You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10901 lines
462 KiB
10901 lines
462 KiB
|
|
OpenSSL CHANGES |
|
_______________ |
|
|
|
Changes between 1.0.1u and 1.0.1v [xx XXX xxxx] |
|
|
|
*) |
|
|
|
Changes between 1.0.1t and 1.0.1u [22 Sep 2016] |
|
|
|
*) OCSP Status Request extension unbounded memory growth |
|
|
|
A malicious client can send an excessively large OCSP Status Request |
|
extension. If that client continually requests renegotiation, sending a |
|
large OCSP Status Request extension each time, then there will be unbounded |
|
memory growth on the server. This will eventually lead to a Denial Of |
|
Service attack through memory exhaustion. Servers with a default |
|
configuration are vulnerable even if they do not support OCSP. Builds using |
|
the "no-ocsp" build time option are not affected. |
|
|
|
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
|
(CVE-2016-6304) |
|
[Matt Caswell] |
|
|
|
*) In order to mitigate the SWEET32 attack, the DES ciphers were moved from |
|
HIGH to MEDIUM. |
|
|
|
This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan |
|
Leurent (INRIA) |
|
(CVE-2016-2183) |
|
[Rich Salz] |
|
|
|
*) OOB write in MDC2_Update() |
|
|
|
An overflow can occur in MDC2_Update() either if called directly or |
|
through the EVP_DigestUpdate() function using MDC2. If an attacker |
|
is able to supply very large amounts of input data after a previous |
|
call to EVP_EncryptUpdate() with a partial block then a length check |
|
can overflow resulting in a heap corruption. |
|
|
|
The amount of data needed is comparable to SIZE_MAX which is impractical |
|
on most platforms. |
|
|
|
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
|
(CVE-2016-6303) |
|
[Stephen Henson] |
|
|
|
*) Malformed SHA512 ticket DoS |
|
|
|
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a |
|
DoS attack where a malformed ticket will result in an OOB read which will |
|
ultimately crash. |
|
|
|
The use of SHA512 in TLS session tickets is comparatively rare as it requires |
|
a custom server callback and ticket lookup mechanism. |
|
|
|
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
|
(CVE-2016-6302) |
|
[Stephen Henson] |
|
|
|
*) OOB write in BN_bn2dec() |
|
|
|
The function BN_bn2dec() does not check the return value of BN_div_word(). |
|
This can cause an OOB write if an application uses this function with an |
|
overly large BIGNUM. This could be a problem if an overly large certificate |
|
or CRL is printed out from an untrusted source. TLS is not affected because |
|
record limits will reject an oversized certificate before it is parsed. |
|
|
|
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
|
(CVE-2016-2182) |
|
[Stephen Henson] |
|
|
|
*) OOB read in TS_OBJ_print_bio() |
|
|
|
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is |
|
the total length the OID text representation would use and not the amount |
|
of data written. This will result in OOB reads when large OIDs are |
|
presented. |
|
|
|
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
|
(CVE-2016-2180) |
|
[Stephen Henson] |
|
|
|
*) Pointer arithmetic undefined behaviour |
|
|
|
Avoid some undefined pointer arithmetic |
|
|
|
A common idiom in the codebase is to check limits in the following manner: |
|
"p + len > limit" |
|
|
|
Where "p" points to some malloc'd data of SIZE bytes and |
|
limit == p + SIZE |
|
|
|
"len" here could be from some externally supplied data (e.g. from a TLS |
|
message). |
|
|
|
The rules of C pointer arithmetic are such that "p + len" is only well |
|
defined where len <= SIZE. Therefore the above idiom is actually |
|
undefined behaviour. |
|
|
|
For example this could cause problems if some malloc implementation |
|
provides an address for "p" such that "p + len" actually overflows for |
|
values of len that are too big and therefore p + len < limit. |
|
|
|
This issue was reported to OpenSSL by Guido Vranken |
|
(CVE-2016-2177) |
|
[Matt Caswell] |
|
|
|
*) Constant time flag not preserved in DSA signing |
|
|
|
Operations in the DSA signing algorithm should run in constant time in |
|
order to avoid side channel attacks. A flaw in the OpenSSL DSA |
|
implementation means that a non-constant time codepath is followed for |
|
certain operations. This has been demonstrated through a cache-timing |
|
attack to be sufficient for an attacker to recover the private DSA key. |
|
|
|
This issue was reported by César Pereida (Aalto University), Billy Brumley |
|
(Tampere University of Technology), and Yuval Yarom (The University of |
|
Adelaide and NICTA). |
|
(CVE-2016-2178) |
|
[César Pereida] |
|
|
|
*) DTLS buffered message DoS |
|
|
|
In a DTLS connection where handshake messages are delivered out-of-order |
|
those messages that OpenSSL is not yet ready to process will be buffered |
|
for later use. Under certain circumstances, a flaw in the logic means that |
|
those messages do not get removed from the buffer even though the handshake |
|
has been completed. An attacker could force up to approx. 15 messages to |
|
remain in the buffer when they are no longer required. These messages will |
|
be cleared when the DTLS connection is closed. The default maximum size for |
|
a message is 100k. Therefore the attacker could force an additional 1500k |
|
to be consumed per connection. By opening many simulataneous connections an |
|
attacker could cause a DoS attack through memory exhaustion. |
|
|
|
This issue was reported to OpenSSL by Quan Luo. |
|
(CVE-2016-2179) |
|
[Matt Caswell] |
|
|
|
*) DTLS replay protection DoS |
|
|
|
A flaw in the DTLS replay attack protection mechanism means that records |
|
that arrive for future epochs update the replay protection "window" before |
|
the MAC for the record has been validated. This could be exploited by an |
|
attacker by sending a record for the next epoch (which does not have to |
|
decrypt or have a valid MAC), with a very large sequence number. This means |
|
that all subsequent legitimate packets are dropped causing a denial of |
|
service for a specific DTLS connection. |
|
|
|
This issue was reported to OpenSSL by the OCAP audit team. |
|
(CVE-2016-2181) |
|
[Matt Caswell] |
|
|
|
*) Certificate message OOB reads |
|
|
|
In OpenSSL 1.0.2 and earlier some missing message length checks can result |
|
in OOB reads of up to 2 bytes beyond an allocated buffer. There is a |
|
theoretical DoS risk but this has not been observed in practice on common |
|
platforms. |
|
|
|
The messages affected are client certificate, client certificate request |
|
and server certificate. As a result the attack can only be performed |
|
against a client or a server which enables client authentication. |
|
|
|
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
|
(CVE-2016-6306) |
|
[Stephen Henson] |
|
|
|
Changes between 1.0.1s and 1.0.1t [3 May 2016] |
|
|
|
*) Prevent padding oracle in AES-NI CBC MAC check |
|
|
|
A MITM attacker can use a padding oracle attack to decrypt traffic |
|
when the connection uses an AES CBC cipher and the server support |
|
AES-NI. |
|
|
|
This issue was introduced as part of the fix for Lucky 13 padding |
|
attack (CVE-2013-0169). The padding check was rewritten to be in |
|
constant time by making sure that always the same bytes are read and |
|
compared against either the MAC or padding bytes. But it no longer |
|
checked that there was enough data to have both the MAC and padding |
|
bytes. |
|
|
|
This issue was reported by Juraj Somorovsky using TLS-Attacker. |
|
(CVE-2016-2107) |
|
[Kurt Roeckx] |
|
|
|
*) Fix EVP_EncodeUpdate overflow |
|
|
|
An overflow can occur in the EVP_EncodeUpdate() function which is used for |
|
Base64 encoding of binary data. If an attacker is able to supply very large |
|
amounts of input data then a length check can overflow resulting in a heap |
|
corruption. |
|
|
|
Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by |
|
the PEM_write_bio* family of functions. These are mainly used within the |
|
OpenSSL command line applications, so any application which processes data |
|
from an untrusted source and outputs it as a PEM file should be considered |
|
vulnerable to this issue. User applications that call these APIs directly |
|
with large amounts of untrusted data may also be vulnerable. |
|
|
|
This issue was reported by Guido Vranken. |
|
(CVE-2016-2105) |
|
[Matt Caswell] |
|
|
|
*) Fix EVP_EncryptUpdate overflow |
|
|
|
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker |
|
is able to supply very large amounts of input data after a previous call to |
|
EVP_EncryptUpdate() with a partial block then a length check can overflow |
|
resulting in a heap corruption. Following an analysis of all OpenSSL |
|
internal usage of the EVP_EncryptUpdate() function all usage is one of two |
|
forms. The first form is where the EVP_EncryptUpdate() call is known to be |
|
the first called function after an EVP_EncryptInit(), and therefore that |
|
specific call must be safe. The second form is where the length passed to |
|
EVP_EncryptUpdate() can be seen from the code to be some small value and |
|
therefore there is no possibility of an overflow. Since all instances are |
|
one of these two forms, it is believed that there can be no overflows in |
|
internal code due to this problem. It should be noted that |
|
EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. |
|
Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances |
|
of these calls have also been analysed too and it is believed there are no |
|
instances in internal usage where an overflow could occur. |
|
|
|
This issue was reported by Guido Vranken. |
|
(CVE-2016-2106) |
|
[Matt Caswell] |
|
|
|
*) Prevent ASN.1 BIO excessive memory allocation |
|
|
|
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() |
|
a short invalid encoding can casuse allocation of large amounts of memory |
|
potentially consuming excessive resources or exhausting memory. |
|
|
|
Any application parsing untrusted data through d2i BIO functions is |
|
affected. The memory based functions such as d2i_X509() are *not* affected. |
|
Since the memory based functions are used by the TLS library, TLS |
|
applications are not affected. |
|
|
|
This issue was reported by Brian Carpenter. |
|
(CVE-2016-2109) |
|
[Stephen Henson] |
|
|
|
*) EBCDIC overread |
|
|
|
ASN1 Strings that are over 1024 bytes can cause an overread in applications |
|
using the X509_NAME_oneline() function on EBCDIC systems. This could result |
|
in arbitrary stack data being returned in the buffer. |
|
|
|
This issue was reported by Guido Vranken. |
|
(CVE-2016-2176) |
|
[Matt Caswell] |
|
|
|
*) Modify behavior of ALPN to invoke callback after SNI/servername |
|
callback, such that updates to the SSL_CTX affect ALPN. |
|
[Todd Short] |
|
|
|
*) Remove LOW from the DEFAULT cipher list. This removes singles DES from the |
|
default. |
|
[Kurt Roeckx] |
|
|
|
*) Only remove the SSLv2 methods with the no-ssl2-method option. When the |
|
methods are enabled and ssl2 is disabled the methods return NULL. |
|
[Kurt Roeckx] |
|
|
|
Changes between 1.0.1r and 1.0.1s [1 Mar 2016] |
|
|
|
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. |
|
Builds that are not configured with "enable-weak-ssl-ciphers" will not |
|
provide any "EXPORT" or "LOW" strength ciphers. |
|
[Viktor Dukhovni] |
|
|
|
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 |
|
is by default disabled at build-time. Builds that are not configured with |
|
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, |
|
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() |
|
will need to explicitly call either of: |
|
|
|
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); |
|
or |
|
SSL_clear_options(ssl, SSL_OP_NO_SSLv2); |
|
|
|
as appropriate. Even if either of those is used, or the application |
|
explicitly uses the version-specific SSLv2_method() or its client and |
|
server variants, SSLv2 ciphers vulnerable to exhaustive search key |
|
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT |
|
ciphers, and SSLv2 56-bit DES are no longer available. |
|
(CVE-2016-0800) |
|
[Viktor Dukhovni] |
|
|
|
*) Fix a double-free in DSA code |
|
|
|
A double free bug was discovered when OpenSSL parses malformed DSA private |
|
keys and could lead to a DoS attack or memory corruption for applications |
|
that receive DSA private keys from untrusted sources. This scenario is |
|
considered rare. |
|
|
|
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using |
|
libFuzzer. |
|
(CVE-2016-0705) |
|
[Stephen Henson] |
|
|
|
*) Disable SRP fake user seed to address a server memory leak. |
|
|
|
Add a new method SRP_VBASE_get1_by_user that handles the seed properly. |
|
|
|
SRP_VBASE_get_by_user had inconsistent memory management behaviour. |
|
In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user |
|
was changed to ignore the "fake user" SRP seed, even if the seed |
|
is configured. |
|
|
|
Users should use SRP_VBASE_get1_by_user instead. Note that in |
|
SRP_VBASE_get1_by_user, caller must free the returned value. Note |
|
also that even though configuring the SRP seed attempts to hide |
|
invalid usernames by continuing the handshake with fake |
|
credentials, this behaviour is not constant time and no strong |
|
guarantees are made that the handshake is indistinguishable from |
|
that of a valid user. |
|
(CVE-2016-0798) |
|
[Emilia Käsper] |
|
|
|
*) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption |
|
|
|
In the BN_hex2bn function the number of hex digits is calculated using an |
|
int value |i|. Later |bn_expand| is called with a value of |i * 4|. For |
|
large values of |i| this can result in |bn_expand| not allocating any |
|
memory because |i * 4| is negative. This can leave the internal BIGNUM data |
|
field as NULL leading to a subsequent NULL ptr deref. For very large values |
|
of |i|, the calculation |i * 4| could be a positive value smaller than |i|. |
|
In this case memory is allocated to the internal BIGNUM data field, but it |
|
is insufficiently sized leading to heap corruption. A similar issue exists |
|
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn |
|
is ever called by user applications with very large untrusted hex/dec data. |
|
This is anticipated to be a rare occurrence. |
|
|
|
All OpenSSL internal usage of these functions use data that is not expected |
|
to be untrusted, e.g. config file data or application command line |
|
arguments. If user developed applications generate config file data based |
|
on untrusted data then it is possible that this could also lead to security |
|
consequences. This is also anticipated to be rare. |
|
|
|
This issue was reported to OpenSSL by Guido Vranken. |
|
(CVE-2016-0797) |
|
[Matt Caswell] |
|
|
|
*) Fix memory issues in BIO_*printf functions |
|
|
|
The internal |fmtstr| function used in processing a "%s" format string in |
|
the BIO_*printf functions could overflow while calculating the length of a |
|
string and cause an OOB read when printing very long strings. |
|
|
|
Additionally the internal |doapr_outch| function can attempt to write to an |
|
OOB memory location (at an offset from the NULL pointer) in the event of a |
|
memory allocation failure. In 1.0.2 and below this could be caused where |
|
the size of a buffer to be allocated is greater than INT_MAX. E.g. this |
|
could be in processing a very long "%s" format string. Memory leaks can |
|
also occur. |
|
|
|
The first issue may mask the second issue dependent on compiler behaviour. |
|
These problems could enable attacks where large amounts of untrusted data |
|
is passed to the BIO_*printf functions. If applications use these functions |
|
in this way then they could be vulnerable. OpenSSL itself uses these |
|
functions when printing out human-readable dumps of ASN.1 data. Therefore |
|
applications that print this data could be vulnerable if the data is from |
|
untrusted sources. OpenSSL command line applications could also be |
|
vulnerable where they print out ASN.1 data, or if untrusted data is passed |
|
as command line arguments. |
|
|
|
Libssl is not considered directly vulnerable. Additionally certificates etc |
|
received via remote connections via libssl are also unlikely to be able to |
|
trigger these issues because of message size limits enforced within libssl. |
|
|
|
This issue was reported to OpenSSL Guido Vranken. |
|
(CVE-2016-0799) |
|
[Matt Caswell] |
|
|
|
*) Side channel attack on modular exponentiation |
|
|
|
A side-channel attack was found which makes use of cache-bank conflicts on |
|
the Intel Sandy-Bridge microarchitecture which could lead to the recovery |
|
of RSA keys. The ability to exploit this issue is limited as it relies on |
|
an attacker who has control of code in a thread running on the same |
|
hyper-threaded core as the victim thread which is performing decryptions. |
|
|
|
This issue was reported to OpenSSL by Yuval Yarom, The University of |
|
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and |
|
Nadia Heninger, University of Pennsylvania with more information at |
|
http://cachebleed.info. |
|
(CVE-2016-0702) |
|
[Andy Polyakov] |
|
|
|
*) Change the req app to generate a 2048-bit RSA/DSA key by default, |
|
if no keysize is specified with default_bits. This fixes an |
|
omission in an earlier change that changed all RSA/DSA key generation |
|
apps to use 2048 bits by default. |
|
[Emilia Käsper] |
|
|
|
Changes between 1.0.1q and 1.0.1r [28 Jan 2016] |
|
|
|
*) Protection for DH small subgroup attacks |
|
|
|
As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been |
|
switched on by default and cannot be disabled. This could have some |
|
performance impact. |
|
[Matt Caswell] |
|
|
|
*) SSLv2 doesn't block disabled ciphers |
|
|
|
A malicious client can negotiate SSLv2 ciphers that have been disabled on |
|
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have |
|
been disabled, provided that the SSLv2 protocol was not also disabled via |
|
SSL_OP_NO_SSLv2. |
|
|
|
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram |
|
and Sebastian Schinzel. |
|
(CVE-2015-3197) |
|
[Viktor Dukhovni] |
|
|
|
*) Reject DH handshakes with parameters shorter than 1024 bits. |
|
[Kurt Roeckx] |
|
|
|
Changes between 1.0.1p and 1.0.1q [3 Dec 2015] |
|
|
|
*) Certificate verify crash with missing PSS parameter |
|
|
|
The signature verification routines will crash with a NULL pointer |
|
dereference if presented with an ASN.1 signature using the RSA PSS |
|
algorithm and absent mask generation function parameter. Since these |
|
routines are used to verify certificate signature algorithms this can be |
|
used to crash any certificate verification operation and exploited in a |
|
DoS attack. Any application which performs certificate verification is |
|
vulnerable including OpenSSL clients and servers which enable client |
|
authentication. |
|
|
|
This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). |
|
(CVE-2015-3194) |
|
[Stephen Henson] |
|
|
|
*) X509_ATTRIBUTE memory leak |
|
|
|
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak |
|
memory. This structure is used by the PKCS#7 and CMS routines so any |
|
application which reads PKCS#7 or CMS data from untrusted sources is |
|
affected. SSL/TLS is not affected. |
|
|
|
This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using |
|
libFuzzer. |
|
(CVE-2015-3195) |
|
[Stephen Henson] |
|
|
|
*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. |
|
This changes the decoding behaviour for some invalid messages, |
|
though the change is mostly in the more lenient direction, and |
|
legacy behaviour is preserved as much as possible. |
|
[Emilia Käsper] |
|
|
|
*) In DSA_generate_parameters_ex, if the provided seed is too short, |
|
use a random seed, as already documented. |
|
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>] |
|
|
|
Changes between 1.0.1o and 1.0.1p [9 Jul 2015] |
|
|
|
*) Alternate chains certificate forgery |
|
|
|
During certificate verfification, OpenSSL will attempt to find an |
|
alternative certificate chain if the first attempt to build such a chain |
|
fails. An error in the implementation of this logic can mean that an |
|
attacker could cause certain checks on untrusted certificates to be |
|
bypassed, such as the CA flag, enabling them to use a valid leaf |
|
certificate to act as a CA and "issue" an invalid certificate. |
|
|
|
This issue was reported to OpenSSL by Adam Langley/David Benjamin |
|
(Google/BoringSSL). |
|
(CVE-2015-1793) |
|
[Matt Caswell] |
|
|
|
*) Race condition handling PSK identify hint |
|
|
|
If PSK identity hints are received by a multi-threaded client then |
|
the values are wrongly updated in the parent SSL_CTX structure. This can |
|
result in a race condition potentially leading to a double free of the |
|
identify hint data. |
|
(CVE-2015-3196) |
|
[Stephen Henson] |
|
|
|
Changes between 1.0.1n and 1.0.1o [12 Jun 2015] |
|
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI |
|
incompatibility in the handling of HMAC. The previous ABI has now been |
|
restored. |
|
|
|
Changes between 1.0.1m and 1.0.1n [11 Jun 2015] |
|
|
|
*) Malformed ECParameters causes infinite loop |
|
|
|
When processing an ECParameters structure OpenSSL enters an infinite loop |
|
if the curve specified is over a specially malformed binary polynomial |
|
field. |
|
|
|
This can be used to perform denial of service against any |
|
system which processes public keys, certificate requests or |
|
certificates. This includes TLS clients and TLS servers with |
|
client authentication enabled. |
|
|
|
This issue was reported to OpenSSL by Joseph Barr-Pixton. |
|
(CVE-2015-1788) |
|
[Andy Polyakov] |
|
|
|
*) Exploitable out-of-bounds read in X509_cmp_time |
|
|
|
X509_cmp_time does not properly check the length of the ASN1_TIME |
|
string and can read a few bytes out of bounds. In addition, |
|
X509_cmp_time accepts an arbitrary number of fractional seconds in the |
|
time string. |
|
|
|
An attacker can use this to craft malformed certificates and CRLs of |
|
various sizes and potentially cause a segmentation fault, resulting in |
|
a DoS on applications that verify certificates or CRLs. TLS clients |
|
that verify CRLs are affected. TLS clients and servers with client |
|
authentication enabled may be affected if they use custom verification |
|
callbacks. |
|
|
|
This issue was reported to OpenSSL by Robert Swiecki (Google), and |
|
independently by Hanno Böck. |
|
(CVE-2015-1789) |
|
[Emilia Käsper] |
|
|
|
*) PKCS7 crash with missing EnvelopedContent |
|
|
|
The PKCS#7 parsing code does not handle missing inner EncryptedContent |
|
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs |
|
with missing content and trigger a NULL pointer dereference on parsing. |
|
|
|
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 |
|
structures from untrusted sources are affected. OpenSSL clients and |
|
servers are not affected. |
|
|
|
This issue was reported to OpenSSL by Michal Zalewski (Google). |
|
(CVE-2015-1790) |
|
[Emilia Käsper] |
|
|
|
*) CMS verify infinite loop with unknown hash function |
|
|
|
When verifying a signedData message the CMS code can enter an infinite loop |
|
if presented with an unknown hash function OID. This can be used to perform |
|
denial of service against any system which verifies signedData messages using |
|
the CMS code. |
|
This issue was reported to OpenSSL by Johannes Bauer. |
|
(CVE-2015-1792) |
|
[Stephen Henson] |
|
|
|
*) Race condition handling NewSessionTicket |
|
|
|
If a NewSessionTicket is received by a multi-threaded client when attempting to |
|
reuse a previous ticket then a race condition can occur potentially leading to |
|
a double free of the ticket data. |
|
(CVE-2015-1791) |
|
[Matt Caswell] |
|
|
|
*) Reject DH handshakes with parameters shorter than 768 bits. |
|
[Kurt Roeckx and Emilia Kasper] |
|
|
|
*) dhparam: generate 2048-bit parameters by default. |
|
[Kurt Roeckx and Emilia Kasper] |
|
|
|
Changes between 1.0.1l and 1.0.1m [19 Mar 2015] |
|
|
|
*) Segmentation fault in ASN1_TYPE_cmp fix |
|
|
|
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is |
|
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check |
|
certificate signature algorithm consistency this can be used to crash any |
|
certificate verification operation and exploited in a DoS attack. Any |
|
application which performs certificate verification is vulnerable including |
|
OpenSSL clients and servers which enable client authentication. |
|
(CVE-2015-0286) |
|
[Stephen Henson] |
|
|
|
*) ASN.1 structure reuse memory corruption fix |
|
|
|
Reusing a structure in ASN.1 parsing may allow an attacker to cause |
|
memory corruption via an invalid write. Such reuse is and has been |
|
strongly discouraged and is believed to be rare. |
|
|
|
Applications that parse structures containing CHOICE or ANY DEFINED BY |
|
components may be affected. Certificate parsing (d2i_X509 and related |
|
functions) are however not affected. OpenSSL clients and servers are |
|
not affected. |
|
(CVE-2015-0287) |
|
[Stephen Henson] |
|
|
|
*) PKCS7 NULL pointer dereferences fix |
|
|
|
The PKCS#7 parsing code does not handle missing outer ContentInfo |
|
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with |
|
missing content and trigger a NULL pointer dereference on parsing. |
|
|
|
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or |
|
otherwise parse PKCS#7 structures from untrusted sources are |
|
affected. OpenSSL clients and servers are not affected. |
|
|
|
This issue was reported to OpenSSL by Michal Zalewski (Google). |
|
(CVE-2015-0289) |
|
[Emilia Käsper] |
|
|
|
*) DoS via reachable assert in SSLv2 servers fix |
|
|
|
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in |
|
servers that both support SSLv2 and enable export cipher suites by sending |
|
a specially crafted SSLv2 CLIENT-MASTER-KEY message. |
|
|
|
This issue was discovered by Sean Burford (Google) and Emilia Käsper |
|
(OpenSSL development team). |
|
(CVE-2015-0293) |
|
[Emilia Käsper] |
|
|
|
*) Use After Free following d2i_ECPrivatekey error fix |
|
|
|
A malformed EC private key file consumed via the d2i_ECPrivateKey function |
|
could cause a use after free condition. This, in turn, could cause a double |
|
free in several private key parsing functions (such as d2i_PrivateKey |
|
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption |
|
for applications that receive EC private keys from untrusted |
|
sources. This scenario is considered rare. |
|
|
|
This issue was discovered by the BoringSSL project and fixed in their |
|
commit 517073cd4b. |
|
(CVE-2015-0209) |
|
[Matt Caswell] |
|
|
|
*) X509_to_X509_REQ NULL pointer deref fix |
|
|
|
The function X509_to_X509_REQ will crash with a NULL pointer dereference if |
|
the certificate key is invalid. This function is rarely used in practice. |
|
|
|
This issue was discovered by Brian Carpenter. |
|
(CVE-2015-0288) |
|
[Stephen Henson] |
|
|
|
*) Removed the export ciphers from the DEFAULT ciphers |
|
[Kurt Roeckx] |
|
|
|
Changes between 1.0.1k and 1.0.1l [15 Jan 2015] |
|
|
|
*) Build fixes for the Windows and OpenVMS platforms |
|
[Matt Caswell and Richard Levitte] |
|
|
|
Changes between 1.0.1j and 1.0.1k [8 Jan 2015] |
|
|
|
*) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS |
|
message can cause a segmentation fault in OpenSSL due to a NULL pointer |
|
dereference. This could lead to a Denial Of Service attack. Thanks to |
|
Markus Stenberg of Cisco Systems, Inc. for reporting this issue. |
|
(CVE-2014-3571) |
|
[Steve Henson] |
|
|
|
*) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the |
|
dtls1_buffer_record function under certain conditions. In particular this |
|
could occur if an attacker sent repeated DTLS records with the same |
|
sequence number but for the next epoch. The memory leak could be exploited |
|
by an attacker in a Denial of Service attack through memory exhaustion. |
|
Thanks to Chris Mueller for reporting this issue. |
|
(CVE-2015-0206) |
|
[Matt Caswell] |
|
|
|
*) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is |
|
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl |
|
method would be set to NULL which could later result in a NULL pointer |
|
dereference. Thanks to Frank Schmirler for reporting this issue. |
|
(CVE-2014-3569) |
|
[Kurt Roeckx] |
|
|
|
*) Abort handshake if server key exchange message is omitted for ephemeral |
|
ECDH ciphersuites. |
|
|
|
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for |
|
reporting this issue. |
|
(CVE-2014-3572) |
|
[Steve Henson] |
|
|
|
*) Remove non-export ephemeral RSA code on client and server. This code |
|
violated the TLS standard by allowing the use of temporary RSA keys in |
|
non-export ciphersuites and could be used by a server to effectively |
|
downgrade the RSA key length used to a value smaller than the server |
|
certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at |
|
INRIA or reporting this issue. |
|
(CVE-2015-0204) |
|
[Steve Henson] |
|
|
|
*) Fixed issue where DH client certificates are accepted without verification. |
|
An OpenSSL server will accept a DH certificate for client authentication |
|
without the certificate verify message. This effectively allows a client to |
|
authenticate without the use of a private key. This only affects servers |
|
which trust a client certificate authority which issues certificates |
|
containing DH keys: these are extremely rare and hardly ever encountered. |
|
Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting |
|
this issue. |
|
(CVE-2015-0205) |
|
[Steve Henson] |
|
|
|
*) Ensure that the session ID context of an SSL is updated when its |
|
SSL_CTX is updated via SSL_set_SSL_CTX. |
|
|
|
The session ID context is typically set from the parent SSL_CTX, |
|
and can vary with the CTX. |
|
[Adam Langley] |
|
|
|
*) Fix various certificate fingerprint issues. |
|
|
|
By using non-DER or invalid encodings outside the signed portion of a |
|
certificate the fingerprint can be changed without breaking the signature. |
|
Although no details of the signed portion of the certificate can be changed |
|
this can cause problems with some applications: e.g. those using the |
|
certificate fingerprint for blacklists. |
|
|
|
1. Reject signatures with non zero unused bits. |
|
|
|
If the BIT STRING containing the signature has non zero unused bits reject |
|
the signature. All current signature algorithms require zero unused bits. |
|
|
|
2. Check certificate algorithm consistency. |
|
|
|
Check the AlgorithmIdentifier inside TBS matches the one in the |
|
certificate signature. NB: this will result in signature failure |
|
errors for some broken certificates. |
|
|
|
Thanks to Konrad Kraszewski from Google for reporting this issue. |
|
|
|
3. Check DSA/ECDSA signatures use DER. |
|
|
|
Reencode DSA/ECDSA signatures and compare with the original received |
|
signature. Return an error if there is a mismatch. |
|
|
|
This will reject various cases including garbage after signature |
|
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS |
|
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs |
|
(negative or with leading zeroes). |
|
|
|
Further analysis was conducted and fixes were developed by Stephen Henson |
|
of the OpenSSL core team. |
|
|
|
(CVE-2014-8275) |
|
[Steve Henson] |
|
|
|
*) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect |
|
results on some platforms, including x86_64. This bug occurs at random |
|
with a very low probability, and is not known to be exploitable in any |
|
way, though its exact impact is difficult to determine. Thanks to Pieter |
|
Wuille (Blockstream) who reported this issue and also suggested an initial |
|
fix. Further analysis was conducted by the OpenSSL development team and |
|
Adam Langley of Google. The final fix was developed by Andy Polyakov of |
|
the OpenSSL core team. |
|
(CVE-2014-3570) |
|
[Andy Polyakov] |
|
|
|
*) Do not resume sessions on the server if the negotiated protocol |
|
version does not match the session's version. Resuming with a different |
|
version, while not strictly forbidden by the RFC, is of questionable |
|
sanity and breaks all known clients. |
|
[David Benjamin, Emilia Käsper] |
|
|
|
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject |
|
early CCS messages during renegotiation. (Note that because |
|
renegotiation is encrypted, this early CCS was not exploitable.) |
|
[Emilia Käsper] |
|
|
|
*) Tighten client-side session ticket handling during renegotiation: |
|
ensure that the client only accepts a session ticket if the server sends |
|
the extension anew in the ServerHello. Previously, a TLS client would |
|
reuse the old extension state and thus accept a session ticket if one was |
|
announced in the initial ServerHello. |
|
|
|
Similarly, ensure that the client requires a session ticket if one |
|
was advertised in the ServerHello. Previously, a TLS client would |
|
ignore a missing NewSessionTicket message. |
|
[Emilia Käsper] |
|
|
|
Changes between 1.0.1i and 1.0.1j [15 Oct 2014] |
|
|
|
*) SRTP Memory Leak. |
|
|
|
A flaw in the DTLS SRTP extension parsing code allows an attacker, who |
|
sends a carefully crafted handshake message, to cause OpenSSL to fail |
|
to free up to 64k of memory causing a memory leak. This could be |
|
exploited in a Denial Of Service attack. This issue affects OpenSSL |
|
1.0.1 server implementations for both SSL/TLS and DTLS regardless of |
|
whether SRTP is used or configured. Implementations of OpenSSL that |
|
have been compiled with OPENSSL_NO_SRTP defined are not affected. |
|
|
|
The fix was developed by the OpenSSL team. |
|
(CVE-2014-3513) |
|
[OpenSSL team] |
|
|
|
*) Session Ticket Memory Leak. |
|
|
|
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the |
|
integrity of that ticket is first verified. In the event of a session |
|
ticket integrity check failing, OpenSSL will fail to free memory |
|
causing a memory leak. By sending a large number of invalid session |
|
tickets an attacker could exploit this issue in a Denial Of Service |
|
attack. |
|
(CVE-2014-3567) |
|
[Steve Henson] |
|
|
|
*) Build option no-ssl3 is incomplete. |
|
|
|
When OpenSSL is configured with "no-ssl3" as a build option, servers |
|
could accept and complete a SSL 3.0 handshake, and clients could be |
|
configured to send them. |
|
(CVE-2014-3568) |
|
[Akamai and the OpenSSL team] |
|
|
|
*) Add support for TLS_FALLBACK_SCSV. |
|
Client applications doing fallback retries should call |
|
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). |
|
(CVE-2014-3566) |
|
[Adam Langley, Bodo Moeller] |
|
|
|
*) Add additional DigestInfo checks. |
|
|
|
Reencode DigestInto in DER and check against the original when |
|
verifying RSA signature: this will reject any improperly encoded |
|
DigestInfo structures. |
|
|
|
Note: this is a precautionary measure and no attacks are currently known. |
|
|
|
[Steve Henson] |
|
|
|
Changes between 1.0.1h and 1.0.1i [6 Aug 2014] |
|
|
|
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the |
|
SRP code can be overrun an internal buffer. Add sanity check that |
|
g, A, B < N to SRP code. |
|
|
|
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC |
|
Group for discovering this issue. |
|
(CVE-2014-3512) |
|
[Steve Henson] |
|
|
|
*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate |
|
TLS 1.0 instead of higher protocol versions when the ClientHello message |
|
is badly fragmented. This allows a man-in-the-middle attacker to force a |
|
downgrade to TLS 1.0 even if both the server and the client support a |
|
higher protocol version, by modifying the client's TLS records. |
|
|
|
Thanks to David Benjamin and Adam Langley (Google) for discovering and |
|
researching this issue. |
|
(CVE-2014-3511) |
|
[David Benjamin] |
|
|
|
*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject |
|
to a denial of service attack. A malicious server can crash the client |
|
with a null pointer dereference (read) by specifying an anonymous (EC)DH |
|
ciphersuite and sending carefully crafted handshake messages. |
|
|
|
Thanks to Felix Gröbert (Google) for discovering and researching this |
|
issue. |
|
(CVE-2014-3510) |
|
[Emilia Käsper] |
|
|
|
*) By sending carefully crafted DTLS packets an attacker could cause openssl |
|
to leak memory. This can be exploited through a Denial of Service attack. |
|
Thanks to Adam Langley for discovering and researching this issue. |
|
(CVE-2014-3507) |
|
[Adam Langley] |
|
|
|
*) An attacker can force openssl to consume large amounts of memory whilst |
|
processing DTLS handshake messages. This can be exploited through a |
|
Denial of Service attack. |
|
Thanks to Adam Langley for discovering and researching this issue. |
|
(CVE-2014-3506) |
|
[Adam Langley] |
|
|
|
*) An attacker can force an error condition which causes openssl to crash |
|
whilst processing DTLS packets due to memory being freed twice. This |
|
can be exploited through a Denial of Service attack. |
|
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching |
|
this issue. |
|
(CVE-2014-3505) |
|
[Adam Langley] |
|
|
|
*) If a multithreaded client connects to a malicious server using a resumed |
|
session and the server sends an ec point format extension it could write |
|
up to 255 bytes to freed memory. |
|
|
|
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this |
|
issue. |
|
(CVE-2014-3509) |
|
[Gabor Tyukasz] |
|
|
|
*) A malicious server can crash an OpenSSL client with a null pointer |
|
dereference (read) by specifying an SRP ciphersuite even though it was not |
|
properly negotiated with the client. This can be exploited through a |
|
Denial of Service attack. |
|
|
|
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for |
|
discovering and researching this issue. |
|
(CVE-2014-5139) |
|
[Steve Henson] |
|
|
|
*) A flaw in OBJ_obj2txt may cause pretty printing functions such as |
|
X509_name_oneline, X509_name_print_ex et al. to leak some information |
|
from the stack. Applications may be affected if they echo pretty printing |
|
output to the attacker. |
|
|
|
Thanks to Ivan Fratric (Google) for discovering this issue. |
|
(CVE-2014-3508) |
|
[Emilia Käsper, and Steve Henson] |
|
|
|
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) |
|
for corner cases. (Certain input points at infinity could lead to |
|
bogus results, with non-infinity inputs mapped to infinity too.) |
|
[Bodo Moeller] |
|
|
|
Changes between 1.0.1g and 1.0.1h [5 Jun 2014] |
|
|
|
*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted |
|
handshake can force the use of weak keying material in OpenSSL |
|
SSL/TLS clients and servers. |
|
|
|
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and |
|
researching this issue. (CVE-2014-0224) |
|
[KIKUCHI Masashi, Steve Henson] |
|
|
|
*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an |
|
OpenSSL DTLS client the code can be made to recurse eventually crashing |
|
in a DoS attack. |
|
|
|
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. |
|
(CVE-2014-0221) |
|
[Imre Rad, Steve Henson] |
|
|
|
*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can |
|
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS |
|
client or server. This is potentially exploitable to run arbitrary |
|
code on a vulnerable client or server. |
|
|
|
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) |
|
[Jüri Aedla, Steve Henson] |
|
|
|
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites |
|
are subject to a denial of service attack. |
|
|
|
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering |
|
this issue. (CVE-2014-3470) |
|
[Felix Gröbert, Ivan Fratric, Steve Henson] |
|
|
|
*) Harmonize version and its documentation. -f flag is used to display |
|
compilation flags. |
|
[mancha <mancha1@zoho.com>] |
|
|
|
*) Fix eckey_priv_encode so it immediately returns an error upon a failure |
|
in i2d_ECPrivateKey. |
|
[mancha <mancha1@zoho.com>] |
|
|
|
*) Fix some double frees. These are not thought to be exploitable. |
|
[mancha <mancha1@zoho.com>] |
|
|
|
Changes between 1.0.1f and 1.0.1g [7 Apr 2014] |
|
|
|
*) A missing bounds check in the handling of the TLS heartbeat extension |
|
can be used to reveal up to 64k of memory to a connected client or |
|
server. |
|
|
|
Thanks for Neel Mehta of Google Security for discovering this bug and to |
|
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for |
|
preparing the fix (CVE-2014-0160) |
|
[Adam Langley, Bodo Moeller] |
|
|
|
*) Fix for the attack described in the paper "Recovering OpenSSL |
|
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" |
|
by Yuval Yarom and Naomi Benger. Details can be obtained from: |
|
http://eprint.iacr.org/2014/140 |
|
|
|
Thanks to Yuval Yarom and Naomi Benger for discovering this |
|
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) |
|
[Yuval Yarom and Naomi Benger] |
|
|
|
*) TLS pad extension: draft-agl-tls-padding-03 |
|
|
|
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the |
|
TLS client Hello record length value would otherwise be > 255 and |
|
less that 512 pad with a dummy extension containing zeroes so it |
|
is at least 512 bytes long. |
|
|
|
[Adam Langley, Steve Henson] |
|
|
|
Changes between 1.0.1e and 1.0.1f [6 Jan 2014] |
|
|
|
*) Fix for TLS record tampering bug. A carefully crafted invalid |
|
handshake could crash OpenSSL with a NULL pointer exception. |
|
Thanks to Anton Johansson for reporting this issues. |
|
(CVE-2013-4353) |
|
|
|
*) Keep original DTLS digest and encryption contexts in retransmission |
|
structures so we can use the previous session parameters if they need |
|
to be resent. (CVE-2013-6450) |
|
[Steve Henson] |
|
|
|
*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which |
|
avoids preferring ECDHE-ECDSA ciphers when the client appears to be |
|
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for |
|
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug |
|
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing |
|
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. |
|
[Rob Stradling, Adam Langley] |
|
|
|
Changes between 1.0.1d and 1.0.1e [11 Feb 2013] |
|
|
|
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI |
|
supporting platforms or when small records were transferred. |
|
[Andy Polyakov, Steve Henson] |
|
|
|
Changes between 1.0.1c and 1.0.1d [5 Feb 2013] |
|
|
|
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. |
|
|
|
This addresses the flaw in CBC record processing discovered by |
|
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found |
|
at: http://www.isg.rhul.ac.uk/tls/ |
|
|
|
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information |
|
Security Group at Royal Holloway, University of London |
|
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and |
|
Emilia Käsper for the initial patch. |
|
(CVE-2013-0169) |
|
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] |
|
|
|
*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode |
|
ciphersuites which can be exploited in a denial of service attack. |
|
Thanks go to and to Adam Langley <agl@chromium.org> for discovering |
|
and detecting this bug and to Wolfgang Ettlinger |
|
<wolfgang.ettlinger@gmail.com> for independently discovering this issue. |
|
(CVE-2012-2686) |
|
[Adam Langley] |
|
|
|
*) Return an error when checking OCSP signatures when key is NULL. |
|
This fixes a DoS attack. (CVE-2013-0166) |
|
[Steve Henson] |
|
|
|
*) Make openssl verify return errors. |
|
[Chris Palmer <palmer@google.com> and Ben Laurie] |
|
|
|
*) Call OCSP Stapling callback after ciphersuite has been chosen, so |
|
the right response is stapled. Also change SSL_get_certificate() |
|
so it returns the certificate actually sent. |
|
See http://rt.openssl.org/Ticket/Display.html?id=2836. |
|
[Rob Stradling <rob.stradling@comodo.com>] |
|
|
|
*) Fix possible deadlock when decoding public keys. |
|
[Steve Henson] |
|
|
|
*) Don't use TLS 1.0 record version number in initial client hello |
|
if renegotiating. |
|
[Steve Henson] |
|
|
|
Changes between 1.0.1b and 1.0.1c [10 May 2012] |
|
|
|
*) Sanity check record length before skipping explicit IV in TLS |
|
1.2, 1.1 and DTLS to fix DoS attack. |
|
|
|
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic |
|
fuzzing as a service testing platform. |
|
(CVE-2012-2333) |
|
[Steve Henson] |
|
|
|
*) Initialise tkeylen properly when encrypting CMS messages. |
|
Thanks to Solar Designer of Openwall for reporting this issue. |
|
[Steve Henson] |
|
|
|
*) In FIPS mode don't try to use composite ciphers as they are not |
|
approved. |
|
[Steve Henson] |
|
|
|
Changes between 1.0.1a and 1.0.1b [26 Apr 2012] |
|
|
|
*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and |
|
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately |
|
mean any application compiled against OpenSSL 1.0.0 headers setting |
|
SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng |
|
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to |
|
0x10000000L Any application which was previously compiled against |
|
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 |
|
will need to be recompiled as a result. Letting be results in |
|
inability to disable specifically TLS 1.1 and in client context, |
|
in unlike event, limit maximum offered version to TLS 1.0 [see below]. |
|
[Steve Henson] |
|
|
|
*) In order to ensure interoperabilty SSL_OP_NO_protocolX does not |
|
disable just protocol X, but all protocols above X *if* there are |
|
protocols *below* X still enabled. In more practical terms it means |
|
that if application wants to disable TLS1.0 in favor of TLS1.1 and |
|
above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass |
|
SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to |
|
client side. |
|
[Andy Polyakov] |
|
|
|
Changes between 1.0.1 and 1.0.1a [19 Apr 2012] |
|
|
|
*) Check for potentially exploitable overflows in asn1_d2i_read_bio |
|
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer |
|
in CRYPTO_realloc_clean. |
|
|
|
Thanks to Tavis Ormandy, Google Security Team, for discovering this |
|
issue and to Adam Langley <agl@chromium.org> for fixing it. |
|
(CVE-2012-2110) |
|
[Adam Langley (Google), Tavis Ormandy, Google Security Team] |
|
|
|
*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. |
|
[Adam Langley] |
|
|
|
*) Workarounds for some broken servers that "hang" if a client hello |
|
record length exceeds 255 bytes. |
|
|
|
1. Do not use record version number > TLS 1.0 in initial client |
|
hello: some (but not all) hanging servers will now work. |
|
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate |
|
the number of ciphers sent in the client hello. This should be |
|
set to an even number, such as 50, for example by passing: |
|
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. |
|
Most broken servers should now work. |
|
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable |
|
TLS 1.2 client support entirely. |
|
[Steve Henson] |
|
|
|
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH. |
|
[Andy Polyakov] |
|
|
|
Changes between 1.0.0h and 1.0.1 [14 Mar 2012] |
|
|
|
*) Add compatibility with old MDC2 signatures which use an ASN1 OCTET |
|
STRING form instead of a DigestInfo. |
|
[Steve Henson] |
|
|
|
*) The format used for MDC2 RSA signatures is inconsistent between EVP |
|
and the RSA_sign/RSA_verify functions. This was made more apparent when |
|
OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular |
|
those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect |
|
the correct format in RSA_verify so both forms transparently work. |
|
[Steve Henson] |
|
|
|
*) Some servers which support TLS 1.0 can choke if we initially indicate |
|
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA |
|
encrypted premaster secret. As a workaround use the maximum pemitted |
|
client version in client hello, this should keep such servers happy |
|
and still work with previous versions of OpenSSL. |
|
[Steve Henson] |
|
|
|
*) Add support for TLS/DTLS heartbeats. |
|
[Robin Seggelmann <seggelmann@fh-muenster.de>] |
|
|
|
*) Add support for SCTP. |
|
[Robin Seggelmann <seggelmann@fh-muenster.de>] |
|
|
|
*) Improved PRNG seeding for VOS. |
|
[Paul Green <Paul.Green@stratus.com>] |
|
|
|
*) Extensive assembler packs updates, most notably: |
|
|
|
- x86[_64]: AES-NI, PCLMULQDQ, RDRAND support; |
|
- x86[_64]: SSSE3 support (SHA1, vector-permutation AES); |
|
- x86_64: bit-sliced AES implementation; |
|
- ARM: NEON support, contemporary platforms optimizations; |
|
- s390x: z196 support; |
|
- *: GHASH and GF(2^m) multiplication implementations; |
|
|
|
[Andy Polyakov] |
|
|
|
*) Make TLS-SRP code conformant with RFC 5054 API cleanup |
|
(removal of unnecessary code) |
|
[Peter Sylvester <peter.sylvester@edelweb.fr>] |
|
|
|
*) Add TLS key material exporter from RFC 5705. |
|
[Eric Rescorla] |
|
|
|
*) Add DTLS-SRTP negotiation from RFC 5764. |
|
[Eric Rescorla] |
|
|
|
*) Add Next Protocol Negotiation, |
|
http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be |
|
disabled with a no-npn flag to config or Configure. Code donated |
|
by Google. |
|
[Adam Langley <agl@google.com> and Ben Laurie] |
|
|
|
*) Add optional 64-bit optimized implementations of elliptic curves NIST-P224, |
|
NIST-P256, NIST-P521, with constant-time single point multiplication on |
|
typical inputs. Compiler support for the nonstandard type __uint128_t is |
|
required to use this (present in gcc 4.4 and later, for 64-bit builds). |
|
Code made available under Apache License version 2.0. |
|
|
|
Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command |
|
line to include this in your build of OpenSSL, and run "make depend" (or |
|
"make update"). This enables the following EC_METHODs: |
|
|
|
EC_GFp_nistp224_method() |
|
EC_GFp_nistp256_method() |
|
EC_GFp_nistp521_method() |
|
|
|
EC_GROUP_new_by_curve_name() will automatically use these (while |
|
EC_GROUP_new_curve_GFp() currently prefers the more flexible |
|
implementations). |
|
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)] |
|
|
|
*) Use type ossl_ssize_t instad of ssize_t which isn't available on |
|
all platforms. Move ssize_t definition from e_os.h to the public |
|
header file e_os2.h as it now appears in public header file cms.h |
|
[Steve Henson] |
|
|
|
*) New -sigopt option to the ca, req and x509 utilities. Additional |
|
signature parameters can be passed using this option and in |
|
particular PSS. |
|
[Steve Henson] |
|
|
|
*) Add RSA PSS signing function. This will generate and set the |
|
appropriate AlgorithmIdentifiers for PSS based on those in the |
|
corresponding EVP_MD_CTX structure. No application support yet. |
|
[Steve Henson] |
|
|
|
*) Support for companion algorithm specific ASN1 signing routines. |
|
New function ASN1_item_sign_ctx() signs a pre-initialised |
|
EVP_MD_CTX structure and sets AlgorithmIdentifiers based on |
|
the appropriate parameters. |
|
[Steve Henson] |
|
|
|
*) Add new algorithm specific ASN1 verification initialisation function |
|
to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 |
|
handling will be the same no matter what EVP_PKEY_METHOD is used. |
|
Add a PSS handler to support verification of PSS signatures: checked |
|
against a number of sample certificates. |
|
[Steve Henson] |
|
|
|
*) Add signature printing for PSS. Add PSS OIDs. |
|
[Steve Henson, Martin Kaiser <lists@kaiser.cx>] |
|
|
|
*) Add algorithm specific signature printing. An individual ASN1 method |
|
can now print out signatures instead of the standard hex dump. |
|
|
|
More complex signatures (e.g. PSS) can print out more meaningful |
|
information. Include DSA version that prints out the signature |
|
parameters r, s. |
|
[Steve Henson] |
|
|
|
*) Password based recipient info support for CMS library: implementing |
|
RFC3211. |
|
[Steve Henson] |
|
|
|
*) Split password based encryption into PBES2 and PBKDF2 functions. This |
|
neatly separates the code into cipher and PBE sections and is required |
|
for some algorithms that split PBES2 into separate pieces (such as |
|
password based CMS). |
|
[Steve Henson] |
|
|
|
*) Session-handling fixes: |
|
- Fix handling of connections that are resuming with a session ID, |
|
but also support Session Tickets. |
|
- Fix a bug that suppressed issuing of a new ticket if the client |
|
presented a ticket with an expired session. |
|
- Try to set the ticket lifetime hint to something reasonable. |
|
- Make tickets shorter by excluding irrelevant information. |
|
- On the client side, don't ignore renewed tickets. |
|
[Adam Langley, Bodo Moeller (Google)] |
|
|
|
*) Fix PSK session representation. |
|
[Bodo Moeller] |
|
|
|
*) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. |
|
|
|
This work was sponsored by Intel. |
|
[Andy Polyakov] |
|
|
|
*) Add GCM support to TLS library. Some custom code is needed to split |
|
the IV between the fixed (from PRF) and explicit (from TLS record) |
|
portions. This adds all GCM ciphersuites supported by RFC5288 and |
|
RFC5289. Generalise some AES* cipherstrings to inlclude GCM and |
|
add a special AESGCM string for GCM only. |
|
[Steve Henson] |
|
|
|
*) Expand range of ctrls for AES GCM. Permit setting invocation |
|
field on decrypt and retrieval of invocation field only on encrypt. |
|
[Steve Henson] |
|
|
|
*) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support. |
|
As required by RFC5289 these ciphersuites cannot be used if for |
|
versions of TLS earlier than 1.2. |
|
[Steve Henson] |
|
|
|
*) For FIPS capable OpenSSL interpret a NULL default public key method |
|
as unset and return the appopriate default but do *not* set the default. |
|
This means we can return the appopriate method in applications that |
|
swicth between FIPS and non-FIPS modes. |
|
[Steve Henson] |
|
|
|
*) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an |
|
ENGINE is used then we cannot handle that in the FIPS module so we |
|
keep original code iff non-FIPS operations are allowed. |
|
[Steve Henson] |
|
|
|
*) Add -attime option to openssl utilities. |
|
[Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson] |
|
|
|
*) Redirect DSA and DH operations to FIPS module in FIPS mode. |
|
[Steve Henson] |
|
|
|
*) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use |
|
FIPS EC methods unconditionally for now. |
|
[Steve Henson] |
|
|
|
*) New build option no-ec2m to disable characteristic 2 code. |
|
[Steve Henson] |
|
|
|
*) Backport libcrypto audit of return value checking from 1.1.0-dev; not |
|
all cases can be covered as some introduce binary incompatibilities. |
|
[Steve Henson] |
|
|
|
*) Redirect RSA operations to FIPS module including keygen, |
|
encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods. |
|
[Steve Henson] |
|
|
|
*) Add similar low level API blocking to ciphers. |
|
[Steve Henson] |
|
|
|
*) Low level digest APIs are not approved in FIPS mode: any attempt |
|
to use these will cause a fatal error. Applications that *really* want |
|
to use them can use the private_* version instead. |
|
[Steve Henson] |
|
|
|
*) Redirect cipher operations to FIPS module for FIPS builds. |
|
[Steve Henson] |
|
|
|
*) Redirect digest operations to FIPS module for FIPS builds. |
|
[Steve Henson] |
|
|
|
*) Update build system to add "fips" flag which will link in fipscanister.o |
|
for static and shared library builds embedding a signature if needed. |
|
[Steve Henson] |
|
|
|
*) Output TLS supported curves in preference order instead of numerical |
|
order. This is currently hardcoded for the highest order curves first. |
|
This should be configurable so applications can judge speed vs strength. |
|
[Steve Henson] |
|
|
|
*) Add TLS v1.2 server support for client authentication. |
|
[Steve Henson] |
|
|
|
*) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers |
|
and enable MD5. |
|
[Steve Henson] |
|
|
|
*) Functions FIPS_mode_set() and FIPS_mode() which call the underlying |
|
FIPS modules versions. |
|
[Steve Henson] |
|
|
|
*) Add TLS v1.2 client side support for client authentication. Keep cache |
|
of handshake records longer as we don't know the hash algorithm to use |
|
until after the certificate request message is received. |
|
[Steve Henson] |
|
|
|
*) Initial TLS v1.2 client support. Add a default signature algorithms |
|
extension including all the algorithms we support. Parse new signature |
|
format in client key exchange. Relax some ECC signing restrictions for |
|
TLS v1.2 as indicated in RFC5246. |
|
[Steve Henson] |
|
|
|
*) Add server support for TLS v1.2 signature algorithms extension. Switch |
|
to new signature format when needed using client digest preference. |
|
All server ciphersuites should now work correctly in TLS v1.2. No client |
|
support yet and no support for client certificates. |
|
[Steve Henson] |
|
|
|
*) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch |
|
to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based |
|
ciphersuites. At present only RSA key exchange ciphersuites work with |
|
TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete |
|
SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods |
|
and version checking. |
|
[Steve Henson] |
|
|
|
*) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled |
|
with this defined it will not be affected by any changes to ssl internal |
|
structures. Add several utility functions to allow openssl application |
|
to work with OPENSSL_NO_SSL_INTERN defined. |
|
[Steve Henson] |
|
|
|
*) Add SRP support. |
|
[Tom Wu <tjw@cs.stanford.edu> and Ben Laurie] |
|
|
|
*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. |
|
[Steve Henson] |
|
|
|
*) Permit abbreviated handshakes when renegotiating using the function |
|
SSL_renegotiate_abbreviated(). |
|
[Robin Seggelmann <seggelmann@fh-muenster.de>] |
|
|
|
*) Add call to ENGINE_register_all_complete() to |
|
ENGINE_load_builtin_engines(), so some implementations get used |
|
automatically instead of needing explicit application support. |
|
[Steve Henson] |
|
|
|
*) Add support for TLS key exporter as described in RFC5705. |
|
[Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson] |
|
|
|
*) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only |
|
a few changes are required: |
|
|
|
Add SSL_OP_NO_TLSv1_1 flag. |
|
Add TLSv1_1 methods. |
|
Update version checking logic to handle version 1.1. |
|
Add explicit IV handling (ported from DTLS code). |
|
Add command line options to s_client/s_server. |
|
[Steve Henson] |
|
|
|
Changes between 1.0.0g and 1.0.0h [12 Mar 2012] |
|
|
|
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness |
|
in CMS and PKCS7 code. When RSA decryption fails use a random key for |
|
content decryption and always return the same error. Note: this attack |
|
needs on average 2^20 messages so it only affects automated senders. The |
|
old behaviour can be reenabled in the CMS code by setting the |
|
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where |
|
an MMA defence is not necessary. |
|
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering |
|
this issue. (CVE-2012-0884) |
|
[Steve Henson] |
|
|
|
*) Fix CVE-2011-4619: make sure we really are receiving a |
|
client hello before rejecting multiple SGC restarts. Thanks to |
|
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. |
|
[Steve Henson] |
|
|
|
Changes between 1.0.0f and 1.0.0g [18 Jan 2012] |
|
|
|
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. |
|
Thanks to Antonio Martin, Enterprise Secure Access Research and |
|
Development, Cisco Systems, Inc. for discovering this bug and |
|
preparing a fix. (CVE-2012-0050) |
|
[Antonio Martin] |
|
|
|
Changes between 1.0.0e and 1.0.0f [4 Jan 2012] |
|
|
|
*) Nadhem Alfardan and Kenny Paterson have discovered an extension |
|
of the Vaudenay padding oracle attack on CBC mode encryption |
|
which enables an efficient plaintext recovery attack against |
|
the OpenSSL implementation of DTLS. Their attack exploits timing |
|
differences arising during decryption processing. A research |
|
paper describing this attack can be found at: |
|
http://www.isg.rhul.ac.uk/~kp/dtls.pdf |
|
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information |
|
Security Group at Royal Holloway, University of London |
|
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann |
|
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> |
|
for preparing the fix. (CVE-2011-4108) |
|
[Robin Seggelmann, Michael Tuexen] |
|
|
|
*) Clear bytes used for block padding of SSL 3.0 records. |
|
(CVE-2011-4576) |
|
[Adam Langley (Google)] |
|
|
|
*) Only allow one SGC handshake restart for SSL/TLS. Thanks to George |
|
Kadianakis <desnacked@gmail.com> for discovering this issue and |
|
Adam Langley for preparing the fix. (CVE-2011-4619) |
|
[Adam Langley (Google)] |
|
|
|
*) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027) |
|
[Andrey Kulikov <amdeich@gmail.com>] |
|
|
|
*) Prevent malformed RFC3779 data triggering an assertion failure. |
|
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw |
|
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) |
|
[Rob Austein <sra@hactrn.net>] |
|
|
|
*) Improved PRNG seeding for VOS. |
|
[Paul Green <Paul.Green@stratus.com>] |
|
|
|
*) Fix ssl_ciph.c set-up race. |
|
[Adam Langley (Google)] |
|
|
|
*) Fix spurious failures in ecdsatest.c. |
|
[Emilia Käsper (Google)] |
|
|
|
*) Fix the BIO_f_buffer() implementation (which was mixing different |
|
interpretations of the '..._len' fields). |
|
[Adam Langley (Google)] |
|
|
|
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than |
|
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent |
|
threads won't reuse the same blinding coefficients. |
|
|
|
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING |
|
lock to call BN_BLINDING_invert_ex, and avoids one use of |
|
BN_BLINDING_update for each BN_BLINDING structure (previously, |
|
the last update always remained unused). |
|
[Emilia Käsper (Google)] |
|
|
|
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. |
|
[Bob Buckholz (Google)] |
|
|
|
Changes between 1.0.0d and 1.0.0e [6 Sep 2011] |
|
|
|
*) Fix bug where CRLs with nextUpdate in the past are sometimes accepted |
|
by initialising X509_STORE_CTX properly. (CVE-2011-3207) |
|
[Kaspar Brand <ossl@velox.ch>] |
|
|
|
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular |
|
for multi-threaded use of ECDH. (CVE-2011-3210) |
|
[Adam Langley (Google)] |
|
|
|
*) Fix x509_name_ex_d2i memory leak on bad inputs. |
|
[Bodo Moeller] |
|
|
|
*) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check |
|
signature public key algorithm by using OID xref utilities instead. |
|
Before this you could only use some ECC ciphersuites with SHA1 only. |
|
[Steve Henson] |
|
|
|
*) Add protection against ECDSA timing attacks as mentioned in the paper |
|
by Billy Bob Brumley and Nicola Tuveri, see: |
|
|
|
http://eprint.iacr.org/2011/232.pdf |
|
|
|
[Billy Bob Brumley and Nicola Tuveri] |
|
|
|
Changes between 1.0.0c and 1.0.0d [8 Feb 2011] |
|
|
|
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 |
|
[Neel Mehta, Adam Langley, Bodo Moeller (Google)] |
|
|
|
*) Fix bug in string printing code: if *any* escaping is enabled we must |
|
escape the escape character (backslash) or the resulting string is |
|
ambiguous. |
|
[Steve Henson] |
|
|
|
Changes between 1.0.0b and 1.0.0c [2 Dec 2010] |
|
|
|
*) Disable code workaround for ancient and obsolete Netscape browsers |
|
and servers: an attacker can use it in a ciphersuite downgrade attack. |
|
Thanks to Martin Rex for discovering this bug. CVE-2010-4180 |
|
[Steve Henson] |
|
|
|
*) Fixed J-PAKE implementation error, originally discovered by |
|
Sebastien Martini, further info and confirmation from Stefan |
|
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 |
|
[Ben Laurie] |
|
|
|
Changes between 1.0.0a and 1.0.0b [16 Nov 2010] |
|
|
|
*) Fix extension code to avoid race conditions which can result in a buffer |
|
overrun vulnerability: resumed sessions must not be modified as they can |
|
be shared by multiple threads. CVE-2010-3864 |
|
[Steve Henson] |
|
|
|
*) Fix WIN32 build system to correctly link an ENGINE directory into |
|
a DLL. |
|
[Steve Henson] |
|
|
|
Changes between 1.0.0 and 1.0.0a [01 Jun 2010] |
|
|
|
*) Check return value of int_rsa_verify in pkey_rsa_verifyrecover |
|
(CVE-2010-1633) |
|
[Steve Henson, Peter-Michael Hager <hager@dortmund.net>] |
|
|
|
Changes between 0.9.8n and 1.0.0 [29 Mar 2010] |
|
|
|
*) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher |
|
context. The operation can be customised via the ctrl mechanism in |
|
case ENGINEs want to include additional functionality. |
|
[Steve Henson] |
|
|
|
*) Tolerate yet another broken PKCS#8 key format: private key value negative. |
|
[Steve Henson] |
|
|
|
*) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to |
|
output hashes compatible with older versions of OpenSSL. |
|
[Willy Weisz <weisz@vcpc.univie.ac.at>] |
|
|
|
*) Fix compression algorithm handling: if resuming a session use the |
|
compression algorithm of the resumed session instead of determining |
|
it from client hello again. Don't allow server to change algorithm. |
|
[Steve Henson] |
|
|
|
*) Add load_crls() function to apps tidying load_certs() too. Add option |
|
to verify utility to allow additional CRLs to be included. |
|
[Steve Henson] |
|
|
|
*) Update OCSP request code to permit adding custom headers to the request: |
|
some responders need this. |
|
[Steve Henson] |
|
|
|
*) The function EVP_PKEY_sign() returns <=0 on error: check return code |
|
correctly. |
|
[Julia Lawall <julia@diku.dk>] |
|
|
|
*) Update verify callback code in apps/s_cb.c and apps/verify.c, it |
|
needlessly dereferenced structures, used obsolete functions and |
|
didn't handle all updated verify codes correctly. |
|
[Steve Henson] |
|
|
|
*) Disable MD2 in the default configuration. |
|
[Steve Henson] |
|
|
|
*) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to |
|
indicate the initial BIO being pushed or popped. This makes it possible |
|
to determine whether the BIO is the one explicitly called or as a result |
|
of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so |
|
it handles reference counts correctly and doesn't zero out the I/O bio |
|
when it is not being explicitly popped. WARNING: applications which |
|
included workarounds for the old buggy behaviour will need to be modified |
|
or they could free up already freed BIOs. |
|
[Steve Henson] |
|
|
|
*) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni |
|
renaming to all platforms (within the 0.9.8 branch, this was |
|
done conditionally on Netware platforms to avoid a name clash). |
|
[Guenter <lists@gknw.net>] |
|
|
|
*) Add ECDHE and PSK support to DTLS. |
|
[Michael Tuexen <tuexen@fh-muenster.de>] |
|
|
|
*) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't |
|
be used on C++. |
|
[Steve Henson] |
|
|
|
*) Add "missing" function EVP_MD_flags() (without this the only way to |
|
retrieve a digest flags is by accessing the structure directly. Update |
|
EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest |
|
or cipher is registered as in the "from" argument. Print out all |
|
registered digests in the dgst usage message instead of manually |
|
attempting to work them out. |
|
[Steve Henson] |
|
|
|
*) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: |
|
this allows the use of compression and extensions. Change default cipher |
|
string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 |
|
by default unless an application cipher string requests it. |
|
[Steve Henson] |
|
|
|
*) Alter match criteria in PKCS12_parse(). It used to try to use local |
|
key ids to find matching certificates and keys but some PKCS#12 files |
|
don't follow the (somewhat unwritten) rules and this strategy fails. |
|
Now just gather all certificates together and the first private key |
|
then look for the first certificate that matches the key. |
|
[Steve Henson] |
|
|
|
*) Support use of registered digest and cipher names for dgst and cipher |
|
commands instead of having to add each one as a special case. So now |
|
you can do: |
|
|
|
openssl sha256 foo |
|
|
|
as well as: |
|
|
|
openssl dgst -sha256 foo |
|
|
|
and this works for ENGINE based algorithms too. |
|
|
|
[Steve Henson] |
|
|
|
*) Update Gost ENGINE to support parameter files. |
|
[Victor B. Wagner <vitus@cryptocom.ru>] |
|
|
|
*) Support GeneralizedTime in ca utility. |
|
[Oliver Martin <oliver@volatilevoid.net>, Steve Henson] |
|
|
|
*) Enhance the hash format used for certificate directory links. The new |
|
form uses the canonical encoding (meaning equivalent names will work |
|
even if they aren't identical) and uses SHA1 instead of MD5. This form |
|
is incompatible with the older format and as a result c_rehash should |
|
be used to rebuild symbolic links. |
|
[Steve Henson] |
|
|
|
*) Make PKCS#8 the default write format for private keys, replacing the |
|
traditional format. This form is standardised, more secure and doesn't |
|
include an implicit MD5 dependency. |
|
[Steve Henson] |
|
|
|
*) Add a $gcc_devteam_warn option to Configure. The idea is that any code |
|
committed to OpenSSL should pass this lot as a minimum. |
|
[Steve Henson] |
|
|
|
*) Add session ticket override functionality for use by EAP-FAST. |
|
[Jouni Malinen <j@w1.fi>] |
|
|
|
*) Modify HMAC functions to return a value. Since these can be implemented |
|
in an ENGINE errors can occur. |
|
[Steve Henson] |
|
|
|
*) Type-checked OBJ_bsearch_ex. |
|
[Ben Laurie] |
|
|
|
*) Type-checked OBJ_bsearch. Also some constification necessitated |
|
by type-checking. Still to come: TXT_DB, bsearch(?), |
|
OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING, |
|
CONF_VALUE. |
|
[Ben Laurie] |
|
|
|
*) New function OPENSSL_gmtime_adj() to add a specific number of days and |
|
seconds to a tm structure directly, instead of going through OS |
|
specific date routines. This avoids any issues with OS routines such |
|
as the year 2038 bug. New *_adj() functions for ASN1 time structures |
|
and X509_time_adj_ex() to cover the extended range. The existing |
|
X509_time_adj() is still usable and will no longer have any date issues. |
|
[Steve Henson] |
|
|
|
*) Delta CRL support. New use deltas option which will attempt to locate |
|
and search any appropriate delta CRLs available. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Support for CRLs partitioned by reason code. Reorganise CRL processing |
|
code and add additional score elements. Validate alternate CRL paths |
|
as part of the CRL checking and indicate a new error "CRL path validation |
|
error" in this case. Applications wanting additional details can use |
|
the verify callback and check the new "parent" field. If this is not |
|
NULL CRL path validation is taking place. Existing applications wont |
|
see this because it requires extended CRL support which is off by |
|
default. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Support for freshest CRL extension. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Initial indirect CRL support. Currently only supported in the CRLs |
|
passed directly and not via lookup. Process certificate issuer |
|
CRL entry extension and lookup CRL entries by bother issuer name |
|
and serial number. Check and process CRL issuer entry in IDP extension. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Add support for distinct certificate and CRL paths. The CRL issuer |
|
certificate is validated separately in this case. Only enabled if |
|
an extended CRL support flag is set: this flag will enable additional |
|
CRL functionality in future. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Add support for policy mappings extension. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Fixes to pathlength constraint, self issued certificate handling, |
|
policy processing to align with RFC3280 and PKITS tests. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Support for name constraints certificate extension. DN, email, DNS |
|
and URI types are currently supported. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) To cater for systems that provide a pointer-based thread ID rather |
|
than numeric, deprecate the current numeric thread ID mechanism and |
|
replace it with a structure and associated callback type. This |
|
mechanism allows a numeric "hash" to be extracted from a thread ID in |
|
either case, and on platforms where pointers are larger than 'long', |
|
mixing is done to help ensure the numeric 'hash' is usable even if it |
|
can't be guaranteed unique. The default mechanism is to use "&errno" |
|
as a pointer-based thread ID to distinguish between threads. |
|
|
|
Applications that want to provide their own thread IDs should now use |
|
CRYPTO_THREADID_set_callback() to register a callback that will call |
|
either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer(). |
|
|
|
Note that ERR_remove_state() is now deprecated, because it is tied |
|
to the assumption that thread IDs are numeric. ERR_remove_state(0) |
|
to free the current thread's error state should be replaced by |
|
ERR_remove_thread_state(NULL). |
|
|
|
(This new approach replaces the functions CRYPTO_set_idptr_callback(), |
|
CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in |
|
OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an |
|
application was previously providing a numeric thread callback that |
|
was inappropriate for distinguishing threads, then uniqueness might |
|
have been obtained with &errno that happened immediately in the |
|
intermediate development versions of OpenSSL; this is no longer the |
|
case, the numeric thread callback will now override the automatic use |
|
of &errno.) |
|
[Geoff Thorpe, with help from Bodo Moeller] |
|
|
|
*) Initial support for different CRL issuing certificates. This covers a |
|
simple case where the self issued certificates in the chain exist and |
|
the real CRL issuer is higher in the existing chain. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Removed effectively defunct crypto/store from the build. |
|
[Ben Laurie] |
|
|
|
*) Revamp of STACK to provide stronger type-checking. Still to come: |
|
TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE, |
|
ASN1_STRING, CONF_VALUE. |
|
[Ben Laurie] |
|
|
|
*) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer |
|
RAM on SSL connections. This option can save about 34k per idle SSL. |
|
[Nick Mathewson] |
|
|
|
*) Revamp of LHASH to provide stronger type-checking. Still to come: |
|
STACK, TXT_DB, bsearch, qsort. |
|
[Ben Laurie] |
|
|
|
*) Initial support for Cryptographic Message Syntax (aka CMS) based |
|
on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility, |
|
support for data, signedData, compressedData, digestedData and |
|
encryptedData, envelopedData types included. Scripts to check against |
|
RFC4134 examples draft and interop and consistency checks of many |
|
content types and variants. |
|
[Steve Henson] |
|
|
|
*) Add options to enc utility to support use of zlib compression BIO. |
|
[Steve Henson] |
|
|
|
*) Extend mk1mf to support importing of options and assembly language |
|
files from Configure script, currently only included in VC-WIN32. |
|
The assembly language rules can now optionally generate the source |
|
files from the associated perl scripts. |
|
[Steve Henson] |
|
|
|
*) Implement remaining functionality needed to support GOST ciphersuites. |
|
Interop testing has been performed using CryptoPro implementations. |
|
[Victor B. Wagner <vitus@cryptocom.ru>] |
|
|
|
*) s390x assembler pack. |
|
[Andy Polyakov] |
|
|
|
*) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU |
|
"family." |
|
[Andy Polyakov] |
|
|
|
*) Implement Opaque PRF Input TLS extension as specified in |
|
draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an |
|
official specification yet and no extension type assignment by |
|
IANA exists, this extension (for now) will have to be explicitly |
|
enabled when building OpenSSL by providing the extension number |
|
to use. For example, specify an option |
|
|
|
-DTLSEXT_TYPE_opaque_prf_input=0x9527 |
|
|
|
to the "config" or "Configure" script to enable the extension, |
|
assuming extension number 0x9527 (which is a completely arbitrary |
|
and unofficial assignment based on the MD5 hash of the Internet |
|
Draft). Note that by doing so, you potentially lose |
|
interoperability with other TLS implementations since these might |
|
be using the same extension number for other purposes. |
|
|
|
SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the |
|
opaque PRF input value to use in the handshake. This will create |
|
an interal copy of the length-'len' string at 'src', and will |
|
return non-zero for success. |
|
|
|
To get more control and flexibility, provide a callback function |
|
by using |
|
|
|
SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) |
|
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg) |
|
|
|
where |
|
|
|
int (*cb)(SSL *, void *peerinput, size_t len, void *arg); |
|
void *arg; |
|
|
|
Callback function 'cb' will be called in handshakes, and is |
|
expected to use SSL_set_tlsext_opaque_prf_input() as appropriate. |
|
Argument 'arg' is for application purposes (the value as given to |
|
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly |
|
be provided to the callback function). The callback function |
|
has to return non-zero to report success: usually 1 to use opaque |
|
PRF input just if possible, or 2 to enforce use of the opaque PRF |
|
input. In the latter case, the library will abort the handshake |
|
if opaque PRF input is not successfully negotiated. |
|
|
|
Arguments 'peerinput' and 'len' given to the callback function |
|
will always be NULL and 0 in the case of a client. A server will |
|
see the client's opaque PRF input through these variables if |
|
available (NULL and 0 otherwise). Note that if the server |
|
provides an opaque PRF input, the length must be the same as the |
|
length of the client's opaque PRF input. |
|
|
|
Note that the callback function will only be called when creating |
|
a new session (session resumption can resume whatever was |
|
previously negotiated), and will not be called in SSL 2.0 |
|
handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or |
|
SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended |
|
for applications that need to enforce opaque PRF input. |
|
|
|
[Bodo Moeller] |
|
|
|
*) Update ssl code to support digests other than SHA1+MD5 for handshake |
|
MAC. |
|
|
|
[Victor B. Wagner <vitus@cryptocom.ru>] |
|
|
|
*) Add RFC4507 support to OpenSSL. This includes the corrections in |
|
RFC4507bis. The encrypted ticket format is an encrypted encoded |
|
SSL_SESSION structure, that way new session features are automatically |
|
supported. |
|
|
|
If a client application caches session in an SSL_SESSION structure |
|
support is transparent because tickets are now stored in the encoded |
|
SSL_SESSION. |
|
|
|
The SSL_CTX structure automatically generates keys for ticket |
|
protection in servers so again support should be possible |
|
with no application modification. |
|
|
|
If a client or server wishes to disable RFC4507 support then the option |
|
SSL_OP_NO_TICKET can be set. |
|
|
|
Add a TLS extension debugging callback to allow the contents of any client |
|
or server extensions to be examined. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Final changes to avoid use of pointer pointer casts in OpenSSL. |
|
OpenSSL should now compile cleanly on gcc 4.2 |
|
[Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson] |
|
|
|
*) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC |
|
support including streaming MAC support: this is required for GOST |
|
ciphersuite support. |
|
[Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson] |
|
|
|
*) Add option -stream to use PKCS#7 streaming in smime utility. New |
|
function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream() |
|
to output in BER and PEM format. |
|
[Steve Henson] |
|
|
|
*) Experimental support for use of HMAC via EVP_PKEY interface. This |
|
allows HMAC to be handled via the EVP_DigestSign*() interface. The |
|
EVP_PKEY "key" in this case is the HMAC key, potentially allowing |
|
ENGINE support for HMAC keys which are unextractable. New -mac and |
|
-macopt options to dgst utility. |
|
[Steve Henson] |
|
|
|
*) New option -sigopt to dgst utility. Update dgst to use |
|
EVP_Digest{Sign,Verify}*. These two changes make it possible to use |
|
alternative signing paramaters such as X9.31 or PSS in the dgst |
|
utility. |
|
[Steve Henson] |
|
|
|
*) Change ssl_cipher_apply_rule(), the internal function that does |
|
the work each time a ciphersuite string requests enabling |
|
("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or |
|
removing ("!foo+bar") a class of ciphersuites: Now it maintains |
|
the order of disabled ciphersuites such that those ciphersuites |
|
that most recently went from enabled to disabled not only stay |
|
in order with respect to each other, but also have higher priority |
|
than other disabled ciphersuites the next time ciphersuites are |
|
enabled again. |
|
|
|
This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable |
|
the same ciphersuites as with "HIGH" alone, but in a specific |
|
order where the PSK ciphersuites come first (since they are the |
|
most recently disabled ciphersuites when "HIGH" is parsed). |
|
|
|
Also, change ssl_create_cipher_list() (using this new |
|
funcionality) such that between otherwise identical |
|
cihpersuites, ephemeral ECDH is preferred over ephemeral DH in |
|
the default order. |
|
[Bodo Moeller] |
|
|
|
*) Change ssl_create_cipher_list() so that it automatically |
|
arranges the ciphersuites in reasonable order before starting |
|
to process the rule string. Thus, the definition for "DEFAULT" |
|
(SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but |
|
remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH". |
|
This makes it much easier to arrive at a reasonable default order |
|
in applications for which anonymous ciphers are OK (meaning |
|
that you can't actually use DEFAULT). |
|
[Bodo Moeller; suggested by Victor Duchovni] |
|
|
|
*) Split the SSL/TLS algorithm mask (as used for ciphersuite string |
|
processing) into multiple integers instead of setting |
|
"SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", |
|
"SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer. |
|
(These masks as well as the individual bit definitions are hidden |
|
away into the non-exported interface ssl/ssl_locl.h, so this |
|
change to the definition of the SSL_CIPHER structure shouldn't |
|
affect applications.) This give us more bits for each of these |
|
categories, so there is no longer a need to coagulate AES128 and |
|
AES256 into a single algorithm bit, and to coagulate Camellia128 |
|
and Camellia256 into a single algorithm bit, which has led to all |
|
kinds of kludges. |
|
|
|
Thus, among other things, the kludge introduced in 0.9.7m and |
|
0.9.8e for masking out AES256 independently of AES128 or masking |
|
out Camellia256 independently of AES256 is not needed here in 0.9.9. |
|
|
|
With the change, we also introduce new ciphersuite aliases that |
|
so far were missing: "AES128", "AES256", "CAMELLIA128", and |
|
"CAMELLIA256". |
|
[Bodo Moeller] |
|
|
|
*) Add support for dsa-with-SHA224 and dsa-with-SHA256. |
|
Use the leftmost N bytes of the signature input if the input is |
|
larger than the prime q (with N being the size in bytes of q). |
|
[Nils Larsch] |
|
|
|
*) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses |
|
it yet and it is largely untested. |
|
[Steve Henson] |
|
|
|
*) Add support for the ecdsa-with-SHA224/256/384/512 signature types. |
|
[Nils Larsch] |
|
|
|
*) Initial incomplete changes to avoid need for function casts in OpenSSL |
|
some compilers (gcc 4.2 and later) reject their use. Safestack is |
|
reimplemented. Update ASN1 to avoid use of legacy functions. |
|
[Steve Henson] |
|
|
|
*) Win32/64 targets are linked with Winsock2. |
|
[Andy Polyakov] |
|
|
|
*) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected |
|
to external functions. This can be used to increase CRL handling |
|
efficiency especially when CRLs are very large by (for example) storing |
|
the CRL revoked certificates in a database. |
|
[Steve Henson] |
|
|
|
*) Overhaul of by_dir code. Add support for dynamic loading of CRLs so |
|
new CRLs added to a directory can be used. New command line option |
|
-verify_return_error to s_client and s_server. This causes real errors |
|
to be returned by the verify callback instead of carrying on no matter |
|
what. This reflects the way a "real world" verify callback would behave. |
|
[Steve Henson] |
|
|
|
*) GOST engine, supporting several GOST algorithms and public key formats. |
|
Kindly donated by Cryptocom. |
|
[Cryptocom] |
|
|
|
*) Partial support for Issuing Distribution Point CRL extension. CRLs |
|
partitioned by DP are handled but no indirect CRL or reason partitioning |
|
(yet). Complete overhaul of CRL handling: now the most suitable CRL is |
|
selected via a scoring technique which handles IDP and AKID in CRLs. |
|
[Steve Henson] |
|
|
|
*) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which |
|
will ultimately be used for all verify operations: this will remove the |
|
X509_STORE dependency on certificate verification and allow alternative |
|
lookup methods. X509_STORE based implementations of these two callbacks. |
|
[Steve Henson] |
|
|
|
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. |
|
Modify get_crl() to find a valid (unexpired) CRL if possible. |
|
[Steve Henson] |
|
|
|
*) New function X509_CRL_match() to check if two CRLs are identical. Normally |
|
this would be called X509_CRL_cmp() but that name is already used by |
|
a function that just compares CRL issuer names. Cache several CRL |
|
extensions in X509_CRL structure and cache CRLDP in X509. |
|
[Steve Henson] |
|
|
|
*) Store a "canonical" representation of X509_NAME structure (ASN1 Name) |
|
this maps equivalent X509_NAME structures into a consistent structure. |
|
Name comparison can then be performed rapidly using memcmp(). |
|
[Steve Henson] |
|
|
|
*) Non-blocking OCSP request processing. Add -timeout option to ocsp |
|
utility. |
|
[Steve Henson] |
|
|
|
*) Allow digests to supply their own micalg string for S/MIME type using |
|
the ctrl EVP_MD_CTRL_MICALG. |
|
[Steve Henson] |
|
|
|
*) During PKCS7 signing pass the PKCS7 SignerInfo structure to the |
|
EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN |
|
ctrl. It can then customise the structure before and/or after signing |
|
if necessary. |
|
[Steve Henson] |
|
|
|
*) New function OBJ_add_sigid() to allow application defined signature OIDs |
|
to be added to OpenSSLs internal tables. New function OBJ_sigid_free() |
|
to free up any added signature OIDs. |
|
[Steve Henson] |
|
|
|
*) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(), |
|
EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal |
|
digest and cipher tables. New options added to openssl utility: |
|
list-message-digest-algorithms and list-cipher-algorithms. |
|
[Steve Henson] |
|
|
|
*) Change the array representation of binary polynomials: the list |
|
of degrees of non-zero coefficients is now terminated with -1. |
|
Previously it was terminated with 0, which was also part of the |
|
value; thus, the array representation was not applicable to |
|
polynomials where t^0 has coefficient zero. This change makes |
|
the array representation useful in a more general context. |
|
[Douglas Stebila] |
|
|
|
*) Various modifications and fixes to SSL/TLS cipher string |
|
handling. For ECC, the code now distinguishes between fixed ECDH |
|
with RSA certificates on the one hand and with ECDSA certificates |
|
on the other hand, since these are separate ciphersuites. The |
|
unused code for Fortezza ciphersuites has been removed. |
|
|
|
For consistency with EDH, ephemeral ECDH is now called "EECDH" |
|
(not "ECDHE"). For consistency with the code for DH |
|
certificates, use of ECDH certificates is now considered ECDH |
|
authentication, not RSA or ECDSA authentication (the latter is |
|
merely the CA's signing algorithm and not actively used in the |
|
protocol). |
|
|
|
The temporary ciphersuite alias "ECCdraft" is no longer |
|
available, and ECC ciphersuites are no longer excluded from "ALL" |
|
and "DEFAULT". The following aliases now exist for RFC 4492 |
|
ciphersuites, most of these by analogy with the DH case: |
|
|
|
kECDHr - ECDH cert, signed with RSA |
|
kECDHe - ECDH cert, signed with ECDSA |
|
kECDH - ECDH cert (signed with either RSA or ECDSA) |
|
kEECDH - ephemeral ECDH |
|
ECDH - ECDH cert or ephemeral ECDH |
|
|
|
aECDH - ECDH cert |
|
aECDSA - ECDSA cert |
|
ECDSA - ECDSA cert |
|
|
|
AECDH - anonymous ECDH |
|
EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH") |
|
|
|
[Bodo Moeller] |
|
|
|
*) Add additional S/MIME capabilities for AES and GOST ciphers if supported. |
|
Use correct micalg parameters depending on digest(s) in signed message. |
|
[Steve Henson] |
|
|
|
*) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process |
|
an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. |
|
[Steve Henson] |
|
|
|
*) Initial engine support for EVP_PKEY_METHOD. New functions to permit |
|
an engine to register a method. Add ENGINE lookups for methods and |
|
functional reference processing. |
|
[Steve Henson] |
|
|
|
*) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of |
|
EVP_{Sign,Verify}* which allow an application to customise the signature |
|
process. |
|
[Steve Henson] |
|
|
|
*) New -resign option to smime utility. This adds one or more signers |
|
to an existing PKCS#7 signedData structure. Also -md option to use an |
|
alternative message digest algorithm for signing. |
|
[Steve Henson] |
|
|
|
*) Tidy up PKCS#7 routines and add new functions to make it easier to |
|
create PKCS7 structures containing multiple signers. Update smime |
|
application to support multiple signers. |
|
[Steve Henson] |
|
|
|
*) New -macalg option to pkcs12 utility to allow setting of an alternative |
|
digest MAC. |
|
[Steve Henson] |
|
|
|
*) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. |
|
Reorganize PBE internals to lookup from a static table using NIDs, |
|
add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl: |
|
EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative |
|
PRF which will be automatically used with PBES2. |
|
[Steve Henson] |
|
|
|
*) Replace the algorithm specific calls to generate keys in "req" with the |
|
new API. |
|
[Steve Henson] |
|
|
|
*) Update PKCS#7 enveloped data routines to use new API. This is now |
|
supported by any public key method supporting the encrypt operation. A |
|
ctrl is added to allow the public key algorithm to examine or modify |
|
the PKCS#7 RecipientInfo structure if it needs to: for RSA this is |
|
a no op. |
|
[Steve Henson] |
|
|
|
*) Add a ctrl to asn1 method to allow a public key algorithm to express |
|
a default digest type to use. In most cases this will be SHA1 but some |
|
algorithms (such as GOST) need to specify an alternative digest. The |
|
return value indicates how strong the prefernce is 1 means optional and |
|
2 is mandatory (that is it is the only supported type). Modify |
|
ASN1_item_sign() to accept a NULL digest argument to indicate it should |
|
use the default md. Update openssl utilities to use the default digest |
|
type for signing if it is not explicitly indicated. |
|
[Steve Henson] |
|
|
|
*) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New |
|
EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant |
|
signing method from the key type. This effectively removes the link |
|
between digests and public key types. |
|
[Steve Henson] |
|
|
|
*) Add an OID cross reference table and utility functions. Its purpose is to |
|
translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, |
|
rsaEncryption. This will allow some of the algorithm specific hackery |
|
needed to use the correct OID to be removed. |
|
[Steve Henson] |
|
|
|
*) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO |
|
structures for PKCS7_sign(). They are now set up by the relevant public |
|
key ASN1 method. |
|
[Steve Henson] |
|
|
|
*) Add provisional EC pkey method with support for ECDSA and ECDH. |
|
[Steve Henson] |
|
|
|
*) Add support for key derivation (agreement) in the API, DH method and |
|
pkeyutl. |
|
[Steve Henson] |
|
|
|
*) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support |
|
public and private key formats. As a side effect these add additional |
|
command line functionality not previously available: DSA signatures can be |
|
generated and verified using pkeyutl and DH key support and generation in |
|
pkey, genpkey. |
|
[Steve Henson] |
|
|
|
*) BeOS support. |
|
[Oliver Tappe <zooey@hirschkaefer.de>] |
|
|
|
*) New make target "install_html_docs" installs HTML renditions of the |
|
manual pages. |
|
[Oliver Tappe <zooey@hirschkaefer.de>] |
|
|
|
*) New utility "genpkey" this is analagous to "genrsa" etc except it can |
|
generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to |
|
support key and parameter generation and add initial key generation |
|
functionality for RSA. |
|
[Steve Henson] |
|
|
|
*) Add functions for main EVP_PKEY_method operations. The undocumented |
|
functions EVP_PKEY_{encrypt,decrypt} have been renamed to |
|
EVP_PKEY_{encrypt,decrypt}_old. |
|
[Steve Henson] |
|
|
|
*) Initial definitions for EVP_PKEY_METHOD. This will be a high level public |
|
key API, doesn't do much yet. |
|
[Steve Henson] |
|
|
|
*) New function EVP_PKEY_asn1_get0_info() to retrieve information about |
|
public key algorithms. New option to openssl utility: |
|
"list-public-key-algorithms" to print out info. |
|
[Steve Henson] |
|
|
|
*) Implement the Supported Elliptic Curves Extension for |
|
ECC ciphersuites from draft-ietf-tls-ecc-12.txt. |
|
[Douglas Stebila] |
|
|
|
*) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or |
|
EVP_CIPHER structures to avoid later problems in EVP_cleanup(). |
|
[Steve Henson] |
|
|
|
*) New utilities pkey and pkeyparam. These are similar to algorithm specific |
|
utilities such as rsa, dsa, dsaparam etc except they process any key |
|
type. |
|
[Steve Henson] |
|
|
|
*) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New |
|
functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), |
|
EVP_PKEY_print_param() to print public key data from an EVP_PKEY |
|
structure. |
|
[Steve Henson] |
|
|
|
*) Initial support for pluggable public key ASN1. |
|
De-spaghettify the public key ASN1 handling. Move public and private |
|
key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate |
|
algorithm specific handling to a single module within the relevant |
|
algorithm directory. Add functions to allow (near) opaque processing |
|
of public and private key structures. |
|
[Steve Henson] |
|
|
|
*) Implement the Supported Point Formats Extension for |
|
ECC ciphersuites from draft-ietf-tls-ecc-12.txt. |
|
[Douglas Stebila] |
|
|
|
*) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members |
|
for the psk identity [hint] and the psk callback functions to the |
|
SSL_SESSION, SSL and SSL_CTX structure. |
|
|
|
New ciphersuites: |
|
PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, |
|
PSK-AES256-CBC-SHA |
|
|
|
New functions: |
|
SSL_CTX_use_psk_identity_hint |
|
SSL_get_psk_identity_hint |
|
SSL_get_psk_identity |
|
SSL_use_psk_identity_hint |
|
|
|
[Mika Kousa and Pasi Eronen of Nokia Corporation] |
|
|
|
*) Add RFC 3161 compliant time stamp request creation, response generation |
|
and response verification functionality. |
|
[Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project] |
|
|
|
*) Add initial support for TLS extensions, specifically for the server_name |
|
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now |
|
have new members for a host name. The SSL data structure has an |
|
additional member SSL_CTX *initial_ctx so that new sessions can be |
|
stored in that context to allow for session resumption, even after the |
|
SSL has been switched to a new SSL_CTX in reaction to a client's |
|
server_name extension. |
|
|
|
New functions (subject to change): |
|
|
|
SSL_get_servername() |
|
SSL_get_servername_type() |
|
SSL_set_SSL_CTX() |
|
|
|
New CTRL codes and macros (subject to change): |
|
|
|
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB |
|
- SSL_CTX_set_tlsext_servername_callback() |
|
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG |
|
- SSL_CTX_set_tlsext_servername_arg() |
|
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() |
|
|
|
openssl s_client has a new '-servername ...' option. |
|
|
|
openssl s_server has new options '-servername_host ...', '-cert2 ...', |
|
'-key2 ...', '-servername_fatal' (subject to change). This allows |
|
testing the HostName extension for a specific single host name ('-cert' |
|
and '-key' remain fallbacks for handshakes without HostName |
|
negotiation). If the unrecogninzed_name alert has to be sent, this by |
|
default is a warning; it becomes fatal with the '-servername_fatal' |
|
option. |
|
|
|
[Peter Sylvester, Remy Allais, Christophe Renou] |
|
|
|
*) Whirlpool hash implementation is added. |
|
[Andy Polyakov] |
|
|
|
*) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to |
|
bn(64,32). Because of instruction set limitations it doesn't have |
|
any negative impact on performance. This was done mostly in order |
|
to make it possible to share assembler modules, such as bn_mul_mont |
|
implementations, between 32- and 64-bit builds without hassle. |
|
[Andy Polyakov] |
|
|
|
*) Move code previously exiled into file crypto/ec/ec2_smpt.c |
|
to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP |
|
macro. |
|
[Bodo Moeller] |
|
|
|
*) New candidate for BIGNUM assembler implementation, bn_mul_mont, |
|
dedicated Montgomery multiplication procedure, is introduced. |
|
BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher |
|
"64-bit" performance on certain 32-bit targets. |
|
[Andy Polyakov] |
|
|
|
*) New option SSL_OP_NO_COMP to disable use of compression selectively |
|
in SSL structures. New SSL ctrl to set maximum send fragment size. |
|
Save memory by seeting the I/O buffer sizes dynamically instead of |
|
using the maximum available value. |
|
[Steve Henson] |
|
|
|
*) New option -V for 'openssl ciphers'. This prints the ciphersuite code |
|
in addition to the text details. |
|
[Bodo Moeller] |
|
|
|
*) Very, very preliminary EXPERIMENTAL support for printing of general |
|
ASN1 structures. This currently produces rather ugly output and doesn't |
|
handle several customised structures at all. |
|
[Steve Henson] |
|
|
|
*) Integrated support for PVK file format and some related formats such |
|
as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support |
|
these in the 'rsa' and 'dsa' utilities. |
|
[Steve Henson] |
|
|
|
*) Support for PKCS#1 RSAPublicKey format on rsa utility command line. |
|
[Steve Henson] |
|
|
|
*) Remove the ancient ASN1_METHOD code. This was only ever used in one |
|
place for the (very old) "NETSCAPE" format certificates which are now |
|
handled using new ASN1 code equivalents. |
|
[Steve Henson] |
|
|
|
*) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD |
|
pointer and make the SSL_METHOD parameter in SSL_CTX_new, |
|
SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'. |
|
[Nils Larsch] |
|
|
|
*) Modify CRL distribution points extension code to print out previously |
|
unsupported fields. Enhance extension setting code to allow setting of |
|
all fields. |
|
[Steve Henson] |
|
|
|
*) Add print and set support for Issuing Distribution Point CRL extension. |
|
[Steve Henson] |
|
|
|
*) Change 'Configure' script to enable Camellia by default. |
|
[NTT] |
|
|
|
Changes between 0.9.8m and 0.9.8n [24 Mar 2010] |
|
|
|
*) When rejecting SSL/TLS records due to an incorrect version number, never |
|
update s->server with a new major version number. As of |
|
- OpenSSL 0.9.8m if 'short' is a 16-bit type, |
|
- OpenSSL 0.9.8f if 'short' is longer than 16 bits, |
|
the previous behavior could result in a read attempt at NULL when |
|
receiving specific incorrect SSL/TLS records once record payload |
|
protection is active. (CVE-2010-0740) |
|
[Bodo Moeller, Adam Langley <agl@chromium.org>] |
|
|
|
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL |
|
could be crashed if the relevant tables were not present (e.g. chrooted). |
|
[Tomas Hoger <thoger@redhat.com>] |
|
|
|
Changes between 0.9.8l and 0.9.8m [25 Feb 2010] |
|
|
|
*) Always check bn_wexpend() return values for failure. (CVE-2009-3245) |
|
[Martin Olsson, Neel Mehta] |
|
|
|
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to |
|
accommodate for stack sorting, always a write lock!). |
|
[Bodo Moeller] |
|
|
|
*) On some versions of WIN32 Heap32Next is very slow. This can cause |
|
excessive delays in the RAND_poll(): over a minute. As a workaround |
|
include a time check in the inner Heap32Next loop too. |
|
[Steve Henson] |
|
|
|
*) The code that handled flushing of data in SSL/TLS originally used the |
|
BIO_CTRL_INFO ctrl to see if any data was pending first. This caused |
|
the problem outlined in PR#1949. The fix suggested there however can |
|
trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions |
|
of Apache). So instead simplify the code to flush unconditionally. |
|
This should be fine since flushing with no data to flush is a no op. |
|
[Steve Henson] |
|
|
|
*) Handle TLS versions 2.0 and later properly and correctly use the |
|
highest version of TLS/SSL supported. Although TLS >= 2.0 is some way |
|
off ancient servers have a habit of sticking around for a while... |
|
[Steve Henson] |
|
|
|
*) Modify compression code so it frees up structures without using the |
|
ex_data callbacks. This works around a problem where some applications |
|
call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when |
|
restarting) then use compression (e.g. SSL with compression) later. |
|
This results in significant per-connection memory leaks and |
|
has caused some security issues including CVE-2008-1678 and |
|
CVE-2009-4355. |
|
[Steve Henson] |
|
|
|
*) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't |
|
change when encrypting or decrypting. |
|
[Bodo Moeller] |
|
|
|
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to |
|
connect and renegotiate with servers which do not support RI. |
|
Until RI is more widely deployed this option is enabled by default. |
|
[Steve Henson] |
|
|
|
*) Add "missing" ssl ctrls to clear options and mode. |
|
[Steve Henson] |
|
|
|
*) If client attempts to renegotiate and doesn't support RI respond with |
|
a no_renegotiation alert as required by RFC5746. Some renegotiating |
|
TLS clients will continue a connection gracefully when they receive |
|
the alert. Unfortunately OpenSSL mishandled this alert and would hang |
|
waiting for a server hello which it will never receive. Now we treat a |
|
received no_renegotiation alert as a fatal error. This is because |
|
applications requesting a renegotiation might well expect it to succeed |
|
and would have no code in place to handle the server denying it so the |
|
only safe thing to do is to terminate the connection. |
|
[Steve Henson] |
|
|
|
*) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if |
|
peer supports secure renegotiation and 0 otherwise. Print out peer |
|
renegotiation support in s_client/s_server. |
|
[Steve Henson] |
|
|
|
*) Replace the highly broken and deprecated SPKAC certification method with |
|
the updated NID creation version. This should correctly handle UTF8. |
|
[Steve Henson] |
|
|
|
*) Implement RFC5746. Re-enable renegotiation but require the extension |
|
as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
|
turns out to be a bad idea. It has been replaced by |
|
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with |
|
SSL_CTX_set_options(). This is really not recommended unless you |
|
know what you are doing. |
|
[Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] |
|
|
|
*) Fixes to stateless session resumption handling. Use initial_ctx when |
|
issuing and attempting to decrypt tickets in case it has changed during |
|
servername handling. Use a non-zero length session ID when attempting |
|
stateless session resumption: this makes it possible to determine if |
|
a resumption has occurred immediately after receiving server hello |
|
(several places in OpenSSL subtly assume this) instead of later in |
|
the handshake. |
|
[Steve Henson] |
|
|
|
*) The functions ENGINE_ctrl(), OPENSSL_isservice(), |
|
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error |
|
fixes for a few places where the return code is not checked |
|
correctly. |
|
[Julia Lawall <julia@diku.dk>] |
|
|
|
*) Add --strict-warnings option to Configure script to include devteam |
|
warnings in other configurations. |
|
[Steve Henson] |
|
|
|
*) Add support for --libdir option and LIBDIR variable in makefiles. This |
|
makes it possible to install openssl libraries in locations which |
|
have names other than "lib", for example "/usr/lib64" which some |
|
systems need. |
|
[Steve Henson, based on patch from Jeremy Utley] |
|
|
|
*) Don't allow the use of leading 0x80 in OIDs. This is a violation of |
|
X690 8.9.12 and can produce some misleading textual output of OIDs. |
|
[Steve Henson, reported by Dan Kaminsky] |
|
|
|
*) Delete MD2 from algorithm tables. This follows the recommendation in |
|
several standards that it is not used in new applications due to |
|
several cryptographic weaknesses. For binary compatibility reasons |
|
the MD2 API is still compiled in by default. |
|
[Steve Henson] |
|
|
|
*) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved |
|
and restored. |
|
[Steve Henson] |
|
|
|
*) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and |
|
OPENSSL_asc2uni conditionally on Netware platforms to avoid a name |
|
clash. |
|
[Guenter <lists@gknw.net>] |
|
|
|
*) Fix the server certificate chain building code to use X509_verify_cert(), |
|
it used to have an ad-hoc builder which was unable to cope with anything |
|
other than a simple chain. |
|
[David Woodhouse <dwmw2@infradead.org>, Steve Henson] |
|
|
|
*) Don't check self signed certificate signatures in X509_verify_cert() |
|
by default (a flag can override this): it just wastes time without |
|
adding any security. As a useful side effect self signed root CAs |
|
with non-FIPS digests are now usable in FIPS mode. |
|
[Steve Henson] |
|
|
|
*) In dtls1_process_out_of_seq_message() the check if the current message |
|
is already buffered was missing. For every new message was memory |
|
allocated, allowing an attacker to perform an denial of service attack |
|
with sending out of seq handshake messages until there is no memory |
|
left. Additionally every future messege was buffered, even if the |
|
sequence number made no sense and would be part of another handshake. |
|
So only messages with sequence numbers less than 10 in advance will be |
|
buffered. (CVE-2009-1378) |
|
[Robin Seggelmann, discovered by Daniel Mentz] |
|
|
|
*) Records are buffered if they arrive with a future epoch to be |
|
processed after finishing the corresponding handshake. There is |
|
currently no limitation to this buffer allowing an attacker to perform |
|
a DOS attack with sending records with future epochs until there is no |
|
memory left. This patch adds the pqueue_size() function to detemine |
|
the size of a buffer and limits the record buffer to 100 entries. |
|
(CVE-2009-1377) |
|
[Robin Seggelmann, discovered by Daniel Mentz] |
|
|
|
*) Keep a copy of frag->msg_header.frag_len so it can be used after the |
|
parent structure is freed. (CVE-2009-1379) |
|
[Daniel Mentz] |
|
|
|
*) Handle non-blocking I/O properly in SSL_shutdown() call. |
|
[Darryl Miles <darryl-mailinglists@netbauds.net>] |
|
|
|
*) Add 2.5.4.* OIDs |
|
[Ilya O. <vrghost@gmail.com>] |
|
|
|
Changes between 0.9.8k and 0.9.8l [5 Nov 2009] |
|
|
|
*) Disable renegotiation completely - this fixes a severe security |
|
problem (CVE-2009-3555) at the cost of breaking all |
|
renegotiation. Renegotiation can be re-enabled by setting |
|
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at |
|
run-time. This is really not recommended unless you know what |
|
you're doing. |
|
[Ben Laurie] |
|
|
|
Changes between 0.9.8j and 0.9.8k [25 Mar 2009] |
|
|
|
*) Don't set val to NULL when freeing up structures, it is freed up by |
|
underlying code. If sizeof(void *) > sizeof(long) this can result in |
|
zeroing past the valid field. (CVE-2009-0789) |
|
[Paolo Ganci <Paolo.Ganci@AdNovum.CH>] |
|
|
|
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not |
|
checked correctly. This would allow some invalid signed attributes to |
|
appear to verify correctly. (CVE-2009-0591) |
|
[Ivan Nestlerode <inestlerode@us.ibm.com>] |
|
|
|
*) Reject UniversalString and BMPString types with invalid lengths. This |
|
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have |
|
a legal length. (CVE-2009-0590) |
|
[Steve Henson] |
|
|
|
*) Set S/MIME signing as the default purpose rather than setting it |
|
unconditionally. This allows applications to override it at the store |
|
level. |
|
[Steve Henson] |
|
|
|
*) Permit restricted recursion of ASN1 strings. This is needed in practice |
|
to handle some structures. |
|
[Steve Henson] |
|
|
|
*) Improve efficiency of mem_gets: don't search whole buffer each time |
|
for a '\n' |
|
[Jeremy Shapiro <jnshapir@us.ibm.com>] |
|
|
|
*) New -hex option for openssl rand. |
|
[Matthieu Herrb] |
|
|
|
*) Print out UTF8String and NumericString when parsing ASN1. |
|
[Steve Henson] |
|
|
|
*) Support NumericString type for name components. |
|
[Steve Henson] |
|
|
|
*) Allow CC in the environment to override the automatically chosen |
|
compiler. Note that nothing is done to ensure flags work with the |
|
chosen compiler. |
|
[Ben Laurie] |
|
|
|
Changes between 0.9.8i and 0.9.8j [07 Jan 2009] |
|
|
|
*) Properly check EVP_VerifyFinal() and similar return values |
|
(CVE-2008-5077). |
|
[Ben Laurie, Bodo Moeller, Google Security Team] |
|
|
|
*) Enable TLS extensions by default. |
|
[Ben Laurie] |
|
|
|
*) Allow the CHIL engine to be loaded, whether the application is |
|
multithreaded or not. (This does not release the developer from the |
|
obligation to set up the dynamic locking callbacks.) |
|
[Sander Temme <sander@temme.net>] |
|
|
|
*) Use correct exit code if there is an error in dgst command. |
|
[Steve Henson; problem pointed out by Roland Dirlewanger] |
|
|
|
*) Tweak Configure so that you need to say "experimental-jpake" to enable |
|
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. |
|
[Bodo Moeller] |
|
|
|
*) Add experimental JPAKE support, including demo authentication in |
|
s_client and s_server. |
|
[Ben Laurie] |
|
|
|
*) Set the comparison function in v3_addr_canonize(). |
|
[Rob Austein <sra@hactrn.net>] |
|
|
|
*) Add support for XMPP STARTTLS in s_client. |
|
[Philip Paeps <philip@freebsd.org>] |
|
|
|
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior |
|
to ensure that even with this option, only ciphersuites in the |
|
server's preference list will be accepted. (Note that the option |
|
applies only when resuming a session, so the earlier behavior was |
|
just about the algorithm choice for symmetric cryptography.) |
|
[Bodo Moeller] |
|
|
|
Changes between 0.9.8h and 0.9.8i [15 Sep 2008] |
|
|
|
*) Fix NULL pointer dereference if a DTLS server received |
|
ChangeCipherSpec as first record (CVE-2009-1386). |
|
[PR #1679] |
|
|
|
*) Fix a state transitition in s3_srvr.c and d1_srvr.c |
|
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). |
|
[Nagendra Modadugu] |
|
|
|
*) The fix in 0.9.8c that supposedly got rid of unsafe |
|
double-checked locking was incomplete for RSA blinding, |
|
addressing just one layer of what turns out to have been |
|
doubly unsafe triple-checked locking. |
|
|
|
So now fix this for real by retiring the MONT_HELPER macro |
|
in crypto/rsa/rsa_eay.c. |
|
|
|
[Bodo Moeller; problem pointed out by Marius Schilder] |
|
|
|
*) Various precautionary measures: |
|
|
|
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). |
|
|
|
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). |
|
(NB: This would require knowledge of the secret session ticket key |
|
to exploit, in which case you'd be SOL either way.) |
|
|
|
- Change bn_nist.c so that it will properly handle input BIGNUMs |
|
outside the expected range. |
|
|
|
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG |
|
builds. |
|
|
|
[Neel Mehta, Bodo Moeller] |
|
|
|
*) Allow engines to be "soft loaded" - i.e. optionally don't die if |
|
the load fails. Useful for distros. |
|
[Ben Laurie and the FreeBSD team] |
|
|
|
*) Add support for Local Machine Keyset attribute in PKCS#12 files. |
|
[Steve Henson] |
|
|
|
*) Fix BN_GF2m_mod_arr() top-bit cleanup code. |
|
[Huang Ying] |
|
|
|
*) Expand ENGINE to support engine supplied SSL client certificate functions. |
|
|
|
This work was sponsored by Logica. |
|
[Steve Henson] |
|
|
|
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows |
|
keystores. Support for SSL/TLS client authentication too. |
|
Not compiled unless enable-capieng specified to Configure. |
|
|
|
This work was sponsored by Logica. |
|
[Steve Henson] |
|
|
|
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using |
|
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain |
|
attribute creation routines such as certifcate requests and PKCS#12 |
|
files. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.8g and 0.9.8h [28 May 2008] |
|
|
|
*) Fix flaw if 'Server Key exchange message' is omitted from a TLS |
|
handshake which could lead to a cilent crash as found using the |
|
Codenomicon TLS test suite (CVE-2008-1672) |
|
[Steve Henson, Mark Cox] |
|
|
|
*) Fix double free in TLS server name extensions which could lead to |
|
a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) |
|
[Joe Orton] |
|
|
|
*) Clear error queue in SSL_CTX_use_certificate_chain_file() |
|
|
|
Clear the error queue to ensure that error entries left from |
|
older function calls do not interfere with the correct operation. |
|
[Lutz Jaenicke, Erik de Castro Lopo] |
|
|
|
*) Remove root CA certificates of commercial CAs: |
|
|
|
The OpenSSL project does not recommend any specific CA and does not |
|
have any policy with respect to including or excluding any CA. |
|
Therefore it does not make any sense to ship an arbitrary selection |
|
of root CA certificates with the OpenSSL software. |
|
[Lutz Jaenicke] |
|
|
|
*) RSA OAEP patches to fix two separate invalid memory reads. |
|
The first one involves inputs when 'lzero' is greater than |
|
'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes |
|
before the beginning of from). The second one involves inputs where |
|
the 'db' section contains nothing but zeroes (there is a one-byte |
|
invalid read after the end of 'db'). |
|
[Ivan Nestlerode <inestlerode@us.ibm.com>] |
|
|
|
*) Partial backport from 0.9.9-dev: |
|
|
|
Introduce bn_mul_mont (dedicated Montgomery multiplication |
|
procedure) as a candidate for BIGNUM assembler implementation. |
|
While 0.9.9-dev uses assembler for various architectures, only |
|
x86_64 is available by default here in the 0.9.8 branch, and |
|
32-bit x86 is available through a compile-time setting. |
|
|
|
To try the 32-bit x86 assembler implementation, use Configure |
|
option "enable-montasm" (which exists only for this backport). |
|
|
|
As "enable-montasm" for 32-bit x86 disclaims code stability |
|
anyway, in this constellation we activate additional code |
|
backported from 0.9.9-dev for further performance improvements, |
|
namely BN_from_montgomery_word. (To enable this otherwise, |
|
e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".) |
|
|
|
[Andy Polyakov (backport partially by Bodo Moeller)] |
|
|
|
*) Add TLS session ticket callback. This allows an application to set |
|
TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed |
|
values. This is useful for key rollover for example where several key |
