OpenSSL CHANGES
_______________

Changes between 1.0.1q and 1.0.1r [28 Jan 2016]

*) Protection for DH small subgroup attacks
As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
switched on by default and cannot be disabled. This could have some
performance impact.
[Matt Caswell]

*) SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
and Sebastian Schinzel.
(CVE-2015-3197)
[Viktor Dukhovni]

*) Reject DH handshakes with parameters shorter than 1024 bits.
[Kurt Roeckx]

Changes between 1.0.1p and 1.0.1q [3 Dec 2015]

*) Certificate verify crash with missing PSS parameter
The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and absent mask generation function parameter. Since these
routines are used to verify certificate signature algorithms this can be
used to crash any certificate verification operation and exploited in a
DoS attack. Any application which performs certificate verification is
vulnerable including OpenSSL clients and servers which enable client
authentication.
This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
(CVE-2015-3194)
[Stephen Henson]

*) X509_ATTRIBUTE memory leak
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is
affected. SSL/TLS is not affected.
This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
libFuzzer.
(CVE-2015-3195)
[Stephen Henson]

*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
This changes the decoding behaviour for some invalid messages,
though the change is mostly in the more lenient direction, and
legacy behaviour is preserved as much as possible.
[Emilia Käsper]

*) In DSA_generate_parameters_ex, if the provided seed is too short,
return an error.
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]

Changes between 1.0.1o and 1.0.1p [9 Jul 2015]

*) Alternate chains certificate forgery
During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
(CVE-2015-1793)
[Matt Caswell]

*) Race condition handling PSK identity hint
If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identity hint data.
(CVE-2015-3196)
[Stephen Henson]

Changes between 1.0.1n and 1.0.1o [12 Jun 2015]

*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.

Changes between 1.0.1m and 1.0.1n [11 Jun 2015]

*) Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop
if the curve specified is over a specially malformed binary polynomial
field.
This can be used to perform denial of service against any
system which processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
(CVE-2015-1788)
[Andy Polyakov]

*) Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in
a DoS on applications that verify certificates or CRLs. TLS clients
that verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
(CVE-2015-1789)
[Emilia Käsper]

*) PKCS7 crash with missing EnvelopedContent
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-1790)
[Emilia Käsper]

*) CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop
if presented with an unknown hash function OID. This can be used to perform
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
(CVE-2015-1792)
[Stephen Henson]

*) Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
(CVE-2015-1791)
[Matt Caswell]

*) Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]

*) dhparam: generate 2048-bit parameters by default.
[Kurt Roeckx and Emilia Kasper]

Changes between 1.0.1l and 1.0.1m [19 Mar 2015]

*) Segmentation fault in ASN1_TYPE_cmp fix
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
(CVE-2015-0286)
[Stephen Henson]

*) ASN.1 structure reuse memory corruption fix
Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.
Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) is however not affected. OpenSSL clients and servers are
not affected.
(CVE-2015-0287)
[Stephen Henson]

*) PKCS7 NULL pointer dereferences fix
The PKCS#7 parsing code does not handle missing outer ContentInfo
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-0289)
[Emilia Käsper]

*) DoS via reachable assert in SSLv2 servers fix
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
(CVE-2015-0293)
[Emilia Käsper]

*) Use After Free following d2i_ECPrivateKey error fix
A malformed EC private key file consumed via the d2i_ECPrivateKey function
could cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.
This issue was discovered by the BoringSSL project and fixed in their
commit 517073cd4b.
(CVE-2015-0209)
[Matt Caswell]

*) X509_to_X509_REQ NULL pointer deref fix
The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.
This issue was discovered by Brian Carpenter.
(CVE-2015-0288)
[Stephen Henson]

*) Removed the export ciphers from the DEFAULT ciphers
[Kurt Roeckx]

Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

*) Build fixes for the Windows and OpenVMS platforms
[Matt Caswell and Richard Levitte]

Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

*) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
message can cause a segmentation fault in OpenSSL due to a NULL pointer
dereference. This could lead to a Denial Of Service attack. Thanks to
Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
(CVE-2014-3571)
[Steve Henson]

*) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
dtls1_buffer_record function under certain conditions. In particular this
could occur if an attacker sent repeated DTLS records with the same
sequence number but for the next epoch. The memory leak could be exploited
by an attacker in a Denial of Service attack through memory exhaustion.
Thanks to Chris Mueller for reporting this issue.
(CVE-2015-0206)
[Matt Caswell]

*) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
method would be set to NULL which could later result in a NULL pointer
dereference. Thanks to Frank Schmirler for reporting this issue.
(CVE-2014-3569)
[Kurt Roeckx]

*) Abort handshake if server key exchange message is omitted for ephemeral
ECDH ciphersuites.
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
reporting this issue.
(CVE-2014-3572)
[Steve Henson]

*) Remove non-export ephemeral RSA code on client and server. This code
violated the TLS standard by allowing the use of temporary RSA keys in
non-export ciphersuites and could be used by a server to effectively
downgrade the RSA key length used to a value smaller than the server
certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
INRIA for reporting this issue.
(CVE-2015-0204)
[Steve Henson]

*) Fixed issue where DH client certificates are accepted without verification.
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client to
authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
this issue.
(CVE-2015-0205)
[Steve Henson]

*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.
The session ID context is typically set from the parent SSL_CTX,
and can vary with the CTX.
[Adam Langley]

*) Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
Thanks to Konrad Kraszewski from Google for reporting this issue.
3. Check DSA/ECDSA signatures use DER.
Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
Further analysis was conducted and fixes were developed by Stephen Henson
of the OpenSSL core team.
(CVE-2014-8275)
[Steve Henson]
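The encoding variants that check 3 above rejects (trailing garbage, BER lengths, negative or zero-padded INTEGERs) can be spelled out as explicit tests on the received bytes. The following is an added illustration written for this page, not OpenSSL's implementation (which reaches the same verdicts by re-encoding and comparing); the sample signatures are constructed with one-byte r and s values.

```c
#include <stddef.h>
#include <stdio.h>

/* Verdicts for a DSA/ECDSA signature value, SEQUENCE { INTEGER r, INTEGER s }. */
enum sig_verdict {
    SIG_OK = 0,
    SIG_BAD_STRUCTURE,    /* not a SEQUENCE of two INTEGERs, or truncated */
    SIG_NON_DER_LENGTH,   /* indefinite (BER) or non-minimal length encoding */
    SIG_BAD_INTEGER,      /* negative, empty, or padded with a needless 0x00 */
    SIG_TRAILING_GARBAGE  /* bytes after the end of the outer SEQUENCE */
};

/* Parse a DER length at in[0..n). Returns header bytes consumed, 0 on error. */
static size_t der_length(const unsigned char *in, size_t n, size_t *len,
                         enum sig_verdict *why)
{
    size_t i, k;

    if (n == 0) { *why = SIG_BAD_STRUCTURE; return 0; }
    if (in[0] < 0x80) { *len = in[0]; return 1; }      /* short form */
    k = in[0] & 0x7f;                                  /* 0x80 itself = indefinite */
    if (k == 0 || k > sizeof(size_t) || k >= n) { *why = SIG_NON_DER_LENGTH; return 0; }
    if (in[1] == 0) { *why = SIG_NON_DER_LENGTH; return 0; } /* leading zero octet */
    *len = 0;
    for (i = 0; i < k; i++)
        *len = (*len << 8) | in[1 + i];
    if (*len < 0x80) { *why = SIG_NON_DER_LENGTH; return 0; } /* short form was due */
    return 1 + k;
}

/* Check one positive INTEGER at in[0..n); returns bytes consumed, 0 on error. */
static size_t der_positive_integer(const unsigned char *in, size_t n,
                                   enum sig_verdict *why)
{
    size_t hl, len;
    const unsigned char *v;

    if (n < 2 || in[0] != 0x02) { *why = SIG_BAD_STRUCTURE; return 0; }
    hl = der_length(in + 1, n - 1, &len, why);
    if (hl == 0) return 0;
    if (len > n - 1 - hl) { *why = SIG_BAD_STRUCTURE; return 0; }
    if (len == 0) { *why = SIG_BAD_INTEGER; return 0; }
    v = in + 1 + hl;
    if (v[0] & 0x80) { *why = SIG_BAD_INTEGER; return 0; }   /* negative r or s */
    if (len > 1 && v[0] == 0x00 && !(v[1] & 0x80)) {         /* needless padding */
        *why = SIG_BAD_INTEGER; return 0;
    }
    return 1 + hl + len;
}

/* Strict-DER verdict for the whole signature blob sig[0..n). */
enum sig_verdict check_dsa_sig_der(const unsigned char *sig, size_t n)
{
    enum sig_verdict why = SIG_OK;
    size_t hl, len, used = 0, k;

    if (n < 2 || sig[0] != 0x30) return SIG_BAD_STRUCTURE;
    hl = der_length(sig + 1, n - 1, &len, &why);
    if (hl == 0) return why;
    if (len > n - 1 - hl) return SIG_BAD_STRUCTURE;
    if (len < n - 1 - hl) return SIG_TRAILING_GARBAGE;  /* "garbage after signature" */
    for (k = 0; k < 2; k++) {                           /* r, then s */
        size_t e = der_positive_integer(sig + 1 + hl + used, len - used, &why);
        if (e == 0) return why;
        used += e;
    }
    return used == len ? SIG_OK : SIG_BAD_STRUCTURE;    /* more than two elements */
}

/* Constructed samples: a valid pair, one needing a 0x00 pad, and tampered copies. */
static const unsigned char sig_good[]     = {0x30,0x06, 0x02,0x01,0x2a, 0x02,0x01,0x11};
static const unsigned char sig_padok[]    = {0x30,0x07, 0x02,0x02,0x00,0x80, 0x02,0x01,0x11};
static const unsigned char sig_trailing[] = {0x30,0x06, 0x02,0x01,0x2a, 0x02,0x01,0x11, 0x00};
static const unsigned char sig_padded[]   = {0x30,0x07, 0x02,0x02,0x00,0x2a, 0x02,0x01,0x11};
static const unsigned char sig_negative[] = {0x30,0x06, 0x02,0x01,0xaa, 0x02,0x01,0x11};
static const unsigned char sig_longform[] = {0x30,0x81,0x06, 0x02,0x01,0x2a, 0x02,0x01,0x11};
static const unsigned char sig_indef[]    = {0x30,0x80, 0x02,0x01,0x2a, 0x02,0x01,0x11, 0x00,0x00};

int main(void)
{
    static const char *names[] = {"ok", "bad structure", "non-DER length",
                                  "bad integer", "trailing garbage"};
    printf("good:      %s\n", names[check_dsa_sig_der(sig_good, sizeof(sig_good))]);
    printf("padok:     %s\n", names[check_dsa_sig_der(sig_padok, sizeof(sig_padok))]);
    printf("trailing:  %s\n", names[check_dsa_sig_der(sig_trailing, sizeof(sig_trailing))]);
    printf("padded:    %s\n", names[check_dsa_sig_der(sig_padded, sizeof(sig_padded))]);
    printf("negative:  %s\n", names[check_dsa_sig_der(sig_negative, sizeof(sig_negative))]);
    printf("longform:  %s\n", names[check_dsa_sig_der(sig_longform, sizeof(sig_longform))]);
    printf("indef:     %s\n", names[check_dsa_sig_der(sig_indef, sizeof(sig_indef))]);
    return 0;
}
```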

*) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
results on some platforms, including x86_64. This bug occurs at random
with a very low probability, and is not known to be exploitable in any
way, though its exact impact is difficult to determine. Thanks to Pieter
Wuille (Blockstream) who reported this issue and also suggested an initial
fix. Further analysis was conducted by the OpenSSL development team and
Adam Langley of Google. The final fix was developed by Andy Polyakov of
the OpenSSL core team.
(CVE-2014-3570)
[Andy Polyakov]

*) Do not resume sessions on the server if the negotiated protocol
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable
sanity and breaks all known clients.
[David Benjamin, Emilia Käsper]

*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
early CCS messages during renegotiation. (Note that because
renegotiation is encrypted, this early CCS was not exploitable.)
[Emilia Käsper]

*) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
Similarly, ensure that the client requires a session ticket if one
was advertised in the ServerHello. Previously, a TLS client would
ignore a missing NewSessionTicket message.
[Emilia Käsper]

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

*) SRTP Memory Leak.
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]

*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]

*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]

*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]

*) Add additional DigestInfo checks.
Reencode DigestInfo in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently known.
[Steve Henson]

Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for discovering this issue.
(CVE-2014-3512)
[Steve Henson]

*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue.
(CVE-2014-3511)
[David Benjamin]

*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
[Emilia Käsper]

*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3507)
[Adam Langley]

*) An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3506)
[Adam Langley]

*) An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
(CVE-2014-3505)
[Adam Langley]

*) If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory.
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
(CVE-2014-3509)
[Gabor Tyukasz]

*) A malicious server can crash an OpenSSL client with a null pointer
dereference (read) by specifying an SRP ciphersuite even though it was not
properly negotiated with the client. This can be exploited through a
Denial of Service attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]

*) A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. Applications may be affected if they echo pretty printing
output to the attacker.
Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
[Emilia Käsper, and Steve Henson]

*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]

Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue. (CVE-2014-0224)
[KIKUCHI Masashi, Steve Henson]

*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(CVE-2014-0221)
[Imre Rad, Steve Henson]

*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
[Jüri Aedla, Steve Henson]

*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
[Felix Gröbert, Ivan Fratric, Steve Henson]

*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha <mancha1@zoho.com>]

*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey.
[mancha <mancha1@zoho.com>]

*) Fix some double frees. These are not thought to be exploitable.
[mancha <mancha1@zoho.com>]

Changes between 1.0.1f and 1.0.1g [7 Apr 2014]

*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]

*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]

*) TLS pad extension: draft-agl-tls-padding-03
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less than 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long.
[Adam Langley, Steve Henson]

Changes between 1.0.1e and 1.0.1f [6 Jan 2014]

*) Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issue.
(CVE-2013-4353)

*) Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
to be resent. (CVE-2013-6450)
[Steve Henson]

*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
[Rob Stradling, Adam Langley]

Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]

Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
(CVE-2013-0169)
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
Thanks go to Adam Langley <agl@chromium.org> for discovering
and detecting this bug and to Wolfgang Ettlinger
<wolfgang.ettlinger@gmail.com> for independently discovering this issue.
(CVE-2012-2686)
[Adam Langley]

*) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]

*) Make openssl verify return errors.
[Chris Palmer <palmer@google.com> and Ben Laurie]

*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
See http://rt.openssl.org/Ticket/Display.html?id=2836.
[Rob Stradling <rob.stradling@comodo.com>]

*) Fix possible deadlock when decoding public keys.
[Steve Henson]

*) Don't use TLS 1.0 record version number in initial client hello
if renegotiating.
[Steve Henson]

Changes between 1.0.1b and 1.0.1c [10 May 2012]

*) Sanity check record length before skipping explicit IV in TLS
1.2, 1.1 and DTLS to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
[Steve Henson]

*) Initialise tkeylen properly when encrypting CMS messages.
Thanks to Solar Designer of Openwall for reporting this issue.
[Steve Henson]

*) In FIPS mode don't try to use composite ciphers as they are not
approved.
[Steve Henson]

Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
mean any application compiled against OpenSSL 1.0.0 headers setting
SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
0x10000000L. Any application which was previously compiled against
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
will need to be recompiled as a result. Leaving it as it is results in
an inability to disable TLS 1.1 specifically and, in a client context,
in the unlikely event, limits the maximum offered version to TLS 1.0 [see below].
[Steve Henson]

*) In order to ensure interoperability SSL_OP_NO_protocolX does not
disable just protocol X, but all protocols above X *if* there are
protocols *below* X still enabled. In more practical terms it means
that if application wants to disable TLS1.0 in favor of TLS1.1 and
above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
client side.
[Andy Polyakov]
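The two entries above interact: the bit collision decides whether SSL_OP_ALL sets the TLS 1.1 disabling bit, and the contiguous-range rule decides what a client then offers. The model below is an added illustration for this page, not OpenSSL code; SSL_OP_ALL and both SSL_OP_NO_TLSv1_1 values are the ones quoted in the entries, while the remaining SSL_OP_NO_* values are assumed to be those of the 1.0.1 headers.

```c
#include <stdio.h>

/* Option bits. OP_ALL and the two OP_NO_TLSv1_1 values are quoted in the
 * entries above; the other four are assumed from the 1.0.1 headers. */
#define OP_ALL_1_0_0       0x80000FFFL  /* SSL_OP_ALL as compiled into 1.0.0-era apps */
#define OP_NO_TLSv1_1_OLD  0x00000400L  /* 1.0.1 / 1.0.1a: lies inside OP_ALL_1_0_0 */
#define OP_NO_TLSv1_1_NEW  0x10000000L  /* 1.0.1b: outside OP_ALL_1_0_0 */
#define OP_NO_SSLv2        0x01000000L  /* assumed */
#define OP_NO_SSLv3        0x02000000L  /* assumed */
#define OP_NO_TLSv1        0x04000000L  /* assumed */
#define OP_NO_TLSv1_2      0x08000000L  /* assumed */

/* Wire version numbers, lowest first. */
enum { SSL2_VERSION = 0x0002, SSL3_VERSION = 0x0300, TLS1_VERSION = 0x0301,
       TLS1_1_VERSION = 0x0302, TLS1_2_VERSION = 0x0303 };

/* Disabling bit for the idx-th version (ascending); headers_1_0_1a selects
 * the pre-fix SSL_OP_NO_TLSv1_1 value. */
static long no_bit(int idx, int headers_1_0_1a)
{
    static const long bits[5] = {OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1, 0, OP_NO_TLSv1_2};
    if (idx == 3)
        return headers_1_0_1a ? OP_NO_TLSv1_1_OLD : OP_NO_TLSv1_1_NEW;
    return bits[idx];
}

/* Does an application that sets the 1.0.0 SSL_OP_ALL also disable TLS 1.1? */
int op_all_disables_tls1_1(int headers_1_0_1a)
{
    long bit = headers_1_0_1a ? OP_NO_TLSv1_1_OLD : OP_NO_TLSv1_1_NEW;
    return (OP_ALL_1_0_0 & bit) != 0;
}

/* Highest version a client offers under the rule in the second entry:
 * SSL_OP_NO_protocolX also disables everything above X when a version below
 * X is still enabled, so the offered set is the contiguous run of enabled
 * versions that starts at the lowest enabled one. Returns 0 if nothing is
 * left enabled. */
int max_offered_version(long options, int headers_1_0_1a)
{
    static const int versions[5] = {SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
                                    TLS1_1_VERSION, TLS1_2_VERSION};
    int i, best = 0;

    for (i = 0; i < 5; i++) {
        if (options & no_bit(i, headers_1_0_1a)) {
            if (best != 0)
                break;      /* a lower version is enabled: the run ends here */
            continue;       /* nothing enabled yet: keep looking upward */
        }
        best = versions[i];
    }
    return best;
}

int main(void)
{
    printf("SSL_OP_ALL (1.0.0) disables TLS 1.1: with 1.0.1a headers %d, with 1.0.1b %d\n",
           op_all_disables_tls1_1(1), op_all_disables_tls1_1(0));
    printf("SSL_OP_ALL, 1.0.1a headers -> max 0x%04x\n", max_offered_version(OP_ALL_1_0_0, 1));
    printf("SSL_OP_ALL, 1.0.1b headers -> max 0x%04x\n", max_offered_version(OP_ALL_1_0_0, 0));
    printf("SSL_OP_NO_TLSv1 only       -> max 0x%04x\n", max_offered_version(OP_NO_TLSv1, 0));
    printf("NO_TLSv1|NO_SSLv3|NO_SSLv2 -> max 0x%04x\n",
           max_offered_version(OP_NO_TLSv1 | OP_NO_SSLv3 | OP_NO_SSLv2, 0));
    return 0;
}
```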

Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

*) Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it.
(CVE-2012-2110)
[Adam Langley (Google), Tavis Ormandy, Google Security Team]

*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
[Adam Langley]

*) Workarounds for some broken servers that "hang" if a client hello
record length exceeds 255 bytes.
1. Do not use record version number > TLS 1.0 in initial client
hello: some (but not all) hanging servers will now work.
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
the number of ciphers sent in the client hello. This should be
set to an even number, such as 50, for example by passing:
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
Most broken servers should now work.
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
TLS 1.2 client support entirely.
[Steve Henson]

*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
[Andy Polyakov]

Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

*) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
STRING form instead of a DigestInfo.
[Steve Henson]

*) The format used for MDC2 RSA signatures is inconsistent between EVP
and the RSA_sign/RSA_verify functions. This was made more apparent when
OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
the correct format in RSA_verify so both forms transparently work.
[Steve Henson]

*) Some servers which support TLS 1.0 can choke if we initially indicate
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
encrypted premaster secret. As a workaround use the maximum permitted
client version in client hello, this should keep such servers happy
and still work with previous versions of OpenSSL.
[Steve Henson]

*) Add support for TLS/DTLS heartbeats.
[Robin Seggelmann <seggelmann@fh-muenster.de>]

*) Add support for SCTP.
[Robin Seggelmann <seggelmann@fh-muenster.de>]

*) Improved PRNG seeding for VOS.
[Paul Green <Paul.Green@stratus.com>]

*) Extensive assembler packs updates, most notably:
- x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
- x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
- x86_64: bit-sliced AES implementation;
- ARM: NEON support, contemporary platforms optimizations;
- s390x: z196 support;
- *: GHASH and GF(2^m) multiplication implementations;
[Andy Polyakov]

*) Make TLS-SRP code conformant with RFC 5054 API cleanup
(removal of unnecessary code)
[Peter Sylvester <peter.sylvester@edelweb.fr>]

*) Add TLS key material exporter from RFC 5705.
[Eric Rescorla]

*) Add DTLS-SRTP negotiation from RFC 5764.
[Eric Rescorla]

*) Add Next Protocol Negotiation,
http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
disabled with a no-npn flag to config or Configure. Code donated
by Google.
[Adam Langley <agl@google.com> and Ben Laurie]

*) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
NIST-P256, NIST-P521, with constant-time single point multiplication on
typical inputs. Compiler support for the nonstandard type __uint128_t is
required to use this (present in gcc 4.4 and later, for 64-bit builds).
Code made available under Apache License version 2.0.
Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
line to include this in your build of OpenSSL, and run "make depend" (or
"make update"). This enables the following EC_METHODs:
EC_GFp_nistp224_method()
EC_GFp_nistp256_method()
EC_GFp_nistp521_method()
EC_GROUP_new_by_curve_name() will automatically use these (while
EC_GROUP_new_curve_GFp() currently prefers the more flexible
implementations).
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]

*) Use type ossl_ssize_t instead of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]

*) New -sigopt option to the ca, req and x509 utilities. Additional
signature parameters can be passed using this option and in
particular PSS.
[Steve Henson]

*) Add RSA PSS signing function. This will generate and set the
appropriate AlgorithmIdentifiers for PSS based on those in the
corresponding EVP_MD_CTX structure. No application support yet.
[Steve Henson]

*) Support for companion algorithm specific ASN1 signing routines.
New function ASN1_item_sign_ctx() signs a pre-initialised
EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
the appropriate parameters.
[Steve Henson]

*) Add new algorithm specific ASN1 verification initialisation function
to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
handling will be the same no matter what EVP_PKEY_METHOD is used.
Add a PSS handler to support verification of PSS signatures: checked | |
against a number of sample certificates. | |
[Steve Henson] | |
*) Add signature printing for PSS. Add PSS OIDs. | |
[Steve Henson, Martin Kaiser <lists@kaiser.cx>] | |
*) Add algorithm specific signature printing. An individual ASN1 method | |
can now print out signatures instead of the standard hex dump. | |
More complex signatures (e.g. PSS) can print out more meaningful | |
information. Include DSA version that prints out the signature | |
parameters r, s. | |
[Steve Henson] | |
*) Password based recipient info support for CMS library: implementing | |
RFC3211. | |
[Steve Henson] | |
*) Split password based encryption into PBES2 and PBKDF2 functions. This | |
neatly separates the code into cipher and PBE sections and is required | |
for some algorithms that split PBES2 into separate pieces (such as | |
password based CMS). | |
[Steve Henson] | |
*) Session-handling fixes: | |
- Fix handling of connections that are resuming with a session ID, | |
but also support Session Tickets. | |
- Fix a bug that suppressed issuing of a new ticket if the client | |
presented a ticket with an expired session. | |
- Try to set the ticket lifetime hint to something reasonable. | |
- Make tickets shorter by excluding irrelevant information. | |
- On the client side, don't ignore renewed tickets. | |
[Adam Langley, Bodo Moeller (Google)] | |
*) Fix PSK session representation. | |
[Bodo Moeller] | |
*) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. | |
This work was sponsored by Intel. | |
[Andy Polyakov] | |
*) Add GCM support to TLS library. Some custom code is needed to split | |
the IV between the fixed (from PRF) and explicit (from TLS record) | |
portions. This adds all GCM ciphersuites supported by RFC5288 and | |
RFC5289. Generalise some AES* cipherstrings to inlclude GCM and | |
add a special AESGCM string for GCM only. | |
[Steve Henson] | |
*) Expand range of ctrls for AES GCM. Permit setting invocation | |
field on decrypt and retrieval of invocation field only on encrypt. | |
[Steve Henson] | |
*) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support. | |
As required by RFC5289 these ciphersuites cannot be used if for | |
versions of TLS earlier than 1.2. | |
[Steve Henson] | |
*) For FIPS capable OpenSSL interpret a NULL default public key method | |
as unset and return the appopriate default but do *not* set the default. | |
This means we can return the appopriate method in applications that | |
swicth between FIPS and non-FIPS modes. | |
[Steve Henson] | |
*) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an | |
ENGINE is used then we cannot handle that in the FIPS module so we | |
keep original code iff non-FIPS operations are allowed. | |
[Steve Henson] | |
*) Add -attime option to openssl utilities. | |
[Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson] | |
*) Redirect DSA and DH operations to FIPS module in FIPS mode. | |
[Steve Henson] | |
*) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use | |
FIPS EC methods unconditionally for now. | |
[Steve Henson] | |
*) New build option no-ec2m to disable characteristic 2 code. | |
[Steve Henson] | |
*) Backport libcrypto audit of return value checking from 1.1.0-dev; not | |
all cases can be covered as some introduce binary incompatibilities. | |
[Steve Henson] | |
*) Redirect RSA operations to FIPS module including keygen, | |
encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods. | |
[Steve Henson] | |
*) Add similar low level API blocking to ciphers. | |
[Steve Henson] | |
*) Low level digest APIs are not approved in FIPS mode: any attempt | |
to use these will cause a fatal error. Applications that *really* want | |
to use them can use the private_* version instead. | |
[Steve Henson] | |
*) Redirect cipher operations to FIPS module for FIPS builds. | |
[Steve Henson] | |
*) Redirect digest operations to FIPS module for FIPS builds. | |
[Steve Henson] | |
*) Update build system to add "fips" flag which will link in fipscanister.o | |
for static and shared library builds embedding a signature if needed. | |
[Steve Henson] | |
*) Output TLS supported curves in preference order instead of numerical | |
order. This is currently hardcoded for the highest order curves first. | |
This should be configurable so applications can judge speed vs strength. | |
[Steve Henson] | |
*) Add TLS v1.2 server support for client authentication. | |
[Steve Henson] | |
*) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers | |
and enable MD5. | |
[Steve Henson] | |
*) Functions FIPS_mode_set() and FIPS_mode() which call the underlying | |
FIPS modules versions. | |
[Steve Henson] | |
*) Add TLS v1.2 client side support for client authentication. Keep cache | |
of handshake records longer as we don't know the hash algorithm to use | |
until after the certificate request message is received. | |
[Steve Henson] | |
*) Initial TLS v1.2 client support. Add a default signature algorithms | |
extension including all the algorithms we support. Parse new signature | |
format in client key exchange. Relax some ECC signing restrictions for | |
TLS v1.2 as indicated in RFC5246. | |
[Steve Henson] | |
*) Add server support for TLS v1.2 signature algorithms extension. Switch | |
to new signature format when needed using client digest preference. | |
All server ciphersuites should now work correctly in TLS v1.2. No client | |
support yet and no support for client certificates. | |
[Steve Henson] | |
*) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch | |
to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based | |
ciphersuites. At present only RSA key exchange ciphersuites work with | |
TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete | |
SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods | |
and version checking. | |
[Steve Henson] | |
*) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled | |
with this defined it will not be affected by any changes to ssl internal | |
structures. Add several utility functions to allow openssl application | |
to work with OPENSSL_NO_SSL_INTERN defined. | |
[Steve Henson] | |
*) Add SRP support. | |
[Tom Wu <tjw@cs.stanford.edu> and Ben Laurie] | |
*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. | |
[Steve Henson] | |
*) Permit abbreviated handshakes when renegotiating using the function | |
SSL_renegotiate_abbreviated(). | |
[Robin Seggelmann <seggelmann@fh-muenster.de>] | |
*) Add call to ENGINE_register_all_complete() to | |
ENGINE_load_builtin_engines(), so some implementations get used | |
automatically instead of needing explicit application support. | |
[Steve Henson] | |
*) Add support for TLS key exporter as described in RFC5705. | |
[Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson] | |
*) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only | |
a few changes are required: | |
Add SSL_OP_NO_TLSv1_1 flag. | |
Add TLSv1_1 methods. | |
Update version checking logic to handle version 1.1. | |
Add explicit IV handling (ported from DTLS code). | |
Add command line options to s_client/s_server. | |
[Steve Henson] | |
Changes between 1.0.0g and 1.0.0h [12 Mar 2012] | |
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness | |
in CMS and PKCS7 code. When RSA decryption fails use a random key for | |
content decryption and always return the same error. Note: this attack | |
needs on average 2^20 messages so it only affects automated senders. The | |
old behaviour can be reenabled in the CMS code by setting the | |
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where | |
an MMA defence is not necessary. | |
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering | |
this issue. (CVE-2012-0884) | |
[Steve Henson] | |
*) Fix CVE-2011-4619: make sure we really are receiving a | |
client hello before rejecting multiple SGC restarts. Thanks to | |
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. | |
[Steve Henson] | |
Changes between 1.0.0f and 1.0.0g [18 Jan 2012] | |
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. | |
Thanks to Antonio Martin, Enterprise Secure Access Research and | |
Development, Cisco Systems, Inc. for discovering this bug and | |
preparing a fix. (CVE-2012-0050) | |
[Antonio Martin] | |
Changes between 1.0.0e and 1.0.0f [4 Jan 2012] | |
*) Nadhem Alfardan and Kenny Paterson have discovered an extension | |
of the Vaudenay padding oracle attack on CBC mode encryption | |
which enables an efficient plaintext recovery attack against | |
the OpenSSL implementation of DTLS. Their attack exploits timing | |
differences arising during decryption processing. A research | |
paper describing this attack can be found at: | |
http://www.isg.rhul.ac.uk/~kp/dtls.pdf | |
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information | |
Security Group at Royal Holloway, University of London | |
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann | |
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> | |
for preparing the fix. (CVE-2011-4108) | |
[Robin Seggelmann, Michael Tuexen] | |
*) Clear bytes used for block padding of SSL 3.0 records. | |
(CVE-2011-4576) | |
[Adam Langley (Google)] | |
*) Only allow one SGC handshake restart for SSL/TLS. Thanks to George | |
Kadianakis <desnacked@gmail.com> for discovering this issue and | |
Adam Langley for preparing the fix. (CVE-2011-4619) | |
[Adam Langley (Google)] | |
*) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027) | |
[Andrey Kulikov <amdeich@gmail.com>] | |
*) Prevent malformed RFC3779 data triggering an assertion failure. | |
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw | |
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) | |
[Rob Austein <sra@hactrn.net>] | |
*) Improved PRNG seeding for VOS. | |
[Paul Green <Paul.Green@stratus.com>] | |
*) Fix ssl_ciph.c set-up race. | |
[Adam Langley (Google)] | |
*) Fix spurious failures in ecdsatest.c. | |
[Emilia Käsper (Google)] | |
*) Fix the BIO_f_buffer() implementation (which was mixing different | |
interpretations of the '..._len' fields). | |
[Adam Langley (Google)] | |
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than | |
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent | |
threads won't reuse the same blinding coefficients. | |
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING | |
lock to call BN_BLINDING_invert_ex, and avoids one use of | |
BN_BLINDING_update for each BN_BLINDING structure (previously, | |
the last update always remained unused). | |
[Emilia Käsper (Google)] | |
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. | |
[Bob Buckholz (Google)] | |
Changes between 1.0.0d and 1.0.0e [6 Sep 2011] | |
*) Fix bug where CRLs with nextUpdate in the past are sometimes accepted | |
by initialising X509_STORE_CTX properly. (CVE-2011-3207) | |
[Kaspar Brand <ossl@velox.ch>] | |
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular | |
for multi-threaded use of ECDH. (CVE-2011-3210) | |
[Adam Langley (Google)] | |
*) Fix x509_name_ex_d2i memory leak on bad inputs. | |
[Bodo Moeller] | |
*) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check | |
signature public key algorithm by using OID xref utilities instead. | |
Before this you could only use some ECC ciphersuites with SHA1 only. | |
[Steve Henson] | |
*) Add protection against ECDSA timing attacks as mentioned in the paper | |
by Billy Bob Brumley and Nicola Tuveri, see: | |
http://eprint.iacr.org/2011/232.pdf | |
[Billy Bob Brumley and Nicola Tuveri] | |
Changes between 1.0.0c and 1.0.0d [8 Feb 2011] | |
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 | |
[Neel Mehta, Adam Langley, Bodo Moeller (Google)] | |
*) Fix bug in string printing code: if *any* escaping is enabled we must | |
escape the escape character (backslash) or the resulting string is | |
ambiguous. | |
[Steve Henson] | |
Changes between 1.0.0b and 1.0.0c [2 Dec 2010] | |
*) Disable code workaround for ancient and obsolete Netscape browsers | |
and servers: an attacker can use it in a ciphersuite downgrade attack. | |
Thanks to Martin Rex for discovering this bug. CVE-2010-4180 | |
[Steve Henson] | |
*) Fixed J-PAKE implementation error, originally discovered by | |
Sebastien Martini, further info and confirmation from Stefan | |
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 | |
[Ben Laurie] | |
Changes between 1.0.0a and 1.0.0b [16 Nov 2010] | |
*) Fix extension code to avoid race conditions which can result in a buffer | |
overrun vulnerability: resumed sessions must not be modified as they can | |
be shared by multiple threads. CVE-2010-3864 | |
[Steve Henson] | |
*) Fix WIN32 build system to correctly link an ENGINE directory into | |
a DLL. | |
[Steve Henson] | |
Changes between 1.0.0 and 1.0.0a [01 Jun 2010] | |
*) Check return value of int_rsa_verify in pkey_rsa_verifyrecover | |
(CVE-2010-1633) | |
[Steve Henson, Peter-Michael Hager <hager@dortmund.net>] | |
Changes between 0.9.8n and 1.0.0 [29 Mar 2010] | |
*) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher | |
context. The operation can be customised via the ctrl mechanism in | |
case ENGINEs want to include additional functionality. | |
[Steve Henson] | |
*) Tolerate yet another broken PKCS#8 key format: private key value negative. | |
[Steve Henson] | |
*) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to | |
output hashes compatible with older versions of OpenSSL. | |
[Willy Weisz <weisz@vcpc.univie.ac.at>] | |
*) Fix compression algorithm handling: if resuming a session use the | |
compression algorithm of the resumed session instead of determining | |
it from client hello again. Don't allow server to change algorithm. | |
[Steve Henson] | |
*) Add load_crls() function to apps tidying load_certs() too. Add option | |
to verify utility to allow additional CRLs to be included. | |
[Steve Henson] | |
*) Update OCSP request code to permit adding custom headers to the request: | |
some responders need this. | |
[Steve Henson] | |
*) The function EVP_PKEY_sign() returns <=0 on error: check return code | |
correctly. | |
[Julia Lawall <julia@diku.dk>] | |
*) Update verify callback code in apps/s_cb.c and apps/verify.c, it | |
needlessly dereferenced structures, used obsolete functions and | |
didn't handle all updated verify codes correctly. | |
[Steve Henson] | |
*) Disable MD2 in the default configuration. | |
[Steve Henson] | |
*) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to | |
indicate the initial BIO being pushed or popped. This makes it possible | |
to determine whether the BIO is the one explicitly called or as a result | |
of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so | |
it handles reference counts correctly and doesn't zero out the I/O bio | |
when it is not being explicitly popped. WARNING: applications which | |
included workarounds for the old buggy behaviour will need to be modified | |
or they could free up already freed BIOs. | |
[Steve Henson] | |
*) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni | |
renaming to all platforms (within the 0.9.8 branch, this was | |
done conditionally on Netware platforms to avoid a name clash). | |
[Guenter <lists@gknw.net>] | |
*) Add ECDHE and PSK support to DTLS. | |
[Michael Tuexen <tuexen@fh-muenster.de>] | |
*) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't | |
be used on C++. | |
[Steve Henson] | |
*) Add "missing" function EVP_MD_flags() (without this the only way to | |
retrieve a digest flags is by accessing the structure directly. Update | |
EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest | |
or cipher is registered as in the "from" argument. Print out all | |
registered digests in the dgst usage message instead of manually | |
attempting to work them out. | |
[Steve Henson] | |
*) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: | |
this allows the use of compression and extensions. Change default cipher | |
string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 | |
by default unless an application cipher string requests it. | |
[Steve Henson] | |
*) Alter match criteria in PKCS12_parse(). It used to try to use local | |
key ids to find matching certificates and keys but some PKCS#12 files | |
don't follow the (somewhat unwritten) rules and this strategy fails. | |
Now just gather all certificates together and the first private key | |
then look for the first certificate that matches the key. | |
[Steve Henson] | |
*) Support use of registered digest and cipher names for dgst and cipher | |
commands instead of having to add each one as a special case. So now | |
you can do: | |
openssl sha256 foo | |
as well as: | |
openssl dgst -sha256 foo | |
and this works for ENGINE based algorithms too. | |
[Steve Henson] | |
*) Update Gost ENGINE to support parameter files. | |
[Victor B. Wagner <vitus@cryptocom.ru>] | |
*) Support GeneralizedTime in ca utility. | |
[Oliver Martin <oliver@volatilevoid.net>, Steve Henson] | |
*) Enhance the hash format used for certificate directory links. The new | |
form uses the canonical encoding (meaning equivalent names will work | |
even if they aren't identical) and uses SHA1 instead of MD5. This form | |
is incompatible with the older format and as a result c_rehash should | |
be used to rebuild symbolic links. | |
[Steve Henson] | |
*) Make PKCS#8 the default write format for private keys, replacing the | |
traditional format. This form is standardised, more secure and doesn't | |
include an implicit MD5 dependency. | |
[Steve Henson] | |
*) Add a $gcc_devteam_warn option to Configure. The idea is that any code | |
committed to OpenSSL should pass this lot as a minimum. | |
[Steve Henson] | |
*) Add session ticket override functionality for use by EAP-FAST. | |
[Jouni Malinen <j@w1.fi>] | |
*) Modify HMAC functions to return a value. Since these can be implemented | |
in an ENGINE errors can occur. | |
[Steve Henson] | |
*) Type-checked OBJ_bsearch_ex. | |
[Ben Laurie] | |
*) Type-checked OBJ_bsearch. Also some constification necessitated | |
by type-checking. Still to come: TXT_DB, bsearch(?), | |
OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING, | |
CONF_VALUE. | |
[Ben Laurie] | |
*) New function OPENSSL_gmtime_adj() to add a specific number of days and | |
seconds to a tm structure directly, instead of going through OS | |
specific date routines. This avoids any issues with OS routines such | |
as the year 2038 bug. New *_adj() functions for ASN1 time structures | |
and X509_time_adj_ex() to cover the extended range. The existing | |
X509_time_adj() is still usable and will no longer have any date issues. | |
[Steve Henson] | |
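As an added illustration (not OpenSSL's own code), the C program below applies the same technique OPENSSL_gmtime_adj() uses: the struct tm date is converted to a Julian day number, the day and second offsets are added with plain integer arithmetic, and the result is converted back, so no OS time routine and no 32-bit time_t is involved and dates past 2038 are handled like any other. The function name tm_adj, its return convention and the sample dates are this example's own.

```c
#include <stdio.h>
#include <time.h>

/* Gregorian calendar date -> Julian day number (Fliegel & Van Flandern).
 * Relies on C's truncating integer division for the (m - 14) / 12 terms. */
static long date_to_julian(int y, int m, int d)
{
    return (1461L * (y + 4800 + (m - 14) / 12)) / 4
         + (367L * (m - 2 - 12 * ((m - 14) / 12))) / 12
         - (3L * ((y + 4900 + (m - 14) / 12) / 100)) / 4
         + d - 32075;
}

/* Julian day number -> Gregorian calendar date (inverse of the above). */
static void julian_to_date(long jd, int *y, int *m, int *d)
{
    long L = jd + 68569;
    long n = (4 * L) / 146097;
    long i, j;

    L = L - (146097 * n + 3) / 4;
    i = (4000 * (L + 1)) / 1461001;
    L = L - (1461 * i) / 4 + 31;
    j = (80 * L) / 2447;
    *d = (int)(L - (2447 * j) / 80);
    L = j / 11;
    *m = (int)(j + 2 - 12 * L);
    *y = (int)(100 * (n - 49) + i + L);
}

/* Add off_day days and off_sec seconds to a UTC broken-down time without
 * calling mktime()/gmtime(): the date travels as a Julian day number and the
 * time of day as a seconds count, so the arithmetic never touches time_t.
 * Returns 1 on success, 0 if the result would fall before the Julian epoch. */
static int tm_adj(struct tm *tm, int off_day, long off_sec)
{
    long secs = tm->tm_hour * 3600L + tm->tm_min * 60L + tm->tm_sec + off_sec;
    long jd = date_to_julian(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday);
    int y, m, d;

    /* Carry whole days out of the seconds field so that 0 <= secs < 86400. */
    jd += off_day + secs / 86400;
    secs %= 86400;
    if (secs < 0) {
        secs += 86400;
        jd -= 1;
    }
    if (jd < 0)
        return 0;

    julian_to_date(jd, &y, &m, &d);
    tm->tm_year = y - 1900;
    tm->tm_mon = m - 1;
    tm->tm_mday = d;
    tm->tm_hour = (int)(secs / 3600);
    tm->tm_min = (int)((secs / 60) % 60);
    tm->tm_sec = (int)(secs % 60);
    tm->tm_yday = (int)(jd - date_to_julian(y, 1, 1));
    tm->tm_wday = (int)((jd + 1) % 7); /* JD 0 was a Monday; tm_wday counts from Sunday */
    return 1;
}

int main(void)
{
    struct tm t = {0};
    char buf[40];

    /* Constructed starting point: 2038-01-19 03:14:07 UTC, the last second
     * representable in a signed 32-bit time_t. */
    t.tm_year = 2038 - 1900; t.tm_mon = 0; t.tm_mday = 19;
    t.tm_hour = 3; t.tm_min = 14; t.tm_sec = 7;
    if (tm_adj(&t, 365, 1)) {
        strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S %a", &t);
        printf("365 days and 1 second later: %s\n", buf);
    }
    return 0;
}
```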
*) Delta CRL support. New use deltas option which will attempt to locate | |
and search any appropriate delta CRLs available. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Support for CRLs partitioned by reason code. Reorganise CRL processing | |
code and add additional score elements. Validate alternate CRL paths | |
as part of the CRL checking and indicate a new error "CRL path validation | |
error" in this case. Applications wanting additional details can use | |
the verify callback and check the new "parent" field. If this is not | |
NULL CRL path validation is taking place. Existing applications wont | |
see this because it requires extended CRL support which is off by | |
default. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Support for freshest CRL extension. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Initial indirect CRL support. Currently only supported in the CRLs | |
passed directly and not via lookup. Process certificate issuer | |
CRL entry extension and lookup CRL entries by bother issuer name | |
and serial number. Check and process CRL issuer entry in IDP extension. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Add support for distinct certificate and CRL paths. The CRL issuer | |
certificate is validated separately in this case. Only enabled if | |
an extended CRL support flag is set: this flag will enable additional | |
CRL functionality in future. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Add support for policy mappings extension. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Fixes to pathlength constraint, self issued certificate handling, | |
policy processing to align with RFC3280 and PKITS tests. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Support for name constraints certificate extension. DN, email, DNS | |
and URI types are currently supported. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) To cater for systems that provide a pointer-based thread ID rather | |
than numeric, deprecate the current numeric thread ID mechanism and | |
replace it with a structure and associated callback type. This | |
mechanism allows a numeric "hash" to be extracted from a thread ID in | |
either case, and on platforms where pointers are larger than 'long', | |
mixing is done to help ensure the numeric 'hash' is usable even if it | |
can't be guaranteed unique. The default mechanism is to use "&errno" | |
as a pointer-based thread ID to distinguish between threads. | |
Applications that want to provide their own thread IDs should now use | |
CRYPTO_THREADID_set_callback() to register a callback that will call | |
either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer(). | |
Note that ERR_remove_state() is now deprecated, because it is tied | |
to the assumption that thread IDs are numeric. ERR_remove_state(0) | |
to free the current thread's error state should be replaced by | |
ERR_remove_thread_state(NULL). | |
(This new approach replaces the functions CRYPTO_set_idptr_callback(), | |
CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in | |
OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an | |
application was previously providing a numeric thread callback that | |
was inappropriate for distinguishing threads, then uniqueness might | |
have been obtained with &errno that happened immediately in the | |
intermediate development versions of OpenSSL; this is no longer the | |
case, the numeric thread callback will now override the automatic use | |
of &errno.) | |
[Geoff Thorpe, with help from Bodo Moeller] | |
*) Initial support for different CRL issuing certificates. This covers a | |
simple case where the self issued certificates in the chain exist and | |
the real CRL issuer is higher in the existing chain. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Removed effectively defunct crypto/store from the build. | |
[Ben Laurie] | |
*) Revamp of STACK to provide stronger type-checking. Still to come: | |
TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE, | |
ASN1_STRING, CONF_VALUE. | |
[Ben Laurie] | |
*) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer | |
RAM on SSL connections. This option can save about 34k per idle SSL. | |
[Nick Mathewson] | |
*) Revamp of LHASH to provide stronger type-checking. Still to come: | |
STACK, TXT_DB, bsearch, qsort. | |
[Ben Laurie] | |
*) Initial support for Cryptographic Message Syntax (aka CMS) based | |
on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility, | |
support for data, signedData, compressedData, digestedData and | |
encryptedData, envelopedData types included. Scripts to check against | |
RFC4134 examples draft and interop and consistency checks of many | |
content types and variants. | |
[Steve Henson] | |
*) Add options to enc utility to support use of zlib compression BIO. | |
[Steve Henson] | |
*) Extend mk1mf to support importing of options and assembly language | |
files from Configure script, currently only included in VC-WIN32. | |
The assembly language rules can now optionally generate the source | |
files from the associated perl scripts. | |
[Steve Henson] | |
*) Implement remaining functionality needed to support GOST ciphersuites. | |
Interop testing has been performed using CryptoPro implementations. | |
[Victor B. Wagner <vitus@cryptocom.ru>] | |
*) s390x assembler pack. | |
[Andy Polyakov] | |
*) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU | |
"family." | |
[Andy Polyakov] | |
*) Implement Opaque PRF Input TLS extension as specified in | |
draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an | |
official specification yet and no extension type assignment by | |
IANA exists, this extension (for now) will have to be explicitly | |
enabled when building OpenSSL by providing the extension number | |
to use. For example, specify an option | |
-DTLSEXT_TYPE_opaque_prf_input=0x9527 | |
to the "config" or "Configure" script to enable the extension, | |
assuming extension number 0x9527 (which is a completely arbitrary | |
and unofficial assignment based on the MD5 hash of the Internet | |
Draft). Note that by doing so, you potentially lose | |
interoperability with other TLS implementations since these might | |
be using the same extension number for other purposes. | |
SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the | |
opaque PRF input value to use in the handshake. This will create | |
an interal copy of the length-'len' string at 'src', and will | |
return non-zero for success. | |
To get more control and flexibility, provide a callback function | |
by using | |
SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) | |
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg) | |
where | |
int (*cb)(SSL *, void *peerinput, size_t len, void *arg); | |
void *arg; | |
Callback function 'cb' will be called in handshakes, and is | |
expected to use SSL_set_tlsext_opaque_prf_input() as appropriate. | |
Argument 'arg' is for application purposes (the value as given to | |
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly | |
be provided to the callback function). The callback function | |
has to return non-zero to report success: usually 1 to use opaque | |
PRF input just if possible, or 2 to enforce use of the opaque PRF | |
input. In the latter case, the library will abort the handshake | |
if opaque PRF input is not successfully negotiated. | |
Arguments 'peerinput' and 'len' given to the callback function | |
will always be NULL and 0 in the case of a client. A server will | |
see the client's opaque PRF input through these variables if | |
available (NULL and 0 otherwise). Note that if the server | |
provides an opaque PRF input, the length must be the same as the | |
length of the client's opaque PRF input. | |
Note that the callback function will only be called when creating | |
a new session (session resumption can resume whatever was | |
previously negotiated), and will not be called in SSL 2.0 | |
handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or | |
SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended | |
for applications that need to enforce opaque PRF input. | |
[Bodo Moeller] | |
*) Update ssl code to support digests other than SHA1+MD5 for handshake | |
MAC. | |
[Victor B. Wagner <vitus@cryptocom.ru>] | |
*) Add RFC4507 support to OpenSSL. This includes the corrections in | |
RFC4507bis. The encrypted ticket format is an encrypted encoded | |
SSL_SESSION structure, that way new session features are automatically | |
supported. | |
If a client application caches session in an SSL_SESSION structure | |
support is transparent because tickets are now stored in the encoded | |
SSL_SESSION. | |
The SSL_CTX structure automatically generates keys for ticket | |
protection in servers so again support should be possible | |
with no application modification. | |
If a client or server wishes to disable RFC4507 support then the option | |
SSL_OP_NO_TICKET can be set. | |
Add a TLS extension debugging callback to allow the contents of any client | |
or server extensions to be examined. | |
This work was sponsored by Google. | |
[Steve Henson] | |
*) Final changes to avoid use of pointer pointer casts in OpenSSL. | |
OpenSSL should now compile cleanly on gcc 4.2 | |
[Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson] | |
*) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC | |
support including streaming MAC support: this is required for GOST | |
ciphersuite support. | |
[Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson] | |
*) Add option -stream to use PKCS#7 streaming in smime utility. New | |
function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream() | |
to output in BER and PEM format. | |
[Steve Henson] | |
*) Experimental support for use of HMAC via EVP_PKEY interface. This | |
allows HMAC to be handled via the EVP_DigestSign*() interface. The | |
EVP_PKEY "key" in this case is the HMAC key, potentially allowing | |
ENGINE support for HMAC keys which are unextractable. New -mac and | |
-macopt options to dgst utility. | |
[Steve Henson] | |
*) New option -sigopt to dgst utility. Update dgst to use | |
EVP_Digest{Sign,Verify}*. These two changes make it possible to use | |
alternative signing paramaters such as X9.31 or PSS in the dgst | |
utility. | |
[Steve Henson] | |
*) Change ssl_cipher_apply_rule(), the internal function that does | |
the work each time a ciphersuite string requests enabling | |
("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or | |
removing ("!foo+bar") a class of ciphersuites: Now it maintains | |
the order of disabled ciphersuites such that those ciphersuites | |
that most recently went from enabled to disabled not only stay | |
in order with respect to each other, but also have higher priority | |
than other disabled ciphersuites the next time ciphersuites are | |
enabled again. | |
This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable | |
the same ciphersuites as with "HIGH" alone, but in a specific | |
order where the PSK ciphersuites come first (since they are the | |
most recently disabled ciphersuites when "HIGH" is parsed). | |
Also, change ssl_create_cipher_list() (using this new | |
functionality) such that between otherwise identical | |
ciphersuites, ephemeral ECDH is preferred over ephemeral DH in | |
the default order. | |
[Bodo Moeller] | |
*) Change ssl_create_cipher_list() so that it automatically | |
arranges the ciphersuites in reasonable order before starting | |
to process the rule string. Thus, the definition for "DEFAULT" | |
(SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but | |
remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH". | |
This makes it much easier to arrive at a reasonable default order | |
in applications for which anonymous ciphers are OK (meaning | |
that you can't actually use DEFAULT). | |
[Bodo Moeller; suggested by Victor Duchovni] | |
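Added example, covering the rule-ordering entry above and this DEFAULT entry: a small Python model of the ssl_cipher_apply_rule() semantics just described (enable appends at the tail, "-" moves the most recently disabled suites to the head so they win the next enable, "+" reorders, "!" removes for good, "@STRENGTH" sorts the enabled suites). This is not OpenSSL code: the ciphersuite table, its tags and the key sizes are constructed for illustration, and real OpenSSL matches on algorithm bit masks rather than tag sets.

```python
"""Toy model of OpenSSL's ssl_cipher_apply_rule() / ssl_create_cipher_list()
ordering semantics.  Added example; not OpenSSL code."""
from dataclasses import dataclass


@dataclass
class Cipher:
    name: str
    tags: frozenset
    bits: int
    active: bool = False  # every suite starts disabled, in "reasonable" order


# Constructed toy table, pre-arranged the way the text describes: ephemeral
# ECDH ahead of ephemeral DH ahead of static RSA key exchange.
TOY_TABLE = [
    ("ECDHE-RSA-AES256-SHA", {"kEECDH", "aRSA", "AES256", "AES", "HIGH"}, 256),
    ("DHE-RSA-AES256-SHA",   {"kEDH", "aRSA", "AES256", "AES", "HIGH"}, 256),
    ("AES256-SHA",           {"kRSA", "aRSA", "AES256", "AES", "HIGH"}, 256),
    ("PSK-AES256-CBC-SHA",   {"kPSK", "PSK", "AES256", "AES", "HIGH"}, 256),
    ("PSK-AES128-CBC-SHA",   {"kPSK", "PSK", "AES128", "AES", "HIGH"}, 128),
    ("RC4-SHA",              {"kRSA", "aRSA", "RC4", "MEDIUM"}, 128),
    ("ADH-AES128-SHA",       {"kEDH", "aNULL", "AES128", "AES", "HIGH"}, 128),
    ("NULL-SHA",             {"kRSA", "aRSA", "eNULL"}, 0),
]


def matches(c, tags):
    """A rule "foo+bar" matches only if every tag applies.  "ALL" matches
    everything except eNULL, as in OpenSSL."""
    for t in tags:
        if t == "ALL":
            if "eNULL" in c.tags:
                return False
        elif t not in c.tags:
            return False
    return True


def apply_rule(lst, op, tags):
    """Visit each suite once in its position at the start of the rule
    (in reverse for "-", so relative order is kept), moving matches."""
    snapshot = list(lst)
    if op == "-":
        snapshot.reverse()
    for c in snapshot:
        if not matches(c, tags):
            continue
        if op == "" and not c.active:        # "foo": enable, append at tail
            lst.remove(c); lst.append(c); c.active = True
        elif op == "+" and c.active:         # "+foo": stay enabled, move to tail
            lst.remove(c); lst.append(c)
        elif op == "-" and c.active:         # "-foo": disable, move to HEAD so the
            lst.remove(c); lst.insert(0, c)  # most recently disabled suites are
            c.active = False                 # first in line when re-enabled
        elif op == "!":                      # "!foo": gone for good
            lst.remove(c)


def cipher_list(spec, table=TOY_TABLE):
    """Return the enabled suites, in order, for a cipher string."""
    lst = [Cipher(n, frozenset(t), b) for n, t, b in table]
    for rule in spec.split(":"):
        if not rule:
            continue
        if rule == "@STRENGTH":  # stable sort of the enabled suites by key bits
            active = sorted((c for c in lst if c.active), key=lambda c: -c.bits)
            lst[:] = [c for c in lst if not c.active] + active
            continue
        op = rule[0] if rule[0] in "+-!" else ""
        apply_rule(lst, op, rule[len(op):].split("+"))
    return [c.name for c in lst if c.active]


if __name__ == "__main__":
    for spec in ("HIGH", "PSK:-PSK:HIGH", "ALL:!aNULL:!eNULL", "PSK:ALL:@STRENGTH"):
        print(f"{spec:20} -> {cipher_list(spec)}")
```

Run it and compare "HIGH" with "PSK:-PSK:HIGH": same set, but the PSK suites lead in the second list, exactly as the entry claims. Note also the difference between "-PSK" and "!PSK": a suite removed with "!" cannot be brought back by a later rule.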
*) Split the SSL/TLS algorithm mask (as used for ciphersuite string | |
processing) into multiple integers instead of setting | |
"SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", | |
"SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer. | |
(These masks as well as the individual bit definitions are hidden | |
away into the non-exported interface ssl/ssl_locl.h, so this | |
change to the definition of the SSL_CIPHER structure shouldn't | |
affect applications.) This gives us more bits for each of these | |
categories, so there is no longer a need to coagulate AES128 and | |
AES256 into a single algorithm bit, and to coagulate Camellia128 | |
and Camellia256 into a single algorithm bit, which has led to all | |
kinds of kludges. | |
Thus, among other things, the kludge introduced in 0.9.7m and | |
0.9.8e for masking out AES256 independently of AES128 or masking | |
out Camellia256 independently of Camellia128 is not needed here in 0.9.9. | |
With the change, we also introduce new ciphersuite aliases that | |
so far were missing: "AES128", "AES256", "CAMELLIA128", and | |
"CAMELLIA256". | |
[Bodo Moeller] | |
*) Add support for dsa-with-SHA224 and dsa-with-SHA256. | |
Use the leftmost N bytes of the signature input if the input is | |
larger than the prime q (with N being the size in bytes of q). | |
[Nils Larsch] | |
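Added example, not OpenSSL code: a toy DSA in pure Python whose sign and verify both reduce the digest with the leftmost-N-bytes rule stated above (N = byte length of q), so a 32-byte SHA-256 digest is cut to 20 bytes for a 160-bit q while a 20-byte SHA-1 digest is used whole. Parameters come from a seeded RNG at sizes far below anything deployable; the helper names are assumptions. It also shows the consequence a practitioner should keep in mind: digest bytes beyond the N-th have no effect on the signature.

```python
"""Toy DSA demonstrating the "leftmost N bytes of the digest" rule used for
dsa-with-SHA224/256 when the digest is wider than q.  Added example; the
parameters are generated from a seeded RNG and are far too small for real use."""
import hashlib
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with a small trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(rng, qbits=160, pbits=512):
    """(p, q, g) with q | p-1 and g of order q.  Toy sizes only."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        k = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        p = k * q + 1
        if is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g


def digest_to_int(digest, q):
    """The rule from the changelog entry: if the digest is longer than q,
    keep only its leftmost N bytes, N being the byte length of q."""
    n = (q.bit_length() + 7) // 8
    return int.from_bytes(digest[:n] if len(digest) > n else digest, "big")


def keygen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def sign(params, x, digest, rng):
    p, q, g = params
    z = digest_to_int(digest, q)
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (z + x * r)) % q
        if s != 0:
            return r, s


def verify(params, y, digest, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    z = digest_to_int(digest, q)
    w = pow(s, -1, q)
    v = (pow(g, (z * w) % q, p) * pow(y, (r * w) % q, p)) % p % q
    return v == r


def demo(seed=2008, msg=b"dsa-with-SHA256 over a 160-bit q"):
    """Sign a 32-byte SHA-256 digest under a 160-bit (20-byte) q."""
    rng = random.Random(seed)
    params = gen_params(rng)
    x, y = keygen(params, rng)
    digest = hashlib.sha256(msg).digest()
    return params, y, digest, sign(params, x, digest, rng)


if __name__ == "__main__":
    params, y, digest, sig = demo()
    print("verify:", verify(params, y, digest, sig))
```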
*) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses | |
it yet and it is largely untested. | |
[Steve Henson] | |
*) Add support for the ecdsa-with-SHA224/256/384/512 signature types. | |
[Nils Larsch] | |
*) Initial incomplete changes to avoid the need for function casts in OpenSSL, | |
since some compilers (gcc 4.2 and later) reject their use. Safestack is | |
reimplemented. Update ASN1 to avoid use of legacy functions. | |
[Steve Henson] | |
*) Win32/64 targets are linked with Winsock2. | |
[Andy Polyakov] | |
*) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected | |
to external functions. This can be used to increase CRL handling | |
efficiency especially when CRLs are very large by (for example) storing | |
the CRL revoked certificates in a database. | |
[Steve Henson] | |
*) Overhaul of by_dir code. Add support for dynamic loading of CRLs so | |
new CRLs added to a directory can be used. New command line option | |
-verify_return_error to s_client and s_server. This causes real errors | |
to be returned by the verify callback instead of carrying on no matter | |
what. This reflects the way a "real world" verify callback would behave. | |
[Steve Henson] | |
*) GOST engine, supporting several GOST algorithms and public key formats. | |
Kindly donated by Cryptocom. | |
[Cryptocom] | |
*) Partial support for Issuing Distribution Point CRL extension. CRLs | |
partitioned by DP are handled but no indirect CRL or reason partitioning | |
(yet). Complete overhaul of CRL handling: now the most suitable CRL is | |
selected via a scoring technique which handles IDP and AKID in CRLs. | |
[Steve Henson] | |
*) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which | |
will ultimately be used for all verify operations: this will remove the | |
X509_STORE dependency on certificate verification and allow alternative | |
lookup methods. X509_STORE based implementations of these two callbacks. | |
[Steve Henson] | |
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. | |
Modify get_crl() to find a valid (unexpired) CRL if possible. | |
[Steve Henson] | |
*) New function X509_CRL_match() to check if two CRLs are identical. Normally | |
this would be called X509_CRL_cmp() but that name is already used by | |
a function that just compares CRL issuer names. Cache several CRL | |
extensions in X509_CRL structure and cache CRLDP in X509. | |
[Steve Henson] | |
*) Store a "canonical" representation of X509_NAME structure (ASN1 Name) | |
this maps equivalent X509_NAME structures into a consistent structure. | |
Name comparison can then be performed rapidly using memcmp(). | |
[Steve Henson] | |
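Added example, not OpenSSL's encoder: a simplified model of the "canonical representation" idea above. Each name value is brought to one Unicode form, case folded, whitespace collapsed and re-encoded as UTF-8, attributes inside a multi-valued RDN are sorted, and the result is length-prefixed so that a plain byte comparison decides equality. The names below are constructed.

```python
"""Canonical form for distinguished names so equivalent names compare equal
with a single byte comparison.  Added example; simplified rules, not OpenSSL's."""
import unicodedata


def canon_value(s: str) -> bytes:
    # One Unicode form, one case, one space between words, one encoding:
    # after this the original ASN.1 string type no longer matters.
    s = unicodedata.normalize("NFC", s).casefold()
    return " ".join(s.split()).encode("utf-8")


def canon_name(rdns) -> bytes:
    """rdns: list of RDNs, each a list of (attribute, value) pairs.
    Attributes inside one RDN are sorted so {CN,OU} == {OU,CN}, and every
    component is length-prefixed so the encoding is unambiguous."""
    out = bytearray()
    for rdn in rdns:
        parts = sorted((attr.lower().encode(), canon_value(val)) for attr, val in rdn)
        out += len(parts).to_bytes(2, "big")
        for attr, val in parts:
            for piece in (attr, val):
                out += len(piece).to_bytes(2, "big") + piece
    return bytes(out)


def names_equal(a, b) -> bool:
    return canon_name(a) == canon_name(b)  # the memcmp() step


# Constructed names: the same issuer written with different case, spacing
# and attribute order inside the multi-valued RDN, plus a different one.
NAME_A = [[("C", "US")], [("O", "Example   Corp")], [("CN", "Example CA"), ("OU", "PKI")]]
NAME_B = [[("C", "us")], [("O", " example corp ")], [("OU", "pki"), ("CN", "EXAMPLE CA")]]
NAME_C = [[("C", "US")], [("O", "Example Corp")], [("CN", "Example CA 2")]]
```

The point of canonicalising once and storing the bytes is that lookups such as "which CRL or CA certificate has this issuer name" become a byte comparison instead of a full attribute-by-attribute walk with string-type conversions on every call.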
*) Non-blocking OCSP request processing. Add -timeout option to ocsp | |
utility. | |
[Steve Henson] | |
*) Allow digests to supply their own micalg string for S/MIME type using | |
the ctrl EVP_MD_CTRL_MICALG. | |
[Steve Henson] | |
*) During PKCS7 signing pass the PKCS7 SignerInfo structure to the | |
EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN | |
ctrl. It can then customise the structure before and/or after signing | |
if necessary. | |
[Steve Henson] | |
*) New function OBJ_add_sigid() to allow application defined signature OIDs | |
to be added to OpenSSL's internal tables. New function OBJ_sigid_free() | |
to free up any added signature OIDs. | |
[Steve Henson] | |
*) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(), | |
EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal | |
digest and cipher tables. New options added to openssl utility: | |
list-message-digest-algorithms and list-cipher-algorithms. | |
[Steve Henson] | |
*) Change the array representation of binary polynomials: the list | |
of degrees of non-zero coefficients is now terminated with -1. | |
Previously it was terminated with 0, which was also part of the | |
value; thus, the array representation was not applicable to | |
polynomials where t^0 has coefficient zero. This change makes | |
the array representation useful in a more general context. | |
[Douglas Stebila] | |
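Added example, not OpenSSL code: the two representations of a binary polynomial this entry talks about (the array of degrees of non-zero coefficients, and the bit string that the GF(2^m) arithmetic actually works on), a converter for each direction using the new -1 terminator, the old 0-terminated convention kept alongside to show why it could not express a polynomial with a zero constant term, and a reduction-modulo-polynomial multiply that is what such an array parameterises. Helper names are assumptions.

```python
"""Binary polynomial representations: degree array (-1 terminated) versus
integer bit string, with a GF(2^m) multiply that uses the reduction polynomial.
Added example; not OpenSSL code."""


def arr2poly(arr):
    """Degree array terminated by -1 -> integer whose bit i is the t^i coefficient."""
    poly = 0
    for d in arr:
        if d == -1:
            break
        poly |= 1 << d
    return poly


def poly2arr(poly):
    """Integer -> degree array, highest degree first, -1 terminated."""
    return [d for d in range(poly.bit_length() - 1, -1, -1) if poly >> d & 1] + [-1]


def arr2poly_old(arr):
    """Pre-change convention: 0 ends the list and is itself a degree, so the
    constant term is always forced on.  Kept only to show the limitation."""
    poly = 0
    for d in arr:
        poly |= 1 << d
        if d == 0:
            break
    return poly


def gf2m_mul(a, b, mod):
    """Carry-less multiply a*b reduced modulo the polynomial `mod` (integer form).
    a and b must already be reduced, i.e. of degree below deg(mod)."""
    top = mod.bit_length() - 1  # degree of the reduction polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> top & 1:  # overflowed to degree deg(mod): subtract (xor) mod
            a ^= mod
    return r


# NIST B-163 reduction polynomial t^163 + t^7 + t^6 + t^3 + 1 in array form.
B163 = [163, 7, 6, 3, 0, -1]
```

With the new terminator, t^3 + t is simply [3, 1, -1]; under the old rule the list [3, 1, 0] would have meant t^3 + t + 1, and there was no way to write a polynomial whose constant term is zero.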
*) Various modifications and fixes to SSL/TLS cipher string | |
handling. For ECC, the code now distinguishes between fixed ECDH | |
with RSA certificates on the one hand and with ECDSA certificates | |
on the other hand, since these are separate ciphersuites. The | |
unused code for Fortezza ciphersuites has been removed. | |
For consistency with EDH, ephemeral ECDH is now called "EECDH" | |
(not "ECDHE"). For consistency with the code for DH | |
certificates, use of ECDH certificates is now considered ECDH | |
authentication, not RSA or ECDSA authentication (the latter is | |
merely the CA's signing algorithm and not actively used in the | |
protocol). | |
The temporary ciphersuite alias "ECCdraft" is no longer | |
available, and ECC ciphersuites are no longer excluded from "ALL" | |
and "DEFAULT". The following aliases now exist for RFC 4492 | |
ciphersuites, most of these by analogy with the DH case: | |
kECDHr - ECDH cert, signed with RSA | |
kECDHe - ECDH cert, signed with ECDSA | |
kECDH - ECDH cert (signed with either RSA or ECDSA) | |
kEECDH - ephemeral ECDH | |
ECDH - ECDH cert or ephemeral ECDH | |
aECDH - ECDH cert | |
aECDSA - ECDSA cert | |
ECDSA - ECDSA cert | |
AECDH - anonymous ECDH | |
EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH") | |
[Bodo Moeller] | |
*) Add additional S/MIME capabilities for AES and GOST ciphers if supported. | |
Use correct micalg parameters depending on digest(s) in signed message. | |
[Steve Henson] | |
*) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process | |
an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. | |
[Steve Henson] | |
*) Initial engine support for EVP_PKEY_METHOD. New functions to permit | |
an engine to register a method. Add ENGINE lookups for methods and | |
functional reference processing. | |
[Steve Henson] | |
*) New functions EVP_Digest{Sign,Verify}*. These are enhanced versions of | |
EVP_{Sign,Verify}* which allow an application to customise the signature | |
process. | |
[Steve Henson] | |
*) New -resign option to smime utility. This adds one or more signers | |
to an existing PKCS#7 signedData structure. Also -md option to use an | |
alternative message digest algorithm for signing. | |
[Steve Henson] | |
*) Tidy up PKCS#7 routines and add new functions to make it easier to | |
create PKCS7 structures containing multiple signers. Update smime | |
application to support multiple signers. | |
[Steve Henson] | |
*) New -macalg option to pkcs12 utility to allow setting of an alternative | |
digest MAC. | |
[Steve Henson] | |
*) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. | |
Reorganize PBE internals to lookup from a static table using NIDs, | |
add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl, | |
EVP_CTRL_PBE_PRF_NID: this allows a cipher to specify an alternative | |
PRF which will be automatically used with PBES2. | |
[Steve Henson] | |
*) Replace the algorithm specific calls to generate keys in "req" with the | |
new API. | |
[Steve Henson] | |
*) Update PKCS#7 enveloped data routines to use new API. This is now | |
supported by any public key method supporting the encrypt operation. A | |
ctrl is added to allow the public key algorithm to examine or modify | |
the PKCS#7 RecipientInfo structure if it needs to: for RSA this is | |
a no op. | |
[Steve Henson] | |
*) Add a ctrl to asn1 method to allow a public key algorithm to express | |
a default digest type to use. In most cases this will be SHA1 but some | |
algorithms (such as GOST) need to specify an alternative digest. The | |
return value indicates how strong the preference is: 1 means optional and | |
2 is mandatory (that is, it is the only supported type). Modify | |
ASN1_item_sign() to accept a NULL digest argument to indicate it should | |
use the default md. Update openssl utilities to use the default digest | |
type for signing if it is not explicitly indicated. | |
[Steve Henson] | |
*) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New | |
EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant | |
signing method from the key type. This effectively removes the link | |
between digests and public key types. | |
[Steve Henson] | |
*) Add an OID cross reference table and utility functions. Its purpose is to | |
translate between signature OIDs such as sha1WithRSAEncryption and SHA1, | |
rsaEncryption. This will allow some of the algorithm specific hackery | |
needed to use the correct OID to be removed. | |
[Steve Henson] | |
*) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO | |
structures for PKCS7_sign(). They are now set up by the relevant public | |
key ASN1 method. | |
[Steve Henson] | |
*) Add provisional EC pkey method with support for ECDSA and ECDH. | |
[Steve Henson] | |
*) Add support for key derivation (agreement) in the API, DH method and | |
pkeyutl. | |
[Steve Henson] | |
*) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support | |
public and private key formats. As a side effect these add additional | |
command line functionality not previously available: DSA signatures can be | |
generated and verified using pkeyutl and DH key support and generation in | |
pkey, genpkey. | |
[Steve Henson] | |
*) BeOS support. | |
[Oliver Tappe <zooey@hirschkaefer.de>] | |
*) New make target "install_html_docs" installs HTML renditions of the | |
manual pages. | |
[Oliver Tappe <zooey@hirschkaefer.de>] | |
*) New utility "genpkey": this is analogous to "genrsa" etc except it can | |
generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to | |
support key and parameter generation and add initial key generation | |
functionality for RSA. | |
[Steve Henson] | |
*) Add functions for main EVP_PKEY_method operations. The undocumented | |
functions EVP_PKEY_{encrypt,decrypt} have been renamed to | |
EVP_PKEY_{encrypt,decrypt}_old. | |
[Steve Henson] | |
*) Initial definitions for EVP_PKEY_METHOD. This will be a high level public | |
key API, doesn't do much yet. | |
[Steve Henson] | |
*) New function EVP_PKEY_asn1_get0_info() to retrieve information about | |
public key algorithms. New option to openssl utility: | |
"list-public-key-algorithms" to print out info. | |
[Steve Henson] | |
*) Implement the Supported Elliptic Curves Extension for | |
ECC ciphersuites from draft-ietf-tls-ecc-12.txt. | |
[Douglas Stebila] | |
*) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or | |
EVP_CIPHER structures to avoid later problems in EVP_cleanup(). | |
[Steve Henson] | |
*) New utilities pkey and pkeyparam. These are similar to algorithm specific | |
utilities such as rsa, dsa, dsaparam etc except they process any key | |
type. | |
[Steve Henson] | |
*) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New | |
functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), | |
EVP_PKEY_print_param() to print public key data from an EVP_PKEY | |
structure. | |
[Steve Henson] | |
*) Initial support for pluggable public key ASN1. | |
De-spaghettify the public key ASN1 handling. Move public and private | |
key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate | |
algorithm specific handling to a single module within the relevant | |
algorithm directory. Add functions to allow (near) opaque processing | |
of public and private key structures. | |
[Steve Henson] | |
*) Implement the Supported Point Formats Extension for | |
ECC ciphersuites from draft-ietf-tls-ecc-12.txt. | |
[Douglas Stebila] | |
*) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members | |
for the psk identity [hint] and the psk callback functions to the | |
SSL_SESSION, SSL and SSL_CTX structure. | |
New ciphersuites: | |
PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, | |
PSK-AES256-CBC-SHA | |
New functions: | |
SSL_CTX_use_psk_identity_hint | |
SSL_get_psk_identity_hint | |
SSL_get_psk_identity | |
SSL_use_psk_identity_hint | |
[Mika Kousa and Pasi Eronen of Nokia Corporation] | |
*) Add RFC 3161 compliant time stamp request creation, response generation | |
and response verification functionality. | |
[Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project] | |
*) Add initial support for TLS extensions, specifically for the server_name | |
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now | |
have new members for a host name. The SSL data structure has an | |
additional member SSL_CTX *initial_ctx so that new sessions can be | |
stored in that context to allow for session resumption, even after the | |
SSL has been switched to a new SSL_CTX in reaction to a client's | |
server_name extension. | |
New functions (subject to change): | |
SSL_get_servername() | |
SSL_get_servername_type() | |
SSL_set_SSL_CTX() | |
New CTRL codes and macros (subject to change): | |
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB | |
- SSL_CTX_set_tlsext_servername_callback() | |
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG | |
- SSL_CTX_set_tlsext_servername_arg() | |
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() | |
openssl s_client has a new '-servername ...' option. | |
openssl s_server has new options '-servername_host ...', '-cert2 ...', | |
'-key2 ...', '-servername_fatal' (subject to change). This allows | |
testing the HostName extension for a specific single host name ('-cert' | |
and '-key' remain fallbacks for handshakes without HostName | |
negotiation). If the unrecognized_name alert has to be sent, this by | |
default is a warning; it becomes fatal with the '-servername_fatal' | |
option. | |
[Peter Sylvester, Remy Allais, Christophe Renou] | |
*) Whirlpool hash implementation is added. | |
[Andy Polyakov] | |
*) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to | |
bn(64,32). Because of instruction set limitations it doesn't have | |
any negative impact on performance. This was done mostly in order | |
to make it possible to share assembler modules, such as bn_mul_mont | |
implementations, between 32- and 64-bit builds without hassle. | |
[Andy Polyakov] | |
*) Move code previously exiled into file crypto/ec/ec2_smpt.c | |
to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP | |
macro. | |
[Bodo Moeller] | |
*) New candidate for BIGNUM assembler implementation, bn_mul_mont, | |
dedicated Montgomery multiplication procedure, is introduced. | |
BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher | |
"64-bit" performance on certain 32-bit targets. | |
[Andy Polyakov] | |
*) New option SSL_OP_NO_COMP to disable use of compression selectively | |
in SSL structures. New SSL ctrl to set maximum send fragment size. | |
Save memory by setting the I/O buffer sizes dynamically instead of | |
using the maximum available value. | |
[Steve Henson] | |
*) New option -V for 'openssl ciphers'. This prints the ciphersuite code | |
in addition to the text details. | |
[Bodo Moeller] | |
*) Very, very preliminary EXPERIMENTAL support for printing of general | |
ASN1 structures. This currently produces rather ugly output and doesn't | |
handle several customised structures at all. | |
[Steve Henson] | |
*) Integrated support for PVK file format and some related formats such | |
as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support | |
these in the 'rsa' and 'dsa' utilities. | |
[Steve Henson] | |
*) Support for PKCS#1 RSAPublicKey format on rsa utility command line. | |
[Steve Henson] | |
*) Remove the ancient ASN1_METHOD code. This was only ever used in one | |
place for the (very old) "NETSCAPE" format certificates which are now | |
handled using new ASN1 code equivalents. | |
[Steve Henson] | |
*) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD | |
pointer and make the SSL_METHOD parameter in SSL_CTX_new, | |
SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'. | |
[Nils Larsch] | |
*) Modify CRL distribution points extension code to print out previously | |
unsupported fields. Enhance extension setting code to allow setting of | |
all fields. | |
[Steve Henson] | |
*) Add print and set support for Issuing Distribution Point CRL extension. | |
[Steve Henson] | |
*) Change 'Configure' script to enable Camellia by default. | |
[NTT] | |
Changes between 0.9.8m and 0.9.8n [24 Mar 2010] | |
*) When rejecting SSL/TLS records due to an incorrect version number, never | |
update s->server with a new major version number. As of | |
- OpenSSL 0.9.8m if 'short' is a 16-bit type, | |
- OpenSSL 0.9.8f if 'short' is longer than 16 bits, | |
the previous behavior could result in a read attempt at NULL when | |
receiving specific incorrect SSL/TLS records once record payload | |
protection is active. (CVE-2010-0740) | |
[Bodo Moeller, Adam Langley <agl@chromium.org>] | |
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL | |
could be crashed if the relevant tables were not present (e.g. chrooted). | |
[Tomas Hoger <thoger@redhat.com>] | |
Changes between 0.9.8l and 0.9.8m [25 Feb 2010] | |
*) Always check bn_wexpand() return values for failure. (CVE-2009-3245) | |
[Martin Olsson, Neel Mehta] | |
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to | |
accommodate stack sorting, always a write lock!). | |
[Bodo Moeller] | |
*) On some versions of WIN32 Heap32Next is very slow. This can cause | |
excessive delays in RAND_poll(): over a minute. As a workaround | |
include a time check in the inner Heap32Next loop too. | |
[Steve Henson] | |
*) The code that handled flushing of data in SSL/TLS originally used the | |
BIO_CTRL_INFO ctrl to see if any data was pending first. This caused | |
the problem outlined in PR#1949. The fix suggested there however can | |
trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions | |
of Apache). So instead simplify the code to flush unconditionally. | |
This should be fine since flushing with no data to flush is a no op. | |
[Steve Henson] | |
*) Handle TLS versions 2.0 and later properly and correctly use the | |
highest version of TLS/SSL supported. Although TLS >= 2.0 is some way | |
off, ancient servers have a habit of sticking around for a while... | |
[Steve Henson] | |
*) Modify compression code so it frees up structures without using the | |
ex_data callbacks. This works around a problem where some applications | |
call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when | |
restarting) then use compression (e.g. SSL with compression) later. | |
This results in significant per-connection memory leaks and | |
has caused some security issues including CVE-2008-1678 and | |
CVE-2009-4355. | |
[Steve Henson] | |
*) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't | |
change when encrypting or decrypting. | |
[Bodo Moeller] | |
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to | |
connect and renegotiate with servers which do not support RI. | |
Until RI is more widely deployed this option is enabled by default. | |
[Steve Henson] | |
*) Add "missing" ssl ctrls to clear options and mode. | |
[Steve Henson] | |
*) If client attempts to renegotiate and doesn't support RI respond with | |
a no_renegotiation alert as required by RFC5746. Some renegotiating | |
TLS clients will continue a connection gracefully when they receive | |
the alert. Unfortunately OpenSSL mishandled this alert and would hang | |
waiting for a server hello which it will never receive. Now we treat a | |
received no_renegotiation alert as a fatal error. This is because | |
applications requesting a renegotiation might well expect it to succeed | |
and would have no code in place to handle the server denying it so the | |
only safe thing to do is to terminate the connection. | |
[Steve Henson] | |
*) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if | |
peer supports secure renegotiation and 0 otherwise. Print out peer | |
renegotiation support in s_client/s_server. | |
[Steve Henson] | |
*) Replace the highly broken and deprecated SPKAC certification method with | |
the updated NID creation version. This should correctly handle UTF8. | |
[Steve Henson] | |
*) Implement RFC5746. Re-enable renegotiation but require the extension | |
as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | |
turns out to be a bad idea. It has been replaced by | |
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with | |
SSL_CTX_set_options(). This is really not recommended unless you | |
know what you are doing. | |
[Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] | |
*) Fixes to stateless session resumption handling. Use initial_ctx when | |
issuing and attempting to decrypt tickets in case it has changed during | |
servername handling. Use a non-zero length session ID when attempting | |
stateless session resumption: this makes it possible to determine if | |
a resumption has occurred immediately after receiving server hello | |
(several places in OpenSSL subtly assume this) instead of later in | |
the handshake. | |
[Steve Henson] | |
*) The functions ENGINE_ctrl(), OPENSSL_isservice(), | |
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error; | |
fix a few places where the return code was not checked | |
correctly. | |
[Julia Lawall <julia@diku.dk>] | |
*) Add --strict-warnings option to Configure script to include devteam | |
warnings in other configurations. | |
[Steve Henson] | |
*) Add support for --libdir option and LIBDIR variable in makefiles. This | |
makes it possible to install openssl libraries in locations which | |
have names other than "lib", for example "/usr/lib64" which some | |
systems need. | |
[Steve Henson, based on patch from Jeremy Utley] | |
*) Don't allow the use of leading 0x80 in OIDs. This is a violation of | |
X690 8.9.12 and can produce some misleading textual output of OIDs. | |
[Steve Henson, reported by Dan Kaminsky] | |
*) Delete MD2 from algorithm tables. This follows the recommendation in | |
several standards that it is not used in new applications due to | |
several cryptographic weaknesses. For binary compatibility reasons | |
the MD2 API is still compiled in by default. | |
[Steve Henson] | |
*) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved | |
and restored. | |
[Steve Henson] | |
*) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and | |
OPENSSL_asc2uni conditionally on Netware platforms to avoid a name | |
clash. | |
[Guenter <lists@gknw.net>] | |
*) Fix the server certificate chain building code to use X509_verify_cert(), | |
it used to have an ad-hoc builder which was unable to cope with anything | |
other than a simple chain. | |
[David Woodhouse <dwmw2@infradead.org>, Steve Henson] | |
*) Don't check self signed certificate signatures in X509_verify_cert() | |
by default (a flag can override this): it just wastes time without | |
adding any security. As a useful side effect self signed root CAs | |
with non-FIPS digests are now usable in FIPS mode. | |
[Steve Henson] | |
*) In dtls1_process_out_of_seq_message() the check whether the current message | |
was already buffered was missing. Memory was allocated for every new | |
message, allowing an attacker to perform a denial of service attack | |
by sending out of sequence handshake messages until there is no memory | |
left. Additionally every future message was buffered, even if the | |
sequence number made no sense and would be part of another handshake. | |
So only messages with sequence numbers less than 10 in advance will be | |
buffered. (CVE-2009-1378) | |
[Robin Seggelmann, discovered by Daniel Mentz] | |
*) Records are buffered if they arrive with a future epoch to be | |
processed after finishing the corresponding handshake. There was | |
previously no limit on this buffer, allowing an attacker to perform | |
a DoS attack by sending records with future epochs until there is no | |
memory left. This patch adds the pqueue_size() function to determine | |
the size of a buffer and limits the record buffer to 100 entries. | |
(CVE-2009-1377) | |
[Robin Seggelmann, discovered by Daniel Mentz] | |
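Added example, not OpenSSL code: a Python model of a DTLS receiver with the two bounds these entries introduce, a future-epoch record queue capped at 100 entries and out-of-sequence handshake messages that are only buffered when their sequence number is less than 10 ahead of the next expected one and not already held. The class and helper names are assumptions; the flood functions generate constructed attack traffic so the effect of the limits can be checked without a network.

```python
"""Model of the DTLS buffering limits from CVE-2009-1377 / CVE-2009-1378.
Added example; not OpenSSL code.  Without these bounds every datagram an
attacker sends costs the receiver an allocation that is never released."""
from collections import OrderedDict

MAX_FUTURE_RECORDS = 100   # cap on the future-epoch record queue (CVE-2009-1377)
MAX_SEQ_AHEAD = 10         # only buffer handshake seq < expected + 10 (CVE-2009-1378)


class DtlsPeer:
    def __init__(self):
        self.epoch = 0
        self.next_handshake_seq = 0
        self.future_records = []            # records for epoch + 1
        self.buffered_msgs = OrderedDict()  # handshake seq -> body
        self.delivered = []

    def receive_record(self, epoch, payload):
        """Returns "processed", "buffered" or "dropped"."""
        if epoch == self.epoch:
            return "processed"
        if epoch != self.epoch + 1:
            return "dropped"                # not the next epoch: discard
        if len(self.future_records) >= MAX_FUTURE_RECORDS:
            return "dropped"                # queue full: no further allocation
        self.future_records.append((epoch, payload))
        return "buffered"

    def receive_handshake(self, seq, body):
        """Returns "delivered", "buffered", "duplicate" or "dropped"."""
        if seq < self.next_handshake_seq:
            return "duplicate"              # retransmission of an old message
        if seq == self.next_handshake_seq:
            self._deliver(body)
            # drain whatever buffered messages are now in order
            while self.next_handshake_seq in self.buffered_msgs:
                self._deliver(self.buffered_msgs.pop(self.next_handshake_seq))
            return "delivered"
        if seq >= self.next_handshake_seq + MAX_SEQ_AHEAD:
            return "dropped"                # too far ahead to belong to this handshake
        if seq in self.buffered_msgs:
            return "duplicate"              # already held: no new allocation
        self.buffered_msgs[seq] = body
        return "buffered"

    def _deliver(self, body):
        self.delivered.append(body)
        self.next_handshake_seq += 1


def flood_future_records(peer, count):
    """Constructed attack traffic: `count` records claiming epoch + 1."""
    return [peer.receive_record(peer.epoch + 1, b"\x00" * 16) for _ in range(count)]


def flood_out_of_seq(peer, seqs):
    """Constructed attack traffic: handshake messages with the given seqs."""
    return [peer.receive_handshake(s, b"hs%d" % s) for s in seqs]
```

Memory held by the receiver is now bounded by the two constants rather than by how many datagrams the attacker is willing to send, and a legitimate peer whose messages arrive slightly out of order is still served.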
*) Keep a copy of frag->msg_header.frag_len so it can be used after the | |
parent structure is freed. (CVE-2009-1379) | |
[Daniel Mentz] | |
*) Handle non-blocking I/O properly in SSL_shutdown() call. | |
[Darryl Miles <darryl-mailinglists@netbauds.net>] | |
*) Add 2.5.4.* OIDs | |
[Ilya O. <vrghost@gmail.com>] | |
Changes between 0.9.8k and 0.9.8l [5 Nov 2009] | |
*) Disable renegotiation completely - this fixes a severe security | |
problem (CVE-2009-3555) at the cost of breaking all | |
renegotiation. Renegotiation can be re-enabled by setting | |
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at | |
run-time. This is really not recommended unless you know what | |
you're doing. | |
[Ben Laurie] | |
Changes between 0.9.8j and 0.9.8k [25 Mar 2009] | |
*) Don't set val to NULL when freeing up structures, it is freed up by | |
underlying code. If sizeof(void *) > sizeof(long) this can result in | |
zeroing past the valid field. (CVE-2009-0789) | |
[Paolo Ganci <Paolo.Ganci@AdNovum.CH>] | |
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not | |
checked correctly. This would allow some invalid signed attributes to | |
appear to verify correctly. (CVE-2009-0591) | |
[Ivan Nestlerode <inestlerode@us.ibm.com>] | |
*) Reject UniversalString and BMPString types with invalid lengths. This | |
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have | |
a legal length. (CVE-2009-0590) | |
[Steve Henson] | |
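Added example, not OpenSSL code, covering two ASN.1 content checks from these release notes: the leading-0x80 OID sub-identifier rule from the 0.9.8m entry above, and the BMPString/UniversalString length check from this entry (CVE-2009-0590). A lax OID decoder maps two different byte strings to the same dotted text, which misleads anything that matches OIDs by their printed form; the strict decoder rejects the padded one. The constructed input is the rsadsi arc 1.2.840.113549 with a 0x80 byte inserted in front of its last sub-identifier. Function names are assumptions.

```python
"""Strict decoding of two ASN.1 primitive contents.  Added example; not
OpenSSL code.  A leading 0x80 in an OID sub-identifier is a non-minimal
base-128 encoding that X.690 forbids; BMPString and UniversalString
contents must be whole 2- and 4-byte code units respectively."""


class Asn1Error(ValueError):
    pass


def decode_oid(content: bytes, strict: bool = True) -> str:
    """Decode OBJECT IDENTIFIER contents (tag and length already stripped)."""
    if not content:
        raise Asn1Error("empty OID")
    if content[-1] & 0x80:
        raise Asn1Error("truncated sub-identifier")
    subids, value, first = [], 0, True
    for b in content:
        if first and strict and b == 0x80:
            raise Asn1Error("non-minimal sub-identifier (leading 0x80)")
        value = (value << 7) | (b & 0x7F)
        first = False
        if not b & 0x80:          # last byte of this sub-identifier
            subids.append(value)
            value, first = 0, True
    top = subids[0]               # first two arcs are packed into one sub-identifier
    if top < 40:
        arcs = [0, top]
    elif top < 80:
        arcs = [1, top - 40]
    else:
        arcs = [2, top - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def encode_oid(dotted: str) -> bytes:
    """Minimal DER encoding of a dotted OID (contents only)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in subids:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def accepts(content: bytes, strict: bool = True) -> bool:
    try:
        decode_oid(content, strict)
        return True
    except Asn1Error:
        return False


STRING_UNIT = {"BMPString": 2, "UniversalString": 4}


def check_string_length(kind: str, content: bytes) -> bool:
    """Reject BMPString/UniversalString contents that are not a whole number
    of code units: the condition behind the ASN1_STRING_print_ex() crash."""
    return len(content) % STRING_UNIT.get(kind, 1) == 0


# Constructed inputs: rsadsi's OID, and the same OID with a padded sub-identifier.
OID_RSADSI = bytes.fromhex("2a864886f70d")
OID_RSADSI_PADDED = bytes.fromhex("2a8648" "80" "86f70d")
```

Any policy that compares OIDs as text (for example, deciding which signature algorithm or extension a structure carries) should sit behind a decoder that enforces the minimal encoding, otherwise the padded form is a second spelling of the same identifier that a signature over the DER bytes would not cover.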
*) Set S/MIME signing as the default purpose rather than setting it | |
unconditionally. This allows applications to override it at the store | |
level. | |
[Steve Henson] | |
*) Permit restricted recursion of ASN1 strings. This is needed in practice | |
to handle some structures. | |
[Steve Henson] | |
*) Improve efficiency of mem_gets: don't search whole buffer each time | |
for a '\n' | |
[Jeremy Shapiro <jnshapir@us.ibm.com>] | |
*) New -hex option for openssl rand. | |
[Matthieu Herrb] | |
*) Print out UTF8String and NumericString when parsing ASN1. | |
[Steve Henson] | |
*) Support NumericString type for name components. | |
[Steve Henson] | |
*) Allow CC in the environment to override the automatically chosen | |
compiler. Note that nothing is done to ensure flags work with the | |
chosen compiler. | |
[Ben Laurie] | |
Changes between 0.9.8i and 0.9.8j [07 Jan 2009] | |
*) Properly check EVP_VerifyFinal() and similar return values | |
(CVE-2008-5077). | |
[Ben Laurie, Bodo Moeller, Google Security Team] | |
*) Enable TLS extensions by default. | |
[Ben Laurie] | |
*) Allow the CHIL engine to be loaded, whether the application is | |
multithreaded or not. (This does not release the developer from the | |
obligation to set up the dynamic locking callbacks.) | |
[Sander Temme <sander@temme.net>] | |
*) Use correct exit code if there is an error in dgst command. | |
[Steve Henson; problem pointed out by Roland Dirlewanger] | |
*) Tweak Configure so that you need to say "experimental-jpake" to enable | |
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. | |
[Bodo Moeller] | |
*) Add experimental JPAKE support, including demo authentication in | |
s_client and s_server. | |
[Ben Laurie] | |
*) Set the comparison function in v3_addr_canonize(). | |
[Rob Austein <sra@hactrn.net>] | |
*) Add support for XMPP STARTTLS in s_client. | |
[Philip Paeps <philip@freebsd.org>] | |
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior | |
to ensure that even with this option, only ciphersuites in the | |
server's preference list will be accepted. (Note that the option | |
applies only when resuming a session, so the earlier behavior was | |
just about the algorithm choice for symmetric cryptography.) | |
[Bodo Moeller] | |
Changes between 0.9.8h and 0.9.8i [15 Sep 2008] | |
*) Fix NULL pointer dereference if a DTLS server received | |
ChangeCipherSpec as first record (CVE-2009-1386). | |
[PR #1679] | |
*) Fix a state transition in s3_srvr.c and d1_srvr.c | |
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). | |
[Nagendra Modadugu] | |
*) The fix in 0.9.8c that supposedly got rid of unsafe | |
double-checked locking was incomplete for RSA blinding, | |
addressing just one layer of what turns out to have been | |
doubly unsafe triple-checked locking. | |
So now fix this for real by retiring the MONT_HELPER macro | |
in crypto/rsa/rsa_eay.c. | |
[Bodo Moeller; problem pointed out by Marius Schilder] | |
*) Various precautionary measures: | |
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). | |
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). | |
(NB: This would require knowledge of the secret session ticket key | |
to exploit, in which case you'd be SOL either way.) | |
- Change bn_nist.c so that it will properly handle input BIGNUMs | |
outside the expected range. | |
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG | |
builds. | |
[Neel Mehta, Bodo Moeller] | |
*) Allow engines to be "soft loaded" - i.e. optionally don't die if | |
the load fails. Useful for distros. | |
[Ben Laurie and the FreeBSD team] | |
*) Add support for Local Machine Keyset attribute in PKCS#12 files. | |
[Steve Henson] | |
*) Fix BN_GF2m_mod_arr() top-bit cleanup code. | |
[Huang Ying] | |
*) Expand ENGINE to support engine supplied SSL client certificate functions. | |
This work was sponsored by Logica. | |
[Steve Henson] | |
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows | |
keystores. Support for SSL/TLS client authentication too. | |
Not compiled unless enable-capieng specified to Configure. | |
This work was sponsored by Logica. | |
[Steve Henson] | |
*) Fix bug in X509_ATTRIBUTE creation: don't set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
attribute creation routines such as certificate requests and PKCS#12
files.
[Steve Henson] | |
Changes between 0.9.8g and 0.9.8h [28 May 2008] | |
*) Fix flaw if 'Server Key exchange message' is omitted from a TLS | |
handshake which could lead to a client crash as found using the
Codenomicon TLS test suite (CVE-2008-1672) | |
[Steve Henson, Mark Cox] | |
*) Fix double free in TLS server name extensions which could lead to | |
a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) | |
[Joe Orton] | |
*) Clear error queue in SSL_CTX_use_certificate_chain_file() | |
Clear the error queue to ensure that error entries left from | |
older function calls do not interfere with the correct operation. | |
[Lutz Jaenicke, Erik de Castro Lopo] | |
*) Remove root CA certificates of commercial CAs: | |
The OpenSSL project does not recommend any specific CA and does not | |
have any policy with respect to including or excluding any CA. | |
Therefore it does not make any sense to ship an arbitrary selection | |
of root CA certificates with the OpenSSL software. | |
[Lutz Jaenicke] | |
*) RSA OAEP patches to fix two separate invalid memory reads. | |
The first one involves inputs when 'lzero' is greater than | |
'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes | |
before the beginning of from). The second one involves inputs where | |
the 'db' section contains nothing but zeroes (there is a one-byte | |
invalid read after the end of 'db'). | |
[Ivan Nestlerode <inestlerode@us.ibm.com>] | |
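The Go program below is an added illustration, not OpenSSL's code, of the decoding step that both reads above concern: EME-OAEP decoding (RFC 3447 7.1.2 with SHA-1 and MGF1) of an input that, like a BIGNUM export, may have lost its leading zero bytes. The lzero missing zeros are restored by copying the input to the end of a fresh k-byte buffer rather than by addressing memory before it, and the search for the 0x01 separator is bounded by the length of db, so an all-zero db fails cleanly instead of reading one byte past its end. The encoder, the fixed seed, the message and the 1024-bit modulus size are constructed for the example; it works on the padded block only and performs no RSA operation.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// mgf1 is the MGF1 mask generation function of RFC 3447 B.2.1.
func mgf1(h func() hash.Hash, seed []byte, n int) []byte {
	out := make([]byte, 0, n+h().Size())
	var ctr [4]byte
	for c := uint32(0); len(out) < n; c++ {
		binary.BigEndian.PutUint32(ctr[:], c)
		d := h()
		d.Write(seed)
		d.Write(ctr[:])
		out = d.Sum(out)
	}
	return out[:n]
}

// oaepEncode builds EM = 0x00 || maskedSeed || maskedDB for a k-byte modulus
// (RFC 3447 7.1.1). The seed is a parameter only to keep the example
// deterministic; a real encoder must draw it from crypto/rand.
func oaepEncode(msg, seed, label []byte, k int) ([]byte, error) {
	hLen := sha1.Size
	if len(seed) != hLen || len(msg) > k-2*hLen-2 {
		return nil, errors.New("bad seed length or message too long")
	}
	lHash := sha1.Sum(label)
	db := make([]byte, k-hLen-1) // lHash || PS (zeros) || 0x01 || M
	copy(db, lHash[:])
	db[len(db)-len(msg)-1] = 0x01
	copy(db[len(db)-len(msg):], msg)
	dbMask := mgf1(sha1.New, seed, len(db))
	for i := range db {
		db[i] ^= dbMask[i]
	}
	seedMask := mgf1(sha1.New, db, hLen)
	em := make([]byte, k)
	for i := 0; i < hLen; i++ {
		em[1+i] = seed[i] ^ seedMask[i]
	}
	copy(em[1+hLen:], db)
	return em, nil
}

// oaepDecode takes the RSA-decrypted integer as big-endian bytes. As with an
// OpenSSL BIGNUM export, `from` may have lost leading zero bytes, so
// len(from) <= k and lzero = k - len(from) zeros have to be put back.
func oaepDecode(from, label []byte, k int) ([]byte, error) {
	hLen := sha1.Size
	if k < 2*hLen+2 || len(from) > k {
		return nil, errors.New("decoding error")
	}
	// Restore the lzero zeros by placing `from` at the end of a fresh k-byte
	// buffer, never by computing an address before the start of `from`.
	em := make([]byte, k)
	copy(em[k-len(from):], from)
	good := subtle.ConstantTimeByteEq(em[0], 0)
	maskedSeed, maskedDB := em[1:1+hLen], em[1+hLen:]
	seed := mgf1(sha1.New, maskedDB, hLen)
	for i := range seed {
		seed[i] ^= maskedSeed[i]
	}
	db := mgf1(sha1.New, seed, len(maskedDB))
	for i := range db {
		db[i] ^= maskedDB[i]
	}
	lHash := sha1.Sum(label)
	good &= subtle.ConstantTimeCompare(db[:hLen], lHash[:])
	// Locate the 0x01 separator. The scan is bounded by len(db), so an
	// all-zero db just leaves lookingFor set (and fails below) instead of
	// reading past the end, and no branch depends on the decrypted bytes.
	lookingFor, index, invalid := 1, 0, 0
	for i := hLen; i < len(db); i++ {
		is0 := subtle.ConstantTimeByteEq(db[i], 0)
		is1 := subtle.ConstantTimeByteEq(db[i], 1)
		index = subtle.ConstantTimeSelect(lookingFor&is1, i, index)
		lookingFor = subtle.ConstantTimeSelect(is1, 0, lookingFor)
		invalid = subtle.ConstantTimeSelect(lookingFor&^is0, 1, invalid)
	}
	if good&^invalid&^lookingFor != 1 {
		return nil, errors.New("decoding error") // one error for every cause
	}
	return db[index+1:], nil
}

func main() {
	seed := bytes.Repeat([]byte{0x5a}, sha1.Size) // constructed, not random
	em, _ := oaepEncode([]byte("attack at dawn"), seed, nil, 128)
	short := bytes.TrimLeft(em, "\x00") // what a BIGNUM export hands back
	msg, err := oaepDecode(short, nil, 128)
	fmt.Printf("lzero=%d msg=%q err=%v\n", 128-len(short), msg, err)
}
```

Every failure (wrong first byte, wrong lHash, missing separator, non-zero byte inside PS) collapses into the same error after the full scan, which is what keeps the decoder from leaking which check failed.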
*) Partial backport from 0.9.9-dev: | |
Introduce bn_mul_mont (dedicated Montgomery multiplication | |
procedure) as a candidate for BIGNUM assembler implementation. | |
While 0.9.9-dev uses assembler for various architectures, only | |
x86_64 is available by default here in the 0.9.8 branch, and | |
32-bit x86 is available through a compile-time setting. | |
To try the 32-bit x86 assembler implementation, use Configure | |
option "enable-montasm" (which exists only for this backport). | |
As "enable-montasm" for 32-bit x86 disclaims code stability | |
anyway, in this constellation we activate additional code | |
backported from 0.9.9-dev for further performance improvements, | |
namely BN_from_montgomery_word. (To enable this otherwise, | |
e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".) | |
[Andy Polyakov (backport partially by Bodo Moeller)] | |
*) Add TLS session ticket callback. This allows an application to set | |
TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed | |
values. This is useful for key rollover for example where several key | |
sets may exist with different names. | |
[Steve Henson] | |
*) Reverse ENGINE-internal logic for caching default ENGINE handles. | |
This was broken until now in 0.9.8 releases, such that the only way | |
a registered ENGINE could be used (assuming it initialises | |
successfully on the host) was to explicitly set it as the default | |
for the relevant algorithms. This is in contradiction with 0.9.7 | |
behaviour and the documentation. With this fix, when an ENGINE is | |
registered into a given algorithm's table of implementations, the | |
'uptodate' flag is reset so that auto-discovery will be used next | |
time a new context for that algorithm attempts to select an | |
implementation. | |
[Ian Lister (tweaked by Geoff Thorpe)] | |
*) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 | |
implementation in the following ways:
Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be | |
hard coded. | |
Lack of BER streaming support means one pass streaming processing is | |
only supported if data is detached: setting the streaming flag is | |
ignored for embedded content. | |
CMS support is disabled by default and must be explicitly enabled | |
with the enable-cms configuration option. | |
[Steve Henson] | |
*) Update the GMP engine glue to do direct copies between BIGNUM and | |
mpz_t when openssl and GMP use the same limb size. Otherwise the | |
existing "conversion via a text string export" trick is still used. | |
[Paul Sheer <paulsheer@gmail.com>] | |
*) Zlib compression BIO. This is a filter BIO which compresses and
uncompresses any data passed through it.
[Steve Henson] | |
*) Add AES_wrap_key() and AES_unwrap_key() functions to implement | |
RFC3394 compatible AES key wrapping. | |
[Steve Henson] | |
*) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): | |
sets string data without copying. X509_ALGOR_set0() and | |
X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) | |
data. Attribute function X509at_get0_data_by_OBJ(): retrieves data | |
from an X509_ATTRIBUTE structure optionally checking it occurs only | |
once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied | |
data. | |
[Steve Henson] | |
*) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() | |
to get the expected BN_FLG_CONSTTIME behavior. | |
[Bodo Moeller (Google)] | |
*) Netware support: | |
- fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets | |
- fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) | |
- added some more tests to do_tests.pl | |
- fixed RunningProcess usage so that it works with newer LIBC NDKs too | |
- removed usage of BN_LLONG for CLIB builds to avoid runtime dependency | |
- added new Configure targets netware-clib-bsdsock, netware-clib-gcc, | |
netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc | |
- various changes to netware.pl to enable gcc-cross builds on Win32 | |
platform | |
- changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) | |
- various changes to fix missing prototype warnings | |
- fixed x86nasm.pl to create correct asm files for NASM COFF output | |
- added AES, WHIRLPOOL and CPUID assembler code to build files | |
- added missing AES assembler make rules to mk1mf.pl | |
- fixed order of includes in apps/ocsp.c so that e_os.h settings apply | |
[Guenter Knauf <eflash@gmx.net>] | |
*) Implement certificate status request TLS extension defined in RFC3546. | |
A client can set the appropriate parameters and receive the encoded | |
OCSP response via a callback. A server can query the supplied parameters | |
and set the encoded OCSP response in the callback. Add simplified examples | |
to s_client and s_server. | |
[Steve Henson] | |
Changes between 0.9.8f and 0.9.8g [19 Oct 2007] | |
*) Fix various bugs: | |
+ Binary incompatibility of ssl_ctx_st structure | |
+ DTLS interoperation with non-compliant servers | |
+ Don't call get_session_cb() without proposed session | |
+ Fix ia64 assembler code | |
[Andy Polyakov, Steve Henson] | |
Changes between 0.9.8e and 0.9.8f [11 Oct 2007] | |
*) DTLS Handshake overhaul. There were longstanding issues with the
OpenSSL DTLS implementation, which were making it impossible for an
RFC 4347 compliant client to communicate with an OpenSSL server.
Unfortunately just fixing these incompatibilities would "cut off"
pre-0.9.8f clients. To allow for a hassle-free upgrade, a post-0.9.8e
server keeps tolerating non-RFC-compliant syntax. The opposite is
not true: a 0.9.8f client cannot communicate with an earlier server.
This update even addresses CVE-2007-4995.
[Andy Polyakov]
*) Changes to avoid need for function casts in OpenSSL: some compilers | |
(gcc 4.2 and later) reject their use. | |
[Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, | |
Steve Henson] | |
*) Add RFC4507 support to OpenSSL. This includes the corrections in | |
RFC4507bis. The encrypted ticket format is an encrypted encoded | |
SSL_SESSION structure, that way new session features are automatically | |
supported. | |
If a client application caches session in an SSL_SESSION structure | |
support is transparent because tickets are now stored in the encoded | |
SSL_SESSION. | |
The SSL_CTX structure automatically generates keys for ticket | |
protection in servers so again support should be possible | |
with no application modification. | |
If a client or server wishes to disable RFC4507 support then the option | |
SSL_OP_NO_TICKET can be set. | |
Add a TLS extension debugging callback to allow the contents of any client | |
or server extensions to be examined. | |
This work was sponsored by Google. | |
[Steve Henson] | |
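Added example, not OpenSSL's code: a Go sketch of the key rollover that the TLS session ticket callback (see the 0.9.8h entry above) makes possible on top of this RFC 4507 support. Each key set carries a 16-byte name stored in the clear at the front of the ticket; the server seals new tickets under the current key, still accepts tickets sealed under older keys on the ring, and in that case reports that a fresh ticket should be issued. The 0/1/2 outcomes are modelled on the callback's return values (0 unrecognised, 1 accept, 2 accept and renew); the ticket layout name || iv || AES-128-CBC || HMAC-SHA256, the key names and the "encoded SSL_SESSION" state are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	TicketReject = 0 // unknown key name or damaged ticket: full handshake
	TicketAccept = 1 // current key: resume, the client keeps its ticket
	TicketRenew  = 2 // older key: resume, but send a fresh ticket under the current key
)

type ticketKey struct {
	name [16]byte // public identifier, sent in the clear in every ticket
	aes  [16]byte // AES-128-CBC key for the encoded session state
	mac  [32]byte // HMAC-SHA256 key over name || iv || ciphertext
}

func newTicketKey(name string) ticketKey {
	var k ticketKey
	copy(k.name[:], name)
	rand.Read(k.aes[:])
	rand.Read(k.mac[:])
	return k
}
type ticketKeyRing struct{ keys []ticketKey } // keys[0] seals new tickets
// Rotate installs k as the current key; older keys stay valid for decryption until more than keep are on the ring.
func (r *ticketKeyRing) Rotate(k ticketKey, keep int) {
	r.keys = append([]ticketKey{k}, r.keys...)
	if len(r.keys) > keep {
		r.keys = r.keys[:keep]
	}
}

// Seal produces name || iv || AES-CBC(state) || HMAC under the current key.
func (r *ticketKeyRing) Seal(state []byte) ([]byte, error) {
	k := r.keys[0]
	block, _ := aes.NewCipher(k.aes[:]) // 16-byte key: cannot fail
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := byte(aes.BlockSize - len(state)%aes.BlockSize) // PKCS#7 padding
	padded := append(append([]byte{}, state...), bytes.Repeat([]byte{pad}, int(pad))...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := append(append(append([]byte{}, k.name[:]...), iv...), ct...)
	m := hmac.New(sha256.New, k.mac[:])
	m.Write(out)
	return m.Sum(out), nil
}

// Open finds the key by name, checks the MAC before any decryption, and reports whether to reissue.
func (r *ticketKeyRing) Open(ticket []byte) ([]byte, int, error) {
	const hdr = 16 + aes.BlockSize
	ctLen := len(ticket) - hdr - sha256.Size
	if ctLen < aes.BlockSize || ctLen%aes.BlockSize != 0 {
		return nil, TicketReject, errors.New("malformed ticket")
	}
	for i, k := range r.keys {
		if !bytes.Equal(ticket[:16], k.name[:]) {
			continue
		}
		body, tag := ticket[:hdr+ctLen], ticket[hdr+ctLen:]
		m := hmac.New(sha256.New, k.mac[:])
		m.Write(body)
		if !hmac.Equal(m.Sum(nil), tag) {
			return nil, TicketReject, errors.New("ticket MAC mismatch")
		}
		block, _ := aes.NewCipher(k.aes[:])
		pt := make([]byte, ctLen)
		cipher.NewCBCDecrypter(block, body[16:hdr]).CryptBlocks(pt, body[hdr:])
		pad := int(pt[ctLen-1])
		if pad == 0 || pad > aes.BlockSize {
			return nil, TicketReject, errors.New("bad padding")
		}
		if i > 0 {
			return pt[:ctLen-pad], TicketRenew, nil
		}
		return pt[:ctLen-pad], TicketAccept, nil
	}
	return nil, TicketReject, nil // unknown name is not an error: full handshake
}

func main() {
	var ring ticketKeyRing
	ring.Rotate(newTicketKey("key-2008-05"), 2)
	ticket, _ := ring.Seal([]byte("encoded SSL_SESSION")) // constructed state
	ring.Rotate(newTicketKey("key-2008-06"), 2)
	state, status, err := ring.Open(ticket)
	fmt.Printf("state=%q status=%d err=%v\n", state, status, err)
}
```

Verifying the MAC before touching the ciphertext (encrypt-then-MAC) is what keeps the CBC padding check from becoming a padding oracle; an unknown key name is deliberately not an error, since the right response is simply a full handshake.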
*) Add initial support for TLS extensions, specifically for the server_name | |
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now | |
have new members for a host name. The SSL data structure has an | |
additional member SSL_CTX *initial_ctx so that new sessions can be | |
stored in that context to allow for session resumption, even after the | |
SSL has been switched to a new SSL_CTX in reaction to a client's | |
server_name extension. | |
New functions (subject to change): | |
SSL_get_servername() | |
SSL_get_servername_type() | |
SSL_set_SSL_CTX() | |
New CTRL codes and macros (subject to change): | |
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB | |
- SSL_CTX_set_tlsext_servername_callback() | |
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG | |
- SSL_CTX_set_tlsext_servername_arg() | |
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() | |
openssl s_client has a new '-servername ...' option. | |
openssl s_server has new options '-servername_host ...', '-cert2 ...', | |
'-key2 ...', '-servername_fatal' (subject to change). This allows | |
testing the HostName extension for a specific single host name ('-cert' | |
and '-key' remain fallbacks for handshakes without HostName | |
negotiation). If the unrecognized_name alert has to be sent, this by
default is a warning; it becomes fatal with the '-servername_fatal' | |
option. | |
[Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson] | |
*) Add AES and SSE2 assembly language support to VC++ build. | |
[Steve Henson] | |
*) Mitigate attack on final subtraction in Montgomery reduction. | |
[Andy Polyakov] | |
*) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 | |
(which previously caused an internal error). | |
[Bodo Moeller] | |
*) Squeeze another 10% out of IGE mode when in != out. | |
[Ben Laurie] | |
*) AES IGE mode speedup. | |
[Dean Gaudet (Google)] | |
*) Add the Korean symmetric 128-bit cipher SEED (see | |
http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and | |
add SEED ciphersuites from RFC 4162: | |
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" | |
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" | |
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" | |
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" | |
To minimize changes between patchlevels in the OpenSSL 0.9.8 | |
series, SEED remains excluded from compilation unless OpenSSL | |
is configured with 'enable-seed'. | |
[KISA, Bodo Moeller] | |
*) Mitigate branch prediction attacks, which can be practical if a | |
single processor is shared, allowing a spy process to extract | |
information. For detailed background information, see | |
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, | |
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL | |
and Necessary Software Countermeasures"). The core of the change | |
are new versions BN_div_no_branch() and | |
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), | |
respectively, which are slower, but avoid the security-relevant | |
conditional branches. These are automatically called by BN_div() | |
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one | |
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to | |
remove a conditional branch. | |
BN_FLG_CONSTTIME is the new name for the previous | |
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just | |
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag | |
in the exponent causes BN_mod_exp_mont() to use the alternative | |
implementation in BN_mod_exp_mont_consttime().) The old name | |
remains as a deprecated alias. | |
Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses | |
constant-time implementations for more than just exponentiation. | |
Here too the old name is kept as a deprecated alias. | |
BN_BLINDING_new() will now use BN_dup() for the modulus so that | |
the BN_BLINDING structure gets an independent copy of the | |
modulus. This means that the previous "BIGNUM *m" argument to | |
BN_BLINDING_new() and to BN_BLINDING_create_param() now | |
essentially becomes "const BIGNUM *m", although we can't actually | |
change this in the header file before 0.9.9. It allows | |
RSA_setup_blinding() to use BN_with_flags() on the modulus to | |
enable BN_FLG_CONSTTIME. | |
[Matthew D Wood (Intel Corp)] | |
*) In the SSL/TLS server implementation, be strict about session ID | |
context matching (which matters if an application uses a single | |
external cache for different purposes). Previously, | |
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was | |
set. This did ensure strict client verification, but meant that, | |
with applications using a single external cache for quite | |
different requirements, clients could circumvent ciphersuite | |
restrictions for a given session ID context by starting a session | |
in a different context. | |
[Bodo Moeller] | |
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that | |
a ciphersuite string such as "DEFAULT:RSA" cannot enable | |
authentication-only ciphersuites. | |
[Bodo Moeller] | |
*) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was | |
not complete and could lead to a possible single byte overflow | |
(CVE-2007-5135) [Ben Laurie] | |
Changes between 0.9.8d and 0.9.8e [23 Feb 2007] | |
*) Since AES128 and AES256 (and similarly Camellia128 and | |
Camellia256) share a single mask bit in the logic of | |
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a | |
kludge to work properly if AES128 is available and AES256 isn't | |
(or if Camellia128 is available and Camellia256 isn't). | |
[Victor Duchovni] | |
*) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c | |
(within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): | |
When a point or a seed is encoded in a BIT STRING, we need to | |
prevent the removal of trailing zero bits to get the proper DER | |
encoding. (By default, crypto/asn1/a_bitstr.c assumes the case | |
of a NamedBitList, for which trailing 0 bits need to be removed.) | |
[Bodo Moeller] | |
*) Have SSL/TLS server implementation tolerate "mismatched" record | |
protocol version while receiving ClientHello even if the | |
ClientHello is fragmented. (The server can't insist on the | |
particular protocol version it has chosen before the ServerHello | |
message has informed the client about his choice.) | |
[Bodo Moeller] | |
*) Add RFC 3779 support. | |
[Rob Austein for ARIN, Ben Laurie] | |
*) Load error codes if they are not already present instead of using a | |
static variable. This allows them to be cleanly unloaded and reloaded. | |
Improve header file function name parsing. | |
[Steve Henson] | |
*) extend SMTP and IMAP protocol emulation in s_client to use EHLO | |
or CAPABILITY handshake as required by RFCs. | |
[Goetz Babin-Ebell] | |
Changes between 0.9.8c and 0.9.8d [28 Sep 2006] | |
*) Introduce limits to prevent malicious keys being able to | |
cause a denial of service. (CVE-2006-2940) | |
[Steve Henson, Bodo Moeller] | |
*) Fix ASN.1 parsing of certain invalid structures that can result | |
in a denial of service. (CVE-2006-2937) [Steve Henson] | |
*) Fix buffer overflow in SSL_get_shared_ciphers() function. | |
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] | |
*) Fix SSL client code which could crash if connecting to a | |
malicious SSLv2 server. (CVE-2006-4343) | |
[Tavis Ormandy and Will Drewry, Google Security Team] | |
*) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites | |
match only those. Before that, "AES256-SHA" would be interpreted | |
as a pattern and match "AES128-SHA" too (since AES128-SHA got | |
the same strength classification in 0.9.7h) as we currently only | |
have a single AES bit in the ciphersuite description bitmap. | |
That change, however, also applied to ciphersuite strings such as | |
"RC4-MD5" that intentionally matched multiple ciphersuites -- | |
namely, SSL 2.0 ciphersuites in addition to the more common ones | |
from SSL 3.0/TLS 1.0. | |
So we change the selection algorithm again: Naming an explicit | |
ciphersuite selects this one ciphersuite, and any other similar | |
ciphersuite (same bitmap) from *other* protocol versions. | |
Thus, "RC4-MD5" again will properly select both the SSL 2.0 | |
ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. | |
Since SSL 2.0 does not have any ciphersuites for which the | |
128/256 bit distinction would be relevant, this works for now. | |
The proper fix will be to use different bits for AES128 and | |
AES256, which would have avoided the problems from the beginning; | |
however, bits are scarce, so we can only do this in a new release | |
(not just a patchlevel) when we can change the SSL_CIPHER | |
definition to split the single 'unsigned long mask' bitmap into | |
multiple values to extend the available space. | |
[Bodo Moeller] | |
Changes between 0.9.8b and 0.9.8c [05 Sep 2006] | |
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher | |
(CVE-2006-4339) [Ben Laurie and Google Security Team] | |
*) Add AES IGE and biIGE modes. | |
[Ben Laurie] | |
*) Change the Unix randomness entropy gathering to use poll() when | |
possible instead of select(), since the latter has some | |
undesirable limitations. | |
[Darryl Miles via Richard Levitte and Bodo Moeller] | |
*) Disable "ECCdraft" ciphersuites more thoroughly. Now special | |
treatment in ssl/ssl_ciph.c makes sure that these ciphersuites
cannot be implicitly activated as part of, e.g., the "AES" alias. | |
However, please upgrade to OpenSSL 0.9.9[-dev] for | |
non-experimental use of the ECC ciphersuites to get TLS extension | |
support, which is required for curve and point format negotiation | |
to avoid potential handshake problems. | |
[Bodo Moeller] | |
*) Disable rogue ciphersuites: | |
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") | |
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") | |
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") | |
The latter two were purportedly from | |
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really | |
appear there. | |
Also deactivate the remaining ciphersuites from | |
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as | |
unofficial, and the ID has long expired. | |
[Bodo Moeller] | |
*) Fix RSA blinding Heisenbug (problems sometimes occurred on
dual-core machines) and other potential thread-safety issues. | |
[Bodo Moeller] | |
*) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key | |
versions), which is now available for royalty-free use | |
(see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). | |
Also, add Camellia TLS ciphersuites from RFC 4132. | |
To minimize changes between patchlevels in the OpenSSL 0.9.8 | |
series, Camellia remains excluded from compilation unless OpenSSL | |
is configured with 'enable-camellia'. | |
[NTT] | |
*) Disable the padding bug check when compression is in use. The padding | |
bug check assumes the first packet is of even length, this is not | |
necessarily true if compression is enabled and can result in false
positives causing handshake failure. The actual bug test is ancient | |
code so it is hoped that implementations will either have fixed it by | |
now or any which still have the bug do not support compression. | |
[Steve Henson] | |
Changes between 0.9.8a and 0.9.8b [04 May 2006] | |
*) When applying a cipher rule check to see if string match is an explicit | |
cipher suite and only match that one cipher suite if it is. | |
[Steve Henson] | |
*) Link in manifests for VC++ if needed. | |
[Austin Ziegler <halostatue@gmail.com>] | |
*) Update support for ECC-based TLS ciphersuites according to | |
draft-ietf-tls-ecc-12.txt with proposed changes (but without | |
TLS extensions, which are supported starting with the 0.9.9 | |
branch, not in the OpenSSL 0.9.8 branch). | |
[Douglas Stebila] | |
*) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support | |
opaque EVP_CIPHER_CTX handling. | |
[Steve Henson] | |
*) Fixes and enhancements to zlib compression code. We now only use | |
"zlib1.dll" and use the default __cdecl calling convention on Win32 | |
to conform with the standards mentioned here: | |
http://www.zlib.net/DLL_FAQ.txt | |
Static zlib linking now works on Windows and the new --with-zlib-include | |
--with-zlib-lib options to Configure can be used to supply the location | |
of the headers and library. Gracefully handle case where zlib library | |
can't be loaded. | |
[Steve Henson] | |
*) Several fixes and enhancements to the OID generation code. The old code | |
sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't | |
handle numbers larger than ULONG_MAX, truncated printing and had a | |
non-standard OBJ_obj2txt() behaviour.
[Steve Henson] | |
*) Add support for building of engines under engine/ as shared libraries | |
under VC++ build system. | |
[Steve Henson] | |
*) Corrected the numerous bugs in the Win32 path splitter in DSO. | |
Hopefully, we will not see any false combination of paths any more. | |
[Richard Levitte] | |
Changes between 0.9.8 and 0.9.8a [11 Oct 2005] | |
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING | |
(part of SSL_OP_ALL). This option used to disable the | |
countermeasure against man-in-the-middle protocol-version | |
rollback in the SSL 2.0 server implementation, which is a bad | |
idea. (CVE-2005-2969) | |
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center | |
for Information Security, National Institute of Advanced Industrial | |
Science and Technology [AIST], Japan)] | |
*) Add two functions to clear and return the verify parameter flags.
[Steve Henson] | |
*) Keep cipherlists sorted in the source instead of sorting them at | |
runtime, thus removing the need for a lock. | |
[Nils Larsch] | |
*) Avoid some small subgroup attacks in Diffie-Hellman. | |
[Nick Mathewson and Ben Laurie] | |
*) Add functions for well-known primes. | |
[Nick Mathewson] | |
*) Extended Windows CE support. | |
[Satoshi Nakamura and Andy Polyakov] | |
*) Initialize SSL_METHOD structures at compile time instead of during | |
runtime, thus removing the need for a lock. | |
[Steve Henson] | |
*) Make PKCS7_decrypt() work even if no certificate is supplied by | |
attempting to decrypt each encrypted key in turn. Add support to | |
smime utility. | |
[Steve Henson] | |
Changes between 0.9.7h and 0.9.8 [05 Jul 2005] | |
[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after | |
OpenSSL 0.9.8.] | |
*) Add libcrypto.pc and libssl.pc for those who feel they need them. | |
[Richard Levitte] | |
*) Change CA.sh and CA.pl so they don't bundle the CSR and the private | |
key into the same file any more. | |
[Richard Levitte] | |
*) Add initial support for Win64, both IA64 and AMD64/x64 flavors. | |
[Andy Polyakov] | |
*) Add -utf8 command line and config file option to 'ca'. | |
[Stefan <stf@udoma.org>]
*) Removed the macro des_crypt(), as it seems to conflict with some | |
libraries. Use DES_crypt(). | |
[Richard Levitte] | |
*) Correct naming of the 'chil' and '4758cca' ENGINEs. This | |
involves renaming the source and generated shared-libs for | |
both. The engines will accept the corrected or legacy ids | |
('ncipher' and '4758_cca' respectively) when binding. NB, | |
this only applies when building 'shared'. | |
[Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe] | |
*) Add attribute functions to EVP_PKEY structure. Modify | |
PKCS12_create() to recognize a CSP name attribute and | |
use it. Make -CSP option work again in pkcs12 utility. | |
[Steve Henson] | |
*) Add new functionality to the bn blinding code: | |
- automatic re-creation of the BN_BLINDING parameters after | |
a fixed number of uses (currently 32) | |
- add new function for parameter creation | |
- introduce flags to control the update behaviour of the | |
BN_BLINDING parameters | |
- hide BN_BLINDING structure | |
Add a second BN_BLINDING slot to the RSA structure to improve | |
performance when a single RSA object is shared among several | |
threads. | |
[Nils Larsch] | |
*) Add support for DTLS. | |
[Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie] | |
*) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) | |
to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() | |
[Walter Goulet] | |
*) Remove buggy and incomplete DH cert support from
ssl/ssl_rsa.c and ssl/s3_both.c | |
[Nils Larsch] | |
*) Use SHA-1 instead of MD5 as the default digest algorithm for | |
the apps/openssl applications. | |
[Nils Larsch] | |
*) Compile clean with "-Wall -Wmissing-prototypes | |
-Wstrict-prototypes -Wmissing-declarations -Werror". Currently | |
DEBUG_SAFESTACK must also be set. | |
[Ben Laurie] | |
*) Change ./Configure so that certain algorithms can be disabled by default. | |
The new counterpart to "no-xxx" is "enable-xxx".
The patented RC5 and MDC2 algorithms will now be disabled unless | |
"enable-rc5" and "enable-mdc2", respectively, are specified. | |
(IDEA remains enabled despite being patented. This is because IDEA | |
is frequently required for interoperability, and there is no license | |
fee for non-commercial use. As before, "no-idea" can be used to | |
avoid this algorithm.) | |
[Bodo Moeller] | |
*) Add processing of proxy certificates (see RFC 3820). This work was | |
sponsored by KTH (The Royal Institute of Technology in Stockholm) and | |
EGEE (Enabling Grids for E-science in Europe). | |
[Richard Levitte] | |
*) RC4 performance overhaul on modern architectures/implementations, such | |
as Intel P4, IA-64 and AMD64. | |
[Andy Polyakov] | |
*) New utility extract-section.pl. This can be used to specify an alternative
section number in a pod file instead of having to treat each file as
a separate case in Makefile. This can be done by adding two lines to the
pod file:
=for comment openssl_section:XXX

The blank line is mandatory.
[Steve Henson]
*) New arguments -certform, -keyform and -pass for s_client and s_server | |
to allow alternative format key and certificate files and passphrase | |
sources. | |
[Steve Henson] | |
*) New structure X509_VERIFY_PARAM which combines current verify parameters, | |
update associated structures and add various utility functions. | |
Add new policy related verify parameters, include policy checking in | |
standard verify code. Enhance 'smime' application with extra parameters | |
to support policy checking and print out. | |
[Steve Henson] | |
*) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 | |
Nehemiah processors. These extensions support AES encryption in hardware | |
as well as RNG (though RNG support is currently disabled). | |
[Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] | |
*) Deprecate BN_[get|set]_params() functions (they were ignored internally). | |
[Geoff Thorpe] | |
*) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. | |
[Andy Polyakov and a number of other people] | |
*) Improved PowerPC platform support. Most notably BIGNUM assembler | |
implementation contributed by IBM. | |
[Suresh Chari, Peter Waltenberg, Andy Polyakov] | |
*) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public | |
exponent rather than 'unsigned long'. There is a corresponding change to | |
the new 'rsa_keygen' element of the RSA_METHOD structure. | |
[Jelte Jansen, Geoff Thorpe] | |
*) Functionality for creating the initial serial number file is now | |
moved from CA.pl to the 'ca' utility with a new option -create_serial. | |
(Before OpenSSL 0.9.7e, CA.pl used to initialize the serial | |
number file to 1, which is bound to cause problems. To avoid | |
the problems while respecting compatibility between different 0.9.7 | |
patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in | |
CA.pl for serial number initialization. With the new release 0.9.8, | |
we can fix the problem directly in the 'ca' utility.) | |
[Steve Henson] | |
*) Reduced header interdependencies by declaring more opaque objects in
ossl_typ.h. As a consequence, including some headers (eg. engine.h) will | |
give fewer recursive includes, which could break lazy source code - so | |
this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, | |
developers should define this symbol when building and using openssl to | |
ensure they track the recommended behaviour, interfaces, [etc], but | |
backwards-compatible behaviour prevails when this isn't defined. | |
[Geoff Thorpe] | |
*) New function X509_POLICY_NODE_print() which prints out policy nodes. | |
[Steve Henson] | |
*) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. | |
This will generate a random key of the appropriate length based on the | |
cipher context. The EVP_CIPHER can provide its own random key generation | |
routine to support keys of a specific form. This is used in the des and | |
3des routines to generate a key of the correct parity. Update S/MIME | |
code to use new functions and hence generate correct parity DES keys. | |
Add EVP_CHECK_DES_KEY #define to return an error if the key is not | |
valid (weak or incorrect parity). | |
[Steve Henson] | |
*) Add a local set of CRLs that can be used by X509_verify_cert() as well | |
as looking them up. This is useful when the verified structure may contain | |
CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs | |
present unless the new PKCS7_NO_CRL flag is asserted. | |
[Steve Henson] | |
*) Extend ASN1 oid configuration module. It now additionally accepts the | |
syntax: | |
shortName = some long name, 1.2.3.4 | |
[Steve Henson] | |
*) Reimplemented the BN_CTX implementation. There is now no more static | |
limitation on the number of variables it can handle nor the depth of the | |
"stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack | |
information can now expand as required, and rather than having a single | |
static array of bignums, BN_CTX now uses a linked-list of such arrays | |
allowing it to expand on demand whilst maintaining the usefulness of | |
BN_CTX's "bundling". | |
[Geoff Thorpe] | |
*) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD | |
to allow all RSA operations to function using a single BN_CTX. | |
[Geoff Thorpe] | |
*) Preliminary support for certificate policy evaluation and checking. This | |
is initially intended to pass the tests outlined in "Conformance Testing | |
of Relying Party Client Certificate Path Processing Logic" v1.07. | |
[Steve Henson] | |
*) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and | |
remained unused and not that useful. A variety of other little bignum | |
tweaks and fixes have also been made continuing on from the audit (see | |
below). | |
[Geoff Thorpe] | |
*) Constify all or almost all d2i, c2i, s2i and r2i functions, along with | |
associated ASN1, EVP and SSL functions and old ASN1 macros. | |
[Richard Levitte] | |
*) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, | |
and this should never fail. So the return value from the use of | |
BN_set_word() (which can fail due to needless expansion) is now deprecated; | |
if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. | |
[Geoff Thorpe] | |
*) BN_CTX_get() should return zero-valued bignums, providing the same | |
initialised value as BN_new(). | |
[Geoff Thorpe, suggested by Ulf Möller] | |
*) Support for inhibitAnyPolicy certificate extension. | |
[Steve Henson] | |
*) An audit of the BIGNUM code is underway, for which debugging code is | |
enabled when BN_DEBUG is defined. This makes stricter enforcements on what | |
is considered valid when processing BIGNUMs, and causes execution to | |
assert() when a problem is discovered. If BN_DEBUG_RAND is defined, | |
further steps are taken to deliberately pollute unused data in BIGNUM | |
structures to try and expose faulty code further on. For now, openssl will | |
(in its default mode of operation) continue to tolerate the inconsistent | |
forms that it has tolerated in the past, but authors and packagers should | |
consider trying openssl and their own applications when compiled with | |
these debugging symbols defined. It will help highlight potential bugs in | |
their own code, and will improve the test coverage for OpenSSL itself. At | |
some point, these tighter rules will become openssl's default to improve | |
maintainability, though the assert()s and other overheads will remain only | |
in debugging configurations. See bn.h for more details. | |
[Geoff Thorpe, Nils Larsch, Ulf Möller] | |
*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure | |
that can only be obtained through BN_CTX_new() (which implicitly | |
initialises it). The presence of this function only made it possible | |
to overwrite an existing structure (and cause memory leaks). | |
[Geoff Thorpe] | |
*) Because of the callback-based approach for implementing LHASH as a | |
template type, lh_insert() adds opaque objects to hash-tables and | |
lh_doall() or lh_doall_arg() are typically used with a destructor callback | |
to clean up those corresponding objects before destroying the hash table | |
(and losing the object pointers). So some over-zealous constifications in | |
LHASH have been relaxed so that lh_insert() does not take (nor store) the | |
objects as "const" and the lh_doall[_arg] callback wrappers are not | |
prototyped to have "const" restrictions on the object pointers they are | |
given (and so aren't required to cast them away any more). | |
[Geoff Thorpe] | |
*) The tmdiff.h API was so ugly and minimal that our own timing utility | |
(speed) prefers to use its own implementation. The two implementations | |
haven't been consolidated as yet (volunteers?) but the tmdiff API has had | |
its object type properly exposed (MS_TM) instead of casting to/from "char | |
*". This may still change yet if someone realises MS_TM and "ms_time_***" | |
aren't necessarily the greatest nomenclatures - but this is what was used | |
internally to the implementation so I've used that for now. | |
[Geoff Thorpe] | |
*) Ensure that deprecated functions do not get compiled when | |
OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of | |
the self-tests were still using deprecated key-generation functions so | |
these have been updated also. | |
[Geoff Thorpe] | |
*) Reorganise PKCS#7 code to separate the digest location functionality | |
into PKCS7_find_digest() and digest addition into PKCS7_bio_add_digest(). | |
New function PKCS7_set_digest() to set the digest type for PKCS#7 | |
digestedData type. Add additional code to correctly generate the | |
digestedData type and add support for this type in PKCS7 initialization | |
functions. | |
[Steve Henson] | |
*) New function PKCS7_set0_type_other() this initializes a PKCS7 | |
structure of type "other". | |
[Steve Henson] | |
*) Fix the prime generation loop in crypto/bn/bn_prime.pl by making | |
sure the loop terminates correctly and that modulus operations which | |
would break it ("division by zero") are not performed. The (pre-generated) prime | |
table crypto/bn/bn_prime.h was already correct, but it could not be | |
re-generated on some platforms because of the "division by zero" | |
situation in the script. | |
[Ralf S. Engelschall] | |
*) Update support for ECC-based TLS ciphersuites according to | |
draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with | |
SHA-1 now is only used for "small" curves (where the | |
representation of a field element takes up to 24 bytes); for | |
larger curves, the field element resulting from ECDH is directly | |
used as premaster secret. | |
[Douglas Stebila (Sun Microsystems Laboratories)] | |
*) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2 | |
curve secp160r1 to the tests. | |
[Douglas Stebila (Sun Microsystems Laboratories)] | |
*) Add the possibility to load symbols globally with DSO. | |
[Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte] | |
*) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better | |
control of the error stack. | |
[Richard Levitte] | |
*) Add support for STORE in ENGINE. | |
[Richard Levitte] | |
*) Add the STORE type. The intention is to provide a common interface | |
to certificate and key stores, be they simple file-based stores, or | |
HSM-type stores, or LDAP stores, or... | |
NOTE: The code is currently UNTESTED and isn't really used anywhere. | |
[Richard Levitte] | |
*) Add a generic structure called OPENSSL_ITEM. This can be used to | |
pass a list of arguments to any function as well as provide a way | |
for a function to pass data back to the caller. | |
[Richard Levitte] | |
*) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup() | |
works like BUF_strdup() but can be used to duplicate a portion of | |
a string. The copy gets NUL-terminated. BUF_memdup() duplicates | |
a memory area. | |
[Richard Levitte] | |
*) Add the function sk_find_ex() which works like sk_find(), but will | |
return an index to an element even if an exact match couldn't be | |
found. The index is guaranteed to point at the element where the | |
searched-for key would be inserted to preserve sorting order. | |
[Richard Levitte] | |
*) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but | |
takes an extra flags argument for optional functionality. Currently, | |
the following flags are defined: | |
OBJ_BSEARCH_VALUE_ON_NOMATCH | |
This one gets OBJ_bsearch_ex() to return a pointer to the first | |
element where the comparing function returns a negative or zero | |
number. | |
OBJ_BSEARCH_FIRST_VALUE_ON_MATCH | |
This one gets OBJ_bsearch_ex() to return a pointer to the first | |
element where the comparing function returns zero. This is useful | |
if there are more than one element where the comparing function | |
returns zero. | |
[Richard Levitte] | |
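As an added illustration (not OpenSSL's code) of the two OBJ_bsearch_ex() flag behaviours just described and of the sk_find_ex() insertion-point semantics in the previous entry, here is a self-contained C binary search with the same two flags; the EX_ names, the -1/NULL conventions and the sample table are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Flag names are this example's own; they mirror the semantics of OpenSSL's
 * OBJ_BSEARCH_VALUE_ON_NOMATCH and OBJ_BSEARCH_FIRST_VALUE_ON_MATCH. */
#define EX_BSEARCH_VALUE_ON_NOMATCH     0x01
#define EX_BSEARCH_FIRST_VALUE_ON_MATCH 0x02

/* Binary search over num sorted elements of size bytes each. Returns the index
 * of a match; with no match it returns -1, or, when VALUE_ON_NOMATCH is set,
 * the index of the first element comparing >= key (num if there is none),
 * which is exactly where sk_find_ex() says the key would be inserted. With
 * FIRST_VALUE_ON_MATCH the search continues leftwards after a hit so the
 * lowest index among equal elements is returned. */
long ex_bsearch_idx(const void *key, const void *base, size_t num, size_t size,
                    int (*cmp)(const void *, const void *), int flags)
{
    const char *p = (const char *)base;
    size_t lo = 0, hi = num;                 /* candidates are in [lo, hi) */
    long found = -1;

    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = cmp(key, p + mid * size);
        if (c < 0) {
            hi = mid;
        } else if (c > 0) {
            lo = mid + 1;
        } else {
            found = (long)mid;
            if (!(flags & EX_BSEARCH_FIRST_VALUE_ON_MATCH))
                return found;
            hi = mid;                        /* an earlier equal may exist */
        }
    }
    if (found >= 0)
        return found;                        /* converged on leftmost match */
    return (flags & EX_BSEARCH_VALUE_ON_NOMATCH) ? (long)lo : -1;
}

/* Pointer-returning wrapper in the style of OBJ_bsearch_ex(). This version
 * returns NULL when the key exceeds every element (index == num) rather than
 * an end pointer, so a careless caller cannot dereference past the table. */
const void *ex_bsearch_ptr(const void *key, const void *base, size_t num,
                           size_t size, int (*cmp)(const void *, const void *),
                           int flags)
{
    long idx = ex_bsearch_idx(key, base, num, size, cmp, flags);
    if (idx < 0 || (size_t)idx >= num)
        return NULL;
    return (const char *)base + (size_t)idx * size;
}

int ex_cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Constructed, sorted sample table with duplicates. */
const int ex_sample_table[] = {1, 2, 2, 2, 3, 5};
#define EX_SAMPLE_COUNT (sizeof(ex_sample_table) / sizeof(ex_sample_table[0]))

int main(void)
{
    int k2 = 2, k4 = 4;
    printf("first 2 at index %ld\n",
           ex_bsearch_idx(&k2, ex_sample_table, EX_SAMPLE_COUNT, sizeof(int),
                          ex_cmp_int, EX_BSEARCH_FIRST_VALUE_ON_MATCH));
    printf("4 would be inserted at index %ld\n",
           ex_bsearch_idx(&k4, ex_sample_table, EX_SAMPLE_COUNT, sizeof(int),
                          ex_cmp_int, EX_BSEARCH_VALUE_ON_NOMATCH));
    return 0;
}
```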
*) Make it possible to create self-signed certificates with 'openssl ca' | |
in such a way that the self-signed certificate becomes part of the | |
CA database and uses the same mechanisms for serial number generation | |
as all other certificate signing. The new flag '-selfsign' enables | |
this functionality. Adapt CA.sh and CA.pl.in. | |
[Richard Levitte] | |
*) Add functionality to check the public key of a certificate request | |
against a given private key. This is useful to check that a certificate | |
request can be signed by that key (self-signing). | |
[Richard Levitte] | |
*) Make it possible to have multiple active certificates with the same | |
subject in the CA index file. This is done only if the keyword | |
'unique_subject' is set to 'no' in the main CA section (by default | |
'CA_default') of the configuration file. The value is saved | |
with the database itself in a separate index attribute file, | |
named like the index file with '.attr' appended to the name. | |
[Richard Levitte] | |
*) Generate multi-valued AVAs using '+' notation in config files for | |
req and dirName. | |
[Steve Henson] | |
*) Support for nameConstraints certificate extension. | |
[Steve Henson] | |
*) Support for policyConstraints certificate extension. | |
[Steve Henson] | |
*) Support for policyMappings certificate extension. | |
[Steve Henson] | |
*) Make sure the default DSA_METHOD implementation only uses its | |
dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, | |
and change its own handlers to be NULL so as to remove unnecessary | |
indirection. This lets alternative implementations fallback to the | |
default implementation more easily. | |
[Geoff Thorpe] | |
*) Support for directoryName in GeneralName related extensions | |
in config files. | |
[Steve Henson] | |
*) Make it possible to link applications using Makefile.shared. | |
Make that possible even when linking against static libraries! | |
[Richard Levitte] | |
*) Support for single pass processing for S/MIME signing. This now | |
means that S/MIME signing can be done from a pipe; in addition, | |
cleartext signing (multipart/signed type) is effectively streaming | |
and the signed data does not need to be all held in memory. | |
This is done with a new flag PKCS7_STREAM. When this flag is set | |
PKCS7_sign() only initializes the PKCS7 structure and the actual signing | |
is done after the data is output (and digests calculated) in | |
SMIME_write_PKCS7(). | |
[Steve Henson] | |
*) Add full support for -rpath/-R, both in shared libraries and | |
applications, at least on the platforms where it's known how | |
to do it. | |
[Richard Levitte] | |
*) In crypto/ec/ec_mult.c, implement fast point multiplication with | |
precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() | |
will now compute a table of multiples of the generator that | |
makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() | |
faster (notably in the case of a single point multiplication, | |
scalar * generator). | |
[Nils Larsch, Bodo Moeller] | |
*) IPv6 support for certificate extensions. The various extensions | |
which use the IP:a.b.c.d can now take IPv6 addresses using the | |
formats of RFC 1884 section 2.2. IPv6 addresses are now also displayed | |
correctly. | |
[Steve Henson] | |
*) Added an ENGINE that implements RSA by performing private key | |
exponentiations with the GMP library. The conversions to and from | |
GMP's mpz_t format aren't optimised nor are any Montgomery forms | |
cached, and on x86 it appears OpenSSL's own performance has caught up. | |
However there are likely to be other architectures where GMP could | |
provide a boost. This ENGINE is not built in by default, but it can be | |
specified at Configure time and should be accompanied by the necessary | |
linker additions, e.g.: | |
./config -DOPENSSL_USE_GMP -lgmp | |
[Geoff Thorpe] | |
*) "openssl engine" will not display ENGINE/DSO load failure errors when | |
testing availability of engines with "-t" - the old behaviour is | |
produced by increasing the feature's verbosity with "-tt". | |
[Geoff Thorpe] | |
*) ECDSA routines: under certain error conditions uninitialized BN objects | |
could be freed. Solution: make sure initialization is performed early | |
enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de> | |
via PR#459) | |
[Lutz Jaenicke] | |
*) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD | |
and DH_METHOD (eg. by ENGINE implementations) to override the normal | |
software implementations. For DSA and DH, parameter generation can | |
also be overridden by providing the appropriate method callbacks. | |
[Geoff Thorpe] | |
*) Change the "progress" mechanism used in key-generation and | |
primality testing to functions that take a new BN_GENCB pointer in | |
place of callback/argument pairs. The new API functions have "_ex" | |
postfixes and the older functions are reimplemented as wrappers for | |
the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide | |
declarations of the old functions to help (graceful) attempts to | |
migrate to the new functions. Also, the new key-generation API | |
functions operate on a caller-supplied key-structure and return | |
success/failure rather than returning a key or NULL - this is to | |
help make "keygen" another member function of RSA_METHOD etc. | |
Example for using the new callback interface: | |
int (*my_callback)(int a, int b, BN_GENCB *cb) = ...; | |
void *my_arg = ...; | |
BN_GENCB my_cb; | |
BN_GENCB_set(&my_cb, my_callback, my_arg); | |
return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &my_cb); | |
/* For the meaning of a, b in calls to my_callback(), see the | |
* documentation of the function that calls the callback. | |
* cb will point to my_cb; my_arg can be retrieved as cb->arg. | |
* my_callback should return 1 if it wants BN_is_prime_ex() | |
* to continue, or 0 to stop. | |
*/ | |
[Geoff Thorpe] | |
*) Change the ZLIB compression method to be stateful, and make it | |
available to TLS with the number defined in | |
draft-ietf-tls-compression-04.txt. | |
[Richard Levitte] | |
*) Add the ASN.1 structures and functions for CertificatePair, which | |
is defined as follows (according to X.509_4thEditionDraftV6.pdf): | |
CertificatePair ::= SEQUENCE { | |
forward [0] Certificate OPTIONAL, | |
reverse [1] Certificate OPTIONAL, | |
-- at least one of the pair shall be present -- } | |
Also implement the PEM functions to read and write certificate | |
pairs, and defined the PEM tag as "CERTIFICATE PAIR". | |
This needed to be defined, mostly for the sake of the LDAP | |
attribute crossCertificatePair, but may prove useful elsewhere as | |
well. | |
[Richard Levitte] | |
*) Make it possible to inhibit symlinking of shared libraries in | |
Makefile.shared, for Cygwin's sake. | |
[Richard Levitte] | |
*) Extend the BIGNUM API by creating a function | |
void BN_set_negative(BIGNUM *a, int neg); | |
and a macro that behave like | |
int BN_is_negative(const BIGNUM *a); | |
to avoid the need to access 'a->neg' directly in applications. | |
[Nils Larsch] | |
*) Implement fast modular reduction for pseudo-Mersenne primes | |
used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). | |
EC_GROUP_new_curve_GFp() will now automatically use this | |
if applicable. | |
[Nils Larsch <nla@trustcenter.de>] | |
*) Add new lock type (CRYPTO_LOCK_BN). | |
[Bodo Moeller] | |
*) Change the ENGINE framework to automatically load engines | |
dynamically from specific directories unless they could be | |
found to already be built in or loaded. Move all the | |
current engines except for the cryptodev one to a new | |
directory engines/. | |
The engines in engines/ are built as shared libraries if | |
the "shared" option was given to ./Configure or ./config. | |
Otherwise, they are inserted in libcrypto.a. | |
/usr/local/ssl/engines is the default directory for dynamic | |
engines, but that can be overridden at configure time through | |
the usual use of --prefix and/or --openssldir, and at run | |
time with the environment variable OPENSSL_ENGINES. | |
[Geoff Thorpe and Richard Levitte] | |
*) Add Makefile.shared, a helper makefile to build shared | |
libraries. Adapt Makefile.org. | |
[Richard Levitte] | |
*) Add version info to Win32 DLLs. | |
[Peter 'Luna' Runestig <peter@runestig.com>] | |
*) Add new 'medium level' PKCS#12 API. Certificates and keys | |
can be added using this API to create arbitrary PKCS#12 | |
files while avoiding the low level API. | |
New options to PKCS12_create(): key or cert can be NULL and | |
will then be omitted from the output file. The encryption | |
algorithm NIDs can be set to -1 for no encryption, the mac | |
iteration count can be set to 0 to omit the mac. | |
Enhance pkcs12 utility by making the -nokeys and -nocerts | |
options work when creating a PKCS#12 file. New option -nomac | |
to omit the mac, NONE can be set for an encryption algorithm. | |
New code is modified to use the enhanced PKCS12_create() | |
instead of the low level API. | |
[Steve Henson] | |
*) Extend ASN1 encoder to support indefinite length constructed | |
encoding. This can output SEQUENCE and OCTET STRING tags in | |
this form. Modify pk7_asn1.c to support indefinite length | |
encoding. This is experimental and needs additional code to | |
be useful, such as an ASN1 bio and some enhanced streaming | |
PKCS#7 code. | |
Extend template encode functionality so that tagging is passed | |
down to the template encoder. | |
[Steve Henson] | |
*) Let 'openssl req' fail if an argument to '-newkey' is not | |
recognized instead of using RSA as a default. | |
[Bodo Moeller] | |
*) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt. | |
As these are not official, they are not included in "ALL"; | |
the "ECCdraft" ciphersuite group alias can be used to select them. | |
[Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)] | |
*) Add ECDH engine support. | |
[Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)] | |
*) Add ECDH in new directory crypto/ecdh/. | |
[Douglas Stebila (Sun Microsystems Laboratories)] | |
*) Let BN_rand_range() abort with an error after 100 iterations | |
without success (which indicates a broken PRNG). | |
[Bodo Moeller] | |
*) Change BN_mod_sqrt() so that it verifies that the input value | |
is really the square of the return value. (Previously, | |
BN_mod_sqrt would show GIGO behaviour.) | |
[Bodo Moeller] | |
*) Add named elliptic curves over binary fields from X9.62, SECG, | |
and WAP/WTLS; add OIDs that were still missing. | |
[Sheueling Chang Shantz and Douglas Stebila | |
(Sun Microsystems Laboratories)] | |
*) Extend the EC library for elliptic curves over binary fields | |
(new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/). | |
New EC_METHOD: | |
EC_GF2m_simple_method | |
New API functions: | |
EC_GROUP_new_curve_GF2m | |
EC_GROUP_set_curve_GF2m | |
EC_GROUP_get_curve_GF2m | |
EC_POINT_set_affine_coordinates_GF2m | |
EC_POINT_get_affine_coordinates_GF2m | |
EC_POINT_set_compressed_coordinates_GF2m | |
Point compression for binary fields is disabled by default for | |
patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to | |
enable it). | |
As binary polynomials are represented as BIGNUMs, various members | |
of the EC_GROUP and EC_POINT data structures can be shared | |
between the implementations for prime fields and binary fields; | |
the above ..._GF2m functions (except for EC_GROUP_new_curve_GF2m) | |
are essentially identical to their ..._GFp counterparts. | |
(For simplicity, the '..._GFp' prefix has been dropped from | |
various internal method names.) | |
An internal 'field_div' method (similar to 'field_mul' and | |
'field_sqr') has been added; this is used only for binary fields. | |
[Sheueling Chang Shantz and Douglas Stebila | |
(Sun Microsystems Laboratories)] | |
*) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult() | |
through methods ('mul', 'precompute_mult'). | |
The generic implementations (now internally called 'ec_wNAF_mul' | |
and 'ec_wNAF_precomputed_mult') remain the default if these | |
methods are undefined. | |
[Sheueling Chang Shantz and Douglas Stebila | |
(Sun Microsystems Laboratories)] | |
*) New function EC_GROUP_get_degree, which is defined through | |
EC_METHOD. For curves over prime fields, this returns the bit | |
length of the modulus. | |
[Sheueling Chang Shantz and Douglas Stebila | |
(Sun Microsystems Laboratories)] | |
*) New functions EC_GROUP_dup, EC_POINT_dup. | |
(These simply call ..._new and ..._copy). | |
[Sheueling Chang Shantz and Douglas Stebila | |
(Sun Microsystems Laboratories)] | |
*) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. | |
Polynomials are represented as BIGNUMs (where the sign bit is not | |
used) in the following functions [macros]: | |
BN_GF2m_add | |
BN_GF2m_sub [= BN_GF2m_add] | |
BN_GF2m_mod [wrapper for BN_GF2m_mod_arr] | |
BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr] | |
BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr] | |
BN_GF2m_mod_inv | |
BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr] | |
BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr] | |
BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr] | |
BN_GF2m_cmp [= BN_ucmp] | |
(Note that only the 'mod' functions are actually for fields GF(2^m). | |
BN_GF2m_add() is a misnomer, but this is for the sake of consistency.) | |
For some functions, the irreducible polynomial defining a | |
field can be given as an 'unsigned int[]' with strictly | |
decreasing elements giving the indices of those bits that are set; | |
i.e., p[] represents the polynomial | |
f(t) = t^p[0] + t^p[1] + ... + t^p[k] | |
where | |
p[0] > p[1] > ... > p[k] = 0. | |
This applies to the following functions: | |
BN_GF2m_mod_arr | |
BN_GF2m_mod_mul_arr | |
BN_GF2m_mod_sqr_arr | |
BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv] | |
BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div] | |
BN_GF2m_mod_exp_arr | |
BN_GF2m_mod_sqrt_arr | |
BN_GF2m_mod_solve_quad_arr | |
BN_GF2m_poly2arr | |
BN_GF2m_arr2poly | |
Conversion can be performed by the following functions: | |
BN_GF2m_poly2arr | |
BN_GF2m_arr2poly | |
bntest.c has additional tests for binary polynomial arithmetic. | |
Two implementations for BN_GF2m_mod_div() are available. | |
The default algorithm simply uses BN_GF2m_mod_inv() and | |
BN_GF2m_mod_mul(). The alternative algorithm is compiled in only | |
if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the | |
copyright notice in crypto/bn/bn_gf2m.c before enabling it). | |
[Sheueling Chang Shantz and Douglas Stebila | |
(Sun Microsystems Laboratories)] | |
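An added example, not OpenSSL's bn_gf2m.c, that works through the 'arr' representation above on 64-bit words: the irreducible polynomial is given as the strictly decreasing index array p[] and reduction, multiplication, exponentiation and inversion are built on it. The -1 terminator, the gf2m_ function names and the AES-field sample polynomial are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Polynomials of degree < 64 are packed into a uint64_t (bit i <-> t^i); the
 * irreducible polynomial uses the 'arr' form: strictly decreasing bit indices
 * ending in 0. This example ends the array with -1 (OpenSSL passes a length). */
#define GF2M_MAX_TERMS 65              /* 64 indices plus the -1 sentinel */

/* Validate the arr form: strictly decreasing, last index 0, degree 1..63. */
int gf2m_arr_ok(const int p[])
{
    int i;
    if (p[0] < 1 || p[0] > 63) return 0;
    for (i = 1; p[i] >= 0; i++)
        if (p[i] >= p[i - 1]) return 0;
    return p[i - 1] == 0;
}

/* poly2arr: list the set bits of a from highest to lowest; returns the term
 * count, or -1 if the array cannot hold the terms plus the sentinel. */
int gf2m_poly2arr(uint64_t a, int p[], int max)
{
    int n = 0;
    for (int i = 63; i >= 0; i--) {
        if ((a >> i) & 1) {
            if (n + 1 >= max) return -1;
            p[n++] = i;
        }
    }
    p[n] = -1;
    return n;
}

/* arr2poly: rebuild the packed polynomial from its index list. */
uint64_t gf2m_arr2poly(const int p[])
{
    uint64_t a = 0;
    for (int i = 0; p[i] >= 0; i++)
        a |= (uint64_t)1 << p[i];
    return a;
}

/* mod_arr: reduce a modulo f(t) = t^p[0] + t^p[1] + ... + 1 (m = p[0]). A set
 * bit t^i with i >= m becomes t^(i-m) * (f(t) - t^m): k XORs per bit. */
uint64_t gf2m_mod_arr(uint64_t a, const int p[])
{
    int m = p[0];
    for (int i = 63; i >= m; i--) {
        if ((a >> i) & 1) {
            a ^= (uint64_t)1 << i;
            for (int j = 1; p[j] >= 0; j++)
                a ^= (uint64_t)1 << (i - m + p[j]);
        }
    }
    return a;
}

/* mod_mul_arr: shift-and-add multiplication with reduction interleaved, so
 * intermediate values never exceed degree m and still fit in 64 bits. */
uint64_t gf2m_mod_mul_arr(uint64_t a, uint64_t b, const int p[])
{
    int m = p[0];
    uint64_t r = 0;
    a = gf2m_mod_arr(a, p);
    b = gf2m_mod_arr(b, p);
    for (int i = m - 1; i >= 0; i--) {
        r = gf2m_mod_arr(r << 1, p);        /* r *= t, then fold t^m back */
        if ((b >> i) & 1) r ^= a;
    }
    return r;
}

/* mod_exp_arr: square-and-multiply with a plain 64-bit exponent. */
uint64_t gf2m_mod_exp_arr(uint64_t a, uint64_t e, const int p[])
{
    uint64_t r = 1;
    for (int i = 63; i >= 0; i--) {
        r = gf2m_mod_mul_arr(r, r, p);
        if ((e >> i) & 1) r = gf2m_mod_mul_arr(r, a, p);
    }
    return r;
}

/* mod_inv_arr: the multiplicative group of GF(2^m) has order 2^m - 1, so
 * a^(2^m - 2) = a^-1 for a != 0 (0 has no inverse and yields 0 here). */
uint64_t gf2m_mod_inv_arr(uint64_t a, const int p[])
{
    return gf2m_mod_exp_arr(a, ((uint64_t)1 << p[0]) - 2, p);
}

/* Constructed sample: the AES field GF(2^8), f(t) = t^8 + t^4 + t^3 + t + 1. */
const int gf2m_aes_poly[] = {8, 4, 3, 1, 0, -1};

int main(void)
{
    printf("0x53 * 0xCA mod f = 0x%02llx, inv(0x53) = 0x%02llx\n",
           (unsigned long long)gf2m_mod_mul_arr(0x53, 0xCA, gf2m_aes_poly),
           (unsigned long long)gf2m_mod_inv_arr(0x53, gf2m_aes_poly));
    return 0;
}
```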
*) Add new error code 'ERR_R_DISABLED' that can be used when some | |
functionality is disabled at compile-time. | |
[Douglas Stebila <douglas.stebila@sun.com>] | |
*) Change default behaviour of 'openssl asn1parse' so that more | |
information is visible when viewing, e.g., a certificate: | |
Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump' | |
mode the content of non-printable OCTET STRINGs is output in a | |
style similar to INTEGERs, but with '[HEX DUMP]' prepended to | |
avoid the appearance of a printable string. | |
[Nils Larsch <nla@trustcenter.de>] | |
*) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access | |
functions | |
EC_GROUP_set_asn1_flag() | |
EC_GROUP_get_asn1_flag() | |
EC_GROUP_set_point_conversion_form() | |
EC_GROUP_get_point_conversion_form() | |
These control ASN1 encoding details: | |
- Curves (i.e., groups) are encoded explicitly unless asn1_flag | |
has been set to OPENSSL_EC_NAMED_CURVE. | |
- Points are encoded in uncompressed form by default; options for | |
asn1_form are as for point2oct, namely | |
POINT_CONVERSION_COMPRESSED | |
POINT_CONVERSION_UNCOMPRESSED | |
POINT_CONVERSION_HYBRID | |
Also add 'seed' and 'seed_len' members to EC_GROUP with access | |
functions | |
EC_GROUP_set_seed() | |
EC_GROUP_get0_seed() | |
EC_GROUP_get_seed_len() | |
This is used only for ASN1 purposes (so far). | |
[Nils Larsch <nla@trustcenter.de>] | |
*) Add 'field_type' member to EC_METHOD, which holds the NID | |
of the appropriate field type OID. The new function | |
EC_METHOD_get_field_type() returns this value. | |
[Nils Larsch <nla@trustcenter.de>] | |
*) Add functions | |
EC_POINT_point2bn() | |
EC_POINT_bn2point() | |
EC_POINT_point2hex() | |
EC_POINT_hex2point() | |
providing useful interfaces to EC_POINT_point2oct() and | |
EC_POINT_oct2point(). | |
[Nils Larsch <nla@trustcenter.de>] | |
*) Change internals of the EC library so that the functions | |
EC_GROUP_set_generator() | |
EC_GROUP_get_generator() | |
EC_GROUP_get_order() | |
EC_GROUP_get_cofactor() | |
are implemented directly in crypto/ec/ec_lib.c and not dispatched | |
to methods, which would lead to unnecessary code duplication when | |
adding different types of curves. | |
[Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller] | |
*) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM | |
arithmetic, and such that modified wNAFs are generated | |
(which avoid length expansion in many cases). | |
[Bodo Moeller] | |
*) Add a function EC_GROUP_check_discriminant() (defined via | |
EC_METHOD) that verifies that the curve discriminant is non-zero. | |
Add a function EC_GROUP_check() that makes some sanity tests | |
on an EC_GROUP, its generator and order. This includes | |
EC_GROUP_check_discriminant(). | |
[Nils Larsch <nla@trustcenter.de>] | |
*) Add ECDSA in new directory crypto/ecdsa/. | |
Add applications 'openssl ecparam' and 'openssl ecdsa' | |
(these are based on 'openssl dsaparam' and 'openssl dsa'). | |
ECDSA support is also included in various other files across the | |
library. Most notably, | |
- 'openssl req' now has a '-newkey ecdsa:file' option; | |
- EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA; | |
- X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and | |
d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make | |
them suitable for ECDSA where domain parameters must be | |
extracted before the specific public key; | |
- ECDSA engine support has been added. | |
[Nils Larsch <nla@trustcenter.de>] | |
*) Include some named elliptic curves, and add OIDs from X9.62, | |
SECG, and WAP/WTLS. Each curve can be obtained from the new | |
function | |
EC_GROUP_new_by_curve_name(), | |
and the list of available named curves can be obtained with | |
EC_get_builtin_curves(). | |
Also add a 'curve_name' member to EC_GROUP objects, which can be | |
accessed via | |
EC_GROUP_set_curve_name() | |
EC_GROUP_get_curve_name() | |
[Nils Larsch <larsch@trustcenter.de>, Bodo Moeller] | |
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there | |
was actually never needed) and in BN_mul(). The removal in BN_mul() | |
required a small change in bn_mul_part_recursive() and the addition | |
of the functions bn_cmp_part_words(), bn_sub_part_words() and | |
bn_add_part_words(), which do the same thing as bn_cmp_words(), | |
bn_sub_words() and bn_add_words() except they take arrays with | |
differing sizes. | |
[Richard Levitte] | |
Changes between 0.9.7l and 0.9.7m [23 Feb 2007] | |
*) Cleanse PEM buffers before freeing them since they may contain | |
sensitive data. | |
[Benjamin Bennett <ben@psc.edu>] | |
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that | |
a ciphersuite string such as "DEFAULT:RSA" cannot enable | |
authentication-only ciphersuites. | |
[Bodo Moeller] | |
*) Since AES128 and AES256 share a single mask bit in the logic of | |
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a | |
kludge to work properly if AES128 is available and AES256 isn't. | |
[Victor Duchovni] | |
*) Expand security boundary to match 1.1.1 module. | |
[Steve Henson] | |
*) Remove redundant features: hash file source, editing of test vectors. | |
Modify fipsld to use external fips_premain.c signature. | |
[Steve Henson] | |
*) New perl script mkfipsscr.pl to create shell scripts or batch files to | |
run algorithm test programs. | |
[Steve Henson] | |
*) Make algorithm test programs more tolerant of whitespace. | |
[Steve Henson] | |
*) Have SSL/TLS server implementation tolerate "mismatched" record | |
protocol version while receiving ClientHello even if the | |
ClientHello is fragmented. (The server can't insist on the | |
particular protocol version it has chosen before the ServerHello | |
message has informed the client about his choice.) | |
[Bodo Moeller] | |
*) Load error codes if they are not already present instead of using a | |
static variable. This allows them to be cleanly unloaded and reloaded. | |
[Steve Henson] | |
Changes between 0.9.7k and 0.9.7l [28 Sep 2006] | |
*) Introduce limits to prevent malicious keys being able to | |
cause a denial of service. (CVE-2006-2940) | |
[Steve Henson, Bodo Moeller] | |
*) Fix ASN.1 parsing of certain invalid structures that can result | |
in a denial of service. (CVE-2006-2937) [Steve Henson] | |
*) Fix buffer overflow in SSL_get_shared_ciphers() function. | |
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] | |
*) Fix SSL client code which could crash if connecting to a | |
malicious SSLv2 server. (CVE-2006-4343) | |
[Tavis Ormandy and Will Drewry, Google Security Team] | |
*) Change ciphersuite string processing so that an explicit | |
ciphersuite selects this one ciphersuite (so that "AES256-SHA" | |
will no longer include "AES128-SHA"), and any other similar | |
ciphersuite (same bitmap) from *other* protocol versions (so that | |
"RC4-MD5" will still include both the SSL 2.0 ciphersuite and the | |
SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining | |
changes from 0.9.8b and 0.9.8d. | |
[Bodo Moeller] | |
Changes between 0.9.7j and 0.9.7k [05 Sep 2006] | |
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher | |
(CVE-2006-4339) [Ben Laurie and Google Security Team] | |
*) Change the Unix randomness entropy gathering to use poll() when | |
possible instead of select(), since the latter has some | |
undesirable limitations. | |
[Darryl Miles via Richard Levitte and Bodo Moeller] | |
*) Disable rogue ciphersuites: | |
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") | |
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") | |
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") | |
The latter two were purportedly from | |
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really | |
appear there. | |
Also deactivate the remaining ciphersuites from | |
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as | |
unofficial, and the ID has long expired. | |
[Bodo Moeller] | |
*) Fix RSA blinding Heisenbug (problems sometimes occurred on | |
dual-core machines) and other potential thread-safety issues. | |
[Bodo Moeller] | |
Changes between 0.9.7i and 0.9.7j [04 May 2006] | |
*) Adapt fipsld and the build system to link against the validated FIPS | |
module in FIPS mode. | |
[Steve Henson] | |
*) Fixes for VC++ 2005 build under Windows. | |
[Steve Henson] | |
*) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make | |
from a Windows bash shell such as MSYS. It is autodetected from the | |
"config" script when run from a VC++ environment. Modify standard VC++ | |
build to use fipscanister.o from the GNU make build. | |
[Steve Henson] | |
Changes between 0.9.7h and 0.9.7i [14 Oct 2005] | |
*) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS. | |
The value now differs depending on whether you build for FIPS or not. | |
BEWARE! A program linked with a shared FIPSed libcrypto can't be | |
safely run with a non-FIPSed libcrypto, as it may crash because of | |
the difference induced by this change. | |
[Andy Polyakov] | |
Changes between 0.9.7g and 0.9.7h [11 Oct 2005]
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea. (CVE-2005-2969)
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
Science and Technology [AIST], Japan)]
*) Minimal support for X9.31 signatures and PSS padding modes. This is
mainly for FIPS compliance and not fully integrated at this stage.
[Steve Henson]
*) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
the exponentiation using a fixed-length exponent. (Otherwise,
the information leaked through timing could expose the secret key
after many signatures; cf. Bleichenbacher's attack on DSA with
biased k.)
[Bodo Moeller]
*) Make a new fixed-window mod_exp implementation the default for
RSA, DSA, and DH private-key operations so that the sequence of
squares and multiplies and the memory access pattern are
independent of the particular secret key. This will mitigate
cache-timing and potential related attacks.
BN_mod_exp_mont_consttime() is the new exponentiation implementation,
and this is automatically used by BN_mod_exp_mont() if the new flag
BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
will use this BN flag for private exponents unless the flag
RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
[Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
*) Change the client implementation for SSLv23_method() and
SSLv23_client_method() so that it uses the SSL 3.0/TLS 1.0
Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
(Previously, the SSL 2.0 backwards compatible Client Hello
message format would be used even with SSL_OP_NO_SSLv2.)
[Bodo Moeller]
*) Add support for the smime-type MIME parameter in S/MIME messages, which some
clients need.
[Steve Henson]
*) New function BN_MONT_CTX_set_locked() to set Montgomery parameters in
a thread-safe manner. Modify RSA code to use the new function and add calls
to DSA and DH code (which had race conditions before).
[Steve Henson]
*) Include the fixed error library code in the C error file definitions
instead of fixing them up at runtime. This keeps the error code
structures constant.
[Steve Henson]
Changes between 0.9.7f and 0.9.7g [11 Apr 2005]
[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]
*) Fixes for newer Kerberos headers. NB: the casts are needed because
the 'length' field is signed in one version and unsigned in another
with no (?) obvious way to tell the difference; without these VC++
complains. Also the "definition" of FAR (blank) is no longer included,
nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
some needed definitions.
[Steve Henson]
*) Undo Cygwin change.
[Ulf Möller]
*) Added support for proxy certificates according to RFC 3820.
Because they may be a security threat to unaware applications,
they must be explicitly allowed at run-time. See
docs/HOWTO/proxy_certificates.txt for further information.
[Richard Levitte]
Changes between 0.9.7e and 0.9.7f [22 Mar 2005]
*) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
server and client random values. Previously
(SSL_RANDOM_VALUE - sizeof(time_t)) would be used, which would result in
less random data when sizeof(time_t) > 4 (some 64 bit platforms).
This change has negligible security impact because:
1. Server and client random values still have 24 bytes of pseudo random
data.
2. Server and client random values are sent in the clear in the initial
handshake.
3. The master secret is derived using the premaster secret (48 bytes in
size for static RSA ciphersuites) as well as the client and server random
values.
The OpenSSL team would like to thank the UK NISCC for bringing this issue
to our attention.
[Stephen Henson, reported by UK NISCC]
*) Use Windows randomness collection on Cygwin.
[Ulf Möller]
*) Fix hang in EGD/PRNGD query when communication socket is closed
prematurely by EGD/PRNGD.
[Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
*) Prompt for pass phrases when appropriate for PKCS12 input format.
[Steve Henson]
*) Back-port of selected performance improvements from development
branch, as well as improved support for PowerPC platforms.
[Andy Polyakov]
*) Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.
[Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
*) Add new -passin argument to dgst.
[Steve Henson]
*) Perform some character comparisons of different types in X509_NAME_cmp:
this is needed for some certificates that reencode DNs into UTF8Strings
(in violation of RFC3280) and can't or won't issue name rollover
certificates.
[Steve Henson]
*) Make an explicit check during certificate validation to see that
the CA setting in each certificate on the chain is correct. As a
side effect, always do the following basic checks on extensions,
not just when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user
has chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has
been given)
[Richard Levitte]
Changes between 0.9.7d and 0.9.7e [25 Oct 2004]
*) Avoid a race condition when CRLs are checked in a multi-threaded
environment. This would happen due to the reordering of the revoked
entries during signature checking and serial number lookup. Now the
encoding is cached and the serial number sort performed under a lock.
Add new STACK function sk_is_sorted().
[Steve Henson]
*) Add Delta CRL to the extension code.
[Steve Henson]
*) Various fixes to s3_pkt.c so alerts are sent properly.
[David Holmes <d.holmes@f5.com>]
*) Reduce the chances of duplicate issuer name and serial numbers (in
violation of RFC3280) using the OpenSSL certificate creation utilities.
This is done by creating a random 64 bit value for the initial serial
number when a serial number file is created or when a self signed
certificate is created using 'openssl req -x509'. The initial serial
number file is created using 'openssl x509 -next_serial' in CA.pl
rather than being initialized to 1.
[Steve Henson]
Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
*) Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CVE-2004-0079)
[Joe Orton, Steve Henson]
*) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
(CVE-2004-0112)
[Joe Orton, Steve Henson]
*) Make it possible to have multiple active certificates with the same
subject in the CA index file. This is done only if the keyword
'unique_subject' is set to 'no' in the main CA section (by default
'CA_default') of the configuration file. The value is saved
with the database itself in a separate index attribute file,
named like the index file with '.attr' appended to the name.
[Richard Levitte]
*) X509 verify fixes. Disable broken certificate workarounds when
X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
keyUsage extension present. Don't accept CRLs with unhandled critical
extensions: since verify currently doesn't process CRL extensions this
rejects a CRL with *any* critical extensions. Add new verify error codes
for these cases.
[Steve Henson]
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
A clarification of RFC2560 will require the use of OCTET STRINGs and
some implementations cannot handle the current raw format. Since OpenSSL
copies and compares OCSP nonces as opaque blobs without any attempt at
parsing them this should not create any compatibility issues.
[Steve Henson]
*) New md flag EVP_MD_CTX_FLAG_REUSE: this allows md_data to be reused when
calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
this, HMAC (and other) operations are several times slower than OpenSSL
< 0.9.7.
[Steve Henson]
*) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
*) Use the correct content when signing type "other".
[Steve Henson]
Changes between 0.9.7b and 0.9.7c [30 Sep 2003]
*) Fix various bugs revealed by running the NISCC test suite:
Stop out-of-bounds reads in the ASN1 code when presented with
invalid tags (CVE-2003-0543 and CVE-2003-0544).
Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
[Steve Henson]
*) New -ignore_err option in ocsp application to stop the server
exiting on the first error in a request.
[Steve Henson]
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
if the server requested one: as stated in TLS 1.0 and SSL 3.0
specifications.
[Steve Henson]
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
extra data after the compression methods not only for TLS 1.0
but also for SSL 3.0 (as required by the specification).
[Bodo Moeller; problem pointed out by Matthias Loepfe]
*) Change X509_certificate_type() to mark the key as exported/exportable
when it's 512 *bits* long, not 512 bytes.
[Richard Levitte]
*) Change AES_cbc_encrypt() so it outputs an exact multiple of
blocks during encryption.
[Richard Levitte]
*) Various fixes to base64 BIO and non-blocking I/O. On write,
flushes were not handled properly if the BIO retried. On read,
data was not being buffered properly and had various logic bugs.
This also affects blocking I/O when the data being decoded is a
certain size.
[Steve Henson]
*) Various S/MIME bugfixes and compatibility changes:
output correct application/pkcs7 MIME type if
PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
of files as .eml work). Correctly handle very long lines in MIME
parser.
[Steve Henson]
Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
*) Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
[Bodo Moeller]
*) Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
[Bodo Moeller]
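The two private-key timing countermeasures in this file, the fixed-window exponentiation of 0.9.7h (BN_mod_exp_mont_consttime / BN_FLG_EXP_CONSTTIME) and the RSA blinding of 0.9.7b above, are illustrated together in the following added example. It is not OpenSSL code: it uses a constructed 32-bit toy modulus instead of BIGNUMs, a fixed 32-bit exponent length in place of the modulus length, the textbook key p=61, q=53, n=3233, e=17, d=2753, and a blinding factor r passed in by the caller instead of one drawn from the PRNG. The naive square-and-multiply is included only to show how its multiply count tracks the exponent's bits while the fixed-window version does the same work for every exponent.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy arithmetic: every modulus here is below 2^32, so a*b fits
 * in uint64_t. OpenSSL does the same on BIGNUMs in Montgomery form. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (a % n) * (b % n) % n;
}

#define WINDOW_BITS 4
#define TABLE_SIZE  (1u << WINDOW_BITS)
#define EXP_BITS    32   /* fixed exponent length (assumption): all exponents padded to 32 bits */

typedef struct { unsigned squarings; unsigned multiplies; } op_count;

/* Constant-time table lookup: every entry is read and the wanted one is kept
 * via a mask, so the memory access pattern does not depend on idx. */
static uint64_t ct_select(const uint64_t *table, unsigned idx) {
    uint64_t r = 0;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        uint64_t mask = 0 - (uint64_t)(i == idx);   /* all ones iff i == idx */
        r |= table[i] & mask;
    }
    return r;
}

/* Fixed-window exponentiation in the spirit of BN_mod_exp_mont_consttime():
 * EXP_BITS/WINDOW_BITS windows, each doing WINDOW_BITS squarings and exactly
 * one multiply, whatever the exponent's value or bit length. */
uint64_t modexp_fixed_window(uint64_t base, uint32_t exp, uint64_t n, op_count *oc) {
    uint64_t table[TABLE_SIZE];
    table[0] = 1 % n;
    for (unsigned i = 1; i < TABLE_SIZE; i++)
        table[i] = mulmod(table[i - 1], base, n);           /* table[i] = base^i */
    uint64_t acc = 1 % n;
    op_count c = {0, 0};
    for (int w = EXP_BITS / WINDOW_BITS - 1; w >= 0; w--) {
        for (unsigned i = 0; i < WINDOW_BITS; i++) { acc = mulmod(acc, acc, n); c.squarings++; }
        unsigned digit = (exp >> (w * WINDOW_BITS)) & (TABLE_SIZE - 1);
        acc = mulmod(acc, ct_select(table, digit), n);      /* multiply even when digit == 0 */
        c.multiplies++;
    }
    if (oc) *oc = c;
    return acc;
}

/* Classic square-and-multiply: the multiply happens only for set bits, so the
 * operation sequence (and its timing) reflects the exponent's Hamming weight. */
uint64_t modexp_naive(uint64_t base, uint32_t exp, uint64_t n, op_count *oc) {
    uint64_t acc = 1 % n;
    op_count c = {0, 0};
    for (int i = 31; i >= 0; i--) {
        acc = mulmod(acc, acc, n); c.squarings++;
        if ((exp >> i) & 1) { acc = mulmod(acc, base, n); c.multiplies++; }
    }
    if (oc) *oc = c;
    return acc;
}

op_count ops_fixed(uint32_t exp) { op_count c; modexp_fixed_window(2, exp, 3233, &c); return c; }
op_count ops_naive(uint32_t exp) { op_count c; modexp_naive(2, exp, 3233, &c); return c; }

/* Modular inverse by extended Euclid; assumes gcd(a, n) == 1. */
static uint64_t modinv(uint64_t a, uint64_t n) {
    int64_t t = 0, newt = 1, r = (int64_t)n, newr = (int64_t)(a % n);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)n : t);
}

/* RSA private operation with blinding: ((c * r^e)^d) * r^-1 = m mod n, so the
 * secret exponent d is only applied to a value the attacker cannot predict.
 * r is a caller-supplied constructed value here; OpenSSL draws it from the
 * PRNG (or, unseeded, from the private exponent as the entry above says). */
uint64_t rsa_private_blinded(uint64_t c, uint32_t d, uint32_t e, uint64_t n, uint64_t r) {
    uint64_t A  = modexp_fixed_window(r, e, n, NULL);        /* A  = r^e mod n */
    uint64_t Ai = modinv(r, n);                              /* Ai = r^-1 mod n */
    uint64_t m_r = modexp_fixed_window(mulmod(c, A, n), d, n, NULL); /* = m * r mod n */
    return mulmod(m_r, Ai, n);
}

int main(void) {
    /* Constructed textbook key: n=3233, e=17, d=2753; m=65 encrypts to c=2790 */
    uint64_t c = modexp_fixed_window(65, 17, 3233, NULL);
    printf("c = %llu, blinded decrypt = %llu\n", (unsigned long long)c,
           (unsigned long long)rsa_private_blinded(c, 2753, 17, 3233, 7));
    printf("fixed-window multiplies for d, e: %u, %u\n", ops_fixed(2753).multiplies, ops_fixed(17).multiplies);
    printf("naive multiplies for d, e:        %u, %u\n", ops_naive(2753).multiplies, ops_naive(17).multiplies);
    return 0;
}
```

The mask-based ct_select and the "multiply by table[0] anyway" step are the two properties the 0.9.7h entry asks for: a square/multiply sequence and a memory access pattern that are the same for every key. A compiler is free to undo such tricks at higher optimisation levels, which is one reason OpenSSL keeps its constant-time paths in carefully reviewed code rather than relying on generic C.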
*) Fixed a typo bug that would cause ENGINE_set_default() to set an
ENGINE as defaults for all supported algorithms irrespective of
the 'flags' parameter. 'flags' is now honoured, so applications
should make sure they are passing it correctly.
[Geoff Thorpe]
*) Target "mingw" now allows native Windows code to be generated in
the Cygwin environment as well as with the MinGW compiler.
[Ulf Moeller]
Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CVE-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Martin Vuagnoux (EPFL, Ilion)]
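The following added example shows the control-flow change the entry above describes, side by side with the behaviour it replaced. It is not OpenSSL's s3_pkt.c: the record layout (payload || MAC || padding || padlen byte) is TLS-style, the "MAC" is a constructed keyed checksum that only stands in for HMAC so the block runs offline, and the early-exit and uniform checkers are both written here for contrast.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAC_LEN 4
#define KEY_LEN 4

/* Constructed keyed checksum standing in for HMAC-SHA1 so the block is
 * self-contained. Not a real MAC; only the control flow around it matters. */
static void toy_mac(const uint8_t key[KEY_LEN], const uint8_t *data, size_t len, uint8_t out[MAC_LEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i];  h *= 16777619u; }
    for (size_t i = 0; i < len; i++)     { h ^= data[i]; h *= 16777619u; }
    for (size_t i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Constant-time equality of two MAC_LEN byte strings. */
static int ct_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < MAC_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Decrypted CBC record: payload || MAC(payload) || padlen bytes of value padlen || padlen. */
size_t build_record(const uint8_t key[KEY_LEN], const uint8_t *payload, size_t plen, uint8_t padlen, uint8_t *out) {
    memcpy(out, payload, plen);
    toy_mac(key, payload, plen, out + plen);
    memset(out + plen + MAC_LEN, padlen, (size_t)padlen + 1);
    return plen + MAC_LEN + padlen + 1;
}

enum { REC_OK = 0, REC_BAD_PADDING = -1, REC_BAD_MAC = -2 };
typedef struct { int code; int mac_computed; } verdict;

/* Pre-0.9.7a shape: invalid padding returns before any MAC work is done, so
 * the two failures differ both in timing and in the error reported. */
verdict check_record_early_exit(const uint8_t key[KEY_LEN], const uint8_t *rec, size_t len) {
    verdict v = { REC_BAD_PADDING, 0 };
    if (len < MAC_LEN + 1) return v;
    uint8_t padlen = rec[len - 1];
    if ((size_t)padlen + 1 + MAC_LEN > len) return v;
    for (size_t i = 0; i <= padlen; i++)
        if (rec[len - 1 - i] != padlen) return v;
    size_t plen = len - MAC_LEN - padlen - 1;
    uint8_t mac[MAC_LEN];
    toy_mac(key, rec, plen, mac);
    v.mac_computed = 1;
    v.code = ct_equal(mac, rec + plen) ? REC_OK : REC_BAD_MAC;
    return v;
}

/* 0.9.7a countermeasure: always run the MAC, treating bad padding as if the
 * padding length were zero, and report one error for either failure. */
verdict check_record_uniform(const uint8_t key[KEY_LEN], const uint8_t *rec, size_t len) {
    verdict v = { REC_BAD_MAC, 0 };
    if (len < MAC_LEN + 1) return v;              /* no room for MAC and padlen byte */
    uint8_t padlen = rec[len - 1];
    int pad_ok = 1;
    if ((size_t)padlen + 1 + MAC_LEN > len) {
        pad_ok = 0;
    } else {
        for (size_t i = 0; i <= padlen; i++)
            pad_ok &= (rec[len - 1 - i] == padlen);
    }
    if (!pad_ok) padlen = 0;                      /* assume no padding so the MAC still runs */
    size_t plen = len - MAC_LEN - padlen - 1;
    uint8_t mac[MAC_LEN];
    toy_mac(key, rec, plen, mac);
    v.mac_computed = 1;
    int mac_ok = ct_equal(mac, rec + plen);
    v.code = (pad_ok & mac_ok) ? REC_OK : REC_BAD_MAC;
    return v;
}

/* Scenario driver: 0 = valid record, 1 = one padding byte corrupted,
 * 2 = one payload byte corrupted. uniform selects which checker runs. */
verdict scenario(int corruption, int uniform) {
    static const uint8_t key[KEY_LEN] = { 1, 2, 3, 4 };   /* constructed key */
    uint8_t rec[64];
    size_t len = build_record(key, (const uint8_t *)"hello", 5, 2, rec);
    if (corruption == 1) rec[len - 2] ^= 0xff;
    if (corruption == 2) rec[0] ^= 0x01;
    return uniform ? check_record_uniform(key, rec, len) : check_record_early_exit(key, rec, len);
}

int main(void) {
    const char *names[] = { "valid", "bad padding", "bad payload" };
    for (int c = 0; c < 3; c++)
        printf("%-12s early-exit: code %2d mac %d | uniform: code %2d mac %d\n", names[c],
               scenario(c, 0).code, scenario(c, 0).mac_computed,
               scenario(c, 1).code, scenario(c, 1).mac_computed);
    return 0;
}
```

In the uniform checker the MAC is computed and a single error code is returned in every failing case, which is exactly the property the entry claims. Note that the MAC is still computed over a length that depends on the padding byte, so the amount of work is not fully uniform; that residual difference is what the later Lucky Thirteen work (2013) exploited and what OpenSSL eventually addressed with a further rewrite of this path.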
*) Make the no-err option work as intended. The intention with no-err
is not to have the whole error stack handling routines removed from
libcrypto; it's only intended to remove all the function name and
reason texts, thereby removing some of the footprint that may not
be interesting if those errors aren't displayed anyway.
NOTE: it's still possible for any application or module to have its
own set of error texts inserted. The routines are there, just not
used by default when no-err is given.
[Richard Levitte]
*) Add support for FreeBSD on IA64.
[dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454]
*) Adjust DES_cbc_cksum() so it returns the same value as the MIT
Kerberos function mit_des_cbc_cksum(). Before this change,
the value returned by DES_cbc_cksum() was like the one from
mit_des_cbc_cksum(), except the bytes were swapped.
[Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte]
*) Allow an application to disable the automatic SSL chain building.
Before this, a rather primitive chain build was always performed in
ssl3_output_cert_chain(): an application had no way to send the
correct chain if the automatic operation produced an incorrect result.
Now the chain builder is disabled if either:
1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
The reasoning behind this is that an application would not want the
auto chain building to take place if extra chain certificates are
present, and it might also want a means of sending no additional
certificates (for example the chain has two certificates and the
root is omitted).
[Steve Henson]
*) Add the possibility to build without the ENGINE framework.
[Steven Reddie <smr@essemer.com.au> via Richard Levitte]
*) Under Win32 gmtime() can return NULL: check return value in
OPENSSL_gmtime(). Add error code for case where gmtime() fails.
[Steve Henson]
*) DSA routines: under certain error conditions uninitialized BN objects
could be freed. Solution: make sure initialization is performed early
enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
Nils Larsch <nla@trustcenter.de> via PR#459)
[Lutz Jaenicke]
*) Another fix for SSLv2 session ID handling: the session ID was incorrectly
checked on reconnect on the client side, therefore session resumption
could still fail with a "ssl session id is different" error. This
behaviour is masked when SSL_OP_ALL is used due to
SSL_OP_MICROSOFT_SESS_ID_BUG being set.
Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
followup to PR #377.
[Lutz Jaenicke]