent based on BN_pseudo_rand() instead of BN_rand().

   *Bodo Moeller*

 * s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
   This function was broken, as the check for a new client hello message
   to handle SGC did not allow these large messages.
   (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)

   *Lutz Jaenicke*

 * Add alert descriptions for TLSv1 to `SSL_alert_desc_string[_long]()`.

   *Lutz Jaenicke*

 * Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
   for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).

   *Lutz Jaenicke*

 * Rework the configuration and shared library support for Tru64 Unix.
   The configuration part makes use of modern compiler features and
   still retains old compiler behavior for those that run older versions
   of the OS. The shared library support part includes a variant that
   uses the RPATH feature, and is available through the special
   configuration target "alpha-cc-rpath", which will never be selected
   automatically.

   *Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte*

 * In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
   with the same message size as in ssl3_get_certificate_request().
   Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
   messages might inadvertently be rejected as too long.

   *Petr Lampa <lampa@fee.vutbr.cz>*

 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).

   *Andy Polyakov*

 * Modified SSL library such that the verify_callback that has been set
   specifically for an SSL object with SSL_set_verify() is actually being
   used. Before the change, a verify_callback set with this function was
   ignored and the verify_callback() set in the SSL_CTX at the time of
   the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
   to allow the necessary settings.

   *Lutz Jaenicke*

 * Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
   explicitly to NULL, as at least on Solaris 8 this seems not always to be
   done automatically (in contradiction to the requirements of the C
   standard). This made problems when used from OpenSSH.

   *Lutz Jaenicke*

 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
   dh->length and always used

           BN_rand_range(priv_key, dh->p).

   BN_rand_range() is not necessary for Diffie-Hellman, and this
   specific range makes Diffie-Hellman unnecessarily inefficient if
   dh->length (recommended exponent length) is much smaller than the
   length of dh->p. We could use BN_rand_range() if the order of
   the subgroup was stored in the DH structure, but we only have
   dh->length.

   So switch back to

           BN_rand(priv_key, l, ...)

   where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
   otherwise.

   *Bodo Moeller*

 * In

           RSA_eay_public_encrypt
           RSA_eay_private_decrypt
           RSA_eay_private_encrypt (signing)
           RSA_eay_public_decrypt (signature verification)

   (default implementations for RSA_public_encrypt,
   RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
   always reject numbers >= n.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
   to synchronize access to 'locking_thread'. This is necessary on
   systems where access to 'locking_thread' (an 'unsigned long'
   variable) is not atomic.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
   *before* setting the 'crypto_lock_rand' flag. The previous code had
   a race condition if 0 is a valid thread ID.

   *Travis Vitek <vitek@roguewave.com>*

 * Add support for shared libraries under Irix.

   *Albert Chin-A-Young <china@thewrittenword.com>*

 * Add configuration option to build on Linux on both big-endian and
   little-endian MIPS.

   *Ralf Baechle <ralf@uni-koblenz.de>*

 * Add the possibility to create shared libraries on HP-UX.

   *Richard Levitte*

### Changes between 0.9.6a and 0.9.6b [9 Jul 2001]

 * Change ssleay_rand_bytes (crypto/rand/md_rand.c)
   to avoid an SSLeay/OpenSSL PRNG weakness pointed out by
   Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
   PRNG state recovery was possible based on the output of
   one PRNG request appropriately sized to gain knowledge on
   'md' followed by enough consecutive 1-byte PRNG requests
   to traverse all of 'state'.

   1. When updating 'md_local' (the current thread's copy of 'md')
      during PRNG output generation, hash all of the previous
      'md_local' value, not just the half used for PRNG output.

   2. Make the number of bytes from 'state' included into the hash
      independent from the number of PRNG bytes requested.

   The first measure alone would be sufficient to avoid
   Markku-Juhani's attack. (Actually it had never occurred
   to me that the half of 'md_local' used for chaining was the
   half from which PRNG output bytes were taken -- I had always
   assumed that the secret half would be used.) The second
   measure makes sure that additional data from 'state' is never
   mixed into 'md_local' in small portions; this heuristically
   further strengthens the PRNG.

   *Bodo Moeller*

 * Fix crypto/bn/asm/mips3.s.

   *Andy Polyakov*

 * When only the key is given to "enc", the IV is undefined. Print out
   an error message in this case.

   *Lutz Jaenicke*

 * Handle special case when X509_NAME is empty in X509 printing routines.

   *Steve Henson*

 * In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
   positive and less than q.

   *Bodo Moeller*

 * Don't change `*pointer` in CRYPTO_add_lock() if add_lock_callback is
   used: it isn't thread safe and the add_lock_callback should handle
   that itself.

   *Paul Rose <Paul.Rose@bridge.com>*

 * Verify that incoming data obeys the block size in
   ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).

   *Bodo Moeller*

 * Fix OAEP check.

   *Ulf Möller, Bodo Möller*

 * The countermeasure against Bleichenbacher's attack on PKCS #1 v1.5
   RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
   when fixing the server behaviour for backwards-compatible 'client
   hello' messages. (Note that the attack is impractical against
   SSL 3.0 and TLS 1.0 anyway because length and version checking
   means that the probability of guessing a valid ciphertext is
   around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
   paper.)

   Before 0.9.5, the countermeasure (hide the error by generating a
   random 'decryption result') did not work properly because
   ERR_clear_error() was missing, meaning that SSL_get_error() would
   detect the supposedly ignored error.

   Both problems are now fixed.

   *Bodo Moeller*

 * In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
   (previously it was 1024).

   *Bodo Moeller*

 * Fix for compatibility mode trust settings: ignore trust settings
   unless some valid trust or reject settings are present.

   *Steve Henson*

 * Fix for blowfish EVP: it's a variable length cipher.

   *Steve Henson*

 * Fix various bugs related to DSA S/MIME verification. Handle missing
   parameters in DSA public key structures and return an error in the
   DSA routines if parameters are absent.

   *Steve Henson*

 * In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
   in the current directory if neither $RANDFILE nor $HOME was set.
   RAND_file_name() in 0.9.6a returned NULL in this case. This has
   caused some confusion to Windows users who haven't defined $HOME.
   Thus RAND_file_name() is changed again: e_os.h can define a
   DEFAULT_HOME, which will be used if $HOME is not set.
   For Windows, we use "C:"; on other platforms, we still require
   environment variables.

 * Move 'if (!initialized) RAND_poll()' into regions protected by
   CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
   having multiple threads call RAND_poll() concurrently.

   *Bodo Moeller*

 * In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
   combination of a flag and a thread ID variable.
   Otherwise while one thread is in ssleay_rand_bytes (which sets the
   flag), *other* threads can enter ssleay_add_bytes without obeying
   the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
   that they do not hold after the first thread unsets add_do_not_lock).

   *Bodo Moeller*

 * Change bctest again: '-x' expressions are not available in all
   versions of 'test'.

   *Bodo Moeller*

### Changes between 0.9.6 and 0.9.6a [5 Apr 2001]

 * Fix a couple of memory leaks in PKCS7_dataDecode()

   *Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>*

 * Change Configure and Makefiles to provide EXE_EXT, which will contain
   the default extension for executables, if any. Also, make the perl
   scripts that use symlink() to test if it really exists and use "cp"
   if it doesn't. All this made OpenSSL compilable and installable in
   CygWin.

   *Richard Levitte*

 * Fix for asn1_GetSequence() for indefinite length constructed data.
   If the SEQUENCE length is indefinite just set c->slen to the total
   amount of data available.

   *Steve Henson, reported by shige@FreeBSD.org*

   *This change does not apply to 0.9.7.*

 * Change bctest to avoid here-documents inside command substitution
   (workaround for FreeBSD /bin/sh bug).
   For compatibility with Ultrix, avoid shell functions (introduced
   in the bctest version that searches along $PATH).

   *Bodo Moeller*

 * Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
   with des_encrypt() defined on some operating systems, like Solaris
   and UnixWare.

   *Richard Levitte*

 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
   On the Importance of Eliminating Errors in Cryptographic
   Computations, J. Cryptology 14 (2001) 2, 101-119,
   <http://theory.stanford.edu/~dabo/papers/faults.ps.gz>).

   *Ulf Moeller*

 * MIPS assembler BIGNUM division bug fix.

   *Andy Polyakov*

 * Disabled incorrect Alpha assembler code.

   *Richard Levitte*

 * Fix PKCS#7 decode routines so they correctly update the length
   after reading an EOC for the EXPLICIT tag.

   *Steve Henson*

   *This change does not apply to 0.9.7.*

 * Fix bug in PKCS#12 key generation routines. This was triggered
   if a 3DES key was generated with a 0 initial byte. Include
   PKCS12_BROKEN_KEYGEN compilation option to retain the old
   (but broken) behaviour.

   *Steve Henson*

 * Enhance bctest to search for a working bc along $PATH and print
   it when found.

   *Tim Rice <tim@multitalents.net> via Richard Levitte*

 * Fix memory leaks in err.c: free err_data string if necessary;
   don't write to the wrong index in ERR_set_error_data.

   *Bodo Moeller*

 * Implement ssl23_peek (analogous to ssl23_read), which previously
   did not exist.

   *Bodo Moeller*

 * Replace rdtsc with `_emit` statements for VC++ version 5.

   *Jeremy Cooper <jeremy@baymoo.org>*

 * Make it possible to reuse SSLv2 sessions.

   *Richard Levitte*

 * In copy_email() check for >= 0 as a return value for
   X509_NAME_get_index_by_NID() since 0 is a valid index.

   *Steve Henson, reported by Massimiliano Pala <madwolf@opensca.org>*

 * Avoid coredump with unsupported or invalid public keys by checking if
   X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
   PKCS7_verify() fails with non detached data.

   *Steve Henson*

 * Don't use getenv in library functions when run as setuid/setgid.
   New function OPENSSL_issetugid().

   *Ulf Moeller*

 * Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
   due to incorrect handling of multi-threading:

   1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().

   2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().

   3. Count how many times MemCheck_off() has been called so that
      nested use can be treated correctly. This also avoids
      inband-signalling in the previous code (which relied on the
      assumption that thread ID 0 is impossible).

   *Bodo Moeller*

 * Add "-rand" option also to s_client and s_server.

   *Lutz Jaenicke*

 * Fix CPU detection on Irix 6.x.

   *Kurt Hockenbury <khockenb@stevens-tech.edu> and
   "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*

 * Fix X509_NAME bug which produced incorrect encoding if X509_NAME
   was empty.
16962 16963 *Steve Henson* 16964 16965 *This change does not apply to 0.9.7.* 16966 16967 * Use the cached encoding of an X509_NAME structure rather than 16968 copying it. This is apparently the reason for the libsafe "errors" 16969 but the code is actually correct. 16970 16971 *Steve Henson* 16972 16973 * Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent 16974 Bleichenbacher's DSA attack. 16975 Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits 16976 to be set and top=0 forces the highest bit to be set; top=-1 is new 16977 and leaves the highest bit random. 16978 16979 *Ulf Moeller, Bodo Moeller* 16980 16981 * In the `NCONF_...`-based implementations for `CONF_...` queries 16982 (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using 16983 a temporary CONF structure with the data component set to NULL 16984 (which gives segmentation faults in lh_retrieve). 16985 Instead, use NULL for the CONF pointer in CONF_get_string and 16986 CONF_get_number (which may use environment variables) and directly 16987 return NULL from CONF_get_section. 16988 16989 *Bodo Moeller* 16990 16991 * Fix potential buffer overrun for EBCDIC. 16992 16993 *Ulf Moeller* 16994 16995 * Tolerate nonRepudiation as being valid for S/MIME signing and certSign 16996 keyUsage if basicConstraints absent for a CA. 16997 16998 *Steve Henson* 16999 17000 * Make SMIME_write_PKCS7() write mail header values with a format that 17001 is more generally accepted (no spaces before the semicolon), since 17002 some programs can't parse those values properly otherwise. Also make 17003 sure BIO's that break lines after each write do not create invalid 17004 headers. 17005 17006 *Richard Levitte* 17007 17008 * Make the CRL encoding routines work with empty SEQUENCE OF. The 17009 macros previously used would not encode an empty SEQUENCE OF 17010 and break the signature. 
17011 17012 *Steve Henson* 17013 17014 *This change does not apply to 0.9.7.* 17015 17016 * Zero the premaster secret after deriving the master secret in 17017 DH ciphersuites. 17018 17019 *Steve Henson* 17020 17021 * Add some EVP_add_digest_alias registrations (as found in 17022 OpenSSL_add_all_digests()) to SSL_library_init() 17023 aka OpenSSL_add_ssl_algorithms(). This provides improved 17024 compatibility with peers using X.509 certificates 17025 with unconventional AlgorithmIdentifier OIDs. 17026 17027 *Bodo Moeller* 17028 17029 * Fix for Irix with NO_ASM. 17030 17031 *"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>* 17032 17033 * ./config script fixes. 17034 17035 *Ulf Moeller, Richard Levitte* 17036 17037 * Fix 'openssl passwd -1'. 17038 17039 *Bodo Moeller* 17040 17041 * Change PKCS12_key_gen_asc() so it can cope with non null 17042 terminated strings whose length is passed in the passlen 17043 parameter, for example from PEM callbacks. This was done 17044 by adding an extra length parameter to asc2uni(). 17045 17046 *Steve Henson, reported by <oddissey@samsung.co.kr>* 17047 17048 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn 17049 call failed, free the DSA structure. 17050 17051 *Bodo Moeller* 17052 17053 * Fix to uni2asc() to cope with zero length Unicode strings. 17054 These are present in some PKCS#12 files. 17055 17056 *Steve Henson* 17057 17058 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). 17059 Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits 17060 when writing a 32767 byte record. 17061 17062 *Bodo Moeller; problem reported by Eric Day <eday@concentric.net>* 17063 17064 * In `RSA_eay_public_{en,ed}crypt` and RSA_eay_mod_exp (rsa_eay.c), 17065 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`. 
17066 17067 (RSA objects have a reference count access to which is protected 17068 by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], 17069 so they are meant to be shared between threads.) 17070 *Bodo Moeller, Geoff Thorpe; original patch submitted by 17071 "Reddie, Steven" <Steven.Reddie@ca.com>* 17072 17073 * Fix a deadlock in CRYPTO_mem_leaks(). 17074 17075 *Bodo Moeller* 17076 17077 * Use better test patterns in bntest. 17078 17079 *Ulf Möller* 17080 17081 * rand_win.c fix for Borland C. 17082 17083 *Ulf Möller* 17084 17085 * BN_rshift bugfix for n == 0. 17086 17087 *Bodo Moeller* 17088 17089 * Add a 'bctest' script that checks for some known 'bc' bugs 17090 so that 'make test' does not abort just because 'bc' is broken. 17091 17092 *Bodo Moeller* 17093 17094 * Store verify_result within SSL_SESSION also for client side to 17095 avoid potential security hole. (Reused sessions on the client side 17096 always resulted in verify_result==X509_V_OK, not using the original 17097 result of the server certificate verification.) 17098 17099 *Lutz Jaenicke* 17100 17101 * Fix ssl3_pending: If the record in s->s3->rrec is not of type 17102 SSL3_RT_APPLICATION_DATA, return 0. 17103 Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. 17104 17105 *Bodo Moeller* 17106 17107 * Fix SSL_peek: 17108 Both ssl2_peek and ssl3_peek, which were totally broken in earlier 17109 releases, have been re-implemented by renaming the previous 17110 implementations of ssl2_read and ssl3_read to ssl2_read_internal 17111 and ssl3_read_internal, respectively, and adding 'peek' parameters 17112 to them. The new ssl[23]_{read,peek} functions are calls to 17113 ssl[23]_read_internal with the 'peek' flag set appropriately. 17114 A 'peek' parameter has also been added to ssl3_read_bytes, which 17115 does the actual work for ssl3_read_internal. 
17116 17117 *Bodo Moeller* 17118 17119 * Initialise "ex_data" member of RSA/DSA/DH structures prior to calling 17120 the method-specific "init()" handler. Also clean up ex_data after 17121 calling the method-specific "finish()" handler. Previously, this was 17122 happening the other way round. 17123 17124 *Geoff Thorpe* 17125 17126 * Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. 17127 The previous value, 12, was not always sufficient for BN_mod_exp(). 17128 17129 *Bodo Moeller* 17130 17131 * Make sure that shared libraries get the internal name engine with 17132 the full version number and not just 0. This should mark the 17133 shared libraries as not backward compatible. Of course, this should 17134 be changed again when we can guarantee backward binary compatibility. 17135 17136 *Richard Levitte* 17137 17138 * Fix typo in get_cert_by_subject() in by_dir.c 17139 17140 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>* 17141 17142 * Rework the system to generate shared libraries: 17143 17144 - Make note of the expected extension for the shared libraries and 17145 if there is a need for symbolic links from for example libcrypto.so.0 17146 to libcrypto.so.0.9.7. There is extended info in Configure for 17147 that. 17148 17149 - Make as few rebuilds of the shared libraries as possible. 17150 17151 - Still avoid linking the OpenSSL programs with the shared libraries. 17152 17153 - When installing, install the shared libraries separately from the 17154 static ones. 17155 17156 *Richard Levitte* 17157 17158 * Fix SSL_CTX_set_read_ahead macro to actually use its argument. 17159 17160 Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new 17161 and not in SSL_clear because the latter is also used by the 17162 accept/connect functions; previously, the settings made by 17163 SSL_set_read_ahead would be lost during the handshake. 
17164 17165 *Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>* 17166 17167 * Correct util/mkdef.pl to be selective about disabled algorithms. 17168 Previously, it would create entries for disabled algorithms no 17169 matter what. 17170 17171 *Richard Levitte* 17172 17173 * Added several new manual pages for SSL_* functions. 17174 17175 *Lutz Jaenicke* 17176 17177### Changes between 0.9.5a and 0.9.6 [24 Sep 2000] 17178 17179 * In ssl23_get_client_hello, generate an error message when faced 17180 with an initial SSL 3.0/TLS record that is too small to contain the 17181 first two bytes of the ClientHello message, i.e. client_version. 17182 (Note that this is a pathological case that probably has never happened 17183 in real life.) The previous approach was to use the version number 17184 from the record header as a substitute; but our protocol choice 17185 should not depend on that one because it is not authenticated 17186 by the Finished messages. 17187 17188 *Bodo Moeller* 17189 17190 * More robust randomness gathering functions for Windows. 17191 17192 *Jeffrey Altman <jaltman@columbia.edu>* 17193 17194 * For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is 17195 not set then we don't set up the error code for issuer check errors 17196 to avoid possibly overwriting other errors which the callback does 17197 handle. If an application does set the flag then we assume it knows 17198 what it is doing and can handle the new informational codes 17199 appropriately. 17200 17201 *Steve Henson* 17202 17203 * Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for 17204 a general "ANY" type, as such it should be able to decode anything 17205 including tagged types. However it didn't check the class so it would 17206 wrongly interpret tagged types in the same way as their universal 17207 counterpart and unknown types were just rejected.
Changed so that the 17208 tagged and unknown types are handled in the same way as a SEQUENCE: 17209 that is the encoding is stored intact. There is also a new type 17210 "V_ASN1_OTHER" which is used when the class is not universal, in this 17211 case we have no idea what the actual type is so we just lump them all 17212 together. 17213 17214 *Steve Henson* 17215 17216 * On VMS, stdout may very well lead to a file that is written to 17217 in a record-oriented fashion. That means that every write() will 17218 write a separate record, which will be read separately by the 17219 programs trying to read from it. This can be very confusing. 17220 17221 The solution is to put a BIO filter in the way that will buffer 17222 text until a linefeed is reached, and then write everything a 17223 line at a time, so every record written will be an actual line, 17224 not chunks of lines and not (usually doesn't happen, but I've 17225 seen it once) several lines in one record. BIO_f_linebuffer() is 17226 the answer. 17227 17228 Currently, it's a VMS-only method, because that's where it has 17229 been tested well enough. 17230 17231 *Richard Levitte* 17232 17233 * Remove 'optimized' squaring variant in BN_mod_mul_montgomery, 17234 it can return incorrect results. 17235 (Note: The buggy variant was not enabled in OpenSSL 0.9.5a, 17236 but it was in 0.9.6-beta[12].) 17237 17238 *Bodo Moeller* 17239 17240 * Disable the check for content being present when verifying detached 17241 signatures in pk7_smime.c. Some versions of Netscape (wrongly) 17242 include zero length content when signing messages. 17243 17244 *Steve Henson* 17245 17246 * New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR 17247 BIO_ctrl (for BIO pairs). 17248 17249 *Bodo Möller* 17250 17251 * Add DSO method for VMS. 17252 17253 *Richard Levitte* 17254 17255 * Bug fix: Montgomery multiplication could produce results with the 17256 wrong sign. 
17257 17258 *Ulf Möller* 17259 17260 * Add RPM specification openssl.spec and modify it to build three 17261 packages. The default package contains applications, application 17262 documentation and run-time libraries. The devel package contains 17263 include files, static libraries and function documentation. The 17264 doc package contains the contents of the doc directory. The original 17265 openssl.spec was provided by Damien Miller <djm@mindrot.org>. 17266 17267 *Richard Levitte* 17268 17269 * Add a large number of documentation files for many SSL routines. 17270 17271 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>* 17272 17273 * Add a configuration entry for Sony News 4. 17274 17275 *NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>* 17276 17277 * Don't set the two most significant bits to one when generating a 17278 random number < q in the DSA library. 17279 17280 *Ulf Möller* 17281 17282 * New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default 17283 behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if 17284 the underlying transport is blocking) if a handshake took place. 17285 (The default behaviour is needed by applications such as s_client 17286 and s_server that use select() to determine when to use SSL_read; 17287 but for applications that know in advance when to expect data, it 17288 just makes things more complicated.) 17289 17290 *Bodo Moeller* 17291 17292 * Add RAND_egd_bytes(), which gives control over the number of bytes read 17293 from EGD. 17294 17295 *Ben Laurie* 17296 17297 * Add a few more EBCDIC conditionals that make `req` and `x509` 17298 work better on such systems. 17299 17300 *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>* 17301 17302 * Add two demo programs for PKCS12_parse() and PKCS12_create(). 17303 Update PKCS12_parse() so it copies the friendlyName and the 17304 keyid to the certificates aux info. 
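The two DSA-nonce entries in this release, "Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent Bleichenbacher's DSA attack" and "Don't set the two most significant bits to one when generating a random number < q in the DSA library", address one issue: a per-signature k that is not uniform on [1, q) leaks the private key through the bias in k. Added example, not OpenSSL code: it mimics BN_rand()'s `top` argument, enumerates exactly how reducing a forced-top-bit value mod q skews k (a toy 4-bit q so the whole raw space can be enumerated), and shows the rejection sampling BN_rand_range() uses instead. The `rng` parameter is this example's own injectable byte source, there so the behaviour is testable.

```python
import os
from collections import Counter


def rand_bits(nbits, top, rng=os.urandom):
    """Random nbits-bit value in the style of BN_rand(): top=1 forces the two highest
    bits set, top=0 forces the highest bit, top=-1 leaves the highest bit random."""
    nbytes = (nbits + 7) // 8
    r = int.from_bytes(rng(nbytes), "big") >> (8 * nbytes - nbits)
    if top >= 0:
        r |= 1 << (nbits - 1)
    if top == 1 and nbits > 1:
        r |= 1 << (nbits - 2)
    return r


def rand_range(q, rng=os.urandom):
    """Uniform value in [0, q) by rejection sampling, as BN_rand_range() does.
    Each draw is accepted with probability q / 2^bits >= 1/2, so the loop is short."""
    nbits = q.bit_length()
    while True:
        r = rand_bits(nbits, -1, rng)
        if r < q:
            return r


def dsa_nonce(q, rng=os.urandom):
    """DSA per-message secret k, uniform on [1, q), DSA_sign_setup() style."""
    while True:
        k = rand_range(q, rng)
        if k != 0:
            return k


def reduced_nonce_distribution(q, top):
    """Exact distribution of k = r mod q when r is a uniform q.bit_length()-bit value
    with BN_rand()-style top-bit forcing (the pre-fix construction). Enumerating the
    raw space is only feasible for a toy q; the skew it exposes is what the attack uses."""
    nbits = q.bit_length()
    counts = Counter()
    for raw in range(1 << nbits):
        r = raw
        if top >= 0:
            r |= 1 << (nbits - 1)
        if top == 1 and nbits > 1:
            r |= 1 << (nbits - 2)
        counts[r % q] += 1
    return counts


def nonce_bias(q, top):
    """(fraction of [0, q) that can ever be produced,
        most-likely / least-likely probability ratio among the values produced)."""
    counts = reduced_nonce_distribution(q, top)
    return len(counts) / q, max(counts.values()) / min(counts.values())


if __name__ == "__main__":
    q = 11                                  # toy 4-bit q so every raw value can be enumerated
    for top in (1, 0, -1):
        print(f"top={top:2d}: reachable={nonce_bias(q, top)[0]:.2f} ratio={nonce_bias(q, top)[1]:.1f}")
    print("rejection-sampled k:", dsa_nonce(q))
```

With the top two bits forced, only 4 of the 11 possible k values can ever occur; even with no forcing, plain reduction makes the small residues twice as likely as the large ones. Rejection sampling removes both effects, which is why BN_rand_range() is the right primitive for k (and for any secret that must be uniform modulo a non-power-of-two).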
17305 17306 *Steve Henson* 17307 17308 * Fix bug in PKCS7_verify() which caused an infinite loop 17309 if there was more than one signature. 17310 17311 *Sven Uszpelkat <su@celocom.de>* 17312 17313 * Major change in util/mkdef.pl to include extra information 17314 about each symbol, as well as presenting variables as well 17315 as functions. This change means that there's no more need 17316 to rebuild the .num files when some algorithms are excluded. 17317 17318 *Richard Levitte* 17319 17320 * Allow the verify time to be set by an application, 17321 rather than always using the current time. 17322 17323 *Steve Henson* 17324 17325 * Phase 2 verify code reorganisation. The certificate 17326 verify code now looks up an issuer certificate by a 17327 number of criteria: subject name, authority key id 17328 and key usage. It also verifies self signed certificates 17329 by the same criteria. The main comparison function is 17330 X509_check_issued() which performs these checks. 17331 17332 A lot of changes were necessary in order to support this 17333 without completely rewriting the lookup code. 17334 17335 Authority and subject key identifier are now cached. 17336 17337 The LHASH 'certs' in X509_STORE has now been replaced 17338 by a STACK_OF(X509_OBJECT). This is mainly because an 17339 LHASH can't store or retrieve multiple objects with 17340 the same hash value. 17341 17342 As a result various functions (which were all internal 17343 use only) have changed to handle the new X509_STORE 17344 structure. This will break anything that messed round 17345 with X509_STORE internally. 17346 17347 The function X509_STORE_add_cert() now checks for an 17348 exact match, rather than just subject name.
17349 17350 The X509_STORE API doesn't directly support the retrieval 17351 of multiple certificates matching given criteria; however, 17352 this can be worked round by performing a lookup first 17353 (which will fill the cache with candidate certificates) 17354 and then examining the cache for matches. This is probably 17355 the best we can do without throwing out X509_LOOKUP 17356 entirely (maybe later...). 17357 17358 The X509_VERIFY_CTX structure has been enhanced considerably. 17359 17360 All certificate lookup operations now go via a get_issuer() 17361 callback. Although this currently uses an X509_STORE it 17362 can be replaced by custom lookups. This is a simple way 17363 to bypass the X509_STORE hackery necessary to make this 17364 work and makes it possible to use more efficient techniques 17365 in future. A very simple version which uses a simple 17366 STACK for its trusted certificate store is also provided 17367 using X509_STORE_CTX_trusted_stack(). 17368 17369 The verify_cb() and verify() callbacks now have equivalents 17370 in the X509_STORE_CTX structure. 17371 17372 X509_STORE_CTX also has a 'flags' field which can be used 17373 to customise the verify behaviour. 17374 17375 *Steve Henson* 17376 17377 * Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 17378 excludes S/MIME capabilities. 17379 17380 *Steve Henson* 17381 17382 * When a certificate request is read in keep a copy of the 17383 original encoding of the signed data and use it when outputting 17384 again. Signatures then use the original encoding rather than 17385 a decoded, encoded version which may cause problems if the 17386 request is improperly encoded. 17387 17388 *Steve Henson* 17389 17390 * For consistency with other BIO_puts implementations, call 17391 buffer_write(b, ...) directly in buffer_puts instead of calling 17392 BIO_write(b, ...). 17393 17394 In BIO_puts, increment b->num_write as in BIO_write.
17395 17396 *Peter.Sylvester@EdelWeb.fr* 17397 17398 * Fix BN_mul_word for the case where the word is 0. (We have to use 17399 BN_zero, we may not return a BIGNUM with an array consisting of 17400 words set to zero.) 17401 17402 *Bodo Moeller* 17403 17404 * Avoid calling abort() from within the library when problems are 17405 detected, except if preprocessor symbols have been defined 17406 (such as REF_CHECK, BN_DEBUG etc.). 17407 17408 *Bodo Moeller* 17409 17410 * New openssl application 'rsautl'. This utility can be 17411 used for low-level RSA operations. DER public key 17412 BIO/fp routines also added. 17413 17414 *Steve Henson* 17415 17416 * New Configure entry and patches for compiling on QNX 4. 17417 17418 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>* 17419 17420 * A demo state-machine implementation was sponsored by 17421 Nuron (<http://www.nuron.com/>) and is now available in 17422 demos/state_machine. 17423 17424 *Ben Laurie* 17425 17426 * New options added to the 'dgst' utility for signature 17427 generation and verification. 17428 17429 *Steve Henson* 17430 17431 * Unrecognized PKCS#7 content types are now handled via a 17432 catch all ASN1_TYPE structure. This allows unsupported 17433 types to be stored as a "blob" and an application can 17434 encode and decode it manually. 17435 17436 *Steve Henson* 17437 17438 * Fix various signed/unsigned issues to make a_strex.c 17439 compile under VC++. 17440 17441 *Oscar Jacobsson <oscar.jacobsson@celocom.com>* 17442 17443 * ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct 17444 length if passed a buffer. ASN1_INTEGER_to_BN failed 17445 if passed a NULL BN and its argument was negative. 17446 17447 *Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>* 17448 17449 * Modification to PKCS#7 encoding routines to output definite 17450 length encoding. Since currently the whole structures are in 17451 memory there's no real point in using indefinite length 17452 constructed encoding.
However if OpenSSL is compiled with 17453 the flag PKCS7_INDEFINITE_ENCODING the old form is used. 17454 17455 *Steve Henson* 17456 17457 * Added BIO_vprintf() and BIO_vsnprintf(). 17458 17459 *Richard Levitte* 17460 17461 * Added more prefixes to parse for in the strings written 17462 through a logging bio, to cover all the levels that are available 17463 through syslog. The prefixes are now: 17464 17465 PANIC, EMERG, EMR => LOG_EMERG 17466 ALERT, ALR => LOG_ALERT 17467 CRIT, CRI => LOG_CRIT 17468 ERROR, ERR => LOG_ERR 17469 WARNING, WARN, WAR => LOG_WARNING 17470 NOTICE, NOTE, NOT => LOG_NOTICE 17471 INFO, INF => LOG_INFO 17472 DEBUG, DBG => LOG_DEBUG 17473 17474 and as before, if none of those prefixes are present at the 17475 beginning of the string, LOG_ERR is chosen. 17476 17477 On Win32, the `LOG_*` levels are mapped according to this: 17478 17479 LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE 17480 LOG_WARNING => EVENTLOG_WARNING_TYPE 17481 LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE 17482 17483 *Richard Levitte* 17484 17485 * Made it possible to reconfigure with just the configuration 17486 argument "reconf" or "reconfigure". The command line arguments 17487 are stored in Makefile.ssl in the variable CONFIGURE_ARGS, 17488 and are retrieved from there when reconfiguring. 17489 17490 *Richard Levitte* 17491 17492 * MD4 implemented. 17493 17494 *Assar Westerlund <assar@sics.se>, Richard Levitte* 17495 17496 * Add the arguments -CAfile and -CApath to the pkcs12 utility. 17497 17498 *Richard Levitte* 17499 17500 * The obj_dat.pl script was messing up the sorting of object 17501 names. The reason was that it compared the quoted version 17502 of strings as a result "OCSP" > "OCSP Signing" because 17503 " > SPACE. Changed script to store unquoted versions of 17504 names and add quotes on output. 
It was also omitting some 17505 names from the lookup table if they were given a default 17506 value (that is if SN is missing it is given the same 17507 value as LN and vice versa), these are now added on the 17508 grounds that if an object has a name we should be able to 17509 look it up. Finally added warning output when duplicate 17510 short or long names are found. 17511 17512 *Steve Henson* 17513 17514 * Changes needed for Tandem NSK. 17515 17516 *Scott Uroff <scott@xypro.com>* 17517 17518 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in 17519 RSA_padding_check_SSLv23(), special padding was never detected 17520 and thus the SSL 3.0/TLS 1.0 countermeasure against protocol 17521 version rollback attacks was not effective. 17522 17523 In s23_clnt.c, don't use special rollback-attack detection padding 17524 (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the 17525 client; similarly, in s23_srvr.c, don't do the rollback check if 17526 SSL 2.0 is the only protocol enabled in the server. 17527 17528 *Bodo Moeller* 17529 17530 * Make it possible to get hexdumps of unprintable data with 'openssl 17531 asn1parse'. By implication, the functions ASN1_parse_dump() and 17532 BIO_dump_indent() are added. 17533 17534 *Richard Levitte* 17535 17536 * New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() 17537 these print out strings and name structures based on various 17538 flags including RFC2253 support and proper handling of 17539 multibyte characters. Added options to the 'x509' utility 17540 to allow the various flags to be set. 17541 17542 *Steve Henson* 17543 17544 * Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. 17545 Also change the functions X509_cmp_current_time() and 17546 X509_gmtime_adj() to work with an ASN1_TIME structure; 17547 this will enable certificates using GeneralizedTime in validity 17548 dates to be checked.
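The rollback-detection padding from the "Fix SSL 2.0 rollback checking" entry in this release, as an added worked example that is not OpenSSL code. An SSL 3.0-capable client that has been talked down to SSL 2.0 fills the last eight bytes of the PKCS#1 type 2 padding string with 0x03; an SSL 3.0-capable server that finds that marker in an SSL 2.0 ClientMasterKey knows a downgrade happened. The block implements the padding, the check, the SSL-2.0-only exceptions on both sides that the entry describes, and a constructed off-by-one variant that never fires (a stand-in for the class of bug the entry fixes, not a copy of the OpenSSL code). The last function carries the same idea over to the TLS premaster-secret version check that the later SSL_OP_TLS_ROLLBACK_BUG entry in this release concerns. The `rng` parameter and all function names are this example's own.

```python
import os

ROLLBACK_MARK = b"\x03" * 8   # RSA_SSLV23_PADDING: the last 8 padding bytes before the 0x00 separator


def pad_sslv23(msg, k, mark_rollback, rng=os.urandom):
    """PKCS#1 v1.5 type 2 block 00 02 || PS || 00 || msg for a k-byte modulus.

    PS is at least 8 nonzero random bytes. An SSL 3.0-capable client speaking SSL 2.0
    sets mark_rollback so the last 8 PS bytes become 0x03; a client with only SSL 2.0
    enabled must not (it has nothing to roll back from, and a checking server would
    reject it)."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps_len = k - 3 - len(msg)
    ps = bytearray()
    while len(ps) < ps_len:                         # nonzero bytes only: 0x00 is the separator
        ps += bytes(b for b in rng(ps_len - len(ps)) if b != 0)
    if mark_rollback:
        ps[-8:] = ROLLBACK_MARK
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def unpad_type2(em, k):
    """Split a type 2 block into (PS, msg); rejects malformed blocks."""
    if len(em) != k or em[:2] != b"\x00\x02":
        raise ValueError("not a type 2 block")
    sep = em.find(b"\x00", 2)
    if sep < 2 + 8:
        raise ValueError("padding string shorter than 8 bytes")
    return em[2:sep], em[sep + 1:]


def rollback_mark_present(ps):
    """Correct check: all eight bytes immediately before the separator are 0x03."""
    return ps[-8:] == ROLLBACK_MARK


def rollback_mark_present_buggy(ps):
    """Constructed off-by-one for illustration only (not OpenSSL's code): the loop can
    count at most 8 matches, so comparing against 9 never succeeds and the marker is
    silently never detected, which is the failure mode the entry describes."""
    i = 0
    while i < 8 and ps[-1 - i] == 0x03:
        i += 1
    return i == 9


def sslv2_server_recover_master_key(em, k, server_sslv2_only):
    """Server side of an SSL 2.0 ClientMasterKey carrying RSA-encrypted key material.
    Returns (key_material, rollback_detected); the caller aborts the handshake when
    the flag is set. A server with only SSL 2.0 enabled skips the check: a marker
    there is not evidence of a downgrade it could have refused."""
    ps, key_material = unpad_type2(em, k)
    detected = (not server_sslv2_only) and rollback_mark_present(ps)
    return key_material, detected


def tls_check_premaster_version(pms, client_hello_version, negotiated_version,
                                tolerate_rollback_bug=False):
    """TLS analogue: the first two premaster-secret bytes must repeat the version the
    client offered in ClientHello. Broken clients put the negotiated version there;
    SSL_OP_TLS_ROLLBACK_BUG-style tolerance accepts that too, at the cost of the check."""
    pms_version = (pms[0], pms[1])
    if pms_version == client_hello_version:
        return True
    return tolerate_rollback_bug and pms_version == negotiated_version
```

Two practical points follow from the code: the marker check must look at exactly the eight bytes before the separator (the buggy variant shows how an off-by-one turns a security check into a no-op while every legitimate connection still works, so nothing notices), and both exceptions are needed for interoperability, since a client or server with SSL 2.0 as its only protocol cannot have been downgraded.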
17549 17550 *Steve Henson* 17551 17552 * Make the NEG_PUBKEY_BUG code (which tolerates invalid 17553 negative public key encodings) on by default, 17554 NO_NEG_PUBKEY_BUG can be set to disable it. 17555 17556 *Steve Henson* 17557 17558 * New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT 17559 content octets. An i2c_ASN1_OBJECT is unnecessary because 17560 the encoding can be trivially obtained from the structure. 17561 17562 *Steve Henson* 17563 17564 * crypto/err.c locking bugfix: Use write locks (`CRYPTO_w_[un]lock`), 17565 not read locks (`CRYPTO_r_[un]lock`). 17566 17567 *Bodo Moeller* 17568 17569 * A first attempt at creating official support for shared 17570 libraries through configuration. I've kept it so the 17571 default is static libraries only, and the OpenSSL programs 17572 are always statically linked for now, but there are 17573 preparations for dynamic linking in place. 17574 This has been tested on Linux and Tru64. 17575 17576 *Richard Levitte* 17577 17578 * Randomness polling function for Win9x, as described in: 17579 Peter Gutmann, Software Generation of Practically Strong 17580 Random Numbers. 17581 17582 *Ulf Möller* 17583 17584 * Fix so PRNG is seeded in req if using an already existing 17585 DSA key. 17586 17587 *Steve Henson* 17588 17589 * New options to smime application. -inform and -outform 17590 allow alternative formats for the S/MIME message including 17591 PEM and DER. The -content option allows the content to be 17592 specified separately. This should make things like Netscape 17593 form signing output easier to verify. 17594 17595 *Steve Henson* 17596 17597 * Fix the ASN1 encoding of tags using the 'long form'. 17598 17599 *Steve Henson* 17600 17601 * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT 17602 STRING types. These convert content octets to and from the 17603 underlying type. The actual tag and length octets are 17604 already assumed to have been read in and checked.
These 17605 are needed because all other string types have virtually 17606 identical handling apart from the tag. By having versions 17607 of the ASN1 functions that just operate on content octets 17608 IMPLICIT tagging can be handled properly. It also allows 17609 the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED 17610 and ASN1_INTEGER are identical apart from the tag. 17611 17612 *Steve Henson* 17613 17614 * Change the handling of OID objects as follows: 17615 17616 - New object identifiers are inserted in objects.txt, following 17617 the syntax given in [crypto/objects/README.md](crypto/objects/README.md). 17618 - objects.pl is used to process obj_mac.num and create a new 17619 obj_mac.h. 17620 - obj_dat.pl is used to create a new obj_dat.h, using the data in 17621 obj_mac.h. 17622 17623 This is currently kind of a hack, and the perl code in objects.pl 17624 isn't very elegant, but it works as I intended. The simplest way 17625 to check that it worked correctly is to look in obj_dat.h and 17626 check the array nid_objs and make sure the objects haven't moved 17627 around (this is important!). Additions are OK, as well as 17628 consistent name changes. 17629 17630 *Richard Levitte* 17631 17632 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). 17633 17634 *Bodo Moeller* 17635 17636 * Addition of the command line parameter '-rand file' to 'openssl req'. 17637 The given file adds to whatever has already been seeded into the 17638 random pool through the RANDFILE configuration file option or 17639 environment variable, or the default random state file. 17640 17641 *Richard Levitte* 17642 17643 * mkstack.pl now sorts each macro group into lexical order. 17644 Previously the output order depended on the order the files 17645 appeared in the directory, resulting in needless rewriting 17646 of safestack.h . 17647 17648 *Steve Henson* 17649 17650 * Patches to make OpenSSL compile under Win32 again. 
Mostly 17651 work arounds for the VC++ problem that it treats func() as 17652 func(void). Also stripped out the parts of mkdef.pl that 17653 added extra typesafe functions: these no longer exist. 17654 17655 *Steve Henson* 17656 17657 * Reorganisation of the stack code. The macros are now all 17658 collected in safestack.h . Each macro is defined in terms of 17659 a "stack macro" of the form `SKM_<name>(type, a, b)`. The 17660 DEBUG_SAFESTACK is now handled in terms of function casts, 17661 this has the advantage of retaining type safety without the 17662 use of additional functions. If DEBUG_SAFESTACK is not defined 17663 then the non typesafe macros are used instead. Also modified the 17664 mkstack.pl script to handle the new form. Needs testing to see 17665 which (if any) compilers it chokes on, and maybe make DEBUG_SAFESTACK 17666 the default if there are no major problems. Similar behaviour for ASN1_SET_OF 17667 and PKCS12_STACK_OF. 17668 17669 *Steve Henson* 17670 17671 * When some versions of IIS use the 'NET' form of private key the 17672 key derivation algorithm is different. Normally MD5(password) is 17673 used as a 128 bit RC4 key. In the modified case 17674 MD5(MD5(password) + "SGCKEYSALT") is used instead. Added some 17675 new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same 17676 as the old Netscape_RSA functions except they have an additional 17677 'sgckey' parameter which uses the modified algorithm. Also added 17678 an -sgckey command line option to the rsa utility. Thanks to 17679 Adrian Peck <bertie@ncipher.com> for posting details of the modified 17680 algorithm to openssl-dev. 17681 17682 *Steve Henson* 17683 17684 * The evp_local.h macros were using 'c.##kname' which resulted in 17685 invalid expansion on some systems (SCO 5.0.5 for example). 17686 Corrected to 'c.kname'.

   *Phillip Porch <root@theporch.com>*

 * New X509_get1_email() and X509_REQ_get1_email() functions that return
   a STACK of email addresses from a certificate or request, these look
   in the subject name and the subject alternative name extensions and
   omit any duplicate addresses.

   *Steve Henson*

 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
   This makes DSA verification about 2 % faster.

   *Bodo Moeller*

 * Increase maximum window size in `BN_mod_exp_...` to 6 bits instead of 5
   (meaning that now 2^5 values will be precomputed, which is only 4 KB
   plus overhead for 1024 bit moduli).
   This makes exponentiations about 0.5 % faster for 1024 bit
   exponents (as measured by "openssl speed rsa2048").

   *Bodo Moeller*

 * Rename memory handling macros to avoid conflicts with other
   software:
           Malloc => OPENSSL_malloc
           Malloc_locked => OPENSSL_malloc_locked
           Realloc => OPENSSL_realloc
           Free => OPENSSL_free

   *Richard Levitte*

 * New function BN_mod_exp_mont_word for small bases (roughly 15%
   faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).

   *Bodo Moeller*

 * CygWin32 support.

   *John Jarvie <jjarvie@newsguy.com>*

 * The type-safe stack code has been rejigged. It is now only compiled
   in when OpenSSL is configured with the DEBUG_SAFESTACK option and
   by default all type-specific stack functions are "#define"d back to
   standard stack functions. This results in more streamlined output
   but retains the type-safety checking possibilities of the original
   approach.

   *Geoff Thorpe*

 * The STACK code has been cleaned up, and certain type declarations
   that didn't make a lot of sense have been brought in line. This has
   also involved a cleanup of sorts in safestack.h to more correctly
   map type-safe stack functions onto their plain stack counterparts.
   This work has also resulted in a variety of "const"ifications of
   lots of the code, especially `_cmp` operations which should normally
   be prototyped with "const" parameters anyway.

   *Geoff Thorpe*

 * When generating bytes for the first time in md_rand.c, 'stir the pool'
   by seeding with STATE_SIZE dummy bytes (with zero entropy count).
   (The PRNG state consists of two parts, the large pool 'state' and 'md',
   where all of 'md' is used each time the PRNG is used, but 'state'
   is used only indexed by a cyclic counter. As entropy may not be
   well distributed from the beginning, 'md' is important as a
   chaining variable. However, the output function chains only half
   of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
   all of 'md', and seeding with STATE_SIZE dummy bytes will result
   in all of 'state' being rewritten, with the new values depending
   on virtually all of 'md'. This overcomes the 80 bit limitation.)

   *Bodo Moeller*

 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
   the handshake is continued after ssl_verify_cert_chain();
   otherwise, if SSL_VERIFY_NONE is set, remaining error codes
   can lead to 'unexplainable' connection aborts later.

   *Bodo Moeller; problem tracked down by Lutz Jaenicke*

 * Major EVP API cipher revision.
   Add hooks for extra EVP features. This allows various cipher
   parameters to be set in the EVP interface. Support added for variable
   key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
   setting of RC2 and RC5 parameters.

   Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
   ciphers.

   Remove lots of duplicated code from the EVP library. For example *every*
   cipher init() function handles the 'iv' in the same way according to the
   cipher mode. They also all do nothing if the 'key' parameter is NULL and
   for CFB and OFB modes they zero ctx->num.

   New functionality allows removal of S/MIME code RC2 hack.

   Most of the routines have the same form and so can be declared in terms
   of macros.

   By shifting this to the top level EVP_CipherInit() it can be removed from
   all individual ciphers. If the cipher wants to handle IVs or keys
   differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
   flags.

   Change lots of functions like EVP_EncryptUpdate() to now return a
   value: although software versions of the algorithms cannot fail
   any installed hardware versions can.

   *Steve Henson*

 * Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
   this option is set, tolerate broken clients that send the negotiated
   protocol version number instead of the requested protocol version
   number.

   *Bodo Moeller*

 * Call dh_tmp_cb (set by `..._TMP_DH_CB`) with correct 'is_export' flag;
   i.e. non-zero for export ciphersuites, zero otherwise.
   Previous versions had this flag inverted, inconsistent with
   rsa_tmp_cb (..._TMP_RSA_CB).

   *Bodo Moeller; problem reported by Amit Chopra*

 * Add missing DSA library text string. Work around for some IIS
   key files with invalid SEQUENCE encoding.

   *Steve Henson*

 * Add a document (doc/standards.txt) that lists all kinds of standards
   and so on that are implemented in OpenSSL.

   *Richard Levitte*

 * Enhance c_rehash script. Old version would mishandle certificates
   with the same subject name hash and wouldn't handle CRLs at all.
   Added -fingerprint option to crl utility, to support new c_rehash
   features.

   *Steve Henson*

 * Eliminate non-ANSI declarations in crypto.h and stack.h.

   *Ulf Möller*

 * Fix for SSL server purpose checking. Server checking was
   rejecting certificates which had extended key usage present
   but no ssl client purpose.

   *Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>*

 * Make PKCS#12 code work with no password. The PKCS#12 spec
   is a little unclear about how a blank password is handled.
   Since the password is encoded as a BMPString with terminating
   double NULL a zero length password would end up as just the
   double NULL. However no password at all is different and is
   handled differently in the PKCS#12 key generation code. NS
   treats a blank password as zero length. MSIE treats it as no
   password on export: but it will try both on import. We now do
   the same: PKCS12_parse() tries zero length and no password if
   the password is set to "" or NULL (NULL is now a valid password:
   it wasn't before) as does the pkcs12 application.

   *Steve Henson*

 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use
   perror when PEM_read_bio_X509_REQ fails, the error message must
   be obtained from the error queue.

   *Bodo Moeller*

 * Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
   it in ERR_remove_state if appropriate, and change ERR_get_state
   accordingly to avoid race conditions (this is necessary because
   thread_hash is no longer constant once set).

   *Bodo Moeller*

 * Bugfix for linux-elf makefile.one.

   *Ulf Möller*

 * RSA_get_default_method() will now cause a default
   RSA_METHOD to be chosen if one doesn't exist already.
   Previously this was only set during a call to RSA_new()
   or RSA_new_method(NULL) meaning it was possible for
   RSA_get_default_method() to return NULL.

   *Geoff Thorpe*

 * Added native name translation to the existing DSO code
   that will convert (if the flag to do so is set) filenames
   that are sufficiently small and have no path information
   into a canonical native form. Eg. "blah" converted to
   "libblah.so" or "blah.dll" etc.

   *Geoff Thorpe*

 * New function ERR_error_string_n(e, buf, len) which is like
   ERR_error_string(e, buf), but writes at most 'len' bytes
   including the 0 terminator. For ERR_error_string_n, 'buf'
   may not be NULL.

   *Damien Miller <djm@mindrot.org>, Bodo Moeller*

 * CONF library reworked to become more general. A new CONF
   configuration file reader "class" is implemented as well as
   new functions (`NCONF_*`, for "New CONF") to handle it. The now
   old `CONF_*` functions are still there, but are reimplemented to
   work in terms of the new functions. Also, a set of functions
   to handle the internal storage of the configuration data is
   provided to make it easier to write new configuration file
   reader "classes" (I can definitely see something reading a
   configuration file in XML format, for example), called `_CONF_*`,
   or "the configuration storage API"...

   The new configuration file reading functions are:

           NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
           NCONF_get_section, NCONF_get_string, NCONF_get_number

           NCONF_default, NCONF_WIN32

           NCONF_dump_fp, NCONF_dump_bio

   NCONF_default and NCONF_WIN32 are method (or "class") choosers,
   NCONF_new creates a new CONF object. This works in the same way
   as other interfaces in OpenSSL, like the BIO interface.
   `NCONF_dump_*` dump the internal storage of the configuration file,
   which is useful for debugging. All other functions take the same
   arguments as the old `CONF_*` functions with the exception of the
   first that must be a `CONF *` instead of a `LHASH *`.

   To make it easier to use the new classes with the old `CONF_*` functions,
   the function CONF_set_default_method is provided.

   *Richard Levitte*

 * Add '-tls1' option to 'openssl ciphers', which was already
   mentioned in the documentation but had not been implemented.
   (This option is not yet really useful because even the additional
   experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)

   *Bodo Moeller*

 * Initial DSO code added into libcrypto for letting OpenSSL (and
   OpenSSL-based applications) load shared libraries and bind to
   them in a portable way.

   *Geoff Thorpe, with contributions from Richard Levitte*

### Changes between 0.9.5 and 0.9.5a [1 Apr 2000]

 * Make sure _lrotl and _lrotr are only used with MSVC.

 * Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
   (the default implementation of RAND_status).

 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
   to '-clrext' (= clear extensions), as intended and documented.
   *Bodo Moeller; inconsistency pointed out by Michael Attili
   <attili@amaxo.com>*

 * Fix for HMAC. It wasn't zeroing the rest of the block if the key length
   was larger than the MD block size.

   *Steve Henson, pointed out by Yost William <YostW@tce.com>*

 * Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
   fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
   using the passed key: if the passed key was a private key the result
   of X509_print(), for example, would be to print out all the private key
   components.

   *Steve Henson*

 * des_quad_cksum() byte order bug fix.
   *Ulf Möller, using the problem description in krb4-0.9.7, where
   the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>*

 * Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
   discouraged.

   *Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>*

 * For easily testing in shell scripts whether some command
   'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
   returns with exit code 0 iff no command of the given name is available.
   'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
   the output goes to stdout and nothing is printed to stderr.
   Additional arguments are always ignored.

   Since for each cipher there is a command of the same name,
   the 'no-cipher' compilation switches can be tested this way.

   ('openssl no-XXX' is not able to detect pseudo-commands such
   as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)

   *Bodo Moeller*

 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.

   *Bodo Moeller*

 * For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
   is set; it will be thrown away anyway because each handshake creates
   its own key.
   ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
   to parameters -- in previous versions (since OpenSSL 0.9.3) the
   'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
   you effectively got SSL_OP_SINGLE_DH_USE when using this macro.

   *Bodo Moeller*

 * New s_client option -ign_eof: EOF at stdin is ignored, and
   'Q' and 'R' lose their special meanings (quit/renegotiate).
   This is part of what -quiet does; unlike -quiet, -ign_eof
   does not suppress any output.

   *Richard Levitte*

 * Add compatibility options to the purpose and trust code. The
   purpose X509_PURPOSE_ANY is "any purpose" which automatically
   accepts a certificate or CA, this was the previous behaviour,
   with all the associated security issues.

   X509_TRUST_COMPAT is the old trust behaviour: only and
   automatically trust self signed roots in certificate store. A
   new trust setting X509_TRUST_DEFAULT is used to specify that
   a purpose has no associated trust setting and it should instead
   use the value in the default purpose.

   *Steve Henson*

 * Fix the PKCS#8 DSA private key code so it decodes keys again
   and fix a memory leak.

   *Steve Henson*

 * In util/mkerr.pl (which implements 'make errors'), preserve
   reason strings from the previous version of the .c file, as
   the default to have only downcase letters (and digits) in
   automatically generated reasons codes is not always appropriate.

   *Bodo Moeller*

 * In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
   using strerror. Previously, ERR_reason_error_string() returned
   library names as reason strings for SYSerr; but SYSerr is a special
   case where small numbers are errno values, not library numbers.

   *Bodo Moeller*

 * Add '-dsaparam' option to 'openssl dhparam' application. This
   converts DSA parameters into DH parameters. (When creating parameters,
   DSA_generate_parameters is used.)

   *Bodo Moeller*

 * Include 'length' (recommended exponent length) in C code generated
   by 'openssl dhparam -C'.

   *Bodo Moeller*

 * The second argument to set_label in perlasm was already being used
   so couldn't be used as a "file scope" flag. Moved to third argument
   which was free.

   *Steve Henson*

 * In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
   instead of RAND_bytes for encryption IVs and salts.

   *Bodo Moeller*

 * Include RAND_status() into RAND_METHOD instead of implementing
   it only for md_rand.c. Otherwise replacing the PRNG by calling
   RAND_set_rand_method would be impossible.

   *Bodo Moeller*

 * Don't let DSA_generate_key() enter an infinite loop if the random
   number generation fails.

   *Bodo Moeller*

 * New 'rand' application for creating pseudo-random output.

   *Bodo Moeller*

 * Added configuration support for Linux/IA64

   *Rolf Haberrecker <rolf@suse.de>*

 * Assembler module support for Mingw32.

   *Ulf Möller*

 * Shared library support for HPUX (in shlib/).

   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*

 * Shared library support for Solaris gcc.

   *Lutz Behnke <behnke@trustcenter.de>*

### Changes between 0.9.4 and 0.9.5 [28 Feb 2000]

 * PKCS7_encrypt() was adding text MIME headers twice because they
   were added manually and by SMIME_crlf_copy().

   *Steve Henson*

 * In bntest.c don't call BN_rand with zero bits argument.

   *Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>*

 * BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
   case was implemented. This caused BN_div_recp() to fail occasionally.

   *Ulf Möller*

 * Add an optional second argument to the set_label() in the perl
   assembly language builder. If this argument exists and is set
   to 1 it signals that the assembler should use a symbol whose
   scope is the entire file, not just the current function. This
   is needed with MASM which uses the format label:: for this scope.

   *Steve Henson, pointed out by Peter Runestig <peter@runestig.com>*

 * Change the ASN1 types so they are typedefs by default. Before
   almost all types were #define'd to ASN1_STRING which was causing
   STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
   for example.

   *Steve Henson*

 * Change names of new functions to the new get1/get0 naming
   convention: After 'get1', the caller owns a reference count
   and has to call `..._free`; 'get0' returns a pointer to some
   data structure without incrementing reference counters.
   (Some of the existing 'get' functions increment a reference
   counter, some don't.)
   Similarly, 'set1' and 'add1' functions increase reference
   counters or duplicate objects.

   *Steve Henson*

 * Allow for the possibility of temp RSA key generation failure:
   the code used to assume it always worked and crashed on failure.

   *Steve Henson*

 * Fix potential buffer overrun problem in BIO_printf().
   *Ulf Möller, using public domain code by Patrick Powell; problem
   pointed out by David Sacerdote <das33@cornell.edu>*

 * Support EGD <http://www.lothar.com/tech/crypto/>. New functions
   RAND_egd() and RAND_status(). In the command line application,
   the EGD socket can be specified like a seed file using RANDFILE
   or -rand.

   *Ulf Möller*

 * Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
   Some CAs (e.g. Verisign) distribute certificates in this form.

   *Steve Henson*

 * Remove the SSL_ALLOW_ADH compile option and set the default cipher
   list to exclude them. This means that no special compilation option
   is needed to use anonymous DH: it just needs to be included in the
   cipher list.

   *Steve Henson*

 * Change the EVP_MD_CTX_type macro so its meaning is consistent with
   EVP_MD_type. The old functionality is available in a new macro called
   EVP_MD_md(). Change code that uses it and update docs.

   *Steve Henson*

 * `..._ctrl` functions now have corresponding `..._callback_ctrl` functions
   where the `void *` argument is replaced by a function pointer argument.
   Previously `void *` was abused to point to functions, which works on
   many platforms, but is not correct. As these functions are usually
   called by macros defined in OpenSSL header files, most source code
   should work without changes.

   *Richard Levitte*

 * `<openssl/opensslconf.h>` (which is created by Configure) now contains
   sections with information on -D... compiler switches used for
   compiling the library so that applications can see them. To enable
   one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
   must be defined. E.g.,
           #define OPENSSL_ALGORITHM_DEFINES
           #include <openssl/opensslconf.h>
   defines all pertinent `NO_<algo>` symbols, such as NO_IDEA, NO_RSA, etc.

   *Richard Levitte, Ulf and Bodo Möller*

 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
   record layer.

   *Bodo Moeller*

 * Change the 'other' type in certificate aux info to a STACK_OF
   X509_ALGOR. Although not an AlgorithmIdentifier as such it has
   the required ASN1 format: arbitrary types determined by an OID.

   *Steve Henson*

 * Add some PEM_write_X509_REQ_NEW() functions and a command line
   argument to 'req'. This is not because the function is newer or
   better than others it just uses the word 'NEW' in the certificate
   request header lines. Some software needs this.

   *Steve Henson*

 * Reorganise password command line arguments: now passwords can be
   obtained from various sources. Delete the PEM_cb function and make
   it the default behaviour: i.e. if the callback is NULL and the
   usrdata argument is not NULL interpret it as a null terminated pass
   phrase. If usrdata and the callback are NULL then the pass phrase
   is prompted for as usual.

   *Steve Henson*

 * Add support for the Compaq Atalla crypto accelerator. If it is installed,
   the support is automatically enabled. The resulting binaries will
   autodetect the card and use it if present.

   *Ben Laurie and Compaq Inc.*

 * Work around for Netscape hang bug. This sends certificate request
   and server done in one record. Since this is perfectly legal in the
   SSL/TLS protocol it isn't a "bug" option and is on by default. See
   the bugs/SSLv3 entry for more info.

   *Steve Henson*

 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.

   *Andy Polyakov*

 * Add -rand argument to smime and pkcs12 applications and read/write
   of seed file.

   *Steve Henson*

 * New 'passwd' tool for crypt(3) and apr1 password hashes.

   *Bodo Moeller*

 * Add command line password options to the remaining applications.

   *Steve Henson*

 * Bug fix for BN_div_recp() for numerators with an even number of
   bits.

   *Ulf Möller*

 * More tests in bntest.c, and changed test_bn output.

   *Ulf Möller*

 * ./config recognizes MacOS X now.

   *Andy Polyakov*

 * Bug fix for BN_div() when the first words of num and divisor are
   equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.

   *Ulf Möller*

 * Add support for various broken PKCS#8 formats, and command line
   options to produce them.

   *Steve Henson*

 * New functions BN_CTX_start(), BN_CTX_get() and BN_CTX_end() to
   get temporary BIGNUMs from a BN_CTX.

   *Ulf Möller*

 * Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
   for p == 0.

   *Ulf Möller*

 * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
   include a #define from the old name to the new. The original intent
   was that statically linked binaries could for example just call
   SSLeay_add_all_ciphers() to just add ciphers to the table and not
   link with digests. This never worked because SSLeay_add_all_digests()
   and SSLeay_add_all_ciphers() were in the same source file so calling
   one would link with the other. They are now in separate source files.

   *Steve Henson*

 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.

   *Steve Henson*

 * Use a less unusual form of the Miller-Rabin primality test (it used
   a binary algorithm for exponentiation integrated into the Miller-Rabin
   loop, our standard modexp algorithms are faster).

   *Bodo Moeller*

 * Support for the EBCDIC character set completed.

   *Martin Kraemer <Martin.Kraemer@Mch.SNI.De>*

 * Source code cleanups: use const where appropriate, eliminate casts,
   use `void *` instead of `char *` in lhash.

   *Ulf Möller*

 * Bugfix: ssl3_send_server_key_exchange was not restartable
   (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
   this the server could overwrite ephemeral keys that the client
   has already seen).

   *Bodo Moeller*

 * Turn DSA_is_prime into a macro that calls BN_is_prime,
   using 50 iterations of the Rabin-Miller test.

   DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
   iterations of the Rabin-Miller test as required by the appendix
   to FIPS PUB 186[-1]) instead of DSA_is_prime.
   As BN_is_prime_fasttest includes trial division, DSA parameter
   generation becomes much faster.

   This implies a change for the callback functions in DSA_is_prime
   and DSA_generate_parameters: The callback function is called once
   for each positive witness in the Rabin-Miller test, not just
   occasionally in the inner loop; and the parameters to the
   callback function now provide an iteration count for the outer
   loop rather than for the current invocation of the inner loop.
   DSA_generate_parameters additionally can call the callback
   function with an 'iteration count' of -1, meaning that a
   candidate has passed the trial division test (when q is generated
   from an application-provided seed, trial division is skipped).

   *Bodo Moeller*

 * New function BN_is_prime_fasttest that optionally does trial
   division before starting the Rabin-Miller test and has
   an additional BN_CTX * argument (whereas BN_is_prime always
   has to allocate at least one BN_CTX).
   'callback(1, -1, cb_arg)' is called when a number has passed the
   trial division stage.

   *Bodo Moeller*

 * Fix for bug in CRL encoding. The validity dates weren't being handled
   as ASN1_TIME.

   *Steve Henson*

 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.

   *Steve Henson*

 * New function BN_pseudo_rand().

   *Ulf Möller*

 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
   bignum version of BN_from_montgomery() with the working code from
   SSLeay 0.9.0 (the word based version is faster anyway), and clean up
   the comments.

   *Ulf Möller*

 * Avoid a race condition in s2_clnt.c (function get_server_hello) that
   made it impossible to use the same SSL_SESSION data structure in
   SSL2 clients in multiple threads.

   *Bodo Moeller*

 * The return value of RAND_load_file() no longer counts bytes obtained
   by stat(). RAND_load_file(..., -1) is new and uses the complete file
   to seed the PRNG (previously an explicit byte count was required).

   *Ulf Möller, Bodo Möller*

 * Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
   used `char *` instead of `void *` and had casts all over the place.

   *Steve Henson*

 * Make BN_generate_prime() return NULL on error if ret!=NULL.

   *Ulf Möller*

 * Retain source code compatibility for BN_prime_checks macro:
   BN_is_prime(..., BN_prime_checks, ...) now uses
   BN_prime_checks_for_size to determine the appropriate number of
   Rabin-Miller iterations.

   *Ulf Möller*

 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
   DH_CHECK_P_NOT_SAFE_PRIME.
   (Check if this is true? OpenPGP calls them "strong".)

   *Ulf Möller*

 * Merge the functionality of "dh" and "gendh" programs into a new program
   "dhparam". The old programs are retained for now but will handle DH keys
   (instead of parameters) in future.

   *Steve Henson*

 * Make the ciphers, s_server and s_client programs check the return values
   when a new cipher list is set.

   *Steve Henson*

 * Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
   ciphers. Before when the 56bit ciphers were enabled the sorting was
   wrong.

   The syntax for the cipher sorting has been extended to support sorting by
   cipher-strength (using the strength_bits hard coded in the tables).
   The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`).

   Fix a bug in the cipher-command parser: when supplying a cipher command
   string with an "undefined" symbol (neither command nor alphanumeric
   *A-Za-z0-9*), ssl_set_cipher_list used to hang in an endless loop. Now
   an error is flagged.

   Due to the strength-sorting extension, the code of the
   ssl_create_cipher_list() function was completely rearranged. I hope that
   the readability was also increased :-)

   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*

 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
   for the first serial number and places 2 in the serial number file. This
   avoids problems when the root CA is created with serial number zero and
   the first user certificate has the same issuer name and serial number
   as the root CA.

   *Steve Henson*

 * Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
   the new code. Add documentation for this stuff.

   *Steve Henson*

 * Changes to X509_ATTRIBUTE utilities. These have been renamed from
   `X509_*()` to `X509at_*()` on the grounds that they don't handle X509
   structures and behave in an analogous way to the X509v3 functions:
   they shouldn't be called directly but wrapper functions should be used
   instead.

   So we also now have some wrapper functions that call the X509at functions
   when passed certificate requests. (TO DO: similar things can be done with
   PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
   things. Some of these need some d2i or i2d and print functionality
   because they handle more complex structures.)

   *Steve Henson*

 * Add missing #ifndefs that caused missing symbols when building libssl
   as a shared library without RSA. Use #ifndef NO_SSL2 instead of
   NO_RSA in `ssl/s2*.c`.

   *Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller*

 * Precautions against using the PRNG uninitialized: RAND_bytes() now
   has a return value which indicates the quality of the random data
   (1 = ok, 0 = not seeded). Also an error is recorded on the thread's
   error queue. New function RAND_pseudo_bytes() generates output that is
   guaranteed to be unique but not unpredictable. RAND_add is like
   RAND_seed, but takes an extra argument for an entropy estimate
   (RAND_seed always assumes full entropy).

   *Ulf Möller*

 * Do more iterations of Rabin-Miller probable prime test (specifically,
   3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
   instead of only 2 for all lengths; see BN_prime_checks_for_size definition
   in crypto/bn/bn_prime.c for the complete table). This guarantees a
   false-positive rate of at most 2^-80 for random input.

   *Bodo Moeller*

 * Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.

   *Bodo Moeller*

 * New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
   in the 0.9.5 release), this returns the chain
   from an X509_CTX structure with a dup of the stack and all
   the X509 reference counts upped: so the stack will exist
   after X509_CTX_cleanup() has been called. Modify pkcs12.c
   to use this.

   Also make SSL_SESSION_print() print out the verify return
   code.

   *Steve Henson*

 * Add manpage for the pkcs12 command. Also change the default
   behaviour so MAC iteration counts are used unless the new
   -nomaciter option is used. This improves file security and
   only older versions of MSIE (4.0 for example) need it.

   *Steve Henson*

 * Honor the no-xxx Configure options when creating .DEF files.

   *Ulf Möller*

 * Add PKCS#10 attributes to field table: challengePassword,
   unstructuredName and unstructuredAddress. These are taken from
   draft PKCS#9 v2.0 but are compatible with v1.2 provided no
   international characters are used.

   More changes to X509_ATTRIBUTE code: allow the setting of types
   based on strings. Remove the 'loc' parameter when adding
   attributes because these will be a SET OF encoding which is sorted
   in ASN1 order.

   *Steve Henson*

 * Initial changes to the 'req' utility to allow request generation
   automation. This will allow an application to just generate a template
   file containing all the field values and have req construct the
   request.

   Initial support for X509_ATTRIBUTE handling. Stacks of these are
   used all over the place including certificate requests and PKCS#7
   structures. They are currently handled manually where necessary with
   some primitive wrappers for PKCS#7. The new functions behave in a
   manner analogous to the X509 extension functions: they allow
   attributes to be looked up by NID and added.

   Later something similar to the X509V3 code would be desirable to
   automatically handle the encoding, decoding and printing of the
   more complex types. The string types like challengePassword can
   be handled by the string table functions.

   Also modified the multi byte string table handling. Now there is
   a 'global mask' which masks out certain types. The table itself
   can use the flag STABLE_NO_MASK to ignore the mask setting: this
   is useful when for example there is only one permissible type
   (as in countryName) and using the mask might result in no valid
   types at all.

   *Steve Henson*

 * Clean up 'Finished' handling, and add functions SSL_get_finished and
   SSL_get_peer_finished to allow applications to obtain the latest
   Finished messages sent to the peer or expected from the peer,
   respectively. (SSL_get_peer_finished is usually the Finished message
   actually received from the peer, otherwise the protocol will be aborted.)

   As the Finished messages are message digests of the complete handshake
   (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
   be used for external authentication procedures when the authentication
   provided by SSL/TLS is not desired or is not enough.

   *Bodo Moeller*

 * Enhanced support for Alpha Linux is added. Now ./config checks if
   the host supports BWX extension and if Compaq C is present on the
   $PATH. Just exploiting of the BWX extension results in 20-30%
   performance kick for some algorithms, e.g. DES and RC4 to mention
   a couple. Compaq C in turn generates ~20% faster code for MD5 and
   SHA1.

   *Andy Polyakov*

 * Add support for MS "fast SGC". This is arguably a violation of the
   SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
   weak crypto and after checking the certificate is SGC a second one
   with strong crypto. MS SGC stops the first handshake after receiving
   the server certificate message and sends a second client hello. Since
   a server will typically do all the time consuming operations before
   expecting any further messages from the client (server key exchange
   is the most expensive) there is little difference between the two.

   To get OpenSSL to support MS SGC we have to permit a second client
   hello message after we have sent server done. In addition we have to
   reset the MAC if we do get this second client hello.

   *Steve Henson*

 * Add a function 'd2i_AutoPrivateKey()' this will automatically decide
   if a DER encoded private key is RSA or DSA traditional format. Changed
   d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
   format DER encoded private key. Newer code should use PKCS#8 format which
   has the key type encoded in the ASN1 structure. Added DER private key
   support to pkcs8 application.

   *Steve Henson*

 * SSL 3/TLS 1 servers now don't request certificates when an anonymous
   ciphersuite has been selected (as required by the SSL 3/TLS 1
   specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
   is set, we interpret this as a request to violate the specification
   (the worst that can happen is a handshake failure, and 'correct'
   behaviour would result in a handshake failure anyway).

   *Bodo Moeller*

 * In SSL_CTX_add_session, take into account that there might be multiple
   SSL_SESSION structures with the same session ID (e.g. when two threads
   concurrently obtain them from an external cache).
   The internal cache can handle only one SSL_SESSION with a given ID,
   so if there's a conflict, we now throw out the old one to achieve
   consistency.

   *Bodo Moeller*

 * Add OIDs for idea and blowfish in CBC mode. This will allow both
   to be used in PKCS#5 v2.0 and S/MIME. Also add checking to
   some routines that use cipher OIDs: some ciphers do not have OIDs
   defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
   example.

   *Steve Henson*

 * Simplify the trust setting structure and code. Now we just have
   two sequences of OIDs for trusted and rejected settings. These will
   typically have values the same as the extended key usage extension
   and any application specific purposes.

   The trust checking code now has a default behaviour: it will just
   check for an object with the same NID as the passed id. Functions can
   be provided to override either the default behaviour or the behaviour
   for a given id. SSL client, server and email already have functions
   in place for compatibility: they check the NID and also return "trusted"
   if the certificate is self signed.

   *Steve Henson*

 * Add d2i,i2d bio/fp functions for PrivateKey: these convert the
   traditional format into an EVP_PKEY structure.

   *Steve Henson*

 * Add a password callback function PEM_cb() which either prompts for
   a password if usr_data is NULL or otherwise assumes it is a null
   terminated password. Allow passwords to be passed on command line
   environment or config files in a few more utilities.

   *Steve Henson*

 * Add a bunch of DER and PEM functions to handle PKCS#8 format private
   keys. Add some short names for PKCS#8 PBE algorithms and allow them
   to be specified on the command line for the pkcs8 and pkcs12 utilities.
   Update documentation.

   *Steve Henson*

 * Support for ASN1 "NULL" type. This could be handled before by using
   ASN1_TYPE but there wasn't any function that would try to read a NULL
   and produce an error if it couldn't.
For compatibility we also have 18655 ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and 18656 don't allocate anything because they don't need to. 18657 18658 *Steve Henson* 18659 18660 * Initial support for MacOS is now provided. Examine INSTALL.MacOS 18661 for details. 18662 18663 *Andy Polyakov, Roy Woods <roy@centicsystems.ca>* 18664 18665 * Rebuild of the memory allocation routines used by OpenSSL code and 18666 possibly others as well. The purpose is to make an interface that 18667 provide hooks so anyone can build a separate set of allocation and 18668 deallocation routines to be used by OpenSSL, for example memory 18669 pool implementations, or something else, which was previously hard 18670 since Malloc(), Realloc() and Free() were defined as macros having 18671 the values malloc, realloc and free, respectively (except for Win32 18672 compilations). The same is provided for memory debugging code. 18673 OpenSSL already comes with functionality to find memory leaks, but 18674 this gives people a chance to debug other memory problems. 18675 18676 With these changes, a new set of functions and macros have appeared: 18677 18678 CRYPTO_set_mem_debug_functions() [F] 18679 CRYPTO_get_mem_debug_functions() [F] 18680 CRYPTO_dbg_set_options() [F] 18681 CRYPTO_dbg_get_options() [F] 18682 CRYPTO_malloc_debug_init() [M] 18683 18684 The memory debug functions are NULL by default, unless the library 18685 is compiled with CRYPTO_MDEBUG or friends is defined. If someone 18686 wants to debug memory anyway, CRYPTO_malloc_debug_init() (which 18687 gives the standard debugging functions that come with OpenSSL) or 18688 CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions 18689 provided by the library user) must be used. 
When the standard 18690 debugging functions are used, CRYPTO_dbg_set_options can be used to 18691 request additional information: 18692 CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting 18693 the CRYPTO_MDEBUG_xxx macro when compiling the library. 18694 18695 Also, things like CRYPTO_set_mem_functions will always give the 18696 expected result (the new set of functions is used for allocation 18697 and deallocation) at all times, regardless of platform and compiler 18698 options. 18699 18700 To finish it up, some functions that were never use in any other 18701 way than through macros have a new API and new semantic: 18702 18703 CRYPTO_dbg_malloc() 18704 CRYPTO_dbg_realloc() 18705 CRYPTO_dbg_free() 18706 18707 All macros of value have retained their old syntax. 18708 18709 *Richard Levitte and Bodo Moeller* 18710 18711 * Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the 18712 ordering of SMIMECapabilities wasn't in "strength order" and there 18713 was a missing NULL in the AlgorithmIdentifier for the SHA1 signature 18714 algorithm. 18715 18716 *Steve Henson* 18717 18718 * Some ASN1 types with illegal zero length encoding (INTEGER, 18719 ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. 18720 18721 *Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson* 18722 18723 * Merge in my S/MIME library for OpenSSL. This provides a simple 18724 S/MIME API on top of the PKCS#7 code, a MIME parser (with enough 18725 functionality to handle multipart/signed properly) and a utility 18726 called 'smime' to call all this stuff. This is based on code I 18727 originally wrote for Celo who have kindly allowed it to be 18728 included in OpenSSL. 18729 18730 *Steve Henson* 18731 18732 * Add variants des_set_key_checked and des_set_key_unchecked of 18733 des_set_key (aka des_key_sched). 
Global variable des_check_key 18734 decides which of these is called by des_set_key; this way 18735 des_check_key behaves as it always did, but applications and 18736 the library itself, which was buggy for des_check_key == 1, 18737 have a cleaner way to pick the version they need. 18738 18739 *Bodo Moeller* 18740 18741 * New function PKCS12_newpass() which changes the password of a 18742 PKCS12 structure. 18743 18744 *Steve Henson* 18745 18746 * Modify X509_TRUST and X509_PURPOSE so it also uses a static and 18747 dynamic mix. In both cases the ids can be used as an index into the 18748 table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() 18749 functions so they accept a list of the field values and the 18750 application doesn't need to directly manipulate the X509_TRUST 18751 structure. 18752 18753 *Steve Henson* 18754 18755 * Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't 18756 need initialising. 18757 18758 *Steve Henson* 18759 18760 * Modify the way the V3 extension code looks up extensions. This now 18761 works in a similar way to the object code: we have some "standard" 18762 extensions in a static table which is searched with OBJ_bsearch() 18763 and the application can add dynamic ones if needed. The file 18764 crypto/x509v3/ext_dat.h now has the info: this file needs to be 18765 updated whenever a new extension is added to the core code and kept 18766 in ext_nid order. There is a simple program 'tabtest.c' which checks 18767 this. New extensions are not added too often so this file can readily 18768 be maintained manually. 18769 18770 There are two big advantages in doing things this way. The extensions 18771 can be looked up immediately and no longer need to be "added" using 18772 X509V3_add_standard_extensions(): this function now does nothing. 18773 Side note: I get *lots* of email saying the extension code doesn't 18774 work because people forget to call this function. 
18775 Also no dynamic allocation is done unless new extensions are added: 18776 so if we don't add custom extensions there is no need to call 18777 X509V3_EXT_cleanup(). 18778 18779 *Steve Henson* 18780 18781 * Modify enc utility's salting as follows: make salting the default. Add a 18782 magic header, so unsalted files fail gracefully instead of just decrypting 18783 to garbage. This is because not salting is a big security hole, so people 18784 should be discouraged from doing it. 18785 18786 *Ben Laurie* 18787 18788 * Fixes and enhancements to the 'x509' utility. It allowed a message 18789 digest to be passed on the command line but it only used this 18790 parameter when signing a certificate. Modified so all relevant 18791 operations are affected by the digest parameter including the 18792 -fingerprint and -x509toreq options. Also -x509toreq choked if a 18793 DSA key was used because it didn't fix the digest. 18794 18795 *Steve Henson* 18796 18797 * Initial certificate chain verify code. Currently tests the untrusted 18798 certificates for consistency with the verify purpose (which is set 18799 when the X509_STORE_CTX structure is set up) and checks the pathlength. 18800 18801 There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour: 18802 this is because it will reject chains with invalid extensions whereas 18803 every previous version of OpenSSL and SSLeay made no checks at all. 18804 18805 Trust code: checks the root CA for the relevant trust settings. Trust 18806 settings have an initial value consistent with the verify purpose: e.g. 18807 if the verify purpose is for SSL client use it expects the CA to be 18808 trusted for SSL client use. However the default value can be changed to 18809 permit custom trust settings: one example of this would be to only trust 18810 certificates from a specific "secure" set of CAs. 
18811 18812 Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions 18813 which should be used for version portability: especially since the 18814 verify structure is likely to change more often now. 18815 18816 SSL integration. Add purpose and trust to SSL_CTX and SSL and functions 18817 to set them. If not set then assume SSL clients will verify SSL servers 18818 and vice versa. 18819 18820 Two new options to the verify program: -untrusted allows a set of 18821 untrusted certificates to be passed in and -purpose which sets the 18822 intended purpose of the certificate. If a purpose is set then the 18823 new chain verify code is used to check extension consistency. 18824 18825 *Steve Henson* 18826 18827 * Support for the authority information access extension. 18828 18829 *Steve Henson* 18830 18831 * Modify RSA and DSA PEM read routines to transparently handle 18832 PKCS#8 format private keys. New *_PUBKEY_* functions that handle 18833 public keys in a format compatible with certificate 18834 SubjectPublicKeyInfo structures. Unfortunately there were already 18835 functions called *_PublicKey_* which used various odd formats so 18836 these are retained for compatibility: however the DSA variants were 18837 never in a public release so they have been deleted. Changed dsa/rsa 18838 utilities to handle the new format: note no releases ever handled public 18839 keys so we should be OK. 18840 18841 The primary motivation for this change is to avoid the same fiasco 18842 that dogs private keys: there are several incompatible private key 18843 formats some of which are standard and some OpenSSL specific and 18844 require various evil hacks to allow partial transparent handling and 18845 even then it doesn't work with DER formats. Given the option anything 18846 other than PKCS#8 should be dumped: but the other formats have to 18847 stay in the name of compatibility. 
18848 18849 With public keys and the benefit of hindsight one standard format 18850 is used which works with EVP_PKEY, RSA or DSA structures: though 18851 it clearly returns an error if you try to read the wrong kind of key. 18852 18853 Added a -pubkey option to the 'x509' utility to output the public key. 18854 Also rename the `EVP_PKEY_get_*()` to `EVP_PKEY_rget_*()` 18855 (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add 18856 `EVP_PKEY_rset_*()` functions (renamed to `EVP_PKEY_set1_*()`) 18857 that do the same as the `EVP_PKEY_assign_*()` except they up the 18858 reference count of the added key (they don't "swallow" the 18859 supplied key). 18860 18861 *Steve Henson* 18862 18863 * Fixes to crypto/x509/by_file.c the code to read in certificates and 18864 CRLs would fail if the file contained no certificates or no CRLs: 18865 added a new function to read in both types and return the number 18866 read: this means that if none are read it will be an error. The 18867 DER versions of the certificate and CRL reader would always fail 18868 because it isn't possible to mix certificates and CRLs in DER format 18869 without choking one or the other routine. Changed this to just read 18870 a certificate: this is the best we can do. Also modified the code 18871 in `apps/verify.c` to take notice of return codes: it was previously 18872 attempting to read in certificates from NULL pointers and ignoring 18873 any errors: this is one reason why the cert and CRL reader seemed 18874 to work. It doesn't check return codes from the default certificate 18875 routines: these may well fail if the certificates aren't installed. 18876 18877 *Steve Henson* 18878 18879 * Code to support otherName option in GeneralName. 18880 18881 *Steve Henson* 18882 18883 * First update to verify code. Change the verify utility 18884 so it warns if it is passed a self signed certificate: 18885 for consistency with the normal behaviour. 
X509_verify 18886 has been modified to it will now verify a self signed 18887 certificate if *exactly* the same certificate appears 18888 in the store: it was previously impossible to trust a 18889 single self signed certificate. This means that: 18890 openssl verify ss.pem 18891 now gives a warning about a self signed certificate but 18892 openssl verify -CAfile ss.pem ss.pem 18893 is OK. 18894 18895 *Steve Henson* 18896 18897 * For servers, store verify_result in SSL_SESSION data structure 18898 (and add it to external session representation). 18899 This is needed when client certificate verifications fails, 18900 but an application-provided verification callback (set by 18901 SSL_CTX_set_cert_verify_callback) allows accepting the session 18902 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK 18903 but returns 1): When the session is reused, we have to set 18904 ssl->verify_result to the appropriate error code to avoid 18905 security holes. 18906 18907 *Bodo Moeller, problem pointed out by Lutz Jaenicke* 18908 18909 * Fix a bug in the new PKCS#7 code: it didn't consider the 18910 case in PKCS7_dataInit() where the signed PKCS7 structure 18911 didn't contain any existing data because it was being created. 18912 18913 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson* 18914 18915 * Add a salt to the key derivation routines in enc.c. This 18916 forms the first 8 bytes of the encrypted file. Also add a 18917 -S option to allow a salt to be input on the command line. 18918 18919 *Steve Henson* 18920 18921 * New function X509_cmp(). Oddly enough there wasn't a function 18922 to compare two certificates. We do this by working out the SHA1 18923 hash and comparing that. X509_cmp() will be needed by the trust 18924 code. 18925 18926 *Steve Henson* 18927 18928 * SSL_get1_session() is like SSL_get_session(), but increments 18929 the reference count in the SSL_SESSION returned. 
18930 18931 *Geoff Thorpe <geoff@eu.c2.net>* 18932 18933 * Fix for 'req': it was adding a null to request attributes. 18934 Also change the X509_LOOKUP and X509_INFO code to handle 18935 certificate auxiliary information. 18936 18937 *Steve Henson* 18938 18939 * Add support for 40 and 64 bit RC2 and RC4 algorithms: document 18940 the 'enc' command. 18941 18942 *Steve Henson* 18943 18944 * Add the possibility to add extra information to the memory leak 18945 detecting output, to form tracebacks, showing from where each 18946 allocation was originated: CRYPTO_push_info("constant string") adds 18947 the string plus current file name and line number to a per-thread 18948 stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info() 18949 is like calling CYRPTO_pop_info() until the stack is empty. 18950 Also updated memory leak detection code to be multi-thread-safe. 18951 18952 *Richard Levitte* 18953 18954 * Add options -text and -noout to pkcs7 utility and delete the 18955 encryption options which never did anything. Update docs. 18956 18957 *Steve Henson* 18958 18959 * Add options to some of the utilities to allow the pass phrase 18960 to be included on either the command line (not recommended on 18961 OSes like Unix) or read from the environment. Update the 18962 manpages and fix a few bugs. 18963 18964 *Steve Henson* 18965 18966 * Add a few manpages for some of the openssl commands. 18967 18968 *Steve Henson* 18969 18970 * Fix the -revoke option in ca. It was freeing up memory twice, 18971 leaking and not finding already revoked certificates. 18972 18973 *Steve Henson* 18974 18975 * Extensive changes to support certificate auxiliary information. 18976 This involves the use of X509_CERT_AUX structure and X509_AUX 18977 functions. An X509_AUX function such as PEM_read_X509_AUX() 18978 can still read in a certificate file in the usual way but it 18979 will also read in any additional "auxiliary information". 
By 18980 doing things this way a fair degree of compatibility can be 18981 retained: existing certificates can have this information added 18982 using the new 'x509' options. 18983 18984 Current auxiliary information includes an "alias" and some trust 18985 settings. The trust settings will ultimately be used in enhanced 18986 certificate chain verification routines: currently a certificate 18987 can only be trusted if it is self signed and then it is trusted 18988 for all purposes. 18989 18990 *Steve Henson* 18991 18992 * Fix assembler for Alpha (tested only on DEC OSF not Linux or `*BSD`). 18993 The problem was that one of the replacement routines had not been working 18994 since SSLeay releases. For now the offending routine has been replaced 18995 with non-optimised assembler. Even so, this now gives around 95% 18996 performance improvement for 1024 bit RSA signs. 18997 18998 *Mark Cox* 18999 19000 * Hack to fix PKCS#7 decryption when used with some unorthodox RC2 19001 handling. Most clients have the effective key size in bits equal to 19002 the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. 19003 A few however don't do this and instead use the size of the decrypted key 19004 to determine the RC2 key length and the AlgorithmIdentifier to determine 19005 the effective key length. In this case the effective key length can still 19006 be 40 bits but the key length can be 168 bits for example. This is fixed 19007 by manually forcing an RC2 key into the EVP_PKEY structure because the 19008 EVP code can't currently handle unusual RC2 key sizes: it always assumes 19009 the key length and effective key length are equal. 19010 19011 *Steve Henson* 19012 19013 * Add a bunch of functions that should simplify the creation of 19014 X509_NAME structures. 
Now you should be able to do: 19015 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); 19016 and have it automatically work out the correct field type and fill in 19017 the structures. The more adventurous can try: 19018 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0); 19019 and it will (hopefully) work out the correct multibyte encoding. 19020 19021 *Steve Henson* 19022 19023 * Change the 'req' utility to use the new field handling and multibyte 19024 copy routines. Before the DN field creation was handled in an ad hoc 19025 way in req, ca, and x509 which was rather broken and didn't support 19026 BMPStrings or UTF8Strings. Since some software doesn't implement 19027 BMPStrings or UTF8Strings yet, they can be enabled using the config file 19028 using the dirstring_type option. See the new comment in the default 19029 openssl.cnf for more info. 19030 19031 *Steve Henson* 19032 19033 * Make crypto/rand/md_rand.c more robust: 19034 - Assure unique random numbers after fork(). 19035 - Make sure that concurrent threads access the global counter and 19036 md serializably so that we never lose entropy in them 19037 or use exactly the same state in multiple threads. 19038 Access to the large state is not always serializable because 19039 the additional locking could be a performance killer, and 19040 md should be large enough anyway. 19041 19042 *Bodo Moeller* 19043 19044 * New file `apps/app_rand.c` with commonly needed functionality 19045 for handling the random seed file. 19046 19047 Use the random seed file in some applications that previously did not: 19048 ca, 19049 dsaparam -genkey (which also ignored its '-rand' option), 19050 s_client, 19051 s_server, 19052 x509 (when signing). 19053 Except on systems with /dev/urandom, it is crucial to have a random 19054 seed file at least for key creation, DSA signing, and for DH exchanges; 19055 for RSA signatures we could do without one. 
19056 19057 gendh and gendsa (unlike genrsa) used to read only the first byte 19058 of each file listed in the '-rand' option. The function as previously 19059 found in genrsa is now in app_rand.c and is used by all programs 19060 that support '-rand'. 19061 19062 *Bodo Moeller* 19063 19064 * In RAND_write_file, use mode 0600 for creating files; 19065 don't just chmod when it may be too late. 19066 19067 *Bodo Moeller* 19068 19069 * Report an error from X509_STORE_load_locations 19070 when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed. 19071 19072 *Bill Perry* 19073 19074 * New function ASN1_mbstring_copy() this copies a string in either 19075 ASCII, Unicode, Universal (4 bytes per character) or UTF8 format 19076 into an ASN1_STRING type. A mask of permissible types is passed 19077 and it chooses the "minimal" type to use or an error if not type 19078 is suitable. 19079 19080 *Steve Henson* 19081 19082 * Add function equivalents to the various macros in asn1.h. The old 19083 macros are retained with an `M_` prefix. Code inside the library can 19084 use the `M_` macros. External code (including the openssl utility) 19085 should *NOT* in order to be "shared library friendly". 19086 19087 *Steve Henson* 19088 19089 * Add various functions that can check a certificate's extensions 19090 to see if it usable for various purposes such as SSL client, 19091 server or S/MIME and CAs of these types. This is currently 19092 VERY EXPERIMENTAL but will ultimately be used for certificate chain 19093 verification. Also added a -purpose flag to x509 utility to 19094 print out all the purposes. 19095 19096 *Steve Henson* 19097 19098 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated 19099 functions. 19100 19101 *Steve Henson* 19102 19103 * New `X509V3_{X509,CRL,REVOKED}_get_d2i()` functions. These will search 19104 for, obtain and decode and extension and obtain its critical flag. 
19105 This allows all the necessary extension code to be handled in a 19106 single function call. 19107 19108 *Steve Henson* 19109 19110 * RC4 tune-up featuring 30-40% performance improvement on most RISC 19111 platforms. See crypto/rc4/rc4_enc.c for further details. 19112 19113 *Andy Polyakov* 19114 19115 * New -noout option to asn1parse. This causes no output to be produced 19116 its main use is when combined with -strparse and -out to extract data 19117 from a file (which may not be in ASN.1 format). 19118 19119 *Steve Henson* 19120 19121 * Fix for pkcs12 program. It was hashing an invalid certificate pointer 19122 when producing the local key id. 19123 19124 *Richard Levitte <levitte@stacken.kth.se>* 19125 19126 * New option -dhparam in s_server. This allows a DH parameter file to be 19127 stated explicitly. If it is not stated then it tries the first server 19128 certificate file. The previous behaviour hard coded the filename 19129 "server.pem". 19130 19131 *Steve Henson* 19132 19133 * Add -pubin and -pubout options to the rsa and dsa commands. These allow 19134 a public key to be input or output. For example: 19135 openssl rsa -in key.pem -pubout -out pubkey.pem 19136 Also added necessary DSA public key functions to handle this. 19137 19138 *Steve Henson* 19139 19140 * Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained 19141 in the message. This was handled by allowing 19142 X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. 19143 19144 *Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>* 19145 19146 * Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null 19147 to the end of the strings whereas this didn't. This would cause problems 19148 if strings read with d2i_ASN1_bytes() were later modified. 19149 19150 *Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>* 19151 19152 * Fix for base64 decode bug. 
When a base64 bio reads only one line of 19153 data and it contains EOF it will end up returning an error. This is 19154 caused by input 46 bytes long. The cause is due to the way base64 19155 BIOs find the start of base64 encoded data. They do this by trying a 19156 trial decode on each line until they find one that works. When they 19157 do a flag is set and it starts again knowing it can pass all the 19158 data directly through the decoder. Unfortunately it doesn't reset 19159 the context it uses. This means that if EOF is reached an attempt 19160 is made to pass two EOFs through the context and this causes the 19161 resulting error. This can also cause other problems as well. As is 19162 usual with these problems it takes *ages* to find and the fix is 19163 trivial: move one line. 19164 19165 *Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer)* 19166 19167 * Ugly workaround to get s_client and s_server working under Windows. The 19168 old code wouldn't work because it needed to select() on sockets and the 19169 tty (for keypresses and to see if data could be written). Win32 only 19170 supports select() on sockets so we select() with a 1s timeout on the 19171 sockets and then see if any characters are waiting to be read, if none 19172 are present then we retry, we also assume we can always write data to 19173 the tty. This isn't nice because the code then blocks until we've 19174 received a complete line of data and it is effectively polling the 19175 keyboard at 1s intervals: however it's quite a bit better than not 19176 working at all :-) A dedicated Windows application might handle this 19177 with an event loop for example. 19178 19179 *Steve Henson* 19180 19181 * Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign 19182 and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions 19183 will be called when RSA_sign() and RSA_verify() are used. 
   This is useful
   if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
   For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
   should *not* be used: RSA_sign() and RSA_verify() must be used instead.
   This necessitated the support of an extra signature type NID_md5_sha1
   for SSL signatures and modifications to the SSL library to use it instead
   of calling RSA_public_decrypt() and RSA_private_encrypt().

   *Steve Henson*

 * Add new -verify -CAfile and -CApath options to the crl program, these
   will lookup a CRL issuer's certificate and verify the signature in a
   similar way to the verify program. Tidy up the crl program so it
   no longer accesses structures directly. Make the ASN1 CRL parsing a bit
   less strict. It will now permit CRL extensions even if it is not
   a V2 CRL: this will allow it to tolerate some broken CRLs.

   *Steve Henson*

 * Initialize all non-automatic variables each time one of the openssl
   sub-programs is started (this is necessary as they may be started
   multiple times from the "OpenSSL>" prompt).

   *Lennart Bang, Bodo Moeller*

 * Preliminary compilation option RSA_NULL which disables RSA crypto without
   removing all other RSA functionality (this is what NO_RSA does). This
   is so (for example) those in the US can disable those operations covered
   by the RSA patent while allowing storage and parsing of RSA keys and RSA
   key generation.

   *Steve Henson*

 * Non-copying interface to BIO pairs.
   (still largely untested)

   *Bodo Moeller*

 * New function ASN1_tag2str() to convert an ASN1 tag to a descriptive
   ASCII string. This was handled independently in various places before.

   *Steve Henson*

 * New functions UTF8_getc() and UTF8_putc() that parse and generate
   UTF8 strings a character at a time.

   *Steve Henson*

 * Use client_version from client hello to select the protocol
   (s23_srvr.c) and for RSA client key exchange verification
   (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.

   *Bodo Moeller*

 * Add various utility functions to handle SPKACs, these were previously
   handled by poking round in the structure internals. Added new function
   NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
   print, verify and generate SPKACs. Based on an original idea from
   Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.

   *Steve Henson*

 * RIPEMD160 is operational on all platforms and is back in 'make test'.

   *Andy Polyakov*

 * Allow the config file extension section to be overwritten on the
   command line. Based on an original idea from Massimiliano Pala
   <madwolf@comune.modena.it>. The new option is called -extensions
   and can be applied to ca, req and x509. Also -reqexts to override
   the request extensions in req and -crlexts to override the crl extensions
   in ca.

   *Steve Henson*

 * Add new feature to the SPKAC handling in ca. Now you can include
   the same field multiple times by preceding it by "XXXX." for example:
   1.OU="Unit name 1"
   2.OU="Unit name 2"
   this is the same syntax as used in the req config file.

   *Steve Henson*

 * Allow certificate extensions to be added to certificate requests. These
   are specified in a 'req_extensions' option of the req section of the
   config file. They can be printed out with the -text option to req but
   are otherwise ignored at present.

   *Steve Henson*

 * Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
   data read consists of only the final block it would not be decrypted
   because EVP_CipherUpdate() would correctly report zero bytes had been
   decrypted. A misplaced 'break' also meant the decrypted final block might
   not be copied until the next read.

   *Steve Henson*

 * Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
   a few extra parameters to the DH structure: these will be useful if
   for example we want the value of 'q' or implement X9.42 DH.

   *Steve Henson*

 * Initial support for DSA_METHOD. This is based on the RSA_METHOD and
   provides hooks that allow the default DSA functions or functions on a
   "per key" basis to be replaced. This allows hardware acceleration and
   hardware key storage to be handled without major modification to the
   library. Also added low-level modexp hooks and CRYPTO_EX structure and
   associated functions.

   *Steve Henson*

 * Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
   as "read only": it can't be written to and the buffer it points to will
   not be freed. Reading from a read only BIO is much more efficient than
   a normal memory BIO. This was added because there are several times when
   an area of memory needs to be read from a BIO. The previous method was
   to create a memory BIO and write the data to it, this results in two
   copies of the data and an O(n^2) reading algorithm. There is a new
   function BIO_new_mem_buf() which creates a read only memory BIO from
   an area of memory. Also modified the PKCS#7 routines to use read only
   memory BIOs.

   *Steve Henson*

 * Bugfix: ssl23_get_client_hello did not work properly when called in
   state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
   an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
   but a retry condition occurred while trying to read the rest.

   *Bodo Moeller*

 * The PKCS7_ENC_CONTENT_new() function was setting the content type as
   NID_pkcs7_encrypted by default: this was wrong since this should almost
   always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
   the encrypted data type: this is a more sensible place to put it and it
   allows the PKCS#12 code to be tidied up that duplicated this
   functionality.

   *Steve Henson*

 * Changed obj_dat.pl script so it takes its input and output files on
   the command line. This should avoid shell escape redirection problems
   under Win32.

   *Steve Henson*

 * Initial support for certificate extension requests, these are included
   in things like Xenroll certificate requests. Included functions to allow
   extensions to be obtained and added.

   *Steve Henson*

 * -crlf option to s_client and s_server for sending newlines as
   CRLF (as required by many protocols).

   *Bodo Moeller*

### Changes between 0.9.3a and 0.9.4 [09 Aug 1999]

 * Install libRSAglue.a when OpenSSL is built with RSAref.

   *Ralf S. Engelschall*

 * A few more `#ifndef NO_FP_API / #endif` pairs for consistency.

   *Andrija Antonijevic <TheAntony2@bigfoot.com>*

 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
   program.

   *Steve Henson*

 * New function DSA_dup_DH, which duplicates DSA parameters/keys as
   DH parameters/keys (q is lost during that conversion, but the resulting
   DH parameters contain its length).

   For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
   much faster than DH_generate_parameters (which creates parameters
   where `p = 2*q + 1`), and also the smaller q makes DH computations
   much more efficient (160-bit exponentiation instead of 1024-bit
   exponentiation); so this provides a convenient way to support DHE
   ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
   utter importance to use
   SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
   or
   SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
   when such DH parameters are used, because otherwise small subgroup
   attacks may become possible!

   *Bodo Moeller*

 * Avoid memory leak in i2d_DHparams.

   *Bodo Moeller*

 * Allow the -k option to be used more than once in the enc program:
   this allows the same encrypted message to be read by multiple recipients.

   *Steve Henson*

 * New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
   an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
   it will always use the numerical form of the OID, even if it has a short
   or long name.

   *Steve Henson*

 * Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
   method only got called if p,q,dmp1,dmq1,iqmp components were present,
   otherwise bn_mod_exp was called. In the case of hardware keys for example
   no private key components need be present and it might store extra data
   in the RSA structure, which cannot be accessed from bn_mod_exp.
   By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
   private key operations.

   *Steve Henson*

 * Added support for SPARC Linux.

   *Andy Polyakov*

 * pem_password_cb function type incompatibly changed from
   typedef int pem_password_cb(char *buf, int size, int rwflag);
   to
   ....(char *buf, int size, int rwflag, void *userdata);
   so that applications can pass data to their callbacks:
   The `PEM[_ASN1]_{read,write}...` functions and macros now take an
   additional void * argument, which is just handed through whenever
   the password callback is called.

   *Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller*

   New function SSL_CTX_set_default_passwd_cb_userdata.

   Compatibility note: As many C implementations push function arguments
   onto the stack in reverse order, the new library version is likely to
   interoperate with programs that have been compiled with the old
   pem_password_cb definition (PEM_whatever takes some data that
   happens to be on the stack as its last argument, and the callback
   just ignores this garbage); but there is no guarantee whatsoever that
   this will work.

 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
   (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
   problems not only on Windows, but also on some Unix platforms.
   To avoid problematic command lines, these definitions are now in an
   auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
   for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).

   *Bodo Moeller*

 * MIPS III/IV assembler module is reimplemented.

   *Andy Polyakov*

 * More DES library cleanups: remove references to srand/rand and
   delete an unused file.

   *Ulf Möller*

 * Add support for the free Netwide assembler (NASM) under Win32,
   since not many people have MASM (ml) and it can be hard to obtain.
   This is currently experimental but it seems to work OK and pass all
   the tests. Check out INSTALL.W32 for info.

   *Steve Henson*

 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
   without temporary keys kept an extra copy of the server key,
   and connections with temporary keys did not free everything in case
   of an error.

   *Bodo Moeller*

 * New function RSA_check_key and new openssl rsa option -check
   for verifying the consistency of RSA keys.

   *Ulf Moeller, Bodo Moeller*

 * Various changes to make Win32 compile work:
   1. Casts to avoid "loss of data" warnings in p5_crpt2.c
   2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
      comparison" warnings.
   3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.

   *Steve Henson*

 * Add a debugging option to PKCS#5 v2 key generation function: when
   you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
   derived keys are printed to stderr.

   *Steve Henson*

 * Copy the flags in ASN1_STRING_dup().

   *Roman E. Pavlov <pre@mo.msk.ru>*

 * The x509 application mishandled signing requests containing DSA
   keys when the signing key was also DSA and the parameters didn't match.

   It was supposed to omit the parameters when they matched the signing key:
   the verifying software was then supposed to automatically use the CA's
   parameters if they were absent from the end user certificate.

   Omitting parameters is no longer recommended. The test was also
   the wrong way round! This was probably due to unusual behaviour in
   EVP_cmp_parameters() which returns 1 if the parameters match.
   This meant that parameters were omitted when they *didn't* match and
   the certificate was useless. Certificates signed with 'ca' didn't have
   this bug.

   *Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>*

 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
   The interface is as follows:
   Applications can use
   CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
   CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
   "off" is now the default.
   The library internally uses
   CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
   CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
   to disable memory-checking temporarily.

   Some inconsistent states that previously were possible (and were
   even the default) are now avoided.

   -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
   with each memory chunk allocated; this is occasionally more helpful
   than just having a counter.

   -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.

   -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
   extensions.

   *Bodo Moeller*

 * Introduce "mode" for SSL structures (with defaults in SSL_CTX),
   which largely parallels "options", but is for changing API behaviour,
   whereas "options" are about protocol behaviour.
   Initial "mode" flags are:

   SSL_MODE_ENABLE_PARTIAL_WRITE   Allow SSL_write to report success when
                                   a single record has been written.
   SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER  Don't insist that SSL_write
                                   retries use the same buffer location.
                                   (But all of the contents must be
                                   copied!)

   *Bodo Moeller*

 * Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
   worked.

 * Fix problems with no-hmac etc.

   *Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>*

 * New functions RSA_get_default_method(), RSA_set_method() and
   RSA_get_method(). These allow replacement of RSA_METHODs without having
   to mess around with the internals of an RSA structure.

   *Steve Henson*

 * Fix memory leaks in DSA_do_sign and DSA_is_prime.
   Also really enable memory leak checks in openssl.c and in some
   test programs.

   *Chad C. Mulligan, Bodo Moeller*

 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
   up the length of negative integers. This has now been simplified to just
   store the length when it is first determined and use it later, rather
   than trying to keep track of where data is copied and updating it to
   point to the end.

   *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*

 * Add a new function PKCS7_signatureVerify. This allows the verification
   of a PKCS#7 signature but with the signing certificate passed to the
   function itself. This contrasts with PKCS7_dataVerify which assumes the
   certificate is present in the PKCS#7 structure. This isn't always the
   case: certificates can be omitted from a PKCS#7 structure and be
   distributed by "out of band" means (such as a certificate database).

   *Steve Henson*

 * Complete the `PEM_*` macros with DECLARE_PEM versions to replace the
   function prototypes in pem.h, also change util/mkdef.pl to add the
   necessary function names.

   *Steve Henson*

 * mk1mf.pl (used by Windows builds) did not properly read the
   options set by Configure in the top level Makefile, and Configure
   was not even able to write more than one option correctly.
   Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.

   *Bodo Moeller*

 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
   file to be loaded from a BIO or FILE pointer. The BIO version will
   for example allow memory BIOs to contain config info.

   *Steve Henson*

 * New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
   Whoever hopes to achieve shared-library compatibility across versions
   must use this, not the compile-time macro.
   (Exercise 0.9.4: Which is the minimum library version required by
   such programs?)
   Note: All this applies only to multi-threaded programs, others don't
   need locks.

   *Bodo Moeller*

 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
   through a BIO pair triggered the default case, i.e.
   SSLerr(...,SSL_R_UNKNOWN_STATE).

   *Bodo Moeller*

 * New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
   can use the SSL library even if none of the specific BIOs is
   appropriate.

   *Bodo Moeller*

 * Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
   for the encoded length.

   *Jeon KyoungHo <khjeon@sds.samsung.co.kr>*

 * Add initial documentation of the X509V3 functions.

   *Steve Henson*

 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
   PEM_write_bio_PKCS8PrivateKey() that are equivalent to
   PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
   secure PKCS#8 private key format with a high iteration count.

   *Steve Henson*

 * Fix determination of Perl interpreter: A perl or perl5
   *directory* in $PATH was also accepted as the interpreter.

   *Ralf S. Engelschall*

 * Fix demos/sign/sign.c: well there wasn't anything strictly speaking
   wrong with it but it was very old and did things like calling
   PEM_ASN1_read() directly and used MD5 for the hash not to mention some
   unusual formatting.

   *Steve Henson*

 * Fix demos/selfsign.c: it used obsolete and deleted functions, changed
   to use the new extension code.

   *Steve Henson*

 * Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
   with macros. This should make it easier to change their form, add extra
   arguments etc. Fix a few PEM prototypes which didn't have cipher as a
   constant.

   *Steve Henson*

 * Add to configuration table a new entry that can specify an alternative
   name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
   according to Mark Crispin <MRC@Panda.COM>.

   *Bodo Moeller*

 * DES CBC did not update the IV. Weird.

   *Ben Laurie*
#else
   des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
   Changing the behaviour of the former might break existing programs --
   where IV updating is needed, des_ncbc_encrypt can be used.
#endif

 * When bntest is run from "make test" it drives bc to check its
   calculations, as well as internally checking them. If an internal check
   fails, it needs to cause bc to give a non-zero result or make test carries
   on without noticing the failure. Fixed.

   *Ben Laurie*

 * DES library cleanups.

   *Ulf Möller*

 * Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
   used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
   ciphers. NOTE: although the key derivation function has been verified
   against some published test vectors it has not been extensively tested
   yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
   of v2.0.

   *Steve Henson*

 * Instead of "mkdir -p", which is not fully portable, use new
   Perl script "util/mkdir-p.pl".

   *Bodo Moeller*

 * Rewrite the way password based encryption (PBE) is handled. It used to
   assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
   structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
   but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
   the 'parameter' field of the AlgorithmIdentifier is passed to the
   underlying key generation function so it must do its own ASN1 parsing.
   This has also changed the EVP_PBE_CipherInit() function which now has a
   'parameter' argument instead of literal salt and iteration count values
   and the function EVP_PBE_ALGOR_CipherInit() has been deleted.

   *Steve Henson*

 * Support for PKCS#5 v1.5 compatible password based encryption algorithms
   and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
   Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
   KEY" because this clashed with PKCS#8 unencrypted string. Since this
   value was just used as a "magic string" and not used directly its
   value doesn't matter.

   *Steve Henson*

 * Introduce some semblance of const correctness to BN. Shame C doesn't
   support mutable.

   *Ben Laurie*

 * "linux-sparc64" configuration (ultrapenguin).

   *Ray Miller <ray.miller@oucs.ox.ac.uk>*

   "linux-sparc" configuration.

   *Christian Forster <fo@hawo.stw.uni-erlangen.de>*

 * config now generates no-xxx options for missing ciphers.

   *Ulf Möller*

 * Support the EBCDIC character set (work in progress).
   File ebcdic.c not yet included because it has a different license.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*

 * Support BS2000/OSD-POSIX.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*

 * Make callbacks for key generation use `void *` instead of `char *`.

   *Ben Laurie*

 * Make S/MIME samples compile (not yet tested).

   *Ben Laurie*

 * Additional typesafe stacks.

   *Ben Laurie*

 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).

   *Bodo Moeller*

### Changes between 0.9.3 and 0.9.3a [29 May 1999]

 * New configuration variant "sco5-gcc".

 * Updated some demos.

   *Sean O Riordain, Wade Scholine*

 * Add missing BIO_free at exit of pkcs12 application.

   *Wu Zhigang*

 * Fix memory leak in conf.c.

   *Steve Henson*

 * Updates for Win32 to assembler version of MD5.

   *Steve Henson*

 * Set #! path to perl in `apps/der_chop` to where we found it
   instead of using a fixed path.

   *Bodo Moeller*

 * SHA library changes for irix64-mips4-cc.

   *Andy Polyakov*

 * Improvements for VMS support.

   *Richard Levitte*

### Changes between 0.9.2b and 0.9.3 [24 May 1999]

 * Bignum library bug fix. IRIX 6 passes "make test" now!
   This also avoids the problems with SC4.2 and unpatched SC5.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * New functions sk_num, sk_value and sk_set to replace the previous macros.
   These are required because of the typesafe stack would otherwise break
   existing code. If old code used a structure member which used to be STACK
   and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
   sk_num or sk_value it would produce an error because the num, data members
   are not present in STACK_OF. Now it just produces a warning. sk_set
   replaces the old method of assigning a value to sk_value
   (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
   that does this will no longer work (and should use sk_set instead) but
   this could be regarded as a "questionable" behaviour anyway.

   *Steve Henson*

 * Fix most of the other PKCS#7 bugs. The "experimental" code can now
   correctly handle encrypted S/MIME data.

   *Steve Henson*

 * Change type of various DES function arguments from des_cblock
   (which means, in function argument declarations, pointer to char)
   to des_cblock * (meaning pointer to array with 8 char elements),
   which allows the compiler to do more typechecking; it was like
   that back in SSLeay, but with lots of ugly casts.

   Introduce new type const_des_cblock.

   *Bodo Moeller*

 * Reorganise the PKCS#7 library and get rid of some of the more obvious
   problems: find RecipientInfo structure that matches recipient certificate
   and initialise the ASN1 structures properly based on passed cipher.

   *Steve Henson*

 * Belatedly make the BN tests actually check the results.

   *Ben Laurie*

 * Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
   to and from BNs: it was completely broken. New compilation option
   NEG_PUBKEY_BUG to allow for some broken certificates that encode public
   key elements as negative integers.

   *Steve Henson*

 * Reorganize and speed up MD5.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * VMS support.

   *Richard Levitte <richard@levitte.org>*

 * New option -out to asn1parse to allow the parsed structure to be
   output to a file. This is most useful when combined with the -strparse
   option to examine the output of things like OCTET STRINGS.

   *Steve Henson*

 * Make SSL library a little more fool-proof by not requiring any longer
   that `SSL_set_{accept,connect}_state` be called before
   `SSL_{accept,connect}` may be used (`SSL_set_..._state` is omitted
   in many applications because usually everything *appeared* to work as
   intended anyway -- now it really works as intended).

   *Bodo Moeller*

 * Move openssl.cnf out of lib/.

   *Ulf Möller*

 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
   -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
   -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+

   *Ralf S. Engelschall*

 * Various fixes to the EVP and PKCS#7 code. It may now be able to
   handle PKCS#7 enveloped data properly.

   *Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve*

 * Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
   copying pointers. The cert_st handling is changed by this in
   various ways (and thus what used to be known as ctx->default_cert
   is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
   any longer when s->cert does not give us what we need).
   ssl_cert_instantiate becomes obsolete by this change.
   As soon as we've got the new code right (possibly it already is?),
   we have solved a couple of bugs of the earlier code where s->cert
   was used as if it could not have been shared with other SSL structures.

   Note that using the SSL API in certain dirty ways now will result
   in different behaviour than observed with earlier library versions:
   Changing settings for an `SSL_CTX *ctx` after having done s = SSL_new(ctx)
   does not influence s as it used to.

   In order to clean up things more thoroughly, inside SSL_SESSION
   we don't use CERT any longer, but a new structure SESS_CERT
   that holds per-session data (if available); currently, this is
   the peer's certificate chain and, for clients, the server's certificate
   and temporary key. CERT holds only those values that can have
   meaningful defaults in an SSL_CTX.

   *Bodo Moeller*

 * New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
   from the internal representation. Various PKCS#7 fixes: remove some
   evil casts and set the enc_dig_alg field properly based on the signing
   key type.

   *Steve Henson*

 * Allow PKCS#12 password to be set from the command line or the
   environment. Let 'ca' get its config file name from the environment
   variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
   and 'x509').

   *Steve Henson*

 * Allow certificate policies extension to use an IA5STRING for the
   organization field. This is contrary to the PKIX definition but
   VeriSign uses it and IE5 only recognises this form. Document 'x509'
   extension option.

   *Steve Henson*

 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
   without disallowing inline assembler and the like for non-pedantic builds.

   *Ben Laurie*

 * Support Borland C++ builder.

   *Janez Jere <jj@void.si>, modified by Ulf Möller*

 * Support Mingw32.

   *Ulf Möller*

 * SHA-1 cleanups and performance enhancements.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Sparc v8plus assembler for the bignum library.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Accept any -xxx and +xxx compiler options in Configure.

   *Ulf Möller*

 * Update HPUX configuration.

   *Anonymous*

 * Add missing `sk_<type>_unshift()` function to safestack.h

   *Ralf S. Engelschall*

 * New function SSL_CTX_use_certificate_chain_file that sets the
   "extra_cert"s in addition to the certificate. (This makes sense
   only for "PEM" format files, as chains as a whole are not
   DER-encoded.)

   *Bodo Moeller*

 * Support verify_depth from the SSL API.
   x509_vfy.c had what can be considered an off-by-one-error:
   Its depth (which was not part of the external interface)
   was actually counting the number of certificates in a chain;
   now it really counts the depth.

   *Bodo Moeller*

 * Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
   instead of X509err, which often resulted in confusing error
   messages since the error codes are not globally unique
   (e.g. an alleged error in ssl3_accept when a certificate
   didn't match the private key).

 * New function SSL_CTX_set_session_id_context that allows to set a default
   value (so that you don't need SSL_set_session_id_context for each
   connection using the SSL_CTX).

   *Bodo Moeller*

 * OAEP decoding bug fix.

   *Ulf Möller*

 * Support INSTALL_PREFIX for package builders, as proposed by
   David Harris.

   *Bodo Moeller*

 * New Configure options "threads" and "no-threads". For systems
   where the proper compiler options are known (currently Solaris
   and Linux), "threads" is the default.

   *Bodo Moeller*

 * New script util/mklink.pl as a faster substitute for util/mklink.sh.

   *Bodo Moeller*

 * Install various scripts to $(OPENSSLDIR)/misc, not to
   $(INSTALLTOP)/bin -- they shouldn't clutter directories
   such as /usr/local/bin.

   *Bodo Moeller*

 * "make linux-shared" to build shared libraries.

   *Niels Poppe <niels@netbox.org>*

 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).

   *Ulf Möller*

 * Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
   extension adding in x509 utility.

   *Steve Henson*

 * Remove NOPROTO sections and error code comments.

   *Ulf Möller*

 * Partial rewrite of the DEF file generator to now parse the ANSI
   prototypes.

   *Steve Henson*

 * New Configure options --prefix=DIR and --openssldir=DIR.

   *Ulf Möller*

 * Complete rewrite of the error code script(s). It is all now handled
   by one script at the top level which handles error code gathering,
   header rewriting and C source file generation. It should be much better
   than the old method: it now uses a modified version of Ulf's parser to
   read the ANSI prototypes in all header files (thus the old K&R definitions
   aren't needed for error creation any more) and do a better job of
   translating function codes into names. The old 'ASN1 error code embedded
   in a comment' is no longer necessary and it doesn't use .err files which
   have now been deleted. Also the error code call doesn't have to appear all
   on one line (which resulted in some large lines...).

   *Steve Henson*

 * Change #include filenames from `<foo.h>` to `<openssl/foo.h>`.

   *Bodo Moeller*

 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
   0 (which usually indicates a closed connection), but continue reading.

   *Bodo Moeller*

 * Fix some race conditions.

   *Bodo Moeller*

 * Add support for CRL distribution points extension. Add Certificate
   Policies and CRL distribution points documentation.

   *Steve Henson*

 * Move the autogenerated header file parts to crypto/opensslconf.h.

   *Ulf Möller*

 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
   8 of keying material. Merlin has also confirmed interop with this fix
   between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.

   *Merlin Hughes <merlin@baltimore.ie>*

 * Fix lots of warnings.

   *Richard Levitte <levitte@stacken.kth.se>*

 * In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
   the directory spec didn't end with a LIST_SEPARATOR_CHAR.

   *Richard Levitte <levitte@stacken.kth.se>*

 * Fix problems with sizeof(long) == 8.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Change functions to ANSI C.

   *Ulf Möller*

 * Fix typos in error codes.

   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller*

 * Remove defunct assembler files from Configure.

   *Ulf Möller*

 * SPARC v8 assembler BIGNUM implementation.

   *Andy Polyakov <appro@fy.chalmers.se>*

 * Support for Certificate Policies extension: both print and set.
   Various additions to support the r2i method this uses.

   *Steve Henson*

 * A lot of constification, and fix a bug in X509_NAME_oneline() that could
   return a const string when you are expecting an allocated buffer.

   *Ben Laurie*

 * Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
   types DirectoryString and DisplayText.

   *Steve Henson*

 * Add code to allow r2i extensions to access the configuration database,
   add an LHASH database driver and add several ctx helper functions.

   *Steve Henson*

 * Fix an evil bug in bn_expand2() which caused various BN functions to
   fail when they extended the size of a BIGNUM.

   *Steve Henson*

 * Various utility functions to handle SXNet extension. Modify mkdef.pl to
   support typesafe stack.

   *Steve Henson*

 * Fix typo in SSL_[gs]et_options().

   *Nils Frostberg <nils@medcom.se>*

 * Delete various functions and files that belonged to the (now obsolete)
   old X509V3 handling code.

   *Steve Henson*

 * New Configure option "rsaref".

   *Ulf Möller*

 * Don't auto-generate pem.h.

   *Bodo Moeller*

 * Introduce type-safe ASN.1 SETs.

   *Ben Laurie*

 * Convert various additional casted stacks to type-safe STACK_OF() variants.

   *Ben Laurie, Ralf S. Engelschall, Steve Henson*

 * Introduce type-safe STACKs. This will almost certainly break lots of code
   that links with OpenSSL (well at least cause lots of warnings), but fear
   not: the conversion is trivial, and it eliminates loads of evil casts. A
   few STACKed things have been converted already. Feel free to convert more.
   In the fullness of time, I'll do away with the STACK type altogether.

   *Ben Laurie*

 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
   specified in `<certfile>` by updating the entry in the index.txt file.
   This way one no longer has to edit the index.txt file manually for
   revoking a certificate. The -revoke option does the gory details now.

   *Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall*

 * Fix `openssl crl -noout -text` combination where `-noout` killed the
   `-text` option at all and this way the `-noout -text` combination was
   inconsistent in `openssl crl` with the friends in `openssl x509|rsa|dsa`.

   *Ralf S. Engelschall*

 * Make sure a corresponding plain text error message exists for the
   X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
   verify callback function determined that a certificate was revoked.

   *Ralf S. Engelschall*

 * Bugfix: In test/testenc, don't test `openssl <cipher>` for
   ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
   all available ciphers including rc5, which was forgotten until now.
20188 In order to let the testing shell script know which algorithms 20189 are available, a new (up to now undocumented) command 20190 `openssl list-cipher-commands` is used. 20191 20192 *Bodo Moeller* 20193 20194 * Bugfix: s_client occasionally would sleep in select() when 20195 it should have checked SSL_pending() first. 20196 20197 *Bodo Moeller* 20198 20199 * New functions DSA_do_sign and DSA_do_verify to provide access to 20200 the raw DSA values prior to ASN.1 encoding. 20201 20202 *Ulf Möller* 20203 20204 * Tweaks to Configure 20205 20206 *Niels Poppe <niels@netbox.org>* 20207 20208 * Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, 20209 yet... 20210 20211 *Steve Henson* 20212 20213 * New variables $(RANLIB) and $(PERL) in the Makefiles. 20214 20215 *Ulf Möller* 20216 20217 * New config option to avoid instructions that are illegal on the 80386. 20218 The default code is faster, but requires at least a 486. 20219 20220 *Ulf Möller* 20221 20222 * Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and 20223 SSL2_SERVER_VERSION (not used at all) macros, which are now the 20224 same as SSL2_VERSION anyway. 20225 20226 *Bodo Moeller* 20227 20228 * New "-showcerts" option for s_client. 20229 20230 *Bodo Moeller* 20231 20232 * Still more PKCS#12 integration. Add pkcs12 application to openssl 20233 application. Various cleanups and fixes. 20234 20235 *Steve Henson* 20236 20237 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and 20238 modify error routines to work internally. Add error codes and PBE init 20239 to library startup routines. 20240 20241 *Steve Henson* 20242 20243 * Further PKCS#12 integration. Added password based encryption, PKCS#8 and 20244 packing functions to asn1 and evp. Changed function names and error 20245 codes along the way. 20246 20247 *Steve Henson* 20248 20249 * PKCS12 integration: and so it begins... First of several patches to 20250 slowly integrate PKCS#12 functionality into OpenSSL. 
Add PKCS#12 20251 objects to objects.h 20252 20253 *Steve Henson* 20254 20255 * Add a new 'indent' option to some X509V3 extension code. Initial ASN1 20256 and display support for Thawte strong extranet extension. 20257 20258 *Steve Henson* 20259 20260 * Add LinuxPPC support. 20261 20262 *Jeff Dubrule <igor@pobox.org>* 20263 20264 * Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to 20265 bn_div_words in alpha.s. 20266 20267 *Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie* 20268 20269 * Make sure the RSA OAEP test is skipped under -DRSAref because 20270 OAEP isn't supported when OpenSSL is built with RSAref. 20271 20272 *Ulf Moeller <ulf@fitug.de>* 20273 20274 * Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h 20275 so they no longer are missing under -DNOPROTO. 20276 20277 *Soren S. Jorvang <soren@t.dk>* 20278 20279### Changes between 0.9.1c and 0.9.2b [22 Mar 1999] 20280 20281 * Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still 20282 doesn't work when the session is reused. Coming soon! 20283 20284 *Ben Laurie* 20285 20286 * Fix a security hole, that allows sessions to be reused in the wrong 20287 context thus bypassing client cert protection! All software that uses 20288 client certs and session caches in multiple contexts NEEDS PATCHING to 20289 allow session reuse! A fuller solution is in the works. 20290 20291 *Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)* 20292 20293 * Some more source tree cleanups (removed obsolete files 20294 crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed 20295 permission on "config" script to be executable) and a fix for the INSTALL 20296 document. 20297 20298 *Ulf Moeller <ulf@fitug.de>* 20299 20300 * Remove some legacy and erroneous uses of malloc, free instead of 20301 Malloc, Free. 20302 20303 *Lennart Bang <lob@netstream.se>, with minor changes by Steve* 20304 20305 * Make rsa_oaep_test return non-zero on error. 
20306 20307 *Ulf Moeller <ulf@fitug.de>* 20308 20309 * Add support for native Solaris shared libraries. Configure 20310 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice 20311 if someone would make that last step automatic. 20312 20313 *Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>* 20314 20315 * ctx_size was not built with the right compiler during "make links". Fixed. 20316 20317 *Ben Laurie* 20318 20319 * Change the meaning of 'ALL' in the cipher list. It now means "everything 20320 except NULL ciphers". This means the default cipher list will no longer 20321 enable NULL ciphers. They need to be specifically enabled e.g. with 20322 the string "DEFAULT:eNULL". 20323 20324 *Steve Henson* 20325 20326 * Fix to RSA private encryption routines: if p < q then it would 20327 occasionally produce an invalid result. This will only happen with 20328 externally generated keys because OpenSSL (and SSLeay) ensure p > q. 20329 20330 *Steve Henson* 20331 20332 * Be less restrictive and allow also `perl util/perlpath.pl 20333 /path/to/bin/perl` in addition to `perl util/perlpath.pl /path/to/bin`, 20334 because this way one can also use an interpreter named `perl5` (which is 20335 usually the name of Perl 5.xxx on platforms where an Perl 4.x is still 20336 installed as `perl`). 20337 20338 *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>* 20339 20340 * Let util/clean-depend.pl work also with older Perl 5.00x versions. 20341 20342 *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>* 20343 20344 * Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add 20345 advapi32.lib to Win32 build and change the pem test comparison 20346 to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the 20347 suggestion). Fix misplaced ASNI prototypes and declarations in evp.h 20348 and crypto/des/ede_cbcm_enc.c. 20349 20350 *Steve Henson* 20351 20352 * DES quad checksum was broken on big-endian architectures. Fixed. 
20353 20354 *Ben Laurie* 20355 20356 * Comment out two functions in bio.h that aren't implemented. Fix up the 20357 Win32 test batch file so it (might) work again. The Win32 test batch file 20358 is horrible: I feel ill.... 20359 20360 *Steve Henson* 20361 20362 * Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected 20363 in e_os.h. Audit of header files to check ANSI and non ANSI 20364 sections: 10 functions were absent from non ANSI section and not exported 20365 from Windows DLLs. Fixed up libeay.num for new functions. 20366 20367 *Steve Henson* 20368 20369 * Make `openssl version` output lines consistent. 20370 20371 *Ralf S. Engelschall* 20372 20373 * Fix Win32 symbol export lists for BIO functions: Added 20374 BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data 20375 to ms/libeay{16,32}.def. 20376 20377 *Ralf S. Engelschall* 20378 20379 * Second round of fixing the OpenSSL perl/ stuff. It now at least compiled 20380 fine under Unix and passes some trivial tests I've now added. But the 20381 whole stuff is horribly incomplete, so a README.1ST with a disclaimer was 20382 added to make sure no one expects that this stuff really works in the 20383 OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources 20384 up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and 20385 openssl_bio.xs. 20386 20387 *Ralf S. Engelschall* 20388 20389 * Fix the generation of two part addresses in perl. 20390 20391 *Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie* 20392 20393 * Add config entry for Linux on MIPS. 20394 20395 *John Tobey <jtobey@channel1.com>* 20396 20397 * Make links whenever Configure is run, unless we are on Windoze. 20398 20399 *Ben Laurie* 20400 20401 * Permit extensions to be added to CRLs using crl_section in openssl.cnf. 20402 Currently only issuerAltName and AuthorityKeyIdentifier make any sense 20403 in CRLs. 
20404 20405 *Steve Henson* 20406 20407 * Add a useful kludge to allow package maintainers to specify compiler and 20408 other platforms details on the command line without having to patch the 20409 Configure script every time: One now can use 20410 `perl Configure <id>:<details>`, 20411 i.e. platform ids are allowed to have details appended 20412 to them (separated by colons). This is treated as there would be a static 20413 pre-configured entry in Configure's %table under key `<id>` with value 20414 `<details>` and `perl Configure <id>` is called. So, when you want to 20415 perform a quick test-compile under FreeBSD 3.1 with pgcc and without 20416 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"` 20417 now, which overrides the FreeBSD-elf entry on-the-fly. 20418 20419 *Ralf S. Engelschall* 20420 20421 * Disable new TLS1 ciphersuites by default: they aren't official yet. 20422 20423 *Ben Laurie* 20424 20425 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified 20426 on the `perl Configure ...` command line. This way one can compile 20427 OpenSSL libraries with Position Independent Code (PIC) which is needed 20428 for linking it into DSOs. 20429 20430 *Ralf S. Engelschall* 20431 20432 * Remarkably, export ciphers were totally broken and no-one had noticed! 20433 Fixed. 20434 20435 *Ben Laurie* 20436 20437 * Cleaned up the LICENSE document: The official contact for any license 20438 questions now is the OpenSSL core team under openssl-core@openssl.org. 20439 And add a paragraph about the dual-license situation to make sure people 20440 recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply 20441 to the OpenSSL toolkit. 20442 20443 *Ralf S. Engelschall* 20444 20445 * General source tree makefile cleanups: Made `making xxx in yyy...` 20446 display consistent in the source tree and replaced `/bin/rm` by `rm`. 
20447 Additionally cleaned up the `make links` target: Remove unnecessary 20448 semicolons, subsequent redundant removes, inline point.sh into mklink.sh 20449 to speed processing and no longer clutter the display with confusing 20450 stuff. Instead only the actually done links are displayed. 20451 20452 *Ralf S. Engelschall* 20453 20454 * Permit null encryption ciphersuites, used for authentication only. It used 20455 to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this. 20456 It is now necessary to set SSL_FORBID_ENULL to prevent the use of null 20457 encryption. 20458 20459 *Ben Laurie* 20460 20461 * Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder 20462 signed attributes when verifying signatures (this would break them), 20463 the detached data encoding was wrong and public keys obtained using 20464 X509_get_pubkey() weren't freed. 20465 20466 *Steve Henson* 20467 20468 * Add text documentation for the BUFFER functions. Also added a work around 20469 to a Win95 console bug. This was triggered by the password read stuff: the 20470 last character typed gets carried over to the next fread(). If you were 20471 generating a new cert request using 'req' for example then the last 20472 character of the passphrase would be CR which would then enter the first 20473 field as blank. 20474 20475 *Steve Henson* 20476 20477 * Added the new 'Includes OpenSSL Cryptography Software' button as 20478 doc/openssl_button.{gif,html} which is similar in style to the old SSLeay 20479 button and can be used by applications based on OpenSSL to show the 20480 relationship to the OpenSSL project. 20481 20482 *Ralf S. Engelschall* 20483 20484 * Remove confusing variables in function signatures in files 20485 ssl/ssl_lib.c and ssl/ssl.h. 
20486 20487 *Lennart Bong <lob@kulthea.stacken.kth.se>* 20488 20489 * Don't install bss_file.c under PREFIX/include/ 20490 20491 *Lennart Bong <lob@kulthea.stacken.kth.se>* 20492 20493 * Get the Win32 compile working again. Modify mkdef.pl so it can handle 20494 functions that return function pointers and has support for NT specific 20495 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various 20496 #ifdef WIN32 and WINNTs sprinkled about the place and some changes from 20497 unsigned to signed types: this was killing the Win32 compile. 20498 20499 *Steve Henson* 20500 20501 * Add new certificate file to stack functions, 20502 SSL_add_dir_cert_subjects_to_stack() and 20503 SSL_add_file_cert_subjects_to_stack(). These largely supplant 20504 SSL_load_client_CA_file(), and can be used to add multiple certs easily 20505 to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). 20506 This means that Apache-SSL and similar packages don't have to mess around 20507 to add as many CAs as they want to the preferred list. 20508 20509 *Ben Laurie* 20510 20511 * Experiment with doxygen documentation. Currently only partially applied to 20512 ssl/ssl_lib.c. 20513 See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with 20514 openssl.doxy as the configuration file. 20515 20516 *Ben Laurie* 20517 20518 * Get rid of remaining C++-style comments which strict C compilers hate. 20519 20520 *Ralf S. Engelschall, pointed out by Carlos Amengual* 20521 20522 * Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not 20523 compiled in by default: it has problems with large keys. 20524 20525 *Steve Henson* 20526 20527 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and 20528 DH private keys and/or callback functions which directly correspond to 20529 their SSL_CTX_xxx() counterparts but work on a per-connection basis. 
This 20530 is needed for applications which have to configure certificates on a 20531 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis 20532 (e.g. s_server). 20533 For the RSA certificate situation is makes no difference, but 20534 for the DSA certificate situation this fixes the "no shared cipher" 20535 problem where the OpenSSL cipher selection procedure failed because the 20536 temporary keys were not overtaken from the context and the API provided 20537 no way to reconfigure them. 20538 The new functions now let applications reconfigure the stuff and they 20539 are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh, 20540 SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new 20541 non-public-API function ssl_cert_instantiate() is used as a helper 20542 function and also to reduce code redundancy inside ssl_rsa.c. 20543 20544 *Ralf S. Engelschall* 20545 20546 * Move s_server -dcert and -dkey options out of the undocumented feature 20547 area because they are useful for the DSA situation and should be 20548 recognized by the users. 20549 20550 *Ralf S. Engelschall* 20551 20552 * Fix the cipher decision scheme for export ciphers: the export bits are 20553 *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within 20554 SSL_EXP_MASK. So, the original variable has to be used instead of the 20555 already masked variable. 20556 20557 *Richard Levitte <levitte@stacken.kth.se>* 20558 20559 * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c 20560 20561 *Richard Levitte <levitte@stacken.kth.se>* 20562 20563 * Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal() 20564 from `int` to `unsigned int` because it is a length and initialized by 20565 EVP_DigestFinal() which expects an `unsigned int *`. 20566 20567 *Richard Levitte <levitte@stacken.kth.se>* 20568 20569 * Don't hard-code path to Perl interpreter on shebang line of Configure 20570 script. 
Instead use the usual Shell->Perl transition trick. 20571 20572 *Ralf S. Engelschall* 20573 20574 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates 20575 (in addition to RSA certificates) to match the behaviour of `openssl dsa 20576 -noout -modulus` as it's already the case for `openssl rsa -noout 20577 -modulus`. For RSA the -modulus is the real "modulus" while for DSA 20578 currently the public key is printed (a decision which was already done by 20579 `openssl dsa -modulus` in the past) which serves a similar purpose. 20580 Additionally the NO_RSA no longer completely removes the whole -modulus 20581 option; it now only avoids using the RSA stuff. Same applies to NO_DSA 20582 now, too. 20583 20584 *Ralf S. Engelschall* 20585 20586 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested 20587 BIO. See the source (crypto/evp/bio_ok.c) for more info. 20588 20589 *Arne Ansper <arne@ats.cyber.ee>* 20590 20591 * Dump the old yucky req code that tried (and failed) to allow raw OIDs 20592 to be added. Now both 'req' and 'ca' can use new objects defined in the 20593 config file. 20594 20595 *Steve Henson* 20596 20597 * Add cool BIO that does syslog (or event log on NT). 20598 20599 *Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie* 20600 20601 * Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5, 20602 TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and 20603 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher 20604 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt. 20605 20606 *Ben Laurie* 20607 20608 * Add preliminary config info for new extension code. 20609 20610 *Steve Henson* 20611 20612 * Make RSA_NO_PADDING really use no padding. 20613 20614 *Ulf Moeller <ulf@fitug.de>* 20615 20616 * Generate errors when private/public key check is done. 20617 20618 *Ben Laurie* 20619 20620 * Overhaul for 'crl' utility. New function X509_CRL_print. 
Partial support 20621 for some CRL extensions and new objects added. 20622 20623 *Steve Henson* 20624 20625 * Really fix the ASN1 IMPLICIT bug this time... Partial support for private 20626 key usage extension and fuller support for authority key id. 20627 20628 *Steve Henson* 20629 20630 * Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved 20631 padding method for RSA, which is recommended for new applications in PKCS 20632 #1 v2.0 (RFC 2437, October 1998). 20633 OAEP (Optimal Asymmetric Encryption Padding) has better theoretical 20634 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure 20635 against Bleichbacher's attack on RSA. 20636 *Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by 20637 Ben Laurie* 20638 20639 * Updates to the new SSL compression code 20640 20641 *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)* 20642 20643 * Fix so that the version number in the master secret, when passed 20644 via RSA, checks that if TLS was proposed, but we roll back to SSLv3 20645 (because the server will not accept higher), that the version number 20646 is 0x03,0x01, not 0x03,0x00 20647 20648 *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)* 20649 20650 * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory 20651 leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes 20652 in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`. 20653 20654 *Steve Henson* 20655 20656 * Support for RAW extensions where an arbitrary extension can be 20657 created by including its DER encoding. See `apps/openssl.cnf` for 20658 an example. 20659 20660 *Steve Henson* 20661 20662 * Make sure latest Perl versions don't interpret some generated C array 20663 code as Perl array code in the crypto/err/err_genc.pl script. 
20664 20665 *Lars Weber <3weber@informatik.uni-hamburg.de>* 20666 20667 * Modify ms/do_ms.bat to not generate assembly language makefiles since 20668 not many people have the assembler. Various Win32 compilation fixes and 20669 update to the INSTALL.W32 file with (hopefully) more accurate Win32 20670 build instructions. 20671 20672 *Steve Henson* 20673 20674 * Modify configure script 'Configure' to automatically create crypto/date.h 20675 file under Win32 and also build pem.h from pem.org. New script 20676 util/mkfiles.pl to create the MINFO file on environments that can't do a 20677 'make files': perl util/mkfiles.pl >MINFO should work. 20678 20679 *Steve Henson* 20680 20681 * Major rework of DES function declarations, in the pursuit of correctness 20682 and purity. As a result, many evil casts evaporated, and some weirdness, 20683 too. You may find this causes warnings in your code. Zapping your evil 20684 casts will probably fix them. Mostly. 20685 20686 *Ben Laurie* 20687 20688 * Fix for a typo in asn1.h. Bug fix to object creation script 20689 obj_dat.pl. It considered a zero in an object definition to mean 20690 "end of object": none of the objects in objects.h have any zeros 20691 so it wasn't spotted. 20692 20693 *Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>* 20694 20695 * Add support for Triple DES Cipher Block Chaining with Output Feedback 20696 Masking (CBCM). In the absence of test vectors, the best I have been able 20697 to do is check that the decrypt undoes the encrypt, so far. Send me test 20698 vectors if you have them. 20699 20700 *Ben Laurie* 20701 20702 * Correct calculation of key length for export ciphers (too much space was 20703 allocated for null ciphers). This has not been tested! 20704 20705 *Ben Laurie* 20706 20707 * Modifications to the mkdef.pl for Win32 DEF file creation. The usage 20708 message is now correct (it understands "crypto" and "ssl" on its 20709 command line). There is also now an "update" option. 
This will update 20710 the util/ssleay.num and util/libeay.num files with any new functions. 20711 If you do a: 20712 perl util/mkdef.pl crypto ssl update 20713 it will update them. 20714 20715 *Steve Henson* 20716 20717 * Overhauled the Perl interface: 20718 - ported BN stuff to OpenSSL's different BN library 20719 - made the perl/ source tree CVS-aware 20720 - renamed the package from SSLeay to OpenSSL (the files still contain 20721 their history because I've copied them in the repository) 20722 - removed obsolete files (the test scripts will be replaced 20723 by better Test::Harness variants in the future) 20724 20725 *Ralf S. Engelschall* 20726 20727 * First cut for a very conservative source tree cleanup: 20728 1. merge various obsolete readme texts into doc/ssleay.txt 20729 where we collect the old documents and readme texts. 20730 2. remove the first part of files where I'm already sure that we no 20731 longer need them because of three reasons: either they are just temporary 20732 files which were left by Eric or they are preserved original files where 20733 I've verified that the diff is also available in the CVS via "cvs diff 20734 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for 20735 the crypto/md/ stuff). 20736 20737 *Ralf S. Engelschall* 20738 20739 * More extension code. Incomplete support for subject and issuer alt 20740 name, issuer and authority key id. Change the i2v function parameters 20741 and add an extra 'crl' parameter in the X509V3_CTX structure: guess 20742 what that's for :-) Fix to ASN1 macro which messed up 20743 IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED. 20744 20745 *Steve Henson* 20746 20747 * Preliminary support for ENUMERATED type. This is largely copied from the 20748 INTEGER code. 20749 20750 *Steve Henson* 20751 20752 * Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy. 20753 20754 *Eric A. 
Young, (from changes to C2Net SSLeay, integrated by Mark Cox)* 20755 20756 * Make sure `make rehash` target really finds the `openssl` program. 20757 20758 *Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>* 20759 20760 * Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd 20761 like to hear about it if this slows down other processors. 20762 20763 *Ben Laurie* 20764 20765 * Add CygWin32 platform information to Configure script. 20766 20767 *Alan Batie <batie@aahz.jf.intel.com>* 20768 20769 * Fixed ms/32all.bat script: `no_asm` -> `no-asm` 20770 20771 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>* 20772 20773 * New program nseq to manipulate netscape certificate sequences 20774 20775 *Steve Henson* 20776 20777 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a 20778 few typos. 20779 20780 *Steve Henson* 20781 20782 * Fixes to BN code. Previously the default was to define BN_RECURSION 20783 but the BN code had some problems that would cause failures when 20784 doing certificate verification and some other functions. 20785 20786 *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)* 20787 20788 * Add ASN1 and PEM code to support netscape certificate sequences. 20789 20790 *Steve Henson* 20791 20792 * Add ASN1 and PEM code to support netscape certificate sequences. 20793 20794 *Steve Henson* 20795 20796 * Add several PKIX and private extended key usage OIDs. 20797 20798 *Steve Henson* 20799 20800 * Modify the 'ca' program to handle the new extension code. Modify 20801 openssl.cnf for new extension format, add comments. 20802 20803 *Steve Henson* 20804 20805 * More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' 20806 and add a sample to openssl.cnf so req -x509 now adds appropriate 20807 CA extensions. 20808 20809 *Steve Henson* 20810 20811 * Continued X509 V3 changes. Add to other makefiles, integrate with the 20812 error code, add initial support to X509_print() and x509 application. 
20813 20814 *Steve Henson* 20815 20816 * Takes a deep breath and start adding X509 V3 extension support code. Add 20817 files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this 20818 stuff is currently isolated and isn't even compiled yet. 20819 20820 *Steve Henson* 20821 20822 * Continuing patches for GeneralizedTime. Fix up certificate and CRL 20823 ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. 20824 Removed the versions check from X509 routines when loading extensions: 20825 this allows certain broken certificates that don't set the version 20826 properly to be processed. 20827 20828 *Steve Henson* 20829 20830 * Deal with irritating shit to do with dependencies, in YAAHW (Yet Another 20831 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which 20832 can still be regenerated with "make depend". 20833 20834 *Ben Laurie* 20835 20836 * Spelling mistake in C version of CAST-128. 20837 20838 *Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>* 20839 20840 * Changes to the error generation code. The perl script err-code.pl 20841 now reads in the old error codes and retains the old numbers, only 20842 adding new ones if necessary. It also only changes the .err files if new 20843 codes are added. The makefiles have been modified to only insert errors 20844 when needed (to avoid needlessly modifying header files). This is done 20845 by only inserting errors if the .err file is newer than the auto generated 20846 C file. To rebuild all the error codes from scratch (the old behaviour) 20847 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl 20848 or delete all the .err files. 20849 20850 *Steve Henson* 20851 20852 * CAST-128 was incorrectly implemented for short keys. The C version has 20853 been fixed, but is untested. The assembler versions are also fixed, but 20854 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing 20855 to regenerate it if needed. 
20856 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun 20857 Hagino <itojun@kame.net>* 20858 20859 * File was opened incorrectly in randfile.c. 20860 20861 *Ulf Möller <ulf@fitug.de>* 20862 20863 * Beginning of support for GeneralizedTime. d2i, i2d, check and print 20864 functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or 20865 GeneralizedTime. ASN1_TIME is the proper type used in certificates et 20866 al: it's just almost always a UTCTime. Note this patch adds new error 20867 codes so do a "make errors" if there are problems. 20868 20869 *Steve Henson* 20870 20871 * Correct Linux 1 recognition in config. 20872 20873 *Ulf Möller <ulf@fitug.de>* 20874 20875 * Remove pointless MD5 hash when using DSA keys in ca. 20876 20877 *Anonymous <nobody@replay.com>* 20878 20879 * Generate an error if given an empty string as a cert directory. Also 20880 generate an error if handed NULL (previously returned 0 to indicate an 20881 error, but didn't set one). 20882 20883 *Ben Laurie, reported by Anonymous <nobody@replay.com>* 20884 20885 * Add prototypes to SSL methods. Make SSL_write's buffer const, at last. 20886 20887 *Ben Laurie* 20888 20889 * Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct 20890 parameters. This was causing a warning which killed off the Win32 compile. 20891 20892 *Steve Henson* 20893 20894 * Remove C++ style comments from crypto/bn/bn_local.h. 20895 20896 *Neil Costigan <neil.costigan@celocom.com>* 20897 20898 * The function OBJ_txt2nid was broken. It was supposed to return a nid 20899 based on a text string, looking up short and long names and finally 20900 "dot" format. The "dot" format stuff didn't work. Added new function 20901 OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote 20902 OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the 20903 OID is not part of the table. 
20904 20905 *Steve Henson* 20906 20907 * Add prototypes to X509 lookup/verify methods, fixing a bug in 20908 X509_LOOKUP_by_alias(). 20909 20910 *Ben Laurie* 20911 20912 * Sort openssl functions by name. 20913 20914 *Ben Laurie* 20915 20916 * Get the `gendsa` command working and add it to the `list` command. Remove 20917 encryption from sample DSA keys (in case anyone is interested the password 20918 was "1234"). 20919 20920 *Steve Henson* 20921 20922 * Make *all* `*_free` functions accept a NULL pointer. 20923 20924 *Frans Heymans <fheymans@isaserver.be>* 20925 20926 * If a DH key is generated in s3_srvr.c, don't blow it by trying to use 20927 NULL pointers. 20928 20929 *Anonymous <nobody@replay.com>* 20930 20931 * s_server should send the CAfile as acceptable CAs, not its own cert. 20932 20933 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>* 20934 20935 * Don't blow it for numeric `-newkey` arguments to `apps/req`. 20936 20937 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>* 20938 20939 * Temp key "for export" tests were wrong in s3_srvr.c. 20940 20941 *Anonymous <nobody@replay.com>* 20942 20943 * Add prototype for temp key callback functions 20944 SSL_CTX_set_tmp_{rsa,dh}_callback(). 20945 20946 *Ben Laurie* 20947 20948 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and 20949 DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey(). 20950 20951 *Steve Henson* 20952 20953 * X509_name_add_entry() freed the wrong thing after an error. 20954 20955 *Arne Ansper <arne@ats.cyber.ee>* 20956 20957 * rsa_eay.c would attempt to free a NULL context. 20958 20959 *Arne Ansper <arne@ats.cyber.ee>* 20960 20961 * BIO_s_socket() had a broken should_retry() on Windoze. 20962 20963 *Arne Ansper <arne@ats.cyber.ee>* 20964 20965 * BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH. 
   *Arne Ansper <arne@ats.cyber.ee>*

 * Make sure the already existing X509_STORE->depth variable is initialized
   in X509_STORE_new(), but document the fact that this variable is still
   unused in the certificate verification process.

   *Ralf S. Engelschall*

 * Fix the various library and `apps/` files to free up pkeys obtained from
   X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.

   *Steve Henson*

 * Fix reference counting in X509_PUBKEY_get(). This makes
   demos/maurice/example2.c work, amongst others, probably.

   *Steve Henson and Ben Laurie*

 * First cut of a cleanup for `apps/`. First the `ssleay` program is now named
   `openssl` and second, the shortcut symlinks for the `openssl <command>`
   are no longer created. This way we have a single and consistent command
   line interface `openssl <command>`, similar to `cvs <command>`.

   *Ralf S. Engelschall, Paul Sutton and Ben Laurie*

 * ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
   BIT STRING wrapper always have zero unused bits.

   *Steve Henson*

 * Add CA.pl, perl version of CA.sh, add extended key usage OID.

   *Steve Henson*

 * Make the top-level INSTALL documentation easier to understand.

   *Paul Sutton*

 * Makefiles updated to exit if an error occurs in a sub-directory
   make (including if user presses ^C).

   *Paul Sutton*

 * Make Montgomery context stuff explicit in RSA data structure.

   *Ben Laurie*

 * Fix build order of pem and err to allow for generated pem.h.

   *Ben Laurie*

 * Fix renumbering bug in X509_NAME_delete_entry().

   *Ben Laurie*

 * Enhanced the err-ins.pl script so it makes the error library number
   global and can add a library name.
   This is needed for external ASN1 and other error libraries.

   *Steve Henson*

 * Fixed sk_insert which never worked properly.

   *Steve Henson*

 * Fix ASN1 macros so they can handle indefinite length constructed
   EXPLICIT tags. Some non standard certificates use these: they can now
   be read in.

   *Steve Henson*

 * Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
   into a single doc/ssleay.txt bundle. This way the information is still
   preserved but no longer messes up this directory. Now it's new room for
   the new set of documentation files.

   *Ralf S. Engelschall*

 * SETs were incorrectly DER encoded. This was a major pain, because they
   shared code with SEQUENCEs, which aren't coded the same. This means that
   almost everything to do with SETs or SEQUENCEs has either changed name or
   number of arguments.

   *Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>*

 * Fix test data to work with the above.

   *Ben Laurie*

 * Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
   was already fixed by Eric for 0.9.1 it seems.

   *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*

 * Autodetect FreeBSD3.

   *Ben Laurie*

 * Fix various bugs in Configure. This affects the following platforms:
   nextstep
   ncr-scde
   unixware-2.0
   unixware-2.0-pentium
   sco5-cc.

   *Ben Laurie*

 * Eliminate generated files from CVS. Reorder tests to regenerate files
   before they are needed.

   *Ben Laurie*

 * Generate Makefile.ssl from Makefile.org (to keep CVS happy).
   *Ben Laurie*

### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]

 * Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
   changed SSLeay to OpenSSL in version strings.

   *Ralf S. Engelschall*

 * Some fixups to the top-level documents.

   *Paul Sutton*

 * Fixed the nasty bug where rsaref.h was not found under compile-time
   because the symlink to include/ was missing.

   *Ralf S. Engelschall*

 * Incorporated the popular no-RSA/DSA-only patches
   which allow one to compile an RSA-free SSLeay.

   *Andrew Cooke / Interrader Ldt., Ralf S. Engelschall*

 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
   when "ssleay" is still not found.

   *Ralf S. Engelschall*

 * Added more platforms to Configure: Cray T3E, HPUX 11.

   *Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>*

 * Updated the README file.

   *Ralf S. Engelschall*

 * Added various .cvsignore files in the CVS repository subdirs
   to make a "cvs update" really silent.

   *Ralf S. Engelschall*

 * Recompiled the error-definition header files and added
   missing symbols to the Win32 linker tables.

   *Ralf S. Engelschall*

 * Cleaned up the top-level documents:
   o new files: CHANGES and LICENSE
   o merged VERSION, HISTORY* and README* files into CHANGES.SSLeay
   o merged COPYRIGHT into LICENSE
   o removed obsolete TODO file
   o renamed MICROSOFT to INSTALL.W32

   *Ralf S. Engelschall*

 * Removed dummy files from the 0.9.1b source tree:
   crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
   crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
   crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
   crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
   util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f

   *Ralf S. Engelschall*

 * Added various platform portability fixes.

   *Mark J. Cox*

 * The Genesis of the OpenSSL project:
   We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
   Young and Tim J. Hudson created while they were working for C2Net until
   summer 1998.

   *The OpenSSL Project*

### Changes between 0.9.0b and 0.9.1b [not released]

 * Updated a few CA certificates under certs/

   *Eric A. Young*

 * Changed some BIGNUM api stuff.

   *Eric A. Young*

 * Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
   DGUX x86, Linux Alpha, etc.

   *Eric A. Young*

 * New COMP library [crypto/comp/] for SSL Record Layer Compression:
   RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
   available).

   *Eric A. Young*

 * Add -strparse option to asn1pars program which parses nested
   binary structures.

   *Dr Stephen Henson <shenson@bigfoot.com>*

 * Added "oid_file" to ssleay.cnf for "ca" and "req" programs.

   *Eric A. Young*

 * DSA fix for "ca" program.

   *Eric A. Young*

 * Added "-genkey" option to "dsaparam" program.

   *Eric A. Young*

 * Added RIPE MD160 (rmd160) message digest.

   *Eric A. Young*

 * Added -a (all) option to "ssleay version" command.

   *Eric A. Young*

 * Added PLATFORM define which is the id given to Configure.

   *Eric A. Young*

 * Added MemCheck_XXXX functions to crypto/mem.c for memory checking.

   *Eric A. Young*

 * Extended the ASN.1 parser routines.

   *Eric A. Young*

 * Extended BIO routines to support REUSEADDR, seek, tell, etc.

   *Eric A. Young*

 * Added a BN_CTX to the BN library.

   *Eric A. Young*

 * Fixed the weak key values in DES library.

   *Eric A. Young*

 * Changed API in EVP library for cipher aliases.

   *Eric A. Young*

 * Added support for RC2/64bit cipher.

   *Eric A. Young*

 * Converted the lhash library to the crypto/mem.c functions.

   *Eric A. Young*

 * Added more recognized ASN.1 object ids.

   *Eric A. Young*

 * Added more RSA padding checks for SSL/TLS.

   *Eric A. Young*

 * Added BIO proxy/filter functionality.

   *Eric A. Young*

 * Added extra_certs to SSL_CTX which can be used to
   send extra CA certificates to the client in the CA cert chain sending
   process. It can be configured with SSL_CTX_add_extra_chain_cert().

   *Eric A. Young*

 * Now Fortezza is denied in the authentication phase because
   this key exchange mechanism is not supported by SSLeay at all.

   *Eric A. Young*

 * Additional PKCS1 checks.

   *Eric A. Young*

 * Support the string "TLSv1" for all TLS v1 ciphers.

   *Eric A. Young*

 * Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
   ex_data index of the SSL context in the X509_STORE_CTX ex_data.

   *Eric A. Young*

 * Fixed a few memory leaks.

   *Eric A. Young*

 * Fixed various code and comment typos.

   *Eric A. Young*

 * A minor bug in ssl/s3_clnt.c where there would always be 4 zero
   bytes sent in the client random.

   *Edward Bishop <ebishop@spyglass.com>*

<!-- Links -->

[CVE-2025-4575]: https://www.openssl.org/news/vulnerabilities.html#CVE-2025-4575
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
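The 0.9.1c entry above reading "SETs were incorrectly DER encoded ... they shared code with SEQUENCEs, which aren't coded the same" is worth seeing in code, because the difference is what makes DER canonical: X.690 requires the element encodings of a SET OF to be sorted as octet strings (shorter ones treated as padded with zero octets), whereas a SEQUENCE OF keeps the order the caller supplied. Encoding both through one SEQUENCE path silently produces non-canonical SETs, which then fail signature checks or byte-for-byte comparison against a correctly encoded copy. The following is an added example, not OpenSSL's own code: `der_constructed`, `der_elem` and the sample INTEGER encodings are this example's own names and constructed values.

```c
/* Added example, not OpenSSL code: a minimal DER encoder for constructed
 * types, illustrating the point behind "SETs were incorrectly DER encoded".
 * X.690 requires SET OF element encodings to be sorted as octet strings
 * (shorter ones padded with zero octets), while SEQUENCE OF keeps the order
 * given; sharing one code path for both yields non-canonical SETs. Names and
 * sample values are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DER_SEQUENCE 0x30
#define DER_SET      0x31

typedef struct { const unsigned char *der; size_t len; } der_elem;

/* DER length octets, short or long form; returns number of octets written. */
static size_t der_len(unsigned char *out, size_t len)
{
    size_t n = 0, tmp = len;
    if (len < 0x80) { out[0] = (unsigned char)len; return 1; }
    while (tmp) { n++; tmp >>= 8; }
    out[0] = (unsigned char)(0x80 | n);
    for (size_t i = 0; i < n; i++)
        out[1 + i] = (unsigned char)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* X.690 11.6 ordering for SET OF: compare as octet strings, the shorter
 * one treated as padded at the end with zero octets. */
static int der_elem_cmp(const void *pa, const void *pb)
{
    const der_elem *a = pa, *b = pb;
    size_t n = a->len < b->len ? a->len : b->len;
    int c = memcmp(a->der, b->der, n);
    if (c != 0) return c;
    for (size_t i = n; i < a->len; i++) if (a->der[i]) return 1;
    for (size_t i = n; i < b->len; i++) if (b->der[i]) return -1;
    return 0;
}

/* Build a constructed TLV from already-encoded elements. SEQUENCE OF keeps
 * the caller's order; SET OF sorts elems in place first. Returns the TLV
 * length, or 0 if out is too small. */
size_t der_constructed(unsigned char tag, der_elem *elems, size_t n,
                       unsigned char *out, size_t outlen)
{
    unsigned char lenbuf[9];
    size_t clen = 0, hl, pos;
    if (tag == DER_SET) qsort(elems, n, sizeof *elems, der_elem_cmp);
    for (size_t i = 0; i < n; i++) clen += elems[i].len;
    hl = der_len(lenbuf, clen);
    if (outlen < 1 + hl + clen) return 0;
    out[0] = tag;
    memcpy(out + 1, lenbuf, hl);
    pos = 1 + hl;
    for (size_t i = 0; i < n; i++) {
        memcpy(out + pos, elems[i].der, elems[i].len);
        pos += elems[i].len;
    }
    return pos;
}

/* Constructed sample: INTEGERs 2, 1 and 256, deliberately out of order.
 * Returns 1 if SEQUENCE OF keeps that order and SET OF reorders to 1, 2, 256
 * (02 01 01 < 02 01 02 < 02 02 01 00), else 0. */
int check_set_vs_sequence(void)
{
    static const unsigned char i2[] = { 0x02, 0x01, 0x02 };
    static const unsigned char i1[] = { 0x02, 0x01, 0x01 };
    static const unsigned char i256[] = { 0x02, 0x02, 0x01, 0x00 };
    static const unsigned char want_seq[] = { 0x30, 0x0A, 0x02, 0x01, 0x02,
        0x02, 0x01, 0x01, 0x02, 0x02, 0x01, 0x00 };
    static const unsigned char want_set[] = { 0x31, 0x0A, 0x02, 0x01, 0x01,
        0x02, 0x01, 0x02, 0x02, 0x02, 0x01, 0x00 };
    der_elem seq_in[] = { { i2, 3 }, { i1, 3 }, { i256, 4 } };
    der_elem set_in[] = { { i2, 3 }, { i1, 3 }, { i256, 4 } };
    unsigned char out[32];
    size_t n;

    n = der_constructed(DER_SEQUENCE, seq_in, 3, out, sizeof out);
    if (n != sizeof want_seq || memcmp(out, want_seq, n) != 0) return 0;
    n = der_constructed(DER_SET, set_in, 3, out, sizeof out);
    return n == sizeof want_set && memcmp(out, want_set, n) == 0;
}

int main(void)
{
    printf("SET OF vs SEQUENCE OF ordering: %s\n",
           check_set_vs_sequence() ? "ok" : "FAILED");
    return 0;
}
```

The practical consequence for a verifier is the mirror image: a SET OF whose elements are not in this order is not DER at all, and a strict decoder should reject it rather than accept two different byte strings for the same value.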