|
sets may exist with different names. |
|
[Steve Henson] |
|
|
|
*) Reverse ENGINE-internal logic for caching default ENGINE handles. |
|
This was broken until now in 0.9.8 releases, such that the only way |
|
a registered ENGINE could be used (assuming it initialises |
|
successfully on the host) was to explicitly set it as the default |
|
for the relevant algorithms. This is in contradiction with 0.9.7 |
|
behaviour and the documentation. With this fix, when an ENGINE is |
|
registered into a given algorithm's table of implementations, the |
|
'uptodate' flag is reset so that auto-discovery will be used next |
|
time a new context for that algorithm attempts to select an |
|
implementation. |
|
[Ian Lister (tweaked by Geoff Thorpe)] |
|
|
|
*) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 |
|
implemention in the following ways: |
|
|
|
Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be |
|
hard coded. |
|
|
|
Lack of BER streaming support means one pass streaming processing is |
|
only supported if data is detached: setting the streaming flag is |
|
ignored for embedded content. |
|
|
|
CMS support is disabled by default and must be explicitly enabled |
|
with the enable-cms configuration option. |
|
[Steve Henson] |
|
|
|
*) Update the GMP engine glue to do direct copies between BIGNUM and |
|
mpz_t when openssl and GMP use the same limb size. Otherwise the |
|
existing "conversion via a text string export" trick is still used. |
|
[Paul Sheer <paulsheer@gmail.com>] |
|
|
|
*) Zlib compression BIO. This is a filter BIO which compressed and |
|
uncompresses any data passed through it. |
|
[Steve Henson] |
|
|
|
*) Add AES_wrap_key() and AES_unwrap_key() functions to implement |
|
RFC3394 compatible AES key wrapping. |
|
[Steve Henson] |
|
|
|
*) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): |
|
sets string data without copying. X509_ALGOR_set0() and |
|
X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) |
|
data. Attribute function X509at_get0_data_by_OBJ(): retrieves data |
|
from an X509_ATTRIBUTE structure optionally checking it occurs only |
|
once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied |
|
data. |
|
[Steve Henson] |
|
|
|
*) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() |
|
to get the expected BN_FLG_CONSTTIME behavior. |
|
[Bodo Moeller (Google)] |
|
|
|
*) Netware support: |
|
|
|
- fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets |
|
- fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) |
|
- added some more tests to do_tests.pl |
|
- fixed RunningProcess usage so that it works with newer LIBC NDKs too |
|
- removed usage of BN_LLONG for CLIB builds to avoid runtime dependency |
|
- added new Configure targets netware-clib-bsdsock, netware-clib-gcc, |
|
netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc |
|
- various changes to netware.pl to enable gcc-cross builds on Win32 |
|
platform |
|
- changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) |
|
- various changes to fix missing prototype warnings |
|
- fixed x86nasm.pl to create correct asm files for NASM COFF output |
|
- added AES, WHIRLPOOL and CPUID assembler code to build files |
|
- added missing AES assembler make rules to mk1mf.pl |
|
- fixed order of includes in apps/ocsp.c so that e_os.h settings apply |
|
[Guenter Knauf <eflash@gmx.net>] |
|
|
|
*) Implement certificate status request TLS extension defined in RFC3546. |
|
A client can set the appropriate parameters and receive the encoded |
|
OCSP response via a callback. A server can query the supplied parameters |
|
and set the encoded OCSP response in the callback. Add simplified examples |
|
to s_client and s_server. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.8f and 0.9.8g [19 Oct 2007] |
|
|
|
*) Fix various bugs: |
|
+ Binary incompatibility of ssl_ctx_st structure |
|
+ DTLS interoperation with non-compliant servers |
|
+ Don't call get_session_cb() without proposed session |
|
+ Fix ia64 assembler code |
|
[Andy Polyakov, Steve Henson] |
|
|
|
Changes between 0.9.8e and 0.9.8f [11 Oct 2007] |
|
|
|
*) DTLS Handshake overhaul. There were longstanding issues with |
|
OpenSSL DTLS implementation, which were making it impossible for |
|
RFC 4347 compliant client to communicate with OpenSSL server. |
|
Unfortunately just fixing these incompatibilities would "cut off" |
|
pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e |
|
server keeps tolerating non RFC compliant syntax. The opposite is |
|
not true, 0.9.8f client can not communicate with earlier server. |
|
This update even addresses CVE-2007-4995. |
|
[Andy Polyakov] |
|
|
|
*) Changes to avoid need for function casts in OpenSSL: some compilers |
|
(gcc 4.2 and later) reject their use. |
|
[Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, |
|
Steve Henson] |
|
|
|
*) Add RFC4507 support to OpenSSL. This includes the corrections in |
|
RFC4507bis. The encrypted ticket format is an encrypted encoded |
|
SSL_SESSION structure, that way new session features are automatically |
|
supported. |
|
|
|
If a client application caches session in an SSL_SESSION structure |
|
support is transparent because tickets are now stored in the encoded |
|
SSL_SESSION. |
|
|
|
The SSL_CTX structure automatically generates keys for ticket |
|
protection in servers so again support should be possible |
|
with no application modification. |
|
|
|
If a client or server wishes to disable RFC4507 support then the option |
|
SSL_OP_NO_TICKET can be set. |
|
|
|
Add a TLS extension debugging callback to allow the contents of any client |
|
or server extensions to be examined. |
|
|
|
This work was sponsored by Google. |
|
[Steve Henson] |
|
|
|
*) Add initial support for TLS extensions, specifically for the server_name |
|
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now |
|
have new members for a host name. The SSL data structure has an |
|
additional member SSL_CTX *initial_ctx so that new sessions can be |
|
stored in that context to allow for session resumption, even after the |
|
SSL has been switched to a new SSL_CTX in reaction to a client's |
|
server_name extension. |
|
|
|
New functions (subject to change): |
|
|
|
SSL_get_servername() |
|
SSL_get_servername_type() |
|
SSL_set_SSL_CTX() |
|
|
|
New CTRL codes and macros (subject to change): |
|
|
|
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB |
|
- SSL_CTX_set_tlsext_servername_callback() |
|
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG |
|
- SSL_CTX_set_tlsext_servername_arg() |
|
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() |
|
|
|
openssl s_client has a new '-servername ...' option. |
|
|
|
openssl s_server has new options '-servername_host ...', '-cert2 ...', |
|
'-key2 ...', '-servername_fatal' (subject to change). This allows |
|
testing the HostName extension for a specific single host name ('-cert' |
|
and '-key' remain fallbacks for handshakes without HostName |
|
negotiation). If the unrecogninzed_name alert has to be sent, this by |
|
default is a warning; it becomes fatal with the '-servername_fatal' |
|
option. |
|
|
|
[Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson] |
|
|
|
*) Add AES and SSE2 assembly language support to VC++ build. |
|
[Steve Henson] |
|
|
|
*) Mitigate attack on final subtraction in Montgomery reduction. |
|
[Andy Polyakov] |
|
|
|
*) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 |
|
(which previously caused an internal error). |
|
[Bodo Moeller] |
|
|
|
*) Squeeze another 10% out of IGE mode when in != out. |
|
[Ben Laurie] |
|
|
|
*) AES IGE mode speedup. |
|
[Dean Gaudet (Google)] |
|
|
|
*) Add the Korean symmetric 128-bit cipher SEED (see |
|
http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and |
|
add SEED ciphersuites from RFC 4162: |
|
|
|
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" |
|
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" |
|
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" |
|
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" |
|
|
|
To minimize changes between patchlevels in the OpenSSL 0.9.8 |
|
series, SEED remains excluded from compilation unless OpenSSL |
|
is configured with 'enable-seed'. |
|
[KISA, Bodo Moeller] |
|
|
|
*) Mitigate branch prediction attacks, which can be practical if a |
|
single processor is shared, allowing a spy process to extract |
|
information. For detailed background information, see |
|
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, |
|
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL |
|
and Necessary Software Countermeasures"). The core of the change |
|
are new versions BN_div_no_branch() and |
|
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), |
|
respectively, which are slower, but avoid the security-relevant |
|
conditional branches. These are automatically called by BN_div() |
|
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one |
|
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to |
|
remove a conditional branch. |
|
|
|
BN_FLG_CONSTTIME is the new name for the previous |
|
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just |
|
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag |
|
in the exponent causes BN_mod_exp_mont() to use the alternative |
|
implementation in BN_mod_exp_mont_consttime().) The old name |
|
remains as a deprecated alias. |
|
|
|
Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general |
|
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses |
|
constant-time implementations for more than just exponentiation. |
|
Here too the old name is kept as a deprecated alias. |
|
|
|
BN_BLINDING_new() will now use BN_dup() for the modulus so that |
|
the BN_BLINDING structure gets an independent copy of the |
|
modulus. This means that the previous "BIGNUM *m" argument to |
|
BN_BLINDING_new() and to BN_BLINDING_create_param() now |
|
essentially becomes "const BIGNUM *m", although we can't actually |
|
change this in the header file before 0.9.9. It allows |
|
RSA_setup_blinding() to use BN_with_flags() on the modulus to |
|
enable BN_FLG_CONSTTIME. |
|
|
|
[Matthew D Wood (Intel Corp)] |
|
|
|
*) In the SSL/TLS server implementation, be strict about session ID |
|
context matching (which matters if an application uses a single |
|
external cache for different purposes). Previously, |
|
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was |
|
set. This did ensure strict client verification, but meant that, |
|
with applications using a single external cache for quite |
|
different requirements, clients could circumvent ciphersuite |
|
restrictions for a given session ID context by starting a session |
|
in a different context. |
|
[Bodo Moeller] |
|
|
|
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that |
|
a ciphersuite string such as "DEFAULT:RSA" cannot enable |
|
authentication-only ciphersuites. |
|
[Bodo Moeller] |
|
|
|
*) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was |
|
not complete and could lead to a possible single byte overflow |
|
(CVE-2007-5135) [Ben Laurie] |
|
|
|
Changes between 0.9.8d and 0.9.8e [23 Feb 2007] |
|
|
|
*) Since AES128 and AES256 (and similarly Camellia128 and |
|
Camellia256) share a single mask bit in the logic of |
|
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a |
|
kludge to work properly if AES128 is available and AES256 isn't |
|
(or if Camellia128 is available and Camellia256 isn't). |
|
[Victor Duchovni] |
|
|
|
*) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c |
|
(within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): |
|
When a point or a seed is encoded in a BIT STRING, we need to |
|
prevent the removal of trailing zero bits to get the proper DER |
|
encoding. (By default, crypto/asn1/a_bitstr.c assumes the case |
|
of a NamedBitList, for which trailing 0 bits need to be removed.) |
|
[Bodo Moeller] |
|
|
|
*) Have SSL/TLS server implementation tolerate "mismatched" record |
|
protocol version while receiving ClientHello even if the |
|
ClientHello is fragmented. (The server can't insist on the |
|
particular protocol version it has chosen before the ServerHello |
|
message has informed the client about his choice.) |
|
[Bodo Moeller] |
|
|
|
*) Add RFC 3779 support. |
|
[Rob Austein for ARIN, Ben Laurie] |
|
|
|
*) Load error codes if they are not already present instead of using a |
|
static variable. This allows them to be cleanly unloaded and reloaded. |
|
Improve header file function name parsing. |
|
[Steve Henson] |
|
|
|
*) extend SMTP and IMAP protocol emulation in s_client to use EHLO |
|
or CAPABILITY handshake as required by RFCs. |
|
[Goetz Babin-Ebell] |
|
|
|
Changes between 0.9.8c and 0.9.8d [28 Sep 2006] |
|
|
|
*) Introduce limits to prevent malicious keys being able to |
|
cause a denial of service. (CVE-2006-2940) |
|
[Steve Henson, Bodo Moeller] |
|
|
|
*) Fix ASN.1 parsing of certain invalid structures that can result |
|
in a denial of service. (CVE-2006-2937) [Steve Henson] |
|
|
|
*) Fix buffer overflow in SSL_get_shared_ciphers() function. |
|
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] |
|
|
|
*) Fix SSL client code which could crash if connecting to a |
|
malicious SSLv2 server. (CVE-2006-4343) |
|
[Tavis Ormandy and Will Drewry, Google Security Team] |
|
|
|
*) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites |
|
match only those. Before that, "AES256-SHA" would be interpreted |
|
as a pattern and match "AES128-SHA" too (since AES128-SHA got |
|
the same strength classification in 0.9.7h) as we currently only |
|
have a single AES bit in the ciphersuite description bitmap. |
|
That change, however, also applied to ciphersuite strings such as |
|
"RC4-MD5" that intentionally matched multiple ciphersuites -- |
|
namely, SSL 2.0 ciphersuites in addition to the more common ones |
|
from SSL 3.0/TLS 1.0. |
|
|
|
So we change the selection algorithm again: Naming an explicit |
|
ciphersuite selects this one ciphersuite, and any other similar |
|
ciphersuite (same bitmap) from *other* protocol versions. |
|
Thus, "RC4-MD5" again will properly select both the SSL 2.0 |
|
ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. |
|
|
|
Since SSL 2.0 does not have any ciphersuites for which the |
|
128/256 bit distinction would be relevant, this works for now. |
|
The proper fix will be to use different bits for AES128 and |
|
AES256, which would have avoided the problems from the beginning; |
|
however, bits are scarce, so we can only do this in a new release |
|
(not just a patchlevel) when we can change the SSL_CIPHER |
|
definition to split the single 'unsigned long mask' bitmap into |
|
multiple values to extend the available space. |
|
|
|
[Bodo Moeller] |
|
|
|
Changes between 0.9.8b and 0.9.8c [05 Sep 2006] |
|
|
|
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher |
|
(CVE-2006-4339) [Ben Laurie and Google Security Team] |
|
|
|
*) Add AES IGE and biIGE modes. |
|
[Ben Laurie] |
|
|
|
*) Change the Unix randomness entropy gathering to use poll() when |
|
possible instead of select(), since the latter has some |
|
undesirable limitations. |
|
[Darryl Miles via Richard Levitte and Bodo Moeller] |
|
|
|
*) Disable "ECCdraft" ciphersuites more thoroughly. Now special |
|
treatment in ssl/ssl_ciph.s makes sure that these ciphersuites |
|
cannot be implicitly activated as part of, e.g., the "AES" alias. |
|
However, please upgrade to OpenSSL 0.9.9[-dev] for |
|
non-experimental use of the ECC ciphersuites to get TLS extension |
|
support, which is required for curve and point format negotiation |
|
to avoid potential handshake problems. |
|
[Bodo Moeller] |
|
|
|
*) Disable rogue ciphersuites: |
|
|
|
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") |
|
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") |
|
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") |
|
|
|
The latter two were purportedly from |
|
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really |
|
appear there. |
|
|
|
Also deactivate the remaining ciphersuites from |
|
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as |
|
unofficial, and the ID has long expired. |
|
[Bodo Moeller] |
|
|
|
*) Fix RSA blinding Heisenbug (problems sometimes occured on |
|
dual-core machines) and other potential thread-safety issues. |
|
[Bodo Moeller] |
|
|
|
*) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key |
|
versions), which is now available for royalty-free use |
|
(see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). |
|
Also, add Camellia TLS ciphersuites from RFC 4132. |
|
|
|
To minimize changes between patchlevels in the OpenSSL 0.9.8 |
|
series, Camellia remains excluded from compilation unless OpenSSL |
|
is configured with 'enable-camellia'. |
|
[NTT] |
|
|
|
*) Disable the padding bug check when compression is in use. The padding |
|
bug check assumes the first packet is of even length, this is not |
|
necessarily true if compresssion is enabled and can result in false |
|
positives causing handshake failure. The actual bug test is ancient |
|
code so it is hoped that implementations will either have fixed it by |
|
now or any which still have the bug do not support compression. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.8a and 0.9.8b [04 May 2006] |
|
|
|
*) When applying a cipher rule check to see if string match is an explicit |
|
cipher suite and only match that one cipher suite if it is. |
|
[Steve Henson] |
|
|
|
*) Link in manifests for VC++ if needed. |
|
[Austin Ziegler <halostatue@gmail.com>] |
|
|
|
*) Update support for ECC-based TLS ciphersuites according to |
|
draft-ietf-tls-ecc-12.txt with proposed changes (but without |
|
TLS extensions, which are supported starting with the 0.9.9 |
|
branch, not in the OpenSSL 0.9.8 branch). |
|
[Douglas Stebila] |
|
|
|
*) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support |
|
opaque EVP_CIPHER_CTX handling. |
|
[Steve Henson] |
|
|
|
*) Fixes and enhancements to zlib compression code. We now only use |
|
"zlib1.dll" and use the default __cdecl calling convention on Win32 |
|
to conform with the standards mentioned here: |
|
http://www.zlib.net/DLL_FAQ.txt |
|
Static zlib linking now works on Windows and the new --with-zlib-include |
|
--with-zlib-lib options to Configure can be used to supply the location |
|
of the headers and library. Gracefully handle case where zlib library |
|
can't be loaded. |
|
[Steve Henson] |
|
|
|
*) Several fixes and enhancements to the OID generation code. The old code |
|
sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't |
|
handle numbers larger than ULONG_MAX, truncated printing and had a |
|
non standard OBJ_obj2txt() behaviour. |
|
[Steve Henson] |
|
|
|
*) Add support for building of engines under engine/ as shared libraries |
|
under VC++ build system. |
|
[Steve Henson] |
|
|
|
*) Corrected the numerous bugs in the Win32 path splitter in DSO. |
|
Hopefully, we will not see any false combination of paths any more. |
|
[Richard Levitte] |
|
|
|
Changes between 0.9.8 and 0.9.8a [11 Oct 2005] |
|
|
|
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING |
|
(part of SSL_OP_ALL). This option used to disable the |
|
countermeasure against man-in-the-middle protocol-version |
|
rollback in the SSL 2.0 server implementation, which is a bad |
|
idea. (CVE-2005-2969) |
|
|
|
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center |
|
for Information Security, National Institute of Advanced Industrial |
|
Science and Technology [AIST], Japan)] |
|
|
|
*) Add two function to clear and return the verify parameter flags. |
|
[Steve Henson] |
|
|
|
*) Keep cipherlists sorted in the source instead of sorting them at |
|
runtime, thus removing the need for a lock. |
|
[Nils Larsch] |
|
|
|
*) Avoid some small subgroup attacks in Diffie-Hellman. |
|
[Nick Mathewson and Ben Laurie] |
|
|
|
*) Add functions for well-known primes. |
|
[Nick Mathewson] |
|
|
|
*) Extended Windows CE support. |
|
[Satoshi Nakamura and Andy Polyakov] |
|
|
|
*) Initialize SSL_METHOD structures at compile time instead of during |
|
runtime, thus removing the need for a lock. |
|
[Steve Henson] |
|
|
|
*) Make PKCS7_decrypt() work even if no certificate is supplied by |
|
attempting to decrypt each encrypted key in turn. Add support to |
|
smime utility. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.7h and 0.9.8 [05 Jul 2005] |
|
|
|
[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after |
|
OpenSSL 0.9.8.] |
|
|
|
*) Add libcrypto.pc and libssl.pc for those who feel they need them. |
|
[Richard Levitte] |
|
|
|
*) Change CA.sh and CA.pl so they don't bundle the CSR and the private |
|
key into the same file any more. |
|
[Richard Levitte] |
|
|
|
*) Add initial support for Win64, both IA64 and AMD64/x64 flavors. |
|
[Andy Polyakov] |
|
|
|
*) Add -utf8 command line and config file option to 'ca'. |
|
[Stefan <stf@udoma.org] |
|
|
|
*) Removed the macro des_crypt(), as it seems to conflict with some |
|
libraries. Use DES_crypt(). |
|
[Richard Levitte] |
|
|
|
*) Correct naming of the 'chil' and '4758cca' ENGINEs. This |
|
involves renaming the source and generated shared-libs for |
|
both. The engines will accept the corrected or legacy ids |
|
('ncipher' and '4758_cca' respectively) when binding. NB, |
|
this only applies when building 'shared'. |
|
[Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe] |
|
|
|
*) Add attribute functions to EVP_PKEY structure. Modify |
|
PKCS12_create() to recognize a CSP name attribute and |
|
use it. Make -CSP option work again in pkcs12 utility. |
|
[Steve Henson] |
|
|
|
*) Add new functionality to the bn blinding code: |
|
- automatic re-creation of the BN_BLINDING parameters after |
|
a fixed number of uses (currently 32) |
|
- add new function for parameter creation |
|
- introduce flags to control the update behaviour of the |
|
BN_BLINDING parameters |
|
- hide BN_BLINDING structure |
|
Add a second BN_BLINDING slot to the RSA structure to improve |
|
performance when a single RSA object is shared among several |
|
threads. |
|
[Nils Larsch] |
|
|
|
*) Add support for DTLS. |
|
[Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie] |
|
|
|
*) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) |
|
to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() |
|
[Walter Goulet] |
|
|
|
*) Remove buggy and incompletet DH cert support from |
|
ssl/ssl_rsa.c and ssl/s3_both.c |
|
[Nils Larsch] |
|
|
|
*) Use SHA-1 instead of MD5 as the default digest algorithm for |
|
the apps/openssl applications. |
|
[Nils Larsch] |
|
|
|
*) Compile clean with "-Wall -Wmissing-prototypes |
|
-Wstrict-prototypes -Wmissing-declarations -Werror". Currently |
|
DEBUG_SAFESTACK must also be set. |
|
[Ben Laurie] |
|
|
|
*) Change ./Configure so that certain algorithms can be disabled by default. |
|
The new counterpiece to "no-xxx" is "enable-xxx". |
|
|
|
The patented RC5 and MDC2 algorithms will now be disabled unless |
|
"enable-rc5" and "enable-mdc2", respectively, are specified. |
|
|
|
(IDEA remains enabled despite being patented. This is because IDEA |
|
is frequently required for interoperability, and there is no license |
|
fee for non-commercial use. As before, "no-idea" can be used to |
|
avoid this algorithm.) |
|
|
|
[Bodo Moeller] |
|
|
|
*) Add processing of proxy certificates (see RFC 3820). This work was |
|
sponsored by KTH (The Royal Institute of Technology in Stockholm) and |
|
EGEE (Enabling Grids for E-science in Europe). |
|
[Richard Levitte] |
|
|
|
*) RC4 performance overhaul on modern architectures/implementations, such |
|
as Intel P4, IA-64 and AMD64. |
|
[Andy Polyakov] |
|
|
|
*) New utility extract-section.pl. This can be used specify an alternative |
|
section number in a pod file instead of having to treat each file as |
|
a separate case in Makefile. This can be done by adding two lines to the |
|
pod file: |
|
|
|
=for comment openssl_section:XXX |
|
|
|
The blank line is mandatory. |
|
|
|
[Steve Henson] |
|
|
|
*) New arguments -certform, -keyform and -pass for s_client and s_server |
|
to allow alternative format key and certificate files and passphrase |
|
sources. |
|
[Steve Henson] |
|
|
|
*) New structure X509_VERIFY_PARAM which combines current verify parameters, |
|
update associated structures and add various utility functions. |
|
|
|
Add new policy related verify parameters, include policy checking in |
|
standard verify code. Enhance 'smime' application with extra parameters |
|
to support policy checking and print out. |
|
[Steve Henson] |
|
|
|
*) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 |
|
Nehemiah processors. These extensions support AES encryption in hardware |
|
as well as RNG (though RNG support is currently disabled). |
|
[Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] |
|
|
|
*) Deprecate BN_[get|set]_params() functions (they were ignored internally). |
|
[Geoff Thorpe] |
|
|
|
*) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. |
|
[Andy Polyakov and a number of other people] |
|
|
|
*) Improved PowerPC platform support. Most notably BIGNUM assembler |
|
implementation contributed by IBM. |
|
[Suresh Chari, Peter Waltenberg, Andy Polyakov] |
|
|
|
*) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public |
|
exponent rather than 'unsigned long'. There is a corresponding change to |
|
the new 'rsa_keygen' element of the RSA_METHOD structure. |
|
[Jelte Jansen, Geoff Thorpe] |
|
|
|
*) Functionality for creating the initial serial number file is now |
|
moved from CA.pl to the 'ca' utility with a new option -create_serial. |
|
|
|
(Before OpenSSL 0.9.7e, CA.pl used to initialize the serial |
|
number file to 1, which is bound to cause problems. To avoid |
|
the problems while respecting compatibility between different 0.9.7 |
|
patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in |
|
CA.pl for serial number initialization. With the new release 0.9.8, |
|
we can fix the problem directly in the 'ca' utility.) |
|
[Steve Henson] |
|
|
|
*) Reduced header interdepencies by declaring more opaque objects in |
|
ossl_typ.h. As a consequence, including some headers (eg. engine.h) will |
|
give fewer recursive includes, which could break lazy source code - so |
|
this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, |
|
developers should define this symbol when building and using openssl to |
|
ensure they track the recommended behaviour, interfaces, [etc], but |
|
backwards-compatible behaviour prevails when this isn't defined. |
|
[Geoff Thorpe] |
|
|
|
*) New function X509_POLICY_NODE_print() which prints out policy nodes. |
|
[Steve Henson] |
|
|
|
*) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. |
|
This will generate a random key of the appropriate length based on the |
|
cipher context. The EVP_CIPHER can provide its own random key generation |
|
routine to support keys of a specific form. This is used in the des and |
|
3des routines to generate a key of the correct parity. Update S/MIME |
|
code to use new functions and hence generate correct parity DES keys. |
|
Add EVP_CHECK_DES_KEY #define to return an error if the key is not |
|
valid (weak or incorrect parity). |
|
[Steve Henson] |
|
|
|
*) Add a local set of CRLs that can be used by X509_verify_cert() as well |
|
as looking them up. This is useful when the verified structure may contain |
|
CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs |
|
present unless the new PKCS7_NO_CRL flag is asserted. |
|
[Steve Henson] |
|
|
|
*) Extend ASN1 oid configuration module. It now additionally accepts the |
|
syntax: |
|
|
|
shortName = some long name, 1.2.3.4 |
|
[Steve Henson] |
|
|
|
*) Reimplemented the BN_CTX implementation. There is now no more static |
|
limitation on the number of variables it can handle nor the depth of the |
|
"stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack |
|
information can now expand as required, and rather than having a single |
|
static array of bignums, BN_CTX now uses a linked-list of such arrays |
|
allowing it to expand on demand whilst maintaining the usefulness of |
|
BN_CTX's "bundling". |
|
[Geoff Thorpe] |
|
|
|
*) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD |
|
to allow all RSA operations to function using a single BN_CTX. |
|
[Geoff Thorpe] |
|
|
|
*) Preliminary support for certificate policy evaluation and checking. This |
|
is initially intended to pass the tests outlined in "Conformance Testing |
|
of Relying Party Client Certificate Path Processing Logic" v1.07. |
|
[Steve Henson] |
|
|
|
*) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and |
|
remained unused and not that useful. A variety of other little bignum |
|
tweaks and fixes have also been made continuing on from the audit (see |
|
below). |
|
[Geoff Thorpe] |
|
|
|
*) Constify all or almost all d2i, c2i, s2i and r2i functions, along with |
|
associated ASN1, EVP and SSL functions and old ASN1 macros. |
|
[Richard Levitte] |
|
|
|
*) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, |
|
and this should never fail. So the return value from the use of |
|
BN_set_word() (which can fail due to needless expansion) is now deprecated; |
|
if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. |
|
[Geoff Thorpe] |
|
|
|
*) BN_CTX_get() should return zero-valued bignums, providing the same |
|
initialised value as BN_new(). |
|
[Geoff Thorpe, suggested by Ulf Möller] |
|
|
|
*) Support for inhibitAnyPolicy certificate extension. |
|
[Steve Henson] |
|
|
|
*) An audit of the BIGNUM code is underway, for which debugging code is |
|
enabled when BN_DEBUG is defined. This makes stricter enforcements on what |
|
is considered valid when processing BIGNUMs, and causes execution to |
|
assert() when a problem is discovered. If BN_DEBUG_RAND is defined, |
|
further steps are taken to deliberately pollute unused data in BIGNUM |
|
structures to try and expose faulty code further on. For now, openssl will |
|
(in its default mode of operation) continue to tolerate the inconsistent |
|
forms that it has tolerated in the past, but authors and packagers should |
|
consider trying openssl and their own applications when compiled with |
|
these debugging symbols defined. It will help highlight potential bugs in |
|
their own code, and will improve the test coverage for OpenSSL itself. At |
|
some point, these tighter rules will become openssl's default to improve |
|
maintainability, though the assert()s and other overheads will remain only |
|
in debugging configurations. See bn.h for more details. |
|
[Geoff Thorpe, Nils Larsch, Ulf Möller] |
|
|
|
*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure |
|
that can only be obtained through BN_CTX_new() (which implicitly |
|
initialises it). The presence of this function only made it possible |
|
to overwrite an existing structure (and cause memory leaks). |
|
[Geoff Thorpe] |
|
|
|
*) Because of the callback-based approach for implementing LHASH as a |
|
template type, lh_insert() adds opaque objects to hash-tables and |
|
lh_doall() or lh_doall_arg() are typically used with a destructor callback |
|
to clean up those corresponding objects before destroying the hash table |
|
(and losing the object pointers). So some over-zealous constifications in |
|
LHASH have been relaxed so that lh_insert() does not take (nor store) the |
|
objects as "const" and the lh_doall[_arg] callback wrappers are not |
|
prototyped to have "const" restrictions on the object pointers they are |
|
given (and so aren't required to cast them away any more). |
|
[Geoff Thorpe] |
|
|
|
*) The tmdiff.h API was so ugly and minimal that our own timing utility |
|
(speed) prefers to use its own implementation. The two implementations |
|
haven't been consolidated as yet (volunteers?) but the tmdiff API has had |
|
its object type properly exposed (MS_TM) instead of casting to/from "char |
|
*". This may still change yet if someone realises MS_TM and "ms_time_***" |
|
aren't necessarily the greatest nomenclatures - but this is what was used |
|
internally to the implementation so I've used that for now. |
|
[Geoff Thorpe] |
|
|
|
*) Ensure that deprecated functions do not get compiled when |
|
OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of |
|
the self-tests were still using deprecated key-generation functions so |
|
these have been updated also. |
|
[Geoff Thorpe] |
|
|
|
*) Reorganise PKCS#7 code to separate the digest location functionality |
|
into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest(). |
|
New function PKCS7_set_digest() to set the digest type for PKCS#7 |
|
digestedData type. Add additional code to correctly generate the |
|
digestedData type and add support for this type in PKCS7 initialization |
|
functions. |
|
[Steve Henson] |
|
|
|
*) New function PKCS7_set0_type_other() this initializes a PKCS7 |
|
structure of type "other". |
|
[Steve Henson] |
|
|
|
*) Fix prime generation loop in crypto/bn/bn_prime.pl by making |
|
sure the loop does correctly stop and breaking ("division by zero") |
|
modulus operations are not performed. The (pre-generated) prime |
|
table crypto/bn/bn_prime.h was already correct, but it could not be |
|
re-generated on some platforms because of the "division by zero" |
|
situation in the script. |
|
[Ralf S. Engelschall] |
|
|
|
*) Update support for ECC-based TLS ciphersuites according to |
|
draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with |
|
SHA-1 now is only used for "small" curves (where the |
|
representation of a field element takes up to 24 bytes); for |
|
larger curves, the field element resulting from ECDH is directly |
|
used as premaster secret. |
|
[Douglas Stebila (Sun Microsystems Laboratories)] |
|
|
|
*) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2 |
|
curve secp160r1 to the tests. |
|
[Douglas Stebila (Sun Microsystems Laboratories)] |
|
|
|
*) Add the possibility to load symbols globally with DSO. |
|
[Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte] |
|
|
|
*) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better |
|
control of the error stack. |
|
[Richard Levitte] |
|
|
|
*) Add support for STORE in ENGINE. |
|
[Richard Levitte] |
|
|
|
*) Add the STORE type. The intention is to provide a common interface |
|
to certificate and key stores, be they simple file-based stores, or |
|
HSM-type store, or LDAP stores, or... |
|
NOTE: The code is currently UNTESTED and isn't really used anywhere. |
|
[Richard Levitte] |
|
|
|
*) Add a generic structure called OPENSSL_ITEM. This can be used to |
|
pass a list of arguments to any function as well as provide a way |
|
for a function to pass data back to the caller. |
|
[Richard Levitte] |
|
|
|
*) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup() |
|
works like BUF_strdup() but can be used to duplicate a portion of |
|
a string. The copy gets NUL-terminated. BUF_memdup() duplicates |
|
a memory area. |
|
[Richard Levitte] |
|
|
|
*) Add the function sk_find_ex() which works like sk_find(), but will |
|
return an index to an element even if an exact match couldn't be |
|
found. The index is guaranteed to point at the element where the |
|
searched-for key would be inserted to preserve sorting order. |
|
[Richard Levitte] |
|
|
|
*) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but |
|
takes an extra flags argument for optional functionality. Currently, |
|
the following flags are defined: |
|
|
|
OBJ_BSEARCH_VALUE_ON_NOMATCH |
|
This one gets OBJ_bsearch_ex() to return a pointer to the first |
|
element where the comparing function returns a negative or zero |
|
number. |
|
|
|
OBJ_BSEARCH_FIRST_VALUE_ON_MATCH |
|
This one gets OBJ_bsearch_ex() to return a pointer to the first |
|
element where the comparing function returns zero. This is useful |
|
if there are more than one element where the comparing function |
|
returns zero. |
|
[Richard Levitte] |
|
|
|
*) Make it possible to create self-signed certificates with 'openssl ca' |
|
in such a way that the self-signed certificate becomes part of the |
|
CA database and uses the same mechanisms for serial number generation |
|
as all other certificate signing. The new flag '-selfsign' enables |
|
this functionality. Adapt CA.sh and CA.pl.in. |
|
[Richard Levitte] |
|
|
|
*) Add functionality to check the public key of a certificate request |
|
against a given private. This is useful to check that a certificate |
|
request can be signed by that key (self-signing). |
|
[Richard Levitte] |
|
|
|
*) Make it possible to have multiple active certificates with the same |
|
subject in the CA index file. This is done only if the keyword |
|
'unique_subject' is set to 'no' in the main CA section (default |
|
if 'CA_default') of the configuration file. The value is saved |
|
with the database itself in a separate index attribute file, |
|
named like the index file with '.attr' appended to the name. |
|
[Richard Levitte] |
|
|
|
*) Generate muti valued AVAs using '+' notation in config files for |
|
req and dirName. |
|
[Steve Henson] |
|
|
|
*) Support for nameConstraints certificate extension. |
|
[Steve Henson] |
|
|
|
*) Support for policyConstraints certificate extension. |
|
[Steve Henson] |
|
|
|
*) Support for policyMappings certificate extension. |
|
[Steve Henson] |
|
|
|
*) Make sure the default DSA_METHOD implementation only uses its |
|
dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, |
|
and change its own handlers to be NULL so as to remove unnecessary |
|
indirection. This lets alternative implementations fallback to the |
|
default implementation more easily. |
|
[Geoff Thorpe] |
|
|
|
*) Support for directoryName in GeneralName related extensions |
|
in config files. |
|
[Steve Henson] |
|
|
|
*) Make it possible to link applications using Makefile.shared. |
|
Make that possible even when linking against static libraries! |
|
[Richard Levitte] |
|
|
|
*) Support for single pass processing for S/MIME signing. This now |
|
means that S/MIME signing can be done from a pipe, in addition |
|
cleartext signing (multipart/signed type) is effectively streaming |
|
and the signed data does not need to be all held in memory. |
|
|
|
This is done with a new flag PKCS7_STREAM. When this flag is set |
|
PKCS7_sign() only initializes the PKCS7 structure and the actual signing |
|
is done after the data is output (and digests calculated) in |
|
SMIME_write_PKCS7(). |
|
[Steve Henson] |
|
|
|
*) Add full support for -rpath/-R, both in shared libraries and |
|
applications, at least on the platforms where it's known how |
|
to do it. |
|
[Richard Levitte] |
|
|
|
*) In crypto/ec/ec_mult.c, implement fast point multiplication with |
|
precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() |
|
will now compute a table of multiples of the generator that |
|
makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() |
|
faster (notably in the case of a single point multiplication, |
|
scalar * generator). |
|
[Nils Larsch, Bodo Moeller] |
|
|
|
*) IPv6 support for certificate extensions. The various extensions |
|
which use the IP:a.b.c.d can now take IPv6 addresses using the |
|
formats of RFC1884 2.2 . IPv6 addresses are now also displayed |
|
correctly. |
|
[Steve Henson] |
|
|
|
*) Added an ENGINE that implements RSA by performing private key |
|
exponentiations with the GMP library. The conversions to and from |
|
GMP's mpz_t format aren't optimised nor are any montgomery forms |
|
cached, and on x86 it appears OpenSSL's own performance has caught up. |
|
However there are likely to be other architectures where GMP could |
|
provide a boost. This ENGINE is not built in by default, but it can be |
|
specified at Configure time and should be accompanied by the necessary |
|
linker additions, eg; |
|
./config -DOPENSSL_USE_GMP -lgmp |
|
[Geoff Thorpe] |
|
|
|
*) "openssl engine" will not display ENGINE/DSO load failure errors when |
|
testing availability of engines with "-t" - the old behaviour is |
|
produced by increasing the feature's verbosity with "-tt". |
|
[Geoff Thorpe] |
|
|
|
*) ECDSA routines: under certain error conditions uninitialized BN objects |
|
could be freed. Solution: make sure initialization is performed early |
|
enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de> |
|
via PR#459) |
|
[Lutz Jaenicke] |
|
|
|
*) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD |
|
and DH_METHOD (eg. by ENGINE implementations) to override the normal |
|
software implementations. For DSA and DH, parameter generation can |
|
also be overriden by providing the appropriate method callbacks. |
|
[Geoff Thorpe] |
|
|
|
*) Change the "progress" mechanism used in key-generation and |
|
primality testing to functions that take a new BN_GENCB pointer in |
|
place of callback/argument pairs. The new API functions have "_ex" |
|
postfixes and the older functions are reimplemented as wrappers for |
|
the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide |
|
declarations of the old functions to help (graceful) attempts to |
|
migrate to the new functions. Also, the new key-generation API |
|
functions operate on a caller-supplied key-structure and return |
|
success/failure rather than returning a key or NULL - this is to |
|
help make "keygen" another member function of RSA_METHOD etc. |
|
|
|
Example for using the new callback interface: |
|
|
|
int (*my_callback)(int a, int b, BN_GENCB *cb) = ...; |
|
void *my_arg = ...; |
|
BN_GENCB my_cb; |
|
|
|
BN_GENCB_set(&my_cb, my_callback, my_arg); |
|
|
|
return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb); |
|
/* For the meaning of a, b in calls to my_callback(), see the |
|
* documentation of the function that calls the callback. |
|
* cb will point to my_cb; my_arg can be retrieved as cb->arg. |
|
* my_callback should return 1 if it wants BN_is_prime_ex() |
|
* to continue, or 0 to stop. |
|
*/ |
|
|
|
[Geoff Thorpe] |
|
|
|
*) Change the ZLIB compression method to be stateful, and make it |
|
available to TLS with the number defined in |
|
draft-ietf-tls-compression-04.txt. |
|
[Richard Levitte] |
|
|
|
*) Add the ASN.1 structures and functions for CertificatePair, which |
|
is defined as follows (according to X.509_4thEditionDraftV6.pdf): |
|
|
|
CertificatePair ::= SEQUENCE { |
|
forward [0] Certificate OPTIONAL, |
|
reverse [1] Certificate OPTIONAL, |
|
-- at least one of the pair shall be present -- } |
|
|
|
Also implement the PEM functions to read and write certificate |
|
pairs, and defined the PEM tag as "CERTIFICATE PAIR". |
|
|
|
This needed to be defined, mostly for the sake of the LDAP |
|
attribute crossCertificatePair, but may prove useful elsewhere as |
|
well. |
|
[Richard Levitte] |
|
|
|
*) Make it possible to inhibit symlinking of shared libraries in |
|
Makefile.shared, for Cygwin's sake. |
|
[Richard Levitte] |
|
|
|
*) Extend the BIGNUM API by creating a function |
|
void BN_set_negative(BIGNUM *a, int neg); |
|
and a macro that behave like |
|
int BN_is_negative(const BIGNUM *a); |
|
|
|
to avoid the need to access 'a->neg' directly in applications. |
|
[Nils Larsch] |
|
|
|
*) Implement fast modular reduction for pseudo-Mersenne primes |
|
used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). |
|
EC_GROUP_new_curve_GFp() will now automatically use this |
|
if applicable. |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Add new lock type (CRYPTO_LOCK_BN). |
|
[Bodo Moeller] |
|
|
|
*) Change the ENGINE framework to automatically load engines |
|
dynamically from specific directories unless they could be |
|
found to already be built in or loaded. Move all the |
|
current engines except for the cryptodev one to a new |
|
directory engines/. |
|
The engines in engines/ are built as shared libraries if |
|
the "shared" options was given to ./Configure or ./config. |
|
Otherwise, they are inserted in libcrypto.a. |
|
/usr/local/ssl/engines is the default directory for dynamic |
|
engines, but that can be overriden at configure time through |
|
the usual use of --prefix and/or --openssldir, and at run |
|
time with the environment variable OPENSSL_ENGINES. |
|
[Geoff Thorpe and Richard Levitte] |
|
|
|
*) Add Makefile.shared, a helper makefile to build shared |
|
libraries. Addapt Makefile.org. |
|
[Richard Levitte] |
|
|
|
*) Add version info to Win32 DLLs. |
|
[Peter 'Luna' Runestig" <peter@runestig.com>] |
|
|
|
*) Add new 'medium level' PKCS#12 API. Certificates and keys |
|
can be added using this API to created arbitrary PKCS#12 |
|
files while avoiding the low level API. |
|
|
|
New options to PKCS12_create(), key or cert can be NULL and |
|
will then be omitted from the output file. The encryption |
|
algorithm NIDs can be set to -1 for no encryption, the mac |
|
iteration count can be set to 0 to omit the mac. |
|
|
|
Enhance pkcs12 utility by making the -nokeys and -nocerts |
|
options work when creating a PKCS#12 file. New option -nomac |
|
to omit the mac, NONE can be set for an encryption algorithm. |
|
New code is modified to use the enhanced PKCS12_create() |
|
instead of the low level API. |
|
[Steve Henson] |
|
|
|
*) Extend ASN1 encoder to support indefinite length constructed |
|
encoding. This can output sequences tags and octet strings in |
|
this form. Modify pk7_asn1.c to support indefinite length |
|
encoding. This is experimental and needs additional code to |
|
be useful, such as an ASN1 bio and some enhanced streaming |
|
PKCS#7 code. |
|
|
|
Extend template encode functionality so that tagging is passed |
|
down to the template encoder. |
|
[Steve Henson] |
|
|
|
*) Let 'openssl req' fail if an argument to '-newkey' is not |
|
recognized instead of using RSA as a default. |
|
[Bodo Moeller] |
|
|
|
*) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt. |
|
As these are not official, they are not included in "ALL"; |
|
the "ECCdraft" ciphersuite group alias can be used to select them. |
|
[Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)] |
|
|
|
*) Add ECDH engine support. |
|
[Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)] |
|
|
|
*) Add ECDH in new directory crypto/ecdh/. |
|
[Douglas Stebila (Sun Microsystems Laboratories)] |
|
|
|
*) Let BN_rand_range() abort with an error after 100 iterations |
|
without success (which indicates a broken PRNG). |
|
[Bodo Moeller] |
|
|
|
*) Change BN_mod_sqrt() so that it verifies that the input value |
|
is really the square of the return value. (Previously, |
|
BN_mod_sqrt would show GIGO behaviour.) |
|
[Bodo Moeller] |
|
|
|
*) Add named elliptic curves over binary fields from X9.62, SECG, |
|
and WAP/WTLS; add OIDs that were still missing. |
|
|
|
[Sheueling Chang Shantz and Douglas Stebila |
|
(Sun Microsystems Laboratories)] |
|
|
|
*) Extend the EC library for elliptic curves over binary fields |
|
(new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/). |
|
New EC_METHOD: |
|
|
|
EC_GF2m_simple_method |
|
|
|
New API functions: |
|
|
|
EC_GROUP_new_curve_GF2m |
|
EC_GROUP_set_curve_GF2m |
|
EC_GROUP_get_curve_GF2m |
|
EC_POINT_set_affine_coordinates_GF2m |
|
EC_POINT_get_affine_coordinates_GF2m |
|
EC_POINT_set_compressed_coordinates_GF2m |
|
|
|
Point compression for binary fields is disabled by default for |
|
patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to |
|
enable it). |
|
|
|
As binary polynomials are represented as BIGNUMs, various members |
|
of the EC_GROUP and EC_POINT data structures can be shared |
|
between the implementations for prime fields and binary fields; |
|
the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m) |
|
are essentially identical to their ..._GFp counterparts. |
|
(For simplicity, the '..._GFp' prefix has been dropped from |
|
various internal method names.) |
|
|
|
An internal 'field_div' method (similar to 'field_mul' and |
|
'field_sqr') has been added; this is used only for binary fields. |
|
|
|
[Sheueling Chang Shantz and Douglas Stebila |
|
(Sun Microsystems Laboratories)] |
|
|
|
*) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult() |
|
through methods ('mul', 'precompute_mult'). |
|
|
|
The generic implementations (now internally called 'ec_wNAF_mul' |
|
and 'ec_wNAF_precomputed_mult') remain the default if these |
|
methods are undefined. |
|
|
|
[Sheueling Chang Shantz and Douglas Stebila |
|
(Sun Microsystems Laboratories)] |
|
|
|
*) New function EC_GROUP_get_degree, which is defined through |
|
EC_METHOD. For curves over prime fields, this returns the bit |
|
length of the modulus. |
|
|
|
[Sheueling Chang Shantz and Douglas Stebila |
|
(Sun Microsystems Laboratories)] |
|
|
|
*) New functions EC_GROUP_dup, EC_POINT_dup. |
|
(These simply call ..._new and ..._copy). |
|
|
|
[Sheueling Chang Shantz and Douglas Stebila |
|
(Sun Microsystems Laboratories)] |
|
|
|
*) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. |
|
Polynomials are represented as BIGNUMs (where the sign bit is not |
|
used) in the following functions [macros]: |
|
|
|
BN_GF2m_add |
|
BN_GF2m_sub [= BN_GF2m_add] |
|
BN_GF2m_mod [wrapper for BN_GF2m_mod_arr] |
|
BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr] |
|
BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr] |
|
BN_GF2m_mod_inv |
|
BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr] |
|
BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr] |
|
BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr] |
|
BN_GF2m_cmp [= BN_ucmp] |
|
|
|
(Note that only the 'mod' functions are actually for fields GF(2^m). |
|
BN_GF2m_add() is misnomer, but this is for the sake of consistency.) |
|
|
|
For some functions, an the irreducible polynomial defining a |
|
field can be given as an 'unsigned int[]' with strictly |
|
decreasing elements giving the indices of those bits that are set; |
|
i.e., p[] represents the polynomial |
|
f(t) = t^p[0] + t^p[1] + ... + t^p[k] |
|
where |
|
p[0] > p[1] > ... > p[k] = 0. |
|
This applies to the following functions: |
|
|
|
BN_GF2m_mod_arr |
|
BN_GF2m_mod_mul_arr |
|
BN_GF2m_mod_sqr_arr |
|
BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv] |
|
BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div] |
|
BN_GF2m_mod_exp_arr |
|
BN_GF2m_mod_sqrt_arr |
|
BN_GF2m_mod_solve_quad_arr |
|
BN_GF2m_poly2arr |
|
BN_GF2m_arr2poly |
|
|
|
Conversion can be performed by the following functions: |
|
|
|
BN_GF2m_poly2arr |
|
BN_GF2m_arr2poly |
|
|
|
bntest.c has additional tests for binary polynomial arithmetic. |
|
|
|
Two implementations for BN_GF2m_mod_div() are available. |
|
The default algorithm simply uses BN_GF2m_mod_inv() and |
|
BN_GF2m_mod_mul(). The alternative algorithm is compiled in only |
|
if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the |
|
copyright notice in crypto/bn/bn_gf2m.c before enabling it). |
|
|
|
[Sheueling Chang Shantz and Douglas Stebila |
|
(Sun Microsystems Laboratories)] |
|
|
|
*) Add new error code 'ERR_R_DISABLED' that can be used when some |
|
functionality is disabled at compile-time. |
|
[Douglas Stebila <douglas.stebila@sun.com>] |
|
|
|
*) Change default behaviour of 'openssl asn1parse' so that more |
|
information is visible when viewing, e.g., a certificate: |
|
|
|
Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump' |
|
mode the content of non-printable OCTET STRINGs is output in a |
|
style similar to INTEGERs, but with '[HEX DUMP]' prepended to |
|
avoid the appearance of a printable string. |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access |
|
functions |
|
EC_GROUP_set_asn1_flag() |
|
EC_GROUP_get_asn1_flag() |
|
EC_GROUP_set_point_conversion_form() |
|
EC_GROUP_get_point_conversion_form() |
|
These control ASN1 encoding details: |
|
- Curves (i.e., groups) are encoded explicitly unless asn1_flag |
|
has been set to OPENSSL_EC_NAMED_CURVE. |
|
- Points are encoded in uncompressed form by default; options for |
|
asn1_for are as for point2oct, namely |
|
POINT_CONVERSION_COMPRESSED |
|
POINT_CONVERSION_UNCOMPRESSED |
|
POINT_CONVERSION_HYBRID |
|
|
|
Also add 'seed' and 'seed_len' members to EC_GROUP with access |
|
functions |
|
EC_GROUP_set_seed() |
|
EC_GROUP_get0_seed() |
|
EC_GROUP_get_seed_len() |
|
This is used only for ASN1 purposes (so far). |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Add 'field_type' member to EC_METHOD, which holds the NID |
|
of the appropriate field type OID. The new function |
|
EC_METHOD_get_field_type() returns this value. |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Add functions |
|
EC_POINT_point2bn() |
|
EC_POINT_bn2point() |
|
EC_POINT_point2hex() |
|
EC_POINT_hex2point() |
|
providing useful interfaces to EC_POINT_point2oct() and |
|
EC_POINT_oct2point(). |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Change internals of the EC library so that the functions |
|
EC_GROUP_set_generator() |
|
EC_GROUP_get_generator() |
|
EC_GROUP_get_order() |
|
EC_GROUP_get_cofactor() |
|
are implemented directly in crypto/ec/ec_lib.c and not dispatched |
|
to methods, which would lead to unnecessary code duplication when |
|
adding different types of curves. |
|
[Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller] |
|
|
|
*) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM |
|
arithmetic, and such that modified wNAFs are generated |
|
(which avoid length expansion in many cases). |
|
[Bodo Moeller] |
|
|
|
*) Add a function EC_GROUP_check_discriminant() (defined via |
|
EC_METHOD) that verifies that the curve discriminant is non-zero. |
|
|
|
Add a function EC_GROUP_check() that makes some sanity tests |
|
on a EC_GROUP, its generator and order. This includes |
|
EC_GROUP_check_discriminant(). |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Add ECDSA in new directory crypto/ecdsa/. |
|
|
|
Add applications 'openssl ecparam' and 'openssl ecdsa' |
|
(these are based on 'openssl dsaparam' and 'openssl dsa'). |
|
|
|
ECDSA support is also included in various other files across the |
|
library. Most notably, |
|
- 'openssl req' now has a '-newkey ecdsa:file' option; |
|
- EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA; |
|
- X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and |
|
d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make |
|
them suitable for ECDSA where domain parameters must be |
|
extracted before the specific public key; |
|
- ECDSA engine support has been added. |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Include some named elliptic curves, and add OIDs from X9.62, |
|
SECG, and WAP/WTLS. Each curve can be obtained from the new |
|
function |
|
EC_GROUP_new_by_curve_name(), |
|
and the list of available named curves can be obtained with |
|
EC_get_builtin_curves(). |
|
Also add a 'curve_name' member to EC_GROUP objects, which can be |
|
accessed via |
|
EC_GROUP_set_curve_name() |
|
EC_GROUP_get_curve_name() |
|
[Nils Larsch <larsch@trustcenter.de, Bodo Moeller] |
|
|
|
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there |
|
was actually never needed) and in BN_mul(). The removal in BN_mul() |
|
required a small change in bn_mul_part_recursive() and the addition |
|
of the functions bn_cmp_part_words(), bn_sub_part_words() and |
|
bn_add_part_words(), which do the same thing as bn_cmp_words(), |
|
bn_sub_words() and bn_add_words() except they take arrays with |
|
differing sizes. |
|
[Richard Levitte] |
|
|
|
Changes between 0.9.7l and 0.9.7m [23 Feb 2007] |
|
|
|
*) Cleanse PEM buffers before freeing them since they may contain |
|
sensitive data. |
|
[Benjamin Bennett <ben@psc.edu>] |
|
|
|
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that |
|
a ciphersuite string such as "DEFAULT:RSA" cannot enable |
|
authentication-only ciphersuites. |
|
[Bodo Moeller] |
|
|
|
*) Since AES128 and AES256 share a single mask bit in the logic of |
|
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a |
|
kludge to work properly if AES128 is available and AES256 isn't. |
|
[Victor Duchovni] |
|
|
|
*) Expand security boundary to match 1.1.1 module. |
|
[Steve Henson] |
|
|
|
*) Remove redundant features: hash file source, editing of test vectors |
|
modify fipsld to use external fips_premain.c signature. |
|
[Steve Henson] |
|
|
|
*) New perl script mkfipsscr.pl to create shell scripts or batch files to |
|
run algorithm test programs. |
|
[Steve Henson] |
|
|
|
*) Make algorithm test programs more tolerant of whitespace. |
|
[Steve Henson] |
|
|
|
*) Have SSL/TLS server implementation tolerate "mismatched" record |
|
protocol version while receiving ClientHello even if the |
|
ClientHello is fragmented. (The server can't insist on the |
|
particular protocol version it has chosen before the ServerHello |
|
message has informed the client about his choice.) |
|
[Bodo Moeller] |
|
|
|
*) Load error codes if they are not already present instead of using a |
|
static variable. This allows them to be cleanly unloaded and reloaded. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.7k and 0.9.7l [28 Sep 2006] |
|
|
|
*) Introduce limits to prevent malicious keys being able to |
|
cause a denial of service. (CVE-2006-2940) |
|
[Steve Henson, Bodo Moeller] |
|
|
|
*) Fix ASN.1 parsing of certain invalid structures that can result |
|
in a denial of service. (CVE-2006-2937) [Steve Henson] |
|
|
|
*) Fix buffer overflow in SSL_get_shared_ciphers() function. |
|
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] |
|
|
|
*) Fix SSL client code which could crash if connecting to a |
|
malicious SSLv2 server. (CVE-2006-4343) |
|
[Tavis Ormandy and Will Drewry, Google Security Team] |
|
|
|
*) Change ciphersuite string processing so that an explicit |
|
ciphersuite selects this one ciphersuite (so that "AES256-SHA" |
|
will no longer include "AES128-SHA"), and any other similar |
|
ciphersuite (same bitmap) from *other* protocol versions (so that |
|
"RC4-MD5" will still include both the SSL 2.0 ciphersuite and the |
|
SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining |
|
changes from 0.9.8b and 0.9.8d. |
|
[Bodo Moeller] |
|
|
|
Changes between 0.9.7j and 0.9.7k [05 Sep 2006] |
|
|
|
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher |
|
(CVE-2006-4339) [Ben Laurie and Google Security Team] |
|
|
|
*) Change the Unix randomness entropy gathering to use poll() when |
|
possible instead of select(), since the latter has some |
|
undesirable limitations. |
|
[Darryl Miles via Richard Levitte and Bodo Moeller] |
|
|
|
*) Disable rogue ciphersuites: |
|
|
|
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") |
|
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") |
|
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") |
|
|
|
The latter two were purportedly from |
|
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really |
|
appear there. |
|
|
|
Also deactive the remaining ciphersuites from |
|
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as |
|
unofficial, and the ID has long expired. |
|
[Bodo Moeller] |
|
|
|
*) Fix RSA blinding Heisenbug (problems sometimes occured on |
|
dual-core machines) and other potential thread-safety issues. |
|
[Bodo Moeller] |
|
|
|
Changes between 0.9.7i and 0.9.7j [04 May 2006] |
|
|
|
*) Adapt fipsld and the build system to link against the validated FIPS |
|
module in FIPS mode. |
|
[Steve Henson] |
|
|
|
*) Fixes for VC++ 2005 build under Windows. |
|
[Steve Henson] |
|
|
|
*) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make |
|
from a Windows bash shell such as MSYS. It is autodetected from the |
|
"config" script when run from a VC++ environment. Modify standard VC++ |
|
build to use fipscanister.o from the GNU make build. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.7h and 0.9.7i [14 Oct 2005] |
|
|
|
*) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS. |
|
The value now differs depending on if you build for FIPS or not. |
|
BEWARE! A program linked with a shared FIPSed libcrypto can't be |
|
safely run with a non-FIPSed libcrypto, as it may crash because of |
|
the difference induced by this change. |
|
[Andy Polyakov] |
|
|
|
Changes between 0.9.7g and 0.9.7h [11 Oct 2005] |
|
|
|
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING |
|
(part of SSL_OP_ALL). This option used to disable the |
|
countermeasure against man-in-the-middle protocol-version |
|
rollback in the SSL 2.0 server implementation, which is a bad |
|
idea. (CVE-2005-2969) |
|
|
|
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center |
|
for Information Security, National Institute of Advanced Industrial |
|
Science and Technology [AIST], Japan)] |
|
|
|
*) Minimal support for X9.31 signatures and PSS padding modes. This is |
|
mainly for FIPS compliance and not fully integrated at this stage. |
|
[Steve Henson] |
|
|
|
*) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform |
|
the exponentiation using a fixed-length exponent. (Otherwise, |
|
the information leaked through timing could expose the secret key |
|
after many signatures; cf. Bleichenbacher's attack on DSA with |
|
biased k.) |
|
[Bodo Moeller] |
|
|
|
*) Make a new fixed-window mod_exp implementation the default for |
|
RSA, DSA, and DH private-key operations so that the sequence of |
|
squares and multiplies and the memory access pattern are |
|
independent of the particular secret key. This will mitigate |
|
cache-timing and potential related attacks. |
|
|
|
BN_mod_exp_mont_consttime() is the new exponentiation implementation, |
|
and this is automatically used by BN_mod_exp_mont() if the new flag |
|
BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH |
|
will use this BN flag for private exponents unless the flag |
|
RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or |
|
DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. |
|
|
|
[Matthew D Wood (Intel Corp), with some changes by Bodo Moeller] |
|
|
|
*) Change the client implementation for SSLv23_method() and |
|
SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0 |
|
Client Hello message format if the SSL_OP_NO_SSLv2 option is set. |
|
(Previously, the SSL 2.0 backwards compatible Client Hello |
|
message format would be used even with SSL_OP_NO_SSLv2.) |
|
[Bodo Moeller] |
|
|
|
*) Add support for smime-type MIME parameter in S/MIME messages which some |
|
clients need. |
|
[Steve Henson] |
|
|
|
*) New function BN_MONT_CTX_set_locked() to set montgomery parameters in |
|
a threadsafe manner. Modify rsa code to use new function and add calls |
|
to dsa and dh code (which had race conditions before). |
|
[Steve Henson] |
|
|
|
*) Include the fixed error library code in the C error file definitions |
|
instead of fixing them up at runtime. This keeps the error code |
|
structures constant. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.7f and 0.9.7g [11 Apr 2005] |
|
|
|
[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after |
|
OpenSSL 0.9.8.] |
|
|
|
*) Fixes for newer kerberos headers. NB: the casts are needed because |
|
the 'length' field is signed on one version and unsigned on another |
|
with no (?) obvious way to tell the difference, without these VC++ |
|
complains. Also the "definition" of FAR (blank) is no longer included |
|
nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up |
|
some needed definitions. |
|
[Steve Henson] |
|
|
|
*) Undo Cygwin change. |
|
[Ulf Möller] |
|
|
|
*) Added support for proxy certificates according to RFC 3820. |
|
Because they may be a security thread to unaware applications, |
|
they must be explicitely allowed in run-time. See |
|
docs/HOWTO/proxy_certificates.txt for further information. |
|
[Richard Levitte] |
|
|
|
Changes between 0.9.7e and 0.9.7f [22 Mar 2005] |
|
|
|
*) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating |
|
server and client random values. Previously |
|
(SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in |
|
less random data when sizeof(time_t) > 4 (some 64 bit platforms). |
|
|
|
This change has negligible security impact because: |
|
|
|
1. Server and client random values still have 24 bytes of pseudo random |
|
data. |
|
|
|
2. Server and client random values are sent in the clear in the initial |
|
handshake. |
|
|
|
3. The master secret is derived using the premaster secret (48 bytes in |
|
size for static RSA ciphersuites) as well as client server and random |
|
values. |
|
|
|
The OpenSSL team would like to thank the UK NISCC for bringing this issue |
|
to our attention. |
|
|
|
[Stephen Henson, reported by UK NISCC] |
|
|
|
*) Use Windows randomness collection on Cygwin. |
|
[Ulf Möller] |
|
|
|
*) Fix hang in EGD/PRNGD query when communication socket is closed |
|
prematurely by EGD/PRNGD. |
|
[Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014] |
|
|
|
*) Prompt for pass phrases when appropriate for PKCS12 input format. |
|
[Steve Henson] |
|
|
|
*) Back-port of selected performance improvements from development |
|
branch, as well as improved support for PowerPC platforms. |
|
[Andy Polyakov] |
|
|
|
*) Add lots of checks for memory allocation failure, error codes to indicate |
|
failure and freeing up memory if a failure occurs. |
|
[Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson] |
|
|
|
*) Add new -passin argument to dgst. |
|
[Steve Henson] |
|
|
|
*) Perform some character comparisons of different types in X509_NAME_cmp: |
|
this is needed for some certificates that reencode DNs into UTF8Strings |
|
(in violation of RFC3280) and can't or wont issue name rollover |
|
certificates. |
|
[Steve Henson] |
|
|
|
*) Make an explicit check during certificate validation to see that |
|
the CA setting in each certificate on the chain is correct. As a |
|
side effect always do the following basic checks on extensions, |
|
not just when there's an associated purpose to the check: |
|
|
|
- if there is an unhandled critical extension (unless the user |
|
has chosen to ignore this fault) |
|
- if the path length has been exceeded (if one is set at all) |
|
- that certain extensions fit the associated purpose (if one has |
|
been given) |
|
[Richard Levitte] |
|
|
|
Changes between 0.9.7d and 0.9.7e [25 Oct 2004] |
|
|
|
*) Avoid a race condition when CRLs are checked in a multi threaded |
|
environment. This would happen due to the reordering of the revoked |
|
entries during signature checking and serial number lookup. Now the |
|
encoding is cached and the serial number sort performed under a lock. |
|
Add new STACK function sk_is_sorted(). |
|
[Steve Henson] |
|
|
|
*) Add Delta CRL to the extension code. |
|
[Steve Henson] |
|
|
|
*) Various fixes to s3_pkt.c so alerts are sent properly. |
|
[David Holmes <d.holmes@f5.com>] |
|
|
|
*) Reduce the chances of duplicate issuer name and serial numbers (in |
|
violation of RFC3280) using the OpenSSL certificate creation utilities. |
|
This is done by creating a random 64 bit value for the initial serial |
|
number when a serial number file is created or when a self signed |
|
certificate is created using 'openssl req -x509'. The initial serial |
|
number file is created using 'openssl x509 -next_serial' in CA.pl |
|
rather than being initialized to 1. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.7c and 0.9.7d [17 Mar 2004] |
|
|
|
*) Fix null-pointer assignment in do_change_cipher_spec() revealed |
|
by using the Codenomicon TLS Test Tool (CVE-2004-0079) |
|
[Joe Orton, Steve Henson] |
|
|
|
*) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites |
|
(CVE-2004-0112) |
|
[Joe Orton, Steve Henson] |
|
|
|
*) Make it possible to have multiple active certificates with the same |
|
subject in the CA index file. This is done only if the keyword |
|
'unique_subject' is set to 'no' in the main CA section (default |
|
if 'CA_default') of the configuration file. The value is saved |
|
with the database itself in a separate index attribute file, |
|
named like the index file with '.attr' appended to the name. |
|
[Richard Levitte] |
|
|
|
*) X509 verify fixes. Disable broken certificate workarounds when |
|
X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if |
|
keyUsage extension present. Don't accept CRLs with unhandled critical |
|
extensions: since verify currently doesn't process CRL extensions this |
|
rejects a CRL with *any* critical extensions. Add new verify error codes |
|
for these cases. |
|
[Steve Henson] |
|
|
|
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue. |
|
A clarification of RFC2560 will require the use of OCTET STRINGs and |
|
some implementations cannot handle the current raw format. Since OpenSSL |
|
copies and compares OCSP nonces as opaque blobs without any attempt at |
|
parsing them this should not create any compatibility issues. |
|
[Steve Henson] |
|
|
|
*) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when |
|
calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without |
|
this HMAC (and other) operations are several times slower than OpenSSL |
|
< 0.9.7. |
|
[Steve Henson] |
|
|
|
*) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). |
|
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] |
|
|
|
*) Use the correct content when signing type "other". |
|
[Steve Henson] |
|
|
|
Changes between 0.9.7b and 0.9.7c [30 Sep 2003] |
|
|
|
*) Fix various bugs revealed by running the NISCC test suite: |
|
|
|
Stop out of bounds reads in the ASN1 code when presented with |
|
invalid tags (CVE-2003-0543 and CVE-2003-0544). |
|
|
|
Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545). |
|
|
|
If verify callback ignores invalid public key errors don't try to check |
|
certificate signature with the NULL public key. |
|
|
|
[Steve Henson] |
|
|
|
*) New -ignore_err option in ocsp application to stop the server |
|
exiting on the first error in a request. |
|
[Steve Henson] |
|
|
|
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate |
|
if the server requested one: as stated in TLS 1.0 and SSL 3.0 |
|
specifications. |
|
[Steve Henson] |
|
|
|
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional |
|
extra data after the compression methods not only for TLS 1.0 |
|
but also for SSL 3.0 (as required by the specification). |
|
[Bodo Moeller; problem pointed out by Matthias Loepfe] |
|
|
|
*) Change X509_certificate_type() to mark the key as exported/exportable |
|
when it's 512 *bits* long, not 512 bytes. |
|
[Richard Levitte] |
|
|
|
*) Change AES_cbc_encrypt() so it outputs exact multiple of |
|
blocks during encryption. |
|
[Richard Levitte] |
|
|
|
*) Various fixes to base64 BIO and non blocking I/O. On write |
|
flushes were not handled properly if the BIO retried. On read |
|
data was not being buffered properly and had various logic bugs. |
|
This also affects blocking I/O when the data being decoded is a |
|
certain size. |
|
[Steve Henson] |
|
|
|
*) Various S/MIME bugfixes and compatibility changes: |
|
output correct application/pkcs7 MIME type if |
|
PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. |
|
Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening |
|
of files as .eml work). Correctly handle very long lines in MIME |
|
parser. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.7a and 0.9.7b [10 Apr 2003] |
|
|
|
*) Countermeasure against the Klima-Pokorny-Rosa extension of |
|
Bleichbacher's attack on PKCS #1 v1.5 padding: treat |
|
a protocol version number mismatch like a decryption error |
|
in ssl3_get_client_key_exchange (ssl/s3_srvr.c). |
|
[Bodo Moeller] |
|
|
|
*) Turn on RSA blinding by default in the default implementation |
|
to avoid a timing attack. Applications that don't want it can call |
|
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. |
|
They would be ill-advised to do so in most cases. |
|
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] |
|
|
|
*) Change RSA blinding code so that it works when the PRNG is not |
|
seeded (in this case, the secret RSA exponent is abused as |
|
an unpredictable seed -- if it is not unpredictable, there |
|
is no point in blinding anyway). Make RSA blinding thread-safe |
|
by remembering the creator's thread ID in rsa->blinding and |
|
having all other threads use local one-time blinding factors |
|
(this requires more computation than sharing rsa->blinding, but |
|
avoids excessive locking; and if an RSA object is not shared |
|
between threads, blinding will still be very fast). |
|
[Bodo Moeller] |
|
|
|
*) Fixed a typo bug that would cause ENGINE_set_default() to set an |
|
ENGINE as defaults for all supported algorithms irrespective of |
|
the 'flags' parameter. 'flags' is now honoured, so applications |
|
should make sure they are passing it correctly. |
|
[Geoff Thorpe] |
|
|
|
*) Target "mingw" now allows native Windows code to be generated in |
|
the Cygwin environment as well as with the MinGW compiler. |
|
[Ulf Moeller] |
|
|
|
Changes between 0.9.7 and 0.9.7a [19 Feb 2003] |
|
|
|
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked |
|
via timing by performing a MAC computation even if incorrrect |
|
block cipher padding has been found. This is a countermeasure |
|
against active attacks where the attacker has to distinguish |
|
between bad padding and a MAC verification error. (CVE-2003-0078) |
|
|
|
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL), |
|
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and |
|
Martin Vuagnoux (EPFL, Ilion)] |
|
|
|
*) Make the no-err option work as intended. The intention with no-err |
|
is not to have the whole error stack handling routines removed from |
|
libcrypto, it's only intended to remove all the function name and |
|
reason texts, thereby removing some of the footprint that may not |
|
be interesting if those errors aren't displayed anyway. |
|
|
|
NOTE: it's still possible for any application or module to have it's |
|
own set of error texts inserted. The routines are there, just not |
|
used by default when no-err is given. |
|
[Richard Levitte] |
|
|
|
*) Add support for FreeBSD on IA64. |
|
[dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] |
|
|
|
*) Adjust DES_cbc_cksum() so it returns the same value as the MIT |
|
Kerberos function mit_des_cbc_cksum(). Before this change, |
|
the value returned by DES_cbc_cksum() was like the one from |
|
mit_des_cbc_cksum(), except the bytes were swapped. |
|
[Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte] |
|
|
|
*) Allow an application to disable the automatic SSL chain building. |
|
Before this a rather primitive chain build was always performed in |
|
ssl3_output_cert_chain(): an application had no way to send the |
|
correct chain if the automatic operation produced an incorrect result. |
|
|
|
Now the chain builder is disabled if either: |
|
|
|
1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). |
|
|
|
2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. |
|
|
|
The reasoning behind this is that an application would not want the |
|
auto chain building to take place if extra chain certificates are |
|
present and it might also want a means of sending no additional |
|
certificates (for example the chain has two certificates and the |
|
root is omitted). |
|
[Steve Henson] |
|
|
|
*) Add the possibility to build without the ENGINE framework. |
|
[Steven Reddie <smr@essemer.com.au> via Richard Levitte] |
|
|
|
*) Under Win32 gmtime() can return NULL: check return value in |
|
OPENSSL_gmtime(). Add error code for case where gmtime() fails. |
|
[Steve Henson] |
|
|
|
*) DSA routines: under certain error conditions uninitialized BN objects |
|
could be freed. Solution: make sure initialization is performed early |
|
enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>, |
|
Nils Larsch <nla@trustcenter.de> via PR#459) |
|
[Lutz Jaenicke] |
|
|
|
*) Another fix for SSLv2 session ID handling: the session ID was incorrectly |
|
checked on reconnect on the client side, therefore session resumption |
|
could still fail with a "ssl session id is different" error. This |
|
behaviour is masked when SSL_OP_ALL is used due to |
|
SSL_OP_MICROSOFT_SESS_ID_BUG being set. |
|
Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as |
|
followup to PR #377. |
|
[Lutz Jaenicke] |
|
|
|
*) IA-32 assembler support enhancements: unified ELF targets, support |
|
for SCO/Caldera platforms, fix for Cygwin shared build. |
|
[Andy Polyakov] |
|
|
|
*) Add support for FreeBSD on sparc64. As a consequence, support for |
|
FreeBSD on non-x86 processors is separate from x86 processors on |
|
the config script, much like the NetBSD support. |
|
[Richard Levitte & Kris Kennaway <kris@obsecurity.org>] |
|
|
|
Changes between 0.9.6h and 0.9.7 [31 Dec 2002] |
|
|
|
[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after |
|
OpenSSL 0.9.7.] |
|
|
|
*) Fix session ID handling in SSLv2 client code: the SERVER FINISHED |
|
code (06) was taken as the first octet of the session ID and the last |
|
octet was ignored consequently. As a result SSLv2 client side session |
|
caching could not have worked due to the session ID mismatch between |
|
client and server. |
|
Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as |
|
PR #377. |
|
[Lutz Jaenicke] |
|
|
|
*) Change the declaration of needed Kerberos libraries to use EX_LIBS |
|
instead of the special (and badly supported) LIBKRB5. LIBKRB5 is |
|
removed entirely. |
|
[Richard Levitte] |
|
|
|
*) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it |
|
seems that in spite of existing for more than a year, many application |
|
author have done nothing to provide the necessary callbacks, which |
|
means that this particular engine will not work properly anywhere. |
|
This is a very unfortunate situation which forces us, in the name |
|
of usability, to give the hw_ncipher.c a static lock, which is part |
|
of libcrypto. |
|
NOTE: This is for the 0.9.7 series ONLY. This hack will never |
|
appear in 0.9.8 or later. We EXPECT application authors to have |
|
dealt properly with this when 0.9.8 is released (unless we actually |
|
make such changes in the libcrypto locking code that changes will |
|
have to be made anyway). |
|
[Richard Levitte] |
|
|
|
*) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content |
|
octets have been read, EOF or an error occurs. Without this change |
|
some truncated ASN1 structures will not produce an error. |
|
[Steve Henson] |
|
|
|
*) Disable Heimdal support, since it hasn't been fully implemented. |
|
Still give the possibility to force the use of Heimdal, but with |
|
warnings and a request that patches get sent to openssl-dev. |
|
[Richard Levitte] |
|
|
|
*) Add the VC-CE target, introduce the WINCE sysname, and add |
|
INSTALL.WCE and appropriate conditionals to make it build. |
|
[Steven Reddie <smr@essemer.com.au> via Richard Levitte] |
|
|
|
*) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and |
|
cygssl-x.y.z.dll, where x, y and z are the major, minor and |
|
edit numbers of the version. |
|
[Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] |
|
|
|
*) Introduce safe string copy and catenation functions |
|
(BUF_strlcpy() and BUF_strlcat()). |
|
[Ben Laurie (CHATS) and Richard Levitte] |
|
|
|
*) Avoid using fixed-size buffers for one-line DNs. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Add BUF_MEM_grow_clean() to avoid information leakage when |
|
resizing buffers containing secrets, and use where appropriate. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Avoid using fixed size buffers for configuration file location. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Avoid filename truncation for various CA files. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Use sizeof in preference to magic numbers. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Avoid filename truncation in cert requests. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Add assertions to check for (supposedly impossible) buffer |
|
overflows. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Don't cache truncated DNS entries in the local cache (this could |
|
potentially lead to a spoofing attack). |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Fix various buffers to be large enough for hex/decimal |
|
representations in a platform independent manner. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Add CRYPTO_realloc_clean() to avoid information leakage when |
|
resizing buffers containing secrets, and use where appropriate. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Add BIO_indent() to avoid much slightly worrying code to do |
|
indents. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Convert sprintf()/BIO_puts() to BIO_printf(). |
|
[Ben Laurie (CHATS)] |
|
|
|
*) buffer_gets() could terminate with the buffer only half |
|
full. Fixed. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Add assertions to prevent user-supplied crypto functions from |
|
overflowing internal buffers by having large block sizes, etc. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) New OPENSSL_assert() macro (similar to assert(), but enabled |
|
unconditionally). |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Eliminate unused copy of key in RC4. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Eliminate unused and incorrectly sized buffers for IV in pem.h. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Fix off-by-one error in EGD path. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) If RANDFILE path is too long, ignore instead of truncating. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Eliminate unused and incorrectly sized X.509 structure |
|
CBCParameter. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Eliminate unused and dangerous function knumber(). |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Eliminate unused and dangerous structure, KSSL_ERR. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Protect against overlong session ID context length in an encoded |
|
session object. Since these are local, this does not appear to be |
|
exploitable. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Change from security patch (see 0.9.6e below) that did not affect |
|
the 0.9.6 release series: |
|
|
|
Remote buffer overflow in SSL3 protocol - an attacker could |
|
supply an oversized master key in Kerberos-enabled versions. |
|
(CVE-2002-0657) |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Change the SSL kerb5 codes to match RFC 2712. |
|
[Richard Levitte] |
|
|
|
*) Make -nameopt work fully for req and add -reqopt switch. |
|
[Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson] |
|
|
|
*) The "block size" for block ciphers in CFB and OFB mode should be 1. |
|
[Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>] |
|
|
|
*) Make sure tests can be performed even if the corresponding algorithms |
|
have been removed entirely. This was also the last step to make |
|
OpenSSL compilable with DJGPP under all reasonable conditions. |
|
[Richard Levitte, Doug Kaufman <dkaufman@rahul.net>] |
|
|
|
*) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT |
|
to allow version independent disabling of normally unselected ciphers, |
|
which may be activated as a side-effect of selecting a single cipher. |
|
|
|
(E.g., cipher list string "RSA" enables ciphersuites that are left |
|
out of "ALL" because they do not provide symmetric encryption. |
|
"RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) |
|
[Lutz Jaenicke, Bodo Moeller] |
|
|
|
*) Add appropriate support for separate platform-dependent build |
|
directories. The recommended way to make a platform-dependent |
|
build directory is the following (tested on Linux), maybe with |
|
some local tweaks: |
|
|
|
# Place yourself outside of the OpenSSL source tree. In |
|
# this example, the environment variable OPENSSL_SOURCE |
|
# is assumed to contain the absolute OpenSSL source directory. |
|
mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" |
|
cd objtree/"`uname -s`-`uname -r`-`uname -m`" |
|
(cd $OPENSSL_SOURCE; find . -type f) | while read F; do |
|
mkdir -p `dirname $F` |
|
ln -s $OPENSSL_SOURCE/$F $F |
|
done |
|
|
|
To be absolutely sure not to disturb the source tree, a "make clean" |
|
is a good thing. If it isn't successfull, don't worry about it, |
|
it probably means the source directory is very clean. |
|
[Richard Levitte] |
|
|
|
*) Make sure any ENGINE control commands make local copies of string |
|
pointers passed to them whenever necessary. Otherwise it is possible |
|
the caller may have overwritten (or deallocated) the original string |
|
data when a later ENGINE operation tries to use the stored values. |
|
[Götz Babin-Ebell <babinebell@trustcenter.de>] |
|
|
|
*) Improve diagnostics in file reading and command-line digests. |
|
[Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>] |
|
|
|
*) Add AES modes CFB and OFB to the object database. Correct an |
|
error in AES-CFB decryption. |
|
[Richard Levitte] |
|
|
|
*) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this |
|
allows existing EVP_CIPHER_CTX structures to be reused after |
|
calling EVP_*Final(). This behaviour is used by encryption |
|
BIOs and some applications. This has the side effect that |
|
applications must explicitly clean up cipher contexts with |
|
EVP_CIPHER_CTX_cleanup() or they will leak memory. |
|
[Steve Henson] |
|
|
|
*) Check the values of dna and dnb in bn_mul_recursive before calling |
|
bn_mul_comba (a non zero value means the a or b arrays do not contain |
|
n2 elements) and fallback to bn_mul_normal if either is not zero. |
|
[Steve Henson] |
|
|
|
*) Fix escaping of non-ASCII characters when using the -subj option |
|
of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>) |
|
[Lutz Jaenicke] |
|
|
|
*) Make object definitions compliant to LDAP (RFC2256): SN is the short |
|
form for "surname", serialNumber has no short form. |
|
Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; |
|
therefore remove "mail" short name for "internet 7". |
|
The OID for unique identifiers in X509 certificates is |
|
x500UniqueIdentifier, not uniqueIdentifier. |
|
Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>) |
|
[Lutz Jaenicke] |
|
|
|
*) Add an "init" command to the ENGINE config module and auto initialize |
|
ENGINEs. Without any "init" command the ENGINE will be initialized |
|
after all ctrl commands have been executed on it. If init=1 the |
|
ENGINE is initailized at that point (ctrls before that point are run |
|
on the uninitialized ENGINE and after on the initialized one). If |
|
init=0 then the ENGINE will not be iniatialized at all. |
|
[Steve Henson] |
|
|
|
*) Fix the 'app_verify_callback' interface so that the user-defined |
|
argument is actually passed to the callback: In the |
|
SSL_CTX_set_cert_verify_callback() prototype, the callback |
|
declaration has been changed from |
|
int (*cb)() |
|
into |
|
int (*cb)(X509_STORE_CTX *,void *); |
|
in ssl_verify_cert_chain (ssl/ssl_cert.c), the call |
|
i=s->ctx->app_verify_callback(&ctx) |
|
has been changed into |
|
i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg). |
|
|
|
To update applications using SSL_CTX_set_cert_verify_callback(), |
|
a dummy argument can be added to their callback functions. |
|
[D. K. Smetters <smetters@parc.xerox.com>] |
|
|
|
*) Added the '4758cca' ENGINE to support IBM 4758 cards. |
|
[Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe] |
|
|
|
*) Add and OPENSSL_LOAD_CONF define which will cause |
|
OpenSSL_add_all_algorithms() to load the openssl.cnf config file. |
|
This allows older applications to transparently support certain |
|
OpenSSL features: such as crypto acceleration and dynamic ENGINE loading. |
|
Two new functions OPENSSL_add_all_algorithms_noconf() which will never |
|
load the config file and OPENSSL_add_all_algorithms_conf() which will |
|
always load it have also been added. |
|
[Steve Henson] |
|
|
|
*) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES. |
|
Adjust NIDs and EVP layer. |
|
[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] |
|
|
|
*) Config modules support in openssl utility. |
|
|
|
Most commands now load modules from the config file, |
|
though in a few (such as version) this isn't done |
|
because it couldn't be used for anything. |
|
|
|
In the case of ca and req the config file used is |
|
the same as the utility itself: that is the -config |
|
command line option can be used to specify an |
|
alternative file. |
|
[Steve Henson] |
|
|
|
*) Move default behaviour from OPENSSL_config(). If appname is NULL |
|
use "openssl_conf" if filename is NULL use default openssl config file. |
|
[Steve Henson] |
|
|
|
*) Add an argument to OPENSSL_config() to allow the use of an alternative |
|
config section name. Add a new flag to tolerate a missing config file |
|
and move code to CONF_modules_load_file(). |
|
[Steve Henson] |
|
|
|
*) Support for crypto accelerator cards from Accelerated Encryption |
|
Processing, www.aep.ie. (Use engine 'aep') |
|
The support was copied from 0.9.6c [engine] and adapted/corrected |
|
to work with the new engine framework. |
|
[AEP Inc. and Richard Levitte] |
|
|
|
*) Support for SureWare crypto accelerator cards from Baltimore |
|
Technologies. (Use engine 'sureware') |
|
The support was copied from 0.9.6c [engine] and adapted |
|
to work with the new engine framework. |
|
[Richard Levitte] |
|
|
|
*) Have the CHIL engine fork-safe (as defined by nCipher) and actually |
|
make the newer ENGINE framework commands for the CHIL engine work. |
|
[Toomas Kiisk <vix@cyber.ee> and Richard Levitte] |
|
|
|
*) Make it possible to produce shared libraries on ReliantUNIX. |
|
[Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte] |
|
|
|
*) Add the configuration target debug-linux-ppro. |
|
Make 'openssl rsa' use the general key loading routines |
|
implemented in apps.c, and make those routines able to |
|
handle the key format FORMAT_NETSCAPE and the variant |
|
FORMAT_IISSGC. |
|
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte] |
|
|
|
*) Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). |
|
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte] |
|
|
|
*) Add -keyform to rsautl, and document -engine. |
|
[Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>] |
|
|
|
*) Change BIO_new_file (crypto/bio/bss_file.c) to use new |
|
BIO_R_NO_SUCH_FILE error code rather than the generic |
|
ERR_R_SYS_LIB error code if fopen() fails with ENOENT. |
|
[Ben Laurie] |
|
|
|
*) Add new functions |
|
ERR_peek_last_error |
|
ERR_peek_last_error_line |
|
ERR_peek_last_error_line_data. |
|
These are similar to |
|
ERR_peek_error |
|
ERR_peek_error_line |
|
ERR_peek_error_line_data, |
|
but report on the latest error recorded rather than the first one |
|
still in the error queue. |
|
[Ben Laurie, Bodo Moeller] |
|
|
|
*) default_algorithms option in ENGINE config module. This allows things |
|
like: |
|
default_algorithms = ALL |
|
default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS |
|
[Steve Henson] |
|
|
|
*) Prelminary ENGINE config module. |
|
[Steve Henson] |
|
|
|
*) New experimental application configuration code. |
|
[Steve Henson] |
|
|
|
*) Change the AES code to follow the same name structure as all other |
|
symmetric ciphers, and behave the same way. Move everything to |
|
the directory crypto/aes, thereby obsoleting crypto/rijndael. |
|
[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] |
|
|
|
*) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c. |
|
[Ben Laurie and Theo de Raadt] |
|
|
|
*) Add option to output public keys in req command. |
|
[Massimiliano Pala madwolf@openca.org] |
|
|
|
*) Use wNAFs in EC_POINTs_mul() for improved efficiency |
|
(up to about 10% better than before for P-192 and P-224). |
|
[Bodo Moeller] |
|
|
|
*) New functions/macros |
|
|
|
SSL_CTX_set_msg_callback(ctx, cb) |
|
SSL_CTX_set_msg_callback_arg(ctx, arg) |
|
SSL_set_msg_callback(ssl, cb) |
|
SSL_set_msg_callback_arg(ssl, arg) |
|
|
|
to request calling a callback function |
|
|
|
void cb(int write_p, int version, int content_type, |
|
const void *buf, size_t len, SSL *ssl, void *arg) |
|
|
|
whenever a protocol message has been completely received |
|
(write_p == 0) or sent (write_p == 1). Here 'version' is the |
|
protocol version according to which the SSL library interprets |
|
the current protocol message (SSL2_VERSION, SSL3_VERSION, or |
|
TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or |
|
the content type as defined in the SSL 3.0/TLS 1.0 protocol |
|
specification (change_cipher_spec(20), alert(21), handshake(22)). |
|
'buf' and 'len' point to the actual message, 'ssl' to the |
|
SSL object, and 'arg' is the application-defined value set by |
|
SSL[_CTX]_set_msg_callback_arg(). |
|
|
|
'openssl s_client' and 'openssl s_server' have new '-msg' options |
|
to enable a callback that displays all protocol messages. |
|
[Bodo Moeller] |
|
|
|
*) Change the shared library support so shared libraries are built as |
|
soon as the corresponding static library is finished, and thereby get |
|
openssl and the test programs linked against the shared library. |
|
This still only happens when the keyword "shard" has been given to |
|
the configuration scripts. |
|
|
|
NOTE: shared library support is still an experimental thing, and |
|
backward binary compatibility is still not guaranteed. |
|
["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte] |
|
|
|
*) Add support for Subject Information Access extension. |
|
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] |
|
|
|
*) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero |
|
additional bytes when new memory had to be allocated, not just |
|
when reusing an existing buffer. |
|
[Bodo Moeller] |
|
|
|
*) New command line and configuration option 'utf8' for the req command. |
|
This allows field values to be specified as UTF8 strings. |
|
[Steve Henson] |
|
|
|
*) Add -multi and -mr options to "openssl speed" - giving multiple parallel |
|
runs for the former and machine-readable output for the latter. |
|
[Ben Laurie] |
|
|
|
*) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion |
|
of the e-mail address in the DN (i.e., it will go into a certificate |
|
extension only). The new configuration file option 'email_in_dn = no' |
|
has the same effect. |
|
[Massimiliano Pala madwolf@openca.org] |
|
|
|
*) Change all functions with names starting with des_ to be starting |
|
with DES_ instead. Add wrappers that are compatible with libdes, |
|
but are named _ossl_old_des_*. Finally, add macros that map the |
|
des_* symbols to the corresponding _ossl_old_des_* if libdes |
|
compatibility is desired. If OpenSSL 0.9.6c compatibility is |
|
desired, the des_* symbols will be mapped to DES_*, with one |
|
exception. |
|
|
|
Since we provide two compatibility mappings, the user needs to |
|
define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes |
|
compatibility is desired. The default (i.e., when that macro |
|
isn't defined) is OpenSSL 0.9.6c compatibility. |
|
|
|
There are also macros that enable and disable the support of old |
|
des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT |
|
and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those |
|
are defined, the default will apply: to support the old des routines. |
|
|
|
In either case, one must include openssl/des.h to get the correct |
|
definitions. Do not try to just include openssl/des_old.h, that |
|
won't work. |
|
|
|
NOTE: This is a major break of an old API into a new one. Software |
|
authors are encouraged to switch to the DES_ style functions. Some |
|
time in the future, des_old.h and the libdes compatibility functions |
|
will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the |
|
default), and then completely removed. |
|
[Richard Levitte] |
|
|
|
*) Test for certificates which contain unsupported critical extensions. |
|
If such a certificate is found during a verify operation it is |
|
rejected by default: this behaviour can be overridden by either |
|
handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or |
|
by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function |
|
X509_supported_extension() has also been added which returns 1 if a |
|
particular extension is supported. |
|
[Steve Henson] |
|
|
|
*) Modify the behaviour of EVP cipher functions in similar way to digests |
|
to retain compatibility with existing code. |
|
[Steve Henson] |
|
|
|
*) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain |
|
compatibility with existing code. In particular the 'ctx' parameter does |
|
not have to be to be initialized before the call to EVP_DigestInit() and |
|
it is tidied up after a call to EVP_DigestFinal(). New function |
|
EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function |
|
EVP_MD_CTX_copy() changed to not require the destination to be |
|
initialized valid and new function EVP_MD_CTX_copy_ex() added which |
|
requires the destination to be valid. |
|
|
|
Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), |
|
EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). |
|
[Steve Henson] |
|
|
|
*) Change ssl3_get_message (ssl/s3_both.c) and the functions using it |
|
so that complete 'Handshake' protocol structures are kept in memory |
|
instead of overwriting 'msg_type' and 'length' with 'body' data. |
|
[Bodo Moeller] |
|
|
|
*) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. |
|
[Massimo Santin via Richard Levitte] |
|
|
|
*) Major restructuring to the underlying ENGINE code. This includes |
|
reduction of linker bloat, separation of pure "ENGINE" manipulation |
|
(initialisation, etc) from functionality dealing with implementations |
|
of specific crypto iterfaces. This change also introduces integrated |
|
support for symmetric ciphers and digest implementations - so ENGINEs |
|
can now accelerate these by providing EVP_CIPHER and EVP_MD |
|
implementations of their own. This is detailed in crypto/engine/README |
|
as it couldn't be adequately described here. However, there are a few |
|
API changes worth noting - some RSA, DSA, DH, and RAND functions that |
|
were changed in the original introduction of ENGINE code have now |
|
reverted back - the hooking from this code to ENGINE is now a good |
|
deal more passive and at run-time, operations deal directly with |
|
RSA_METHODs, DSA_METHODs (etc) as they did before, rather than |
|
dereferencing through an ENGINE pointer any more. Also, the ENGINE |
|
functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - |
|
they were not being used by the framework as there is no concept of a |
|
BIGNUM_METHOD and they could not be generalised to the new |
|
'ENGINE_TABLE' mechanism that underlies the new code. Similarly, |
|
ENGINE_cpy() has been removed as it cannot be consistently defined in |
|
the new code. |
|
[Geoff Thorpe] |
|
|
|
*) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. |
|
[Steve Henson] |
|
|
|
*) Change mkdef.pl to sort symbols that get the same entry number, |
|
and make sure the automatically generated functions ERR_load_* |
|
become part of libeay.num as well. |
|
[Richard Levitte] |
|
|
|
*) New function SSL_renegotiate_pending(). This returns true once |
|
renegotiation has been requested (either SSL_renegotiate() call |
|
or HelloRequest/ClientHello receveived from the peer) and becomes |
|
false once a handshake has been completed. |
|
(For servers, SSL_renegotiate() followed by SSL_do_handshake() |
|
sends a HelloRequest, but does not ensure that a handshake takes |
|
place. SSL_renegotiate_pending() is useful for checking if the |
|
client has followed the request.) |
|
[Bodo Moeller] |
|
|
|
*) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. |
|
By default, clients may request session resumption even during |
|
renegotiation (if session ID contexts permit); with this option, |
|
session resumption is possible only in the first handshake. |
|
|
|
SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes |
|
more bits available for options that should not be part of |
|
SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION). |
|
[Bodo Moeller] |
|
|
|
*) Add some demos for certificate and certificate request creation. |
|
[Steve Henson] |
|
|
|
*) Make maximum certificate chain size accepted from the peer application |
|
settable (SSL*_get/set_max_cert_list()), as proposed by |
|
"Douglas E. Engert" <deengert@anl.gov>. |
|
[Lutz Jaenicke] |
|
|
|
*) Add support for shared libraries for Unixware-7 |
|
(Boyd Lynn Gerber <gerberb@zenez.com>). |
|
[Lutz Jaenicke] |
|
|
|
*) Add a "destroy" handler to ENGINEs that allows structural cleanup to |
|
be done prior to destruction. Use this to unload error strings from |
|
ENGINEs that load their own error strings. NB: This adds two new API |
|
functions to "get" and "set" this destroy handler in an ENGINE. |
|
[Geoff Thorpe] |
|
|
|
*) Alter all existing ENGINE implementations (except "openssl" and |
|
"openbsd") to dynamically instantiate their own error strings. This |
|
makes them more flexible to be built both as statically-linked ENGINEs |
|
and self-contained shared-libraries loadable via the "dynamic" ENGINE. |
|
Also, add stub code to each that makes building them as self-contained |
|
shared-libraries easier (see README.ENGINE). |
|
[Geoff Thorpe] |
|
|
|
*) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE |
|
implementations into applications that are completely implemented in |
|
self-contained shared-libraries. The "dynamic" ENGINE exposes control |
|
commands that can be used to configure what shared-library to load and |
|
to control aspects of the way it is handled. Also, made an update to |
|
the README.ENGINE file that brings its information up-to-date and |
|
provides some information and instructions on the "dynamic" ENGINE |
|
(ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc). |
|
[Geoff Thorpe] |
|
|
|
*) Make it possible to unload ranges of ERR strings with a new |
|
"ERR_unload_strings" function. |
|
[Geoff Thorpe] |
|
|
|
*) Add a copy() function to EVP_MD. |
|
[Ben Laurie] |
|
|
|
*) Make EVP_MD routines take a context pointer instead of just the |
|
md_data void pointer. |
|
[Ben Laurie] |
|
|
|
*) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates |
|
that the digest can only process a single chunk of data |
|
(typically because it is provided by a piece of |
|
hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application |
|
is only going to provide a single chunk of data, and hence the |
|
framework needn't accumulate the data for oneshot drivers. |
|
[Ben Laurie] |
|
|
|
*) As with "ERR", make it possible to replace the underlying "ex_data" |
|
functions. This change also alters the storage and management of global |
|
ex_data state - it's now all inside ex_data.c and all "class" code (eg. |
|
RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class |
|
index counters. The API functions that use this state have been changed |
|
to take a "class_index" rather than pointers to the class's local STACK |
|
and counter, and there is now an API function to dynamically create new |
|
classes. This centralisation allows us to (a) plug a lot of the |
|
thread-safety problems that existed, and (b) makes it possible to clean |
|
up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b) |
|
such data would previously have always leaked in application code and |
|
workarounds were in place to make the memory debugging turn a blind eye |
|
to it. Application code that doesn't use this new function will still |
|
leak as before, but their memory debugging output will announce it now |
|
rather than letting it slide. |
|
|
|
Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change |
|
induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now |
|
has a return value to indicate success or failure. |
|
[Geoff Thorpe] |
|
|
|
*) Make it possible to replace the underlying "ERR" functions such that the |
|
global state (2 LHASH tables and 2 locks) is only used by the "default" |
|
implementation. This change also adds two functions to "get" and "set" |
|
the implementation prior to it being automatically set the first time |
|
any other ERR function takes place. Ie. an application can call "get", |
|
pass the return value to a module it has just loaded, and that module |
|
can call its own "set" function using that value. This means the |
|
module's "ERR" operations will use (and modify) the error state in the |
|
application and not in its own statically linked copy of OpenSSL code. |
|
[Geoff Thorpe] |
|
|
|
*) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment |
|
reference counts. This performs normal REF_PRINT/REF_CHECK macros on |
|
the operation, and provides a more encapsulated way for external code |
|
(crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code |
|
to use these functions rather than manually incrementing the counts. |
|
|
|
Also rename "DSO_up()" function to more descriptive "DSO_up_ref()". |
|
[Geoff Thorpe] |
|
|
|
*) Add EVP test program. |
|
[Ben Laurie] |
|
|
|
*) Add symmetric cipher support to ENGINE. Expect the API to change! |
|
[Ben Laurie] |
|
|
|
*) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() |
|
X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), |
|
X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). |
|
These allow a CRL to be built without having to access X509_CRL fields |
|
directly. Modify 'ca' application to use new functions. |
|
[Steve Henson] |
|
|
|
*) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended |
|
bug workarounds. Rollback attack detection is a security feature. |
|
The problem will only arise on OpenSSL servers when TLSv1 is not |
|
available (sslv3_server_method() or SSL_OP_NO_TLSv1). |
|
Software authors not wanting to support TLSv1 will have special reasons |
|
for their choice and can explicitly enable this option. |
|
[Bodo Moeller, Lutz Jaenicke] |
|
|
|
*) Rationalise EVP so it can be extended: don't include a union of |
|
cipher/digest structures, add init/cleanup functions for EVP_MD_CTX |
|
(similar to those existing for EVP_CIPHER_CTX). |
|
Usage example: |
|
|
|
EVP_MD_CTX md; |
|
|
|
EVP_MD_CTX_init(&md); /* new function call */ |
|
EVP_DigestInit(&md, EVP_sha1()); |
|
EVP_DigestUpdate(&md, in, len); |
|
EVP_DigestFinal(&md, out, NULL); |
|
EVP_MD_CTX_cleanup(&md); /* new function call */ |
|
|
|
[Ben Laurie] |
|
|
|
*) Make DES key schedule conform to the usual scheme, as well as |
|
correcting its structure. This means that calls to DES functions |
|
now have to pass a pointer to a des_key_schedule instead of a |
|
plain des_key_schedule (which was actually always a pointer |
|
anyway): E.g., |
|
|
|
des_key_schedule ks; |
|
|
|
des_set_key_checked(..., &ks); |
|
des_ncbc_encrypt(..., &ks, ...); |
|
|
|
(Note that a later change renames 'des_...' into 'DES_...'.) |
|
[Ben Laurie] |
|
|
|
*) Initial reduction of linker bloat: the use of some functions, such as |
|
PEM causes large amounts of unused functions to be linked in due to |
|
poor organisation. For example pem_all.c contains every PEM function |
|
which has a knock on effect of linking in large amounts of (unused) |
|
ASN1 code. Grouping together similar functions and splitting unrelated |
|
functions prevents this. |
|
[Steve Henson] |
|
|
|
*) Cleanup of EVP macros. |
|
[Ben Laurie] |
|
|
|
*) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the |
|
correct _ecb suffix. |
|
[Ben Laurie] |
|
|
|
*) Add initial OCSP responder support to ocsp application. The |
|
revocation information is handled using the text based index |
|
use by the ca application. The responder can either handle |
|
requests generated internally, supplied in files (for example |
|
via a CGI script) or using an internal minimal server. |
|
[Steve Henson] |
|
|
|
*) Add configuration choices to get zlib compression for TLS. |
|
[Richard Levitte] |
|
|
|
*) Changes to Kerberos SSL for RFC 2712 compliance: |
|
1. Implemented real KerberosWrapper, instead of just using |
|
KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>] |
|
2. Implemented optional authenticator field of KerberosWrapper. |
|
|
|
Added openssl-style ASN.1 macros for Kerberos ticket, ap_req, |
|
and authenticator structs; see crypto/krb5/. |
|
|
|
Generalized Kerberos calls to support multiple Kerberos libraries. |
|
[Vern Staats <staatsvr@asc.hpc.mil>, |
|
Jeffrey Altman <jaltman@columbia.edu> |
|
via Richard Levitte] |
|
|
|
*) Cause 'openssl speed' to use fully hard-coded DSA keys as it |
|
already does with RSA. testdsa.h now has 'priv_key/pub_key' |
|
values for each of the key sizes rather than having just |
|
parameters (and 'speed' generating keys each time). |
|
[Geoff Thorpe] |
|
|
|
*) Speed up EVP routines. |
|
Before: |
|
encrypt |
|
type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes |
|
des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k |
|
des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k |
|
des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k |
|
decrypt |
|
des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k |
|
des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k |
|
des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k |
|
After: |
|
encrypt |
|
des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k |
|
decrypt |
|
des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k |
|
[Ben Laurie] |
|
|
|
*) Added the OS2-EMX target. |
|
["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte] |
|
|
|
*) Rewrite apps to use NCONF routines instead of the old CONF. New functions |
|
to support NCONF routines in extension code. New function CONF_set_nconf() |
|
to allow functions which take an NCONF to also handle the old LHASH |
|
structure: this means that the old CONF compatible routines can be |
|
retained (in particular wrt extensions) without having to duplicate the |
|
code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. |
|
[Steve Henson] |
|
|
|
*) Enhance the general user interface with mechanisms for inner control |
|
and with possibilities to have yes/no kind of prompts. |
|
[Richard Levitte] |
|
|
|
*) Change all calls to low level digest routines in the library and |
|
applications to use EVP. Add missing calls to HMAC_cleanup() and |
|
don't assume HMAC_CTX can be copied using memcpy(). |
|
[Verdon Walker <VWalker@novell.com>, Steve Henson] |
|
|
|
*) Add the possibility to control engines through control names but with |
|
arbitrary arguments instead of just a string. |
|
Change the key loaders to take a UI_METHOD instead of a callback |
|
function pointer. NOTE: this breaks binary compatibility with earlier |
|
versions of OpenSSL [engine]. |
|
Adapt the nCipher code for these new conditions and add a card insertion |
|
callback. |
|
[Richard Levitte] |
|
|
|
*) Enhance the general user interface with mechanisms to better support |
|
dialog box interfaces, application-defined prompts, the possibility |
|
to use defaults (for example default passwords from somewhere else) |
|
and interrupts/cancellations. |
|
[Richard Levitte] |
|
|
|
*) Tidy up PKCS#12 attribute handling. Add support for the CSP name |
|
attribute in PKCS#12 files, add new -CSP option to pkcs12 utility. |
|
[Steve Henson] |
|
|
|
*) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also |
|
tidy up some unnecessarily weird code in 'sk_new()'). |
|
[Geoff, reported by Diego Tartara <dtartara@novamens.com>] |
|
|
|
*) Change the key loading routines for ENGINEs to use the same kind |
|
callback (pem_password_cb) as all other routines that need this |
|
kind of callback. |
|
[Richard Levitte] |
|
|
|
*) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with |
|
256 bit (=32 byte) keys. Of course seeding with more entropy bytes |
|
than this minimum value is recommended. |
|
[Lutz Jaenicke] |
|
|
|
*) New random seeder for OpenVMS, using the system process statistics |
|
that are easily reachable. |
|
[Richard Levitte] |
|
|
|
*) Windows apparently can't transparently handle global |
|
variables defined in DLLs. Initialisations such as: |
|
|
|
const ASN1_ITEM *it = &ASN1_INTEGER_it; |
|
|
|
wont compile. This is used by the any applications that need to |
|
declare their own ASN1 modules. This was fixed by adding the option |
|
EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly |
|
needed for static libraries under Win32. |
|
[Steve Henson] |
|
|
|
*) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle |
|
setting of purpose and trust fields. New X509_STORE trust and |
|
purpose functions and tidy up setting in other SSL functions. |
|
[Steve Henson] |
|
|
|
*) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE |
|
structure. These are inherited by X509_STORE_CTX when it is |
|
initialised. This allows various defaults to be set in the |
|
X509_STORE structure (such as flags for CRL checking and custom |
|
purpose or trust settings) for functions which only use X509_STORE_CTX |
|
internally such as S/MIME. |
|
|
|
Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and |
|
trust settings if they are not set in X509_STORE. This allows X509_STORE |
|
purposes and trust (in S/MIME for example) to override any set by default. |
|
|
|
Add command line options for CRL checking to smime, s_client and s_server |
|
applications. |
|
[Steve Henson] |
|
|
|
*) Initial CRL based revocation checking. If the CRL checking flag(s) |
|
are set then the CRL is looked up in the X509_STORE structure and |
|
its validity and signature checked, then if the certificate is found |
|
in the CRL the verify fails with a revoked error. |
|
|
|
Various new CRL related callbacks added to X509_STORE_CTX structure. |
|
|
|
Command line options added to 'verify' application to support this. |
|
|
|
This needs some additional work, such as being able to handle multiple |
|
CRLs with different times, extension based lookup (rather than just |
|
by subject name) and ultimately more complete V2 CRL extension |
|
handling. |
|
[Steve Henson] |
|
|
|
*) Add a general user interface API (crypto/ui/). This is designed |
|
to replace things like des_read_password and friends (backward |
|
compatibility functions using this new API are provided). |
|
The purpose is to remove prompting functions from the DES code |
|
section as well as provide for prompting through dialog boxes in |
|
a window system and the like. |
|
[Richard Levitte] |
|
|
|
*) Add "ex_data" support to ENGINE so implementations can add state at a |
|
per-structure level rather than having to store it globally. |
|
[Geoff] |
|
|
|
*) Make it possible for ENGINE structures to be copied when retrieved by |
|
ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY. |
|
This causes the "original" ENGINE structure to act like a template, |
|
analogous to the RSA vs. RSA_METHOD type of separation. Because of this |
|
operational state can be localised to each ENGINE structure, despite the |
|
fact they all share the same "methods". New ENGINE structures returned in |
|
this case have no functional references and the return value is the single |
|
structural reference. This matches the single structural reference returned |
|
by ENGINE_by_id() normally, when it is incremented on the pre-existing |
|
ENGINE structure. |
|
[Geoff] |
|
|
|
*) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this |
|
needs to match any other type at all we need to manually clear the |
|
tag cache. |
|
[Steve Henson] |
|
|
|
*) Changes to the "openssl engine" utility to include; |
|
- verbosity levels ('-v', '-vv', and '-vvv') that provide information |
|
about an ENGINE's available control commands. |
|
- executing control commands from command line arguments using the |
|
'-pre' and '-post' switches. '-post' is only used if '-t' is |
|
specified and the ENGINE is successfully initialised. The syntax for |
|
the individual commands are colon-separated, for example; |
|
openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so |
|
[Geoff] |
|
|
|
*) New dynamic control command support for ENGINEs. ENGINEs can now |
|
declare their own commands (numbers), names (strings), descriptions, |
|
and input types for run-time discovery by calling applications. A |
|
subset of these commands are implicitly classed as "executable" |
|
depending on their input type, and only these can be invoked through |
|
the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this |
|
can be based on user input, config files, etc). The distinction is |
|
that "executable" commands cannot return anything other than a boolean |
|
result and can only support numeric or string input, whereas some |
|
discoverable commands may only be for direct use through |
|
ENGINE_ctrl(), eg. supporting the exchange of binary data, function |
|
pointers, or other custom uses. The "executable" commands are to |
|
support parameterisations of ENGINE behaviour that can be |
|
unambiguously defined by ENGINEs and used consistently across any |
|
OpenSSL-based application. Commands have been added to all the |
|
existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow |
|
control over shared-library paths without source code alterations. |
|
[Geoff] |
|
|
|
*) Changed all ENGINE implementations to dynamically allocate their |
|
ENGINEs rather than declaring them statically. Apart from this being |
|
necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, |
|
this also allows the implementations to compile without using the |
|
internal engine_int.h header. |
|
[Geoff] |
|
|
|
*) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a |
|
'const' value. Any code that should be able to modify a RAND_METHOD |
|
should already have non-const pointers to it (ie. they should only |
|
modify their own ones). |
|
[Geoff] |
|
|
|
*) Made a variety of little tweaks to the ENGINE code. |
|
- "atalla" and "ubsec" string definitions were moved from header files |
|
to C code. "nuron" string definitions were placed in variables |
|
rather than hard-coded - allowing parameterisation of these values |
|
later on via ctrl() commands. |
|
- Removed unused "#if 0"'d code. |
|
- Fixed engine list iteration code so it uses ENGINE_free() to release |
|
structural references. |
|
- Constified the RAND_METHOD element of ENGINE structures. |
|
- Constified various get/set functions as appropriate and added |
|
missing functions (including a catch-all ENGINE_cpy that duplicates |
|
all ENGINE values onto a new ENGINE except reference counts/state). |
|
- Removed NULL parameter checks in get/set functions. Setting a method |
|
or function to NULL is a way of cancelling out a previously set |
|
value. Passing a NULL ENGINE parameter is just plain stupid anyway |
|
and doesn't justify the extra error symbols and code. |
|
- Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for |
|
flags from engine_int.h to engine.h. |
|
- Changed prototypes for ENGINE handler functions (init(), finish(), |
|
ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. |
|
[Geoff] |
|
|
|
*) Implement binary inversion algorithm for BN_mod_inverse in addition |
|
to the algorithm using long division. The binary algorithm can be |
|
used only if the modulus is odd. On 32-bit systems, it is faster |
|
only for relatively small moduli (roughly 20-30% for 128-bit moduli, |
|
roughly 5-15% for 256-bit moduli), so we use it only for moduli |
|
up to 450 bits. In 64-bit environments, the binary algorithm |
|
appears to be advantageous for much longer moduli; here we use it |
|
for moduli up to 2048 bits. |
|
[Bodo Moeller] |
|
|
|
*) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code |
|
could not support the combine flag in choice fields. |
|
[Steve Henson] |
|
|
|
*) Add a 'copy_extensions' option to the 'ca' utility. This copies |
|
extensions from a certificate request to the certificate. |
|
[Steve Henson] |
|
|
|
*) Allow multiple 'certopt' and 'nameopt' options to be separated |
|
by commas. Add 'namopt' and 'certopt' options to the 'ca' config |
|
file: this allows the display of the certificate about to be |
|
signed to be customised, to allow certain fields to be included |
|
or excluded and extension details. The old system didn't display |
|
multicharacter strings properly, omitted fields not in the policy |
|
and couldn't display additional details such as extensions. |
|
[Steve Henson] |
|
|
|
*) Function EC_POINTs_mul for multiple scalar multiplication |
|
of an arbitrary number of elliptic curve points |
|
\sum scalars[i]*points[i], |
|
optionally including the generator defined for the EC_GROUP: |
|
scalar*generator + \sum scalars[i]*points[i]. |
|
|
|
EC_POINT_mul is a simple wrapper function for the typical case |
|
that the point list has just one item (besides the optional |
|
generator). |
|
[Bodo Moeller] |
|
|
|
*) First EC_METHODs for curves over GF(p): |
|
|
|
EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr |
|
operations and provides various method functions that can also |
|
operate with faster implementations of modular arithmetic. |
|
|
|
EC_GFp_mont_method() reuses most functions that are part of |
|
EC_GFp_simple_method, but uses Montgomery arithmetic. |
|
|
|
[Bodo Moeller; point addition and point doubling |
|
implementation directly derived from source code provided by |
|
Lenka Fibikova <fibikova@exp-math.uni-essen.de>] |
|
|
|
*) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, |
|
crypto/ec/ec_lib.c): |
|
|
|
Curves are EC_GROUP objects (with an optional group generator) |
|
based on EC_METHODs that are built into the library. |
|
|
|
Points are EC_POINT objects based on EC_GROUP objects. |
|
|
|
Most of the framework would be able to handle curves over arbitrary |
|
finite fields, but as there are no obvious types for fields other |
|
than GF(p), some functions are limited to that for now. |
|
[Bodo Moeller] |
|
|
|
*) Add the -HTTP option to s_server. It is similar to -WWW, but requires |
|
that the file contains a complete HTTP response. |
|
[Richard Levitte] |
|
|
|
*) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl |
|
change the def and num file printf format specifier from "%-40sXXX" |
|
to "%-39s XXX". The latter will always guarantee a space after the |
|
field while the former will cause them to run together if the field |
|
is 40 of more characters long. |
|
[Steve Henson] |
|
|
|
*) Constify the cipher and digest 'method' functions and structures |
|
and modify related functions to take constant EVP_MD and EVP_CIPHER |
|
pointers. |
|
[Steve Henson] |
|
|
|
*) Hide BN_CTX structure details in bn_lcl.h instead of publishing them |
|
in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32. |
|
[Bodo Moeller] |
|
|
|
*) Modify EVP_Digest*() routines so they now return values. Although the |
|
internal software routines can never fail additional hardware versions |
|
might. |
|
[Steve Henson] |
|
|
|
*) Clean up crypto/err/err.h and change some error codes to avoid conflicts: |
|
|
|
Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7 |
|
(= ERR_R_PKCS7_LIB); it is now 64 instead of 32. |
|
|
|
ASN1 error codes |
|
ERR_R_NESTED_ASN1_ERROR |
|
... |
|
ERR_R_MISSING_ASN1_EOS |
|
were 4 .. 9, conflicting with |
|
ERR_LIB_RSA (= ERR_R_RSA_LIB) |
|
... |
|
ERR_LIB_PEM (= ERR_R_PEM_LIB). |
|
They are now 58 .. 63 (i.e., just below ERR_R_FATAL). |
|
|
|
Add new error code 'ERR_R_INTERNAL_ERROR'. |
|
[Bodo Moeller] |
|
|
|
*) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock |
|
suffices. |
|
[Bodo Moeller] |
|
|
|
*) New option '-subj arg' for 'openssl req' and 'openssl ca'. This |
|
sets the subject name for a new request or supersedes the |
|
subject name in a given request. Formats that can be parsed are |
|
'CN=Some Name, OU=myOU, C=IT' |
|
and |
|
'CN=Some Name/OU=myOU/C=IT'. |
|
|
|
Add options '-batch' and '-verbose' to 'openssl req'. |
|
[Massimiliano Pala <madwolf@hackmasters.net>] |
|
|
|
*) Introduce the possibility to access global variables through |
|
functions on platform were that's the best way to handle exporting |
|
global variables in shared libraries. To enable this functionality, |
|
one must configure with "EXPORT_VAR_AS_FN" or defined the C macro |
|
"OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter |
|
is normally done by Configure or something similar). |
|
|
|
To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL |
|
in the source file (foo.c) like this: |
|
|
|
OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1; |
|
OPENSSL_IMPLEMENT_GLOBAL(double,bar); |
|
|
|
To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL |
|
and OPENSSL_GLOBAL_REF in the header file (foo.h) like this: |
|
|
|
OPENSSL_DECLARE_GLOBAL(int,foo); |
|
#define foo OPENSSL_GLOBAL_REF(foo) |
|
OPENSSL_DECLARE_GLOBAL(double,bar); |
|
#define bar OPENSSL_GLOBAL_REF(bar) |
|
|
|
The #defines are very important, and therefore so is including the |
|
header file everywhere where the defined globals are used. |
|
|
|
The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition |
|
of ASN.1 items, but that structure is a bit different. |
|
|
|
The largest change is in util/mkdef.pl which has been enhanced with |
|
better and easier to understand logic to choose which symbols should |
|
go into the Windows .def files as well as a number of fixes and code |
|
cleanup (among others, algorithm keywords are now sorted |
|
lexicographically to avoid constant rewrites). |
|
[Richard Levitte] |
|
|
|
*) In BN_div() keep a copy of the sign of 'num' before writing the |
|
result to 'rm' because if rm==num the value will be overwritten |
|
and produce the wrong result if 'num' is negative: this caused |
|
problems with BN_mod() and BN_nnmod(). |
|
[Steve Henson] |
|
|
|
*) Function OCSP_request_verify(). This checks the signature on an |
|
OCSP request and verifies the signer certificate. The signer |
|
certificate is just checked for a generic purpose and OCSP request |
|
trust settings. |
|
[Steve Henson] |
|
|
|
*) Add OCSP_check_validity() function to check the validity of OCSP |
|
responses. OCSP responses are prepared in real time and may only |
|
be a few seconds old. Simply checking that the current time lies |
|
between thisUpdate and nextUpdate max reject otherwise valid responses |
|
caused by either OCSP responder or client clock inaccuracy. Instead |
|
we allow thisUpdate and nextUpdate to fall within a certain period of |
|
the current time. The age of the response can also optionally be |
|
checked. Two new options -validity_period and -status_age added to |
|
ocsp utility. |
|
[Steve Henson] |
|
|
|
*) If signature or public key algorithm is unrecognized print out its |
|
OID rather that just UNKNOWN. |
|
[Steve Henson] |
|
|
|
*) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and |
|
OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate |
|
ID to be generated from the issuer certificate alone which can then be |
|
passed to OCSP_id_issuer_cmp(). |
|
[Steve Henson] |
|
|
|
*) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new |
|
ASN1 modules to export functions returning ASN1_ITEM pointers |
|
instead of the ASN1_ITEM structures themselves. This adds several |
|
new macros which allow the underlying ASN1 function/structure to |
|
be accessed transparently. As a result code should not use ASN1_ITEM |
|
references directly (such as &X509_it) but instead use the relevant |
|
macros (such as ASN1_ITEM_rptr(X509)). This option is to allow |
|
use of the new ASN1 code on platforms where exporting structures |
|
is problematical (for example in shared libraries) but exporting |
|
functions returning pointers to structures is not. |
|
[Steve Henson] |
|
|
|
*) Add support for overriding the generation of SSL/TLS session IDs. |
|
These callbacks can be registered either in an SSL_CTX or per SSL. |
|
The purpose of this is to allow applications to control, if they wish, |
|
the arbitrary values chosen for use as session IDs, particularly as it |
|
can be useful for session caching in multiple-server environments. A |
|
command-line switch for testing this (and any client code that wishes |
|
to use such a feature) has been added to "s_server". |
|
[Geoff Thorpe, Lutz Jaenicke] |
|
|
|
*) Modify mkdef.pl to recognise and parse preprocessor conditionals |
|
of the form '#if defined(...) || defined(...) || ...' and |
|
'#if !defined(...) && !defined(...) && ...'. This also avoids |
|
the growing number of special cases it was previously handling. |
|
[Richard Levitte] |
|
|
|
*) Make all configuration macros available for application by making |
|
sure they are available in opensslconf.h, by giving them names starting |
|
with "OPENSSL_" to avoid conflicts with other packages and by making |
|
sure e_os2.h will cover all platform-specific cases together with |
|
opensslconf.h. |
|
Additionally, it is now possible to define configuration/platform- |
|
specific names (called "system identities"). In the C code, these |
|
are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another |
|
macro with the name beginning with "OPENSSL_SYS_", which is determined |
|
from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on |
|
what is available. |
|
[Richard Levitte] |
|
|
|
*) New option -set_serial to 'req' and 'x509' this allows the serial |
|
number to use to be specified on the command line. Previously self |
|
signed certificates were hard coded with serial number 0 and the |
|
CA options of 'x509' had to use a serial number in a file which was |
|
auto incremented. |
|
[Steve Henson] |
|
|
|
*) New options to 'ca' utility to support V2 CRL entry extensions. |
|
Currently CRL reason, invalidity date and hold instruction are |
|
supported. Add new CRL extensions to V3 code and some new objects. |
|
[Steve Henson] |
|
|
|
*) New function EVP_CIPHER_CTX_set_padding() this is used to |
|
disable standard block padding (aka PKCS#5 padding) in the EVP |
|
API, which was previously mandatory. This means that the data is |
|
not padded in any way and so the total length much be a multiple |
|
of the block size, otherwise an error occurs. |
|
[Steve Henson] |
|
|
|
*) Initial (incomplete) OCSP SSL support. |
|
[Steve Henson] |
|
|
|
*) New function OCSP_parse_url(). This splits up a URL into its host, |
|
port and path components: primarily to parse OCSP URLs. New -url |
|
option to ocsp utility. |
|
[Steve Henson] |
|
|
|
*) New nonce behavior. The return value of OCSP_check_nonce() now |
|
reflects the various checks performed. Applications can decide |
|
whether to tolerate certain situations such as an absent nonce |
|
in a response when one was present in a request: the ocsp application |
|
just prints out a warning. New function OCSP_add1_basic_nonce() |
|
this is to allow responders to include a nonce in a response even if |
|
the request is nonce-less. |
|
[Steve Henson] |
|
|
|
*) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are |
|
skipped when using openssl x509 multiple times on a single input file, |
|
e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs". |
|
[Bodo Moeller] |
|
|
|
*) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() |
|
set string type: to handle setting ASN1_TIME structures. Fix ca |
|
utility to correctly initialize revocation date of CRLs. |
|
[Steve Henson] |
|
|
|
*) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override |
|
the clients preferred ciphersuites and rather use its own preferences. |
|
Should help to work around M$ SGC (Server Gated Cryptography) bug in |
|
Internet Explorer by ensuring unchanged hash method during stepup. |
|
(Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) |
|
[Lutz Jaenicke] |
|
|
|
*) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael |
|
to aes and add a new 'exist' option to print out symbols that don't |
|
appear to exist. |
|
[Steve Henson] |
|
|
|
*) Additional options to ocsp utility to allow flags to be set and |
|
additional certificates supplied. |
|
[Steve Henson] |
|
|
|
*) Add the option -VAfile to 'openssl ocsp', so the user can give the |
|
OCSP client a number of certificate to only verify the response |
|
signature against. |
|
[Richard Levitte] |
|
|
|
*) Update Rijndael code to version 3.0 and change EVP AES ciphers to |
|
handle the new API. Currently only ECB, CBC modes supported. Add new |
|
AES OIDs. |
|
|
|
Add TLS AES ciphersuites as described in RFC3268, "Advanced |
|
Encryption Standard (AES) Ciphersuites for Transport Layer |
|
Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were |
|
not enabled by default and were not part of the "ALL" ciphersuite |
|
alias because they were not yet official; they could be |
|
explicitly requested by specifying the "AESdraft" ciphersuite |
|
group alias. In the final release of OpenSSL 0.9.7, the group |
|
alias is called "AES" and is part of "ALL".) |
|
[Ben Laurie, Steve Henson, Bodo Moeller] |
|
|
|
*) New function OCSP_copy_nonce() to copy nonce value (if present) from |
|
request to response. |
|
[Steve Henson] |
|
|
|
*) Functions for OCSP responders. OCSP_request_onereq_count(), |
|
OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info() |
|
extract information from a certificate request. OCSP_response_create() |
|
creates a response and optionally adds a basic response structure. |
|
OCSP_basic_add1_status() adds a complete single response to a basic |
|
response and returns the OCSP_SINGLERESP structure just added (to allow |
|
extensions to be included for example). OCSP_basic_add1_cert() adds a |
|
certificate to a basic response and OCSP_basic_sign() signs a basic |
|
response with various flags. New helper functions ASN1_TIME_check() |
|
(checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime() |
|
(converts ASN1_TIME to GeneralizedTime). |
|
[Steve Henson] |
|
|
|
*) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() |
|
in a single operation. X509_get0_pubkey_bitstr() extracts the public_key |
|
structure from a certificate. X509_pubkey_digest() digests the public_key |
|
contents: this is used in various key identifiers. |
|
[Steve Henson] |
|
|
|
*) Make sk_sort() tolerate a NULL argument. |
|
[Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>] |
|
|
|
*) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates |
|
passed by the function are trusted implicitly. If any of them signed the |
|
response then it is assumed to be valid and is not verified. |
|
[Steve Henson] |
|
|
|
*) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT |
|
to data. This was previously part of the PKCS7 ASN1 code. This |
|
was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. |
|
[Steve Henson, reported by Kenneth R. Robinette |
|
<support@securenetterm.com>] |
|
|
|
*) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 |
|
routines: without these tracing memory leaks is very painful. |
|
Fix leaks in PKCS12 and PKCS7 routines. |
|
[Steve Henson] |
|
|
|
*) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). |
|
Previously it initialised the 'type' argument to V_ASN1_UTCTIME which |
|
effectively meant GeneralizedTime would never be used. Now it |
|
is initialised to -1 but X509_time_adj() now has to check the value |
|
and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or |
|
V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime. |
|
[Steve Henson, reported by Kenneth R. Robinette |
|
<support@securenetterm.com>] |
|
|
|
*) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously |
|
result in a zero length in the ASN1_INTEGER structure which was |
|
not consistent with the structure when d2i_ASN1_INTEGER() was used |
|
and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() |
|
to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() |
|
where it did not print out a minus for negative ASN1_INTEGER. |
|
[Steve Henson] |
|
|
|
*) Add summary printout to ocsp utility. The various functions which |
|
convert status values to strings have been renamed to: |
|
OCSP_response_status_str(), OCSP_cert_status_str() and |
|
OCSP_crl_reason_str() and are no longer static. New options |
|
to verify nonce values and to disable verification. OCSP response |
|
printout format cleaned up. |
|
[Steve Henson] |
|
|
|
*) Add additional OCSP certificate checks. These are those specified |
|
in RFC2560. This consists of two separate checks: the CA of the |
|
certificate being checked must either be the OCSP signer certificate |
|
or the issuer of the OCSP signer certificate. In the latter case the |
|
OCSP signer certificate must contain the OCSP signing extended key |
|
usage. This check is performed by attempting to match the OCSP |
|
signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash |
|
in the OCSP_CERTID structures of the response. |
|
[Steve Henson] |
|
|
|
*) Initial OCSP certificate verification added to OCSP_basic_verify() |
|
and related routines. This uses the standard OpenSSL certificate |
|
verify routines to perform initial checks (just CA validity) and |
|
to obtain the certificate chain. Then additional checks will be |
|
performed on the chain. Currently the root CA is checked to see |
|
if it is explicitly trusted for OCSP signing. This is used to set |
|
a root CA as a global signing root: that is any certificate that |
|
chains to that CA is an acceptable OCSP signing certificate. |
|
[Steve Henson] |
|
|
|
*) New '-extfile ...' option to 'openssl ca' for reading X.509v3 |
|
extensions from a separate configuration file. |
|
As when reading extensions from the main configuration file, |
|
the '-extensions ...' option may be used for specifying the |
|
section to use. |
|
[Massimiliano Pala <madwolf@comune.modena.it>] |
|
|
|
*) New OCSP utility. Allows OCSP requests to be generated or |
|
read. The request can be sent to a responder and the output |
|
parsed, outputed or printed in text form. Not complete yet: |
|
still needs to check the OCSP response validity. |
|
[Steve Henson] |
|
|
|
*) New subcommands for 'openssl ca': |
|
'openssl ca -status <serial>' prints the status of the cert with |
|
the given serial number (according to the index file). |
|
'openssl ca -updatedb' updates the expiry status of certificates |
|
in the index file. |
|
[Massimiliano Pala <madwolf@comune.modena.it>] |
|
|
|
*) New '-newreq-nodes' command option to CA.pl. This is like |
|
'-newreq', but calls 'openssl req' with the '-nodes' option |
|
so that the resulting key is not encrypted. |
|
[Damien Miller <djm@mindrot.org>] |
|
|
|
*) New configuration for the GNU Hurd. |
|
[Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte] |
|
|
|
*) Initial code to implement OCSP basic response verify. This |
|
is currently incomplete. Currently just finds the signer's |
|
certificate and verifies the signature on the response. |
|
[Steve Henson] |
|
|
|
*) New SSLeay_version code SSLEAY_DIR to determine the compiled-in |
|
value of OPENSSLDIR. This is available via the new '-d' option |
|
to 'openssl version', and is also included in 'openssl version -a'. |
|
[Bodo Moeller] |
|
|
|
*) Allowing defining memory allocation callbacks that will be given |
|
file name and line number information in additional arguments |
|
(a const char* and an int). The basic functionality remains, as |
|
well as the original possibility to just replace malloc(), |
|
realloc() and free() by functions that do not know about these |
|
additional arguments. To register and find out the current |
|
settings for extended allocation functions, the following |
|
functions are provided: |
|
|
|
CRYPTO_set_mem_ex_functions |
|
CRYPTO_set_locked_mem_ex_functions |
|
CRYPTO_get_mem_ex_functions |
|
CRYPTO_get_locked_mem_ex_functions |
|
|
|
These work the same way as CRYPTO_set_mem_functions and friends. |
|
CRYPTO_get_[locked_]mem_functions now writes 0 where such an |
|
extended allocation function is enabled. |
|
Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where |
|
a conventional allocation function is enabled. |
|
[Richard Levitte, Bodo Moeller] |
|
|
|
*) Finish off removing the remaining LHASH function pointer casts. |
|
There should no longer be any prototype-casting required when using |
|
the LHASH abstraction, and any casts that remain are "bugs". See |
|
the callback types and macros at the head of lhash.h for details |
|
(and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example). |
|
[Geoff Thorpe] |
|
|
|
*) Add automatic query of EGD sockets in RAND_poll() for the unix variant. |
|
If /dev/[u]random devices are not available or do not return enough |
|
entropy, EGD style sockets (served by EGD or PRNGD) will automatically |
|
be queried. |
|
The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and |
|
/etc/entropy will be queried once each in this sequence, quering stops |
|
when enough entropy was collected without querying more sockets. |
|
[Lutz Jaenicke] |
|
|
|
*) Change the Unix RAND_poll() variant to be able to poll several |
|
random devices, as specified by DEVRANDOM, until a sufficient amount |
|
of data has been collected. We spend at most 10 ms on each file |
|
(select timeout) and read in non-blocking mode. DEVRANDOM now |
|
defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom" |
|
(previously it was just the string "/dev/urandom"), so on typical |
|
platforms the 10 ms delay will never occur. |
|
Also separate out the Unix variant to its own file, rand_unix.c. |
|
For VMS, there's a currently-empty rand_vms.c. |
|
[Richard Levitte] |
|
|
|
*) Move OCSP client related routines to ocsp_cl.c. These |
|
provide utility functions which an application needing |
|
to issue a request to an OCSP responder and analyse the |
|
response will typically need: as opposed to those which an |
|
OCSP responder itself would need which will be added later. |
|
|
|
OCSP_request_sign() signs an OCSP request with an API similar |
|
to PKCS7_sign(). OCSP_response_status() returns status of OCSP |
|
response. OCSP_response_get1_basic() extracts basic response |
|
from response. OCSP_resp_find_status(): finds and extracts status |
|
information from an OCSP_CERTID structure (which will be created |
|
when the request structure is built). These are built from lower |
|
level functions which work on OCSP_SINGLERESP structures but |
|
wont normally be used unless the application wishes to examine |
|
extensions in the OCSP response for example. |
|
|
|
Replace nonce routines with a pair of functions. |
|
OCSP_request_add1_nonce() adds a nonce value and optionally |
|
generates a random value. OCSP_check_nonce() checks the |
|
validity of the nonce in an OCSP response. |
|
[Steve Henson] |
|
|
|
*) Change function OCSP_request_add() to OCSP_request_add0_id(). |
|
This doesn't copy the supplied OCSP_CERTID and avoids the |
|
need to free up the newly created id. Change return type |
|
to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. |
|
This can then be used to add extensions to the request. |
|
Deleted OCSP_request_new(), since most of its functionality |
|
is now in OCSP_REQUEST_new() (and the case insensitive name |
|
clash) apart from the ability to set the request name which |
|
will be added elsewhere. |
|
[Steve Henson] |
|
|
|
*) Update OCSP API. Remove obsolete extensions argument from |
|
various functions. Extensions are now handled using the new |
|
OCSP extension code. New simple OCSP HTTP function which |
|
can be used to send requests and parse the response. |
|
[Steve Henson] |
|
|
|
*) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new |
|
ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN |
|
uses the special reorder version of SET OF to sort the attributes |
|
and reorder them to match the encoded order. This resolves a long |
|
standing problem: a verify on a PKCS7 structure just after signing |
|
it used to fail because the attribute order did not match the |
|
encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: |
|
it uses the received order. This is necessary to tolerate some broken |
|
software that does not order SET OF. This is handled by encoding |
|
as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class) |
|
to produce the required SET OF. |
|
[Steve Henson] |
|
|
|
*) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and |
|
OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header |
|
files to get correct declarations of the ASN.1 item variables. |
|
[Richard Levitte] |
|
|
|
*) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many |
|
PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs: |
|
asn1_check_tlen() would sometimes attempt to use 'ctx' when it was |
|
NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i(). |
|
New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant |
|
ASN1_ITEM and no wrapper functions. |
|
[Steve Henson] |
|
|
|
*) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These |
|
replace the old function pointer based I/O routines. Change most of |
|
the *_d2i_bio() and *_d2i_fp() functions to use these. |
|
[Steve Henson] |
|
|
|
*) Enhance mkdef.pl to be more accepting about spacing in C preprocessor |
|
lines, recognice more "algorithms" that can be deselected, and make |
|
it complain about algorithm deselection that isn't recognised. |
|
[Richard Levitte] |
|
|
|
*) New ASN1 functions to handle dup, sign, verify, digest, pack and |
|
unpack operations in terms of ASN1_ITEM. Modify existing wrappers |
|
to use new functions. Add NO_ASN1_OLD which can be set to remove |
|
some old style ASN1 functions: this can be used to determine if old |
|
code will still work when these eventually go away. |
|
[Steve Henson] |
|
|
|
*) New extension functions for OCSP structures, these follow the |
|
same conventions as certificates and CRLs. |
|
[Steve Henson] |
|
|
|
*) New function X509V3_add1_i2d(). This automatically encodes and |
|
adds an extension. Its behaviour can be customised with various |
|
flags to append, replace or delete. Various wrappers added for |
|
certifcates and CRLs. |
|
[Steve Henson] |
|
|
|
*) Fix to avoid calling the underlying ASN1 print routine when |
|
an extension cannot be parsed. Correct a typo in the |
|
OCSP_SERVICELOC extension. Tidy up print OCSP format. |
|
[Steve Henson] |
|
|
|
*) Make mkdef.pl parse some of the ASN1 macros and add apropriate |
|
entries for variables. |
|
[Steve Henson] |
|
|
|
*) Add functionality to apps/openssl.c for detecting locking |
|
problems: As the program is single-threaded, all we have |
|
to do is register a locking callback using an array for |
|
storing which locks are currently held by the program. |
|
[Bodo Moeller] |
|
|
|
*) Use a lock around the call to CRYPTO_get_ex_new_index() in |
|
SSL_get_ex_data_X509_STORE_idx(), which is used in |
|
ssl_verify_cert_chain() and thus can be called at any time |
|
during TLS/SSL handshakes so that thread-safety is essential. |
|
Unfortunately, the ex_data design is not at all suited |
|
for multi-threaded use, so it probably should be abolished. |
|
[Bodo Moeller] |
|
|
|
*) Added Broadcom "ubsec" ENGINE to OpenSSL. |
|
[Broadcom, tweaked and integrated by Geoff Thorpe] |
|
|
|
*) Move common extension printing code to new function |
|
X509V3_print_extensions(). Reorganise OCSP print routines and |
|
implement some needed OCSP ASN1 functions. Add OCSP extensions. |
|
[Steve Henson] |
|
|
|
*) New function X509_signature_print() to remove duplication in some |
|
print routines. |
|
[Steve Henson] |
|
|
|
*) Add a special meaning when SET OF and SEQUENCE OF flags are both |
|
set (this was treated exactly the same as SET OF previously). This |
|
is used to reorder the STACK representing the structure to match the |
|
encoding. This will be used to get round a problem where a PKCS7 |
|
structure which was signed could not be verified because the STACK |
|
order did not reflect the encoded order. |
|
[Steve Henson] |
|
|
|
*) Reimplement the OCSP ASN1 module using the new code. |
|
[Steve Henson] |
|
|
|
*) Update the X509V3 code to permit the use of an ASN1_ITEM structure |
|
for its ASN1 operations. The old style function pointers still exist |
|
for now but they will eventually go away. |
|
[Steve Henson] |
|
|
|
*) Merge in replacement ASN1 code from the ASN1 branch. This almost |
|
completely replaces the old ASN1 functionality with a table driven |
|
encoder and decoder which interprets an ASN1_ITEM structure describing |
|
the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is |
|
largely maintained. Almost all of the old asn1_mac.h macro based ASN1 |
|
has also been converted to the new form. |
|
[Steve Henson] |
|
|
|
*) Change BN_mod_exp_recp so that negative moduli are tolerated |
|
(the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set |
|
so that BN_mod_exp_mont and BN_mod_exp_mont_word work |
|
for negative moduli. |
|
[Bodo Moeller] |
|
|
|
*) Fix BN_uadd and BN_usub: Always return non-negative results instead |
|
of not touching the result's sign bit. |
|
[Bodo Moeller] |
|
|
|
*) BN_div bugfix: If the result is 0, the sign (res->neg) must not be |
|
set. |
|
[Bodo Moeller] |
|
|
|
*) Changed the LHASH code to use prototypes for callbacks, and created |
|
macros to declare and implement thin (optionally static) functions |
|
that provide type-safety and avoid function pointer casting for the |
|
type-specific callbacks. |
|
[Geoff Thorpe] |
|
|
|
*) Added Kerberos Cipher Suites to be used with TLS, as written in |
|
RFC 2712. |
|
[Veers Staats <staatsvr@asc.hpc.mil>, |
|
Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte] |
|
|
|
*) Reformat the FAQ so the different questions and answers can be divided |
|
in sections depending on the subject. |
|
[Richard Levitte] |
|
|
|
*) Have the zlib compression code load ZLIB.DLL dynamically under |
|
Windows. |
|
[Richard Levitte] |
|
|
|
*) New function BN_mod_sqrt for computing square roots modulo a prime |
|
(using the probabilistic Tonelli-Shanks algorithm unless |
|
p == 3 (mod 4) or p == 5 (mod 8), which are cases that can |
|
be handled deterministically). |
|
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller] |
|
|
|
*) Make BN_mod_inverse faster by explicitly handling small quotients |
|
in the Euclid loop. (Speed gain about 20% for small moduli [256 or |
|
512 bits], about 30% for larger ones [1024 or 2048 bits].) |
|
[Bodo Moeller] |
|
|
|
*) New function BN_kronecker. |
|
[Bodo Moeller] |
|
|
|
*) Fix BN_gcd so that it works on negative inputs; the result is |
|
positive unless both parameters are zero. |
|
Previously something reasonably close to an infinite loop was |
|
possible because numbers could be growing instead of shrinking |
|
in the implementation of Euclid's algorithm. |
|
[Bodo Moeller] |
|
|
|
*) Fix BN_is_word() and BN_is_one() macros to take into account the |
|
sign of the number in question. |
|
|
|
Fix BN_is_word(a,w) to work correctly for w == 0. |
|
|
|
The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w) |
|
because its test if the absolute value of 'a' equals 'w'. |
|
Note that BN_abs_is_word does *not* handle w == 0 reliably; |
|
it exists mostly for use in the implementations of BN_is_zero(), |
|
BN_is_one(), and BN_is_word(). |
|
[Bodo Moeller] |
|
|
|
*) New function BN_swap. |
|
[Bodo Moeller] |
|
|
|
*) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that |
|
the exponentiation functions are more likely to produce reasonable |
|
results on negative inputs. |
|
[Bodo Moeller] |
|
|
|
*) Change BN_mod_mul so that the result is always non-negative. |
|
Previously, it could be negative if one of the factors was negative; |
|
I don't think anyone really wanted that behaviour. |
|
[Bodo Moeller] |
|
|
|
*) Move BN_mod_... functions into new file crypto/bn/bn_mod.c |
|
(except for exponentiation, which stays in crypto/bn/bn_exp.c, |
|
and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c) |
|
and add new functions: |
|
|
|
BN_nnmod |
|
BN_mod_sqr |
|
BN_mod_add |
|
BN_mod_add_quick |
|
BN_mod_sub |
|
BN_mod_sub_quick |
|
BN_mod_lshift1 |
|
BN_mod_lshift1_quick |
|
BN_mod_lshift |
|
BN_mod_lshift_quick |
|
|
|
These functions always generate non-negative results. |
|
|
|
BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r |
|
such that |m| < r < 0, BN_nnmod will output rem + |m| instead). |
|
|
|
BN_mod_XXX_quick(r, a, [b,] m) generates the same result as |
|
BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b] |
|
be reduced modulo m. |
|
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller] |
|
|
|
#if 0 |
|
The following entry accidentily appeared in the CHANGES file |
|
distributed with OpenSSL 0.9.7. The modifications described in |
|
it do *not* apply to OpenSSL 0.9.7. |
|
|
|
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there |
|
was actually never needed) and in BN_mul(). The removal in BN_mul() |
|
required a small change in bn_mul_part_recursive() and the addition |
|
of the functions bn_cmp_part_words(), bn_sub_part_words() and |
|
bn_add_part_words(), which do the same thing as bn_cmp_words(), |
|
bn_sub_words() and bn_add_words() except they take arrays with |
|
differing sizes. |
|
[Richard Levitte] |
|
#endif |
|
|
|
*) In 'openssl passwd', verify passwords read from the terminal |
|
unless the '-salt' option is used (which usually means that |
|
verification would just waste user's time since the resulting |
|
hash is going to be compared with some given password hash) |
|
or the new '-noverify' option is used. |
|
|
|
This is an incompatible change, but it does not affect |
|
non-interactive use of 'openssl passwd' (passwords on the command |
|
line, '-stdin' option, '-in ...' option) and thus should not |
|
cause any problems. |
|
[Bodo Moeller] |
|
|
|
*) Remove all references to RSAref, since there's no more need for it. |
|
[Richard Levitte] |
|
|
|
*) Make DSO load along a path given through an environment variable |
|
(SHLIB_PATH) with shl_load(). |
|
[Richard Levitte] |
|
|
|
*) Constify the ENGINE code as a result of BIGNUM constification. |
|
Also constify the RSA code and most things related to it. In a |
|
few places, most notable in the depth of the ASN.1 code, ugly |
|
casts back to non-const were required (to be solved at a later |
|
time) |
|
[Richard Levitte] |
|
|
|
*) Make it so the openssl application has all engines loaded by default. |
|
[Richard Levitte] |
|
|
|
*) Constify the BIGNUM routines a little more. |
|
[Richard Levitte] |
|
|
|
*) Add the following functions: |
|
|
|
ENGINE_load_cswift() |
|
ENGINE_load_chil() |
|
ENGINE_load_atalla() |
|
ENGINE_load_nuron() |
|
ENGINE_load_builtin_engines() |
|
|
|
That way, an application can itself choose if external engines that |
|
are built-in in OpenSSL shall ever be used or not. The benefit is |
|
that applications won't have to be linked with libdl or other dso |
|
libraries unless it's really needed. |
|
|
|
Changed 'openssl engine' to load all engines on demand. |
|
Changed the engine header files to avoid the duplication of some |
|
declarations (they differed!). |
|
[Richard Levitte] |
|
|
|
*) 'openssl engine' can now list capabilities. |
|
[Richard Levitte] |
|
|
|
*) Better error reporting in 'openssl engine'. |
|
[Richard Levitte] |
|
|
|
*) Never call load_dh_param(NULL) in s_server. |
|
[Bodo Moeller] |
|
|
|
*) Add engine application. It can currently list engines by name and |
|
identity, and test if they are actually available. |
|
[Richard Levitte] |
|
|
|
*) Improve RPM specification file by forcing symbolic linking and making |
|
sure the installed documentation is also owned by root.root. |
|
[Damien Miller <djm@mindrot.org>] |
|
|
|
*) Give the OpenSSL applications more possibilities to make use of |
|
keys (public as well as private) handled by engines. |
|
[Richard Levitte] |
|
|
|
*) Add OCSP code that comes from CertCo. |
|
[Richard Levitte] |
|
|
|
*) Add VMS support for the Rijndael code. |
|
[Richard Levitte] |
|
|
|
*) Added untested support for Nuron crypto accelerator. |
|
[Ben Laurie] |
|
|
|
*) Add support for external cryptographic devices. This code was |
|
previously distributed separately as the "engine" branch. |
|
[Geoff Thorpe, Richard Levitte] |
|
|
|
*) Rework the filename-translation in the DSO code. It is now possible to |
|
have far greater control over how a "name" is turned into a filename |
|
depending on the operating environment and any oddities about the |
|
different shared library filenames on each system. |
|
[Geoff Thorpe] |
|
|
|
*) Support threads on FreeBSD-elf in Configure. |
|
[Richard Levitte] |
|
|
|
*) Fix for SHA1 assembly problem with MASM: it produces |
|
warnings about corrupt line number information when assembling |
|
with debugging information. This is caused by the overlapping |
|
of two sections. |
|
[Bernd Matthes <mainbug@celocom.de>, Steve Henson] |
|
|
|
*) NCONF changes. |
|
NCONF_get_number() has no error checking at all. As a replacement, |
|
NCONF_get_number_e() is defined (_e for "error checking") and is |
|
promoted strongly. The old NCONF_get_number is kept around for |
|
binary backward compatibility. |
|
Make it possible for methods to load from something other than a BIO, |
|
by providing a function pointer that is given a name instead of a BIO. |
|
For example, this could be used to load configuration data from an |
|
LDAP server. |
|
[Richard Levitte] |
|
|
|
*) Fix for non blocking accept BIOs. Added new I/O special reason |
|
BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs |
|
with non blocking I/O was not possible because no retry code was |
|
implemented. Also added new SSL code SSL_WANT_ACCEPT to cover |
|
this case. |
|
[Steve Henson] |
|
|
|
*) Added the beginnings of Rijndael support. |
|
[Ben Laurie] |
|
|
|
*) Fix for bug in DirectoryString mask setting. Add support for |
|
X509_NAME_print_ex() in 'req' and X509_print_ex() function |
|
to allow certificate printing to more controllable, additional |
|
'certopt' option to 'x509' to allow new printing options to be |
|
set. |
|
[Steve Henson] |
|
|
|
*) Clean old EAY MD5 hack from e_os.h. |
|
[Richard Levitte] |
|
|
|
Changes between 0.9.6l and 0.9.6m [17 Mar 2004] |
|
|
|
*) Fix null-pointer assignment in do_change_cipher_spec() revealed |
|
by using the Codenomicon TLS Test Tool (CVE-2004-0079) |
|
[Joe Orton, Steve Henson] |
|
|
|
Changes between 0.9.6k and 0.9.6l [04 Nov 2003] |
|
|
|
*) Fix additional bug revealed by the NISCC test suite: |
|
|
|
Stop bug triggering large recursion when presented with |
|
certain ASN.1 tags (CVE-2003-0851) |
|
[Steve Henson] |
|
|
|
Changes between 0.9.6j and 0.9.6k [30 Sep 2003] |
|
|
|
*) Fix various bugs revealed by running the NISCC test suite: |
|
|
|
Stop out of bounds reads in the ASN1 code when presented with |
|
invalid tags (CVE-2003-0543 and CVE-2003-0544). |
|
|
|
If verify callback ignores invalid public key errors don't try to check |
|
certificate signature with the NULL public key. |
|
|
|
[Steve Henson] |
|
|
|
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate |
|
if the server requested one: as stated in TLS 1.0 and SSL 3.0 |
|
specifications. |
|
[Steve Henson] |
|
|
|
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional |
|
extra data after the compression methods not only for TLS 1.0 |
|
but also for SSL 3.0 (as required by the specification). |
|
[Bodo Moeller; problem pointed out by Matthias Loepfe] |
|
|
|
*) Change X509_certificate_type() to mark the key as exported/exportable |
|
when it's 512 *bits* long, not 512 bytes. |
|
[Richard Levitte] |
|
|
|
Changes between 0.9.6i and 0.9.6j [10 Apr 2003] |
|
|
|
*) Countermeasure against the Klima-Pokorny-Rosa extension of |
|
Bleichbacher's attack on PKCS #1 v1.5 padding: treat |
|
a protocol version number mismatch like a decryption error |
|
in ssl3_get_client_key_exchange (ssl/s3_srvr.c). |
|
[Bodo Moeller] |
|
|
|
*) Turn on RSA blinding by default in the default implementation |
|
to avoid a timing attack. Applications that don't want it can call |
|
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. |
|
They would be ill-advised to do so in most cases. |
|
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] |
|
|
|
*) Change RSA blinding code so that it works when the PRNG is not |
|
seeded (in this case, the secret RSA exponent is abused as |
|
an unpredictable seed -- if it is not unpredictable, there |
|
is no point in blinding anyway). Make RSA blinding thread-safe |
|
by remembering the creator's thread ID in rsa->blinding and |
|
having all other threads use local one-time blinding factors |
|
(this requires more computation than sharing rsa->blinding, but |
|
avoids excessive locking; and if an RSA object is not shared |
|
between threads, blinding will still be very fast). |
|
[Bodo Moeller] |
|
|
|
Changes between 0.9.6h and 0.9.6i [19 Feb 2003] |
|
|
|
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked |
|
via timing by performing a MAC computation even if incorrrect |
|
block cipher padding has been found. This is a countermeasure |
|
against active attacks where the attacker has to distinguish |
|
between bad padding and a MAC verification error. (CVE-2003-0078) |
|
|
|
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL), |
|
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and |
|
Martin Vuagnoux (EPFL, Ilion)] |
|
|
|
Changes between 0.9.6g and 0.9.6h [5 Dec 2002] |
|
|
|
*) New function OPENSSL_cleanse(), which is used to cleanse a section of |
|
memory from it's contents. This is done with a counter that will |
|
place alternating values in each byte. This can be used to solve |
|
two issues: 1) the removal of calls to memset() by highly optimizing |
|
compilers, and 2) cleansing with other values than 0, since those can |
|
be read through on certain media, for example a swap space on disk. |
|
[Geoff Thorpe] |
|
|
|
*) Bugfix: client side session caching did not work with external caching, |
|
because the session->cipher setting was not restored when reloading |
|
from the external cache. This problem was masked, when |
|
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. |
|
(Found by Steve Haslam <steve@araqnid.ddts.net>.) |
|
[Lutz Jaenicke] |
|
|
|
*) Fix client_certificate (ssl/s2_clnt.c): The permissible total |
|
length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. |
|
[Zeev Lieber <zeev-l@yahoo.com>] |
|
|
|
*) Undo an undocumented change introduced in 0.9.6e which caused |
|
repeated calls to OpenSSL_add_all_ciphers() and |
|
OpenSSL_add_all_digests() to be ignored, even after calling |
|
EVP_cleanup(). |
|
[Richard Levitte] |
|
|
|
*) Change the default configuration reader to deal with last line not |
|
being properly terminated. |
|
[Richard Levitte] |
|
|
|
*) Change X509_NAME_cmp() so it applies the special rules on handling |
|
DN values that are of type PrintableString, as well as RDNs of type |
|
emailAddress where the value has the type ia5String. |
|
[stefank@valicert.com via Richard Levitte] |
|
|
|
*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half |
|
the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently |
|
doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be |
|
the bitwise-OR of the two for use by the majority of applications |
|
wanting this behaviour, and update the docs. The documented |
|
behaviour and actual behaviour were inconsistent and had been |
|
changing anyway, so this is more a bug-fix than a behavioural |
|
change. |
|
[Geoff Thorpe, diagnosed by Nadav Har'El] |
|
|
|
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c |
|
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). |
|
[Bodo Moeller] |
|
|
|
*) Fix initialization code race conditions in |
|
SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), |
|
SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), |
|
SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), |
|
TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), |
|
ssl2_get_cipher_by_char(), |
|
ssl3_get_cipher_by_char(). |
|
[Patrick McCormick <patrick@tellme.com>, Bodo Moeller] |
|
|
|
*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after |
|
the cached sessions are flushed, as the remove_cb() might use ex_data |
|
contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com> |
|
(see [openssl.org #212]). |
|
[Geoff Thorpe, Lutz Jaenicke] |
|
|
|
*) Fix typo in OBJ_txt2obj which incorrectly passed the content |
|
length, instead of the encoding length to d2i_ASN1_OBJECT. |
|
[Steve Henson] |
|
|
|
Changes between 0.9.6f and 0.9.6g [9 Aug 2002] |
|
|
|
*) [In 0.9.6g-engine release:] |
|
Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall'). |
|
[Lynn Gazis <lgazis@rainbow.com>] |
|
|
|
Changes between 0.9.6e and 0.9.6f [8 Aug 2002] |
|
|
|
*) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX |
|
and get fix the header length calculation. |
|
[Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, |
|
Alon Kantor <alonk@checkpoint.com> (and others), |
|
Steve Henson] |
|
|
|
*) Use proper error handling instead of 'assertions' in buffer |
|
overflow checks added in 0.9.6e. This prevents DoS (the |
|
assertions could call abort()). |
|
[Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller] |
|
|
|
Changes between 0.9.6d and 0.9.6e [30 Jul 2002] |
|
|
|
*) Add various sanity checks to asn1_get_length() to reject |
|
the ASN1 length bytes if they exceed sizeof(long), will appear |
|
negative or the content length exceeds the length of the |
|
supplied buffer. |
|
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] |
|
|
|
*) Fix cipher selection routines: ciphers without encryption had no flags |
|
for the cipher strength set and where therefore not handled correctly |
|
by the selection routines (PR #130). |
|
[Lutz Jaenicke] |
|
|
|
*) Fix EVP_dsa_sha macro. |
|
[Nils Larsch] |
|
|
|
*) New option |
|
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
|
for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure |
|
that was added in OpenSSL 0.9.6d. |
|
|
|
As the countermeasure turned out to be incompatible with some |
|
broken SSL implementations, the new option is part of SSL_OP_ALL. |
|
SSL_OP_ALL is usually employed when compatibility with weird SSL |
|
implementations is desired (e.g. '-bugs' option to 's_client' and |
|
's_server'), so the new option is automatically set in many |
|
applications. |
|
[Bodo Moeller] |
|
|
|
*) Changes in security patch: |
|
|
|
Changes marked "(CHATS)" were sponsored by the Defense Advanced |
|
Research Projects Agency (DARPA) and Air Force Research Laboratory, |
|
Air Force Materiel Command, USAF, under agreement number |
|
F30602-01-2-0537. |
|
|
|
*) Add various sanity checks to asn1_get_length() to reject |
|
the ASN1 length bytes if they exceed sizeof(long), will appear |
|
negative or the content length exceeds the length of the |
|
supplied buffer. (CVE-2002-0659) |
|
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] |
|
|
|
*) Assertions for various potential buffer overflows, not known to |
|
happen in practice. |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Various temporary buffers to hold ASCII versions of integers were |
|
too small for 64 bit platforms. (CVE-2002-0655) |
|
[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)> |
|
|
|
*) Remote buffer overflow in SSL3 protocol - an attacker could |
|
supply an oversized session ID to a client. (CVE-2002-0656) |
|
[Ben Laurie (CHATS)] |
|
|
|
*) Remote buffer overflow in SSL2 protocol - an attacker could |
|
supply an oversized client master key. (CVE-2002-0656) |
|
[Ben Laurie (CHATS)] |
|
|
|
Changes between 0.9.6c and 0.9.6d [9 May 2002] |
|
|
|
*) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not |
|
encoded as NULL) with id-dsa-with-sha1. |
|
[Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller] |
|
|
|
*) Check various X509_...() return values in apps/req.c. |
|
[Nils Larsch <nla@trustcenter.de>] |
|
|
|
*) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: |
|
an end-of-file condition would erronously be flagged, when the CRLF |
|
was just at the end of a processed block. The bug was discovered when |
|
processing data through a buffering memory BIO handing the data to a |
|
BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov |
|
<ptsekov@syntrex.com> and Nedelcho Stanev. |
|
[Lutz Jaenicke] |
|
|
|
*) Implement a countermeasure against a vulnerability recently found |
|
in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment |
|
before application data chunks to avoid the use of known IVs |
|
with data potentially chosen by the attacker. |
|
[Bodo Moeller] |
|
|
|
*) Fix length checks in ssl3_get_client_hello(). |
|
[Bodo Moeller] |
|
|
|
*) TLS/SSL library bugfix: use s->s3->in_read_app_data differently |
|
to prevent ssl3_read_internal() from incorrectly assuming that |
|
ssl3_read_bytes() found application data while handshake |
|
processing was enabled when in fact s->s3->in_read_app_data was |
|
merely automatically cleared during the initial handshake. |
|
[Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>] |
|
|
|
*) Fix object definitions for Private and Enterprise: they were not |
|
recognized in their shortname (=lowercase) representation. Extend |
|
obj_dat.pl to issue an error when using undefined keywords instead |
|
of silently ignoring the problem (Svenning Sorensen |
|
<sss@sss.dnsalias.net>). |
|
[Lutz Jaenicke] |
|
|
|
*) Fix DH_generate_parameters() so that it works for 'non-standard' |
|
generators, i.e. generators other than 2 and 5. (Previously, the |
|
code did not properly initialise the 'add' and 'rem' values to |
|
BN_generate_prime().) |
|
|
|
In the new general case, we do not insist that 'generator' is |
|
actually a primitive root: This requirement is rather pointless; |
|
a generator of the order-q subgroup is just as good, if not |
|
better. |
|
[Bodo Moeller] |
|
|
|
*) Map new X509 verification errors to alerts. Discovered and submitted by |
|
Tom Wu <tom@arcot.com>. |
|
[Lutz Jaenicke] |
|
|
|
*) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from |
|
returning non-zero before the data has been completely received |
|
when using non-blocking I/O. |
|
[Bodo Moeller; problem pointed out by John Hughes] |
|
|
|
*) Some of the ciphers missed the strength entry (SSL_LOW etc). |
|
[Ben Laurie, Lutz Jaenicke] |
|
|
|
*) Fix bug in SSL_clear(): bad sessions were not removed (found by |
|
Yoram Zahavi <YoramZ@gilian.com>). |
|
[Lutz Jaenicke] |
|
|
|
*) Add information about CygWin 1.3 and on, and preserve proper |
|
configuration for the versions before that. |
|
[Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] |
|
|
|
*) Make removal from session cache (SSL_CTX_remove_session()) more robust: |
|
check whether we deal with a copy of a session and do not delete from |
|
the cache in this case. Problem reported by "Izhar Shoshani Levi" |
|
<izhar@checkpoint.com>. |
|
[Lutz Jaenicke] |
|
|
|
*) Do not store session data into the internal session cache, if it |
|
is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP |
|
flag is set). Proposed by Aslam <aslam@funk.com>. |
|
[Lutz Jaenicke] |
|
|
|
*) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested |
|
value is 0. |
|
[Richard Levitte] |
|
|
|
*) [In 0.9.6d-engine release:] |
|
Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). |
|
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte] |
|
|
|
*) Add the configuration target linux-s390x. |
|
[Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte] |
|
|
|
*) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of |
|
ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag |
|
variable as an indication that a ClientHello message has been |
|
received. As the flag value will be lost between multiple |
|
invocations of ssl3_accept when using non-blocking I/O, the |
|
function may not be aware that a handshake has actually taken |
|
place, thus preventing a new session from being added to the |
|
session cache. |
|
|
|
To avoid this problem, we now set s->new_session to 2 instead of |
|
using a local variable. |
|
[Lutz Jaenicke, Bodo Moeller] |
|
|
|
*) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c) |
|
if the SSL_R_LENGTH_MISMATCH error is detected. |
|
[Geoff Thorpe, Bodo Moeller] |
|
|
|
*) New 'shared_ldflag' column in Configure platform table. |
|
[Richard Levitte] |
|
|
|
*) Fix EVP_CIPHER_mode macro. |
|
["Dan S. Camper" <dan@bti.net>] |
|
|
|
*) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown |
|
type, we must throw them away by setting rr->length to 0. |
|
[D P Chang <dpc@qualys.com>] |
|
|
|
Changes between 0.9.6b and 0.9.6c [21 dec 2001] |
|
|
|
*) Fix BN_rand_range bug pointed out by Dominikus Scherkl |
|
<Dominikus.Scherkl@biodata.com>. (The previous implementation |
|
worked incorrectly for those cases where range = 10..._2 and |
|
3*range is two bits longer than range.) |
|
[Bodo Moeller] |
|
|
|
*) Only add signing time to PKCS7 structures if it is not already |
|
present. |
|
[Steve Henson] |
|
|
|
*) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", |
|
OBJ_ld_ce should be OBJ_id_ce. |
|
Also some ip-pda OIDs in crypto/objects/objects.txt were |
|
incorrect (cf. RFC 3039). |
|
[Matt Cooper, Frederic Giudicelli, Bodo Moeller] |
|
|
|
*) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() |
|
returns early because it has nothing to do. |
|
[Andy Schneider <andy.schneider@bjss.co.uk>] |
|
|
|
*) [In 0.9.6c-engine release:] |
|
Fix mutex callback return values in crypto/engine/hw_ncipher.c. |
|
[Andy Schneider <andy.schneider@bjss.co.uk>] |
|
|
|
*) [In 0.9.6c-engine release:] |
|
Add support for Cryptographic Appliance's keyserver technology. |
|
(Use engine 'keyclient') |
|
[Cryptographic Appliances and Geoff Thorpe] |
|
|
|
*) Add a configuration entry for OS/390 Unix. The C compiler 'c89' |
|
is called via tools/c89.sh because arguments have to be |
|
rearranged (all '-L' options must appear before the first object |
|
modules). |
|
[Richard Shapiro <rshapiro@abinitio.com>] |
|
|
|
*) [In 0.9.6c-engine release:] |
|
Add support for Broadcom crypto accelerator cards, backported |
|
from 0.9.7. |
|
[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox] |
|
|
|
*) [In 0.9.6c-engine release:] |
|
Add support for SureWare crypto accelerator cards from |
|
Baltimore Technologies. (Use engine 'sureware') |
|
[Baltimore Technologies and Mark Cox] |
|
|
|
*) [In 0.9.6c-engine release:] |
|
Add support for crypto accelerator cards from Accelerated |
|
Encryption Processing, www.aep.ie. (Use engine 'aep') |
|
[AEP Inc. and Mark Cox] |
|
|
|
*) Add a configuration entry for gcc on UnixWare. |
|
[Gary Benson <gbenson@redhat.com>] |
|
|
|
*) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake |
|
messages are stored in a single piece (fixed-length part and |
|
variable-length part combined) and fix various bugs found on the way. |
|
[Bodo Moeller] |
|
|
|
*) Disable caching in BIO_gethostbyname(), directly use gethostbyname() |
|
instead. BIO_gethostbyname() does not know what timeouts are |
|
appropriate, so entries would stay in cache even when they have |
|
become invalid. |
|
[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com> |
|
|
|
*) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when |
|
faced with a pathologically small ClientHello fragment that does |
|
not contain client_version: Instead of aborting with an error, |
|
simply choose the highest available protocol version (i.e., |
|
TLS 1.0 unless it is disabled). In practice, ClientHello |
|
messages are never sent like this, but this change gives us |
|
strictly correct behaviour at least for TLS. |
|
[Bodo Moeller] |
|
|
|
*) Fix SSL handshake functions and SSL_clear() such that SSL_clear() |
|
never resets s->method to s->ctx->method when called from within |
|
one of the SSL handshake functions. |
|
[Bodo Moeller; problem pointed out by Niko Baric] |
|
|
|
*) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert |
|
(sent using the client's version number) if client_version is |
|
smaller than the protocol version in use. Also change |
|
ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if |
|
the client demanded SSL 3.0 but only TLS 1.0 is enabled; then |
|
the client will at least see that alert. |
|
[Bodo Moeller] |
|
|
|
*) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation |
|
correctly. |
|
[Bodo Moeller] |
|
|
|
*) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a |
|
client receives HelloRequest while in a handshake. |
|
[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>] |
|
|
|
*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C |
|
should end in 'break', not 'goto end' which circuments various |
|
cleanups done in state SSL_ST_OK. But session related stuff |
|
must be disabled for SSL_ST_OK in the case that we just sent a |
|
HelloRequest. |
|
|
|
Also avoid some overhead by not calling ssl_init_wbio_buffer() |
|
before just sending a HelloRequest. |
|
[Bodo Moeller, Eric Rescorla <ekr@rtfm.com>] |
|
|
|
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't |
|
reveal whether illegal block cipher padding was found or a MAC |
|
verification error occured. (Neither SSLerr() codes nor alerts |
|
are directly visible to potential attackers, but the information |
|
may leak via logfiles.) |
|
|
|
Similar changes are not required for the SSL 2.0 implementation |
|
because the number of padding bytes is sent in clear for SSL 2.0, |
|
and the extra bytes are just ignored. However ssl/s2_pkt.c |
|
failed to verify that the purported number of padding bytes is in |
|
the legal range. |
|
[Bodo Moeller] |
|
|
|
*) Add OpenUNIX-8 support including shared libraries |
|
(Boyd Lynn Gerber <gerberb@zenez.com>). |
|
[Lutz Jaenicke] |
|
|
|
*) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid |
|
'wristwatch attack' using huge encoding parameters (cf. |
|
James H. Manger's CRYPTO 2001 paper). Note that the |
|
RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use |
|
encoding parameters and hence was not vulnerable. |
|
[Bodo Moeller] |
|
|
|
*) BN_sqr() bug fix. |
|
[Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>] |
|
|
|
*) Rabin-Miller test analyses assume uniformly distributed witnesses, |
|
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() |
|
followed by modular reduction. |
|
[Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>] |
|
|
|
*) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() |
|
equivalent based on BN_pseudo_rand() instead of BN_rand(). |
|
[Bodo Moeller] |
|
|
|
*) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). |
|
This function was broken, as the check for a new client hello message |
|
to handle SGC did not allow these large messages. |
|
(Tracked down by "Douglas E. Engert" <deengert@anl.gov>.) |
|
[Lutz Jaenicke] |
|
|
|
*) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). |
|
[Lutz Jaenicke] |
|
|
|
*) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() |
|
for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>). |
|
[Lutz Jaenicke] |
|
|
|
*) Rework the configuration and shared library support for Tru64 Unix. |
|
The configuration part makes use of modern compiler features and |
|
still retains old compiler behavior for those that run older versions |
|
of the OS. The shared library support part includes a variant that |
|
uses the RPATH feature, and is available through the special |
|
configuration target "alpha-cc-rpath", which will never be selected |
|
automatically. |
|
[Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte] |
|
|
|
*) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() |
|
with the same message size as in ssl3_get_certificate_request(). |
|
Otherwise, if no ServerKeyExchange message occurs, CertificateRequest |
|
messages might inadvertently be reject as too long. |
|
[Petr Lampa <lampa@fee.vutbr.cz>] |
|
|
|
*) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). |
|
[Andy Polyakov] |
|
|
|
*) Modified SSL library such that the verify_callback that has been set |
|
specificly for an SSL object with SSL_set_verify() is actually being |
|
used. Before the change, a verify_callback set with this function was |
|
ignored and the verify_callback() set in the SSL_CTX at the time of |
|
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced |
|
to allow the necessary settings. |
|
[Lutz Jaenicke] |
|
|
|
*) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c |
|
explicitly to NULL, as at least on Solaris 8 this seems not always to be |
|
done automatically (in contradiction to the requirements of the C |
|
standard). This made problems when used from OpenSSH. |
|
[Lutz Jaenicke] |
|
|
|
*) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored |
|
dh->length and always used |
|
|
|
BN_rand_range(priv_key, dh->p). |
|
|
|
BN_rand_range() is not necessary for Diffie-Hellman, and this |
|
specific range makes Diffie-Hellman unnecessarily inefficient if |
|
dh->length (recommended exponent length) is much smaller than the |
|
length of dh->p. We could use BN_rand_range() if the order of |
|
the subgroup was stored in the DH structure, but we only have |
|
dh->length. |
|
|
|
So switch back to |
|
|
|
BN_rand(priv_key, l, ...) |
|
|
|
where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 |
|
otherwise. |
|
[Bodo Moeller] |
|
|
|
*) In |
|
|
|
RSA_eay_public_encrypt |
|
RSA_eay_private_decrypt |
|
RSA_eay_private_encrypt (signing) |
|
RSA_eay_public_decrypt (signature verification) |
|
|
|
(default implementations for RSA_public_encrypt, |
|
RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt), |
|
always reject numbers >= n. |
|
[Bodo Moeller] |
|
|
|
*) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2 |
|
to synchronize access to 'locking_thread'. This is necessary on |
|
systems where access to 'locking_thread' (an 'unsigned long' |
|
variable) is not atomic. |
|
[Bodo Moeller] |
|
|
|
*) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID |
|
*before* setting the 'crypto_lock_rand' flag. The previous code had |
|
a race condition if 0 is a valid thread ID. |
|
[Travis Vitek <vitek@roguewave.com>] |
|
|
|
*) Add support for shared libraries under Irix. |
|
[Albert Chin-A-Young <china@thewrittenword.com>] |
|
|
|
*) Add configuration option to build on Linux on both big-endian and |
|
little-endian MIPS. |
|
[Ralf Baechle <ralf@uni-koblenz.de>] |
|
|
|
*) Add the possibility to create shared libraries on HP-UX. |
|
[Richard Levitte] |
|
|
|
Changes between 0.9.6a and 0.9.6b [9 Jul 2001] |
|
|
|
*) Change ssleay_rand_bytes (crypto/rand/md_rand.c) |
|
to avoid a SSLeay/OpenSSL PRNG weakness pointed out by |
|
Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: |
|
PRNG state recovery was possible based on the output of |
|
one PRNG request appropriately sized to gain knowledge on |
|
'md' followed by enough consecutive 1-byte PRNG requests |
|
to traverse all of 'state'. |
|
|
|
1. When updating 'md_local' (the current thread's copy of 'md') |
|
during PRNG output generation, hash all of the previous |
|
'md_local' value, not just the half used for PRNG output. |
|
|
|
2. Make the number of bytes from 'state' included into the hash |
|
independent from the number of PRNG bytes requested. |
|
|
|
The first measure alone would be sufficient to avoid |
|
Markku-Juhani's attack. (Actually it had never occurred |
|
to me that the half of 'md_local' used for chaining was the |
|
half from which PRNG output bytes were taken -- I had always |
|
assumed that the secret half would be used.) The second |
|
measure makes sure that additional data from 'state' is never |
|
mixed into 'md_local' in small portions; this heuristically |
|
further strengthens the PRNG. |
|
[Bodo Moeller] |
|
|
|
*) Fix crypto/bn/asm/mips3.s. |
|
[Andy Polyakov] |
|
|
|
*) When only the key is given to "enc", the IV is undefined. Print out |
|
an error message in this case. |
|
[Lutz Jaenicke] |
|
|
|
*) Handle special case when X509_NAME is empty in X509 printing routines. |
|
[Steve Henson] |
|
|
|
*) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are |
|
positive and less than q. |
|
[Bodo Moeller] |
|
|
|
*) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is |
|
used: it isn't thread safe and the add_lock_callback should handle |
|
that itself. |
|
[Paul Rose <Paul.Rose@bridge.com>] |
|
|
|
*) Verify that incoming data obeys the block size in |
|
ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c). |
|
[Bodo Moeller] |
|
|
|
*) Fix OAEP check. |
|
[Ulf Möller, Bodo Möller] |
|
|
|
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 |
|
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 |
|
when fixing the server behaviour for backwards-compatible 'client |
|
hello' messages. (Note that the attack is impractical against |
|
SSL 3.0 and TLS 1.0 anyway because length and version checking |
|
means that the probability of guessing a valid ciphertext is |
|
around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 |
|
paper.) |
|
|
|
Before 0.9.5, the countermeasure (hide the error by generating a |
|
random 'decryption result') did not work properly because |
|
ERR_clear_error() was missing, meaning that SSL_get_error() would |
|
detect the supposedly ignored error. |
|
|
|
Both problems are now fixed. |
|
[Bodo Moeller] |
|
|
|
*) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 |
|
(previously it was 1024). |
|
[Bodo Moeller] |
|
|
|
*) Fix for compatibility mode trust settings: ignore trust settings |
|
unless some valid trust or reject settings are present. |
|
[Steve Henson] |
|
|
|
*) Fix for blowfish EVP: its a variable length cipher. |
|
[Steve Henson] |
|
|
|
*) Fix various bugs related to DSA S/MIME verification. Handle missing |
|
parameters in DSA public key structures and return an error in the |
|
DSA routines if parameters are absent. |
|
[Steve Henson] |
|
|
|
*) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd" |
|
in the current directory if neither $RANDFILE nor $HOME was set. |
|
RAND_file_name() in 0.9.6a returned NULL in this case. This has |
|
caused some confusion to Windows users who haven't defined $HOME. |
|
Thus RAND_file_name() is changed again: e_os.h can define a |
|
DEFAULT_HOME, which will be used if $HOME is not set. |
|
For Windows, we use "C:"; on other platforms, we still require |
|
environment variables. |
|
|
|
*) Move 'if (!initialized) RAND_poll()' into regions protected by |
|
CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids |
|
having multiple threads call RAND_poll() concurrently. |
|
[Bodo Moeller] |
|
|
|
*) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a |
|
combination of a flag and a thread ID variable. |
|
Otherwise while one thread is in ssleay_rand_bytes (which sets the |
|
flag), *other* threads can enter ssleay_add_bytes without obeying |
|
the CRYPTO_LOCK_RAND lock (and may even illegally release the lock |
|
that they do not hold after the first thread unsets add_do_not_lock). |
|
[Bodo Moeller] |
|
|
|
*) Change bctest again: '-x' expressions are not available in all |
|
versions of 'test'. |
|
[Bodo Moeller] |
|
|
|
Changes between 0.9.6 and 0.9.6a [5 Apr 2001] |
|
|
|
*) Fix a couple of memory leaks in PKCS7_dataDecode() |
|
[Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>] |
|
|
|
*) Change Configure and Makefiles to provide EXE_EXT, which will contain |
|
the default extension for executables, if any. Also, make the perl |
|
scripts that use symlink() to test if it really exists and use "cp" |
|
if it doesn't. All this made OpenSSL compilable and installable in |
|
CygWin. |
|
[Richard Levitte] |
|
|
|
*) Fix for asn1_GetSequence() for indefinite length constructed data. |
|
If SEQUENCE is length is indefinite just set c->slen to the total |
|
amount of data available. |
|
[Steve Henson, reported by shige@FreeBSD.org] |
|
[This change does not apply to 0.9.7.] |
|
|
|
*) Change bctest to avoid here-documents inside command substitution |
|
(workaround for FreeBSD /bin/sh bug). |
|
For compatibility with Ultrix, avoid shell functions (introduced |
|
in the bctest version that searches along $PATH). |
|
[Bodo Moeller] |
|
|
|
*) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes |
|
with des_encrypt() defined on some operating systems, like Solaris |
|
and UnixWare. |
|
[Richard Levitte] |
|
|
|
*) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: |
|
On the Importance of Eliminating Errors in Cryptographic |
|
Computations, J. Cryptology 14 (2001) 2, 101-119, |
|
http://theory.stanford.edu/~dabo/papers/faults.ps.gz). |
|
[Ulf Moeller] |
|
|
|
*) MIPS assembler BIGNUM division bug fix. |
|
[Andy Polyakov] |
|
|
|
*) Disabled incorrect Alpha assembler code. |
|
[Richard Levitte] |
|
|
|
*) Fix PKCS#7 decode routines so they correctly update the length |
|
after reading an EOC for the EXPLICIT tag. |
|
[Steve Henson] |
|
[This change does not apply to 0.9.7.] |
|
|
|
*) Fix bug in PKCS#12 key generation routines. This was triggered |
|
if a 3DES key was generated with a 0 initial byte. Include |
|
PKCS12_BROKEN_KEYGEN compilation option to retain the old |
|
(but broken) behaviour. |
|
[Steve Henson] |
|
|
|
*) Enhance bctest to search for a working bc along $PATH and print |
|
it when found. |
|
[Tim Rice <tim@multitalents.net> via Richard Levitte] |
|
|
|
*) Fix memory leaks in err.c: free err_data string if necessary; |
|
don't write to the wrong index in ERR_set_error_data. |
|
[Bodo Moeller] |
|
|
|
*) Implement ssl23_peek (analogous to ssl23_read), which previously |
|
did not exist. |
|
[Bodo Moeller] |
|
|
|
*) Replace rdtsc with _emit statements for VC++ version 5. |
|
[Jeremy Cooper <jeremy@baymoo.org>] |
|
|
|
*) Make it possible to reuse SSLv2 sessions. |
|
[Richard Levitte] |
|
|
|
*) In copy_email() check for >= 0 as a return value for |
|
X509_NAME_get_index_by_NID() since 0 is a valid index. |
|
[Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>] |
|
|
|
*) Avoid coredump with unsupported or invalid public keys by checking if |
|
X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when |
|
PKCS7_verify() fails with non detached data. |
|
[Steve Henson] |
|
|
|
*) Don't use getenv in library functions when run as setuid/setgid. |
|
New function OPENSSL_issetugid(). |
|
[Ulf Moeller] |
|
|
|
*) Avoid false positives in memory leak detection code (crypto/mem_dbg.c) |
|
due to incorrect handling of multi-threading: |
|
|
|
1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl(). |
|
|
|
2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). |
|
|
|
3. Count how many times MemCheck_off() has been called so that |
|
nested use can be treated correctly. This also avoids |
|
inband-signalling in the previous code (which relied on the |
|
assumption that thread ID 0 is impossible). |
|
[Bodo Moeller] |
|
|
|
*) Add "-rand" option also to s_client and s_server. |
|
[Lutz Jaenicke] |
|
|
|
*) Fix CPU detection on Irix 6.x. |
|
[Kurt Hockenbury <khockenb@stevens-tech.edu> and |
|
"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] |
|
|
|
*) Fix X509_NAME bug which produced incorrect encoding if X509_NAME |
|
was empty. |
|
[Steve Henson] |
|
[This change does not apply to 0.9.7.] |
|
|
|
*) Use the cached encoding of an X509_NAME structure rather than |
|
copying it. This is apparently the reason for the libsafe "errors" |
|
but the code is actually correct. |
|
[Steve Henson] |
|
|
|
*) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent |
|
Bleichenbacher's DSA attack. |
|
Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits |
|
to be set and top=0 forces the highest bit to be set; top=-1 is new |
|
and leaves the highest bit random. |
|
[Ulf Moeller, Bodo Moeller] |
|
|
|
*) In the NCONF_...-based implementations for CONF_... queries |
|
(crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using |
|
a temporary CONF structure with the data component set to NULL |
|
(which gives segmentation faults in lh_retrieve). |
|
Instead, use NULL for the CONF pointer in CONF_get_string and |
|
CONF_get_number (which may use environment variables) and directly |
|
return NULL from CONF_get_section. |
|
[Bodo Moeller] |
|
|
|
*) Fix potential buffer overrun for EBCDIC. |
|
[Ulf Moeller] |
|
|
|
*) Tolerate nonRepudiation as being valid for S/MIME signing and certSign |
|
keyUsage if basicConstraints absent for a CA. |
|
[Steve Henson] |
|
|
|
*) Make SMIME_write_PKCS7() write mail header values with a format that |
|
is more generally accepted (no spaces before the semicolon), since |
|
some programs can't parse those values properly otherwise. Also make |
|
sure BIO's that break lines after each write do not create invalid |
|
headers. |
|
[Richard Levitte] |
|
|
|
*) Make the CRL encoding routines work with empty SEQUENCE OF. The |
|
macros previously used would not encode an empty SEQUENCE OF |
|
and break the signature. |
|
[Steve Henson] |
|
[This change does not apply to 0.9.7.] |
|
|
|
*) Zero the premaster secret after deriving the master secret in |
|
DH ciphersuites. |
|
[Steve Henson] |
|
|
|
*) Add some EVP_add_digest_alias registrations (as found in |
|
OpenSSL_add_all_digests()) to SSL_library_init() |
|
aka OpenSSL_add_ssl_algorithms(). This provides improved |
|
compatibility with peers using X.509 certificates |
|
with unconventional AlgorithmIdentifier OIDs. |
|
[Bodo Moeller] |
|
|
|
*) Fix for Irix with NO_ASM. |
|
["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] |
|
|
|
*) ./config script fixes. |
|
[Ulf Moeller, Richard Levitte] |
|
|
|
*) Fix 'openssl passwd -1'. |
|
[Bodo Moeller] |
|
|
|
*) Change PKCS12_key_gen_asc() so it can cope with non null |
|
terminated strings whose length is passed in the passlen |
|
parameter, for example from PEM callbacks. This was done |
|
by adding an extra length parameter to asc2uni(). |
|
[Steve Henson, reported by <oddissey@samsung.co.kr>] |
|
|
|
*) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn |
|
call failed, free the DSA structure. |
|
[Bodo Moeller] |
|
|
|
*) Fix to uni2asc() to cope with zero length Unicode strings. |
|
These are present in some PKCS#12 files. |
|
[Steve Henson] |
|
|
|
*) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). |
|
Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits |
|
when writing a 32767 byte record. |
|
[Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] |
|
|
|
*) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), |
|
obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. |
|
|
|
(RSA objects have a reference count access to which is protected |
|
by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], |
|
so they are meant to be shared between threads.) |
|
[Bodo Moeller, Geoff Thorpe; original patch submitted by |
|
"Reddie, Steven" <Steven.Reddie@ca.com>] |
|
|
|
*) Fix a deadlock in CRYPTO_mem_leaks(). |
|
[Bodo Moeller] |
|
|
|
*) Use better test patterns in bntest. |
|
[Ulf Möller] |
|
|
|
*) rand_win.c fix for Borland C. |
|
[Ulf Möller] |
|
|
|
*) BN_rshift bugfix for n == 0. |
|
[Bodo Moeller] |
|
|
|
*) Add a 'bctest' script that checks for some known 'bc' bugs |
|
so that 'make test' does not abort just because 'bc' is broken. |
|
[Bodo Moeller] |
|
|
|
*) Store verify_result within SSL_SESSION also for client side to |
|
avoid potential security hole. (Re-used sessions on the client side |
|
always resulted in verify_result==X509_V_OK, not using the original |
|
result of the server certificate verification.) |
|
[Lutz Jaenicke] |
|
|
|
*) Fix ssl3_pending: If the record in s->s3->rrec is not of type |
|
SSL3_RT_APPLICATION_DATA, return 0. |
|
Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. |
|
[Bodo Moeller] |
|
|
|
*) Fix SSL_peek: |
|
Both ssl2_peek and ssl3_peek, which were totally broken in earlier |
|
releases, have been re-implemented by renaming the previous |
|
implementations of ssl2_read and ssl3_read to ssl2_read_internal |
|
and ssl3_read_internal, respectively, and adding 'peek' parameters |
|
to them. The new ssl[23]_{read,peek} functions are calls to |
|
ssl[23]_read_internal with the 'peek' flag set appropriately. |
|
A 'peek' parameter has also been added to ssl3_read_bytes, which |
|
does the actual work for ssl3_read_internal. |
|
[Bodo Moeller] |
|
|
|
*) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling |
|
the method-specific "init()" handler. Also clean up ex_data after |
|
calling the method-specific "finish()" handler. Previously, this was |
|
happening the other way round. |
|
[Geoff Thorpe] |
|
|
|
*) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. |
|
The previous value, 12, was not always sufficient for BN_mod_exp(). |
|
[Bodo Moeller] |
|
|
|
*) Make sure that shared libraries get the internal name engine with |
|
the full version number and not just 0. This should mark the |
|
shared libraries as not backward compatible. Of course, this should |
|
be changed again when we can guarantee backward binary compatibility. |
|
[Richard Levitte] |
|
|
|
*) Fix typo in get_cert_by_subject() in by_dir.c |
|
[Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>] |
|
|
|
*) Rework the system to generate shared libraries: |
|
|
|
- Make note of the expected extension for the shared libraries and |
|
if there is a need for symbolic links from for example libcrypto.so.0 |
|
to libcrypto.so.0.9.7. There is extended info in Configure for |
|
that. |
|
|
|
- Make as few rebuilds of the shared libraries as possible. |
|
|
|
- Still avoid linking the OpenSSL programs with the shared libraries. |
|
|
|
- When installing, install the shared libraries separately from the |
|
static ones. |
|
[Richard Levitte] |
|
|
|
*) Fix SSL_CTX_set_read_ahead macro to actually use its argument. |
|
|
|
Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new |
|
and not in SSL_clear because the latter is also used by the |
|
accept/connect functions; previously, the settings made by |
|
SSL_set_read_ahead would be lost during the handshake. |
|
[Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>] |
|
|
|
*) Correct util/mkdef.pl to be selective about disabled algorithms. |
|
Previously, it would create entries for disableed algorithms no |
|
matter what. |
|
[Richard Levitte] |
|
|
|
*) Added several new manual pages for SSL_* function. |
|
[Lutz Jaenicke] |
|
|
|
Changes between 0.9.5a and 0.9.6 [24 Sep 2000] |
|
|
|
*) In ssl23_get_client_hello, generate an error message when faced |
|
with an initial SSL 3.0/TLS record that is too small to contain the |
|
first two bytes of the ClientHello message, i.e. client_version. |
|
(Note that this is a pathologic case that probably has never happened |
|
in real life.) The previous approach was to use the version number |
|
from the record header as a substitute; but our protocol choice |
|
should not depend on that one because it is not authenticated |
|
by the Finished messages. |
|
[Bodo Moeller] |
|
|
|
*) More robust randomness gathering functions for Windows. |
|
[Jeffrey Altman <jaltman@columbia.edu>] |
|
|
|
*) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is |
|
not set then we don't setup the error code for issuer check errors |
|
to avoid possibly overwriting other errors which the callback does |
|
handle. If an application does set the flag then we assume it knows |
|
what it is doing and can handle the new informational codes |
|
appropriately. |
|
[Steve Henson] |
|
|
|
*) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for |
|
a general "ANY" type, as such it should be able to decode anything |
|
including tagged types. However it didn't check the class so it would |
|
wrongly interpret tagged types in the same way as their universal |
|
counterpart and unknown types were just rejected. Changed so that the |
|
tagged and unknown types are handled in the same way as a SEQUENCE: |
|
that is the encoding is stored intact. There is also a new type |
|
"V_ASN1_OTHER" which is used when the class is not universal, in this |
|
case we have no idea what the actual type is so we just lump them all |
|
together. |
|
[Steve Henson] |
|
|
|
*) On VMS, stdout may very well lead to a file that is written to |
|
in a record-oriented fashion. That means that every write() will |
|
write a separate record, which will be read separately by the |
|
programs trying to read from it. This can be very confusing. |
|
|
|
The solution is to put a BIO filter in the way that will buffer |
|
text until a linefeed is reached, and then write everything a |
|
line at a time, so every record written will be an actual line, |
|
not chunks of lines and not (usually doesn't happen, but I've |
|
seen it once) several lines in one record. BIO_f_linebuffer() is |
|
the answer. |
|
|
|
Currently, it's a VMS-only method, because that's where it has |
|
been tested well enough. |
|
[Richard Levitte] |
|
|
|
*) Remove 'optimized' squaring variant in BN_mod_mul_montgomery, |
|
it can return incorrect results. |
|
(Note: The buggy variant was not enabled in OpenSSL 0.9.5a, |
|
but it was in 0.9.6-beta[12].) |
|
[Bodo Moeller] |
|
|
|
*) Disable the check for content being present when verifying detached |
|
signatures in pk7_smime.c. Some versions of Netscape (wrongly) |
|
include zero length content when signing messages. |
|
[Steve Henson] |
|
|
|
*) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR |
|
BIO_ctrl (for BIO pairs). |
|
[Bodo Möller] |
|
|
|
*) Add DSO method for VMS. |
|
[Richard Levitte] |
|
|
|
*) Bug fix: Montgomery multiplication could produce results with the |
|
wrong sign. |
|
[Ulf Möller] |
|
|
|
*) Add RPM specification openssl.spec and modify it to build three |
|
packages. The default package contains applications, application |
|
documentation and run-time libraries. The devel package contains |
|
include files, static libraries and function documentation. The |
|
doc package contains the contents of the doc directory. The original |
|
openssl.spec was provided by Damien Miller <djm@mindrot.org>. |
|
[Richard Levitte] |
|
|
|
*) Add a large number of documentation files for many SSL routines. |
|
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] |
|
|
|
*) Add a configuration entry for Sony News 4. |
|
[NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>] |
|
|
|
*) Don't set the two most significant bits to one when generating a |
|
random number < q in the DSA library. |
|
[Ulf Möller] |
|
|
|
*) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default |
|
behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if |
|
the underlying transport is blocking) if a handshake took place. |
|
(The default behaviour is needed by applications such as s_client |
|
and s_server that use select() to determine when to use SSL_read; |
|
but for applications that know in advance when to expect data, it |
|
just makes things more complicated.) |
|
[Bodo Moeller] |
|
|
|
*) Add RAND_egd_bytes(), which gives control over the number of bytes read |
|
from EGD. |
|
[Ben Laurie] |
|
|
|
*) Add a few more EBCDIC conditionals that make `req' and `x509' |
|
work better on such systems. |
|
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] |
|
|
|
*) Add two demo programs for PKCS12_parse() and PKCS12_create(). |
|
Update PKCS12_parse() so it copies the friendlyName and the |
|
keyid to the certificates aux info. |
|
[Steve Henson] |
|
|
|
*) Fix bug in PKCS7_verify() which caused an infinite loop |
|
if there was more than one signature. |
|
[Sven Uszpelkat <su@celocom.de>] |
|
|
|
*) Major change in util/mkdef.pl to include extra information |
|
about each symbol, as well as presentig variables as well |
|
as functions. This change means that there's n more need |
|
to rebuild the .num files when some algorithms are excluded. |
|
[Richard Levitte] |
|
|
|
*) Allow the verify time to be set by an application, |
|
rather than always using the current time. |
|
[Steve Henson] |
|
|
|
*) Phase 2 verify code reorganisation. The certificate |
|
verify code now looks up an issuer certificate by a |
|
number of criteria: subject name, authority key id |
|
and key usage. It also verifies self signed certificates |
|
by the same criteria. The main comparison function is |
|
X509_check_issued() which performs these checks. |
|
|
|
Lot of changes were necessary in order to support this |
|
without completely rewriting the lookup code. |
|
|
|
Authority and subject key identifier are now cached. |
|
|
|
The LHASH 'certs' is X509_STORE has now been replaced |
|
by a STACK_OF(X509_OBJECT). This is mainly because an |
|
LHASH can't store or retrieve multiple objects with |
|
the same hash value. |
|
|
|
As a result various functions (which were all internal |
|
use only) have changed to handle the new X509_STORE |
|
structure. This will break anything that messed round |
|
with X509_STORE internally. |
|
|
|
The functions X509_STORE_add_cert() now checks for an |
|
exact match, rather than just subject name. |
|
|
|
The X509_STORE API doesn't directly support the retrieval |
|
of multiple certificates matching a given criteria, however |
|
this can be worked round by performing a lookup first |
|
(which will fill the cache with candidate certificates) |
|
and then examining the cache for matches. This is probably |
|
the best we can do without throwing out X509_LOOKUP |
|
entirely (maybe later...). |
|
|
|
The X509_VERIFY_CTX structure has been enhanced considerably. |
|
|
|
All certificate lookup operations now go via a get_issuer() |
|
callback. Although this currently uses an X509_STORE it |
|
can be replaced by custom lookups. This is a simple way |
|
to bypass the X509_STORE hackery necessary to make this |
|
work and makes it possible to use more efficient techniques |
|
in future. A very simple version which uses a simple |
|
STACK for its trusted certificate store is also provided |
|
using X509_STORE_CTX_trusted_stack(). |
|
|
|
The verify_cb() and verify() callbacks now have equivalents |
|
in the X509_STORE_CTX structure. |
|
|
|
X509_STORE_CTX also has a 'flags' field which can be used |
|
to customise the verify behaviour. |
|
[Steve Henson] |
|
|
|
*) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which |
|
excludes S/MIME capabilities. |
|
[Steve Henson] |
|
|
|
*) When a certificate request is read in keep a copy of the |
|
original encoding of the signed data and use it when outputing |
|
again. Signatures then use the original encoding rather than |
|
a decoded, encoded version which may cause problems if the |
|
request is improperly encoded. |
|
[Steve Henson] |
|
|
|
*) For consistency with other BIO_puts implementations, call |
|
buffer_write(b, ...) directly in buffer_puts instead of calling |
|
BIO_write(b, ...). |
|
|
|
In BIO_puts, increment b->num_write as in BIO_write. |
|
[Peter.Sylvester@EdelWeb.fr] |
|
|
|
*) Fix BN_mul_word for the case where the word is 0. (We have to use |
|
BN_zero, we may not return a BIGNUM with an array consisting of |
|
words set to zero.) |
|
[Bodo Moeller] |
|
|
|
*) Avoid calling abort() from within the library when problems are |
|
detected, except if preprocessor symbols have been defined |
|
(such as REF_CHECK, BN_DEBUG etc.). |
|
[Bodo Moeller] |
|
|
|
*) New openssl application 'rsautl'. This utility can be |
|
used for low level RSA operations. DER public key |
|
BIO/fp routines also added. |
|
[Steve Henson] |
|
|
|
*) New Configure entry and patches for compiling on QNX 4. |
|
[Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>] |
|
|
|
*) A demo state-machine implementation was sponsored by |
|
Nuron (http://www.nuron.com/) and is now available in |
|
demos/state_machine. |
|
[Ben Laurie] |
|
|
|
*) New options added to the 'dgst' utility for signature |
|
generation and verification. |
|
[Steve Henson] |
|
|
|
*) Unrecognized PKCS#7 content types are now handled via a |
|
catch all ASN1_TYPE structure. This allows unsupported |
|
types to be stored as a "blob" and an application can |
|
encode and decode it manually. |
|
[Steve Henson] |
|
|
|
*) Fix various signed/unsigned issues to make a_strex.c |
|
compile under VC++. |
|
[Oscar Jacobsson <oscar.jacobsson@celocom.com>] |
|
|
|
*) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct |
|
length if passed a buffer. ASN1_INTEGER_to_BN failed |
|
if passed a NULL BN and its argument was negative. |
|
[Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>] |
|
|
|
*) Modification to PKCS#7 encoding routines to output definite |
|
length encoding. Since currently the whole structures are in |
|
memory there's not real point in using indefinite length |
|
constructed encoding. However if OpenSSL is compiled with |
|
the flag PKCS7_INDEFINITE_ENCODING the old form is used. |
|
[Steve Henson] |
|
|
|
*) Added BIO_vprintf() and BIO_vsnprintf(). |
|
[Richard Levitte] |
|
|
|
*) Added more prefixes to parse for in the the strings written |
|
through a logging bio, to cover all the levels that are available |
|
through syslog. The prefixes are now: |
|
|
|
PANIC, EMERG, EMR => LOG_EMERG |
|
ALERT, ALR => LOG_ALERT |
|
CRIT, CRI => LOG_CRIT |
|
ERROR, ERR => LOG_ERR |
|
WARNING, WARN, WAR => LOG_WARNING |
|
NOTICE, NOTE, NOT => LOG_NOTICE |
|
INFO, INF => LOG_INFO |
|
DEBUG, DBG => LOG_DEBUG |
|
|
|
and as before, if none of those prefixes are present at the |
|
beginning of the string, LOG_ERR is chosen. |
|
|
|
On Win32, the LOG_* levels are mapped according to this: |
|
|
|
LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE |
|
LOG_WARNING => EVENTLOG_WARNING_TYPE |
|
LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE |
|
|
|
[Richard Levitte] |
|
|
|
*) Made it possible to reconfigure with just the configuration |
|
argument "reconf" or "reconfigure". The command line arguments |
|
are stored in Makefile.ssl in the variable CONFIGURE_ARGS, |
|
and are retrieved from there when reconfiguring. |
|
[Richard Levitte] |
|
|
|
*) MD4 implemented. |
|
[Assar Westerlund <assar@sics.se>, Richard Levitte] |
|
|
|
*) Add the arguments -CAfile and -CApath to the pkcs12 utility. |
|
[Richard Levitte] |
|
|
|
*) The obj_dat.pl script was messing up the sorting of object |
|
names. The reason was that it compared the quoted version |
|
of strings as a result "OCSP" > "OCSP Signing" because |
|
" > SPACE. Changed script to store unquoted versions of |
|
names and add quotes on output. It was also omitting some |
|
names from the lookup table if they were given a default |
|
value (that is if SN is missing it is given the same |
|
value as LN and vice versa), these are now added on the |
|
grounds that if an object has a name we should be able to |
|
look it up. Finally added warning output when duplicate |
|
short or long names are found. |
|
[Steve Henson] |
|
|
|
*) Changes needed for Tandem NSK. |
|
[Scott Uroff <scott@xypro.com>] |
|
|
|
*) Fix SSL 2.0 rollback checking: Due to an off-by-one error in |
|
RSA_padding_check_SSLv23(), special padding was never detected |
|
and thus the SSL 3.0/TLS 1.0 countermeasure against protocol |
|
version rollback attacks was not effective. |
|
|
|
In s23_clnt.c, don't use special rollback-attack detection padding |
|
(RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the |
|
client; similarly, in s23_srvr.c, don't do the rollback check if |
|
SSL 2.0 is the only protocol enabled in the server. |
|
[Bodo Moeller] |
|
|
|
*) Make it possible to get hexdumps of unprintable data with 'openssl |
|
asn1parse'. By implication, the functions ASN1_parse_dump() and |
|
BIO_dump_indent() are added. |
|
[Richard Levitte] |
|
|
|
*) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() |
|
these print out strings and name structures based on various |
|
flags including RFC2253 support and proper handling of |
|
multibyte characters. Added options to the 'x509' utility |
|
to allow the various flags to be set. |
|
[Steve Henson] |
|
|
|
*) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. |
|
Also change the functions X509_cmp_current_time() and |
|
X509_gmtime_adj() work with an ASN1_TIME structure, |
|
this will enable certificates using GeneralizedTime in validity |
|
dates to be checked. |
|
[Steve Henson] |
|
|
|
*) Make the NEG_PUBKEY_BUG code (which tolerates invalid |
|
negative public key encodings) on by default, |
|
NO_NEG_PUBKEY_BUG can be set to disable it. |
|
[Steve Henson] |
|
|
|
*) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT |
|
content octets. An i2c_ASN1_OBJECT is unnecessary because |
|
the encoding can be trivially obtained from the structure. |
|
[Steve Henson] |
|
|
|
*) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock), |
|
not read locks (CRYPTO_r_[un]lock). |
|
[Bodo Moeller] |
|
|
|
*) A first attempt at creating official support for shared |
|
libraries through configuration. I've kept it so the |
|
default is static libraries only, and the OpenSSL programs |
|
are always statically linked for now, but there are |
|
preparations for dynamic linking in place. |
|
This has been tested on Linux and Tru64. |
|
[Richard Levitte] |
|
|
|
*) Randomness polling function for Win9x, as described in: |
|
Peter Gutmann, Software Generation of Practically Strong |
|
Random Numbers. |
|
[Ulf Möller] |
|
|
|
*) Fix so PRNG is seeded in req if using an already existing |
|
DSA key. |
|
[Steve Henson] |
|
|
|
*) New options to smime application. -inform and -outform |
|
allow alternative formats for the S/MIME message including |
|
PEM and DER. The -content option allows the content to be |
|
specified separately. This should allow things like Netscape |
|
form signing output easier to verify. |
|
[Steve Henson] |
|
|
|
*) Fix the ASN1 encoding of tags using the 'long form'. |
|
[Steve Henson] |
|
|
|
*) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT |
|
STRING types. These convert content octets to and from the |
|
underlying type. The actual tag and length octets are |
|
already assumed to have been read in and checked. These |
|
are needed because all other string types have virtually |
|
identical handling apart from the tag. By having versions |
|
of the ASN1 functions that just operate on content octets |
|
IMPLICIT tagging can be handled properly. It also allows |
|
the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED |
|
and ASN1_INTEGER are identical apart from the tag. |
|
[Steve Henson] |
|
|
|
*) Change the handling of OID objects as follows: |
|
|
|
- New object identifiers are inserted in objects.txt, following |
|
the syntax given in objects.README. |
|
- objects.pl is used to process obj_mac.num and create a new |
|
obj_mac.h. |
|
- obj_dat.pl is used to create a new obj_dat.h, using the data in |
|
obj_mac.h. |
|
|
|
This is currently kind of a hack, and the perl code in objects.pl |
|
isn't very elegant, but it works as I intended. The simplest way |
|
to check that it worked correctly is to look in obj_dat.h and |
|
check the array nid_objs and make sure the objects haven't moved |
|
around (this is important!). Additions are OK, as well as |
|
consistent name changes. |
|
[Richard Levitte] |
|
|
|
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). |
|
[Bodo Moeller] |
|
|
|
*) Addition of the command line parameter '-rand file' to 'openssl req'. |
|
The given file adds to whatever has already been seeded into the |
|
random pool through the RANDFILE configuration file option or |
|
environment variable, or the default random state file. |
|
[Richard Levitte] |
|
|
|
*) mkstack.pl now sorts each macro group into lexical order. |
|
Previously the output order depended on the order the files |
|
appeared in the directory, resulting in needless rewriting |
|
of safestack.h . |
|
[Steve Henson] |
|
|
|
*) Patches to make OpenSSL compile under Win32 again. Mostly |
|
work arounds for the VC++ problem that it treats func() as |
|
func(void). Also stripped out the parts of mkdef.pl that |
|
added extra typesafe functions: these no longer exist. |
|
[Steve Henson] |
|
|
|
*) Reorganisation of the stack code. The macros are now all |
|
collected in safestack.h . Each macro is defined in terms of |
|
a "stack macro" of the form SKM_<name>(type, a, b). The |
|
DEBUG_SAFESTACK is now handled in terms of function casts, |
|
this has the advantage of retaining type safety without the |
|
use of additional functions. If DEBUG_SAFESTACK is not defined |
|
then the non typesafe macros are used instead. Also modified the |
|
mkstack.pl script to handle the new form. Needs testing to see |
|
if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK |
|
the default if no major problems. Similar behaviour for ASN1_SET_OF |
|
and PKCS12_STACK_OF. |
|
[Steve Henson] |
|
|
|
*) When some versions of IIS use the 'NET' form of private key the |
|
key derivation algorithm is different. Normally MD5(password) is |
|
used as a 128 bit RC4 key. In the modified case |
|
MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some |
|
new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same |
|
as the old Netscape_RSA functions except they have an additional |
|
'sgckey' parameter which uses the modified algorithm. Also added |
|
an -sgckey command line option to the rsa utility. Thanks to |
|
Adrian Peck <bertie@ncipher.com> for posting details of the modified |
|
algorithm to openssl-dev. |
|
[Steve Henson] |
|
|
|
*) The evp_local.h macros were using 'c.##kname' which resulted in |
|
invalid expansion on some systems (SCO 5.0.5 for example). |
|
Corrected to 'c.kname'. |
|
[Phillip Porch <root@theporch.com>] |
|
|
|
*) New X509_get1_email() and X509_REQ_get1_email() functions that return |
|
a STACK of email addresses from a certificate or request, these look |
|
in the subject name and the subject alternative name extensions and |
|
omit any duplicate addresses. |
|
[Steve Henson] |
|
|
|
*) Re-implement BN_mod_exp2_mont using independent (and larger) windows. |
|
This makes DSA verification about 2 % faster. |
|
[Bodo Moeller] |
|
|
|
*) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5 |
|
(meaning that now 2^5 values will be precomputed, which is only 4 KB |
|
plus overhead for 1024 bit moduli). |
|
This makes exponentiations about 0.5 % faster for 1024 bit |
|
exponents (as measured by "openssl speed rsa2048"). |
|
[Bodo Moeller] |
|
|
|
*) Rename memory handling macros to avoid conflicts with other |
|
software: |
|
Malloc => OPENSSL_malloc |
|
Malloc_locked => OPENSSL_malloc_locked |
|
Realloc => OPENSSL_realloc |
|
Free => OPENSSL_free |
|
[Richard Levitte] |
|
|
|
*) New function BN_mod_exp_mont_word for small bases (roughly 15% |
|
faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange). |
|
[Bodo Moeller] |
|
|
|
*) CygWin32 support. |
|
[John Jarvie <jjarvie@newsguy.com>] |
|
|
|
*) The type-safe stack code has been rejigged. It is now only compiled |
|
in when OpenSSL is configured with the DEBUG_SAFESTACK option and |
|
by default all type-specific stack functions are "#define"d back to |
|
standard stack functions. This results in more streamlined output |
|
but retains the type-safety checking possibilities of the original |
|
approach. |
|
[Geoff Thorpe] |
|
|
|
*) The STACK code has been cleaned up, and certain type declarations |
|
that didn't make a lot of sense have been brought in line. This has |
|
also involved a cleanup of sorts in safestack.h to more correctly |
|
map type-safe stack functions onto their plain stack counterparts. |
|
This work has also resulted in a variety of "const"ifications of |
|
lots of the code, especially "_cmp" operations which should normally |
|
be prototyped with "const" parameters anyway. |
|
[Geoff Thorpe] |
|
|
|
*) When generating bytes for the first time in md_rand.c, 'stir the pool' |
|
by seeding with STATE_SIZE dummy bytes (with zero entropy count). |
|
(The PRNG state consists of two parts, the large pool 'state' and 'md', |
|
where all of 'md' is used each time the PRNG is used, but 'state' |
|
is used only indexed by a cyclic counter. As entropy may not be |
|
well distributed from the beginning, 'md' is important as a |
|
chaining variable. However, the output function chains only half |
|
of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains |
|
all of 'md', and seeding with STATE_SIZE dummy bytes will result |
|
in all of 'state' being rewritten, with the new values depending |
|
on virtually all of 'md'. This overcomes the 80 bit limitation.) |
|
[Bodo Moeller] |
|
|
|
*) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when |
|
the handshake is continued after ssl_verify_cert_chain(); |
|
otherwise, if SSL_VERIFY_NONE is set, remaining error codes |
|
can lead to 'unexplainable' connection aborts later. |
|
[Bodo Moeller; problem tracked down by Lutz Jaenicke] |
|
|
|
*) Major EVP API cipher revision. |
|
Add hooks for extra EVP features. This allows various cipher |
|
parameters to be set in the EVP interface. Support added for variable |
|
key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and |
|
setting of RC2 and RC5 parameters. |
|
|
|
Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length |
|
ciphers. |
|
|
|
Remove lots of duplicated code from the EVP library. For example *every* |
|
cipher init() function handles the 'iv' in the same way according to the |
|
cipher mode. They also all do nothing if the 'key' parameter is NULL and |
|
for CFB and OFB modes they zero ctx->num. |
|
|
|
New functionality allows removal of S/MIME code RC2 hack. |
|
|
|
Most of the routines have the same form and so can be declared in terms |
|
of macros. |
|
|
|
By shifting this to the top level EVP_CipherInit() it can be removed from |
|
all individual ciphers. If the cipher wants to handle IVs or keys |
|
differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT |
|
flags. |
|
|
|
Change lots of functions like EVP_EncryptUpdate() to now return a |
|
value: although software versions of the algorithms cannot fail |
|
any installed hardware versions can. |
|
[Steve Henson] |
|
|
|
*) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if |
|
this option is set, tolerate broken clients that send the negotiated |
|
protocol version number instead of the requested protocol version |
|
number. |
|
[Bodo Moeller] |
|
|
|
*) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag; |
|
i.e. non-zero for export ciphersuites, zero otherwise. |
|
Previous versions had this flag inverted, inconsistent with |
|
rsa_tmp_cb (..._TMP_RSA_CB). |
|
[Bodo Moeller; problem reported by Amit Chopra] |
|
|
|
*) Add missing DSA library text string. Work around for some IIS |
|
key files with invalid SEQUENCE encoding. |
|
[Steve Henson] |
|
|
|
*) Add a document (doc/standards.txt) that list all kinds of standards |
|
and so on that are implemented in OpenSSL. |
|
[Richard Levitte] |
|
|
|
*) Enhance c_rehash script. Old version would mishandle certificates |
|
with the same subject name hash and wouldn't handle CRLs at all. |
|
Added -fingerprint option to crl utility, to support new c_rehash |
|
features. |
|
[Steve Henson] |
|
|
|
*) Eliminate non-ANSI declarations in crypto.h and stack.h. |
|
[Ulf Möller] |
|
|
|
*) Fix for SSL server purpose checking. Server checking was |
|
rejecting certificates which had extended key usage present |
|
but no ssl client purpose. |
|
[Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>] |
|
|
|
*) Make PKCS#12 code work with no password. The PKCS#12 spec |
|
is a little unclear about how a blank password is handled. |
|
Since the password in encoded as a BMPString with terminating |
|
double NULL a zero length password would end up as just the |
|
double NULL. However no password at all is different and is |
|
handled differently in the PKCS#12 key generation code. NS |
|
treats a blank password as zero length. MSIE treats it as no |
|
password on export: but it will try both on import. We now do |
|
the same: PKCS12_parse() tries zero length and no password if |
|
the password is set to "" or NULL (NULL is now a valid password: |
|
it wasn't before) as does the pkcs12 application. |
|
[Steve Henson] |
|
|
|
*) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use |
|
perror when PEM_read_bio_X509_REQ fails, the error message must |
|
be obtained from the error queue. |
|
[Bodo Moeller] |
|
|
|
*) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing |
|
it in ERR_remove_state if appropriate, and change ERR_get_state |
|
accordingly to avoid race conditions (this is necessary because |
|
thread_hash is no longer constant once set). |
|
[Bodo Moeller] |
|
|
|
*) Bugfix for linux-elf makefile.one. |
|
[Ulf Möller] |
|
|
|
*) RSA_get_default_method() will now cause a default |
|
RSA_METHOD to be chosen if one doesn't exist already. |
|
Previously this was only set during a call to RSA_new() |
|
or RSA_new_method(NULL) meaning it was possible for |
|
RSA_get_default_method() to return NULL. |
|
[Geoff Thorpe] |
|
|
|
*) Added native name translation to the existing DSO code |
|
that will convert (if the flag to do so is set) filenames |
|
that are sufficiently small and have no path information |
|
into a canonical native form. Eg. "blah" converted to |
|
"libblah.so" or "blah.dll" etc. |
|
[Geoff Thorpe] |
|
|
|
*) New function ERR_error_string_n(e, buf, len) which is like |
|
ERR_error_string(e, buf), but writes at most 'len' bytes |
|
including the 0 terminator. For ERR_error_string_n, 'buf' |
|
may not be NULL. |
|
[Damien Miller <djm@mindrot.org>, Bodo Moeller] |
|
|
|
*) CONF library reworked to become more general. A new CONF |
|
configuration file reader "class" is implemented as well as a |
|
new functions (NCONF_*, for "New CONF") to handle it. The now |
|
old CONF_* functions are still there, but are reimplemented to |
|
work in terms of the new functions. Also, a set of functions |
|
to handle the internal storage of the configuration data is |
|
provided to make it easier to write new configuration file |
|
reader "classes" (I can definitely see something reading a |
|
configuration file in XML format, for example), called _CONF_*, |
|
or "the configuration storage API"... |
|
|
|
The new configuration file reading functions are: |
|
|
|
NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio, |
|
NCONF_get_section, NCONF_get_string, NCONF_get_numbre |
|
|
|
NCONF_default, NCONF_WIN32 |
|
|
|
NCONF_dump_fp, NCONF_dump_bio |
|
|
|
NCONF_default and NCONF_WIN32 are method (or "class") choosers, |
|
NCONF_new creates a new CONF object. This works in the same way |
|
as other interfaces in OpenSSL, like the BIO interface. |
|
NCONF_dump_* dump the internal storage of the configuration file, |
|
which is useful for debugging. All other functions take the same |
|
arguments as the old CONF_* functions wth the exception of the |
|
first that must be a `CONF *' instead of a `LHASH *'. |
|
|
|
To make it easer to use the new classes with the old CONF_* functions, |
|
the function CONF_set_default_method is provided. |
|
[Richard Levitte] |
|
|
|
*) Add '-tls1' option to 'openssl ciphers', which was already |
|
mentioned in the documentation but had not been implemented. |
|
(This option is not yet really useful because even the additional |
|
experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.) |
|
[Bodo Moeller] |
|
|
|
*) Initial DSO code added into libcrypto for letting OpenSSL (and |
|
OpenSSL-based applications) load shared libraries and bind to |
|
them in a portable way. |
|
[Geoff Thorpe, with contributions from Richard Levitte] |
|
|
|
Changes between 0.9.5 and 0.9.5a [1 Apr 2000] |
|
|
|
*) Make sure _lrotl and _lrotr are only used with MSVC. |
|
|
|
*) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status |
|
(the default implementation of RAND_status). |
|
|
|
*) Rename openssl x509 option '-crlext', which was added in 0.9.5, |
|
to '-clrext' (= clear extensions), as intended and documented. |
|
[Bodo Moeller; inconsistency pointed out by Michael Attili |
|
<attili@amaxo.com>] |
|
|
|
*) Fix for HMAC. It wasn't zeroing the rest of the block if the key length |
|
was larger than the MD block size. |
|
[Steve Henson, pointed out by Yost William <YostW@tce.com>] |
|
|
|
*) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument |
|
fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set() |
|
using the passed key: if the passed key was a private key the result |
|
of X509_print(), for example, would be to print out all the private key |
|
components. |
|
[Steve Henson] |
|
|
|
*) des_quad_cksum() byte order bug fix. |
|
[Ulf Möller, using the problem description in krb4-0.9.7, where |
|
the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>] |
|
|
|
*) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly |
|
discouraged. |
|
[Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>] |
|
|
|
*) For easily testing in shell scripts whether some command |
|
'openssl XXX' exists, the new pseudo-command 'openssl no-XXX' |
|
returns with exit code 0 iff no command of the given name is available. |
|
'no-XXX' is printed in this case, 'XXX' otherwise. In both cases, |
|
the output goes to stdout and nothing is printed to stderr. |
|
Additional arguments are always ignored. |
|
|
|
Since for each cipher there is a command of the same name, |
|
the 'no-cipher' compilation switches can be tested this way. |
|
|
|
('openssl no-XXX' is not able to detect pseudo-commands such |
|
as 'quit', 'list-XXX-commands', or 'no-XXX' itself.) |
|
[Bodo Moeller] |
|
|
|
*) Update test suite so that 'make test' succeeds in 'no-rsa' configuration. |
|
[Bodo Moeller] |
|
|
|
*) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE |
|
is set; it will be thrown away anyway because each handshake creates |
|
its own key. |
|
ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition |
|
to parameters -- in previous versions (since OpenSSL 0.9.3) the |
|
'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining |
|
you effectivly got SSL_OP_SINGLE_DH_USE when using this macro. |
|
[Bodo Moeller] |
|
|
|
*) New s_client option -ign_eof: EOF at stdin is ignored, and |
|
'Q' and 'R' lose their special meanings (quit/renegotiate). |
|
This is part of what -quiet does; unlike -quiet, -ign_eof |
|
does not suppress any output. |
|
[Richard Levitte] |
|
|
|
*) Add compatibility options to the purpose and trust code. The |
|
purpose X509_PURPOSE_ANY is "any purpose" which automatically |
|
accepts a certificate or CA, this was the previous behaviour, |
|
with all the associated security issues. |
|
|
|
X509_TRUST_COMPAT is the old trust behaviour: only and |
|
automatically trust self signed roots in certificate store. A |
|
new trust setting X509_TRUST_DEFAULT is used to specify that |
|
a purpose has no associated trust setting and it should instead |
|
use the value in the default purpose. |
|
[Steve Henson] |
|
|
|
*) Fix the PKCS#8 DSA private key code so it decodes keys again |
|
and fix a memory leak. |
|
[Steve Henson] |
|
|
|
*) In util/mkerr.pl (which implements 'make errors'), preserve |
|
reason strings from the previous version of the .c file, as |
|
the default to have only downcase letters (and digits) in |
|
automatically generated reasons codes is not always appropriate. |
|
[Bodo Moeller] |
|
|
|
*) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table |
|
using strerror. Previously, ERR_reason_error_string() returned |
|
library names as reason strings for SYSerr; but SYSerr is a special |
|
case where small numbers are errno values, not library numbers. |
|
[Bodo Moeller] |
|
|
|
*) Add '-dsaparam' option to 'openssl dhparam' application. This |
|
converts DSA parameters into DH parameters. (When creating parameters, |
|
DSA_generate_parameters is used.) |
|
[Bodo Moeller] |
|
|
|
*) Include 'length' (recommended exponent length) in C code generated |
|
by 'openssl dhparam -C'. |
|
[Bodo Moeller] |
|
|
|
*) The second argument to set_label in perlasm was already being used |
|
so couldn't be used as a "file scope" flag. Moved to third argument |
|
which was free. |
|
[Steve Henson] |
|
|
|
*) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes |
|
instead of RAND_bytes for encryption IVs and salts. |
|
[Bodo Moeller] |
|
|
|
*) Include RAND_status() into RAND_METHOD instead of implementing |
|
it only for md_rand.c Otherwise replacing the PRNG by calling |
|
RAND_set_rand_method would be impossible. |
|
[Bodo Moeller] |
|
|
|
*) Don't let DSA_generate_key() enter an infinite loop if the random |
|
number generation fails. |
|
[Bodo Moeller] |
|
|
|
*) New 'rand' application for creating pseudo-random output. |
|
[Bodo Moeller] |
|
|
|
*) Added configuration support for Linux/IA64 |
|
[Rolf Haberrecker <rolf@suse.de>] |
|
|
|
*) Assembler module support for Mingw32. |
|
[Ulf Möller] |
|
|
|
*) Shared library support for HPUX (in shlib/). |
|
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous] |
|
|
|
*) Shared library support for Solaris gcc. |
|
[Lutz Behnke <behnke@trustcenter.de>] |
|
|
|
Changes between 0.9.4 and 0.9.5 [28 Feb 2000] |
|
|
|
*) PKCS7_encrypt() was adding text MIME headers twice because they |
|
were added manually and by SMIME_crlf_copy(). |
|
[Steve Henson] |
|
|
|
*) In bntest.c don't call BN_rand with zero bits argument. |
|
[Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>] |
|
|
|
*) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] |
|
case was implemented. This caused BN_div_recp() to fail occasionally. |
|
[Ulf Möller] |
|
|
|
*) Add an optional second argument to the set_label() in the perl |
|
assembly language builder. If this argument exists and is set |
|
to 1 it signals that the assembler should use a symbol whose |
|
scope is the entire file, not just the current function. This |
|
is needed with MASM which uses the format label:: for this scope. |
|
[Steve Henson, pointed out by Peter Runestig <peter@runestig.com>] |
|
|
|
*) Change the ASN1 types so they are typedefs by default. Before |
|
almost all types were #define'd to ASN1_STRING which was causing |
|
STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING) |
|
for example. |
|
[Steve Henson] |
|
|
|
*) Change names of new functions to the new get1/get0 naming |
|
convention: After 'get1', the caller owns a reference count |
|
and has to call ..._free; 'get0' returns a pointer to some |
|
data structure without incrementing reference counters. |
|
(Some of the existing 'get' functions increment a reference |
|
counter, some don't.) |
|
Similarly, 'set1' and 'add1' functions increase reference |
|
counters or duplicate objects. |
|
[Steve Henson] |
|
|
|
*) Allow for the possibility of temp RSA key generation failure: |
|
the code used to assume it always worked and crashed on failure. |
|
[Steve Henson] |
|
|
|
*) Fix potential buffer overrun problem in BIO_printf(). |
|
[Ulf Möller, using public domain code by Patrick Powell; problem |
|
pointed out by David Sacerdote <das33@cornell.edu>] |
|
|
|
*) Support EGD <http://www.lothar.com/tech/crypto/>. New functions |
|
RAND_egd() and RAND_status(). In the command line application, |
|
the EGD socket can be specified like a seed file using RANDFILE |
|
or -rand. |
|
[Ulf Möller] |
|
|
|
*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. |
|
Some CAs (e.g. Verisign) distribute certificates in this form. |
|
[Steve Henson] |
|
|
|
*) Remove the SSL_ALLOW_ADH compile option and set the default cipher |
|
list to exclude them. This means that no special compilation option |
|
is needed to use anonymous DH: it just needs to be included in the |
|
cipher list. |
|
[Steve Henson] |
|
|
|
*) Change the EVP_MD_CTX_type macro so its meaning consistent with |
|
EVP_MD_type. The old functionality is available in a new macro called |
|
EVP_MD_md(). Change code that uses it and update docs. |
|
[Steve Henson] |
|
|
|
*) ..._ctrl functions now have corresponding ..._callback_ctrl functions |
|
where the 'void *' argument is replaced by a function pointer argument. |
|
Previously 'void *' was abused to point to functions, which works on |
|
many platforms, but is not correct. As these functions are usually |
|
called by macros defined in OpenSSL header files, most source code |
|
should work without changes. |
|
[Richard Levitte] |
|
|
|
*) <openssl/opensslconf.h> (which is created by Configure) now contains |
|
sections with information on -D... compiler switches used for |
|
compiling the library so that applications can see them. To enable |
|
one of these sections, a pre-processor symbol OPENSSL_..._DEFINES |
|
must be defined. E.g., |
|
#define OPENSSL_ALGORITHM_DEFINES |
|
#include <openssl/opensslconf.h> |
|
defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc. |
|
[Richard Levitte, Ulf and Bodo Möller] |
|
|
|
*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS |
|
record layer. |
|
[Bodo Moeller] |
|
|
|
*) Change the 'other' type in certificate aux info to a STACK_OF |
|
X509_ALGOR. Although not an AlgorithmIdentifier as such it has |
|
the required ASN1 format: arbitrary types determined by an OID. |
|
[Steve Henson] |
|
|
|
*) Add some PEM_write_X509_REQ_NEW() functions and a command line |
|
argument to 'req'. This is not because the function is newer or |
|
better than others it just uses the work 'NEW' in the certificate |
|
request header lines. Some software needs this. |
|
[Steve Henson] |
|
|
|
*) Reorganise password command line arguments: now passwords can be |
|
obtained from various sources. Delete the PEM_cb function and make |
|
it the default behaviour: i.e. if the callback is NULL and the |
|
usrdata argument is not NULL interpret it as a null terminated pass |
|
phrase. If usrdata and the callback are NULL then the pass phrase |
|
is prompted for as usual. |
|
[Steve Henson] |
|
|
|
*) Add support for the Compaq Atalla crypto accelerator. If it is installed, |
|
the support is automatically enabled. The resulting binaries will |
|
autodetect the card and use it if present. |
|
[Ben Laurie and Compaq Inc.] |
|
|
|
*) Work around for Netscape hang bug. This sends certificate request |
|
and server done in one record. Since this is perfectly legal in the |
|
SSL/TLS protocol it isn't a "bug" option and is on by default. See |
|
the bugs/SSLv3 entry for more info. |
|
[Steve Henson] |
|
|
|
*) HP-UX tune-up: new unified configs, HP C compiler bug workaround. |
|
[Andy Polyakov] |
|
|
|
*) Add -rand argument to smime and pkcs12 applications and read/write |
|
of seed file. |
|
[Steve Henson] |
|
|
|
*) New 'passwd' tool for crypt(3) and apr1 password hashes. |
|
[Bodo Moeller] |
|
|
|
*) Add command line password options to the remaining applications. |
|
[Steve Henson] |
|
|
|
*) Bug fix for BN_div_recp() for numerators with an even number of |
|
bits. |
|
[Ulf Möller] |
|
|
|
*) More tests in bntest.c, and changed test_bn output. |
|
[Ulf Möller] |
|
|
|
*) ./config recognizes MacOS X now. |
|
[Andy Polyakov] |
|
|
|
*) Bug fix for BN_div() when the first words of num and divsor are |
|
equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). |
|
[Ulf Möller] |
|
|
|
*) Add support for various broken PKCS#8 formats, and command line |
|
options to produce them. |
|
[Steve Henson] |
|
|
|
*) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to |
|
get temporary BIGNUMs from a BN_CTX. |
|
[Ulf Möller] |
|
|
|
*) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont() |
|
for p == 0. |
|
[Ulf Möller] |
|
|
|
*) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and |
|
include a #define from the old name to the new. The original intent |
|
was that statically linked binaries could for example just call |
|
SSLeay_add_all_ciphers() to just add ciphers to the table and not |
|
link with digests. This never worked becayse SSLeay_add_all_digests() |
|
and SSLeay_add_all_ciphers() were in the same source file so calling |
|
one would link with the other. They are now in separate source files. |
|
[Steve Henson] |
|
|
|
*) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'. |
|
[Steve Henson] |
|
|
|
*) Use a less unusual form of the Miller-Rabin primality test (it used |
|
a binary algorithm for exponentiation integrated into the Miller-Rabin |
|
loop, our standard modexp algorithms are faster). |
|
[Bodo Moeller] |
|
|
|
*) Support for the EBCDIC character set completed. |
|
[Martin Kraemer <Martin.Kraemer@Mch.SNI.De>] |
|
|
|
*) Source code cleanups: use const where appropriate, eliminate casts, |
|
use void * instead of char * in lhash. |
|
[Ulf Möller] |
|
|
|
*) Bugfix: ssl3_send_server_key_exchange was not restartable |
|
(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of |
|
this the server could overwrite ephemeral keys that the client |
|
has already seen). |
|
[Bodo Moeller] |
|
|
|
*) Turn DSA_is_prime into a macro that calls BN_is_prime, |
|
using 50 iterations of the Rabin-Miller test. |
|
|
|
DSA_generate_parameters now uses BN_is_prime_fasttest (with 50 |
|
iterations of the Rabin-Miller test as required by the appendix |
|
to FIPS PUB 186[-1]) instead of DSA_is_prime. |
|
As BN_is_prime_fasttest includes trial division, DSA parameter |
|
generation becomes much faster. |
|
|
|
This implies a change for the callback functions in DSA_is_prime |
|
and DSA_generate_parameters: The callback function is called once |
|
for each positive witness in the Rabin-Miller test, not just |
|
occasionally in the inner loop; and the parameters to the |
|
callback function now provide an iteration count for the outer |
|
loop rather than for the current invocation of the inner loop. |
|
DSA_generate_parameters additionally can call the callback |
|
function with an 'iteration count' of -1, meaning that a |
|
candidate has passed the trial division test (when q is generated |
|
from an application-provided seed, trial division is skipped). |
|
[Bodo Moeller] |
|
|
|
*) New function BN_is_prime_fasttest that optionally does trial |
|
division before starting the Rabin-Miller test and has |
|
an additional BN_CTX * argument (whereas BN_is_prime always |
|
has to allocate at least one BN_CTX). |
|
'callback(1, -1, cb_arg)' is called when a number has passed the |
|
trial division stage. |
|
[Bodo Moeller] |
|
|
|
*) Fix for bug in CRL encoding. The validity dates weren't being handled |
|
as ASN1_TIME. |
|
[Steve Henson] |
|
|
|
*) New -pkcs12 option to CA.pl script to write out a PKCS#12 file. |
|
[Steve Henson] |
|
|
|
*) New function BN_pseudo_rand(). |
|
[Ulf Möller] |
|
|
|
*) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) |
|
bignum version of BN_from_montgomery() with the working code from |
|
SSLeay 0.9.0 (the word based version is faster anyway), and clean up |
|
the comments. |
|
[Ulf Möller] |
|
|
|
*) Avoid a race condition in s2_clnt.c (function get_server_hello) that |
|
made it impossible to use the same SSL_SESSION data structure in |
|
SSL2 clients in multiple threads. |
|
[Bodo Moeller] |
|
|
|
*) The return value of RAND_load_file() no longer counts bytes obtained |
|
by stat(). RAND_load_file(..., -1) is new and uses the complete file |
|
to seed the PRNG (previously an explicit byte count was required). |
|
[Ulf Möller, Bodo Möller] |
|
|
|
*) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes |
|
used (char *) instead of (void *) and had casts all over the place. |
|
[Steve Henson] |
|
|
|
*) Make BN_generate_prime() return NULL on error if ret!=NULL. |
|
[Ulf Möller] |
|
|
|
*) Retain source code compatibility for BN_prime_checks macro: |
|
BN_is_prime(..., BN_prime_checks, ...) now uses |
|
BN_prime_checks_for_size to determine the appropriate number of |
|
Rabin-Miller iterations. |
|
[Ulf Möller] |
|
|
|
*) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to |
|
DH_CHECK_P_NOT_SAFE_PRIME. |
|
(Check if this is true? OpenPGP calls them "strong".) |
|
[Ulf Möller] |
|
|
|
*) Merge the functionality of "dh" and "gendh" programs into a new program |
|
"dhparam". The old programs are retained for now but will handle DH keys |
|
(instead of parameters) in future. |
|
[Steve Henson] |
|
|
|
*) Make the ciphers, s_server and s_client programs check the return values |
|
when a new cipher list is set. |
|
[Steve Henson] |
|
|
|
*) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit |
|
ciphers. Before when the 56bit ciphers were enabled the sorting was |
|
wrong. |
|
|
|
The syntax for the cipher sorting has been extended to support sorting by |
|
cipher-strength (using the strength_bits hard coded in the tables). |
|
The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). |
|
|
|
Fix a bug in the cipher-command parser: when supplying a cipher command |
|
string with an "undefined" symbol (neither command nor alphanumeric |
|
[A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now |
|
an error is flagged. |
|
|
|
Due to the strength-sorting extension, the code of the |
|
ssl_create_cipher_list() function was completely rearranged. I hope that |
|
the readability was also increased :-) |
|
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] |
|
|
|
*) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 |
|
for the first serial number and places 2 in the serial number file. This |
|
avoids problems when the root CA is created with serial number zero and |
|
the first user certificate has the same issuer name and serial number |
|
as the root CA. |
|
[Steve Henson] |
|
|
|
*) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses |
|
the new code. Add documentation for this stuff. |
|
[Steve Henson] |
|
|
|
*) Changes to X509_ATTRIBUTE utilities. These have been renamed from |
|
X509_*() to X509at_*() on the grounds that they don't handle X509 |
|
structures and behave in an analagous way to the X509v3 functions: |
|
they shouldn't be called directly but wrapper functions should be used |
|
instead. |
|
|
|
So we also now have some wrapper functions that call the X509at functions |
|
when passed certificate requests. (TO DO: similar things can be done with |
|
PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other |
|
things. Some of these need some d2i or i2d and print functionality |
|
because they handle more complex structures.) |
|
[Steve Henson] |
|
|
|
*) Add missing #ifndefs that caused missing symbols when building libssl |
|
as a shared library without RSA. Use #ifndef NO_SSL2 instead of |
|
NO_RSA in ssl/s2*.c. |
|
[Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller] |
|
|
|
*) Precautions against using the PRNG uninitialized: RAND_bytes() now |
|
has a return value which indicates the quality of the random data |
|
(1 = ok, 0 = not seeded). Also an error is recorded on the thread's |
|
error queue. New function RAND_pseudo_bytes() generates output that is |
|
guaranteed to be unique but not unpredictable. RAND_add is like |
|
RAND_seed, but takes an extra argument for an entropy estimate |
|
(RAND_seed always assumes full entropy). |
|
[Ulf Möller] |
|
|
|
*) Do more iterations of Rabin-Miller probable prime test (specifically, |
|
3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes |
|
instead of only 2 for all lengths; see BN_prime_checks_for_size definition |
|
in crypto/bn/bn_prime.c for the complete table). This guarantees a |
|
false-positive rate of at most 2^-80 for random input. |
|
[Bodo Moeller] |
|
|
|
*) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. |
|
[Bodo Moeller] |
|
|
|
*) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain |
|
in the 0.9.5 release), this returns the chain |
|
from an X509_CTX structure with a dup of the stack and all |
|
the X509 reference counts upped: so the stack will exist |
|
after X509_CTX_cleanup() has been called. Modify pkcs12.c |
|
to use this. |
|
|
|
Also make SSL_SESSION_print() print out the verify return |
|
code. |
|
[Steve Henson] |
|
|
|
*) Add manpage for the pkcs12 command. Also change the default |
|
behaviour so MAC iteration counts are used unless the new |
|
-nomaciter option is used. This improves file security and |
|
only older versions of MSIE (4.0 for example) need it. |
|
[Steve Henson] |
|
|
|
*) Honor the no-xxx Configure options when creating .DEF files. |
|
[Ulf Möller] |
|
|
|
*) Add PKCS#10 attributes to field table: challengePassword, |
|
unstructuredName and unstructuredAddress. These are taken from |
|
draft PKCS#9 v2.0 but are compatible with v1.2 provided no |
|
international characters are used. |
|
|
|
More changes to X509_ATTRIBUTE code: allow the setting of types |
|
based on strings. Remove the 'loc' parameter when adding |
|
attributes because these will be a SET OF encoding which is sorted |
|
in ASN1 order. |
|
[Steve Henson] |
|
|
|
*) Initial changes to the 'req' utility to allow request generation |
|
automation. This will allow an application to just generate a template |
|
file containing all the field values and have req construct the |
|
request. |
|
|
|
Initial support for X509_ATTRIBUTE handling. Stacks of these are |
|
used all over the place including certificate requests and PKCS#7 |
|
structures. They are currently handled manually where necessary with |
|
some primitive wrappers for PKCS#7. The new functions behave in a |
|
manner analogous to the X509 extension functions: they allow |
|
attributes to be looked up by NID and added. |
|
|
|
Later something similar to the X509V3 code would be desirable to |
|
automatically handle the encoding, decoding and printing of the |
|
more complex types. The string types like challengePassword can |
|
be handled by the string table functions. |
|
|
|
Also modified the multi byte string table handling. Now there is |
|
a 'global mask' which masks out certain types. The table itself |
|
can use the flag STABLE_NO_MASK to ignore the mask setting: this |
|
is useful when for example there is only one permissible type |
|
(as in countryName) and using the mask might result in no valid |
|
types at all. |
|
[Steve Henson] |
|
|
|
*) Clean up 'Finished' handling, and add functions SSL_get_finished and |
|
SSL_get_peer_finished to allow applications to obtain the latest |
|
Finished messages sent to the peer or expected from the peer, |
|
respectively. (SSL_get_peer_finished is usually the Finished message |
|
actually received from the peer, otherwise the protocol will be aborted.) |
|
|
|
As the Finished message are message digests of the complete handshake |
|
(with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can |
|
be used for external authentication procedures when the authentication |
|
provided by SSL/TLS is not desired or is not enough. |
|
[Bodo Moeller] |
|
|
|
*) Enhanced support for Alpha Linux is added. Now ./config checks if |
|
the host supports BWX extension and if Compaq C is present on the |
|
$PATH. Just exploiting of the BWX extension results in 20-30% |
|
performance kick for some algorithms, e.g. DES and RC4 to mention |
|
a couple. Compaq C in turn generates ~20% faster code for MD5 and |
|
SHA1. |
|
[Andy Polyakov] |
|
|
|
*) Add support for MS "fast SGC". This is arguably a violation of the |
|
SSL3/TLS protocol. Netscape SGC does two handshakes: the first with |
|
weak crypto and after checking the certificate is SGC a second one |
|
with strong crypto. MS SGC stops the first handshake after receiving |
|
the server certificate message and sends a second client hello. Since |
|
a server will typically do all the time consuming operations before |
|
expecting any further messages from the client (server key exchange |
|
is the most expensive) there is little difference between the two. |
|
|
|
To get OpenSSL to support MS SGC we have to permit a second client |
|
hello message after we have sent server done. In addition we have to |
|
reset the MAC if we do get this second client hello. |
|
[Steve Henson] |
|
|
|
*) Add a function 'd2i_AutoPrivateKey()' this will automatically decide |
|
if a DER encoded private key is RSA or DSA traditional format. Changed |
|
d2i_PrivateKey_bio() to use it. This is only needed for the "traditional" |
|
format DER encoded private key. Newer code should use PKCS#8 format which |
|
has the key type encoded in the ASN1 structure. Added DER private key |
|
support to pkcs8 application. |
|
[Steve Henson] |
|
|
|
*) SSL 3/TLS 1 servers now don't request certificates when an anonymous |
|
ciphersuites has been selected (as required by the SSL 3/TLS 1 |
|
specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
|
is set, we interpret this as a request to violate the specification |
|
(the worst that can happen is a handshake failure, and 'correct' |
|
behaviour would result in a handshake failure anyway). |
|
[Bodo Moeller] |
|
|
|
*) In SSL_CTX_add_session, take into account that there might be multiple |
|
SSL_SESSION structures with the same session ID (e.g. when two threads |
|
concurrently obtain them from an external cache). |
|
The internal cache can handle only one SSL_SESSION with a given ID, |
|
so if there's a conflict, we now throw out the old one to achieve |
|
consistency. |
|
[Bodo Moeller] |
|
|
|
*) Add OIDs for idea and blowfish in CBC mode. This will allow both |
|
to be used in PKCS#5 v2.0 and S/MIME. Also add checking to |
|
some routines that use cipher OIDs: some ciphers do not have OIDs |
|
defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for |
|
example. |
|
[Steve Henson] |
|
|
|
*) Simplify the trust setting structure and code. Now we just have |
|
two sequences of OIDs for trusted and rejected settings. These will |
|
typically have values the same as the extended key usage extension |
|
and any application specific purposes. |
|
|
|
The trust checking code now has a default behaviour: it will just |
|
check for an object with the same NID as the passed id. Functions can |
|
be provided to override either the default behaviour or the behaviour |
|
for a given id. SSL client, server and email already have functions |
|
in place for compatibility: they check the NID and also return "trusted" |
|
if the certificate is self signed. |
|
[Steve Henson] |
|
|
|
*) Add d2i,i2d bio/fp functions for PrivateKey: these convert the |
|
traditional format into an EVP_PKEY structure. |
|
[Steve Henson] |
|
|
|
*) Add a password callback function PEM_cb() which either prompts for |
|
a password if usr_data is NULL or otherwise assumes it is a null |
|
terminated password. Allow passwords to be passed on command line |
|
environment or config files in a few more utilities. |
|
[Steve Henson] |
|
|
|
*) Add a bunch of DER and PEM functions to handle PKCS#8 format private |
|
keys. Add some short names for PKCS#8 PBE algorithms and allow them |
|
to be specified on the command line for the pkcs8 and pkcs12 utilities. |
|
Update documentation. |
|
[Steve Henson] |
|
|
|
*) Support for ASN1 "NULL" type. This could be handled before by using |
|
ASN1_TYPE but there wasn't any function that would try to read a NULL |
|
and produce an error if it couldn't. For compatibility we also have |
|
ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and |
|
don't allocate anything because they don't need to. |
|
[Steve Henson] |
|
|
|
*) Initial support for MacOS is now provided. Examine INSTALL.MacOS |
|
for details. |
|
[Andy Polyakov, Roy Woods <roy@centicsystems.ca>] |
|
|
|
*) Rebuild of the memory allocation routines used by OpenSSL code and |
|
possibly others as well. The purpose is to make an interface that |
|
provide hooks so anyone can build a separate set of allocation and |
|
deallocation routines to be used by OpenSSL, for example memory |
|
pool implementations, or something else, which was previously hard |
|
since Malloc(), Realloc() and Free() were defined as macros having |
|
the values malloc, realloc and free, respectively (except for Win32 |
|
compilations). The same is provided for memory debugging code. |
|
OpenSSL already comes with functionality to find memory leaks, but |
|
this gives people a chance to debug other memory problems. |
|
|
|
With these changes, a new set of functions and macros have appeared: |
|
|
|
CRYPTO_set_mem_debug_functions() [F] |
|
CRYPTO_get_mem_debug_functions() [F] |
|
CRYPTO_dbg_set_options() [F] |
|
CRYPTO_dbg_get_options() [F] |
|
CRYPTO_malloc_debug_init() [M] |
|
|
|
The memory debug functions are NULL by default, unless the library |
|
is compiled with CRYPTO_MDEBUG or friends is defined. If someone |
|
wants to debug memory anyway, CRYPTO_malloc_debug_init() (which |
|
gives the standard debugging functions that come with OpenSSL) or |
|
CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions |
|
provided by the library user) must be used. When the standard |
|
debugging functions are used, CRYPTO_dbg_set_options can be used to |
|
request additional information: |
|
CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting |
|
the CRYPTO_MDEBUG_xxx macro when compiling the library. |
|
|
|
Also, things like CRYPTO_set_mem_functions will always give the |
|
expected result (the new set of functions is used for allocation |
|
and deallocation) at all times, regardless of platform and compiler |
|
options. |
|
|
|
To finish it up, some functions that were never use in any other |
|
way than through macros have a new API and new semantic: |
|
|
|
CRYPTO_dbg_malloc() |
|
CRYPTO_dbg_realloc() |
|
CRYPTO_dbg_free() |
|
|
|
All macros of value have retained their old syntax. |
|
[Richard Levitte and Bodo Moeller] |
|
|
|
*) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the |
|
ordering of SMIMECapabilities wasn't in "strength order" and there |
|
was a missing NULL in the AlgorithmIdentifier for the SHA1 signature |
|
algorithm. |
|
[Steve Henson] |
|
|
|
*) Some ASN1 types with illegal zero length encoding (INTEGER, |
|
ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. |
|
[Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson] |
|
|
|
*) Merge in my S/MIME library for OpenSSL. This provides a simple |
|
S/MIME API on top of the PKCS#7 code, a MIME parser (with enough |
|
functionality to handle multipart/signed properly) and a utility |
|
called 'smime' to call all this stuff. This is based on code I |
|
originally wrote for Celo who have kindly allowed it to be |
|
included in OpenSSL. |
|
[Steve Henson] |
|
|
|
*) Add variants des_set_key_checked and des_set_key_unchecked of |
|
des_set_key (aka des_key_sched). Global variable des_check_key |
|
decides which of these is called by des_set_key; this way |
|
des_check_key behaves as it always did, but applications and |
|
the library itself, which was buggy for des_check_key == 1, |
|
have a cleaner way to pick the version they need. |
|
[Bodo Moeller] |
|
|
|
*) New function PKCS12_newpass() which changes the password of a |
|
PKCS12 structure. |
|
[Steve Henson] |
|
|
|
*) Modify X509_TRUST and X509_PURPOSE so it also uses a static and |
|
dynamic mix. In both cases the ids can be used as an index into the |
|
table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() |
|
functions so they accept a list of the field values and the |
|
application doesn't need to directly manipulate the X509_TRUST |
|
structure. |
|
[Steve Henson] |
|
|
|
*) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't |
|
need initialising. |
|
[Steve Henson] |
|
|
|
*) Modify the way the V3 extension code looks up extensions. This now |
|
works in a similar way to the object code: we have some "standard" |
|
extensions in a static table which is searched with OBJ_bsearch() |
|
and the application can add dynamic ones if needed. The file |
|
crypto/x509v3/ext_dat.h now has the info: this file needs to be |
|
updated whenever a new extension is added to the core code and kept |
|
in ext_nid order. There is a simple program 'tabtest.c' which checks |
|
this. New extensions are not added too often so this file can readily |
|
be maintained manually. |
|
|
|
There are two big advantages in doing things this way. The extensions |
|
can be looked up immediately and no longer need to be "added" using |
|
X509V3_add_standard_extensions(): this function now does nothing. |
|
[Side note: I get *lots* of email saying the extension code doesn't |
|
work because people forget to call this function] |
|
Also no dynamic allocation is done unless new extensions are added: |
|
so if we don't add custom extensions there is no need to call |
|
X509V3_EXT_cleanup(). |
|
[Steve Henson] |
|
|
|
*) Modify enc utility's salting as follows: make salting the default. Add a |
|
magic header, so unsalted files fail gracefully instead of just decrypting |
|
to garbage. This is because not salting is a big security hole, so people |
|
should be discouraged from doing it. |
|
[Ben Laurie] |
|
|
|
*) Fixes and enhancements to the 'x509' utility. It allowed a message |
|
digest to be passed on the command line but it only used this |
|
parameter when signing a certificate. Modified so all relevant |
|
operations are affected by the digest parameter including the |
|
-fingerprint and -x509toreq options. Also -x509toreq choked if a |
|
DSA key was used because it didn't fix the digest. |
|
[Steve Henson] |
|
|
|
*) Initial certificate chain verify code. Currently tests the untrusted |
|
certificates for consistency with the verify purpose (which is set |
|
when the X509_STORE_CTX structure is set up) and checks the pathlength. |
|
|
|
There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour: |
|
this is because it will reject chains with invalid extensions whereas |
|
every previous version of OpenSSL and SSLeay made no checks at all. |
|
|
|
Trust code: checks the root CA for the relevant trust settings. Trust |
|
settings have an initial value consistent with the verify purpose: e.g. |
|
if the verify purpose is for SSL client use it expects the CA to be |
|
trusted for SSL client use. However the default value can be changed to |
|
permit custom trust settings: one example of this would be to only trust |
|
certificates from a specific "secure" set of CAs. |
|
|
|
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions |
|
which should be used for version portability: especially since the |
|
verify structure is likely to change more often now. |
|
|
|
SSL integration. Add purpose and trust to SSL_CTX and SSL and functions |
|
to set them. If not set then assume SSL clients will verify SSL servers |
|
and vice versa. |
|
|
|
Two new options to the verify program: -untrusted allows a set of |
|
untrusted certificates to be passed in and -purpose which sets the |
|
intended purpose of the certificate. If a purpose is set then the |
|
new chain verify code is used to check extension consistency. |
|
[Steve Henson] |
|
|
|
*) Support for the authority information access extension. |
|
[Steve Henson] |
|
|
|
*) Modify RSA and DSA PEM read routines to transparently handle |
|
PKCS#8 format private keys. New *_PUBKEY_* functions that handle |
|
public keys in a format compatible with certificate |
|
SubjectPublicKeyInfo structures. Unfortunately there were already |
|
functions called *_PublicKey_* which used various odd formats so |
|
these are retained for compatibility: however the DSA variants were |
|
never in a public release so they have been deleted. Changed dsa/rsa |
|
utilities to handle the new format: note no releases ever handled public |
|
keys so we should be OK. |
|
|
|
The primary motivation for this change is to avoid the same fiasco |
|
that dogs private keys: there are several incompatible private key |
|
formats some of which are standard and some OpenSSL specific and |
|
require various evil hacks to allow partial transparent handling and |
|
even then it doesn't work with DER formats. Given the option anything |
|
other than PKCS#8 should be dumped: but the other formats have to |
|
stay in the name of compatibility. |
|
|
|
With public keys and the benefit of hindsight one standard format |
|
is used which works with EVP_PKEY, RSA or DSA structures: though |
|
it clearly returns an error if you try to read the wrong kind of key. |
|
|
|
Added a -pubkey option to the 'x509' utility to output the public key. |
|
Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() |
|
(renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add |
|
EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*()) |
|
that do the same as the EVP_PKEY_assign_*() except they up the |
|
reference count of the added key (they don't "swallow" the |
|
supplied key). |
|
[Steve Henson] |
|
|
|
*) Fixes to crypto/x509/by_file.c the code to read in certificates and |
|
CRLs would fail if the file contained no certificates or no CRLs: |
|
added a new function to read in both types and return the number |
|
read: this means that if none are read it will be an error. The |
|
DER versions of the certificate and CRL reader would always fail |
|
because it isn't possible to mix certificates and CRLs in DER format |
|
without choking one or the other routine. Changed this to just read |
|
a certificate: this is the best we can do. Also modified the code |
|
in apps/verify.c to take notice of return codes: it was previously |
|
attempting to read in certificates from NULL pointers and ignoring |
|
any errors: this is one reason why the cert and CRL reader seemed |
|
to work. It doesn't check return codes from the default certificate |
|
routines: these may well fail if the certificates aren't installed. |
|
[Steve Henson] |
|
|
|
*) Code to support otherName option in GeneralName. |
|
[Steve Henson] |
|
|
|
*) First update to verify code. Change the verify utility |
|
so it warns if it is passed a self signed certificate: |
|
for consistency with the normal behaviour. X509_verify |
|
has been modified to it will now verify a self signed |
|
certificate if *exactly* the same certificate appears |
|
in the store: it was previously impossible to trust a |
|
single self signed certificate. This means that: |
|
openssl verify ss.pem |
|
now gives a warning about a self signed certificate but |
|
openssl verify -CAfile ss.pem ss.pem |
|
is OK. |
|
[Steve Henson] |
|
|
|
*) For servers, store verify_result in SSL_SESSION data structure |
|
(and add it to external session representation). |
|
This is needed when client certificate verifications fails, |
|
but an application-provided verification callback (set by |
|
SSL_CTX_set_cert_verify_callback) allows accepting the session |
|
anyway (i.e. leaves x509_store_ctx->error != X509_V_OK |
|
but returns 1): When the session is reused, we have to set |
|
ssl->verify_result to the appropriate error code to avoid |
|
security holes. |
|
[Bodo Moeller, problem pointed out by Lutz Jaenicke] |
|
|
|
*) Fix a bug in the new PKCS#7 code: it didn't consider the |
|
case in PKCS7_dataInit() where the signed PKCS7 structure |
|
didn't contain any existing data because it was being created. |
|
[Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson] |
|
|
|
*) Add a salt to the key derivation routines in enc.c. This |
|
forms the first 8 bytes of the encrypted file. Also add a |
|
-S option to allow a salt to be input on the command line. |
|
[Steve Henson] |
|
|
|
*) New function X509_cmp(). Oddly enough there wasn't a function |
|
to compare two certificates. We do this by working out the SHA1 |
|
hash and comparing that. X509_cmp() will be needed by the trust |
|
code. |
|
[Steve Henson] |
|
|
|
*) SSL_get1_session() is like SSL_get_session(), but increments |
|
the reference count in the SSL_SESSION returned. |
|
[Geoff Thorpe <geoff@eu.c2.net>] |
|
|
|
*) Fix for 'req': it was adding a null to request attributes. |
|
Also change the X509_LOOKUP and X509_INFO code to handle |
|
certificate auxiliary information. |
|
[Steve Henson] |
|
|
|
*) Add support for 40 and 64 bit RC2 and RC4 algorithms: document |
|
the 'enc' command. |
|
[Steve Henson] |
|
|
|
*) Add the possibility to add extra information to the memory leak |
|
detecting output, to form tracebacks, showing from where each |
|
allocation was originated: CRYPTO_push_info("constant string") adds |
|
the string plus current file name and line number to a per-thread |
|
stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info() |
|
is like calling CYRPTO_pop_info() until the stack is empty. |
|
Also updated memory leak detection code to be multi-thread-safe. |
|
[Richard Levitte] |
|
|
|
*) Add options -text and -noout to pkcs7 utility and delete the |
|
encryption options which never did anything. Update docs. |
|
[Steve Henson] |
|
|
|
*) Add options to some of the utilities to allow the pass phrase |
|
to be included on either the command line (not recommended on |
|
OSes like Unix) or read from the environment. Update the |
|
manpages and fix a few bugs. |
|
[Steve Henson] |
|
|
|
*) Add a few manpages for some of the openssl commands. |
|
[Steve Henson] |
|
|
|
*) Fix the -revoke option in ca. It was freeing up memory twice, |
|
leaking and not finding already revoked certificates. |
|
[Steve Henson] |
|
|
|
*) Extensive changes to support certificate auxiliary information. |
|
This involves the use of X509_CERT_AUX structure and X509_AUX |
|
functions. An X509_AUX function such as PEM_read_X509_AUX() |
|
can still read in a certificate file in the usual way but it |
|
will also read in any additional "auxiliary information". By |
|
doing things this way a fair degree of compatibility can be |
|
retained: existing certificates can have this information added |
|
using the new 'x509' options. |
|
|
|
Current auxiliary information includes an "alias" and some trust |
|
settings. The trust settings will ultimately be used in enhanced |
|
certificate chain verification routines: currently a certificate |
|
can only be trusted if it is self signed and then it is trusted |
|
for all purposes. |
|
[Steve Henson] |
|
|
|
*) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). |
|
The problem was that one of the replacement routines had not been working |
|
since SSLeay releases. For now the offending routine has been replaced |
|
with non-optimised assembler. Even so, this now gives around 95% |
|
performance improvement for 1024 bit RSA signs. |
|
[Mark Cox] |
|
|
|
*) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 |
|
handling. Most clients have the effective key size in bits equal to |
|
the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. |
|
A few however don't do this and instead use the size of the decrypted key |
|
to determine the RC2 key length and the AlgorithmIdentifier to determine |
|
the effective key length. In this case the effective key length can still |
|
be 40 bits but the key length can be 168 bits for example. This is fixed |
|
by manually forcing an RC2 key into the EVP_PKEY structure because the |
|
EVP code can't currently handle unusual RC2 key sizes: it always assumes |
|
the key length and effective key length are equal. |
|
[Steve Henson] |
|
|
|
*) Add a bunch of functions that should simplify the creation of |
|
X509_NAME structures. Now you should be able to do: |
|
X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); |
|
and have it automatically work out the correct field type and fill in |
|
the structures. The more adventurous can try: |
|
X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0); |
|
and it will (hopefully) work out the correct multibyte encoding. |
|
[Steve Henson] |
|
|
|
*) Change the 'req' utility to use the new field handling and multibyte |
|
copy routines. Before the DN field creation was handled in an ad hoc |
|
way in req, ca, and x509 which was rather broken and didn't support |
|
BMPStrings or UTF8Strings. Since some software doesn't implement |
|
BMPStrings or UTF8Strings yet, they can be enabled using the config file |
|
using the dirstring_type option. See the new comment in the default |
|
openssl.cnf for more info. |
|
[Steve Henson] |
|
|
|
*) Make crypto/rand/md_rand.c more robust: |
|
- Assure unique random numbers after fork(). |
|
- Make sure that concurrent threads access the global counter and |
|
md serializably so that we never lose entropy in them |
|
or use exactly the same state in multiple threads. |
|
Access to the large state is not always serializable because |
|
the additional locking could be a performance killer, and |
|
md should be large enough anyway. |
|
[Bodo Moeller] |
|
|
|
*) New file apps/app_rand.c with commonly needed functionality |
|
for handling the random seed file. |
|
|
|
Use the random seed file in some applications that previously did not: |
|
ca, |
|
dsaparam -genkey (which also ignored its '-rand' option), |
|
s_client, |
|
s_server, |
|
x509 (when signing). |
|
Except on systems with /dev/urandom, it is crucial to have a random |
|
seed file at least for key creation, DSA signing, and for DH exchanges; |
|
for RSA signatures we could do without one. |
|
|
|
gendh and gendsa (unlike genrsa) used to read only the first byte |
|
of each file listed in the '-rand' option. The function as previously |
|
found in genrsa is now in app_rand.c and is used by all programs |
|
that support '-rand'. |
|
[Bodo Moeller] |
|
|
|
*) In RAND_write_file, use mode 0600 for creating files; |
|
don't just chmod when it may be too late. |
|
[Bodo Moeller] |
|
|
|
*) Report an error from X509_STORE_load_locations |
|
when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed. |
|
[Bill Perry] |
|
|
|
*) New function ASN1_mbstring_copy() this copies a string in either |
|
ASCII, Unicode, Universal (4 bytes per character) or UTF8 format |
|
into an ASN1_STRING type. A mask of permissible types is passed |
|
and it chooses the "minimal" type to use or an error if not type |
|
is suitable. |
|
[Steve Henson] |
|
|
|
*) Add function equivalents to the various macros in asn1.h. The old |
|
macros are retained with an M_ prefix. Code inside the library can |
|
use the M_ macros. External code (including the openssl utility) |
|
should *NOT* in order to be "shared library friendly". |
|
[Steve Henson] |
|
|
|
*) Add various functions that can check a certificate's extensions |
|
to see if it usable for various purposes such as SSL client, |
|
server or S/MIME and CAs of these types. This is currently |
|
VERY EXPERIMENTAL but will ultimately be used for certificate chain |
|
verification. Also added a -purpose flag to x509 utility to |
|
print out all the purposes. |
|
[Steve Henson] |
|
|
|
*) Add a CRYPTO_EX_DATA to X509 certificate structure and associated |
|
functions. |
|
[Steve Henson] |
|
|
|
*) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search |
|
for, obtain and decode and extension and obtain its critical flag. |
|
This allows all the necessary extension code to be handled in a |
|
single function call. |
|
[Steve Henson] |
|
|
|
*) RC4 tune-up featuring 30-40% performance improvement on most RISC |
|
platforms. See crypto/rc4/rc4_enc.c for further details. |
|
[Andy Polyakov] |
|
|
|
*) New -noout option to asn1parse. This causes no output to be produced |
|
its main use is when combined with -strparse and -out to extract data |
|
from a file (which may not be in ASN.1 format). |
|
[Steve Henson] |
|
|
|
*) Fix for pkcs12 program. It was hashing an invalid certificate pointer |
|
when producing the local key id. |
|
[Richard Levitte <levitte@stacken.kth.se>] |
|
|
|
*) New option -dhparam in s_server. This allows a DH parameter file to be |
|
stated explicitly. If it is not stated then it tries the first server |
|
certificate file. The previous behaviour hard coded the filename |
|
"server.pem". |
|
[Steve Henson] |
|
|
|
*) Add -pubin and -pubout options to the rsa and dsa commands. These allow |
|
a public key to be input or output. For example: |
|
openssl rsa -in key.pem -pubout -out pubkey.pem |
|
Also added necessary DSA public key functions to handle this. |
|
[Steve Henson] |
|
|
|
*) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained |
|
in the message. This was handled by allowing |
|
X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. |
|
[Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>] |
|
|
|
*) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null |
|
to the end of the strings whereas this didn't. This would cause problems |
|
if strings read with d2i_ASN1_bytes() were later modified. |
|
[Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>] |
|
|
|
*) Fix for base64 decode bug. When a base64 bio reads only one line of |
|
data and it contains EOF it will end up returning an error. This is |
|
caused by input 46 bytes long. The cause is due to the way base64 |
|
BIOs find the start of base64 encoded data. They do this by trying a |
|
trial decode on each line until they find one that works. When they |
|
do a flag is set and it starts again knowing it can pass all the |
|
data directly through the decoder. Unfortunately it doesn't reset |
|
the context it uses. This means that if EOF is reached an attempt |
|
is made to pass two EOFs through the context and this causes the |
|
resulting error. This can also cause other problems as well. As is |
|
usual with these problems it takes *ages* to find and the fix is |
|
trivial: move one line. |
|
[Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ] |
|
|
|
*) Ugly workaround to get s_client and s_server working under Windows. The |
|
old code wouldn't work because it needed to select() on sockets and the |
|
tty (for keypresses and to see if data could be written). Win32 only |
|
supports select() on sockets so we select() with a 1s timeout on the |
|
sockets and then see if any characters are waiting to be read, if none |
|
are present then we retry, we also assume we can always write data to |
|
the tty. This isn't nice because the code then blocks until we've |
|
received a complete line of data and it is effectively polling the |
|
keyboard at 1s intervals: however it's quite a bit better than not |
|
working at all :-) A dedicated Windows application might handle this |
|
with an event loop for example. |
|
[Steve Henson] |
|
|
|
*) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign |
|
and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions |
|
will be called when RSA_sign() and RSA_verify() are used. This is useful |
|
if rsa_pub_dec() and rsa_priv_enc() equivalents are not available. |
|
For this to work properly RSA_public_decrypt() and RSA_private_encrypt() |
|
should *not* be used: RSA_sign() and RSA_verify() must be used instead. |
|
This necessitated the support of an extra signature type NID_md5_sha1 |
|
for SSL signatures and modifications to the SSL library to use it instead |
|
of calling RSA_public_decrypt() and RSA_private_encrypt(). |
|
[Steve Henson] |
|
|
|
*) Add new -verify -CAfile and -CApath options to the crl program, these |
|
will lookup a CRL issuers certificate and verify the signature in a |
|
similar way to the verify program. Tidy up the crl program so it |
|
no longer accesses structures directly. Make the ASN1 CRL parsing a bit |
|
less strict. It will now permit CRL extensions even if it is not |
|
a V2 CRL: this will allow it to tolerate some broken CRLs. |
|
[Steve Henson] |
|
|
|
*) Initialize all non-automatic variables each time one of the openssl |
|
sub-programs is started (this is necessary as they may be started |
|
multiple times from the "OpenSSL>" prompt). |
|
[Lennart Bang, Bodo Moeller] |
|
|
|
*) Preliminary compilation option RSA_NULL which disables RSA crypto without |
|
removing all other RSA functionality (this is what NO_RSA does). This |
|
is so (for example) those in the US can disable those operations covered |
|
by the RSA patent while allowing storage and parsing of RSA keys and RSA |
|
key generation. |
|
[Steve Henson] |
|
|
|
*) Non-copying interface to BIO pairs. |
|
(still largely untested) |
|
[Bodo Moeller] |
|
|
|
*) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive |
|
ASCII string. This was handled independently in various places before. |
|
[Steve Henson] |
|
|
|
*) New functions UTF8_getc() and UTF8_putc() that parse and generate |
|
UTF8 strings a character at a time. |
|
[Steve Henson] |
|
|
|
*) Use client_version from client hello to select the protocol |
|
(s23_srvr.c) and for RSA client key exchange verification |
|
(s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. |
|
[Bodo Moeller] |
|
|
|
*) Add various utility functions to handle SPKACs, these were previously |
|
handled by poking round in the structure internals. Added new function |
|
NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to |
|
print, verify and generate SPKACs. Based on an original idea from |
|
Massimiliano Pala <madwolf@comune.modena.it> but extensively modified. |
|
[Steve Henson] |
|
|
|
*) RIPEMD160 is operational on all platforms and is back in 'make test'. |
|
[Andy Polyakov] |
|
|
|
*) Allow the config file extension section to be overwritten on the |
|
command line. Based on an original idea from Massimiliano Pala |
|
<madwolf@comune.modena.it>. The new option is called -extensions |
|
and can be applied to ca, req and x509. Also -reqexts to override |
|
the request extensions in req and -crlexts to override the crl extensions |
|
in ca. |
|
[Steve Henson] |
|
|
|
*) Add new feature to the SPKAC handling in ca. Now you can include |
|
the same field multiple times by preceding it by "XXXX." for example: |
|
1.OU="Unit name 1" |
|
2.OU="Unit name 2" |
|
this is the same syntax as used in the req config file. |
|
[Steve Henson] |
|
|
|
*) Allow certificate extensions to be added to certificate requests. These |
|
are specified in a 'req_extensions' option of the req section of the |
|
config file. They can be printed out with the -text option to req but |
|
are otherwise ignored at present. |
|
[Steve Henson] |
|
|
|
*) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first |
|
data read consists of only the final block it would not decrypted because |
|
EVP_CipherUpdate() would correctly report zero bytes had been decrypted. |
|
A misplaced 'break' also meant the decrypted final block might not be |
|
copied until the next read. |
|
[Steve Henson] |
|
|
|
*) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added |
|
a few extra parameters to the DH structure: these will be useful if |
|
for example we want the value of 'q' or implement X9.42 DH. |
|
[Steve Henson] |
|
|
|
*) Initial support for DSA_METHOD. This is based on the RSA_METHOD and |
|
provides hooks that allow the default DSA functions or functions on a |
|
"per key" basis to be replaced. This allows hardware acceleration and |
|
hardware key storage to be handled without major modification to the |
|
library. Also added low level modexp hooks and CRYPTO_EX structure and |
|
associated functions. |
|
[Steve Henson] |
|
|
|
*) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO |
|
as "read only": it can't be written to and the buffer it points to will |
|
not be freed. Reading from a read only BIO is much more efficient than |
|
a normal memory BIO. This was added because there are several times when |
|
an area of memory needs to be read from a BIO. The previous method was |
|
to create a memory BIO and write the data to it, this results in two |
|
copies of the data and an O(n^2) reading algorithm. There is a new |
|
function BIO_new_mem_buf() which creates a read only memory BIO from |
|
an area of memory. Also modified the PKCS#7 routines to use read only |
|
memory BIOs. |
|
[Steve Henson] |
|
|
|
*) Bugfix: ssl23_get_client_hello did not work properly when called in |
|
state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of |
|
a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, |
|
but a retry condition occured while trying to read the rest. |
|
[Bodo Moeller] |
|
|
|
*) The PKCS7_ENC_CONTENT_new() function was setting the content type as |
|
NID_pkcs7_encrypted by default: this was wrong since this should almost |
|
always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle |
|
the encrypted data type: this is a more sensible place to put it and it |
|
allows the PKCS#12 code to be tidied up that duplicated this |
|
functionality. |
|
[Steve Henson] |
|
|
|
*) Changed obj_dat.pl script so it takes its input and output files on |
|
the command line. This should avoid shell escape redirection problems |
|
under Win32. |
|
[Steve Henson] |
|
|
|
*) Initial support for certificate extension requests, these are included |
|
in things like Xenroll certificate requests. Included functions to allow |
|
extensions to be obtained and added. |
|
[Steve Henson] |
|
|
|
*) -crlf option to s_client and s_server for sending newlines as |
|
CRLF (as required by many protocols). |
|
[Bodo Moeller] |
|
|
|
Changes between 0.9.3a and 0.9.4 [09 Aug 1999] |
|
|
|
*) Install libRSAglue.a when OpenSSL is built with RSAref. |
|
[Ralf S. Engelschall] |
|
|
|
*) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. |
|
[Andrija Antonijevic <TheAntony2@bigfoot.com>] |
|
|
|
*) Fix -startdate and -enddate (which was missing) arguments to 'ca' |
|
program. |
|
[Steve Henson] |
|
|
|
*) New function DSA_dup_DH, which duplicates DSA parameters/keys as |
|
DH parameters/keys (q is lost during that conversion, but the resulting |
|
DH parameters contain its length). |
|
|
|
For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is |
|
much faster than DH_generate_parameters (which creates parameters |
|
where p = 2*q + 1), and also the smaller q makes DH computations |
|
much more efficient (160-bit exponentiation instead of 1024-bit |
|
exponentiation); so this provides a convenient way to support DHE |
|
ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of |
|
utter importance to use |
|
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); |
|
or |
|
SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); |
|
when such DH parameters are used, because otherwise small subgroup |
|
attacks may become possible! |
|
[Bodo Moeller] |
|
|
|
*) Avoid memory leak in i2d_DHparams. |
|
[Bodo Moeller] |
|
|
|
*) Allow the -k option to be used more than once in the enc program: |
|
this allows the same encrypted message to be read by multiple recipients. |
|
[Steve Henson] |
|
|
|
*) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts |
|
an ASN1_OBJECT to a text string. If the "no_name" parameter is set then |
|
it will always use the numerical form of the OID, even if it has a short |
|
or long name. |
|
[Steve Henson] |
|
|
|
*) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp |
|
method only got called if p,q,dmp1,dmq1,iqmp components were present, |
|
otherwise bn_mod_exp was called. In the case of hardware keys for example |
|
no private key components need be present and it might store extra data |
|
in the RSA structure, which cannot be accessed from bn_mod_exp. |
|
By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for |
|
private key operations. |
|
[Steve Henson] |
|
|
|
*) Added support for SPARC Linux. |
|
[Andy Polyakov] |
|
|
|
*) pem_password_cb function type incompatibly changed from |
|
typedef int pem_password_cb(char *buf, int size, int rwflag); |
|
to |
|
....(char *buf, int size, int rwflag, void *userdata); |
|
so that applications can pass data to their callbacks: |
|
The PEM[_ASN1]_{read,write}... functions and macros now take an |
|
additional void * argument, which is just handed through whenever |
|
the password callback is called. |
|
[Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller] |
|
|
|
New function SSL_CTX_set_default_passwd_cb_userdata. |
|
|
|
Compatibility note: As many C implementations push function arguments |
|
onto the stack in reverse order, the new library version is likely to |
|
interoperate with programs that have been compiled with the old |
|
pem_password_cb definition (PEM_whatever takes some data that |
|
happens to be on the stack as its last argument, and the callback |
|
just ignores this garbage); but there is no guarantee whatsoever that |
|
this will work. |
|
|
|
*) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... |
|
(both in crypto/Makefile.ssl for use by crypto/cversion.c) caused |
|
problems not only on Windows, but also on some Unix platforms. |
|
To avoid problematic command lines, these definitions are now in an |
|
auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl |
|
for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). |
|
[Bodo Moeller] |
|
|
|
*) MIPS III/IV assembler module is reimplemented. |
|
[Andy Polyakov] |
|
|
|
*) More DES library cleanups: remove references to srand/rand and |
|
delete an unused file. |
|
[Ulf Möller] |
|
|
|
*) Add support for the the free Netwide assembler (NASM) under Win32, |
|
since not many people have MASM (ml) and it can be hard to obtain. |
|
This is currently experimental but it seems to work OK and pass all |
|
the tests. Check out INSTALL.W32 for info. |
|
[Steve Henson] |
|
|
|
*) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections |
|
without temporary keys kept an extra copy of the server key, |
|
and connections with temporary keys did not free everything in case |
|
of an error. |
|
[Bodo Moeller] |
|
|
|
*) New function RSA_check_key and new openssl rsa option -check |
|
for verifying the consistency of RSA keys. |
|
[Ulf Moeller, Bodo Moeller] |
|
|
|
*) Various changes to make Win32 compile work: |
|
1. Casts to avoid "loss of data" warnings in p5_crpt2.c |
|
2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned |
|
comparison" warnings. |
|
3. Add sk_<TYPE>_sort to DEF file generator and do make update. |
|
[Steve Henson] |
|
|
|
*) Add a debugging option to PKCS#5 v2 key generation function: when |
|
you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and |
|
derived keys are printed to stderr. |
|
[Steve Henson] |
|
|
|
*) Copy the flags in ASN1_STRING_dup(). |
|
[Roman E. Pavlov <pre@mo.msk.ru>] |
|
|
|
*) The x509 application mishandled signing requests containing DSA |
|
keys when the signing key was also DSA and the parameters didn't match. |
|
|
|
It was supposed to omit the parameters when they matched the signing key: |
|
the verifying software was then supposed to automatically use the CA's |
|
parameters if they were absent from the end user certificate. |
|
|
|
Omitting parameters is no longer recommended. The test was also |
|
the wrong way round! This was probably due to unusual behaviour in |
|
EVP_cmp_parameters() which returns 1 if the parameters match. |
|
This meant that parameters were omitted when they *didn't* match and |
|
the certificate was useless. Certificates signed with 'ca' didn't have |
|
this bug. |
|
[Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>] |
|
|
|
*) Memory leak checking (-DCRYPTO_MDEBUG) had some problems. |
|
The interface is as follows: |
|
Applications can use |
|
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), |
|
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop(); |
|
"off" is now the default. |
|
The library internally uses |
|
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(), |
|
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on() |
|
to disable memory-checking temporarily. |
|
|
|
Some inconsistent states that previously were possible (and were |
|
even the default) are now avoided. |
|
|
|
-DCRYPTO_MDEBUG_TIME is new and additionally stores the current time |
|
with each memory chunk allocated; this is occasionally more helpful |
|
than just having a counter. |
|
|
|
-DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID. |
|
|
|
-DCRYPTO_MDEBUG_ALL enables all of the above, plus any future |
|
extensions. |
|
[Bodo Moeller] |
|
|
|
*) Introduce "mode" for SSL structures (with defaults in SSL_CTX), |
|
which largely parallels "options", but is for changing API behaviour, |
|
whereas "options" are about protocol behaviour. |
|
Initial "mode" flags are: |
|
|
|
SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when |
|
a single record has been written. |
|
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write |
|
retries use the same buffer location. |
|
(But all of the contents must be |
|
copied!) |
|
[Bodo Moeller] |
|
|
|
*) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options |
|
worked. |
|
|
|
*) Fix problems with no-hmac etc. |
|
[Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>] |
|
|
|
*) New functions RSA_get_default_method(), RSA_set_method() and |
|
RSA_get_method(). These allows replacement of RSA_METHODs without having |
|
to mess around with the internals of an RSA structure. |
|
[Steve Henson] |
|
|
|
*) Fix memory leaks in DSA_do_sign and DSA_is_prime. |
|
Also really enable memory leak checks in openssl.c and in some |
|
test programs. |
|
[Chad C. Mulligan, Bodo Moeller] |
|
|
|
*) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess |
|
up the length of negative integers. This has now been simplified to just |
|
store the length when it is first determined and use it later, rather |
|
than trying to keep track of where data is copied and updating it to |
|
point to the end. |
|
[Steve Henson, reported by Brien Wheeler |
|
<bwheeler@authentica-security.com>] |
|
|
|
*) Add a new function PKCS7_signatureVerify. This allows the verification |
|
of a PKCS#7 signature but with the signing certificate passed to the |
|
function itself. This contrasts with PKCS7_dataVerify which assumes the |
|
certificate is present in the PKCS#7 structure. This isn't always the |
|
case: certificates can be omitted from a PKCS#7 structure and be |
|
distributed by "out of band" means (such as a certificate database). |
|
[Steve Henson] |
|
|
|
*) Complete the PEM_* macros with DECLARE_PEM versions to replace the |
|
function prototypes in pem.h, also change util/mkdef.pl to add the |
|
necessary function names. |
|
[Steve Henson] |
|
|
|
*) mk1mf.pl (used by Windows builds) did not properly read the |
|
options set by Configure in the top level Makefile, and Configure |
|
was not even able to write more than one option correctly. |
|
Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended. |
|
[Bodo Moeller] |
|
|
|
*) New functions CONF_load_bio() and CONF_load_fp() to allow a config |
|
file to be loaded from a BIO or FILE pointer. The BIO version will |
|
for example allow memory BIOs to contain config info. |
|
[Steve Henson] |
|
|
|
*) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS. |
|
Whoever hopes to achieve shared-library compatibility across versions |
|
must use this, not the compile-time macro. |
|
(Exercise 0.9.4: Which is the minimum library version required by |
|
such programs?) |
|
Note: All this applies only to multi-threaded programs, others don't |
|
need locks. |
|
[Bodo Moeller] |
|
|
|
*) Add missing case to s3_clnt.c state machine -- one of the new SSL tests |
|
through a BIO pair triggered the default case, i.e. |
|
SSLerr(...,SSL_R_UNKNOWN_STATE). |
|
[Bodo Moeller] |
|
|
|
*) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications |
|
can use the SSL library even if none of the specific BIOs is |
|
appropriate. |
|
[Bodo Moeller] |
|
|
|
*) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value |
|
for the encoded length. |
|
[Jeon KyoungHo <khjeon@sds.samsung.co.kr>] |
|
|
|
*) Add initial documentation of the X509V3 functions. |
|
[Steve Henson] |
|
|
|
*) Add a new pair of functions PEM_write_PKCS8PrivateKey() and |
|
PEM_write_bio_PKCS8PrivateKey() that are equivalent to |
|
PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more |
|
secure PKCS#8 private key format with a high iteration count. |
|
[Steve Henson] |
|
|
|
*) Fix determination of Perl interpreter: A perl or perl5 |
|
_directory_ in $PATH was also accepted as the interpreter. |
|
[Ralf S. Engelschall] |
|
|
|
*) Fix demos/sign/sign.c: well there wasn't anything strictly speaking |
|
wrong with it but it was very old and did things like calling |
|
PEM_ASN1_read() directly and used MD5 for the hash not to mention some |
|
unusual formatting. |
|
[Steve Henson] |
|
|
|
*) Fix demos/selfsign.c: it used obsolete and deleted functions, changed |
|
to use the new extension code. |
|
[Steve Henson] |
|
|
|
*) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c |
|
with macros. This should make it easier to change their form, add extra |
|
arguments etc. Fix a few PEM prototypes which didn't have cipher as a |
|
constant. |
|
[Steve Henson] |
|
|
|
*) Add to configuration table a new entry that can specify an alternative |
|
name for unistd.h (for pre-POSIX systems); we need this for NeXTstep, |
|
according to Mark Crispin <MRC@Panda.COM>. |
|
[Bodo Moeller] |
|
|
|
#if 0 |
|
*) DES CBC did not update the IV. Weird. |
|
[Ben Laurie] |
|
#else |
|
des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does. |
|
Changing the behaviour of the former might break existing programs -- |
|
where IV updating is needed, des_ncbc_encrypt can be used. |
|
#endif |
|
|
|
*) When bntest is run from "make test" it drives bc to check its |
|
calculations, as well as internally checking them. If an internal check |
|
fails, it needs to cause bc to give a non-zero result or make test carries |
|
on without noticing the failure. Fixed. |
|
[Ben Laurie] |
|
|
|
*) DES library cleanups. |
|
[Ulf Möller] |
|
|
|
*) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be |
|
used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit |
|
ciphers. NOTE: although the key derivation function has been verified |
|
against some published test vectors it has not been extensively tested |
|
yet. Added a -v2 "cipher" option to pkcs8 application to allow the use |
|
of v2.0. |
|
[Steve Henson] |
|
|
|
*) Instead of "mkdir -p", which is not fully portable, use new |
|
Perl script "util/mkdir-p.pl". |
|
[Bodo Moeller] |
|
|
|
*) Rewrite the way password based encryption (PBE) is handled. It used to |
|
assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter |
|
structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms |
|
but doesn't apply to PKCS#5 v2.0 where it can be something else. Now |
|
the 'parameter' field of the AlgorithmIdentifier is passed to the |
|
underlying key generation function so it must do its own ASN1 parsing. |
|
This has also changed the EVP_PBE_CipherInit() function which now has a |
|
'parameter' argument instead of literal salt and iteration count values |
|
and the function EVP_PBE_ALGOR_CipherInit() has been deleted. |
|
[Steve Henson] |
|
|
|
*) Support for PKCS#5 v1.5 compatible password based encryption algorithms |
|
and PKCS#8 functionality. New 'pkcs8' application linked to openssl. |
|
Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE |
|
KEY" because this clashed with PKCS#8 unencrypted string. Since this |
|
value was just used as a "magic string" and not used directly its |
|
value doesn't matter. |
|
[Steve Henson] |
|
|
|
*) Introduce some semblance of const correctness to BN. Shame C doesn't |
|
support mutable. |
|
[Ben Laurie] |
|
|
|
*) "linux-sparc64" configuration (ultrapenguin). |
|
[Ray Miller <ray.miller@oucs.ox.ac.uk>] |
|
"linux-sparc" configuration. |
|
[Christian Forster <fo@hawo.stw.uni-erlangen.de>] |
|
|
|
*) config now generates no-xxx options for missing ciphers. |
|
[Ulf Möller] |
|
|
|
*) Support the EBCDIC character set (work in progress). |
|
File ebcdic.c not yet included because it has a different license. |
|
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] |
|
|
|
*) Support BS2000/OSD-POSIX. |
|
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] |
|
|
|
*) Make callbacks for key generation use void * instead of char *. |
|
[Ben Laurie] |
|
|
|
*) Make S/MIME samples compile (not yet tested). |
|
[Ben Laurie] |
|
|
|
*) Additional typesafe stacks. |
|
[Ben Laurie] |
|
|
|
*) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x). |
|
[Bodo Moeller] |
|
|
|
|
|
Changes between 0.9.3 and 0.9.3a [29 May 1999] |
|
|
|
*) New configuration variant "sco5-gcc". |
|
|
|
*) Updated some demos. |
|
[Sean O Riordain, Wade Scholine] |
|
|
|
*) Add missing BIO_free at exit of pkcs12 application. |
|
[Wu Zhigang] |
|
|
|
*) Fix memory leak in conf.c. |
|
[Steve Henson] |
|
|
|
*) Updates for Win32 to assembler version of MD5. |
|
[Steve Henson] |
|
|
|
*) Set #! path to perl in apps/der_chop to where we found it |
|
instead of using a fixed path. |
|
[Bodo Moeller] |
|
|
|
*) SHA library changes for irix64-mips4-cc. |
|
[Andy Polyakov] |
|
|
|
*) Improvements for VMS support. |
|
[Richard Levitte] |
|
|
|
|
|
Changes between 0.9.2b and 0.9.3 [24 May 1999] |
|
|
|
*) Bignum library bug fix. IRIX 6 passes "make test" now! |
|
This also avoids the problems with SC4.2 and unpatched SC5. |
|
[Andy Polyakov <appro@fy.chalmers.se>] |
|
|
|
*) New functions sk_num, sk_value and sk_set to replace the previous macros. |
|
These are required because of the typesafe stack would otherwise break |
|
existing code. If old code used a structure member which used to be STACK |
|
and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with |
|
sk_num or sk_value it would produce an error because the num, data members |
|
are not present in STACK_OF. Now it just produces a warning. sk_set |
|
replaces the old method of assigning a value to sk_value |
|
(e.g. sk_value(x, i) = y) which the library used in a few cases. Any code |
|
that does this will no longer work (and should use sk_set instead) but |
|
this could be regarded as a "questionable" behaviour anyway. |
|
[Steve Henson] |
|
|
|
*) Fix most of the other PKCS#7 bugs. The "experimental" code can now |
|
correctly handle encrypted S/MIME data. |
|
[Steve Henson] |
|
|
|
*) Change type of various DES function arguments from des_cblock |
|
(which means, in function argument declarations, pointer to char) |
|
to des_cblock * (meaning pointer to array with 8 char elements), |
|
which allows the compiler to do more typechecking; it was like |
|
that back in SSLeay, but with lots of ugly casts. |
|
|
|
Introduce new type const_des_cblock. |
|
[Bodo Moeller] |
|
|
|
*) Reorganise the PKCS#7 library and get rid of some of the more obvious |
|
problems: find RecipientInfo structure that matches recipient certificate |
|
and initialise the ASN1 structures properly based on passed cipher. |
|
[Steve Henson] |
|
|
|
*) Belatedly make the BN tests actually check the results. |
|
[Ben Laurie] |
|
|
|
*) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion |
|
to and from BNs: it was completely broken. New compilation option |
|
NEG_PUBKEY_BUG to allow for some broken certificates that encode public |
|
key elements as negative integers. |
|
[Steve Henson] |
|
|
|
*) Reorganize and speed up MD5. |
|
[Andy Polyakov <appro@fy.chalmers.se>] |
|
|
|
*) VMS support. |
|
[Richard Levitte <richard@levitte.org>] |
|
|
|
*) New option -out to asn1parse to allow the parsed structure to be |
|
output to a file. This is most useful when combined with the -strparse |
|
option to examine the output of things like OCTET STRINGS. |
|
[Steve Henson] |
|
|
|
*) Make SSL library a little more fool-proof by not requiring any longer |
|
that SSL_set_{accept,connect}_state be called before |
|
SSL_{accept,connect} may be used (SSL_set_..._state is omitted |
|
in many applications because usually everything *appeared* to work as |
|
intended anyway -- now it really works as intended). |
|
[Bodo Moeller] |
|
|
|
*) Move openssl.cnf out of lib/. |
|
[Ulf Möller] |
|
|
|
*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall |
|
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes |
|
-Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ |
|
[Ralf S. Engelschall] |
|
|
|
*) Various fixes to the EVP and PKCS#7 code. It may now be able to |
|
handle PKCS#7 enveloped data properly. |
|
[Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve] |
|
|
|
*) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of |
|
copying pointers. The cert_st handling is changed by this in |
|
various ways (and thus what used to be known as ctx->default_cert |
|
is now called ctx->cert, since we don't resort to s->ctx->[default_]cert |
|
any longer when s->cert does not give us what we need). |
|
ssl_cert_instantiate becomes obsolete by this change. |
|
As soon as we've got the new code right (possibly it already is?), |
|
we have solved a couple of bugs of the earlier code where s->cert |
|
was used as if it could not have been shared with other SSL structures. |
|
|
|
Note that using the SSL API in certain dirty ways now will result |
|
in different behaviour than observed with earlier library versions: |
|
Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx) |
|
does not influence s as it used to. |
|
|
|
In order to clean up things more thoroughly, inside SSL_SESSION |
|
we don't use CERT any longer, but a new structure SESS_CERT |
|
that holds per-session data (if available); currently, this is |
|
the peer's certificate chain and, for clients, the server's certificate |
|
and temporary key. CERT holds only those values that can have |
|
meaningful defaults in an SSL_CTX. |
|
[Bodo Moeller] |
|
|
|
*) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure |
|
from the internal representation. Various PKCS#7 fixes: remove some |
|
evil casts and set the enc_dig_alg field properly based on the signing |
|
key type. |
|
[Steve Henson] |
|
|
|
*) Allow PKCS#12 password to be set from the command line or the |
|
environment. Let 'ca' get its config file name from the environment |
|
variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req' |
|
and 'x509'). |
|
[Steve Henson] |
|
|
|
*) Allow certificate policies extension to use an IA5STRING for the |
|
organization field. This is contrary to the PKIX definition but |
|
VeriSign uses it and IE5 only recognises this form. Document 'x509' |
|
extension option. |
|
[Steve Henson] |
|
|
|
*) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic, |
|
without disallowing inline assembler and the like for non-pedantic builds. |
|
[Ben Laurie] |
|
|
|
*) Support Borland C++ builder. |
|
[Janez Jere <jj@void.si>, modified by Ulf Möller] |
|
|
|
*) Support Mingw32. |
|
[Ulf Möller] |
|
|
|
*) SHA-1 cleanups and performance enhancements. |
|
[Andy Polyakov <appro@fy.chalmers.se>] |
|
|
|
*) Sparc v8plus assembler for the bignum library. |
|
[Andy Polyakov <appro@fy.chalmers.se>] |
|
|
|
*) Accept any -xxx and +xxx compiler options in Configure. |
|
[Ulf Möller] |
|
|
|
*) Update HPUX configuration. |
|
[Anonymous] |
|
|
|
*) Add missing sk_<type>_unshift() function to safestack.h |
|
[Ralf S. Engelschall] |
|
|
|
*) New function SSL_CTX_use_certificate_chain_file that sets the |
|
"extra_cert"s in addition to the certificate. (This makes sense |
|
only for "PEM" format files, as chains as a whole are not |
|
DER-encoded.) |
|
[Bodo Moeller] |
|
|
|
*) Support verify_depth from the SSL API. |
|
x509_vfy.c had what can be considered an off-by-one-error: |
|
Its depth (which was not part of the external interface) |
|
was actually counting the number of certificates in a chain; |
|
now it really counts the depth. |
|
[Bodo Moeller] |
|
|
|
*) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used |
|
instead of X509err, which often resulted in confusing error |
|
messages since the error codes are not globally unique |
|
(e.g. an alleged error in ssl3_accept when a certificate |
|
didn't match the private key). |
|
|
|
*) New function SSL_CTX_set_session_id_context that allows to set a default |
|
value (so that you don't need SSL_set_session_id_context for each |
|
connection using the SSL_CTX). |
|
[Bodo Moeller] |
|
|
|
*) OAEP decoding bug fix. |
|
[Ulf Möller] |
|
|
|
*) Support INSTALL_PREFIX for package builders, as proposed by |
|
David Harris. |
|
[Bodo Moeller] |
|
|
|
*) New Configure options "threads" and "no-threads". For systems |
|
where the proper compiler options are known (currently Solaris |
|
and Linux), "threads" is the default. |
|
[Bodo Moeller] |
|
|
|
*) New script util/mklink.pl as a faster substitute for util/mklink.sh. |
|
[Bodo Moeller] |
|
|
|
*) Install various scripts to $(OPENSSLDIR)/misc, not to |
|
$(INSTALLTOP)/bin -- they shouldn't clutter directories |
|
such as /usr/local/bin. |
|
[Bodo Moeller] |
|
|
|
*) "make linux-shared" to build shared libraries. |
|
[Niels Poppe <niels@netbox.org>] |
|
|
|
*) New Configure option no-<cipher> (rsa, idea, rc5, ...). |
|
[Ulf Möller] |
|
|
|
*) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for |
|
extension adding in x509 utility. |
|
[Steve Henson] |
|
|
|
*) Remove NOPROTO sections and error code comments. |
|
[Ulf Möller] |
|
|
|
*) Partial rewrite of the DEF file generator to now parse the ANSI |
|
prototypes. |
|
[Steve Henson] |
|
|
|
*) New Configure options --prefix=DIR and --openssldir=DIR. |
|
[Ulf Möller] |
|
|
|
*) Complete rewrite of the error code script(s). It is all now handled |
|
by one script at the top level which handles error code gathering, |
|
header rewriting and C source file generation. It should be much better |
|
than the old method: it now uses a modified version of Ulf's parser to |
|
read the ANSI prototypes in all header files (thus the old K&R definitions |
|
aren't needed for error creation any more) and do a better job of |
|
translating function codes into names. The old 'ASN1 error code imbedded |
|
in a comment' is no longer necessary and it doesn't use .err files which |
|
have now been deleted. Also the error code call doesn't have to appear all |
|
on one line (which resulted in some large lines...). |
|
[Steve Henson] |
|
|
|
*) Change #include filenames from <foo.h> to <openssl/foo.h>. |
|
[Bodo Moeller] |
|
|
|
*) Change behaviour of ssl2_read when facing length-0 packets: Don't return |
|
0 (which usually indicates a closed connection), but continue reading. |
|
[Bodo Moeller] |
|
|
|
*) Fix some race conditions. |
|
[Bodo Moeller] |
|
|
|
*) Add support for CRL distribution points extension. Add Certificate |
|
Policies and CRL distribution points documentation. |
|
[Steve Henson] |
|
|
|
*) Move the autogenerated header file parts to crypto/opensslconf.h. |
|
[Ulf Möller] |
|
|
|
*) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of |
|
8 of keying material. Merlin has also confirmed interop with this fix |
|
between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0. |
|
[Merlin Hughes <merlin@baltimore.ie>] |
|
|
|
*) Fix lots of warnings. |
|
[Richard Levitte <levitte@stacken.kth.se>] |
|
|
|
*) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if |
|
the directory spec didn't end with a LIST_SEPARATOR_CHAR. |
|
[Richard Levitte <levitte@stacken.kth.se>] |
|
|
|
*) Fix problems with sizeof(long) == 8. |
|
[Andy Polyakov <appro@fy.chalmers.se>] |
|
|
|
*) Change functions to ANSI C. |
|
[Ulf Möller] |
|
|
|
*) Fix typos in error codes. |
|
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller] |
|
|
|
*) Remove defunct assembler files from Configure. |
|
[Ulf Möller] |
|
|
|
*) SPARC v8 assembler BIGNUM implementation. |
|
[Andy Polyakov <appro@fy.chalmers.se>] |
|
|
|
*) Support for Certificate Policies extension: both print and set. |
|
Various additions to support the r2i method this uses. |
|
[Steve Henson] |
|
|
|
*) A lot of constification, and fix a bug in X509_NAME_oneline() that could |
|
return a const string when you are expecting an allocated buffer. |
|
[Ben Laurie] |
|
|
|
*) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE |
|
types DirectoryString and DisplayText. |
|
[Steve Henson] |
|
|
|
*) Add code to allow r2i extensions to access the configuration database, |
|
add an LHASH database driver and add several ctx helper functions. |
|
[Steve Henson] |
|
|
|
*) Fix an evil bug in bn_expand2() which caused various BN functions to |
|
fail when they extended the size of a BIGNUM. |
|
[Steve Henson] |
|
|
|
*) Various utility functions to handle SXNet extension. Modify mkdef.pl to |
|
support typesafe stack. |
|
[Steve Henson] |
|
|
|
*) Fix typo in SSL_[gs]et_options(). |
|
[Nils Frostberg <nils@medcom.se>] |
|
|
|
*) Delete various functions and files that belonged to the (now obsolete) |
|
old X509V3 handling code. |
|
[Steve Henson] |
|
|
|
*) New Configure option "rsaref". |
|
[Ulf Möller] |
|
|
|
*) Don't auto-generate pem.h. |
|
[Bodo Moeller] |
|
|
|
*) Introduce type-safe ASN.1 SETs. |
|
[Ben Laurie] |
|
|
|
*) Convert various additional casted stacks to type-safe STACK_OF() variants. |
|
[Ben Laurie, Ralf S. Engelschall, Steve Henson] |
|
|
|
*) Introduce type-safe STACKs. This will almost certainly break lots of code |
|
that links with OpenSSL (well at least cause lots of warnings), but fear |
|
not: the conversion is trivial, and it eliminates loads of evil casts. A |
|
few STACKed things have been converted already. Feel free to convert more. |
|
In the fullness of time, I'll do away with the STACK type altogether. |
|
[Ben Laurie] |
|
|
|
*) Add `openssl ca -revoke <certfile>' facility which revokes a certificate |
|
specified in <certfile> by updating the entry in the index.txt file. |
|
This way one no longer has to edit the index.txt file manually for |
|
revoking a certificate. The -revoke option does the gory details now. |
|
[Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall] |
|
|
|
*) Fix `openssl crl -noout -text' combination where `-noout' killed the |
|
`-text' option at all and this way the `-noout -text' combination was |
|
inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'. |
|
[Ralf S. Engelschall] |
|
|
|
*) Make sure a corresponding plain text error message exists for the |
|
X509_V_ERR_CERT_REVOKED/23 error number which can occur when a |
|
verify callback function determined that a certificate was revoked. |
|
[Ralf S. Engelschall] |
|
|
|
*) Bugfix: In test/testenc, don't test "openssl <cipher>" for |
|
ciphers that were excluded, e.g. by -DNO_IDEA. Also, test |
|
all available cipers including rc5, which was forgotten until now. |
|
In order to let the testing shell script know which algorithms |
|
are available, a new (up to now undocumented) command |
|
"openssl list-cipher-commands" is used. |
|
[Bodo Moeller] |
|
|
|
*) Bugfix: s_client occasionally would sleep in select() when |
|
it should have checked SSL_pending() first. |
|
[Bodo Moeller] |
|
|
|
*) New functions DSA_do_sign and DSA_do_verify to provide access to |
|
the raw DSA values prior to ASN.1 encoding. |
|
[Ulf Möller] |
|
|
|
*) Tweaks to Configure |
|
[Niels Poppe <niels@netbox.org>] |
|
|
|
*) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, |
|
yet... |
|
[Steve Henson] |
|
|
|
*) New variables $(RANLIB) and $(PERL) in the Makefiles. |
|
[Ulf Möller] |
|
|
|
*) New config option to avoid instructions that are illegal on the 80386. |
|
The default code is faster, but requires at least a 486. |
|
[Ulf Möller] |
|
|
|
*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and |
|
SSL2_SERVER_VERSION (not used at all) macros, which are now the |
|
same as SSL2_VERSION anyway. |
|
[Bodo Moeller] |
|
|
|
*) New "-showcerts" option for s_client. |
|
[Bodo Moeller] |
|
|
|
*) Still more PKCS#12 integration. Add pkcs12 application to openssl |
|
application. Various cleanups and fixes. |
|
[Steve Henson] |
|
|
|
*) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and |
|
modify error routines to work internally. Add error codes and PBE init |
|
to library startup routines. |
|
[Steve Henson] |
|
|
|
*) Further PKCS#12 integration. Added password based encryption, PKCS#8 and |
|
packing functions to asn1 and evp. Changed function names and error |
|
codes along the way. |
|
[Steve Henson] |
|
|
|
*) PKCS12 integration: and so it begins... First of several patches to |
|
slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12 |
|
objects to objects.h |
|
[Steve Henson] |
|
|
|
*) Add a new 'indent' option to some X509V3 extension code. Initial ASN1 |
|
and display support for Thawte strong extranet extension. |
|
[Steve Henson] |
|
|
|
*) Add LinuxPPC support. |
|
[Jeff Dubrule <igor@pobox.org>] |
|
|
|
*) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to |
|
bn_div_words in alpha.s. |
|
[Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie] |
|
|
|
*) Make sure the RSA OAEP test is skipped under -DRSAref because |
|
OAEP isn't supported when OpenSSL is built with RSAref. |
|
[Ulf Moeller <ulf@fitug.de>] |
|
|
|
*) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h |
|
so they no longer are missing under -DNOPROTO. |
|
[Soren S. Jorvang <soren@t.dk>] |
|
|
|
|
|
Changes between 0.9.1c and 0.9.2b [22 Mar 1999] |
|
|
|
*) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still |
|
doesn't work when the session is reused. Coming soon! |
|
[Ben Laurie] |
|
|
|
*) Fix a security hole, that allows sessions to be reused in the wrong |
|
context thus bypassing client cert protection! All software that uses |
|
client certs and session caches in multiple contexts NEEDS PATCHING to |
|
allow session reuse! A fuller solution is in the works. |
|
[Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)] |
|
|
|
*) Some more source tree cleanups (removed obsolete files |
|
crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed |
|
permission on "config" script to be executable) and a fix for the INSTALL |
|
document. |
|
[Ulf Moeller <ulf@fitug.de>] |
|
|
|
*) Remove some legacy and erroneous uses of malloc, free instead of |
|
Malloc, Free. |
|
[Lennart Bang <lob@netstream.se>, with minor changes by Steve] |
|
|
|
*) Make rsa_oaep_test return non-zero on error. |
|
[Ulf Moeller <ulf@fitug.de>] |
|
|
|
*) Add support for native Solaris shared libraries. Configure |
|
solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice |
|
if someone would make that last step automatic. |
|
[Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>] |
|
|
|
*) ctx_size was not built with the right compiler during "make links". Fixed. |
|
[Ben Laurie] |
|
|
|
*) Change the meaning of 'ALL' in the cipher list. It now means "everything |
|
except NULL ciphers". This means the default cipher list will no longer |
|
enable NULL ciphers. They need to be specifically enabled e.g. with |
|
the string "DEFAULT:eNULL". |
|
[Steve Henson] |
|
|
|
*) Fix to RSA private encryption routines: if p < q then it would |
|
occasionally produce an invalid result. This will only happen with |
|
externally generated keys because OpenSSL (and SSLeay) ensure p > q. |
|
[Steve Henson] |
|
|
|
*) Be less restrictive and allow also `perl util/perlpath.pl |
|
/path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin', |
|
because this way one can also use an interpreter named `perl5' (which is |
|
usually the name of Perl 5.xxx on platforms where an Perl 4.x is still |
|
installed as `perl'). |
|
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] |
|
|
|
*) Let util/clean-depend.pl work also with older Perl 5.00x versions. |
|
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] |
|
|
|
*) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add |
|
advapi32.lib to Win32 build and change the pem test comparision |
|
to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the |
|
suggestion). Fix misplaced ASNI prototypes and declarations in evp.h |
|
and crypto/des/ede_cbcm_enc.c. |
|
[Steve Henson] |
|
|
|
*) DES quad checksum was broken on big-endian architectures. Fixed. |
|
[Ben Laurie] |
|
|
|
*) Comment out two functions in bio.h that aren't implemented. Fix up the |
|
Win32 test batch file so it (might) work again. The Win32 test batch file |
|
is horrible: I feel ill.... |
|
[Steve Henson] |
|
|
|
*) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected |
|
in e_os.h. Audit of header files to check ANSI and non ANSI |
|
sections: 10 functions were absent from non ANSI section and not exported |
|
from Windows DLLs. Fixed up libeay.num for new functions. |
|
[Steve Henson] |
|
|
|
*) Make `openssl version' output lines consistent. |
|
[Ralf S. Engelschall] |
|
|
|
*) Fix Win32 symbol export lists for BIO functions: Added |
|
BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data |
|
to ms/libeay{16,32}.def. |
|
[Ralf S. Engelschall] |
|
|
|
*) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled |
|
fine under Unix and passes some trivial tests I've now added. But the |
|
whole stuff is horribly incomplete, so a README.1ST with a disclaimer was |
|
added to make sure no one expects that this stuff really works in the |
|
OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources |
|
up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and |
|
openssl_bio.xs. |
|
[Ralf S. Engelschall] |
|
|
|
*) Fix the generation of two part addresses in perl. |
|
[Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie] |
|
|
|
*) Add config entry for Linux on MIPS. |
|
[John Tobey <jtobey@channel1.com>] |
|
|
|
*) Make links whenever Configure is run, unless we are on Windoze. |
|
[Ben Laurie] |
|
|
|
*) Permit extensions to be added to CRLs using crl_section in openssl.cnf. |
|
Currently only issuerAltName and AuthorityKeyIdentifier make any sense |
|
in CRLs. |
|
[Steve Henson] |
|
|
|
*) Add a useful kludge to allow package maintainers to specify compiler and |
|
other platforms details on the command line without having to patch the |
|
Configure script everytime: One now can use ``perl Configure |
|
<id>:<details>'', i.e. platform ids are allowed to have details appended |
|
to them (seperated by colons). This is treated as there would be a static |
|
pre-configured entry in Configure's %table under key <id> with value |
|
<details> and ``perl Configure <id>'' is called. So, when you want to |
|
perform a quick test-compile under FreeBSD 3.1 with pgcc and without |
|
assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"'' |
|
now, which overrides the FreeBSD-elf entry on-the-fly. |
|
[Ralf S. Engelschall] |
|
|
|
*) Disable new TLS1 ciphersuites by default: they aren't official yet. |
|
[Ben Laurie] |
|
|
|
*) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified |
|
on the `perl Configure ...' command line. This way one can compile |
|
OpenSSL libraries with Position Independent Code (PIC) which is needed |
|
for linking it into DSOs. |
|
[Ralf S. Engelschall] |
|
|
|
*) Remarkably, export ciphers were totally broken and no-one had noticed! |
|
Fixed. |
|
[Ben Laurie] |
|
|
|
*) Cleaned up the LICENSE document: The official contact for any license |
|
questions now is the OpenSSL core team under openssl-core@openssl.org. |
|
And add a paragraph about the dual-license situation to make sure people |
|
recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply |
|
to the OpenSSL toolkit. |
|
[Ralf S. Engelschall] |
|
|
|
*) General source tree makefile cleanups: Made `making xxx in yyy...' |
|
display consistent in the source tree and replaced `/bin/rm' by `rm'. |
|
Additonally cleaned up the `make links' target: Remove unnecessary |
|
semicolons, subsequent redundant removes, inline point.sh into mklink.sh |
|
to speed processing and no longer clutter the display with confusing |
|
stuff. Instead only the actually done links are displayed. |
|
[Ralf S. Engelschall] |
|
|
|
*) Permit null encryption ciphersuites, used for authentication only. It used |
|
to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this. |
|
It is now necessary to set SSL_FORBID_ENULL to prevent the use of null |
|
encryption. |
|
[Ben Laurie] |
|
|
|
*) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder |
|
signed attributes when verifying signatures (this would break them), |
|
the detached data encoding was wrong and public keys obtained using |
|
X509_get_pubkey() weren't freed. |
|
[Steve Henson] |
|
|
|
*) Add text documentation for the BUFFER functions. Also added a work around |
|
to a Win95 console bug. This was triggered by the password read stuff: the |
|
last character typed gets carried over to the next fread(). If you were |
|
generating a new cert request using 'req' for example then the last |
|
character of the passphrase would be CR which would then enter the first |
|
field as blank. |
|
[Steve Henson] |
|
|
|
*) Added the new `Includes OpenSSL Cryptography Software' button as |
|
doc/openssl_button.{gif,html} which is similar in style to the old SSLeay |
|
button and can be used by applications based on OpenSSL to show the |
|
relationship to the OpenSSL project. |
|
[Ralf S. Engelschall] |
|
|
|
*) Remove confusing variables in function signatures in files |
|
ssl/ssl_lib.c and ssl/ssl.h. |
|
[Lennart Bong <lob@kulthea.stacken.kth.se>] |
|
|
|
*) Don't install bss_file.c under PREFIX/include/ |
|
[Lennart Bong <lob@kulthea.stacken.kth.se>] |
|
|
|
*) Get the Win32 compile working again. Modify mkdef.pl so it can handle |
|
functions that return function pointers and has support for NT specific |
|
stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various |
|
#ifdef WIN32 and WINNTs sprinkled about the place and some changes from |
|
unsigned to signed types: this was killing the Win32 compile. |
|
[Steve Henson] |
|
|
|
*) Add new certificate file to stack functions, |
|
SSL_add_dir_cert_subjects_to_stack() and |
|
SSL_add_file_cert_subjects_to_stack(). These largely supplant |
|
SSL_load_client_CA_file(), and can be used to add multiple certs easily |
|
to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). |
|
This means that Apache-SSL and similar packages don't have to mess around |
|
to add as many CAs as they want to the preferred list. |
|
[Ben Laurie] |
|
|
|
*) Experiment with doxygen documentation. Currently only partially applied to |
|
ssl/ssl_lib.c. |
|
See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with |
|
openssl.doxy as the configuration file. |
|
[Ben Laurie] |
|
|
|
*) Get rid of remaining C++-style comments which strict C compilers hate. |
|
[Ralf S. Engelschall, pointed out by Carlos Amengual] |
|
|
|
*) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not |
|
compiled in by default: it has problems with large keys. |
|
[Steve Henson] |
|
|
|
*) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and |
|
DH private keys and/or callback functions which directly correspond to |
|
their SSL_CTX_xxx() counterparts but work on a per-connection basis. This |
|
is needed for applications which have to configure certificates on a |
|
per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis |
|
(e.g. s_server). |
|
For the RSA certificate situation is makes no difference, but |
|
for the DSA certificate situation this fixes the "no shared cipher" |
|
problem where the OpenSSL cipher selection procedure failed because the |
|
temporary keys were not overtaken from the context and the API provided |
|
no way to reconfigure them. |
|
The new functions now let applications reconfigure the stuff and they |
|
are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh, |
|
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new |
|
non-public-API function ssl_cert_instantiate() is used as a helper |
|
function and also to reduce code redundancy inside ssl_rsa.c. |
|
[Ralf S. Engelschall] |
|
|
|
*) Move s_server -dcert and -dkey options out of the undocumented feature |
|
area because they are useful for the DSA situation and should be |
|
recognized by the users. |
|
[Ralf S. Engelschall] |
|
|
|
*) Fix the cipher decision scheme for export ciphers: the export bits are |
|
*not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within |
|
SSL_EXP_MASK. So, the original variable has to be used instead of the |
|
already masked variable. |
|
[Richard Levitte <levitte@stacken.kth.se>] |
|
|
|
*) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c |
|
[Richard Levitte <levitte@stacken.kth.se>] |
|
|
|
*) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal() |
|
from `int' to `unsigned int' because it's a length and initialized by |
|
EVP_DigestFinal() which expects an `unsigned int *'. |
|
[Richard Levitte <levitte@stacken.kth.se>] |
|
|
|
*) Don't hard-code path to Perl interpreter on shebang line of Configure |
|
script. Instead use the usual Shell->Perl transition trick. |
|
[Ralf S. Engelschall] |
|
|
|
*) Make `openssl x509 -noout -modulus' functional also for DSA certificates |
|
(in addition to RSA certificates) to match the behaviour of `openssl dsa |
|
-noout -modulus' as it's already the case for `openssl rsa -noout |
|
-modulus'. For RSA the -modulus is the real "modulus" while for DSA |
|
currently the public key is printed (a decision which was already done by |
|
`openssl dsa -modulus' in the past) which serves a similar purpose. |
|
Additionally the NO_RSA no longer completely removes the whole -modulus |
|
option; it now only avoids using the RSA stuff. Same applies to NO_DSA |
|
now, too. |
|
[Ralf S. Engelschall] |
|
|
|
*) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested |
|
BIO. See the source (crypto/evp/bio_ok.c) for more info. |
|
[Arne Ansper <arne@ats.cyber.ee>] |
|
|
|
*) Dump the old yucky req code that tried (and failed) to allow raw OIDs |
|
to be added. Now both 'req' and 'ca' can use new objects defined in the |
|
config file. |
|
[Steve Henson] |
|
|
|
*) Add cool BIO that does syslog (or event log on NT). |
|
[Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie] |
|
|
|
*) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5, |
|
TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and |
|
TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher |
|
Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt. |
|
[Ben Laurie] |
|
|
|
*) Add preliminary config info for new extension code. |
|
[Steve Henson] |
|
|
|
*) Make RSA_NO_PADDING really use no padding. |
|
[Ulf Moeller <ulf@fitug.de>] |
|
|
|
*) Generate errors when private/public key check is done. |
|
[Ben Laurie] |
|
|
|
*) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support |
|
for some CRL extensions and new objects added. |
|
[Steve Henson] |
|
|
|
*) Really fix the ASN1 IMPLICIT bug this time... Partial support for private |
|
key usage extension and fuller support for authority key id. |
|
[Steve Henson] |
|
|
|
*) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved |
|
padding method for RSA, which is recommended for new applications in PKCS |
|
#1 v2.0 (RFC 2437, October 1998). |
|
OAEP (Optimal Asymmetric Encryption Padding) has better theoretical |
|
foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure |
|
against Bleichbacher's attack on RSA. |
|
[Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by |
|
Ben Laurie] |
|
|
|
*) Updates to the new SSL compression code |
|
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
|
|
|
*) Fix so that the version number in the master secret, when passed |
|
via RSA, checks that if TLS was proposed, but we roll back to SSLv3 |
|
(because the server will not accept higher), that the version number |
|
is 0x03,0x01, not 0x03,0x00 |
|
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
|
|
|
*) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory |
|
leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes |
|
in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c |
|
[Steve Henson] |
|
|
|
*) Support for RAW extensions where an arbitrary extension can be |
|
created by including its DER encoding. See apps/openssl.cnf for |
|
an example. |
|
[Steve Henson] |
|
|
|
*) Make sure latest Perl versions don't interpret some generated C array |
|
code as Perl array code in the crypto/err/err_genc.pl script. |
|
[Lars Weber <3weber@informatik.uni-hamburg.de>] |
|
|
|
*) Modify ms/do_ms.bat to not generate assembly language makefiles since |
|
not many people have the assembler. Various Win32 compilation fixes and |
|
update to the INSTALL.W32 file with (hopefully) more accurate Win32 |
|
build instructions. |
|
[Steve Henson] |
|
|
|
*) Modify configure script 'Configure' to automatically create crypto/date.h |
|
file under Win32 and also build pem.h from pem.org. New script |
|
util/mkfiles.pl to create the MINFO file on environments that can't do a |
|
'make files': perl util/mkfiles.pl >MINFO should work. |
|
[Steve Henson] |
|
|
|
*) Major rework of DES function declarations, in the pursuit of correctness |
|
and purity. As a result, many evil casts evaporated, and some weirdness, |
|
too. You may find this causes warnings in your code. Zapping your evil |
|
casts will probably fix them. Mostly. |
|
[Ben Laurie] |
|
|
|
*) Fix for a typo in asn1.h. Bug fix to object creation script |
|
obj_dat.pl. It considered a zero in an object definition to mean |
|
"end of object": none of the objects in objects.h have any zeros |
|
so it wasn't spotted. |
|
[Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>] |
|
|
|
*) Add support for Triple DES Cipher Block Chaining with Output Feedback |
|
Masking (CBCM). In the absence of test vectors, the best I have been able |
|
to do is check that the decrypt undoes the encrypt, so far. Send me test |
|
vectors if you have them. |
|
[Ben Laurie] |
|
|
|
*) Correct calculation of key length for export ciphers (too much space was |
|
allocated for null ciphers). This has not been tested! |
|
[Ben Laurie] |
|
|
|
*) Modifications to the mkdef.pl for Win32 DEF file creation. The usage |
|
message is now correct (it understands "crypto" and "ssl" on its |
|
command line). There is also now an "update" option. This will update |
|
the util/ssleay.num and util/libeay.num files with any new functions. |
|
If you do a: |
|
perl util/mkdef.pl crypto ssl update |
|
it will update them. |
|
[Steve Henson] |
|
|
|
*) Overhauled the Perl interface (perl/*): |
|
- ported BN stuff to OpenSSL's different BN library |
|
- made the perl/ source tree CVS-aware |
|
- renamed the package from SSLeay to OpenSSL (the files still contain |
|
their history because I've copied them in the repository) |
|
- removed obsolete files (the test scripts will be replaced |
|
by better Test::Harness variants in the future) |
|
[Ralf S. Engelschall] |
|
|
|
*) First cut for a very conservative source tree cleanup: |
|
1. merge various obsolete readme texts into doc/ssleay.txt |
|
where we collect the old documents and readme texts. |
|
2. remove the first part of files where I'm already sure that we no |
|
longer need them because of three reasons: either they are just temporary |
|
files which were left by Eric or they are preserved original files where |
|
I've verified that the diff is also available in the CVS via "cvs diff |
|
-rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for |
|
the crypto/md/ stuff). |
|
[Ralf S. Engelschall] |
|
|
|
*) More extension code. Incomplete support for subject and issuer alt |
|
name, issuer and authority key id. Change the i2v function parameters |
|
and add an extra 'crl' parameter in the X509V3_CTX structure: guess |
|
what that's for :-) Fix to ASN1 macro which messed up |
|
IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED. |
|
[Steve Henson] |
|
|
|
*) Preliminary support for ENUMERATED type. This is largely copied from the |
|
INTEGER code. |
|
[Steve Henson] |
|
|
|
*) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy. |
|
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
|
|
|
*) Make sure `make rehash' target really finds the `openssl' program. |
|
[Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] |
|
|
|
*) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd |
|
like to hear about it if this slows down other processors. |
|
[Ben Laurie] |
|
|
|
*) Add CygWin32 platform information to Configure script. |
|
[Alan Batie <batie@aahz.jf.intel.com>] |
|
|
|
*) Fixed ms/32all.bat script: `no_asm' -> `no-asm' |
|
[Rainer W. Gerling <gerling@mpg-gv.mpg.de>] |
|
|
|
*) New program nseq to manipulate netscape certificate sequences |
|
[Steve Henson] |
|
|
|
*) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a |
|
few typos. |
|
[Steve Henson] |
|
|
|
*) Fixes to BN code. Previously the default was to define BN_RECURSION |
|
but the BN code had some problems that would cause failures when |
|
doing certificate verification and some other functions. |
|
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
|
|
|
*) Add ASN1 and PEM code to support netscape certificate sequences. |
|
[Steve Henson] |
|
|
|
*) Add ASN1 and PEM code to support netscape certificate sequences. |
|
[Steve Henson] |
|
|
|
*) Add several PKIX and private extended key usage OIDs. |
|
[Steve Henson] |
|
|
|
*) Modify the 'ca' program to handle the new extension code. Modify |
|
openssl.cnf for new extension format, add comments. |
|
[Steve Henson] |
|
|
|
*) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' |
|
and add a sample to openssl.cnf so req -x509 now adds appropriate |
|
CA extensions. |
|
[Steve Henson] |
|
|
|
*) Continued X509 V3 changes. Add to other makefiles, integrate with the |
|
error code, add initial support to X509_print() and x509 application. |
|
[Steve Henson] |
|
|
|
*) Takes a deep breath and start addding X509 V3 extension support code. Add |
|
files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this |
|
stuff is currently isolated and isn't even compiled yet. |
|
[Steve Henson] |
|
|
|
*) Continuing patches for GeneralizedTime. Fix up certificate and CRL |
|
ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. |
|
Removed the versions check from X509 routines when loading extensions: |
|
this allows certain broken certificates that don't set the version |
|
properly to be processed. |
|
[Steve Henson] |
|
|
|
*) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another |
|
Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which |
|
can still be regenerated with "make depend". |
|
[Ben Laurie] |
|
|
|
*) Spelling mistake in C version of CAST-128. |
|
[Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>] |
|
|
|
*) Changes to the error generation code. The perl script err-code.pl |
|
now reads in the old error codes and retains the old numbers, only |
|
adding new ones if necessary. It also only changes the .err files if new |
|
codes are added. The makefiles have been modified to only insert errors |
|
when needed (to avoid needlessly modifying header files). This is done |
|
by only inserting errors if the .err file is newer than the auto generated |
|
C file. To rebuild all the error codes from scratch (the old behaviour) |
|
either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl |
|
or delete all the .err files. |
|
[Steve Henson] |
|
|
|
*) CAST-128 was incorrectly implemented for short keys. The C version has |
|
been fixed, but is untested. The assembler versions are also fixed, but |
|
new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing |
|
to regenerate it if needed. |
|
[Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun |
|
Hagino <itojun@kame.net>] |
|
|
|
*) File was opened incorrectly in randfile.c. |
|
[Ulf Möller <ulf@fitug.de>] |
|
|
|
*) Beginning of support for GeneralizedTime. d2i, i2d, check and print |
|
functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or |
|
GeneralizedTime. ASN1_TIME is the proper type used in certificates et |
|
al: it's just almost always a UTCTime. Note this patch adds new error |
|
codes so do a "make errors" if there are problems. |
|
[Steve Henson] |
|
|
|
*) Correct Linux 1 recognition in config. |
|
[Ulf Möller <ulf@fitug.de>] |
|
|
|
*) Remove pointless MD5 hash when using DSA keys in ca. |
|
[Anonymous <nobody@replay.com>] |
|
|
|
*) Generate an error if given an empty string as a cert directory. Also |
|
generate an error if handed NULL (previously returned 0 to indicate an |
|
error, but didn't set one). |
|
[Ben Laurie, reported by Anonymous <nobody@replay.com>] |
|
|
|
*) Add prototypes to SSL methods. Make SSL_write's buffer const, at last. |
|
[Ben Laurie] |
|
|
|
*) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct |
|
parameters. This was causing a warning which killed off the Win32 compile. |
|
[Steve Henson] |
|
|
|
*) Remove C++ style comments from crypto/bn/bn_local.h. |
|
[Neil Costigan <neil.costigan@celocom.com>] |
|
|
|
*) The function OBJ_txt2nid was broken. It was supposed to return a nid |
|
based on a text string, looking up short and long names and finally |
|
"dot" format. The "dot" format stuff didn't work. Added new function |
|
OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote |
|
OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the |
|
OID is not part of the table. |
|
[Steve Henson] |
|
|
|
*) Add prototypes to X509 lookup/verify methods, fixing a bug in |
|
X509_LOOKUP_by_alias(). |
|
[Ben Laurie] |
|
|
|
*) Sort openssl functions by name. |
|
[Ben Laurie] |
|
|
|
*) Get the gendsa program working (hopefully) and add it to app list. Remove |
|
encryption from sample DSA keys (in case anyone is interested the password |
|
was "1234"). |
|
[Steve Henson] |
|
|
|
*) Make _all_ *_free functions accept a NULL pointer. |
|
[Frans Heymans <fheymans@isaserver.be>] |
|
|
|
*) If a DH key is generated in s3_srvr.c, don't blow it by trying to use |
|
NULL pointers. |
|
[Anonymous <nobody@replay.com>] |
|
|
|
*) s_server should send the CAfile as acceptable CAs, not its own cert. |
|
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>] |
|
|
|
*) Don't blow it for numeric -newkey arguments to apps/req. |
|
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>] |
|
|
|
*) Temp key "for export" tests were wrong in s3_srvr.c. |
|
[Anonymous <nobody@replay.com>] |
|
|
|
*) Add prototype for temp key callback functions |
|
SSL_CTX_set_tmp_{rsa,dh}_callback(). |
|
[Ben Laurie] |
|
|
|
*) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and |
|
DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey(). |
|
[Steve Henson] |
|
|
|
*) X509_name_add_entry() freed the wrong thing after an error. |
|
[Arne Ansper <arne@ats.cyber.ee>] |
|
|
|
*) rsa_eay.c would attempt to free a NULL context. |
|
[Arne Ansper <arne@ats.cyber.ee>] |
|
|
|
*) BIO_s_socket() had a broken should_retry() on Windoze. |
|
[Arne Ansper <arne@ats.cyber.ee>] |
|
|
|
*) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH. |
|
[Arne Ansper <arne@ats.cyber.ee>] |
|
|
|
*) Make sure the already existing X509_STORE->depth variable is initialized |
|
in X509_STORE_new(), but document the fact that this variable is still |
|
unused in the certificate verification process. |
|
[Ralf S. Engelschall] |
|
|
|
*) Fix the various library and apps files to free up pkeys obtained from |
|
X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. |
|
[Steve Henson] |
|
|
|
*) Fix reference counting in X509_PUBKEY_get(). This makes |
|
demos/maurice/example2.c work, amongst others, probably. |
|
[Steve Henson and Ben Laurie] |
|
|
|
*) First cut of a cleanup for apps/. First the `ssleay' program is now named |
|
`openssl' and second, the shortcut symlinks for the `openssl <command>' |
|
are no longer created. This way we have a single and consistent command |
|
line interface `openssl <command>', similar to `cvs <command>'. |
|
[Ralf S. Engelschall, Paul Sutton and Ben Laurie] |
|
|
|
*) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey |
|
BIT STRING wrapper always have zero unused bits. |
|
[Steve Henson] |
|
|
|
*) Add CA.pl, perl version of CA.sh, add extended key usage OID. |
|
[Steve Henson] |
|
|
|
*) Make the top-level INSTALL documentation easier to understand. |
|
[Paul Sutton] |
|
|
|
*) Makefiles updated to exit if an error occurs in a sub-directory |
|
make (including if user presses ^C) [Paul Sutton] |
|
|
|
*) Make Montgomery context stuff explicit in RSA data structure. |
|
[Ben Laurie] |
|
|
|
*) Fix build order of pem and err to allow for generated pem.h. |
|
[Ben Laurie] |
|
|
|
*) Fix renumbering bug in X509_NAME_delete_entry(). |
|
[Ben Laurie] |
|
|
|
*) Enhanced the err-ins.pl script so it makes the error library number |
|
global and can add a library name. This is needed for external ASN1 and |
|
other error libraries. |
|
[Steve Henson] |
|
|
|
*) Fixed sk_insert which never worked properly. |
|
[Steve Henson] |
|
|
|
*) Fix ASN1 macros so they can handle indefinite length construted |
|
EXPLICIT tags. Some non standard certificates use these: they can now |
|
be read in. |
|
[Steve Henson] |
|
|
|
*) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc) |
|
into a single doc/ssleay.txt bundle. This way the information is still |
|
preserved but no longer messes up this directory. Now it's new room for |
|
the new set of documenation files. |
|
[Ralf S. Engelschall] |
|
|
|
*) SETs were incorrectly DER encoded. This was a major pain, because they |
|
shared code with SEQUENCEs, which aren't coded the same. This means that |
|
almost everything to do with SETs or SEQUENCEs has either changed name or |
|
number of arguments. |
|
[Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>] |
|
|
|
*) Fix test data to work with the above. |
|
[Ben Laurie] |
|
|
|
*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but |
|
was already fixed by Eric for 0.9.1 it seems. |
|
[Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>] |
|
|
|
*) Autodetect FreeBSD3. |
|
[Ben Laurie] |
|
|
|
*) Fix various bugs in Configure. This affects the following platforms: |
|
nextstep |
|
ncr-scde |
|
unixware-2.0 |
|
unixware-2.0-pentium |
|
sco5-cc. |
|
[Ben Laurie] |
|
|
|
*) Eliminate generated files from CVS. Reorder tests to regenerate files |
|
before they are needed. |
|
[Ben Laurie] |
|
|
|
*) Generate Makefile.ssl from Makefile.org (to keep CVS happy). |
|
[Ben Laurie] |
|
|
|
|
|
Changes between 0.9.1b and 0.9.1c [23-Dec-1998] |
|
|
|
*) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and |
|
changed SSLeay to OpenSSL in version strings. |
|
[Ralf S. Engelschall] |
|
|
|
*) Some fixups to the top-level documents. |
|
[Paul Sutton] |
|
|
|
*) Fixed the nasty bug where rsaref.h was not found under compile-time |
|
because the symlink to include/ was missing. |
|
[Ralf S. Engelschall] |
|
|
|
*) Incorporated the popular no-RSA/DSA-only patches |
|
which allow to compile a RSA-free SSLeay. |
|
[Andrew Cooke / Interrader Ldt., Ralf S. Engelschall] |
|
|
|
*) Fixed nasty rehash problem under `make -f Makefile.ssl links' |
|
when "ssleay" is still not found. |
|
[Ralf S. Engelschall] |
|
|
|
*) Added more platforms to Configure: Cray T3E, HPUX 11, |
|
[Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>] |
|
|
|
*) Updated the README file. |
|
[Ralf S. Engelschall] |
|
|
|
*) Added various .cvsignore files in the CVS repository subdirs |
|
to make a "cvs update" really silent. |
|
[Ralf S. Engelschall] |
|
|
|
*) Recompiled the error-definition header files and added |
|
missing symbols to the Win32 linker tables. |
|
[Ralf S. Engelschall] |
|
|
|
*) Cleaned up the top-level documents; |
|
o new files: CHANGES and LICENSE |
|
o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay |
|
o merged COPYRIGHT into LICENSE |
|
o removed obsolete TODO file |
|
o renamed MICROSOFT to INSTALL.W32 |
|
[Ralf S. Engelschall] |
|
|
|
*) Removed dummy files from the 0.9.1b source tree: |
|
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi |
|
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f |
|
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f |
|
crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f |
|
util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f |
|
[Ralf S. Engelschall] |
|
|
|
*) Added various platform portability fixes. |
|
[Mark J. Cox] |
|
|
|
*) The Genesis of the OpenSSL rpject: |
|
We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A. |
|
Young and Tim J. Hudson created while they were working for C2Net until |
|
summer 1998. |
|
[The OpenSSL Project] |
|
|
|
|
|
Changes between 0.9.0b and 0.9.1b [not released] |
|
|
|
*) Updated a few CA certificates under certs/ |
|
[Eric A. Young] |
|
|
|
*) Changed some BIGNUM api stuff. |
|
[Eric A. Young] |
|
|
|
*) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, |
|
DGUX x86, Linux Alpha, etc. |
|
[Eric A. Young] |
|
|
|
*) New COMP library [crypto/comp/] for SSL Record Layer Compression: |
|
RLE (dummy implemented) and ZLIB (really implemented when ZLIB is |
|
available). |
|
[Eric A. Young] |
|
|
|
*) Add -strparse option to asn1pars program which parses nested |
|
binary structures |
|
[Dr Stephen Henson <shenson@bigfoot.com>] |
|
|
|
*) Added "oid_file" to ssleay.cnf for "ca" and "req" programs. |
|
[Eric A. Young] |
|
|
|
*) DSA fix for "ca" program. |
|
[Eric A. Young] |
|
|
|
*) Added "-genkey" option to "dsaparam" program. |
|
[Eric A. Young] |
|
|
|
*) Added RIPE MD160 (rmd160) message digest. |
|
[Eric A. Young] |
|
|
|
*) Added -a (all) option to "ssleay version" command. |
|
[Eric A. Young] |
|
|
|
*) Added PLATFORM define which is the id given to Configure. |
|
[Eric A. Young] |
|
|
|
*) Added MemCheck_XXXX functions to crypto/mem.c for memory checking. |
|
[Eric A. Young] |
|
|
|
*) Extended the ASN.1 parser routines. |
|
[Eric A. Young] |
|
|
|
*) Extended BIO routines to support REUSEADDR, seek, tell, etc. |
|
[Eric A. Young] |
|
|
|
*) Added a BN_CTX to the BN library. |
|
[Eric A. Young] |
|
|
|
*) Fixed the weak key values in DES library |
|
[Eric A. Young] |
|
|
|
*) Changed API in EVP library for cipher aliases. |
|
[Eric A. Young] |
|
|
|
*) Added support for RC2/64bit cipher. |
|
[Eric A. Young] |
|
|
|
*) Converted the lhash library to the crypto/mem.c functions. |
|
[Eric A. Young] |
|
|
|
*) Added more recognized ASN.1 object ids. |
|
[Eric A. Young] |
|
|
|
*) Added more RSA padding checks for SSL/TLS. |
|
[Eric A. Young] |
|
|
|
*) Added BIO proxy/filter functionality. |
|
[Eric A. Young] |
|
|
|
*) Added extra_certs to SSL_CTX which can be used |
|
send extra CA certificates to the client in the CA cert chain sending |
|
process. It can be configured with SSL_CTX_add_extra_chain_cert(). |
|
[Eric A. Young] |
|
|
|
*) Now Fortezza is denied in the authentication phase because |
|
this is key exchange mechanism is not supported by SSLeay at all. |
|
[Eric A. Young] |
|
|
|
*) Additional PKCS1 checks. |
|
[Eric A. Young] |
|
|
|
*) Support the string "TLSv1" for all TLS v1 ciphers. |
|
[Eric A. Young] |
|
|
|
*) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the |
|
ex_data index of the SSL context in the X509_STORE_CTX ex_data. |
|
[Eric A. Young] |
|
|
|
*) Fixed a few memory leaks. |
|
[Eric A. Young] |
|
|
|
*) Fixed various code and comment typos. |
|
[Eric A. Young] |
|
|
|
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0 |
|
bytes sent in the client random. |
|
[Edward Bishop <ebishop@spyglass.com>] |
|
|
|
|